Standalone and Enterprise Root servers contain the single copy of the company's private key. This component is essential in authenticating any and all access to the PKI-secured data and entry points. Physical security and data security are both very important tasks in an administrator's role. Locking Down ServersMicrosoft provides very well-defined baseline security guidelines for locking down the operating system, IIS, and administrative access. Change the local administrator and guest account names . Don't use the same administrator and guest account name on every server. Separating Server RolesPlacing more than a single role on a server makes an attacker's job easier. It then becomes possible to compromise several roles in the company's PKI infrastructure. Certificate Services storage and enrollment can be separated. The following list includes some of the tiers that can be physically placed on separate servers:
Assigning Administrative RolesAdministrators need to work with senior executives to define the roles that will be assigned to personnel within the company when it comes to managing the PKI and smartcard system. The persons entrusted with issuing smartcards within an organization are known as enrollment agents . Enrollment agents are typically members of the help desk, IT security, or company security staff. In locations where one of these personnel isn't readily available another trusted individual such as that location's supervisor or manager can be the enrollment agent. Delegating the authority to issue smartcards has administrative as well as security benefits. Some of those benefits are listed here:
There are also some disadvantages to delegating smartcard enrollment. Here are several points to consider:
|