Securing Certificate Services

Previous page
Table of content
Next page

Standalone and Enterprise Root servers contain the single copy of the company's private key. This component is essential in authenticating any and all access to the PKI-secured data and entry points.

Physical security and data security are both very important tasks in an administrator's role.

Locking Down Servers

Microsoft provides very well-defined baseline security guidelines for locking down the operating system, IIS, and administrative access.

Change the local administrator and guest account names . Don't use the same administrator and guest account name on every server.

Separating Server Roles

Placing more than a single role on a server makes an attacker's job easier. It then becomes possible to compromise several roles in the company's PKI infrastructure. Certificate Services storage and enrollment can be separated. The following list includes some of the tiers that can be physically placed on separate servers:

  • Root CA Server

  • Root Subordinates (Intermediate CA)

  • Issuing CA Server

  • Certificate Storage in Active Directory

  • IIS

Assigning Administrative Roles

Administrators need to work with senior executives to define the roles that will be assigned to personnel within the company when it comes to managing the PKI and smartcard system.

The persons entrusted with issuing smartcards within an organization are known as enrollment agents . Enrollment agents are typically members of the help desk, IT security, or company security staff. In locations where one of these personnel isn't readily available another trusted individual such as that location's supervisor or manager can be the enrollment agent.

Delegating the authority to issue smartcards has administrative as well as security benefits. Some of those benefits are listed here:

  • Administrators can delegate this time-consuming process.

  • Enrollment agents process all certificate and smartcard requests .

  • Smartcard users can be stepped through the enrollment process.

There are also some disadvantages to delegating smartcard enrollment. Here are several points to consider:

  • The trustworthiness of the enrollment agent could come into question.

  • Overcoming concerns could require more personnel resources.

  • Remote locations might not have an available enrollment agent full-time .

  • An agent can perform only a limited number of smartcard enrollments per work day.


Previous page
Table of content
Next page
Microsoft Windows Server 2003 Insider Solutions
Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
EAN: 2147483647
Year: 2003
Pages: 325
Authors: Rand Morimoto, Andrew Abbate, Eric Kovach, Ed Roberts
BUY ON AMAZON
Introducing Microsoft Office InfoPath 2003 (Bpg-Other)
SQL Hacks
Cisco IOS Cookbook (Cookbooks (OReilly))
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
InDesign Type: Professional Typography with Adobe InDesign CS2
Web Systems Design and Online Consumer Behavior
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy