Exam Essentials




Know what types of applications require the use of a public key infrastructure. You will need a PKI to support smart card logon, SSL, IPSec, EFS, S/MIME, or any other application that requires encryption or digital signatures.

Know the forms of enrollment that are available and when they are used. There are four ways to enroll for a certificate: web-based enrollment, the Certificates MMC, the command line with certreq.exe, and autoenrollment. Web-based enrollment is the most accessible form and can be used for enrollment at any time. The Certificates MMC's Automatic Certificate Request Setup wizard can be used from Windows 2000, Windows XP, and Windows Server 2003. The command line can be used to script certificate requests for automation. Autoenrollment is the easiest way to obtain and renew certificates in an organization that wants the least administrative overhead, provided the clients run Windows XP and the servers run Windows Server 2003.

Understand what the term two-factor authentication means. A smart card is a hardware device that stores a private key and certificate. The user needs a password or PIN to use the smart card; this is the first factor (something the user knows). The second factor is the certificate on the smart card, which validates the identity of the user (something the user has).

Know the different types of CAs that you can install and their roles in the PKI. The root CA is the server that issues the initial certificate in the hierarchy. All other certificates in the organization chain up to the root CA's certificate, so if you trust the root CA, you trust every certificate in your infrastructure. The intermediate (or policy) CA is responsible for the procedures used to approve certificate requests. The issuing CA is the server that clients communicate with to enroll for or renew a certificate.

Remember that there are two server roles for CAs in a Windows Server 2003 infrastructure: enterprise CA and stand-alone CA. The enterprise CA is integrated with Active Directory, and you can use Group Policy to issue certificates to clients. Windows XP and Windows Server 2003 clients require a Windows Server 2003 enterprise CA for autoenrollment. This type of CA must remain connected to the network. A stand-alone CA supports web-based enrollment only but can be taken off the network without causing problems. Stand-alone CAs do not use certificate templates, so all certificate information must be supplied in the request during enrollment.
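The scripted command-line enrollment mentioned above, and the difference in what a stand-alone CA needs in the request, as an added example that is not from the study guide. The CA name CA01.corp.example\Corp-Issuing-CA, the WebServer template, and the host web01.corp.example are hypothetical.

```powershell
# Added example, not from the study guide: scripting a certificate request with certreq.exe.
# Hypothetical names: CA "CA01.corp.example\Corp-Issuing-CA", template "WebServer",
# requesting host web01.corp.example. Run in an elevated PowerShell on the requesting host.
$Dir = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# certreq reads the request parameters from an .inf file (single-quoted here-string, so
# the $ characters are written literally). MachineKeySet=TRUE stores the private key in the
# computer store for a service such as IIS; Exportable=FALSE keeps it from being exported.
$Inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=web01.corp.example, O=Example Corp"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
; Enterprise CA only: the CA fills in the remaining settings from this template.
; A stand-alone CA ignores templates, so Subject and EKU above must carry everything needed.
CertificateTemplate = WebServer
'@
Set-Content -Path "$Dir\web01.inf" -Value $Inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request file.
certreq.exe -new "$Dir\web01.inf" "$Dir\web01.req"

# 2. Submit the request. An enterprise CA whose template auto-issues returns the certificate
#    immediately; a stand-alone CA leaves the request pending for an administrator, and
#    certreq prints the RequestId instead of writing web01.cer.
certreq.exe -submit -config "CA01.corp.example\Corp-Issuing-CA" "$Dir\web01.req" "$Dir\web01.cer"

# 3. For a pending request, retrieve it after approval (replace <RequestId> with the number printed):
#    certreq.exe -retrieve -config "CA01.corp.example\Corp-Issuing-CA" <RequestId> "$Dir\web01.cer"

# 4. Install the issued certificate and bind it to the private key generated in step 1.
if (Test-Path "$Dir\web01.cer") { certreq.exe -accept "$Dir\web01.cer" }
```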

Know how to secure the server roles in a CA hierarchy. Install the root CA as a stand-alone CA that can be removed from the network and stored in a physically secure location, because if the root CA is compromised, every certificate in the PKI is compromised. The intermediate CA approves requests for certificates; secure this server as well, because an attacker who infiltrated it could issue certificates. The issuing CA is the only server that should be exposed to the Internet or to clients.

Remember that you can create a CA hierarchy based on function, organization, departments, or geography. A CA hierarchy based on function creates subordinate CAs for each type of application the PKI supports, such as S/MIME, IPSec, and EFS. A CA hierarchy based on organization divides certificate servers among the classifications of personnel in the organization, such as employee, contractor, and partner. A CA hierarchy based on departments creates CAs for each department, such as accounting, marketing, and engineering. This works well if administration of the organization is decentralized but a centralized PKI is still maintained; it can also be used if departments have differing requirements for issuing certificates. A CA hierarchy based on geography gives personnel in regions or countries control over the appropriate subordinate CAs; this kind of hierarchy is generally used to meet the legal requirements on certificates and encryption in the countries involved, but it can also be used to provide availability. While each of these designs usually includes issuing CAs, they can also include policy CAs if you need to control approval of certificate requests under any of the design strategies.






MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
