Deploying a Certificate Infrastructure


For PPTP-based VPN connections, a certificate infrastructure is needed only when you are using either smart cards or locally installed user certificates and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication. For L2TP/IPSec, the certificate infrastructure is mandatory. If you are using only a password-based authentication protocol such as Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2), a certificate infrastructure is not required and is not used for the creation of the VPN connection. You can make the choice of using only passwords, but certificates allow for two-factor authentication and will enable you to use security technologies that take advantage of IPSec. This is a wise choice if you have the ability to go this route, and it is the solution recommended by Microsoft for security and authentication versatility.

To use a certificate infrastructure for PPTP-based VPN connections, you must install a computer certificate on the authenticating server (the VPN server or the RADIUS server) and either a certificate on each smart card distributed to VPN client users or a user certificate on each VPN client computer. There are two kinds of certificates to use for remote access communications: computer and user certificates. Computer certificates are needed when using L2TP/IPSec because they allow for the two end nodes (client and server) to create an encrypted IPSec session between them, and then allow for authentication of the user by means of username/password credentials, or even better, smart cards and the user certificate. This process uses the computer certificates prior to authentication to protect the VPN system from offline dictionary attacks, where a hacker will capture the authentication exchange and attempt to crack the passwords. With computer certificates, the entire authentication process is encrypted as well.

As stated previously, you need to install a computer certificate on the VPN server and on all VPN client computers. To do this, you will need a certificate infrastructure. The good news is that Windows Server 2003 has a complete certificate service available as an add-on service, but you will need to install and configure it to get certificates for the VPN. For information about deploying a certificate infrastructure, see Appendix C, “Deploying a Certificate Infrastructure.”

Note

While PPTP does not require certificates, the use of L2TP/IPSec makes it mandatory. So if you are using certificates, make sure to pay close attention to this next section.

Installing Computer Certificates

To install a computer certificate, an issuing certification authority (CA) must be present to issue certificates. (Again, see Appendix C for information on how to set this up.) Once the issuing CA is configured, you can install a computer certificate in any one of the following ways:

  • By configuring the automatic allocation of computer certificates to computers in an Active Directory directory service domain

  • By using a Web browser to request a computer certificate

  • By using the Certificates snap-in to request a computer certificate

  • By using the Certificates snap-in to import a computer certificate

  • By executing a CAPICOM script that requests a computer certificate

Configuring the Automatic Allocation of Computer Certificates

This method allows a single point of configuration for the entire domain and is by far the best way to handle computer certificates. Using Active Directory is always a good idea because it allows you to centrally control all identity and access issues, and when using certificates it becomes an even more powerful tool. All members of the domain automatically request the computer certificate through a Group Policy setting when they sign into the network; the user doesn’t have to do anything! If you use a Windows Server 2003 or Windows 2000 Certificate Services enterprise CA as an issuing CA, you can install a computer certificate on Internet Authentication Service (IAS) servers and VPN client computers by configuring Group Policy for the auto-enrollment of computer certificates for members of an Active Directory system container. Note that this works using the Windows CA, not a third-party CA. You can use third-party CAs to hand out certificates because Windows does support certificate interoperability, but the auto-enrollment feature is specifically designed to work with a Windows enterprise CA. This is a major deployment choice, so choose the certificate solutions for your organization wisely and with ease of deployment in mind.

To configure computer certificate enrollment for an enterprise CA

  1. Open the Active Directory Users And Computers snap-in.

  2. In the console tree, double-click Active Directory Users And Computers, right-click the domain name to which your CA belongs, and then click Properties.

  3. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy) and then click Edit.

  4. In the console tree, open Computer Configuration; then Windows Settings; then Security Settings; then Public Key Policies; and then Automatic Certificate Request Settings. The resulting Group Policy Object Editor dialog box is shown in the following figure.


  5. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request. The Automatic Certificate Request Setup Wizard appears.

  6. Click Next.

  7. In Certificate Templates, click Computer and then click Next.

  8. If you have more than one enterprise-issuing CA, click the correct enterprise CA, and then click Finish.

    After the domain is configured for auto-enrollment of computer certificates, each computer that is a member of the domain system container requests a computer certificate when computer configuration Group Policy is refreshed. By default, the Winlogon service polls for changes in Group Policy every 90 minutes. To force a refresh of computer Group Policy, restart the computer or type secedit /refreshpolicy machine_policy (for a computer running Windows 2000) or gpupdate /target:computer (for a computer running Windows XP or Windows Server 2003) at a command prompt.

    Perform this procedure for each domain system container as appropriate. It is also a good policy to consider a forced Group Policy update when using Network Access Quarantine Control features, which are described later in this chapter in the section titled “Configuring Quarantine Resources.”

Using a Web Browser to Request a Computer Certificate

Requesting a certificate via the Web, also known as Web enrollment, is done with Microsoft Internet Explorer. For the address, type http://servername/certsrv, where servername is the computer name of the Windows 2000 Server or the Windows Server 2003 CA that is also running Internet Information Services (IIS). A Web-based wizard takes you through the steps of requesting a certificate. To store the requested certificate in the Local Computer store, select the Store Certificate In The Local Certificate Store check box when performing an advanced certificate request. By default, this option is disabled, and certificates are stored in the Current User store. You must have local administrator privileges to store a certificate in the Local Computer store.

The issuing CA must support Web enrollment of certificates. You can use Web enrollment with either an enterprise or stand-alone CA. This is a procedure that has some inherent issues. You need to make sure that the IIS system is completely secure and that you are authenticating users with strong password authentication before they can access the certificate-issuing services; that way you can be sure that only the proper people are getting certificates. A good policy is to set up an https-secured Web enrollment solution, which requires extra steps not outlined here. Once you have the standard http-based site set up, use the IIS documentation to secure the Web site with https.

Using the Certificates Snap-In to Request a Computer Certificate

If you are using a Windows Server 2003 or Windows 2000 Server enterprise CA as an issuing CA, each computer can separately request a computer certificate from the issuing CA by using the Certificates snap-in. This adds more complexity for the user because of the user intervention required, but it’s a good secondary solution in the absence of a complete Active Directory deployment. It’s also useful when using imaging technologies for the rollout of corporate-managed systems. By imaging the installation of the Certificates snap-in, the user only needs to follow the simple instructions below to get certificates.

To request a certificate to store in the Local Computer store

  1. In the console tree of the Certificates snap-in, open the Certificates (Local Computer) folder.

  2. Right-click the Personal folder, point to All Tasks, and then click Request New Certificate.

A Certificate Request Wizard will guide you through the steps of requesting a certificate.

Using the Certificates Snap-In to Import a Computer Certificate

If you have a certificate file that contains the computer certificate, you can import the computer certificate by using the Certificates snap-in. This procedure is useful for users with nonmanaged computers, such as personally owned home computers, that need to be provided with certificates when you don’t want to use Web services to do it. The disadvantage is that you will have to hand out certificates in a file format, but it will save you the trouble of publishing the certificate enrollment tools.

To import a certificate to store in the Local Computer store

  1. In the console tree of the Certificates snap-in, open the Certificates (Local Computer)\Personal folder.

  2. Right-click the Personal folder, point to All tasks, and then click Import.

A Certificate Import Wizard will guide you through the steps of importing a certificate from a certificate file.

Executing a CAPICOM Script That Requests a Computer Certificate

In this method, each computer that needs a computer certificate must execute a CAPICOM script that requests a computer certificate from the issuing CA. CAPICOM is a COM client, supporting Automation, that performs cryptographic functions (the CryptoAPI) using Microsoft ActiveX and COM objects. CAPICOM can be used via Microsoft Visual Basic, Visual Basic Scripting Edition, and C++. For more information about CAPICOM, search for “CAPICOM” at http://msdn.microsoft.com/.

Deploying Smart Cards

Deploying smart cards can be a very complex process that we can’t describe completely in this book, but it’s something you should seriously consider for the security of your organization. Windows Server 2003 has complete support for smart cards and EAP authentication protocols, and Microsoft itself has deployed smart cards to all users to secure the Microsoft remote access deployment for over 50,000 users. For more information about deploying smart cards in Windows Server 2003, see the topic “Checklist: Deploying smart cards for logging on to Windows” in Windows Server 2003 Help And Support. This Help topic will guide you through deploying smart cards with your certificate solutions and will show you how to work with the hardware required.

Installing User Certificates

Computer certificates identify the corporate-managed resource that allows a connection to happen. User certificates are used to identify the individual and can be stored on a client or on a smart card device. Many of the issuance procedures for user certificates are the same as the procedures for issuing client computer certificates; nonetheless, we’ll provide a complete step-by-step process here. To install a user certificate, an issuing CA must be present to issue certificates. (See Appendix C.) Once the issuing CA is configured, you can install a user certificate in any one of the following ways:

  • By configuring the automatic allocation of user certificates in a Windows 2003 Active Directory domain

  • By using a Web browser to request a user certificate

  • By using the Certificates snap-in to request a user certificate

  • By importing a user certificate using the Certificates snap-in

  • By executing a CAPICOM script that requests a user certificate

Configuring the Automatic Allocation of User Certificates

Just as with computer certificates, Active Directory is the preferred method to use when installing certificates. This method allows a single point of configuration for the entire domain. All users who are members of the domain automatically request the user certificate through a Group Policy setting.

If you use a Windows Server 2003, Enterprise Edition or a Windows Server 2003, Datacenter Edition enterprise CA as an issuing CA, you can install user certificates through autoenrollment for user objects in the directory. However, because of certain advances in the technology of the operating systems, only computers running Windows XP or Windows Server 2003 support user certificate autoenrollment.

To configure user certificate enrollment for an enterprise CA

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-In and then click Add.

  3. Under Snap-In, double-click Certificate Templates, click Close, and then click OK.

  4. In the console tree, click Certificate Templates. All certificate templates are displayed in the details pane.

  5. In the details pane, click the User template.

  6. On the Action menu, click Duplicate Template.

  7. In the Template Display Name field, type the name of the new user certificate template (for example, VPN Access).

  8. Make sure that the Publish Certificate In Active Directory check box is selected.

  9. Click the Security tab.

  10. In the Group Or User Names field, click Domain Users.

  11. In the Permissions For Domain Users list, select Allow for the Enroll and Autoenroll check boxes. The following figure shows the resulting configuration. Click OK.

  12. Open the Certification Authority snap-in.

  13. In the console tree, open Certification Authority; then your CA name; and then Certificate Templates.

  14. On the Action menu, point to New and then click Certificate Template To Issue.

  15. Click the name of the newly created user certificate template (for example, VPN Access), and then click OK.

  16. Open the Active Directory Users And Computers snap-in.

  17. In the console tree, double-click Active Directory Users And Computers, right-click the domain name to which your CA belongs, and then click Properties.

  18. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy) and then click Edit.

  19. In the console tree, open User Configuration; then Windows Settings; then Security Settings; and then Public Key Policies. The resulting Group Policy Object Editor dialog box is shown in the following figure.


  20. In the details pane, double-click Autoenrollment Settings.

  21. Click Enroll Certificates Automatically.

  22. Select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.

  23. Select the Update Certificates That Use Certificate Templates check box. The following figure shows the resulting configuration.


  24. Click OK.

Perform this procedure for each domain system container, as appropriate.
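Both auto-enrollment procedures (the computer certificate procedure earlier in this section and the user certificate procedure just above) end with a Group Policy refresh but give no way to confirm that a usable certificate actually arrived in the right store. The following PowerShell script is an added example and not code from the book: it forces the refresh with the gpupdate command the text mentions and then inspects the Local Computer or Current User Personal store for a certificate from the expected template, checking the properties the VPN connection will depend on (private key present, not expired, the Server Authentication and Client Authentication enhanced key usages, and a chain to a trusted root). The template names are assumptions: “Machine” is the internal name of the built-in Computer template, and “VPN Access” is the example display name from step 7 of the user procedure.

```powershell
# Added example (not from the book): confirm that auto-enrollment produced a usable
# certificate before relying on it for L2TP/IPSec (computer) or EAP-TLS (user).
# Assumed template names: "Machine" (built-in Computer template) and "VPN Access"
# (the duplicated User template created in the procedure above).

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V1 templates such as Computer record the template name in OID 1.3.6.1.4.1.311.20.2;
    # V2 templates such as the duplicated User template use OID 1.3.6.1.4.1.311.21.7.
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            return $ext.Format($false)   # e.g. "Machine" or "Template=VPN Access(...), ..."
        }
    }
    return $null
}

function Test-AutoEnrolledCertificate {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation,
        [string]$TemplateName,
        # Server Authentication and Client Authentication, as issued by the Computer template.
        [string[]]$RequiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open('ReadOnly')
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            $template = Get-TemplateName -Cert $cert
            if (-not $template -or $template -notlike "*$TemplateName*") { continue }

            $problems = @()
            if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
            if ($cert.NotAfter -lt $now)  { $problems += 'expired' }

            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
            }
            foreach ($oid in $RequiredEku) {
                if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" }
            }
            # Verify() builds the chain to a trusted root and performs revocation checking.
            if (-not $cert.Verify()) { $problems += 'chain does not validate (untrusted root or revocation failure)' }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Template   = $template
                Usable     = ($problems.Count -eq 0)
                Problems   = ($problems -join '; ')
            }
        }
    } finally {
        $store.Close()
    }
}

# Computer certificate: force the computer Group Policy refresh, then check the Local Computer store.
gpupdate /target:computer /force | Out-Null
$machineCerts = @(Test-AutoEnrolledCertificate -StoreLocation LocalMachine -TemplateName 'Machine')

# User certificate: EAP-TLS checks Client Authentication on the user side, so require only that EKU.
gpupdate /target:user /force | Out-Null
$userCerts = @(Test-AutoEnrolledCertificate -StoreLocation CurrentUser -TemplateName 'VPN Access' `
    -RequiredEku @('1.3.6.1.5.5.7.3.2'))

($machineCerts + $userCerts) | Format-Table Subject, Template, NotAfter, Usable, Problems -AutoSize

if (-not ($machineCerts | Where-Object { $_.Usable })) {
    Write-Warning 'No usable computer certificate found; L2TP/IPSec cannot establish the IPSec security association.'
}
if (-not ($userCerts | Where-Object { $_.Usable })) {
    Write-Warning 'No usable user certificate found; EAP-TLS authentication will fall back or fail.'
}
```

Run the script in an elevated session on a domain member after the policy change has replicated; a certificate that is present but reported as not usable (most often because the private key is missing after a botched import, or because the issuing CA’s root is not in Trusted Root Certification Authorities on that computer) is the usual reason an L2TP/IPSec connection fails with a certificate error even though enrollment appeared to succeed.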

Using a Web Browser to Request a User Certificate

Requesting a certificate via the Web, also known as Web enrollment, is done with Microsoft Internet Explorer. For the address, type http://servername/certsrv, where servername is the computer name of the Windows 2000 Server or the Windows Server 2003 CA that is also running IIS. A Web-based wizard takes you through the steps of requesting a certificate. To store the requested certificate in the Current User store, ensure that the Store Certificate In The Local Computer Certificate Store check box is cleared when performing an Advanced Certificate Request. By default, this option is disabled, and certificates are stored in the Current User store.

The same warning applies as in the previous section on computer certificates: use https to secure these operations once you have the system functioning. The issuing CA must support Web enrollment of certificates. You can use Web enrollment with either an enterprise or stand-alone CA.

Using the Certificates Snap-In to Request a User Certificate

If you are using a Windows Server 2003 enterprise CA as an issuing CA, you can request a user certificate from the Certificates snap-in. This is the preferred method for environments without Active Directory, for those using operating systems previous to Windows XP or Windows Server 2003, and for those using imaging as a deployment tool.

To request a certificate to store in the Current User store

  1. In the console tree of the Certificates snap-in, open the Certificates-Current User folder.

  2. Right-click the Personal folder, point to All Tasks, and then click Request New Certificate.

A Certificate Request Wizard guides you through the steps of requesting a certificate.

Importing a User Certificate Using the Certificates Snap-In

If you have a certificate file that contains a user certificate, import the user certificate from the Certificates snap-in. This is the preferred method for noncorporate computers that need a corporate certificate for remote access and where Web-based enrollment is not a desired solution.

To import a certificate to store in the Current User store

  1. Open the Certificates-Current User folder.

  2. Right-click the Personal folder, point to All Tasks, and then click Import.

A Certificate Import Wizard will guide you through the steps of importing a certificate from a certificate file.

Executing a CAPICOM Script That Requests a User Certificate

In this method, each user must execute a CAPICOM script that requests a user certificate from the issuing CA. See the “Executing a CAPICOM Script That Requests a Computer Certificate” section earlier in this chapter for more information on CAPICOM scripting.
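The snap-in and CAPICOM sections above (for both computer and user certificates) describe requesting a certificate from an enterprise CA one computer or user at a time, which is the case that matters for imaged systems and for nonmanaged computers. The following PowerShell function is an added example and not code from the book; it uses certreq.exe, which ships with Windows and is a different tool from CAPICOM, to drive the same request from a script. The CA configuration string “CA01.corp.example.com\Corp Issuing CA” and the template internal names “Machine” and “VPNAccess” are placeholders; “VPNAccess” assumes the template created in the user procedure kept the default internal name derived from the display name “VPN Access”.

```powershell
# Added example (not from the book): scripted certificate request with certreq.exe,
# the command-line alternative to clicking through the Certificate Request Wizard.
# Placeholders: CA config string and template internal names; adjust to your CA.

function Request-EnterpriseCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CAConfig,   # "<CA host FQDN>\<CA common name>", as shown by certutil -dump
        [Parameter(Mandatory = $true)][string]$Template,   # internal template name, e.g. Machine or VPNAccess
        [Parameter(Mandatory = $true)][string]$Subject,    # e.g. CN=vpnclient01.corp.example.com
        [switch]$MachineKey                                 # computer certificate: key and cert go to the Local Computer store
    )
    $work = Join-Path $env:TEMP ('certreq-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    $inf = Join-Path $work 'request.inf'
    $req = Join-Path $work 'request.req'
    $cer = Join-Path $work 'issued.cer'

    # certreq INF. MachineKeySet=TRUE places the key pair (and later the certificate) in the
    # Local Computer store, which is what L2TP/IPSec requires. Exportable=FALSE keeps a copied
    # disk image from carrying the private key to another host. For templates whose subject is
    # built from Active Directory information, the enterprise CA replaces the Subject given here.
    $machineKeySet = if ($MachineKey) { 'TRUE' } else { 'FALSE' }
    @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = $machineKeySet
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    # Generate the key pair and the PKCS #10 request.
    & certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

    # Submit to the CA. If the CA is set to manual approval the request stays pending and no
    # .cer is written; it must then be retrieved later with certreq -retrieve.
    & certreq.exe -submit -config $CAConfig $req $cer | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        throw "certreq -submit did not return a certificate (exit code $LASTEXITCODE); request may be pending"
    }

    # Bind the issued certificate to the private key that -new created in the chosen store.
    & certreq.exe -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
    Remove-Item -Recurse -Force $work

    # Return the store entry (with HasPrivateKey) rather than the bare .cer file.
    $location = if ($MachineKey) { 'LocalMachine' } else { 'CurrentUser' }
    Get-ChildItem "Cert:\$location\My" | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
}

# Computer certificate for L2TP/IPSec; must run elevated because it writes the Local Computer store.
Request-EnterpriseCertificate -CAConfig 'CA01.corp.example.com\Corp Issuing CA' -Template Machine `
    -Subject "CN=$env:COMPUTERNAME.$env:USERDNSDOMAIN" -MachineKey

# User certificate for EAP-TLS; runs as the user and lands in the Current User store.
Request-EnterpriseCertificate -CAConfig 'CA01.corp.example.com\Corp Issuing CA' -Template VPNAccess `
    -Subject "CN=$env:USERNAME"
```

Because the request goes straight to the enterprise CA over DCOM with the caller’s domain credentials, the template’s Enroll permission (Domain Users for the VPN Access template created above) is what decides whether the request is honored, so this path does not require the IIS Web enrollment pages or the https hardening the Web enrollment sections call for.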




Deploying Virtual Private Networks With Microsoft Windows Server 2003
Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
Year: 2006
Pages: 128