CA auditing, 637–40
capabilities, 637
categories, 637–38
settings, 638
See also Certification authorities (CAs)
CA certificate wizard, 635–36
CA installation modes, 447–50
automated certificate enrollment support, 449
centralized key archival, 450
certificate and CRL publication, 450
certificate request approval, 449
comparing, 448–50
information retrieval of requests, 449
installation requirements, 448
use of certificate templates, 448–49
See also Certification authorities (CAs)
CAPICOM automation object, 560
CAPImon tool, 459
CAPolicy.inf file, 532
defining trust constraints with, 528–32
sample, 535–36
section header/tags, 533–35
syntax, 532–35
use example, 532
See also Policy.inf file
CA trust definition, 541–42
Centralized user management solutions, 286–96
NIS/LDAP gateway, 286
nss_ldap, 287–88
pam_Kerberos-centric approach, 290–92
pam_LDAP-centric approach, 290
pam_unix-centric approach, 288–89
Vintela Authentication Services (VAS), 292–95
Winbind, 295–96
Centralized user PKI trust management, 519–21
Enterprise Trust container, 519–20
NTAUTH AD store, 520
Root Certificate Update Service, 521
Trusted Root Certification Authorities container, 519
Certificate autoenrollment, 547–57
advanced options, 553–54
certificate deletion, 557
client-side code, 548
defined, 547
forcing, 551–52
functioning of, 554–57
functions, 547
manually forcing, 552
permissions, 549
process, 555, 556, 557
properties, setting, 550
setting up, 548–49
trigger, 554
use examples, 547–48
user, setting up, 549–51
verbose logging and, 557
See also Certificate enrollment
Certificate-based authentication, 223–39
certificate mapping, 229–31
certificate validation, 231–34
deployment considerations, 234–35
lock symbol, 224
protocols, 223
security services, 223–24
SSL setup, 225–29
See also Authentication
Certificate constraint extensions
application policies, 508–11
Basic Constraints, 504–5
issuance policies, 507–8
list of, 503
Name Constraints, 505–7
new, 504
Policy Constraints, 512–15
Policy Mappings, 511–12
Certificate enrollment, 546–68
autoenrollment, 547–57
certificate distribution/publication, 567–68
certificate generation, 566–67
certificate request creation, 563–65
defined, 546
fault tolerance, 631
interfaces, 557–63
key generation, 563
requestor identification, 565–66
starting manually, 546
Certificate Enrollment Control (CEC), 562–63
Certificate Export Wizard, 569
Certificate life cycle, 545–601
certificate distribution/publication, 567–68
certificate enrollment, 546–68
certificate expiry and lifetimes, 599–601
certificate generation, 566–67
certificate request generation, 563–65
certificate retrieval, 589
certificate revocation, 590–99
certificate validation, 580–88
data recovery, 579
illustrated, 6
key and certificate update, 589
key archival/recovery, 568–79
key generation, 563
overview, 545–46
requestor identification, 565–66
Certificate Managers, 629
Certificate policies (CPs), 608
defining, 609
focus, 608
questions answered by, 608–9
Certificate requests
content, 564
content, viewing, 564–65
generation, 563–65
Certificate revocation, 590–99
automated checking, 592–99
checking fault tolerance, 631
Netscape extensions, 598–99
PKA, checking support, 591–92
process, 590
reason codes, 590
Certificate revocation lists (CRLs), 581, 592–99
complete, 595–96
content, 597
delta, 596–98
layout, 597
publication intervals, 597, 619
publishing, of offline CA, 621
resigning, 631
viewing, 597
See also CRL distribution points (CDPs)
Certificate revocation trees (CRTs), 592
Certificates, 463–80
in autoenrollment process, 554–57
characteristics, 625–26
classifying, 475
client SSL/TLS, 228
distribution/publication, 567–68
EFS, 649
expiry, 599
format, 463
generation, 566–67
importing, 577
lifetimes, 600–601
many-to-one mapping, 230
mapping, 229–31
names, wildcards and, 227
renewing, 635
retrieval, 589
storage, 469–80
trusted root CA, 556
update, 589
validation, 231–34
validity period, 599–601
viewer, 463, 464
X.509, 231, 234
X.509 extensions, displaying, 581
Certificate Server, 444–52
architecture, 445–47
architecture illustration, 445
CA installation modes, 447–50
certsrv.exe, 445
core services, 445
entry module, 445
exit module, 446
intermediaries, 446–47
policy module, 445–46
registration authorities, 450–52
Certificate services event IDs, 639–40
Certificate stores, 469–80
classifying certificates in, 475
containers for user, machine, service principals, 473–74
logical, 473, 475–78
physical, 473, 478–80
Certificate templates, 456, 463–69
administering, 465
default, 466–68
defined, 464
for EFS operations, 649
list of, 467–68
offline, 466
properties, 469, 470–71
properties, issuance requirements, 553
smart card-related, 681
storage, 465
superseding, 554
use, 464
version 2, 465–66
version 2, setting application policies on, 530, 531
Certificate Trust Lists (CTLs), 469, 499
certificate chain processing, 586–87
trust, 587
Certificate validation, 580–88
cross-certification chain processing, 587–89
CTL certificate chain processing, 586–87
defined, 580
regular certificate chain processing, 582–86
steps, 580
Certification authorities (CAs), 9
AIA settings, 624–25
backup-restore, 632–35
configuration options, 618–31
container, 456
database, 574–76, 616–18
database installation options, 617
delegation, 626–30
enterprise, 451
fault tolerance, 631
hardware sizing, 612
installation options, 611, 613–14, 618
installation warning, 617
installation wizard, 616
keys and certificate, 614–15
multiple, 496–97
naming and certificate lifetime options, 615
naming conventions, 616
object permissions, setting, 627
offline, 612–13
preliminary planning, 612–13
private key, 630
properties, 637
revocation settings, 619–24
role, 614
role separation, 626–30
rollover, 635–37
root, 517
server hardening, 630–31
specifications of, 611–31
stand-alone, 451
trust definition overview, 541–42
trust domain, 496
See also CA auditing; CA installation modes
Certification practice statements (CPSs), 608
defined, 608
defining, 610
questions answered by, 609–10
Certreq, 641
Certsrv.exe, 445
Certutil tool, 458, 578
CA backup/restore-related switches, 635
important switches, 640–41
Chain processing
cross-certification, 587–89
CTL certificate, 586–87
examples, 583–84
regular certificate, 582–86
Chains
construction, 582–83
defined, 582
validation, 583–86
viewed from certificate properties, 585
Chrysalis HSM, 486–87
Luna CA, 486–87
Luna RA, 486
Cipher tool, 644
Clear signing, 674–75, 676
Client Licensor Certificate (CLC), 438
Client-side credential caching, 310–11
authentication, 310
with client-side scripting, 311
products, 311
SSO based on, 311
Cloneprincipal API, 358
Cmdkey operation, 324
Code Access Security (CAS), 393, 400–415
code group properties, 408
code groups, 404
concepts, 402–6
defined, 400
evidence types, 403
features, 401
.NET framework concepts, 401–2
permission resources, 405–6
permissions, 404–6
permission sets, 404–6
policies, 402–3
policy enforcement, 412–15
policy management, 406–8
policy types, 403
preconfigured permission sets, 407
SRPs comparison, 415–16
stack walk behavior, 413, 414, 415
technology power, 415
Code groups, 404
defined, 404
properties, 408, 410
See also Code Access Security (CAS)
COM
development framework, 421
execution engine, 412
Command line enrollment interface, 558
Common Internet File System (CIFS), 186
Common Language Runtime (CLR), 400
Communications security, 631
Complete CRLs, 595–96
Constrained delegation, 168–70
Constrained trust models, 502–15
application policies, 508–11
Basic Constraints, 504–5
issuance policies, 507–8
Name Constraints, 505–7
Policy Constraints, 512–15
Policy Mapping, 511–12
See also PKI trust models
Cookies, 241, 242
automatic handling, disabling, 249
Passport, 248–52
in Passport authentication sequence, 253, 254
“plain” ticket, 250
privacy alert, 249
profile, 251
ticket-granting, 250
types, 250
viewing, 248
Credential caching, 124–25
logon and, 124–25
storage, 124
Credential Manager, 319–24
components, 320
credential collection component, 320
credential store, 320
defined, 319
disable dialog boxes, 323
key ring, 320, 321
operation, 323
Credentials
client-side caching, 310–11
multiple, SSO architectures, 308–14
Passport, 245, 246, 247
password, 46–60
server-side caching, 312–14
single set, SSO architectures, 304–8
SSO, 300
use of, 46–49
Credential store, 320
Credential synchronization, 309–10
architecture use, 309
products, 310
CRL distribution points (CDPs), 581, 592–94, 620–24
of CA-issued certificates, 621
configuring, 594
defined, 592
defining, 622
defining, with replaceable parameter syntax, 623
flags, 594
functions, 593
internal namespaces and, 620
number of, 619
of offline CAs, 621
operation, 593
pointers, 592
testing, 595
type, 619
type support, 620
See also Certificate revocation lists (CRLs)
Cross-certification, 499, 500
chain processing, 587–88
defined, 587
download locations, 588
example, 588
Cross-certified trust relationships
defining, 521–27
example, 523
example steps, 524–27
issuance requirements, 525
scenarios, 523
setup, 522
Cross-realm trusts, 203–6
flexibility, 203
illustrated, 205
setup, 204
See also Interoperability
CryptoAPI, 459–63
architecture, 459–61
architecture illustration, 460
defined, 459
functions, 460
Cryptographic Service Providers (CSPs), 110, 459–63, 648, 680
defined, 461
embedding, 461
functions, 461
implementation, 461
Windows Server 2003/XP, 462
See also CryptoAPI