Working with Key Management Service | Microsoft Exchange 2000 Server Adminstrator's Companion

[Previous] [Next]

KMS is an advanced security tool in Exchange 2000 Server that protects data integrity through message encryption and digital signatures. It is an optional component of Exchange 2000 Server that works in close conjunction with Windows 2000 Certificate Services to provide a centralized PKI.

KMS installs its own CSP, which has an embedded Extensible Storage Engine (ESE) database that stores users' private keys so that only KMS has access to those keys. This is necessary, for instance, if a company's messaging is encrypted and an outside legal authority needs to look at certain messages. Having a copy of each user's private key stored inside the KMS ESE database allows users' messages to be decrypted and read.

Certificate Services generates the users' certificates based on requests from KMS and from servers as the trusted third party (TTP) for KMS. The certificate of the CA is embedded in all of the clients that are enrolled through the KMS and CA. This allows clients to trust each other's certificates because they are all issued under the same CA hierarchy.

Although it is the client that does most of the legwork for security, such as generating the signing key pair, storing the user's keys, reading Active Directory for other users' certificates, and performing both the encryption and decryption of messages, the most valuable tasks that KMS performs is key recovery. The KMS ESE database archives a user's encryption key pair but not the signing key pair. This precaution eliminates any potential for signature forgery by an administrator.

NOTE
Users' keys and certificates are stored in an encrypted .EPF file in Outlook 97 and earlier. Outlook 98 stores this information in the IE protected store, and Outlook 2000 stores it in the registry.

KMS Architecture
Figure 21-28 illustrates the KMS architecture. As you can see, Active Directory is used to store the trust lists, revocation lists, and user certificates. KMS communicates with Certificate Services through the CA's Policy module. It is the Policy module inside the CA that defines our certificates and the templates that are available for use by the KMS.

Figure 21-28. KMS architecture.

The figure also shows KMS's encrypted ESE database, in which users' encryption key pairs are archived. Part of the encryption scheme for these key pairs is the KMS startup password. There are no applications, at present, that can view the database. The entire object is encrypted.

The Exchange System snap-in controls what KMS can do and is also used to administer KMS. KMS is extended into Active Directory in the form of a Security tab added to the property sheet for each user account, allowing administrators to enroll users or revoke or recover their key pairs individually.

Before you can install KMS, you must be running Windows 2000 Server in your Exchange organization. This section assumes that you have both Windows 2000 and Exchange 2000 Server running in your environment. Neither Windows 2000 Server nor Exchange 2000 Server needs to be in native mode to install KMS.

NOTE
The Exchange 2000 Key Management Service is compatible with Key Management servers running Exchange Server 5.5 Service Pack 1. To upgrade an Exchange 5.5 Key Management server to Exchange 2000 Server, follow the same procedure you would for any non-KMS Exchange server. For more information on how to upgrade an Exchange Server 5.5 Key Management server to Exchange 2000 KMS, see the Microsoft Exchange 2000 Server Resource Kit (forthcoming from Microsoft Press).

To conduct a successful installation of KMS, you must take several different actions at specific times. We will cover these installation points first and then outline how to install KMS.

First you must install Exchange Certificate Templates after you have installed Windows 2000 Certificate Services but before you install Exchange 2000 KMS. Second know in advance where you want to place the startup password (we'll cover your options in a bit), since you will need to specify its location during the installation of KMS. And finally, after installing KMS, but before you request a certificate from the CA, be sure to grant Manage permissions to KMS.

Installing Exchange Certificate Templates

Before you can install KMS, you must have at least one enterprise CA that can issue Enrollment Agent (Computer), Exchange User, and Exchange Signature Only certificates. In the absence of this configuration, Exchange 2000 Server will not allow you to install KMS. If you attempt to do so, you'll see the message in Figure 21-29.

click to view at full size.

Figure 21-29. Installation error message for KMS.

To create an enterprise CA, right-click the Policy folder in the Certification Authority snap-in, point to New, and select Certificate To Issue. The dialog box shown in Figure 21-30 appears. In this dialog box, you can choose, by default, from the following templates:

User Signature Only

Smart Card User

Authenticated Session

Smart Card Logon

Code Signing

Trust List Signing

Enrollment Agent

Exchange Enrollment Agent (offline request)

Enrollment Agent (Computer)

IPSec

IPSec (offline)

Router (offline)

CEP Encryption

Exchange User

Exchange Signature Only

Figure 21-30. Choosing a certificate template.

Exchange 2000 Server uses three templates for issuing certificates to Exchange 2000 users and computers. The type of template depends on what the certificate will be used for. The Enrollment Agent (Computer) certificate allows KMS to issue certificates on behalf of Exchange Advanced Security users. The Exchange User certificate is used to encrypt mail and digital signatures. The Exchange Signature Only certificate is used for digital signatures only.

Installing KMS

To install KMS, first start the Microsoft Exchange 2000 Server Installation Wizard. In the Component Selection screen, change the install action next to Microsoft Exchange 2000 (the first selection) to Custom. The default is Typical.

Select Install next to Microsoft Exchange Key Management Service. Do the same for any other Exchange components you need, and then proceed with the Exchange installation. Make sure you also select Install next to the Microsoft Exchange System Management Tools. By default, these tools are installed with a Typical installation, but not with a Custom installation. You will be asked to select an administrative group to install KMS into (Figure 21-31). You can have only one instance of KMS per administrative group.

NOTE
If you want to install KMS on a computer that is currently running Exchange 2000 Server, select Change next to Microsoft Exchange 2000 in the Component Selection window. Then select Install next to Microsoft Exchange Key Management Service and click Next.

click to view at full size.

Figure 21-31. Selecting an administrative group in which to install KMS.

The next screen in the wizard asks if you would rather type the startup password manually each time you open the KMS management console or have the password written to either a floppy disk or hard disk (Figure 21-32). If you select manual entry, you'll need to write down the startup password that the installation wizard generates. If you elect to have the password written to a disk, you'll be responsible for securing the password and the disk to which it is written. Should any unauthorized person get access to of that disk, he or she would have complete access to KMS, possibly rendering your mission-critical data useless. After securing your password, you can proceed through the file-copying phase and then click Finish.

click to view at full size.

Figure 21-32. Selecting the startup password option.

REAL WORLD Changing the Location of Your KMS Password
When you install KMS, you're prompted to specify where you would like the KMS password saved. What you're really specifying is where you would like the Kmserver.pwd file to be saved. You choice is placed in the Windows 2000 registry. You can alter this registry entry if you would like to save the password in a secured folder instead of in its default location.

In the Registry Editor (Regedt32.exe), navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\KMServer, and then double-click MasterPasswordPath. In the String box, type the location where you want to store the password.

If you change this value to a blank, you will need to manually enter the KMS service password in the Startup parameter dialog box every time you start the KMS service.

Granting Manage Permissions to KMS

Once KMS has been installed, the next step is to add the Key Management server computer account to every Certificate Services server that will be issuing certificates to KMS. Then you must assign the Key Management server Manage permissions on the Certificate Services server. Otherwise, you will not be able to revoke certificates.

To grant Manage permissions to the Key Management server, open the Certification Authority snap-in, right-click the name of your CA, and then choose Properties. On the Security tab, shown in Figure 21-33, click Add.

Figure 21-33. Adding the KMS server account to the CA's security properties.

In Select Users, Computers, or Groups, select the computer name for every Key Management server in your organization, click Add, and then click OK. On the Security tab, select the computer names you have added, and then select the Allow check box to grant your Key Management servers Manage permissions. Figure 21-34 shows a server with these permissions.

Starting KMS

The next step is to start KMS. You do so in the Exchange System snap-in. When you start the snap-in, you'll notice that there is a new container, Advanced Security, under the administrative group into which you installed KMS (Figure 21-35). To start the KMS server, highlight the Advanced Security container, right-click the Key Manager object in the right pane, and choose Start. Either the password dialog box will pop up, and you'll need to enter the password that was given to you during the KMS installation, or you'll have made the kmserver.pwd file on the hard drive by having made the appropriate registry changes mentioned above or you will need to insert the disk containing the kmserver.pwd file. After you have successfully provided the password, KMS will start.

Figure 21-34. KMS server Indianapolis with Manage permissions.

click to view at full size.

Figure 21-35. Advanced Security container in the Exchange System snap-in.

Managing KMS

Now that your KMS server is up and running, you'll need to secure it and learn how to manage the server itself before turning your attention to how KMS issues certificates and works with your users to make their messaging more secure. In this section, we'll look at a number of small but important administrative tasks related to KMS itself.

Adding and Removing KMS Administrators

By default, the only Windows 2000 account allowed to administer KMS belongs to the person who installed KMS. It is highly possible that you'll want to include one or two other administrators in the list of those approved to administer KMS. To add or delete KMS administrators, start Exchange System, click the Advanced Security container, and then, in the details pane, right-click Key Manager and choose Properties. In the Key Management Service Login dialog box, type your administrator password, and then click OK.

NOTE
The default KMS administrator password is password. Remember that you have to reenter your password every time you perform a task or click on a tab in the KMS property sheet. This password is not the same as the account password. Thus, even though you might be logging on to KMS with your user name, the password you use to do so is different from your logon password in Active Directory.

On the Key Manager property sheet, display the Administrators tab (Figure 2136), and then click Add. In the Select User box, click one or more users who will have administrative privileges in KMS.

Figure 21-36. Administrators tab of the Key Manager property sheet.

In the Set Administrator Password field, type and retype a password for the user you selected, and then click OK. To remove an administrator, highlight the name on the Administrators tab, and then click Remove. Remember that if you add someone to the list of KMS administrators, that person will not be able to access the Advanced Security container in Exchange System until you run the Exchange Administration Delegation Wizard and grant that user Exchange administrator rights. At a minimum, an administrator will need these rights for the administrative group in which the Key Management server is located.

Changing the Administrator Password

As we noted in the previous section, the default administrator password is password. You should change the administrator password the first time you start KMS to make the server utility more secure. Whenever you add a KMS administrator, that person will be given his or her own administrator password. KMS administrators can change their passwords at any time.

NOTE
Do not confuse the KMS startup password with the administrator password. The KMS startup password is requested only when you attempt to start KMS.

To change an administrator password, start Exchange System. Click Advanced Security and then, in the details pane, right-click Key Manager and choose Properties. Display the Administrators tab. Select the administrator whose password you would like to change, and then click Change Password. Type the current password, and then type the new password. KMS passwords must be at least six characters long.

Setting Multiple Passwords for KMS Administrative Functions

Use the Passwords tab of the Key Manager property sheet (Figure 21-37) to configure multiple password policies. By default, all KMS operations require only one administrator password, but you can configure certain tasks to require authorization from more than one administrator. Depending on the sensitivity of the task, the number of required passwords can range from one up to the number of administrators listed on the Administrators tab minus one.

Figure 21-37. Passwords tab of the Key Manager property sheet.

In the Add/Delete Administrators, Edit Multiple Password Policies field, click the up arrow or enter the number of administrator passwords required to perform these functions. The default is 1 and the maximum limit is x - 1, where x is the total number of administrators. This way you are always able to accomplish KMS tasks, even if someone is out of the office. If needed, type in new values for the number of administrator passwords required to perform each of the tasks listed.

Changing the KMS Startup Password

Every time KMS is started, an administrator must enter the KMS service startup password. You can change both the startup password and its location to keep KMS secure. The location will either be a disk or a place where you write down the password. For example, you might need to change the password and the location if your KMS administrator has recently left the company and you'd like to keep your KMS service startup password as secure as possible.

To change the KMS startup password, start Exchange System. Click the Advanced Security container, right-click Key Manager, point to All Tasks, and choose Change Startup Password. In the Key Management Service Login dialog box, type the KMS password, and then click OK.

In the Change Startup Password dialog box (Figure 21-38), you can choose a location for your new startup password. To record the password manually, click Display This Password Once. This option is the default and is the more secure choice. If you select it, you must write the password down and keep it in a secure place. If you lose this password, you will not be able to start KMS.

Figure 21-38. Change Startup Password dialog box.

To store the new startup password on removable disks, click Write This Password To A Removable (Floppy) Disk And Create A Backup Copy. This option creates two copies of the password. You should store these disks in secure, separate places. Whenever you need to start KMS, one of these disks must be available.