OBJECTIVES

Security is all the rage right now, and rightly so. For many years, security was thought of as something that only certain networks needed. When security was planned for a network, more often than not it included only a weak solution that the company hoped would keep external intruders out of the network. No longer can networks be exposed to the Internet without a well-thought-out and layered defense plan. In this chapter, we examine a few of the tasks that you may address in your security plan: using digital certificates, using smart cards, auditing, monitoring event logs, and keeping your Windows computers up to date with the latest security updates.

Microsoft defines the "Planning, Implementing, and Maintaining Security Infrastructure" objectives as follows:

Configure Active Directory directory service for certificate publication.
- Although you do not have to perform any direct configuration of Active Directory to make Certificate Services function, you can configure some advanced tasks, such as certificate autoenrollment for your network's users and computers.

Plan a public key infrastructure (PKI) that uses Certificate Services.

- Identify the appropriate type of certificate authority to support certificate issuance requirements.
- Plan the enrollment and distribution of certificates.
- Plan for the use of smart cards for authentication.

Plan a framework for planning and implementing security.
- Being able to just sit back and watch the network run after implementing your security solution would be nice; however, this is not the case. You must maintain a constant watch over your network, examining many different aspects of it to determine what is occurring that should not be. By auditing and examining the event logs, you can quickly get a good idea of what is going on in your network for free, without the purchase of any advanced network monitoring tools. Also, without a change and configuration management document in place for your organization, you will likely find yourself in trouble should an ill-planned configuration change go awry.

Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
- In a perfect world, you would be able to install your server or client operating system and have it be perfect and perfectly secure right out of the box. Although Microsoft has made great progress toward meeting that ideal in Windows Server 2003, it's not quite a reality yet. Part of keeping an operating system secure involves identifying and applying updates as required. The combination of the Microsoft Baseline Security Analyzer (MBSA) and Software Update Services (SUS) makes this task easier for the Windows Server 2003 network administrator.

OUTLINE

- Introduction
- What's New in Windows Server 2003 Certificate Services?
- Planning a Windows Server 2003 Public Key Infrastructure (PKI)
- Introduction to the Public Key Infrastructure (PKI)
- Certificates
- Certificate Authorities (CAs)
- Initial Planning for the PKI
- Planning the CA Hierarchies
- Planning Certificate Revocation and Renewal
- Planning Certificate Template Usage
- Planning Appropriate Certificate Authority Types
- Enterprise Root CA
- Enterprise Subordinate CA
- Standalone Root CA
- Standalone Subordinate CA
- Installing and Configuring an Enterprise Root CA
- Configuring Active Directory for Certificate Publication
- Planning Certificate Enrollment and Distribution
- Configuring Certificate Autoenrollment and Renewal
- Using the Certificate Request Wizard and Certificate Renewal Wizard
- Using the Web Enrollment Web Pages
- Planning a Smart Card Solution
- Smart Card Distribution Requirements
- Smart Card Enrollment Options
- Smart Card User Education
- Smart Card Group Policy Options
- Planning and Implementing a Security Update Infrastructure
- Planning for Software Update Services
- Using the Microsoft Baseline Security Analyzer
- Maintaining a Security Update Infrastructure
- Planning a Security Framework
- Planning for Security Monitoring
- Planning for Change and Configuration Management
- Chapter Summary
- Apply Your Knowledge
- Exercises
- Review Questions
- Exam Questions
- Answers to Review Questions
- Answers to Exam Questions
- Suggested Readings and Resources

STUDY STRATEGIES
- Become familiar with the topics presented in this chapter, including Certificate Services, auditing, event logs, SUS, and MBSA. All these topics will be important as you plan and implement a security solution for your network.
- Get your hands dirty. The Step by Steps throughout this book provide plenty of directions and exercises, but you should go beyond these examples and create some of your own. If you can, experiment with each of the objectives to see how they work and why you would use each one.