Thursday, April 22, 2010

Lesson 10

Maintaining Network Health

Active Directory Certificate Services

The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component of Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows Public Key Infrastructure (PKI) for the authentication and authorization of users and devices.

PKI allows two parties that have never communicated with one another before to communicate securely, through the use of a mathematical technique called public key cryptography.

PKI certificates are managed through Certification Authorities (CAs), which are hierarchical: an organization can have many subordinate CAs that chain upward to a single root CA.

The Public Key Infrastructure
• CA (Certification Authority) is an entity that issues and manages digital certificates for use in a PKI.
• Digital certificate contains information about a particular user along with a public key, digital signatures and expiration dates.
• Digital signature is an electronic signature that proves the identity of the entity that signed a document with its private key.
• CPS (Certificate Practice Statement) describes how the CA manages certificates and keys.
• CRL (Certificate Revocation List) identifies certificates that have been revoked or terminated.
• Certificate templates are used by administrators to simplify the management and issuing of certificates.
• Smart cards are physical devices containing the digital certificate.
• Self-enrollment gives users the ability to request their own PKI certificates.
• Autoenrollment is only available in Windows Server 2003 or later installations.
• Recovery agent is used to recover keys where a hard drive has crashed and the user does not have a backup of the certificate.
• Key archival: most commercial CAs do not allow it at all.
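The chain to a root CA and the CRL described above can be checked from a client with the .NET X509Chain class. The following PowerShell script is an added example, not part of the lesson notes; it assumes the certificate to check is in the local machine's Personal store, that `PLACEHOLDER_THUMBPRINT` is replaced with a real thumbprint, and that the CRL distribution points of the issuing CAs are reachable from the host.

```powershell
# Added example (not from the lesson notes): build the certificate chain up to the
# root CA and check every certificate in it against its issuer's CRL.
# Assumptions: the certificate is in Cert:\LocalMachine\My and the CRLs are reachable.
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # replace with the thumbprint of the certificate to check

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs online and check the whole chain, not just the end-entity certificate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # NoFlag: an unreachable CRL or an untrusted root counts as a failure, not a warning.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $valid = $chain.Build($Certificate)

    # One row per certificate, leaf first and root CA last.
    $elements = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject  = $element.Certificate.Subject
            Issuer   = $element.Certificate.Issuer
            NotAfter = $element.Certificate.NotAfter
            Status   = (($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }

    [pscustomobject]@{
        Valid    = $valid
        Chain    = $elements
        # Overall problems, e.g. Revoked, RevocationStatusUnknown, UntrustedRoot, NotTimeValid
        Problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

$result = Test-CertificateChain -Certificate $cert
$result.Chain | Format-Table -AutoSize
if ($result.Valid) { 'Chain is valid and no certificate in it is revoked.' } else { $result.Problems }
```

Setting the revocation flag to EntireChain matters: a subordinate CA certificate can be revoked by the root just as an end-entity certificate can be revoked by the subordinate, and the default (ExcludeRoot on the leaf only) would miss that.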

The AD CS (Active Directory Certificate Services) server role consists of the following services and features:

• CAs (Certification Authorities)
• Web enrollment allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List.
• Online responder
• NDES (Network Device Enrollment Service) allows network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs.

• Standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.
• Enterprise CA integrates with an Active Directory domain; it can use templates to allow autoenrollment of digital certificates, and it stores the certificates themselves within the AD database.

Managing Certificate Enrollments

Certificate enrollment in Windows Server 2008 can be managed in a number of ways, depending on your needs.

In an Active Directory environment you can automate the distribution of PKI certificates by using the following features:
• Certificate templates can be used to automate the deployment of PKI certificates by controlling the security associated with each template:
o The Full Control ACL is reserved for administrators.
o The Read ACL
o The Write ACL should be set up as reserved for administrators.
o The Enroll ACL allows users to manually request certificates.
o The Autoenroll ACL means users are automatically issued certificates.

• Group Policy can be used to establish autoenrollment settings for an Active Directory Domain. The Certificate Services Client-Autoenrollment node includes the following settings:
o Enroll certificates automatically
o Do not enroll certificates automatically.
o If you select the option to enroll certificates automatically, you can also select one or more of the following settings:
▪ Renew expired certificates, update pending certificates and remove revoked certificates.
▪ Update certificates that use certificate templates.
▪ Expiration notification, to notify when a certificate has only a certain percentage of its lifetime remaining.
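Because the Enroll and Autoenroll ACLs decide who receives certificates without administrator intervention, and the Write and Full Control ACLs decide who can change the template itself, it is worth reviewing the ACL of every template periodically. The following PowerShell script is an added example, not from the lesson notes; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), PowerShell 3.0 or later, and read access to the Configuration partition. The two GUIDs are the well-known Active Directory extended rights Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example (not from the lesson notes): report who holds Enroll, Autoenroll,
# Write or Full Control on each certificate template, so that Write and Full Control
# can be confirmed as reserved for administrators.
# Assumes the ActiveDirectory module, PowerShell 3.0+ and read access to the Configuration partition.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# True when every bit of the named right is present in the granted rights.
function Test-Right {
    param([System.DirectoryServices.ActiveDirectoryRights] $Granted, [string] $Name)
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]$Name
    return (([int]$Granted -band [int]$wanted) -eq [int]$wanted)
}

function Get-TemplateAccessSummary {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties nTSecurityDescriptor

    foreach ($template in $templates) {
        foreach ($ace in $template.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = @()

            # Full Control, or Write (security descriptor, owner, or every property).
            if (Test-Right $ace.ActiveDirectoryRights 'GenericAll') {
                $rights += 'FullControl'
            } elseif ((Test-Right $ace.ActiveDirectoryRights 'WriteDacl') -or
                      (Test-Right $ace.ActiveDirectoryRights 'WriteOwner') -or
                      ((Test-Right $ace.ActiveDirectoryRights 'WriteProperty') -and $ace.ObjectType -eq [guid]::Empty)) {
                $rights += 'Write'
            }

            # Enroll / Autoenroll are extended rights: either the specific GUID or
            # an empty GUID, which grants all extended rights on the object.
            if (Test-Right $ace.ActiveDirectoryRights 'ExtendedRight') {
                if ($ace.ObjectType -eq $EnrollGuid     -or $ace.ObjectType -eq [guid]::Empty) { $rights += 'Enroll' }
                if ($ace.ObjectType -eq $AutoEnrollGuid -or $ace.ObjectType -eq [guid]::Empty) { $rights += 'Autoenroll' }
            }

            if ($rights.Count -gt 0) {
                [pscustomobject]@{
                    Template = $template.Name
                    Identity = $ace.IdentityReference.Value
                    Rights   = ($rights -join ',')
                }
            }
        }
    }
}

# Full report, then only the entries that should be limited to administrator groups.
Get-TemplateAccessSummary | Sort-Object Template, Identity | Format-Table -AutoSize
Get-TemplateAccessSummary | Where-Object { $_.Rights -match 'FullControl|Write' } | Format-Table -AutoSize
```

The second listing is the one to compare against the rule in the notes: every identity that appears there with Write or Full Control should be an administrative group; anything else is a template that a non-administrator could modify.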

In a non-Active Directory environment, clients can enroll manually for certificates using either the Certificate Request Wizard or Certification Authority Web Enrollment, where users manually create a certificate request.
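A third way to enroll manually, from the command line rather than the wizard or the Web page, is certreq, which ships with Windows. The following PowerShell session is an added example, not from the lesson notes; the CA configuration string `CA01.corp.example\Corp Issuing CA`, the subject `web01.corp.example` and the template name `WebServer` are placeholders to replace with your own values.

```powershell
# Added example (not from the lesson notes): manual certificate enrollment with certreq.
# Placeholders: the CA config string, the subject name and the template name.
$caConfig = 'CA01.corp.example\Corp Issuing CA'   # "<CA host>\<CA common name>"; see certutil -dump

# 1. Describe the request in an INF file. MachineKeySet puts the key in the computer's
#    store and Exportable = FALSE keeps the private key from being exported later.
@"
[NewRequest]
Subject = "CN=web01.corp.example"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path .\web01.inf -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request file.
certreq -new .\web01.inf .\web01.req

# 3. Submit the request. An enterprise CA issues immediately when the requester holds
#    the template's Enroll right; a standalone CA leaves the request pending until an
#    administrator issues it in the Certification Authority console. In the pending case
#    certreq prints a RequestId; retrieve the certificate afterwards with
#    certreq -retrieve -config $caConfig <RequestId> .\web01.cer
certreq -submit -config $caConfig .\web01.req .\web01.cer

# 4. Install the issued certificate and bind it to the private key generated in step 2.
certreq -accept .\web01.cer
```

KeyUsage 0xA0 requests the digital signature and key encipherment usages, the pair a TLS server certificate needs; the template on an enterprise CA may override what the request asks for.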

CA Server Settings

• Key archival and recovery

• Maintainers of a Windows Server 2008 CA
o CA administrator has overall management of the CA.
o Certificate managers manage and issue certificates.
o Backup operators are able to back up and restore operating system files and folders.
o Auditors are able to read security logs.

Introducing Network Access Protection

Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or whether anti-virus signatures are up to date.

NAP can be configured with one of five built-in enforcement mechanisms:
• DHCP enforcement
• IPsec enforcement
• VPN enforcement
• 802.1X enforcement
• Terminal Services Gateway enforcement

The NAP client includes one or more System Health Agents (SHAs), which map to System Health Validators (SHVs) within the NAP server architecture.
