In this class
* Let's talk Security
* Lions and Tigers and Keys and Certificates
* Respect my Authority
* Security in networks is a huge area, but a good place to start is by using Certificate Services as a way to:
- Encrypt Data files
- Encrypt Remote communications
- Secure Email
- Secure Logons with Smart Cards
- Secure Servers with Network Access Protection (Require Certificates)
- Protect Data from Tampering
So, that's neat and all, but what is a Certificate?
* A Certificate is a file that contains:
- A public key for encryption
- A Digital Signature for identity verification
- A name, which can refer to a person, a computer or an organization.
- A validity period
- The location of a revocation center (Usually a URL)
* It's used both to encrypt files and communications and to prove identity.
* A certificate is generated by a certificate authority (that's a CA if you're cool) using a Private key, which is part of a whole Public Key Infrastructure (PKI).
The Certificates have to come from somewhere
1) Server 2008 Standalone Certificate Authority
2) Server 2008 Enterprise Certificate Authority (Integrated into AD)
3) Third party Certificate Authority (e.g. VeriSign, etc.)
* Certificate Authority (CA) servers that generate certificates are called "Root CAs"
* Certificates are generated from one of these three types of certificate authority and then passed on to users, devices, other servers and so on.
* Certificate authorities can also provide verification of a user's or organization's identity with online responder services.
Multiple Tiers provide Multiple levels of protection
* Usually you'll have more than one machine actually doing certificate services.
* With a Standalone CA, you will create certificates and then pass them off to issuing servers. Then you will take the standalone offline.
* Pretty much all the work is done manually with a standalone CA. You can't just have it autoenroll users.
Enterprise CAs stay online, and need to be highly available
* With an Enterprise CA, it stays online all the time and is integrated with AD.
* Enterprise CAs can assign certificates automatically to users in AD using autoenrollment.
* At least a second tier is still a good idea, and you may have more depending on your security needs.
CRLs, NDES, and ORs - Could I vague it up even more?
* When a certificate is presented by a user attempting to access an encrypted file (or whatever else has been secured), the certificate is checked against a Certificate Revocation List (CRL) by a Certificate Authority to make sure it hasn't been revoked.
* An Online Responder (OR) can be used in place of a Certificate Authority server. An Online Responder (*new* in Server 2008) doesn't need to check the certificate against an entire CRL, and instead just checks to see if that certificate is valid. It's much faster and more efficient.
* Network Device Enrollment Service (NDES) allows you to include routers and switches in your PKI hierarchy if you really think you need it.
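As an added example (not part of the original class notes), here is how to look at the fields a certificate carries and then have Windows walk the chain back to the Root CA with a revocation check (CRL or Online Responder, whichever the certificate's URLs point to). It assumes a certificate is already in the local machine's Personal store; the "first certificate" choice is just a placeholder.

```powershell
# Added example, not from the original notes. Assumes PowerShell on a domain-joined
# Windows box with at least one certificate in Cert:\LocalMachine\My.

# Placeholder choice: grab the first certificate in the machine "Personal" store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1

# The name, issuing CA and validity period described in the notes
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# The public key carried in the certificate
$cert.PublicKey.Oid.FriendlyName      # e.g. RSA
$cert.PublicKey.Key.KeySize           # e.g. 2048

# Where the CA says revocation can be checked:
#   2.5.29.31          = CRL Distribution Points (where to fetch the CRL)
#   1.3.6.1.5.5.7.1.1  = Authority Information Access (holds the OCSP / Online Responder URL)
foreach ($ext in $cert.Extensions) {
    if ('2.5.29.31', '1.3.6.1.5.5.7.1.1' -contains $ext.Oid.Value) {
        "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true)
    }
}

# Build the chain up to the Root CA and require an online revocation check
# on every certificate in it, not just the leaf
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)

if ($ok) {
    "Chain valid. Path to root:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    # Typical failures: Revoked, RevocationStatusUnknown (CRL/OCSP unreachable), NotTimeValid
    "Chain failed:"
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation }
}
```

If the CRL or Online Responder cannot be reached you get RevocationStatusUnknown rather than a clean pass, which is exactly why the notes stress keeping the issuing tier and responder highly available.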
AD CS in a Nutshell
* AD Certificate Services allow you to secure just about anything in your network.
* You need at least one Root CA to create certificates, and will probably have other subordinate servers issue them out to protect your Root CA from getting abused.
* Certificate Revocation Lists allow for validation of certificates by a CA server when they are used, but the new Online Responder service available in AD CS as of Server 2008 is faster and more efficient.
* The new Network Device Enrollment Service (NDES) allows you to include switches and routers in your PKI as well.