• Chapter 1. Installing and Configuring Windows Server 2003
  • software development Company Server 2003
  • Chapter 1. Installing and Configuring Windows Server 2003
  • New Features in Windows Server 2003
  • Best Practices
  • Moving Forward
  • Version Comparisons
  • Hardware Recommendations
  • Installation Checklist
  • Functional Overview of Windows Server 2003 Setup
  • Installing Windows Server 2003
  • Post Setup Configurations
  • Functional Description of the Windows Server 2003 Boot Process
  • Correcting Common Setup Problems
  • Chapter 2. Performing Upgrades and Automated Installations
  • New Features in Windows Server 2003
  • NT4 Upgrade Functional Overview
  • Upgrading an NT4 or Windows 2000 Server
  • Automating Windows Server 2003 Deployments
  • Moving Forward
  • Chapter 3. Adding Hardware
  • New Features in Windows Server 2003
  • Functional Description of Windows Server 2003 Architecture
  • Overview of Windows Server 2003 Plug and Play
  • Installing and Configuring Devices
  • Troubleshooting New Devices
  • Moving Forward
  • Chapter 4. Managing NetBIOS Name Resolution
  • New Features in Windows Server 2003
  • Moving Forward
  • Overview of Windows Server 2003 Networking
  • Name Resolution and Network Services
  • Network Diagnostic Utilities
  • Resolving NetBIOS Names Using Broadcasts
  • Resolving NetBIOS Names Using Lmhosts
  • Resolving NetBIOS Names Using WINS
  • Managing WINS
  • Disabling NetBIOS-over-TCP/IP Name Resolution
  • Chapter 5. Managing DNS
  • New Features in Windows Server 2003
  • Configuring a Caching-Only Server
  • Configuring a DNS Server to Use a Forwarder
  • Managing Dynamic DNS
  • Configuring Advanced DNS Server Parameters
  • Examining Zones with Nslookup
  • Command-Line Management of DNS
  • Configuring DHCP to Support DNS
  • Moving Forward
  • Overview of DNS Domain Structure
  • Functional Description of DNS Query Handling
  • Designing DNS Domains
  • Active Directory Integration
  • Configuring DNS Clients
  • Installing and Configuring DNS Servers
  • Configuring Secondary DNS Servers
  • Integrating DNS Zones into Active Directory
  • Chapter 6. Understanding Active Directory Services
  • New Features in Windows Server 2003
  • Active Directory Support Files
  • Active Directory Utilities
  • Bulk Imports and Exports
  • Moving Forward
  • Limitations of Classic NT Security
  • Directory Service Components
  • Brief History of Directory Services
  • X.500 Overview
  • LDAP Information Model
  • LDAP Namespace Structure
  • Active Directory Namespace Structure
  • Active Directory Schema
  • Chapter 7. Managing Active Directory Replication
  • New Features in Windows Server 2003
  • Replication Overview
  • Detailed Replication Transaction Descriptions
  • Designing Site Architectures
  • Configuring Inter-site Replication
  • Controlling Replication Parameters
  • Special Replication Operations
  • Troubleshooting Replication Problems
  • Moving Forward
  • Chapter 8. Designing Windows Server 2003 Domains
  • New Features in Windows Server 2003
  • Design Objectives
  • DNS and Active Directory Namespaces
  • Domain Design Strategies
  • Strategies for OU Design
  • Flexible Single Master Operations
  • Domain Controller Placement
  • Moving Forward
  • Chapter 9. Deploying Windows Server 2003 Domains
  • New Features in Windows Server 2003
  • Preparing for an NT Domain Upgrade
  • In-Place Upgrade of an NT4 Domain
  • In-Place Upgrade of a Windows 2000 Forest
  • Migrating from NT and Windows 2000 Domains to Windows Server 2003
  • Additional Domain Operations
  • Moving Forward
  • Chapter 10. Active Directory Maintenance
  • New Features in Windows Server 2003
  • Loss of a DNS Server
  • Loss of a Domain Controller
  • Loss of Key Replication Components
  • Backing Up the Directory
  • Performing Directory Maintenance
  • Moving Forward
  • Chapter 11. Understanding Network Access Security and Kerberos
  • New Features in Windows Server 2003
  • Windows Server 2003 Security Architecture
  • Security Components
  • Password Security
  • Authentication
  • Analysis of Kerberos Transactions
  • MITv5 Kerberos Interoperability
  • Security Auditing
  • Moving Forward
  • Chapter 12. Managing Group Policies
  • New Features in Windows Server 2003
  • Group Policy Operational Overview
  • Managing Individual Group Policy Types
  • Moving Forward
  • Chapter 13. Managing Active Directory Security
  • New Features in Windows Server 2003
  • Overview of Active Directory Security
  • Using Groups to Manage Active Directory Objects
  • Service Accounts
  • Using the Secondary Logon Service and RunAs
  • Using WMI for Active Directory Event Notification
  • Moving Forward
  • Chapter 14. Configuring Data Storage
  • New Features in Windows Server 2003
  • Functional Description of Windows Server 2003 Data Storage
  • Performing Disk Operations on IA32 Systems
  • Recovering Failed Fault Tolerant Disks
  • Working with GPT Disks
  • Moving Forward
  • Chapter 15. Managing File Systems
  • New Features in Windows Server 2003
  • Overview of Windows Server 2003 File Systems
  • NTFS Attributes
  • Link Tracking Service
  • Reparse Points
  • File System Recovery and Fault Tolerance
  • Quotas
  • File System Operations
  • Moving Forward
  • Chapter 16. Managing Shared Resources
  • New Features in Windows Server 2003
  • Functional Description of Windows Resource Sharing
  • Configuring File Sharing
  • Connecting to Shared Folders
  • Resource Sharing Using the Distributed File System (Dfs)
  • Printer Sharing
  • Configuring Windows Server 2003 Clients to Print
  • Managing Print Services
  • Moving Forward
  • Chapter 17. Managing File Encryption
  • New Features in Windows Server 2003
  • File Encryption Functional Description
  • Certificate Management
  • Encrypted File Recovery
  • Encrypting Server-Based Files
  • EFS File Transactions and WebDAV
  • Special EFS Guidelines
  • EFS Procedures
  • Moving Forward
  • Chapter 18. Managing a Public Key Infrastructure
  • New Features in Windows Server 2003
  • Moving Forward
  • PKI Goals
  • Cryptographic Elements in Windows Server 2003
  • Public/Private Key Services
  • Certificates
  • Certification Authorities
  • Certificate Enrollment
  • Key Archival and Recovery
  • Command-Line PKI Tools
  • Chapter 19. Managing the User Operating Environment
  • New Features in Windows Server 2003
  • Side-by-Side Assemblies
  • User State Migration
  • Managing Folder Redirection
  • Creating and Managing Home Directories
  • Managing Offline Files
  • Managing Servers via Remote Desktop
  • Moving Forward
  • Chapter 20. Managing Remote Access and Internet Routing
  • New Features in Windows Server 2003
  • Configuring a Network Bridge
  • Configuring Virtual Private Network Connections
  • Configuring Internet Authentication Services (IAS)
  • Moving Forward
  • Functional Description of WAN Device Support
  • PPP Authentication
  • NT4 RAS Servers and Active Directory Domains
  • Deploying Smart Cards for Remote Access
  • Installing and Configuring Modems
  • Configuring a Remote Access Server
  • Configuring a Demand-Dial Router
  • Configuring an Internet Gateway Using NAT
  • Chapter 21. Recovering from System Failures
  • New Features in Windows Server 2003
  • Functional Description Ntbackup
  • Backup and Restore Operations
  • Recovering from Blue Screen Stops
  • Using Emergency Management Services (EMS)
  • Using Safe Mode
  • Restoring Functionality with the Last Known Good Configuration
  • Recovery Console
  • Moving Forward
  • Who Should Read This Book
  • Who This Book Is Not For
  • Conventions
  • Acknowledgments
  • About the Author
  • About the Technical Reviewers
  • Index
  • Index A
  • Index B
  • Index C
  • Index D
  • Index E
  • Index F
  • Index G
  • Index H
  • Index I
  • Index J
  • Index K
  • Index L
  • Index M
  • Index N
  • Index O
  • Index P
  • Index Q
  • Index R
  • Index S
  • Index SYMBOL
  • Index T
  • Index U
  • Index V
  • Index W
  • Index X
  • Index Z
  • Preface
  • Previous Section Next Section

    Certificates

    In Diffie-Hellman and DSS key exchanges, a brand new cipher key is created for each session. This makes sense in applications like IPSec where a secure network communication link is established pretty much on an ad hoc basis. But what if you want to retain the key for later use, such as digital signatures? You need a way to transport the key securely and, just as importantly, you want to make sure that the key comes from an authorized issuer and has not been tampered with along the way.

    The data structure used to transport and validate keys is called a certificate. A certificate acts as a strongbox that protects the key while guaranteeing the identity of the issuer, the identity of the owner, and the purposes for which the key can be used. The certificate also contains additional information called extensions that streamline the validation process.

    A certificate cannot be forged because the issuing authority digitally signs it. The signature is applied to a hash of the certificate. This enables clients to validate the issuer's identity and check for tampering at the same time. The client decrypts the hash using the issuer's public key and then compares the result to a separate hash it performs on the certificate. If the results match, the certificate is valid.

    In Windows Server 2003, Windows XP, and Windows 2000, certificates are handled by the Data Protection API. Certificates issued to a client are stored in the Registry and Active Directory. The keys are stored on disk. Certificates can also be stored in smart cards. This eliminates the vulnerability of on-disk key storage. You can view the certificates issued to you as a PKI client with the Certificates snap-in. There is no pre-built console for this snap-in, so you must load it into an empty console using the FILE | ADD/REMOVE SNAP-IN option in the MMC menu. Figure 18.3 shows the general details of a certificate.

    Figure 18.3. General details of a certificate viewed with the Certificates snap-in.

    graphics/18fig03.gif

    A certificate contains the following items (some are optional):

    • Issued By. The Certification Authority (CA) that issued the certificate. By default, a copy of the public-key certificate is stored in the CA database. A Windows Server 2003 CA can also retain private key certificates.

    • Issued To. The entity that obtained the certificate. In a Windows Server 2003 PKI, computer names can be formatted with the computer's flat name or its fully qualified domain name. If the recipient is a user, the name can be the user's logon ID, User Principal Name (UPN), or Distinguished Name (DN).

    • Intended Uses (OID). A certificate has one or more uses. You cannot issue a carte blanche certificate for every purpose. The issuing CA stipulates the purposes based on an Object ID, or OID. An OID uses a dotted-decimal notation to show a hierarchy. For example, the OID 1.3.6.1.4.1.311.20.2.1 refers to the Enrollment Agent function. The OID is rooted at the ISO in Geneva (1), issued to an ISO recognized organization, the U.S. Department of Defense (1.3.6), and controlled by the Internet Assigned Naming Authority (1.3.6.1).

    • Version. The certificate version. Windows CA servers issue X.509 Version 3 certificates.

    • Serial Number. This is a sequential number assigned by the CA to the certificate. The number is unique and acts as a validity check.

    • Signature Algorithm. The hashing algorithm used to do the digital signature for the certificate. This is typically either SHA-1 or MD5 (RSA).

    • Issuer. This is the X.500 distinguished name of the issuing server—for example, cn = ca-1, o = company, l = phoenix, s = az, c = us, e = administrator@company.com.

    • Valid From. This is the issue date of the certificate.

    • Valid To. This important field defines the expiry date of the certificate. The CA determines how long to issue a certificate. Shorter intervals are more secure but require more work on the part of the clients.

    • Subject. This is the X.500 distinguished name of the certificate's owner.

    • Public Key. This data structure holds the public key itself.

    • CA Version. This is the number of times the authorization certificate for a particular issuing server has been renewed.

    • Subject Key Identifier. This important field contains an SHA-1 hash of the Public Key field used to uniquely identify the contents. This prevents tampering with the public key.

    • Certificate Template. This is a unique Microsoft extension that contains name of the template used by the CA to generate this certificate.

    • Key Usage. This field contains the OIDs of the purposes for the certificate.

    • Authority Key Identifier. Contains an SHA-1 hash of the public key of the issuing CA along with the distinguished name of the CA.

    • CRL Distribution Points (CDPs). Contains the identity of the CDPs listed by LDAP path, URL, and file share name.

    • Authority Information Access. Tells a client where to find the certificate of the issuing CA.

    • Thumbprint. A hash of the certificate used for positive identification.

    • Thumbprint Algorithm. The algorithm used to obtain the certificate hash.

    Certificate Documentation

    The contents and structure of a standard PKI certificate is defined by the ITU (International Telecommunications Union) in the X.509 standard. The most current standard, Version 3, was defined in 1995.

    The ITU works closely with the IETF (Internet Engineering Task Force) to make sure the standards match the current utilization. See RFC 2549, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile," for IETF documentation of the certificate contents and structure.

    Public key technology as it is used today was originally developed by RSA, and you can get documentation at its web site, www.rsalabs.com. The standard certificate structure is documented in PKCS#7 (P7B), "Cryptographic Message Syntax." RSA also documents certificate-handling mechanisms, including the following:

    • PKCS#10, Certification Request Syntax. This is not a certificate, as such, but a way of obtaining a certificate from a Certification Authority.

    • PKCS#11, Cryptographic Token Interface Syntax. This standard defines how to securely store certificates in hardware such as smart cards.

    • PKCS#12, Personal Information Exchange Syntax. This certificate type is designed to securely store and transfer private keys.

    Local Certificate Stores

    The certificates and keys obtained by a PKI client are stored in various places at the local client depending on their function. Windows abstracts the physical locations behind a logical store that can be viewed with the Certificates snap-in (see Figure 18.4). The logical stores are as follows:

    • Personal. This store holds certificates issued to the user, computer, and any services running on the computer. You can view computer and service certificates if you log on with administrator rights. The physical store is the Registry in HKLM | Software | Microsoft | SystemCertificates.

    • Trusted Root Certification Authorities. Contains certificates for root CAs and third-party root CAs that have been preloaded or downloaded by Windows Update. The physical store is the Registry and in Group Policies.

    • Intermediate Certification Authorities. Contains subordinate CA (and third-party subordinates) along with any Certificate Revocation Lists (CRLs).

    • Active Directory User Object. Contains certificates that have been copied to Active Directory.

    • Request. Shows submittals for certificates sent to a CA. Copies of the PKCS#10 requests are stored in the Registry.

    • Software Publishing Certificate (SPC). Computer clients use this store to hold certificates from Authenticode and other digital signing software. The physical store for SPC is the Registry.

    Figure 18.4. Certificate store shown in the Certificates snap-in.

    graphics/18fig04.jpg

      Previous Section Next Section