
    Certificate Enrollment

    A CA is a fussily bureaucratic beast. It will not issue certificates to just anyone. A client must submit its certificate request in a special format so that its identity can be quickly and reliably verified before its public key can be incorporated into a signed certificate. This process is called enrollment.

    The most popular format for submitting enrollment requests is the PKCS #10 Certification Request. See RFC 2986, "PKCS #10: Certification Request Syntax Version 1.7," for details about the contents of the request. (Documentation is also available at the RSA web site, www.rsalabs.com.) A PKCS #10 certificate request contains the following information:

    • Client's public key. This is the key the client wants the CA to countersign. Including the public key in clear text is not a problem because the public key was designed to be transmitted in the clear.

    • Client's distinguished name. This is the client's name in X.500 or LDAP format. For example, the DN of the Verisign trust network is OU = VeriSign Trust Network, OU = 1998 VeriSign, Inc. - For authorized use only, OU = Class 1 Public Primary Certification Authority - G2, O = VeriSign, Inc., C = US. An example of a DN for an Active Directory user would be a much less imposing cn=Jane User,ou=Phoenix,dc=Company,dc=com.

    • Digital signature. This is a hash of the certificate request encrypted with the client's private key. The private key itself is never transmitted on the wire. It stays securely situated in the user's local profile.

    • Hash method. This is the hashing algorithm used to create the digital signature. Microsoft PKI uses both MD5 and SHA-1.

    When a CA receives a PKCS #10 certification request, it uses the public key in the request to decrypt the digital signature in the request. (Something encrypted with one half of a key pair can only be decrypted with the other half.) If the decryption fails, the CA is forced to assume that a bad guy has intervened and fiddled with the certificate request and the request is discarded.

    If the CA can decrypt the digital signature, it then hashes the request using the same algorithm as that used by the client. If the resulting hash matches the hash in the decrypted signature, the user's identity is validated.

    The CA then digitally signs the user's public key and incorporates it into an X.509 certificate, which it returns to the client. The client distributes copies of this certificate to other entities for use in encrypting data sent to the client. The other entities, when presented with the client's X.509 certificate, validate it by checking the digital signature applied by the CA.
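    The PKCS #10 exchange just described, as an added example using Go's standard library (this is not code from the book or from Microsoft's PKI): the client builds a request carrying its public key, its DN and a signature made with its private key; the CA parses the request and checks the signature with the public key embedded in it, rejecting a request whose DN was altered in transit. The function names and the cn=Jane User,ou=Phoenix,dc=Company,dc=com subject are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}                       // cn
var oidOU = asn1.ObjectIdentifier{2, 5, 4, 11}                      // ou
var oidDC = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25} // dc (domainComponent)

// BuildRequest (client side): a DER PKCS #10 request holding the public key, the DN
// cn=Jane User,ou=Phoenix,dc=Company,dc=com (least specific RDN first) and a signature.
func BuildRequest(clientKey *rsa.PrivateKey) ([]byte, error) {
	subject := pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidDC, Value: "com"}, {Type: oidDC, Value: "Company"},
		{Type: oidOU, Value: "Phoenix"}, {Type: oidCN, Value: "Jane User"},
	}}
	tmpl := x509.CertificateRequest{Subject: subject, SignatureAlgorithm: x509.SHA256WithRSA}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, clientKey) // signs with the private key
}

// VerifyRequest (CA side): parse, then check the signature with the public key inside the request.
func VerifyRequest(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("request rejected: malformed: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request rejected: bad signature: %w", err)
	}
	return csr, nil
}

// TamperOU simulates an in-transit change to the signed DN ("Phoenix" becomes "Phoenex").
func TamperOU(der []byte) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte("Phoenix")); i >= 0 {
		out[i+5] = 'e'
	}
	return out
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := BuildRequest(key)
	_, genuineErr := VerifyRequest(der)
	_, tamperedErr := VerifyRequest(TamperOU(der))
	fmt.Println("genuine:", genuineErr, "| tampered:", tamperedErr)
}
```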

    Certificate Management Messages over CMS (CMC)

    For a long time, RSA Security owned the intellectual property rights to PKCS technology, which caused the PKIX working group of the IETF to fork off a separate PKI standard called the Certificate Management Protocol, or CMP. This standard is documented in two RFCs: RFC 2510, "Internet X.509 Public Key Infrastructure Certificate Management Protocols," and RFC 2511, "Internet X.509 Certificate Request Message Format."

    CMP is much more complex than the RSA key exchange method, but it also provides more features and corrects a couple of hypothetical vulnerabilities. The chief advantage of CMP, from a system administrator's perspective, is its support for the direct involvement of a Registration Authority that can hold copies of private keys in a secure form. In the event that a user loses his private keys, they can be re-issued.

    From the vantage point of a crypto professional, CMP is an improvement over RSA because of the nature of the PKI protocols it uses. CMP uses the Cryptographic Message Syntax (CMS) as documented in RFC 2530, "Cryptographic Message Syntax."

    Russ Housley and Tim Polk, the developers of CMS and CMP, have proposed a new protocol called Certificate Management Messages over CMS (CMC) that combines the best of RSA and CMP to produce a hybrid PKI solution. They document this protocol along with descriptions of the other major PKI components in RFC 2797 and in an outstanding book called Planning For PKI.

    Windows Server 2003, Enterprise Edition and Datacenter Edition support CMC enrollment for XP and Windows Server 2003 clients and PKCS #10 enrollment for Windows 2000 and other downlevel clients. Windows Server 2003, Standard Edition supports only PKCS #10 enrollment.

    Enrollment Functional Description

    Windows Server 2003 and XP computers and users automatically enroll when they log on to a domain that contains a Windows Server 2003 Enterprise CA. Windows 2000 users transparently enroll for an EFS certificate when they encrypt a file in a domain with an Enterprise CA. Clients can also use an MMC-based snap-in called Certificates to request certificates. Clients that do not have direct access to a CA can enroll via the web. All these methods use an ActiveX control called Xenroll.dll to accomplish the enrollment. Here are details of the transactions.


    Computers and users in a Windows Server 2003 domain are issued certificates automatically via group policies. This is configured using the Automatic Certificate Request Settings group policy located under Computer Configuration | Windows Settings | Security Settings | Public Key Policies.

    The auto-enrollment feature is controlled by an Autoenrollment Settings object at the root of the Public Key Policies folder. Figure 18.20 shows the Properties window for this policy.

    Figure 18.20. Autoenrollment Settings policy properties.


    The main option for the policy is to Enroll Certificates Automatically. You can optionally choose to renew and revoke certificates automatically and you can choose to update certificate template types automatically. The option to update the template type is important in a mixed environment because Windows 2000 clients cannot obtain certificates derived from Version 2 templates through auto-enrollment.

    Certificate Enrollment Using the Certificates Snap-In

    Windows 2000 clients can enroll for a Version 1 certificate using the Certificates snap-in. Windows XP and Server 2003 clients can enroll for a Version 2 certificate directly using the Certificates snap-in.

    For example, you can use the Certificates snap-in to obtain an Administrator certificate, which would permit you to do the following:

    • Digitally sign a certificate trust list

    • Encrypt data

    • Encrypt email messages

    • Digitally sign messages

    To request a new certificate, right-click the Personal | Certificates icon in the Certificates snap-in and select REQUEST NEW CERTIFICATE from the flyout menu. This opens a Certificate Request Wizard. Select the certificate type from the pick list. Figure 18.21 shows an example.

    Figure 18.21. Certificate Request Wizard showing list of available certificates.


    When the CA issues the certificate, a copy will be stored locally in the user's Registry and another copy stored in the user's Active Directory object.

    If you put the focus of the Certificates snap-in on the computer rather than the user account when you load it into an MMC console, you can request the domain controller and domain controller email replication certificates required to use SMTP for replication between sites.

    Web Enrollment

    Any client can request a certificate from a CA by using a web browser. You must be running IIS on your CA and you must install the web request feature. This installs a set of virtual directories from which clients download the ActiveX enrollment control, Xenroll, and which manage the enrollment process using either classic RSA PKCS #10 or the PKIX-standard CMC protocol.

    Web enrollment uses a virtual directory called CertSrv that points at Windows\System32\CertSrv. This directory holds ASP pages and other support files to aid in obtaining a certificate along with copies of the CA certificate for the server. Pending enrollment requests and issued certificates are stored securely in the CA database.

    Two other virtual directories support certificate enrollment: CertEnroll and CertControl. The CertEnroll directory holds the Certificate Revocation List (CRL), a digitally signed list of the certificates issued by the CA that are no longer in force. The CertControl directory holds the ActiveX controls used for enrolling web clients.

    An Enterprise CA server requires users to present domain credentials before permitting them to connect to the CertSrv web site. Standalone servers permit anonymous requests unless specifically configured to disallow them.

    An Advanced option in the web enrollment process permits you to submit an existing certificate for certification or to request a smart card certificate. To obtain a certificate from a web server, follow Procedure 18.2.

    Procedure 18.2 Enrolling for a Certificate Using the Web

    1. Connect to the CA via Internet Explorer 5.0 or later. Use the URL http://<server_name>/certsrv. You are greeted with a Welcome page that displays the request options (see Figure 18.22). The name of the CA server is displayed in the green bar at the top of the page.

      Figure 18.22. Web enrollment Welcome page.


    2. Click Request A Certificate. The next page lists one certificate option, a User certificate, with an Advanced Certificate Request option for obtaining a smart card certificate.

    3. Click User Certificate. The User Certificate - Identifying Information page opens.

    4. Click Submit. The CA processes the request then returns a Certificate Issued page.

    5. Click Install This Certificate. When the certificate request has been processed, a Certificate Installed page opens. You can use the Certificates snap-in to check for the presence of the certificate.
