June 06, 2005
Tuesday's Cabana Session
Just wanted to update everyone that David Cross will not be arriving until Wednesday, so Darren Canavor from Microsoft is stepping in to assist me with the PKI Deployment Cabana session. The time remains the same, 3:15 to 4:30 pm, in Track Cabana 16. We will be giving away one signed copy of my PKI book "Microsoft® Windows Server™ 2003 PKI and Certificate Security" to the person with the best question.
See you tomorrow!
Brian
Posted by at 05:04 PM | Comments (1)
June 03, 2005
Tech Ed in Orlando - Update on Sessions
Hi everyone,
Sorry for the delays in posting the last month, it has been hectic!
I just want to update everyone on my break-out and cabana sessions at Tech Ed.
Break-out Sessions
I am delivering one break-out session, SEC: 400 Managing a Smart Card Deployment, at Tech Ed on Wednesday June 8, 2005 from 3:45 - 5:00 PM in S200D. This session will discuss managing and planning a smart card deployment for your organization and will include details on current engagements that I am performing for MCS that deal with smart card deployments. If you are looking for additional documentation for your smart card deployment, take a look at these two excellent resources:
- FIPS PUB 201: Personal Identity Verification (PIV) of Federal Employees and Contractors (http://www.csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf). This document's goal is to "improve the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems". It provides some great examples of how to validate the identity of a smart card requester before issuing a smart card to that person.
- X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) (http://www.cio.gov/fpkipa/documents/fbca_cp_09-10-02.pdf). This document is a great resource for guidelines for deploying a Certification Authority that will be trusted by external resources. When looking for smart card resources within the documentation, focus on the discussions on the five assurance levels: rudimentary, basic, medium, high, and test. The document provides descriptions of the types of transactions relevant to each assurance level, the documentation required to validate a requester's identity, and what is required at certificate renewal.
Cabana Sessions
Cabana sessions are probably my favorite part of Tech Ed, as the content is driven by you, the attendees. A Cabana session takes place in a small section of the convention hall, where speakers and experts can field questions on the subject of the Cabana from the audience. At last year's show, Paul Adare (www.identit.ca/blogs/paul) used the white board extensively to answer the questions from the audience. I do not think anyone left disappointed. At this year's show, I will be taking part in two Cabana sessions:
- Q&A: PKI Deployment.
This session takes place in Track Cabana 16 on Tuesday June 6th, 2005 from 3:15 to 4:30 pm
This session will be co-hosted by David Cross, Microsoft's PKI Group Program Manager, and myself. David and I have written several white papers together and he was a great source of information and assistance for my PKI book "Microsoft® Windows Server™ 2003 PKI and Certificate Security" (http://www.microsoft.com/MSPress/books/6745.asp#AboutTheBook). David was the major contributor (say 90%) from the Microsoft PKI Team!
- Q&A: Smart card Deployment.
This session takes place in Track Cabana 16 on Thursday June 8th, 2005 from 1:30 to 2:45 pm
This session will be co-hosted by Paul Adare, IdentIT Inc.'s CTO, and myself. Paul and I have been involved in several smart card deployments over the last year and have lots of behind-the-scenes information for the attendees of the session.
See you at the show!
Brian
Posted by at 07:04 AM | Comments (0)
Common Questions about Certificate Templates
In the Windows Server 2003 PKI, there are two different types of certificate templates that you can work with. Version 1 certificate templates are certificate templates that also existed in the Windows 2000 PKI and can only have their permissions modified. You cannot change the content of the certificate (the format of the subject, the lifetime of the certificate, the uses of the certificate, etc.). You can, however, duplicate these version 1 templates, creating what is known as a version 2 certificate template. A version 2 certificate template allows you to modify the content and the permissions of the certificate template. It is impossible to create a version 2 certificate template from scratch. You must duplicate an existing version 1 or version 2 certificate template, so choose a certificate template that is close to the functionality that you require.
A version 2 certificate template can only be issued by an enterprise CA running on Windows Server 2003, Enterprise Edition. The most common mistake that I see is that the customer is trying to issue the version 2 certificate templates by an enterprise CA running Windows Server 2003, Standard Edition. The Standard Edition server is hard-coded to *not* issue version 2 certificate templates.
In addition, Windows Server 2003, Standard Edition should not be confused with a Windows Server 2003 standalone CA. A standalone CA, whether it is running on Windows Server 2003, Standard Edition or Windows Server 2003, Enterprise Edition does not use certificate templates at all when it issues certificates. Instead, the certificate content is based entirely on the information provided in the certificate request.
You can edit certificate templates from any Windows XP or Windows Server 2003 domain member computer, as long as you are logged in as a user who is assigned the Read and Write permissions for the specific template. To create new templates, you must be assigned Full Control permission on the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container and on the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.
Finally, when you attempt to enroll the version 2 certificate template, there are some restrictions on how you enroll them:
- Only users at Windows XP and Windows Server 2003 computers can enroll certificates based on version 2 certificate templates using the Certificate Request Wizard (from the Certificates MMC).
- Users with Windows 2000, Windows XP, and Windows Server 2003 client computers can enroll version 2 certificate templates using the Certificate Enrollment Web Pages.
- All client operating systems (Windows 98 and higher) can enroll certificates based on version 2 certificate templates by using scripting.
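A quick way to see which of your templates are version 1 and which are version 2, and which templates each enterprise CA is actually publishing, is to read the objects under CN=Public Key Services in the Configuration partition. The PowerShell script below is an added example (it is not from the original post and is not a Microsoft tool); it assumes a domain-joined Windows host, Read access to the containers named above, and WMI access to the CA hosts so it can flag the mistake described here: a version 2 template published on a CA whose host runs Standard Edition (or Small Business Server) will never be issued. The attribute names msPKI-Template-Schema-Version, certificateTemplates and dNSHostName are the real schema attributes; nothing is modified.

```powershell
# Added example, not from the original post. Lists certificate templates with their
# schema version, then lists the templates each enterprise CA publishes and flags
# version 2 templates published on a Standard Edition / Small Business Server CA.
# Assumes: domain-joined host, Read on the PKI containers, WMI access to CA hosts.

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiPath  = "CN=Public Key Services,CN=Services,$configNc"

# Template objects carry msPKI-Template-Schema-Version:
#   1 = version 1 template (Windows 2000 style, only permissions are editable)
#   2 = version 2 template (content and permissions editable, Enterprise Edition CA only)
$templateVersions  = @{}
$templateContainer = [ADSI]"LDAP://CN=Certificate Templates,$pkiPath"
foreach ($tpl in $templateContainer.Children) {
    $name = [string]$tpl.cn.Value
    $ver  = [int]$tpl.'msPKI-Template-Schema-Version'.Value
    $templateVersions[$name] = $ver
}

# Each pKIEnrollmentService object under Enrollment Services is an enterprise CA; its
# certificateTemplates attribute names the templates the CA is configured to issue.
$esContainer = [ADSI]"LDAP://CN=Enrollment Services,$pkiPath"
foreach ($ca in $esContainer.Children) {
    $caName = [string]$ca.cn.Value
    $caHost = [string]$ca.dNSHostName.Value

    # Edition of the CA host, read from WMI; the Caption names the edition.
    $edition = 'unknown'
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $caHost -ErrorAction SilentlyContinue
    if ($os) { $edition = $os.Caption }

    Write-Output "CA '$caName' on $caHost ($edition)"
    foreach ($tplName in @($ca.certificateTemplates)) {
        $ver  = $templateVersions[[string]$tplName]
        $note = ''
        if ($ver -eq 2 -and $edition -match 'Standard|Small Business') {
            $note = '  <-- version 2 template on a Standard Edition CA: it will not be issued'
        }
        Write-Output ("  {0,-40} v{1}{2}" -f $tplName, $ver, $note)
    }
}
```

Run it once from any domain member with no arguments. A template that appears in a CA's certificateTemplates list but not in the Certificate Templates container (so its version prints blank) points at a stale or mistyped template name on that CA.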
HTH,
Brian
Posted by at 06:38 AM | Comments (1)
April 30, 2005
Certificate Services and Windows Server 2003 Versions
In one of my most recent postings, I discussed the requirements to issue version 2 certificate templates. The topic clarified the fact that version 2 certificate templates can only be issued by enterprise CAs running on Windows Server 2003, Enterprise Edition. Today, I want to clarify what feature differences exist between Certificate Services running on Standard Edition vs. Enterprise Edition vs. Data Center Edition.
Standard Edition
An enterprise CA running on Windows Server 2003, Standard Edition is very similar in functionality to a Windows 2000 enterprise CA. The CA has the following functionality:
- Certificates based on version 1 certificate templates can be issued to users, computers, and network devices
- Version 2 certificate templates can be defined and created from the console.
- Certificates based on version 2 certificate templates cannot be issued to users, computers, and network devices
- Key archival, which requires version 2 certificate templates, cannot be implemented
- Autoenrollment is only supported for computer certificates. Autoenrollment is possible through the Automatic Certificate Request Settings (ACRS) Group Policy setting
- Both base CRLs and delta CRLs can be issued by the CA
- Cross-Certification certificates are recognized, but cannot be issued by the CA
- Auditing can be enabled for specific CA and Certificate management tasks
- Permissions can be assigned for role separation, but role separation cannot be enforced
- Certificate Services cannot be clustered for fault tolerance
Important: Small Business Server is the equivalent of a Windows Server 2003, Standard Edition server. This means that the restrictions on Certificate Services for Standard Edition are also relevant to Certificate Services on Small Business Server.
Enterprise Edition
An enterprise CA running on Windows Server 2003, Enterprise Edition has the following functionality:
- Certificates based on version 1 certificate templates can be issued to users, computers, and network devices
- Certificates based on version 2 certificate templates can be issued to users, computers, and network devices
- Key archival, which requires version 2 certificate templates, can be implemented for encryption certificates or for certificates that combine signing and encryption
- Autoenrollment is supported for computer certificates.
- Autoenrollment of version 1 certificate templates is possible for computer accounts through the Automatic Certificate Request Settings (ACRS) Group Policy setting
- Autoenrollment of version 2 certificate templates is possible for computer accounts through a combination of permissions and Group Policy settings
- Autoenrollment of version 2 certificate templates is possible for user accounts through a combination of permissions and Group Policy settings
- Both base CRLs and delta CRLs can be issued by the CA
- Cross-Certification certificates are recognized by the CA
- Cross-Certification certificates can be defined by using version 2 certificate templates and issued by the CA.
- Auditing can be enabled for specific CA and Certificate management tasks
- Permissions can be assigned for role separation
- Role separation can be enforced. If a user holds two or more of the following roles, they are blocked from all Certificate Services management: CA Administrator, Certificate Manager, Auditor, Backup Operator
- Certificate Services cannot be clustered for fault tolerance
Data Center Edition
An enterprise CA running on Windows Server 2003, Data Center Edition has the same functionality as an enterprise CA running on Enterprise Edition, with the following exception: Certificate Services can be clustered for fault tolerance. Of course, not many of us have the funds available to purchase two Data Center licenses.
So When Do I Use Each Server Type?
At my customers, I will typically use a combination of Standard Edition and Enterprise Edition.
- Standard Edition is used for all offline CA computers: Root CAs and Policy CAs.
- Enterprise Edition is used for all online CAs. The online CAs can take advantage of the Enterprise Edition feature set for Certificate Services, allowing more options for security and deployment.
- For demonstrations at conferences such as Tech Ed, I will typically use Enterprise Edition for all CAs in the CA hierarchy, as it makes it easier to use differencing disks in Virtual PC.
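The feature lists above map onto a handful of settings that live in the CA's registry configuration, so it is worth being able to read them off a CA in one go when you inherit a deployment or verify what you built. The PowerShell script below is an added example (not from the original post, not a Microsoft tool) that runs on the CA host itself with local Administrator rights and only reads: it reports the OS edition, the CA type, whether role separation is enforced, the audit filter, and the base and delta CRL publication periods, and warns when it finds the combination these posts caution against, an enterprise CA on Standard Edition or Small Business Server. The registry value names (Active, CAType, RoleSeparationEnabled, AuditFilter, CRLPeriod, CRLPeriodUnits, CRLDeltaPeriod, CRLDeltaPeriodUnits) are the values certutil -getreg exposes; the CAType meanings come from the CATYPES enumeration.

```powershell
# Added example, not from the original post. Run on the CA itself; read-only.
# Reports the Certificate Services settings that correspond to the edition feature
# lists: CA type, role separation, auditing, base/delta CRL periods, OS edition.
# Assumes local Administrator rights on the CA host.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # name of the active CA
$ca     = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
$os     = Get-WmiObject -Class Win32_OperatingSystem

# CAType values from the CATYPES enumeration. Standalone CAs (3, 4) do not use
# certificate templates at all; the content comes from the request.
$caTypes = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate'
              3 = 'Standalone Root';  4 = 'Standalone Subordinate' }

# Delta CRL publication is off when CRLDeltaPeriodUnits is 0.
$deltaCrl = if ([int]$ca.CRLDeltaPeriodUnits -gt 0) {
    "$($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)"
} else { 'disabled' }

$report = New-Object PSObject -Property @{
    CAName         = $caName
    OSEdition      = $os.Caption
    CAType         = $caTypes[[int]$ca.CAType]
    # Role separation can only be enforced on Enterprise / Data Center Edition.
    RoleSeparation = [bool]$ca.RoleSeparationEnabled
    # Bitmask of audited event categories; 127 audits all seven.
    AuditFilter    = $ca.AuditFilter
    BaseCRLPeriod  = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
    DeltaCRLPeriod = $deltaCrl
}
$report | Format-List

# The mistake the posts above describe: an enterprise CA on Standard Edition (or
# Small Business Server) cannot issue version 2 templates, so key archival and
# user autoenrollment are unavailable on it no matter how the templates are set.
$isEnterpriseCa = (0, 1) -contains [int]$ca.CAType
if ($isEnterpriseCa -and ($os.Caption -match 'Standard|Small Business')) {
    Write-Warning "Enterprise CA on '$($os.Caption)': version 2 templates will not be issued"
}
```

For an offline root or policy CA on Standard Edition the warning is expected and harmless, since those CAs are standalone and issue only from requests; the combination matters on the online issuing CAs that the post recommends placing on Enterprise Edition.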
HTH,
Brian
Posted by at 10:08 AM | Comments (1)
April 29, 2005
Tech Ed Europe Announcement
Hi all,
I have just been invited to speak at Tech Ed Europe again in Amsterdam. I will be presenting two sessions and one chalk talk. I am not sure of what dates the sessions will be presented, but wanted to post the session titles and abstracts.
Managing a Smart Card Deployment
Many companies are exploring the deployment of smart cards to increase authentication strength in their networks. This session discusses the design issues you must address when designing your smart card deployment. Not only does a successful smart card deployment require policies and procedures to ensure success, the deployment must also have tools to assist in the deployment and management of the smart cards. The session will look at how Microsoft clients have deployed smart cards in their networks; identify the applications that work for smart cards, and where you still cannot use smart cards. Finally, the session will demonstrate a third party registration authority that allows key recovery for encryption certificates stored on smart cards and helps ensure that identity is proven before issuing a certificate to the certificate requester.
Securing Your Active Directory Deployment: Best Practices
From authentication to authorization, Active Directory is at the heart of distributed network security in a Windows Server based IT infrastructure, and thus plays a key role in securing your IT infrastructure. It is imperative that your organization takes adequate measures to maintain strong security of your Active Directory deployment so as to minimize the risk of a security breach in your Active Directory deployment. In this exciting session, we analyze known threats to your Active Directory deployments and walk through the Top-ten list of actions to take to enhance the security of your Active Directory deployments - from establishing secure Active Directory boundaries to deploying secure domain controllers, from enhancing critical security policies to protecting your administrative accounts and workstations. Come learn everything you need to know to secure your Active Directory deployments.
Chalk Talk: Using Scripting to Ease your PKI Deployment
You are ready to implement your Public Key Infrastructure, and you want to ensure that what you deploy is what you designed. Brian Komar will demonstrate the batch files and scripts that MCS uses during PKI engagements to simplify the PKI deployment process. Not only do these scripts help deployment, but also aid you in a disaster recovery scenario. At the end of the session, you will see the true value of the CertUtil command-line tool.
Brian
Posted by at 06:21 AM | Comments (0)
April 18, 2005
Tech Ed Session Update
Hi all,
There has been a slight change in my smart card session for Tech Ed. I cannot get into specifics, but suffice it to say that the Microsoft Smart Card tools will not be ready in time for discussion at the Orlando Tech Ed. Here is the updated session description:
Many companies are exploring the deployment of smart cards to increase authentication strength in their networks. This session discusses the design issues you must address when designing your smart card deployment. Not only does a successful smart card deployment require policies and procedures to ensure success, the deployment must also have tools to assist in the deployment and management of the smart cards. The session will look at how Microsoft clients have deployed smart cards in their networks; identify the applications that work for smart cards, and where you still cannot use smart cards. Finally, the session will demonstrate a third party registration authority that allows key recovery for encryption certificates stored on smart cards and helps ensure that identity is proven before issuing a certificate to the certificate requester.
The session will include some great demonstrations of a 3rd party registration authority that I have deployed at my customers called Alacris idNexus. The demonstrations will include defining a workflow for smart card enrollment and showing how the registration authority can be configured to implement self recovery. The recovery will also demonstrate how to recover encryption certificates to a smart card. This is great for customers that are planning on deploying S/MIME certificates for secure email on smart cards and are concerned about losing access to encrypted email if a smart card is lost or damaged!
Brian
Posted by at 07:42 PM | Comments (0)
April 16, 2005
WinConnections Conference
I am speaking next week at the Windows and IT Pro Magazine WinConnections conference in San Francisco. This is my fifth year speaking at the conference and the conference just keeps getting better and better. Not only are industry experts such as Mark Minasi and Steve Riley delivering keynotes, some of the best minds in the business are delivering sessions.
At the conference, I am delivering the following sessions:
- WIN16: Designing and Deploying a Windows Server 2003 PKI. This session will highlight the lessons learned over the last two years deploying PKI solutions for MCS customers. The session will focus on best practices and some of the common design considerations.
- WIN17: Essential Utilities from the Security Resource Kit. Brian, co-author of the Microsoft Windows Security Resource Kit, will be discussing some of his preferred tools from the Resource Kit.
- WIN18: Using the Security Configuration Wizard to Secure Your Windows 2003 Servers. This session will discuss the new Security Configuration Wizard added in Windows Server 2003 SP1 and discuss how to use the wizard to lock down Windows Server 2003 SP1 servers on your network.
In addition, I will be at the Ask the Experts area twice during the show:
- Monday: 3:30pm - 4:00pm
- Tuesday: 12:45 - 3:30pm
Please feel free to come down and chat about security issues you are facing!
For more information on the conference, please click on the following link: WinConnections
Brian
Posted by at 08:12 AM | Comments (0)