Re: Is it reasonable to remove all digital certificates from Windows?

From: Michel Gallant (neutron_at_nspxistar.ca)
Date: 10/09/03


Date: Thu, 9 Oct 2003 11:21:27 -0400

On the other hand, if you have installed any 3rd party certificates
into the ROOT CA store, you should have a thorough review of
their necessity.

I know some enterprises have intelligent reviews of root CA certs,
and decide to remove many except the ones known to be necessary
for transparency in business (like e-banking etc.)

 - Michel Gallant
   Visual Security MVP

"Sergio Dutra [MS]" <sergiod@online.microsoft.com> wrote in message
news:uOxYXGnjDHA.2424@TK2MSFTNGP10.phx.gbl...
> It's not unreasonable to delete the "third-party" roots (under MMC local
> machine certificates, this would be the "Third Party Root Certification
> Authorities"). Removing these may make your experience in browsing secure
> sites (https) very unpleasant, though (having to deal with UI). In addition,
> there are no known current attacks that use any certificates issued by any
> of the roots installed by default. These certificate authorities have also
> gone through a third-party audit to ensure they comply with established
> rules for their business.
>
> Removing all certificates would definitely be detrimental to Windows.
> Updates and driver installs wouldn't succeed anymore.
>
> Overall, there is a very minimal security risk with having those
> certificates there, and the costs of removing them outweigh any benefits. I
> would suggest you leave the root certificates on the machine.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> "Andreas G." <andreas-dummy@xxx.xxx.de> wrote in message
> news:bm16kt$gfe$1@dackel.pdb.sbs.de...
> > Hi,
> >
> > I want to make my PC as secure as possible.
> >
> > I've heard that one of the methods to achieve it is to delete all digital
> > certificates installed on the system (IE options).
> > Is it reasonable?
> >
> > What do I lose if I do it?
> >
> > Thanks in advance.
> >
> > Regards,
> > Andy
> >
> >
>
>
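
Added example, not part of the original thread or written by its posters: a read-only PowerShell inventory that supports the root CA review discussed above by listing the machine's Trusted Root and Third-Party Root stores and marking entries missing from an allowlist. The allowlist file `approved-roots.txt` (one thumbprint per line) and the output file `root-store-review.csv` are assumptions.

```powershell
# Added example: read-only inventory of the machine root stores. Nothing is removed.
# Root     = "Trusted Root Certification Authorities"
# AuthRoot = "Third-Party Root Certification Authorities"
# approved-roots.txt is a hypothetical allowlist, one thumbprint per line.
$approvedPath = '.\approved-roots.txt'
$approved = @()
if (Test-Path -Path $approvedPath) {
    $approved = Get-Content -Path $approvedPath |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
}

$now = Get-Date
$found = foreach ($store in 'Root', 'AuthRoot') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            SigAlg     = $_.SignatureAlgorithm.FriendlyName
        }
    }
}

# A certificate can be visible through both stores; report it once with every store listed.
$report = $found | Group-Object -Property Thumbprint | ForEach-Object {
    $c = $_.Group[0]
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Stores     = ($_.Group.Store | Sort-Object -Unique) -join ','
        Subject    = $c.Subject
        NotAfter   = $c.NotAfter
        Expired    = $c.NotAfter -lt $now
        SigAlg     = $c.SigAlg
        Approved   = $approved -contains $c.Thumbprint
    }
}

# Unapproved roots sort first, then expired ones: these are the entries to justify.
$report |
    Sort-Object -Property Approved, @{ Expression = 'Expired'; Descending = $true }, Subject |
    Export-Csv -Path '.\root-store-review.csv' -NoTypeInformation
$report | Where-Object { -not $_.Approved } |
    Format-Table -Property Stores, Subject, NotAfter, Thumbprint -AutoSize
```

With no allowlist file present, every root is reported as unapproved, which gives a starting list to review entry by entry.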


