Re: Configuring an Enterprise wireless solutions with encryption

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/07/04


Date: Tue, 06 Jul 2004 20:45:09 -0400

That actually isn't a Microsoft guideline; that is a Certificate Authority best
practice. Here is a paper from SANS that discusses root CAs.

http://www.sans.org/rr/papers/63/1322.pdf

Like I said in the previous post, if a compromise or loss of your root causing a
complete rebuild of your PKI environment from scratch is ACCEPTABLE to you,
you do not need a root CA.

If that is not acceptable, you need a root. The root will be offline, and any
publishing of CRLs or certs from it will require the Nike Express (hands and
feet) for publishing. You will write the info to a CD or floppy or some other
transportable media and carry it to a device that is on the network.

If an intermediate is compromised, you can use the root to invalidate all certs
from it and still keep your PKI infrastructure up and running. If your root is
compromised you throw it all out and start over.

Note my experience is corporate experience. If your friend said what he said to
you in any of the companies I have been with they would have tossed him out the
door and wouldn't have taken the time to see if he landed.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Harrison Midkiff wrote:
> Bob:
> 
> I appreciate your reply to my post.  I am in the process of reviewing the
> white papers.  One question if I may...
> 
> I need to deploy a CA server to enable me to do secure wireless with
> certificates.  I know the best practice is to install an Enterprise Root CA
> and then an Enterprise Subordinate Root CA.  Once the subordinate is online
> you remove the root CA and put it in a safe location.  A friend of mine said
> that was just in a perfect Microsoft world and it was not necessary, so I
> could just do a single Enterprise Root CA.
> 
> What are your thoughts on that?
> 
> Harrison Midkiff
> 
> "Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
> news:VnmjENzYEHA.3316@cpmsftngxa06.phx.gbl...
> 
>>Hi Harrison,
>>
>>If your domain is Windows 2000 AD, to set up a Windows Server 2003 CA, the
>>Active Directory schema must be upgraded to the Windows Server 2003 schema.
>>You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.
> 
>>The schema is updated to the Windows Server 2003 schema by running ADPREP
>>/Forestprep at a Windows 2000 domain controller with the Windows Server
>>2003 CD-ROM in the CD-ROM drive.
>>
>>I would like to recommend that you refer to the Windows Server 2003 help
>>files and the following two public whitepapers.
>>
>>
>>http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp
>>
>>Best Practices:
>>
>>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
>>
>>Have a nice day!
>>
>>Regards,
>>Bob Qin
>>Product Support Services
>>Microsoft Corporation
>>
>>Get Secure! - www.microsoft.com/security
>>
>>====================================================
>>When responding to posts, please "Reply to Group" via your newsreader so
>>that others may learn and benefit from your issue.
>>====================================================
>>This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> 
> 
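The "Nike Express" procedure Joe describes (offline root, CRL and cert carried on removable media to a networked box, subordinate revoked from the root) is written out below as an added example; it is not part of the original post or any Microsoft documentation. The CA name "Contoso Root CA", the drive letter E:, the staging folder, the subordinate's serial number, the file SubCA.cer, the \\pki01\pki share and the 26-week CRL lifetime are all assumed placeholders. Every certutil switch used here is a documented one; the AD publishing steps require Enterprise Admins rights.

```powershell
# Added example (not from the original post): offline-root CRL/cert publication
# by sneakernet, plus revocation of a compromised subordinate CA from the root.
# All names, paths and serial numbers below are assumptions for illustration.

# ---------- Part 1: run on the OFFLINE root CA, which never touches the network ----------
$media      = 'E:\pki-transfer'                                   # assumption: USB/CD staging folder
$certEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"      # default CertSvc publish folder

# Give the offline root a long base CRL lifetime so it only has to be powered on
# a few times a year to republish (26 weeks is an assumption; tune it to policy).
# Delta CRLs make no sense for a box that is never online, so turn them off.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service CertSvc

# If an intermediate (issuing) CA was compromised, revoke its CA certificate at the
# root. Reason code 2 = CACompromise. The serial number is an assumed placeholder.
$compromisedSubCaSerial = '61000000021a2b3c4d5e6f708192a3b4c5'   # assumption
certutil -revoke $compromisedSubCaSerial 2

# Cut a fresh base CRL, then stage the CRL and the root certificate on the media.
certutil -crl
New-Item -ItemType Directory -Force -Path $media | Out-Null
Copy-Item "$certEnroll\*.crl" $media
Copy-Item "$certEnroll\*.crt" $media
Get-ChildItem $media      # this is what gets carried, by hand, to a networked machine

# ---------- Part 2: run on an ONLINE domain member as an Enterprise Admin ----------
$media = 'E:\pki-transfer'                                        # assumption: same media, now mounted here

# Look before publishing: confirm NextUpdate is in the future and the revoked
# subordinate is listed with the CA Compromise reason.
Get-ChildItem "$media\*.crl" | ForEach-Object {
    certutil -dump $_.FullName | Select-String -Pattern 'Update|Compromise|Serial'
}

# Publish the root certificate into the Certification Authorities container so
# domain members trust it. (Only add NTAuthCA if the root itself issues logon
# certificates, which an offline root normally does not.)
Get-ChildItem "$media\*.crt" | ForEach-Object {
    certutil -dspublish -f $_.FullName RootCA
}

# Publish the CRL into the CDP container in AD so LDAP CDP lookups succeed.
Get-ChildItem "$media\*.crl" | ForEach-Object {
    certutil -dspublish -f $_.FullName
}

# If the root's CDP/AIA extensions also point at an HTTP URL, drop copies there too.
# Assumption: \\pki01\pki is the web root behind http://pki.contoso.com/pki/
Copy-Item "$media\*.crl", "$media\*.crt" '\\pki01\pki\' -Force

# Flush the local CRL cache and verify from this box that the chain now shows the
# subordinate as revoked. SubCA.cer is an assumed copy of the compromised issuing
# CA's certificate; a clean run reports it as revoked for CA Compromise.
certutil -pulse
certutil -urlcache crl delete
certutil -verify -urlfetch "$media\SubCA.cer"
```

The split into two parts is the whole point of the design: nothing in Part 1 needs a network, and nothing in Part 2 needs the root's private key, so the key never leaves the offline box. Schedule a calendar reminder well inside the CRL lifetime; if the root's CRL expires before the next publication, every certificate below it fails revocation checking even though nothing has been revoked.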
