Re: Should I install Certificate Authority to solve these problems ?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/30/04

    Date: Sat, 30 Oct 2004 02:57:05 -0700


    Beginning next year is two months away, or four, or six ?
    Implementing a PKI requires some thought, server builds,
    etc. It seems your W2k/W2k3 versioning is a secondary
    consideration to time to do it right.
    However, for nothing that you mentioned is a PKI the only
    way to do things. In fact, for both of the two specific cases
    you mention at the end, there is some confusion if having
    a CA is thought to be important to them.

    comments inlined below . . .

    -- 
    Roger Abell
    "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
    news:uq8OpXkvEHA.3200@TK2MSFTNGP14.phx.gbl...
    > I am on Win2000 Domain. I am planning to go to Win2003 beginning next
    > year.
    >
    > Management (non technical) is pushing to get Certificate Authority
    > installed on my domain now.
    >
    You have told them that this requires a minimum of two machines
    to do it right, yes ?
    > I would like to evaluate if the problems below really require a
    > Certificate Authority to solve those issues below ? Does it make sense
    > to create a Certificate Authority now (domain), or should I migrate to
    > Win2003 and take advantage of potential enhanced features there ? If I
    > use IPSec on Win2003, I would need a Certificate Authority in the
    > domain, right ?
    >
    The answer to the last question is NO; the others were commented upon
    earlier.
    > Is it viable installing a Certificate Authority to solve the problems
    > below ?
    >
    No
    > 1) A server management tool can use certificates when the servers
    > communicate with one another to verify each other's identity. The guy is
    > afraid that someone in the internal organization could pretend to be
    > RealServermanagement tool and change another server's configuration.
    >
    > Does Kerberos provide protection against this ?
    >
    What server management tool ?
    The mmc based tools MS provides with the operating system?
    Or some third-party application?
    There is misunderstanding all over in this.  If the guy is afraid,
    then he perhaps does not understand the strength of the safeguards
    that are already in place (at least if deployed correctly).
    The tools from MS act only subject to security checks based on
    the context of the account in use.  "change another server's config"
    seems to imply the concern is over an admin fooling with the
    wrong machine - which can be avoided if the admin is a plain
    user everywhere except as a local admin on the intended machine.
    Kerberos underlies the user identity and authorization.
    The machines can be configured to secure their communications
    and this may be done at different levels of strength (with accompanying
    overheads).  But making sure machines are who they are in their
    exchanges, and/or limiting what machines may speak in which ways
    with other machines are things that may be configured, even without
    use of a CA - and doing these does not mean a "management tool"
    will only be used the right way by the right person.
    >
    >
    > 2) A client machine accesses a browser connecting to a third-party
    > application server. Assume text is transmitted in clear text. If I use
    > IPSec to encrypt communications, do I need to install the Certificate
    > authority ?
    >
    If by browser you mean web use, then this only requires that the
    webserver have a cert from a recognized cert authority so that the
    web traffic can be https (use SSL).  If the third-party server is not
    yours then this means they need to do this, using a cert authority
    your browser will recognize.  For an in-house use one certainly
    can use one's own PKI to provide the needed certs - but having
    any party other than one's in-house participants involved usually
    means use of a public cert authority.
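    The point made twice above, that IPsec between domain members does not need a CA, can be shown concretely. The following is an added example and not part of Roger Abell's post: it builds a local IPsec policy whose IKE main-mode authentication is Kerberos, i.e. the machines' existing Active Directory computer accounts, so no certificate is issued to anybody. It uses the "netsh ipsec static" context of Windows XP / Server 2003 (Windows 2000 has no netsh ipsec; there you would use ipsecpol.exe from the resource kit or the IP Security Policy MMC snap-in to build the same policy). The management subnet 10.0.0.0/24 and all policy, filter-list, filter-action and rule names are hypothetical placeholders. Both peers must be members of the same forest (or a trusting one) for Kerberos to succeed; a non-domain machine is the case where a certificate or pre-shared key would be required instead.

```powershell
# Added example, not code from the original post.
# Run from an elevated PowerShell prompt on the server (from cmd.exe drop the
# backticks and join the lines). Every argument is quoted as a whole token so
# PowerShell does not split "ESP[3DES,SHA1]" on the comma before handing it
# to netsh; no value contains a space.
# Assumed (hypothetical): management traffic lives on 10.0.0.0/24; the names
# MgmtIPsec, MgmtSubnet, RequireESP and MgmtRule are arbitrary.

# 1. The policy container.
netsh ipsec static add policy "name=MgmtIPsec" `
    "description=Require_ESP_to_the_management_subnet"

# 2. Filter list: traffic between this host and 10.0.0.0/24, mirrored so the
#    reverse direction is matched as well.
netsh ipsec static add filterlist "name=MgmtSubnet"
netsh ipsec static add filter "filterlist=MgmtSubnet" `
    "srcaddr=me" "dstaddr=10.0.0.0" "dstmask=255.255.255.0" `
    "protocol=ANY" "mirrored=yes"

# 3. Filter action: negotiate ESP with 3DES/SHA1. inpass=no and soft=no mean
#    clear-text traffic is never accepted as a fallback if IKE fails.
netsh ipsec static add filteraction "name=RequireESP" "action=negotiate" `
    "qmsecmethods=ESP[3DES,SHA1]" "inpass=no" "soft=no"

# 4. The rule ties list and action together. kerberos=yes selects Kerberos as
#    the main-mode authentication method. The alternatives are rootca=<CA name>
#    (a certificate) and psk=<key>; neither is used, so no CA is involved.
netsh ipsec static add rule "name=MgmtRule" "policy=MgmtIPsec" `
    "filterlist=MgmtSubnet" "filteraction=RequireESP" "kerberos=yes"

# 5. Assign it. Only one local policy can be assigned at a time, and a
#    policy delivered through Group Policy overrides a locally assigned one.
netsh ipsec static set policy "name=MgmtIPsec" "assign=y"

# Checks: confirm the policy as stored, then, after some traffic to the
# management subnet has flowed, list the main-mode SAs. Each SA shows the
# authenticated peer; if a peer is missing, the usual cause is that it is not
# a domain member or its computer account cannot obtain a Kerberos ticket.
netsh ipsec static show policy "name=MgmtIPsec"
netsh ipsec dynamic show mmsas
```

    Push the same policy to every server in the group through Group Policy rather than repeating it by hand, and test with a policy that has soft=yes first: with soft=no a single machine that cannot complete IKE is cut off from the management subnet entirely.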