Re: Isolation of the Root CA

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/20/04

    Date: Sat, 20 Nov 2004 07:24:13 GMT
    
    

    A lot has to do with the complexity of your network and your security needs.
    If you run a network that is going to have a three tier hierarchy of
    Certificate Authorities with maybe six or eight issuing CA's for various
    tasks that are going to issue thousands of certificates then it makes sense
    to secure the CA's that only issue certificates to other CA's to minimize
    the damage that can be done to the PKI.

    However, many, many smaller networks are going to use PKI to issue some
    certificates for L2TP, an internal web server, email, or maybe a certificate
    for IAS server to use for 802.1X wireless with PEAP. In such cases a single
    CA may make sense. You have to ask yourself what would happen if my CA was
    compromised and it could no longer be trusted. Would it be an
    inconvenience, major hassle, or a catastrophe risking highly confidential
    data causing possible loss of customers/revenue? Only you can answer that
    question. If your needs are modest goals to improve security it [in my
    opinion] probably does not make sense to have an offline CA and then one
    issuing CA.

    An Enterprise CA can not be an offline CA. You would have to start with a
    standalone root CA and use it to issue a certificate for an Enterprise CA
    subordinate. You would have to add alternate locations for the CRL and CA
    certificate before you use it to issue any certificates. The offline CA
    could always be offline and certificate requests and CRL's be copied to and
    from floppy disk or it could be put online just as long as it takes to issue
    the certificates for subordinate CA's. The link below explains more.

    http://support.microsoft.com/?kbid=271386

    If you feel a single Enterprise CA would work for you there are steps you
    can take to secure it. First make sure it is physically secured where only a
    very few trusted users have access to it. Other procedures such as
    physically securing domain controllers, and implementing complex passwords
    are a must. Weak passwords and physical access are still the biggest threats
    to a network/domain/computer. Read the Windows 2003 Security guide and first
    take the steps for a baseline server lockdown and then read the chapter on
    securing a Certificate Authority Server. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
    http://tinyurl.com/dkbu -- same link as above, shorter.

    "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
    news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
    > Trying to follow the "Step-by-Step Guide to Setting up a Certification
    > Authority".
    >
    > One major thing I can't seem to grasp is the installation of the Root CA.
    > As I understand, the Root CA should NEVER be connected to a network. Is
    > the same true for an Enterprise Root CA?
    >
    > If so, how can you connect the server to a domain, and have it register
    > itself as a Root CA without connecting it to a network?
    >
    > If not, can the Enterprise Root CA provide the same level of security as a
    > Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
    > you ensure that top level of trust isn't compromised?
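
Added example, not part of the original post or of the linked Microsoft article: one way to carry out the "add alternate locations for the CRL and CA certificate" step on a standalone root CA with certutil, before it signs the subordinate's request. The host name pki.example.com, the file name SubCA.cer and the choice of a single HTTP location are assumptions for illustration.

```powershell
# Run on the standalone (offline) root CA BEFORE it issues the subordinate CA certificate.
# Certificates issued earlier keep whatever CDP/AIA URLs were configured at that time.

# Assumption: pki.example.com is a placeholder for a web server that stays online;
# the CRL and CA certificate files are copied to it by hand (removable media).
$certEnroll = "$env:windir\System32\CertSrv\CertEnroll"
$httpBase   = 'http://pki.example.com/CertEnroll'

# CRL distribution points (CDP). Each entry is "<flags>:<location>", separated by \n.
#   flag 1 = publish the CRL file to this location
#   flag 2 = write this URL into the CDP extension of issued certificates
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL marker (expanded by the CA service).
certutil.exe -setreg CA\CRLPublicationURLs `
    "1:$certEnroll\%3%8%9.crl\n2:$httpBase/%3%8%9.crl"

# Authority information access (AIA), i.e. where clients fetch the CA certificate.
#   flag 1 = local copy of the CA certificate, flag 2 = write this URL into the AIA extension
# %1 = server DNS name, %4 = certificate name suffix.
certutil.exe -setreg CA\CACertPublicationURLs `
    "1:$certEnroll\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

# The CA service reads these values at start-up; restart it, then publish a fresh CRL.
Restart-Service certsvc
certutil.exe -CRL

# Confirm what the CA will now stamp into the certificates it issues.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs

# After copying the .crl and .crt files from $certEnroll to the web server and issuing
# the subordinate certificate, check it from a networked machine. SubCA.cer is a
# placeholder file name. -urlfetch retrieves every CDP and AIA URL in the chain and
# reports any that cannot be reached.
certutil.exe -verify -urlfetch .\SubCA.cer
```

No LDAP or file-share location pointing at the root CA itself is included in issued certificates here, because relying parties could never reach a machine that stays offline.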

