Re: Isolation of the Root CA

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 11/20/04

    Date: Sat, 20 Nov 2004 14:55:25 -0800


    Our best practices guides may help provide some additional guidance and
    recommendations:

    Best Practices for implementing Windows Server 2003 PKI:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

    Microsoft Systems Architecture:
    http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx

    -- 
    David B. Cross [MS]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://support.microsoft.com
    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message 
    news:xiCnd.120851$R05.15239@attbi_s53...
    >A lot has to do with the complexity of your network and your security
    >needs. If you run a network that is going to have a three tier hierarchy of
    >Certificate Authorities with maybe six or eight issuing CAs for various
    >tasks that are going to issue thousands of certificates then it makes sense
    >to secure the CAs that only issue certificates to other CAs to minimize
    >the damage that can be done to the PKI.
    >
    > However many, many smaller networks are going to use PKI to issue some
    > certificates for L2TP, an internal web server, email, or maybe a
    > certificate for an IAS server to use for 802.1X wireless with PEAP. In such
    > cases a single CA may make sense. You have to ask yourself what would
    > happen if my CA was compromised and it could no longer be trusted. Would
    > it be an inconvenience, a major hassle, or a catastrophe risking highly
    > confidential data and causing possible loss of customers/revenue? Only you can
    > answer that question. If your needs are modest goals to improve security,
    > it [in my opinion] probably does not make sense to have an offline CA and
    > then one issuing CA.
    >
    > An Enterprise CA cannot be an offline CA. You would have to start with a
    > standalone root CA and use it to issue a certificate for an Enterprise CA
    > subordinate. You would have to add alternate locations for the CRL and CA
    > certificate before you use it to issue any certificates. The offline CA
    > could always be offline and certificate requests and CRLs be copied to
    > and from floppy disk, or it could be put online just as long as it takes to
    > issue the certificates for subordinate CAs. The link below explains more.
    >
    > http://support.microsoft.com/?kbid=271386
    >
    > If you feel a single Enterprise CA would work for you there are steps you 
    > can take to secure it. First make sure it is physically secured where only 
    > a very few trusted users have access to it. Other procedures such as 
    > physically securing domain controllers, and implementing complex passwords 
    > are a must. Weak passwords and physical access are still the biggest 
    > threats to a network/domain/computer. Read the Windows 2003 Security guide 
    > and first take the steps for a baseline server lockdown and then read the 
    > chapter on securing a Certificate Authority Server.   --- Steve
    >
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
    > http://tinyurl.com/dkbu  -- same link as above, shorter.
    >
    >
    > "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message 
    > news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
    >> Trying to follow the "Step-by-Step Guide to Setting up a Certification
    >> Authority".
    >>
    >> One major thing I can't seem to grasp is the installation of the Root CA.
    >> As I understand, the Root CA should NEVER be connected to a network. Is the
    >> same true for an Enterprise Root CA?
    >>
    >> If so, how can you connect the server to a domain, and have it register
    >> itself as a Root CA without connecting it to a network?
    >>
    >> If not, can the Enterprise Root CA provide the same level of security as a
    >> Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
    >> you ensure that top level of trust isn't compromised?
    >
    > 
    

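The offline-root procedure Steve outlines in the quoted reply (standalone root, CDP/AIA locations set before anything is issued, requests and CRLs carried on removable media, an enterprise subordinate doing the day-to-day issuing), written out as an added example. It is not code from any of the posters or from the linked Microsoft guides; it uses only certutil.exe and certreq.exe, which ship with Windows, driven from PowerShell. The domain contoso.com, the web host pki.contoso.com, the root host/CA name OFFLINEROOT\Contoso Root CA, the transfer path D:\transfer, the 26-week CRL lifetime and the regex used to pull the RequestId out of certreq's output are all assumptions chosen for illustration.

```powershell
# Added example (not from the thread or Microsoft's guides). Run each numbered
# section on the machine named in its comment. All names/paths are assumptions.
$Domain   = "DC=contoso,DC=com"
$HttpBase = "http://pki.contoso.com/pki"       # web CDP/AIA every client can reach
$Xfer     = "D:\transfer"                       # removable media carried between hosts
$RootCfg  = "OFFLINEROOT\Contoso Root CA"       # <host>\<CA common name> of the root

# ---- 1. On the offline standalone root, BEFORE it issues any certificate ----
# A root that is not domain-joined cannot discover the forest, so hand it the
# Configuration naming context; otherwise the %6 token in the LDAP URLs is empty.
certutil -setreg CA\DSConfigDN "CN=Configuration,$Domain"

# CDP flags: 1 = write the CRL to this path, 2 = put the URL in the CDP extension
# of issued certs, 10 = 2 + 8 (also into the CRL's own CDP). %1..%11 are certutil
# substitution tokens; \n separates entries and is parsed by certutil itself.
certutil -setreg CA\CRLPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
    "2:$HttpBase/%3%8%9.crl\n" +
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# AIA: where relying parties fetch the root certificate itself.
certutil -setreg CA\CACertPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
    "2:$HttpBase/%1_%3%4.crt\n" +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")

# The root stays powered off, so give it a long-lived base CRL and no delta CRLs.
# Diarise a re-publication before the 26 weeks run out: when the root CRL expires,
# revocation checking fails for every certificate chained under it.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\ValidityPeriodUnits 10      # longest subordinate CA cert it will sign
certutil -setreg CA\ValidityPeriod "Years"

Restart-Service certsvc                          # registry changes take effect on restart
certutil -crl                                    # publish a CRL carrying the new URLs
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.cr?" $Xfer   # root .crt and .crl

# ---- 2. On a domain-joined admin workstation, from the removable media ----
# Publish the root cert and CRL into AD so every domain member trusts the root and
# the LDAP CDP/AIA resolve; also copy both files into the $HttpBase web directory.
Get-ChildItem "$Xfer\*.crt" | ForEach-Object { certutil -dspublish -f $_.FullName RootCA }
Get-ChildItem "$Xfer\*.crl" | ForEach-Object { certutil -dspublish -f $_.FullName }

# ---- 3. On the enterprise subordinate ----
# Install Certificate Services as "Enterprise subordinate CA" and pick "save the
# request to a file", writing it to $Xfer\subca.req; carry the media to the root.

# ---- 4. On the offline root: sign the subordinate's request ----
# A standalone CA holds requests as pending by default, so approve by RequestId.
$Out   = certreq -submit -config $RootCfg "$Xfer\subca.req" "$Xfer\subca.cer"
$ReqId = [regex]::Match(($Out -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $ReqId) { throw "certreq did not report a RequestId: $Out" }
certutil -resubmit $ReqId                        # issue the pending request
certreq -retrieve -config $RootCfg $ReqId "$Xfer\subca.cer"

# ---- 5. Back on the subordinate: install its CA certificate and start issuing ----
certutil -installcert "$Xfer\subca.cer"
Start-Service certsvc

# ---- 6. Check from an ordinary domain member before issuing end-entity certs ----
# Every CDP and AIA URL in the chain must be fetchable, or clients will treat the
# chain as revocation-unknown; fix the web/LDAP publication before going further.
certutil -verify -urlfetch "$Xfer\subca.cer"
```

The order matters: the CDP and AIA URLs in section 1 are baked into the subordinate's certificate when the root signs it, so changing them later means re-issuing the subordinate. Section 6 is the check to repeat whenever the root is brought up to publish a fresh CRL; the root being offline only protects the key if somebody remembers to turn it on before the CRL lapses.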