Re: Isolation of the Root CA
From: Perry (Perry_at_discussions.microsoft.com)
Date: 11/25/04
- Next message: Steven L Umbach: "Re: Disable everything except for a web site authentication."
- Previous message: ravi: "Local security settings - secedit"
- In reply to: David Cross [MS]: "Re: Isolation of the Root CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 24 Nov 2004 15:23:07 -0800
If you want to put your Enterprise CA behind a firewall, is there a best
practice article on that? Or can you follow some of the references on moving
MSRPC to static mode?
Thanks,
Perry
"David Cross [MS]" wrote:
> Our best practices guides may help provide some additional guidance and
> recommendations:
>
> Best Practices for implementing Windows Server 2003 PKI:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> Microsoft Systems Architecture:
> http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:xiCnd.120851$R05.15239@attbi_s53...
> >A lot has to do with the complexity of your network and your security
> >needs. If you run a network that is going to have a three tier hierarchy of
> >Certificate Authorities with maybe six or eight issuing CA's for various
> >tasks that are going to issue thousands of certificates then it makes sense
> >to secure the CA's that only issue certificates to other CA's to minimize
> >the damage that can be done to the PKI.
> >
> > However many, many smaller networks are going to use PKI to issue some
> > certificates for l2tp, an internal web server, email, or maybe a
> > certificate for IAS server to use for 802.1X wireless with PEAP. In such
> > cases a single CA may make sense. You have to ask yourself what would
> > happen if my CA was compromised and it could no longer be trusted. Would
> > it be an inconvenience, major hassle, or a catastrophe risking highly
> > confidential data causing possible loss of customers/revenue. Only you can
> > answer that question. If your needs are modest goals to improve security
> > it [in my opinion] probably does not make sense to have an offline CA and
> > then one issuing CA.
> >
> > An Enterprise CA can not be an offline CA. You would have to start with a
> > standalone root CA and use it to issue a certificate for an Enterprise CA
> > subordinate. You would have to add alternate locations for the CRL and CA
> > certificate before you use it to issue any certificates. The offline CA
> > could always be offline and certificate requests and CRL's be copied to
> > and from floppy disk or it could be put online just as long as it takes to
> > issue the certificates for subordinate CA's. The link below explains more.
> >
> > http://support.microsoft.com/?kbid=271386
> >
> > If you feel a single Enterprise CA would work for you there are steps you
> > can take to secure it. First make sure it is physically secured where only
> > a very few trusted users have access to it. Other procedures such as
> > physically securing domain controllers, and implementing complex passwords
> > are a must. Weak passwords and physical access are still the biggest
> > threats to a network/domain/computer. Read the Windows 2003 Security guide
> > and first take the steps for a baseline server lockdown and then read the
> > chapter on securing a Certificate Authority Server. --- Steve
> >
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
> > http://tinyurl.com/dkbu -- same link as above, shorter.
> >
> >
> > "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
> > news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
> >> Trying to follow the "Step-by-Step Guide to Setting up a Certification
> >> Authority".
> >>
> >> One major thing I can't seem to grasp is the installation of the Root CA.
> >> As I understand, the Root CA should NEVER be connected to a network. Is the
> >> same true for an Enterprise Root CA?
> >>
> >> If so, how can you connect the server to a domain, and have it register
> >> itself as a Root CA without connecting it to a network?
> >>
> >> If not, can the Enterprise Root CA provide the same level of security as a
> >> Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
> >> you ensure that top level of trust isn't compromised?
> >
> >
>
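The offline-root procedure Steve describes (set alternate CRL and CA certificate locations on the standalone root before it issues anything, then move the CRL and certificate to the online locations by removable media) looks like this in practice. This is an added worked example, not code from anyone in the thread or from the Microsoft guides linked above; the hostname pki.example.com, the CertEnroll web path, the file names and the 26-week CRL lifetime are assumptions for the example. Run it elevated on the standalone root CA after the role is installed but before the subordinate CA request is signed.

```powershell
# Added example: CDP/AIA configuration for an offline standalone root CA.
# Assumptions: http://pki.example.com/CertEnroll is an HTTP location that stays
# reachable while the root is powered off; paths/names below are illustrative.
$http  = 'http://pki.example.com/CertEnroll'
$local = '%WINDIR%\system32\CertSrv\CertEnroll'

# Flag semantics understood by certutil:
#   1 = publish the file to this location (only the local folder, the root is offline)
#   2 = put this URL into the CDP / AIA extension of every certificate the root issues
# Tokens: %1 = server DNS name, %3 = CA name, %4 = cert renewal index,
#         %8 = CRL name suffix, %9 = delta CRL suffix
certutil -setreg CA\CRLPublicationURLs    "1:$local\%3%8%9.crl\n2:$http/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$http/%1_%3%4.crt"

# Long base CRL and no delta CRL: the root is only booted to sign sub-CA certs
# and to reissue its CRL, so the CRL must outlive the gaps between boots.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service certsvc
certutil -crl                         # regenerate the CRL with the new settings

# The files in $local (<CAName>.crl and <server>_<CAName>.crt) now go to
# removable media. On a domain-joined, online machine (assumed paths):
#   certutil -dspublish -f D:\RootCA.crt RootCA     # publish root cert into AD
#   certutil -dspublish -f D:\RootCA.crl            # publish root CRL into AD
# and copy both files to the web server behind $http.
#
# Before the root signs the subordinate CA's request, confirm a client can
# actually fetch what the certificates will point at:
#   certutil -verify -urlfetch D:\RootCA.crt
# Any "Failed" line in the URL retrieval section means the root would issue a
# sub-CA certificate whose revocation status nobody can check.
```

The order matters: CRLPublicationURLs and CACertPublicationURLs are baked into the extensions of each certificate at issuance time, so a sub-CA certificate issued before the HTTP URLs are configured carries only the local file path and cannot be revocation-checked by anyone but the root itself.

A separate added example for Perry's question about putting an Enterprise CA behind a firewall. The CA's DCOM/RPC interface uses endpoint mapper port 135 plus a dynamically allocated high port, so the usual approach is to confine the dynamic allocation to a small range and open only that range. This is not from the thread or from Microsoft's guides; it uses the server-wide RPC\Internet registry method (which constrains every RPC server on the machine, not only certsvc) and the New-NetFirewallRule cmdlet, so it assumes a current Windows Server rather than the 2003 box in the thread. The port range and subnet are illustrative.

```powershell
# Added example: fix the RPC dynamic port range on an Enterprise CA so the
# firewall in front of it needs only a handful of inbound ports.
# Assumptions: range 5000-5020, client subnet 10.0.0.0/8; run elevated, reboot after.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpc -Force | Out-Null
Set-ItemProperty -Path $rpc -Name 'Ports'                  -Value @('5000-5020') -Type MultiString
Set-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -Value 'Y'            -Type String
Set-ItemProperty -Path $rpc -Name 'UseInternetPorts'       -Value 'Y'            -Type String

# Inbound: endpoint mapper plus the pinned range, from enrolling clients only.
New-NetFirewallRule -DisplayName 'CA RPC endpoint mapper' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress 10.0.0.0/8 -Action Allow
New-NetFirewallRule -DisplayName 'CA RPC dynamic range' -Direction Inbound `
    -Protocol TCP -LocalPort 5000-5020 -RemoteAddress 10.0.0.0/8 -Action Allow
# An Enterprise CA also needs outbound Kerberos (88), LDAP (389/636), DNS (53)
# and SMB (445) to the domain controllers; add those on the perimeter device.

# After the reboot, from a client on the far side of the firewall
# (replace the config string with "<CAServerFQDN>\<CA name>"):
#   certutil -config "ca01.example.com\Example Issuing CA" -ping
# A successful ping means 135 and the pinned range are reachable; a timeout
# usually means the dynamic port answered on a port the firewall still blocks.
```

Because the RPC\Internet key applies to all RPC services on the host, keep the CA on its own server rather than sharing it with a DC or file server whose other RPC endpoints would be squeezed into the same small range.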