Re: Isolation of the Root CA
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 12/02/04
- Next message: Lars Jensen: "Number of events generated by audit account logon"
- Previous message: Steven L Umbach: "Re: Securing Remote Registry Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 2 Dec 2004 05:13:06 -0800
We have a little guidance in this paper:
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:
Auto-enrollment whitepaper: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

"Perry" <Perry@discussions.microsoft.com> wrote in message news:0D443847-849A-4594-92E1-5A26D05CFCEE@microsoft.com...
> If you want to put your Enterprise CA behind a firewall, is there a best practice article on that? Or can you follow some of the moving MSRPC to static mode references.
>
> Thanks,
> Perry
>
> "David Cross [MS]" wrote:
>
>> Our best practices guides may help provide some additional guidance and recommendations:
>>
>> Best Practices for implementing Windows Server 2003 PKI:
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>
>> Microsoft Systems Architecture:
>> http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx
>>
>> --
>> David B. Cross [MS]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> http://support.microsoft.com
>>
>> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:xiCnd.120851$R05.15239@attbi_s53...
>> > A lot has to do with the complexity of your network and your security needs. If you run a network that is going to have a three tier hierarchy of Certificate Authorities with maybe six or eight issuing CAs for various tasks that are going to issue thousands of certificates, then it makes sense to secure the CAs that only issue certificates to other CAs to minimize the damage that can be done to the PKI.
>> >
>> > However many, many smaller networks are going to use PKI to issue some certificates for l2tp, an internal web server, email, or maybe a certificate for IAS server to use for 802.1X wireless with PEAP. In such cases a single CA may make sense. You have to ask yourself what would happen if my CA was compromised and it could no longer be trusted. Would it be an inconvenience, major hassle, or a catastrophe risking highly confidential data causing possible loss of customers/revenue? Only you can answer that question. If your needs are modest goals to improve security it [in my opinion] probably does not make sense to have an offline CA and then one issuing CA.
>> >
>> > An Enterprise CA cannot be an offline CA. You would have to start with a standalone root CA and use it to issue a certificate for an Enterprise CA subordinate. You would have to add alternate locations for the CRL and CA certificate before you use it to issue any certificates. The offline CA could always be offline and certificate requests and CRLs be copied to and from floppy disk, or it could be put online just as long as it takes to issue the certificates for subordinate CAs. The link below explains more.
>> >
>> > http://support.microsoft.com/?kbid=271386
>> >
>> > If you feel a single Enterprise CA would work for you there are steps you can take to secure it. First, make sure it is physically secured where only a very few trusted users have access to it. Other procedures such as physically securing domain controllers, and implementing complex passwords are a must. Weak passwords and physical access are still the biggest threats to a network/domain/computer. Read the Windows 2003 Security guide and first take the steps for a baseline server lockdown and then read the chapter on securing a Certificate Authority Server. --- Steve
>> >
>> > http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
>> > http://tinyurl.com/dkbu -- same link as above, shorter.
>> >
>> > "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
>> >> Trying to follow the "Step-by-Step Guide to Setting up a Certification Authority".
>> >>
>> >> One major thing I can't seem to grasp is the installation of the Root CA. As I understand, the Root CA should NEVER be connected to a network. Is the same true for an Enterprise Root CA?
>> >>
>> >> If so, how can you connect the server to a domain, and have it register itself as a Root CA without connecting it to a network?
>> >>
>> >> If not, can the Enterprise Root CA provide the same level of security as a Stand Alone Root CA? If the Enterprise Root CA is on the network, how can you ensure that top level of trust isn't compromised?
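The step Steve describes above, adding reachable CRL and CA certificate locations to the offline standalone root before it issues the enterprise subordinate's certificate, as an added example of the certutil commands involved (not from any of the posters or from the Microsoft papers linked; the CA name "Contoso Root CA", the publishing host pki.contoso.com and the file names are assumed):

```batch
:: Added example. Commands are typed at an interactive cmd prompt on the
:: offline root; in a .cmd file every % in the URL templates must be doubled.
:: Assumed names: CA "Contoso Root CA", HTTP host pki.contoso.com.

:: Offline roots publish rarely, so give the CRL a long validity and no deltas.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

:: CRL distribution points: flag 1 = write the CRL to this local path,
:: flag 2 = put this URL in the CDP extension of every issued certificate.
:: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/CertEnroll/%3%8%9.crl"

:: Authority Information Access: where relying parties fetch the root cert.
:: %1 = server DNS name, %4 = certificate renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt"

:: Restart the CA service so the settings take effect, then issue a fresh CRL.
net stop certsvc
net start certsvc
certutil -CRL

:: Copy the .crt and .crl from CertEnroll to removable media, then on a
:: domain-joined admin workstation publish them into Active Directory so
:: domain members trust the root and can find its CRL:
::   certutil -dspublish -f "Contoso Root CA.crt" RootCA
::   certutil -dspublish -f "Contoso Root CA.crl"
:: Also copy both files to http://pki.contoso.com/CertEnroll/ on the web host.

:: Before the subordinate issues anything, confirm that its CA certificate
:: chains to the root and that every CDP/AIA URL in it actually resolves:
::   certutil -verify -urlfetch "Contoso Issuing CA.crt"
```

Any URL reported as unreachable by `-urlfetch` will also fail for clients, which is why the locations are fixed before the subordinate is brought online rather than after certificates carrying the wrong URLs have been issued.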