Microsoft Windows Server 2003 PKI and Certificate Security

by Brian Komar
Edition: 1st
Format: Paperback
Pub. Date: 2004-06-09
Publisher(s): Microsoft Press
List Price: $62.99


Summary

No need to buy or outsource costly PKI services when you can use the robust PKI and certificate-based security services already built into Microsoft Windows Server 2003! This in-depth reference teaches you how to design and implement even the most demanding certificate-based security solutions for wireless networking, smart card authentication, VPNs, secure email, Web SSL, EFS, and code-signing applications using Windows Server PKI and certificate services. Microsoft's principal PKI consultant, along with members of the Microsoft PKI Team, shows you how to incorporate best practices, avoid common design and implementation mistakes, help minimize risk, and optimize security administration. CD-ROM features timesaving tools, scripts, and an eBook.

Author Biography

Brian Komar, president of IdentIT Inc., is a principal consultant specializing in network security and PKI. Brian has authored MCSE Training Kits, Microsoft Prescriptive Architecture Guides, and PKI white papers, and he is the coauthor of the Microsoft Windows Security Resource Kit. Brian is also a frequent speaker at IT conferences such as Microsoft TechEd, Windows and .NET Magazine Connections, and Microsoft IT Forum.

Table of Contents

Acknowledgments xvii
Introduction xix
Part I Foundations of PKI
1 Basics of Cryptography 3(14)
Encryption Types 3(1)
Algorithms and Keys 4(1)
Data Encryption 5(7)
Symmetric Encryption 5(2)
Asymmetric Encryption 7(3)
Combining Symmetric and Asymmetric Encryption 10(2)
Digital Signing of Data 12(2)
The Hash Process 12(1)
Hash Algorithms 12(1)
Combining Asymmetric Signing and Hash Algorithms 13(1)
Case Study: Microsoft Applications and Their Encryption Algorithms 14(1)
Opening the EFS White Paper 14(1)
Case Study Questions 15(1)
Additional Information 15(2)
2 Primer to PKI 17(18)
Certificates 17(10)
X.509 Version 1 18(2)
X.509 Version 2 20(1)
X.509 Version 3 21(6)
Certification Authorities 27(4)
Root CA 28(1)
Intermediate CA 29(1)
Policy CA 29(2)
Issuing CA 31(1)
Certificate Revocation Lists 31(2)
Types of CRLs 31(1)
Revocation Reasons 32(1)
Case Study: Inspecting an X.509 Certificate 33(1)
Opening the Certificate File 33(1)
Case Study Questions 33(1)
Additional Information 34(1)
3 Policies and PKI 35(16)
Security Policy 36(3)
Defining Effective Security Policies 37(1)
Resources for Developing Security Policies 37(1)
Defining PKI-Related Security Policies 38(1)
Certificate Policy 39(3)
Contents of a Certificate Policy 40(1)
Certificate Policy Example 40(2)
Certificate Practice Statement (CPS) 42(5)
CPS: Introduction 43(1)
CPS: General Provisions 44(1)
CPS: Identification and Authentication 44(1)
CPS: Operational Requirements 45(1)
CPS: Physical, Procedural, and Personnel Security Controls 46(1)
CPS: Technical Security Controls 46(1)
CPS: Certificate and Certificate Revocation List (CRL) Profiles 47(1)
CPS: Specification Administration 47(1)
Case Study: Planning Policy Documents 47(1)
Design Requirements 47(1)
Case Study Questions 48(1)
Additional Information 48(3)
Part II Establishing a PKI
4 Preparing an Active Directory Environment 51(16)
Preparing a Windows 2000 Active Directory Environment 51(12)
Microsoft Exchange Modifications 52(6)
Extending the Schema 58(2)
Modifying Membership in Cert Publishers 60(3)
Preparing a Windows Server 2003 Active Directory Environment 63(1)
Preparing Non-Active Directory Environments 64(1)
Case Study: Preparing Active Directory 64(2)
Network Details 65(1)
Case Study Questions 65(1)
Additional Information 66(1)
5 Designing a Certification Authority Hierarchy 67(24)
Determining the Number of Tiers in a CA Hierarchy 67(4)
A Single-Tier CA Hierarchy 67(1)
A Two-Tier CA Hierarchy 68(1)
A Three-Tier CA Hierarchy 69(1)
A Four-Tier CA Hierarchy 70(1)
Organizing Issuing CAs 71(2)
Choosing an Architecture 73(1)
Gathering Required Information 74(13)
Identifying PKI-Enabled Applications 74(2)
Determining Security Requirements 76(2)
Determining Technical Requirements 78(7)
Determining Business Requirements 85(1)
Determining External Requirements 85(2)
Case Study: Identifying Requirements 87(2)
Case Study Questions 88(1)
Additional Information 89(2)
6 Implementing a CA Hierarchy 91(54)
Preparing Configuration Scripts for Installation 93(20)
CAPolicy.inf File 93(9)
Pre-Installation Scripts 102(4)
Post-Installation Scripts 106(7)
Implementing an Enterprise Root CA 113(6)
Creating a CAPolicy.inf File 114(1)
Installing Internet Information Services 115(1)
Installing Certificate Services 116(1)
Post-Installation Configuration 117(1)
Enabling Auditing 118(1)
Implementing a Standalone Root CA 119(5)
Creating a CAPolicy.inf File 120(1)
Installing Certificate Services 121(1)
Post-Installation Configuration 122(1)
Object Access Auditing 123(1)
Implementing an Offline Policy CA 124(7)
Pre-Installation Configuration 124(1)
Creating a CAPolicy.inf File 125(1)
Installing Certificate Services 125(5)
Post-Installation Configuration 130(1)
Object Access Auditing 131(1)
Implementing an Online Issuing CA 131(9)
Pre-Installation Configuration 131(2)
Creating a CAPolicy.inf File 133(1)
Installing IIS 134(1)
Installing Certificate Services 134(4)
Post-Installation Configuration 138(1)
Object Access Auditing 139(1)
Verifying Installation 140(1)
Case Study: Deploying a PKI 141(3)
Case Study Questions 142(2)
Additional Information 144(1)
7 Securing a CA Hierarchy 145(22)
Designing CA Configuration Security Measures 145(3)
Designing Physical Security Measures 148(2)
Securing the CA's Private Key 150(2)
Private Key Stored in the Local Machine Store 150(1)
Private Keys Stored on Smart Cards 151(1)
Private Keys Stored on Hardware Security Modules 152(1)
Hardware Security Modules 152(10)
Categories of HSMs 153(1)
HSM Vendors 154(4)
HSM Deployment Methods 158(4)
Case Study: Planning HSM Deployment 162(3)
Scenario 163(1)
Case Study Questions 164(1)
Additional Information 165(2)
8 Designing Certificate Templates 167(20)
Certificate Template Versions 167(4)
Version 1 Certificate Templates 167(3)
Version 2 Certificate Templates 170(1)
Enrolling Certificates Based on Certificate Templates 171(1)
Modifying Certificate Templates 171(12)
Modifying Version 1 Certificate Template Permissions 171(1)
Modifying Version 2 Certificate Templates 172(10)
Best Practices for Certificate Template Design 182(1)
Case Study: Certificate Template Design 183(2)
Requirements 183(1)
Case Study Questions 183(2)
Additional Information 185(2)
9 Certificate Validation 187(20)
Certificate Validation Process 187(1)
Certificate Validity Checks 188(1)
Certificate Revocation 189(3)
Types of CRLs 189(1)
CRL Retrieval Process 190(1)
Revocation Reasons 190(1)
Revoking a Certificate 191(1)
Building Certificate Chains 192(4)
Exact Match 193(1)
Key Match 194(1)
Name Match 195(1)
Designing PKI Object Publication 196(5)
Choosing Publication Protocols 196(1)
Choosing Publication Points 197(2)
Choosing Publication Intervals 199(2)
Troubleshooting Publication Points 201(3)
Certutil 202(1)
PKI Health Tool 202(2)
Case Study: Choosing Publication Points 204(1)
Design Requirements 204(1)
Case Study Questions 205(1)
Additional Information 205(2)
10 Role Separation 207(26)
Common Criteria Roles 207(13)
Common Criteria Levels 207(3)
The Windows Server 2003 Implementation of Common Criteria 210(5)
Assigning Common Criteria Roles 215(2)
Implementing Certificate Manager Restrictions 217(1)
Enforcing Common Criteria Role Separation 218(2)
Other PKI Management Roles 220(8)
Local Administrator 220(1)
Enterprise Admins 221(1)
Certificate Template Manager 222(4)
Enrollment Agent 226(1)
Key Recovery Agent 227(1)
Case Study: Planning PKI Management Roles 228(2)
Scenario 228(1)
Case Study Questions 229(1)
Additional Information 230(3)
11 Planning and Implementing Disaster Recovery 233(18)
Developing Required Documentation 234(1)
Choosing a Backup Method 235(2)
System State Backups 236(1)
Manual Backups 236(1)
Performing System State Backups 237(1)
Performing Manual Backups 238(4)
Using the Certification Authority Console 238(1)
Using Certutil 239(2)
Other Backup Methods 241(1)
Restoration Procedures 242(3)
Reinstalling Certificate Services 242(2)
Restoring System State Backups 244(1)
Restoring Manual Backups 245(1)
Evaluating Backup Methods 245(3)
Hardware Failure 246(1)
Certificate Services Failure 246(1)
Server Replacement 247(1)
Case Study: Replacing Server Hardware 248(2)
Scenario 249(1)
Case Study Questions 249(1)
Additional Information 250(1)
12 Deploying Certificates 251(28)
Certificate Enrollment Methods 253(2)
Choosing an Enrollment Method 255(1)
Choosing Among Manual Enrollment Methods 255(1)
Choosing Among Automatic Enrollment Methods 255(1)
Publishing Certificate Templates for Enrollment 256(1)
Performing Manual Enrollment 257(10)
Using the Certificate Request Wizard 265(2)
Performing Automatic Enrollment 267(3)
Automatic Certificate Request Settings 267(1)
Autoenrollment Settings 268(2)
Performing Scripted Enrollment 270(4)
Certreq.exe 270(3)
Custom Scripting 273(1)
Case Study: Selecting a Deployment Method 274(2)
Scenario 275(1)
Case Study Questions 275(1)
Additional Information 276(3)
13 Creating Trust Between Organizations 279(32)
Methods of Creating Trust 279(9)
Certificate Trust Lists 280(2)
Common Root CAs 282(2)
Cross Certification 284(4)
Bridge CAs
Qualified Subordination Conditions 288(11)
Name Constraints 289(3)
Basic Constraints 292(2)
Application Policies 294(2)
Certificate Policies 296(3)
Guidelines for Qualified Subordination Conditions 299(1)
Implementing Qualified Subordination 299(5)
Implementing the Policy.inf File 301(1)
Acquiring a Partner's CA Certificate 302(1)
Generating the Cross Certification Authority Certificate 302(2)
Publishing to Active Directory 304(1)
Verifying Qualified Subordination 304(1)
Case Study: Trusting Certificates from Another Forest 305(2)
Case Study Questions
Additional Information 307(4)
Part III Deploying Application-Specific Solutions
14 Archiving Encryption Keys 311(20)
Roles in Key Archival 312(1)
The Key Archival Process 312(2)
The Key Recovery Process 314(1)
Requirements for Key Archival 315(7)
Defining Key Recovery Agents 316(4)
Enabling a CA for Key Archival 320(2)
Enabling Key Archival in a Certificate Template 322(1)
Performing Key Recovery 322(4)
Certutil 322(1)
Key Recovery Tool 323(2)
Importing the Recovered Private Key 325(1)
Best Practices 326(1)
Case Study: Lucerne Publishing 327(2)
Scenario 328(1)
Case Study Questions 328(1)
Additional Information 329(2)
15 Smart Card Deployment 331(24)
Using Smart Cards in an Active Directory Environment 331(3)
Smart Cards and Kerberos 332(1)
Requirements for Smart Card Certificates 333(1)
Planning Smart Card Deployment 334(8)
Increasing the Assurance of Smart Card Certificates 335(1)
Identifying the Required Certificate Templates 335(1)
Determining Certificate Distribution Methods 336(2)
Designing Certificate Templates for Smart Cards 338(4)
Deploying a Smart Card Management System 342(1)
Procedures 342(5)
Enabling ActiveX Controls 342(3)
Requesting Smart Card Certificates on Behalf of Other Users 345(1)
Enabling Autoenrollment 346(1)
Implementing Additional Security for Smart Cards 347(2)
Requiring Smart Cards for Interactive Logon 347(1)
Requiring Smart Cards for Remote Access 348(1)
Defining Smart Card Removal Behavior 348(1)
Using Smart Cards for Administrative Tasks 348(1)
Best Practices 349(1)
Case Study: City Power and Light 350(3)
Case Study Questions 352(1)
Additional Information 353(2)
16 Encrypting File System 355(22)
EFS Processes 356(5)
How Windows Chooses an EFS Encryption Certificate 356(1)
Local EFS Encryption 357(1)
Remote EFS Encryption Using SMB 358(1)
Remote EFS Encryption Using WebDAV 359(1)
EFS Decryption 359(1)
EFS Data Recovery 360(1)
One Application, Two Recovery Methods 361(5)
Data Recovery 362(4)
Key Recovery 366(1)
Deploying EFS 366(5)
Enabling and Disabling EFS 366(1)
Certificate Templates for EFS Encryption 367(3)
Certificate Enrollment 370(1)
Best Practices 371(1)
Case Study: Lucerne Publishing 372(3)
Scenario 373(1)
Design Requirements 373(1)
Proposed Solution 373(2)
Case Study Questions 375(1)
Additional Information 375(2)
17 Implementing SSL Encryption for Web Servers 377(34)
How SSL Works 377(3)
Certificate Requirements for SSL 380(1)
Choosing a Web Server Certificate Provider 380(1)
Placement of Web Server Certificates 381(4)
Single Web Server 381(1)
Clustered Web Servers 382(1)
Web Server Protected by ISA with Server Publishing 383(1)
Web Server Protected by ISA with Web Publishing 383(2)
Choosing a Certificate Template 385(1)
Issuing Web Server Certificates 386(8)
Issuing Web Server Certificates to Forest Members 386(3)
Issuing Web Server Certificates to Non-Forest Members 389(4)
Issuing Web Server Certificates to Third-Party Web Servers and Web Acceleration Devices 393(1)
Certificate-Based Authentication 394(3)
Defining Certificate Mappings 395(1)
Choosing Where to Perform Certificate Mappings 396(1)
Performing Certificate-Based Authentication 397(7)
Configure IIS to Use Active Directory Mappings 397(5)
Configure IIS to Use IIS Certificate Mappings 402(2)
Best Practices 404(2)
Case Study: The Phone Company 406(2)
Scenario 406(2)
Case Study Questions 408(1)
Additional Information 408(3)
18 Secure E-Mail 411(30)
Securing E-Mail 411(8)
Secure Multipurpose Internet Mail Extensions (S/MIME) 412(3)
SSL for Internet Protocols 415(4)
Choosing Certification Authorities 419(2)
Choosing Commercial CAs 419(1)
Choosing Private CAs 420(1)
Choosing Certificate Templates 421(4)
A Combined Signing and Encryption Template 421(1)
Dual Certificates for E-Mail 422(3)
Choosing Deployment Methods 425(1)
Enabling Secure E-Mail 426(5)
Enabling Outlook 427(1)
Enabling OWA 428(1)
Enabling Outlook Express 429(1)
Sending Secure E-Mail 430(1)
Migrating from Previous Exchange Server Versions 431(4)
Upgrade to Exchange 2000 431(1)
Enable Key Archival at the Windows Server 2003 Enterprise CA 432(1)
Install an Encryption Certificate at the Enterprise CA 432(1)
Enable Foreign Certificate Import at the Enterprise CA 432(1)
Export the Exchange KMS Database 433(2)
Import the Exchange KMS Database into Enterprise CA Database 435(1)
Best Practices 435(1)
Case Study: Adventure Works 436(3)
Scenario 437(1)
Case Study Questions 438(1)
Additional Information 439(2)
19 Virtual Private Networking 441(26)
Certificate Deployment for VPN 441(5)
Point-to-Point Tunneling Protocol (PPTP) 441(3)
Layer Two Tunneling Protocol (L2TP) with IP Security 444(2)
Certificate Template Design 446(3)
User Authentication 446(1)
Server Authentication 447(1)
IPSec Endpoint Authentication 448(1)
Deploying a VPN Solution 449(10)
IAS Server Configuration 450(4)
VPN Server Configuration 454(2)
Create a VPN Connection Object 456(3)
Best Practices 459(1)
Case Study: Lucerne Publishing 460(3)
Scenario 461(1)
Case Study Questions 462(1)
Additional Information 463(4)
20 Wireless Networking 467(24)
Threats Introduced by Wireless Networking 467(1)
Protection for Wireless Communications 468(2)
MAC Filtering 468(1)
Wired Equivalent Privacy 469(1)
Wi-Fi Protected Access 470(1)
802.1x Authentication Types 470(3)
EAP/TLS Authentication 471(1)
PEAP Authentication 471(1)
How 802.1x Authentication Works 471(2)
Planning Certificates for 802.1x Authentication 473(2)
Computer Certificates for RADIUS Servers 473(1)
User Certificates for Clients 474(1)
Computer Certificates for Clients 474(1)
Deploying Certificates to Users and Computers 475(2)
RADIUS Server 475(1)
Client Computers 476(1)
Users 476(1)
Implementing 802.1x Authentication 477(9)
Configuring the RADIUS Server 477(6)
Configuring the Wireless Access Point 483(1)
Connecting to the Wireless Network 483(3)
Best Practices 486(1)
Case Study: Margie's Travel 486(3)
Scenario 487(1)
Case Study Questions 488(1)
Additional Information 489(2)
21 Code Signing 491(18)
How Code Signing Works 491(2)
Certification of Code Signing Certificates 493(3)
Commercial Certification 494(1)
Corporate Certification 495(1)
Planning Deployment of Code Signing Certificates 496(1)
Certificate Template Design 496(1)
Planning Enrollment Methods 497(1)
Performing Code Signing 497(5)
Gathering the Required Tools 497(1)
Using Signcode.exe 498(2)
Visual Basic for Applications Projects 500(2)
Verifying the Signature 502(2)
Internet Explorer 502(1)
The Check Trust Program (Chktrust.exe) 503(1)
Best Practices 504(1)
Case Study: Lucerne Publishing 505(1)
Scenario 505(1)
Case Study Questions 506(1)
Additional Information 506(3)
Appendix: Case Study Answers 509(32)
Chapter 1: Basics of Cryptography 509(1)
Chapter 2: Primer to PKI 510(1)
Chapter 3: Policies and PKI 511(1)
Chapter 4: Preparing an Active Directory Environment 512(1)
Chapter 5: Designing a Certification Authority Hierarchy 513(2)
Chapter 6: Implementing a CA Hierarchy 515(3)
Chapter 7: Securing a CA Hierarchy 518(1)
Chapter 8: Designing Certificate Templates 519(2)
Chapter 9: Certificate Validation 521(1)
Chapter 10: Role Separation 521(3)
Chapter 11: Planning and Implementing Disaster Recovery 524(1)
Chapter 12: Issuing Certificates 525(2)
Chapter 13: Creating Trust Between Organizations 527(1)
Chapter 14: Archiving Encryption Keys 528(1)
Chapter 15: Smart Card Deployment 529(2)
Chapter 16: Encrypting File System 531(1)
Chapter 17: Implementing SSL Encryption for Web Servers 532(1)
Chapter 18: Secure E-Mail 533(2)
Chapter 19: Virtual Private Networking 535(2)
Chapter 20: Wireless Networking 537(2)
Chapter 21: Code Signing 539(2)
Index 541
