Securing Windows 2000 Certificate ServicesAbstractTable Of ContentsEnterprise RootEnterprise SubordinateStandalone RootStandalone SubordinateCryptographic Service ProvidersHash AlgorithmsKey LengthUse Existing KeysSecurity ConsultingElectronic Commerce & WWW DesignEmergency ResponseSystem Management at the “Guru” LevelIntrusion Detection and Event ManagementTechnology Strategies and ArchitecturesBoston Los Angeles New York San Francisco Tampa Washington DCOriginal material and content © Osborne/McGraw-Hill, 2000-2001. Supplemental material and updates © SystemExperts Corporation, 1995 - 2001. Securing Windows 2000 Certificate Services Philip Cox ([email protected]) Version 1.0 4/17/2001 Abstract The best place to start this paper is to discuss what it is not about. It is not about designing Public Key Infrastructure (PKI). We are not designing a PKI, but detailing how to securely configure the Win2K certificate services to play apart in the PKI of your company. We will be discussing the following: • PKI Concepts and Definitions • The services provided by Win2K Certificate Services • Installing Certificate Services securely • Managing Certificate Services in a secure manner • Using Certificate Services Understanding Windows 2000 security in general is fundamental to understanding this paper. The usage of the Active Directory (AD) and Group Policies are especially important. This paper is excerpted and modified from a non-published chapter of the “Windows 2000 Security Handbook” (ISBN: 0-07-212433-4, copyright Osborne/McGraw-Hill) authored by Phil Cox and Tom Sheldon (www.windows2000securityhandbook.com). Original material and content © Osborne/McGraw-Hill, 2000-2001. Supplemental material and updates © SystemExperts Corporation, 1995 - 2001. All rights reserved. All trademarks used herein are the property of their respective owners.Original material and content © Osborne/McGraw-Hill, 2000-2001. Supplemental material and updates © SystemExperts Corporation, 1995 - 2001. Table Of Contents Abstract....................................................................................................................................................................1 Table Of Contents....................................................................................................................................................2 Public Key Cryptography.........................................................................................................................................3 Bridge CAs and Feral PKI...............................................................................................................................4 Public Key Infrastructure: Solving the Distribution Problem ..............................................................................4 Certificate Revocation List ..............................................................................................................................4 Windows 2000 Certificate Services.........................................................................................................................5 Certificate Protocols and Standard Structures..........................................................................................................5 Methods to Distribute and Check Certificates......................................................................................................6 Certificate Operations..........................................................................................................................................7 Request.............................................................................................................................................................7 Issue.................................................................................................................................................................8 Revoke.............................................................................................................................................................8 Managing .........................................................................................................................................................8 Authentication, Authorization, and Auditing .......................................................................................................9 Administering Certificate Services ..........................................................................................................................9 Tools....................................................................................................................................................................9 Certificate Manager..........................................................................................................................................9 Certificate Server Manager............................................................................................................................10 Command Line Tools for Manipulating Certificate Services.........................................................................10 Securing the Certificate Services .......................................................................................................................10 Installing Certificate Services ............................................................................................................................10 Certificate Authority Type.............................................................................................................................11 Advanced Options..........................................................................................................................................13 Identifying Information and Database Storage...............................................................................................14 Configuring the Certificate Authority Properties...............................................................................................16 Security Permissions......................................................................................................................................16 Policy and Exit Modules................................................................................................................................19 Setting Web Services