Windows Server 2003 Pki Certificate Security

Sinopsis

Brian Komar is a principal consultant for Microsoft Corporation, specializing in network security and public key infrastructure (PKI). Brian has authored MCSE Training Kits, Microsoft Prescriptive Architecture Guides, and PKI white papers, and he is the coauthor of the Microsoft Windows Security Resource Kit. Brian is a frequent speaker at IT conferences such as Microsoft TechEd, MCP TechMentor, and Windows and .NET Magazine Connections. The Windows Server 2003 PKI and Certificate Security book will demystify PKI and certificate based security implementations for you. It will be very helpful to anyone who wants to learn what PKI can do for them or needs to know the specifics of how to implement it in their network for many uses from large networks to the small office. For many the thought of PKI, intimidates them. It should not as it really is not that difficult and can improve your security tremendously over traditional password based authentication and allow use of strong encryption and digital signing [proof of entity and integrity]. PKI is used to generate public and private keypairs for use in applications such as L2TP VPN, IPSEC, 802.1X authentication for wireless and wired networks, EFS file encryption, application signing, secure email encryption and signing, SSL website security, and smart cards. The book starts out with the basic concepts of PKI and the use of symmetric and asymmetric encrytpion and how they work together in PKI. It also explains digital signiatures the other big use for certificates/private keys. It is written to be very understandable and the user or admin that has little understanding of PKI should have no problem learing the content and implemeting it. It does assume a basic understanding of Active Directory for Enterprise Certificate Authority use and also covers stand alone Certificate Authority. The book is also written so that you can refer to indivudual chapters such as the excellent chapter on how to implement 802.1X wireless if you do not need to know other material covered. PKI hierarchy is well covered whether you need to install a single CA, levels of CA`s in your network, or even how to setup cross trusts to other CA hierarchies for full trust or conditional trust. If you have a Windows 2000 forest you can learn how to prep your forest schema for using a Windows 2003 Enterprise CA to take advantage of the new features such as autoenrollent for XP clients, configurable version 2 certificate templates, and archivable private keys for certificates used for encryption. Other important topics such as how to install a CA, configure a CAPolicy.inf file, use the certutil utility for many tasks, obtaining and implementing your own OID, role separation for those that need it, CRL and AIA publication points which is very important to the success of your PKI particularly if you are going to use an offline CA or for computers not on your network that use your certificates, configuring an offline CA and securing it, using HSM`s hardware security modules to protect the CA`s private key, how to configure version 2 templates, configuring Group Policy for autoenrollment, configuring auditing, using Web Enrollment, how to backup and restore your CA and disaster recovery, how to publish certificates to Active Directory using certutil or PKIhealth tool, the concept of chaining to a trusted root CA [very important], and more. With the book comes a lot of helpful tools and scripts such as an example of a CAPolicy.inf and numerous scripts including enroll.vbs that can be used to enroll users on Windows 2000 computers for certificates via logon script. The last part of the book is about application specific use of certificates such as for EFS, email, VPN, smart cards, and more. The chapters cover the advantages of using certifcates for each application, how to plan it, and the specifics of how to implement including how to configure certificate templates and issue certificates to users and computers in in a step by step fashion to have you up and running for that application. There are many tricks and traps in the book that can save a user a lot of time such as verifying that a VPN server is in the RAS and IAS servers group as one example. These tips show that the book is much more than a cut and paste of white papers as some books are. Then end of each chapter has links to many related KB articles, white papers, and RFC`s for those that want more information. I found the Windows Server 2003 PKI and Certificate Security book puts it all together for Windows 2003 PKI from understanding the concept of PKI to putting it to use in your own network to greatly enhance your security. Microsoft has many excellent white papers and articles on PKI for Windows 2003 but for many this book will be all that is needed and an invaluable resource for those that use it, plan to use it, or want to know more about it.