Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Configuring and Using Active Directory Certificate Services (part 4) - Protecting Your AD CS Configuration

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
11/16/2011 3:31:16 PM

5. Protecting Your AD CS Configuration

Along with the security measures you must perform for your root and intermediate CAs, you must also protect each CA, especially issuing CAs through regular backups. Backing up a CA is very simple. In Server Manager, expand Roles\Active Directory Certificate Services\CA Server Name. Right-click the server name, point to All Tasks, and click Back Up CA. When you launch the backup operation, it launches the Certification Authority Backup Wizard. To back up the CA, use the following operations:

  1. Launch the Certification Authority Backup Wizard and click Next.

  2. On the Items To Back Up page, select the items you want to back up.

    • The Private Key And CA Certificate option protects the certificate for this server.

    • The Certificate Database And Certificate Database Log option protects the certificates that this CA manages. You can also perform incremental database backups.

  3. Identify the location to back up to.

    For example, you could create the backup to a file share on a central server location. Remember, however, that you are backing up highly sensitive data and transporting it over the network, which might not be the best solution. A better choice might be to back up to a local folder and then copy the backup to removable media.

  4. Identify the location and click Next. Note that the target location must be empty.

  5. Assign a strong password to the backup. Click Next.

  6. Review the information and click Finish.

    The wizard performs the backup. Protect the backup media thoroughly because it contains very sensitive information.

You can also perform automated backups through the command line with the Certutil.exe command with the appropriate switches to back up and restore the database.

To restore information, use the Certification Authority Restore Wizard. When you request a restore operation by right-clicking the server name, pointing to All Tasks, and clicking Restore CA, the wizard immediately prompts you to stop the CA service before the restore operation can begin. Click OK. After the service is stopped, the Welcome page of the wizard appears.

  1. Click Next.

  2. Select the items you want to restore. You can restore the private key and the CA certificate as well as the database and log.

  3. Type the location of the backup files or click Browse to locate the backup data. Click Next.

  4. Type the password to open the backup and click Next.

  5. Verify your settings and click Finish.

    After the restore operation is complete, the wizard offers to restart the AD CS service.

  6. Click Yes. Verify the operation of your CA after the restore is complete.

5.1. Practice Configuring and Using AD CS
5.1.1. Practice Configuring and Using AD CS

In this practice, you perform five key tasks. In the first, you finalize the configuration of an Online Responder. In the second, you work with Enterprise PKI to correct the errors in an AD CS implementation. Then you create a custom certificate template to publish certificates. You also enable autoenrollment for certificates to ensure that your users can obtain them automatically. Finally, you ensure that your issuing CA will automatically enroll clients.

EXERCISE 1 Finalizing the Configuration of an Online Responder

As mentioned earlier, to finalize the configuration of an online responder, you must configure and install an OCSP Response Signing certificate and configure an Authority Information Access (AIA) extension to support it. Use the following procedure:

  1. Log on to SERVER04 using the domain administrator account.

  2. In Server Manager, expand Roles\Active Directory Certificate Services and select Certificate Templates. When you click it, the node displays the server name in parentheses, in this case SERVER01.contoso.com.

  3. Right-click the OCSP Response Signing template and click Duplicate Template. Select Windows Server 2008 Enterprise and click OK.

  4. Type a valid name for the new template, such as OCSP Response Signing WS08.

  5. Select the Publish Certificate In Active Directory check box.

  6. On the Security tab, under Group Or User Names, click Add, click Object Types to enable the Computer object type, and click OK.

  7. Type SERVER04, and then click Check Names. Click OK.

  8. Under Group Or User Names, click the computer name you just added, and then, in the Permissions section of the dialog box, select the Read, Enroll, and Autoenroll permissions in the Allow column.

  9. Click OK to create the duplicate template.

Your certificate template is ready. Now you must configure the AIA extension to support the OR. Continue with these steps:

  1. Remain on SERVER04.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Certificate Services\Contoso-Issuing-CA01.

  4. Right-click Contoso-Issuing-CA01 in the tree pane and click Properties.

  5. On the Extensions tab, click the Select Extension drop-down list and choose Authority Information Access (AIA).

  6. Specify the locations to obtain certificate revocation data. In this case, select the location beginning with http://.

  7. Select the Include In The AIA Extension Of Issued Certificates and the Include In The Online Certificate Status Protocol (OCSP) Extension check boxes.

  8. Click OK to apply the changes.

  9. Note that you must stop and restart the AD CS service because of the change. Click Yes in the Certification Authority dialog box to do so.

  10. Move to the Certificate Templates node under Contoso-Issuing-CA01 in the tree pane, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.

  11. In the Enable Certificate Templates dialog box, select the new OCSP Response Signing template that you created earlier and click OK.

    The new template should appear in the details pane.

  12. You now need to verify that the OCSP certificate has been assigned to the server. You do so with the Certificates snap-in. By default, this snap-in is not in a console. You must create a new console to use it.

  13. Open the Start menu, type mmc in the search box, and then press Enter.

  14. In the MMC, click Add/Remove Snap-in on the File menu to open the Add Or Remove Snap-ins dialog box.

  15. Select the Certificates snap-in and click Add.

  16. Select Computer Account and click Next.

  17. Select Local Computer and click Finish.

  18. Click OK to close the Add Or Remove Snap-ins dialog box.

  19. On the File menu, click Save to save the console and place it in your Documents folder. Name the console Computer Certificates and click Save.

  20. Expand Certificates\Personal and select Certificates.

  21. Right-click Certificates under Personal, point to All Tasks, and then click Request New Certificate. Click Next.

  22. On the Certificate Enrollment page, make sure the Active Directory Enrollment Policy is selected and click Next.

  23. Select the new OCSP certificate and click Enroll.

  24. On the next page, click the down arrow to the right of Details, and then click View Certificate. Browse through the tabs to view the certificate details, noting the certificate name. Click OK.

  25. Click Finish to complete this part of the operation.

  26. Right-click the new certificate, point to All Tasks, and then click Manage Private Keys.

  27. On the Security tab, under Group Or User Names, click Add.

  28. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Locations, select SERVER04, and click OK.

  29. Type Network Service and click Check Names. Click OK.

  30. Click Network Service, and then, in the Permissions section of the dialog box, make sure the Allow::Full Control permission is selected. Click OK to close the dialog box.

Your OR is ready to provide certificate validation information. Now that it is ready, add a revocation configuration. Perform the following steps:

  1. Remain on Server04.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Certificate Services\Online Responder and select Revocation Configuration.

  4. Right-click Revocation Configuration and click Add Revocation Configuration.

  5. On the Welcome page, click Next.

  6. On the Name The Revocation Configuration page, type RCSERVER04.

  7. Click Next.

  8. On the Select CA Certificate Location page, identify the location from which the certificate can be loaded. You can choose from Active Directory, a local certificate store, or a file. Choose Select A Certificate For An Existing Enterprise CA and click Next.

  9. Because your root CA is offline, choose Browse CA Certificates Published In Active Directory and click Browse.

  10. Locate the root certification authority (Contoso-Root-CA) and click OK.

    After the certificate is selected, the wizard loads the Online Responder signing templates.

  11. Click Next.

    On the Select Signing Certificate page, you must select a signing method because the OR signs each response to clients before it sends it. Three choices are available:

    • Automatic selection loads a certificate from the OCSP template you created earlier.

    • Manually, you can choose the certificate to use.

    • CA Certificate uses the certificate from the CA itself.

    Choose Automatically Select A Signing Certificate and select Auto-Enroll For An OCSP Signing Certificate.

  12. Click Browse to browse for a CA and select Contoso-Issuing-CA01. Click OK.

    This should automatically select the certificate template you prepared earlier.

  13. Click Next.

    The wizard initializes the revocation provider. If for some reason it cannot find it—it is not displayed in the dialog box—you must add the provider manually, as described in steps 14 and 15; otherwise, skip to step 16. For the purposes of this exercise, perform steps 14 through 16.

  14. Click Provider, and then click Add under Base CRLs. Use the following HTTP address: http://localhost/ca.crl. Click OK.

  15. Repeat the preceding step for the Delta CRLs and use the same HTTP address. Note, because you are obtaining the certificate from Active Directory, the listed provider is an address in ldap:// format and should be provided automatically by the wizard. AD CS relies on Lightweight Directory Access Protocol (LDAP) to obtain information from the AD DS directory store. In production, however, you might need to add a second source such as from an HTTP address. Click OK.

  16. Click Finish to complete the revocation configuration.

You should now have a new revocation configuration listed in the details pane, however it will not be working because of the HTTP addresses you added in step 14 and 15, which you will correct in the next exercise.

In production you would repeat this procedure for each CA that is an OR.

EXERCISE 2 Correct an AD CS Implementation with Enterprise PKI

In this exercise, you rely on Enterprise PKI to identify and then correct configuration issues with your AD CS implementation. This exercise demonstrates the value of working with Enterprise PKI.

  1. Make sure that SERVER01, SERVER03, and SERVER04 are running.

  2. Log on to SERVER04, using the domain Administrator account.

  3. Launch Server Manager from the Administrative Tools program group.

  4. Expand Roles\Active Directory Certificate Services and select Enterprise PKI. Expand Enterprise PKI\Contoso-Root-CA. Click Contoso-Issuing-CA01 and note the errors. (See Figure 3.) These errors exist if you added HTTP locations in the preceding exercise. If you did not, your configuration will not include any errors.

    These errors refer to the web-based download locations for the CRL Distribution Point and for the AIA. These errors appear because they refer to locations that do not exist. These locations must be created manually in IIS. However, because you are using an AD DS–integrated AD CS deployment, you do not need to add web-based download locations even if they are indicated by default in the configuration of AD CS. In an AD DS–integrated deployment, the directory service is responsible for AIA and CRL distribution, and, because this service is highly available, no secondary location is required. In fact, you need to add secondary locations only if you want to make them available to mobile or external users who are outside your internal network. If you do so, the URLs you specify must be available externally.

    Figure 3. Viewing configuration errors in Enterprise PKI

  5. Right-click Contoso-Issuing-CA01 under AD CS in Server Manager and click Properties.

  6. On the Extensions tab, verify that CRL Distribution Point (CDP) is selected in the drop-down list.

  7. Select http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl in the Locations section of the dialog box, and make sure that Include In CRLs, Clients Use This To Find Delta CRL Locations, as well as Include In The CDP Extension Of Issued Certificates are cleared. (They may already be cleared.)

  8. Select Authority Information Access (AIA) from the drop-down list.

  9. Select http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt and clear Include In The AIA Extension Of Issued Certificates as well as Include In The Online Certificate Status Protocol (OCSP) Extension. Click OK to apply your changes.

    AD CS automatically points to a CertEnroll virtual directory under the default website as the CDP. However, the installation process for AD CS does not create this virtual directory by default. If you need to provide web support for CRLs, even if this is only an internal deployment, you must create the virtual directory in IIS. However, in this case, it is not required. Also, as a best practice, you do not remove the HTTP location. If you need to add it later, the proper format for the URL will already be there, and you need only to reselect the appropriate options.

  10. Because you modified the configuration of the AD CS server, the console asks you to restart AD CS on this server. Click Yes.

  11. Return to Enterprise PKI in Server Manager.

  12. On the toolbar, click the Refresh button to update Enterprise PKI.

    There should no longer be any errors in the Enterprise PKI view.



You must verify Enterprise PKI in your production network to make sure no errors are displayed. Use this procedure to correct them if errors are present.

EXERCISE 3 Create a Duplicate Certificate Template for EFS

In this exercise, you create a duplicate certificate to enable EFS and publish it so it can use autoenroll and use EFS to protect the system data.

  1. Make sure SERVER01 and SERVER04 are both running.

  2. Log on to SERVER04, using the domain Administrator account.

  3. Launch Server Manager from the Administrative Tools program group.

  4. Expand Roles\Active Directory Certificate Services. Click Certificate Templates (servername).

    Note that all the existing templates are listed in the details pane.

    Also note that you are connected to a DC (SERVER01) by default. To work with templates, you must be connected to a DC so that the templates can be published to AD DS. If you are not connected, you must click the More Actions\Connect To Another Writable Domain Controller link in the action pane to do so.

  5. Select the Basic EFS template in the details pane, right-click it, and click Duplicate Template.

  6. Select the version of Windows Server to support—in this case, Windows Server 2008—and click OK.

  7. Name the template Basic EFS WS08 and set the following options. Leave all other options as is.

    • On the Request Handling tab, select the Archive Subject’s Encryption Private Key and Use Advanced Symmetric Algorithm To Send The Key To The CA check boxes. Archival storage of the private key allows you to protect it if the user loses it.

    • On the Subject Name tab, add information to the Alternate Subject Name values. Select the E-mail Name and User Principal Name (UPN) check boxes.

  8. Click OK.

  9. Right-click the EFS Recovery Agent template and click Duplicate.

  10. Select the version of Windows Server to support—in this case, Windows Server 2008—and click OK.

  11. Name the template EFS Recovery Agent WS08 and set the following options. Leave all other options as is.

    • On the General tab, select the Publish Certificate In Active Directory check box. Note that the recovery agent certificate is valid for a much longer period than the EFS certificate itself.

    • On the Request Handling tab, make sure you select the Archive Subject’s Encryption Private Key and Use Advanced Symmetric Algorithm To Send The Key To The CA check boxes. Archival storage of the private key allows you to protect it if the user loses it.

    • On the Subject Name tab, add information to the Alternate Subject Name values. Select the E-mail Name and User Principal Name (UPN) check boxes.

  12. Click OK.

  13. In Server Manager, expand Roles\Active Directory Certificate Services\Issuing CA Name and select Certificate Templates.

  14. To issue a template, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.

  15. In the Enable Certificate Templates dialog box, hold down the Ctrl key and click to select both Basic EFS WS08 and EFS Recovery Agent WS08. Click OK.

    Your templates are ready.

EXERCISE 4 Configure Autoenrollment

In this exercise, you use Group Policy to configure autoenrollment. This exercise uses the Default Domain policy for simplicity, but in your environment, you should create a custom policy for this purpose and for all other custom settings you need to apply at the entire domain level.

  1. Move to SERVER01 and log on as a domain administrator.

  2. Launch Group Policy Management from the Administrative Tools program group.

  3. Expand all the nodes to locate the Default Domain Policy. Right-click it and click Edit.

  4. To assign autoenrollment for computers, expand Computer Configuration\Policies\Windows Settings\Security Settings and select Public Key Policies.

  5. Double-click Certificate Services Client – Auto-Enrollment.

  6. Enable the policy and select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.

  7. Click OK to assign these settings. Close the GPMC.

    Your policy is ready.

EXERCISE 5 Enable the CA to Issue Certificates

Now you need to set the default action that the CA performs when it receives certificate requests.

  1. Return to SERVER04 and log on, using the domain Administrator account.

  2. Move to Server Manager.

  3. Right-click the issuing CA server name under AD CS, Contoso-Issuing-CA01, and click Properties.

  4. On the Policy Module tab, click Properties.

  5. To have certificates issued automatically, verify that Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate is selected. Click OK. Click OK again to close the Properties dialog box.

    Your issuing CA is now ready for production and will begin to issue EFS certificates automatically when they are requested either by your users or by computers.

Other -----------------
- Configuring and Using Active Directory Certificate Services (part 3) - Considerations for the Use and Management of AD CS & Working with Enterprise PKI
- Windows Server 2003 : The Security Configuration Wizard
- Windows Server 2003 : Understanding Security Considerations
- Microsoft Content Management Server : Moving Postings
- Microsoft Content Management Server : Copying Postings
- Upgrading to Systems Management Server 2003 - Upgrading a Primary Site & Upgrading a Secondary Site
- Exchange Server 2007 : Securing Access to ActiveSync Using Internet Security and Acceleration (ISA) Server 2006
- Exchange Server 2007 : Working with ActiveSync Policies
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 3)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 2)
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server