
Certificate Services

With all of the security threats occurring on the Internet, it's important to be able to trust the resource you're connecting to and through which you're passing information. One way you can enable others to trust you is by installing Certificate Services on your server. Certificate Services is included with Windows Server 2008 but not installed by default. The service is used to issue and manage certificates for a Public Key Infrastructure (PKI). Certificate Services allows a computer running Windows Server 2008 to receive requests for certificates from users and computers, verify the identity of a requestor, issue and revoke certificates, and publish a Certificate Revocation List (CRL).

Installing ADCS (Active Directory Certificate Services)

You can install and configure Certificate Services by running the Add Roles Wizard. By selecting Active Directory Certificate Services (ADCS) from the Server Roles list, you allow Windows Server 2008 to act as a CA, or Certificate Authority. ADCS is used to create a Certification Authority to issue and manage certificates for various applications.

In the Select Server Roles window, select Active Directory Certificate Services by placing a checkmark next to it, and then click Next.

On the Select Role Services page, make sure Certification Authority is selected.

Notice that the Add Roles Wizard pops up a dialog box telling you that it will need to add a number of web-related services. Click Add Required Role Services to confirm that it's OK.

On the Specify Setup Type page, leave Enterprise selected. Click Next.

On the Specify CA Type page, click Subordinate CA, and then click Next.

On the Set up Private Key page, click Create a new private key, and then click Next.

On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm. Click Next.

On the Configure CA Name page, create a unique name to identify the CA. Click Next.

On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next.

On the Configure Certificate Database page, accept the default locations or specify a custom location for the certificate database and certificate database log. Click Next.

On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Install and wait until the setup process has finished.
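The same wizard choices expressed as a script, as an added example that is not part of the original page: it uses the ADCSDeployment cmdlets that ship with Windows Server 2012 and later (Windows Server 2008 offers only the wizard), and the CA name, database directories and request-file path are assumed values.

```powershell
# Added example (not from the original page). Requires Windows Server 2012 or later,
# where the ADCSDeployment module exists; run from an elevated PowerShell session.

# "Select Role Services" step: install the Certification Authority role service.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure the CA, mirroring the wizard pages:
#   Setup type / CA type : Enterprise, Subordinate CA -> -CAType EnterpriseSubordinateCA
#   Set up Private Key   : create a new key           -> provider, key length, hash below
#   Configure CA Name    : assumed name "Contoso-Issuing-CA"
#   Certificate Database : assumed custom locations on D:
# A subordinate CA's own certificate is issued by its parent, so the cmdlet writes a
# request file that must be submitted to the parent CA; -ValidityPeriod applies only
# to a root CA, since a subordinate's lifetime is fixed by the parent's issued cert.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso-Issuing-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -DatabaseDirectory 'D:\CertDB' `
    -LogDirectory 'D:\CertLog' `
    -OutputCertRequestFile 'D:\Contoso-Issuing-CA.req' `
    -Force

# After the parent CA has signed the request, install the issued certificate and start the CA:
#   certutil -installcert D:\Contoso-Issuing-CA.cer
#   Start-Service CertSvc

# Verify the choices that matter for security: CA name and the CNG hash algorithm in use.
certutil -cainfo name
certutil -getreg CA\CSP\CNGHashAlgorithm
```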

The following figure shows the Certificates management console.

What is a PKI?

Whenever an organization uses technologies such as smart cards, IPsec, Secure Sockets Layer (SSL), digital signatures, Encrypting File System (EFS), or other technologies that rely upon using specific levels of encryption, the organization will need to create a public system of encryption and identification. A PKI, or Public Key Infrastructure, is used to help ensure that all who are using a system are in fact authorized to access it. Using PKI will enable the use of digital certificates between authenticated and trusted entities. A certificate is nothing more than an electronically-based official document that helps the client viewing the certificate to check the authenticity of the host with the certificate. The most common reason for using a system of certificates is Secure Sockets Layer (SSL), which verifies a user's identity and securely transmits data. Certificates in a PKI are used to secure data and manage the identification credentials of resources within and outside the organization. A Certificate Authority (CA) is part of a Public Key Infrastructure (PKI) which is responsible for validating certificates, issuing certificates, and revoking certificates. At the bare minimum, an enterprise using Microsoft Active Directory Certificate Services (ADCS) must have at least one CA that issues and revokes certificates. For redundancy, there is usually more than one CA deployed in an organization. Also, CAs can be either internal or external and can exist at several different levels, acting as a root CA or an issuance-only CA. There are many different ways to deploy your CA, so it is wise to understand your needs before you deploy.

Exam Questions

Question
You are an enterprise administrator for Certkiller. The corporate network of the company consists of 10 servers that run Windows Server 2008 in an Active Directory domain and several client computers that run Windows Vista. All the servers were Remote Desktop (RDP) enabled with default security settings for server administration. Which of the following options would you choose to ensure the RDP connections between Windows Server 2008 servers and Windows Vista client computers are as secure as possible?

A. Configure the firewall on each server to block port 3380.
B. Set the security layer for each server to the RDP security layer and acquire user certificates from the internal certificate authority.
C. Set the security layer for each server to the RDP security layer and configure the firewall on each server to block port 3389.
D. Acquire user certificates from the internal certificate authority and configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication.
E. None of the above.

Answer: D

Explanation: To ensure the RDP connections are as secure as possible, you need to first acquire user certificates from the internal certificate authority and then configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication. In the pre-W2008 Terminal Server, you used to enter the name of the server and a connection was initiated to its logon screen. Then, at that logon screen, you attempted to authenticate. From a security perspective, this isn't a good idea, because by doing it in this manner you're actually getting access to a server prior to authentication; the access you're getting is right to a session on that server, and that is not considered a good security practice. NLA, or Network Level Authentication, reverses the order in which a client attempts to connect. The new RDC 6.0 client asks you for your username and password before it takes you to the logon screen. If you're attempting to connect to a pre-W2008 server, a failure in that initial logon will fall back to the old way of logging in. It shines when connecting to Windows Vista computers and W2008 servers: with NLA configured, it prevents the fallback authentication from ever occurring, which prevents the bad guys from gaining access to your server without a successful authentication.
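A defender-side check for the NLA requirement the answer describes, as an added example that is not part of the original page: it reads the RDP-Tcp listener's registry values on a Windows Server 2008 or later host and reports whether NLA and the TLS security layer are enforced (the key path and value names are the documented listener settings; the function names are assumptions).

```powershell
# Added example (not from the original page): audit, and optionally enforce, NLA and the
# TLS security layer on the RDP-Tcp listener. Run elevated to use the Set- function.
# Listener values:
#   UserAuthentication : 1 = client must authenticate (NLA) before a session is created
#   SecurityLayer      : 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSecurityState {
    $p = Get-ItemProperty -Path $rdpKey
    $layerName = switch ($p.SecurityLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { 'Unknown' } }
    [pscustomobject]@{
        NlaRequired   = ($p.UserAuthentication -eq 1)
        SecurityLayer = $layerName
        # Compliant only when NLA is mandatory AND the listener uses TLS; the RDP security
        # layer (options B and C in the question) does not authenticate the server.
        Compliant     = ($p.UserAuthentication -eq 1 -and $p.SecurityLayer -eq 2)
    }
}

function Set-RdpSecurityHardened {
    # Require NLA so no logon screen session exists before authentication succeeds,
    # and force the TLS layer. Takes effect for new connections.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
}

$state = Get-RdpSecurityState
$state
if (-not $state.Compliant) {
    Write-Warning 'RDP listener permits pre-authentication sessions or a weak security layer.'
    # Uncomment to remediate on this host:
    # Set-RdpSecurityHardened
}
```

Run the audit across the ten servers from the question with Invoke-Command, and treat any host reporting Compliant = False as a finding to remediate through Group Policy rather than one-off registry edits.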
