CN2140 Server II
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCITP, MCTS, MCDST, MCP, A+
Agenda
• Chapter 10: Maintaining Network Health
• Exercise
• Lab
• Quiz
Public Key Infrastructure
• Allows two parties to communicate securely, without any previous communication, through the use of public key cryptography
• Public key cryptography stores a public key for each participant in a PKI
• Each participant also possesses a private key
• By combining the public key with the private key, one entity can communicate with another entity in a secure fashion without exchanging any sort of shared secret key beforehand
  ▫ A shared secret key is a secret piece of information that is shared between two parties
Certificate Authority (CA)
• An entity that issues and manages digital certificates for use in a PKI
  ▫ For Server 2008, it requires the AD CS server role
  ▫ CAs are hierarchical (one root and several subordinate CAs)
  ▫ Three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers
Digital Certificate
• The digital certificate contains
  ▫ The certificate holder’s name
  ▫ Public key
  ▫ The digital signature of the Certificate Authority that issued the certificate
  ▫ The certificate’s expiration date
Digital Signature
• Proves the identity of the entity that has signed a particular document
• A digital signature indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox
Certificate Practice Statement and Certificate Revocation List
• Certificate Practice Statement (CPS)
  ▫ Provides a detailed explanation of how a particular CA manages certificates and keys
• Certificate Revocation List (CRL)
  ▫ This list identifies certificates that have been revoked or terminated, along with the corresponding user, computer, or service
  ▫ Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date
Certificate Templates
• Templates used by a CA to simplify the administration and issuance of digital certificates
Self-Enrollment and Enrollment Agents
• Self-Enrollment
  ▫ This feature enables users to request their own PKI certificates, typically through a Web browser
• Enrollment agents
  ▫ These are used to request certificates on behalf of a user, computer, or service
• You can use either self-enrollment or enrollment agents
Autoenrollment
• Supported by Windows Server 2003 and later
• Allows users and computers to automatically enroll for certificates based on:
  ▫ One or more certificate templates
  ▫ Group Policy settings in Active Directory
  ▫ Certificate templates that are based on Windows 2000 will not allow autoenrollment
Recovery Agent
• These agents are configured within a CA to allow users to recover private keys for users, computers, or services if their keys are lost
Key Archival
• This is the process by which private keys are maintained by the CA for retrieval by a recovery agent
• In a Windows PKI implementation, users’ private keys can be stored within AD
Windows Server 2008 and Certificate Services
• The AD CS server role consists of the following services and features:
  ▫ Web enrollment
  ▫ Online Responder
    Responds to requests from clients about certificate status using the Online Certificate Status Protocol (OCSP)
  ▫ Network Device Enrollment Service (NDES)
    Enrolls hardware-based routers and other network devices for PKI certificates
Types of CAs
• When deploying a Windows-based PKI, two different types of CAs can be deployed:
  ▫ Standalone CA
    Not integrated with AD
    Requires administrator intervention to respond to certificate requests
  ▫ Enterprise CA
    Integrated with AD
    Can use certificate templates
Revocation Configuration
• To make revocation information available
  ▫ Each individual CA must be configured with its own revocation configuration
  ▫ Certificate revocation information can come from any 2003, 2008, or non-Microsoft CAs
  ▫ Certificate revocation information is used to determine the validity of certificates
    Clients connect to alternate resources, such as Web servers or LDAP directories, where the CA has published its revocation information, rather than to the root CA itself
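An added Python model (not part of the course slides) of the three-tier hierarchy from the CA slide and of the CRL check from the revocation slides: a root CA signs an issuing CA, the issuing CA signs a user certificate, each CA publishes its own signed CRL, and the validator walks the chain checking expiry, issuer signature and the issuing CA's CRL at every tier. The tiny RSA primes, CA names and serial numbers are constructed for illustration only.

```python
import hashlib, json
from datetime import date

# Constructed toy RSA on tiny primes: shows only the signing relationship between CA tiers.
def make_key(p, q, e):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}
def digest(body, n):  # SHA-256 of the canonical JSON encoding, reduced mod n
    return int.from_bytes(hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest(), "big") % n
def sign(body, key):
    return pow(digest(body, key["n"]), key["d"], key["n"])
def verify_sig(body, sig, pubkey):
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(body, pubkey["n"])

def issue(subject, subject_key, issuer, issuer_key, serial, expires):
    body = {"subject": subject, "pub": {"n": subject_key["n"], "e": subject_key["e"]},
            "issuer": issuer, "serial": serial, "expires": expires}
    return {"tbs": body, "sig": sign(body, issuer_key)}

def publish_crl(issuer, issuer_key, revoked_serials):  # each CA signs its own CRL
    body = {"issuer": issuer, "revoked": sorted(revoked_serials)}
    return {"tbs": body, "sig": sign(body, issuer_key)}

def validate(chain, trusted_roots, crls, today):
    # Walk leaf -> intermediate -> trusted root; check expiry, issuer signature and the issuing CA's own CRL at each step
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if today > date.fromisoformat(tbs["expires"]):
            return False, f"{tbs['subject']} expired"
        issuer = chain[i + 1]["tbs"] if i + 1 < len(chain) else trusted_roots.get(tbs["issuer"])
        if issuer is None or issuer["subject"] != tbs["issuer"] or not verify_sig(tbs, cert["sig"], issuer["pub"]):
            return False, f"{tbs['subject']}: issuer not trusted or signature invalid"
        crl = crls.get(tbs["issuer"])
        if crl is None or not verify_sig(crl["tbs"], crl["sig"], issuer["pub"]):
            return False, f"no valid CRL from {tbs['issuer']}"
        if tbs["serial"] in crl["tbs"]["revoked"]:
            return False, f"{tbs['subject']} revoked"
    return True, "valid"

def demo():
    root_key, ca_key, user_key = make_key(61, 53, 17), make_key(101, 103, 7), make_key(107, 109, 5)
    root = issue("Root CA", root_key, "Root CA", root_key, 1, "2030-01-01")  # self-signed
    issuing = issue("Issuing CA", ca_key, "Root CA", root_key, 2, "2029-01-01")
    alice = issue("alice", user_key, "Issuing CA", ca_key, 3, "2027-01-01")
    roots, today = {"Root CA": root["tbs"]}, date(2026, 1, 1)
    crls = {"Root CA": publish_crl("Root CA", root_key, []),
            "Issuing CA": publish_crl("Issuing CA", ca_key, [])}
    before = validate([alice, issuing], roots, crls, today)
    crls["Issuing CA"] = publish_crl("Issuing CA", ca_key, [3])  # issuing CA revokes alice
    return before, validate([alice, issuing], roots, crls, today)
```

Note that the root CA's CRL is consulted for the issuing CA's certificate and the issuing CA's CRL for the user certificate, which is why each CA needs its own revocation configuration.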
Managing Certificate Enrollments
• In an AD environment, you can automate the distribution of certificates using any combination of the following features:
  ▫ Certificate templates
    By controlling the security settings (ACL) associated with each template: Full Control / Read / Write / Enroll / Autoenroll
  ▫ Allows users or computers to request, or automatically obtain, the certificate
  ▫ Group Policy
    To establish autoenrollment settings for an AD domain: Windows Settings\Security Settings\Public Key Policies
Making Certificate Enrollments
• In a non-AD environment, clients can enroll manually for certificates using either of the following:
  ▫ Certificate Request Wizard
    Allows a user to create a certificate request file using the Certificates MMC snap-in, from which a certificate is generated based on the request
  ▫ Certification Authority Web Enrollment
    Allows users to manually request certificates using a Web interface
    By default at https://CA Name/certsrv on a CA that is running the service
Key Archival and Recovery
• In an AD environment, you can enable key archival on one or more CAs, which will store an escrow copy of each certificate's private key on the CA in case it needs to be restored for any reason
• A private key can be restored by one or more key recovery agents
Maintaining a Windows Server 2008 CA
• In Windows Server 2008, you can assign users to one or more of the following predefined security roles within Certificate Services:
  ▫ CA Administrator
  ▫ Certificate Managers
    Issue, approve, deny, and revoke certificates; recover archived keys
  ▫ Backup Operators
  ▫ Auditors
    Read audit logs; read record and configuration information in the CA database
Network Access Protection
• Network Access Protection includes a number of built-in enforcement methods, which define the mechanisms that NAP can use:
  ▫ DHCP enforcement
  ▫ Internet Protocol Security (IPSec) enforcement
  ▫ VPN enforcement
  ▫ 802.1X enforcement
  ▫ Terminal Services Gateway (TS Gateway) enforcement
DHCP Enforcement
• Uses DHCP configuration information to ensure that NAP clients remain in compliance
  ▫ If a NAP client is out of compliance, the client has limited network access until the compliance issue is resolved
Internet Protocol Security (IPSec) Enforcement
• Uses IPSec that has been secured by specially configured PKI certificates known as health certificates, which are issued to clients that meet defined compliance standards
• If clients cannot provide the necessary health certificate, they will not be able to participate in IPSec-secured traffic
VPN enforcement
• Restricts the level of network access that a remote access client can obtain, based on the health information
  ▫ For example, you may define a NAP policy in which corporate laptops receive full network access upon creating a VPN connection, whereas clients connecting to VPN using their home computers will receive access only to a limited subset of corporate resources
802.1X enforcement
• Uses 802.1X-aware network access points, such as network switches or wireless access points, to restrict network access of noncompliant resources
Terminal Services Gateway (TS Gateway) enforcement
• Integrates with Terminal Services functionality
• Allows authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device
  ▫ NAP can restrict connection attempts by TS Gateway clients
Components of NAP
• The overall architecture of NAP involves the following components:
  ▫ NAP client-side components
    NAP Enforcement Client (EC)
    One or more System Health Agents (SHAs): maintain information about, and report, the health of a NAP client
    Client-side API for both the Enforcement Client and System Health Agent components, so that third-party vendors can build their own ECs and SHAs
    The NAP Agent: maintains and reports the health of the NAP client, sitting between the ECs and the SHAs
Components of NAP
  ▫ NAP server-side components
    NAP Enforcement Server (ES)
    One or more System Health Validators (SHVs)
    A NAP health policy server
    NAP Administration Server
    NPS service
    Health requirement servers
    Remediation servers: resources that a restricted client is still allowed to reach, such as WSUS or anti-virus update servers
How does NAP work?
• Computer A connects to the network
  ▫ A built-in SHA creates a Statement of Health (SOH)
  ▫ The SHA passes the SOH to the NAP Agent on the client
    The NAP Agent creates a System Statement of Health (SSOH) and passes it on to the NAP EC
  ▫ The EC passes the SSOH to the ES, which passes it to the NAP Administration Server
  ▫ The NAP Administration Server takes each individual SOH and passes it to the matching SHV
  ▫ Each SHV examines its SOH and creates a Statement of Health Response (SOHR) indicating any required actions
  ▫ Each SHV passes its SOHR back to the NAP Administration Server, which passes them on to the NPS service
  ▫ The NPS service combines the SOHRs into a System Statement of Health Response (SSOHR) and passes the SSOHR back to the ES, which responds to the client
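The SOH → SSOH → SOHR → SSOHR exchange from the two component slides and the flow above, as an added Python model that is not part of the course material: two SHAs report, the NAP Agent bundles, each SHV applies its policy, NPS combines the responses into an access decision, and the EC applies it. The SHAs, their policies, the client state and the remediation server names are constructed assumptions.

```python
# Constructed sample policy: a client with two SHAs, checked by two SHVs.
REMEDIATION_SERVERS = ["wsus.example.local", "av-update.example.local"]  # hypothetical names

def firewall_sha(state):  # SHA: reports the client's firewall condition as an SOH
    return {"sha": "Firewall", "enabled": state["firewall_on"]}

def update_sha(state):  # SHA: reports how many required patches are missing
    return {"sha": "Updates", "missing_patches": state["missing_patches"]}

def nap_agent_ssoh(state, shas):  # NAP Agent bundles every SOH into one SSOH
    return {"client": state["name"], "sohs": [sha(state) for sha in shas]}

def firewall_shv(soh):  # SHV: policy requires the firewall to be on
    ok = soh["enabled"]
    return {"sha": "Firewall", "compliant": ok, "fix": [] if ok else ["enable firewall"]}

def update_shv(soh):  # SHV: policy requires no missing patches
    ok = soh["missing_patches"] == 0
    return {"sha": "Updates", "compliant": ok, "fix": [] if ok else ["install updates from WSUS"]}

SHVS = {"Firewall": firewall_shv, "Updates": update_shv}

def nps_evaluate(ssoh):
    # NAP Administration Server hands each SOH to its SHV; the NPS service then
    # combines the SOHRs into a System SOHR that carries the access decision.
    sohrs = [SHVS[soh["sha"]](soh) for soh in ssoh["sohs"]]
    compliant = all(r["compliant"] for r in sohrs)
    return {"client": ssoh["client"], "compliant": compliant,
            "access": "full" if compliant else "restricted",
            "fix": [f for r in sohrs for f in r["fix"]],
            "reachable": "all" if compliant else REMEDIATION_SERVERS}

def enforcement_client(state, shas=(firewall_sha, update_sha)):
    # EC forwards the SSOH to the ES (modelled here as a direct call) and applies
    # the returned SSOHR: full access, or only the remediation servers.
    ssohr = nps_evaluate(nap_agent_ssoh(state, shas))
    return ssohr["access"], ssohr["fix"], ssohr["reachable"]

def demo():
    laptop = {"name": "LAPTOP01", "firewall_on": False, "missing_patches": 3}
    first = enforcement_client(laptop)  # out of compliance: restricted to remediation servers
    laptop.update(firewall_on=True, missing_patches=0)  # client remediates and re-reports
    return first, enforcement_client(laptop)
```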
Assignment
• Summarize the chapter in your own words
  ▫ At least 75 words
  ▫ Due BEFORE class starts on Thursday
• Lab 10
  ▫ Due BEFORE class starts on Monday