Isolation of the Root CA

[Guest]

Trying to follow the "Step-by-Step Guide to Setting up a Certification
Authority".

One major thing I can't seem to grasp is the installation of the Root CA.
As I understand, the Root CA should NEVER be connected to a network. Is the
same true for an Enterprise Root CA?

If so, how can you connect the server to a domain, and have it register
itself as a Root CA without connecting it to a network?

If not, can the Enterprise Root CA provide the same level of security as a
Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
you ensure that top level of trust isn't compromised?

 

[Rick Kingslan [MS MVP]]

Michael,

Good question. The *NEVER* is a bit too explicit. As you rightly state,
taking the root CA offline prevents the compromise of the top hierarchy of
your PKI. However, this doesn't mean that the root CAQ is never attached to
the network. It just means that you assign subordinates to do the majority
of the work by assigned roles, and that the root CA is on the network no
longer than necessary to greatly reduce the possibility of compromise.

You will have to attach the root CA for the following functions:

* Publishing CRLs
* Creating subordinate CAs

Also, a machine that is a member of a domain may encounter problems
(specifically secure channel errors) when trying to bring it back online
after being offline for a period of time. Hence, a standalone should never
be a member of a domain.

As to the Enterprise Root CA, this type of root is designed to be an online
element. Because of the need to use the templates for CA creation and that
the certificates are published to Active Directory, an Enterprise Root CA
can't be an offline CA. This is a function that is reserved for only the
standalone Root.

Hope the helps....

--
Rick Kingslan CISSP, MCSE, MCSA, MCT
Microsoft MVP
Windows Server / Directory Services
Windows Security
Associate Expert
Expert Zone -

 

[Steven L Umbach]

A lot has to do with the complexity of your network and your security needs.
If you run a network that is going to have a three tier hierarchy of
Certificate Authorities with maybe six or eight issuing CA's for various
tasks that are going to issue thousands of certificates then it makes sense
to secure the CA's that only issue certificates to other CA's to minimize
the damage that can be done to the PKI.

However many, many smaller networks are going to use PKI to issue some
certificates for l2tp, an internal web server, email, or maybe a certificate
for IAS server to use for 802.1X wireless with PEAP. In such cases a single
CA may make sense. You have to ask yourself what would happen if my CA was
compromised and it could not longer be trusted. Would it be an
inconvenience, major hassle, or a catastrophe risking highly confidential
data causing possible loss of customers/revenue. Only you can answer that
question. If your needs are modest goals to improve security it [in my
opinion] probably does not make sense to have an offline CA and then one
issuing CA.

An Enterprise CA can not be an offline CA. You would have to start with a
standalone root CA and use it to issue a certificate for an Enterprise CA
subordinate. You would have to add alternate locations for the CRL and CA
certificate before you use it to issue any certificates. The offline CA
could always be offline and certificate requests and CRL's be copied to and
from floppy disk or it could be put online just as long as it takes to issue
the certificates for subordinate CA's. The link below explains more.

http://support.microsoft.com/?kbid=271386

If you feel a single Enterprise CA would work for you there are steps you
can take to secure it. First make sure it is physically secured where only a
very few trusted users have access to it. Other procedures such as
physically securing domain controllers, and implementing complex passwords
are a must. Weak passwords and physical access are still the biggest threats
to a network/domain/computer. Read the Windows 2003 Security guide and first
take the steps for a baseline server lockdown and then read the chapter on
securing a Certificate Authority Server. --- Steve

http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
http://tinyurl.com/dkbu -- same link as above, shorter.

 

[David Cross [MS]]

Our best practices guides may help provide some additional guidance and
recommendations:

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx



Microsoft Systems Architecture:
http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx



--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

A lot has to do with the complexity of your network and your security
needs. If you run a network that is going to have a three tier hierarchy of
Certificate Authorities with maybe six or eight issuing CA's for various
tasks that are going to issue thousands of certificates then it makes sense
to secure the CA's that only issue certificates to other CA's to minimize
the damage that can be done to the PKI.

However many, many smaller networks are going to use PKI to issue some
certificates for l2tp, an internal web server, email, or maybe a
certificate for IAS server to use for 802.1X wireless with PEAP. In such
cases a single CA may make sense. You have to ask yourself what would
happen if my CA was compromised and it could not longer be trusted. Would
it be an inconvenience, major hassle, or a catastrophe risking highly
confidential data causing possible loss of customers/revenue. Only you can
answer that question. If your needs are modest goals to improve security
it [in my opinion] probably does not make sense to have an offline CA and
then one issuing CA.

An Enterprise CA can not be an offline CA. You would have to start with a
standalone root CA and use it to issue a certificate for an Enterprise CA
subordinate. You would have to add alternate locations for the CRL and CA
certificate before you use it to issue any certificates. The offline CA
could always be offline and certificate requests and CRL's be copied to
and from floppy disk or it could be put online just as long as it takes to
issue the certificates for subordinate CA's. The link below explains more.

http://support.microsoft.com/?kbid=271386

If you feel a single Enterprise CA would work for you there are steps you
can take to secure it. First make sure it is physically secured where only
a very few trusted users have access to it. Other procedures such as
physically securing domain controllers, and implementing complex passwords
are a must. Weak passwords and physical access are still the biggest
threats to a network/domain/computer. Read the Windows 2003 Security guide
and first take the steps for a baseline server lockdown and then read the
chapter on securing a Certificate Authority Server. --- Steve

http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
http://tinyurl.com/dkbu -- same link as above, shorter.

Trying to follow the "Step-by-Step Guide to Setting up a Certification
Authority".

One major thing I can't seem to grasp is the installation of the Root CA.
As I understand, the Root CA should NEVER be connected to a network. Is
the
same true for an Enterprise Root CA?

If so, how can you connect the server to a domain, and have it register
itself as a Root CA without connecting it to a network?

If not, can the Enterprise Root CA provide the same level of security as
a
Stand Alone Root CA? If the Enterprise Root CA is on the network, how
can
you ensure that top level of trust isn't compromised?

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, Rick Kingslan [MS MVP]

Michael,

Good question. The *NEVER* is a bit too explicit.

Actually, in the case of a standalone root CA, NEVER is _exactly_ the
correct term here.

As you rightly state,
taking the root CA offline prevents the compromise of the top hierarchy of
your PKI. However, this doesn't mean that the root CAQ is never attached to
the network.

No, it means that the root CA is _never_ connected to a network.

It just means that you assign subordinates to do the majority
of the work by assigned roles, and that the root CA is on the network no
longer than necessary to greatly reduce the possibility of compromise.

You will have to attach the root CA for the following functions:

* Publishing CRLs
* Creating subordinate CAs

This is simply not true. Again, in the case of a standalone root CA,
there is _never_ a need to attach it to a network. Publishing CRLs and
creating additional subordinate CAs should all be done via sneakernet,
with the requisite files being moved from system to system via some sort
of removable media.
<snip>

<snip<

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)

 

[Guest]

If you want to put your Enterprise CA behind a firewall, is there a best
practice article on that? Or can you follow some of the moving MSRPC to
static mode references.

Thanks,
Perry

Our best practices guides may help provide some additional guidance and
recommendations:

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx



Microsoft Systems Architecture:
http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx



--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

A lot has to do with the complexity of your network and your security
needs. If you run a network that is going to have a three tier hierarchy of
Certificate Authorities with maybe six or eight issuing CA's for various
tasks that are going to issue thousands of certificates then it makes sense
to secure the CA's that only issue certificates to other CA's to minimize
the damage that can be done to the PKI.

However many, many smaller networks are going to use PKI to issue some
certificates for l2tp, an internal web server, email, or maybe a
certificate for IAS server to use for 802.1X wireless with PEAP. In such
cases a single CA may make sense. You have to ask yourself what would
happen if my CA was compromised and it could not longer be trusted. Would
it be an inconvenience, major hassle, or a catastrophe risking highly
confidential data causing possible loss of customers/revenue. Only you can
answer that question. If your needs are modest goals to improve security
it [in my opinion] probably does not make sense to have an offline CA and
then one issuing CA.

An Enterprise CA can not be an offline CA. You would have to start with a
standalone root CA and use it to issue a certificate for an Enterprise CA
subordinate. You would have to add alternate locations for the CRL and CA
certificate before you use it to issue any certificates. The offline CA
could always be offline and certificate requests and CRL's be copied to
and from floppy disk or it could be put online just as long as it takes to
issue the certificates for subordinate CA's. The link below explains more.

http://support.microsoft.com/?kbid=271386

If you feel a single Enterprise CA would work for you there are steps you
can take to secure it. First make sure it is physically secured where only
a very few trusted users have access to it. Other procedures such as
physically securing domain controllers, and implementing complex passwords
are a must. Weak passwords and physical access are still the biggest
threats to a network/domain/computer. Read the Windows 2003 Security guide
and first take the steps for a baseline server lockdown and then read the
chapter on securing a Certificate Authority Server. --- Steve

http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
http://tinyurl.com/dkbu -- same link as above, shorter.

Trying to follow the "Step-by-Step Guide to Setting up a Certification
Authority".

One major thing I can't seem to grasp is the installation of the Root CA.
As I understand, the Root CA should NEVER be connected to a network. Is
the
same true for an Enterprise Root CA?

If so, how can you connect the server to a domain, and have it register
itself as a Root CA without connecting it to a network?

If not, can the Enterprise Root CA provide the same level of security as
a
Stand Alone Root CA? If the Enterprise Root CA is on the network, how
can
you ensure that top level of trust isn't compromised?

 

[David Cross [MS]]

we have a little guidance in this paper:


Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

If you want to put your Enterprise CA behind a firewall, is there a best
practice article on that? Or can you follow some of the moving MSRPC to
static mode references.

Thanks,
Perry

Our best practices guides may help provide some additional guidance and
recommendations:

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx



Microsoft Systems Architecture:
http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx



--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no
rights.

http://support.microsoft.com

A lot has to do with the complexity of your network and your security
needs. If you run a network that is going to have a three tier hierarchy
of
Certificate Authorities with maybe six or eight issuing CA's for various
tasks that are going to issue thousands of certificates then it makes
sense
to secure the CA's that only issue certificates to other CA's to
minimize
the damage that can be done to the PKI.

However many, many smaller networks are going to use PKI to issue some
certificates for l2tp, an internal web server, email, or maybe a
certificate for IAS server to use for 802.1X wireless with PEAP. In
such
cases a single CA may make sense. You have to ask yourself what would
happen if my CA was compromised and it could not longer be trusted.
Would
it be an inconvenience, major hassle, or a catastrophe risking highly
confidential data causing possible loss of customers/revenue. Only you
can
answer that question. If your needs are modest goals to improve
security
it [in my opinion] probably does not make sense to have an offline CA
and
then one issuing CA.

An Enterprise CA can not be an offline CA. You would have to start with
a
standalone root CA and use it to issue a certificate for an Enterprise
CA
subordinate. You would have to add alternate locations for the CRL and
CA
certificate before you use it to issue any certificates. The offline CA
could always be offline and certificate requests and CRL's be copied to
and from floppy disk or it could be put online just as long as it takes
to
issue the certificates for subordinate CA's. The link below explains
more.

http://support.microsoft.com/?kbid=271386

If you feel a single Enterprise CA would work for you there are steps
you
can take to secure it. First make sure it is physically secured where
only
a very few trusted users have access to it. Other procedures such as
physically securing domain controllers, and implementing complex
passwords
are a must. Weak passwords and physical access are still the biggest
threats to a network/domain/computer. Read the Windows 2003 Security
guide
and first take the steps for a baseline server lockdown and then read
the
chapter on securing a Certificate Authority Server. --- Steve

http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
http://tinyurl.com/dkbu -- same link as above, shorter.


message
Trying to follow the "Step-by-Step Guide to Setting up a Certification
Authority".

One major thing I can't seem to grasp is the installation of the Root
CA.
As I understand, the Root CA should NEVER be connected to a network.
Is
the
same true for an Enterprise Root CA?

If so, how can you connect the server to a domain, and have it
register
itself as a Root CA without connecting it to a network?

If not, can the Enterprise Root CA provide the same level of security
as
a
Stand Alone Root CA? If the Enterprise Root CA is on the network, how
can
you ensure that top level of trust isn't compromised?