Planning a Change and Configuration
Management Framework
 Secedit is used at the command prompt to automate security configuration tasks.
 Local Security Policy is used to configure security policies on a nondomain
controller.These policies apply only to the local machine.
 Security templates are used to configure security policies according to preset
definitions and can be imported into Group Policy.
 The Security Settings extension to Group Policy is used to configure security on
an OU, a site, or a domain.
Planning a Security Update Infrastructure
 MBSA scans for security vulnerabilities in the operating system and other
Microsoft components, including IIS, Exchange Server, SQL Server, Internet
Explorer, and Windows Media Player.
 The command-line program for running MBSA is mbsacli.exe.
 MBSA gives administrators a report after a scan has been completed.This report
explains what security issues were discovered and how to correct them.
 Microsoft SUS is used to apply security updates from a centralized location
within the LAN, giving administrators more control and providing more efficient
downloading of updates.
www.syngress.com
850 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 850
Q: I have a legacy application that requires anonymous access, and some users cannot
access the application.What can I do?
A: It is possible that your application requires you to grant access to the Anonymous Users
group, which is not part of the Everyone group. If you need to grant access to the
Anonymous group, you must explicitly add the Anonymous Logon security group and
its permissions.
Q: I have multiple domains that need access to resources located in other domains. How
can this be set up?
A: If users in one domain need access to resources in another domain within the same

forest, you do not need to do anything special.This is because, by default, a two-way
transitive trust exists between the root domains of every domain tree in the forest so
users in any domain in the forest can access resources in any other domain in that forest
(if they have the proper permissions). However, to speed up the authentication process
between domains, you can create a shortcut trust. If the users in one domain need
access to resources in a domain that is in a different forest, you can either create a forest
trust between the two forests (which is transitive and will allow all domains in each
forest to access all domains in the other) or you can create an external nontransitive
trust directly between the two domains.
Q: I want to keep my domain Administrator account under wraps for security reasons.
What can I do to accomplish this?
A: You can disable the built-in Administrator account, since all hackers know the default
account name and that is half the information they need to take control of your server.
Then you can give administrative privileges to another account.When the
Administrator account is disabled, it can still be used in Safe Mode for troubleshooting
and repairing problems. Alternatively, you can rename the built-in Administrator
account so hackers won’t be able to recognize it so easily.You should not log on as
Administrator for performing everyday tasks. Instead, use the Run as command when
you need to perform administrative tasks.
www.syngress.com
Planning, Implementing, and Maintaining a Security Framework • Chapter 11 851
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in this
chapter, and to assist you with real-life implementation of these concepts. You will also
gain access to thousands of other FAQs at ITFAQnet.com.
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 851
Q: I am trying to audit folder access by a particular user, and I cannot see any information
in the event log.What could be the problem?

A: Although you can set other types of auditing and they will start immediately, when you
want to audit access to objects such as folders, object auditing must be enabled.Then
you need to set auditing properties on the object you want to audit (in this case, the
folder).To enable object auditing, edit Group Policy for the local computer or the
domain policy. In the left pane of the GPO Editor, click Computer Configuration |
Windows Settings | Security Settings | Local Policies | Audit Policies and in the right
pane, double-click Enable object auditing. Then select to audit successes, failures, or
both.
Q: I need to apply password policies to all clients. How can I do this?
A: Password policies are configured in the Security Settings | Account Policies node of
Group Policy on a local or domain GPO. Password policies cannot be set at the site or
OU level.You can configure Group Policy to enforce password history, set a maximum
and minimum password age, set a minimum password length, enforce complexity
requirements, or enable storage of passwords using reversible encryption.The latter
should be done only if necessary for compatibility purposes, since it decreases security
instead of increasing it.
Q: How can I centrally manage security and provide updates for my client machines?
A: If client computers are running Windows XP,Windows 2000 Professional or Server, or
Windows Server 2003, you can use the Microsoft Baseline Security Analyzer (MBSA)
to scan for security problems and use a Microsoft Software Update Services (SUS)
server to apply security updates. Both of these tools can be downloaded from the
Microsoft Web site. SUS consists of two parts: the SUS server component and the client
Automatic Update feature.The SUS server component synchronizes with the Windows
Update site and downloads critical updates, security updates, and security rollups to the
SUS server. Client machines need the Automatic Update feature installed so they can
connect to the SUS server and download the updates that you have approved for distri-
bution.
Q: I’ve just installed a WAP on our company network so employees can roam with their
laptops and stay connected to the network (for example, when they attend meetings in
conference rooms). Is there anything I need to be aware of in regard to security issues?

A: Wireless networking is inherently less secure than traditional wired networks because
data is transmitted via radio frequency (RF) signals, which are “out there in the air,”
vulnerable to capture by anyone who is within range and has the proper equipment.
Although you might think “within range” means within the 300 feet or so that wireless
manufacturers specify for their devices, a hacker with a high-gain Yagi antenna can
connect to your network from much farther away.This situation is exacerbated by the
www.syngress.com
852 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 852
fact that default settings for most WAPs leave the network wide open, with SSID
broadcasting enabled and WEP disabled. Even if you have turned off SSID broadcasting
and enabled WEP, that doesn’t mean you’re safe.A hacker can still use commonly avail-
able tools to capture packets sent between legitimate users and determine the SSID
from them.Then they can break WEP encryption, which has numerous vulnerabilities,
using WEPCrack or other hacker tools. It is best to treat a wireless network as an
untrusted network; however, you can make it more secure by using technologies such
as 802.1x and 802.11i, by incorporating other mechanisms such as MAC filtering along
with WEP, and by implementing secure authentication methods such as RADIUS/IAS
and using higher-level protocols such as IPSec to protect wireless traffic.
Planning and Implementing Active Directory Security
1. You have instituted new security policies for the IT department. One important rule
is to never log on as Administrator unless it is absolutely necessary.To enhance secu-
rity, you want everyone to use their regular user accounts for everyday tasks so you
can maintain security as much as possible. A junior administrator comes to you and
says he does not wish to log on to the server with an administrative account, but he
needs to use a program that requires administrative privileges.What can he do?
A. If running the program requires administrative privileges, he cannot run it unless
he logs off and logs back on as Administrator.
B. He can open the Computer Management console and use the Set password
option.

C. He can right-click the program he wants to run, select Properties, click the
Advanced button, and configure the program to run without administrative privi-
leges.
D. He can right-click the program, choose the Run as command, and enter the
Administrator account name and password.
www.syngress.com
Planning, Implementing, and Maintaining a Security Framework • Chapter 11 853
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 853
2. You have been hired as the network administrator for a small law firm.The first thing
you want to do when you take over the job is increase the security on the network.
You evaluate the current security level and find it lacking.You decide that you need
to secure account passwords using strong encryption on domain controllers.Which
utility should you use?
A. System Key Utility
B. Secedit
C. MBSA
D. SUS
3. You have recently hired a new junior administrator to assist you in running the net-
work for a medium-sized manufacturing company.You are explaining to your new
assistant that AD objects are assigned security descriptors to allow you to implement
access control.You tell your assistant that the security descriptor contains several dif-
ferent components.Which of the following are contained in the security descriptor
for an object? (Select all that apply.)
A. Discretionary access control list
B. System access control list
C. Dynamic access control list

D. Ownership information
4. You are attempting to troubleshoot some problems with access that you think can be
traced back to membership in multiple groups.You want to ensure that all administra-
tive accounts are able to perform the tasks they need to accomplish, but you want to
remove the built-in accounts from all groups to which they’ve been added by another
administrator, and give them only the access they had by default.You are a little con-
fused because you know that the built-in accounts already belong to some groups at
installation, and you don’t want to remove them from groups they are supposed to
belong to.To which groups does the Domain Administrator account belong in
Windows Server 2003 by default? (Select all that apply.)
A. Schema Admins
B. Enterprise Admins
C. Group Policy Creator Owners
D. Backup Operators
www.syngress.com
854 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 854
Planning and Implementing Wireless Security
5. You want to allow wireless clients the ability to change their passwords after they
authenticate on the network.Which method of authentication should you implement
for these clients?
A. EAP-TLS
B. EAP
C. PEAP
D. EAP-MS-CHAP v2
6. You are implementing a new wireless network and need to change the default settings
for the equipment on the WLAN.What information should you change? (Select all
that apply.)
A. SSID password
B. SSID network name

C. Domain Administrator password
D. Domain Administrator account should be renamed
7. You have a number of users who need to be able to roam through the building with
their laptop computers and still stay connected to the network. Because of the nature
of their work, it is important that they have relatively fast access for transferring a lot
of very large data files over the network.You need to implement a wireless network
that can connect devices up to 54 Mbps and a minimum of 24 Mbps.Which IEEE
standard should you choose?
A. 802.15
B. 802.11a
C. 802.11b
D. 802.1x
www.syngress.com
Planning, Implementing, and Maintaining a Security Framework • Chapter 11 855
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 855
8. You have hired a consultant to help set up wireless access points on your network. He
tells you that you should turn on WEP for the wireless network to help protect it
from intruders.You tell him that you have heard that WEP has many flaws and you
think additional security measures should be implemented. He assures you that WEP
works fine.What do you tell him are some of the problems with WEP?
A. WEP does not use encryption.
B. WEP uses a short (24 bit) initialization vector (IV).
C. WEP can use only a 40-bit key.
D. WEP uses a public key algorithm.
Monitoring and Optimizing Security
9. Your junior administrator wants to change the name of a user account, but he is wor-
ried that if he does so, the user will have problems accessing resources that she had
previously been given permissions for.The administrator doesn’t want to need to re-
create all the group memberships for the newly named account.You tell him there is
no need to worry; he can go ahead and change the name, and all the account proper-

ties will remain intact.What enables an account to retain its password, profile, group
membership, user rights, and membership information?
A. Group membership of the account
B. Domain the account belongs as a member
C. Password encryption method
D. Security identifier (SID)
10. You suspect that one of your users has been trying to access data in a folder to which
he is not supposed to have permission.You are trying to set auditing on this folder so
you can see if there are any failed events in the log indicating that the user did try to
open the folder.You enable object auditing in the domain’s Group Policy Object.
However, when you go to add this user to be audited for access to the folder, you find
that the folder’s property pages do not contain a Security tab.What could be the
problem?
A. Auditing is not set via the Security tab for folders because they don’t have such a
tab.
B. You cannot audit folder access for a particular user.
C. The folder is not on an NTFS partition.
D. You must share the folder before you can audit it.
www.syngress.com
856 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 856
Planning a Change and Configuration
Management Framework
11. You need to configure Kerberos policies because you want to force user logon restric-
tions.You go to the computer of the user on whom you want to enforce these poli-
cies and access the Local Security Policy. However, in the GPO Editor, you cannot
find Kerberos policies in the Security Settings node under Computer Configuration,
under Windows Settings.What is the problem?
A. You are looking in the wrong section; Kerberos policies are located in the User
Configuration node.

B. You cannot set Kerberos policies through the Local Security Policy console.
C. You must first raise the domain functional level before Kerberos can be used and
this option will appear in the GPO.
D. Another administrator has deleted the Kerberos policies node from the GPO.
12. You have been analyzing all of your security configuration information as part of a
new project that requires you to provide a detailed report on your network’s security
to management.Toward that end, you need to evaluate the security database test.sdb at
the command prompt.What command can you use to do this?
A. secedit /validate test.sdb
B. secedit /analyze test.sdb
C. secedit /configure test.sdb
D. secedit /export test.sdb
13. You want to set up auditing on several folders that contain important and sensitive
information.There are other folders within the specified folders that contain less sen-
sitive information, so you don’t want to audit them, because you want to put as little
overhead burden on the network as you can.What happens to subfolders and files
within a parent folder if auditing has been enabled?
A. Subfolders only are audited
B. Files only are audited; special access must be turned on for the folders to be
audited
C. Subfolders and files are audited
D. No auditing is performed
www.syngress.com
Planning, Implementing, and Maintaining a Security Framework • Chapter 11 857
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 857
14. A parent folder has auditing enabled.Two folders,Applications and Phone Listings, are
listed under this parent folder.You need to have the Phone Listings folder audited but
not the Applications folder. How can this be accomplished?
A. It cannot; all subfolders are audited when the parent folder has auditing enabled.
B. Right-click the Applications folder, and click the Properties tab, select the

Security tab, and click Advanced.Then select the Auditing tab and clear the
check box that is labeled Inherit from parent the auditing entries that
apply to child objects. Include these with entries explicitly defined here.
C. Right-click the Phone Listings folder, click the Properties tab, select the
Security tab, and click Advanced. Then select the Auditing tab and clear the
check box that is labeled Inherit from parent the auditing entries that
apply to child objects. Audit entries defined here.
D. Right-click the Phone Listings folder, click the Security tab, and click
Advanced.Then select the Auditing tab and clear the check box that is labeled
Inherit from parent the auditing entries that apply to child objects.
Include these with entries explicitly defined here option.
Planning a Security Update Infrastructure
15. You need to install the Microsoft Software Update Services (SUS) within your
domain to update security information on client computers.What are the minimum
requirements that you should use for hardware for the server?
A. Pentium III, 256MB RAM, NTFS with a minimum of 50MB for the installation
folder and 6GB for SUS updates and Active Directory installed
B. Pentium III, 512MB RAM, NTFS with a minimum of 100MB for the installation
folder and 6GB for SUS updates without Active Directory installed
C. Pentium III, 256MB RAM, NTFS with a minimum of 25MB for the installation
folder and 6GB for SUS updates without Active Directory installed
D. Pentium III, 512MB RAM, NTFS with a minimum of 50MB for the installation
folder and 5GB for SUS updates and Active Directory installed
www.syngress.com
858 Chapter 11 • Planning, Implementing, and Maintaining a Security Framework
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 858
www.syngress.com
Planning, Implementing, and Maintaining a Security Framework • Chapter 11 859
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this

chapter as well as the other chapters in this book, see the Self Test Appendix.
1. D
2. A
3. A, B, D
4. A, B, C
5. D
6. A, B
7. B
8. B
9. D
10. C
11. B
12. B
13. C
14. B
15. B
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 859
255_70_293_ch11.qxd 9/10/03 6:24 PM Page 860
861
Planning, Implementing,
and Maintaining a Public
Key Infrastructure
Exam Objectives in this Chapter:
6 Planning, Implementing, and Maintaining Security
Infrastructure.
6.2 Plan a public key infrastructure (PKI) that uses Certificate
Services.
6.2.1 Identify the appropriate type of certificate authority to
support certificate issuance requirements.
6.1 Configure Active Directory directory service for certificate

publication.
6.2.2 Plan the enrollment and distribution of certificates.
6.2.3 Plan for the use of smart cards for authentication.
Chapter 12
MCSE 70-293
 Summary of Exam Objectives
 Exam Objectives Fast Track
 Exam Objectives Frequently Asked Questions
 Self Test
 Self Test Quick Answer Key
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 861
EXAM
70-293
OBJECTIVE
6
6.2
Introduction
Public Key Infrastructure (PKI) is the method of choice for handling authentication issues
in large enterprise-level organizations today.Windows Server 2003 includes the tools you
need to create a PKI for your company and issue digital certificates to users, computers, and
applications.This chapter addresses the complex issues involved in planning a certificate-
based PKI.We’ll provide an overview of the basic terminology and concepts relating to the
public key infrastructure, and you’ll learn about public key cryptography and how it is used
to authenticate the identity of users, computers, and applications and services.We’ll discuss
the role of digital certificates and the different types of certificates; user, machine, and appli-
cation certificates.
You’ll learn about certification authorities (CAs), the servers that issue certificates,
including both public CAs and private CAs such as the ones you can implement on your
own network using Windows Server 2003’s certificate services. Next, we’ll discuss the CA
hierarchy and how root CAs and subordinate CAs act together to provide for your organi-

zation’s certificate needs.You’ll find out how the Microsoft certificate services work, and
we’ll walk you through the steps involved in implementing one or more certification
authorities based on the needs of the organization.You’ll learn to determine the appropriate
CA type – enterprise or stand-alone CA – for a given situation and how to plan the CA
hierarchy and provide for security of your CAs.We’ll show you how to plan for enrollment
and distribution of certificates, including the use of certificate requests, role-based adminis-
tration, and auto-enrollment deployment.
Next, we’ll discuss how to implement the use of smart cards for authentication within
the PKI.You’ll learn what smart cards are and how smart card authentication works, and
we’ll show you how to deploy smart card logon on your network.We’ll discuss smart card
readers and show you how to set up a smart card enrollment station. Finally, we’ll discuss
the procedures for using smart cards to log on to Windows, for remote access and VPNs,
and to log on to a terminal server.
Planning a Windows Server 2003
Certificate-Based PKI
Computer networks have evolved in recent years to enable an unprecedented sharing of
information between individuals, corporations, and even national governments.The need to
protect this information has also evolved, and network security has consequently become an
essential concern of most system administrators. Even in smaller organizations, the basic
goal of preventing unauthorized access while still enabling legitimate information to flow
smoothly requires the use of more and more advanced technology.
In the mid-1990s, Microsoft began developing what was to become a comprehensive
security system of authentication protocols and technology based on already developed
cryptography standards known as Public Key Infrastructure (PKI).With the release of
Windows 2000 Server, Microsoft used various existing standards to create the first
www.syngress.com
862 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 862
www.syngress.com
Windows-proprietary PKI – one that could be implemented completely without using

third-party companies.Windows Server 2003 expands and improves on that original design
in several significant ways, which we’ll discuss later in this chapter.
Understanding Public Key Infrastructure
To understand how a PKI works, you first need to understand what it is supposed to do.
The goals of your infrastructure should include the following:
■ Proper authentication
■ Trust
■ Confidentiality
■ Integrity
■ Non-repudiation
By using the core PKI elements of public key cryptography, digital signatures, and cer-
tificates, all of these equally important goals can be met successfully.The good news is that
the majority of the work involved in implementing these elements under Windows Server
2003 is taken care of automatically by the operating system and is done behind the scenes.
The first goal, proper authentication, means that you can be highly certain that an entity
such as a user or a computer is indeed the entity that he, she, or it is claiming to be.Think
of a bank. If you wanted to cash a large check, the teller will more than likely ask for some
identification. If you present the teller with a driver’s license and the picture on it matches
your face, the teller can be highly certain that you are that person – that is, if the teller
trusts the validity of the license itself. Because the driver’s license is issued by a government
agency – a trusted third party – the teller is more likely to accept it as valid proof of your
identity than if you presented an employee ID card issued by a small company that the
teller has never heard of.As you can see, trust and authentication work hand in hand.
When transferring data across a network, confidentiality ensures that the data cannot be
viewed and understood by any third party.The data might be anything from an e-mail mes-
sage to a database of social security numbers. In the past twenty years, more effort has been
spent trying to achieve the goal of data confidentiality than perhaps all the others com-
bined. In fact, the entire scientific field of cryptology is devoted to ensuring confidentiality
(as well as all the other PKI goals). Cryptology has even claimed a place in Hollywood –
the movie Sneakers is just one example.

NOTE
Cryptography refers to the process of encrypting data; cryptanalysis is the process
of decrypting, or “cracking,” cryptographic code. Together, the two make up the
science of cryptology.
Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 863
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 863
As important as confidentiality is, however, the importance of network data integrity
should not be underestimated. Consider the extreme implications of a patient’s medical
records being intercepted during transmission and then maliciously or accidentally altered
before being sent on to their destination. Integrity gives confidence to a recipient that data
has arrived in its original form and hasn’t been changed or edited.
Finally, we come to non-repudiation. A bit more obscure than the other goals, non-repu-
diation enables you to prove that a particular entity sent a particular piece of data. It is
impossible for the entity to deny having sent it. It becomes extremely difficult for an
attacker to masquerade as a legitimate user and then send malevolent data across the net-
work. Non-repudiation is related to, but separate from, authentication.
Public Key Cryptography
The history of general cryptography almost certainly dates back to almost 2000 B.C. when
Roman and Greek statesmen used simple alphabet-shifting algorithms to keep government
communication private. Although complexity increased, not much changed until the 1970s,
when the National Security Agency (NSA) worked with Dr. Horst Feistel to establish the
Data Encryption Standard (DES) and Whitfield Diffie and Martin Hellman introduced the
first Public Key Cryptography Standard (PKCS).Windows Server 2003 still uses Diffie-
Hellman (DH) algorithms for Secure Sockets Layer (SSL),Transport Layer Security (TLS),
and IP Security (IPSec).
DH algorithms are known collectively as shared secret key cryptographies, also known as
symmetric key encryption. Say you have two users, Greg and Matt, who want to communi-
cate privately.With DH, Greg and Matt each generate a random number. Each of these
numbers is known only to the person who generated it. Part one of the DH function
changes each secret number into a non-secret, or public, number. Greg and Matt now

exchange the public numbers and then enter them into part two of the DH function.This
results in a private key – one that is identical to both users. Using advanced mathematics,
this shared secret key can be decrypted only by someone with access to one of the original
random numbers. As long as Greg and Matt keep the original numbers hidden, the shared
secret key cannot be reversed.
Another major force in modern cryptography came about in the late 1970s. RSA Labs,
founded by Ronald Rivest,Adi Shamir, and Leonard Adleman, furthered the concept of key
cryptography by developing a technology of key pairs, where plaintext that is encrypted by
one key can only be decrypted by the other matching key.Windows Server 2003 uses RSA
technology in its various forms extensively for such things as Kerberos authentication and
S/MIME.The theory goes something like this:Two users, Dave and Dixine, wish to com-
municate privately. Dave and Dixine each own a key pair consisting of a public key and a
private key. If Dave wants Dixine to send him an encrypted message, he first transmits his
public key to Dixine. She then uses Dave’s public key to encrypt the message.
Fundamentally, since Dave’s public key was used to encrypt, only Dave’s private key can be
used to decrypt.When he receives the message, only he is able to read it. Security is main-
www.syngress.com
864 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 864
tained because only public keys are transmitted – the private keys are kept secret and are
known only to their owners. Figure 12.1 illustrates the process.
E
XAM WARNING
In a Windows Server 2003 PKI, a user’s public and private keys are stored under
the user’s profile. For the administrator, the public keys would be under
Documents and Settings\Administrator\System Certificates\My\Certificates and the
private keys would be under Documents and Settings\Administrator\Crypto\RSA
(where they are double encrypted by Microsoft’s Data Protection API, or DPAPI).
Although a copy of the public keys is kept in the registry, and can even be kept in
Active Directory, the private keys are vulnerable to deletion. If you delete a user

profile, the private keys will be lost!
RSA can also be used to create “digital signatures” (see Figure 12.2 below). In the
communication described above, a public key was used to encrypt a message and the corre-
sponding private key was used to decrypt. If you invert the process, a private key can be
used to encrypt and the matching public key to decrypt.This is useful, for example, if you
want people to know that a document you wrote is really yours. If you encrypt the docu-
www.syngress.com
Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 865
Figure 12.1 Public/Private Key Data Exchange
Dave
Dixine
Step 1:
Step 3:
Step 4:
Step 2:
Data Exchange Using Public/Private Key Pairs
Dave sends his
public key to Dixine
Goal: Dixine wants to send a secret message to Dave
Dixine
Dixine encrypts the
message with Dave's public
key
Dave
Dixine
Dixine sends the encrypted
message to Dave
Dave
Dave decrypts the
message with his

private key
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 865
ment using your private key, then only your public key can decrypt it. If people use your
public key to read the document and they are successful, they can be certain that it was
“signed” by your private key and is therefore authentic.
www.syngress.com
866 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure
Figure 12.2 Digital Signatures
Step 3:
Step 1:
Digital Signatures Using Public/Private Key Pairs
Goal: Dixine wants to send a signed message to Dave
Dixine
Dixine signs (encrypts)
the message with her
private key
Dave
Dave uses Dixine's
public key to decrypt
the signature
Dixine
Dave
Step 2:
Dixine sends the signed
message and her public
key to Dave
Modern Cryptography 101
Thanks to two mathematical concepts, prime number theory and modulo algebra,
most of today’s cryptography encryption standards are considered intractable –
that is, they are unbreakable with current technology in a reasonable amount of

time. For example, it might take 300 linked computers more than 1000 years to
decrypt a message. Of course, quantum computing is expected to someday change
all that, making calculations exponentially faster and rendering all current crypto-
graphic algorithms useless – but don’t worry about that for now.
First, an explanation of the modulo operator. Think about elementary school
where you first learned to do division. You learned that 19/5 equals 3 with a
remainder of 4. You also probably concentrated on the 3 as the important number.
Now, however, you get to look at the remainder. When you take the modulus of
two numbers, the result is the remainder; therefore, 19 mod 5 equals 4. Similarly,
24 mod 5 also equals 4 (can you see why?). Finally, you can conclude that 19 and
24 are congruent in modulo 4. So how does this relate to cryptography and prime
numbers?
Head of the Class
Continued
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 866
The Function of the PKI
The primary function of the PKI is to address the need for privacy throughout a network.
For the administrator, there are many areas that need to be secured. Internal and external
authentication, encryption of stored and transmitted files, and e-mail privacy are just a few
examples.The infrastructure that Windows Server 2003 provides links many different public
key technologies to give the IT administrator the power necessary to maintain a secure net-
work.
Most of the functionality of a Windows Server 2003-based PKI comes from a few cru-
cial components, which are described below.Although there are several third-party vendors,
such as VeriSign (www.verisign.com) that offer similar technologies and components, using
Windows Server 2003 can be a less-costly and easier-to-implement option – especially for
small- and medium-sized companies.
Components of the PKI
Properly planning for and deploying a PKI requires familiarity with a number of compo-
nents, including but not limited to the following:

■ Digital Certificates
■ Certification Authorities
■ Certificate Enrollment
■ Certificate Revocation
■ Encryption/Cryptography Services
In the following sections, we will discuss each of these in more detail.
www.syngress.com
Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 867
The idea is to take a message and represent it by using a sequence of num-
bers. Call the sequence x
i
. What you need to do is find three numbers that make
the following modulo equation possible: (x
e
)
d
mod y = x
The first two numbers, e and d, are a pair and are completely interchangeable.
The third number, y, is a product of two very large prime numbers (the larger the
primes, the more secure the encryption). Prime number theory is too complex for an
in-depth discussion here, but in a nutshell, remember that a prime number is only
divisible by the number 1 and itself. This gives each prime number “uniqueness.”
After you have found these numbers (although we won’t go into how
because this is the really deep mathematical part), the encryption key becomes the
pair “e, y” and the decryption key becomes the pair “d, y.” Now it doesn’t matter
which key you decide to make public and which key you make private, because
they’re interchangeable. It’s a good thing that Windows Server 2003 does all the
difficult work for us!
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 867
Understanding Digital Certificates

In our previous discussion of public and private key pairs, two users wanted to exchange
confidential information and did so by having one user encrypt the data with the other
user’s public key.We then discussed digital signatures, where the sending user “signs” the
www.syngress.com
868 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure
PKI Enhancements in Windows Server 2003
Windows Server 2003 introduces many new enhancements that allow for a more
easily implemented PKI solution. The following list items include the major high-
lights:
■ Auto-enrollment for Users Windows 2000 first introduced the con-
cept of auto-enrollment for a PKI, but it was limited in scope to
machine certificates. Windows Server 2003 now enables the automatic
requesting and issuing of user certificates as well.
■ Key Archival and Recovery Exchange Server 2000 was the first
Microsoft product to employ the capability to recover lost keys, but
Windows Server 2003 now enables the retrieval of encryption private
keys. This eliminates the need to completely reconstruct a user’s key
pairs.
■ Delta Certificate Revocation Lists (Delta CRLs) Delta lists enable new
additions to a CRL to be published without the need to publish the
entire CRL again. Much like an incremental backup in theory, this
advancement helps optimize network speed and simplifies the distribu-
tion of CRLs.
■ Triple DES and Advanced Encryption Standard (AES) Support With
Windows Server 2003, Microsoft has adopted more components of the
standard PKI endorsed by many organizations. The acceptance of 3-
DES, or triple DES, in particular has been greatly anticipated by many
cryptography experts. AES is still a relatively new standard, but possibly
represents the future of encryption.
■ Qualified Subordination When linking an outside organization’s certi-

fication authority (CA) structure with your own, trust issues are
paramount. New advancements enable the limiting of trust chains and
enable the restriction of certificate types acceptable when issued by an
external authority.
■ Version 2 Certificate Templates Windows Server 2003 Enterprise
Edition and Windows Server 2003 Datacenter Edition provide many
enhancements to the certificate templates found in Windows Server
2003 Standard Edition. Delta CRLs, user certificate auto-enrollment,
and key archival/recovery are just some of the important enhancements
that version 2 templates have.
New & Noteworthy
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 868
data by using his or her private key. Did you notice the security vulnerability in these
methods?
In this type of scenario, there is nothing to prevent an attacker from intercepting the
data mid-stream and replacing the original signature with his or her own using of course
his or her own private key.The attacker would then forward the replacement public key to
the unsuspecting party. In other words, even though the data is signed, how can you be sure
of who signed it? The answer in the Windows PKI is the certificate.
Think of a certificate as a small and portable combination safe.The primary purpose of
the safe is to hold a public key (although quite a bit of other information is also held
there). Someone you trust must hold the combination to the safe – that trust is the basis for
the entire PKI system. If I am a user and want to send you my public key so that you can
encrypt some data to send back to me, I can just sign the data myself, but I am then vul-
nerable to the attack mentioned above. However, if I allow a trusted third-party entity to
take my public key (which I don’t mind because they’re trustworthy), lock it away in the
safe, and then send the safe to you, you can ask the trusted party for the combination.
When you open the safe, you can be certain that the public key and all other information
inside really belongs to me, because the safe came from a trustworthy source.The “safe” is
really nothing more than a digital signature, except that the signature comes from a univer-

sally trusted third party and not from me.The main purpose of certificates, then, is to facili-
tate the secure transfer of keys across an insecure network. Figure 12.3 shows the properties
of a Windows certificate. Notice that the highlighted public key is only part of the certificate.
www.syngress.com
Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 869
Figure 12.3 A Windows Server 2003 Certificate
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 869
TEST DAY TIP
Certificates are at the very core of the Windows PKI. Make certain that you under-
stand what certificates are, and why they are needed when using public keys. Also,
be familiar with the types of certificates listed in this section and the differences
between them.
User Certificates
Of the three general types of certificates found in a Windows PKI, the user certificate is per-
haps the most common. User certificates are certificates that enable the user to do some-
thing that would not otherwise be allowed.The Enrollment Agent certificate is one
example.Without it, even an administrator is not able to enroll smart cards and configure
them properly at an enrollment station. Under Windows Server 2003, required user certifi-
cates can be requested automatically by the client and subsequently issued by a certification
authority (discussed below) with no user intervention necessary.
Machine Certificates
Also known as computer certificates, machine certificates (as the name implies) give the
system – instead of the user – the capability to do something out of the ordinary.The main
purpose for machine certificates is authentication, both client-side and server-side. As stated
earlier, certificates are the main vehicle by which public keys are exchanged in a PKI.
Machine certificates are mainly involved with these behind-the-scenes exchanges and are
normally overseen by the operating system. Machine certificates have been able to take
advantage of Windows’ auto-enrollment feature since Windows 2000 Server was intro-
duced.We will discuss auto-enrollment later in this chapter.
Application Certificates

The term application certificate refers to any certificate that is used with a specific PKI-
enabled application. Examples include IPSec and S/MIME encryption for e-mail.
Applications that need certificates are generally configured to automatically request them
and are then placed in a waiting status until the required certificate arrives. Depending
upon the application, the network administrator or even the user might have the capability
to change or even delete certificate requests issued by the application.
Understanding Certification Authorities
Certificates are a way to transfer keys securely across an insecure network. If any arbitrary
user were allowed to issue certificates, it would be no different from that user simply
signing the data. For a certificate to be of any use, it must be issued by a trusted entity – an
entity that both the sender and receiver trust. Such a trusted entity is known as a certification
authority (CA).Third-party CAs such as VeriSign or Entrust can be trusted because they are
www.syngress.com
870 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure
EXAM
70-293
OBJECTIVE
6.2.1
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 870
highly visible and their public keys are well known to the IT community.When you are
confident that you hold a true public key for a CA, and that public key properly decrypts a
certificate, you are then certain that the certificate was digitally signed by the CA and no
one else. Only then can you be positive that the public key contained inside the certificate
is valid and safe.
In a third-party, or external PKI, it is up to the third-party CA to positively verify the
identity of anyone requesting a certificate from it. Beginning with Windows 2000,
Microsoft has allowed the creation of a trusted internal CA – possibly eliminating the need
for an external third party.With a Windows Server 2003 CA, the CA verifies the identity of
the user requesting a certificate by checking that user’s authentication credentials (using
Kerberos or NTLM). If the credentials of the requesting user check out, a certificate is

issued to the user.When the user needs to transmit his or her public key to another user or
application, the certificate is used to prove to the receiver that the public key inside can be
used safely.
In the analogy we used earlier, the state driver’s licensing agency is trusted because it is
known that the agency requires proof of identity before issuing a driver’s license. In the
same way, users can trust the certification authority because they know it verifies the
authentication credentials before issuing a certificate.
CA Hierarchy
For a very small organization, it might be possible under Windows Server 2003 for you to
use only one CA for all PKI functions. However, for larger groups, Microsoft outlines a
three-tier hierarchical structure starting at the top with a root CA, moving downward to a
mid-level CA, and finally an issuing-level CA. Both the mid-level CA and issuing-level CA
are known as subordinate CAs.
EXAM WARNING
Although there are certain advantages to using both external and internal CAs
when planning an organization’s PKI, you should know that it is possible for a
Windows Server 2003 root CA to trust an external root CA, but it is nearly impos-
sible to get the external root CA to trust yours.
The reason is that external CAs are established and highly visible, and
therefore easily verifiable to the outside world. Your internal CA is most defi-
nitely not. To prove your identity to the external authority, you must jump
through a most rigorous set of hoops, and you must also justify the business
need for such a relationship. If you go to Microsoft’s home Web site at
www.microsoft.com and search for the words CA cross trust, you will find a
white paper entitled Public Key Interoperability. This is a good place to start
learning more about this complex topic.
www.syngress.com
Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 871
EXAM
70-293

OBJECTIVE
6.2.1
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 871
Root CAs
When you first set up an internal PKI, no CA exists.The first CA created is known as the
root CA, and it can be used to issue certificates to users or to other CAs.As mentioned
earlier, in a large organization there usually is a hierarchy where the root CA is not the only
certification authority. In this case, the sole purpose of the root CA is to issue certificates to
other CAs to establish their authority.
The question then becomes: who issues the root CA a certificate? The answer is that a
root CA issues its own certificate (this is called a self-signed certificate). Security is not com-
promised for two reasons. First, you will only implement one root CA in your organization
and second, configuring a root CA requires administrative rights on the server.The root
CA should be kept highly secured because it has so much authority.
Subordinate CAs
Any certification authority that is established after the root CA is a subordinate CA.
Subordinate CAs gain their authority by requesting a certificate from either the root CA or
a higher-level subordinate CA. After the subordinate CA receives the certificate, it can con-
trol CA policies and/or issue certificates itself, depending on your PKI structure and poli-
cies.
T
EST DAY TIP
Remember that if a root or subordinate CA becomes compromised (e.g., the
server’s hard drive is damaged), all CAs subordinate to it will lose their trust rela-
tionship and therefore their authority. Always keep current backups of your CAs.
Worse still is the scenario in which a CA’s private key is obtained by an
attacker. If the CA in question is your root CA, your entire PKI will be compro-
mised.
How Microsoft Certificate Services Works
The Windows Server 2003 PKI does many things behind the scenes.Thanks in part to auto

enrollment (discussed later in this chapter) and certificate stores (places where certificates
are kept after their creation), some PKI-enabled features such as EFS work with no user
intervention at all. Others, such as IPSec, require significantly less work than would be
required without an advanced operating system.
Even though a majority of the PKI is handled by Windows Server 2003, it is still
instructive to have an overview of how certificate services work.
1. First, a system or user generates a public/private key pair and then a certificate
request.
www.syngress.com
872 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 872
2. The certificate request, which contains the public key and other identifying infor-
mation such as user name, is forwarded to a CA.
3. The CA verifies the validity of the public key. If it is verified, the CA issues the
certificate.
4. After it is issued, the certificate is ready for use and is kept in the certificate store,
which can reside in Active Directory. Applications that require a certificate use
this central repository when necessary.
In practice, it isn’t terribly difficult to implement certificate services, as the following
exercise shows. Configuring the CA requires a bit more effort, as does planning the struc-
ture and hierarchy of the PKI – especially if you are designing an enterprise-wide solution.
We’ll cover these topics later in this chapter.
EXERCISE 12.01
INSTALLING CERTIFICATE SERVICES
1. After logging on with administrative privileges, click Start | Control
Panel, and then click Add/Remove Programs.
2. Click Add/Remove Windows Components, and then check Certificate
Services. This selects both sub-components of certificate services,
which are Certificate Services CA and Certificate Services Web
Enrollment Support. If Web enrollment support is not checked, you will

not be able to complete Exercise 12.03.
3. A warning dialog box appear telling you that after certificate services
have been installed you will not be able to change the machine’s
domain membership or change its computer name. Click Yes to con-
tinue.
4. You now must choose the type of CA to establish, as seen in Figure
12.4. You have two decisions to make – that of root vs. subordinate
and enterprise vs. standalone (discussed later in this chapter). For this
exercise, click Enterprise root CA and click Next. If you checked the
Use custom settings to generate the key pair and CA certificate,
you would be prompted to choose a custom cryptographic service
provider (CSP), a hash algorithm, and a key length. You could also elect
to use an existing key or to use an imported one.
www.syngress.com
Planning, Implementing, and Maintaining a Public Key Infrastructure • Chapter 12 873
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 873
5. The next dialog box presented is the CA Identifying Information box.
See Figure 12.5. Enter a common name for the CA. For this exercise,
type My Root CA. The distinguished name suffix is provided by the
operating system and is used along with the common name you just
typed in to form the distinguished name. Note that you can also
change the default five-year validity period of the CA. You can set the
validity period as a number of days, weeks, months, or years. Click
Next to continue.
6. After the key pair is generated, the Certificate Database Settings dialog
box appears. As in Figure 12.6, you will notice that both the certificate
database and certificate database log textboxes are already filled with
default values. You may elect to Store configuration information in a
www.syngress.com
874 Chapter 12 • Planning, Implementing, and Maintaining a Public Key Infrastructure

Figure 12.4 Choosing the CA Type
Figure 12.5 Naming the CA
255_70_293_ch12.qxd 9/10/03 7:20 PM Page 874