1 Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2


Agenda

- Background
- PKI Enhancements
  - Server consolidation
  - Improved existing scenarios
  - HTTP based enrollment
- Strong Authentication Enhancements

Windows PKI Today

- A strategic investment: Windows 2000, Windows XP, Windows Vista, and continued investment
- Existing abilities:
  - Server roles: CA, OCSP, SCEP
  - Client components: API, UI, client services
  - Active Directory integration
  - Protocols and application adoption
- For more info:
  http://technet.microsoft.com/en-us/library/cc753254.aspx
  http://technet.microsoft.com/en-us/library/cc770357.aspx

PKI Trends

- Governments: the biggest cert issuers!!!
- SMBs need a PKI solution
- Enterprises need PKI for heterogeneous environments
- Applications use certificates as authorization tokens (short validity period)
- Industry extends usage of X.509 certificates
  - Extended Validation (EV) certificates
  - Logo types
- Advanced crypto is picking up

Public Key Infrastructure: Windows 7 Investments

- HTTP Based Enrollment
- Server Consolidation
- Improved Existing Scenarios
- Strong Authentication

Server Consolidation: Non-persistent requests

- New PKI scenarios use short-lived certificates:
  - Network Access Protection (NAP)
  - OCSP signing certificates
- Existing workarounds for database growth: dedicated servers, or high management cost for cleanup
- Windows Server 2008 R2: the administrator can configure whether the CA writes a request to the database

Server Consolidation: Non-persistent requests (template options)

- No-Persist
- No-Revocation
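The CA-side switch behind the No-Persist template option, as an added PowerShell example that is not part of the deck. It assumes a Windows Server 2008 R2 CA, an elevated prompt on the CA itself, and that the DBFlags value name DBFLAGS_ENABLEVOLATILEREQUESTS is the one documented for NAP deployments (verify it against your certutil build); the template-side "do not store" option is set in the template's properties and is not scripted here.

```powershell
# Added example (not from the slide deck): turn on the CA-wide setting that lets
# templates marked as non-persistent actually skip the database write, restart
# the service so the change is read, and read the flag back.
# Assumption: DBFLAGS_ENABLEVOLATILEREQUESTS is the documented DBFlags value name.
$ErrorActionPreference = 'Stop'

# Record the current value before changing anything
Write-Host 'DBFlags before:'
certutil -getreg DBFlags

# Allow volatile (non-persisted) requests. Without this the CA still writes every
# request to its database regardless of the template option.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

# DBFlags is read when the service starts
Restart-Service -Name CertSvc

# Verify the flag is now present in the decoded value
Write-Host 'DBFlags after:'
$after = certutil -getreg DBFlags
if ($after -match 'DBFLAGS_ENABLEVOLATILEREQUESTS') {
    Write-Host 'Volatile requests enabled'
} else {
    throw 'DBFLAGS_ENABLEVOLATILEREQUESTS not set; check the certutil output above'
}
```

A request that is never written to the database leaves no row to revoke and no record of what was issued, which is why the deck pairs No-Persist with short-lived certificates and the No-Revocation option; keep CA auditing of issued requests enabled so issuance is still visible in the event log.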

Server Consolidation: Server Core support

- CA is supported on Server Core
  - Local command line utilities
  - Remote UX management
  - Key management by HSM vendor
- No other AD CS service is supported on Server Core

Server Consolidation: Cross Forest Enrollment

How does it work today? Single forest

1. CA starts and reads certificate templates from AD
2. Client reads certificate templates from AD
3. Client sends enrollment request to CA
4. CA constructs Subject information based on client object in AD
5. CA issues certificate and returns it to client

[Diagram: CA, Active Directory (AD) and Client Workstations, with steps 1-5 above drawn as arrows between them]

How does it work today? Multiple forests

Multiple forests imply:
- Multiple servers
- Multiple CA keys
- Multiple HSMs
- Multiple certificate databases
- Etc.

How will it work? Cross forest enrollment

[Diagram: an Account Forest (Active Directory, Client Workstations) and a Resource Forest (CA, Active Directory (AD), Client Workstations); steps 1-5 of the single-forest flow now cross the forest boundary]

Server Consolidation: Cross forest enrollment

Windows will support certificate enrollment and issuance across AD forest boundaries.

- Requires an AD forest two-way trust between account and resource forest
- Requires a Windows Server 2008 R2 CA
- Requires Windows XP and above

Server Consolidation: Cross forest enrollment: management

- CA reads templates from the resource forest
- Client reads templates from the account forest
- This requires manual steps to make sure templates are in sync:
  - Initial consolidation
  - Ongoing synchronization
- Best practice whitepaper for PKI consolidation
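A read-only drift check for the ongoing synchronization step, as an added PowerShell example that is not from the deck or the whitepaper. It assumes the ActiveDirectory module, read access to the Configuration partition of both forests, and placeholder DC names; it compares the template containers of the account forest (what clients read) and the resource forest (what the CA reads) by name, template OID and revision.

```powershell
# Added example (not from the slide deck): report templates that exist in only
# one forest, or that share a name but differ in OID or revision. Such drift
# means clients request against a template definition the CA does not have.
# Assumptions: ActiveDirectory module available; DC names are placeholders.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$accountDC  = 'dc01.account.example'    # placeholder: a DC in the account forest
$resourceDC = 'dc01.resource.example'   # placeholder: a DC in the resource forest

function Get-TemplateMap {
    param([string]$Server)
    # Certificate templates live in the Configuration naming context of each forest
    $cfg  = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $map  = @{}
    Get-ADObject -Server $Server -SearchBase $base -SearchScope OneLevel `
        -Filter { objectClass -eq 'pKICertificateTemplate' } `
        -Properties 'revision', 'msPKI-Template-Minor-Revision', 'msPKI-Cert-Template-OID' |
      ForEach-Object {
        $map[$_.Name] = New-Object PSObject -Property @{
            Oid   = $_.'msPKI-Cert-Template-OID'
            Major = [int]$_.'revision'
            Minor = [int]$_.'msPKI-Template-Minor-Revision'
        }
      }
    return $map
}

function Compare-TemplateForests {
    param([hashtable]$Account, [hashtable]$Resource)
    $findings = @()
    foreach ($name in $Account.Keys) {
        $a = $Account[$name]
        if (-not $Resource.ContainsKey($name)) {
            $findings += "$name : in account forest only (CA cannot issue it)"
            continue
        }
        $r = $Resource[$name]
        if ($a.Oid -ne $r.Oid) {
            # Same name, different object: a copy rather than the same template
            $findings += "$name : template OID differs ($($a.Oid) vs $($r.Oid))"
        } elseif ($a.Major -ne $r.Major -or $a.Minor -ne $r.Minor) {
            $findings += "$name : revision $($a.Major).$($a.Minor) in account forest, $($r.Major).$($r.Minor) in resource forest"
        }
    }
    foreach ($name in $Resource.Keys) {
        if (-not $Account.ContainsKey($name)) {
            $findings += "$name : in resource forest only (clients cannot see it)"
        }
    }
    return $findings
}

$drift = Compare-TemplateForests (Get-TemplateMap $accountDC) (Get-TemplateMap $resourceDC)
if ($drift.Count -eq 0) { 'Templates are in sync' } else { $drift }
```

Run it after the initial consolidation and again on a schedule; any line it prints is a template that should be re-copied before clients are pointed at the consolidated CA, since the CA evaluates requests against its own forest's copy, not the one the client saw.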

Server Consolidation

1. Simplify management for NAP deployment
2. Support CA installations on Server Core
3. Support cross forest enrollment


Improved Existing Scenarios: Standard SKU supports V2 templates

- W2K introduced V1 certificate templates
- W2K3 introduced V2 certificate templates
  - Not supported on W2K3 Standard Edition
- W2K8 introduced V3 certificate templates
  - Not supported on W2K8 Standard Edition
- A CA installed on Windows Server 2008 R2 Standard Edition supports all certificate template versions
  - Supports auto-enrollment
  - Supports key archival
  - Etc.

Improved Existing Scenarios: Best practice analyzer

- Most PKI support calls are caused by configuration issues
- Windows Server 2008 R2 introduces the Best Practice Analyzer (BPA) tool
- The CA defines rules that the BPA tool can check after each CA configuration change

[Screenshot: BPA Scan]

Improved Existing Scenarios: Certificate selection

[Screenshot: certificate selection dialog, Windows Vista vs. Windows 7]

- Removed duplicate and archived certificates
- Icons to differentiate software vs. smart card certificates

Improved Existing Scenarios: Enterprise SSL EV certificate

- Mark an enterprise root CA as an extended validation (EV) root and add the EV policy OID
- Configurable through group policy

Improved Existing Scenarios

1. V2 certificate templates
2. Best Practice Analyzer
3. Certificate selection
4. Enterprise SSL EV certificate


HTTP Based Enrollment: Design goal

Enable new scenarios to leverage the Windows PKI client:
1. Server certificates issued by a public CA
2. Issuance across company boundaries (partnership scenario)
3. Issuance to non-domain-joined machines
4. B2C issuance (my bank issues me certificates)
5. And more…

HTTP Based Enrollment: Design overview

- Specified two new HTTP based protocols for certificate enrollment
- Implemented client services on top of the new protocols
- Implemented the server side for these new protocols
- Work (in progress) with related ISVs to provide interoperable solutions

HTTP Based Enrollment

[Diagram: Client Workstations talk HTTP only to a Certificate Enrollment Policy web service and a Certificate Enrollment web service, which front the CA and Active Directory (AD); the exchange is drawn as steps 1-7]

HTTP Based Enrollment: Auto-enrollment enhancements

Ensure the system has a valid certificate for each one of the enrollment policies that are configured for the end entity.

- Implements the client role for both protocols
- Maintains a list of policy server URIs
- Maintains a cache of the enrollment policies returned from all policy servers
- Runs on non-domain-joined machines

HTTP Based Enrollment: Authentication

The Windows client will use the same authentication mechanism for policy and enrollment servers:
- Kerberos
- Username/password
- Certificate based

- Supports credential storage (optional)
- Implements renewal through proof of possession
- Requires SSL

HTTP Based Enrollment: Enrollment policies UX

[Screenshot slide]

HTTP Based Enrollment: Enrollment wizard

- Added an additional step to the Enrollment Wizard: Enrollment Policy Entry

HTTP Based Enrollment: Group policy UX

- Allows admins to publish policy servers to client machines
- Ensures the policy server URI is valid
- The same UX is used on client machines to configure local policy and user-configured entries

HTTP Based Enrollment: Cross forest support

[Diagram: Client Workstations in the Account Forest reach the Certificate Enrollment Policy web service and the Certificate Enrollment web service, which front the CA and Active Directory (AD) in the Resource Forest; steps 1-7 as in the HTTP Based Enrollment diagram]

HTTP Based Enrollment: Web server scenario: enrollment and renewal

1. Admin logs on to a web server
2. Admin opens IE, browses to the public CA web site and creates an account
3. Admin clicks OK to the elevation dialog, which:
   - Sets the policy server URL in the local policy store
   - Sets credentials for the policy server (admin or control)
   - Enrolls for this policy server
4. Dynamic enrollment policy: after enrollment is done, the certificate is installed

HTTP Based Enrollment: Web server scenario: recover from revocation

Starting state:
- System configured with a policy server entry
- Cached U/P credentials
- Enabled for auto-enrollment

The CA revokes the system's certificate and publishes a new CRL. Within eight hours after the old CRL expires:
- AE downloads the new CRL
- AE marks the existing cert as revoked
- AE retrieves policies from the policy server and enrolls for a new certificate
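Checking the recovery path from the server side, as an added PowerShell example that is not from the deck: it lists which machine certificates fail an online revocation check, triggers an auto-enrollment pass instead of waiting for the eight-hour cycle, and reads back what auto-enrollment logged. It assumes a Windows 7 or Windows Server 2008 R2 machine already configured with the policy server entry and cached credentials as the slide describes, and that the auto-enrollment event provider name used below is the one present on the local machine.

```powershell
# Added example (not from the slide deck): verify that a revoked machine
# certificate is detected and replaced by auto-enrollment (AE).
# Assumptions: run elevated on the web server; the event provider name
# 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' matches the
# local Application log.
$ErrorActionPreference = 'Stop'

function Get-MachineCertStatus {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Fetch revocation data over the network; a stale cached CRL would hide the revocation
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $valid  = $chain.Build($cert)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            if (-not $status) { $status = 'NoError' }
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Valid      = $valid
                Status     = $status      # e.g. Revoked, RevocationStatusUnknown, OfflineRevocation
            }
        }
    } finally { $store.Close() }
}

# 1. Before: which certificates are revoked or otherwise failing?
Write-Host 'Machine store before auto-enrollment:'
Get-MachineCertStatus | Format-Table Subject, Valid, Status -AutoSize

# 2. Kick auto-enrollment now rather than waiting for its next scheduled pass
certutil -pulse

# 3. Auto-enrollment's own account of what it did (most recent events first)
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 | Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 4. After: a valid replacement should now be present alongside (or instead of) the revoked one
Write-Host 'Valid machine certificates after auto-enrollment:'
Get-MachineCertStatus | Where-Object { $_.Valid } | Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

If step 1 shows RevocationStatusUnknown or OfflineRevocation rather than Revoked, the server could not reach the CRL distribution point, and auto-enrollment will not treat the certificate as revoked either; fix CRL reachability before expecting the replacement to happen.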

HTTP Based Enrollment: Web server scenario: dynamic policy updates

Starting state:
- System configured with a policy server
- One enrollment policy for SSL: 1 year validity, 1024-bit key size
- Policy needs to be updated every week

The CA increases the key size to 2048 and updates the revision number on the enrollment policy object. Within a week:
- AE downloads the new policies
- AE marks the existing cert as archived
- AE enrolls for a new certificate


Strong Authentication: Biometric

- New platform for biometric devices
  - Focused on fingerprint based authentication in consumer scenarios
  - New driver model and basis for a future certification program
- Integrated user experience
  - Windows logon, local and domain
  - Device and feature discovery
- Enterprise management
  - Disable the Windows Biometric Framework via Group Policy
  - Allow use for applications but not for domain logon

Strong Authentication: Smart card

- Smart card Plug-and-Play
  - Windows Update and WSUS/SUS based driver installation
  - Pre-logon driver installation
  - Non-admin based driver installation
- Smart card class mini-driver
  - NIST SP800-73-1 (PIV) support
  - INCITS GICS (Butterfly) support
- Windows 7 smart card framework improvements
  - Improved support for biometric based smart card unlock
  - New APIs enabling secure key injection

Strong Authentication: ECC based smart card logon

Windows 7 supports:
- Smart card enrollment for ECC certificates
- Logon with an ECC based certificate

Strong Authentication: Strong authentication based access control

'Smart card required' for remote access checks:

1. Admin: associate a group SID with an issuance policy OID
2. Admin: configure the logon certificate template with the issuance policy OID above
3. Admin: restrict access to a remote object using the group SID from the first step
4. User: logs on with a certificate based on the certificate template above
5. Kerberos adds the group SID to the user's token
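Step 1 of the procedure above, linking an issuance policy OID to a group, as an added PowerShell example that is not from the deck. It assumes the ActiveDirectory module, that the issuance policy already exists under the forest's OID container with the display name below, that the group is a universal security group, and that the attribute carrying the link is msDS-OIDToGroupLink; the policy and group names are placeholders. Steps 2 and 3 (adding the OID to the template's issuance policies and putting the group in the resource's ACL) are done in the template and resource UIs and are not scripted here.

```powershell
# Added example (not from the slide deck): link an issuance policy OID to a
# universal group so that Kerberos adds the group's SID to the token of a user
# who logs on with a certificate carrying that policy.
# Assumptions: ActiveDirectory module loaded; names below are placeholders;
# the link attribute is msDS-OIDToGroupLink on the issuance policy object.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$policyDisplayName = 'Smart Card High Assurance'   # placeholder issuance policy name
$groupName         = 'SmartCard-Remote-Access'     # placeholder universal group

# Issuance policies are objects in the forest-wide OID container
$cfg          = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$cfg"

$policy = Get-ADObject -SearchBase $oidContainer -SearchScope OneLevel `
    -Filter { displayName -eq $policyDisplayName } `
    -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
if (-not $policy) { throw "Issuance policy '$policyDisplayName' not found under $oidContainer" }

$group = Get-ADGroup -Identity $groupName
# Only a universal group can be linked; fail early rather than write a link that is ignored
if ($group.GroupScope -ne 'Universal') { throw "$groupName must be a universal security group" }

# Write the link (Replace overwrites any existing value)
Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Read back: this OID in a logon certificate now yields this SID in the token
$linked = Get-ADObject -Identity $policy.DistinguishedName -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
'{0} -> {1} ({2})' -f $linked.'msPKI-Cert-Template-OID', $group.Name, $group.SID

# On a client, after a smart card logon with a certificate from the template that
# carries this policy, the group should be listed by:  whoami /groups
```

Because the SID is granted to whoever presents a certificate containing the OID, every template that carries this issuance policy is effectively a membership path into the group; review template enrollment permissions and the CA's issuance controls with the same care as the group's own membership.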

Strong Authentication

1. Biometric
2. Smart card


Q & A

Meet me in the Ask-the-Experts pavilion!
WEDNESDAY - DAY 3, 12:15 - 12:45

Related Content

- IDA02-ILL: Setting Up and Configuring Active Directory Certificate Services (AD CS): November 5, 09:00 - 10:15; November 6, 16:20 - 17:35
- IDA04-IS: All You Ever Wanted to Ask about Designing and Operating an Enterprise PKI: November 6, 14:40 - 15:55

With an amazing line up of international speakers, there are even more chances to win an evaluation prize! So make sure you submit feedback for all the sessions you attend!

Don't forget to complete your session feedback forms via the CommNet terminals or the Registered Delegate pages for your chance to win a HTC Touch Dual!

http://www.microsoft.com/emea/teched2008/itpro/feedback.aspx

Now extended from 2 to 24 hours after the session for more chance to WIN.

Resources for IT Professionals

- www.microsoft.com/teched: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs
- http://microsoft.com/technet: evaluation licenses, pre-released products, and MORE!

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.