Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2
Agenda
- Background
- PKI Enhancements
  - Server consolidation
  - Improved existing scenarios
  - HTTP based enrollment
- Strong Authentication Enhancements
Windows PKI Today
- A strategic investment: Windows 2000, Windows XP, Windows Vista, and continuing investment
- Existing abilities:
  - Server roles: CA, OCSP, SCEP
  - Client components: API, UI, client services
  - Active Directory integration
  - Protocols and application adoption
- For more info:
  - http://technet.microsoft.com/en-us/library/cc753254.aspx
  - http://technet.microsoft.com/en-us/library/cc770357.aspx
PKI Trends
- Governments: the biggest certificate issuers!
- SMBs need a PKI solution
- Enterprises need PKI for heterogeneous environments
- Applications use certificates as authorization tokens (short validity period)
- Industry extends the usage of X.509 certificates:
  - Extended Validation (EV) certificates
  - Logo types
- Advanced crypto is picking up
Public Key Infrastructure: Windows 7 Investments (HTTP Based Enrollment, Server Consolidation, Improved Existing Scenarios, Strong Authentication)
Server Consolidation: Non-persistent requests
- New PKI scenarios use short-lived certificates:
  - Network Access Protection (NAP)
  - OCSP signing certificates
- Existing workarounds for database growth: dedicated servers, or high management cost for cleanup
- Windows Server 2008 R2: the administrator can configure whether the CA writes these requests to the database
Server Consolidation: Non-persistent requests
[Screenshot: the No-Persist and No-Revocation options]
Server Consolidation: Server Core support
- CA is supported on Server Core
  - Local command line utilities
  - Remote UX management
  - Key management by HSM vendor
- No other AD CS service is supported on Server Core
Server Consolidation: Cross forest enrollment
How does it work today? Single forest
1. CA starts and reads certificate templates from AD
2. Client reads certificate templates from AD
3. Client sends enrollment request to CA
4. CA constructs Subject information based on the client object in AD
5. CA issues the certificate and returns it to the client
[Diagram: single-forest enrollment flow between the CA, Active Directory (AD) and client workstations, steps 1-5 as above]
How does it work today? Multiple forests
- Multiple forests imply multiple servers, multiple CA keys, multiple HSMs, multiple certificate databases, etc.
How will it work? Cross forest enrollment
[Diagram: cross-forest enrollment flow between an account forest (Active Directory, client workstations) and a resource forest (CA, Active Directory (AD), client workstations), steps 1-5]
Server Consolidation: Cross forest enrollment
- Windows will support certificate enrollment and issuance across AD forest boundaries
- Requires an AD forest two-way trust between the account and resource forests
- Requires a Windows Server 2008 R2 CA
- Requires Windows XP and above
Server Consolidation: Cross forest enrollment management
- CA reads templates from the resource forest
- Client reads templates from the account forest
- This requires manual steps to make sure the templates are in sync:
  - Initial consolidation
  - Ongoing synchronization
- Best Practice Whitepaper for PKI Consolidation
Server Consolidation
1. Simplify management for NAP deployment
2. Support CA installations on Server Core
3. Support Cross Forest Enrollment
Improved Existing Scenarios: Standard SKU supports V2 templates
- Windows 2000 introduced V1 certificate templates
- Windows Server 2003 introduced V2 certificate templates (not supported on Windows Server 2003 Standard Edition)
- Windows Server 2008 introduced V3 certificate templates (not supported on Windows Server 2008 Standard Edition)
- A CA installed on Windows Server 2008 R2 Standard Edition supports all certificate template versions:
  - Supports auto enrollment
  - Supports key archival
  - Etc.
Improved Existing Scenarios: Best Practice Analyzer
- Most PKI support calls are caused by configuration issues
- Windows Server 2008 R2 introduces the Best Practice Analyzer (BPA) tool
- The CA defines rules that the BPA tool can check after each CA configuration change
[Screenshot: BPA scan]
Improved Existing Scenarios: Certificate selection
[Screenshot: certificate selection dialog, Windows Vista vs. Windows 7]
- Removed duplicate and archived certificates
- Icons to differentiate software vs. smart card certificates
Improved Existing Scenarios: Enterprise SSL EV certificate
- Mark an enterprise root CA as an extended validation (EV) root and add the EV policy OID
- Configurable through group policy
Improved Existing Scenarios
1. V2 Certificate Templates
2. Best Practice Analyzer
3. Certificate Selection
4. Enterprise SSL EV Certificate
HTTP Based Enrollment: Design goal
Enable new scenarios to leverage the Windows PKI client:
1. Server certificates issued by a public CA
2. Issuance across company boundaries (partnership scenario)
3. Issuance to non-domain-joined machines
4. B2C issuance (my bank issues me certificates)
5. And more…
HTTP Based Enrollment: Design overview
- Specified two new HTTP based protocols for certificate enrollment
- Implemented client services on top of the new protocols
- Implemented the server side for these new protocols
- Work (in progress) with related ISVs to provide interoperable solutions
HTTP Based Enrollment
[Diagram: enrollment flow between client workstations, the Certificate Enrollment Policy Web Service, the Certificate Enrollment Web Service, Active Directory (AD) and the CA; the client reaches both web services over HTTP only, numbered steps 1-7]
HTTP Based Enrollment: Auto-enrollment enhancements
- Ensures the system has a valid certificate for each of the enrollment policies configured for the end entity
- Implements the client role for both protocols
- Maintains a list of policy server URIs
- Maintains a cache of the enrollment policies returned from all policy servers
- Runs on non-domain-joined machines
HTTP Based Enrollment: Authentication
- The Windows client uses the same authentication mechanism for policy and enrollment servers:
  - Kerberos
  - Username/password
  - Certificate based
- Supports credential storage (optional)
- Implements renewal through proof of possession
- Requires SSL
HTTP Based Enrollment: Enrollment policies UX
[Screenshot: enrollment policies UX]
HTTP Based Enrollment: Enrollment wizard
- Added an additional step to the Enrollment Wizard
[Screenshot: Enrollment Policy Entry step]
HTTP Based Enrollment: Group policy UX
- Allows admins to publish policy servers to client machines
- Ensures the policy server URI is valid
- The same UX is used on client machines to configure local policy and user-configured entries
HTTP Based Enrollment: Cross forest support
[Diagram: HTTP based enrollment across an account forest and a resource forest, each with its own Active Directory (AD); client workstations, the Certificate Enrollment Policy Web Service, the Certificate Enrollment Web Service and the CA, numbered steps 1-7]
HTTP Based Enrollment: Web server scenario, enrollment and renewal
- Admin logs on to a web server
- Admin opens IE, browses to the public CA web site and creates an account
- Admin clicks OK on the elevation dialog, which:
  - Sets the policy server URL in the local policy store
  - Sets credentials for the policy server (admin or control)
  - Enrolls for this policy server
- Dynamic enrollment policy
- After enrollment is done, the certificate is installed
HTTP Based Enrollment: Web server scenario, recover from revocation
- System configured with a policy server entry, cached username/password credentials, and enabled for auto-enrollment
- CA revokes the system's certificate and publishes a new CRL
- Within eight hours after the old CRL expires:
  - AE downloads the new CRL
  - AE marks the existing certificate as revoked
  - AE retrieves policies from the policy server and enrolls for a new certificate
HTTP Based Enrollment: Web server scenario, dynamic policy updates
- System configured with a policy server; one enrollment policy for SSL: 1 year validity, 1024-bit key size; the policy needs to be updated every week
- CA increases the key size to 2048 and updates the revision number on the enrollment policy object
- Within a week:
  - AE downloads the new policies
  - AE marks the existing certificate as archived
  - AE enrolls for a new certificate
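Added example (not code from this presentation): a Python model of the auto-enrollment (AE) decision behind both web server scenarios above and the "valid certificate for each configured policy" rule. One pass over the cached policies decides whether to enroll, re-enroll after a CRL lists the current certificate as revoked, or archive and re-enroll when the policy object's revision number has moved. Policy ids, serials and revision numbers are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class EnrollmentPolicy:
    policy_id: str      # id of the enrollment policy object on the policy server
    revision: int       # revision number the CA bumps when the policy changes
    key_size: int

@dataclass
class IssuedCert:
    serial: str
    policy_id: str      # policy the certificate was enrolled under
    policy_revision: int
    key_size: int
    status: str = "valid"   # valid | revoked | archived

def autoenroll_pass(certs: List[IssuedCert], policies: List[EnrollmentPolicy],
                    crl_serials: set) -> List[Tuple[str, str]]:
    """One AE pass: every configured policy must end up backed by a valid
    certificate. Returns the actions AE takes, in order."""
    actions = []
    valid = {c.policy_id: c for c in certs if c.status == "valid"}
    for pol in policies:
        cert = valid.get(pol.policy_id)
        if cert is None:                            # nothing valid for this policy
            actions.append(("enroll", pol.policy_id))
        elif cert.serial in crl_serials:            # newly downloaded CRL lists it
            cert.status = "revoked"
            actions += [("mark_revoked", cert.serial), ("enroll", pol.policy_id)]
        elif pol.revision > cert.policy_revision:   # policy object was updated
            cert.status = "archived"
            actions += [("mark_archived", cert.serial), ("enroll", pol.policy_id)]
        else:
            actions.append(("keep", cert.serial))
    return actions

def scenario_recover_from_revocation():
    """Constructed data: the CA revoked serial 1001 and published a new CRL."""
    ssl = EnrollmentPolicy("ssl-1year", revision=1, key_size=1024)
    cert = IssuedCert("1001", "ssl-1year", policy_revision=1, key_size=1024)
    return autoenroll_pass([cert], [ssl], crl_serials={"1001"})

def scenario_dynamic_policy_update():
    """Constructed data: the CA raised the key size to 2048 and bumped the revision."""
    ssl_v2 = EnrollmentPolicy("ssl-1year", revision=2, key_size=2048)
    cert = IssuedCert("1002", "ssl-1year", policy_revision=1, key_size=1024)
    return autoenroll_pass([cert], [ssl_v2], crl_serials=set())
```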
Strong Authentication: Biometric
- New platform for biometric devices
  - Focused on fingerprint based authentication in consumer scenarios
  - New driver model and basis for a future certification program
- Integrated user experience
  - Windows logon, local and domain
  - Device and feature discovery
- Enterprise management
  - Disable the Windows Biometric Framework via Group Policy
  - Allow use for applications but not for domain logon
Strong Authentication: Smart card
- Smart card Plug-and-Play
  - Windows Update and WSUS/SUS based driver installation
  - Pre-logon driver installation
  - Non-admin based driver installation
- Smart card class mini-driver
  - NIST SP800-73-1 (PIV) support
  - INCITS GICS (Butterfly) support
- Windows 7 smart card framework improvements
  - Improved support for biometric based smart card unlock
  - New APIs enabling Secure Key Injection
Strong Authentication: ECC based smart card logon
Windows 7 supports:
- Smart card enrollment for ECC certificates
- Logon with an ECC based certificate
Strong Authentication: Strong authentication based access control
'Smart card required' for remote access checks:
1. Admin: associate a group SID with an issuance policy OID
2. Admin: configure the logon certificate template with the issuance policy OID above
3. Admin: restrict access to a remote object using the group SID from the first step
4. User: log on with a certificate based on the certificate template above
5. Kerberos will add the group SID to the user token
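Added example (not Microsoft's code): a Python model of steps 1 to 5 above. It DER-encodes a constructed certificatePolicies extension carrying an issuance policy OID, parses the OIDs back out, and maps the matching one to the group SID the admin associated with it, so the access check sees that group in the logon token. The OID, SIDs and lookup table are constructed placeholders, and the DER helpers handle short-form lengths only.

```python
def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (first arc 0, 1 or 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = more bytes follow
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return b"\x06" + bytes([len(body)]) + bytes(body)

def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)                    # short-form length only (< 128 bytes)
    assert len(body) < 128
    return b"\x30" + bytes([len(body)]) + body

def certificate_policies(*oids: str) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }"""
    return der_seq(*(der_seq(encode_oid(o)) for o in oids))

def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_policy_oids(ext: bytes) -> list:
    """Return every policyIdentifier in a certificatePolicies extension."""
    assert ext[0] == 0x30
    i, end, oids = 2, 2 + ext[1], []
    while i < end:                            # each PolicyInformation SEQUENCE
        assert ext[i] == 0x30 and ext[i + 2] == 0x06
        oids.append(decode_oid(ext[i + 4:i + 4 + ext[i + 3]]))
        i += 2 + ext[i + 1]
    return oids

# Constructed admin configuration (step 1): issuance policy OID -> group SID.
ISSUANCE_POLICY_TO_SID = {"1.3.6.1.4.1.311.21.8.1.2.3": "S-1-5-21-1000-2000-3000-1105"}

def token_groups(cert_policies_ext: bytes, base_sids: set) -> set:
    """Step 5: the user's own groups plus every SID mapped from a policy OID in the cert."""
    mapped = {ISSUANCE_POLICY_TO_SID[o] for o in parse_policy_oids(cert_policies_ext)
              if o in ISSUANCE_POLICY_TO_SID}
    return set(base_sids) | mapped

def access_allowed(token_sids: set, required_sid: str) -> bool:
    return required_sid in token_sids         # step 3: the object's ACL requires the group
```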
Strong Authentication
1. Biometric
2. Smartcard
Q & A: Meet me in the Ask-the-Experts pavilion! Wednesday, Day 3, 12:15 - 12:45
Related Content
- IDA02-ILL: Setting Up and Configuring Active Directory Certificate Services (AD CS), November 5 09:00 - 10:15 and November 6 16:20 - 17:35
- IDA04-IS: All You Ever Wanted to Ask about Designing and Operating an Enterprise PKI, November 6 14:40 - 15:55
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.