70-412: Configuring Advanced Windows Server 2012 services Chapter 6 Configuring Access and Information Protection Solutions


Page 1

70-412: Configuring Advanced Windows Server 2012 services

Chapter 6: Configuring Access and Information Protection Solutions

Page 2

Objective 6.1: Implementing Active Directory Federation Services

Page 3

© 2013 John Wiley & Sons, Inc. 3

Active Directory Federation Services

• The Active Directory Federation Services (AD FS) role allows administrators to configure Single Sign-On (SSO) for web-based applications across a single organization or multiple organizations without requiring users to remember multiple usernames and passwords.

• This enables you to configure Internet-facing business-to-business (B2B) applications between organizations.

Page 4

Active Directory Federation Services

• AD FS-enabled applications are claims based, which allows a much more scalable authentication model for Internet-facing applications.

• AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing applications with a single login, even when the user accounts and the applications are on different networks and belong to different organizations, by way of a federated trust relationship.

Page 5

Active Directory Federation Services

• An AD FS configuration consists of two types of organizations:

  o Resource organizations: Own the resources or data that are accessible from the AD FS-enabled application, similar to a trusting domain in a traditional Windows trust relationship.

  o Account organizations: Contain the user accounts that access the resources controlled by resource organizations.

• AD FS can be used within a single organization—the single organization is the resource organization and the account organization.

Page 6

Federated Trust Relationship

• To establish an identity federation partnership, both partners agree to create a federated trust relationship.

• Each partner defines what resources are accessible to the other organization and how access to those resources is enabled.

• User identities and their associated credentials are stored, owned, and managed by the organization where the user is located.

Page 7

Objective 6.2: Installing and Configuring Active Directory Certificate Services

Page 8

Active Directory Certificate Services (AD CS)

• Active Directory Certificate Services (AD CS) is a server role that allows you to issue and manage digital certificates as part of a public key infrastructure.

• A public key infrastructure (PKI)

  o Is a system consisting of hardware, software, policies, and procedures that create, manage, distribute, use, store, and revoke digital certificates.

  o Consists of certification authorities (CAs) and registration authorities that verify and authenticate the validity of each entity involved in an electronic transaction through the use of public key cryptography.

• Within the PKI, the certificate authority (CA) binds a public key to the respective user identity and issues digital certificates containing the public key.

Page 9

Digital Certificate

• A digital certificate

  o Is an electronic document that contains an identity, such as a user or organization name, along with a corresponding public key.

  o Can also be used for authentication, because digital certificates are used to prove a person's or computer's identity.

  o Is similar to a driver's license or passport, which contains a photograph and thumbprint that leave no doubt about the holder's identity.

Page 10

Benefits of the PKI

• Confidentiality: The PKI allows you to encrypt data that is stored or transmitted.

• Integrity: A digital signature identifies whether the data was modified while it was transmitted.

• Authenticity: A message digest is digitally signed using the sender's private key. Because the digest can be decrypted only with the sender's corresponding public key, it proves that the message can have come only from the sending user (non-repudiation).

Page 11

Certificate Authority

• The CA is a Windows Server 2012 server role that

  o Verifies the identity of the certificate requestors.

  o Issues certificates to requesting users, computers, and services.

  o Manages certificate revocation.

Page 12

Stand-Alone CA

• The stand-alone CA works without Active Directory and does not need Active Directory.

• However, the server can be a member of a domain.

• Users can request certificates using a manual procedure or web enrollment, where they supply identifying information and specify the certificate they need.

• By default, all certificate requests submitted to stand-alone CAs are held in a pending queue until a CA administrator approves them.

• However, you can configure stand-alone CAs to issue certificates automatically upon request, but this is less secure and is usually not recommended.

Page 13

Enterprise CA

• An enterprise CA requires Active Directory and is typically used to issue certificates to users, computers, devices, and servers for an organization.

• Users can request certificates using manual enrollment, web enrollment, auto-enrollment, or an enrollment agent.

• Because information for a user or computer can be retrieved from Active Directory, templates can be used to generate certificates with the appropriate attributes for the specified certificate type.

Page 14

Root CA

• The root CA is at the top of the certificate hierarchy.

• Because everything branches from the root, it is trusted by all clients within an organization.

• Smaller organizations may only have one CA; larger organizations could have a root CA with multiple subordinate CAs.

• Although the enterprise CA can issue certificates to end users, it is usually used to issue certificates to subordinate CAs.

Page 15

Subordinate CAs

• There is only one root CA, but there can be one or more subordinate CAs.

• The number of subordinate CAs needed is determined by geographical location and number of clients.

• If a CA is compromised, all certificates issued by the CA and any subordinate CAs under the compromised CA (including any corresponding issued certificates) are also considered compromised.

Page 16

Authority Information Access (AIA) Extension

• The AIA extension specifies the locations from which users can obtain the certificate for this CA.

• Certificate chaining is a process that builds one or more certificate paths, which trace to the self-signed or root certificate and help determine whether a digital certificate can be trusted or not.

Page 17

Certificate Revocation List (CRL)

• The Certificate Revocation List (CRL)

  o Is a digitally signed list issued by a CA containing a list of certificates issued by the CA that have been revoked.

  o Includes all individual revoked certificates, including the serial number of the certificate, the date that the certificate was revoked, and the revocation reason.

• An application uses the CRL distribution point (CDP) to locate the CRL and check it for a revoked certificate.

• The CDP is a certificate extension that indicates where the certificate revocation list for a CA can be retrieved.

Page 18

Online Responder

• An Online Responder is a trusted server that runs the Online Responder service and Online Responder Web proxy to receive and respond to individual client requests for information about the status of a certificate.

• It implements the Online Certificate Status Protocol (OCSP), which allows a recipient of a certificate to submit a certificate status request to a responder by using the Hypertext Transfer Protocol (HTTP).
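An added PowerShell example (not from the course slides) that ties the AIA, CDP, CRL and OCSP slides together: it prints the AIA and CDP pointers embedded in a certificate, then builds and revocation-checks its chain up to the root, which is the certificate chaining process described on the AIA slide. The file path C:\Check\web01.cer is a constructed assumption.

```powershell
# Added example, not from the course slides. Assumption (constructed): the certificate to
# check has been exported in DER form to C:\Check\web01.cer.
$certPath = 'C:\Check\web01.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Show the pointers the CA embedded: AIA (where the issuer's certificate can be obtained)
# and CDP (where the issuer's CRL can be retrieved). Nothing is downloaded at this point.
foreach ($ext in $cert.Extensions) {
    switch ($ext.Oid.Value) {
        '1.3.6.1.5.5.7.1.1' { "AIA:`n" + $ext.Format($true) }   # Authority Information Access
        '2.5.29.31'         { "CDP:`n" + $ext.Format($true) }   # CRL Distribution Points
    }
}

# Build the chain the way the slide describes: from this certificate up to a self-signed root,
# checking revocation for every certificate on the path (EntireChain) with live CRL/OCSP
# lookups (Online) rather than only the locally cached CRLs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$trusted = $chain.Build($cert)

# List the path that was built: leaf first, root last.
$i = 0
foreach ($element in $chain.ChainElements) {
    '{0}: {1}' -f $i, $element.Certificate.Subject
    $i++
}

# A non-empty status list explains why the chain is not trusted: a revoked subordinate CA
# (which, as the Subordinate CAs slide says, invalidates everything beneath it), an unreachable
# CDP (RevocationStatusUnknown / OfflineRevocation), or an untrusted root all surface here.
if ($trusted) {
    'Chain is valid and no certificate on the path is revoked.'
} else {
    foreach ($status in $chain.ChainStatus) {
        '{0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
}

# certutil performs the same path build but forces a fresh download from every AIA and CDP
# URL (and an OCSP query when the certificate points to an Online Responder), which is the
# quickest way to confirm from this host that the CA's publication locations actually work.
certutil -verify -urlfetch $certPath
```

Run the same check against a certificate issued by a test subordinate CA before and after revoking that CA's certificate to see the EntireChain flag take effect.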

Page 19

Objective 6.3: Managing Certificate Templates

Page 20

Importing and Exporting Digital Certificates

• Personal Information Exchange (PKCS #12)

  o Supports secure storage of certificates, private keys, and all certificates in a certification path.

  o The only file format that can be used to export a certificate and its private key.

  o Usually has a .pfx or .p12 filename extension.

• Cryptographic Message Syntax Standard (PKCS #7)

  o Supports storage of certificates and all certificates in a certification path.

  o Usually has a .p7b or .p7c filename extension.

• Distinguished Encoding Rules (DER)-encoded binary X.509

  o Supports storage of a single certificate.

  o Does not support storage of the private key or certification path.

  o Usually has a .cer, .crt, or .der filename extension.

• Base64-encoded X.509

  o Supports storage of a single certificate.

  o Does not support storage of the private key or certification path.
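As an added example (not from the course slides), the following PowerShell exports one certificate from the local machine's Personal store in each of the four formats just listed, so the difference in what each file carries is visible on disk. The subject name web01.contoso.local and the folder C:\Export are constructed assumptions.

```powershell
# Added example, not from the course slides. Assumptions (constructed): a certificate with
# subject CN=web01.contoso.local and an exportable private key is in Cert:\LocalMachine\My,
# and the folder C:\Export already exists.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=web01.contoso.local*' } |
    Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in the local machine Personal store.' }

# PKCS #12 (.pfx): the only format that carries the private key, so the file is password
# protected; BuildChain also stores the certification path, as the slide describes.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath 'C:\Export\web01.pfx' -Password $pfxPassword -ChainOption BuildChain

# PKCS #7 (.p7b): the certificate plus its certification path, no private key.
Export-Certificate -Cert $cert -FilePath 'C:\Export\web01.p7b' -Type P7B

# DER-encoded binary X.509 (.cer): a single certificate, no private key, no path.
Export-Certificate -Cert $cert -FilePath 'C:\Export\web01.cer' -Type CERT

# Base64-encoded X.509: the same single certificate, re-encoded as text between
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines.
certutil -encode 'C:\Export\web01.cer' 'C:\Export\web01.b64.cer'

# Only the .pfx contains secret material; the .p7b and .cer files can be handed out freely.
Get-ChildItem -Path C:\Export | Select-Object Name, Length
```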

Page 21

Certificate Templates

• Certificate templates are used to

  o Simplify the task of administering a CA by allowing an administrator to identify, modify, and issue certificates preconfigured for selected tasks.

  o Establish a set of rules and format for certificate enrollment that are applied to incoming certificate requests.

• The Certificate Templates snap-in enables you to view and modify the properties for each certificate template and copy and modify certificate templates.

Page 22

Certificate Templates

• When accessing the Certificate Templates console, there are several preconfigured certificate templates that act as a starting point:

  o Basic EFS (Template Version 1): Used by Encrypting File System (EFS) to encrypt data.

  o Computer (Template Version 1): Allows a computer to authenticate itself to the network.

  o EFS Recovery Agent (Template Version 1): Allows the subject to decrypt files that were previously encrypted with EFS.

  o IPSEC (Template Version 1): Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied to the request.

  o Smartcard Logon (Template Version 1): Allows the holder to authenticate using a smart card.

  o User (Template Version 1): Used by users for email, EFS, and client authentication.

  o Web Server (Template Version 1): Proves the identity of a web server.

Page 23

Manual Enrollment

• When you use manual enrollment, a private key is created and a certificate request is generated on a device, such as a web service or a computer.

• The request is sent to the CA to generate the certificate.

• The certificate is sent back to the device for installation.

• You typically use manual enrollment when the device does not support auto-enrollment, you do not want to wait for auto-enrollment to be applied, or the certificate is not available through auto-enrollment.

Page 24

CA Web Enrollment

• CA Web enrollment uses a website on a CA to obtain certificates. The website runs on Internet Information Server (IIS) on which the AD CS web enrollment role has been installed and configured.

• The URL to make a request is https://<servername>/certsrv. As with manual enrollment, CA Web enrollment is used on devices that do not support auto-enrollment or when you do not want to wait for auto-enrollment to be applied.

Page 25

Enrollment Agents

• When you use enrollment on behalf (enrollment agent), the CA administrator creates an enrollment agent account for the user.

• The user with enrollment agent rights can then enroll for certificates on behalf of other users such as when the administrator needs to preload logon certificates on new employees’ smart cards.

• The restricted enrollment agent allows you to limit the permissions for users (usually administrators and help desk personnel) who are designated as enrollment agents to enroll for smart card certificates on behalf of other users.

Page 26

Auto-Enrollment

• Most certificates will be assigned through auto-enrollment, which is deployed using group policies, specifically

  o Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment

  o User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment

• However, auto-enrollment can be applied only to an enterprise CA (not a stand-alone CA), and you have to deploy schema template version 2 or higher.

• In addition, the user needs Read, Enroll, and Autoenroll permissions for the certificate to be deployed.
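Before enabling the policy above, an administrator would confirm the two conditions the slide states: that the template is schema version 2 or higher and that the intended identities (and only those) hold Read, Enroll and Autoenroll on it. The PowerShell below is an added example, not from the slides; it assumes the ActiveDirectory module is available and uses a constructed template name, ContosoUser.

```powershell
# Added example, not from the course slides. Assumptions (constructed): the ActiveDirectory
# module is installed, and the template's AD object name (its CN, which contains no spaces)
# is 'ContosoUser'. Run as a user who can read the Configuration partition.
Import-Module ActiveDirectory
$templateCN = 'ContosoUser'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Auto-enrollment requires a version 2 (or higher) template; version 1 templates cannot be used.
$template = Get-ADObject -Identity $templateDN -Properties 'msPKI-Template-Schema-Version'
'Template {0}: schema version {1}' -f $templateCN, $template.'msPKI-Template-Schema-Version'

# Enroll and Autoenroll are extended rights on the template object, identified by these GUIDs.
# An ACE whose ObjectType is the empty GUID grants every extended right, including both.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$rights = [System.DirectoryServices.ActiveDirectoryRights]

# Fold the Allow ACEs for each identity into the three permissions the slide names.
$perIdentity = @{}
$acl = Get-Acl -Path "AD:\$templateDN"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    if (-not $perIdentity.ContainsKey($id)) {
        $perIdentity[$id] = [ordered]@{ Identity = $id; Read = $false; Enroll = $false; Autoenroll = $false }
    }
    $r      = $ace.ActiveDirectoryRights
    $all    = ($r -band $rights::GenericAll) -eq $rights::GenericAll
    $ext    = ($r -band $rights::ExtendedRight) -ne 0
    $anyExt = $ext -and ($ace.ObjectType -eq [guid]::Empty)
    if ($all -or (($r -band $rights::ReadProperty) -ne 0))                    { $perIdentity[$id].Read = $true }
    if ($all -or $anyExt -or ($ext -and $ace.ObjectType -eq $enrollGuid))     { $perIdentity[$id].Enroll = $true }
    if ($all -or $anyExt -or ($ext -and $ace.ObjectType -eq $autoEnrollGuid)) { $perIdentity[$id].Autoenroll = $true }
}

# Identities showing True in all three columns will receive the certificate through the
# Certificate Services Client - Auto-Enrollment policy; anyone else listed will not.
# Review point: a broad group (Authenticated Users, Domain Users, Domain Computers) with
# Enroll/Autoenroll on a template whose purpose does not call for it should be removed.
$perIdentity.Values | ForEach-Object { New-Object PSObject -Property $_ } |
    Sort-Object Identity | Format-Table Identity, Read, Enroll, Autoenroll -AutoSize

# On a domain member, trigger an auto-enrollment pass now instead of waiting for the
# next policy refresh.
certutil -pulse
```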

Page 27

Network Device Enrollment Service (NDES)

• The Network Device Enrollment Service (NDES) is the Microsoft implementation of Simple Certificate Enrollment Protocol (SCEP), which is used for network devices such as switches and routers to enroll for an X.509 digital certificate from a CA.

• For example, if you want to use port security based on 802.1x for your switches and access points, or if you need SSH to connect to a switch or router, you can use NDES to install certificates using SCEP.

Page 28

Certificate Renewal

• Every certificate has a validity period and a finite life.

• At the end of the validity period, the certificate is no longer considered acceptable, and the certificate will have to be renewed.

• Of course, it is always best to renew the certificate before the certificate actually expires.

Page 29

Key Archival and Recovery

• Because certificates often provide keys to the kingdom, you do not want to lose the keys. Therefore, you need to provide key archival and recovery when needed.

• To recover lost keys, use a key archival and recovery agent.

• You can also use automatic or manual key archival and key recovery methods to ensure that you can gain access to data in the event that your keys are lost.

• It should also be emphasized that restoring a key does not provide data recovery.

• The restored key provides the ability to read a restored file, but you need to use another mechanism (e.g., Windows Backup) to actually back up the encrypted data.

Page 30

Objective 6.4: Managing Certificates

Page 31

Active Directory Rights Management Services (AD RMS)

• Active Directory Rights Management Services (AD RMS) is technology used to provide an extra level of security to documents, such as email and Microsoft Office documents, by using encryption to limit access to a document or web page and what can be done with that document or web page.

• For example, you can limit whether a document or web page can be printed, copied, edited, forwarded, or deleted.

• RMS helps contain confidential information so that it stays within the organization and helps limit who can access the data.

Page 32

AD RMS Components

• AD RMS server

  o A Windows server that is a member of an Active Directory Domain Services (AD DS) domain.

  o When you install AD RMS servers, the location of the server is published to AD DS at a location known as the service connection point.

  o Because RMS can be an important component when securing documents, you might deploy AD RMS with high availability using clustering.

Page 33

AD RMS Components

• AD RMS client

o With Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 operating systems, the client is included.

o With Windows XP, Windows Server 2003, and Windows Server 2003 R2, the client can be downloaded and installed.

o Computers that are members of the domain query AD DS for the service connection point to determine the location of AD RMS services.

Page 34

AD RMS Components

• AD RMS-enabled applications

o An application that allows users to create and consume AD RMS-protected content.

o Examples of AD RMS-enabled applications include Microsoft Word, Microsoft Excel, and Microsoft Outlook.

Page 35

AD RMS Components

• AD RMS root certification cluster

o The first AD RMS server that you deploy in a forest.

o It manages all licensing and certification traffic for the domain in which it is installed.

o The configuration information is installed in a Microsoft SQL database.

o AD RMS root certification clusters are typically found in large branch offices to distribute licenses used in content consumption and publishing.

Page 36

AD RMS Components

• Licensing-only cluster

o An optional component that is not part of the root cluster.

o It relies on the root cluster for certification and other services.

o It provides only publishing licenses and use licenses to users.

o It is typically used when supporting unique rights management requirements of a department or of external business partners.

Page 37

AD RMS Certificates and Licenses

• Server licensor certificate (SLC)

  o A certificate containing the public key that encrypts the content key in a publishing license.

  o It allows the AD RMS server to extract the content key and issue end use licenses (EULs) against the publishing key.

  o It is generated when you create the AD RMS cluster.

  o It allows the AD RMS cluster to issue SLCs to other servers in the cluster, rights account certificates to clients, client licensor certificates, publishing licenses, and use licenses, and to deploy rights policy templates.

  o It has a validity of 250 years. Because it is one of the core components, it is important to back up the SLCs on a regular basis.

Page 38

AD RMS Certificates and Licenses

• AD RMS machine certificate

  o Used to identify a trusted computer or device.

  o It is also used to encrypt the rights account certificate private key and to decrypt the rights account certificates.

• Rights account certificate (RAC)

  o A RAC is issued the first time a user attempts to access AD RMS-protected content; it is used to identify a specific user.

o RACs can be issued only to users in AD DS whose user accounts have email addresses that are associated with them.

o The default validity time for a RAC is 365 days.

Page 39

AD RMS Certificates and Licenses

• Temporary rights account certificate

  o Issued to users who are accessing AD RMS-protected content from a computer that is not a member of the same or a trusted forest as the AD RMS cluster.

  o A temporary RAC has a validity time of 15 minutes.

• Active Directory Federation Services (AD FS) RACs

  o Issued to federated users.

  o They have a validity of seven days.

• Windows Live ID RAC

  o Used with a Microsoft account, formerly called a Windows Live Account. Windows Live ID RACs used on private computers have a validity of six months.

  o Windows Live ID RACs on public computers are valid until the user logs off.

Page 40

AD RMS Certificates and Licenses

• Client licensor certificate

  o Allows a user to publish AD RMS-protected content when the client computer is not connected to the same network as the AD RMS cluster.

o The client licensor certificate public key encrypts the symmetric content key and includes it in the publishing license that it issues.

o The client licensor certificate private key signs any publishing licenses that are issued when the client is not connected to the AD RMS cluster.

o Because client licensor certificates are tied to a specific user’s RAC, when another user without a RAC attempts to publish AD RMS-protected content from the same client, that user will not be able to until the client connects to the AD RMS cluster so that the user can get a RAC.

Page 41

AD RMS Certificates and Licenses

• Publishing license (PL)

  o Determines the rights that apply to AD RMS-protected content.

  o It contains the content key, which is encrypted using the public key of the licensing service.

  o It also contains the URL and the digital signature of the AD RMS server.

• End use license (EUL)

  o Required to consume AD RMS-protected content.

  o The AD RMS server issues one EUL per user per document.

  o EULs are cached by default.