Deploying PKI Inside Microsoft

The experience of Microsoft in deploying its own corporate PKI

Published: December 2003


Solution Overview

Situation
● Microsoft needed a platform for securing internal and external network communications

Solution
● Microsoft IT installed Certificate Services to implement a secure communications and remote authentication infrastructure

Benefits
● Enabled the use of S/MIME signatures and encryption
● Secured Web connections
● Ensured the confidentiality of stored and transmitted data
● Ensured the confidentiality and integrity of transmitted data by using IPSec
● Enabled strong network user authentication


Products and Technologies

● Windows 2000 Server
● Windows Server 2003
● Windows-based PKI and CA
● Certificate Services
● Active Directory
● Windows XP Professional
● Microsoft Office Outlook 2003
● Smart Cards
● EFS, IPSec, S/MIME, SSL


Deployment: Windows 2000 Server PKI

● CA hierarchy
● Integration of PKI into Active Directory
● Network and server performance
● Security requirements
● Windows 2000 Server Certificate Services
● CRL lifetime


Architecture: Windows 2000 Server PKI

Offline tier (Microsoft IT vault)
● Microsoft Corporate Root Authority – Offline Root
● Microsoft Intranet CA – Offline Intermediate 1
● Microsoft Extranet CA – Offline Intermediate 2

Online issuing CAs
● Intranet Machine CA 1
● Intranet Machine CA 2
● FTE User CA 1
● FTE User CA 2
● Non-FTE User CA 1
● Intranet Level 2 User CA 1
● Intranet Level 2 User CA 2
● Personnel E-mail CA 1
● Extranet Machine CA 1
● Intranet Network CA 1
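The hierarchy above is what chain building on a Windows client should reconstruct for any certificate from one of the online issuing CAs: end entity, issuing CA, offline intermediate, offline root. The PowerShell function below is an added example, not code from the deck or from Microsoft IT. It checks that a certificate chains to the expected corporate root, that the chain has the depth the diagram shows (four elements, an assumed default), and that revocation status could be obtained online for every certificate in the path. The certificate path and root thumbprint in the usage comment are hypothetical.

```powershell
# Added example (not from the original deck). Verifies that a certificate chains to the expected
# offline root, with the expected depth, and that every CA in the path has a reachable CRL.
# Assumptions: root thumbprint and certificate path are supplied by the caller; the 4-element
# depth (root -> offline intermediate -> issuing CA -> end entity) is read off the slide.

function Test-CorporateChain {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $ExpectedRootThumbprint,
        [int] $ExpectedDepth = 4   # assumed from the three-tier hierarchy on the slide
    )

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Fetch CRLs from the CDP for the whole chain, not just the leaf, so an offline intermediate
    # whose CRL was never republished shows up as OfflineRevocation / RevocationStatusUnknown.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built    = $chain.Build($leaf)
    $elements = @($chain.ChainElements)
    $root     = $elements[-1].Certificate
    $wanted   = ($ExpectedRootThumbprint -replace '[\s:]', '').ToUpperInvariant()

    # Any status flag mentioning revocation means the CRL for some element could not be
    # evaluated or the element is revoked; either way the chain must not be trusted.
    $revocationProblems = @($chain.ChainStatus | Where-Object { "$($_.Status)" -match 'Revo' })

    $result = [pscustomobject]@{
        Subject           = $leaf.Subject
        ChainBuilt        = $built
        Depth             = $elements.Count
        DepthAsDesigned   = ($elements.Count -eq $ExpectedDepth)
        RootThumbprint    = $root.Thumbprint
        RootIsCorporate   = ($root.Thumbprint -eq $wanted)
        RevocationChecked = ($revocationProblems.Count -eq 0)
        Path              = (($elements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
        Errors            = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    $chain.Reset()
    return $result
}

# Usage with hypothetical values:
# Test-CorporateChain -CertPath 'C:\temp\user.cer' -ExpectedRootThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Trusting only `ChainBuilt` is not enough: a chain can build successfully to some other root in the machine store, which is why the function also compares the root thumbprint and reports the depth. `RevocationChecked` being false with `ChainBuilt` true is the typical symptom of an offline CA whose CRL has lapsed.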


Benefits of Upgrading the PKI to Windows Server 2003

● Extended certificate templates
● Key archival and recovery
● Extended autoenrollment


Deployment: Windows Server 2003 PKI

● Server consolidation
● Sanitization of certificates
● Inclusion of public root hierarchy
● CA server management and support
● Smart Card deployment


Architecture: Windows Server 2003 PKI

Offline tier (Microsoft IT vault)
● Microsoft Corporate Root Authority – Offline Root
● Microsoft Intranet CA – Offline Intermediate
● Third-Party External Public Root Authority – Offline Root
● Microsoft CA – Offline Intermediate

Online issuing CAs
● Personnel E-mail CA 1
● Public-Facing SSL CA 1
● Intranet Level 2 User CA 1
● Intranet Level 2 User CA 2
● Corporate Enterprise CA 1
● Corporate Enterprise CA 2


Lessons Learned and Best Practices

● Plan for the upgrade to Windows Server 2003 PKI
● Carefully consider the number of CA servers needed
● Implement a multiple-tier hierarchy
● Consider integration with a public root
● Automate CRL publication
● Customize the CRL publication overlap interval
● Use new keys for CA renewal
● Plan for certificate issuance policies
● Sanitize elements of the PKI
● Do not use DSA keys with Windows CE–based devices
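The three CRL lessons above, together with the "CRL lifetime" item under the Windows 2000 deployment, come down to a few registry values and one operational habit: the publication period, the overlap interval that keeps the previous CRL valid while the new one propagates, a scheduled publish that runs more often than the CRL expires, and renewing the CA with a fresh key pair. The PowerShell below is an added example wrapping certutil, the tool Certificate Services is administered with; it is not from the deck or from Microsoft IT. The one-week period, two-day overlap, CDP share \\cdp01\crl and script path C:\Scripts\Publish-Crl.ps1 are assumed values.

```powershell
# Added example (not from the original deck). Configures CRL publication and overlap on a
# Windows Server 2003 (or later) Certificate Services CA, automates publication, and renews
# the CA certificate with a new key. Run elevated on the CA host.
# Assumed values: 1-week CRL, 2-day overlap, CDP share \\cdp01\crl, script C:\Scripts\Publish-Crl.ps1.

function Set-CrlSchedule {
    param(
        [int] $PeriodUnits = 1,
        [ValidateSet('Hours','Days','Weeks','Months','Years')] [string] $Period = 'Weeks',
        [int] $OverlapUnits = 2,
        [ValidateSet('Minutes','Hours','Days','Weeks','Months','Years')] [string] $OverlapPeriod = 'Days'
    )
    # A published base CRL is valid for CRLPeriod + CRLOverlapPeriod. The overlap is the window in
    # which the old CRL still validates while the new one reaches every CDP (AD replication,
    # file copies, HTTP caches); size it longer than the slowest path, not at the default.
    certutil -setreg CA\CRLPeriodUnits $PeriodUnits
    certutil -setreg CA\CRLPeriod $Period
    certutil -setreg CA\CRLOverlapUnits $OverlapUnits
    certutil -setreg CA\CRLOverlapPeriod $OverlapPeriod
    # No delta CRLs: one fewer short-lived artifact to keep in sync across CDPs.
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    # Registry changes are read at service start.
    net stop certsvc
    net start certsvc
}

function Publish-Crl {
    param([string] $CdpShare = '\\cdp01\crl')   # hypothetical staging share behind the HTTP CDP
    # certutil -crl writes a new base CRL to the CDP locations the CA can reach itself; the copy
    # covers a CDP the CA service account cannot write to directly.
    certutil -crl
    if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit code $LASTEXITCODE)" }
    $enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
    Copy-Item -Path (Join-Path $enroll '*.crl') -Destination $CdpShare -Force
}

function Register-CrlPublication {
    param([string] $ScriptPath = 'C:\Scripts\Publish-Crl.ps1')   # hypothetical wrapper that calls Publish-Crl
    # Publish daily for a weekly CRL: a single missed run then lands inside the overlap window
    # instead of letting the CRL expire and failing every revocation check in the forest.
    schtasks /Create /F /RU SYSTEM /SC DAILY /ST 02:00 /TN 'Publish CA CRL' `
        /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
}

function Get-CrlValidity {
    param([Parameter(Mandatory)] [string] $CrlPath)
    # Pull ThisUpdate/NextUpdate out of certutil's text dump so monitoring can alert before
    # expiry. The dates are printed in the machine's locale, which [datetime] also parses.
    $dump = certutil -dump $CrlPath
    $this = [datetime](($dump | Select-String 'ThisUpdate:').Line -replace '.*ThisUpdate:\s*', '')
    $next = [datetime](($dump | Select-String 'NextUpdate:').Line -replace '.*NextUpdate:\s*', '')
    [pscustomobject]@{
        ThisUpdate = $this
        NextUpdate = $next
        HoursLeft  = [math]::Round(($next - (Get-Date)).TotalHours, 1)
    }
}

function Renew-CaCertificateWithNewKey {
    # certutil -renewCert without the ReuseKeys argument generates a new key pair; ReuseKeys
    # would keep the old one. A new key caps the exposure of the old one, and Windows then
    # publishes a separate CRL for certificates signed with the new key (the file name gains a
    # numeric suffix), so every CDP must carry both CRLs.
    certutil -renewCert
}
```

Order of operations on an existing CA: `Set-CrlSchedule`, then `Publish-Crl` once by hand and confirm with `Get-CrlValidity` that `NextUpdate` is the period plus the overlap out, then `Register-CrlPublication`. The same schedule is needed for the offline root and intermediates, where publication is a manual step by design and therefore the one most often forgotten.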


Future Directions

● Export of KMS database to Windows Server 2003 Certificate Services database

● Extension of PKI and Smart Card infrastructure


Summary

● Increased security
● Application and service compatibility
● Reduced certificate costs
● Ease of manageability
● Conformance to industry standards
● Scalability


For More Information

● White papers
● Websites


For More Information

● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase
● Microsoft Case Study Resources: http://www.microsoft.com/resources/casestudies
● E-mail IT [email protected]


This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.