RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

2003-10-25 Thread Robbie Allen
Certificate Services didn't make it into the AD Cookbook, but will in a
future book.  As far as good sources today, it really depends on if you are
talking about Windows 2000 or Windows Server 2003.  There were quite a few
enhancements to Cert Services in 2003.  Here are a few links you may want to
take a look at (links may wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp


http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp


Robbie Allen
http://www.rallenhome.com/


 -Original Message-
 From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 24, 2003 4:18 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Active Directory Cookbook
 
 
 Thanks.  I can see I will have some reading to do this weekend.
 
 Dan
   Original Message 
  Subject: RE: [ActiveDir] Active Directory Cookbook
  From: [EMAIL PROTECTED]
  Date: Fri, October 24, 2003 12:57 pm
  To: [EMAIL PROTECTED]
  
  While not a cookbook per se, I have found this link useful in my
  understanding of PKI:
  http://tinyurl.com/s8y1
   
  HTH
   
   
  Sincerely,
  
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday?  -anon
  
  
  
  From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
  Sent: Fri 10/24/2003 11:34 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Active Directory Cookbook
  
  
  
  Robbie,
  
  I haven't gotten my copy of your book yet, I know :-(, I waited until just
  recently to order it.  I looked at the table of contents but did not see
  anything about Certificate Services, is it there and I just missed it??
  
  If it is not in your book, as the Master of Cookbooks can you suggest a good
  source for learning Certificate Services structure and installing guide.
  
  I am trying to get my head around Certificate Service in order to
  answer some structure questions.
  
  Dan
    Original Message 
   Subject: RE: [ActiveDir] Active Directory Cookbook
   From: Robbie Allen [EMAIL PROTECTED]
   Date: Fri, October 24, 2003 9:43 am
   To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
  
   Thanks for all of the positive feedback about the book.  I give the credit
   to my all-star cast of reviewers :-) 
   
   My main goal was to produce a reference that would help AD admins get their
   job done quicker and easier.  There is just too much stuff AD admins have to
   remember and that's why I thought the O'Reilly cookbook format would work
   especially well in this case.
   
   If you have the book (or even if you don't), be sure to check out the
   following web site, which has all of the code in the book and any
   corrections: http://www.rallenhome.com/books/adcookbook/code.html
   
   Keep the feedback coming
   
   Regards,
   Robbie Allen
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
   Sent: Friday, October 24, 2003 11:51 AM
   To: [EMAIL PROTECTED]
   Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
   Subject: Re: [ActiveDir] Active Directory Cookbook
  
  
  
   Agreed - I got mine yesterday from Amazon and I must say that this should be
   on the shelf of every AD administrator. Period.
  
   Michael Parent MCSE MCT
   Analyst I - Web Services
   ITOS - Systems Enablement
   Maritime Life Assurance Company
   (902) 453-7300 x3456
  
  
  
 Lou Vega [EMAIL PROTECTED]
   Sent by: [EMAIL PROTECTED]
  
  
   10/24/2003 10:37 AM
   Please respond to ActiveDir
  
  
  
   To:[EMAIL PROTECTED]
   cc:
   Subject:[ActiveDir] Active Directory Cookbook
  
  
  
   Received my very own copy of Mr. Robbie Allen's Tuna book last night from
   Amazon.com - in the first night's reading the book is already proving its
   worth as I see how to do certain things much simpler than I had done them
   before (with regards to the VBScripts included), as well as learn new things
   I didn't realize could be done (in both AD2K and AD2K3). The book will be
   very handy as I continue to stand up my development Windows 2003 domain.

   To anyone else on this list who hasn't gotten it yet...it's a worthwhile
   addition to your Active Directory library.

   To Robbie (and all the others who assisted him!) - thanks for a great
   resource!

   r/
   Lou
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 

RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

2003-10-25 Thread Myrick, Todd (NIH/CIT)
I am currently working on a project to deploy Windows 2003 PKI.  

I will do my best to post to my BLOG things I take away from the planning,
or lack thereof, implementation, and operations to show you how we are
going about establishing PKI infrastructure, and integrating both Microsoft
technology and third-party technology.

The biggest low hanging fruit Microsoft deployed their PKI for recently was
to support both VPN, and Wireless access to their networks.

Many people get hung up on trying to deploy PKI for E-mail, or Web sites and
get bogged down in organization politics.  It is pretty easy to do.

Windows 2003 PKI has a couple of pretty good features that address the chronic
problems associated with PKI deployments for user certificates, and also
address some of the acute problems associated with certificates for
potential clients of PKI infrastructure.

Specifically:  

Identity Management

Auto-enrollment is now a feature of the OS, not Exchange.

Root CAs can now be bridged with Bridge CAs, so it is easier to create
relationships with outside entities and not have to rely on costly solutions
from the major vendors to give end users certs for signing and encryption.

There is still work to be done when it comes to presenting the path and
location the user is at within the organization.

I believe by default Microsoft will put on the certificates the location
within the AD to find the PKI credentials' public keys.  This works well for
internal operations of PKI, but Extranet and Intranet use of the
credentials should not expose the organizational structure IMHO, and the
directory should be pretty flat, i.e. xyz.com, not
CN=userID,OU=AD,DC=xyz,DC=gov.  More like CN=UPN,DC=xyz,DC=gov.  I have
not done that much research yet to determine the best way to accomplish
that.

Wireless & VPN improvements

Provisioning PKI credentials for hosts that don't support or participate in
AD natively has been a challenge.  Remember when I fired up Robbie at DEC?
That is because there is a need for better wireless security, and the
vendors are all trying to be innovative and come up with their own solution
to the problem and write RFCs etc., instead of just working together and
realizing that this solution is nothing more than strategic, and will not be
a revenue generator except to sell existing products.  I believe Cisco and
Microsoft have been working together to make integration between Cisco
hardware and AD much better.  I would like to believe it is because I told
Robbie I was unhappy.  Hehe

Robbie, maybe you can fill in the list on what some of the initiatives are
at play in Cisco related to Windows 2003 PKI.

Delta CRLs

This is a very important development because CRLs could take time to publish
throughout the organization if it spanned multiple time zones.  When you want
to stop someone from accessing your network once you revoke their
credentials, DCRL is the way to do it by software.  I am sure there are
hardware solutions.

Hardware Improvements

I also believe the APIs and the OS have better support for security
hardware.  I would love to be able to use memory stick technology to keep my
certs off my user profile, or better yet, export my user profile, and My
Documents to a USB device or smart media.

More to come.

Todd Myrick
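The naming concern above (a subject such as CN=userID,OU=AD,DC=xyz,DC=gov revealing where a user sits in the directory) can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: a small RFC 4514 string-DN parser and a check that lists the components, other than CN and DC, that expose directory structure. The DN strings are constructed samples; multi-valued RDNs joined with '+' are not handled.

```python
"""Flag certificate subject DNs that leak organizational structure.

Added example (not from the thread). Parses RFC 4514 string DNs with
backslash escapes and reports the non-CN/non-DC components, which are the
ones that reveal the subject's location inside the directory.
"""


def parse_dn(dn):
    """Split a string DN into (attribute, value) pairs, honouring '\\' escapes.

    Attribute types are upper-cased; leading/trailing spaces on values are
    dropped, since RFC 4514 requires significant ones to be escaped.
    """
    rdns, attr, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:                      # character after '\' is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:  # first unescaped '=' ends the type
            attr = "".join(buf).strip().upper()
            buf = []
        elif ch == "," and attr is not None:  # unescaped ',' ends the RDN
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
    if attr is None or escaped:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def structure_exposure(dn):
    """Return the components of `dn` that expose directory structure.

    An empty list means the subject is "flat" (CN plus DC components only),
    the shape the thread prefers for certificates used outside the intranet.
    """
    return [(t, v) for t, v in parse_dn(dn) if t not in ("CN", "DC")]


if __name__ == "__main__":
    # Constructed sample subjects: the exposed form and the flat UPN-style form.
    for subject in ("CN=userID,OU=AD,DC=xyz,DC=gov", "CN=userID@xyz.gov,DC=xyz,DC=gov"):
        print(subject, "->", structure_exposure(subject) or "flat")
```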


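The Delta CRLs point above rests on how a relying party combines a small, frequently published delta with the last full CRL it holds. The following is an added example, not code from the thread or from Windows, that shows that merge in simplified form: the CRL objects are constructed dictionaries rather than parsed ASN.1, the reason codes and the base-CRL-number rule follow RFC 5280 (sections 5.3.1 and 5.2.4), and signatures are not modelled.

```python
"""Combine a base CRL with a delta CRL (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# CRLReason codes from RFC 5280 section 5.3.1 (subset used here)
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8   # delta-only: the entry is dropped from the base CRL


@dataclass
class Crl:
    """Simplified CRL: numbering plus a serial -> reason map, no signature."""
    crl_number: int
    revoked: Dict[int, int] = field(default_factory=dict)
    base_crl_number: Optional[int] = None   # Delta CRL Indicator; delta CRLs only

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def merge_delta(base: Crl, delta: Crl) -> Dict[int, int]:
    """Return the effective revoked set of `base` with `delta` applied.

    A delta lists only changes since the base CRL it references, so it is
    small enough to publish often; that is why it shortens the window between
    revoking a credential and every site seeing the revocation. A delta may
    only be applied to a complete CRL at least as new as its referenced base,
    otherwise revocations could be missed and a newer base must be fetched.
    """
    if base.is_delta or not delta.is_delta:
        raise ValueError("merge_delta expects (complete CRL, delta CRL)")
    if base.crl_number < delta.base_crl_number:
        raise ValueError("base CRL %d predates the delta's referenced base %d: fetch a newer base"
                         % (base.crl_number, delta.base_crl_number))
    if delta.crl_number <= base.crl_number:
        return dict(base.revoked)          # delta is older than the base: nothing new in it
    effective = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            effective.pop(serial, None)    # e.g. a certificateHold that was lifted
        else:
            effective[serial] = reason     # newly revoked, or reason updated
    return effective


def is_revoked(serial: int, base: Crl, delta: Optional[Crl] = None) -> bool:
    """Relying-party check; without the delta, a recent revocation stays invisible."""
    revoked = merge_delta(base, delta) if delta is not None else base.revoked
    return serial in revoked
```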
-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 25, 2003 2:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)
