I am currently working on a project to deploy Windows 2003 PKI.  

I will do my best to post to my blog things I take away from the planning
(or lack thereof), implementation, and operations, to show you how we are
going about establishing a PKI infrastructure and integrating both Microsoft
technology and third-party technology.

The biggest low-hanging fruit Microsoft deployed their PKI for recently was
to support both VPN and wireless access to their networks.

Many people get hung up on trying to deploy PKI for e-mail or web sites and
get bogged down in organizational politics.  It is pretty easy to do.

Windows 2003 PKI has a couple of pretty good features that address the chronic
problems associated with PKI deployments for user certificates, and also
address some of the acute problems associated with certificates for
potential clients of PKI infrastructure.

Specifically:  

Identity Management

Auto-enrollment is now a feature of the OS, not Exchange.

Root CAs can now be bridged to Bridge CAs, so it is easier to create
relationships with outside entities and not have to rely on costly solutions
from the major vendors to give end users certs for signing and encryption.

There is still work to be done when it comes to presenting the path and
location the user is at within the organization.

I believe by default Microsoft will put on the certificates the location
within the AD to find the PKI credentials' public keys.  This works well for
internal operations of PKI, but extranet and intranet use of the
credentials should not expose the organizational structure IMHO, and the
directory should be pretty flat.  I.e., xyz.com, not
CN=userID,OU=AD,DC=xyz,DC=gov; more like CN=UPN,DC=xyz,DC=gov.  I have
not done that much research yet to determine the best way to accomplish
that.

Wireless & VPN improvements

Provisioning PKI credentials for hosts that don't support or participate in
AD natively has been a challenge.  Remember when I fired up Robbie at DEC?
That is because there is a need for better wireless security, and the
vendors are all trying to be innovative and come up with their own solution
to the problem and write RFCs etc., instead of just working together and
realizing that this solution is nothing more than strategic, and will not be
a revenue generator except to sell existing products.  I believe Cisco and
Microsoft have been working together to make integration between Cisco
hardware and AD much better.  I would like to believe it is because I told
Robbie I was unhappy.  Hehe

Robbie, maybe you can fill in the list on what some of the initiatives are
at play in Cisco related to Windows 2003 PKI.

Delta CRLs: This is a very important development because CRLs could take
time to publish throughout the organization if it spanned multiple time
zones.  When you want to stop someone from accessing your network once you
revoke their credentials, DCRL is the way to do it by software.  I am sure
there are hardware solutions.

Hardware Improvements

I also believe the APIs and the OS have better support for security
hardware.  I would love to be able to use memory stick technology to keep my
certs off my user profile, or better yet, export my user profile and My
Documents to a USB device or smart media.

More to come.

Todd Myrick
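The delta CRL point above, as an added example that is not from the post and not Microsoft's own PKI code: a relying party pairing a base CRL with a delta CRL under the RFC 5280 section 5.2.4 rules before deciding whether a serial is revoked, and failing closed once the delta is past its nextUpdate. The CRL records, issuer name and serial numbers are constructed for illustration, not parsed from real DER.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Added example: the CRL records below are constructed, not parsed from DER,
# so the pairing and merge rules are the point, not the encoding.
REMOVE_FROM_CRL = "removeFromCRL"   # delta entry that lifts a certificateHold


@dataclass
class Crl:
    issuer: str
    crl_number: int                 # CRLNumber extension
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason
    base_crl_number: Optional[int] = None   # DeltaCRLIndicator; only on a delta


def can_combine(base: Crl, delta: Crl) -> bool:
    """Same issuer, and BaseCRLNumber <= base CRLNumber < delta CRLNumber."""
    if (delta.base_crl_number is None or base.base_crl_number is not None
            or base.issuer != delta.issuer):
        return False
    return delta.base_crl_number <= base.crl_number < delta.crl_number


def effective_revocations(base: Crl, delta: Crl) -> Dict[int, str]:
    """Merge: delta entries add or replace base entries; removeFromCRL deletes."""
    if not can_combine(base, delta):
        raise ValueError("delta CRL does not pair with this base CRL")
    merged = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)
        else:
            merged[serial] = reason
    return merged


def status(serial: int, base: Crl, delta: Crl, now: datetime) -> str:
    """'revoked', 'good', or 'stale' (fail closed once either CRL has expired)."""
    if now > delta.next_update or now > base.next_update:
        return "stale"
    return "revoked" if serial in effective_revocations(base, delta) else "good"


# Constructed sample data: a base CRL published nightly and a delta a few hours later.
NOW = datetime(2003, 10, 26, 12, 0)
LATER = NOW + timedelta(days=2)
BASE = Crl("CN=xyz Issuing CA", 10, NOW - timedelta(hours=12), NOW + timedelta(days=1),
           {0x1001: "keyCompromise", 0x1003: "certificateHold"})
DELTA = Crl("CN=xyz Issuing CA", 11, NOW - timedelta(hours=1), NOW + timedelta(hours=4),
            {0x1002: "superseded", 0x1003: REMOVE_FROM_CRL}, base_crl_number=10)
```

A delta whose BaseCRLNumber is newer than the base you hold is rejected rather than merged, so a client that has not yet fetched the new base cannot silently miss revocations.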

-----Original Message-----
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 25, 2003 2:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

Certificate Services didn't make it into the AD Cookbook, but will in a
future book.  As far as good sources today, it really depends on if you are
talking about Windows 2000 or Windows Server 2003.  There were quite a few
enhancements to Cert Services in 2003.  Here are a few links you may want to
take a look at (links may wrap)....

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp

http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp


Robbie Allen
http://www.rallenhome.com/


> -----Original Message-----
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 24, 2003 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
> 
> Thanks.  I can see I will have some reading to do this weekend.
> 
> Dan
> > -------- Original Message --------
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > From: [EMAIL PROTECTED]
> > Date: Fri, October 24, 2003 12:57 pm
> > To: [EMAIL PROTECTED]
> > 
> > While not a cookbook per se, I have found this link useful in my
> > understanding of PKI:
> > http://tinyurl.com/s8y1
> >  
> > HTH
> >  
> >  
> > Sincerely,
> > 
> > Dèjì Akómoláfé, MCSE MCSA MCP+I
> > www.akomolafe.com
> > www.iyaburo.com
> > Do you now realize that Today is the Tomorrow you were worried about
> > Yesterday?  -anon
> > 
> > ________________________________
> > 
> > From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
> > Sent: Fri 10/24/2003 11:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > 
> > 
> > 
> > Robbie,
> > 
> > I haven't gotten my copy of your book yet, I know :-(, I waited until
> > just recently to order it.  I looked at the table of contents but did not
> > see anything about Certificate Services, is it there and I just missed
> > it??
> > 
> > If it is not in your book, as the "Master of Cookbooks" can you suggest
> > a good source for learning Certificate Services structure and an
> > installation guide.
> > 
> > I am trying to get my head around Certificate Service in order to
> > answer some structure questions.
> > 
> > Dan
> > > -------- Original Message --------
> > > Subject: RE: [ActiveDir] Active Directory Cookbook
> > > From: "Robbie Allen" <[EMAIL PROTECTED]>
> > > Date: Fri, October 24, 2003 9:43 am
> > > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > >
> > > Thanks for all of the positive feedback about the book.  I give the
> > > credit to my all-star cast of reviewers :-)
> > > 
> > > My main goal was to produce a reference that would help AD admins get
> > > their job done quicker and easier.  There is just too much stuff AD
> > > admins have to remember and that's why I thought the O'Reilly cookbook
> > > format would work especially well in this case.
> > > 
> > > If you have the book (or even if you don't), be sure to check out the
> > > following web site, which has all of the code in the book and any
> > > corrections: http://www.rallenhome.com/books/adcookbook/code.html
> > > 
> > > Keep the feedback coming....
> > > 
> > > Regards,
> > > Robbie Allen
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, October 24, 2003 11:51 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Active Directory Cookbook
> > >
> > >
> > >
> > > Agreed - I got mine yesterday from Amazon and I must say that this
> > > should be
> > > on the shelf of every AD administrator. Period.
> > >
> > > Michael Parent MCSE MCT
> > > Analyst I - Web Services
> > > ITOS - Systems Enablement
> > > Maritime Life Assurance Company
> > > (902) 453-7300 x3456
> > >
> > >
> > >
> > > "Lou Vega" <[EMAIL PROTECTED]>
> > > Sent by: [EMAIL PROTECTED]
> > > 10/24/2003 10:37 AM
> > > Please respond to ActiveDir
> > >
> > > To: <[EMAIL PROTECTED]>
> > > cc:
> > > Subject: [ActiveDir] Active Directory Cookbook
> > >
> > >
> > >
> > > Received my very own copy of Mr. Robbie Allen's "Tuna" book last
> > > night from Amazon.com - in the first night's reading the book is
> > > already proving its worth as I see how to do certain things much
> > > simpler than I had done them before (with regards to the VBScripts
> > > included), as well as learn new things I didn't realize could be done
> > > (in both AD2K and AD2K3). The book will be very handy as I continue to
> > > stand up my development Windows 2003 domain.
> > >
> > > To anyone else on this list who hasn't gotten it yet...it's a
> > > worthwhile addition to your Active Directory library.
> > >
> > > To Robbie (and all the others who assisted him!) - thanks for a
> > > great resource!
> > >
> > > r/
> > > Lou
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/