Configuring an enterprise wireless solution with encryption

Archived from groups: microsoft.public.win2000.security

Hello:

I am in the process of finalizing a project where I am using encryption
on my wireless network with certificates issued by a Certificate Server. So
far everything has been working on my lab network. I have the approval for
a new server which will be Windows 2003. Part of the reason I am getting
this is because it will be a CA server. In addition the server is also
supposed to run RADIUS, RAS (dial-up), DHCP and AntiVirus. None of these
services are resource hogs.

I am curious what people think of installing Certificate Services on a
server like this? I know once I install it the server will be permanent.

Harrison Midkiff
  1.

    You don't say anything about the environment but if tearing out the old CA
    structure and rebuilding from scratch would be fairly painful in the event of
    compromise or other issue then you want more than one CA server. You will want a
    root that you will keep offline and one or more CA servers for actually giving
    out the certs. You also want a CDP that is guaranteed to always be available as
    many products will refuse to use a cert if the CRL isn't readily available when
    it wants it.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Harrison Midkiff wrote:
    > Hello:
    >
    > I am in the process of finalizing a project where I am using encryption
    > on my wireless network with certificates issued by a Certificate Server. So
    > far everything has been working on my lab network. I have the approval for
    > a new server which will be Windows 2003. Part of the reason I am getting
    > this is because it will be a CA server. In addition the server is also
    > supposed to run RADIUS, RAS (dial-up), DHCP and AntiVirus. None of these
    > services are resource hogs.
    >
    > I am curious what people think of installing Certificate Services on a
    > server like this? I know once I install it the server will be permanent.
    >
    > Harrison Midkiff
    >
    >
  2.

    Hi Harrison,

    If your domain is Windows 2000 AD, to set up a Windows Server 2003 CA, the
    Active Directory schema must be upgraded to the Windows Server 2003 schema.
    You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.

    The schema is updated to the Windows Server 2003 schema by running ADPREP
    /Forestprep at a Windows 2000 domain controller with the Windows Server
    2003 CD-ROM in the CD-ROM drive.

    I would like to recommend that you refer to the Windows Server 2003 help
    files and the following two public whitepapers.

    http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

    Best Practices:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

    Have a nice day!

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  3.

    Bob:

    I appreciate your reply to my post. I am in the process of reviewing the
    white papers. One question if I may...

    I need to deploy a CA server to enable me to do secure wireless with
    certificates. I know the best practice is to install an Enterprise Root CA
    and then an Enterprise Subordinate Root CA. Once the subordinate is online
    you remove the root CA and put it in a safe location. A friend of mine said
    that was just in a perfect Microsoft world and it was not necessary, so I
    could just do a single Enterprise Root CA.

    What are your thoughts on that?

    Harrison Midkiff

    "Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
    news:VnmjENzYEHA.3316@cpmsftngxa06.phx.gbl...
    > Hi Harrison,
    >
    > If your domain is Windows 2000 AD, to set up a Windows Server 2003 CA, the
    > Active Directory schema must be upgraded to the Windows Server 2003 schema.
    > You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.
    >
    > The schema is updated to the Windows Server 2003 schema by running ADPREP
    > /Forestprep at a Windows 2000 domain controller with the Windows Server
    > 2003 CD-ROM in the CD-ROM drive.
    >
    > I would like to recommend that you refer to the Windows Server 2003 help
    > files and the following two public whitepapers.
    >
    > http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp
    >
    > Best Practices:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
    >
    > Have a nice day!
    >
    > Regards,
    > Bob Qin
    > Product Support Services
    > Microsoft Corporation
    >
    > Get Secure! - www.microsoft.com/security
    >
    > ====================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    > ====================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
  4.

    That actually isn't a Microsoft guideline, that is a Cert Authority best
    practice. Here is a paper from SANS that discusses root CAs.

    http://www.sans.org/rr/papers/63/1322.pdf

    Like I said in the previous post, if compromise or loss of your root causing a
    complete rebuilding from scratch of your PKI environment is ACCEPTABLE to you,
    you do not need a root CA.

    If that is not acceptable, you need a root. The root will be offline and any
    publishing of CRLs or certs from it will require the Nike Express (hands and
    feet) for publishing. You will write the info to a CD or floppy or some other
    transportable media and carry to a device that is on the network.

    If an intermediate is compromised, you can use the root to invalidate all certs
    from it and still keep your PKI infrastructure up and running. If your root is
    compromised you throw it all out and start over.

    Note my experience is corporate experience. If your friend said what he said to
    you in any of the companies I have been with they would have tossed him out the
    door and wouldn't have taken the time to see if he landed.


    joe


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Harrison Midkiff wrote:
    > Bob:
    >
    > I appreciate your reply to my post. I am in the process of reviewing the
    > white papers. One question if I may...
    >
    > I need to deploy a CA server to enable me to do secure wireless with
    > certificates. I know the best practice is to install an Enterprise Root CA
    > and then an Enterprise Subordinate Root CA. Once the subordinate is online
    > you remove the root CA and put it in a safe location. A friend of mine said
    > that was just in a perfect Microsoft world and it was not necessary, so I
    > could just do a single Enterprise Root CA.
    >
    > What are your thoughts on that?
    >
    > Harrison Midkiff
    >
    > "Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
    > news:VnmjENzYEHA.3316@cpmsftngxa06.phx.gbl...
    >
    >>Hi Harrison,
    >>
    >>If your domain is Windows 2000 AD, to set up a Windows Server 2003 CA, the
    >>Active Directory schema must be upgraded to the Windows Server 2003 schema.
    >>You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.
    >>
    >>The schema is updated to the Windows Server 2003 schema by running ADPREP
    >>/Forestprep at a Windows 2000 domain controller with the Windows Server
    >>2003 CD-ROM in the CD-ROM drive.
    >>
    >>I would like to recommend that you refer to the Windows Server 2003 help
    >>files and the following two public whitepapers.
    >>
    >>http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp
    >>
    >>Best Practices:
    >>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
    >>
    >>Have a nice day!
    >>
    >>Regards,
    >>Bob Qin
    >>Product Support Services
    >>Microsoft Corporation
    >>
    >>Get Secure! - www.microsoft.com/security
    >>
    >>====================================================
    >>When responding to posts, please "Reply to Group" via your newsreader so
    >>that others may learn and benefit from your issue.
    >>====================================================
    >>This posting is provided "AS IS" with no warranties, and confers no rights.
    >
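The hierarchy Joe describes in his two replies above (a root that stays offline, an online issuing CA doing the actual work, a CRL that the relying party must be able to fetch or it refuses the cert, and the root being the only thing that can cut off a compromised issuing CA) can be walked through end to end on any box with openssl. The script below is an added example for this page, not code from the thread, from Microsoft or from Joe; openssl stands in for the Windows 2003 CA and for the RADIUS server's chain check, and the CA names, the users alice and bob, the 7-day CRL lifetime and the scratch directory are all invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): offline root, online issuing CA, CRLs the relying
# party must be able to fetch, revocation at both tiers. Names and users are invented.
set -e
PKI=$(mktemp -d)
# Request stub plus extension profiles. CA certs need basicConstraints or chain
# building fails; wireless users get an EAP-TLS style clientAuth profile.
cat > "$PKI/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca_sub ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ eap_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

init_ca_db() {   # $1 = root | issuing; "openssl ca" state used only to revoke and sign CRLs
  mkdir -p "$PKI/$1"
  : > "$PKI/$1/index.txt"
  echo 01 > "$PKI/$1/crlnumber"
  cat > "$PKI/$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $PKI/$1
database         = \$dir/index.txt
certificate      = \$dir/$1.crt
private_key      = \$dir/$1.key
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 7
EOF
}

new_key_and_csr() {   # $1 = output path without extension, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/pki.cnf" \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Sign both CRLs and bundle them as the CDP would serve them. In a real deployment the
# root CRL reaches the CDP on removable media, since the root is never on the network.
publish_crls() {
  openssl ca -config "$PKI/root/ca.cnf" -gencrl -out "$PKI/root/root.crl" 2>/dev/null
  openssl ca -config "$PKI/issuing/ca.cnf" -gencrl -out "$PKI/issuing/issuing.crl" 2>/dev/null
  cat "$PKI/root/root.crl" "$PKI/issuing/issuing.crl" > "$PKI/cdp.crl"
}

build_pki() {
  init_ca_db root; init_ca_db issuing
  # Root signs itself once and signs the issuing CA, then goes into the safe.
  new_key_and_csr "$PKI/root/root" "Example Offline Root CA"
  openssl x509 -req -in "$PKI/root/root.csr" -signkey "$PKI/root/root.key" -days 3650 \
    -extfile "$PKI/pki.cnf" -extensions ca_root -out "$PKI/root/root.crt" 2>/dev/null
  new_key_and_csr "$PKI/issuing/issuing" "Example Issuing CA"
  openssl x509 -req -in "$PKI/issuing/issuing.csr" -CA "$PKI/root/root.crt" \
    -CAkey "$PKI/root/root.key" -CAcreateserial -days 1825 \
    -extfile "$PKI/pki.cnf" -extensions ca_sub -out "$PKI/issuing/issuing.crt" 2>/dev/null
  # Only the online issuing CA hands out wireless user certs.
  for user in alice bob; do
    new_key_and_csr "$PKI/$user" "$user"
    openssl x509 -req -in "$PKI/$user.csr" -CA "$PKI/issuing/issuing.crt" \
      -CAkey "$PKI/issuing/issuing.key" -CAcreateserial -days 365 \
      -extfile "$PKI/pki.cnf" -extensions eap_client -out "$PKI/$user.crt" 2>/dev/null
  done
  publish_crls
}

revoke_cert() {   # $1 = CA that issued it, $2 = cert file; republishes the CRL bundle
  openssl ca -config "$PKI/$1/ca.cnf" -revoke "$2" 2>/dev/null
  publish_crls
}

# The RADIUS server's decision on one client cert; extra args go to openssl verify.
verify_client() {
  leaf=$1; shift
  if openssl verify -CAfile "$PKI/root/root.crt" -untrusted "$PKI/issuing/issuing.crt" \
      "$@" "$leaf" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

run_demo() {
  build_pki
  r1=$(verify_client "$PKI/alice.crt" -crl_check)   # good chain, but no CRL reachable: refused
  r2=$(verify_client "$PKI/alice.crt" -crl_check_all -CRLfile "$PKI/cdp.crl")
  revoke_cert issuing "$PKI/alice.crt"              # lost laptop: issuing CA revokes one cert
  r3=$(verify_client "$PKI/alice.crt" -crl_check_all -CRLfile "$PKI/cdp.crl")
  r4=$(verify_client "$PKI/bob.crt" -crl_check_all -CRLfile "$PKI/cdp.crl")
  revoke_cert root "$PKI/issuing/issuing.crt"       # compromised issuing CA: root ends its subtree
  r5=$(verify_client "$PKI/bob.crt" -crl_check_all -CRLfile "$PKI/cdp.crl")
  echo "$r1 $r2 $r3 $r4 $r5"
}

DEMO_RESULT=$(run_demo)
echo "no-crl with-crl alice-revoked bob-after issuing-revoked: $DEMO_RESULT"
```

Run it with sh. The five results come out FAIL OK FAIL OK FAIL: the first FAIL is Joe's CDP point (the chain is perfectly good, but with revocation checking on and no CRL reachable the verifier refuses the cert anyway), the third shows the online issuing CA handling routine revocation without touching the root, and the last shows why the root has to survive a compromise of the issuing CA: one CRL signed by the root, carried to the CDP by hand, invalidates everything the issuing CA ever signed while the trust anchor itself stays valid. With a single root doing the issuing there is nothing left to sign that CRL with.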
  5.

    Hi Harrison,

    Your friend's suggestion is not recommended.

    Please refer to the following documents for more information:

    Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
    Infrastructure
    http://www.microsoft.com/security/guidance/prodtech/WindowsServer2003.mspx

    Microsoft Solution for Securing Wireless LANs
    http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

    Securing Wireless LANs with PEAP and Passwords
    http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

    Designing and Deploying Wireless LAN Connectivity for the Microsoft
    Corporate Network
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/wlandply.mspx

    I hope they help.

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  6.

    Bob:

    Thanks for your reply to my post....

    I have been doing a lot of research on deploying a CA server. The initial
    purpose for my CA will be for issuing certificates for wireless users so the
    traffic will be encrypted. I have read that I can use an Enterprise Root or
    Stand Alone Root. Because of the integration of the Enterprise Root with
    Active Directory I think I should deploy it. A member of our team seems to
    be adamantly against this, but cannot give me any reasons. I do not want
    to discount his objections when it comes to security.

    What are your thoughts on this? Thanks

    Harrison Midkiff


    "Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
    news:oq2MIaCZEHA.2804@cpmsftngxa06.phx.gbl...
    > Hi Harrison,
    >
    > Your friend's suggestion is not recommended.
    >
    > Please refer to the following documents for more information:
    >
    > Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
    > Infrastructure
    > http://www.microsoft.com/security/guidance/prodtech/WindowsServer2003.mspx
    >
    > Microsoft Solution for Securing Wireless LANs
    > http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en
    >
    > Securing Wireless LANs with PEAP and Passwords
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
    >
    > Designing and Deploying Wireless LAN Connectivity for the Microsoft
    > Corporate Network
    > http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/wlandply.mspx
    >
    > I hope they help.
    >
    > Regards,
    > Bob Qin
    > Product Support Services
    > Microsoft Corporation
    >
    > Get Secure! - www.microsoft.com/security
    >
    > ====================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    > ====================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
  7.

    Kind of hard to respond to someone who won't give you any reasons. Plus, what
    could you say that would change their mind? Obviously they don't know
    themselves what they don't like about it.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Harrison Midkiff wrote:
    > Bob:
    >
    > Thanks for your reply to my post....
    >
    > I have been doing a lot of research on deploying a CA server. The initial
    > purpose for my CA will be for issuing certificates for wireless users so the
    > traffic will be encrypted. I have read that I can use an Enterprise Root or
    > Stand Alone Root. Because of the integration of the Enterprise Root with
    > Active Directory I think I should deploy it. A member of our team seems to
    > be adamantly against this, but cannot give me any reasons. I do not want
    > to discount his objections when it comes to security.
    >
    > What are your thoughts on this? Thanks
    >
    > Harrison Midkiff
    >
    > "Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
    > news:oq2MIaCZEHA.2804@cpmsftngxa06.phx.gbl...
    >
    >>Hi Harrison,
    >>
    >>Your friend's suggestion is not recommended.
    >>
    >>Please refer to the following documents for more information:
    >>
    >>Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
    >>Infrastructure
    >>http://www.microsoft.com/security/guidance/prodtech/WindowsServer2003.mspx
    >>
    >>Microsoft Solution for Securing Wireless LANs
    >>http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en
    >>
    >>Securing Wireless LANs with PEAP and Passwords
    >>http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
    >>
    >>Designing and Deploying Wireless LAN Connectivity for the Microsoft
    >>Corporate Network
    >>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/wlandply.mspx
    >>
    >>I hope they help.
    >>
    >>Regards,
    >>Bob Qin
    >>Product Support Services
    >>Microsoft Corporation
    >>
    >>Get Secure! - www.microsoft.com/security
    >>
    >>====================================================
    >>When responding to posts, please "Reply to Group" via your newsreader so
    >>that others may learn and benefit from your issue.
    >>====================================================
    >>This posting is provided "AS IS" with no warranties, and confers no rights.
    >
  8.

    Hi Harrison,

    Generally speaking, a single Enterprise Root CA can also work. But it is
    not the best practice for CA deployment.

    The root CA role is very important in any organization. It is a point that
    is explicitly trusted by all users and devices in your organization. So it
    is highly desirable to protect the root CA private key as much as possible.
    One of the best ways of doing this is to disconnect the CA from the network
    so that access to it is extremely limited. Then we can use the Subordinate
    Root CA to issue certificates.

    Have a nice day!

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.