Should I install Certificate Authority to solve these prob..

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I am on Win2000 Domain. I am planning to go to Win2003 beginning next year.

Management (non technical) is pushing to get Certificate Authority installed
on my domain now.

I would like to evaluate if the problems below really require a Certificate
Authority to solve those issues below ? Does it make sense to create a
Certificate Authority now (domain), or should I migrate to Win2003 and take
advantage of potential enhanced features there ? If I use IPSec on Win2003,
I would need a Certificate Authority in the domain, right ?

Is it viable installing a Certificate Authority to solve the problems below
?

1) A server management tool can use certificates when the servers
communicate with one another to verify each other's identity. The guy is
afraid that someone in the internal organization could pretend to be
RealServermanagement tool and change another server's configuration.

Does Kerberos provide protection against this ?



2) A client machine accesses a browser connecting to a third-party
application server. Assume text is transmitted in clear text. If I use IPSec
to encrypt communications, do I need to install the Certificate authority ?
 
Guest

Beginning next year is two months away, or four, or six ?
Implementing a PKI requires some thought, server builds,
etc.. It seems your W2k/W2k3 versioning is secondary
consideration to time to do it right.
However, for nothing that you mentioned is a PKI the only
way to do things. In fact, for both of the two specific cases
you mention at the end, there is some confusion if having
a CA is thought to be important to them.

comments inlined below . . .
--
Roger Abell

"Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
news:uq8OpXkvEHA.3200@TK2MSFTNGP14.phx.gbl...
> I am on Win2000 Domain. I am planning to go to Win2003 beginning next year.
>
> Management (non technical) is pushing to get Certificate Authority installed
> on my domain now.
>
You have told them that this requires a minimum of two machines
to do it right, yes ?

> I would like to evaluate if the problems below really require a Certificate
> Authority to solve those issues below ? Does it make sense to create a
> Certificate Authority now (domain), or should I migrate to Win2003 and take
> advantage of potential enhanced features there ? If I use IPSec on Win2003,
> I would need a Certificate Authority in the domain, right ?
>
answer to the last question is NO, others commented upon earlier

> Is it viable installing a Certificate Authority to solve the problems below
> ?
>
No

> 1) A server management tool can use certificates when the servers
> communicate with one another to verify each other's identity. The guy is
> afraid that someone in the internal organization could pretend to be
> RealServermanagement tool and change another server's configuration.
>
> Does Kerberos provide protection against this ?
>
What server management tool ?
The mmc based tools MS provides with the operating system?
Or some third-party application?
There is misunderstanding all over in this. If the guy is afraid,
then he perhaps does not understand the strength of the safeguards
that are already in place (at least if deployed correctly).
The tools from MS act only subject to security checks based on
the context of the account in use. "change another server's config"
seems to imply the concern is over an admin fooling with the
wrong machine - which can be avoided if the admin is a plain
user everywhere except as a local admin on the intended machine.
Kerberos underlies the user identity and authorization.
The machines can be configured to secure their communications
and this may be done at different levels of strength (with accompanying
overheads). But making sure machines are who they are in their
exchanges, and/or limiting what machines may speak in which ways
with other machines are things that may be configured, even without
use of a CA - and doing these does not mean a "management tool"
will only be used the right way by the right person.
>
>
> 2) A client machine accesses a browser connecting to a third-party
> application server. Assume text is transmitted in clear text. If I use IPSec
> to encrypt communications, do I need to install the Certificate authority ?
>
If by browser you mean web use, then this only requires that the
webserver have a cert from a recognized cert authority so that the
web traffic can be https (use SSL). If the third-party server is not
yours then this means they need to do this, using a cert authority
your browser will recognize. For an in-house use one certainly
can use one's own PKI to provide the needed certs - but having
any party other than one's in-house participants involved usually
means use of a public cert authority.
 
Guest

Thank you Roger ! Migration to Win2003 is six months away and the network
team was planning to implement IPSec in our Win2003 domain.
Can you please tell me why I would need two servers to create the
certificate authority then ?

In the item 1 below, the tool in use is a HP server management tool (type of
Insight Management that lets you use certificates). The new manager is
arguing that somebody can "spoof the system and a rogue server could pretend
to be HPManageTool and change our production server's configuration".
Let's see, if the fellow is using strong passwords on administrator accounts
on servers that should protect against that as you mentioned. In addition,
making sure that the users other than administrators are not members of
local administrators on the server is another layer of protection as well
that obviously we have in place.
If you can explain if Kerberos can also protect against such "spoofing"
described in the scenario above, please let me know.
If I understand one of your comments correctly, regarding the "secure
channels" between Windows server machines, I attempted to configure that in
the past in Group Policies and I was told by MS support that was a good game
plan to wait until migration to Win2003, since those features have been
enhanced.

Regarding providing "encryption" against people that can use a sniffer to
decode packets across our internal network, my answer would be that we are
planning to deploy IPSec after migrating to Win2003 and that should provide
encryption across the domain. I am wondering if by deploying IPSec and
providing data encryption, it would still be viable and necessary to put a PKI
infrastructure in place ?





 
Guest

You can use IPsec with or without certs from your PKI.
It just depends on how you want/need to define it. If you
base it on Kerberos you pretty much limit hard binding
negotiations to your AD machines or those trusting the
realm. It is generally advised that your root CA be kept
secured, in an offline state, with a subordinate used for
daily operation. Hence the extra machine.
With the Compaq / HP management systems there are
effectively two flavors - with and without the hardware
card which has its own net wire. Without, then you can
subject all traffic to IPsec. With bypasses the OS and
you have a different set of considerations. There have
been security patches for the apps, which I guess means
that like any net-visible application you are better off
with its accessibility protectively layered.

--
Roger Abell

 
Guest

Well, there are multiple considerations for IPsec.

Whether you use Kerberos or Certificates, you need to understand that
"trust" is defined as the ability to authenticate with IKE; once you're
AuthN'd you're treated equally. The exception to this is that you can
further segment machines into groups (or zones if you will) but each
grouping that would be treated "different" would require a separate root CA.
This is because IPsec consumes the root CA as the trust boundary (much as a
trust relationship or authN within a domain is the trust boundary for Kerb).
You can't, for example, constrain the use of certificates for IPsec authN to
a specific OID, or implement EKU to delineate what certs are IPsec specific
and what are not.


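An added lab sketch, not posted by anyone in this thread, of two points from the replies above: the root CA kept apart from a subordinate that does the daily issuing, and the root CA acting as the trust boundary regardless of EKU. It uses the OpenSSL CLI as a stand-in path validator (an assumption; it is not the Windows IPsec implementation), and every CA and host name in it is constructed.

```shell
#!/bin/sh
# Constructed lab PKI; every name here (ZoneA-Root, srv-ike, ...) is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ike]
# id-kp-ipsecIKE (RFC 4945)
extendedKeyUsage = 1.3.6.1.5.5.7.3.17
[web]
extendedKeyUsage = serverAuth
EOF

# make_root NAME: self-signed root, the CA that would be kept offline.
make_root() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions ca \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME PARENT SECTION: new key and cert for NAME, signed by PARENT,
# with the extensions from SECTION of pki.cnf.
issue() {
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -days 30 \
    -extfile "$WORK/pki.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# chains_to ROOT SUB LEAF: path validation only, anchored at ROOT.
# This models a peer whose only question is "does it chain to my root?".
chains_to() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
    "$WORK/$3.pem" >/dev/null 2>&1
}

# passes_tls_server_eku ROOT SUB LEAF: same path check plus an EKU test,
# included only to show that the two zone A leaf certs really differ.
passes_tls_server_eku() {
  openssl verify -purpose sslserver -CAfile "$WORK/$1.pem" \
    -untrusted "$WORK/$2.pem" "$WORK/$3.pem" >/dev/null 2>&1
}

# Zone A: root -> issuing subordinate -> two leaves with different EKUs.
make_root ZoneA-Root
issue ZoneA-Sub ZoneA-Root ca
issue srv-ike ZoneA-Sub ike
issue srv-web ZoneA-Sub web
# Zone B: a separate root, the only way to get a separate trust boundary.
make_root ZoneB-Root
issue ZoneB-Sub ZoneB-Root ca
issue srv-other ZoneB-Sub ike

report() { if "$@"; then echo "accept: $*"; else echo "reject: $*"; fi; }
report chains_to ZoneA-Root ZoneA-Sub srv-ike
report chains_to ZoneA-Root ZoneA-Sub srv-web
report chains_to ZoneA-Root ZoneB-Sub srv-other
report passes_tls_server_eku ZoneA-Root ZoneA-Sub srv-web
report passes_tls_server_eku ZoneA-Root ZoneA-Sub srv-ike
```

Both zone A leaves pass the chain-only check even though their EKUs differ, so the usable knob for treating a group of machines differently is which root the peer anchors on.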