Sign in with
Sign up | Sign in
Your question

Isolation of the Root CA

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
November 19, 2004 3:17:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Trying to follow the "Step-by-Step Guide to Setting up a Certification
Authority".

One major thing I can't seem to grasp is the installation of the Root CA.
As I understand, the Root CA should NEVER be connected to a network. Is the
same true for an Enterprise Root CA?

If so, how can you connect the server to a domain, and have it register
itself as a Root CA without connecting it to a network?

If not, can the Enterprise Root CA provide the same level of security as a
Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
you ensure that top level of trust isn't compromised?

More about : isolation root

Anonymous
a b 8 Security
November 20, 2004 12:00:28 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Michael,

Good question. The *NEVER* is a bit too explicit. As you rightly state,
taking the root CA offline prevents the compromise of the top hierarchy of
your PKI. However, this doesn't mean that the root CAQ is never attached to
the network. It just means that you assign subordinates to do the majority
of the work by assigned roles, and that the root CA is on the network no
longer than necessary to greatly reduce the possibility of compromise.

You will have to attach the root CA for the following functions:

* Publishing CRLs
* Creating subordinate CAs

Also, a machine that is a member of a domain may encounter problems
(specifically secure channel errors) when trying to bring it back online
after being offline for a period of time. Hence, a standalone should never
be a member of a domain.

As to the Enterprise Root CA, this type of root is designed to be an online
element. Because of the need to use the templates for CA creation and that
the certificates are published to Active Directory, an Enterprise Root CA
can't be an offline CA. This is a function that is reserved for only the
standalone Root.

Hope the helps....

--
Rick Kingslan CISSP, MCSE, MCSA, MCT
Microsoft MVP
Windows Server / Directory Services
Windows Security
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


"Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
> Trying to follow the "Step-by-Step Guide to Setting up a Certification
> Authority".
>
> One major thing I can't seem to grasp is the installation of the Root CA.
> As I understand, the Root CA should NEVER be connected to a network. Is
> the
> same true for an Enterprise Root CA?
>
> If so, how can you connect the server to a domain, and have it register
> itself as a Root CA without connecting it to a network?
>
> If not, can the Enterprise Root CA provide the same level of security as a
> Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
> you ensure that top level of trust isn't compromised?
Anonymous
a b 8 Security
November 20, 2004 10:24:13 AM

Archived from groups: microsoft.public.win2000.security (More info?)

A lot has to do with the complexity of your network and your security needs.
If you run a network that is going to have a three tier hierarchy of
Certificate Authorities with maybe six or eight issuing CA's for various
tasks that are going to issue thousands of certificates then it makes sense
to secure the CA's that only issue certificates to other CA's to minimize
the damage that can be done to the PKI.

However many, many smaller networks are going to use PKI to issue some
certificates for l2tp, an internal web server, email, or maybe a certificate
for IAS server to use for 802.1X wireless with PEAP. In such cases a single
CA may make sense. You have to ask yourself what would happen if my CA was
compromised and it could not longer be trusted. Would it be an
inconvenience, major hassle, or a catastrophe risking highly confidential
data causing possible loss of customers/revenue. Only you can answer that
question. If your needs are modest goals to improve security it [in my
opinion] probably does not make sense to have an offline CA and then one
issuing CA.

An Enterprise CA can not be an offline CA. You would have to start with a
standalone root CA and use it to issue a certificate for an Enterprise CA
subordinate. You would have to add alternate locations for the CRL and CA
certificate before you use it to issue any certificates. The offline CA
could always be offline and certificate requests and CRL's be copied to and
from floppy disk or it could be put online just as long as it takes to issue
the certificates for subordinate CA's. The link below explains more.

http://support.microsoft.com/?kbid=271386

If you feel a single Enterprise CA would work for you there are steps you
can take to secure it. First make sure it is physically secured where only a
very few trusted users have access to it. Other procedures such as
physically securing domain controllers, and implementing complex passwords
are a must. Weak passwords and physical access are still the biggest threats
to a network/domain/computer. Read the Windows 2003 Security guide and first
take the steps for a baseline server lockdown and then read the chapter on
securing a Certificate Authority Server. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyI...
http://tinyurl.com/dkbu -- same link as above, shorter.


"Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
> Trying to follow the "Step-by-Step Guide to Setting up a Certification
> Authority".
>
> One major thing I can't seem to grasp is the installation of the Root CA.
> As I understand, the Root CA should NEVER be connected to a network. Is
> the
> same true for an Enterprise Root CA?
>
> If so, how can you connect the server to a domain, and have it register
> itself as a Root CA without connecting it to a network?
>
> If not, can the Enterprise Root CA provide the same level of security as a
> Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
> you ensure that top level of trust isn't compromised?
Related resources
Anonymous
a b 8 Security
November 20, 2004 5:55:25 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Our best practices guides may help provide some additional guidance and
recommendations:

Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsser...



Microsoft Systems Architecture:
http://www.microsoft.com/resources/documentation/msa/2/...



--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:xiCnd.120851$R05.15239@attbi_s53...
>A lot has to do with the complexity of your network and your security
>needs. If you run a network that is going to have a three tier hierarchy of
>Certificate Authorities with maybe six or eight issuing CA's for various
>tasks that are going to issue thousands of certificates then it makes sense
>to secure the CA's that only issue certificates to other CA's to minimize
>the damage that can be done to the PKI.
>
> However many, many smaller networks are going to use PKI to issue some
> certificates for l2tp, an internal web server, email, or maybe a
> certificate for IAS server to use for 802.1X wireless with PEAP. In such
> cases a single CA may make sense. You have to ask yourself what would
> happen if my CA was compromised and it could not longer be trusted. Would
> it be an inconvenience, major hassle, or a catastrophe risking highly
> confidential data causing possible loss of customers/revenue. Only you can
> answer that question. If your needs are modest goals to improve security
> it [in my opinion] probably does not make sense to have an offline CA and
> then one issuing CA.
>
> An Enterprise CA can not be an offline CA. You would have to start with a
> standalone root CA and use it to issue a certificate for an Enterprise CA
> subordinate. You would have to add alternate locations for the CRL and CA
> certificate before you use it to issue any certificates. The offline CA
> could always be offline and certificate requests and CRL's be copied to
> and from floppy disk or it could be put online just as long as it takes to
> issue the certificates for subordinate CA's. The link below explains more.
>
> http://support.microsoft.com/?kbid=271386
>
> If you feel a single Enterprise CA would work for you there are steps you
> can take to secure it. First make sure it is physically secured where only
> a very few trusted users have access to it. Other procedures such as
> physically securing domain controllers, and implementing complex passwords
> are a must. Weak passwords and physical access are still the biggest
> threats to a network/domain/computer. Read the Windows 2003 Security guide
> and first take the steps for a baseline server lockdown and then read the
> chapter on securing a Certificate Authority Server. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
> http://tinyurl.com/dkbu -- same link as above, shorter.
>
>
> "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
> news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
>> Trying to follow the "Step-by-Step Guide to Setting up a Certification
>> Authority".
>>
>> One major thing I can't seem to grasp is the installation of the Root CA.
>> As I understand, the Root CA should NEVER be connected to a network. Is
>> the
>> same true for an Enterprise Root CA?
>>
>> If so, how can you connect the server to a domain, and have it register
>> itself as a Root CA without connecting it to a network?
>>
>> If not, can the Enterprise Root CA provide the same level of security as
>> a
>> Stand Alone Root CA? If the Enterprise Root CA is on the network, how
>> can
>> you ensure that top level of trust isn't compromised?
>
>
Anonymous
a b 8 Security
November 22, 2004 4:53:31 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <e4jtY0qzEHA.2040@tk2msftngp13.phx.gbl>, in the
microsoft.public.win2000.security news group, Rick Kingslan [MS MVP]
<rkingsla.cox.net@127.0.0.1> says...

> Michael,
>
> Good question. The *NEVER* is a bit too explicit.

Actually, in the case of a standalone root CA, NEVER is _exactly_ the
correct term here.

> As you rightly state,
> taking the root CA offline prevents the compromise of the top hierarchy of
> your PKI. However, this doesn't mean that the root CAQ is never attached to
> the network.

No, it means that the root CA is _never_ connected to a network.

> It just means that you assign subordinates to do the majority
> of the work by assigned roles, and that the root CA is on the network no
> longer than necessary to greatly reduce the possibility of compromise.
>
> You will have to attach the root CA for the following functions:
>
> * Publishing CRLs
> * Creating subordinate CAs

This is simply not true. Again, in the case of a standalone root CA,
there is _never_ a need to attach it to a network. Publishing CRLs and
creating additional subordinate CAs should all be done via sneakernet,
with the requisite files being moved from system to system via some sort
of removable media.

>
<snip>

<snip<

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
Anonymous
a b 8 Security
November 24, 2004 6:23:07 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you want to put your Enterprise CA behind a firewall, is there a best
practice article on that? Or can you follow some of the moving MSRPC to
static mode references.

Thanks,
Perry

"David Cross [MS]" wrote:

> Our best practices guides may help provide some additional guidance and
> recommendations:
>
> Best Practices for implementing Windows Server 2003 PKI:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
>
>
> Microsoft Systems Architecture:
> http://www.microsoft.com/resources/documentation/msa/2/...
>
>
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:xiCnd.120851$R05.15239@attbi_s53...
> >A lot has to do with the complexity of your network and your security
> >needs. If you run a network that is going to have a three tier hierarchy of
> >Certificate Authorities with maybe six or eight issuing CA's for various
> >tasks that are going to issue thousands of certificates then it makes sense
> >to secure the CA's that only issue certificates to other CA's to minimize
> >the damage that can be done to the PKI.
> >
> > However many, many smaller networks are going to use PKI to issue some
> > certificates for l2tp, an internal web server, email, or maybe a
> > certificate for IAS server to use for 802.1X wireless with PEAP. In such
> > cases a single CA may make sense. You have to ask yourself what would
> > happen if my CA was compromised and it could not longer be trusted. Would
> > it be an inconvenience, major hassle, or a catastrophe risking highly
> > confidential data causing possible loss of customers/revenue. Only you can
> > answer that question. If your needs are modest goals to improve security
> > it [in my opinion] probably does not make sense to have an offline CA and
> > then one issuing CA.
> >
> > An Enterprise CA can not be an offline CA. You would have to start with a
> > standalone root CA and use it to issue a certificate for an Enterprise CA
> > subordinate. You would have to add alternate locations for the CRL and CA
> > certificate before you use it to issue any certificates. The offline CA
> > could always be offline and certificate requests and CRL's be copied to
> > and from floppy disk or it could be put online just as long as it takes to
> > issue the certificates for subordinate CA's. The link below explains more.
> >
> > http://support.microsoft.com/?kbid=271386
> >
> > If you feel a single Enterprise CA would work for you there are steps you
> > can take to secure it. First make sure it is physically secured where only
> > a very few trusted users have access to it. Other procedures such as
> > physically securing domain controllers, and implementing complex passwords
> > are a must. Weak passwords and physical access are still the biggest
> > threats to a network/domain/computer. Read the Windows 2003 Security guide
> > and first take the steps for a baseline server lockdown and then read the
> > chapter on securing a Certificate Authority Server. --- Steve
> >
> > http://www.microsoft.com/downloads/details.aspx?FamilyI...
> > http://tinyurl.com/dkbu -- same link as above, shorter.
> >
> >
> > "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
> > news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
> >> Trying to follow the "Step-by-Step Guide to Setting up a Certification
> >> Authority".
> >>
> >> One major thing I can't seem to grasp is the installation of the Root CA.
> >> As I understand, the Root CA should NEVER be connected to a network. Is
> >> the
> >> same true for an Enterprise Root CA?
> >>
> >> If so, how can you connect the server to a domain, and have it register
> >> itself as a Root CA without connecting it to a network?
> >>
> >> If not, can the Enterprise Root CA provide the same level of security as
> >> a
> >> Stand Alone Root CA? If the Enterprise Root CA is on the network, how
> >> can
> >> you ensure that top level of trust isn't compromised?
> >
> >
>
>
>
Anonymous
a b 8 Security
December 2, 2004 8:13:06 AM

Archived from groups: microsoft.public.win2000.security (More info?)

we have a little guidance in this paper:


Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsser...


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto...
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsser...
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsser...

"Perry" <Perry@discussions.microsoft.com> wrote in message
news:0D443847-849A-4594-92E1-5A26D05CFCEE@microsoft.com...
> If you want to put your Enterprise CA behind a firewall, is there a best
> practice article on that? Or can you follow some of the moving MSRPC to
> static mode references.
>
> Thanks,
> Perry
>
> "David Cross [MS]" wrote:
>
>> Our best practices guides may help provide some additional guidance and
>> recommendations:
>>
>> Best Practices for implementing Windows Server 2003 PKI:
>> http://www.microsoft.com/technet/prodtechnol/windowsser...
>>
>>
>>
>> Microsoft Systems Architecture:
>> http://www.microsoft.com/resources/documentation/msa/2/...
>>
>>
>>
>> --
>>
>>
>> David B. Cross [MS]
>>
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> http://support.microsoft.com
>>
>> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> news:xiCnd.120851$R05.15239@attbi_s53...
>> >A lot has to do with the complexity of your network and your security
>> >needs. If you run a network that is going to have a three tier hierarchy
>> >of
>> >Certificate Authorities with maybe six or eight issuing CA's for various
>> >tasks that are going to issue thousands of certificates then it makes
>> >sense
>> >to secure the CA's that only issue certificates to other CA's to
>> >minimize
>> >the damage that can be done to the PKI.
>> >
>> > However many, many smaller networks are going to use PKI to issue some
>> > certificates for l2tp, an internal web server, email, or maybe a
>> > certificate for IAS server to use for 802.1X wireless with PEAP. In
>> > such
>> > cases a single CA may make sense. You have to ask yourself what would
>> > happen if my CA was compromised and it could not longer be trusted.
>> > Would
>> > it be an inconvenience, major hassle, or a catastrophe risking highly
>> > confidential data causing possible loss of customers/revenue. Only you
>> > can
>> > answer that question. If your needs are modest goals to improve
>> > security
>> > it [in my opinion] probably does not make sense to have an offline CA
>> > and
>> > then one issuing CA.
>> >
>> > An Enterprise CA can not be an offline CA. You would have to start with
>> > a
>> > standalone root CA and use it to issue a certificate for an Enterprise
>> > CA
>> > subordinate. You would have to add alternate locations for the CRL and
>> > CA
>> > certificate before you use it to issue any certificates. The offline CA
>> > could always be offline and certificate requests and CRL's be copied to
>> > and from floppy disk or it could be put online just as long as it takes
>> > to
>> > issue the certificates for subordinate CA's. The link below explains
>> > more.
>> >
>> > http://support.microsoft.com/?kbid=271386
>> >
>> > If you feel a single Enterprise CA would work for you there are steps
>> > you
>> > can take to secure it. First make sure it is physically secured where
>> > only
>> > a very few trusted users have access to it. Other procedures such as
>> > physically securing domain controllers, and implementing complex
>> > passwords
>> > are a must. Weak passwords and physical access are still the biggest
>> > threats to a network/domain/computer. Read the Windows 2003 Security
>> > guide
>> > and first take the steps for a baseline server lockdown and then read
>> > the
>> > chapter on securing a Certificate Authority Server. --- Steve
>> >
>> > http://www.microsoft.com/downloads/details.aspx?FamilyI...
>> > http://tinyurl.com/dkbu -- same link as above, shorter.
>> >
>> >
>> > "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in
>> > message
>> > news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
>> >> Trying to follow the "Step-by-Step Guide to Setting up a Certification
>> >> Authority".
>> >>
>> >> One major thing I can't seem to grasp is the installation of the Root
>> >> CA.
>> >> As I understand, the Root CA should NEVER be connected to a network.
>> >> Is
>> >> the
>> >> same true for an Enterprise Root CA?
>> >>
>> >> If so, how can you connect the server to a domain, and have it
>> >> register
>> >> itself as a Root CA without connecting it to a network?
>> >>
>> >> If not, can the Enterprise Root CA provide the same level of security
>> >> as
>> >> a
>> >> Stand Alone Root CA? If the Enterprise Root CA is on the network, how
>> >> can
>> >> you ensure that top level of trust isn't compromised?
>> >
>> >
>>
>>
>>
!