Isolation of the Root CA

Archived from groups: microsoft.public.win2000.security (More info?)

Trying to follow the "Step-by-Step Guide to Setting up a Certification
Authority".

One major thing I can't seem to grasp is the installation of the Root CA.
As I understand, the Root CA should NEVER be connected to a network. Is the
same true for an Enterprise Root CA?

If so, how can you connect the server to a domain, and have it register
itself as a Root CA without connecting it to a network?

If not, can the Enterprise Root CA provide the same level of security as a
Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
you ensure that top level of trust isn't compromised?
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Michael,

    Good question. The *NEVER* is a bit too explicit. As you rightly state,
    taking the root CA offline prevents the compromise of the top hierarchy of
    your PKI. However, this doesn't mean that the root CA is never attached to
    the network. It just means that you assign subordinates to do the majority
    of the work by assigned roles, and that the root CA is on the network no
    longer than necessary to greatly reduce the possibility of compromise.

    You will have to attach the root CA for the following functions:

    * Publishing CRLs
    * Creating subordinate CAs

    Also, a machine that is a member of a domain may encounter problems
    (specifically secure channel errors) when trying to bring it back online
    after being offline for a period of time. Hence, a standalone should never
    be a member of a domain.

    As to the Enterprise Root CA, this type of root is designed to be an online
    element. Because of the need to use the templates for CA creation and that
    the certificates are published to Active Directory, an Enterprise Root CA
    can't be an offline CA. This is a function that is reserved for only the
    standalone Root.

    Hope this helps....

    --
    Rick Kingslan CISSP, MCSE, MCSA, MCT
    Microsoft MVP
    Windows Server / Directory Services
    Windows Security
    Associate Expert
    Expert Zone - www.microsoft.com/windowsxp/expertzone


    "Michael Shire" <Michael Shire@discussions.microsoft.com> wrote in message
    news:EABEAF36-B4C5-4FEB-8152-B5BD071C1CEF@microsoft.com...
    > Trying to follow the "Step-by-Step Guide to Setting up a Certification
    > Authority".
    >
    > One major thing I can't seem to grasp is the installation of the Root CA.
    > As I understand, the Root CA should NEVER be connected to a network. Is
    > the
    > same true for an Enterprise Root CA?
    >
    > If so, how can you connect the server to a domain, and have it register
    > itself as a Root CA without connecting it to a network?
    >
    > If not, can the Enterprise Root CA provide the same level of security as a
    > Stand Alone Root CA? If the Enterprise Root CA is on the network, how can
    > you ensure that top level of trust isn't compromised?
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    A lot has to do with the complexity of your network and your security needs.
    If you run a network that is going to have a three tier hierarchy of
    Certificate Authorities with maybe six or eight issuing CAs for various
    tasks that are going to issue thousands of certificates then it makes sense
    to secure the CAs that only issue certificates to other CAs to minimize
    the damage that can be done to the PKI.

    However many, many smaller networks are going to use PKI to issue some
    certificates for l2tp, an internal web server, email, or maybe a certificate
    for IAS server to use for 802.1X wireless with PEAP. In such cases a single
    CA may make sense. You have to ask yourself what would happen if my CA was
    compromised and it could no longer be trusted. Would it be an
    inconvenience, major hassle, or a catastrophe risking highly confidential
    data causing possible loss of customers/revenue. Only you can answer that
    question. If your needs are modest goals to improve security it [in my
    opinion] probably does not make sense to have an offline CA and then one
    issuing CA.

    An Enterprise CA can not be an offline CA. You would have to start with a
    standalone root CA and use it to issue a certificate for an Enterprise CA
    subordinate. You would have to add alternate locations for the CRL and CA
    certificate before you use it to issue any certificates. The offline CA
    could always be offline and certificate requests and CRLs be copied to and
    from floppy disk or it could be put online just as long as it takes to issue
    the certificates for subordinate CAs. The link below explains more.

    http://support.microsoft.com/?kbid=271386

    If you feel a single Enterprise CA would work for you there are steps you
    can take to secure it. First make sure it is physically secured where only a
    very few trusted users have access to it. Other procedures such as
    physically securing domain controllers, and implementing complex passwords
    are a must. Weak passwords and physical access are still the biggest threats
    to a network/domain/computer. Read the Windows 2003 Security guide and first
    take the steps for a baseline server lockdown and then read the chapter on
    securing a Certificate Authority Server. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
    http://tinyurl.com/dkbu -- same link as above, shorter.


  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Our best practices guides may help provide some additional guidance and
    recommendations:

    Best Practices for implementing Windows Server 2003 PKI:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx


    Microsoft Systems Architecture:
    http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx


    --


    David B. Cross [MS]

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    http://support.microsoft.com

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:xiCnd.120851$R05.15239@attbi_s53...
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <e4jtY0qzEHA.2040@tk2msftngp13.phx.gbl>, in the
    microsoft.public.win2000.security news group, Rick Kingslan [MS MVP]
    <rkingsla.cox.net@127.0.0.1> says...

    > Michael,
    >
    > Good question. The *NEVER* is a bit too explicit.

    Actually, in the case of a standalone root CA, NEVER is _exactly_ the
    correct term here.

    > As you rightly state,
    > taking the root CA offline prevents the compromise of the top hierarchy of
    > your PKI. However, this doesn't mean that the root CA is never attached to
    > the network.

    No, it means that the root CA is _never_ connected to a network.

    > It just means that you assign subordinates to do the majority
    > of the work by assigned roles, and that the root CA is on the network no
    > longer than necessary to greatly reduce the possibility of compromise.
    >
    > You will have to attach the root CA for the following functions:
    >
    > * Publishing CRLs
    > * Creating subordinate CAs

    This is simply not true. Again, in the case of a standalone root CA,
    there is _never_ a need to attach it to a network. Publishing CRLs and
    creating additional subordinate CAs should all be done via sneakernet,
    with the requisite files being moved from system to system via some sort
    of removable media.

    >
    <snip>

    <snip>

    --
    Paul Adare
    "On two occasions, I have been asked [by members of Parliament],
    'Pray, Mr. Babbage, if you put into the machine wrong figures,
    will the right answers come out?' I am not able to rightly apprehend
    the kind of confusion of ideas that could provoke such a question."
    -- Charles Babbage (1791-1871)
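    The offline-root workflow that Steve's reply outlines (set the CRL and CA
    certificate locations before the root issues anything, keep the root off the
    wire, move requests and CRLs on removable media) and that Paul's reply
    insists on (everything via sneakernet), written out as an added PowerShell
    example. This is not code from the thread or from Microsoft; it only uses
    documented certutil verbs. The CA name, the http://pki.example.com location,
    the IIS share, the D:\Transfer media path, the SubCA.req file name and the
    parsing of certutil's dump output are all assumptions for illustration.

```powershell
# Added example (not from the thread): offline standalone root with a
# sneakernet handoff to an online enterprise subordinate.
# All names, URLs and paths below are hypothetical placeholders.

# ---------- On the OFFLINE standalone root (never domain-joined) ----------
$HttpBase = 'http://pki.example.com/CertEnroll'   # assumed web location for CDP/AIA
$Transfer = 'D:\Transfer'                         # assumed removable media

# CDP/AIA must point at locations the *online* world can reach before the
# root signs anything, otherwise every issued cert carries a dead pointer.
# certutil syntax: "\n" separates entries; flag 1 = publish the file to this
# path, 2 = put the URL into issued certificates' CDP/AIA extension.
# %3 = CA name, %8/%9 = CRL name suffixes, %1 = server DNS name, %4 = cert suffix.
# (Single % is used because PowerShell, unlike cmd.exe, does not expand %%.)
certutil -setreg CA\CRLPublicationURLs ("1:$env:windir\System32\CertSrv\CertEnroll\%3%8%9.crl" +
    "\n2:$HttpBase/%3%8%9.crl")
certutil -setreg CA\CACertPublicationURLs "2:$HttpBase/%1_%3%4.crt"

# Long base CRL lifetime plus an overlap window, so the offline box only has
# to be powered on a few times a year; delta CRLs make no sense offline.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Lifetime of the subordinate CA certificates this root issues.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc

# Publish a fresh CRL and stage root cert + CRL on the removable media.
certutil -crl
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crl" $Transfer
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crt" $Transfer

# Sign the subordinate's request that was carried over on the same media.
# A standalone CA leaves requests pending by default: -submit prints the
# RequestId, which is then approved with -resubmit and fetched with -retrieve.
$out   = certutil -submit "$Transfer\SubCA.req"
$reqId = [int](($out | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value)
certutil -resubmit $reqId
certutil -retrieve $reqId "$Transfer\SubCA.cer"

# ---------- On a DOMAIN-JOINED machine (run as Enterprise Admin) ----------
# The same media travels the other way; nothing here touches the root box.
$RootCrt = Get-ChildItem "$Transfer\*.crt" | Select-Object -First 1
$RootCrl = Get-ChildItem "$Transfer\*.crl" | Select-Object -First 1

# Publish the root into AD so domain members trust it through Group Policy,
# and publish its CRL so LDAP-based revocation checks work alongside HTTP.
certutil -dspublish -f $RootCrt.FullName RootCA
certutil -dspublish -f $RootCrl.FullName

# Also drop both files where the HTTP CDP/AIA URLs above resolve
# (assumed here to be an IIS share on pki.example.com).
Copy-Item $RootCrt.FullName, $RootCrl.FullName '\\pki.example.com\CertEnroll\'

# Install the signed certificate on the enterprise subordinate itself:
#   certutil -installcert "$Transfer\SubCA.cer"; Restart-Service certsvc

# Checks: the chain must build and every CDP/AIA URL must fetch, and the root
# CRL must not be near its NextUpdate (an expired root CRL halts revocation
# checking for everything beneath it). The parse assumes certutil -dump
# labels the field "NextUpdate:".
certutil -verify -urlfetch "$Transfer\SubCA.cer"
$nextUpdate = [datetime]::Parse(
    (certutil -dump $RootCrl.FullName | Select-String 'NextUpdate:\s*(.+)$').Matches[0].Groups[1].Value)
$daysLeft = ($nextUpdate - (Get-Date)).Days
if ($daysLeft -lt 14) {
    Write-Warning "Root CRL expires in $daysLeft days: bring the root up and run certutil -crl."
}
```

    The order matters: the publication URLs and the CRL period are set on the
    root before it signs the subordinate, because those values are baked into
    the subordinate's certificate and cannot be corrected afterwards without
    reissuing it. The last check is the one worth scheduling; a forgotten
    root CRL is the usual way an offline root takes an otherwise healthy PKI
    down.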
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    If you want to put your Enterprise CA behind a firewall, is there a best
    practice article on that? Or can you follow some of the moving MSRPC to
    static mode references.

    Thanks,
    Perry

  6. Archived from groups: microsoft.public.win2000.security (More info?)

    We have a little guidance in this paper:


    Windows Server 2003 web enrollment and troubleshooting guide:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx


    --
    David B. Cross [MS]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Top Whitepapers:

    Auto-enrollment whitepaper:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
    Best Practices for implementing Windows Server 2003 PKI:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
    Troubleshooting Certificate Status and Revocation whitepaper:
    http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
    Windows Server 2003 web enrollment and troubleshooting guide:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

    "Perry" <Perry@discussions.microsoft.com> wrote in message
    news:0D443847-849A-4594-92E1-5A26D05CFCEE@microsoft.com...