Module 6
Implementing AD CS
Module Overview
• Using Certificates in a Business Environment
• PKI Overview
• Deploying CAs
• Deploying and Managing Certificate Templates
• Implementing Certificate Distribution and
Revocation
• Managing Certificate Recovery
Lesson 1: Using Certificates in a Business
Environment
• Using Certificates for SSL
• Using Certificates for Digital Signatures
• Demonstration: Signing a Document Digitally
• Using Certificates for Content Encryption
• Using Certificates for Authentication
Using Certificates for SSL
• The purpose of securing a connection with SSL is to
protect data during communication
• For SSL, a certificate must be installed on the server
• Be aware of trust issues
• SSL works in the following steps:
1. The user types an HTTPS URL
2. The web server sends its SSL certificate
3. The client performs a check of the server certificate
4. The client generates a symmetric encryption key
5. The client encrypts this key with the server’s public key
6. The server uses its private key to decrypt the encrypted
symmetric key
• Make sure that you configure the SSL certificate properly
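The following is an added example, not part of the course slides: it runs the client side of the handshake the slide lists and makes step 3 (the client's check of the server certificate) and the "trust issues" bullet visible, by building the chain with revocation checking and comparing the URL host against the certificate names. The hostname is a placeholder; everything else uses .NET classes available on Windows Server 2012.

```powershell
# Added example (not from the course slides): connect to an HTTPS server, take the
# certificate it presents (step 2) and report the trust check a client performs (step 3).
# HostName is a placeholder for an internal site.
function Test-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)

    # Accept the handshake unconditionally here; the chain is checked explicitly
    # below so the function can REPORT why trust fails instead of just throwing.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        # Steps 1-2 and 4-6 of the slide happen inside AuthenticateAsClient: the
        # server presents its certificate and the session key is negotiated.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Step 3, done explicitly: build the chain to a trusted root, checking revocation online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)

        # Name check: the URL host must appear in the CN or the Subject Alternative Name
        # (OID 2.5.29.17); otherwise the certificate protects something else.
        $dnsNames = @($cert.GetNameInfo('DnsName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $dnsNames += ($san.Format($false) -split ', ') -replace '^DNS Name=' }
        $nameOk = $dnsNames -contains $HostName   # wildcard names are not handled here

        [pscustomobject]@{
            Host            = $HostName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            Expires         = $cert.NotAfter
            Protocol        = $ssl.SslProtocol
            ChainTrusted    = $chainOk
            ChainStatus     = ($chain.ChainStatus | ForEach-Object Status) -join ','
            HostNameMatches = $nameOk
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-ServerCertificate -HostName 'lon-svr1.adatum.com'   # placeholder host
# ChainTrusted=False with ChainStatus=UntrustedRoot is the classic trust issue: the
# client does not have the issuing root CA in its Trusted Root Certification Authorities store.
```

A `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` means the client could not reach the CDP or OCSP location named in the certificate, which is the failure mode to look for when an internal CA's revocation information is published only to AD DS and the client is not domain-joined.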
Using Certificates for Digital Signatures
• Digital signatures ensure:
• Content is not modified during transport
• The identity of the author is verifiable
• Digital signatures work in the following steps:
1. When an author digitally signs a document or a message, the
operating system on his or her machine creates a message
cryptographic digest
2. The cryptographic digest is then encrypted by using the author’s
private key and added to the end of the document or message
3. The recipient uses the author’s public key to decrypt the
cryptographic digest and compare it to the cryptographic digest
created on the recipient’s machine
• Users need to have a certificate based on a User template
to use digital signatures
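The three signing steps above, as an added example that is not part of the course slides: the document is digested, the digest is signed with the author's private key, and the recipient recomputes the digest and checks it with the author's public key. It assumes a certificate in the user's personal store issued from the User template (whose key lives in a CSP) and that the CSP supports SHA-256, for example "Microsoft Enhanced RSA and AES Cryptographic Provider"; the file path is a placeholder.

```powershell
# Added example (not from the course slides): sign a document with a user certificate
# and verify it the way a recipient would. Path and EKU filter are assumptions.

function Protect-DocumentSignature {
    param([string]$Path, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $bytes = [IO.File]::ReadAllBytes($Path)
    # Step 1 + 2: digest the document with SHA-256 and encrypt the digest with the private key.
    $signature = $Certificate.PrivateKey.SignData($bytes, 'SHA256')
    [IO.File]::WriteAllBytes("$Path.sig", $signature)
    # Ship the signer's public certificate next to the file so any recipient can verify.
    Export-Certificate -Cert $Certificate -FilePath "$Path.signer.cer" | Out-Null
}

function Test-DocumentSignature {
    param([string]$Path)
    $bytes  = [IO.File]::ReadAllBytes($Path)
    $sig    = [IO.File]::ReadAllBytes("$Path.sig")
    $signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$Path.signer.cer")
    # Step 3: recompute the digest locally and compare it with the decrypted one.
    $valid = $signer.PublicKey.Key.VerifyData($bytes, 'SHA256', $sig)
    # The signature math alone does not say WHO signed; the signer must chain to a CA you trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $trusted = $chain.Build($signer)
    [pscustomobject]@{
        Signer         = $signer.Subject
        SignatureValid = $valid
        SignerTrusted  = $trusted
        ChainStatus    = ($chain.ChainStatus | ForEach-Object Status) -join ','
    }
}

# Usage: pick a certificate issued to the current user that carries the Secure Email EKU
# (the User template includes it), sign, then verify.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.FriendlyName -contains 'Secure Email' } |
    Select-Object -First 1
Protect-DocumentSignature -Path 'C:\Docs\contract.txt' -Certificate $cert   # placeholder path
Test-DocumentSignature -Path 'C:\Docs\contract.txt'      # SignatureValid: True

# Any change after signing breaks the digest comparison:
Add-Content -Path 'C:\Docs\contract.txt' -Value ' '
Test-DocumentSignature -Path 'C:\Docs\contract.txt'      # SignatureValid: False
```

`SignerTrusted` is the part most home-grown verification code forgets: a signature that verifies against an untrusted or revoked certificate proves only that someone holding that key signed the file, not that the named author did.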
Demonstration: Signing a Document Digitally
In this demonstration, your instructor will show you
how to digitally sign a document in Microsoft Word
Using Certificates for Content Encryption
• Encryption protects data from unauthorized access
• EFS uses certificates for file encryption
• To send an encrypted message, you must possess the recipient’s public key
Diagram: layout of an EFS-encrypted file. The header carries the Data Recovery Fields, each holding a copy of the file encryption key: one encrypted with the file owner’s public key, one encrypted with the public key of Recovery agent 1, one encrypted with the public key of Recovery agent 2 (optional), and so on. The body of the file holds the Encrypted Data.
Using Certificates for Authentication
You can use certificates for user and device
authentication, and in network and application
access scenarios such as:
• L2TP/IPsec VPN
• EAP-TLS
• PEAP
• NAP with IPsec
• Outlook Web App
• Mobile device authentication
Lesson 2: PKI Overview
• What Is PKI?
• Components of a PKI Solution
• What Are CAs?
• Overview of the AD CS Server Role in Windows
Server 2012
• New Features of AD CS in Windows Server 2012
• Public vs. Private CAs
• What Is a Cross-Certification Hierarchy?
What Is PKI?
PKI:
• Is a standard approach to security-based tools,
technologies, processes, and services that are used to
enhance the security of communications, applications, and
business transactions
• Relies on the exchange of digital certificates between
authenticated users and trusted resources
PKI provides:
• Confidentiality
• Integrity
• Authenticity
• Non-repudiation
Components of a PKI Solution
• CA
• Digital Certificates
• CRLs and Online Responders
• Certificate Templates
• Certificates and CA Management Tools
• AIA and CDPs
• Public Key–Enabled Applications and Services
What Are CAs?
Root CA: issues a self-signed certificate for itself
A CA:
• Verifies the identity of the certificate requestor
• Issues certificates to users, computers, and services
• Manages certificate revocation
Overview of the AD CS Server Role in Windows
Server 2012
AD CS role services:
• CA
• CA Web enrollment
• Online Responder
• NDES
• CES (Certificate Enrollment Web Service, the enrollment proxy)
• CEP (Certificate Enrollment Policy Web Service, the enrollment policy)
New Features of AD CS in Windows Server 2012
• All AD CS role services run on all versions of
Windows Server
• Full integration with Server Manager
• Manageable through Windows PowerShell
• New certificate template version (v4)
• Support for automatic renewal of certificates for
non-domain joined computers
• Enforcement of certificate renewal with the same
key
• Additional security for certificate requests
• Support for Virtual Smart Cards
Public vs. Private CAs
Internal private CAs:
• Require greater administration than external public CAs
• Cost less than external public CAs, and provide greater
control over certificate management
• Are not trusted by external clients by default
• Offer advantages such as customized templates and
autoenrollment
External public CAs:
• Are trusted by many external clients
• Have slower certificate procurement
What Is a Cross-Certification Hierarchy?
Diagram: two cross-certification layouts between Organization 1 and Organization 2, each organization having a Root CA with a Subordinate CA beneath it:
• Cross-Certification at the Root CA Level: the Root CA of each organization cross-certifies the Root CA of the other
• Cross-Certification Subordinate CA to Root CA: a Subordinate CA in one organization is cross-certified with the Root CA of the other
Lesson 3: Deploying CAs
• Options for Implementing CA Hierarchies
• Stand-alone vs. Enterprise CAs
• Considerations for Deploying a Root CA
• Demonstration: Deploying a Root CA
• Considerations for Deploying a Subordinate CA
• How to Use the CAPolicy.inf File for Installation
• Configuring CA Administration and Security
• Configuring CA Policy and Exit Modules
• Demonstration: Configuring CA Properties
• CA Backup and Recovery
Options for Implementing CA Hierarchies
Diagram: options for CA hierarchies:
• Two-Tier Hierarchy: Root CA with Issuing CAs directly beneath it
• Policy CA Usage: Root CA, Policy CA beneath it, Issuing CAs beneath the Policy CA
• Cross-Certification Trust: Root CA, Policy CAs, Issuing CAs, with a cross-certification trust between hierarchies
Stand-alone vs. Enterprise CAs
Stand-alone CAs:
• Must be used if any CA (root/intermediate/policy) is offline, because a stand-alone CA is not joined to an AD DS domain
• Users provide identifying information and specify the type of certificate
• Do not require certificate templates
• All certificate requests are kept pending until administrator approval
Enterprise CAs:
• Require the use of AD DS
• Can use Group Policy to propagate the CA certificate to the trusted root CA certificate store
• Publish user certificates and CRLs to AD DS
• Issue certificates based upon a certificate template
• Support autoenrollment for issuing certificates
Considerations for Deploying a Root CA
• Computer name and domain membership cannot change
• When you plan private key configuration, consider the following:
• CSP
• Key length, with a default of 2,048 bits
• The hash algorithm that is used to sign certificates issued by a CA
• When you plan a root CA, consider the following:
• Name and configuration
• Certificate database and log location
• Validity period
Demonstration: Deploying a Root CA
In this demonstration, you will see how to deploy
an enterprise root CA
Considerations for Deploying a Subordinate CA
Diagram: reasons to deploy subordinate CAs beneath a root CA:
• Certificate uses (RAS, EFS, S/MIME)
• Load balancing
• Locations (India, Canada, USA)
• Organizational divisions (Employee, Contractor, Partner)
How to Use the CAPolicy.inf File for Installation
The CAPolicy.inf file is stored in the %Windir%
folder of the root or subordinate CA, and defines
the following:
• CPS
• Object Identifier
• CRL publication intervals
• CA renewal settings
• Key size
• Certificate validity period
• CDP and AIA paths
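The root CA considerations and the CAPolicy.inf slide above describe one procedure, so here is one added example covering both; it is not part of the course slides. It stages a CAPolicy.inf in %Windir% (the installer reads it once, so it must exist before the role is configured) and then installs an enterprise root CA with the CSP, key length, hash algorithm, name, database and log locations, and validity period the slides list. The CA name, directories, renewal and CRL periods, CPS URL and the policy OID are placeholders for the A. Datum lab; an offline stand-alone root would use `-CAType StandaloneRootCA` instead.

```powershell
# Added example (not from the course slides): CAPolicy.inf first, then the root CA.
# All names, paths, periods and the OID below are placeholder lab values.

# 1. CAPolicy.inf. Empty CDP/AIA sections keep URLs out of the root certificate,
#    which is what you want: nothing ever checks the root for revocation.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=AdatumCPS

[AdatumCPS]
OID=1.3.6.1.4.1.99999.1.1          ; placeholder OID, replace with your organization's
Notice="A. Datum Certification Practice Statement"
URL=http://pki.adatum.com/cps.html ; placeholder CPS URL

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding Ascii

# 2. Role binaries and the management tools (certsrv.msc, certutil, ADCSAdministration module).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 3. Configure the CA. Computer name and domain membership are frozen from this point.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Adatum-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'D:\CertDB' `
    -LogDirectory 'E:\CertLog' `
    -Force

# 4. Confirm that the CAPolicy.inf values were picked up and the CA certificate looks right.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=Adatum-Root-CA*' } |
    Format-List Subject, NotAfter, @{n='SignatureAlgorithm'; e={ $_.SignatureAlgorithm.FriendlyName }}, Thumbprint
```

The step 4 check matters because a CAPolicy.inf with a typo in a section name is silently ignored rather than rejected, and the CA then comes up with the defaults.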
Configuring CA Administration and Security
• You can establish role-based administration for CA
hierarchy by defining the following roles:
• CA administrator
• Certificate manager
• Backup operator
• Auditor
• Enrollees
• You can assign the following permissions on the CA level:
• Read
• Issue and Manage Certificates
• Manage CA
• Request Certificates
• Certificate managers can be restricted to a template
Configuring CA Policy and Exit Modules
• The policy module determines the action that is performed
after the certificate request is received
• The exit module determines what happens with a
certificate after it is issued
• Each CA is configured with default policy and exit modules
• The FIM CM 2010 deploys custom policy and exit modules
• The exit module can send email or publish a certificate to a
file system
• You have to use certutil to specify these settings, as they
are not available in the CA administrator console
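An added example for the two slides above (role-based administration, and policy/exit modules); it is not part of the course slides. It enforces role separation, turns on CA auditing, and uses certutil to read the active policy and exit module settings that the console does not expose. Run it on the CA as a local administrator; it uses only documented certutil registry paths.

```powershell
# Added example (not from the course slides): lock down CA administration and
# inspect the policy/exit module settings that only certutil shows.

# Role separation: an account may hold only ONE CA role (CA administrator or
# certificate manager, not both). Without it a single account can change the
# CA configuration and also approve requests or recover keys.
certutil -setreg CA\RoleSeparationEnabled 1

# Audit every CA event category (127 sets all seven bits): start/stop, backup/restore,
# issue/revoke, configuration and security changes, key archival/retrieval.
certutil -setreg CA\AuditFilter 127
# The subcategory must also be enabled or the CA's audit events never reach the Security log.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Policy module: what the CA does when a request arrives (issue, pend, deny...).
certutil -getreg policy
# Exit module: what happens after issuance (publish to AD DS, file system, send email...).
certutil -getreg exit

# Registry changes are read at service start.
Restart-Service CertSvc

# Verify.
certutil -getreg CA\RoleSeparationEnabled
certutil -getreg CA\AuditFilter
```

With role separation on, an account that is both a local administrator and a certificate manager is blocked from either action until one role is removed, so check group membership of the accounts you use for day-to-day CA work before enabling it on a production CA.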
Demonstration: Configuring CA Properties
In this demonstration, your instructor will show you
how to configure CA properties
CA Backup and Recovery
To back up a CA, follow this procedure:
1. Record the names of the certificate templates
2. Back up a CA in the CA admin console
3. Export the registry subkey
4. Uninstall the CA role (optional, only if you move CA)
5. Confirm the %SystemRoot% folder locations
6. Remove the old CA from the domain (optional, only if you move CA)
To restore, follow this procedure:
1. Install AD CS
2. Use the existing private key
3. Restore the registry file
4. Restore the CA database and settings
5. Restore the certificate templates
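The backup and restore procedures above, as an added example that is not part of the course slides. It follows the slide's numbering; steps 4 and 6 of the backup (uninstalling and removing the old CA) are manual and only apply when the CA is moved, so they are left as comments. The backup directory, CA name and key file name are placeholders; certutil names the exported key file after the CA.

```powershell
# Added example (not from the course slides): back up a CA, then restore it on a rebuilt server.
# Paths and CA name are placeholders. Run elevated on the CA.

$backupRoot = 'D:\CABackup'   # placeholder; certutil requires an empty directory
$securePwd  = Read-Host -AsSecureString 'Password to protect the exported CA key'
$plainPwd   = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# --- Backup ---
# 1. Record the names of the templates this CA issues (ADCSAdministration module).
Get-CATemplate | Select-Object -ExpandProperty Name |
    Set-Content -Path (Join-Path $backupRoot 'templates.txt')

# 2. Database, log and CA certificate + private key (what the console backup wizard does).
certutil -p $plainPwd -backup $backupRoot

# 3. Export the CA configuration registry subkey.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $backupRoot 'CertSvc-Configuration.reg') /y

# 4. (Optional, when moving the CA) uninstall the CA role on the old server.
# 5. Note the database and log locations so the new server uses the same ones.
certutil -getreg CA\DBDirectory
certutil -getreg CA\DBLogDirectory
# 6. (Optional, when moving the CA) remove the old CA from the domain.

# --- Restore, on the new server ---
# 1. Install AD CS.  2. Reuse the existing key: point the wizard at the backed-up .p12.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile (Join-Path $backupRoot 'Adatum-Root-CA.p12') -CertFilePassword $securePwd -Force

# 3. Restore the registry file.  4. Restore the database and settings.
Stop-Service CertSvc
reg import (Join-Path $backupRoot 'CertSvc-Configuration.reg')
certutil -f -p $plainPwd -restore $backupRoot
Start-Service CertSvc

# 5. Re-publish the templates the old CA issued.
Get-Content (Join-Path $backupRoot 'templates.txt') | ForEach-Object { Add-CATemplate -Name $_ -Force }
```

The .p12 in the backup directory is the CA's signing key; protect the backup location at least as strictly as the CA itself, because anyone holding that file and the password can issue certificates trusted by every domain member.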
Lab A: Deploying and Configuring CA Hierarchy
• Exercise 1: Deploying a Stand-Alone Root CA
• Exercise 2: Deploying an Enterprise Subordinate
CA
Logon Information
Virtual machines: 20412C-LON-DC1
20412C-LON-SVR1
20412C-LON-SVR2
20412C-LON-CA1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 50 minutes
Lab Scenario
As A. Datum Corporation has expanded, its
security requirements have also increased. The
security department is particularly interested in
enabling secure access to critical websites, and in
providing additional security for features. To
address these and other security requirements, A.
Datum has decided to implement a PKI using the
AD CS role in Windows Server 2012.
As one of the senior network administrators at A.
Datum, you are responsible for implementing the
AD CS deployment.
Lab Review
• Why is it not recommended to install just an
enterprise root CA?
Lesson 4: Deploying and Managing Certificate
Templates
• What Are Certificate and Certificate Templates?
• Certificate Template Versions in Windows
Server 2012
• Configuring Certificate Template Permissions
• Configuring Certificate Template Settings
• Options for Updating a Certificate Template
• Demonstration: Modifying and Enabling a
Certificate Template
What Are Certificate and Certificate Templates?
A certificate contains information about users,
devices, usage, validity, and a key pair
A certificate template defines:
• The format and contents of a certificate
• The process for creating and submitting a valid
certificate request
• The security principals that are allowed to read, enroll, or
use autoenrollment for a certificate that will be based on
the template
• The permissions required to modify a certificate
template
Certificate Template Versions in Windows
Server 2012
Version 1:
• Introduced in Windows 2000 Server, provides for backward compatibility in newer versions
• Created by default when a CA is installed
• Cannot be modified (except for permissions) or removed, but can be duplicated to become
version 2 or 3 templates, which can then be modified
Version 2:
• Default template introduced with Windows Server 2003
• Allows customization of most settings in the template
• Several preconfigured templates are provided when a CA is installed
Version 3:
• Supports advanced Suite B cryptographic settings
• Includes advanced options for encryption, digital signatures, key exchange, and hashing
• Only supports Windows Server 2008 and Windows Server 2008 R2 servers
• Only supports Windows Vista and Windows 7 client computers
Version 4:
• Available only for Windows Server 2012 and Windows 8 clients
• Supports both CSPs and KSPs
• Supports renewal with the same key
Configuring Certificate Template Permissions
Permission: Description
• Full Control: Allows a designated user, group, or computer to modify all attributes, including ownership and permissions
• Read: Allows a designated user, group, or computer to read the certificate in AD DS when enrolling
• Write: Allows a designated user, group, or computer to modify all attributes except permissions
• Enroll: Allows a designated user, group, or computer to enroll for the certificate template
• Autoenroll: Allows a designated user, group, or computer to receive a certificate through the autoenrollment process
Configuring Certificate Template Settings
For each certificate template, you can customize several
settings, such as validity time, purpose, CSP, private key
exportability, and issuance requirements
Users:
• Single purpose examples: Basic EFS, Authenticated session, Smart card logon
• Multiple purpose examples: Administrator, User, Smart card user
Computers:
• Single purpose examples: Web server, IPsec
• Multiple purpose examples: Computer, Domain controller
Options for Updating a Certificate Template
Modifying: Modify the original certificate template to incorporate the new settings (diagram: Original template becomes Updated template)
Superseding: Replace one or more certificate templates with an updated certificate template (diagram: Smart Card 1 and Smart Card 2 are superseded by Smart Cards (new))
Demonstration: Modifying and Enabling a
Certificate Template
In this demonstration, you will see how to modify
and enable a certificate template
Lesson 5: Implementing Certificate Distribution
and Revocation
• Options for Certificate Enrollment
• How Does Autoenrollment Work?
• Enrollment Agent Overview
• Demonstration: Configuring the Restricted
Enrollment Agent
• What Is NDES?
• How Does Certificate Revocation Work?
• Considerations for Publishing AIAs and CDPs
• What Is an Online Responder?
• Demonstration: Configuring an Online Responder
Options for Certificate Enrollment
Autoenrollment:
• To automate the request, retrieval, and storage of certificates for domain-based computers
Manual enrollment:
• To request certificates by using the Certificate Templates console or Certreq.exe when the requestor cannot communicate directly with the CA
CA Web enrollment:
• To request certificates from a website that is located on a CA
• To issue certificates when autoenrollment is not available
Enroll on behalf:
• To provide IT staff with the right to request certificates on behalf of another user (Enrollment Agent)
How Does Autoenrollment Work?
1. A certificate template is configured with Allow Enroll and Autoenroll permissions for the users who will receive the certificates
2. The CA is configured to issue the template
3. An Active Directory Group Policy Object is created to enable autoenrollment and linked to the appropriate site, domain, or organizational unit
4. The client machine receives the certificates during the next Group Policy refresh interval
Diagram: Certificate template, CA, Group Policy Object, Client machine
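The enrollment methods and the autoenrollment sequence above, as one added example that is not part of the course slides: it publishes a template on the CA, creates and links the GPO that enables autoenrollment, triggers the client, and shows the certreq manual path for a machine that cannot reach the CA. Template name, GPO name, OU, CA config string and file paths are placeholders; the template's permissions (Read, Enroll, Autoenroll for the target group) are assumed to be set already.

```powershell
# Added example (not from the course slides): autoenrollment end to end, plus the
# certreq fallback. Names, OU, CA config string and paths are placeholders.

# --- On the CA: make the duplicated, permissioned template available for issuance ---
Add-CATemplate -Name 'AdatumUser' -Force
Get-CATemplate | Where-Object Name -eq 'AdatumUser'

# --- On a management host with the GroupPolicy module: the GPO that enables autoenrollment ---
# AEPolicy 7 = enabled + renew expired / update pending + update templates.
# Set for both machine and user so computer and user certificates are covered.
$gpo = New-GPO -Name 'Adatum Certificate Autoenrollment'
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target 'OU=Workstations,DC=Adatum,DC=com' | Out-Null

# --- On a client: do not wait for the next refresh interval ---
gpupdate /target:user /force
certutil -pulse   # starts the autoenrollment task immediately
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' } } |
    Select-Object Subject, NotAfter, Thumbprint

# --- Manual enrollment when the requestor cannot talk to the CA directly ---
# certreq builds the request locally; the .req file is carried to a host that can submit it,
# and the issued .cer is carried back and accepted, which binds it to the private key.
@'
[NewRequest]
Subject = "CN=lon-svr2.adatum.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path 'C:\req\websrv.inf'
certreq -new 'C:\req\websrv.inf' 'C:\req\websrv.req'
certreq -submit -config 'LON-CA1.adatum.com\Adatum-Issuing-CA' 'C:\req\websrv.req' 'C:\req\websrv.cer'
certreq -accept 'C:\req\websrv.cer'
```

`Exportable = FALSE` in the request is the setting to watch: a template or request that allows the private key to be exported turns every issued certificate into something that can be copied off the machine.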
Enrollment Agent Overview
An Enrollment Agent is a user who has the
appropriate certificate assigned and has the
ability to request certificates on behalf of other
users or computers
The restricted Enrollment Agent has limited
permissions:
• Limits permissions of the Enrollment Agent:
• To a specific group of users
• To specific certificate templates
• Requires Windows Server 2008 Enterprise edition
or Windows Server 2012 CA
Demonstration: Configuring the Restricted
Enrollment Agent
In this demonstration, you will see how to configure
the Restricted Enrollment Agent
What Is NDES?
NDES:
• Uses SCEP to communicate with network devices
• Functions as an AD CS role service
• Requires IIS
Diagram: a network router on the network obtains its certificate from the CA through NDES
How Does Certificate Revocation Work?
1. Certificate is revoked
2. Certificate revocation is published
3. Client computer verifies certificate validity and revocation
Considerations for Publishing AIAs and CDPs
Publish the root CA certificate and CRL (the AIA and CDP locations) to:
• AD DS
• Web servers
• FTP servers
• File servers
Diagram: an offline Root CA publishes to AD DS, an internal Web server, an FTP server, and a file server on the internal network; an external Web server between the two firewalls serves clients on the Internet
What Is an Online Responder?
An Online Responder:
• Uses OCSP validation and revocation checking over HTTP
• Receives and responds dynamically to individual requests
• Supports only Windows Server 2008, Windows Vista, and newer Windows operating systems
• Functions as a responder for multiple CAs
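The revocation, AIA/CDP publishing, and Online Responder slides above are one workflow, so here is one added example for them; it is not part of the course slides. It sets the CDP, AIA and OCSP locations the CA writes into new certificates, sets the CRL publication intervals, revokes a certificate and publishes the CRL, installs the Online Responder role service, and runs the client-side check. Hostnames, CA name, serial number and file path are placeholders; the `<CaName>`-style tokens are the CA's own replacement variables.

```powershell
# Added example (not from the course slides): CDP/AIA/OCSP locations, CRL schedule,
# revoke + publish, and the client-side check. Hosts, serial and paths are placeholders.

# 1. Locations clients will use. HTTP first: non-domain clients cannot query LDAP and
#    would otherwise stall on it. These apply only to certificates issued from now on.
$http = 'http://pki.adatum.com/CertEnroll'
Add-CACrlDistributionPoint -Uri "$http/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "$http/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess -Uri 'http://ocsp.adatum.com/ocsp' -AddToCertificateOcsp -Force
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, AddToFreshestCrl

# 2. CRL publication intervals: base CRL weekly, delta CRL daily. The CRL lifetime
#    is the longest window a revoked certificate stays usable on a client that cached the CRL.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
Restart-Service CertSvc

# 3. Revoke, then publish so the decision actually reaches the CDP.
#    Reason codes: 0 unspecified, 1 key compromise, 2 CA compromise, 4 superseded,
#    5 cessation of operation, 6 certificate hold (the only reversible one).
$serial = '6100000012abcdef'   # placeholder; taken from the CA's Issued Certificates view
certutil -revoke $serial 1
certutil -crl

# 4. Online Responder role service, so clients can ask about one serial instead of
#    downloading the whole CRL (the revocation configuration itself is added in the console).
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# 5. Client-side check: walk the chain of a suspect certificate, fetch every AIA/CDP/OCSP
#    URL it names, and report validity and revocation status for each level.
certutil -verify -urlfetch 'C:\temp\suspect.cer'
```

In the `certutil -verify -urlfetch` output, look for "Revocation check failed" or "The revocation function was unable to check revocation": either one means clients cannot reach the published location, and a client configured to fail open will keep accepting the revoked certificate.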
Demonstration: Configuring an Online
Responder
In this demonstration, you will see how to configure
an Online Responder
Lesson 6: Managing Certificate Recovery
• Overview of Key Archival and Recovery
• Configuring Automatic Key Archival
• Demonstration: Configuring a CA for Key Archival
• Recovering a Lost Key
• Demonstration: Recovering a Lost Private Key
Overview of Key Archival and Recovery
• Private keys can get lost when:
• A user profile is deleted
• An operating system is reinstalled
• A disk is corrupted
• A computer is lost or stolen
• It is critical that you archive private keys for certificates that are
used for encryption
• The KRA is needed for key recovery
• Key archival must be configured on the CA and on the certificate
template
• Key recovery is a two-phase process:
1. Key retrieval
2. Key recovery
• The KRA certificate must be protected
Configuring Automatic Key Archival
Steps to configure automatic key archival:
1. Configure and issue the KRA certificate template
2. Designate a person as the KRA, and enroll for the certificate
3. Enable key archival on the CA
4. Modify and enable certificate templates for key archival
Demonstration: Configuring a CA for Key
Archival
In this demonstration, you will see how to configure
a CA for key archival
Recovering a Lost Key
1. The private key is lost or corrupted
2. The Certificate Manager finds the serial number of the certificate (diagram: Serial #: 00AD036)
3. The Certificate Manager extracts the PKCS #7 blob for that serial number from the CA
4. The Certificate Manager transfers the PKCS #7 blob to the KRA
5. The KRA recovers the private key
6. The user imports the private key
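The recovery sequence above, plus step 1 of the key-archival configuration slide (issuing the KRA template), as one added example that is not part of the course slides. The two phases are deliberately run by different roles: a Certificate Manager can retrieve the archived blob but cannot read it, and the KRA can decrypt it but only receives what the Certificate Manager hands over. User name, serial number, file paths and the PFX password are placeholders.

```powershell
# Added example (not from the course slides): two-phase key recovery with certutil.
# User name, serial, paths and password are placeholders.

# --- Configuration step 1 (on the CA): publish the Key Recovery Agent template ---
Add-CATemplate -Name 'KeyRecoveryAgent' -Force
# Steps 2-4 (enroll the KRA, add the KRA certificate on the CA's Recovery Agents tab,
# enable "Archive subject's encryption private key" on the templates) are done in the consoles.

# --- Phase 1: key RETRIEVAL, run by a Certificate Manager ---
# Step 2: find the serial number of the user's archived certificate. KeyRecoveryHashes
# is empty for certificates whose key was NOT archived at enrollment time.
certutil -view -restrict "RequesterName=ADATUM\sfernandez" `
    -out "SerialNumber,NotAfter,CertificateTemplate,KeyRecoveryHashes"

# Step 3: extract the archived key from the CA database as a PKCS #7 blob that is
# encrypted to the KRA certificate(s); the Certificate Manager cannot open it.
$serial = '1a2b3c4d5e6f'   # placeholder serial from the listing above
certutil -getkey $serial 'C:\recovery\sfernandez.blob'

# Step 4: hand the blob to the KRA out of band. This is also what gets audited on the CA
# (key retrieval is a separate audit event from key recovery).

# --- Phase 2: key RECOVERY, run by the KRA on a machine holding the KRA private key ---
# Step 5: decrypt the blob and write a password-protected PFX with certificate + private key.
certutil -p 'R3cover-Me!' -recoverkey 'C:\recovery\sfernandez.blob' 'C:\recovery\sfernandez.pfx'

# Step 6: the user imports the recovered key pair (PFX password conveyed separately).
Import-PfxCertificate -FilePath 'C:\recovery\sfernandez.pfx' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host -AsSecureString 'PFX password')
```

Because the blob from step 3 is usable by whoever holds the KRA private key, the KRA certificate is as sensitive as the data it can unlock; keep it off the CA and off shared workstations, which is the point of the slide's "The KRA certificate must be protected".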
Demonstration: Recovering a Lost Private Key
In this demonstration, you will see how to recover a
lost private key
Lab B: Deploying and Managing Certificates
• Exercise 1: Configuring Certificate Templates
• Exercise 2: Configuring Certificate Enrollment
• Exercise 3: Configuring Certificate Revocation
• Exercise 4: Configuring Key Recovery
Logon Information
Virtual machines: 20412C-LON-DC1
20412C-LON-SVR1
20412C-LON-SVR2
20412C-LON-CA1
20412C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 75 minutes
Lab Scenario
As A. Datum Corporation has expanded, its security
requirements have also increased. The security department
is particularly interested in enabling secure access to
critical websites, and in providing additional security for
features such as drive encryption, smart cards, and the
Windows 7 and Windows 8 DirectAccess feature. To
address these and other security requirements, A. Datum
has decided to implement a PKI using the AD CS role in
Windows Server 2012.
As one of the senior network administrators at A. Datum,
you are responsible for implementing the AD CS
deployment. You will deploy the CA hierarchy, develop the
procedures and process for managing certificate
templates, and deploy and revoke certificates.
Lab Review
• What is the main benefit of OCSP over CRL?
• What must you do to recover private keys?

Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 
Service management Dec 11
Service management Dec 11Service management Dec 11
Service management Dec 11
 
Service Management Dec 11
Service Management Dec 11Service Management Dec 11
Service Management Dec 11
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
What's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow DublinWhat's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow Dublin
 
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key VaultITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
EC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKIEC PKI Training on-prem and cloud-based PKI
EC PKI Training on-prem and cloud-based PKI
 
Unit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptxUnit 4 (Part II) - Authentication Framework for PKC.pptx
Unit 4 (Part II) - Authentication Framework for PKC.pptx
 
6421 b Module-06
6421 b Module-066421 b Module-06
6421 b Module-06
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5SSL deep dive vCenter Server 5.5
SSL deep dive vCenter Server 5.5
 

More from Computer Networking

More from Computer Networking (7)

MCSA 70-412 Chapter 12
MCSA 70-412 Chapter 12MCSA 70-412 Chapter 12
MCSA 70-412 Chapter 12
 
MCSA 70-412 Chapter 11
MCSA 70-412 Chapter 11MCSA 70-412 Chapter 11
MCSA 70-412 Chapter 11
 
MCSA 70-412 Chapter 10
MCSA 70-412 Chapter 10MCSA 70-412 Chapter 10
MCSA 70-412 Chapter 10
 
MCSA 70-412 Chapter 09
MCSA 70-412 Chapter 09MCSA 70-412 Chapter 09
MCSA 70-412 Chapter 09
 
MCSA 70-412 Chapter 03
MCSA 70-412 Chapter 03MCSA 70-412 Chapter 03
MCSA 70-412 Chapter 03
 
MCSA 70-412 Chapter 02
MCSA 70-412 Chapter 02MCSA 70-412 Chapter 02
MCSA 70-412 Chapter 02
 
MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01
 

Recently uploaded

Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 

Recently uploaded (20)

Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 

MCSA 70-412 Chapter 06

7. Using Certificates for Content Encryption
• Encryption protects data from unauthorized access
• EFS uses certificates for file encryption
• To send an encrypted message, you must possess the recipient’s public key
[Diagram: EFS file layout. Header; Data Recovery Fields; Encrypted Data. The file encryption key is stored three times: encrypted with the file owner’s public key, encrypted with the public key of Recovery agent 1, and (optionally) encrypted with the public key of Recovery agent 2]

8. Using Certificates for Authentication
You can use certificates for user and device authentication, and in network and application access scenarios such as:
• L2TP/IPsec VPN
• EAP-TLS
• PEAP
• NAP with IPsec
• Outlook Web App
• Mobile device authentication

9. Lesson 2: PKI Overview
• What Is PKI?
• Components of a PKI Solution
• What Are CAs?
• Overview of the AD CS Server Role in Windows Server 2012
• New Features of AD CS in Windows Server 2012
• Public vs. Private CAs
• What Is a Cross-Certification Hierarchy?

10. What Is PKI?
PKI:
• Is a standard approach to security-based tools, technologies, processes, and services that are used to enhance the security of communications, applications, and business transactions
• Relies on the exchange of digital certificates between authenticated users and trusted resources
PKI provides:
• Confidentiality
• Integrity
• Authenticity
• Non-repudiation

11. Components of a PKI Solution
• CA
• Digital certificates
• CRLs and Online Responders
• Certificate templates
• Certificates and CA management tools
• AIA and CDPs
• Public key–enabled applications and services

12. What Are CAs?
A CA (the diagram shows a root CA):
• Issues a self-signed certificate for itself
• Verifies the identity of the certificate requestor
• Issues certificates to users, computers, and services
• Manages certificate revocation

13. Overview of the AD CS Server Role in Windows Server 2012
[Diagram: AD CS role services. CA; CA Web enrollment; Online Responder; NDES; CES (enrollment proxy); CEP (enrollment policy)]

14. New Features of AD CS in Windows Server 2012
• All AD CS role services run on all versions of Windows Server
• Full integration with Server Manager
• Manageable through Windows PowerShell
• New certificate template version (v4)
• Support for automatic renewal of certificates for non-domain joined computers
• Enforcement of certificate renewal with the same key
• Additional security for certificate requests
• Support for Virtual Smart Cards

15. Public vs. Private CAs
Internal private CAs:
• Require greater administration than external public CAs
• Cost less than external public CAs, and provide greater control over certificate management
• Are not trusted by external clients by default
• Offer advantages such as customized templates and autoenrollment
External public CAs:
• Are trusted by many external clients
• Have slower certificate procurement

16. What Is a Cross-Certification Hierarchy?
[Diagram: two cross-certification models between Organization 1 and Organization 2, each with a Root CA and a Subordinate CA. Left: Cross-Certification at the Root CA Level. Right: Cross-Certification Subordinate CA to Root CA]

17. Lesson 3: Deploying CAs
• Options for Implementing CA Hierarchies
• Stand-alone vs. Enterprise CAs
• Considerations for Deploying a Root CA
• Demonstration: Deploying a Root CA
• Considerations for Deploying a Subordinate CA
• How to Use the CAPolicy.inf File for Installation
• Configuring CA Administration and Security
• Configuring CA Policy and Exit Modules
• Demonstration: Configuring CA Properties
• CA Backup and Recovery

18. Options for Implementing CA Hierarchies
[Diagram: three hierarchy options. Two-Tier Hierarchy: Root CA with Issuing CAs. Policy CA Usage: Root CA, Policy CA, Issuing CAs. Cross-Certification Trust: Root CA, Policy CAs, Issuing CAs]

19. Stand-alone vs. Enterprise CAs
Stand-alone CAs:
• Must be used if any CA (root/intermediate/policy) is offline, because a stand-alone CA is not joined to an AD DS domain
• Users provide identifying information and specify the type of certificate
• Do not require certificate templates
• All certificate requests are kept pending until administrator approval
Enterprise CAs:
• Require the use of AD DS
• Can use Group Policy to propagate the certificate to the trusted root CA certificate store
• Publish user certificates and CRLs to AD DS
• Issue certificates based upon a certificate template
• Support autoenrollment for issuing certificates

20. Considerations for Deploying a Root CA
• Computer name and domain membership cannot change
• When you plan private key configuration, consider the following:
  • CSP
  • Key character length with a default of 2,048
  • The hash algorithm that is used to sign certificates issued by a CA
• When you plan a root CA, consider the following:
  • Name and configuration
  • Certificate database and log location
  • Validity period

21. Demonstration: Deploying a Root CA
In this demonstration, you will see how to deploy an enterprise root CA

22. Considerations for Deploying a Subordinate CA
[Diagram: reasons to deploy subordinate CAs under a root. Certificate Uses: RAS, EFS, S/MIME. Load Balancing. Locations: India, Canada, USA. Organizational Divisions: Employee, Contractor, Partner]

23. How to Use the CAPolicy.inf File for Installation
The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA, and defines the following:
• CPS
• Object Identifier
• CRL publication intervals
• CA renewal settings
• Key size
• Certificate validity period
• CDP and AIA paths
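As an added example (not part of the course deck), the following PowerShell writes a CAPolicy.inf for an offline root CA before the role is configured, covering each setting the slide lists; the OID, the pki.adatum.com URL, the key size and the publication periods are assumed values chosen for illustration.

```powershell
# Added example, not from the course: generate a CAPolicy.inf for an offline
# root CA before Install-AdcsCertificationAuthority is run. Every value is an
# assumption for illustration; replace the OID, URL, key size and periods
# with the ones from your own certificate policy.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

; CPS and Object Identifier: referenced from the CA certificate so relying
; parties can locate the practice statement
[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; PLACEHOLDER OID: use one from your organization's own OID arc
OID=1.3.6.1.4.1.99999.1.1
Notice="Issued under the Adatum Certificate Practice Statement"
URL=http://pki.adatum.com/cps.html

[Certsrv_Server]
; Key size and validity period applied when the CA certificate is renewed
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; CRL publication interval: an offline root signs CRLs rarely, so the base
; CRL lives for half a year and delta CRLs are disabled (0 units)
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; A root that only signs subordinate CA certificates needs no end-entity
; templates and no alternate (PSS) signature format
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

; CDP and AIA paths in the root certificate itself are left empty: a
; self-signed root is trusted because it was distributed, not because a
; revocation check passed. The CDP/AIA URLs stamped into issued
; certificates are configured on the CA after installation instead.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# The installer only reads the file from %Windir%
$path = Join-Path $env:windir 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding ASCII

# Sanity check before installing the role: the settings that are hardest to
# change afterwards must be present in the file
Select-String -Path $path -Pattern 'RenewalKeyLength|RenewalValidityPeriodUnits|Empty=True'
```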
24. Configuring CA Administration and Security
• You can establish role-based administration for a CA hierarchy by defining the following roles:
  • CA administrator
  • Certificate manager
  • Backup operator
  • Auditor
  • Enrollees
• You can assign the following permissions at the CA level:
  • Read
  • Issue and Manage Certificates
  • Manage CA
  • Request Certificates
• Certificate managers can be restricted to a template

25. Configuring CA Policy and Exit Modules
• The policy module determines the action that is performed after the certificate request is received
• The exit module determines what happens with a certificate after it is issued
• Each CA is configured with default policy and exit modules
• FIM CM 2010 deploys custom policy and exit modules
• The exit module can send email or publish a certificate to a file system
• You have to use certutil to specify these settings, as they are not available in the CA administrator console

26. Demonstration: Configuring CA Properties
In this demonstration, your instructor will show you how to configure CA properties

27. CA Backup and Recovery
To back up a CA, follow this procedure:
1. Record the names of the certificate templates
2. Back up the CA in the CA admin console
3. Export the registry subkey
4. Uninstall the CA role (optional, only if you move the CA)
5. Confirm the %SystemRoot% folder locations
6. Remove the old CA from the domain (optional, only if you move the CA)
To restore, follow this procedure:
1. Install AD CS
2. Use the existing private key
3. Restore the registry file
4. Restore the CA database and settings
5. Restore the certificate templates
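As an added example (not the course's own material), the backup steps 1 to 3 and the restore steps 3 to 5 above scripted with the Windows Server 2012 ADCSAdministration cmdlets; it assumes it runs elevated on the CA and that a backup folder such as D:\CABackup exists and is moved to protected storage afterwards.

```powershell
# Added example, not from the course: scripts backup steps 1-3 and restore
# steps 3-5 of the procedure on the page. Assumptions: run elevated on the CA,
# the Windows Server 2012 ADCSAdministration module is present, and the
# backup root (for example D:\CABackup) is moved to protected storage later.
Import-Module ADCSAdministration

function Backup-CaState {
    param(
        [Parameter(Mandatory)] [string]       $BackupRoot,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
    # The database and key backup gets its own empty subfolder; the other
    # artifacts sit beside it
    $caDir = Join-Path $dir 'CA'
    New-Item -ItemType Directory -Path $caDir -Force | Out-Null

    # Step 1: record the certificate templates the CA currently issues
    Get-CATemplate | Select-Object -ExpandProperty Name |
        Set-Content -Path (Join-Path $dir 'templates.txt')

    # Step 2: CA database plus the CA certificate and private key (a PFX
    # protected by $PfxPassword; keep that password apart from the backup)
    Backup-CARoleService -Path $caDir -Password $PfxPassword -Force

    # Step 3: export the CertSvc configuration registry subkey
    $regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    reg.exe export $regKey (Join-Path $dir 'CertSvc-Configuration.reg') /y | Out-Null

    return $dir
}

function Restore-CaState {
    # Restore steps 1-2 (install AD CS reusing the existing private key from
    # the backed-up PFX) are done through the role installation wizard or
    # Install-AdcsCertificationAuthority -CertFile; this function continues
    # from step 3 on a CA where the role service is already installed.
    param(
        [Parameter(Mandatory)] [string]       $BackupDir,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # The database can only be replaced while the service is stopped
    Stop-Service certsvc

    # Step 3: restore the registry file
    reg.exe import (Join-Path $BackupDir 'CertSvc-Configuration.reg') | Out-Null

    # Step 4: restore the CA database and settings
    Restore-CARoleService -Path (Join-Path $BackupDir 'CA') -Password $PfxPassword -Force
    Start-Service certsvc

    # Step 5: re-enable the certificate templates recorded at backup time
    $expected = Get-Content (Join-Path $BackupDir 'templates.txt')
    $expected | ForEach-Object { Add-CATemplate -Name $_ -Force }

    # Verify that the CA issues the same set of templates as before the restore
    $restored = Get-CATemplate | Select-Object -ExpandProperty Name
    Compare-Object -ReferenceObject $expected -DifferenceObject $restored
}

# Usage on the CA (uncomment to run):
# $pw  = Read-Host -AsSecureString 'PFX password'
# $dir = Backup-CaState -BackupRoot 'D:\CABackup' -PfxPassword $pw
# Restore-CaState -BackupDir $dir -PfxPassword $pw
```

Compare-Object prints nothing when the template sets match; any line it prints is a template that was issued before the backup but is not enabled after the restore, or vice versa.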
28. Lab A: Deploying and Configuring CA Hierarchy
• Exercise 1: Deploying a Stand-Alone Root CA
• Exercise 2: Deploying an Enterprise Subordinate CA
Logon Information
Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-SVR2, 20412C-LON-CA1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 50 minutes

29. Lab Scenario
As A. Datum Corporation has expanded, its security requirements have also increased. The security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI using the AD CS role in Windows Server 2012. As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.

30. Lab Review
• Why is it not recommended to install just an enterprise root CA?

31. Lesson 4: Deploying and Managing Certificate Templates
• What Are Certificates and Certificate Templates?
• Certificate Template Versions in Windows Server 2012
• Configuring Certificate Template Permissions
• Configuring Certificate Template Settings
• Options for Updating a Certificate Template
• Demonstration: Modifying and Enabling a Certificate Template

32. What Are Certificates and Certificate Templates?
A certificate contains information about users, devices, usage, validity, and a key pair
A certificate template defines:
• The format and contents of a certificate
• The process for creating and submitting a valid certificate request
• The security principals that are allowed to read, enroll, or use autoenrollment for a certificate that will be based on the template
• The permissions required to modify a certificate template

33. Certificate Template Versions in Windows Server 2012
Version 1:
• Introduced in Windows 2000 Server; provides backward compatibility in newer versions
• Created by default when a CA is installed
• Cannot be modified (except for permissions) or removed, but can be duplicated to become version 2 or 3 templates, which can then be modified
Version 2:
• Default template version introduced with Windows Server 2003
• Allows customization of most settings in the template
• Several preconfigured templates are provided when a CA is installed
Version 3:
• Supports advanced Suite B cryptographic settings
• Includes advanced options for encryption, digital signatures, key exchange, and hashing
• Only supports Windows Server 2008 and Windows Server 2008 R2 servers
• Only supports Windows Vista and Windows 7 client computers
Version 4:
• Available only for Windows Server 2012 and Windows 8 clients
• Supports both CSPs and KSPs
• Supports renewal with the same key

34. Configuring Certificate Template Permissions
• Full Control: allows a designated user, group, or computer to modify all attributes, including ownership and permissions
• Read: allows a designated user, group, or computer to read the certificate in AD DS when enrolling
• Write: allows a designated user, group, or computer to modify all attributes except permissions
• Enroll: allows a designated user, group, or computer to enroll for the certificate template
• Autoenroll: allows a designated user, group, or computer to receive a certificate through the autoenrollment process

35. Configuring Certificate Template Settings
For each certificate template, you can customize several settings, such as validity time, purpose, CSP, private key exportability, and issuance requirements
Users:
• Single purpose examples: Basic EFS, Authenticated session, Smart card logon
• Multiple purpose examples: Administrator, User, Smart card user
Computers:
• Single purpose examples: Web server, IPsec
• Multiple purpose examples: Computer, Domain controller

36. Options for Updating a Certificate Template
• Modifying: modify the original certificate template to incorporate the new settings (Original → Updated)
• Superseding: replace one or more certificate templates with an updated certificate template (Smart Card 1 and Smart Card 2 → Smart Cards (new))

37. Demonstration: Modifying and Enabling a Certificate Template
In this demonstration, you will see how to modify and enable a certificate template

38. Lesson 5: Implementing Certificate Distribution and Revocation
• Options for Certificate Enrollment
• How Does Autoenrollment Work?
• Enrollment Agent Overview
• Demonstration: Configuring the Restricted Enrollment Agent
• What Is NDES?
• How Does Certificate Revocation Work?
• Considerations for Publishing AIAs and CDPs
• What Is an Online Responder?
• Demonstration: Configuring an Online Responder

39. Options for Certificate Enrollment
Autoenrollment:
• To automate the request, retrieval, and storage of certificates for domain-based computers
Manual enrollment:
• To request certificates by using the Certificates Templates console or Certreq.exe when the requestor cannot communicate directly with the CA
CA Web enrollment:
• To request certificates from a website that is located on a CA
• To issue certificates when autoenrollment is not available
Enroll on behalf:
• To provide IT staff with the right to request certificates on behalf of another user (Enrollment Agent)

40. How Does Autoenrollment Work?
[Diagram: Certificate template → CA → Group Policy Object → Client machine]
• A certificate template is configured to allow the Enroll and Autoenroll permissions for the users who receive the certificates
• The CA is configured to issue the template
• An Active Directory Group Policy Object should be created to enable autoenrollment. The GPO should be linked to the appropriate site, domain, or organizational unit
• The client machine receives the certificates during the next Group Policy refresh interval

41. Enrollment Agent Overview
An Enrollment Agent is a user who has the appropriate certificate assigned and has the ability to request certificates on behalf of other users or computers
The restricted Enrollment Agent has limited permissions:
• Limits permissions of the Enrollment Agent:
  • For a specific group of users
  • For specific certificate templates
• Requires a Windows Server 2008 Enterprise edition or Windows Server 2012 CA

42. Demonstration: Configuring the Restricted Enrollment Agent
In this demonstration, you will see how to configure the Restricted Enrollment Agent

43. What Is NDES?
NDES:
• Uses SCEP to communicate with network devices
• Functions as an AD CS role service
• Requires IIS
[Diagram: network devices (router) on the network obtaining certificates from the CA through NDES]

44. How Does Certificate Revocation Work?
1. Certificate is revoked
2. Certificate revocation is published
3. Client computer verifies certificate validity and revocation

45. Considerations for Publishing AIAs and CDPs
Publish the root CA certificate and URL to:
• AD DS
• Web servers
• FTP servers
• File servers
[Diagram: Offline Root CA publishing to an External Web server (behind the firewall, reachable from the Internet) and to AD DS, an Internal Web server, an FTP server, and a File server on the internal network]
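As an added example (not from the course), the following PowerShell publishes CDP and AIA URLs on an enterprise issuing CA (slide 45) and then walks through the three revocation steps of slide 44 against a test certificate; it assumes an elevated session on the CA, the ADCSAdministration module, IIS on the CA serving C:\inetpub\pki as http://pki.adatum.com/pki, an Online Responder at http://ocsp.adatum.com/ocsp, and a test certificate file C:\temp\test-cert.cer, all of which are assumed names.

```powershell
# Added example, not from the course: set CDP/AIA publication on an issuing
# CA, then exercise revocation end to end. Assumptions: elevated session on
# the CA, ADCSAdministration module present, IIS on the CA serves
# C:\inetpub\pki as http://pki.adatum.com/pki, an Online Responder answers at
# http://ocsp.adatum.com/ocsp, and C:\temp\test-cert.cer is a certificate the
# CA issued for this test. The serial number is the one shown in the deck.
Import-Module ADCSAdministration

$http = 'http://pki.adatum.com/pki'

# CDP (slide 45, web server): write the base and delta CRL into the IIS
# folder, and stamp the HTTP URL into every certificate the CA issues.
# Tokens such as <CaName> and <CRLNameSuffix> are expanded by certsrv.
Add-CACrlDistributionPoint -Uri 'C:\inetpub\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -PublishToServer -PublishDeltaToServer -Force
Add-CACrlDistributionPoint -Uri "$http/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: where clients fetch the CA certificate, plus the OCSP URL that the
# Online Responder (slide 46) answers on
Add-CAAuthorityInformationAccess -Uri "$http/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess -Uri 'http://ocsp.adatum.com/ocsp' `
    -AddToCertificateOcsp -Force

# CDP/AIA changes only take effect after the service restarts
Restart-Service certsvc

# Review the resulting lists before issuing anything with them
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, PublishToServer
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp

# Slide 44, step 1: revoke the test certificate. Reason code 1 = KeyCompromise
$serial = '00AD036'   # serial number from the deck's example
certutil -revoke $serial 1

# Step 2: publish a fresh base CRL (and delta CRL) right away instead of
# waiting for the scheduled publication interval
certutil -crl

# Step 3: check what a client sees. certutil follows the CDP and AIA URLs
# embedded in the certificate and reports each fetch; a correctly published
# revocation shows the certificate as revoked rather than merely untrusted.
certutil -verify -urlfetch 'C:\temp\test-cert.cer'
```

If the final command reports that a CRL or AIA URL could not be retrieved, the publication step, not the revocation, is what failed, and clients will either fail the chain or ignore the revocation depending on their revocation policy.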
46. What Is an Online Responder?
An Online Responder:
• Uses OCSP for validation and revocation checking over HTTP
• Receives and responds dynamically to individual requests
• Supports only Windows Server 2008, Windows Vista, and newer Windows operating systems
• Functions as a responder to multiple CAs

47. Demonstration: Configuring an Online Responder
In this demonstration, you will see how to configure an Online Responder

48. Lesson 6: Managing Certificate Recovery
• Overview of Key Archival and Recovery
• Configuring Automatic Key Archival
• Demonstration: Configuring a CA for Key Archival
• Recovering a Lost Key
• Demonstration: Recovering a Lost Private Key

49. Overview of Key Archival and Recovery
• Private keys can get lost when:
  • A user profile is deleted
  • An operating system is reinstalled
  • A disk is corrupted
  • A computer is lost or stolen
• It is critical that you archive private keys for certificates that are used for encryption
• The KRA is needed for key recovery
• Key archival must be configured on the CA and on the certificate template
• Key recovery is a two-phase process:
  1. Key retrieval
  2. Key recovery
• The KRA certificate must be protected

50. Configuring Automatic Key Archival
Steps to configure automatic key archival:
1. Configure and issue the KRA certificate template
2. Designate a person as the KRA, and enroll for the certificate
3. Enable key archival on the CA
4. Modify and enable certificate templates for key archival

51. Demonstration: Configuring a CA for Key Archival
In this demonstration, you will see how to configure a CA for key archival

52. Recovering a Lost Key
1. The private key is lost or corrupted
2. The Certificate Manager finds the serial number of the certificate (in the diagram, Serial #: 00AD036)
3. The Certificate Manager extracts the PKCS #7 file from the CA
4. The Certificate Manager transfers the PKCS #7 file to the KRA
5. The KRA recovers the private key
6. The user imports the private key
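As an added example (not part of the course), the six recovery steps above as the two certutil phases that slide 49 calls key retrieval and key recovery; it assumes a CA configuration string of LON-CA1.adatum.com\AdatumCA, the serial number from the slide, a C:\recovery working folder, and that the Certificate Manager and the KRA run their phase on their own machines.

```powershell
# Added example, not from the course: the two-phase key recovery process from
# the deck. Assumptions: the CA config string and paths below are
# placeholders; the Certificate Manager holds the "Issue and Manage
# Certificates" permission on the CA (slide 24), and the KRA's private key is
# available only on the KRA's own machine for phase 2.
$caConfig = 'LON-CA1.adatum.com\AdatumCA'   # PLACEHOLDER "<host>\<CA name>"
$serial   = '00AD036'                       # serial number from the slide
$workDir  = 'C:\recovery'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# ---- Phase 1: key retrieval (Certificate Manager) ------------------------
# Step 2: confirm the serial number belongs to the right user and template
certutil -config $caConfig -view -restrict "SerialNumber=$serial" `
    -out 'RequestID,RequesterName,CertificateTemplate,NotAfter'

# Step 3: pull the archived key out of the CA database. The output is a
# PKCS #7 file holding the user's key, still encrypted to the KRA's public
# key, so this file alone does not expose the key.
$blob = Join-Path $workDir "$serial.p7b"
certutil -config $caConfig -getkey $serial $blob

# Step 4: hand $blob to the KRA over a channel you trust (out of scope here)

# ---- Phase 2: key recovery (KRA) -----------------------------------------
# Step 5: decrypt the blob with the KRA private key and write a PFX that is
# protected by a password chosen for the user
$pfx    = Join-Path $workDir "$serial.pfx"
$pfxPwd = Read-Host -Prompt 'Password for the recovered PFX'
certutil -p $pfxPwd -recoverkey $blob $pfx

# ---- Step 6: the user imports the recovered key --------------------------
# Import non-exportable (no -Exportable switch), so the recovered key cannot
# be copied out of the user's store again, then check the key is present
$secure = ConvertTo-SecureString $pfxPwd -AsPlainText -Force
$cert   = Import-PfxCertificate -FilePath $pfx -Password $secure `
              -CertStoreLocation Cert:\CurrentUser\My
if (-not $cert.HasPrivateKey) { throw "Recovered certificate $serial has no private key" }

# The PFX and blob are now redundant copies of the key: remove them
Remove-Item $pfx, $blob
```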
53. Demonstration: Recovering a Lost Private Key
In this demonstration, you will see how to recover a lost private key

54. Lab B: Deploying and Managing Certificates
• Exercise 1: Configuring Certificate Templates
• Exercise 2: Configuring Certificate Enrollment
• Exercise 3: Configuring Certificate Revocation
• Exercise 4: Configuring Key Recovery
Logon Information
Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-SVR2, 20412C-LON-CA1, 20412C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 75 minutes

55. Lab Scenario
As A. Datum Corporation has expanded, its security requirements have also increased. The security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features such as drive encryption, smart cards, and the Windows 7 and Windows 8 DirectAccess feature. To address these and other security requirements, A. Datum has decided to implement a PKI using the AD CS role in Windows Server 2012. As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment. You will deploy the CA hierarchy, develop the procedures and process for managing certificate templates, and deploy and revoke certificates.

56. Lab Review
• What is the main benefit of OCSP over CRL?
• What must you do to recover private keys?

Editor's Notes

  1. Presentation: 150 minutes Lab: 120 minutes After completing this module, the students will be able to: Describe public key infrastructure (PKI). Explain how to deploy certification authorities (CAs). Explain how to deploy and configure a CA hierarchy. Explain how to deploy and manage certificates. Implement certificate distribution and revocation. Describe how to manage certificate recovery. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20412C_06.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations. Practice performing the labs. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
  2. Introduce the module, and determine the students’ level of experience with PKI. Is it widely used by the students? Are they already familiar with the basic administration of Active Directory® Certificate Services (AD CS)? It is common to find students who are responsible for their PKI, but not completely comfortable with its administration or components. One point worth mentioning about AD CS in a smaller environment is that it rarely requires maintenance.
  3. This lesson describes the practical application of certificates. Most of the students will know about Secure Sockets Layer (SSL), digital signature, and encryption, but they might not be familiar with how these technologies work. Try to focus on explaining how these technologies work in detail. Also, describe how certificates and key pairs enable these technologies.
  4. Define SSL. After that, ask the students to describe how SSL works. Discuss the process of the SSL handshake, step by step. Do not forget to mention the potential trust issues for a server certificate. Describe how to configure an SSL certificate on Internet Information Services (IIS) and when to use subject alternative names. This topic contains a large amount of the content in the workbook, so make sure that you cover it all during teaching.
  5. Define the purpose of a digital signature. Make sure that you emphasize that a digital signature protects content consistency but does not protect content from unauthorized access. Explain how content is signed digitally and how a digital signature is verified. Use the process described in the workbook for detailed steps. At the end, explain how to configure and issue a certificate for digital signature.
  6. Preparation Steps For this demonstration, you will need the 20412C-LON-DC1 and 20412C-LON-CL1 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd. After you have finished this demo, leave the virtual machines running for the next demo. Demonstration Steps On LON-CL1, open Windows® PowerShell. At the Windows PowerShell command prompt, type mmc.exe, and then press Enter. Click the File menu, and then select Add/Remove Snap-in. Select Certificates, click Add, select My user account, click Finish, and then click OK. Expand Certificates-Current User, right-click Personal, select All Tasks, and then click Request New Certificate. In the Certificate Enrollment Wizard, click Next twice. On the Certificate Enrollment page, in the list of available templates, select User, click Enroll, and then click Finish. Close the Console 1 window without saving changes. Open Microsoft Word 2013. In a blank document, type some text, and then save the file to the desktop. On the toolbar, click INSERT, and then in the Text pane, in the Signature Line drop-down list box, click Microsoft Office Signature Line. In the Signature setup window, type your name in the Suggested signer text box, type Administrator in the Suggested signer’s title text box, type Administrator@adatum.com in the Suggested signer’s email address text box, and then click OK. Right-click the signature line in the document, and then click Sign…
  7. In the Sign window, click Change. In the Certificate list, select the certificate with today’s date, and then click OK. In the text box to the right of the X, type your name, click Sign, and then click OK. Note: Explain to the students that instead of typing your name, you can also select an image, for example a scan of your handwritten signature. Point out that the document can no longer be edited. Close Word 2013, and save the changes when prompted. Stay signed in for the next demonstration.
  8. Describe encryption and compare it to digital signatures. Be sure to emphasize the differences between the two. Define Encrypting File System (EFS), and use the diagram on the slide to describe how it works with one user, and with multiple users and Data Recovery Agent. Also, describe how email encryption works and what its limitations are.
  9. Describe some scenarios for using certificates for authentication of users and devices.
  10. Briefly describe the lesson content. Because this content has not changed much since Windows Server® 2008, if your students have previous PKI experience, you can expedite the teaching of this lesson except for the topic about the new AD CS features in Windows Server 2012.
  11. Explain the basics of PKI. It is important that the students understand what PKI is. Some students may find it easier to initially grasp what PKI is if you give them the synonym—certificate services. This term may be more familiar to the students. You should tell the students that PKI is not equal to certificate services, but in Windows Server, you can implement PKI solutions by implementing and configuring certificate services. After that, you can continue to talk about the benefits of PKI.
  12. Briefly describe each component of the PKI solution. Do not spend too much time on this topic, because most of these components will be discussed later in more detail. The purpose of this topic is to provide the students with a high-level overview of components that make up a PKI solution.
  13. Explain what a CA is, and how it operates. CAs are the key components of the PKI environment. In a simple PKI environment, a single CA may provide all of the PKI services.
  14. Introduce AD CS, and explain the purpose of each role service. Spend some time describing the role services that are new to Windows Server 2008 R2 and Windows Server 2012.
  15. In this topic, discuss the new features of AD CS in Windows Server 2012. If you did not spend much time on the previous topics in this lesson, devote more time to this topic. The students will most likely be very interested in Virtual Smart Cards, so be sure to explain clearly how this concept works and how it differs from traditional smart cards.
  16. Start by explaining that a CA solution can be implemented as an internal private CA, or an organization can use an external public CA. Many organizations use both: an external public CA for their public-facing services, and an internal private CA for their internal corporate requirements. You can also discuss a newer approach that some organizations use, the hybrid approach. In this scenario, the root is an externally trusted root CA, and the internal CAs that issue certificates are its subordinates. With the hybrid approach, companies can issue certificates that are trusted by virtually all computers. This module goes into more detail about this method in the following topics. Therefore, keep the discussion at a high level at this point, because subsequent topics provide more detail. Remind the students that a public CA is trusted by virtually all modern computers and applications, while an internal private CA is usually not trusted outside of the company that runs it. Mention that some organizations might choose to define their own list of trusted CAs. Ask the students which type of CA they are using in their environments today, and what its limitations are.
  17. Explain the following benefits of a cross-certification hierarchy: It provides an approach for one CA hierarchy to trust another CA hierarchy. It provides PKI interoperability between networks or other organizations (mergers, acquisitions, partnerships). It assumes complete trust of a foreign CA hierarchy. It can be configured at the root CA level or at the subordinate-to-the-root CA level. Question Your company is currently acquiring another company. Both companies run their own PKI. What could you do to minimize disruption and continue to provide PKI services seamlessly? Answer You could implement a cross-certification hierarchy.
  18. Briefly describe the lesson content. Ask the students if they have previous experience with CA deployment. Point out to the students that things have not changed much in this area since Windows Server 2008 R2.
  19. Highlight the various usage scenarios for CAs. This should help the students understand the typical usage scenarios that are found in an enterprise environment. Compare these scenarios with a typical usage scenario in a small environment (single-server PKI). Make sure that the students understand that a single CA does not represent a CA hierarchy, although it is still a fully functional PKI.
  20. Discuss the following: Stand-alone and enterprise CAs, and the differences between the two. CAs that issue certificates to clients over the Internet. A root CA is typically configured as a stand-alone CA. Mention that business requirements often dictate the type (or types) of CAs that the students will use. For example, autoenrollment requires an enterprise CA.
  21. Describe the key points related to considerations for installing a root CA. When you discuss the private key configuration, mention that any provider that starts with a number sign (#) in its name is a Cryptography Next Generation (CNG) provider. CNG, which was first introduced in Windows Vista®, has been enhanced in Windows Server 2008 and Windows Server 2012. The CNG application programming interface (API) is the long-term replacement for the Cryptography Application Programming Interface (CryptoAPI) in older versions of the Windows operating system.
  22. Preparation Steps This demonstration is mandatory to perform, because it establishes the PKI and CA that are used in the following demonstrations in this module. For this demonstration, start 20412C-LON-DC1 and 20412C-LON-SVR1. Sign in to both virtual machines as Adatum\Administrator with the password Pa$$w0rd. Demonstration Steps Deploy a root CA On LON-SVR1, in the Server Manager, click Add roles and features. On the Before You Begin page, click Next. On the Select installation type page, click Next. On the Select destination server page, click Next. On the Select server roles page, select Active Directory Certificate Services. In the Add Roles and Features Wizard, click Add Features, and then click Next. On the Select features page, click Next. On the Active Directory Certificate Services page, click Next. On the Select role services page, ensure that Certification Authority is selected, and then click Next. On the Confirm installation selections page, click Install. On the Installation progress page, after the installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server. In the AD CS Configuration Wizard, on the Credentials page, click Next. On the Role Services page, select Certification Authority, and then click Next.
  23. Discuss scenarios for deploying a subordinate CA. Ask the students if they have PKI deployed in their environments, and whether they use only root CAs, or if they have also deployed subordinate CAs as well.
  24. Describe the CAPolicy.inf file, and explain its structure and uses. Also, point the students to the syntax examples in the workbook.
  25. Define and discuss role-based administration for the CA hierarchy. Discuss each role and its rights and permissions. Explain the relationship between role-based administration and security permissions that are defined on the CA level.
  26. Define policy and exit modules on the CA. Most of the students probably will not be familiar with these settings, as they are used rarely. Use FIM CM to provide real-life examples of custom policy and exit modules. Spend some time explaining how to configure default exit modules to perform certain tasks.
  27. Preparation Steps For this demonstration, you will need the 20412C-LON-DC1 and 20412C-LON-SVR1 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd. Demonstration Steps On LON-SVR1, open the Server Manager, click Tools, and then click Certification Authority. In the certsrv console, right-click AdatumRootCA, and then select Properties. On the General tab, click View Certificate. When the Certificate window opens, review the data on the General, Details, and Certification Path tabs, and then click OK. On the Policy Module tab, click Properties. Review the settings available for the Default policy module, and then click OK. On the Exit Module tab, click Properties. Show the Publication Settings available in the default Exit module, and then click OK. On the Extensions tab, review the options available for the CDP and AIA locations. On the Security tab, review the available options on the access control list (ACL), and also review the default permissions. On the Certificate Managers tab, review the options and explain how to restrict security principals to specific certificate templates, and then click Cancel. Close the certsrv console.
  28. Discuss the procedure for CA backup and restore. Emphasize that this is done as a part of an entire backup strategy or when moving a CA to another computer. First, make sure that you define scenarios for this and discuss each step. Use the workbook for detailed steps. This slide provides only high-level steps for this procedure.
  29. Exercise 1: Deploying a Stand-Alone Root CA A. Datum wants to start using certificates for various purposes. You need to install the appropriate CA infrastructure. Because they are using Windows Server 2012 AD DS, you decided to implement the AD CS role. When you were reviewing the available designs, you decided to implement a stand-alone root CA. This CA will be taken offline after it issues a certificate for the subordinate CA. Exercise 2: Deploying an Enterprise Subordinate CA After you deploy the stand-alone root CA, the next step is to deploy an enterprise subordinate CA. A. Datum wants to use an enterprise subordinate CA to take advantage of AD DS integration. In addition, because the root CA is stand-alone, you want to publish its certificate to all clients.
  30. Question Why is it not recommended to install just an enterprise root CA? Answer For security reasons, root CAs should be offline, without any network access. An enterprise root CA cannot be taken offline, so its key cannot be given maximum protection.
  31. Briefly describe the lesson content. Emphasize that certificate templates are important, because they provide the ability to customize certificate settings.
  32. You should start by defining a certificate. Ask the students to provide their definition of a certificate. After that, start to introduce templates. A set of default templates is included during the installation of AD CS. Explain that the students can duplicate and modify these default templates to meet business requirements. Specific template versions and features are covered in later topics. Also, emphasize that in Windows Server 2008 R2, the Standard edition operating system also works with certificate templates.
  33. Discuss certificate template versions, and the functional differences between them.
  34. Discuss security options for certificate templates. Explain that the DACL for a certificate template has the same purpose as with other Active Directory objects. Also, emphasize the difference between the Enroll and Autoenroll permissions.
  35. Discuss settings that you can modify on a certificate template. If time permits, you can quickly show these options in a CA Manager console. Also, discuss single purpose and multiple purpose certificates.
  36. As a best practice, mention that the students should duplicate templates before they modify them. This preserves the original template for future duplications or as a reference. You can replace a template with a new one by using the option to supersede an existing template. This option is available in each template.
  37. Preparation Steps For this demonstration, start 20412C-LON-DC1 and 20412C-LON-SVR1. Sign in to both virtual machines as Adatum\Administrator with the password Pa$$w0rd. Be sure to complete all previous demonstrations before you begin this demonstration. Demonstration Steps Modify and enable a certificate template On LON-SVR1, on the taskbar, click the Server Manager icon. In the Server Manager, click Tools, and then click Certification Authority. In the Certification Authority console, expand AdatumRootCA, right-click Certificate Templates, and then click Manage. Review the list of default templates. Examine the templates and their properties. In the Details pane, double-click IPsec. In the IPsec Properties dialog box, scroll through the tabs, and note what you can modify on each tab. Note that on the Security tab, you can define permissions for enrollment. Click Cancel to close the template. In the Certificate Templates console, in the Details pane, right-click the Exchange User certificate template, and then click Duplicate Template. In the Properties of New Template dialog box, review options on the Compatibility tab. Click the General tab, and then in the Template display name text box, type Exchange User Test1. Click the Superseded Templates tab, and then click Add. Click the Exchange User template, and then click OK. Click the Security tab, and then click Authenticated Users.
  38. Under the Permissions for Authenticated Users node, select the Allow check boxes for Read, Enroll, and Autoenroll, and then click OK. Close the Certificate Templates console. In the Certification Authority console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select the Exchange User Test1 certificate, and then click OK.
  39. Present the lesson content. Be aware that this is an extensive lesson with several technologies to cover, so you should plan to spend some more time on this lesson.
  40. Discuss and describe each enrollment method. Be sure to provide a valid scenario for each enrollment method, and to explain their differences.
  41. Discuss the following: Autoenrollment enables organizations to deploy public key–based certificates to users and computers automatically. Domain members running the Windows XP operating system, Windows Server 2003, or newer versions can use certificate autoenrollment. The Certificate Services administrator can allow Enroll and Autoenroll permissions, and configure templates for users who receive certificates. Domain-based Group Policy activates and manages autoenrollment. Both computer-based and user-based Group Policy can activate autoenrollment. By default, Group Policy is applied at startup for computers, or at logon for users, and is refreshed periodically. The Group Policy setting is named Certificate Services Client - AutoEnrollment. An internal timer triggers autoenrollment every eight hours after the previous autoenrollment activation. For each request that requires user interaction as per the certificate template, a pop-up window displays approximately 60 seconds after logon. If the certificate template requires no user interaction, no window displays. You may want to expand upon certificate usage with Group Policy, as covered in the workbook—that is, enhancements in Windows Server 2008, the benefits of deploying via Group Policy, and other features. You also may want to briefly discuss autoenrollment from the perspectives of CA options or certificate templates. Finally, be sure to discuss Credential Roaming.
  42. Define what the Enrollment Agent certificate is and what can be done with it. Describe how the Enrollment Agent worked in older versions of Windows Server. Describe the drawbacks of that approach. After that, define the Restricted Enrollment Agent and describe how it works.
  43. Preparation Steps For this demonstration, start 20412C-LON-DC1, 20412C-LON-SVR1, and 20412C-LON-CL1. Sign in to 20412C-LON-DC1 and 20412C-LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd. Do not sign in to 20412C-LON-CL1 until directed to do so. Be sure to complete all previous demonstrations before you start this demonstration. Demonstration Steps Configure the Restricted Enrollment Agent On LON-SVR1, on the taskbar, click the Server Manager icon. In the Server Manager console, click Tools, and then open the Certification Authority. In the certsrv console, expand AdatumRootCA, right-click Certificate Templates, and then click Manage. In the Certificate Templates console, double-click Enrollment Agent, click the Security tab, and then click Add. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click Check Names, and then click OK. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions, and then click OK. Close the Certificate Templates console. In the certsrv console, right-click Certificate Templates, point to New, and then click Certificate Template to Issue. In the list of templates, click Enrollment Agent, and then click OK.
  44. Switch to LON-CL1, and sign in as Adatum\Allie with the password Pa$$w0rd. On the Start screen, type mmc.exe, and then press Enter. In Console1, open the File menu, and then click Add/Remove Snap-in. Click Certificates, click Add, and then click OK. Expand Certificates – Current User, and then click Personal. Right-click Personal, point to All Tasks, and then click Request New Certificate. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next. On the Select Certificate Enrollment Policy page, click Next. On the Request Certificates page, select Enrollment Agent, click Enroll, and then click Finish. Switch to LON-SVR1. In the Certification Authority console, right-click AdatumRootCA, and then click Properties. In the AdatumRootCA Properties dialog box, click the Enrollment Agents tab. On the Enrollment Agents tab, click Restrict Enrollment agents. In the pop-up window, click OK. On the Enrollment Agents tab, under Enrollment Agents, click Add. In the Select User, Computer, or Group window, type Allie, click Check Names, and then click OK. Click Everyone, and then click Remove. In the certificate templates section, click Add. In the list of templates, select User, and then click OK. In the Certificate Templates section, click <All>, and then click Remove. In the permission section, click Add.
  45. In the Select User, Computer, or Group window, type Marketing, click Check Names, and then click OK. In the Permission section, click Everyone, click Remove, and then click OK.
  46. Discuss the primary functionality of Network Device Enrollment Service (NDES). Explain that NDES performs the following functions: Generates and provides one-time enrollment passwords to administrators. Receives and processes Simple Certificate Enrollment Protocol (SCEP) enrollment requests on behalf of software running on network devices. Retrieves pending requests from the CA. Explain what is needed to deploy NDES.
  47. Discuss the following steps regarding certificate revocation with the students: A certificate is revoked from the CA Microsoft Management Console (MMC) snap-in. During revocation, a reason code and a date and time are specified. The certificate revocation list (CRL) is published through the CA MMC snap-in (or the scheduled revocation list is published automatically based on the configured value). When Windows client computers are presented with a certificate, they use a process to verify revocation status by querying the issuing CA. That check determines whether the certificate is revoked, and presents that information to the application requesting the verification.
  48. Be sure to explain what AIA and CDP are, and the purpose of these certificate extensions. After that, discuss publication points and usage scenarios. Explain to students that after you install a root CA, you need to configure two X.509 version 3 extension fields, known as the AIA and the CDP extensions. These extensions apply to all certificates that the root CA issues. These extensions define where client applications can find valid AIA and CDP information for the root CA. Inform the students that the formatting and publishing of AIA and CDP extension URLs are generally the same for root CAs and subordinate CAs. The difference between offline CAs and online CAs is that offline CAs require manual certificate and CRL publishing to a directory or Web server.
  49. Describe how an Online Responder uses Online Certificate Status Protocol (OCSP) to provide a more efficient method for clients to determine the revocation status of a certificate. OCSP uses HTTP for submitting certificate status requests. Remind the students that using standard CRLs may be inefficient because of the size of the CRL, and that clients must download and check the entire CRL. An Online Responder does this checking for the client, and responds only with the status of the requested certificate. Mention that the Online Responder can support a number of CAs, including CAs other than Microsoft CAs.
  50. Preparation Steps For this demonstration, start 20412C-LON-DC1 and 20412C-LON-SVR1. Sign in to both virtual machines as Adatum\Administrator with the password Pa$$w0rd. Be sure to complete all previous demonstrations before you start this demonstration. Demonstration Steps Configure an Online Responder On LON-SVR1, on the taskbar, click the Server Manager icon. In the Server Manager, click Add roles and features. Click Next three times. On the Select server roles page, expand Active Directory Certificate Services (Installed), and then select Online Responder. Click Add Features. Click Next two times, and then click Install. When the message displays that installation is successful, click Configure Active Directory Certificate Services on the destination server. In the AD CS Configuration Wizard, click Next. Select Online Responder, and then click Next. Click Configure, and then click Close two times. In the Server Manager console, click Tools, and then click the Certification Authority console on LON-SVR1. In the Certification Authority console, right-click AdatumRootCA, and then click Properties. In the AdatumRootCA Properties dialog box, on the Extensions tab, in the Select extension list, click Authority Information Access (AIA), and then click Add.
  51. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK. Select the Include in the AIA extension of issued certificates check box. Select the Include in the online certificate status protocol (OCSP) extension check box, and then click OK. In the Certificate Authority box, restart Active Directory Certificate Services by clicking Yes. In the certsrv console, expand AdatumRootCA, right-click the Certificate Templates folder, and then click Manage. In the Certificate Templates console, double-click the OCSP Response Signing template. In the OCSP Response Signing Properties dialog box, click the Security tab. Under Permissions for Authenticated Users, select the Allow for Enroll check box, and then click OK. Close the Certificate Templates console. In the Certification Authority console, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select the OCSP Response Signing template, and then click OK. On LON-SVR1, in Server Manager, click Tools, and then click Online Responder Management. In the Online Responder Management console, right-click Revocation Configuration, and then click Add Revocation Configuration. In the Add Revocation Configuration Wizard, click Next. On the Name the Revocation Configuration page, in the Name text box, type AdatumCA Online Responder, and then click Next. On the Select CA Certificate Location page, click Next. On the Choose CA Certificate page, click Browse, click the AdatumRootCA certificate, click OK, and then click Next.
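The demonstration above adds http://LON-SVR1/ocsp to the AIA extension; the following PowerShell is an added example (not part of the course materials) that reads the AIA and CDP extensions of an issued certificate and checks that the expected OCSP location is present. The OIDs are the standard X.509 ones; the expected URL and the issuer name filter (CN=AdatumRootCA) are taken from the demonstration.

```powershell
# Added example: verify the revocation information in an issued certificate.
# Assumes a certificate in the local store issued by the CA configured above.
using namespace System.Security.Cryptography.X509Certificates

function Get-RevocationUrls {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $urls = [ordered]@{ Ocsp = @(); CaIssuers = @(); Crl = @() }
    foreach ($ext in $Certificate.Extensions) {
        # Format($true) renders the extension as the multi-line text the certificate
        # dialog shows: one "Access Method=..." header per AIA entry, then its URL.
        $lines = $ext.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() }
        switch ($ext.Oid.Value) {
            '1.3.6.1.5.5.7.1.1' {                 # Authority Information Access (AIA)
                $method = $null
                foreach ($line in $lines) {
                    if ($line -match '^Access Method=.*\((1\.3\.6\.1\.5\.5\.7\.48\.\d+)\)') {
                        $method = $Matches[1]
                    }
                    elseif ($line -match '^URL=(.+)$') {
                        if ($method -eq '1.3.6.1.5.5.7.48.1') { $urls.Ocsp += $Matches[1] }       # OCSP
                        elseif ($method -eq '1.3.6.1.5.5.7.48.2') { $urls.CaIssuers += $Matches[1] } # CA cert
                    }
                }
            }
            '2.5.29.31' {                         # CRL Distribution Points (CDP)
                foreach ($line in $lines) {
                    if ($line -match '^URL=(.+)$') { $urls.Crl += $Matches[1] }
                }
            }
        }
    }
    return [pscustomobject]$urls
}

function Test-OcspLocation {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [string]$ExpectedUrl = 'http://LON-SVR1/ocsp'   # value typed in the demonstration
    )
    $urls = Get-RevocationUrls -Certificate $Certificate
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        OcspUrls    = $urls.Ocsp
        CrlUrls     = $urls.Crl
        HasExpected = ($urls.Ocsp -contains $ExpectedUrl)
    }
}

# Usage: report every certificate in the machine store that AdatumRootCA issued.
# A certificate issued before the AIA change will show HasExpected = False and
# will still fall back to the CDP URLs (CrlUrls) for revocation checking.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=AdatumRootCA*' } |
    ForEach-Object { Test-OcspLocation -Certificate $_ } |
    Format-Table Subject, HasExpected, OcspUrls, CrlUrls -AutoSize
```

Certificates issued before the extension was changed keep their old AIA contents, so the report is a quick way to see which ones need to be renewed before clients can use the Online Responder for them.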
  52. Provide a brief overview of the lesson content.
  53. Explain the scenarios in which the private key can become lost. Also, explain why the private key is important, and describe the consequences of losing a private key. After that, explain how you can protect, archive, and recover your private key. Do not go into too much detail, because this subject will be discussed in greater detail in following topics. Note: The practice of user profile deletion for the purpose of troubleshooting user issues is not recommended, and can cause other issues in the work environment.
  54. Use this topic to describe the process to configure automatic key archival. Discuss the types of templates that should have key archival enabled, for example, an EFS certificate. Explain that if a certificate is already configured without key archival, you can configure a superseded template to replace the previous certificate. Mention that users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled.
  55. Preparation Steps For this demonstration, start 20412C-LON-DC1 and 20412C-LON-SVR1. Sign in to both virtual machines as Adatum\Administrator with the password Pa$$w0rd. Be sure to complete all previous demonstrations before you start this demonstration. Demonstration Steps Configure automatic key archival On LON-SVR1, open the Certification Authority console. In the Certification Authority console, expand the AdatumRootCA node, right-click the Certificate Templates folder, and then click Manage. In the Details pane, right-click the Key Recovery Agent certificate, and then click Properties. In the Key Recovery Agent Properties dialog box, on the Issuance Requirements tab, clear the CA certificate manager approval check box. Note: This is for test purposes only. In a production environment, you should not change this value. On the Security tab, notice that Domain Admins and Enterprise Admins are the only groups that have the Enroll permission, and then click OK. Make no changes here. Close the Certificate Templates console. In the Certification Authority console, right-click Certificate Templates, click New, click Certificate Template to Issue, click Key Recovery Agent, and then click OK. This process configures the CA to issue certificates based on the Key Recovery Agent template. Click the Start screen, type mmc.exe, and then press Enter. In the Console 1 window, click File, and then click Add/Remove Snap-in. On the Add/Remove Snap-ins page, select Certificates, and then click Add. Select My user account, click Finish, and then click OK.
  56. With the help of the diagram on the slide, explain to the students the procedure to restore a lost key. Explain how you can transfer a file to the recovery agent, how key recovery is performed, and how the key is restored on the client’s computer.
  57. Preparation Steps For this demonstration, start 20412C-LON-DC1 and 20412C-LON-SVR1. Sign in to both virtual machines as Adatum\Administrator with the password Pa$$w0rd. Be sure to complete all previous demonstrations before you start this demonstration. If you do not have enough time, you can skip this demonstration, because the students will do this in a lab. Demonstration Steps Recover a lost private key On LON-SVR1, go to the Start screen, type mmc.exe, and then press Enter. Click File, and then click Add/Remove Snap-in. Select Certificates, and then click Add. Click My user account, click Finish, and then click OK. Expand Certificates - Current User, expand Personal, and then right-click Certificates. Select All Tasks, and then click Request New Certificate. Click Next twice. Enroll for the Exchange User Test1 certificate by using the wizard. When you select the Exchange User Test1 template in the wizard, click the link to open the settings and enter the subject name. In the Type list, click Email, and in the value field, type administrator@adatum.com, click Add, click OK, and then click Enroll. Click Finish. Verify that the certificate displays in the Personal->Certificates store. Simulate a lost private key by deleting the administrator@adatum.com certificate from the Personal certificate store: right-click administrator@adatum.com, click Delete, and then click Yes. Minimize the Certificates (Console1) console. In the Certification Authority console, in the Issued Certificates folder, double-click the certificate with Exchange User Test1 as the template name. This is the certificate that you issued in an earlier step. From the Details tab, record the serial number. (You can copy and paste it to Notepad, and then remove the spaces between the numbers.)
  58. 1. Open a command-prompt window with elevated privileges. (On the Start menu, type cmd, right-click Command Prompt, and then click Run as Administrator.)
2. In the command-prompt window, switch to the root of drive C by typing cd.., and then press Enter. (You might have to do this twice.)
3. Select the certificate serial number in Notepad, right-click it, and then select Copy.
4. Switch back to the command-prompt window, and type the following command, where <serialnumber> is the number that you paste from Notepad, and then press Enter:
Certutil -getkey <serialnumber> outputblob
Note: If a question mark appears at the beginning of the number after you paste it in, delete it. Also ensure that you remove all spaces from the serial number, or enclose the serial number in quotation marks.
5. After the command completes successfully, open drive C and verify that the Outputblob file displays.
6. Switch back to the command-prompt window. At the command prompt, type the following, and then press Enter:
Certutil -recoverkey outputblob recover.pfx
7. When prompted, type Pa$$w0rd as the new password, and then confirm the password.
8. Browse to drive C, and then verify that the Recover.pfx file (the recovered key) is created.
9. Right-click the file recover.pfx, and then click Install PFX. (Note: If the Install PFX option is not available, select Open with, and then click Crypto Shell Extensions.)
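The two certutil commands in the demonstration above can be scripted so that the serial number is cleaned up, each step is checked, and the recovered PFX is verified before it is handed to the user. The following script is an added example for this module, not part of the course materials. It assumes (none of this is on the slides) that it runs on a machine with the AD CS tools as a user who holds the KRA certificate’s private key, that certutil’s -p option supplies the PFX password non-interactively, and that the PKI module’s Get-PfxData cmdlet is available; the script name, paths and serial number are placeholders you replace.

```powershell
<#
  Added example (not course code): automate the demonstrated key recovery flow
  (certutil -getkey, then certutil -recoverkey) and verify the result.
  Assumptions: run as a holder of the KRA private key; certutil -p accepts the PFX
  password; Get-PfxData (PKI module) is available. Paths are placeholders.
#>
param(
    [Parameter(Mandatory)] [string]       $SerialNumber,   # from the CA's Issued Certificates view
    [Parameter(Mandatory)] [SecureString] $PfxPassword,    # protects the recovered PFX
    [string] $BlobPath = 'C:\outputblob',                   # key blob, encrypted to the KRA certificate
    [string] $PfxPath  = 'C:\recover.pfx'                   # recovered certificate plus private key
)

$ErrorActionPreference = 'Stop'

function Get-CleanSerialNumber {
    param([string] $Raw)
    # certutil expects one hex string: drop spaces, a pasted leading '?', and anything
    # else that is not a hex digit (both paste problems are noted in the demo).
    $clean = $Raw -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -eq 0 -or ($clean.Length % 2) -ne 0) {
        throw "Serial number '$Raw' does not reduce to an even-length hex string."
    }
    return $clean.ToUpperInvariant()
}

function Invoke-KeyRecovery {
    param([string] $Serial, [string] $Blob, [string] $Pfx, [SecureString] $Password)

    # Step 1: export the archived key blob from the CA database. The blob is encrypted
    # to the KRA certificate, so only a KRA private-key holder can open it.
    & certutil.exe -getkey $Serial $Blob | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Blob)) {
        throw "certutil -getkey failed (exit code $LASTEXITCODE). Is the key archived, and do you hold the KRA private key?"
    }

    # Step 2: decrypt the blob with the KRA private key into a password-protected PFX.
    # (Assumption: -p passes the password instead of the interactive prompt in the demo.)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    & certutil.exe -p $plain -recoverkey $Blob $Pfx | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Pfx)) {
        throw "certutil -recoverkey failed (exit code $LASTEXITCODE)."
    }

    # Step 3: confirm the PFX holds the requested certificate and its private key,
    # so the user is not handed a file that will not restore what was lost.
    $pfxData = Get-PfxData -FilePath $Pfx -Password $Password
    $cert = $pfxData.EndEntityCertificates |
        Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $Serial } |
        Select-Object -First 1
    if (-not $cert)                { throw "Recovered PFX does not contain a certificate with serial $Serial." }
    if (-not $cert.HasPrivateKey)  { throw "Recovered PFX contains the certificate but no private key." }

    # The intermediate blob has served its purpose once the PFX exists.
    Remove-Item -Path $Blob -Force
    return $cert
}

$serial = Get-CleanSerialNumber -Raw $SerialNumber
$cert   = Invoke-KeyRecovery -Serial $serial -Blob $BlobPath -Pfx $PfxPath -Password $PfxPassword

Write-Host "Recovered $($cert.Subject) (serial $($cert.SerialNumber)) with its private key to $PfxPath."
Write-Host "Deliver the PFX to the user over a protected channel and delete it after Install PFX / Import-PfxCertificate."
```

A typical invocation (hypothetical script name) is `.\Recover-ArchivedKey.ps1 -SerialNumber '61 0a 1b ...' -PfxPassword (Read-Host -AsSecureString 'PFX password')`. The serial clean-up reproduces the note in the demo about the stray question mark and spaces, and the Get-PfxData check catches the common failure where recovery succeeds but the blob belonged to a different certificate than intended.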
  59. This lab can take more than an hour to complete. Be prepared to help the students, and to discuss the tasks that they are performing. It is crucial that all the students have completed Lab A, which prepares the PKI environment for this lab.
Exercise 1: Configuring Certificate Templates
After deploying the CA infrastructure, the next step is to deploy the certificate templates that are required in the organization. First, A. Datum wants to implement a new Web server certificate and implement smart card certificates for users. They also want to implement new certificates on the LON-SVR2 web server.
Exercise 2: Configuring Certificate Enrollment
The next step in implementing the PKI at A. Datum is to configure certificate enrollment. A. Datum wants to enable different options for distributing the certificates. Users should be able to enroll automatically, and smart card users should get their smart cards from an Enrollment Agent. A. Datum has delegated Enrollment Agent rights for the Marketing department group to user Allie Bellew.
Exercise 3: Configuring Certificate Revocation
As part of configuring the certificate infrastructure, A. Datum wants to configure revocation components on the newly established CAs. You will configure CRL and Online Responder components.
Exercise 4: Configuring Key Recovery
As part of establishing a PKI, you want to configure and test procedures for the recovery of private keys. You want to assign a KRA certificate to an administrator, and configure the CA and specific certificate templates to allow key archiving. In addition, you want to test a procedure for key recovery.
  60. Question: What is the main benefit of OCSP over CRL?
Answer: OCSP provides status for a single certificate that clients request, instead of downloading the entire CRL and delta CRLs. In addition, responses are much faster and more reliable, because clients do not cache them.
Question: What must you do to recover private keys?
Answer: To recover private keys, you must configure the CA to archive private keys for specific templates, and you must issue a KRA certificate.