
Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2


Presentation Transcript


  1. Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2

  2. Agenda • Background • PKI Enhancements • Server consolidation • Improved existing scenarios • HTTP based enrollment • Strong Authentication Enhancements

  3. Windows PKI Today • A strategic investment • Invested in through Windows 2000, Windows XP and Windows Vista, and the investment continues • Existing abilities: • Server roles: CA, OCSP responder, SCEP (NDES) • Client components: API, UI, client services • Active Directory integration • Protocols and application adoption • For more info • http://technet.microsoft.com/en-us/library/cc753254.aspx • http://technet.microsoft.com/en-us/library/cc770357.aspx

  4. PKI Trends • Governments – the biggest cert issuers!!! • SMBs need PKI solution • Enterprises need PKI for heterogeneous environments • Applications use certificates as authorization tokens (short validity period) • Industry extends usage of X.509 certificates • Extended Validation (EV) certificates • Logo types • Advanced crypto is picking up

  5. Windows 7 Investments Strong Authentication Public Key Infrastructure Server Consolidation Improved Existing Scenarios HTTP Based Enrollment

  6. Server Consolidation: Non-persistent requests • New PKI scenarios use short-lived certificates • Network Access Protection (NAP) health certificates • OCSP signing certificates • Existing workarounds for database growth: dedicated CAs, or high management cost for periodic cleanup • Windows Server 2008 R2 • Administrator can configure (on the certificate template) whether the CA stores the request and the issued certificate in its database • Caveat: a certificate the CA never recorded cannot be revoked, so this option is paired with omitting revocation information from the issued certificate and only suits short validity periods

  7. Server Consolidation: Non-persistent requests [screenshot of the certificate template's Server tab: "Do not store certificates and requests in the CA database" (No-Persist) and "Do not include revocation information in issued certificates" (No-Revocation)]

  8. Server Consolidation: Server Core support • CA is supported on Server Core • Local command line utilities • Remote management UI • Key management by HSM vendor • No other AD CS service is supported on Server Core

  9. Server Consolidation: Cross Forest Enrollment

  10. How does it work today? Single forest CA • 1. CA starts and reads certificate templates from AD • 2. Client reads certificate templates from AD • 3. Client sends enrollment request to CA • 4. CA constructs Subject information based on the client's object in AD • 5. CA issues the certificate and returns it to the client [diagram: client workstations, Active Directory (AD) and the CA in one forest, with the five steps numbered]

  11. How does it work today? Multiple forests • Multiple forests imply: • Multiple servers • Multiple CA keys • Multiple HSMs • Multiple certificate databases • Etc.

  12. How will it work? Cross forest enrollment [diagram: the same five steps, with the client workstations and their Active Directory in the account forest, and the CA with its Active Directory in the resource forest]

  13. Server Consolidation: Cross forest enrollment • Windows will support certificate enrollment and issuance across AD forest boundaries • Requires a two-way AD forest trust between the account and resource forests • Requires a Windows Server 2008 R2 CA • Requires Windows XP or later on the client

  14. Server Consolidation: Cross forest enrollment management • CA reads templates from the resource forest • Client reads templates from the account forest • This requires manual steps to keep the two copies of the templates in sync • Initial consolidation • Ongoing synchronization • Best Practice Whitepaper for PKI Consolidation
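The "ongoing synchronization" step above is where consolidation goes wrong in practice: the CA enforces the template copy in the resource forest, the client builds its request from the copy in the account forest, and nothing in AD keeps the two aligned. The following drift check is an added example, not code from the deck or from the consolidation whitepaper; it compares the attributes that both sides act on and reports any template that differs or exists in only one forest. The attribute names are the real AD template attributes and the flag bits are MS-CRTD definitions, but the two template sets are constructed dictionaries standing in for LDAP search results from each forest's Certificate Templates container, and the template OIDs are placeholders.

```python
"""Drift check for certificate templates copied between two AD forests.

Added example (not Microsoft code). The inputs are constructed dictionaries
standing in for LDAP search results from CN=Certificate Templates,CN=Public Key
Services,CN=Services,CN=Configuration,... in each forest; a real run would fill
them from an LDAP query against each forest.
"""

# Attributes that both the enrollment client and the CA act on (a subset).
# A value that differs between the copies changes either what the client
# requests or what the CA is willing to issue.
COMPARED_ATTRIBUTES = (
    "msPKI-Template-Schema-Version",
    "revision",
    "msPKI-Template-Minor-Revision",
    "msPKI-Cert-Template-OID",
    "msPKI-Enrollment-Flag",
    "msPKI-Certificate-Name-Flag",
    "msPKI-Private-Key-Flag",
    "msPKI-RA-Signature",
    "pKIExtendedKeyUsage",
)


def normalise(value):
    """Multi-valued LDAP attributes come back in arbitrary order; compare them as sorted tuples."""
    if isinstance(value, (list, tuple)):
        return tuple(sorted(value))
    return value


def diff_templates(account_forest, resource_forest):
    """Compare the two template sets.

    Each argument maps a template cn to its attribute dict. Returns a sorted
    list of (cn, finding) tuples; an empty list means the copies are in sync.
    """
    findings = []
    for cn in sorted(set(account_forest) | set(resource_forest)):
        if cn not in resource_forest:
            findings.append((cn, "only in account forest: clients can request it, but no CA will issue it"))
            continue
        if cn not in account_forest:
            findings.append((cn, "only in resource forest: account-forest clients cannot see it"))
            continue
        acct, res = account_forest[cn], resource_forest[cn]
        for attr in COMPARED_ATTRIBUTES:
            if normalise(acct.get(attr)) != normalise(res.get(attr)):
                findings.append((cn, f"{attr} differs: account={acct.get(attr)!r} resource={res.get(attr)!r}"))
    return findings


# Constructed sample data. Flag values are MS-CRTD bit definitions; the
# template OIDs are placeholders, not real enterprise OIDs.
_WEB_SERVER = {
    "msPKI-Template-Schema-Version": 2,
    "revision": 100,
    "msPKI-Template-Minor-Revision": 3,
    "msPKI-Cert-Template-OID": "1.3.6.1.4.1.311.21.8.1.2.3.4.101",
    "msPKI-Enrollment-Flag": 0x00000020,           # CT_FLAG_AUTO_ENROLLMENT
    "msPKI-Certificate-Name-Flag": 0x00000001,     # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    "msPKI-Private-Key-Flag": 0x00000000,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # serverAuth
}
_SMARTCARD = {
    "msPKI-Template-Schema-Version": 2,
    "revision": 101,
    "msPKI-Template-Minor-Revision": 5,
    "msPKI-Cert-Template-OID": "1.3.6.1.4.1.311.21.8.1.2.3.4.102",
    "msPKI-Enrollment-Flag": 0x00000020,
    "msPKI-Certificate-Name-Flag": 0x82000000,     # SUBJECT_REQUIRE_DIRECTORY_PATH | SUBJECT_ALT_REQUIRE_UPN
    "msPKI-Private-Key-Flag": 0x00000000,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.5.7.3.2"],  # smart card logon, clientAuth
}

ACCOUNT_FOREST = {
    "CrossForestWebServer": dict(_WEB_SERVER),
    "CrossForestSmartcard": dict(_SMARTCARD),
    "OCSPResponseSigning": {"msPKI-Template-Schema-Version": 3, "revision": 101},  # never copied over
}
RESOURCE_FOREST = {
    "CrossForestWebServer": dict(_WEB_SERVER),
    # Exportable keys were enabled on the CA side only; the EKU list also comes
    # back in a different order, which normalise() treats as equal.
    "CrossForestSmartcard": {
        **_SMARTCARD,
        "msPKI-Private-Key-Flag": 0x00000010,      # CT_FLAG_EXPORTABLE_KEY
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
    },
}

if __name__ == "__main__":
    for cn, finding in diff_templates(ACCOUNT_FOREST, RESOURCE_FOREST):
        print(f"{cn}: {finding}")
```

The comparison is only a consistency check: whatever the account-forest copy says, the CA issues according to the resource-forest copy and its ACLs, so that copy is the one to review when the two disagree.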

  15. Server Consolidation Simplify management for NAP deployment Support CA installations on Server Core Support Cross Forest Enrollment

  16. Windows 7 Investments Strong Authentication Public Key Infrastructure Server Consolidation Improved Existing Scenarios HTTP Based Enrollment

  17. Improved Existing Scenarios: Standard SKU supports V2 templates • W2K introduced V1 certificate templates • W2K3 introduced V2 certificate templates • Not supported on W2K3 Standard Edition • W2K8 introduced V3 certificate templates • Not supported on W2K8 Standard Edition • A CA installed on Windows Server 2008 R2 Standard Edition supports all certificate template versions • Supports auto-enrollment • Supports key archival • Etc.

  18. Improved Existing Scenarios: Best Practice Analyzer • Most PKI support calls are caused by configuration issues • Windows Server 2008 R2 introduces the Best Practice Analyzer (BPA) tool • The CA role defines rules that the BPA tool can check after each CA configuration change

  19. Improved Existing Scenarios: Best Practice Analyzer [screenshot: BPA scan results]

  20. Improved Existing Scenarios: Certificate selection [screenshots: the Windows Vista and Windows 7 certificate selection dialogs side by side] • Icons differentiate software and smart card certificates • Duplicate and archived certificates are no longer listed

  21. Improved Existing Scenarios: Enterprise SSL EV certificate • Mark an enterprise root CA as an extended validation (EV) root and add the EV policy OID • Configurable through Group Policy

  22. Improved Existing Scenarios: V2 Certificate Templates, Best Practice Analyzer, Certificate Selection, Enterprise SSL EV Certificate

  23. Windows 7 Investments Strong Authentication Public Key Infrastructure Server Consolidation Improved Existing Scenarios HTTP Based Enrollment

  24. HTTP Based Enrollment: Design goal • Enable new scenarios to leverage the Windows PKI client • Server certificates issued by a public CA • Issuance across company boundaries • Partnership scenario • Issuance to non-domain-joined machines • B2C issuance • My bank issues me certificates • And more…

  25. HTTP Based Enrollment: Design overview • Specified two new HTTP-based protocols for certificate enrollment (published as MS-XCEP for enrollment policy and MS-WSTEP for enrollment) • Implemented client services on top of the new protocols • Implemented the server side for these new protocols (the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service) • Work (in progress) with related ISVs to provide interoperable solutions

  26. HTTP Based Enrollment [diagram: client workstations reach the Certificate Enrollment Policy WS and the Certificate Enrollment WS over HTTP only; the policy WS reads templates from Active Directory (AD), and the enrollment WS forwards requests to the CA and returns the issued certificate]

  27. HTTP Based Enrollment: Auto-enrollment enhancements • Ensures the system has a valid certificate for each of the enrollment policies configured for the end entity • Implements the client role for both protocols • Maintains a list of policy server URIs • Maintains a cache of the enrollment policies returned from all policy servers • Runs on non-domain-joined machines

  28. HTTP Based Enrollment: Authentication • The Windows client uses the same authentication mechanism for policy and enrollment servers • Kerberos • Username/password • Certificate based • Supports credential storage (optional) • Implements renewal through proof of possession of the existing certificate's key • Requires SSL

  29. HTTP Based Enrollment: Enrollment policies UX [screenshot]

  30. HTTP Based Enrollment: Enrollment wizard • Added an additional step to the Enrollment Wizard: Enrollment Policy Entry [screenshot]

  31. HTTP Based Enrollment: Group Policy UX • Allows admins to publish policy servers to client machines • Ensures the policy server URI is valid • The same UX is used on client machines to configure local policy and user-configured entries

  32. HTTP Based Enrollment: Cross forest support [diagram: client workstations in the account forest reach the Certificate Enrollment Policy WS and the Certificate Enrollment WS in the resource forest over HTTP; the web services talk to the resource forest's Active Directory (AD) and CA]

  33. HTTP Based Enrollment: Web server scenario, enrollment and renewal • Admin logs on to a web server • Admin opens IE, browses to the public CA's web site and creates an account • Admin clicks OK in the elevation dialog, which: • Sets the policy server URL in the local policy store • Sets credentials for the policy server (admin or control) • Enrolls for this policy server • Dynamic enrollment policy • After enrollment is done, the certificate is installed

  34. HTTP Based Enrollment: Web server scenario, recover from revocation • System configured with a policy server entry • Cached username/password credentials • Enabled for auto-enrollment • CA revokes the system's certificate and publishes a new CRL • Within eight hours after the old CRL expires: • AE downloads the new CRL • AE marks the existing cert as revoked • AE retrieves policies from the policy server and enrolls for a new certificate

  35. HTTP Based Enrollment: Web server scenario, dynamic policy updates • System configured with a policy server • One enrollment policy for SSL: 1-year validity, 1024-bit key • Policy is refreshed every week • CA increases the key size to 2048 bits and updates the revision number on the enrollment policy object • Within a week: • AE downloads the new policies • AE marks the existing cert as archived • AE enrolls for a new certificate
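The two web server scenarios above (recover from revocation, dynamic policy update) describe one rule that the auto-enrollment client applies per cached enrollment policy. The model below is an added example, not Microsoft code: it keeps one usable certificate per policy, marks a certificate revoked when it appears on a freshly downloaded CRL, marks it archived when the policy object's revision has moved on, and reports which policies need a new enrollment. Policies, certificates and the CRL are constructed in-memory records standing in for what the real client gets from the policy server, the local certificate store and the CRL distribution point; the class names, field layout and reason strings are this example's own.

```python
"""Model of the auto-enrollment (AE) decisions in the web server scenarios.

Added example (not Microsoft code). Policies, certificates and the CRL are
constructed records; field names and reason strings are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    policy_id: str      # enrollment policy / template OID as returned by the policy server
    revision: int       # bumped by the CA admin when the policy changes (here: 1024 -> 2048-bit keys)
    key_size: int


@dataclass
class Cert:
    serial: str
    policy_id: str
    policy_revision: int   # revision of the policy the certificate was enrolled under
    not_after: datetime
    state: str = "valid"   # valid | revoked | archived | expired


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def plan_autoenrollment(policies, certs, crl, now):
    """Return [(policy_id, reason)] for every policy that needs a new enrollment.

    Side effect: certificates that are no longer usable get their state updated,
    as the AE client does in the local store. A CRL that is not current for
    'now' is rejected, because in the revocation scenario the decision is only
    taken after the fresh CRL has been downloaded.
    """
    if not (crl.this_update <= now <= crl.next_update):
        raise ValueError("CRL is not current; fetch a fresh CRL before deciding")

    actions = []
    for policy in policies:
        usable = False
        reasons = []
        for cert in certs:
            if cert.policy_id != policy.policy_id or cert.state != "valid":
                continue
            if cert.serial in crl.revoked_serials:
                cert.state = "revoked"
                reasons.append("revoked")
            elif cert.policy_revision < policy.revision:
                cert.state = "archived"
                reasons.append("policy-changed")
            elif cert.not_after <= now:
                cert.state = "expired"
                reasons.append("expired")
            else:
                usable = True
        if not usable:
            actions.append((policy.policy_id, reasons[0] if reasons else "no-certificate"))
    return actions


def scenario():
    """Constructed run: both slide scenarios, a policy with no certificate, and a healthy one."""
    now = datetime(2009, 1, 14, 9, 0, tzinfo=timezone.utc)
    year = timedelta(days=365)
    policies = [
        Policy("1.3.6.1.4.1.311.21.8.1.2.3.4.201", revision=2, key_size=2048),  # SSL policy, key size raised
        Policy("1.3.6.1.4.1.311.21.8.1.2.3.4.202", revision=1, key_size=2048),  # certificate got revoked
        Policy("1.3.6.1.4.1.311.21.8.1.2.3.4.203", revision=1, key_size=2048),  # nothing enrolled yet
        Policy("1.3.6.1.4.1.311.21.8.1.2.3.4.204", revision=1, key_size=2048),  # healthy
    ]
    certs = [
        Cert("1A", policies[0].policy_id, policy_revision=1, not_after=now + year),  # enrolled under revision 1
        Cert("1B", policies[1].policy_id, policy_revision=1, not_after=now + year),  # listed on the CRL below
        Cert("1C", policies[3].policy_id, policy_revision=1, not_after=now + year),
    ]
    crl = Crl(this_update=now - timedelta(hours=1), next_update=now + timedelta(days=7),
              revoked_serials=frozenset({"1B"}))
    return plan_autoenrollment(policies, certs, crl, now), certs


if __name__ == "__main__":
    actions, certs = scenario()
    for policy_id, reason in actions:
        print(f"enroll for {policy_id}: {reason}")
    print({c.serial: c.state for c in certs})
```

The timing in the slides (eight hours after the old CRL expires, or a week for a policy refresh) is outside the model: it is the interval at which the client runs this evaluation, and the CRL freshness check is what prevents it from deciding on stale revocation data.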

  36. Windows 7 Investments Strong Authentication Public Key Infrastructure Server Consolidation Improved Existing Scenarios HTTP Based Enrollment

  37. Strong Authentication: Biometric • New platform for biometric devices • Focused on fingerprint based authentication in consumer scenarios • New driver model and basis for a future certification program • Integrated user experience • Windows logon, local and domain • Device and feature discovery • Enterprise management • Disable the Windows Biometric Framework via Group Policy • Allow use for applications but not for domain logon

  38. Strong Authentication: Smart card • Smart card Plug and Play • Windows Update and WSUS/SUS based driver installation • Pre-logon driver installation • Non-admin driver installation • Smart card class mini-driver • NIST SP800-73-1 (PIV) support • INCITS GICS (Butterfly) support • Windows 7 smart card framework improvements • Improved support for biometric based smart card unlock • New APIs enabling secure key injection

  39. Strong Authentication: ECC based smart card logon • Windows 7 supports: • smart card enrollment for ECC certificates • logon with an ECC based certificate

  40. Strong Authentication: Strong authentication based access control • "Smart card required" checks for remote access

  41. Strong Authentication Biometric Smartcard

  42. Windows 7 Investments Strong Authentication Public Key Infrastructure Server Consolidation Improved Existing Scenarios HTTP Based Enrollment

  43. Q & A Meet me in the Ask-the-Experts pavilion! WEDNESDAY - DAY 3, 12:15 - 12:45

  44. Related Content • IDA02-ILL: Setting Up and Configuring Active Directory Certificate Services (AD CS): November 5, 09:00 - 10:15; November 6, 16:20 - 17:35 • IDA04-IS: All You Ever Wanted to Ask about Designing and Operating an Enterprise PKI: November 6, 14:40 - 15:55

  45. Now extended from 2 to 24 hours after session for more chance to WIN • Don't forget to complete your session feedback forms via the CommNet terminals or the Registered Delegate Pages for your chance to win a HTC Touch Dual! • With an amazing line up of international speakers, there are even more chances to win an evaluation prize! So make sure you submit feedback for all the sessions you attend! • http://www.microsoft.com/emea/teched2008/itpro/feedback.aspx

  46. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
