1 / 29

CN2140 Server II

CN2140 Server II. Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS , MCDST, MCP, A+. Agenda. Chapter 10: Maintaining Network Health Exercise Lab Quiz. Public Key Infrastructure.

Download Presentation

CN2140 Server II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

  2. Agenda • Chapter 10: Maintaining Network Health • Exercise • Lab • Quiz

  3. Public Key Infrastructure • Allow two parties to communicate securely, without any previous communication, through the use of public key cryptography • Public key cryptography stores a public key for each participant in a PKI • Each participant also possesses a private key • By combining the public key with private key, one entity can communicate with another entity in a secure fashion without exchanging any sort of shared secret key beforehand • A shared secret key is a secret piece of information that is shared between two parties

  4. Certificate Authority (CA) • An entity that issues and manages digital certificates for use in a PKI • For Server 2008, it requires AD CS server role • CAs are hierarchical (One root and several subordinate CAs) • Three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers

  5. Digital Certificate • The digital certificate contains • The certificate holder’s name • Public key • The digital signature of the Certificate Authority that issued the certificate • The certificate’s expiration date

  6. Digital Signature • Proves the identity of the entity that has signed a particular document • A digital signature indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox

  7. Certificate Practice Statement and Certificate Revocation List • Certificate Practice Statement (CPS) • Provides a detailed explanation of how a particular CA manages certificates and keys • Certificate Revocation List (CRL) • This list identifies certificates that have been revoked or terminated, corresponding user, computer, or service • Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date

  8. Certificate Templates • Templates used by a CA to simplify the administration and issuance of digital certificates

  9. Self-Enrollment and Enrollment Agents • Self-Enrollment • This feature enables users to request their own PKI certificates, typically through a Web browser • Enrollment agents • These are used to request certificates on behalf of a user, computer, or service • You can use either self-enrollment or enrollment agents

  10. Autoenrollment • Supported by Windows Server 2003 and later • Allows users and computers to automatically enroll for certificates based on: • One or more certificate templates • Group Policy settings in Active Directory • Certificate templates that are based on Windows 2000 will not allow auto-enrollment

  11. Recovery Agent • These agents are configured within a CA to allow users to recover private keys for users, computers, or services if their keys are lost

  12. Key Archival • This is the process by which private keys are maintained by the CA for retrieval by a recovery agent • In a Windows PKI implementation, users’ private keys can be stored within AD

  13. Windows Server 2008 and Certificate Services • The AD CS server role consists of the following services and features: • Web enrollment • Online Responder • Responds the requests from clients about the certificate status • Online Certificate Status Protocol (OCSP) • Network Device Enrollment Service (NDES) • To enroll the hardware-based routers and other network device for PKI certificates

  14. Types of CAs • When deploying a Windows-based PKI, two different types of CAs can be deployed: • Standalone CA • Not integrated with AD • It requires administrator intervention to respond to certificate requests • Enterprise CA • Integrated with AD • Can use certificate templates

  15. Revocation Configuration • To make revocation information available • Each individual CA must be configured with its own revocation configuration • Certificate revocation information can come from any 2003, 2008, or non-Microsoft CAs • Certificate revocation information is used to determine the validity of certificates • Clients connect to alternate resources, such as Web servers or LDAP directories, where the CA has published its revocation information instead of root CA

  16. Managing Certificate Enrollments • In AD environment, you can automate the distribution of certificates using any combination of the following features: • Certificate templates • By controlling the security settings associated with each template • Full control / Read / Write ACL • Enroll / Autoenroll • Allows users or computers to request / automatically obtain the certificate • Group Policy • To establish autoenrollment settings for an AD domain • Windows Settings\Security Settings\Public Key Policies

  17. Making Certificate Enrollments • In a non-AD environment, clients can enroll manually for certificates using either of the following: • Certificate Request Wizard • Allows a user to create a cert request file using the Certificates MMC snap-in to generate a certificate based on the request • Certification Authority Web Enrollment • Allows users to manually request certificates using a Web interface • By default at https://CA Name/certsrvon a CA that is running the service

  18. Key Archival and Recovery • In an AD environment, the use of key archival on one or more CAs, which will store an escrow copy of each certificate's private key on the CA in case it needs to be restored for any reason • A private key can be restored by one or more key recovery agents

  19. Maintaining a Windows Server 2008 CA • In Windows Server 2008, you can assign users to one or more of the following predefined security roles within Certificate Services: • CA Administrator • Certificate Managers • Issue, approve, deny, revoke, recover achieved keys • Backup Operators • Auditors • Read audit logs, read record and configuration info in the CA database

  20. Network Access Protection • Network Access Protection includes a number of built-in enforcement methods, which define the mechanisms that NAP can use: • DHCP enforcement • Internet Protocol Security (IPSec) enforcement • VPN enforcement • 802.1X enforcement • Terminal Services Gateway (TS Gateway) enforcement

  21. DHCP Enforcement • Uses DHCP configuration information to ensure that NAP clients remain in compliance • If a NAP client is out of compliance, the client have limited network access until the compliance issue is resolved

  22. Internet Protocol Security (IPSec) Enforcement • Uses IPSec that has been secured by specially configured PKI certificates known as health certificates, which are issued to clients that meet defined compliance standards. • If clients cannot provide the necessary health certificate, they will not be able to participate in IPSec-secured traffic

  23. VPN enforcement • Restricts the level of network access that a remote access client can obtain, based on the health information • For example, you may define a NAP policy in which corporate laptops receive full network access upon creating a VPN connection, whereas clients connecting to VPN using their home computers will receive access only to a limited subset of corporate resources.

  24. 802.1X enforcement • Uses 802.1X-aware network access points, such as network switches or wireless access points, to restrict network access of noncompliant resources

  25. Terminal Services Gateway (TS Gateway) enforcement • Integrates with Terminal Services functionality • Allows authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device • NAP can restrict connection attempts by TS Gateway clients

  26. Components of NAP • The overall architecture of NAP involves the following components: • NAP client-side components • NAP Enforcement Client (EC) • One or more System Health Agents (SHAs) • Maintains info and reports the health of a NAP client • Client side API for both the enforcement Client and System Health Agent components • For third party vendors to make their own ECs and SHAs • The NAP Agent • Maintains and reports the health of a NAP between EC and SHA

  27. Components of NAP • NAP server-side components • NAP Enforcement Server (ES) • One or more System Health Validators (SHVs) • A NAP Health policy server • NAP administration server • NPS service • Health requirement servers • Remediation servers • To provide an exception to access the network such as to WSUS or Anti-virus update

  28. How does NAP works • Computer A connect to the network • Built-in SHA create Statement of Health (SOH) • SHA passes SOH to the NAP Agent on the client • NAP Agent creates a System Statement of Health (SSOH) then passes on to the NAP EC • EC passes the SSOH to the ES then passes to Administration Server • NAP Admin Server takes individual SOH and pass it to SHV • SHV examines the SOH then create Statement of Health Response (SOHR) indicate any actions • Each SHV passes its SOHR back to NAP Admin Server, then passes on to NPS Service • NPS Service combines each SOHR in to a System Statement of Health Response (SSOHR), then pass SSOHR back to the ES to respond back to client

  29. Assignment • Summarize the chapter in your own word • At least 75 words • Due BEFOREclass start on Thursday • Lab 10 • Due BEFORE class start on Monday

More Related