Root and Policy CAs - Best Practices for Patches/Updates

[Max]

What is the best practice for Root and Policy CAs that are kept
offline as far as Windows Updates, Patches, Service Packs, etc.?
Should they be applied on a regular basis? Should every critical
update be applied, or only updates that directly effect certificate
services?

How often (if ever) should updates be applied and what updates (just
service packs?)?

If I ever called Microsoft Support with an issue on a offline Policy
CA, is the first thing they're going to ask me is my server entirely
up to date with Service Packs/Patches?

Thanks,
Max

 

[Brian Komar]

Subject: Root and Policy CAs - Best Practices for Patches/Updates
From: Max <[email protected]>
Newsgroups: microsoft.public.win2000.security

What is the best practice for Root and Policy CAs that are kept
offline as far as Windows Updates, Patches, Service Packs, etc.?
Should they be applied on a regular basis? Should every critical
update be applied, or only updates that directly effect certificate
services?

How often (if ever) should updates be applied and what updates (just
service packs?)?

If I ever called Microsoft Support with an issue on a offline Policy
CA, is the first thing they're going to ask me is my server entirely
up to date with Service Packs/Patches?

Thanks,
Max

I would recommend attempting to keep up to date with service packs and
patches by using windows update. The Windows Catalog allows you to
download patches and burning them to a CD-ROM for installation at the
remote server.

To be honest, it is up to the organization to make this determination.
Are you planning to attach the offline CAs to a network at all? Are you
planning to virus scan any media inserted into the offline CA (floppy
disks, USB tokens, CD-ROMs).

Any contact with external computers and data is a risk that you have to
choose whether to risk exposure to the offline CA.

Brian