Configuring an Enterprise wireless solution with encryption


Harrison Midkiff

Hello:

I am in the process of finalizing a project where I am using encryption
on my wireless network with certificates issued by a Certificate Server. So
far everything has been working on my lab network. I have the approval for
a new server which will be Windows 2003. Part of the reason I am getting
this is because it will be a CA server. In addition the server is also
supposed to run RADIUS, RAS (dial-up), DHCP and AntiVirus. None of these
services are resource hogs.

I am curious what people think of installing Certificate Services on a
server like this. I know that once I install it, the server will be permanent.

Harrison Midkiff

Joe Richards [MVP]

You don't say anything about the environment but if tearing out the old CA
structure and rebuilding from scratch would be fairly painful in the event of
compromise or other issue then you want more than one CA server. You will want a
root that you will keep offline and one or more CA servers for actually giving
out the certs. You also want a CDP that is guaranteed to always be available as
many products will refuse to use a cert if the CRL isn't readily available when
it wants it.

Bob Qin [MSFT]

Hi Harrison,

If your domain is Windows 2000 AD, to set up a Windows Server 2003 CA, the
Active Directory schema must be upgraded to the Windows Server 2003 schema.
You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.

The schema is updated to the Windows Server 2003 schema by running ADPREP
/Forestprep at a Windows 2000 domain controller with the Windows Server
2003 CD-ROM in the CD-ROM drive.

I would like to recommend that you refer to the Windows Server 2003 help
files and the following two public whitepapers.

http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Harrison Midkiff

Bob:

I appreciate your reply to my post. I am in the process of reviewing the
white papers. One question if I may...

I need to deploy a CA server to enable me to do secure wireless with
certificates. I know the best practice is to install an Enterprise Root CA
and then an Enterprise Subordinate Root CA. Once the subordinate is online
you remove the root CA and put it in a safe location. A friend of mine said
that was just in a perfect Microsoft world and it was not necessary, so I
could just do a single Enterprise Root CA.

What are your thoughts on that?

Harrison Midkiff

Joe Richards [MVP]

That actually isn't a Microsoft guideline, that is a Cert Authority best
practice. Here is a paper from SANS that discusses root CAs.

http://www.sans.org/rr/papers/63/1322.pdf

Like I said in the previous post, if compromise or loss of your root causing a
complete rebuilding from scratch of your PKI environment is ACCEPTABLE to you,
you do not need a root CA.

If that is not acceptable, you need a root. The root will be offline and any
publishing of CRLs or certs from it will require the Nike Express (hands and
feet) for publishing. You will write the info to a CD or floppy or some other
transportable media and carry to a device that is on the network.

If an intermediate is compromised, you can use the root to invalidate all certs
from it and still keep your PKI infrastructure up and running. If your root is
compromised you throw it all out and start over.

Note my experience is corporate experience. If your friend said what he said to
you in any of the companies I have been with they would have tossed him out the
door and wouldn't have taken the time to see if he landed.


joe
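The manual publishing loop for an offline root that Joe describes above, together with the "is the CRL reachable" check from his first reply, written out as certutil.exe commands. This is an added example, not code from the thread or from Microsoft, and it is typed at a PowerShell prompt (the same certutil syntax works from cmd, with %WINDIR% in place of $env:WINDIR). The CA names (CorpRootCA, CorpIssuingCA), host names (rootsrv, pki.example.com), forest DN, the E: drive letter and the CRL and validity periods are all assumptions chosen for the illustration.

```powershell
# Added example, not from the thread. Offline-root publishing and CDP checks
# with certutil.exe. Every name below is an assumption for illustration:
# root CA "CorpRootCA" on host "rootsrv", issuing CA "CorpIssuingCA",
# forest corp.example.com, HTTP CDP host pki.example.com, removable media on E:.

# ---------- 1. On the offline root CA (never domain-joined, never on the LAN) ----------
# The root cannot look up its forest, so tell it where the CDP/AIA containers live.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=corp,DC=example,DC=com"

# Long CRL lifetime with overlap: one courier run every 26 weeks, and the old CRL
# stays valid for two extra weeks if the courier is late.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
# No delta CRLs from an offline root; nobody is there to publish them.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# CDP flags: 1 = write the file here, 2 = put URL in issued certs, 8 = put URL in CRLs.
# Only the HTTP and LDAP URLs reach clients; the local path is just where the file lands.
certutil -setreg CA\CRLPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/certenroll/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
# AIA: where clients fetch the root certificate itself.
certutil -setreg CA\CACertPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/certenroll/%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

# Subordinate CA certificates signed by this root live 10 years (assumed policy).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

net stop certsvc
net start certsvc
certutil -crl        # writes a fresh CRL into %WINDIR%\system32\CertSrv\CertEnroll

# Carry the root certificate and CRL out on removable media (the "Nike Express").
copy "$env:WINDIR\system32\CertSrv\CertEnroll\rootsrv_CorpRootCA.crt" E:\
copy "$env:WINDIR\system32\CertSrv\CertEnroll\CorpRootCA.crl" E:\

# ---------- 2. On any domain-joined machine, as an Enterprise Admin ----------
# Publish the root as a trusted root CA and its CRL into the AD CDP container
# (the trailing "rootsrv" names the CDP container, matching %2 in the LDAP URL).
certutil -dspublish -f E:\rootsrv_CorpRootCA.crt RootCA
certutil -dspublish -f E:\CorpRootCA.crl rootsrv
# Drop the same files on the HTTP CDP so non-domain clients can fetch them
# (assumed: the web server exposes its certenroll directory as a share).
copy E:\rootsrv_CorpRootCA.crt \\pki.example.com\certenroll\
copy E:\CorpRootCA.crl \\pki.example.com\certenroll\
gpupdate /force

# ---------- 3. Checks a client (or the issuing CA) should pass ----------
# Walk the chain AND fetch every CDP/AIA URL; a dead URL shows as a failed retrieval.
certutil -verify -urlfetch E:\CorpIssuingCA.crt
# Know when the next courier run is due before clients start rejecting certificates.
certutil -dump E:\CorpRootCA.crl | findstr /i "ThisUpdate NextUpdate"
```

Step 3 is the part to automate: if `-urlfetch` fails on the issuing CA's certificate, or the root CRL's NextUpdate is close, products that insist on a reachable CRL will start refusing the wireless client certificates before anyone notices the root needs a visit.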

Bob Qin [MSFT]

Hi Harrison,

Your friend's suggestion is not recommended.

Please refer to the following documents for more information:

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure
http://www.microsoft.com/security/guidance/prodtech/WindowsServer2003.mspx

Microsoft Solution for Securing Wireless LANs
http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

Securing Wireless LANs with PEAP and Passwords
http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

Designing and Deploying Wireless LAN Connectivity for the Microsoft
Corporate Network
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/wlandply.mspx

Hope they help.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation


Harrison Midkiff

Bob:

Thanks for your reply to my post....

I have been doing a lot of research on deploying a CA server. The initial
purpose for my CA will be for issuing certificates for wireless users so the
traffic will be encrypted. I have read that I can use an Enterprise Root or
Stand Alone Root. Because of the integration of the Enterprise Root with
Active Directory I think I should deploy it. A member of our team seems to
be adamantly against this, but cannot give me any reasons. I do not want
to discount his objections when it comes to security.

What are your thoughts on this? Thanks

Harrison Midkiff

Joe Richards [MVP]

Kind of hard to respond to someone who won't give you any reasons. Plus, what is
it that you could say that could change their mind? Obviously they don't know
themselves what they don't like about it.

Bob Qin [MSFT]

Hi Harrison,

Generally speaking, a single Enterprise Root CA can also work. But it is
not the best practice for CA deployment.

The root CA role is very important in any organization. It is a point that
is explicitly trusted by all users and devices in your organization. So it
is highly desirable to protect the root CA private key as much as possible.
One of the best ways of doing this is to disconnect the CA from the network
so that access to it is extremely limited. Then we can use the Subordinate
Root CA to issue certificates.

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation
