It's a matter of trust. Whether you're shopping on a Web site, engaging in online banking, or even reading a corporate e-mail, you must have a certain level of trust that the entity you're exchanging information with is actually who it says it is. Unfortunately, digital fraud and scams have become all too common. Fortunately, there are ways to protect yourself and your organization in the form of digital certificates.
Microsoft Active Directory Certificate Services provides the infrastructure for issuing and validating digital certificates in a corporate environment. With digital certificates, users can provide proof of their identities to corporate resources and confirm the identity of resources they access. Active Directory Certificate Services is Microsoft's implementation of a public key infrastructure (PKI), which secures information transfer and identity management and verification.
This chapter describes how a PKI works and defines the terms used to discuss a PKI and Active Directory Certificate Services. You learn how to install and configure the Active Directory Certificate Services role and how to configure and manage key elements of the role, such as certification authorities and certificate enrollments and revocations.
Introducing Active Directory Certificate Services
Active Directory Certificate Services (AD CS) is a server role in Windows Server 2008, referred to as Certificate Services in previous Windows versions. AD CS provides the services for creating a public key infrastructure (PKI) that administrators can use to issue and manage public key certificates. With AD CS, you can add a level of security for a variety of applications, including e-mail, wireless networks, virtual private networks (VPNs), Encrypting File System (EFS), smart cards for user logons, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and others. This section describes the basic components of a PKI and defines several terms used in implementing PKIs and AD CS.
Public Key Infrastructure Overview
A public key infrastructure (PKI) is a security system that binds a user's or device's identity to a cryptographic key that secures data transfer with encryption and ensures data authenticity with digital certificates. PKI provides the following services to a network:
Confidentiality — Data and communications are protected by encryption algorithms, allowing only the authorized parties to access information.
Integrity — Ensures that data received is the same as data sent.
Nonrepudiation — Ensures that a party in a communication can't dispute the validity of the transaction, much like a signature on a letter or contract is used to verify that the signatory wrote the letter.
Authentication — Verifies the identity of a person or system involved in a transaction.
Before going into the details of a PKI, first you need to understand why this service is necessary. Suppose you want to do some online banking, a transaction you want to be confidential. You open your Web browser and go to www.mybank.com. You enter your logon information and proceed with your transaction. Without some type of security system in place, a number of things can go wrong with this procedure, as in the following examples:
• DNS servers could be compromised, replacing the IP address of www.mybank.com with the IP address of a fraudulent site. All your logon information, including, perhaps, your account number, is actually being sent to the fraudulent Web site and could be used to access your real account. Without some type of security system in place, you can't be sure of the authenticity of the server you're communicating with.
• Someone could be electronically eavesdropping on your conversation. You might actually be communicating with www.mybank.com, but someone could be “listening” to the conversation with a packet-capturing program, which means your transaction is not confidential. The packets can be examined to find your logon information and account information for later use.
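To make the authenticity problem concrete, here is an added PowerShell example (not from the book) of the check a TLS client performs before it trusts a server: it connects, lets the platform validate the presented certificate, and reports whether that certificate chains to a trusted CA and was issued for the name that was requested. The host name www.mybank.com is the book's placeholder, and the function name and output fields are this example's own.

```powershell
# Added example, not from the book: the identity check a TLS client performs
# before trusting a server. The name "www.mybank.com" is the book's example
# host; nothing here depends on that site existing.
function Test-ServerIdentity {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $script:policyErrors = $null
    # The platform validates chain and name during the handshake and reports the
    # outcome here. We only record it, so the handshake completes and the
    # certificate can be examined; the trust decision is made below.
    $recordErrors = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        return $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $recordErrors)
        $tls.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        $e = $script:policyErrors
        [pscustomobject]@{
            RequestedHost = $HostName
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            # Chain check: does the certificate chain to a CA this machine trusts?
            ChainTrusted  = -not ($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
            # Binding check: was the certificate issued for the name we asked for?
            NameMatches   = -not ($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
            PolicyErrors  = $e
        }
    }
    finally {
        if ($tls) { $tls.Dispose() }
        $tcp.Close()
    }
}

# A site reached through a spoofed DNS answer may present some certificate, but
# it cannot present one for www.mybank.com issued by a CA this machine trusts,
# so ChainTrusted, NameMatches, or both will be $false in the output.
Test-ServerIdentity -HostName 'www.mybank.com' | Format-List
```

A browser applies the same two checks automatically and refuses the connection when either fails; this function only makes the outcome visible.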