Certificate Authority Help

I have to deploy a RADIUS server, and have chosen to use MS IAS along with MS Certificate Authority to prove my users' identity with a Digital Certificate. I will administer this solution on approximately 15 police vehicles with an "in-car" computer using a high-speed wireless broadband card. However, I have about 30 police officers that will routinely log into any one of those vehicles when their shift begins. For example, Officer A could potentially log into Vehicle 1, Vehicle 2, Vehicle 3, and so forth. This could exponentially increase my need for user certificates, right? Because I have installed MS Certificate Authority Services on Server 2003 Standard, will I max out at the 50-user limit? Should I request 'user' or 'computer' certificates for each in-car computer system? I'm hoping to find someone with a lot of experience in deploying the Certificate Authority services in a 2003 environment, because I have zero!
Thank you!

#2
Re: Certificate Authority Help

At what point does authentication take place? If it's during user login you'll need some type of smart card and user certificates.

If it's the device that authenticates you'll need a machine cert per device.

You have one thousand options and step one is spending a few days reading about PKI on TechNet.


#3
Re: Certificate Authority Help

I have been reading a lot about PKI lately. I'm trying to accomplish two-factor authentication on our remote "in-car" computer systems. Because we are a police agency, we have to abide by some DOJ (Department of Justice) security policies. One of the methods to employ is RADIUS. As far as I know, two-factor authentication is "something you know, and something you have". So the end user would "know" a password, and "have" a digital certificate. It would be to our benefit if I could use a device-level certificate as I only have 2003 Standard and do not want to exceed the 50-user limit. I'm having a problem getting the gears moving in the right direction for this whole project. I think I have the pieces of the puzzle, but might need some help getting the entire picture in place. Things I've done so far:
Installed MS IIS on server A
Installed MS IAS on server A
Installed MS CA on server A
Enabled the RADIUS protocol on server B (planned to be the NAS)

I can browse to server A and submit requests for certs, however at the moment I can only retrieve "User" certs, not "Computer" certs.

I have no one here in my department to lean on for advice or direction, I am it. And if I am it, then we're jacked.... JK... where are you located Garen?

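The "machine cert per device" option from #2, and the problem in #3 of only being able to pull User certificates through the web enrollment pages, come down to where the request is generated: a request made from the computer context, with the key in the machine store, is what yields a Computer certificate. The following is an added example, not something posted in this thread, showing how that request is made with certreq on one in-car PC against an enterprise CA. The CA config string SERVERA\PoliceIssuingCA, the host name car01.police.local and the working directory are assumptions for the example; the "Machine" template name is the built-in v1 Computer template.

```powershell
# Added example (not from the thread): enroll one in-car computer for a
# Computer certificate with certreq. Run in an elevated session on the in-car
# PC so the key can be created in the machine store.
# Assumed placeholders: $CaConfig and $Hostname.

$CaConfig = 'SERVERA\PoliceIssuingCA'   # "<CA host>\<CA common name>" (certutil -dump shows it)
$Hostname = 'car01.police.local'
$Work     = "$env:TEMP\machine-cert"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq INF. MachineKeySet=TRUE puts the private key in the computer's store
# (not the logged-on officer's), Exportable=FALSE keeps it from being copied
# off the laptop, and CertificateTemplate=Machine asks for the built-in v1
# Computer template, which a Standard-edition enterprise CA can issue.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
; Client Authentication; the template applies this anyway, it is listed so the
; request itself documents what the cert is for (EAP-TLS/PEAP client auth)
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = Machine
"@
Set-Content -Path "$Work\machine.inf" -Value $Inf -Encoding ASCII

# 1. Build the PKCS#10 request; the key pair is generated in the machine store here
certreq.exe -new "$Work\machine.inf" "$Work\machine.req"
# 2. Submit to the enterprise CA; the Computer template issues immediately when
#    the computer account has Enroll permission on it
certreq.exe -submit -config $CaConfig "$Work\machine.req" "$Work\machine.cer"
# 3. Bind the issued certificate to its private key in LocalMachine\My
certreq.exe -accept "$Work\machine.cer"

# Check: the certificate is in the computer store, has its private key, and
# carries the Client Authentication EKU that IAS will look for
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Hostname" } |
    ForEach-Object {
        $ekuExt = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509EnhancedKeyUsageExtension] }
        $eku = ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ','
        "{0}  HasPrivateKey={1}  EKU={2}" -f $_.Thumbprint, $_.HasPrivateKey, $eku
    }
```

The same INF, minus MachineKeySet, is what produces a User certificate; that is the only difference between the two kinds of request as far as the CA is concerned, which is why the choice in #2 (who authenticates: the officer or the vehicle) should be made before any certificates are handed out.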

#4
Re: Certificate Authority Help

What 50 user limit do you mean?
Marcel
Technical Consultant
Netherlands
http://www.phetios.com
http://blog.nessus.nl

MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
"No matter how secure, there is always the human factor."

"Enjoy life today, tomorrow may never come."
"If you're going through hell, keep going. ~Winston Churchill"


#5
Re: Certificate Authority Help

My apologies. I have been reading so many different tech notes that I mistakenly mixed up my CA info with that of IAS. IAS has a 50 client maximum (for Standard 2003). But my focus is to get this entire solution to work and it's pretty difficult as I don't know a lot about Microsoft CA. I guess I'm looking for someone to bounce ideas off of, but at the same time trying not to reinvent the wheel in this deployment.


#6
Re: Certificate Authority Help

I think you are confused with the terminology.
With 50 RADIUS clients they mean 50 devices that a user would use to connect to, such as a VPN server or a WAP.

With Microsoft CA, well, it isn't actually that hard, however it can be quite confusing.
I really recommend you to read a book about this before diving into it.
2008 version: http://www.amazon.com/Windows-Server...8133866&sr=8-1
2003 version: http://www.amazon.com/Microsoft-Wind...8133866&sr=8-6

These books really explain a lot about how to set up a PKI environment.

Anyhow, set up an offline root CA, and 1 or 2 (or so) issuing CAs. If you install those issuing CAs on a Windows 2003 Enterprise server you can benefit from the auto-enrollment option.
Marcel


#7
Re: Certificate Authority Help

I was confused in that I was suggesting that I could only have 50 clients pull certificates. However, I now realize that I mixed up the two products. We have a tight budget and only have 2 servers that will be handling this entire solution. I have installed MS CA, IIS, and IAS on the same 2003 Standard server - is that a bad idea? My environment is not big and this deployment will only benefit less than 20 cars and 35-40 police staff. I have created AD groups specifically for these users and will only add them to the RADIUS authentication process. Thanks a lot Marcel for the book idea, but it looks like I'll be jumping in head first and trying not to break anything along the way.


#8
Re: Certificate Authority Help

There might be 2 problems with this:
1) Since you are not using an Enterprise server you can't do auto-enrollment. So each certificate has to be deployed manually. It can take a lot of work doing so.
2) Without an offline root CA it can become a true nightmare if it gets breached.

Personally I really would start reading the books to make it more clear.

This might also be interesting, but with quite a bit less info than in the books:
http://www.windowsecurity.com/articl...ide-Part1.html
And as an addition: http://technet.microsoft.com/ru-ru/l...8WS.10%29.aspx
Marcel


#9
Re: Certificate Authority Help

Thanks a lot for the additional info and articles. I'm going to look into them right now. I've read about the auto-enrollment option, but I just don't have the luxury of 2003 Enterprise at the moment. Thankfully I have less than 20 mobile units to deploy this to. I will have to live with manually adding the certs.
Hopefully my server will not be breached. It sits behind a nicely configured firewall, and the only way to get to it from the "outside" would be through our VPN (which is heavily guarded and well maintained). Let me look over these two articles you sent me and if you don't mind, I might have a question or two later.

Again, thanks a lot!

Joey


#10
Re: Certificate Authority Help

How would an offline root help in this scenario? I imagine he will have less than 100 certificates handed out from a single CA.

If that CA gets hacked, he has to reissue everything whether he has an offline root or not. I think those only come into play in major enterprises with 1000s of certs spread out among different divisions with each CA being a child. In that case if one division is hacked they just axe that child CA and rebuild from there.

I could be wrong but I always saw the offline root recommendation as a way to sell more licenses.

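Posts #6, #8 and #10 argue about what an offline root buys a deployment this small. What the separation actually changes is the trust anchor: every in-car PC trusts the root, the root signs only the issuing CA's certificate and an infrequent CRL, and the CA that talks to the network is the issuing CA. If the issuing CA is compromised, the root (kept powered off between its two jobs) revokes that one certificate and a new issuing CA is stood up under the same root; the clients' trust store does not change, only the end-entity certificates are reissued. Below is an added example, not from the thread, of the configuration that makes the root practical to keep offline. The CA and host names (pki.police.local) are placeholders; the registry value names and CAPolicy.inf keys are the standard ones for a Windows Server 2003 standalone CA.

```powershell
# Added example (not from the thread): settings for a standalone root CA that
# is kept offline. The root's CRL is valid for 26 weeks, so the machine only
# needs to come up twice a year to re-sign it (and to sign a replacement
# issuing CA certificate if one is ever needed).
# Assumed placeholders: the http://pki.police.local/ publication host.

# 1. CAPolicy.inf must be in %WINDIR% BEFORE the CA role is installed on the
#    root machine; it shapes the self-signed root certificate itself.
$CaPolicy = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0

; a self-signed root must not point at a CDP or AIA location
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
"@
Set-Content -Path "$env:WINDIR\CAPolicy.inf" -Value $CaPolicy -Encoding ASCII

# 2. After the standalone root CA is installed: certificates it issues (only
#    the issuing CA's) live 5 years, and its CRL and CA certificate are
#    published to a local file (flag 1) and advertised at an HTTP URL (flag 2)
#    that every in-car PC can reach through the VPN. certutil takes the
#    literal two characters "\n" as the separator between URL entries.
certutil.exe -setreg CA\ValidityPeriodUnits 5
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\CRLPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.police.local/CertEnroll/%3%8%9.crl"
certutil.exe -setreg CA\CACertPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.police.local/CertEnroll/%1_%3%4.crt"
Restart-Service certsvc
certutil.exe -crl   # write a fresh CRL; copy the .crl and .crt from CertEnroll to the web host

# 3. Twice a year, and whenever the issuing CA is rebuilt: bring the root up,
#    revoke the old issuing CA certificate if it was compromised (reason code
#    1 = KeyCompromise), publish a new CRL, copy it to the web host, power off.
# certutil.exe -revoke <serial-of-old-issuing-ca-cert> 1   # placeholder serial
# certutil.exe -crl
```

The 26-week CRL period is the whole reason the root can stay off the network: clients checking the issuing CA's certificate only need a CRL from the root that has not expired, and they fetch it from the HTTP location, never from the root machine itself. The issuing CA keeps a short CRL period of its own, since that is where the per-car and per-officer certificates are revoked.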

#11
Re: Certificate Authority Help

I've begun reading the article from windowsecurity.com and they are explaining the usage of a 2 or 3-tier PKI environment. I just don't have the option for a multi-server solution or an Enterprise server. I am really hoping to run this small CA deployment on a single server. It can be done that way, right?


#12
Re: Certificate Authority Help

Yes, you can, of course...
Personally I work for enterprise organisations and if we build a PKI environment we always use a 2 or 3 tier build.
Marcel


#13
Re: Certificate Authority Help

With what has been said so far, I'm going to ask about re-deploying another server for this purpose. I don't want to stray too far from normal and/or best practices for this project. I've asked my supervisor to look into Enterprise costs; I'll see what I can come up with over the next few days.


#14
Re: Certificate Authority Help

Personally I really think you should start reading the books and see what fits your needs.
I'm really sure it will help you make the decisions.

Btw, have you already thought about something else... Token authentication for example?
Marcel


#15
Re: Certificate Authority Help

Tokens are a nice idea, but the additional cost and amount of user interaction would be too much for these people! I want something that runs seamlessly in the background so my end user doesn't really have to worry about doing anything in addition to what they currently have to do. People don't appreciate change..
Last edited by ITGuyinLB; 13th November 2009, 23:56.