Configuring Windows 2000 Server Security: Microsoft Windows 2000 Public Key Infrastructure

Figure 10.9 This is a certificate authority's hierarchical structure.

The certificate authority model is designed as a hierarchy that contains multiple certificate authorities with defined parent-child relationships. The certificate authority at the very top of the hierarchy is referred to as the root CA. Each child CA is certified by a certificate issued to it by its parent. One advantage of a hierarchical structure over a flat one is that few explicit trusts are needed: a client that trusts the root certificate authority transitively trusts every subordinate CA and every end-entity certificate that chains up to that root.

The Microsoft Management Console Certificates snap-in is the administrative tool used to specify which certificate authorities to trust. Through this snap-in, the trusted root certificate authorities are defined so that clients use the proper certificate authority when verifying certificates. If you create your own certificate authority, add its certificate to the Trusted Root Certification Authorities store so that it is honoured as a trusted certificate authority. The trust created by default applies to only one computer; through the Group Policy editor, the same certificate authority can be pushed as a trusted root to every computer in the scope of the policy. If there is a certificate authority that you do not want to trust, make sure that its certificate is removed from the trusted root store, because anything it has signed will otherwise be accepted.

The hierarchical model also allows trust relationships with other organizations to be implemented easily. For example, if ABC Corporation is a subordinate certificate authority of a public root of which XYZ Corporation is also a subordinate, the two corporations automatically trust each other's certificates, because both chain to the same root. Note that this cuts both ways: trusting the shared public root means trusting every other subordinate of that root as well, not only the intended partner. Figure 10.9 shows the relationship between the two companies and the root certificate authority.

The certificate authority has numerous properties that are tied to its use. The administrator can use the Certificates snap-in to specify the certificate policy that controls the generation and use of certificates by the CA,
as shown in Figure 10.10. Once specified, these properties restrict the purposes for which a certificate is valid. A user may be able to use the certificate to secure mail but not be allowed to use the certificate's private key for digital signatures. These purposes may be restricted in any combination:

Figure 10.10 These are certificate authority properties.

• Server authentication
• Client authentication
• Code signing
• E-mail
• IP Security end system
• IPSec tunnel
• IPSec user
• Timestamping
• Microsoft Encrypted File System

To make the public key infrastructure transparent to the user, Windows 2000 supports automatic certificate enrollment, which is controlled by certificate types and auto-enrollment objects. Both of these elements are integrated with Group Policy objects, so they can be defined at the site, domain, organizational unit, computer, or user level.

(Configuring Windows 2000 Server Security, by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT; Debra Littlejohn Shinder, MCSE, MCP+I, MCT; and D. Lynn White, MCSE, MCPS, MCP+I, MCT. Syngress Publishing, Inc. ISBN: 1928994024. Pub Date: 06/01/99. Source: http://corpitk.earthweb.com/reference/pro/1928994024/ch09/09-07.html)

Certificate Enrollment and Renewal

Certificate types are templates used to define the policies that control the generation and use of a certificate. A template is identified by a common name that usually corresponds to the group for which the template was designed, such as a template named Engineers. The template defines the components that will be incorporated into the certificate, such as:

• Name requirements
• Expiration date
• Cryptographic service provider
• Public key generation algorithm

Templates are created for users and for computers through the use of
the Template Creation Wizard.

Smart Card Logon

Smart card logon is controlled by the policy established on the user object. The policy can be set in one of two ways. The first is to require smart card logon, so that password-based logon is not available for the account. The disadvantage of setting the policy this way is that the user must have both the smart card and a computer with a smart card reader available in order to log on. The second is to enable smart card logon while still allowing password-based logons on the network. Both settings add protection against unauthorized access, but only the first removes the password as an attack path; with the second, the account is still only as strong as its password.

Applications Overview

The Public Key Infrastructure gives the Windows 2000 operating system a way to integrate the services and tools that manage public-key-based applications. As application programmers implement the secret-key or public-key security model in their code, organizations gain new security functionality. Some applications already have public key mechanisms available, because their programmers have made use of the Public Key Infrastructure. Once the Public Key Infrastructure has been configured, an application can use public key cryptography; if the application is correctly written, the entire encryption process remains transparent to the user.

Web Security

Windows 2000 provides support for both Secure Sockets Layer/Transport Layer Security (SSL/TLS) and Server Gated Cryptography (SGC) to secure Web communications. Server Gated Cryptography is an extension to SSL 3.0 that was defined to secure online banking sessions; it let export-restricted browsers negotiate strong (128-bit) encryption with a server that held an SGC certificate. Transport Layer Security can be used to access any kind of Web site
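The usage restrictions listed in Figure 10.10 end up inside the issued certificate as two X.509 extensions: the purposes (server authentication, client authentication, code signing, e-mail, IPSec, timestamping, EFS) are object identifiers in the Extended Key Usage extension, and the "may not use the private key for digital signatures" case is a separate bit in the Key Usage bit string. The following added example, written for this page and not taken from the book or from Windows 2000 itself, decodes both extensions from their DER encoding with the Python standard library only and applies the rule a relying party uses: a certificate with no EKU extension is unrestricted, otherwise the requested purpose (or anyExtendedKeyUsage) must be listed. The OIDs are the standard RFC 5280 values and Microsoft's EFS and smart card logon OIDs; the sample extension values are constructed inline rather than taken from a real certificate, and the function names are my own.

```python
"""Decode the X.509 usage restrictions a CA stamps into a certificate
(Extended Key Usage and Key Usage) and answer: may this certificate be
used for purpose X?  Added example for this page, not the book's code."""

from typing import Optional

# Purposes from Figure 10.10 as Extended Key Usage (EKU) OIDs
# (RFC 5280 id-kp-* values; the last two are Microsoft's).
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "Server authentication",
    "1.3.6.1.5.5.7.3.2": "Client authentication",
    "1.3.6.1.5.5.7.3.3": "Code signing",
    "1.3.6.1.5.5.7.3.4": "E-mail",
    "1.3.6.1.5.5.7.3.5": "IP Security end system",
    "1.3.6.1.5.5.7.3.6": "IPSec tunnel",
    "1.3.6.1.5.5.7.3.7": "IPSec user",
    "1.3.6.1.5.5.7.3.8": "Timestamping",
    "1.3.6.1.4.1.311.10.3.4": "Microsoft Encrypted File System",
    "1.3.6.1.4.1.311.20.2.2": "Smart card logon",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
ANY_EKU = "2.5.29.37.0"

# KeyUsage (RFC 5280 4.2.1.3) bit names, bit 0 is the most significant bit.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short- and long-form lengths, which is all extension values need."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the contents of a DER OBJECT IDENTIFIER (base-128 sub-identifiers)."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    sub = 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a sub-identifier
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))


def parse_eku(der: bytes) -> list:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "EKU must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        assert t == 0x06, "KeyPurposeId must be an OID"
        oids.append(decode_oid(v))
    return oids


def parse_key_usage(der: bytes) -> set:
    """KeyUsage ::= BIT STRING; the first content byte counts unused trailing bits."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, bits = body[0], body[1:]
    total = len(bits) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
            if bits[i // 8] & (0x80 >> (i % 8))}


def allowed_for(purpose_oid: str, eku_der: Optional[bytes]) -> bool:
    """RFC 5280 rule: no EKU extension means unrestricted; otherwise the
    purpose itself or anyExtendedKeyUsage must be present."""
    if eku_der is None:
        return True
    oids = parse_eku(eku_der)
    return purpose_oid in oids or ANY_EKU in oids


def can_sign(key_usage_der: bytes) -> bool:
    """The 'private key may be used for digital signatures' question."""
    return "digitalSignature" in parse_key_usage(key_usage_der)


# --- Constructed sample data (not from a real certificate) --------------------
def _encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID, used only to build the sample extension values."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes([0x06, len(out)]) + bytes(out)


def build_eku(oids) -> bytes:
    """Build a DER ExtKeyUsage SEQUENCE from dotted OIDs (short-form length only)."""
    content = b"".join(_encode_oid(o) for o in oids)
    assert len(content) < 128
    return bytes([0x30, len(content)]) + content


# A hypothetical secure-mail certificate: EKU = e-mail + client authentication,
# Key Usage = keyEncipherment only (03 02 05 20), so it cannot sign.
SAMPLE_MAIL_EKU = build_eku(["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"])
SAMPLE_MAIL_KEY_USAGE = bytes.fromhex("03020520")


def describe(eku_der: bytes, key_usage_der: bytes) -> dict:
    """Human-readable summary of what a certificate is permitted to do."""
    return {"eku": [EKU_OIDS.get(o, o) for o in parse_eku(eku_der)],
            "key_usage": sorted(parse_key_usage(key_usage_der))}


if __name__ == "__main__":
    print(describe(SAMPLE_MAIL_EKU, SAMPLE_MAIL_KEY_USAGE))
    print("code signing allowed:", allowed_for("1.3.6.1.5.5.7.3.3", SAMPLE_MAIL_EKU))
    print("may sign:", can_sign(SAMPLE_MAIL_KEY_USAGE))
```

The two checks are independent on purpose: a certificate that lists E-mail in its EKU but lacks the digitalSignature Key Usage bit can still be used to receive encrypted mail, yet a conforming relying party must refuse to accept signatures from it, which is exactly the situation the text describes. Note also that a certificate with no EKU extension at all passes `allowed_for` for every purpose; if the CA's intent is to restrict usage, the extension must actually be present in what it issues.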
