EXERCISE 12.01. EXERCISE 12.03 REQUESTING A CERTIFICATE FROM A WEB S...

5. When the Certificate Issued page appears, click Install This Certificate. Close the browser.

Auto-Enrollment Deployment

Perhaps the most exciting new feature of the Windows Server 2003 PKI is the ability to use auto-enrollment for user certificates as well as for computer certificates. The request and issuance of these certificates may proceed without user intervention. There are, however, some strict requirements:

Only Windows Server 2003 clients or Windows XP clients can use auto-enrollment.

Windows Server 2003 Enterprise Edition or Datacenter Edition is required to configure auto-enrollment for version 2 templates.

Group policies are used in Active Directory to configure auto-enrollment. In Computer Configuration | Windows Settings | Security Settings | Public Key Policies, there is a group policy entitled Automatic Certificate Request Settings. The property sheet for this policy enables you to choose whether or not to enroll certificates automatically. Also, you will need to ensure that the Enroll subject without requiring any user input option is selected on the Request Handling tab of the certificate template property sheet. Finally, be aware that doing either of the following will cause auto-enrollment to fail:

Setting the This number of authorized signatures option on the Issuance Requirements tab to higher than one.

Selecting the Supply in the request option on the Subject Name tab.

TEST DAY TIP

Remember that auto-enrollment is available for user certificates only if the client is Windows XP or Windows Server 2003, and you must be logging on to a Windows Server 2003 domain. Machine certificates can be issued via auto-enrollment with Windows 2000.
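The auto-enrollment requirements above can be audited rather than checked by hand. The following Python helper is an added example, not code from the book: it takes the raw integer values of a certificate template's msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag and msPKI-RA-Signature attributes (as stored in the Active Directory configuration partition) plus the client operating system, and reports every condition named in the text that would make user-certificate auto-enrollment fail. The flag constants are the documented msPKI bit values; mapping the "Enroll subject without requiring any user input" radio button to the absence of CT_FLAG_USER_INTERACTION_REQUIRED, and the sample template values, are assumptions of this example.

```python
# Added example (not from the book): audit a certificate template for the
# auto-enrollment blockers listed in the text. Input is the raw AD attribute
# values; constants are the msPKI bit definitions. Mapping the Request Handling
# radio button to CT_FLAG_USER_INTERACTION_REQUIRED is an assumption.
CT_FLAG_USER_INTERACTION_REQUIRED = 0x100   # bit in msPKI-Enrollment-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # bit in msPKI-Certificate-Name-Flag

# Clients that can auto-enroll for user certificates, per the text.
AUTOENROLL_CLIENTS = {"Windows XP", "Windows Server 2003"}


def autoenroll_blockers(template: dict, client_os: str) -> list:
    """Return the reasons user-certificate auto-enrollment would fail.

    template: dict of raw integer attribute values keyed by AD attribute name.
    An empty list means none of the text's blocking conditions apply.
    """
    enroll_flags = template.get("msPKI-Enrollment-Flag", 0)
    name_flags = template.get("msPKI-Certificate-Name-Flag", 0)
    signatures = template.get("msPKI-RA-Signature", 0)
    reasons = []
    if client_os not in AUTOENROLL_CLIENTS:
        reasons.append(f"client OS {client_os!r} cannot auto-enroll user certificates")
    if enroll_flags & CT_FLAG_USER_INTERACTION_REQUIRED:
        # Request Handling is not set to "Enroll subject without requiring any user input".
        reasons.append("Request Handling prompts the user during enrollment")
    if signatures > 1:
        # Text: more than one authorized signature on Issuance Requirements breaks it.
        reasons.append(f"Issuance Requirements demands {signatures} authorized signatures")
    if name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("Subject Name is set to 'Supply in the request'")
    return reasons


# Constructed sample templates (assumed values, not real directory data).
GOOD_TEMPLATE = {"msPKI-Enrollment-Flag": 0x20,
                 "msPKI-Certificate-Name-Flag": 0x0,
                 "msPKI-RA-Signature": 0}
BAD_TEMPLATE = {"msPKI-Enrollment-Flag": 0x120,
                "msPKI-Certificate-Name-Flag": 0x1,
                "msPKI-RA-Signature": 2}

if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        problems = autoenroll_blockers(tpl, "Windows XP")
        print(name, "OK" if not problems else problems)
```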

Role-Based Administration

In a small network of one or two servers and just a handful of clients, administration is generally not a difficult task. When the size of the network increases, however, the complexity of administration seems to increase exponentially. Microsoft's recommendations for a large network include dividing administrative tasks among the different administrative personnel. One administrator may be in charge of backups and restores, whereas another administrator may have complete control over a certain domain, and so on. The role of each administrator is defined by the tasks that he or she is assigned to, and individual permissions are granted based on those tasks. PKI administration, which can be as daunting as general network administration, can be similarly divided. Microsoft defines five different roles that can be used within a PKI to facilitate administration:

CA Administrator

Certificate Manager

Backup Operator

Auditor

Enrollee

At the top of the hierarchy is the CA administrator. The role is defined by the Manage CA permission and has the authority to assign other CA roles and to renew the CA's certificate. Underneath the CA administrator is the certificate manager. The certificate manager role is defined by the Issue and Manage Certificates permission and has the authority to approve enrollment and revocation requests. The Backup Operator and the Auditor roles are actually operating system roles and are not CA-specific. The Backup Operator has the authority to back up the CA, and the Auditor has the authority to configure and view audit logs of the CA. The final role is that of the Enrollees. All authenticated users are placed in this role and are able to request certificates from the CA.

Implementing Smart Card

EXAM