Maintaining Network Health

 Public Key Infrastructure (PKI)
 Provides assurance that you are communicating with the entity you think you are.
 Allows two parties to communicate though an algorithm know as public key cryptography.
 Each client has a public key and a private key



No need for a pre-shared key
Combining the two allows us to communicate securely
This is more efficient than a pre-shared key.

 Certification Authority(CA) – issues and manages digital certificates for the PKI
 Digital Certificate – digital document that contains information about a particular user, computer, or device.
Holds the public key.
 Smart Cards – credit card like devices that have a digital certificate installed on them. Used to log into resources.
 Self-enrollment – Allows users to request their own certificates.
 Autoenrollment – Automatically enroll for certificates.
 Recovery Agents – Used to recovery lost certificates.

 Web Enrollment – self enrollment through a Web
Browser.
 Online Responder – responds to requests from clients about the status of a specific certificate.
 Standalone CA – not integrated with AD.
 Enterprise CA – integrated with AD, ideal implementation
 Installing Certificate Services is a Role we can select.

 In and AD environment you can automate the distribution of certificates.
 This is controlled through Group Policy
 In non-Active Directory environments you must manually enroll for certificates.
 Use the certificate wizard in the Certificates MMC.
 Enroll through the web by typing the in the servers web address in a web browser.

 Be sure to designate a Recovery Agent incase of lost certificates. Only the Recovery Agent can recover these.
 You can assign users to one or more of the following predefined security roles:
 CA Administrator – overall management



Certificate manager – issuing and managing certificates
Backup operator – back up and restore OS files and folders and CA information
Auditors – Able o manage and read security logs on a computer running AD CS role.

 NAP helps protect from “unhealthy” computers from coming onto the network.
 Connecting computers are “evaluated”
 If they meet the criteria of the NAP policy they are permitted access to the network
 If they do not the criteria they are either:


Denied access to the network
Sent to Remediation network

Remediation servers allow noncompliant computers to become compliant. IE. The remediation network my have the antivirus software available for install.

 DHCP enforcement – easiest method. If the NAP client is out of compliance the DHCP server will assign an address with limited access.
 IPSec enforcement – uses health certificates. If a client is out of compliance it will not get the health certificate and therefore wont be able to communicate through IPSec or on the network.
 VPN enforcement – restricts the level of access that a remote client can obtain. IE. Work laptops get full access, home laptops get limited access
 802.1X enforcement – restricts on physical connections

You Learned (cont.)

A PKI allows two parties to communicate securely without ever having communicated with one another before in any previous communication through the use of a mathematical algorithm called public key cryptography.
Lesson 10

You Learned (cont.)

PKI certificates are managed through Certificate
Authorities that are hierarchical, which means that you can have many subordinate CAs within an organization that chain upward to a single root CA.

A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.
Lesson 10

You Learned (cont.)

Web enrollment allows users to connect to a
Windows Server 2008 CA through a Web browser to request certificates and obtain an upto-date Certificate Revocation List.
Lesson 10

You Learned (cont.)

When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs. A standalone CA is not integrated with Active
Directory and relies on administrator intervention to respond to certificate requests.
Lesson 10

You Learned (cont.)

An enterprise CA integrates with Active
Directory. It can use certificate templates as well as Group Policy Objects to allow for autoenrollment of digital certificates, as well as store digital certificates within the Active Directory database for easy retrieval by users and devices.
Lesson 10

You Learned (cont.)

Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or if anti-virus signatures are up to date.
Lesson 10

You Learned (cont.)
 NAP can be configured with one of four built-in enforcement mechanisms: DHCP, 802.1X, IPSec, and
VPN.
 The NAP client includes one or more System Health
Agents (SHAs), which map to System Health Validators
(SHVs) within the NAP server architecture.
Lesson 10