Using the Explorer Window in Windows 7

The Explorer windows are powerful, easy-to-use tools for working with files consistently across Windows 7. Explorers give you more information and control while simplifying how you work with your files. The experience is easy and consistent, whether you're browsing documents or photos or even using the Control Panel. Key elements of the Explorer windows in Windows 7 are designed to help you get to the information you need, when you need it. Each Explorer window includes the following elements:

• Back and Forward buttons. Use to navigate between previously viewed folders.

• Address bar. Use to navigate directly to a different location, including local and network disks, folders, and web locations.

• Search box. Use to perform instant searches, which show only those files that match what you typed in the Search box for the current folder and any of its subfolders.

• Toolbar/Command bar. Use to perform file-related commands. Toolbar/Command bars display only the task buttons that are appropriate for the files being displayed. Two buttons appear on every Toolbar/Command bar: Organize and Views.

• Navigation pane. (New!) Use to display common folders, such as Favorites, Libraries, HomeGroup (a shared network), Computer, and Network, using a Folder list tree structure.

• Libraries. (New!) Use to access common folders, such as Documents, Music, Pictures, and Videos. A library is a collection of files and folders linked from different locations, including your computer, HomeGroup, or network, into a central place. A file or folder can be stored in one location, yet linked to a library for easy access. For example, your My Documents folder located in your personal folder (the one with your account name) is linked to the Documents library.

Source of Information : Microsoft Windows 7 on Demand (2009)

Snipping the Screen in Windows 7

The Snipping Tool (New!) allows you to capture a screen shot of anything currently on your screen as an image file. After you capture the image, you can annotate, save and share it with others in an e-mail. You can capture the screen in different ways: draw a free-form shape around an object, draw a rectangle around an object, select a window, or take the entire screen.



Use the Snipping Tool
Click the Start button, point to All Programs, click Accessories, and then click Snipping Tool.

To change snipping options, click the Options button, select the options you want, and then click OK.

To capture a screen, click the New Snip button arrow, and then select a capture option:
• Free-form Snip.
• Rectangle Snip.
• Window Snip.
• Full-screen Snip.

Drag a free-form or rectangle shape, or click a window.

To annotate the image, use the Pen, Highlighter, and Eraser tools.

To share the image, use the Send Snip button.

Click the Save button, select a save location, and then select a file format (PNG, GIF, JPEG, or MHT). MHT is a single-file web page format.

To copy it to the Clipboard to paste in a document, click the Copy button.

When you’re done, click the Close button.

Source of Information : Microsoft Windows 7 on Demand (2009)

Changing the Way a Program Starts in Windows 7

The left column of the Start menu is separated into two lists: pinned items above the separator line and most frequently used items below. The pinned items remain on the Start menu, like a push pin holds paper on a bulletin board, until you unpin them. In addition to pinning and unpinning programs and windows on the Start menu, you can now pin and unpin them on the taskbar (New!). The default programs pinned to the taskbar are Internet Explorer, Windows Explorer, and Windows Media Player, but you can customize this. Windows also tracks recently opened files for programs on the Start menu and taskbar, known as jump lists, and you can pin or unpin items on those lists (New!).



Pin or Unpin a Program or Items on the Start Menu or Taskbar
• Pin a program on the Start menu. Right-click a program on the Start menu, and then click Pin to Start Menu.

• Unpin a program on the Start menu. Right-click a pinned program on the Start menu, and then click Unpin from Start Menu.

• Pin a program on the taskbar. Right-click an open program on the taskbar, and then click Pin this program to taskbar (New!). You can also right-click a program on the Start menu, and then click Pin to Taskbar (New!).

• Unpin a program on the taskbar. Right-click a pinned program on the taskbar, and then click Unpin this program from taskbar (New!).

• Pin or unpin an item on a jump list. Click the Start menu or right-click a taskbar program, point to the jump list, point to an item, and then click the Pin or Unpin icon (New!).

• Remove an item on a jump list. Click the Start menu or right-click a taskbar program, point to jump list, right-click an item, and then click Remove from this list.

Source of Information : Microsoft Windows 7 on Demand (2009)

Starting and Exiting a Program in Windows 7

The most common way to start a Windows program is to use the Start menu, which provides easy access to programs installed on your computer. Clicking the Start button on the taskbar displays the Start menu, which lists common and recently used programs and the All Programs submenu. The All Programs submenu is the master list of every program on your computer. In addition to tracking frequently used programs, Windows also tracks recently opened files, known as jump lists (New!). When you point to a program—such as Microsoft Word—on the Start menu with an arrow next to it, a list of recently opened files or folders and related tasks appears for easy access. For example, Windows Media Player displays a jump list with recently played music files and commands to play all music and resume the previous list (New!). When you’re done working with a program, you should exit, or close, it to conserve your computer’s resources.

If you start a program, such as your e-mail program, every time you start Windows, you can save some time by adding the program to the Startup folder. The contents of the Startup folder appear on the Startup submenu on the All Programs menu. Sometimes an installer adds a program to the Startup folder on its own. Every time you start Windows, the programs in the Startup folder start automatically.

To add a program, click the Start button, and then locate the program you want to add to the Startup submenu. Holding down the Ctrl key while dragging copies the program to the Startup submenu instead of moving it. Hold down the Ctrl key, and then drag the program on top of the Startup item on the All Programs submenu. When the Startup submenu opens, drag the program onto the submenu, and then release the mouse button and the Ctrl key.

If you don’t want the program starting automatically with Windows, you can remove it from the Startup folder. Click the Start button, point to All Programs, and then click Startup. Right-click the program you want to remove on the Startup submenu, click Delete, and then click Yes to confirm the deletion.
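Because installers can drop entries into the Startup folder without telling you, it is worth listing what is actually there. The following PowerShell script is an added example, not code from the book: it reads both the current user's and the all-users Startup folders through the WScript.Shell COM object (so it runs on the Windows PowerShell 2.0 that ships with Windows 7) and resolves each shortcut to the program it really launches. The function name Get-StartupFolderItem is this example's own.

```powershell
# Added example, not from the book. Lists every entry in the current user's
# and the all-users Startup folders and resolves each shortcut to the program
# it really launches. Uses WScript.Shell so no folder paths are hard-coded.

function Get-StartupFolderItem {
    $shell = New-Object -ComObject WScript.Shell

    # WScript.Shell exposes both special folders by name.
    $folders = @{
        'CurrentUser' = $shell.SpecialFolders.Item('Startup')
        'AllUsers'    = $shell.SpecialFolders.Item('AllUsersStartup')
    }

    foreach ($scope in $folders.Keys) {
        $folder = $folders[$scope]
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }

        Get-ChildItem -LiteralPath $folder -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $target    = $_.FullName   # a plain .exe or script runs as-is
                $arguments = ''
                if ($_.Extension -eq '.lnk') {
                    # Resolve the shortcut: the friendly name can say anything;
                    # TargetPath is what actually runs at logon.
                    $lnk       = $shell.CreateShortcut($_.FullName)
                    $target    = $lnk.TargetPath
                    $arguments = $lnk.Arguments
                }
                New-Object PSObject -Property @{
                    Scope        = $scope
                    Entry        = $_.Name
                    Target       = $target
                    Arguments    = $arguments
                    LastModified = $_.LastWriteTime
                }
            }
    }
}

# Usage: show everything that starts with Windows, most recently changed first,
# and flag targets that no longer exist (a stale entry from a removed program).
Get-StartupFolderItem |
    Sort-Object LastModified -Descending |
    Select-Object Scope, Entry, Target, Arguments, LastModified,
        @{ Name = 'TargetExists'; Expression = {
            if ($_.Target) { Test-Path -LiteralPath $_.Target } else { $false } } } |
    Format-Table -AutoSize
```

The LastModified column is the quickest way to spot an entry that appeared after a recent installation; the Target column shows the real executable rather than the shortcut's display name.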

You can display the Programs list in a single column. Right-click the Start button, click Properties, click Customize, click the Advanced tab, select the Scroll Programs check box, and then click OK twice. Point to the black triangle arrows at the top and bottom to scroll through the list.



Start a Program from the Start Menu
Windows provides several ways to start a program:
• Click the Start button, and then click a program.

• Click the Start button, point to a program, and then click a file name from the jump list (New!). When a program on the Start menu displays a submenu, a jump list displays recently opened files.

• Click the Start button, point to All Programs, click a program group if necessary, and then click a program.

• Click the Start button, click Computer or Documents, navigate to the folder with the program or file associated with the program you want, and then double-click the icon.

• Click the Start button, point to All Programs, click Accessories, click Run, type the full path and file name of the program, and then click OK.



Exit a Program
Windows provides several ways to exit a program:
• Click the File menu, and then click Exit.

• Click the Close button on the program’s title bar.

• Double-click the Control-menu on the program’s title bar.

• Right-click the program’s taskbar button, and then click Close.

Source of Information : Microsoft Windows 7 on Demand (2009)

Managing Windows in Windows 7

One of the most powerful things about Windows is that you can open more than one window or program at once. This means, however, that the desktop can get cluttered with many open windows for the various programs. Windows 7 groups similar types of windows under one button on the taskbar, which you can use to switch among open windows and programs (New!). If you prefer a keyboard shortcut, you can also press Alt-Tab or Windows logo key+Tab (Aero) to switch to an open window. You can identify a window by its name on the title bar at the top of the window, which you can also use to move or resize it (New!). Each window is also surrounded by a border and has resize buttons in the upper-right corner that you can use to resize the window.



Switch Among Open Windows
Click anywhere in a window to make it active, or point to a taskbar button for an open program or window, and then click a name or icon. You can also press Alt-Tab to switch windows.

• In Windows Aero, a live thumbnail appears when you point to an open program or window taskbar button. When you point to the thumbnail, the program or window temporarily appears until you move the mouse (New!). You can also press Windows logo key+Tab to switch windows.



Move or Resize a Window
Point to the window’s title bar. Drag the window to a new location, and then release the mouse button.
• Maximize active window. Drag the title bar to the top edge of the desktop (New!) or double-click the title bar.

• Resize active window for side by side use. Drag the title bar to the left or right edge of the desktop (New!).



Use Buttons to Resize and Close a Window
All windows contain the same sizing and close buttons:
• Maximize button. Click to make a window fill the entire screen.

• Restore Down button. Click to reduce a maximized window.

• Minimize button. Click to shrink a window to a taskbar button.

• Close button. Click to close the window.

• Show desktop button. Click to minimize or restore all windows. In Windows Aero, point to the button to peek at the desktop through transparent windows (New!).



Use the Mouse to Resize a Window
• Resize a window using a border. Move the mouse over a border in a non-maximized window until the mouse pointer changes into a two-headed arrow, and then drag until the window is the size you want.

• Resize all open windows on the desktop. Right-click a blank area of the taskbar, and then click a command:
• Cascade windows.
• Show windows stacked.
• Show windows side by side.

• Minimize or restore all open windows except active one. In Windows Aero, drag the title bar back and forth (shake) to minimize or restore all open windows except the active one (New!).


Source of Information : Microsoft Windows 7 on Demand (2009)

Using Desktop Gadgets in Windows 7

Windows 7 gives you quick access to gadgets—such as news headlines and updates, slide shows, weather information, traffic maps, Internet radio streams, and slide shows of online photo albums—anywhere on your desktop (New!). Gadgets are mini-applications that can connect to web services, such as an RSS feed (which automatically delivers web content to your desktop), or integrate with many of your applications, such as viewing your calendar. Windows 7 comes with a set of gadgets to get you started, including the Windows Media Center gadget (New!). However, you can easily download more gadgets from an online gadget gallery.

You can download more gadgets. Right-click a blank area of the desktop, click Gadgets, and then click Get More Gadgets Online to open the gadget web site and download more gadgets.


Work with Desktop Gadgets
• Add a Gadget. Right-click a blank area of the desktop, click Gadgets, double-click the gadget you want, and then click the Close button.

• Close a Gadget. Point to the gadget you want to close, click the Close button, and then click Close Gadget (if requested).

• Resize a Gadget. Point to the gadget, and then click the Larger size or Smaller size button (toggles).

• Change Gadget Options. Point to the gadget you want to change, click the Options button (wrench icon), select the options you want, and then click OK.

• Move a Gadget. Point to the gadget, and then drag the Drag gadget (dot grid) to another location on the desktop.

Source of Information : Microsoft Windows 7 on Demand (2009)

Using the Taskbar in Windows 7

The horizontal bar at the bottom of your screen is called the taskbar; it contains several important items: the Start button, program and taskbar buttons, notification area, and Show desktop button. The taskbar allows you to start programs, files, and windows, as well as switch among currently running programs or open windows. In addition to pinning programs and windows to the Start menu, you can now pin them to the taskbar (New!). The default programs pinned to the taskbar include Internet Explorer, Windows Explorer, and Windows Media Player, however, you can customize it. The Show desktop button minimizes all open windows to display the desktop. In Windows Aero, when you point to the Show desktop button, all open windows appear transparent, which allows you to peek at the desktop. In addition to tracking frequently used programs, Windows also tracks recently opened files, known as jump lists (New!), which you can open from the taskbar.


Use the Taskbar
• Pin to the Taskbar. Right-click an open program or taskbar button, and then click Pin this program to taskbar.

• Unpin from the Taskbar. Right-click a pinned item on the taskbar, and then click Unpin this program from taskbar.

• Access a Jump List. Right-click a taskbar button, and then click a recently opened item from the list.

• Show desktop (minimize all windows). Click the Show desktop button on the taskbar (right side).

• Show desktop (make all windows transparent). In Windows Aero, point to the Show desktop button. Right-click the Show desktop button, and then click Peek at desktop (New!) to turn it off and on.

• Switch among open programs or windows. Click in a window to make it active, or point to a taskbar button for an open program or window, and then click a name or icon. In Windows Aero, a live thumbnail appears when you point to an open program or window taskbar button. When you point to it, the program or window temporarily appears until you move the mouse (New!).

Source of Information : Microsoft Windows 7 on Demand (2009)

Using the Start Menu in Windows 7

The key to getting started with the Windows desktop is learning how to use the Start button on the taskbar. Clicking the button on the taskbar displays the Start menu, a list of commands that allow you to start a program, open a document, change a Windows setting, find a file, or display support information. The top right of the Start menu indicates who is currently using the computer. The left column of the Start menu is separated into two lists: pinned items above the separator line and most frequently used items below. The pinned items remain on the Start menu, like a push pin holds paper on a bulletin board. The most frequently used items change as you use programs: Windows keeps track of which programs you use and displays them on the Start menu for easy access.

In addition to tracking frequently used programs, Windows also tracks recently opened files, known as jump lists (New!). When you point to a program—such as Microsoft Word, Internet Explorer or Windows Explorer—on the Start menu with a arrow next to it, a list of recently opened files or folders and related tasks appear for easy access. For example, Internet Explorer displays a jump list with recently visited web sites and commands for InPrivate browsing and New Tab. The arrow next to a menu item indicates a cascading menu, or submenu, which is a list of commands for that menu item. You can also pin recently opened files to the Start menu that you want to use on a regular basis.

The right column of the Start menu provides easy access to folders, Windows settings, devices and printers (New!), help information, and shutdown functionality. As you become more familiar with Windows, you might want to customize the Start menu to include additional items that you use most often.

As you continue to install programs on your computer, finding them on the Start menu can sometimes be difficult. Windows 7 makes it easy with the Instant Search box, which allows you to search the Start menu to find programs and other Windows items, such as Internet favorites, history, files, contacts, e-mail messages, and appointments. To perform a search, click the Start menu, click in the Instant Search box, and start typing the search text you want. As you type, the Start menu shows the possible results organized by type with the number of matches (New!); priority is given to the programs you use frequently. The search results continue to narrow as you continue to type. If you don't find what you are looking for on the Start menu during a search, you can click See More Results to see a complete listing of highlighted results (New!), or expand the search.



Start Menu Commands
All Programs - Opens a list of all the programs included on the Start menu

Search box - Locates programs, and other Windows items, such as Internet favorites, history, files, contacts, e-mail messages, and appointments

User name - Opens the personal folder, where you store files and information, such as Contacts, Desktop, Downloads, Favorites, Links, Documents, Music, Pictures, Videos, Saved Games, and Searches

Documents - Opens the Documents folder, where you store and manage files

Pictures - Opens the Pictures folder, where you store and manage photos, images, and graphic files

Music - Opens the Music folder, where you store and manage sound and audio files

Games - Opens the Games folder, where you play Windows 7 games, such as Chess Titans, FreeCell, Hearts, Internet Backgammon, Internet Checkers, Internet Spades, Mahjong Titans, Minesweeper, Purble Place, Solitaire, and Spider Solitaire

Computer - Opens the Computer window, where you access information about disk drives and other hardware devices

Control Panel - Provides options to customize the appearance and functionality of the computer

Devices and Printers (New!) - Opens the Devices and Printers window, where you can display and manage currently installed devices, such as monitors, printers, and faxes, and add new devices

Default Programs - Displays the Default Programs window, where you can choose default programs for web browsing, e-mail, playing music, and other activities

Help and Support - Displays Windows Help topics, tutorials, troubleshooting, support options, and tools

Power button (Shutdown) - Exits Windows and turns off the computer; also customizable for other power/shutdown options (New!)

Arrow (Shutdown menu) - Provides options to switch to a different user, log off the computer, lock the computer, restart the computer, or set the computer to sleep or hibernate mode


Source of Information : Microsoft Windows 7 on Demand (2009)

Windows 7 - Exploring the Windows Desktop

When you first start Windows 7, you see the Windows desktop, or a Welcome screen (a way to identify yourself on the computer), depending on your installation. The desktop is an on-screen version of an actual desk, containing windows, icons, files, and programs. You can use the desktop to access, store, organize, modify, share, and explore information (such as a letter, the news, or a list of addresses), whether it resides on your computer, a network, a HomeGroup (shared home network) (New!), or the Internet. In addition to windows and icons, you can also add mini-programs, called gadgets, to the desktop, which provide easy access to frequently used tools, such as a clock or calendar, and information at a glance.

The bar at the bottom of your screen is called the taskbar; it allows you to start programs and switch among currently running programs. At the left end of the taskbar is the Start button, which you use to start programs, find and open files, access the Windows Help and Support Center, and much more. Next to the Start button are program or taskbar buttons, which you can use to start programs and switch between open windows and programs. The default programs pinned to the taskbar are Internet Explorer, Windows Explorer, and Windows Media Player, but you can customize it (New!) like the Start menu.

At the right end of the taskbar is the notification area, which displays the time, the date, and program-related icons. You can click an icon to display a window of options. For example, when you click the Volume icon, a window appears where you can adjust or mute the volume. If icons in the notification area are not used for a while, an arrow appears to hide the icons and reduce clutter. You can click the arrow to display hidden icons or click a link to customize the notification area to select which icons and notifications appear on the taskbar (New!). You can also quickly drag a hidden icon onto, or a displayed icon off, the notification area to add or remove it from the taskbar (New!). Next to the notification area is the Show desktop button (the blank button at the right end of the taskbar), which allows you to quickly show the desktop (New!). If you upgraded your computer to Windows 7 from a previous version of Windows, your desktop might contain additional desktop icons and toolbars.

Source of Information : Microsoft Windows 7 on Demand (2009) (ATTiCA)

Windows 7 - Using Windows Aero

Introducing Windows Aero
Windows 7 provides two distinct user interface experiences: a "basic" experience for entry-level systems, and a more visually dynamic experience called Windows Aero. Windows Aero is an environment with an additional level of visual sophistication. Windows Aero provides spectacular visual effects, such as glass-like interface elements that you can see through, subtle window animations, window colors, live thumbnails that you can display on the taskbar, Windows Flip and Windows Flip 3D that you can use to graphically switch among open windows, and Aero Peek or Aero Shake that you can use to minimize and restore open programs and windows.



Live Taskbar Thumbnails
When you rest the mouse pointer over a taskbar item, Windows Aero displays a Live thumbnail of the window, showing the content of that window. The Live thumbnail is displayed whether the window is minimized or not, and whether the content of the window is a document, photo, or even a running video or process.



Windows Flip and Windows Flip 3D
Windows Aero provides two ways to manage windows: Windows Flip and Windows Flip 3D. Flip allows you to flip through open windows, providing a Live thumbnail of each window, rather than just a generic icon and file name. By using the Alt+Tab keys, live thumbnails appear to make it easier to quickly identify the window you want, particularly when multiple windows of the same kind are open. The selected live thumbnail appears on the desktop and all other windows appear transparent (New!). Windows Flip 3D creates a view of your open windows in a three-dimensional stack on your desktop. By pressing Windows logo key+Tab, you can flip through the open windows to quickly locate and select the window you want. You can also use the scroll wheel on your mouse to flip through open windows in a stack and select the one you want.



Show the Desktop with Aero Peek
In Windows Basic, when you click the Show desktop button (the blank button on the right side of the taskbar next to the clock), it minimizes all open windows to display the desktop. In Windows Aero, the functionality changes a bit. When you point to the Show desktop button in Windows Aero, all open windows appear transparent (New!), which allows you to quickly peek at the desktop. If you prefer the Windows Basic functionality, you can turn off the peek transparency. Right-click the Show desktop button, and then click Peek At Desktop to turn it off and on (New!).



Minimize Windows with Aero Shake
With Aero Shake, you can minimize and restore all open windows except the one you’re shaking (dragging back and forth) (New!). Simply click the menu bar of the window you want to keep open, and then drag (shake) the window back and forth. If you prefer using a keyboard shortcut, you can also press Windows logo key+Home to minimize or restore all windows except for the active window.



Preparing for Windows Aero
Windows 7 can display different features based on the hardware capabilities of the computer it is running on. Computers running Windows 7 Home Basic, Windows 7 Starter, or those without the hardware needed to run Windows Aero use the basic user interface. If your computer meets the minimal hardware requirements to be Windows 7 PC Capability Ready, you see the Windows 7 Basic user experience. If your computer meets the increased hardware requirements to be Windows 7 PC Premium Ready, you see the Windows Aero user experience. The increased requirements include:
• 1-gigahertz (GHz) 32-bit or 64-bit (x64) processor
• 1 GB of RAM
• 128 MB graphics card
• DirectX 9 class graphics processor
• 64, 128, or 256 MB of graphics memory (Recommended)



Running Windows Aero
Before you can run Windows Aero, you need to make sure Windows 7 contains the proper settings. Make sure your computer meets the increased hardware requirements and the Windows theme is set to a Windows 7 Aero theme in the Control Panel under Appearance and Personalization. If you encounter a problem, the Aero troubleshooter opens to help you out. If the troubleshooter doesn’t open, you can open it in Windows Help and Support. Click the Start button, click Help and Support, type aero troubleshooter in the Search box, press Enter, and then click Open The Aero Troubleshooter.

Source of Information : Microsoft Windows 7 on Demand (2009) (ATTiCA)

Introducing Windows 7

Windows 7 Editions
Windows 7 comes in four main editions: the Home Basic Edition for consumers; the Home Premium Edition for consumer power users; the Professional Edition for business and power users; and the Ultimate Edition for the complete package. Two other editions are available for specific needs: the Starter Edition and Enterprise Edition. The Starter Edition is for the beginning PC user and provides the most basic entry to Windows 7, which is targeted to emerging markets. The Enterprise Edition is for large corporations with advanced data protection, compatibility, and international support needs. The Home Basic Edition provides a basic secure entry point for using Windows 7. The Home Premium Edition adds to the basic experience by providing the Windows Aero experience, the Mobility Center and Tablet PC support for laptops, Windows Meeting Space for sharing documents, and Windows Media Center for media entertainment. The Professional Edition modifies the Home Premium Edition by adding advanced hardware protection, business networking and remote desktop access, and by removing the Windows Media Center. The Ultimate Edition combines everything from all the editions into one complete package.



Windows 7 User Experience
Windows 7 provides two distinct user interface experiences: a basic experience for entry-level systems, and a more visually dynamic experience called Windows Aero. Both offer a new and intuitive navigation experience that helps you more easily find and organize your applications and files, but Aero goes further by delivering a truly next-generation desktop experience.

The basic experience has been updated and streamlined so you can find and work with your programs and files more easily than in previous versions of Windows. Some of the important new features include Explorer windows, Live icons, Search Folders, and Instant Search.

Windows 7 uses Explorer windows to give you more information and control while simplifying how you work with your files. Each Explorer window includes a Command Bar, Live icons, column headers, and a Navigation pane. Command Bars display only the tasks that are most appropriate for the files being displayed. Live icons are scalable thumbnails that display the first page of documents, the actual image of a photo, or the album art for individual songs in your music collection, making it easier to find exactly what you are looking for. The Navigation pane (New!) contains Libraries, HomeGroups, networks, disk drives, Search Folders and Favorites folders that you have created on your computer. A Search Folder is simply a search that you save. Opening a Search Folder instantly runs that saved search, displaying up-to-date results immediately.

With Windows 7, you no longer have to remember where you store every file. Instead, to find a file, you need only to remember something about it. The updated Start menu integrates the Instant Search box to help you quickly find and start any program or file on your computer. After you add or edit file properties or data associated with a file, such as a keyword on a document, you can use the Instant Search box to quickly find a file by the file property.

Source of Information : Microsoft Windows 7 on Demand (2009)

Windows Server 2008 - Certificate Key Recovery

Key recovery is compatible with the CryptoAPI architecture of Windows 2008, but it is not a necessary requirement. For key recovery, an entity’s private key must be stored permanently. The storage of private keys guarantees that critical information will always be accessible, even if the information should get corrupted or deleted. On the other hand, there is a security issue in the backup of the private keys. The archived private key should be used to impersonate the private key owner only if corruption occurs on your system.



Backup and Restore
Microsoft recommends that you back up your entire CA server. By backing up the system state data on your CA, you will automatically get a backup of the certificate store, the registry, system files, and Active Directory (if your CA is a domain controller). Sometimes, you may want to just back up the certificate services portion of your computer without doing a full backup of everything else. Your backups are only useful if you can restore them.
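The "certificate services only" backup mentioned above is what certutil's backup options do, and the point that a backup is only useful if it can be restored is worth automating into a check. The following PowerShell script is an added example, not code from the book: it backs up the CA database and the CA key with certutil, exports the CA's registry configuration next to them, restricts the folder to administrators, and then verifies that the expected files are present. The function names, the -Root and -KeyPassword parameters, and the folder layout are this example's own assumptions; it is meant to be run elevated on the CA itself.

```powershell
# Added example, not from the book. Backs up just the Certificate Services part
# of a CA (database plus CA certificate and private key), captures the CA's
# registry configuration alongside it, and checks the result. Run elevated on the CA.

function Backup-CertificateServices {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [Parameter(Mandatory = $true)] [string] $KeyPassword   # protects the exported .p12
    )

    # certutil needs an empty target directory, so create a fresh timestamped one.
    $dir = Join-Path $Root ('CA-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dir | Out-Null

    # 1. CA database and transaction logs.
    & certutil.exe -backupdb $dir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

    # 2. CA certificate and private key as a password-protected PKCS #12 file.
    #    Anyone holding this file can act as the CA, so it must be guarded like the CA itself.
    & certutil.exe -p $KeyPassword -backupkey $dir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupkey failed with exit code $LASTEXITCODE" }

    # 3. The CA's configuration lives in the registry and is not covered by certutil.
    $regFile = Join-Path $dir 'CertSvc-Configuration.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "registry export failed with exit code $LASTEXITCODE" }

    # 4. Lock the backup folder down to Administrators and SYSTEM only.
    & icacls.exe $dir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

    return $dir
}

function Test-CertificateServicesBackup {
    param([Parameter(Mandatory = $true)] [string] $BackupDir)

    # Each check looks for one artifact the backup must contain.
    $checks = @(
        @{ Name = 'CA database (.edb)'
           Ok   = [bool](Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue) }
        @{ Name = 'CA key file (.p12)'
           Ok   = [bool](Get-ChildItem -Path $BackupDir -Filter '*.p12' -ErrorAction SilentlyContinue) }
        @{ Name = 'Registry configuration'
           Ok   = Test-Path (Join-Path $BackupDir 'CertSvc-Configuration.reg') }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{ Check = $c.Name; Present = $c.Ok }
    }
}

# Usage (elevated, on the CA):
# $dir = Backup-CertificateServices -Root 'D:\CABackups' -KeyPassword (Read-Host 'Key backup password')
# Test-CertificateServicesBackup -BackupDir $dir
```

A presence check is the minimum; a real restore rehearsal with certutil -restoredb and certutil -restorekey on a test CA is the only way to prove the backup is usable. The key password has to travel to certutil on its command line, so run this from an interactive session rather than storing the password in a script.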



Assigning Roles
In a small network of one or two servers and just a handful of clients, administration is generally not a difficult task. When the size of the network increases, however, the complexity of administration seems to increase exponentially. Microsoft’s recommendations for a large network include dividing administrative tasks among the different administrative personnel. One administrator may be in charge of backups and restores, whereas another administrator may have complete control over a certain domain and so on. The role of each administrator is defined by the tasks that he or she is assigned to, and individual permissions are granted based on those tasks. PKI administration, which can be as daunting as general network administration, can be similarly divided. Microsoft defines five different roles that can be used within a PKI to facilitate administration:

• CA Administrator
• Certificate Manager
• Backup Operator
• Auditor
• Enrollee

At the top of the hierarchy is the CA administrator. The role is defined by the Manage CA permission and has the authority to assign other CA roles and to renew the CA’s certificate. Underneath the CA administrator is the certificate manager. The certificate manager role is defined by the Issue and Manage Certificates permission and has the authority to approve enrollment and revocation requests.

The Backup Operator and the Auditor roles are actually operating system roles, and not CA specific. The Backup Operator has the authority to back up the CA and the Auditor has the authority to configure and view audit logs of the CA. The final role is that of the Enrollees. All authenticated users are placed in this role, and are able to request certificates from the CA.



Enrollments
In order for a PKI client to use a certificate, two basic things must happen. First, a CA has to make the certificate available and second, the client has to request the certificate. Only after these first steps can the CA issue the certificate or deny the request. Making the certificate available is done through the use of certificate templates and is a topic that we discuss in detail below.

Like Windows Server 2003, Windows Server 2008 PKI also supports autoenrollment for user certificates as well as for computer certificates. The request and issuance of these certificates may proceed without user intervention. Group policies are used in Active Directory to configure autoenrollment. In Computer Configuration | Windows Settings | Security Settings | Public Key Policies, there is a group policy entitled Automatic Certificate Request Settings. The Property sheet for this policy lets you choose whether to Enroll certificates automatically. Also, you will need to ensure that the Enroll subject without requiring any user input option is selected on the Request Handling tab of the certificate template Property sheet. Finally, be aware that doing either of the following will cause autoenrollment to fail:

• Setting the This number of authorized signatures option on the Issuance Requirements tab to higher than one.

• Selecting the Supply in the request option on the Subject Name tab.



Revocation
A CA’s primary duty is to issue certificates, either to subordinate CAs, or to PKI clients. However, each CA also has the ability to revoke those certificates when necessary. Certificates are revoked when the information contained in the certificate is no longer considered valid or trusted. This can happen when a company changes ISPs (Internet Service Providers), moves to a new physical address or when the contact listed on the certificate has changed. Essentially, a certificate should be revoked whenever there is a change that makes the certificate’s information “stale” and no longer reliable from that point forward.

In addition to the changes in circumstance that can cause a certificate revocation, certain owners may have their certificate revoked upon terminating employment. The most important reason to revoke a certificate is if the private key has been compromised in any way. If a key has been compromised, it should be revoked immediately.

Along with notifying the CA of the need to revoke a certificate, it is equally important to notify all certificate users of the date that the certificate will no longer be valid. After notifying users and the CA, the CA is responsible for changing the status of the certificate and notifying users that it has been revoked.

When a certificate revocation request is sent to a CA, the CA must be able to authenticate the request with the certificate owner. Once the CA has authenticated the request, the certificate is revoked and notification is sent out. CAs are not the only ones who can revoke a certificate. A PKI administrator can also revoke a certificate, without authenticating the request with the certificate owner. This allows for the revocation of certificates in cases where the owner is no longer accessible or available, as in the case of termination.

The X.509 standard requires that CAs publish certificate revocation lists (CRLs). In its simplest form, a CRL is a published list of the revocation status of the certificates that the CA manages. There are several forms that revocation lists may take, but the two most noteworthy are simple CRLs and delta CRLs.

A simple CRL is a container that holds a list of revoked certificates with the name of the CA, the time the CRL was published, and when the next CRL will be published. It is a single file that continues to grow over time. The fact that only information about the certificates is included and not the certificate itself helps to manage the size of a simple CRL.

Delta CRLs address the two issues that simple CRLs cannot: size and distribution. Although a simple CRL contains only certain information about each revoked certificate, it can still become a large file. How, then, do you continually distribute a large file to all parties that need to see the CRL? The solution is delta CRLs. In an environment leveraging delta CRLs, a base CRL is sent to all end parties to initialize their copies of the CRL. Afterwards, updates known as deltas are sent out on a periodic basis to inform the end parties of any changes.

In practice within Windows Server 2008, the tool that the CA uses for revocation is the certificate revocation list, or CRL. The act of revoking a certificate is simple: from the Certification Authority console, simply highlight the Issued Certificates container, right-click the certificate and choose All | Revoke Certificate. The certificate will then be located in the Revoked Certificates container.

When a PKI entity verifies a certificate’s validity, that entity checks the CRL before giving approval. The question is: how does a client know where to check for the list? The answer is the CDPs, or CRL Distribution Points. CDPs are locations on the network to which a CA publishes the CRL; in the case of an enterprise CA under Windows Server 2008, Active Directory holds the CRL, and for a stand-alone CA, the CRL is located in the certsrv\certenroll directory. Each certificate has a location listed for the CDP, and when the client views the certificate, it then understands where to go for the latest CRL.

In order for a CA to publish a CRL, use the Certificate Authority console to right-click the Revoked Certificates container and choose All Tasks | Publish. From there, you can choose to publish either a complete CRL, or a Delta CRL. Whether you select a New CRL or a Delta CRL, you are next prompted to enter a publication interval (the most frequent intervals chosen are one week for full CRLs and one day for Delta CRLs). Clients cache the CRL for this period of time, and then check the CDP again when the period expires. If an updated CDP does not exist or cannot be located, the client automatically assumes that all certificates are invalid.
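As an added example (not from the book and not Windows code), the following Go program shows the two halves of what the text describes: the CA signs a list of revoked serial numbers with a ThisUpdate/NextUpdate window that matches its publication interval, and the client verifies the CA's signature on the list it fetched from the CDP, refuses a list whose NextUpdate has passed (the cached copy is stale and must be refreshed), and only then looks up the serial. The CA name and the serial numbers are constructed values; Go's standard library stands in for the Windows CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTestCA builds a self-signed CA certificate whose key usage allows it to sign CRLs.
// The CA name is a constructed example value.
func newTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PublishCRL is the CA side: it signs a base CRL listing the revoked serial numbers.
// validFor is the publication interval; clients may cache the list until NextUpdate.
func PublishCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int,
	crlNumber int64, validFor time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(crlNumber), // increases with every publication
		ThisUpdate: now,
		NextUpdate: now.Add(validFor),
	}
	for _, serial := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: now})
	}
	// The DER bytes are what the CDP (Active Directory or certsrv\certenroll) would serve.
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckRevocation is the client side: parse the CRL fetched from the CDP, confirm the
// expected CA signed it, refuse it once NextUpdate has passed, and look up the serial.
func CheckRevocation(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	if now.After(rl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s; fetch a fresh copy from the CDP", rl.NextUpdate.UTC())
	}
	for _, entry := range rl.RevokedCertificates {
		if entry.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, key, err := newTestCA()
	if err != nil {
		panic(err)
	}
	// Revoke serial 42 and publish with the one-week interval typical for a full CRL.
	crl, err := PublishCRL(ca, key, []*big.Int{big.NewInt(42)}, 1, 7*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, s := range []int64{42, 7} {
		revoked, err := CheckRevocation(crl, ca, big.NewInt(s), time.Now())
		fmt.Printf("serial %d: revoked=%v err=%v\n", s, revoked, err)
	}
	// A client that kept the CRL past its publication interval must not rely on it.
	_, err = CheckRevocation(crl, ca, big.NewInt(7), time.Now().Add(8*24*time.Hour))
	fmt.Println("stale copy:", err)
}
```

The client returns an error, not "valid", for a stale or unverifiable list; that is the behaviour the text describes when an updated CRL cannot be located. Delta CRLs are not shown because the standard library only produces base lists.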

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

Windows Server 2008 - Working with Certificate Services

Certificate Services in Windows Server 2008 is an easier venture than ever before. As we look at the components involved in establishing and supporting a PKI in Windows Server 2008, we need to quickly discuss what Certificate Services do for us. In Active Directory and Windows Server 2008, Certificate Services allow administrators to establish and manage the PKI environment. More generally, they allow a trust model to be established within a given organization. The trust model is the framework that will hold all the pieces and components of the PKI in place. Typically, there are two options for a trust model within PKI: a single CA model and a hierarchical model. The certificate services within Windows Server 2008 provide the interfaces and underlying technology to set up and manage both of these types of deployment.



Configuring a Certificate Authority
By definition, a certificate authority is an entity (computer or system) that issues digital certificates of authenticity for use by other parties. With the ever increasing demand for effective and efficient methods to verify and secure communications, the technology market has seen the rise of many trusted third parties. If you have been in the technology field for any length of time, you are likely familiar with many such vendors by name: VeriSign, Entrust, Thawte, GeoTrust, DigiCert and GoDaddy are just a few.

While these companies provide an excellent and useful resource for both the IT administrator and the consumer, companies and organizations desired a way to establish their own certificate authorities. In a third-party, or external, PKI, it is up to the third-party CA to positively verify the identity of anyone requesting a certificate from it. Beginning with Windows 2000, Microsoft has allowed the creation of a trusted internal CA—possibly eliminating the need for an external third party. With a Windows Server 2008 CA, the CA verifies the identity of the user requesting a certificate by checking that user’s authentication credentials (using Kerberos or NTLM). If the credentials of the requesting user check out, a certificate is issued to the user. When the user needs to transmit his or her public key to another user or application, the certificate is then used to prove to the receiver that the public key inside can be used safely.



Certificate Authorities
Certificates are a way to transfer keys securely across an insecure network. If any arbitrary user were allowed to issue certificates, it would be no different than that user simply signing the data. In order for a certificate to be of any use, it must be issued by a trusted entity—an entity that both the sender and receiver trust. Such a trusted entity is known as a Certification Authority (CA). Third-party CAs such as VeriSign or Entrust can be trusted because they are highly visible, and their public keys are well known to the IT community. When you are confident that you hold a true public key for a CA, and that public key properly decrypts a certificate, you are then certain that the certificate was digitally signed by the CA and no one else. Only then can you be positive that the public key contained inside the certificate is valid and safe.

In the analogy we used earlier, the state driver’s licensing agency is trusted because it is known that the agency requires proof of identity before issuing a driver’s license. In the same way, users can trust the certification authority because they know it verifies the authentication credentials before issuing a certificate. Within an organization leveraging Windows Server 2008, several options exist for building this trust relationship. Each of these begins with the decisions made around selecting and implementing certificate authorities. With regard to the Microsoft implementation of PKI, there are at least four major roles or types of certificate authorities to be aware of:

• Enterprise CA
• Standard CA
• Root CA
• Subordinate CA

Believe it or not, beyond this list at least two variations exist: intermediate CAs and leaf CAs, each of which is a type of subordinate CA implementation.



Standard vs. Enterprise
An enterprise CA is tied into Active Directory and is required to use it. In fact, a copy of its own CA certificate is stored in Active Directory. Perhaps the biggest difference between an enterprise CA and a stand-alone CA is that enterprise CAs use Kerberos or NTLM authentication to validate users and computers before certificates are issued. This provides additional security to the PKI because the validation process relies on the strength of the Kerberos protocol, and not a human administrator. Enterprise CAs also use templates.

There are also several downsides to an enterprise CA. In comparison to a stand-alone CA, enterprise CAs are more difficult to maintain and require a much more in-depth knowledge about Active Directory and authentication. Also, because an enterprise CA requires Active Directory, it is nearly impossible to remove it from the network. If you were to do so, the Directory itself would quickly become outdated—making it difficult to resynchronize with the rest of the network when brought back online. Such a situation would force an enterprise CA to remain attached to the network, leaving it vulnerable to attackers.



Root vs. Subordinate Certificate Authorities
As discussed earlier, there are two ways to view PKI trust models: single CA and hierarchical. In a single CA model the PKI is very simple; only one CA is used within the infrastructure. Anyone who needs to trust parties vouched for by the CA is given the public key for the CA. That single CA is responsible for the interactions that ensue when parties request and seek to verify the information for a given certificate.

In a hierarchical model, a root CA functions as a top-level authority over one or more levels of CAs beneath it. The CAs below the root CA are called subordinate CAs. The root CA serves as a trust anchor to all the CAs beneath it and to the users who trust the root CA. A trust anchor is an entity known to be trusted without requiring that it be trusted by going to another party, and therefore can be used as a base for trusting other parties. Since there is nothing above the root CA, no one can vouch for its identity; it must create a self-signed certificate to vouch for itself. With a self-signed certificate, both the certificate issuer and the certificate subject are exactly the same. Being the trust anchor, the root CA must make its own certificate available to all of the users (including subordinate CAs) that will ultimately be using that particular root CA.

Hierarchical models work well in larger hierarchical environments, such as large government organizations or corporate environments. Often, a large organization also deploys a Registration Authority, Directory Services and optionally Timestamping Services alongside a hierarchical approach to PKI. In situations where different organizations are trying to develop a hierarchical model together (such as companies after an acquisition or merger, or partners in a collaboration), a hierarchical model can be very difficult to establish, as both parties must ultimately agree upon a single trust anchor.

When you first set up an internal PKI, no CA exists. The first CA created is known as the root CA, and it can be used to issue certificates to users or to other CAs. As mentioned above, in a large organization there usually is a hierarchy where the root CA is not the only certification authority. In this case, the sole purpose of the root CA is to issue certificates to other CAs in order to establish their authority.

Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher level subordinate CA. Once the subordinate CA receives the certificate, it can control CA policies and/or issue certificates itself, depending on your PKI structure and policies. Sometimes, subordinate CAs also issue certificates to other CAs below them on the tree. These CAs are called intermediate CAs. In most hierarchies, there is more than one intermediate CA. Subordinate CAs that issue certificates to end users, servers, and other entities but do not issue certificates to other CAs are called leaf CAs.
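The hierarchy and trust-anchor behaviour described above, as an added example that is not part of the book's text: a root, an intermediate (subordinate) CA and a leaf certificate are built with Go's standard library (the CA names and the server name are constructed), then the leaf is validated against a trust store holding the root, and again against an empty trust store to show that without the anchor nothing can vouch for the chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // the root: nothing above it, so it vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a CA that may sign certificates and CRLs (names are constructed).
func caTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy returns root, intermediate and leaf: the root is self-signed, the
// intermediate is signed by the root, and the leaf (a server certificate) by the intermediate.
func BuildHierarchy() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := issue(caTemplate(1, "Example Root CA"), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Example Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "server.example.test"},
		DNSNames:    []string{"server.example.test"},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// ChainLength validates leaf against the trust anchors, using intermediates to build
// the path, and returns how many certificates the accepted chain contains.
func ChainLength(leaf *x509.Certificate, intermediates, trustAnchors []*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustAnchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	root, inter, leaf, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("root issuer == subject:", root.Issuer.String() == root.Subject.String())
	n, err := ChainLength(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root})
	fmt.Println("with the root as trust anchor: chain length", n, "err:", err)
	_, err = ChainLength(leaf, []*x509.Certificate{inter}, nil)
	fmt.Println("without the root:", err)
}
```

Only the root has identical issuer and subject. The intermediate is not trusted on its own; it must be supplied to the verifier (or published where clients can find it) so that the path from the leaf back to the anchor can be built.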



Certificate Requests
In order to receive a certificate from a valid issuing CA, a client—computer or user—must request a certificate from a CA.

There are three ways that this request can be made:
• Autoenrollment
• Use of the Certificates snap-in
• Via a web browser

It is very likely that the most common method for requesting a certificate is autoenrollment. A client can also request a certificate by use of the Certificates snap-in. The snap-in can be launched by clicking Start | Run, typing certmgr.msc, and pressing Enter. Note that the Certificates snap-in does not appear in the Administrative Tools folder as the Certification Authority snap-in does after installing certificate services. Once you open the Certificates snap-in, expand the Personal container and right-click the Certificates container beneath it. You can start the Certificate Request Wizard by choosing All Tasks | Request New Certificate….



Certificate Practice Statement
As the use of X.509-based certificates continues to grow, it becomes increasingly important that the management and organization of certificates be as diligent as possible. We know what a digital certificate is and what its critical components are, but a CA can issue a certificate for a number of different reasons. The certificate, then, must indicate exactly what the certificate will be used for. The set of rules that indicates exactly how a certificate may be used (what purpose it can be trusted for, or perhaps the community for which it can be trusted) is called a certificate policy. The X.509 standard defines certificate policies as “a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.”

Different entities have different security requirements. For example, users want a digital certificate for securing e-mail (encrypting incoming messages or signing outgoing mail), Syngress (as other Web vendors do) wants a digital certificate for their online store, and so on. Every user will want to secure their information, and a certificate owner will use the policy information to determine whether they want to accept a certificate.

It is important to have a policy in place to state what the appropriate protocol is for use of certificates—how they are requested, how and when they may be used, etc.—but it is equally as important to explain exactly how to implement those policies. This is where the Certificate Practice Statement (CPS) comes in. A CPS describes how the CA plans to manage the certificates it issues.


Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

Windows Server 2008 - Public Key Functionality

Public key cryptography brings major security technologies to the desktop in the Windows 2000 environment. The network now is provided with the ability to allow users to safely:

• Transmit over insecure channels
• Store sensitive information on any commonly used media
• Verify a person’s identity for authentication
• Prove that a message was generated by a particular person
• Prove that the received message was not tampered with in transit

Algorithms based on public keys can be used for all these purposes. The most popular public key algorithm is the standard RSA, which is named after its three inventors: Rivest, Shamir, and Adleman. The RSA algorithm is based on two prime numbers with more than 200 digits each. An attacker would have to take the ciphertext and the public key and factor the product of the two primes. As computing power increases, RSA remains secure by increasing the key length, unlike the DES algorithm, which has a fixed key length.

Public key algorithms provide privacy, authentication, and easy key management, but they encrypt and decrypt data slowly because of the intensive computation required. RSA has been evaluated to be from 10 to 10,000 times slower than DES in some environments, which is a good reason not to use public key algorithms for bulk encryption.



Digital Signatures
Document letterhead can be easily created on a computer, so forgery is a security issue. When information is sent electronically, no human contact is involved. The receiver wants to know that the person listed as the sender is really the sender and that the information received has not been modified in any way during transit. A hash algorithm is implemented to guarantee the Windows 2000 user that the data is authentic. A hash value encrypted with a private key is called a digital signature. Anyone with access to the corresponding public key can verify the authenticity of a digital signature. Only a person having a private key can generate digital signatures. Any modification makes a digital signature invalid.

The purpose of a digital signature is to prevent changes within a document from going unnoticed and also to identify the signer as the original author. The document itself is not encrypted. The digital signature is just data sent along with the document that guarantees the document has not been tampered with. A change of any size invalidates the digital signature.

When King Henry II had to send a message to his troops in a remote location, the letter would be sealed with wax, and while the wax was still soft the king would use his ring to make an impression in it. No modification occurred to the original message if the seal was never broken during transit. There was no doubt that King Henry II had initiated the message, because he was the only person possessing a ring that matched the waxed imprint. Digital signatures work in a similar fashion in that only the sender’s public key can authenticate both the original sender and the content of the document.

The digital signature is generated by a message digest, which is a number generated by taking the message and using a hash algorithm. A message digest is regarded as a fingerprint and can range from a 128-bit number to a 256-bit number. A hash function takes variable-length input and produces a fixed-length output. The message is first processed with a hash function to produce a message digest. This value is then signed by the sender’s private key, which produces the actual digital signature. The digital signature is then added to the end of the document and sent to the receiver along with the document.

Since the mere presence of a digital signature proves nothing, verification must be mathematically proven. In the verification process, the first step is to use the corresponding public key to decrypt the digital signature. The result is a 128-bit number. The original message is then processed with the same hash function used earlier, which yields a message digest. The two resulting 128-bit numbers are compared, and if they are equal, you receive notification of a good signature. If a single character has been altered, the two 128-bit numbers will differ, indicating that a change has been made to the document, which itself was never encrypted.
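The digest-sign-verify sequence just described, as an added example that is not from the book: Go's standard library computes a SHA-256 message digest of a constructed document, signs the digest with an RSA private key (PKCS#1 v1.5, the scheme in which the signature is the digest transformed under the private key), and lets the receiver recompute the digest and check it against the signature with the public key. Changing a single character of the document makes the signature fail to verify. The document text and the 2048-bit key are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewSignerKey generates the signer's key pair (constructed; in a PKI it would come
// from the certificate store).
func NewSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Digest is the message digest: SHA-256 reduces a document of any length to 256 bits.
func Digest(document []byte) [32]byte {
	return sha256.Sum256(document)
}

// DigestHex renders the digest the way tools usually display it.
func DigestHex(document []byte) string {
	d := Digest(document)
	return hex.EncodeToString(d[:])
}

// Sign produces the digital signature: the digest of the document is transformed with
// the signer's private key. Only the private key holder can produce this value.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	d := Digest(document)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verify recomputes the digest of the received document and checks, with the signer's
// public key, that the signature was produced over exactly that digest.
func Verify(pub *rsa.PublicKey, document, signature []byte) bool {
	d := Digest(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], signature) == nil
}

func main() {
	priv, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	document := []byte("Purchase order 1234: ship 10 units to warehouse B.") // constructed
	sig, err := Sign(priv, document)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest:          ", DigestHex(document))
	fmt.Println("original verifies:", Verify(&priv.PublicKey, document, sig))
	altered := []byte("Purchase order 1234: ship 19 units to warehouse B.") // one character changed
	fmt.Println("altered digest:   ", DigestHex(altered))
	fmt.Println("altered verifies: ", Verify(&priv.PublicKey, altered, sig))
}
```

The digest here is 256 bits; the 128-bit figure in the text corresponds to MD5. The document itself is sent in the clear, exactly as the text says: the signature protects integrity and origin, not confidentiality.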



Authentication
Public key cryptography can provide authentication instead of privacy. In Windows 2000, a challenge is sent by the receiver of the information. The challenge can be implemented in one of two ways. The information is authenticated because only the corresponding private key could have encrypted the information that the public key is successfully decrypting.

In the first authentication method, a challenge to authenticate involves sending an encrypted challenge to the sender. The challenge is encrypted by the receiver, using the sender’s public key. Only the corresponding private key can successfully decode the challenge. When the challenge is decoded, the sender sends the plaintext back to the receiver. This is the proof for the receiver that the sender is truly the sender. For example, when Alice receives a document from Bob, she wants to authenticate that the sender is really Bob. She sends an encrypted challenge to Bob, using his public key. When he receives the challenge, Bob uses his private key to decrypt the information.

The decrypted challenge is then sent back to Alice. When Alice receives the decrypted challenge, she is convinced that the document she received is truly from Bob. The second authentication method uses a challenge that is sent in plaintext. The receiver, after receiving the document, sends a challenge in plaintext to the sender. The sender receives the plaintext challenge and adds some information before adding a digital signature.

The challenge and digital signature now head back to the receiver. The digital signature is generated by using a hash function and then encrypting the result with a private key, so the receiver must use the sender’s public key to verify the digital signature. If the signature is good, the original document and sender have at this point been verified mathematically.
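Both challenge styles described above, as an added example that is not from the book, with both sides' messages written out: in method 1 the receiver (Alice) encrypts a random challenge under Bob's public key and Bob proves he holds the private key by returning the plaintext; in method 2 the challenge goes out in plaintext and Bob returns it with added information under his signature. The names, the 2048-bit RSA keys and the 32-byte challenges are constructed; RSA-OAEP and PKCS#1 v1.5 signatures from Go's standard library are assumed in place of whatever Windows 2000 used internally.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Party is a participant holding its own key pair (constructed for the example); the
// other side is assumed to know its public key from a certificate.
type Party struct {
	Name string
	key  *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, key: key}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.key.PublicKey }

// Method 1, receiver side: a fresh random value is encrypted under the claimed
// sender's public key; the receiver keeps the plaintext to compare with the reply.
func NewEncryptedChallenge(senderPub *rsa.PublicKey) (secret, ciphertext []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, senderPub, secret, nil)
	return secret, ciphertext, err
}

// Method 1, sender side: only the holder of the matching private key can recover the
// plaintext to send back.
func (p *Party) AnswerEncryptedChallenge(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ciphertext, nil)
}

// ChallengeAnswered is the receiver's final check, done in constant time.
func ChallengeAnswered(secret, answer []byte) bool {
	return subtle.ConstantTimeCompare(secret, answer) == 1
}

// Method 2, receiver side: the challenge travels in plaintext.
func NewPlainChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Method 2, sender side: the challenge plus added information is hashed and the
// digest is signed with the private key.
func (p *Party) SignChallenge(challenge []byte, info string) (message, signature []byte, err error) {
	message = append(append([]byte{}, challenge...), info...)
	digest := sha256.Sum256(message)
	signature, err = rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
	return message, signature, err
}

// Method 2, receiver side: the reply must contain the very challenge that was sent
// (a reply to an earlier challenge is rejected) and verify under the sender's public key.
func VerifySignedChallenge(senderPub *rsa.PublicKey, challenge, message, signature []byte) bool {
	if !bytes.HasPrefix(message, challenge) {
		return false
	}
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	bob, err := NewParty("Bob")
	if err != nil {
		panic(err)
	}
	// Alice, the receiver, authenticates Bob with method 1 ...
	secret, ct, err := NewEncryptedChallenge(bob.Public())
	if err != nil {
		panic(err)
	}
	answer, _ := bob.AnswerEncryptedChallenge(ct)
	fmt.Println("method 1, Bob authenticated:", ChallengeAnswered(secret, answer))
	// ... and with method 2.
	challenge, _ := NewPlainChallenge()
	msg, sig, _ := bob.SignChallenge(challenge, " signed by Bob")
	fmt.Println("method 2, Bob authenticated:", VerifySignedChallenge(bob.Public(), challenge, msg, sig))
}
```

In both methods the receiver generates a fresh random challenge each time, so a captured reply is useless for a later authentication; the verifier in method 2 checks that the signed message begins with the challenge it actually sent.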



Secret Key Agreement via Public Key
The PKI of Windows 2000 permits two parties to agree on a secret key while they use nonsecure communication channels. Each party generates half the shared secret key by generating a random number, which is sent to the other party after being encrypted with the other party’s public key. Each receiving side then decrypts the ciphertext using a private key, which will result in the missing half of the secret key. By adding both random numbers together, each party will have an agreed-upon shared secret key, which can then be used for secure communication even though the secret key was first obtained through a nonsecure communication channel.
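The half-and-half key agreement above, as an added example not taken from the book: each endpoint generates 32 random bytes, sends them to the peer encrypted with the peer's public key (RSA-OAEP here), decrypts the half it receives and combines the two. The text says the halves are "added together"; this code XORs them, an assumption chosen so that both sides compute the same value regardless of who sent first. The public keys are assumed to be authentic, as they would be when taken from certificates; the key pairs are generated on the spot.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const halfLen = 32 // each party contributes 32 random bytes

// Endpoint is one of the two parties. Its public key is assumed to reach the peer
// through a certificate; the key pair here is generated on the spot (constructed).
type Endpoint struct {
	priv *rsa.PrivateKey
	half []byte // this party's random contribution
}

func NewEndpoint() (*Endpoint, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	half := make([]byte, halfLen)
	if _, err := rand.Read(half); err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv, half: half}, nil
}

func (e *Endpoint) Public() *rsa.PublicKey { return &e.priv.PublicKey }

// SendHalf encrypts this party's half for the peer. Only the peer's private key can
// open it, so an observer of the channel learns nothing about the half.
func (e *Endpoint) SendHalf(peer *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, e.half, nil)
}

// DeriveKey decrypts the peer's half and combines it with its own. XOR stands in for
// the text's "adding": it is order-independent, so both sides obtain the same key.
func (e *Endpoint) DeriveKey(encryptedPeerHalf []byte) ([]byte, error) {
	peerHalf, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, encryptedPeerHalf, nil)
	if err != nil {
		return nil, err
	}
	if len(peerHalf) != halfLen {
		return nil, fmt.Errorf("peer half has %d bytes, want %d", len(peerHalf), halfLen)
	}
	key := make([]byte, halfLen)
	for i := range key {
		key[i] = e.half[i] ^ peerHalf[i]
	}
	return key, nil
}

// AgreeKey runs the exchange between two fresh endpoints over the (insecure) channel
// and returns what each side derived; the two results must be identical.
func AgreeKey() ([]byte, []byte, error) {
	alice, err := NewEndpoint()
	if err != nil {
		return nil, nil, err
	}
	bob, err := NewEndpoint()
	if err != nil {
		return nil, nil, err
	}
	// Each side sends its half protected by the other side's public key.
	toBob, err := alice.SendHalf(bob.Public())
	if err != nil {
		return nil, nil, err
	}
	toAlice, err := bob.SendHalf(alice.Public())
	if err != nil {
		return nil, nil, err
	}
	aliceKey, err := alice.DeriveKey(toAlice)
	if err != nil {
		return nil, nil, err
	}
	bobKey, err := bob.DeriveKey(toBob)
	return aliceKey, bobKey, err
}

func main() {
	a, b, err := AgreeKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("Alice:", hex.EncodeToString(a))
	fmt.Println("Bob:  ", hex.EncodeToString(b))
}
```

Because each half is protected by the recipient's public key, only the two legitimate private-key holders can reconstruct the combined value; what crosses the channel is two ciphertexts.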



Bulk Data Encryption without Prior Shared Secrets
The final major feature of public key technology is that it can encrypt bulk data without generating a shared secret key first. The biggest disadvantage of using asymmetric algorithms for encryption is the slowness of the overall process, which results from the necessary intense computations; the largest disadvantage of using symmetric algorithms for encryption of bulk data is the need for a secure communication channel for exchanging the secret key. The Windows 2000 operating system combines symmetric and asymmetric algorithms to get the best of both worlds at just the right moment.

For a large document that must be kept secret, a session key is used to scramble the document, because secret key encryption is the quickest method to use for bulk data. To protect the session key, which is the secret key needed to decrypt the protected data, the sender encrypts this small item quickly by using the receiver’s public key. This encryption of the session key is handled by asymmetric algorithms, which use intense computation but do not require much time, due to the small size of the session key. The document, along with the encrypted session key, is then sent to the receiver. Only the intended receiver will possess the correct private key to decode the session key, which is needed to decode the actual document. Once the session key has been recovered in plaintext, it is applied to the ciphertext of the bulk data to transform the bulk data back into plaintext.
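The session-key envelope described in the last two paragraphs, as an added example that is not the book's code: AES-256-GCM encrypts the bulk document under a random session key, RSA-OAEP wraps that session key for the receiver, and the receiver reverses the two steps. The document and the 2048-bit receiver key are constructed; Open returns an error rather than plaintext when the wrong private key is used or when the ciphertext has been modified in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels to the receiver: the document under the session key, and
// the session key under the receiver's public key.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP under the receiver's public key
	Nonce      []byte // AES-GCM nonce, unique per session key
	Ciphertext []byte // document encrypted and integrity-protected with AES-256-GCM
}

// NewReceiverKey generates the receiver's key pair (constructed for the example).
func NewReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM turns a 32-byte session key into an AES-256-GCM cipher.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a large document with a fresh symmetric session key (fast, bulk) and
// protects only the small session key with the receiver's public key (slow, tiny input).
func Seal(receiverPub *rsa.PublicKey, document []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, document, nil)}, nil
}

// Open recovers the session key with the receiver's private key, then uses it to
// decrypt the document. GCM also detects any modification of the ciphertext.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key cannot be unwrapped with this private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	document, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("document rejected: ciphertext or nonce was modified")
	}
	return document, nil
}

func main() {
	receiver, err := NewReceiverKey()
	if err != nil {
		panic(err)
	}
	document := bytes.Repeat([]byte("confidential quarterly figures\n"), 2000) // constructed bulk data
	env, err := Seal(&receiver.PublicKey, document)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	out, err := Open(receiver, env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(out, document))
}
```

The asymmetric operation is applied once to 32 bytes no matter how large the document is, which is exactly the division of labour the text describes.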

The Windows Server 2008 PKI does many things behind the scenes. Thanks in part to autoenrollment and certificate stores (places where certificates are kept after their creation), some PKI-enabled features such as EFS work with no user intervention at all. Others, such as IPSec, require significantly less work than would be required without an advanced operating system. Even though a majority of the PKI is handled by the server, it is still instructive to have an overview of how certificate services work.

1. First, a system or user generates a public/private key pair and then a certificate request.

2. The certificate request, which contains the public key and other identifying information such as user name, is forwarded on to a CA.

3. The CA verifies the validity of the public key. If it is verified, the CA issues the certificate.

4. Once issued, the certificate is ready for use and is kept in the certificate store, which can reside in Active Directory. Applications that require a certificate use this central repository when necessary.

In practice, it isn’t terribly difficult to implement certificate services, as the following sidebar shows. Configuring the CA requires a bit more effort, as does planning the structure and hierarchy of the PKI—especially if you are designing an enterprise-wide solution.

In our previous discussion of public and private key pairs, two users wanted to exchange confidential information and did so by having one user encrypt the data with the other user’s public key. We then discussed digital signatures, where the sending user “signs” the data by using his or her private key. Did you notice the security vulnerability in these methods?



User Certificates
Of the three general types of certificates found in a Windows PKI, the user certificate is perhaps the most common. User certificates are certificates that enable the user to do something that would not be otherwise allowed. The Enrollment Agent certificate is one example. Without it, even an administrator is not able to enroll smart cards and configure them properly at an enrollment station. Under Windows Server 2008, required user certificates can be requested automatically by the client and subsequently issued by a certification authority (discussed below) with no user intervention necessary.



Machine Certificates
Also known as computer certificates, machine certificates (as the name implies) give the system—instead of the user—the ability to do something out of the ordinary. The main purpose for machine certificates is authentication, both client-side and server-side. As stated earlier, certificates are the main vehicle by which public keys are exchanged in a PKI. Machine certificates are mainly involved with these behind-the-scenes exchanges, and are normally overseen by the operating system. Machine certificates have been able to take advantage of Windows’ autoenrollment feature since Windows 2000 Server was introduced.



Application Certificates
The term application certificate refers to any certificate that is used with a specific PKI-enabled application. Examples include IPSec and S/MIME encryption for e-mail. Applications that need certificates are generally configured to automatically request them, and are then placed in a waiting status until the required certificate arrives. Depending upon the application, the network administrator or even the user might have the ability to change or even delete certificate requests issued by the application.

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

Windows Server 2008 - How Certificates Work

Before we delve into the inner workings of a certificate, let’s discuss what a certificate actually is in layman’s terms. In PKI, a digital certificate is a tool used for binding a public key with a particular owner. A great comparison is a driver’s license. Consider the information listed on a driver’s license:

• Name
• Address
• Date of birth
• Photograph
• Signature
• Social security number (or another unique number such as a state issued license number)
• Expiration date
• Signature/certification by an authority (typically from within the issuing state’s government body)

The information on a state photo driver’s license is significant because it provides crucial information about the owner of that particular item. The signature from the state official serves as a trusted authority for the state, certifying that the owner has been verified and is legitimately allowed to be behind the wheel of a car. Anyone, like an officer, who wishes to verify a driver’s identity and right to travel from one place to another by automobile need only ask for and review the driver’s license. In some cases, the officer might even call or reference that license number just to ensure it is still valid and has not been revoked.

A digital certificate in PKI serves the same function as a driver’s license. Various systems and checkpoints may require verification of the owner’s identity and status and will reference the trusted third party for validation. It is the certificate that enables this quick hand-off of key information between the parties involved.

The information contained in the certificate is actually part of the X.509 certificate standard. X.509 is actually an evolution of the X.500 directory standard. Initially intended to provide a means of developing easy-to-use electronic directories of people that would be available to all Internet users, it became a directory and mail standard for a very commonly known mail application: Microsoft Exchange 5.5. The X.500 directory standard specifies a common root of a hierarchical tree, although the “tree” is inverted: the root of the tree is depicted at the “top” level while the other branches—called “containers”—are below it. Several of these types of containers exist with a specific naming convention. In this naming convention, each portion of a name is specified by the abbreviation of the object type or container it represents. For example, a CN= before a username represents a “common name,” a C= precedes a “country,” and an O= precedes an “organization.” These elements are worth remembering as they will appear not only in discussions about X.500 and X.509, but they are ultimately the basis for the scheme of Microsoft’s premier directory service, Active Directory.

X.509 is the standard used to define what makes up a digital certificate. Within this standard, a description is given for a certificate as allowing an association between a user’s distinguished name (DN) and the user’s public key. The DN is specified by a naming authority (NA) and used as a unique name by the certificate authority (CA) who will create the certificate.



X.509 Certificate Data

• Serial Number. A unique identifier assigned by the issuer.

• Subject. The name of the person or company that is being identified, sometimes listed as “Issued To”.

• Signature Algorithm. The algorithm the issuer used to create the signature.

• Issuer. The trusted authority that verified the information and generated the certificate, sometimes listed as “Issued By”.

• Valid From. The date the certificate was activated.

• Valid To. The last day the certificate can be used.

• Public Key. The public key that corresponds to the subject’s private key.

• Thumbprint Algorithm. The hash algorithm used to produce the thumbprint.

• Thumbprint. A hash over the whole certificate that positively identifies it. If there is ever a question about the authenticity of a certificate, check this value with the issuer.
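The following PowerShell is an added example, not from the book, that reads each field listed above from a certificate file and then recomputes the thumbprint by hand. It shows the point the list only hints at: the thumbprint is not stored inside the certificate at all; Windows derives it as the SHA-1 hash of the certificate’s DER encoding, which is why comparing it with the issuer’s published value is meaningful. The file path is hypothetical; the script assumes PowerShell 2.0 or later with the .NET Framework on Windows Server 2008.

```powershell
# Added example, not from the book. Reads the X.509 fields listed above and
# shows that the thumbprint is computed (SHA-1 over the DER bytes), not stored.
# Assumption: $CertPath is a hypothetical path to a .cer file (DER or Base64).
$CertPath = "C:\certs\webserver.cer"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
# To pick one from the local machine store instead:
#   $cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1

# The fields from the list above, in the order the Windows certificate dialog shows them
$fields = @(
    "SerialNumber",
    @{ Name = "Subject (Issued To)"; Expression = { $_.Subject } },
    @{ Name = "SignatureAlgorithm";  Expression = { $_.SignatureAlgorithm.FriendlyName } },
    @{ Name = "Issuer (Issued By)";  Expression = { $_.Issuer } },
    @{ Name = "ValidFrom";           Expression = { $_.NotBefore } },
    @{ Name = "ValidTo";             Expression = { $_.NotAfter } },
    @{ Name = "PublicKey";           Expression = { $_.PublicKey.Oid.FriendlyName } },
    @{ Name = "ThumbprintAlgorithm"; Expression = { "sha1" } },   # what X509Certificate2.Thumbprint uses
    "Thumbprint"
)
$cert | Select-Object $fields | Format-List

# Recompute the thumbprint independently from the raw certificate bytes and compare
$sha1     = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
$digest   = $sha1.ComputeHash($cert.RawData)
$computed = [BitConverter]::ToString($digest) -replace "-", ""
if ($computed -eq $cert.Thumbprint) {
    "Thumbprint $computed is the SHA-1 of the DER encoding; compare it with the value the issuer publishes"
} else {
    "Thumbprint mismatch: the certificate object and its raw bytes disagree"
}

# The validity window is only part of the check; revocation status is a separate
# question answered by the issuer's CRL or OCSP responder
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    "Certificate is outside its validity period ({0} to {1})" -f $cert.NotBefore, $cert.NotAfter
}
```

Because the hash covers the whole DER structure, any change to any field (including the issuer’s signature) changes the thumbprint, which is what makes it usable as an identifier. SHA-1 is no longer collision resistant, so for anything stronger than a lookup key (pinning or an allow-list) hash `RawData` with `SHA256CryptoServiceProvider` instead of relying on the SHA-1 value Windows displays.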

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

PKI Enhancements in Windows Server 2008

Windows Server 2008 introduces many enhancements that make a PKI easier to implement and, for developers, easier to build on. Some of these improvements extend to the clients, such as the Windows Vista operating system. Overall, these improvements have increased the manageability of Windows PKI. For example, the revocation services have been redesigned, and the attack surface of enrollment has decreased. The following list items include the major highlights:

• Enterprise PKI (PKIView). PKIView is a Microsoft Management Console (MMC) snap-in for Windows Server 2008. It can be used to monitor and analyze the health of the certificate authorities and to view details for each CA certificate published in Active Directory Certificate Services.

• Web Enrollment. First introduced in Windows 2000 Server, the Web enrollment control has been rewritten for Windows Server 2008: it is more secure, easier to drive from scripts, and easier to update than previous versions.

• Network Device Enrollment Service (NDES). In Windows Server 2008, this service is Microsoft’s implementation of the Simple Certificate Enrollment Protocol (SCEP), a protocol that lets software running on network devices, such as routers and switches that have no domain account and cannot otherwise be authenticated on the network, enroll for X.509 certificates from a certificate authority.

• Online Certificate Status Protocol (OCSP). In cases where conventional CRLs (Certificate Revocation Lists) are not an optimal solution, Online Responders can be configured on a single computer or in an Online Responder Array to manage and distribute revocation status information.

• Group Policy and PKI. New certificate settings in Group Policy now enable administrators to manage certificate settings from a central location for all the computers in the domain.

• Cryptography Next Generation. Leveraging the U.S. government’s Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing, Cryptography Next Generation (CNG) offers a flexible development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol Security (IPSec).
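The revocation features listed above (CRLs and the new Online Responders) are consumed by the Windows chain engine, the same component Internet Explorer, IIS and the Certificates snap-in use to decide whether a certificate is trustworthy. As an added example, not from the book, the PowerShell below drives that engine directly through X509Chain with online revocation checking, which is a quick way to confirm from a client that the CRL distribution point or OCSP responder named in a certificate is actually reachable and answering. The certificate path is hypothetical; the script assumes PowerShell 2.0 or later and network access to the URLs in the certificate.

```powershell
# Added example, not from the book. Builds and validates a certificate chain with
# online revocation checking (CRL, or OCSP where the certificate's Authority
# Information Access extension names a responder and the client supports it,
# as Vista and Windows Server 2008 do).
# Assumption: $CertPath is a hypothetical path to the leaf certificate to check.
$CertPath = "C:\certs\webserver.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Where does this certificate say its revocation data lives?
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq "2.5.29.31")         { "CRL Distribution Points:`n" + $ext.Format($true) }
    if ($ext.Oid.Value -eq "1.3.6.1.5.5.7.1.1") { "Authority Information Access (OCSP / issuer cert):`n" + $ext.Format($true) }
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = "Online"       # fetch the CRL / ask OCSP now ("Offline" uses the cache, "NoCheck" skips it)
$chain.ChainPolicy.RevocationFlag      = "EntireChain"  # check every CA in the path, not only the leaf
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan(0, 0, 20)
$chain.ChainPolicy.VerificationFlags   = "NoFlag"       # do not ignore any error

$valid = $chain.Build($cert)
"Chain builds cleanly: $valid"

# One line per certificate in the path (leaf first, root last) with any per-element problems
foreach ($element in $chain.ChainElements) {
    $status = $element.ChainElementStatus | ForEach-Object { $_.Status }
    if (-not $status) { $status = "OK" }
    "  {0}`n      {1}" -f $element.Certificate.Subject, ($status -join ", ")
}

# Fail closed: an unreachable CRL or OCSP responder is not the same as "not revoked"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
$revoked = $chain.ChainStatus | Where-Object { $_.Status -eq "Revoked" }
$unknown = $chain.ChainStatus | Where-Object { $_.Status -match "RevocationStatusUnknown|OfflineRevocation" }
if     ($revoked) { "RESULT: revoked, do not trust" }
elseif ($unknown) { "RESULT: revocation could not be checked, treat as untrusted until the responder is reachable" }
elseif ($valid)   { "RESULT: trusted" }
else              { "RESULT: untrusted (see status above)" }
$chain.Reset()
```

PKIView shows this picture from the CA side; the script shows it from the client side, which is where a stale CRL or an unreachable Online Responder actually bites. CryptoAPI caches downloaded CRLs and OCSP responses, so clear the cache with `certutil -urlcache crl delete` before repeating a test if you want to see a fresh fetch.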

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

The Function and Components of PKI

The Function of the PKI
The primary function of the PKI is to address the need for privacy and trust throughout a network: who is really on the other end of a connection, whether data was altered in transit, and who can read it. For the administrator, there are many areas that need to be secured. Internal and external authentication, encryption of stored and transmitted files, and e-mail privacy are just a few examples. The infrastructure that Windows Server 2008 provides links many different public key technologies in order to give the IT administrator the power necessary to maintain a secure network.

Most of the functionality of a Windows Server 2008-based PKI comes from a few crucial components, which are described in this chapter. Although there are several third-party vendors such as VeriSign (www.verisign.com) that offer similar technologies and components, using Windows Server 2008 can be a less costly and easier to implement option, especially for small and medium-sized companies.



Components of PKI
In today’s network environments, key pairs are used in a variety of different functions.
This series will likely cover topics such as virtual private networks (VPNs), digital signatures, access control (SSH), secure e-mail (PGP—mentioned already—and S/MIME), and secure Web access (Secure Sockets Layer, or SSL). Although these technologies are varied in purpose and use, each includes an implementation of PKI for managing trusted communications between a host and a client.

While PKI exists at some level within the innards of several types of communications technologies, its form can change from implementation to implementation. As such, the components necessary for a successful implementation can vary depending on the requirements, but in public key cryptography there is always:
• A private key
• A public key
• A trusted third party (TTP)

Since a public key must be associated with the name of its owner, a data structure known as a public key certificate is used. The certificate typically contains the owner’s name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer’s policies, and possibly other affiliate information that identifies the certificate issuer with an organization such as an employer or other institution.

In practice, the public key travels inside a certificate, while the private key never leaves its owner; it is stored in a protected key container or hardware token, not in any certificate. The trusted third party is commonly known as the certificate authority (CA). The CA’s own certificate, and its revocation information, must be available both to the owner who enrolls for a certificate and to the relying party who later validates it. Entire hierarchies can exist within a public key infrastructure to support the use of multiple certificate authorities.

In addition to certificate authorities and the public and private key certificates they publish, there are a collection of components and functions associated with the management of the infrastructure. As such, a list of typical components required for a functional public key infrastructure would include but not be limited to the following:

• Digital certificates
• Certification authorities
• Certificate enrollment
• Certificate revocation
• Encryption/cryptography services

Although we have already covered digital certificates and certificate authorities at a high level, it will be well worth our time to revisit these topics. In the sections to follow, we will explore each of the aforementioned topics in greater detail.
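The three things every public key system has (a private key, a public key, and a trusted party that vouches for the binding between the key and a name) are easiest to see with a bare key pair before any CA is involved. The PowerShell below is an added example, not from the book: it generates one RSA key pair, signs a message with the private half, verifies it with only the public half, and shows a one-character change to the message failing verification. The message text is made up; the script assumes PowerShell 2.0 or later on Windows.

```powershell
# Added example, not from the book. Shows what the private key and the public key
# each do before a CA gets involved. Assumption: PowerShell 2.0+ on Windows; the
# message text is hypothetical.

# PROV_RSA_AES (provider type 24) is required for SHA-2 signatures with the CryptoAPI provider
function New-RsaProvider {
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.ProviderType = 24
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
    $rsa.PersistKeyInCsp = $false   # keep the test key out of the on-disk key container
    return $rsa
}

# 1. The owner generates a key pair and keeps the private half
$owner      = New-RsaProvider
$privateXml = $owner.ToXmlString($true)    # contains D, P, Q ...: never leaves the owner
$publicXml  = $owner.ToXmlString($false)   # Modulus and Exponent only: safe to publish

# 2. The owner signs a message with the private key
$message   = [System.Text.Encoding]::UTF8.GetBytes("transfer 100 EUR to account 1234")
$signature = $owner.SignData($message, "SHA256")

# 3. Anyone holding only the public key can verify the signature ...
$verifier = New-RsaProvider
$verifier.FromXmlString($publicXml)        # no private material is imported here
"Original message verifies: {0}" -f $verifier.VerifyData($message, "SHA256", $signature)

# ... and detects a single changed character
$tampered = [System.Text.Encoding]::UTF8.GetBytes("transfer 900 EUR to account 1234")
"Tampered message verifies: {0}" -f $verifier.VerifyData($tampered, "SHA256", $signature)

# 4. What is still missing is a binding of $publicXml to a name. That binding,
#    signed by the trusted third party, is exactly what a certificate is.
$owner.Clear()
$verifier.Clear()
```

The verifier learns that the holder of the private key signed these exact bytes and nothing else; it has no idea who that holder is. Step 4 is where the certificate authority earns its place in the list of components: it signs a statement that ties the public key to a subject name, and a relying party that trusts the CA can then trust the name.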

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

Windows Server 2008 - Understanding resources

Computers provide a number of resources. Some resources are dynamic. When you start an application, it allocates memory from a pool of memory that the server provides. However, other resources are static. The server allocates the resources to address specific needs. Most hardware uses static resources in one of four categories:

• Memory
• I/O
• IRQ
• DMA

The hardware relies on the memory to perform tasks, just as applications do. For example, a display adapter uses memory to store images that you eventually see on the monitor. The processor communicates with a particular piece of hardware using a specific I/O address. When a piece of hardware needs to communicate with the processor, it relies on an IRQ. Hardware may also need to transfer data from its own, “personal” memory to the system memory using DMA. DMA provides data transfers between main memory and device memory without interrupting the CPU.

You can view resources by type or connection. Sometimes you want to view the resources used by a particular device. In this case, right-click the device you want to view and choose Properties from the context menu. Select the Resources tab and you see a listing of the resources used by that device.

Notice that this device, the Standard VGA Graphics Adapter, has both memory and I/O range resource requirements. In addition, the system tells you that this device isn’t conflicting with any other device on the system, which means that no two devices require the same memory or I/O range.

All the entries you see are in hexadecimal (base 16) because that’s how the computer thinks about the resources. If you ever need to change any of the resource settings, you also need to think in hexadecimal. Normally, hexadecimal entries appear with 0x in front of them. For example, 0xF is a hexadecimal value with the decimal value 15. However, all values in Device Manager are in hexadecimal, even if they aren’t preceded by 0x.

Most devices have standardized settings. For example, communications port 1 (COM1) normally uses an I/O range of 0x03F8 to 0x03FF and an IRQ of 4. A standard computer can have up to four COM ports, each of which has its own standard settings. The same statement holds true for parallel (LPT) ports and many other devices. Windows stores these settings in the information (INF) files associated with the device. If you need to use an alternative setting, clear the Use Automatic Settings option and you find that you can choose from one of the recognized alternatives. In this case, the COM port can use one of eight alternative settings.

In very rare circumstances, you can provide custom settings for a particular device. To make this happen, you must clear the Use Automatic Settings option and choose one of the resources. For example, you might choose to change the IRQ for the COM port. Click Change Settings and you see an Edit Interrupt Request dialog box, where you can choose a different IRQ. Device Manager tells you whether any other devices are using the setting you choose. In some cases, you might have to disable one device to make room for another — although this, too, is extremely rare when working with Windows Server 2008.


The settings you change in Device Manager aren’t arbitrary. The hardware must have the required configuration to accept the new settings. For example, if a serial card has settings for only IRQ 3 and IRQ 4, then you can’t set the card for IRQ 5 in Device Manager and expect it to work. The settings in Device Manager define the physical interface between the Windows drivers and the hardware. Normally, you want to stick with the automatic settings when you can, and use the standard configurations provided by the device vendor when the automatic configuration fails. Avoid providing custom settings unless you truly know which settings the device accepts.


An easy technique for converting between hexadecimal and decimal
Most people don’t think about numbers in hexadecimal. In fact, making the transition can prove difficult, even when you need to use hexadecimal for every task. Fortunately, Windows provides an easy method of converting between decimal and hexadecimal: the Calculator utility. To start this utility, choose Start -> Programs -> Accessories -> Calculator. When you see the Calculator utility, choose View -> Scientific. Notice that Calculator view changes to include a number of new features, including Hex and Dec options. Conversions are easy: To convert a number from decimal to hexadecimal, click Dec, type the decimal value you want to convert, and then click Hex. The number automatically changes from decimal to hexadecimal form. Likewise, if you want to convert a number from hexadecimal to decimal, click Hex, type the hexadecimal value you want to convert, and then click Dec.
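The resource listing and the hexadecimal conversion described above can both be done from a script, which is handy when you want the resource map of a server you cannot sit in front of. The following PowerShell is an added example, not from the book: it reads the same Plug and Play data Device Manager displays through WMI, prints I/O and memory ranges in hexadecimal, and flags a port or memory range that two devices both claim. The device name filter is hypothetical; the script assumes an elevated PowerShell 2.0 or later session on the server itself.

```powershell
# Added example, not from the book. Lists the static resources a device holds
# (memory, I/O, IRQ, DMA) from the Plug and Play data Device Manager reads,
# prints addresses in hexadecimal, and flags identical port or memory ranges
# claimed by two devices. Assumptions: elevated PowerShell 2.0+ on the server;
# $DevicePattern is a hypothetical filter on the device name.
$DevicePattern = "Communications Port"

# Decimal <-> hexadecimal without the Calculator utility
function ConvertTo-Hex([uint64]$Value)  { "0x{0:X4}" -f $Value }
function ConvertFrom-Hex([string]$Text) { [Convert]::ToUInt64(($Text -replace "^0x", ""), 16) }

$entities    = Get-WmiObject Win32_PnPEntity
$allocations = Get-WmiObject Win32_PnPAllocatedResource   # Dependent = device path, Antecedent = resource path

foreach ($dev in ($entities | Where-Object { $_.Name -like "*$DevicePattern*" })) {
    "{0}  [{1}]" -f $dev.Name, $dev.DeviceID
    # WMI object paths double the backslashes that appear in the device ID
    $needle = [regex]::Escape($dev.DeviceID.Replace("\", "\\"))
    foreach ($alloc in ($allocations | Where-Object { $_.Dependent -match $needle })) {
        $res = [wmi]$alloc.Antecedent
        switch ($res.__CLASS) {
            "Win32_IRQResource"         { "    IRQ     {0}" -f $res.IRQNumber }
            "Win32_PortResource"        { "    I/O     {0} - {1}" -f (ConvertTo-Hex $res.StartingAddress), (ConvertTo-Hex $res.EndingAddress) }
            "Win32_DeviceMemoryAddress" { "    Memory  {0} - {1}" -f (ConvertTo-Hex $res.StartingAddress), (ConvertTo-Hex $res.EndingAddress) }
            "Win32_DMAChannel"          { "    DMA     {0}" -f $res.DMAChannel }
        }
    }
}

# A port or memory range allocated to two devices is the conflict Device Manager
# warns about. IRQ sharing on PCI is normal, so IRQs are deliberately not flagged.
$allocations |
    Where-Object { $_.Antecedent -match "Win32_PortResource|Win32_DeviceMemoryAddress" } |
    Group-Object Antecedent |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        "CONFLICT on {0}" -f $_.Name
        $_.Group | ForEach-Object { "    claimed by {0}" -f $_.Dependent }
    }
```

Win32_PnPAllocatedResource only records the starting address of each claim, so the conflict check catches two devices claiming the same range but not two ranges that merely overlap; Device Manager’s own Conflicting Device List remains the authority for those. ConvertTo-Hex and ConvertFrom-Hex are the script equivalents of the Dec and Hex buttons: `[Convert]::ToString(1016, 16)` and `[Convert]::ToUInt64("03F8", 16)` are the two .NET calls underneath.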


Source of Information : For Dummies Windows Server 2008

Windows Server 2008 - Viewing broken devices

You may have noticed the device (Base System Device) with the odd-looking yellow triangle containing an exclamation mark. This device is broken. The yellow triangle tells you that the device isn’t functioning at all (rather than partially) for whatever reason. Whenever you open Device Manager, it shows you all broken devices automatically, by expanding the hierarchy to show these devices and displaying the little yellow icon. Another term for a device in this condition is banged out. Categories that have broken devices also display a special icon, a circle with a blue question mark.

The method you use to fix a broken device depends on the problem it has. Fortunately, Device Manager normally provides some kind of clue to the problem. To see this clue, right-click the device entry and choose Properties from the context menu. Select the General tab and you see a Properties dialog box.

Drivers are the most common problem you encounter, other than a device that has completely failed. When a device fails completely, you have to replace it and let Windows recognize the new device. Sometimes a device won’t even appear on the list. You installed it, but Windows simply doesn’t recognize it. When this problem occurs, make sure to verify that you installed the device correctly. A missed connector or a connector that isn’t firmly seated can cause all kinds of problems. If you’re certain that the device is installed correctly, choose Action -> Scan for Hardware Changes, and Windows checks for the new device.

To go along with the act of scanning for a device, sometimes uninstalling and then reinstalling a device can work wonders. Right-click the device and choose Uninstall from the context menu to remove its driver from the system. Reboot and Windows normally detects the device automatically. Make sure that you use the latest signed drivers to reinstall the device.

Other errors include resource conflicts or a device that simply isn’t receiving what it needs to work properly. Although manual resource configuration is rarely needed when working with newer versions of Windows, you may still have to do it.

When all else fails, you may have to disable a device to get the rest of your system working. Generally, this is a last-ditch effort because the device becomes completely unusable and Windows won’t scan for updates for you. It’s as though the device doesn’t exist on your system. Of course, you can always enable the device later when you discover a fix for the problem. To disable a device, right-click its entry and choose Disable from the context menu. When you want to re-enable the device, right-click its entry and choose Enable from the context menu.
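The yellow icon is a rendering of a numeric Configuration Manager error code that Windows keeps for every device, and that code is readable without opening Device Manager. The PowerShell below is an added example, not from the book: it lists every banged-out device, the code behind its icon, and whether the driver bound to it is signed, which covers the “use the latest signed drivers” advice above in one pass. It assumes an elevated PowerShell 2.0 or later session on the server; the code descriptions are the standard Device Manager messages for the handful of codes listed, and any other code is printed as a number.

```powershell
# Added example, not from the book. Lists the devices Device Manager "bangs out",
# the Configuration Manager error code behind the yellow icon, and whether the
# bound driver is signed. Assumptions: elevated PowerShell 2.0+ on the server;
# the texts below are the standard Device Manager messages for the listed codes.
$codeText = @{
    1  = "The device is not configured correctly"
    3  = "The driver may be corrupted, or the system is low on memory or other resources"
    10 = "The device cannot start"
    12 = "The device cannot find enough free resources that it can use"
    14 = "The device cannot work properly until you restart the computer"
    22 = "The device is disabled"
    24 = "The device is not present, is not working properly, or does not have all its drivers installed"
    28 = "The drivers for the device are not installed"
    31 = "Windows cannot load the drivers required for the device"
}

$drivers = Get-WmiObject Win32_PnPSignedDriver
$broken  = Get-WmiObject Win32_PnPEntity -Filter "ConfigManagerErrorCode <> 0"

if (-not $broken) { "No banged-out devices" }
foreach ($dev in $broken) {
    $code = [int]$dev.ConfigManagerErrorCode
    $why  = $codeText[$code]
    if (-not $why) { $why = "see the General tab in Device Manager" }
    $drv  = $drivers | Where-Object { $_.DeviceID -eq $dev.DeviceID } | Select-Object -First 1

    "{0}" -f $dev.Name
    "    Device ID : {0}" -f $dev.DeviceID
    "    Error     : code {0}, {1}" -f $code, $why
    if ($drv) {
        "    Driver    : {0} {1} (provider {2}, signed: {3})" -f $drv.InfName, $drv.DriverVersion, $drv.DriverProviderName, $drv.IsSigned
    } else {
        "    Driver    : none bound (code 28 means Windows found no matching INF)"
    }
    if ($code -eq 12) { "    Hint      : resource conflict; compare its I/O, IRQ and memory ranges with the other devices" }
    if ($code -eq 22) { "    Hint      : disabled on purpose? re-enable it from Device Manager (right-click, Enable)" }
}
```

A device with `IsSigned` false on a server is worth a second look regardless of its error code: an unsigned driver is the one thing in this list that runs in kernel mode without anyone having vouched for it. The rescan, uninstall and enable steps themselves stay in Device Manager; this script only tells you which devices need them.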

Source of Information : For Dummies Windows Server 2008

Window Server 2008 - Managing the Device Manager display

Many people use Device Manager in a single view. This view is quite convenient for finding a particular device quickly, which is why people use it often and the reason that Microsoft made this view the default. All the view options appear on the View menu. Device Manager includes these four views:

• Devices by Type: When using this view, Device Manager categorizes the devices on the system and places each device into a folder containing other devices of the same type. For example, the Disk Drives folder contains all hard drives and flash drives on the machine. However, CD and DVD drives appear in a separate DVD/CD-ROM Drives folder.

• Devices by Connection: Everything in the computer is connected in some way. The connections form a hierarchy, with the computer as a whole sitting at the top of the hierarchy. As you move down the hierarchy, you begin seeing support devices and, finally, devices such as hard drives. For example, your server may use the hierarchy to display the connectivity required to access the hard drive.

• Resources by Type: The resources provided by your computer come in four forms: memory, input/output (I/O) addresses, interrupt requests (IRQs), and direct memory access (DMA). The “Understanding resources” section of this chapter provides a complete discussion of resources. However, this view provides a listing of resources used by various devices and categorizes them by resource type.

• Resources by Connection: You may run into a situation where it appears that multiple devices have a resource conflict. All the devices appear to have problems, but you can’t discover the source of that problem. Viewing resources by connection helps you see the interaction between devices based on the resources they use. You may find that a device doesn’t work because a device that’s higher in the hierarchy doesn’t have the resources it requires. A single device misconfiguration can cause multiple device failures.

The views determine what you see. However, you can also choose what you see. Choose the View -> Customize command and you see the Customize View dialog box. Choosing options in this dialog box shows or hides the Device Manager features.

You can remove any of the toolbars or menus. If you remove everything, you end up with the File and Help menus. When you’re working in this view, it’s impossible to change the view and perform many other tasks. However, you can still perform many tasks by right-clicking the object you want to work with (such as a hard drive) and choosing the appropriate option from its context menu.

If you remove enough options, you find that the View menu disappears completely, which may leave you wondering how to get it back. When this problem occurs, right-click the title bar and choose Customize View from the context menu. You see the Customize View dialog box, where you can add the view features you need.

Source of Information : For Dummies Windows Server 2008

Windows Server 2008 - Scalability Improvements

You’ve probably heard the term scalability, but few people take the time to define it for themselves. In this book, scalability is the ability of a server to handle an additional load without significant performance degradation. When you add a second user, the server may slow a little, but not enough for anyone to notice. Adding three or more users also incurs a small, barely noticeable performance degradation. Even when a server is scalable, it eventually reaches a maximum load where it can’t handle even one more user. When every resource is used, albeit used as efficiently as possible, the server has reached a maximum load and can’t handle another user no matter how you might try to coax it. Many people feel that scalability is limitless. All scalability really does is make the server perform better across its load range — there isn’t any magic involved in the process. Of course, a scalable server can extend its load slightly because it uses resources more efficiently. Windows Server 2008 provides many levels of additional scalability over previous editions of Windows. The focus of this chapter is hardware, and you’ll find many scalability improvements in this area. You can categorize the improvements in three ways:

• Improved software support: Using drivers and support software that improves overall server performance also improves scalability. Every time Windows Server 2008 uses a resource more efficiently, the resource availability extends to users, processes, drivers, and other entities that need it. The new XML Paper Specification Driver (XPSDrv) is an example of improved software that provides a performance and scalability boost.

• Direct device participation: Many devices now include some level of intelligence. By leveraging that intelligence, Windows Server 2008 can offload part of the processing requirements to the device, which frees server resources for other uses. The new Web Services on Devices (WSD) functionality is an example of how Windows Server 2008 supports device participation.

• Direct client participation: Clients make many requests and then wait for the server to respond to them. While the client sits and idles, many of the processor cycles that it could use end up wasted. Providing ways for the client to participate in handling a particular request makes the server more scalable.

The amount of scalability that a server achieves often depends on the cooperation of these three elements. For example, the amount of processing burden that the server can offload to the client depends on the Page Description Language (PDL) that the print job uses and the content of the document itself. Some forms of PDL and content require a certain level of server participation. Printing a report that depends on content from a database using PostScript is far less likely to enhance scalability than a plain-text print job that relies solely on the content in Word.

The client also affects how scalable the server becomes. Microsoft’s technology appears to depend on communicating with a Vista client to achieve maximum scalability. Obviously, someone has to run tests, at some point, to demonstrate this reliance because Microsoft isn’t saying much (although its marketing literature often fails to mention Windows XP as a client). My own tests indicate that Windows Server 2008 prefers Vista as a client.

Windows Server 2008 also uses Remote Procedure Calls (RPCs) more efficiently. An RPC is a call from the client to the server for specific needs, such as the print spooler. By using RPC calls more efficiently and relying on fewer of them, Windows Server 2008 gets a scalability boost, especially in a medium to large company environment (where even small differences can mean a lot).

Source of Information : For Dummies Windows Server 2008

Windows Server 2008 - Understanding the Server Roles

The roles that you see defined for your server depend on which version of Windows Server 2008 you purchase. Advanced versions of the product include more roles. In addition, the GUI version of Windows Server 2008 provides more roles than does the Server Core version. The following sections describe the roles that come with the GUI version of Windows Server 2008 Enterprise Edition. The roles you see with your server setup may vary from this list.



Considering the Active Directory Certificate Services role
You install this role to create a new Certificate Authority (CA). A CA is a special server used to issue certificates, such as those used to sign applications, secure your e-mail, or identify a Web server to browsers. The certificate tells someone else who you are and helps them determine whether they can trust you. These certificates are the same kind you see when you go to a secure Web site. In fact, you can use this role to issue a certificate to your own Web server, making secure communications possible.

This role has limited functionality in the real world, but the functionality it provides is extremely important. Normally, the CA for public-facing services is a trusted third party, such as VeriSign, whose root certificate already ships in browsers and operating systems. A CA you create with this role has a self-signed root that only computers you control are configured to trust, so its certificates are good only in situations where the person seeing your certificate already trusts your CA: inside your own domain, where Group Policy can distribute the root certificate, in test setups of Internet Information Server (IIS), and for in-house applications. The certificate still verifies that it really is you and not someone posing as you, but only to those who trust the issuer. Using your own CA saves money and lets you preserve the third-party certificate you own for external, public use.



Considering the Active Directory Domain Services role
This role is the one that Windows Server 2008 installs when you promote the server to a domain controller. Active Directory is a special kind of database that holds all the settings for everything on your network. You find user, application, and system settings in this database. In addition to storing settings, Active Directory provides support for major applications such as Microsoft Exchange Server. The Domain Services portion of an Active Directory setup is essentially the Database Management System (DBMS) that provides access to the Active Directory database.

You can’t install this role by itself. Windows Server 2008 looks for a number of additional features. In addition, the setup for this role is more complicated than just about any other role you can install.



An overview of the Active Directory Federation Services role
One problem with modern networks is that the user has to remember so many logons. Every time the user wants to access another resource, it requires a logon of some sort. When you install Active Directory Domain Services (AD DS), users get single sign-on (SSO) within the forest: one domain logon acts as a key to every resource on the local network for which the user has the appropriate permissions. Using SSO makes working with the network considerably easier.

Unfortunately, the SSO that AD DS provides stops at the boundary of your forest. When a user reaches your Web applications from a partner organization or from outside the domain, every Web application requires a separate logon. The Active Directory Federation Services (AD FS) role extends SSO across that boundary: the user logs on once to an identity provider, and AD FS issues signed claims tokens that your Web applications accept in place of another logon, for every application the user has the proper credentials to use. Of course, not just local users require these services. You can also use this feature to make things easier for your business-to-business (B2B) relationships. The more complex the B2B relationship, the more sense it makes to install this role on your server.

Microsoft uses standardized technologies to provide AD FS support, in the form of the WS-* standards. A complete discussion of all these standards is outside the scope of this book. However, you can read about them, and see how they relate to each other, at http://www.ws-standards.com/.



Working with the Active Directory Lightweight Directory Services role
Most of the applications on your network don’t store their data in Active Directory. Only the large applications, such as Exchange Server, require extensive data storage in Active Directory. However, some applications fall between these two extremes of needing no directory at all and requiring the complete package. In this case, the application may need Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM). AD LDS is a stand-alone directory service that speaks the Lightweight Directory Access Protocol (LDAP). LDAP is a standardized technology that you find on many platforms, not just on Windows (the original specifications are at http://www.ietf.org/rfc/rfc1777.txt and http://www.faqs.org/rfcs/rfc1823.html; the current version, LDAPv3, is described in RFC 4510 through RFC 4519). It provides a standardized method of accessing directory information over TCP. Because AD LDS doesn’t depend on AD DS, you can run one or more instances, each with its own schema and partitions, without promoting your server to a domain controller. You can find a listing of LDAP resources at http://dir.yahoo.com/Computers_and_Internet/Communications_and_Networking/Protocols/LDAP__Lightweight_Directory_Access_Protocol_/.
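What an application does with an AD LDS instance is exactly what it would do with any LDAP server: bind and search. The PowerShell below is an added example, not from the book, that binds to an instance over LDAPS with Windows authentication and runs a search whose user-supplied part is escaped according to RFC 4515, so that a value typed into a form cannot rewrite the filter. Everything specific is hypothetical: the server name and port, the partition name, the presence of the `user` class (which an instance only has if MS-User.ldf was imported), and the caller’s right to bind.

```powershell
# Added example, not from the book. Binds to an AD LDS instance over LDAPS and runs
# a search, escaping the user-supplied value so it cannot rewrite the filter.
# Assumptions (all hypothetical): LDAPS on ldsserver:50001, application partition
# DC=app,DC=example,DC=com, MS-User.ldf imported so "user" objects exist, and the
# caller's Windows account is allowed to bind to the instance.
$Server     = "ldsserver:50001"
$BaseDN     = "DC=app,DC=example,DC=com"
$LookingFor = "Smith*)(objectClass=*"      # a deliberately hostile value, as if pasted into a form

# RFC 4515 escaping: the only safe way to put untrusted text into an LDAP filter
function ConvertTo-LdapFilterLiteral([string]$Text) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Text.ToCharArray()) {
        switch ($ch) {
            "\"     { [void]$sb.Append("\5c") }
            "*"     { [void]$sb.Append("\2a") }
            "("     { [void]$sb.Append("\28") }
            ")"     { [void]$sb.Append("\29") }
            "`0"    { [void]$sb.Append("\00") }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-Prop($Result, [string]$Name) { $Result.Properties[$Name] | Select-Object -First 1 }

# Secure = Windows (Negotiate) authentication, SecureSocketsLayer = LDAPS. Without
# either, a simple bind sends the password in clear text on the wire.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDN", $null, $null, $authType)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(&(objectClass=user)(cn=" + (ConvertTo-LdapFilterLiteral $LookingFor) + "))"
$searcher.SearchScope = "Subtree"
$searcher.SizeLimit   = 50
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "mail", "distinguishedName"))
"Filter sent to the server: " + $searcher.Filter

foreach ($result in $searcher.FindAll()) {
    "{0}  <{1}>  {2}" -f (Get-Prop $result "cn"), (Get-Prop $result "mail"), (Get-Prop $result "distinguishedName")
}
```

Without the escaping function, the hostile value above would turn the filter into `(&(objectClass=user)(cn=Smith*)(objectClass=*))`, which matches every user whose name starts with Smith; with it, the parentheses and asterisks become `\28`, `\29` and `\2a` and the server looks for that literal string, finding nothing. The same escaping applies whether the target is AD LDS, AD DS or any other LDAP server.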



Working with the Active Directory Rights Management Services role
The whole purpose of Active Directory Rights Management Services (AD RMS) is Digital Rights Management (DRM). The features that this role provides help you protect your data by checking the credentials of each user requesting data access. It doesn’t matter where the access occurs — the user must have proper rights to work with it. Using this role implies that you want to protect access to your data when that access occurs outside your network. Consequently, you must install the Web Server (IIS) role to use this role. In addition, the software requires access to a DBMS. Microsoft naturally suggests that you use SQL Server to provide the DBMS services. These three pieces of the software combine to let a document “call home” and verify that someone opening it has the required permissions. When a user doesn’t have the required permissions, the document doesn’t let the user see anything. hack, only to have someone else come along and hack it again. Generally speaking, the best way to keep a secret is not to tell anyone. When you have data that you must share, placing it on your Web server probably isn’t the best idea. Restricting access — not telling the secret — is always the best first line of defense at your disposal.



Working with the Application Server role
An application server is a special way of providing services to a client machine. The application executes partially on the server and partially on the client. Precisely how the application works depends on where the developer determines the particular piece of code works best. The Application Server role provides this functionality to Windows Server 2008 users. The following list provides additional resources you can use for this topic:
• Discover the Enterprise Service Bus (ESB) at http://www.microsoft.com/biztalk/solutions/soa/esb.mspx.
• See the Microsoft Enterprise Services Overview at http://www.microsoft.com/downloads/details.aspx?FamilyId=B4FF0934-2CF1-423B-B273-D482E60442BA.
• Discover .NET Framework 3.0 resources at http://www.microsoft.com/events/series/msdnnetframework3.aspx.
• Obtain an overview of the .NET Framework 3.0 at http://msdn2.microsoft.com/en-us/library/ms687307.aspx.



Considering the DHCP Server role
The Dynamic Host Configuration Protocol (DHCP) is a standard means for client computers to request an Internet Protocol (IP) address, and related settings such as the subnet mask, default gateway and DNS servers, from a server. You normally need just one such server for a small to medium-size network. Unlike DNS, DHCP is not a prerequisite for promoting your server to a domain controller, although it is the usual way to hand clients the address of the domain’s DNS servers. In an Active Directory domain, a Windows DHCP server must be authorized in the directory before it will lease addresses, which stops an unauthorized Windows DHCP server (started by accident on a test box, say) from handing out bad configuration; it does nothing against a rogue server running other software.



Considering the DNS Server role
The Domain Name System (DNS) is a standard means of converting human-readable names into IP addresses (and, through reverse lookup zones, IP addresses back into names). For example, when you want to access Microsoft’s main page, you type http://www.microsoft.com, not the IP address of the Microsoft Web site. The DNS server converts this human-readable name into the IP address. Active Directory clients and domain controllers also use DNS service (SRV) records to locate each other, so you must have a DNS server that supports SRV records, and ideally dynamic updates, available before you can promote your server to a domain controller; the promotion wizard offers to install this role for you if it finds none.



An overview of the Fax Server role
Installing the Fax Server role lets you use your server to send and receive faxes, if you have the required hardware and software installed. This role also requires that you install the Print Server role.



An overview of the File Services role
Installing the File Services role lets you share files on the network. This role is the one you always install on the server because a server isn’t much good if you can’t share files. Adding the File Services role provides basic file sharing only. File services haven’t changed much over the years. The first peer-to-peer network provided this basic functionality. However, file services have increased in functionality. You can install a number of role services to enhance the capability of this particular role. For example, Microsoft provides a role service that indexes content to make it easier and faster to find.



Considering the Network Policy and Access Services role
The name of this particular role is a bit misleading because it provides a lot more functionality than its name implies. In fact, installing this particular role provides the following services:
• Network Policy Server (NPS)
• Network Access Protection (NAP) Health Policy Server
• Secure Wireless Access (IEEE 802.11)
• Secure Wired Access (IEEE 802.3)
• Central Network Policy Management
• Remote Authentication Dial-In User Service (RADIUS) Server and Proxy
• Remote Access Service (RAS)
• Routing
• Health Registration Authority (HRA)
• Host Credential Authorization Protocol (HCAP)
• Tools Required to Manage All Access Services
The scope of this particular role is incredible. It provides many of the features that modern servers must provide for outside communication.



Considering the Print Services role
Providing print services is another common role for servers. At one time, printers were extremely expensive (and good printers still are), so issuing one to each user wasn’t cost effective. This role helps you manage all printers connected to the server and offers their use to any users with the required access.



Considering the Terminal Services role
Terminal Services offers remote connectivity to anyone who needs to work with the server directly. In many cases, this activity means using a light client or involves an administrator performing configuration tasks. The two most common ways to use Terminal Services are Remote Desktop and RemoteApp applications. Using Terminal Services offers many benefits, including reducing client costs and ensuring that applications remain updated. Of course, many issues arise from working with Terminal Services as well, such as increased server load.



Considering the UDDI Services role
The Universal Description, Discovery, and Integration (UDDI) service is the Microsoft method of making Web services and their associated applications easily accessible from the server. For the most part, you never install this role unless you have a custom application that relies on it.



Considering the Web Server (IIS) role
Web servers traditionally serve content over the Internet or an intranet. Users view the content by using a browser or a special application. Modern Web servers provide fully distributed application support in addition to dynamic and static content. IIS 7.0 is a completely new version of IIS with many changes that will surprise you if you haven’t worked with it yet. Book VII provides complete details on working with IIS 7.0.



Working with the Windows Deployment Services role
If you normally install Windows through your server, you need to install this role. The Windows Deployment Services lets a client log in to the server and install a complete copy of Windows without any interaction on the part of the user or administrator. Of course, you have to perform a number of configuration tasks to make this feature work. You can learn more about Windows Deployment Services at http://msdn2.microsoft.com/en-us/library/aa967394.aspx.



Working with the Windows SharePoint Services role
The SharePoint Services technology lets application users share data through the server. The application must provide the functionality required to work with SharePoint Services. For example, advanced versions of Office 2007 provide the functionality required to use SharePoint Services. Of course, before you can use SharePoint Services, you must have a server with the SharePoint Services role installed in order to provide the required connectivity, which is the only reason that you would install this role. You can learn more about SharePoint Services at http://www.microsoft.com/technet/windowsserver/sharepoint/default.mspx.
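Because every role you install widens what the server exposes, it pays to check which of the roles described above are actually present and whether the dependencies the text mentions (Fax needs Print Services, a domain controller needs DNS) are satisfied. The following PowerShell audit is an added example, not code from the book; it assumes the Server Manager module of Windows Server 2008 and uses the feature names as I recall them, so confirm them with Get-WindowsFeature on your own server.

```powershell
# Added example: audit installed Windows Server 2008 roles against the set
# this server is supposed to carry, and check the dependencies the text
# describes. Feature names are assumptions; verify with Get-WindowsFeature.
Import-Module ServerManager

# Roles this server is expected to provide (constructed sample list).
$expectedRoles = @('File-Services', 'Print-Services', 'DNS')

# Roles the text describes as rarely needed; worth a second look if present.
$rarelyNeeded = @('Fax', 'UDDI-Services', 'WDS')

# Roles covered in this section, plus AD DS for the DNS dependency check.
$roleNames = @('DNS', 'Fax', 'File-Services', 'NPAS', 'Print-Services',
               'Terminal-Services', 'UDDI-Services', 'Web-Server', 'WDS',
               'AD-Domain-Services')

# Build a name -> installed map, tolerating names that do not exist here.
$state = @{}
foreach ($name in $roleNames) {
    $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
    $state[$name] = ($feature -ne $null -and $feature.Installed)
}

# 1. Installed roles that are not on the expected list.
$installed = $roleNames | Where-Object { $state[$_] }
$unexpected = $installed | Where-Object { $expectedRoles -notcontains $_ }
foreach ($role in $unexpected) {
    $note = if ($rarelyNeeded -contains $role) { ' (rarely needed)' } else { '' }
    Write-Warning "Role '$role' is installed but not expected on this server$note"
}

# 2. Expected roles that are missing.
foreach ($role in $expectedRoles) {
    if (-not $state[$role]) { Write-Warning "Expected role '$role' is not installed" }
}

# 3. Dependencies called out in the text.
if ($state['Fax'] -and -not $state['Print-Services']) {
    Write-Warning 'Fax Server role is installed without the Print Services role it requires'
}
if ($state['AD-Domain-Services'] -and -not $state['DNS']) {
    Write-Warning 'AD DS is installed but no DNS Server role is present on this server'
}

# Summary for the change record; removal is left as a deliberate manual step.
"Installed roles: " + ($installed -join ', ')
```

Run it from an elevated PowerShell session; it only reads state and prints warnings, so removing a surplus role with Remove-WindowsFeature remains a separate, reviewed decision.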

Source of Information : For Dummies Windows Server 2008

The many complications and risks of tape

Magnetic tape technology was adopted for backup many years ago because it met most of the physical storage requirements, primarily by being ...