PKI Enhancements in Windows Server 2008

Windows Server 2008 introduces many new enhancements that allow for a more easily implemented PKI solution and, believe it or not, the development of such solutions. Some of these improvements extend to the clients, such as the Windows Vista operating system. Overall, these improvements have increased the manageability throughout Windows PKI. For example, the revocations services have been redesigned, and the attack surface for enrollment has decreased. The following list items include the major highlights:

• Enterprise PKI (PKIView). PKIView is a Microsoft Management Console (MMC) snap-in for Windows Server 2008. It can be used to monitor and analyze the health of the certificate authorities and to view details for each certificate authority certificate published in Active Directory Certificate Servers.

• Web Enrollment. Introduced in Windows Server 2000, the new Web enrollment control is more secure and makes the use of scripts much easier. It is also easier to update than previous versions.

• Network Device Enrollment Service (NDES). In Windows Server 2008, this service represents Microsoft’s implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices, such as routers and switches that cannot otherwise be authenticated on the network, to enroll for x.509 certificates from a certificate authority.

• Online Certificate Status Protocol (OCSP). In cases where conventional CRLs (Certificate Revocation Lists) are not an optimal solution, Online Responders can be configured on a single computer or in an Online Responder Array to manage and distribute revocation status information.

• Group Policy and PKI. New certificate settings in Group Policy now enable administrators to manage certificate settings from a central location for all the computers in the domain.

• Cryptography Next Generation. Leveraging the U.S. government’s Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing, Cryptography Next Generation (CNG) offers a flexible development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol Security (IPSec).

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

No comments:

The inefficiencies and risks of backup processes

If cloud storage had existed decades ago, it’s unlikely that the industry would have developed the backup processes that are commonly used ...