IIAMWAD-Implementing Identity and Access Management in Windows Server Active Directory

3.5 Request-Install basic EFS certificate HTTPS Web enroll Windows Server 2008 Enterprise Sub Policy CA

We have invested a lot of effort in the AD CS PKI model setup and its best practices so that we can now sleep soundly. The most important of those practices is HTTPS for Web Enrollment, covered in the previous episode on Configuring Active Directory Certificate Services Certificates. Today we use that PKI to implement EFS, which protects data from breach, destruction and the like, and therefore needs a trustworthy (unforgeable) way of obtaining certificates.

By default, data on NTFS volumes and network shares is protected only by access control lists, which grant other logical or real users anything from read-only to full control; and once a drive is detached from its host OS, NTFS permissions give no protection at all, because whoever mounts the disk can take ownership or read the sectors directly.

EFS ensures that only authorized users can read the data: the file's encryption key is wrapped to the EFS certificate of every user added to the file, plus any Data Recovery Agent defined by policy, so nobody else can decrypt it even with physical access to the disk.

We approach AD CS from an administrator's standpoint, so theory and guidelines are included to make sure the advantages are realized and the weaknesses eliminated.

Furthermore, the user-facing side of PKI is quite simple to deploy, and detailed step-by-step articles are available through the links.

[00:18] "Step by Step : Encrypting User Data with EFS in Windows Server 2012 R2" – mizitechinfo.wordpress.com


https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/

[00:21] Remember that, behind this browser-based Web Enrollment application, both the Certificates snap-in and the Web Enrollment pages are only "wrappers" around the policy defined by the CAs (or by a separate Policy CA).

For instance, which certificate templates (CTs) are offered here is determined by the enrollment policy the client obtains from Active Directory.

[00:29] The EFS certificate request is made as an "advanced certificate request" from the Request a Certificate page.


Advanced Certificate Request

The policy of the CA determines the types of certificates you can request. Click one of the following options to:

Create and submit a request to this CA

Submit a certificate request using a base-64-encoded CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS #7 file.


[00:34] "Submit an Advanced Certificate Request over the Web" – technet.microsoft.com


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772158(v=ws.11)

[00:36] Web Access Confirmation

This dialog comes from the enrollment ActiveX control, which asks before it generates a key and submits a request on behalf of the site:

"This Web site is attempting to perform a digital certificate operation on your behalf: https://snoopy-server-2/certsrv/certrqma.asp. You should only allow known Web sites to perform digital certificate operations on your behalf. Do you want to allow this operation?"

Only allow this when the URL is the HTTPS address of your own CA's Web Enrollment server; any other page showing the same prompt could otherwise have a key generated and a request submitted in your name.


With the ability to tweak Key Options (CSP, key size, exportability, strong private key protection), the Request Format and the Hash Algorithm, this form is meant for skilled users. Note that the defaults it offers, a 1024-bit RSA key and SHA-1, are below today's minimum; choose 2048 bits and SHA-256 wherever the CA and template allow it.

The Save request option exists for submitting the request to a standalone CA later; against our Enterprise CA it is unnecessary, and the certificate template may override the tweaks anyway.

Certificate Template: User

Key Options:
  Create new key set / Use existing key set
  CSP: Microsoft Enhanced Cryptographic Provider v1.0
  Key Usage: Exchange
  Key Size: 1024
  Automatic key container name / User specified key container name
  Mark keys as exportable
  Enable strong private key protection

Additional Options:
  Request Format: CMC / PKCS10
  Hash Algorithm: sha1
  Only used to sign request
  Save request

Thanks to the Enterprise CA in our PKI model, the AD-integrated request needs no further input from the user: the user was already authenticated at domain logon (Web Enrollment runs with Windows authentication), and for the User template the subject is built from the Active Directory account rather than typed in, so the impersonation risk mentioned earlier is minimized. The caveat is that this holds only for templates that build the subject from AD; a template that lets the requester supply the subject in the request hands the identity back to the requester and must be restricted to trusted enrollees.

[00:57] "Certification Authority Web Enrollment Guidance" – technet.microsoft.com


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831649(v=ws.11)

Give the request a memorable Friendly Name so you can identify the certificate later; Web Enrollment then shows "Generating request", "Waiting for server response" and, because the User template issues without manager approval, "The certificate you requested was issued to you" automatically.

[01:15] Keep in mind that EFS certificates are issued to user identities, so the Certificates snap-in must be opened for the Current User (certmgr.msc) to see the certificate in the Personal store, with its Issued By, Expiration Date and Intended Purposes columns.

(An administrator audits which certificates domain users hold from the CA side, in the Certification Authority console's Issued Certificates view or with certutil -view; the Certificates snap-in can target another computer's store, but not another user's.)

[01:19] Install this certificate.


Your new certificate has been successfully installed.
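The same enrollment done from the command line, as an added example that is not part of the original page or the video: certreq.exe builds the request from an INF file, submits it to the Enterprise CA with the caller's Windows credentials, installs the result, and a final check confirms the certificate sits in the Current User store with its private key and the EFS EKU. The CA config string, the template name "User" and the working folder are assumptions.

```powershell
# Added example, not from the original page. Assumptions: the Enterprise CA is
# reachable with the config string below (CA common name assumed), the template
# is named "User", and the logged-on domain user has Enroll permission on it.
$CaConfig = 'snoopy-server-2\Snoopy Sub CA'   # <CA host>\<CA common name> - assumed
$Template = 'User'
$Work     = Join-Path $env:TEMP 'efs-enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request parameters. Web Enrollment defaults to a 1024-bit key and SHA-1;
#    ask for 2048-bit RSA and SHA-256 instead. On an Enterprise CA the template
#    still decides EKU, validity and, for "User", the subject, which is built from
#    Active Directory and overrides the Subject line below. The key is exportable
#    so the user can back it up with cipher /X; a lost key means lost data unless
#    a Data Recovery Agent exists.
$Inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
FriendlyName = "EFS - $env:USERNAME"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path (Join-Path $Work 'efs.inf') -Value $Inf -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request in the current user's key store
certreq.exe -new (Join-Path $Work 'efs.inf') (Join-Path $Work 'efs.req')

# 3. Submit to the Enterprise CA. The request is authenticated with the caller's
#    domain logon, so no identity is typed in; with auto-issue on the template the
#    certificate comes straight back.
certreq.exe -submit -config $CaConfig (Join-Path $Work 'efs.req') (Join-Path $Work 'efs.cer')

# 4. Install the issued certificate and bind it to its private key
#    (on Windows 8 / Server 2012 and later, steps 1-4 collapse into
#    Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My)
certreq.exe -accept (Join-Path $Work 'efs.cer')

# 5. Verify: the certificate must be in the Current User Personal store, have its
#    private key, and carry the EFS EKU (OID 1.3.6.1.4.1.311.10.3.4).
$EfsOid = '1.3.6.1.4.1.311.10.3.4'
function Test-EfsEku ([Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $EfsOid) { return $true } }
        }
    }
    return $false
}
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and (Test-EfsEku $_) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
$efsCert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint, SerialNumber

# 6. Make sure it chains through the Sub/Policy CA to our Root and is not revoked
if (-not $efsCert.Verify()) { throw 'EFS certificate does not chain to a trusted root or is revoked' }
```

Step 6 is the check the Web Enrollment page never shows you: a certificate that installs fine but whose chain or CRL cannot be validated will still let you encrypt, and the problem only surfaces when a second user or a recovery agent tries to open the file.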

Using EFS then requires nothing but a few clicks on the objects to protect: folders, files, or files on network shares (for shares, the file server must be trusted for delegation, and the file is encrypted on the server, not on the wire).

EFS demands little effort from users while playing a major role in protecting the company's data, which makes it a great demonstration of PKI.
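The point-and-click steps above, done from the command line with cipher.exe, as an added example that is not part of the original page: it encrypts a folder, checks the attribute on each file, lists who can decrypt a file, shares it with a second user and backs up the user's own EFS key. The folder path, the sample file and the colleague's account are assumptions.

```powershell
# Added example, not from the original page: command-line equivalent of the
# point-and-click EFS steps. Folder, sample content and the peer account are
# assumptions for illustration.
$Folder = Join-Path $env:USERPROFILE 'Documents\Confidential'   # assumed location
$File   = Join-Path $Folder 'plan.txt'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path $File -Value 'constructed sample content'

# 1. Encrypt the folder (new files created in it inherit the attribute) and
#    everything already inside it: /S recurses, /A includes existing files
cipher.exe /E /S:"$Folder" /A

# 2. Confirm the Encrypted attribute on every file in the tree
Get-ChildItem -Path $Folder -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object FullName,
        @{ Name = 'Encrypted'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted) } }

# 3. Who can decrypt? /C prints the users whose certificates are in the file's
#    Data Decryption Field and the Data Recovery Agents taken from policy
cipher.exe /C $File

# 4. Share the file with a colleague. Their EFS certificate must be resolvable,
#    i.e. published on their AD user object or present in your Other People store.
#    (Removal is by thumbprint: cipher /REMOVEUSER /CERTHASH:<hash> <file>.)
$Peer = 'SNOOPY\jdoe'   # assumed domain account
cipher.exe /ADDUSER /USER:$Peer $File
cipher.exe /C $File     # the colleague's certificate now appears in the list

# 5. Back up your own EFS certificate and private key to a password-protected
#    PFX. Without this backup (or a DRA) a lost profile means lost data.
cipher.exe /X (Join-Path $env:USERPROFILE 'efs-backup')   # writes efs-backup.pfx, prompts for a password
```

Step 3 is worth running before and after step 4: the /C listing is the ground truth for who can open a file, independent of the NTFS ACL, and it is also where a Data Recovery Agent shows up once policy has delivered one.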

[01:27] "Help Secure your Business Information using Encrypting File System" – blogs.technet.microsoft.com


https://techcommunity.microsoft.com/t5/Windows-Server-Essentials-and/bg-p/SBS/2010/03/09/help-secure-your-business-information-using-encrypting-file-system/

In the very first episodes of this series we saw the benefits of a hierarchical PKI with designated layers of CAs (Root, Policy, Subordinate): flexibility, manageability, auditability, as well as security.

The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI, the processes that validate the identity of certificate holders, and the processes that enforce the procedures that manage certificates. A policy CA issues certificates only to other CAs. The CAs that receive these certificates must uphold and enforce the policies that the policy CA defined.

[01:32] "What is the role of a Policy CA" – social.technet.microsoft.com


http://bit.ly/what-role-policy-CA-TN

[01:34] Specifically, a Domain Admin uses Group Policy to tell clients which certificate enrollment policy servers to consult (the Active Directory enrollment policy, or Certificate Enrollment Policy Web Service endpoints), separately for user and computer configuration, and which one is the default; the Policy CA itself is defined in the CA hierarchy, not in the GPO.


[01:36] "Manage Certificate Enrollment Policy by Using Group Policy" – technet.microsoft.com


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851772(v=ws.11)

Back on the client side, an EFS deployment rests on two guidelines: designate a Data Recovery Agent before anyone starts encrypting, and enforce the EFS settings through GPO.
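The Data Recovery Agent guideline carried out, as an added example that is not part of the original page: cipher.exe generates the recovery agent key pair, the public certificate goes into Group Policy, and existing encrypted files are updated so the agent can recover them. The output name and the verification path are assumptions; the GPO import itself is a Group Policy Management Editor step, not a command.

```powershell
# Added example, not from the original page: preparing a Data Recovery Agent
# before users start encrypting. The key pair name and the file path checked at
# the end are assumptions.
$DraName = 'EFS-DRA'   # assumed name for the recovery agent key pair

# 1. Generate the DRA key pair. cipher.exe prompts for a password and writes
#    EFS-DRA.cer (the public certificate, which goes into policy) and EFS-DRA.pfx
#    (the private key, which must be kept offline, on a smart card or in a safe,
#    never on a domain controller or a file server).
cipher.exe /R:$DraName

# 2. Publish the DRA through Group Policy (GUI step):
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Encrypting File System > Add Data Recovery Agent...
#    and import EFS-DRA.cer. Then refresh policy on the clients:
gpupdate.exe /target:computer /force

# 3. Files encrypted before the DRA existed do not pick it up by themselves;
#    each user runs /U once. /U /N only reports which files would be touched.
cipher.exe /U /N
cipher.exe /U

# 4. Verify that the DRA now appears in a file's recovery field
cipher.exe /C (Join-Path $env:USERPROFILE 'Documents\Confidential\plan.txt')   # assumed path
```

The order matters: a DRA added after users have encrypted files protects only files that have been rewritten (step 3) since the policy arrived, which is why the page lists the DRA as a prerequisite rather than an afterthought.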

Finally, nowadays EFS should be implemented across company campuses, so check out my next video on certificate auto-enrollment, the mandatory step to make that happen :"3
