- Maximizing Certificate Services Implementations
- Securing Certificate Services
- Getting the Most Out of Smartcards
- Tips and Tricks for Securing Access to the Network
- Creating a Single Sign-on Environment
- Securing Access to Web Servers and Services
- Protecting Certificate-based Services from Disaster
- Integrating Smartcards with Personal Devices
Securing Certificate Services
A standalone or enterprise root CA holds the private key of the company's root certificate, the trust anchor for every certificate the PKI issues. Anyone who obtains that key can mint certificates that every relying party in the company trusts, so its compromise undermines every smartcard logon, web server, and service the PKI secures.
Physical security and data security of the CA servers are therefore both core parts of the administrator's role.
Locking Down Servers
Microsoft publishes well-defined baseline security guidance for locking down the operating system, IIS (which hosts the certificate web enrollment pages), and administrative access; apply it to every CA server.
Rename the built-in Administrator and Guest accounts, and use a different name on each server. Treat renaming as defense in depth rather than a control in itself: the built-in Administrator keeps its well-known relative identifier (RID 500) whatever it is called, so an attacker who can enumerate local accounts by SID still finds it. Give it a strong, unique password on each server, and disable Guest outright.
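The check a practitioner would want for the account guidance above is one that keys on the well-known RIDs rather than on names, since the name is exactly what changes. The following PowerShell is an added example, not code from the original text; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later) and the replacement account names it builds from the computer name are illustrative choices.

```powershell
# Added example: audit and harden the built-in Administrator (RID 500) and
# Guest (RID 501) accounts on a CA server, locating them by SID, not by name.
# Assumes Microsoft.PowerShell.LocalAccounts (Windows Server 2016+).
# The replacement names are assumptions; pick a unique one per server.

function Get-BuiltInAccountStatus {
    # Renaming never changes the RID, which is why this audit (and an attacker)
    # can find the real Administrator account regardless of what it is called.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } | ForEach-Object {
        [pscustomobject]@{
            Rid           = [int]($_.SID.Value -replace '.*-', '')
            Name          = $_.Name
            Enabled       = $_.Enabled
            IsDefaultName = ($_.Name -in @('Administrator', 'Guest'))
        }
    }
}

function Set-BuiltInAccountHardening {
    param(
        # Must differ from server to server; do not reuse one name everywhere.
        [Parameter(Mandatory)][string] $NewAdminName,
        [string] $NewGuestName = 'unused-' + $env:COMPUTERNAME.ToLower()
    )
    foreach ($acct in Get-BuiltInAccountStatus) {
        switch ($acct.Rid) {
            500 {
                if ($acct.Name -ne $NewAdminName) {
                    Rename-LocalUser -Name $acct.Name -NewName $NewAdminName
                }
            }
            501 {
                if ($acct.Name -ne $NewGuestName) {
                    Rename-LocalUser -Name $acct.Name -NewName $NewGuestName
                }
                # Guest has no role on a CA; renaming is not enough, disable it.
                Disable-LocalUser -Name $NewGuestName
            }
        }
    }
    # Return the post-change state so the caller can record it.
    Get-BuiltInAccountStatus
}

# Usage (run elevated on the CA server):
#   Get-BuiltInAccountStatus
#   Set-BuiltInAccountHardening -NewAdminName ('ca-admin-' + $env:COMPUTERNAME.ToLower())
```

Run the audit function first and keep its output with the server's build record; if it reports IsDefaultName as True for RID 500 on any CA, that server has not had the baseline applied. At domain scale the same renaming is normally pushed through the Group Policy settings "Accounts: Rename administrator account" and "Accounts: Rename guest account" rather than per server.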
Separating Server Roles
Placing more than one role on a server makes an attacker's job easier: a single compromise then exposes several tiers of the company's PKI at once. Certificate Services storage and enrollment can be separated, and the following tiers can each be placed on a physically separate server. The root CA in particular should be kept offline and powered on only to issue or renew subordinate CA certificates and to publish its CRL:
- Root CA Server
- Root Subordinates (Intermediate CA)
- Issuing CA Server
- Certificate Storage in Active Directory
Assigning Administrative Roles
Administrators need to work with senior executives to define the roles that will be assigned to personnel within the company when it comes to managing the PKI and smartcard system.
The persons entrusted with issuing smartcards within an organization are known as enrollment agents. Technically, an enrollment agent holds a certificate issued from the Enrollment Agent template (its extended key usage is Certificate Request Agent), which lets the holder submit and sign smartcard certificate requests on behalf of other users. Enrollment agents are typically members of the help desk, IT security, or company security staff. In locations where none of these personnel is readily available, another trusted individual such as that location's supervisor or manager can be the enrollment agent.
Delegating the authority to issue smartcards has administrative as well as security benefits. Some of those benefits are listed here:
- Administrators can delegate this time-consuming process.
- Enrollment agents process all certificate and smartcard requests.
- Smartcard users can be stepped through the enrollment process.
There are also some disadvantages to delegating smartcard enrollment. Here are several points to consider:
- The trustworthiness of the enrollment agent could come into question. Unless the CA restricts it (newer CAs, Windows Server 2008 Enterprise and later, can limit each agent to specific templates and specific users or groups), an agent certificate can enroll a smartcard on behalf of any user, including administrators, so agents must be treated as privileged accounts and their certificates revoked when they leave the role.
- Overcoming these concerns could require more personnel resources.
- Remote locations might not have an enrollment agent available full-time.
- An agent can perform only a limited number of smartcard enrollments per work day.
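Both the description of enrollment agents and the trustworthiness concern above come down to one recurring check: who actually holds Enrollment Agent certificates, compared with who is supposed to. The PowerShell below is an added example, not code from the original text. It assumes the CA database has been exported with certutil as shown in the comment (the CA name, the column set and the sample records are constructed for illustration), and it flags holders who are not on the approved roster and roster members whose certificates have expired.

```powershell
# Added example: reconcile Enrollment Agent certificates issued by a CA against
# the approved roster of enrollment agents.
# In production, feed this function the CA database export, for example:
#   certutil -config "CA01\Contoso Issuing CA" -view `
#     -restrict "CertificateTemplate=EnrollmentAgent,Disposition=20" `
#     -out "RequestID,RequesterName,NotAfter" csv
# The CA name, roster and sample records below are assumptions for illustration.

function Get-EnrollmentAgentFindings {
    param(
        # Objects with RequestID, RequesterName and NotAfter properties.
        [Parameter(Mandatory)][object[]] $IssuedCertificates,
        # Approved agents as DOMAIN\user, matching the CA's RequesterName column.
        [Parameter(Mandatory)][string[]] $ApprovedAgents,
        [datetime] $Now = (Get-Date)
    )
    $approved = $ApprovedAgents | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($cert in $IssuedCertificates) {
        $who    = $cert.RequesterName.ToLowerInvariant()
        $expiry = [datetime]$cert.NotAfter
        # An unlisted holder is the serious case: that certificate can enroll
        # smartcards for other users, so it should be revoked and investigated.
        $finding = if ($who -notin $approved) { 'NOT ON ROSTER: revoke and investigate' }
                   elseif ($expiry -lt $Now)  { 'expired: re-enroll or remove from roster' }
                   else                       { 'ok' }
        [pscustomobject]@{
            RequestID     = $cert.RequestID
            RequesterName = $cert.RequesterName
            NotAfter      = $expiry
            Finding       = $finding
        }
    }
}

# Constructed sample records in the shape of the certutil export above.
$sample = @(
    [pscustomobject]@{ RequestID = 1042; RequesterName = 'CONTOSO\hd.alice'; NotAfter = '2025-06-30' },
    [pscustomobject]@{ RequestID = 1077; RequesterName = 'CONTOSO\sec.bob';  NotAfter = '2023-01-15' },
    [pscustomobject]@{ RequestID = 1101; RequesterName = 'CONTOSO\jdoe';     NotAfter = '2025-09-01' }
)
$roster = 'CONTOSO\hd.alice', 'CONTOSO\sec.bob'

Get-EnrollmentAgentFindings -IssuedCertificates $sample -ApprovedAgents $roster -Now (Get-Date '2024-03-01') |
    Format-Table -AutoSize
```

With the sample data, hd.alice is reported as ok, sec.bob as expired, and jdoe, who is not on the roster, as a certificate to revoke and investigate. Run the reconciliation on a schedule and whenever someone leaves an enrollment agent role; the roster itself is the record agreed with management under "Assigning Administrative Roles" above.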