Microsoft Downloads: Public Key Infrastructure at Microsoft

Microsoft IT installed a public key infrastructure to implement a security-enhanced communications and remote authentication infrastructure. This enabled the use of S/MIME signatures and encryption, helped secure Web connections by using Secure Sockets Layer or Transport Layer Security, helped ensure the confidentiality of stored data by using Encrypting File System, helped ensure the confidentiality and integrity of transmitted data by using IPsec, and enabled strong network user authentication by using smart cards.

Executive Summary

Many of the techniques and products available to help secure an enterprise network rely on some form of cryptography. A public key infrastructure (PKI) provides the certificates used by each party involved in a cryptographically secured electronic transaction. To help secure the Microsoft corporate network and certify its software, Microsoft Information Technology (Microsoft IT) needed to implement several initiatives that required cryptographic techniques. Today, these initiatives include:

· Certificate-based 802.1X wireless authentication.

· Smart cards for two-factor remote access authentication.

· Secure Multipurpose Internet Mail Extensions (S/MIME) for digitally signing and encrypting email.

· Encrypting File System (EFS) for file and folder encryption.

· Internet Protocol security (IPsec) for the security of network transactions.

· Secure Sockets Layer (SSL) for the security of web connections.

· Network Access Protection (NAP) for enforcing system health.

These initiatives required the presence of an enterprise-wide PKI to provide public key–based security services.

Running its own certification authorities (CAs) rather than using commercial, non-Microsoft services enabled Microsoft IT to more securely manage the infrastructure and reduce the costs associated with issuing certificates and managing an external CA relationship. Implementing an enterprise PKI enabled Microsoft IT to better secure its network-based communications.

Microsoft IT's easy-to-manage, standards-based, scalable PKI solution resulted in a method to exchange sensitive data, compatibility with other Microsoft applications, and lower infrastructure costs.

This white paper describes the production deployment and use of the PKI features available in the Windows Server 2008 and Windows Server 2008 R2 operating systems. This white paper also offers lessons learned and best practices, and it includes a discussion on the future directions of the technology at Microsoft. It assumes that readers are technical decision makers and are already familiar with the fundamentals of public key cryptography systems, the benefits that such systems offer, and the components required to implement those systems. Links to additional sources of information about PKI are available in the "For More Information" section at the end of this paper.

Complete paper DOWNLOAD HERE