Deploying PKI

Recently I decided to spend some time to implement some new technologies in my environment at home. The environment itself is a mixture between test and production. If you are reading this post on www.halbheer.info/security, you are already accessing this environment. So, I host my web server, mail server etc. there, all our private mails are received there but I am still trying to deploy beta-technology as I want to understand the challenges you all will go through when you run these products in your production environment – being well aware that 8 or 9 servers and a few clients is by far not comparable with what you do out there.

Now, I decided to write a few blog post about how I integrated our technology as I wanted to prepare the environment for the active protection technologies being part of our next generation of the Forefront suite called Stirling as well as some other cool stuff we recently released (like NAP) but I never had actively in my hands. I decided to share some of the experiences and challenges with you as I went through this (it was a lot of fun for me).

Let’s start with PKI first – which I deployed a few years ago already. Even though I know that there are quite some companies that are still refraining from deploying PKI, I am definitely convinced that over short- or mid-term there is no way around it. Certificates and the authentication linked to it is already all across an infrastructure. So, let’s start there.

Before I joined Microsoft, I was working at PricewaterhouseCoopers running PKI projects mainly with regards to policy development, processes and organizational concepts. These projects (not only our part but including the software licenses) tended to be huge and very time- and money-intense. One of the reasons for that was, that it was far away from being commodity. Believe me or not but back then (this was around the year 2000) I was saying the PKI cannot take off before Microsoft integrates it into the client.

I then moved to Microsoft and we released XP with already a pretty good PKI integration, especially when we added the Windows Server 2003 PKI. However, there was a downside: Too many customers just went through the wizard and installed a PKI – and generated a problem. Even though today I am convinced that you need not these thick books of paper before (I am not paid by the number of pages I write ) you need to do some planning. Especially you have to make sure you understand the application of the PKI before you deploy it as well as the assets you are protecting. This means planning, this means concepts, this means experience.

There are actually some pretty good papers on our website which can help you there:

• Designing a Public Key Infrastructure
• Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
• Windows Server 2003 PKI Operations Guide
• Troubleshooting PKI Problems on Windows Vista

These documents help you to understand, which decisions you need to take before you start to deploy. Decisions, such as (not complete):

• Enrollment processes
• Protection of the different private keys
• Certificate Lifecycles (yes, there are different validity periods and they will depend on each other)
• Revocation and distribution of the revocation information
• etc.

So, I took it pretty straight-forward: I decided that I needed a PKI for various purposes but definitely no high-trust certificates (I did not have a HSM – a hardware device for the protection of the CA’s private key – anyway). So I looked into naming of the PKI, lifetime of the root cert etc. and then went for it.

So, I installed initially a Root CA, which directly issues certificates for machines and websites. I even put it on a DC. The reason for that was two-fold:

1. I definitely did not need higher security for my CA than the security level of the DC
2. I did not have more server available

Well, honestly, I started to deploy certs and later on re-started again… I stupidly named my PKI “Root” and became the joke of my friends at Microsoft. When you looked at my “Trusted Certification Authorities” on any of my computers, there was one "called “Root”, which is really descriptive . So, I wanted to get rid of this problem and re-installed the stuff (which you probably do not want to do – therefore think first not like me). I even have the root cert publically available as I need it from time to time outside my infrastructure as I am hosting my parent’s mail as well and I want not that they get a warning box if they access my SMTPS or POPS servers. It is on https://www.halbheer.info/Transfer%20Documents/Technical%20Documents/halbheerroot.zip and is called Halbheer Root today.

This deployment allowed me then to go for Domain Isolation with IPSec and in parallel Network Access Protection. I will talk more about this, once I touched briefly on the theme of monitoring.

Roger