Your network contains a standalone root certification authority (CA). You have a server named
Server1 that runs Windows Server 2008 R2. You issue a server certificate to Server1. You deploy
Secure Socket Tunneling Protocol (SSTP) on Server1. You need to recommend a solution that allows
external partner computers to access internal network resources by using SSTP. What should you
recommend?
A. Enable Network Access Protection (NAP) on the network.
B. Deploy the Root CA certificate to the external computers.
C. Implement the Remote Desktop Connection Broker role service.
D. Configure the firewall to allow inbound traffic on TCP Port 1723.
Explanation:
Lesson 1: Configuring Active Directory Certificate Services
Certificate Authorities are becoming as integral to an organization’s network infrastructure as
domain controllers, DNS, and DHCP servers. You should spend at least as much time planning the
deployment of Certificate Services in your organization’s Active Directory environment as you spend
planning the deployment of these other infrastructure servers. In this lesson, you will learn how
certificate templates impact the issuance of digital certificates, how to configure certificates to be
automatically assigned to users, and how to configure supporting technologies such as Online
Responders and credential roaming. Learning how to use these technologies will smooth the
integration of certificates into your organization’s Windows Server 2008 environment.
After this lesson, you will be able to:
■ Install and manage Active Directory Certificate Services.
■ Configure autoenrollment for certificates.
■ Configure credential roaming.
■ Configure an Online Responder for Certificate Services.
Estimated lesson time: 40 minutes
Types of Certificate Authority
When planning the deployment of Certificate Services in your network environment, you must
decide which type of Certificate Authority best meets your organizational requirements. There are
four types of Certificate Authority (CA):
■ Enterprise Root
■ Enterprise Subordinate
■ Standalone Root
■ Standalone Subordinate
The type of CA you deploy depends on how certificates will be used in your environment and the
state of the existing environment. You have to choose between an Enterprise or a Standalone CA
during the installation of the Certificate Services role, as shown in Figure 10-1. You cannot switch
between any of the CA types after the CA has been deployed.
Figure 10-1 Selecting an Enterprise or Standalone CA
Enterprise CAs require access to Active Directory. This type of CA uses Group Policy to propagate the
certificate trust lists to users and computers throughout the domain and publish certificate
revocation lists to Active Directory. Enterprise CAs issue certificates from certificate templates,
which allow the following functionality:
■ Enterprise CAs enforce credential checks on users during the certificate enrollment process. Each
certificate template has a set of security permissions that determine whether a particular user is
authorized to receive certificates generated from that template.
■ Certificate names are automatically generated from information stored within Active Directory.
The method by which this is done is determined by certificate template configuration.
■ Autoenrollment can be used to issue certificates from Enterprise CAs, vastly simplifying the
certificate distribution process. Autoenrollment is configured through applying certificate template
permissions.
In essence, Enterprise CAs are fully integrated into a Windows Server 2008 environment. This type of
CA makes the issuing and management of certificates for Active Directory clients as simple as
possible.
Standalone CAs do not require Active Directory. When certificate requests are submitted to
Standalone CAs, the requestor must provide all relevant identifying information and manually
specify the type of certificate needed. This process occurs automatically with an Enterprise CA. By
default, Standalone CA requests require administrator approval. Administrator intervention is
necessary because there is no automated method of verifying a requestor’s credentials. Standalone
CAs do not use certificate templates, limiting the ability for administrators to customize certificates
for specific organizational needs.
You can deploy Standalone CAs on computers that are members of the domain. When installed by a
user that is a member of the Domain Admins group, or one who has been delegated similar rights,
the Standalone CA’s information will be added to the Trusted Root Certificate Authorities certificate
store for all users and computers in the domain. The CA will also be able to publish its certificate
revocation list to Active Directory.
Whether you install a Root or Subordinate CA depends on whether there is an existing certificate
infrastructure.
Root CAs are the most trusted type of CA in an organization’s public key infrastructure (PKI)
hierarchy. Root CAs sit at the top of the hierarchy as the ultimate point of trust and hence must be
as secure as possible. In many environments, a Root CA is only used to issue signing certificates to
Subordinate CAs. When not used for this purpose, Root CAs are kept offline in secure environments
as a method of reducing the chance that they might be compromised.
If a Root CA is compromised, all certificates within an organization’s PKI infrastructure should be
considered compromised. Digital certificates are ultimately statements of trust. If you cannot trust
the ultimate authority from which that trust is derived, it follows that you should not trust any of the
certificates downstream from that ultimate authority.
Subordinate CAs are the network infrastructure servers that you should deploy to issue the everyday
certificates needed by computers, users, and services. An organization can have many Subordinate
CAs, each of which is issued a signing certificate by the Root CA. In the event that one Subordinate
CA is compromised, trust of that CA can be revoked from the Root CA. Only the certificates that were
issued by that CA will be considered untrustworthy. You can replace the compromised Subordinate
CA without having to replace the entire organization’s certificate infrastructure. Subordinate CAs can
be replaced, but a compromised Enterprise Root CA usually means you have to redeploy the Active
Directory forest from scratch. If a Standalone Root CA is compromised, it also necessitates the
replacement of an organization’s PKI infrastructure.
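The following PowerShell walk-through is an added example for the scenario in the question (it is not part of the exam text or the training kit): it exports the standalone root CA's certificate, shows how an external partner computer's chain validation of Server1's certificate fails until that root is trusted, and installs the root into the machine's Trusted Root store. The file paths, file names and the Test-ServerCertChain helper are assumptions for illustration.

```powershell
# Added example; not from the exam question or the training kit.
# SSTP runs inside HTTPS (TCP 443), so the partner computer validates Server1's
# certificate chain exactly as a browser would. With a standalone root CA, nothing
# pushes that root to non-domain computers, so it must be installed by hand.
# All paths and file names below are assumed for illustration.

# 1. On the standalone root CA: export the CA's own certificate (public part only).
certutil -ca.cert C:\Export\PartnerRootCA.cer

# 2. On the external partner computer (elevated): report how Server1's certificate chains.
#    Server1.cer is the server certificate copied from Server1 (public part only).
function Test-ServerCertChain {
    param([string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # SSTP clients check revocation by default, so include an online CRL fetch in the test.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $ok = $chain.Build($cert)
    # Status lists every chain error (for example UntrustedRoot or RevocationStatusUnknown),
    # which tells the administrator whether trust or CRL reachability is the problem.
    [pscustomobject]@{
        Subject = $cert.Subject
        Trusted = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Chain check while the root is still untrusted on this computer.
Test-ServerCertChain -CertPath C:\Import\Server1.cer

# 3. Install the root CA certificate into the computer's Trusted Root store.
certutil -addstore -f Root C:\Import\PartnerRootCA.cer

# Chain check again; it also exercises the CRL distribution point named in Server1's
# certificate, which must be reachable from the partner network for SSTP to connect.
Test-ServerCertChain -CertPath C:\Import\Server1.cer
```

Installing the root only establishes trust; if the CRL distribution point in Server1's certificate is reachable solely from the internal network, revocation checking still blocks the SSTP connection.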