Certificate Services



Dan
07-09-2005, 10:51 PM
Hi all,

I plan to implement WPA using a RADIUS server. To do this I must install
certificate services on a server. Is there an "outside" security risk by
doing this? If so what are the best steps of precaution when installing
certificate services on Windows Server 2003?
--
Thanks,

Dan

Steven L Umbach
07-09-2005, 10:51 PM
To keep the integrity of your PKI you want to make sure that the Certificate
Authority is well secured meaning physically and that administrator access
to the server is closely controlled. Otherwise you run the risk of
unauthorized certificates being issued or even unauthorized subordinate
Certificate Authorities being installed. You can control which
users/computers can obtain certificates by configuring security permissions
on the certificate templates. You should also be aware that if you have the
choice installing your CA on Windows 2003 Enterprise Server in a domain then
you will be able to use version 2 templates and take advantage of
autoenrollment for users and computers which can greatly help in managing
certificates and renewals. The links below may help. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:4A21E8A3-D7EB-42C8-BB9A-8676E820D61A@microsoft.com...
> Hi all,
>
> I plan to implement WPA using a RADIUS server. To do this I must install
> certificate services on a server. Is there an "outside" security risk by
> doing this? If so what are the best steps of precaution when installing
> certificate services on Windows Server 2003?
> --
> Thanks,
>
> Dan

Dan
07-09-2005, 10:51 PM
Implementing WPA with RADIUS doesn't mean you HAVE TO install Certificate
services, unless you are implementing EAP-TLS. You can always use
PEAP-MS-CHAPV2 which will require username and password instead.

"Dan" wrote:

> Hi all,
>
> I plan to implement WPA using a RADIUS server. To do this I must install
> certificate services on a server. Is there an "outside" security risk by
> doing this? If so what are the best steps of precaution when installing
> certificate services on Windows Server 2003?
> --
> Thanks,
>
> Dan

Dan
07-09-2005, 10:51 PM
Thanks! Appreciate the advice.

"Steven L Umbach" wrote:

> To keep the integrity of your PKI you want to make sure that the Certificate
> Authority is well secured meaning physically and that administrator access
> to the server is closely controlled. Otherwise you run the risk of
> unauthorized certificates being issued or even unauthorized subordinate
> Certificate Authorities being installed. You can control which
> users/computers can obtain certificates by configuring security permissions
> on the certificate templates. You should also be aware that if you have the
> choice installing your CA on Windows 2003 Enterprise Server in a domain then
> you will be able to use version 2 templates and take advantage of
> autoenrollment for users and computers which can greatly help in managing
> certificates and renewals. The links below may help. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
> http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:4A21E8A3-D7EB-42C8-BB9A-8676E820D61A@microsoft.com...
> > Hi all,
> >
> > I plan to implement WPA using a RADIUS server. To do this I must install
> > certificate services on a server. Is there an "outside" security risk by
> > doing this? If so what are the best steps of precaution when installing
> > certificate services on Windows Server 2003?
> > --
> > Thanks,
> >
> > Dan
>
>
>

Dan
07-09-2005, 10:51 PM
The main goal of my project is to eliminate end user involvement when
connecting wirelessly, yet tighten security. No passwords, no encryption keys
to enter, but strictly authentication. (I'm currently running only WEP and it
doesn't make me feel like my wireless network is secured enough) Thanks for
the reply though, and if you have any more ideas that might help a "newbie"
with this project please let me know. Thanks for the response!

"Dan" wrote:

> Implementing WPA with RADIUS doesn't mean you HAVE TO install Certificate
> services, unless you are implementing EAP-TLS. You can always use
> PEAP-MS-CHAPV2 which will require username and password instead.
>
> "Dan" wrote:
>
> > Hi all,
> >
> > I plan to implement WPA using a RADIUS server. To do this I must install
> > certificate services on a server. Is there an "outside" security risk by
> > doing this? If so what are the best steps of precaution when installing
> > certificate services on Windows Server 2003?
> > --
> > Thanks,
> >
> > Dan

Dan
07-09-2005, 10:51 PM
I see your point and using Certificate Services will be a good choice. No,
WEP is not secure. I'm also implementing WPA-RADIUS using Microsoft IAS
Server but with Windows 2000 Server instead of 2003 Server. I've tried using
a Linksys AP but didn't work. However, a 3com wireless AP worked for me
flawlessly using WPA-RADIUS with PEAP-MS-CHAPV2.
I'm a newbie on Certificate Services using Win2000 and have found articles
on mostly 2003. Mostly the same, but I wasn't able to fully understand the
purpose of issuing certificates, handing out certificates, what templates are
and such. Hopefully, someone can explain in "layman's" term the how to and
what they are.

"Dan" wrote:

> The main goal of my project is to eliminate end user involvement when
> connecting wirelessly, yet tighten security. No passwords, no encryption keys
> to enter, but strictly authentication. (I'm currently running only WEP and it
> doesn't make me feel like my wireless network is secured enough) Thanks for
> the reply though, and if you have any more ideas that might help a "newbie"
> with this project please let me know. Thanks for the response!
>
> "Dan" wrote:
>
> > Implementing WPA with RADIUS doesn't mean you HAVE TO install Certificate
> > services, unless you are implementing EAP-TLS. You can always use
> > PEAP-MS-CHAPV2 which will require username and password instead.
> >
> > "Dan" wrote:
> >
> > > Hi all,
> > >
> > > I plan to implement WPA using a RADIUS server. To do this I must install
> > > certificate services on a server. Is there an "outside" security risk by
> > > doing this? If so what are the best steps of precaution when installing
> > > certificate services on Windows Server 2003?
> > > --
> > > Thanks,
> > >
> > > Dan

Steven L Umbach
07-09-2005, 10:51 PM
PEAP still requires that the IAS/radius server have a certificate, though
you could buy one from a third party if you want. --- Steve


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:B4D34D1A-09C8-4B68-9B45-B9FC1CB93346@microsoft.com...
> Implementing WPA with RADIUS doesn't mean you HAVE TO install Certificate
> services, unless you are implementing EAP-TLS. You can always use
> PEAP-MS-CHAPV2 which will require username and password instead.
>
> "Dan" wrote:
>
>> Hi all,
>>
>> I plan to implement WPA using a RADIUS server. To do this I must install
>> certificate services on a server. Is there an "outside" security risk by
>> doing this? If so what are the best steps of precaution when installing
>> certificate services on Windows Server 2003?
>> --
>> Thanks,
>>
>> Dan

Dan
07-09-2005, 10:51 PM
Let me get this right.....only the IAS/RADIUS server requires the certificate
but not the wireless AP, user or other computer correct?

"Steven L Umbach" wrote:

> PEAP still requires that the IAS/radius server have a certificate, though
> you could buy one from a third party if you want. --- Steve
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:B4D34D1A-09C8-4B68-9B45-B9FC1CB93346@microsoft.com...
> > Implementing WPA with RADIUS doesn't mean you HAVE TO install Certificate
> > services, unless you are implementing EAP-TLS. You can always use
> > PEAP-MS-CHAPV2 which will require username and password instead.
> >
> > "Dan" wrote:
> >
> >> Hi all,
> >>
> >> I plan to implement WPA using a RADIUS server. To do this I must install
> >> certificate services on a server. Is there an "outside" security risk by
> >> doing this? If so what are the best steps of precaution when installing
> >> certificate services on Windows Server 2003?
> >> --
> >> Thanks,
> >>
> >> Dan
>
>
>

Steven L Umbach
07-09-2005, 10:51 PM
Yes. For PEAP only the IAS/radius server needs a certificate and the client
computers need to trust the CA that issued the certificate. If you have not
seen the link below yet it is a pretty good read on 802.1X that takes you
step by step through setting it up in a test lab. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:FC3CD3BA-6EA5-4795-8AF7-1348C7E5E302@microsoft.com...
> Let me get this right.....only the IAS/RADIUS server requires the
> certificate
> but not the wireless AP, user or other computer correct?
>
> "Steven L Umbach" wrote:
>
>> PEAP still requires that the IAS/radius server have a certificate, though
>> you could buy one from a third party if you want. --- Steve
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:B4D34D1A-09C8-4B68-9B45-B9FC1CB93346@microsoft.com...
>> > Implementing WPA with RADIUS doesn't mean you HAVE TO install
>> > Certificate
>> > services, unless you are implementing EAP-TLS. You can always use
>> > PEAP-MS-CHAPV2 which will require username and password instead.
>> >
>> > "Dan" wrote:
>> >
>> >> Hi all,
>> >>
>> >> I plan to implement WPA using a RADIUS server. To do this I must
>> >> install
>> >> certificate services on a server. Is there an "outside" security risk
>> >> by
>> >> doing this? If so what are the best steps of precaution when
>> >> installing
>> >> certificate services on Windows Server 2003?
>> >> --
>> >> Thanks,
>> >>
>> >> Dan
>>
>>
>>

Dan
07-09-2005, 10:51 PM
Well, thats funny. I did my setup on a test environment using a Win2K Server
running DNS, DHCP, IAS and also installed Microsoft server CA. Another
machine running Win2K Server running Microsoft ISA Server 2000. A wireless
AP using WPA-RADIUS using PEAP-MS-CHAPV2. Then I use a Win2K Pro laptop and
connect wirelessly via the AP using PEAP-MS-CHAPV2. No prompt to ask me for
certification, just username and password. I'm in.
As far as I understood, if I use EAP-TLS, that is when I need certificates
because TLS requires machine authentication.

"Steven L Umbach" wrote:

> Yes. For PEAP only the IAS/radius server needs a certificate and the client
> computers need to trust the CA that issued the certificate. If you have not
> seen the link below yet it is a pretty good read on 802.1X that takes you
> step by step through setting it up in a test lab. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:FC3CD3BA-6EA5-4795-8AF7-1348C7E5E302@microsoft.com...
> > Let me get this right.....only the IAS/RADIUS server requires the
> > certificate
> > but not the wireless AP, user or other computer correct?
> >
> > "Steven L Umbach" wrote:
> >
> >> PEAP still requires that the IAS/radius server have a certificate, though
> >> you could buy one from a third party if you want. --- Steve
> >>
> >>
> >> "Dan" <Dan@discussions.microsoft.com> wrote in message
> >> news:B4D34D1A-09C8-4B68-9B45-B9FC1CB93346@microsoft.com...
> >> > Implementing WPA with RADIUS doesn't mean you HAVE TO install
> >> > Certificate
> >> > services, unless you are implementing EAP-TLS. You can always use
> >> > PEAP-MS-CHAPV2 which will require username and password instead.
> >> >
> >> > "Dan" wrote:
> >> >
> >> >> Hi all,
> >> >>
> >> >> I plan to implement WPA using a RADIUS server. To do this I must
> >> >> install
> >> >> certificate services on a server. Is there an "outside" security risk
> >> >> by
> >> >> doing this? If so what are the best steps of precaution when
> >> >> installing
> >> >> certificate services on Windows Server 2003?
> >> >> --
> >> >> Thanks,
> >> >>
> >> >> Dan
> >>
> >>
> >>
>
>
>

Steven L Umbach
07-09-2005, 10:51 PM
Does your IAS server have a certificate? The client may not necessarily be
prompted for a certificate if it trusts the certificate that the IAS server
has. You can use the mmc snapin for certificates for computer to view
certificates on a computer. The link below has more details. The IAS
certificate is used to create the secure TLS connection in a way very
similar to when you visit a secure website. --- Steve

http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx

PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the
wireless clients. IAS servers must have a certificate installed in their
Local Computer certificate store. Instead of deploying a PKI, you can
purchase individual certificates from a third-party CA to install on your
IAS servers. To ensure that wireless clients can validate the IAS server
certificate chain, the root CA certificate of the CA that issued the IAS
server certificates must be installed on each wireless client.


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:3FA384C0-B00F-4CC4-A02B-68A73104D718@microsoft.com...
> Well, thats funny. I did my setup on a test environment using a Win2K
> Server
> running DNS, DHCP, IAS and also installed Microsoft server CA. Another
> machine running Win2K Server running Microsoft ISA Server 2000. A
> wireless
> AP using WPA-RADIUS using PEAP-MS-CHAPV2. Then I use a Win2K Pro laptop
> and
> connect wirelessly via the AP using PEAP-MS-CHAPV2. No prompt to ask me
> for
> certification, just username and password. I'm in.
> As far as I understood, if I use EAP-TLS, that is when I need certificates
> because TLS requires machine authentication.
>
> "Steven L Umbach" wrote:
>
>> Yes. For PEAP only the IAS/radius server needs a certificate and the
>> client
>> computers need to trust the CA that issued the certificate. If you have
>> not
>> seen the link below yet it is a pretty good read on 802.1X that takes you
>> step by step through setting it up in a test lab. --- Steve
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:FC3CD3BA-6EA5-4795-8AF7-1348C7E5E302@microsoft.com...
>> > Let me get this right.....only the IAS/RADIUS server requires the
>> > certificate
>> > but not the wireless AP, user or other computer correct?
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> PEAP still requires that the IAS/radius server have a certificate,
>> >> though
>> >> you could buy one from a third party if you want. --- Steve
>> >>
>> >>
>> >> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> >> news:B4D34D1A-09C8-4B68-9B45-B9FC1CB93346@microsoft.com...
>> >> > Implementing WPA with RADIUS doesn't mean you HAVE TO install
>> >> > Certificate
>> >> > services, unless you are implementing EAP-TLS. You can always use
>> >> > PEAP-MS-CHAPV2 which will require username and password instead.
>> >> >
>> >> > "Dan" wrote:
>> >> >
>> >> >> Hi all,
>> >> >>
>> >> >> I plan to implement WPA using a RADIUS server. To do this I must
>> >> >> install
>> >> >> certificate services on a server. Is there an "outside" security
>> >> >> risk
>> >> >> by
>> >> >> doing this? If so what are the best steps of precaution when
>> >> >> installing
>> >> >> certificate services on Windows Server 2003?
>> >> >> --
>> >> >> Thanks,
>> >> >>
>> >> >> Dan
>> >>
>> >>
>> >>
>>
>>
>>

lynn@garlic.com
07-09-2005, 10:52 PM
Dan wrote:
> Implementing WPA with RADIUS doesn't mean you HAVE TO install
> Certificate
> services, unless you are implementing EAP-TLS. You can always use
> PEAP-MS-CHAPV2 which will require username and password instead.

note that there have been certificateless public key implementations
for both kerberos and radius done.
http://www.garlic.com/~lynn/subpubkey.html#kerberos
http://www.garlic.com/~lynn/subpubkey.html#radius

in principle, certificateless operations maintain existing business
processes for registering authentication material ... but replaces the
registration of a pin/password with the registration of a public key.
then the user authenticates with a userid/digital signature .... where
the digital signature is verified with the onfile public key.
http://www.garlic.com/~lynn/subpubkey.html#certless

the original design point for PKIs and certificates was the offline
email model of the early 80s; the recipient dialed up their local
electronic post office, exchanged email, hung up and found themselves
with an email from a total stranger that they had never communicated
with before. in this first-time stranger communication in the offline
world, the recipient had no resources to determine information about
the sender. this is somewhat the email analogy to the letters of credit
paradigm from sailing ship days.

using somewhat abstract information theory, a certificate represents an
armored, stale, static, distributed cached information. it is pushed
by the sender to the relying-party ... so that the relying party can
have information about the sender in the stranger, first-time
communication where the relying party is offline and has no recourse
for obtaining any information about a stranger in a first time
communication situation.

in the early 90s, there was some move for x.509 identity certificates
by trusted third party certification authorities. however, it was
somewhat difficult for a CA to predict exactly what identity
information some unknown relying party in the future might require. As
a result there was some move to grossly overload identity certificates
with enormous amounts of privacy information.

in the mid-90s, various infrastructures (like financial institutions)
were coming to realize that enormous amounts of identity information
represented significant liability and privacy issues. as a result there
was some efforts in the area of relying-party-only certificate
http://www.garlic.com/~lynn/subpubkey.html#rpo

where a certificate might only contain some form of an account number
as certified information. the key owner would constantly digitally sign
transactions with their private key and push the transaction, the
digital signature, and the certificate to the relying party (who had
originally issued the certificate and has a superset of all the
information already on file, including the public key and the
associated account record). in all cases the account selection (number,
userid, or some other value) was also present in the digitally signed
transaction.

when the relying-party receives the transaction, they pull the look-up
value from the transaction, read the associated account information,
retrieve the public key from the account, and using the onfile public
key, verify the digital signature. In such scenarios, it is possible to
demonstrate that such stale, static digital certificates are redundant
and superfluous.

there was another downside in the case of financial payment
transactions. the typical payment transaction is on the order of 60-80
bytes. the typical relying-party-only certificate from the mid-90s was
on the order of 4k-12k bytes. In addition to the stale, static digital
certificates being redundant and superfluous ... they were able to
contribute a factor of 100 times payload bloat to the transmission.
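
The two mechanisms lynn describes, registering a public key where a password would have been registered and the relying party verifying a signed transaction against the key on file, are the same check seen from both ends, so one added example covers both passages. This is illustrative code written for this page, not lynn's implementation and not anything from the linked garlic.com notes. It assumes Ed25519 signatures and a constructed 16-byte transaction layout (8-byte account number, 4-byte amount, payee text); the account numbers and payee are made up. The lookup value travels inside the signed bytes, as lynn specifies, and nothing resembling a certificate is sent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registry is the relying party's on-file account records. In place of a
// password, each account has a registered public key.
type Registry map[uint64]ed25519.PublicKey

// Transaction is the signed message. The account number (the lookup value) is
// part of the signed bytes, so it cannot be swapped without breaking the signature.
type Transaction struct {
	Account uint64
	Amount  uint32
	Payee   string
}

// Encode produces the constructed wire layout: account, amount, payee.
func (t Transaction) Encode() []byte {
	buf := make([]byte, 12, 12+len(t.Payee))
	binary.BigEndian.PutUint64(buf[0:8], t.Account)
	binary.BigEndian.PutUint32(buf[8:12], t.Amount)
	return append(buf, t.Payee...)
}

// Decode parses the wire layout; a short payload is rejected before any lookup.
func Decode(b []byte) (Transaction, error) {
	if len(b) < 12 {
		return Transaction{}, errors.New("payload too short")
	}
	return Transaction{
		Account: binary.BigEndian.Uint64(b[0:8]),
		Amount:  binary.BigEndian.Uint32(b[8:12]),
		Payee:   string(b[12:]),
	}, nil
}

// Verify is the relying party's check: pull the lookup value from the payload,
// read the on-file public key, verify the signature. No certificate is needed.
func (r Registry) Verify(payload, sig []byte) (Transaction, error) {
	tx, err := Decode(payload)
	if err != nil {
		return Transaction{}, err
	}
	pub, ok := r[tx.Account]
	if !ok {
		return Transaction{}, fmt.Errorf("account %d: no public key on file", tx.Account)
	}
	if !ed25519.Verify(pub, payload, sig) {
		return Transaction{}, fmt.Errorf("account %d: bad signature", tx.Account)
	}
	return tx, nil
}

// Demo registers one key, then submits a genuine, a tampered and an unregistered
// transaction. It returns the three outcomes and the bytes actually sent on the wire.
func Demo() (accepted, tamperedRejected, unknownRejected bool, wireBytes int, err error) {
	pub, priv, keyErr := ed25519.GenerateKey(rand.Reader)
	if keyErr != nil {
		return false, false, false, 0, keyErr
	}
	reg := Registry{4242: pub} // constructed account number

	payload := Transaction{Account: 4242, Amount: 1999, Payee: "ACME"}.Encode()
	sig := ed25519.Sign(priv, payload)
	_, e := reg.Verify(payload, sig)
	accepted = e == nil

	// Someone in the path raises the amount; the on-file key no longer verifies it.
	tampered := append([]byte(nil), payload...)
	binary.BigEndian.PutUint32(tampered[8:12], 999999)
	_, e = reg.Verify(tampered, sig)
	tamperedRejected = e != nil

	// A valid signature under a key the relying party never registered is worthless.
	stranger := Transaction{Account: 7, Amount: 1, Payee: "ACME"}.Encode()
	_, e = reg.Verify(stranger, ed25519.Sign(priv, stranger))
	unknownRejected = e != nil

	wireBytes = len(payload) + len(sig) // 16-byte transaction plus 64-byte signature
	return
}

func main() {
	accepted, tamperedRejected, unknownRejected, wireBytes, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine accepted:", accepted, "tampered rejected:", tamperedRejected,
		"unregistered rejected:", unknownRejected, "bytes on the wire:", wireBytes)
}
```

The size figure is the point of lynn's last paragraph: the whole signed transaction here is 80 bytes, in the range lynn quotes for a payment message, and the relying party already holds everything a certificate would have repeated. Whether the registry is a RADIUS user database or a bank's account file, the trust decision rests on how the public key got into it, which is the business process lynn says is left unchanged.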

