Plan infrastructure services server roles
IPv4 / IPv6
IPv4 and IPv6 can be found here
IPv6 stateless autoconfiguration:
Generates a link-local address
Tests whether the link-local address is unique on the link using Duplicate Address Detection (DAD)
If it is unique, the host assigns itself that address
Contacts the local router (Router Solicitation Message)
Gets the network prefix, address lifetimes, next hop etc. from the Router Advertisement (DAD runs again to ensure the autoconfigured global address is unique)
Stateless configuration doesn’t assign DNS server addresses; DHCPv6 can be configured to assign them.
Dual stack: hosts carry both IPv4 and IPv6 addresses.
Use transition technologies: Teredo and 6to4 across the Internet, ISATAP within the intranet.
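The autoconfiguration steps above can be verified on a host after the fact. The following is an added example (not part of the original notes) that reports each IPv6 address with where its prefix and suffix came from and whether DAD passed, the next hop learned from the Router Advertisement, and whether any IPv6 DNS servers were supplied by DHCPv6. It assumes the NetTCPIP and DnsClient modules (Windows 8 / Server 2012 and later); on Server 2008 R2 the same information is in `netsh interface ipv6 show addresses`.

```powershell
# Added example: inspect the outcome of IPv6 stateless autoconfiguration on this host.
# Assumes Get-NetIPAddress / Get-NetRoute / Get-DnsClientServerAddress (Windows 8 / 2012+).

function Get-SlaacReport {
    # Steps 1-3 and 5: link-local and global addresses with their DAD (AddressState) result.
    # AddressState 'Preferred' means DAD passed; 'Duplicate' means another node owns the address.
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Interface     = $_.InterfaceAlias
            Address       = $_.IPAddress
            Scope         = if ($_.IPAddress -like 'fe80:*') { 'LinkLocal' } else { 'Global/ULA' }
            PrefixOrigin  = $_.PrefixOrigin      # RouterAdvertisement = prefix learned from the RA
            SuffixOrigin  = $_.SuffixOrigin      # Link = derived from the MAC, Random = privacy address
            AddressState  = $_.AddressState      # DAD outcome
            ValidLifetime = $_.ValidLifetime     # lifetimes are carried in the RA
            Preferred     = $_.PreferredLifetime
        }
    }
}

function Get-Ipv6NextHop {
    # Step 5: the default route (::/0) and its next hop come from the Router Advertisement.
    Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric
}

function Test-Ipv6DnsConfigured {
    # SLAAC does not supply DNS servers, so any IPv6 DNS server present came from DHCPv6
    # (or manual configuration). Returns $true when at least one interface has one.
    $withDns = Get-DnsClientServerAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    return [bool]$withDns
}

Get-SlaacReport | Format-Table -AutoSize
Get-Ipv6NextHop
"IPv6 DNS servers configured: $(Test-Ipv6DnsConfigured)"
```

A host that shows a `RouterAdvertisement` prefix but no IPv6 DNS servers is the exact situation the note describes: address assignment worked, name resolution still needs DHCPv6.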
DNS in Windows Server 2008 R2 has DHCP filters which allow the administrator to filter, by MAC address, which clients can or cannot obtain an IP address from DHCP.
DHCP can be configured to issue IPv6 DNS server addresses and DNS domain names in a stateless environment, whereas in a stateful IPv6 environment DHCPv6 can issue IP addresses, the gateway address, DNS server addresses etc.
Primary read-only zones are new and are used when an RODC is deployed.
DNS client cache refreshes every 15 minutes.
DNS stub zones contain the Name Server (NS) and Start of Authority (SOA) records for a delegated DNS zone, plus the glue A records that hold the name servers' IP addresses. Stub zones minimise zone replication: the local DNS server maintains only the list of NS and glue A records.
DNS now supports background zone loading: the DNS server services requests whilst the zone is still loading, and incoming client requests are prioritised and the records they need are loaded on demand.
GlobalNames is Microsoft's attempt to finally replace WINS; it allows you to map a flat (single-label) name to an FQDN within DNS. GlobalNames records are not dynamically updated, so they should be used where IP addresses are static. Other use cases: applications that cannot support FQDNs, DNS servers running Windows Server 2008 / 2008 R2, or decommissioning WINS.
GlobalNames is enabled as follows:
dnscmd . /config /enableglobalnamessupport 1
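Enabling support is only the first step; the zone itself has to be created and populated. The block below is an added example (not part of the original notes) showing the full sequence with dnscmd: enable support, create the GlobalNames zone as an AD-integrated zone replicated forest-wide, add a CNAME record for one flat name, and verify it. The flat name and target FQDN are constructed placeholders; the zone name must be exactly GlobalNames.

```powershell
# Added example: create and populate the GlobalNames zone with dnscmd.
# Run on a DNS server that is also a domain controller. Names below are placeholders.

$flatName = 'intranet'                 # single-label name that legacy applications use
$target   = 'web01.corp.example.com.'  # FQDN it maps to (trailing dot makes it absolute)

# 1. Enable GlobalNames support on every DNS server that will answer for the zone.
dnscmd . /config /enableglobalnamessupport 1

# 2. Create the zone once, AD-integrated and replicated to all DNS servers in the forest.
dnscmd . /zoneadd GlobalNames /dsprimary /dp /forest

# 3. GlobalNames entries are CNAME records pointing at the FQDN. They are never updated
#    dynamically, so only add hosts whose addresses are static.
dnscmd . /recordadd GlobalNames $flatName CNAME $target

# 4. Verify: the record exists in the zone and the single-label name resolves.
dnscmd . /enumrecords GlobalNames $flatName
Resolve-DnsName -Name $flatName -ErrorAction SilentlyContinue   # Windows 8/2012+; use nslookup on 2008 R2
```

Because the zone is replicated forest-wide, step 2 is run on one server only; step 1 is repeated on each DNS server that should answer GlobalNames queries.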
Network Access Control
Network Access Protection is a feature in Windows Server 2008 that controls access to network resources based on a client computer's identity and compliance.
NAP uses the client's Security Center (Vista / XP SP3) as its reference, e.g. is the Windows firewall enabled etc.
NAP enforcement is configured via group policy (Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients and Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent); create a group which contains the NAP client computers and filter the GPO using GPO security filtering. The configuration can be viewed on the client by running netsh as below.
netsh nap client show state
NAP events can be viewed via Event Viewer\Application and Service Logs\Microsoft\Windows\Network Access Protection\Operational
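When triaging a client that is being restricted, the two sources above (netsh state and the operational log) are what you read first. The following is an added example (not part of the original notes) that gathers both from one machine: the NAP Agent service status, the restriction state and initialised enforcement clients from `netsh nap client show state`, and recent events from the operational log. The event channel name is the internal name of the log the note points at; the line-matching against the netsh text output is best effort and an assumption about its wording.

```powershell
# Added example: snapshot of NAP client state plus recent NAP events for triage.
# Assumes the NAP Agent service (napagent) is installed on the client.

function Get-NapClientSnapshot {
    # Enforcement clients cannot report anything if the NAP agent is not running.
    $agent = Get-Service -Name napagent -ErrorAction SilentlyContinue

    # netsh prints the client state, then one block per enforcement client
    # (DHCP, IPsec, VPN/EAP ...) including whether it is initialized.
    $state = netsh nap client show state

    # Assumption: lines of the form "Restriction state = ..." and "Initialized = Yes/No".
    $restriction = $state | Where-Object { $_ -match 'Restriction state' }
    $enforcement = $state | Where-Object { $_ -match '^\s*(Name|Initialized)\s*=' }

    [pscustomobject]@{
        AgentStatus        = if ($agent) { $agent.Status } else { 'NotInstalled' }
        RestrictionState   = ($restriction -join '; ').Trim()
        EnforcementClients = ($enforcement | ForEach-Object { $_.Trim() }) -join "`n"
    }
}

function Get-NapRecentEvents {
    param([int]$Hours = 24)
    # Shown in Event Viewer as
    # Application and Services Logs\Microsoft\Windows\Network Access Protection\Operational
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NetworkAccessProtection/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-NapClientSnapshot
Get-NapRecentEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

A client whose enforcement clients all show as not initialized is usually one that never received the NAP client GPO (wrong group membership for the security filtering) rather than one that is unhealthy.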
DHCP enforcement ensures clients are healthy, i.e. they have met the health policy requirements, before being given an IP address lease; the caveat of this enforcement method is that a user with administrator privileges could statically assign themselves an IP address to bypass it.
DHCP enforcement requires DHCP server options from the Default Network Access Protection and Default User Classes. If the DHCP server is installed on a different server to the NPS role, then the DHCP server should be configured as a remote RADIUS client.
Non-compliant and non-NAP-capable clients should have defined remediation servers which allow access to the resources they need to become healthy or NAP capable, e.g. a workgroup client computer receiving DHCP leases from a NAP scope will be deemed non-NAP-capable until it has been joined to the domain, downloaded the necessary policies and has the necessary group membership.
IPsec enforcement ensures computers are healthy before being able to communicate with corporate resources; this enforcement method is tamper resistant as the client computer requires a health certificate from a Health Registration Authority CA. This method allows end-to-end encryption too.
IPsec enforcement requires a Domain Controller, preferably an Enterprise Certificate Authority and a standalone issuing Certificate Authority, Health Registration Authority (HRA) and Network Policy Server. The standalone CA issues system health authentication certificates via the HRA server.
Client or server computers which are exempt from IPsec communication should have the system health authentication certificate auto-enrolled.
The NPS server should have a computer certificate enrolled to encrypt communication with the HRA website; this website has two roles: one authenticates domain computers using Windows Authentication, the other authenticates non-domain computers using Anonymous authentication. Anonymous clients will need to trust the root certificate authority, or whichever CA issued the SSL certificate for the HRA website.
When configuring NAP you would need to configure a RADIUS client if the HRA role is installed anywhere other than where the NPS role is installed.
NAP IPsec enforcement requires an additional group policy object configuring (Computer Configuration\Policies\Windows Settings\Security Settings\NAP Client Configuration\Trusted Server Groups\) the URL of the HRA server, e.g. https://[fqdn]/DomainHRA/hcsrvext.dll.
It is possible to configure HRA auto-discovery, but this requires DNS SRV records and auto-discovery registry keys configured on the client.
VPN enforcement ensures computers are healthy before allowing them to access the corporate network via the VPN server.
VPN enforcement requires a domain controller, Certificate services, RADIUS server (NPS), VPN (RRAS) and DHCP to issue IP addresses to VPN clients.
VPN enforcement client settings configured via group policy depend on the client operating systems (Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients\Remote Access Enforcement Client (XP/Vista) and \EAP Quarantine Enforcement Client (Windows 7))
Step-by-step guides here
more information here too.
- PPTP – lowest security, easiest to configure and uses MS-CHAPv2
- L2TP – requires computer certificates, works with IPv6 and uses IPsec for authentication, data integrity and encryption. Heterogeneous.
- SSTP – requires the endpoint certificate be trusted by client machines, uses SSL for authentication, data integrity and encryption thus uses TCP port 443 which allows the VPN to traverse proxies, NAT and firewalls; requires Windows Server 2008 and Vista SP1 and later though. The CRL distribution point must be accessible from the internet.
- IKEv2 – Enables clients to utilise VPN reconnect functionality. Requires at least Windows 7 and Windows Server 2008 R2. Uses UDP port 500. IKEv2 is the default connection the Windows 7 VPN client will try.
By default a VPN client will access all of its resources via the VPN tunnel; if you want to use split tunnelling, configure the VPN connection's TCP/IP properties to not use the default gateway on the remote network.
If you’re using DHCP to issue VPN clients with an address you can use the ‘Default Routing and Remote Access Class’ options.
EAP-TLS – requires the RAS server be a member of the domain.
MS-CHAPv2 – default authentication and encryption protocol.
EAP-MD5-CHAP – generally used with non-Microsoft clients.
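The protocol and authentication choices above, and the split-tunnelling default, map directly onto a client VPN connection definition. The following is an added example (not part of the original notes) that defines an IKEv2 connection using machine certificates with full tunnelling, shows the SSTP alternative for clients behind restrictive firewalls, and checks that the connection really does route everything through the tunnel. It assumes the VpnClient cmdlets (Windows 8 / Server 2012 and later); the server name is a constructed placeholder and must match the name in the server's certificate.

```powershell
# Added example: define a client VPN connection matching the notes' recommendations.
# Assumes Add-VpnConnection / Get-VpnConnection (Windows 8 / 2012+). Placeholder names.

$vpnName = 'Corp-VPN'
$server  = 'vpn.example.com'   # placeholder: must match the SSTP/IKEv2 server certificate subject

# IKEv2 with machine certificates: no password exchange, and VPN Reconnect is available.
# The tunnel type is pinned rather than left on 'Automatic' so the client cannot negotiate
# down to PPTP. SplitTunneling is omitted, so the default gateway on the remote network is used
# (full tunnel), which is the default behaviour the notes describe.
Add-VpnConnection -Name $vpnName -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force

# SSTP alternative for clients that must traverse proxies/NAT on TCP 443. The client needs
# to trust the issuing CA and be able to reach the CRL distribution point from the Internet.
# Add-VpnConnection -Name "$vpnName-SSTP" -ServerAddress $server -TunnelType Sstp `
#     -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

function Test-VpnUsesFullTunnel {
    param([Parameter(Mandatory)][string]$Name)
    # SplitTunneling = $false means every route goes through the tunnel.
    $c = Get-VpnConnection -Name $Name -ErrorAction Stop
    return (-not $c.SplitTunneling)
}

Get-VpnConnection -Name $vpnName |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
"Full tunnel: $(Test-VpnUsesFullTunnel -Name $vpnName)"
```

To enable split tunnelling deliberately, `Set-VpnConnection -Name $vpnName -SplitTunneling $true` is the cmdlet equivalent of clearing "Use default gateway on remote network".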
Certificate Services can issue certificates that are used for code signing, driver signing, email signing, web site traffic encryption, data encryption (i.e. IPsec and EFS), wireless authentication and smartcards.
Key differences between external and internal certificate authorities
- External certificate authorities are commonly trusted, i.e. their root certificates ship with the major operating systems.
Internal certificate authorities
Standalone CA:
- no AD DS requirement
- manual requests and manual approval
- no certificate templates
- the root certificate must be installed manually in client computer stores
- generally used as the root certificate authority, which is switched off once subordinate certificates have been issued
Enterprise CA:
- requires AD DS, which in turn supports auto-enrolment
- smartcards and authentication tokens can be issued to validate user credentials
- certificates and certificate revocation lists are published to AD DS
- certificate template types 2 and 3 are available for customising certificates
- certificate requests can pull information from AD DS in order to submit the request on behalf of the client
Certificate authority certificates
NOTE: No certificate can be issued an expiry date which exceeds the certificate in the chain above it.
The root certificate should use a strong hash algorithm, e.g. SHA256 (XP has issues with SHA-2 algorithms), and a 4096-bit key length (legacy applications may force you down to 2048-bit). The validity of the certificate should be less than its expected lifetime.
Intermediate certificate (subordinate)
Intermediate certificate authorities should use a smaller key length and a less computationally expensive hash algorithm than the root certificate, but their validity should be significantly shorter too. It should be okay to reuse the same key on renewal.
Issuing certificate (subordinate)
Issuing certificate authorities should use a smaller key length (if applicable) and a less computationally expensive hash algorithm; again the validity should be significantly shorter. It is also a good idea to issue a new key when renewing the issuing certificate; this creates a new certificate revocation list, which should speed up CRL lookups.
Expiring and newly generated certificates can co-exist which allows you to renew the root, intermediate or issuing certificates before they expire.
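The rules in this section (no certificate outlives the one above it, strongest key and hash at the root, weak signature algorithms avoided) can be checked mechanically against any issued certificate. The block below is an added example (not part of the original notes) that builds the chain with .NET's X509Chain and reports every violation; the store path it walks and the minimum key sizes are assumptions taken from the guidance above, and any X509Certificate2 (for instance one loaded from a .cer file) can be passed in instead.

```powershell
# Added example: audit a certificate chain for validity-period and key-strength hygiene.
# Uses System.Security.Cryptography.X509Certificates.X509Chain; works offline (no revocation check).

function Test-CertChainHygiene {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinRootKeyBits = 4096,        # assumption from the notes: 4096-bit root
        [int]$MinSubordinateKeyBits = 2048  # assumption: subordinates no weaker than 2048-bit
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    # ChainElements[0] is the leaf; the last element is the root.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $findings = New-Object System.Collections.Generic.List[string]

    for ($i = 0; $i -lt $elements.Count; $i++) {
        $c      = $elements[$i]
        $isRoot = ($i -eq $elements.Count - 1)
        $bits   = try { $c.PublicKey.Key.KeySize } catch { 0 }   # 0 if the key type cannot be read
        $hash   = $c.SignatureAlgorithm.FriendlyName              # e.g. sha256RSA, sha1RSA

        # Rule: a certificate must not expire after the certificate above it in the chain.
        if (-not $isRoot -and $c.NotAfter -gt $elements[$i + 1].NotAfter) {
            $findings.Add("'$($c.Subject)' expires $($c.NotAfter) after its issuer ($($elements[$i + 1].NotAfter))")
        }
        # Rule: root key 4096-bit, subordinate and leaf keys at least 2048-bit.
        $min = if ($isRoot) { $MinRootKeyBits } else { $MinSubordinateKeyBits }
        if ($bits -lt $min) { $findings.Add("'$($c.Subject)' key is $bits bits (< $min)") }
        # Rule: SHA-1 and MD5 signatures are weak; expect a SHA-2 algorithm.
        if ($hash -match 'sha1|md5') { $findings.Add("'$($c.Subject)' is signed with $hash") }
    }
    if (-not $built) {
        $chain.ChainStatus | ForEach-Object {
            $findings.Add("Chain status: $($_.Status) - $($_.StatusInformation.Trim())")
        }
    }
    [pscustomobject]@{ Subject = $Certificate.Subject; Depth = $elements.Count; Findings = $findings }
}

# Assumed location: audit every certificate in the local machine personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-CertChainHygiene -Certificate $_ } | Format-List
```

Running this against the CA's own certificates before renewing one is the practical form of the NOTE above: if the new subordinate certificate's NotAfter lands beyond the root's, the finding appears immediately.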
Credential roaming allows user certificates and private keys to roam with the user, i.e. across the desktops they log on to. So when that user encrypts a document, connects to a wireless network which is secured using certificates and RADIUS, or connects to a website which requires client certificates for authentication, the same certificate is used no matter which desktop they use.
Credential roaming only works with X.509 type 3 certificates (these are new in Server 2008) that have RSA or DSA key pairs; I think the following cryptographic providers all use RSA or DSA:
- Microsoft Base Cryptographic Provider
- Microsoft Enhanced Cryptographic Provider
- Microsoft DSS Cryptographic Provider
- Microsoft Base and Diffie-Hellman Cryptographic Provider
- sChannel Cryptographic Provider
Credential roaming is implemented by turning on a user group policy object i.e. User Configuration > Windows Settings > Public Key Policies > Certificates Services Client – Credential Roaming. More information here and here.
When the user logs off a particular desktop their certificates, private keys and credentials are removed too.
By default a standalone CA is configured to mark certificate requests as pending.
Certificate autoenrollment allows certificates to be deployed to computers, service accounts and users without their involvement. To configure autoenrollment you must have enterprise or domain administrator privileges.
The first step in configuring autoenrollment is to configure certificate templates within AD CS with Read, Enroll and Autoenroll permissions. If a certificate is only being renewed, Read and Enroll are the only permissions required. There is more information in the certificate templates section.
Finally, configure an autoenrollment policy within the domain, i.e. configure a GPO for Certificate Services Client – Auto-Enrollment.
Authority Information Access is used by clients to build a certificate chain for a particular certificate. AIA is also used to publish information about the OCSP.
Certificate revocation distribution points must be configured before issuing any certificates in order for the distribution points to be included in the issued certificates.
The CRL contains the whole revocation list and the delta CRL contains the revocation changes.
When you revoke a certificate you are unable to unrevoke it unless the certificate was revoked with the reason of ‘Certificate Hold’.
OCSP – to retrieve an OCSP response signing certificate, the OCSP service account should be granted Enroll permission.
Microsoft’s Online Responder service uses the Online Certificate Status Protocol (OCSP) to manage certificate revocation in diverse environments.
OCSP is used mostly where:
- clients do not have high speed connections to download CRLs or for clients who connect remotely.
- certificate revocation checking activity peaks at specific times e.g. user logon or sending signed email.
- a non-Microsoft CA is used.
- information about all revoked or suspended certificates should be limited, and certificate revocation information should be provided on a request-by-request basis.
Basics of the online responder
- Receives certificate revocation check, decodes and verifies the request (after local cache and OCSP cache has been checked)
- OCSP checks local CRL and a cached copy of the most recent CRL issued by the CA
- If the above step fails the OCSP retrieves a CRL from the CA
- OCSP Web proxy encodes the response and sends the information back to the client
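Whether a client ends up at the Online Responder or downloading a CRL is decided by the AIA and CDP extensions stamped into the certificate at issue time (the point made under Authority Information Access and revocation distribution points above). The block below is an added example (not part of the original notes) that reads those URLs out of a certificate and then performs an online revocation check with X509Chain, distinguishing a confirmed revocation from "could not determine", which is what you see when the responder or CDP is unreachable. The store path is an assumption; the extension OIDs are the standard ones.

```powershell
# Added example: show a certificate's AIA/CDP URLs and check its revocation status online.
# Uses .NET X509Chain, which consults the OCSP URL from AIA first and falls back to the CRL at the CDP.

function Get-CertRevocationInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # 1.3.6.1.5.5.7.1.1 = Authority Information Access, 2.5.29.31 = CRL Distribution Points
    $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

    # The formatted extension text carries "URL=..." entries; extract them.
    $pattern = 'URL=(\S+)'
    $aiaUrls = @(if ($aia) { [regex]::Matches($aia.Format($true), $pattern) | ForEach-Object { $_.Groups[1].Value } })
    $cdpUrls = @(if ($cdp) { [regex]::Matches($cdp.Format($true), $pattern) | ForEach-Object { $_.Groups[1].Value } })

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Serial         = $Certificate.SerialNumber
        OcspUrls       = @($aiaUrls | Where-Object { $_ -notmatch '\.(cer|crt|p7b)$' })  # AIA also lists issuer cert URLs
        IssuerCertUrls = @($aiaUrls | Where-Object { $_ -match '\.(cer|crt|p7b)$' })
        CrlUrls        = $cdpUrls
    }
}

function Test-CertRevocationOnline {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
    $ok = $chain.Build($Certificate)

    # Build() fails both for a revoked certificate and for one whose status could not be fetched;
    # only the first is a confirmed revocation, the second is a reachability problem.
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Valid             = $ok
        Revoked           = [bool]($status -match '^Revoked$')
        RevocationUnknown = [bool]($status -match 'RevocationStatusUnknown|OfflineRevocation')
        Status            = ($status -join ', ')
    }
}

# Assumed location; any X509Certificate2 (e.g. from a .cer file) works as input.
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
if ($cert) {
    Get-CertRevocationInfo   -Certificate $cert | Format-List
    Test-CertRevocationOnline -Certificate $cert | Format-List
}
```

Because revocation checking uses the URLs baked into the certificate, the `CrlUrls` and `OcspUrls` output also confirms the earlier point: if the CDP and AIA were configured after issuance, these lists are empty and no client can check revocation for that certificate.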
The General properties of a certificate template let you configure whether issued certificates are published to Active Directory; this allows a user to locate another user's public key before encrypting a file or email, and stops duplicate certificates being issued to users and computers for the same purpose. AD DS can also be used to populate information required for the certificate request, such as the common name, and to publish the CRL.
You can configure the validity and renewal periods too.
The certificate template extensions determine the certificate template rules (assurance), application policy (what the certificate can be used for, e.g. web server), key usage (the specific task it can be used for, e.g. server authentication / client authentication), key archival (are the keys for this certificate archived in the CA database in case the private key is lost? Useful for EFS certificate templates where a key recovery agent is in place) and basic constraints, which e.g. define that an issuing CA can only issue user certificates, not CA certificates.
The request handling of a certificate template determines its intended purpose (encryption, signature, both, or signature and smartcard), its archival and export settings (e.g. can the private key be exported), user input settings (e.g. require input or enrol with no input), key size and cryptographic provider.
The cryptography of a certificate template determines its algorithm (RSA, DSA or ECDH), key size, providers, hash algorithms (SHA#, MD# or AES#) and
The subject names of a certificate template determines whether the subject name is built from AD DS i.e. common name and distinguished name or supplied in the certificate request.
You can configure the template for high-volume scenarios by selecting ‘do not store certificates and requests in the CA database’. This is primarily used with NAP IPsec enforcement health certificates.
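The template settings discussed in this section (schema version, validity and renewal periods, publish-to-AD, key archival, exportable keys, pending approval) are stored as attributes on the template objects in the Configuration partition, so they can be audited across the whole forest without opening each template in the MMC. The block below is an added example (not part of the original notes) that enumerates the templates and decodes those settings. The flag bit values are the ones defined for msPKI-Enrollment-Flag and msPKI-Private-Key-Flag in the MS-CRTD template specification; treat them as an assumption to verify against that document. It requires the ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example: audit published certificate templates for the settings that affect
# where private keys can end up and how requests are handled.
Import-Module ActiveDirectory

# Flag bits (MS-CRTD). msPKI-Enrollment-Flag:
$CT_FLAG_PEND_ALL_REQUESTS            = 0x00000002   # requests are set to pending for manual approval
$CT_FLAG_PUBLISH_TO_DS                = 0x00000008   # issued certificate published to the AD object
$CT_FLAG_AUTO_ENROLLMENT              = 0x00000020   # template participates in autoenrollment
# msPKI-Private-Key-Flag:
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # private key archived in the CA database
$CT_FLAG_EXPORTABLE_KEY               = 0x00000010   # private key marked exportable

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative 100-ns intervals.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return $null }
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

function Get-CertTemplateAudit {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties displayName, 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag',
                    'msPKI-Private-Key-Flag', pKIExpirationPeriod, pKIOverlapPeriod |
    ForEach-Object {
        $ef = [int]$_.'msPKI-Enrollment-Flag'
        $pf = [int]$_.'msPKI-Private-Key-Flag'
        [pscustomobject]@{
            Template        = $_.displayName
            SchemaVersion   = $_.'msPKI-Template-Schema-Version'   # 1 = legacy, 2 and 3 = customisable
            Validity        = ConvertFrom-PkiPeriod $_.pKIExpirationPeriod
            RenewalWindow   = ConvertFrom-PkiPeriod $_.pKIOverlapPeriod
            PublishToAD     = [bool]($ef -band $CT_FLAG_PUBLISH_TO_DS)
            PendAllRequests = [bool]($ef -band $CT_FLAG_PEND_ALL_REQUESTS)
            AutoEnrollment  = [bool]($ef -band $CT_FLAG_AUTO_ENROLLMENT)
            KeyArchival     = [bool]($pf -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
            ExportableKey   = [bool]($pf -band $CT_FLAG_EXPORTABLE_KEY)
        }
    }
}

# Templates that both archive keys and allow export widen the places a private key can be recovered from.
Get-CertTemplateAudit | Sort-Object Template | Format-Table -AutoSize
```

Reading the same attributes is also the quickest way to confirm the credential roaming prerequisite noted earlier: only templates with SchemaVersion 3 produce the certificate type that roams.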
Active Directory components
- Forest – Contains one or more trees and makes up a single instance of Active Directory
- Trees – contiguous namespace i.e. domain.com > one.domain.com > corp.one.domain.com etc.
- Domains – security boundary for authentication etc.
- Sites – geographically defined locations within the directory
A global catalog is a distributed data repository which contains a partial representation of every object in every domain.
An RODC must receive updates from a Windows Server 2008 writable domain controller which hosts the PDC emulator FSMO role.
Only one RODC can exist per domain per site.
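The two RODC constraints above can be checked against a live domain rather than remembered. The following is an added example (not part of the original notes) that looks up the PDC emulator, confirms it is writable and runs Windows Server 2008 or later, and groups the domain's RODCs by site to find any site holding more than one. It assumes the ActiveDirectory module.

```powershell
# Added example: verify RODC prerequisites for the current (or a named) domain.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d     = Get-ADDomain -Identity $Domain
    $pdc   = Get-ADDomainController -Identity $d.PDCEmulator
    $rodcs = @(Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $Domain)

    # Rule 1: the PDC emulator is a writable DC running Windows Server 2008 or later.
    $pdcOk = (-not $pdc.IsReadOnly) -and ($pdc.OperatingSystem -match 'Windows Server (2008|201\d|202\d)')

    # Rule 2: no more than one RODC per site for this domain.
    $crowded = @($rodcs | Group-Object Site | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Domain                 = $Domain
        PdcEmulator            = $pdc.HostName
        PdcOperatingSystem     = $pdc.OperatingSystem
        PdcMeetsRequirement    = $pdcOk
        RodcCount              = $rodcs.Count
        SitesWithMultipleRodcs = $crowded
        RodcsThatAreGCs        = @($rodcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    }
}

Test-RodcPrerequisites | Format-List
```

The last property is included because an RODC that is also a global catalog holds the partial read-only copy of every domain's objects described above, which matters when deciding what data is exposed at a branch site.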