Windows 7 / Security and Privacy

Certificate Authentication

If you want to bring users into a network over the Internet, but you are concerned that sending usernames and passwords over that public path might expose them, you can replace them with a digital certificate. A digital certificate (or just "certificate") is issued by a certification authority (CA), which digitally signs it and thereby vouches that the bearer is who he or she claims to be, or that an object and its sender are as represented. There are both private and public CAs. An organization can be its own private CA and issue certificates to its employees, vendors, and/or customers, so that those people can be authenticated when they try to enter the organization's network. Also, a well-trusted public CA, such as VeriSign (http://www.verisign.com/), can issue a certificate to a person, object, organization, or web site. A person or organization receiving the certificate, if they trust the CA, can be reasonably certain that the presenter is as represented. A certificate also binds a public key to the bearer's name; the matching private key is generated by and stays with the bearer, and it is the bearer's ability to use that private key (to sign a challenge or decrypt a session key) that proves possession of the certificate and allows secure data transmissions to be set up.

To set up certificate authentication, these steps must take place:

  1. The user must obtain a certificate.
  2. A user account must be established for the user.
  3. The certification authority must be listed in the Certificate Trust List.
  4. The certificate must be mapped to the user account.

Set Up Active Directory Certificate Services: The user can obtain a certificate in several ways, one of which is through a Windows Server 2008 domain controller with Active Directory Certificate Services (AD CS) installed. AD CS is a role that must be installed in Server Manager. Here are the steps to do that:

  1. Click Start | Server Manager and click Roles in the left pane. Click Add Roles to open the Add Roles Wizard dialog box. Click Next.
  2. Click Active Directory Certificate Services if it isn't already checked (if it is, AD CS is already installed on this computer and you can jump to the next section). Click Next.
  3. Read the notes and any of the Help articles you wish. Note that once AD CS is installed, the computer's name and domain membership cannot be changed without removing the CA. Click Next.
  4. Select the role services you want to use with AD CS:
    • Certification Authority: to issue and manage certificates; required in all instances
    • Certification Authority Web Enrollment: to provide a web interface to request and renew certificates
    • Online Responder: to answer certificate revocation status queries (OCSP), which avoids downloading full revocation lists in large or complex networks
    • Network Device Enrollment Service: to issue and manage certificates for routers and other devices that have no network accounts
    NOTE: The discussion in this tutorial will cover both Certification Authority and Certification Authority Web Enrollment, but Online Responder and Network Device Enrollment Service are beyond our scope.
  5. Click Next and select the type of certification authority (CA) to be installed from the following choices:
    • Enterprise: If this server is a member of a domain, it can use Active Directory Domain Services to publish certificates, use certificate templates, and automatically enroll domain users and computers.
    • Standalone: If this server does not use Active Directory Domain Services to issue and manage certificates. It can still be a member of a domain, but requests are approved manually by default and templates are not available.
  6. Click Next and select the level of CA for this server:
    • Root CA: if this is the first or only CA; it signs its own (self-signed) CA certificate and sits at the top of the trust chain
    • Subordinate CA: if this CA will get its own CA certificate from a higher (parent) CA
  7. Click Next and select whether you want to create a new private key or use an existing one.
  8. Click Next and select the Cryptographic Service Provider (CSP) that you want to use to generate the private key, the hash algorithm, and the key length. Under most circumstances, except if you are using smart cards, you can leave the defaults, although choosing a SHA-2 hash algorithm (such as SHA256) rather than SHA1 is advisable if all of your clients support it, since SHA1 is no longer considered adequate for certificate signatures. If you are using smart cards, you may need to select the CSP that is used by the smart card.
  9. Click Next, accept the default or enter a name and a suffix for the CA, and click Next again. Select the validity period for the CA's own certificate (the lifetime of certificates it issues is controlled separately, by the certificate templates and the CA's registry settings).
  10. Click Next. You are shown where the certificate database and log will be stored. Once more click Next. If IIS is running, click Yes to temporarily stop Internet Information Services (IIS). If the IIS role is not installed, you can choose which role services you want installed.
  11. Review the selections you have made. If you want to make changes, click Previous. When you are ready, click Install. The role(s) and role services will be installed.
  12. Click Close when you are told that you have successfully completed installation. Close Server Manager. Restart the computer (even if you are not prompted).

Once you have installed the certification authority, you can review it with these steps:

  1. Click Start | Administrative Tools | Certification Authority. In the left pane, open the new CA you just created and click Issued Certificates. You should see one or more certificates (if you don't see any certificates and you restarted the computer, click Refresh in the Action menu).
  2. Double-click one of the certificates to open it, click the Details tab, and click the various fields to see the details within the open certificate. Click OK when you are done looking at the certificate.
  3. Back in the Certification Authority window, click Certificate Templates in the left pane. On the right, you can see the types of certificates that are available and their intended purpose.
  4. Double-click one of the templates to open its Properties dialog box. When you are finished looking at the properties, close the dialog box and the Certification Authority window.
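The same review can be done from the command line with certutil, which is installed with the CA role. The following is an added example, not part of the original tutorial; the CA name, server name, and the output file are assumptions you should replace with your own values.

```powershell
# Added example: review a freshly installed AD CS certification authority with certutil.
# Assumptions (replace): CA server is the local computer and the CA is named "ContosoRootCA".
$CaConfig = "$env:COMPUTERNAME\ContosoRootCA"

# Confirm the CA service answers requests.
certutil -config $CaConfig -ping

# Show the CA's own certificate, type (enterprise/standalone, root/subordinate) and key provider.
certutil -config $CaConfig -cainfo

# Certificate templates this CA is configured to issue (equivalent of the Certificate Templates node).
certutil -config $CaConfig -catemplates

# List issued certificates (Disposition 20 = issued) with the columns an auditor usually wants.
certutil -config $CaConfig -view -restrict "Disposition=20" `
    -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter"

# Export the CA certificate so it can be inspected or distributed to clients.
certutil -config $CaConfig -ca.cert "$env:TEMP\ContosoRootCA.cer"
certutil -dump "$env:TEMP\ContosoRootCA.cer"
```

The `-view -restrict` query is the quickest way to spot unexpected issuance (for example, certificates issued from an Administrator template to accounts that should not have them), which is worth running periodically rather than only once after installation.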

Request a Certificate: With AD CS installed, users, computers, and other services can request certificates to identify themselves. Normally, certificates are automatically given to computers and users who are known and trusted entities on the network. The certificate that was automatically created when AD CS was installed was issued to the server on which AD CS resides. It is also possible to explicitly request a certificate over either an intranet or the Internet, or on the server with AD CS.

Request a Certificate over a Web Connection: Over the Internet or an intranet is the most common way that users request a certificate for their use. In doing this, the user accesses a web page that is created and maintained by AD CS. Use these steps to request a certificate over an intranet or the Internet:

  1. Open your browser and enter the URL or address of the server with AD CS. The address should look something like http://servername/certsrv/ (prefer https:// where the web enrollment site has been configured for it, so that the page and your logon credentials are not sent in the clear). The page should appear.
  2. Click Request A Certificate and click User Certificate. If you want the user to have a smart card, click More Options, where you can select a Cryptographic Service Provider (CSP) and the request format.
  3. Click Submit. You are told that the web site is requesting a new certificate for you and asking if you want to go ahead. Click Yes. If the user and/or computer are already known to the server, a certificate will be issued. Otherwise, you will be told that the request is pending.
  4. When you see Certificate Issued, click Install This Certificate. You are told that the web site is adding a certificate to the computer and asked if you are sure you want to do that. Click Yes, given that is what you want to do. You are told that the certificate is installed and you can close your browser.

Directly Request a Certificate: Directly requesting a certificate from AD CS is most commonly done for documents or other objects, or for services. It requires the Certificates snap-in in the Microsoft Management Console (MMC). Here is how to set up the Certificates console (assuming that it hasn't been done before) and to request a certificate from it:

  1. Click Start | Run, type mmc, and click OK. The MMC shell opens.
  2. Click the File menu and click Add/Remove Snap-in. In the Add Or Remove Snap-ins dialog box, click Certificates, click Add, click My User Account for where you want to manage certificates, and click Finish.
    NOTE: If you choose to manage certificates for My User Account, the snap-in you create will request certificates only for you. If you choose to manage certificates for Service Account or Computer Account, you must pick a service or computer to manage, such as the web server or the local computer, and you will be able to request certificates for that service or computer.
  3. Click OK to complete the Add/Remove Snap-in process. In the console on the left, open Certificates - Current User | Personal | Certificates.
  4. Click the Action menu and click All Tasks | Request New Certificate With New Key. The Certificate Enrollment wizard opens.
  5. Click Next, choose a certificate type to support the purpose of the certificate you want to issue (select Administrator for at least one certificate), and click Enroll.
  6. When you are told the certificate has been enrolled, click Finish. A new certificate will be issued.
  7. Close the Certificates console, click Yes to save the settings for this new console in a file named Certificates.msc, click Save, and finally close the MMC.
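Both the web enrollment page and the Certificates snap-in can be bypassed when you need to script a request, for instance for a service account or for many machines. The following is an added example, not part of the original tutorial, using the certreq tool that ships with Windows. The subject name, template name, CA name, and file paths are assumptions; the User template is a built-in AD CS template.

```powershell
# Added example: request, submit and install a certificate with certreq instead of the GUI.
# Assumptions (replace): CA is "caserver\ContosoRootCA"; requester is the current user.
$CaConfig = "caserver\ContosoRootCA"
$Work     = "$env:TEMP\certreq"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Request parameters. KeyUsage 0xa0 = digital signature + key encipherment.
# Exportable=FALSE keeps the private key from leaving this machine's key store.
@"
[NewRequest]
Subject = "CN=Jane Doe, OU=Sales, DC=contoso, DC=com"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path "$Work\user.inf" -Encoding ASCII

# 1. Generate the key pair locally and write a PKCS#10 request (only the public key leaves the box).
certreq -new "$Work\user.inf" "$Work\user.req"

# 2. Submit the request to the CA. An enterprise CA issues immediately if the template
#    permits; otherwise the request is pending and must be approved in the CA console.
certreq -submit -config $CaConfig "$Work\user.req" "$Work\user.cer"

# 3. Install the issued certificate, which binds it to the private key created in step 1.
if (Test-Path "$Work\user.cer") {
    certreq -accept "$Work\user.cer"
    # 4. Verify that the new certificate chains to a trusted root and is not revoked.
    certutil -verify -urlfetch "$Work\user.cer"
}
```

Keeping `Exportable = FALSE` is the default worth insisting on for user and service certificates: a certificate whose private key can be exported can be copied to another machine and presented by someone other than its intended bearer.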

List Certificate Authorities: To accept certificates that are presented to the network, the CA must be known to the network. This is accomplished by being listed as a trusted CA in the Certificate Trust List (CTL), which is maintained as part of the group policy.

The following steps show you how to open the group policy, create a CTL, and make an entry into it (these steps assume that you want to work with the CTL at the domain level, but you could also do it at the local computer level and at the OU level):

  1. Click Start | Server Manager and open Features | Group Policy Management | Forest | Domains | domain name | Group Policy Objects.
  2. Right-click Default Domain Policy and click Edit. The Group Policy Management Editor window opens.
  3. In the left pane, open Computer Configuration | Windows Settings | Security Settings | Public Key Policies, and click Enterprise Trust. Click the Action menu and click New | Certificate Trust List. The Certificate Trust List Wizard opens.
  4. Click Next. If you so choose, enter an identifying prefix for the CTL, enter the months and/or days that it is valid, select the purposes of the CTL, and click Next.
  5. In the Certificates In The CTL dialog box, click Add From Store. The Select Certificate dialog box opens, in which you can select those certificates whose issuers you want to include in the CTL. Early in the list, you will find the certificates that your new CA issued as you followed the steps earlier in this tutorial.
  6. Double-click one of the certificates you created. When it opens, you may find that it is not trusted, even though it was created on the same computer. You are told that it must be added to the CTL to be trusted.
  7. Select the certificates whose issuers you want on the CTL, holding down ctrl while selecting more than one certificate. Click OK. The new list of certificates will appear in the Certificate Trust List Wizard.
  8. Click Next. You must attach a certificate, probably your own, whose private key will be used to digitally sign the CTL; the signature is what lets clients confirm that the CTL file they receive through group policy has not been altered.
    NOTE: The certificate that you select for the purpose of adding the digital signature to the CTL must be created for the current user with the Administrator template, similar to the Signature certificate you created previously in "Request a Certificate."
  9. Click Select From Store, select the certificate you want to use, click OK, and then click Next. If you wish, you can add a timestamp; then click Next again.
  10. Enter a name that is easy to remember and a description for this CTL and click Next. Review the settings you have chosen and click Back if you need to correct something; when ready, click Finish. You will be told whether the CTL was successfully created.
  11. Click OK. The new CTL appears on the right of the Group Policy Management Editor window. Double-click it. The CTL opens, and in the Trust List tab, you see a list of the certificate authorities that you have added to your CTL.
  12. Click a CA. You can see some of the details behind a certificate and if you click View Certificate, you can see the entire certificate. Close the CTL and the Group Policy Management Editor.
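Once the CTL has been distributed by group policy, the practical check is whether a client actually builds a trusted chain for a certificate issued by the listed CA. The following is an added example, not part of the original tutorial, using the .NET X509Chain class from PowerShell; the certificate file path is an assumption.

```powershell
# Added example: check whether a certificate chains to a trusted CA on this computer,
# and report why not if it does not. Assumption (replace): the .cer file path below.
function Test-CertificateTrust {
    param([Parameter(Mandatory)][string]$CerPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for the whole chain, not only the leaf.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $trusted = $chain.Build($cert)

    Write-Host "Chain built for: $($cert.Subject)"
    foreach ($element in $chain.ChainElements) {
        "  {0,-50} {1}" -f $element.Certificate.Subject, $element.Certificate.Thumbprint
    }
    # ChainStatus is empty when everything checks out; otherwise it names the failure
    # (UntrustedRoot, RevocationStatusUnknown, NotTimeValid, ...).
    foreach ($status in $chain.ChainStatus) {
        "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
    return $trusted
}

# Where the chain ends matters: the root must be in the Trusted Root store, and a CTL
# delivered by group policy lands in the Enterprise Trust store ("Trust").
function Show-TrustStores {
    param([string]$IssuerFilter = 'ContosoRootCA')   # assumption: part of the CA's name
    foreach ($store in 'Root', 'CA', 'Trust') {
        Write-Host "== Cert:\LocalMachine\$store"
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*$IssuerFilter*" } |
            Select-Object Subject, Thumbprint, NotAfter
    }
}

Test-CertificateTrust -CerPath "$env:TEMP\user.cer"
Show-TrustStores
```

If `Test-CertificateTrust` returns `False` with `UntrustedRoot`, the CA certificate has not reached this client's Trusted Root store, which on a domain member usually means group policy has not yet refreshed (`gpupdate /force`) rather than a problem with the CTL itself.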

Map Certificates to User Accounts: The core of Windows Server 2008's user-oriented security is the user account, with a username and password to log on, which is the basis for the permission system that controls access to computer and network resources. Someone who comes into Windows Server 2008 with a certificate but without a username and password for a user account, and the permissions that go with it, cannot log on. The solution is to map or relate a certificate to a user account, so that someone who presents an acceptable certificate will be attached to a user account and given the permissions he or she would acquire by logging on with a username and password. Windows Server 2008 does certificate mapping in two ways: through Active Directory Domain Services and through Internet Information Services (IIS). Also, mapping can be done from one certificate to one user account (one-to-one mapping) or from several certificates to one account (many-to-one mapping).

Certificate mapping through Active Directory Domain Services can be done with the following steps:

  1. Click Start | Administrative Tools | Active Directory Users And Computers.
  2. Click the View menu and click Advanced Features (if it is not already checked).
  3. In the left pane, open the domain with the user account to which you want to map, and then click Users.
  4. In the list of users on the right, select the user account to which a certificate will be mapped.
  5. Click the Action menu, click Name Mappings (if you don't see it, redo Step 2) to open the Security Identity Mapping dialog box, click the X.509 Certificates tab, and click Add to open the Add Certificate dialog box.
  6. Search for and identify, or type, the path and name of the certificate that you want to use, and then click Open. Often the certificates, which have the extension .cer, are in the C:\Windows\System32\Certsrv folder.
  7. If you don't find a CER file, you may need to export one from the MMC Certificates console. To do so, click Start | Run, type mmc, and press enter. Then click the File menu, click Open, select the Certificates.msc file, click Open, open Console Root | Certificates - Current User | Personal | Certificates, and select the certificate to use.
  8. Click the Action menu; click All Tasks | Export; click Next; click No, Do Not Export The Private Key; click Next; accept the default DER Encoded Binary format; click Next; enter a useful filename; browse to where you want it stored; click Next; click Finish; and click OK when told that the export was successful. Close the Certificates console.
  9. Double-click the certificate you will use, and it is displayed in a second Add Certificate dialog box.
  10. If you want one-to-one mapping, both Use Issuer For Alternate Security Identity and Use Subject For Alternate Security Identity should be checked (Use Issuer For Alternate Security Identity is always checked by default and is grayed in most instances, so you can't change it). If you want many-to-one mapping, only Use Issuer For Alternate Security Identity should be checked. Be aware of what many-to-one means: every certificate issued by that CA will then log on as this account, so use it only with a CA that issues certificates solely to people who should hold exactly this account's permissions.
  11. Click OK. The certificate is displayed again in the Security Identity Mapping dialog box; click OK again. Close the Active Directory Users And Computers window.

Now, when a user presents this certificate, she or he will be mapped to the related user account and given the permissions that are associated with it.
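The Name Mappings dialog writes its result to the user object's altSecurityIdentities attribute, in the form X509:<I>issuer<S>subject for one-to-one and X509:<I>issuer for many-to-one, with each distinguished name written most-significant component first (the reverse of the order the certificate viewer shows). The following is an added example, not part of the original tutorial, that builds the same value from an exported .cer file and writes it with ADSI, which works without the ActiveDirectory PowerShell module. The file path and account name are assumptions.

```powershell
# Added example: map a certificate to a user account by writing altSecurityIdentities,
# the attribute behind the Name Mappings dialog. Assumptions (replace): paths and account name.
param(
    [string]$CerPath        = "$env:TEMP\user.cer",   # DER .cer exported without the private key
    [string]$SamAccountName = 'jdoe',
    [switch]$ManyToOne                                 # omit for one-to-one (issuer + subject)
)

function Convert-ToMappingDn {
    # Format($true) returns one RDN per line ("CN=Jane Doe", "OU=Sales", "DC=contoso", "DC=com").
    # altSecurityIdentities expects them reversed and comma-joined: DC=com,DC=contoso,OU=Sales,CN=Jane Doe
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $rdns = $Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' }
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$issuer  = Convert-ToMappingDn $cert.IssuerName
$subject = Convert-ToMappingDn $cert.SubjectName
$mapping = if ($ManyToOne) { "X509:<I>$issuer" } else { "X509:<I>$issuer<S>$subject" }

# Locate the user object in the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$found = $searcher.FindOne()
if (-not $found) { throw "User '$SamAccountName' not found in the current domain." }
$user = $found.GetDirectoryEntry()

$existing = @($user.Properties['altSecurityIdentities'])
if ($existing -contains $mapping) {
    Write-Host "Mapping already present: $mapping"
} else {
    $user.Properties['altSecurityIdentities'].Add($mapping) | Out-Null
    $user.CommitChanges()
    Write-Host "Added mapping to $($user.distinguishedName): $mapping"
}

# Review every mapping on the account; an unexpected many-to-one entry here is a finding.
$user.RefreshCache()
$user.Properties['altSecurityIdentities'] | ForEach-Object { "  $_" }
```

Because a stray altSecurityIdentities value grants logon as that account to whoever holds a matching certificate, the attribute is worth auditing domain-wide (the same DirectorySearcher with filter `(altSecurityIdentities=*)`), and writes to it should be restricted to the administrators who manage enrollment. Note also that Microsoft now classifies issuer/subject mappings of this form as weak; on current domain controllers they are being phased out in favour of mappings that pin the certificate's key or serial number, so treat the format above as the Windows Server 2008 behaviour the tutorial describes rather than today's recommended practice.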
