Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
With the release of Windows Server 2003, Microsoft ships version 3 of its PKI software. Figure 13.1 shows a timeline of the Microsoft PKI software versions and the different NT releases.
Microsoft’s original Certificate Authority (CA) software, which became available as part of the Windows NT 4.0 Option Pack, is a basic PKI solution that many administrators use to generate Secure Sockets Layer (SSL) or Secure Mail (S/MIME) certificates.
Windows 2000 contains an updated CA product that offers Active Directory integration capabilities, enhanced scalability, and support for multilevel PKI hierarchies. Still, the Win2K CA software lacks important features, such as granular PKI-administration capabilities (e.g., the ability to delegate permission to an administrator to approve certificate issuance for only a specific group of users), advanced certificate- and CA-configuration features (e.g., features that let you change certificate-content layout or set advanced CA-auditing options), and the ability to easily build custom PKI-enabled applications to extend and reuse the PKI platform. These shortcomings have prevented some large companies from deploying a Windows-based PKI.
The Windows Server 2003 PKI, which Microsoft has designed to work in conjunction with XP and other downlevel Windows client systems, counters most of the drawbacks of earlier Windows PKIs. The Windows Server 2003 PKI supports features such as cross-certification (as well as hierarchical certification), qualified subordination, customizable certificate templates, centralized key archiving and key recovery, user autoenrollment, and delta certificate revocation lists (CRLs). It also provides enhanced role separation, administrative delegation, and auditing options. All the new Windows Server 2003 PKI features and more are explained in greater detail in this and the following chapters.
The upcoming release of the Windows Server 2003 operating system (code-named Longhorn and Blackcomb) will contain further enhancements to Microsoft’s PKI software.