Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
Version 3 of Microsoft’s PKI software is more scalable, flexible, and extensible than its Windows 2000 and NT4 Option Pack predecessors. The following is a summary of the main arguments supporting the choice of Windows Server 2003 PKI over another PKI product.
- Scalability: Windows Server 2003 PKI software has almost unlimited scalability when it comes to the number of certificates a single CA can issue. Microsoft did tests where more than 35 million certificates were issued on a single CA—they were issued at a rate of about 60 certificates per second. An explanation for this high level of scalability can partially be found in the fact that in Windows 2000 Microsoft adopted JET Blue technology for the CA database. Another important scalability factor is the full support for multiple-level CA hierarchies, consisting of a root CA and multiple levels (up to 40) of subordinate CAs. The NT 4 Option Pack PKI software only supported two-level hierarchies.
- Flexibility: The Windows Server 2003 CA service can be installed in two modes: enterprise or stand-alone. Each mode is built to fit particular enterprise security needs. Compared to versions 1 and 2, the Windows Server 2003 CA service offers many more configuration options. One of the greatest features of Windows Server 2003 PKI is that an administrator has complete control over what is contained in a Windows Server 2003 certificate (through the use of editable certificate templates).
- Interoperability: Microsoft PKI supports the major open PKI standards: ITU-T X.509, IETF PKIX, and PKCS.[1] Windows Server 2003 PKI supports a wide range of cryptographic algorithms: RSA, DSA, RC4, AES, and so forth. A Windows Server 2003 CA can also be integrated relatively easily with PKI software from other vendors. To test specific interoperability scenarios and issues, Microsoft has been actively participating in interoperability initiatives such as the European Electronic Messaging Association’s pki Challenge (more information can be found at http://www.eema.org).
- Extensibility: The Windows Server 2003 CA is extensible. Its policy and exit modules can be customized to meet an enterprise’s specific CA needs. To meet advanced security requirements, the Windows Server 2003 CA can be linked to hardware security modules (HSMs). Windows Server 2003 also comes with new facilities that can be used to easily PKI-enable an application; a good example is the support for CAPICOM.
- Reduced TCO: Windows Server 2003 PKI allows an organization to leverage the investments made in an enterprise AD infrastructure. Ideally, the PKI design should be run in parallel with the AD design.
- Pricing: An important argument that has been present since the first releases of Windows PKI, and a competitive ace that Microsoft will continue to play, is the low cost of the Windows PKI products. Although it is true that advanced PKI products such as Entrust and Baltimore PKI offer some interesting features that are still not available in Windows Server 2003 PKI, we should not forget that the opposite is also true: features such as machine and user autoenrollment are not supported by all advanced PKI products. An interesting detail is that in this release Microsoft’s CA software is only included with Windows Server 2003 Enterprise Server (formerly known as Windows 2000 Advanced Server) and Windows Server 2003 Datacenter Server.
Although the Windows Server 2003 PKI might not yet offer all the capabilities of more advanced products (like Entrust, Baltimore, or Smarttrust PKI), its affordability might make it attractive to a lot of smaller companies. Given Windows Server 2003 PKI’s low cost and enhanced features, it might well be the product that brings PKI to the masses. Although Windows PKI is not a fully proven technology—an important requirement for success in enterprises with high-end security requirements—the software will probably prove itself as it matures over the years and as more organizations adopt it. In the meantime, this upgrade to the Windows PKI is worthy of serious consideration.
[1]Appendix 2 gives an overview of the different Public Key Cryptography Standard (PKCS) standards.