Security Basics mailing list archives
RE: MS Stand-alone CA on Shared Server?
From: "Ackley, Alex" <aackley () epmgpc com>
Date: Thu, 16 Aug 2007 12:15:17 -0400
Megan,

I'll second this idea. This is exactly what we do. We virtualized our Root CA and then created a subordinate CA to actually issue all of our certs. Powered down the root and been working just fine.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ramsdell, Scott
Sent: Thursday, August 16, 2007 9:32 AM
To: Megan Kielman; security-basics () securityfocus com
Subject: RE: MS Stand-alone CA on Shared Server?

Megan,

Do you have the option of virtualizing this box? You would then be able to run the virtual certificate root, authorize a subordinate, then power the root down. Your subordinate would run on the shared server. You would then be able to bring the root back up to revoke any cert if the subordinate was compromised.

Within Active Directory you will specify the recovery agent and other roles. To protect your cert server, ensure those roles are properly assigned and monitor changes to those roles. Ideally, the recovery agent would be someone other than the LAN admin or default domain admin account, otherwise the LAN admin has free rein. Make the recovery agent an IT manager or HR type.

Only you can weigh your risks, and you'll want to consider how the certs are being used. Are you only signing internal emails to add authenticity? If so, that's less of a risk than if you're using the certs to auth to MSGINA.

If you're using the certs to encrypt file systems, make sure you're taking advantage of Cert Server 2003's ability to centrally store the certs. That way you'll be able to recover encrypted files with the recovery agent. The certs are stored differently than on a host; they're in a secured database accessible through AD cert services only. So, an admin of the server wouldn't have an easy time of exporting the certs, as you can't simply export them the usual way you would a local cert.

I'm sure others on the list with more experience can contribute more specific info as well.

Kind Regards,
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Megan Kielman
Sent: Wednesday, August 15, 2007 9:07 AM
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?

I sent an email out a few days ago and haven't heard a response, not sure if it didn't get sent or if nobody responded :) I apologize in advance if this is a duplicate.

I have built a MS Stand-alone CA; as our certificate needs are very small, this is the only CA in the hierarchy. I have read from several sources that hosting the CA on a shared server is a bad idea; however, we do not have enough resources to host the CA on its own server, especially when it will have low utilization.

Can anyone provide me with assistance in properly hardening this box? Am I making a huge mistake placing it on the same server that hosts our Operations Manager (monitoring) Root server? It is currently sitting on an internal isolated LAN.

The risks that I understand are that if the server is renamed, the issued certificates are no longer valid. Also, it is important that the CA is protected, since if compromised the integrity of our certificates is lost.

Thanks!
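
The root-then-subordinate arrangement suggested in this thread, as an added sketch that is not part of any poster's message: it uses OpenSSL in place of Microsoft Certificate Services, and every subject name, serial number, file name and function name in it is constructed for illustration. The root signs one subordinate, its key is moved aside (standing in for powering the root down), the subordinate issues a leaf, and the root key returns only to revoke the subordinate and publish a CRL.

```shell
# Added sketch: OpenSSL stands in for Microsoft Certificate Services here.
# All subject names, serials, file names and function names are constructed.
set -eu
mk_csr() {   # mk_csr DIR NAME CN -> DIR/NAME.key and DIR/NAME.csr
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}
sign() {     # sign DIR CA CHILD EXT_SECTION SERIAL -> DIR/CHILD.crt
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -set_serial "$5" -days 365 -sha256 -extfile "$1/pki.cnf" \
    -extensions "$4" -out "$1/$3.crt" 2>/dev/null
}
build_pki() { # build_pki DIR: root signs one subordinate, then goes offline
  d=$1; mkdir -p "$d/offline"; : > "$d/index.txt"
  cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
default_ca = root
[root]
database = $d/index.txt
default_md = sha256
default_crl_days = 30
[v3_root]
basicConstraints = critical, CA:TRUE
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
[v3_leaf]
basicConstraints = critical, CA:FALSE
EOF
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_root -days 3650 \
    -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Example Root CA" 2>/dev/null
  mk_csr "$d" sub "Example Issuing CA"; sign "$d" root sub v3_sub 1001
  mv "$d/root.key" "$d/offline/root.key"  # stands in for powering the root down
  mk_csr "$d" leaf "host.example.internal"; sign "$d" sub leaf v3_leaf 2001
}
chain_ok() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1; }
root_ca() {   # the only operations that need the root key brought back
  dir=$1; shift
  openssl ca -config "$dir/pki.cnf" -keyfile "$dir/offline/root.key" \
    -cert "$dir/root.crt" "$@" 2>/dev/null
}
revoke_sub() { root_ca "$1" -revoke "$1/sub.crt"; root_ca "$1" -gencrl -out "$1/root.crl"; }
crl_verdict() { openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/root.crl" "$1/sub.crt" 2>&1 || true; }
```

Run `build_pki "$(mktemp -d)"` and then `revoke_sub` on the same directory. Note that `chain_ok` still succeeds after revocation because it does no CRL check; only a relying party that consults the root's CRL, as `crl_verdict` does, sees the subordinate as revoked.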