Security Basics mailing list archives

RE: MS Stand-alone CA on Shared Server?


From: "Ackley, Alex" <aackley () epmgpc com>
Date: Thu, 16 Aug 2007 12:15:17 -0400

Megan,  I'll second this idea.  This is exactly what we do.  We virtualized our Root CA and then created a subordinate 
CA to actually issue all of our certs.  Powered down the root and it has been working just fine.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ramsdell, Scott
Sent: Thursday, August 16, 2007 9:32 AM
To: Megan Kielman; security-basics () securityfocus com
Subject: RE: MS Stand-alone CA on Shared Server?

Megan,

Do you have the option of virtualizing this box?  You would then be able to run the virtual certificate root, authorize 
a subordinate, then power the root down.  Your subordinate would run on the shared server.  You would then be able to 
bring the root back up to revoke any cert if the subordinate was compromised.

Within Active Directory you will specify the recovery agent and other roles.  To protect your cert server, ensure those 
roles are properly assigned and monitor changes to those roles.  Ideally, the recovery agent would be someone other 
than the LAN admin or default domain admin account; otherwise the LAN admin has free rein.  Make the recovery agent an 
IT manager or HR type.

Only you can weigh your risks, and you'll want to consider how the certs are being used.  Are you only signing internal 
emails to add authenticity?  If so, that's less of a risk than if you're using the certs to auth to MSGINA.  If you're 
using the certs to encrypt file systems, make sure you're taking advantage of Cert Server 2003's ability to centrally 
store the certs.  That way you'll be able to recover encrypted files with the recovery agent.

The certs are stored differently than on a host; they're in a secured database accessible through AD cert services 
only.  So, an admin of the server wouldn't have an easy time exporting the certs, as you can't simply export them 
the usual way you would a local cert.

I'm sure others on the list with more experience can contribute more specific info as well.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Megan Kielman
Sent: Wednesday, August 15, 2007 9:07 AM
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?

I sent an email out a few days ago and haven't heard a response, not
sure if it didn't get sent or if nobody responded :) I apologize in
advance if this is a duplicate.

I have built an MS Stand-alone CA; as our certificate needs are very
small, this is the only CA in the hierarchy. I have read from several
sources that hosting the CA on a shared server is a bad idea, however,
we do not have enough resources to host the CA on its own server,
especially when it will have low utilization. Can anyone provide me
with assistance in properly hardening this box? Am I making a huge
mistake placing it on the same server that hosts our Operations
Manager (monitoring) Root server? It is currently sitting on an
internal isolated lan.

The risks that I understand are that if the server is renamed, the
issued certificates are no longer valid. Also, it is important that
the CA is protected since, if it is compromised, the integrity of our
certificates is lost.

Thanks!
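
As an added example (not part of the thread, and not anyone's production runbook), the checks a practitioner would run on the two-tier hierarchy Scott and Alex describe: an offline root that signs one subordinate, the subordinate issuing everything else. It is written for a Windows Server 2008-or-later CA with certutil and PowerShell rather than the 2003-era Stand-alone CA Megan is building, and the CA config strings, export path, 52-week CRL period and the event IDs it filters on are assumptions. It also covers the caveat a powered-down root adds that the thread does not mention: the root's CRL keeps expiring while the box is off, so it needs a long lifetime and a re-publish before it lapses, otherwise every certificate under the subordinate fails revocation checking.

```powershell
# Added example, not code from the thread. Assumed names throughout:
$RootConfig = "OFFLINE-ROOT\Corp Root CA"   # assumption: offline root's "host\CA name"
$SubConfig  = "ISSUING01\Corp Issuing CA"   # assumption: subordinate's "host\CA name"
$ExportDir  = "C:\PKI"                      # assumption: where exported certs/CRLs go

# --- 1. On the root, before it is powered down ---------------------------
# The root CRL still expires while the root is off. Give it a lifetime
# matching how often you are willing to boot the root (52 weeks is an
# assumption), drop delta CRLs (pointless for a CA issuing one cert),
# then publish a fresh CRL so the subordinate's chain validates all year.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service CertSvc
certutil -CRL
# Copy the new root CRL to every CDP location named in the subordinate's
# certificate (web server, AD) before shutting the root down; clients
# fetch it from there, not from the powered-off root.

# --- 2. On the subordinate: prove the chain is actually usable -----------
# Export the subordinate's CA certificate and verify it end to end,
# fetching the root CRL from the CDP URL embedded in the cert. A non-zero
# exit here (commonly an expired root CRL) means every leaf cert under
# this CA will fail revocation checking too.
certutil -config $SubConfig -ca.cert "$ExportDir\issuing-ca.cer"
certutil -verify -urlfetch "$ExportDir\issuing-ca.cer"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Subordinate CA chain does not verify; check root CRL expiry and CDP URLs"
}

# --- 3. Roles, recovery agents and auditing ------------------------------
# Role separation stops one account from being CA administrator and
# certificate manager at once, so the server admin is not automatically
# able to grant themselves recovery-agent rights.
certutil -config $SubConfig -setreg CA\RoleSeparationEnabled 1
# KRACertCount is the number of key recovery agent certs archived keys are
# encrypted to; 0 means no key archival. Read it back rather than set it
# blind: it must be raised only after the KRA cert has been enrolled.
certutil -config $SubConfig -getreg CA\KRACertCount
# Audit every CA category (bitmask 127 = all seven). These events only
# appear once the Certification Services audit subcategory is enabled.
certutil -config $SubConfig -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service CertSvc

# Pull the Security-log events that mean a role, permission, recovery or
# configuration setting changed on the CA. IDs are the Windows Server
# 2008+ Certification Services IDs (assumption; the 2003 CA in the thread
# logs different IDs): 4882 permissions changed, 4885 audit filter changed,
# 4890 certificate manager settings changed, 4891 configuration entry
# changed, 4892 property changed, 4897 role separation enabled.
function Get-CaRoleChange {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4882, 4885, 4890, 4891, 4892, 4897
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-CaRoleChange -Days 30 | Format-Table -AutoSize -Wrap

# --- 4. If the subordinate is compromised: boot the root, revoke it ------
# Revoke by the subordinate certificate's serial number with reason 2
# (CACompromise), publish a new root CRL, and push that CRL to the CDP
# locations again; until it is there, nothing has actually been revoked.
$subCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$ExportDir\issuing-ca.cer"
certutil -config $RootConfig -revoke $subCert.SerialNumber 2
certutil -config $RootConfig -CRL
```

Steps 1 and 4 run on the root itself, steps 2 and 3 on the subordinate (or any host with the CA admin tools and rights on the subordinate); `certutil -setreg` with `-config` edits the remote CA's registry, and `Restart-Service` only affects the local machine, so run it where the setting was changed. The root CRL lifetime in step 1 is the setting people miss most often with an offline root, and it is worth a calendar entry for the re-publish date.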

