vb.net code 39 barcode Implementing Identity and Access (IDA) Control Using Active Directory in VS .NET

Draw Code128 in VS .NET Implementing Identity and Access (IDA) Control Using Active Directory

Around 80 percent of PSS support calls regarding certificate usage are due to incorrectly published CA certificate and CRL information. Seth Scruggs, PSS Support Engineer The best way to prevent revocation checking attacks is to ensure that revocation checking publication points are accessible by all users at all times. The certificate-chaining engine must have access to the CRL and CA certificate for each CA in the certificate chain or to the OCSP responder for each CA in the chain if using OCSP for revocation checking. If any CA in the certificate chain s CRL, CA certificate, or OCSP responder is not available, the chaining engine will prevent that certificate from being used if certificate revocation is enabled. You can ensure that the clients can contact the CRL distribution point or OCSP responder by hosting the URLs on clustered servers or load-balancing clusters with very high availability. When you define the CDP and AIA URLs, ensure that you order the URLs so that the majority of applications performing revocation checking can access the primary URL. In Figure 10-2, the URLs are ordered so that an HTTP URL is the primary URL and LDAP is the secondary URL. This ordering allows non-Windows computers to access the CRL or CA certificate from the primary URL without having to resort to the secondary URL.

10:

If you implement OCSP for revocation checking, you must ensure that the OCSP responder is available for all revocation checking. You can implement Network Load Balancing to ensure that the OCSP responder is highly available.

If an attacker can gain local administrator access to the computer running Active Directory Certificate Services, the attacker can modify the CA configuration. This modification can include altering URLs for CRL publication, revoking legitimate certificates, and issuing certificates to nonvalid computers or users. You can protect against change to the CA configuration by restricting membership in CA management groups. The configuration changes are stored as registry entries. Only members of the local Administrators group and groups assigned the Manage CA permission at the CA can make CA configuration changes. The catch is that a member of the Administrators group can make changes to the CA configuration. To detect who made an authorized or unauthorized change to the CA configuration, ensure that you enable auditing at the CA. Windows Server 2008 allows you to define which management actions are included in the CA s Security log. To ensure that all events related to Active Directory Certificate Services auditing are logged to the Security log, enable both success and failure events for Object Access at the CA. The settings can be applied directly in the Local Security Policy console or by applying a Group Policy Object (GPO) with the required auditing settings. Once you have enabled object access auditing, you can enable specific audit settings in the Certification Authority console. As shown in Figure 10-3, you can enable the following auditing options on the Auditing tab of the CA Properties dialog box.

defining Authority Information Access (AIA) and CRL distribution point (CDP) URLs or a Key Recovery Agent.

Change CA Security Settings Logs any attempts to modify CA permissions, including adding CA administrators or certificate managers. Issue And Manage Certificate Requests Logs any attempts by a certificate manager to

Revoke Certificates And Publish CRLs Logs any attempts by a certificate manager to revoke an issued certificate or by a CA administrator to publish an updated CRL. Store And Retrieve Archived Keys Logs any attempts during the enrollment process to archive private keys in the CA database or attempts by certificate managers to extract archived private keys from the CA database.

Part II: