Microsoft IT has released an updated version of the “Public Key Infrastructure at Microsoft” whitepaper. It is available at http://www.microsoft.com/download/en/details.aspx?id=27581 or here: Public Key Infrastructure at Microsoft (1750_PKI_TWP).
The update covers the changes made to Microsoft's internal PKI structure as part of the Windows Server 2008 R2 migration. Microsoft IT outlines many good lessons learned and best practices that came out of the migration/upgrade process.
Some of my favorites are the way they use CRL overlap to provide higher availability of CRLs, the simplified two-tier structure together with cross-forest enrollment, and the discussion about virtualization of CAs.
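Setting CRL overlap on an AD CS CA, as an added PowerShell example that is not from the whitepaper or this post: the certutil registry settings that control the CRL publication interval and the overlap, followed by a check of the CRL the CA publishes afterwards. The period and overlap values are illustrative assumptions, and the commands assume the default CertEnroll CDP folder on the CA itself.

```powershell
# Added example, not code from the whitepaper or this post.
# CRLPeriod controls how often the CA publishes a base CRL; CRLOverlapPeriod
# extends each CRL's NextUpdate beyond that interval, so if a publication is
# missed (CA offline, CDP replication lag) clients still hold a valid CRL for
# the overlap window. The trade-off: a stale CRL is accepted for that long too.
# Values are illustrative assumptions. Run from an elevated prompt on the CA.

$crlPeriodDays  = 7   # assumption: publish a base CRL weekly
$crlOverlapDays = 3   # assumption: each CRL stays valid 3 days past the next publish

certutil -setreg CA\CRLPeriodUnits   $crlPeriodDays
certutil -setreg CA\CRLPeriod        "Days"
certutil -setreg CA\CRLOverlapUnits  $crlOverlapDays
certutil -setreg CA\CRLOverlapPeriod "Days"

# -setreg changes are read at service start; restart, then publish a fresh CRL.
Restart-Service CertSvc
certutil -CRL

# Read the settings back.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLOverlapUnits

# Inspect the newest base CRL in the default CertEnroll CDP folder: with the
# settings above, NextUpdate should be about 10 days after ThisUpdate
# (the CA pads both stamps by ClockSkewMinutes, 10 minutes by default).
$crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
       Where-Object { $_.Name -notmatch '\+\.crl$' } |   # delta CRLs end in "+.crl"
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'
```

The check at the end matters more than the settings: if the published CRL's NextUpdate does not reflect period plus overlap, the CA was not restarted or the registry values were written under the wrong CA configuration key, and relying parties will keep failing revocation checks at the old interval.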
Some of the highlighted features in the document are:
Windows Server 2008:
- Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
- Enhanced performance monitoring with the addition of new performance counters
- Scalable, high-speed revocation status response services that combine CRLs and integrated Online Responder services
- Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
- Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
- More detailed server administration with restricted certificate managers
- Failover cluster support
Windows Server 2008 R2:
- Cross-forest enrollment capability that allows for consolidation of existing hardware
- Databaseless CA feature to avoid storing unnecessary certificate records
- Best Practice Analyzer for improved configuration practices
- Web-based certificate enrollment protocol to allow enrollment over the Internet
How do you and your company manage your IT environment in the best way?
Best of MMS is the event you should not miss. Here you will learn everything about the most current products and technologies from Microsoft for IT management. During the coming year, several product launches are expected in the System Center family, for example.
The leading Swedish IT experts will be on site. It will be two days packed with technical talks, on topics such as Opalis, System Center Configuration Manager 2012, IPv6, System Center Virtual Machine Manager 2012, System Center Service Manager R2, Hyper-V Cloud and more.
Are you curious about IPv6 and how the new protocol will affect both the management of Windows Server and the security of your systems?
Read more and book your seat today at http://www.microsoft.com/sverige/bestofmms2011/default.html
A must-have tool for all of you with minidriver-based smart cards: it manages the admin key and the user PIN on such cards. The tool is free to download and use, and the code may be modified or reused in other projects.
Many thanks to Björn Österman, who made the tool available.
/Hasain
—————————————————————————
scUtil.exe, version 1.0, Author: Bjorn Osterman, Company: TrueSec AB, Sweden
syntax: scUtil.exe unblockpin <adminkey> <newpin>
scUtil.exe changepin <oldpin> <newpin>
scUtil.exe changeadminkey <oldadminkey> <newadminkey>
scUtil.exe calculateresponse <adminkey> <challenge>
scUtil.exe generaterandomkey
<adminkey> is one of the following alternatives:
– 48 hexadecimal characters
– “default”, representing 48 zeroes
– “random”, representing 48 random hexadecimal characters
<pin> is a variable-length string of alphanumeric characters
—————————————————————————
download: scUtil.zip
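The admin-key handling and challenge/response calculation that the usage text above describes, as an added PowerShell example (not scUtil's own code, which ships in scUtil.zip). It assumes, per the Windows smart card minidriver specification rather than anything on this page, that the admin key is a 24-byte 3DES key (which is what 48 hexadecimal characters encode) and that the response to the card's 8-byte challenge is that challenge encrypted with 3DES in ECB mode without padding. The function and parameter names are the example's own, and the challenge value at the end is a constructed placeholder, not one read from a card.

```powershell
# Added example, not code from scUtil or its author. It mirrors the <adminkey>
# alternatives scUtil accepts and the calculateresponse step, using .NET's
# TripleDES class. Assumption (from the minidriver specification, not from
# this page): 24-byte 3DES admin key, 8-byte challenge, response = 3DES-ECB
# encryption of the challenge, no padding.

function ConvertFrom-Hex {
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length % 2 -ne 0 -or $Hex -notmatch '^[0-9A-Fa-f]*$') {
        throw "not a hex string: '$Hex'"
    }
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# <adminkey> as scUtil defines it: 48 hex characters, "default" (48 zeroes) or "random".
function Resolve-AdminKey {
    param([Parameter(Mandatory)][string]$AdminKey)
    switch -Regex ($AdminKey) {
        '^default$' { return ,([byte[]]::new(24)) }
        '^random$'  {
            $k = [byte[]]::new(24)
            $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
            try { $rng.GetBytes($k) } finally { $rng.Dispose() }
            return ,$k
        }
        '^[0-9A-Fa-f]{48}$' { return ,(ConvertFrom-Hex $AdminKey) }
        default { throw "<adminkey> must be 48 hex characters, 'default' or 'random'" }
    }
}

# A 3DES key whose 8-byte parts repeat degenerates to single DES; the all-zero
# "default" key is the obvious case. .NET's TripleDES.Key setter rejects such
# keys, so check first and tell the operator what is wrong.
function Test-WeakAdminKey {
    param([Parameter(Mandatory)][byte[]]$Key)
    return [System.Security.Cryptography.TripleDES]::IsWeakKey($Key)
}

function Get-ChallengeResponse {
    param(
        [Parameter(Mandatory)][byte[]]$Key,        # 24-byte admin key
        [Parameter(Mandatory)][byte[]]$Challenge   # 8-byte challenge read from the card
    )
    if ($Key.Length -ne 24)      { throw "admin key must be 24 bytes, got $($Key.Length)" }
    if ($Challenge.Length -ne 8) { throw "challenge must be 8 bytes, got $($Challenge.Length)" }
    if (Test-WeakAdminKey $Key) {
        throw "admin key is a weak 3DES key (the 'default' all-zero key is one): change it with changeadminkey before relying on it"
    }
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    try {
        $tdes.Key     = $Key
        $tdes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $tdes.Padding = [System.Security.Cryptography.PaddingMode]::None
        $enc = $tdes.CreateEncryptor()
        try { return ,$enc.TransformFinalBlock($Challenge, 0, $Challenge.Length) }
        finally { $enc.Dispose() }
    } finally { $tdes.Dispose() }
}

# Usage: generate a fresh admin key (what generaterandomkey does), then answer a
# challenge. The challenge here is constructed for the example, not from a card.
$key       = Resolve-AdminKey 'random'
"new admin key: " + (ConvertTo-Hex $key)
$challenge = ConvertFrom-Hex '0123456789ABCDEF'
"response:      " + (ConvertTo-Hex (Get-ChallengeResponse -Key $key -Challenge $challenge))
```

The weak-key check is the practical point: a card still carrying the default all-zero admin key can have its PIN unblocked by anyone who knows the scheme, since the key is public and the challenge/response adds nothing. Changing the admin key with changeadminkey, and storing the new key somewhere other than the card, should be the first step in any deployment; the 'random' alternative exists for exactly that.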