Wednesday, April 10, 2013

Chapter 10 “Maintaining Network Health”



Thursday, April 11, 2013

There are two different types of Certificate Authority (CA) computers that can be deployed using a Windows-based Public Key Infrastructure (PKI). A standalone CA is not used with Active Directory and requires an administrator to respond to certificate requests. A standalone CA can be either a root or a subordinate CA in any PKI. In a standalone environment the root CA can be taken offline for added security. An enterprise CA works with Active Directory and can also be either the root or a subordinate CA. Enterprise CAs can use certificate templates to allow autoenrollment of digital certificates, and can store the certificates themselves within the Active Directory database.

With Windows Server 2008 you can configure Online Responders to make revocation information available for other CAs. Using Active Directory in the Windows Server 2008 environment, you can automate the distribution of certificates by using certificate templates, with access controlled through the Full Control, Read, Write, Enroll, and Autoenroll permissions in each template's Access Control List (ACL). You can also use Group Policy to enroll certificates automatically or to not enroll certificates automatically. In a non-Active Directory environment, clients can enroll manually using either the Certificate Request Wizard or Certification Authority Web Enrollment.

When using Network Access Protection (NAP) there are a number of built-in enforcement methods: DHCP enforcement, IPsec enforcement, VPN enforcement, 802.1X enforcement, and Terminal Services Gateway enforcement. In the lab for this class we used DHCP enforcement, which provides a DHCP configuration to the client that limits access to the network until the issues are resolved. The client-side components include the Enforcement Client (EC), System Health Agents (SHA), the client-side API for third-party vendors, and the NAP agent. The NAP server-side components include the Enforcement Server (ES), System Health Validators (SHV), a NAP health policy server, a NAP administrator server, a health requirement server, and a remediation server.
