ITS 3250 - Securing Systems
Windows Server 2012 Security...
Chapter 3, Deploying Directory Services and Certificate Services
Chapter 4, Deploying AD FS and AD RMS in Windows Server 2012
This lesson presents some Microsoft material about directory
and certificate services from chapter 3, and material about federation services and
AD Rights Management Services from chapter 4. Objectives important to this lesson:
- Evolving threats against certificates
- Implementing Directory Services
- Implementing Certificate Services
- Planning for AD Federation Services
- Deploying AD Federation Services
- Deploying AD Rights Management Services
Our text begins chapter 3 with two news stories from 2011,
about the Dutch company DigiNotar and about the multinational company Comodo.
Both were commercial certificate authorities (CAs) that issued certificates to
clients, and both were compromised by attackers who obtained fraudulently issued
certificates. The loss of confidence in the certificates those companies had
issued forced mass certificate revocations and replacements; in DigiNotar's case
the browser and operating system vendors removed its root certificates from their
trust stores and the company went out of business. The point is that a certificate
is only as trustworthy as the CA that signed it.
The text makes its points, then moves on to discuss new features of Active Directory
Domain Services in Windows Server 2012. These are some of the items discussed.
- Virtual domain controllers can be cloned from existing
virtual domain controllers instead of being built from templates
- Active Directory Federation Services is a built-in server role in
Server 2012 rather than a separate download
- Server 2012 allows devices to securely join the domain over
- Password Policy can be managed in the Active Directory
We will leave the other features in this section as material for the
discussion board. Which ones do you consider to be important, useful,
The text continues on page 54 with a discussion of installing
the Active Directory Domain Services role through Server Manager.
- Page 57 illustrates adding other servers to your server
pool through Server Manager. They can be added through an Active Directory (LDAP) search, through a DNS search, or by importing a list from a text file.
- When adding the servers you can assign them to the default group or
to a custom group.
- If you are running Server Manager on a domain controller,
you can install AD DS on a remote server in the pool, either with the role
preselected when the server is added or by adding the role afterward.
- The text continues with the steps that promote the remote
server to a domain controller and then configure the new
server. The steps continue through page 69.
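The same procedure (install the AD DS role on a remote server in the pool, then promote it) in PowerShell, as an added example that is not from the textbook or from Microsoft's documentation. Adding the server to the pool is a Server Manager step, so the script starts at the role install. The server name SRV02, the domain corp.example and the interactive prompts are assumptions.

```powershell
# Added example, not from the textbook. Installs the AD DS role on a remote
# server from an existing domain controller and promotes it to an additional
# domain controller. Assumed values: the target server SRV02 (already in the
# Server Manager pool) and the domain corp.example.
$Server = 'SRV02'
$Domain = 'corp.example'

# Check that the role payload exists on the target before trying to install it.
$feature = Get-WindowsFeature -Name AD-Domain-Services -ComputerName $Server
if ($feature.InstallState -eq 'Removed') {
    throw "AD-Domain-Services payload was removed from $Server; supply source media first."
}

# Install the role and the RSAT tools; PowerShell omits the tools unless asked.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -ComputerName $Server

# Prompt for secrets instead of embedding them in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$domainAdmin  = Get-Credential -Message 'Account allowed to add a domain controller'

# ADDSDeployment cmdlets run on the machine being promoted, so run them there.
# The explicit -Credential avoids the Kerberos second-hop problem: the remote
# session has no delegated ticket to present to the existing domain controller.
Invoke-Command -ComputerName $Server -ScriptBlock {
    param($DomainName, $SafeModePassword, $Credential)
    Import-Module ADDSDeployment
    Install-ADDSDomainController `
        -DomainName $DomainName `
        -Credential $Credential `
        -SafeModeAdministratorPassword $SafeModePassword `
        -InstallDns `
        -Force
} -ArgumentList $Domain, $dsrmPassword, $domainAdmin

# After the reboot, confirm the new DC replicates with the existing ones
# before you rely on it.
repadmin /replsummary $Server
Get-ADDomainController -Identity $Server |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
```

The DSRM password is the only credential that can log on to the domain controller when the directory is offline; prompting for it keeps it out of the script and out of the shell history.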
Returning to the opening topic of the chapter, the text begins
a section on Active Directory Certificate Services on page 70.
- Certificate Services are also installed through Server Manager
- Domain-joined workstations and servers can locate and use a Certificate Authority
(CA) from your site automatically, because an enterprise CA publishes its information in AD
- Other features are listed on pages 70 and 71.
The text cautions us to plan which roles a server will take on before
installing AD CS. It recommends that the server acting as the Certificate
Authority be hardened with the Security Configuration Wizard after
installation. On page 72, the text lists four key responsibilities for a CA:
- accept or reject certificate requests from users,
computers, and other entities
- verify the requester's information and verify that policy
allows the requester to make the request
- validate certificates
- revoke certificates and publish the revocations in the Certificate
Revocation List (CRL)
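The last two responsibilities are what a relying party depends on: a certificate is only valid if its chain builds to a trusted root and none of the certificates in it have been revoked. As an added example, not from the textbook, here is a PowerShell function that validates a certificate file's chain with revocation checking turned on for the whole chain, and treats an unknown revocation status as a failure. The file path is an assumption.

```powershell
# Added example, not from the textbook. Builds and validates a certificate
# chain with revocation checking for every certificate in it, which is how a
# relying party should treat a certificate from any CA. The path is assumed.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Offline    # use only cached CRLs (isolated network); default fetches CRL/OCSP
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'   # not just the end-entity certificate
    $chain.ChainPolicy.RevocationMode      = if ($Offline) { 'Offline' } else { 'Online' }
    $chain.ChainPolicy.VerificationFlags   = 'NoFlag'        # do not ignore unknown revocation status
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $valid = $chain.Build($cert)

    [PSCustomObject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Expires  = $cert.NotAfter
        Valid    = $valid
        # Status flags such as Revoked, RevocationStatusUnknown, OfflineRevocation,
        # UntrustedRoot or NotTimeValid, each with its reason text.
        Problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

$result = Test-CertificateChain -Path 'C:\certs\server.cer'   # assumed path
$result | Format-List

# A chain whose revocation status could not be determined is not a validated
# chain; treat it like a failure rather than a warning.
if (-not $result.Valid) {
    Write-Warning "Do not trust $($result.Subject): $($result.Problems -join '; ')"
}
```

The built-in equivalent is certutil -verify -urlfetch C:\certs\server.cer, which also reports which CRL and OCSP URLs it fetched; the function above is easier to drop into a script that has to make a trust decision.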
When installing the AD CS role, you can start with Server Manager
as you did when installing AD DS. You can also use PowerShell. Note the
warnings on page 75: make sure the role you want to install is actually available
on the target server, and install the graphical management tools explicitly if you choose
PowerShell as your installation method, because a PowerShell role install does not
add them by default. The text begins a section on
using Server Manager to install AD CS on page 77. Page 85 starts a
section on installing site-aware certificate enrollment, whose
features were described earlier in the chapter.
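The PowerShell route to an enterprise root CA, as an added example that is not from the textbook, applying both page-75 cautions (check that the role is available, add the management tools explicitly) and then configuring the CA with a current hash algorithm and key size. The CA name is an assumption; run it on a domain-joined server as an Enterprise Admin.

```powershell
# Added example, not from the textbook. Installs AD CS as an enterprise root CA
# with PowerShell, applying the two page-75 cautions: confirm the role is
# available before installing, and add the management tools explicitly. Run on
# a domain-joined server as an Enterprise Admin. The CA name is an assumption.
$role = Get-WindowsFeature -Name ADCS-Cert-Authority
if ($role.InstallState -eq 'Removed') {
    throw 'ADCS-Cert-Authority payload is not on this server; restore it (or point to source media) first.'
}
if (-not $role.Installed) {
    # -IncludeManagementTools adds the Certification Authority MMC snap-in,
    # which Server Manager would add for you but PowerShell does not.
    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
}

# Installing the role only copies binaries; the CA itself is configured here.
# Choose SHA-256 and a 4096-bit key rather than SHA-1, and a long-lived root.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CORP-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Checks a practitioner wants after the install: the service is up, the CA
# identifies itself as expected, and a CRL has been published.
Get-Service -Name CertSvc
certutil -CAInfo name
certutil -CRL                        # publish a CRL now rather than waiting for the schedule
certutil -getreg CA\CRLPeriodUnits   # how often CRLs are published
# Then harden the host with the Security Configuration Wizard (scw.exe), as the text recommends.
```

A root CA's private key is the trust anchor for everything the forest issues, so in a real deployment the choice of key storage (software KSP above, an HSM in production) deserves as much planning as the server roles the text asks you to plan.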
The text explains one need for Federation Services on page 91:
to enable applications running in one domain or organization to authenticate users
whose accounts live in another. On page 92, the text lists three common
reasons for using AD FS:
- Access to an application on a trusted network without
having to log on to that network separately
- Providing a single logon regardless of the authentication method
used on the other network
- Enabling SSO (Single Sign-On) for employees accessing web
scenario is described on page 96: a cloud service that requires
a federated trust between your network and the cloud provider's network.
This type of service is useful, but it takes careful planning
to avoid opening a security hole in either of the networks involved: a federation
trust means the relying party accepts the identity claims the other side asserts,
so which claims are accepted, and who may obtain them, must be deliberately limited. Take note
of the planning concerns on pages 93 through 95.
On page 97, the text tells us that AD FS is based on Windows
Identity Foundation (WIF), which is now part of the .NET Framework
included with Windows Server 2012. This sounds very much like material
for a certification test question.
The text presents instructions for installing AD FS through
PowerShell and through Server Manager. The Server Manager section is
more detailed and goes on to page 107. It is followed by a
troubleshooting section that runs to page 110.
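The federation side of the page-96 cloud scenario in PowerShell, as an added example that is not from the textbook: on a server where the AD FS role is installed and the federation service has been configured as the text describes, register the cloud application as a relying party and restrict who may obtain a token for it. The application name, the metadata URL and the group SID are placeholders.

```powershell
# Added example, not from the textbook. Registers a cloud application as a
# relying party of this AD FS service and limits who may obtain a token for it.
# Assumptions: the federation service is already configured; the application
# publishes federation metadata at the URL below; the S-1-5-21-... value stands
# for the SID of the AD group allowed to use the application.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
Import-Module ADFS

# The federation trust: identifier, endpoints and token-encryption certificate
# come from the application's metadata and are refreshed automatically.
Add-AdfsRelyingPartyTrust -Name 'Cloud HR Portal' `
    -MetadataUrl 'https://hr.cloudprovider.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Issuance authorization rules: AD FS issues no token unless a permit claim is
# issued, so naming one group here makes the application allow-list only.
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of HR-Portal-Users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules: send the application only the claims it needs,
# looked up in Active Directory for the authenticated Windows account.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN and display name from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName,displayName;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName 'Cloud HR Portal' `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules

# Review what was created: no permit rule, no token.
Get-AdfsRelyingPartyTrust -Name 'Cloud HR Portal' |
    Select-Object Name, Identifier, Enabled, IssuanceAuthorizationRules
```

The authorization rule is evaluated before the transform rules, so it can only test claims the Active Directory claims provider already passes through (group SIDs among them); that is why the group is matched by SID rather than by a name looked up later. Leaving the authorization rules at "permit everyone" is the planning mistake pages 93 through 95 warn against.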
The other major topic of chapter 4 is Active Directory Rights Management Services
(AD RMS). The text presents this service as vital to protecting the confidentiality
of data sent in emails. The text recommends that we consider using AD
RMS as an on-premises solution, and that we consider
using Windows Azure AD RMS
when we need to integrate cloud services into our solution. In that case,
the cloud-based Azure AD RMS verifies that a user has rights before
they are allowed to see the contents of protected (encrypted) files.
Some considerations are offered:
- You will need at least one AD RMS root cluster for each
forest in your organization, but Microsoft recommends two in each
forest for "high availability".
- The next one is less clear in the text. It says not
to install AD RMS in conjunction with AD DS (Domain Services), meaning
that the two should not be put on the same server. The text
recommends a dedicated server for AD RMS, but then again that is
recommended for every product.
The text begins a set of installation instructions on page
113. Note the three preparation conditions in the text's example: Exchange Server is
installed and running, SQL Server is installed and running, and Windows
Network Load Balancing (NLB) is installed on both nodes that will be
running AD RMS. This is not as clear from the text description as it is
from the graphic on page 113. The installation process must be done on
each node, with the second node joining the AD RMS cluster that you
create with the first node.
Installation instructions continue through page 118.