ITS 3250 - Securing Systems

Windows Server 2012 Security...
Chapter 3, Deploying Directory Services and Certificate Services
Chapter 4, Deploying AD FS and AD RMS in Windows Server 2012

This lesson presents some Microsoft material about certificates in chapter 3, and material about federation services and AD rights in chapter 4. Objectives important to this lesson:

  1. Evolving threats against certificates
  2. Implementing Directory Services
  3. Implementing Certificate Services

  4. Planning for AD Federation Services
  5. Deploying AD Federation Services
  6. Deploying AD Rights Management Services

Concepts:
Chapter 3

Our text begins chapter 3 with two news stories from 2011, about the Dutch company DigiNotar and the multinational company Comodo. Both companies provide certificate services to clients, and both were compromised by hackers. The loss of confidence in the certificates issued by those companies caused massive certificate revocations and replacements.

The text makes its points, then moves on to discuss features in AD Services in Windows Server 2012. These are some of the items discussed.

  • Virtual domain controllers can be cloned from existing virtual domain controllers instead of from templates
  • Active Directory Federation Services comes with the installation of Server 2012
  • Server 2012 allows devices to securely join the domain over the Internet
  • Password Policy can be managed in the Active Directory Administrative Center

We will leave the other features in this section as material for a discussion board. Which ones do you consider to be important, useful, or unnecessary?

The text continues on page 54 with a discussion of installing the Active Directory Domain Services Role through Server Manager.

  • Page 57 illustrates adding other servers to your server pool through Server Manager. They can be added through an LDAP search, through a DNS search, or by importing a list from a text file.
  • When adding the servers you can assign them to a default or a custom group.
  • If you are running Server Manager on a domain controller, you can either install AD DS on a remote server with a role preselected, or you can add the role after installing AD DS.
  • The text continues with more steps that promote a remote server to be a domain controller and continue configuring the new server. The steps continue through page 69.

Returning to the opening topic of the chapter, the text begins a section on Active Directory Certificate Services on page 70.

  • Certificate Services are also installed through Server Manager.
  • Workstations and servers can use a Certificate Authority (CA) from your site, based on information in AD.
  • Other features are listed on pages 70 and 71.

The text cautions us to plan which roles a server will take on when installing CS. It recommends that the server acting as the Certificate Authority be hardened with Security Configuration Wizard after installation. On page 72, the text lists four key responsibilities for a CA:

  • accept or reject certificate requests from users, computers, and other entities
  • verify the requester's information and verify that policy allows the requester to make the request
  • validate certificates
  • revoke certificates and publish them in the Certificate Revocation List (CRL)

When installing the AD CS role, you can start with Server Manager as you did when installing AD. You can also use PowerShell. Note the warnings on page 75: make sure the role to install is available, and install the graphic management interface if you choose PowerShell as your installation method. The text begins a section on using Server Manager to install AD CS on page 77. Page 85 starts a section on installing Site-Aware Certificate Enrollment, whose features were described earlier in the chapter.
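
The PowerShell route described above, as an added example that is not taken from the textbook: it checks that the Certification Authority role service is available before installing it, and uses -IncludeManagementTools so the graphical management consoles are installed with it. It assumes an elevated PowerShell session on the Windows Server 2012 machine that will host the CA.

```powershell
# Added example (not from the textbook): pre-check and install the AD CS
# Certification Authority role service from PowerShell.
# Assumption: run in an elevated session on the server that will host the CA.
Import-Module ServerManager

$roleService = 'ADCS-Cert-Authority'
$feature = Get-WindowsFeature -Name $roleService
if (-not $feature) {
    throw "Role service '$roleService' is not known to this server."
}

switch ($feature.InstallState) {
    'Installed' {
        Write-Output "$roleService is already installed; nothing to do."
    }
    'Available' {
        # -IncludeManagementTools also installs the graphical management
        # consoles, which a PowerShell install otherwise leaves out.
        $result = Install-WindowsFeature -Name $roleService -IncludeManagementTools
        if (-not $result.Success) {
            throw "Installation of $roleService failed (exit code: $($result.ExitCode))."
        }
        if ($result.RestartNeeded -ne 'No') {
            Write-Warning 'A restart is required before configuring the CA.'
        }
    }
    'Removed' {
        # The role files are not on disk; Install-WindowsFeature would need
        # -Source pointing at installation media. Stop so the operator decides.
        throw "$roleService payload has been removed; supply -Source with installation media."
    }
}

# Confirm that both the role service and its management tools are present.
Get-WindowsFeature -Name AD-Certificate, ADCS-Cert-Authority, RSAT-ADCS, RSAT-ADCS-Mgmt |
    Format-Table -Property Name, InstallState -AutoSize
```

Installing the role service only places the binaries on the server; the CA still has to be configured afterward, and the text's recommendation to harden the server with Security Configuration Wizard applies after that step.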


Chapter 4

The text explains one need for Federation Services on page 91: to enable applications running in one domain to authenticate with user accounts in another domain. On page 92, the text lists three common reasons that lead to using AD FS:

  • Access to an application on a trusted network without having to log on to that network
  • Providing a single logon regardless of the authentication used on the other network
  • Enabling SSO (Single Sign-On) for employees accessing web apps

A fourth scenario is described on page 96, having a cloud service that requires a federated trust between your network and the cloud provider's network.

This type of service is useful, but it takes careful planning to avoid opening a security breach in both involved networks. Take note of the planning concerns on pages 93 through 95.

On page 97, the text tells us that AD FS is based on Windows Identity Foundation (WIF), which is now part of the .NET Framework, included with Windows Server 2012. This sounds very much like material for a certification test question.

The text presents instructions for installing AD FS through PowerShell, and through Server Manager. The Server Manager section is more detailed and goes on to page 107. It is followed by a troubleshooting section that runs to page 110.

The other major topic of chapter 4 is Active Directory Rights Management Services (AD RMS). This service is discussed in the text as being vital to protecting the confidentiality of data sent in emails. The text recommends that we consider using AD RMS as an on-premise (single location) solution, and that we consider using Windows Azure AD RMS when we need to integrate cloud services in our solution. In this case, the cloud-based Azure AD RMS verifies that a user has rights before they are allowed to see the contents of encrypted files.

Some considerations are offered:

  • You will need at least one AD RMS root cluster for each forest in your organization, but Microsoft recommends two in each forest for "high availability".
  • The text is a bit less clear on the next one. It says not to install AD RMS in conjunction with AD DS (Domain Services). It means that we should not put them on the same server. The text recommends a dedicated server for AD RMS, but then again that is recommended for every product.

The text begins a set of installation instructions on page 113. Note the three preparation conditions: Exchange Server is installed and running, SQL Server is installed and running, and Windows Network Load Balancing (NLB) is installed on both nodes that will be running AD RMS. This is not as clear from the text description as it is from the graphic on page 113.

Installing RMS

The installation process must be done on each node, with the second node joining the AD RMS cluster that you create with the first node. Installation instructions continue through page 118.


Assignments

Assignments for these chapters will be found in Canvas. We will explore that in class.