Updated: April 17, 2006

Building a Secure Connected Infrastructure with Digital Certificates: The Checklist


1. Determine where your business requires strong authentication.

Start by assessing what sensitive data and critical resources need to be protected within your environment. These are the places for strong authentication solutions: places where a traditional username and password simply aren’t enough to mitigate security risk.

When industry experts talk about strong authentication, they do not mean just user authentication. It also applies to application, device and network authentication. If you want to control access to your wireless local area network (LAN), for example, you need to authenticate the devices that connect to that wireless LAN.

If you need to ensure the security of transactions occurring when users remotely access your corporate LAN, you need a strong authentication solution for any users who are allowed to have that access. If strong authentication is a fundamental requirement for all desktop logins within your infrastructure, you may want to evaluate a solution such as smart cards for all employees.

Determine where your most critical assets are and evaluate what form of strong authentication can most effectively meet your requirements for protecting those assets.

2. Evaluate and consider taking advantage of the latest technology.

Over the past decade, Microsoft has made significant investments in improving the digital certificate and authentication infrastructure in Windows. Once you’ve determined where digital certificate-based authentication can help you get secure, it’s important for you to learn about the authentication features and functionality of Microsoft Windows Server 2003 and Windows XP Professional.

If you haven’t already upgraded to Windows Server 2003 R2 and Windows XP Professional Service Pack 2 (SP2), this should be a priority project for your business. These releases ensure you’re working with the most secure versions of our software.

We also recommend you begin by reading about the key feature enhancements of Windows for digital certificates in the Microsoft Public Key Infrastructure (PKI) Enhancements in Windows XP Professional and Windows Server 2003 guide.

One feature of Windows XP Professional is auto-enrollment. This feature can help you automatically deploy certificates to desktops to enable 802.1x secure communication over your corporate wireless networks. Auto-enrollment greatly simplifies the process of locking down access to an unprotected wireless LAN.

Additionally, the combination of Windows Server 2003 and Windows XP can also enable you to use a smart card to log into a terminal server session. This feature enables terminal services for thin client functionality while ensuring strong authentication to the server-side application.

Beyond Windows XP and Windows Server 2003, Windows Vista and Windows Server “Longhorn” will bring even more advances, which make digital certificates and smart cards easier to deploy, maintain, and use. For example, Windows Vista will incorporate a number of usability enhancements such as smart card PIN unblock in the Ctrl-Alt-Delete UI so that resetting a PIN is as easy as resetting a password for end users. Certificate roaming will also be possible with Windows Vista. This means that users can automatically roam all of their digital certificates to any desktops they log into with their Active Directory user account. In the past, this could only be accomplished by roaming the entire profile of the user, which was a high-bandwidth and cumbersome way to successfully roam a few very small digital certificates.


3. Evaluate certificate management solutions.

Many of you may have looked into digital certificates and smart cards in the past and determined that the management burden of deployment was too great or that the complexities of defining and managing policies associated with digital certificates outweighed the benefits of deployment.

If you’re a small- to medium-sized business, Windows Server 2003 and Windows XP provide a comprehensive set of certificate services that, depending on factors like regulatory compliance issues or the need for multi-factor authentication with smart cards, may provide all you need to achieve your strong authentication goals.

As businesses grow, however, the management challenges associated with digital certificates grow with them. This fact and the customer pain points associated with it are the primary drivers for a new product for Microsoft. Microsoft Certificate Lifecycle Manager (CLM) is a policy- and workflow-driven solution designed to simplify the process of deploying, managing, and maintaining digital certificates and smart cards in Windows environments.

As you evaluate deploying strong authentication solutions, we recommend you evaluate Beta 1 of CLM. As you consider the beta, which is open to all customers, you might also want to review the Getting Started with Microsoft CLM Guide and see if CLM can help you effectively deploy an enterprise class strong authentication solution with or without smart cards.


4. Take the first steps towards implementing digital certificates to meet your enterprise security needs.

Once you have walked through the first three steps of the checklist, you may decide that it’s time for your organization to take a closer look at digital certificates for use inside your infrastructure. There are three ways in which you can immediately evaluate the value of digital certificates:

802.1x secure wireless - While we’ve discussed a number of ways in which you can better determine how and when strong authentication is appropriate for your business, one of the most commonly deployed technologies today is a wireless network for employee access. This common productivity tool is also one of the greatest security risks your company faces, as unwelcome, malicious users can gain access to your network. If left unsecured, a sophisticated attacker could gather unencrypted data. If you are a Windows XP customer today, one of the best ways to see the benefits and ease of digital-certificate-based authentication is to turn on auto-enrollment for secure wireless certificates and lock down that wireless LAN. For more information about implementing certificate auto-enrollment, visit Security360: Learn Best Practices to Guide Your Security Strategy.

Smart card logon - Customers are telling us that the requirement for a ubiquitous strong authentication solution across their infrastructure is becoming a necessity. At Microsoft, we believe that smart cards and USB smart tokens are the best choice to address this growing requirement, providing a strong and multi-factor solution. That’s why we’ve developed both partnerships and guidance to help you evaluate smart card solutions without having to invest in specific technology today.

In coordination with our CLM beta program, we have several partners that can provide you with evaluation packs of smart cards and supporting software to use in lab environments or early pilot projects. For example, Rack Technologies has a simple form you can fill out to order an evaluation pack with either traditional credit card format smart cards or USB-based smart tokens. As you proceed with this evaluation, you will want to review the Secure Access Using Smart Cards Planning Guide to learn how to use smart cards to complement existing defense-in-depth measures within your environment.

Digitally signing e-mails in Microsoft Office Outlook - To help comply with recent regulations, many customers are looking for mechanisms to protect the integrity of e-mails as they travel across networks. Secure/Multipurpose Internet Mail Extensions (S/MIME) provides a consistent way to send and receive secure e-mails. S/MIME signing works by signing an e-mail with the private key that corresponds to the sender’s digital certificate. Once an e-mail is “signed,” the recipient’s e-mail application, such as Outlook, can use data contained in the signature to:

verify that the e-mail content still matches what was signed, ensuring no changes have been made in transit, and

authenticate the sender, ensuring she is who she says she is.
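As an added example (not part of this checklist and not Microsoft’s or Outlook’s code), the script below uses the OpenSSL command line to sign a message with S/MIME, perform the two recipient checks just described, and show that altering the signed text makes verification fail. It assumes the openssl binary is on the PATH and uses a constructed self-signed certificate in place of one issued by an enterprise CA.

```shell
#!/bin/sh
# Added example, not part of the original checklist: sign a message with
# S/MIME using the OpenSSL command line, verify it, recover the signer's
# identity from the signature, and show that altering the signed text
# makes verification fail. Assumes the openssl binary is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway signer: a self-signed certificate stands in for
# one issued by an enterprise CA, so it also serves as the trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Alice Example" \
  -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1

# Constructed message body.
printf 'Please pay invoice 4711 to account 12-34 by Friday.\n' > "$WORK/msg.txt"

# Sign with the private key; -text wraps the body as text/plain. The output
# is a multipart/signed MIME message: the clear text plus a detached
# signature that carries Alice's certificate.
openssl smime -sign -text -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
  -inkey "$WORK/alice.key" -out "$WORK/signed.eml"

# Verify a signed message against the trusted certificate; on success the
# signer's certificate is written to $WORK/signer.crt. Exit status 0 = valid.
smime_verify() {
  openssl smime -verify -text -in "$1" -CAfile "$WORK/alice.crt" \
    -signer "$WORK/signer.crt" -out /dev/null >/dev/null 2>&1
}

# What a recipient does with a genuine message: check the signature, then
# read the authenticated sender identity out of the signer certificate.
intact_result() { if smime_verify "$WORK/signed.eml"; then echo ok; else echo fail; fi; }
signer_subject() {
  smime_verify "$WORK/signed.eml" && openssl x509 -in "$WORK/signer.crt" -noout -subject
}

# Tampering in transit: change the amount in the clear-text part while
# leaving the signature untouched. The digest no longer matches.
sed 's/4711/9999/' "$WORK/signed.eml" > "$WORK/tampered.eml"
tampered_result() { if smime_verify "$WORK/tampered.eml"; then echo ok; else echo fail; fi; }

echo "original message: $(intact_result)"     # ok
echo "signed by:        $(signer_subject)"
echo "tampered message: $(tampered_result)"   # fail
```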


Related Resources

Microsoft Public Key Infrastructure (PKI) Enhancements in Windows XP Professional and Windows Server 2003 guide

Certificate Autoenrollment in Windows Server 2003

The Secure Access Using Smart Cards Planning Guide

Testing Digital Signatures and Encryption