Home page logo
/

basics logo Security Basics mailing list archives

Re: MS Stand-alone CA on Shared Server?
From: "Megan Kielman" <megan.kielman () gmail com>
Date: Thu, 16 Aug 2007 07:01:53 -0700

Yes I have the option of virtualizing this server.

You mention that I would assign roles within AD but I didn't think
this was an option for stand-alone CAs.

The certificates are only to be used for Operations Manager (to
encrypt traffic between server and agents in internal non-trusted
domains) and OWA, both internal.

On 8/16/07, Ramsdell, Scott <Scott.Ramsdell () cellnet com> wrote:
Megan,

Do you have the option of virtualizing this box?  You would then be able to run the virtual certificate root, 
authorize a subordinate, then power the root down.  Your subordinate would run on the shared server.  You would then 
be able to bring the root back up to revoke any cert if the subordinate was compromised.

Within Active Directory you will specify the recovery agent and other roles.  To protect your cert server, ensure 
those roles are properly assigned and monitor changes to those roles.  Ideally, the recovery agent would be someone 
other than the LAN admin or default domain admin account, otherwise the LAN admin has free reign.  Make the recovery 
agent an IT manager or HR type.

Only you can weigh your risks, and you'll want to consider how the certs are being used.  Are you only signing 
internal emails to add authenticity?  If so, that's less of a risk than if you're using the certs to auth to MSGINA.  
If you're using the certs to encrypt file systems, make sure you're taking advantage of Cert Server 2003's ability to 
centrally store the certs.  That way you'll be able to recover encrypted files with the recovery agent.

The certs are stored differently than on a host, they're in a secured database accessible through AD cert services 
only.  So, an admin of the server wouldn't have an easy time of exporting the certs, as you can't simply export them 
the usual way you would a local cert.

I'm sure others on the list with more experience can contribute more specific info as well.

Kind Regards,

Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Megan Kielman
Sent: Wednesday, August 15, 2007 9:07 AM
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?

I sent an email out a few days ago and haven't heard a response, not
sure if it didn't get sent or if nobody responded :) I apologize in
advance if this is a duplicate.

I have built a MS Stand-alone CA, as our certificate needs are very
small, this is the only CA in the hierarchy. I have read from several
sources that hosting the CA on a shared server is a bad idea, however,
we do not have enough resources to host the CA on its own server,
especially when it will have low utilization. Can anyone provide me
with assistance in properly hardening this box? Am I making a huge
mistake placing it on the same server that hosts our Operations
Manager (monitoring) Root server? It is currently sitting on an
internal isolated lan.

The risks that I understand are that if the server is renamed, the
issued certificates are no longer valid. Also, it is important that
the CA is protected since if compromised the integrity of our
certificates are lost.
Thanks!




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault