Security Basics mailing list archives

Re: MS Stand-alone CA on Shared Server?


From: "Megan Kielman" <megan.kielman () gmail com>
Date: Thu, 16 Aug 2007 07:01:53 -0700

Yes I have the option of virtualizing this server.

You mention that I would assign roles within AD but I didn't think
this was an option for stand-alone CAs.

The certificates are only to be used for Operations Manager (to
encrypt traffic between server and agents in internal non-trusted
domains) and OWA, both internal.

On 8/16/07, Ramsdell, Scott <Scott.Ramsdell () cellnet com> wrote:
Megan,

Do you have the option of virtualizing this box? You would then be able to run the virtual certificate root, authorize a subordinate, then power the root down. Your subordinate would run on the shared server. You would then be able to bring the root back up to revoke any cert if the subordinate was compromised.

Within Active Directory you will specify the recovery agent and other roles. To protect your cert server, ensure those roles are properly assigned and monitor changes to those roles. Ideally, the recovery agent would be someone other than the LAN admin or default domain admin account; otherwise the LAN admin has free rein. Make the recovery agent an IT manager or HR type.

Only you can weigh your risks, and you'll want to consider how the certs are being used. Are you only signing internal emails to add authenticity? If so, that's less of a risk than if you're using the certs to auth to MSGINA. If you're using the certs to encrypt file systems, make sure you're taking advantage of Cert Server 2003's ability to centrally store the certs. That way you'll be able to recover encrypted files with the recovery agent.

The certs are stored differently than on a host: they're in a secured database accessible through AD cert services only. So, an admin of the server wouldn't have an easy time of exporting the certs, as you can't simply export them the usual way you would a local cert.

I'm sure others on the list with more experience can contribute more specific info as well.

Kind Regards,

Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Megan Kielman
Sent: Wednesday, August 15, 2007 9:07 AM
To: security-basics () securityfocus com
Subject: MS Stand-alone CA on Shared Server?

I sent an email out a few days ago and haven't heard a response, not
sure if it didn't get sent or if nobody responded :) I apologize in
advance if this is a duplicate.

I have built an MS Stand-alone CA; as our certificate needs are very
small, this is the only CA in the hierarchy. I have read from several
sources that hosting the CA on a shared server is a bad idea, however,
we do not have enough resources to host the CA on its own server,
especially when it will have low utilization. Can anyone provide me
with assistance in properly hardening this box? Am I making a huge
mistake placing it on the same server that hosts our Operations
Manager (monitoring) Root server? It is currently sitting on an
internal isolated lan.

The risks that I understand are that if the server is renamed, the
issued certificates are no longer valid. Also, it is important that
the CA is protected, since if it is compromised the integrity of our
certificates is lost.
Thanks!
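The advice in Scott's reply (offline root with an online subordinate, watch who holds the CA roles, and know how the certs are used) can be turned into a small read-only check script for the CA host. The script below is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on the subordinate CA, that certutil.exe is available, that the Certification Services audit event IDs are the Windows Server 2008 and later ones (Server 2003 used different IDs), and that $SubCaCertPath points at an exported copy of the subordinate CA's own certificate (an assumed path).

```powershell
# Added example (not from the thread): read-only checks for a Windows CA host that follows
# the offline-root / online-subordinate layout and the "monitor the CA roles" advice.
# Assumptions: run elevated on the subordinate CA; certutil.exe on the PATH; Security log
# event IDs are the Server 2008+ Certification Services IDs; $SubCaCertPath is an assumed path.
param(
    [string]$SubCaCertPath = "C:\CA\SubCA.cer",   # assumption: exported sub-CA certificate
    [int]$LookbackDays = 7
)

function Get-CaRegDword {
    param([string]$Name)
    # certutil prints a line such as: "  AuditFilter REG_DWORD = 7f (127)"
    $out = & certutil.exe -getreg "CA\$Name" 2>&1 | Out-String
    if ($out -match "$Name\s+REG_DWORD\s*=\s*[0-9a-fA-F]+\s*\((\d+)\)") { return [int]$Matches[1] }
    return $null
}

# 1. Auditing: 127 (0x7f) turns on all seven Certification Services audit flags. Without it
#    the role-change events checked in step 3 are never written.
$audit = Get-CaRegDword -Name 'AuditFilter'
if ($audit -ne 127) {
    Write-Warning "CA\AuditFilter is '$audit'; enable full auditing with: certutil -setreg CA\AuditFilter 127 (then restart certsvc)"
} else {
    Write-Host "AuditFilter OK: all Certification Services audit events enabled"
}

# 2. Role separation: when enforced, one account holding two CA roles (e.g. CA administrator
#    and certificate manager) is refused, which keeps a single admin from doing everything.
$roleSep = Get-CaRegDword -Name 'RoleSeparationEnabled'
if ($roleSep -ne 1) {
    Write-Warning "Role separation is not enforced (CA\RoleSeparationEnabled = '$roleSep')"
}

# 3. Recent changes to CA permissions, manager settings, or configuration. These are the
#    events that reveal someone re-assigning the roles Scott says to monitor.
$roleEvents = @{
    4882 = 'Security permissions for Certificate Services changed'
    4885 = 'Audit filter for Certificate Services changed'
    4890 = 'Certificate manager settings for Certificate Services changed'
    4891 = 'Configuration entry changed in Certificate Services'
}
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($roleEvents.Keys); StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $roleEvents[$_.Id]
            Summary = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize

# 4. With the root powered down, the subordinate's chain must still validate: -urlfetch
#    follows the AIA/CDP URLs, so an unreachable or expired root CRL shows up here.
if (Test-Path $SubCaCertPath) {
    & certutil.exe -verify -urlfetch $SubCaCertPath | Select-String 'Revocation|Expired|ERROR|dwErrorStatus'
} else {
    Write-Warning "Sub-CA certificate not found at $SubCaCertPath; skipping chain check"
}
```

Step 4 is the practical caveat of the powered-down root: the root's CRL has a validity period, so the root has to be brought up to re-sign and publish a fresh CRL before the old one expires, or every certificate under the subordinate fails revocation checking even though nothing was revoked.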
