Installing Stand Alone Root CA – Server 2012


Introduction:

This article focuses on the steps required to install an offline root CA on Windows Server 2012; the exact configuration depends on the CA hierarchy being designed. The following assumptions are made:

a) The server will not be joined to the Active Directory domain

b) The root CA is configured as offline

c) CAPolicy.inf has been created under C:\Windows and configured according to the CA hierarchy

d) Networking and storage requirements have been considered

e) User accounts have been provisioned (local administrator permissions are configured accordingly)
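As an added example (not from the post or its downloadable guide), this is the PowerShell equivalent of assumptions a) to c) followed by the role installation: it refuses to continue on a domain-joined server, writes a CAPolicy.inf for an offline root into C:\Windows, and installs a standalone root CA. The CA name, key length and validity periods are placeholders to adapt to the designed hierarchy.

```powershell
# Added example: prepare and install an offline (standalone) root CA on Server 2012.
# Run in an elevated PowerShell session on the future root CA. CA name, key length
# and validity periods are placeholders to adapt to the designed hierarchy.

# Assumption a): the root CA must not be a domain member.
if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
    throw 'An offline root CA must not be joined to an Active Directory domain.'
}

# Assumption c): CAPolicy.inf in %windir% is read by CA setup. An offline root carries
# no AIA/CDP URLs in its own certificate and publishes a yearly CRL.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

[AuthorityInformationAccess]
Empty=True

[CRLDistributionPoint]
Empty=True
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# Install the role and configure a standalone root CA (no domain, no templates).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'EXAMPLE-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Cap the lifetime of certificates the root issues (its subordinate CAs) and set the
# CRL schedule so the root only needs to be powered on for the periodic CRL refresh.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod 'Years'
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Weeks'
Restart-Service certsvc
```

After the service restarts, publish the root certificate and CRL to the online CDP/AIA locations of the issuing CAs by hand, since the root itself stays off the network.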


Download File: Installing Stand Alone Root CA Server 2012

Cannot Rename Computer Name or Unjoin Computer – Certificate Services 2012


Introduction:

Careful consideration is required before installing Certificate Services on Windows Server 2012. A proper CA hierarchy should be designed along with naming standards; CA names cannot be more than 64 characters in length. The naming convention rules that applied to Server 2008 R2 still hold good for Server 2012, such as:

 

Considerations:

a) Names cannot contain special characters

b) Names in Chinese, Arabic and similar scripts support up to 37 characters

c) The server name becomes the common name of the CA

d) The CN of the certificate should not be configured with the FQDN

e) After Certificate Services is installed on Server 2012, administrators cannot change the server name or unjoin the computer from the domain; the only way to rename the server or unjoin it from the domain is to uninstall Certificate Services.


To Unjoin / Change Computer Name:

1) On the CA server, open Server Manager

2) Click Manage at the top right corner of Server Manager and select Remove Roles and Features

3) Select the CA server from the server pool; on the Server Roles page, uncheck Active Directory Certificate Services and click Remove Features

4) Restart the CA server; administrators will then be able to rename the server or unjoin it from the domain.
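An added example (not from the post) that applies the naming considerations above before the role is installed, and performs the removal steps from PowerShell. The set of "special characters" is an assumption, since the post does not enumerate them: the check allows only letters, digits, spaces and hyphens. The 64- and 37-character limits are the ones the post states.

```powershell
# Added example: validate a proposed CA name against the considerations above, and
# remove the CA role when the server must be renamed or unjoined.

function Test-CACommonName {
    param([Parameter(Mandatory=$true)][string]$Name)
    $problems = @()
    # Consideration d): the CN must not be an FQDN, so no dots are allowed.
    if ($Name -match '\.') { $problems += 'Name looks like an FQDN (contains a dot).' }
    # Consideration a): no special characters. The allowed set is an assumption made
    # here: letters of any script, digits, space and hyphen.
    if ($Name -notmatch '^[\p{L}\p{Nd} -]+$') { $problems += 'Name contains special characters.' }
    # Length limits as stated in the post: 64 characters, 37 for Chinese/Arabic names.
    $limit = if ($Name -match '[^\u0000-\u007F]') { 37 } else { 64 }
    if ($Name.Length -gt $limit) { $problems += "Name exceeds $limit characters." }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Considerations c) and e): the computer name becomes the CA name and is frozen once
# the role is installed, so validate it before installing.
if (-not (Test-CACommonName -Name $env:COMPUTERNAME)) {
    Write-Warning "Rename the server before installing Certificate Services."
}

# PowerShell equivalent of steps 1 to 4: remove the CA role so the server can be
# renamed or unjoined. Back up the CA database and keys first if they are still needed.
function Remove-CARole {
    if (-not (Get-WindowsFeature ADCS-Cert-Authority).Installed) {
        Write-Warning 'ADCS-Cert-Authority is not installed on this server.'
        return
    }
    Uninstall-AdcsCertificationAuthority -Force
    Uninstall-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
    Write-Warning 'Restart the server; Rename-Computer / Remove-Computer will then succeed.'
}
```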

 

Windows Server 2012 Server Manager Overview


Prior to the release of Server Manager in Windows Server 2008, the enterprise solution was to use third-party vendor tools, including CA and HP utilities, to manage servers and workstations from a central location. The release of Server Manager in Windows Server 2012 provides enhanced functionality for managing servers from a central location. One of the key aspects of server operations is monitoring the event logs. Day to day, servers register thousands of different events, which provide vital information to support engineers or an operations center for managing and monitoring those servers. Server Manager can certainly be considered by mid-size organizations for managing and monitoring servers. One of the key tasks is to monitor the events and find the root cause of an issue based on the DLL or EXE that registered the event.
Server Manager provides enough information for administrators to troubleshoot errors, or to collect event logs per Microsoft product or application and provide them to Microsoft when troubleshooting high-severity issues.

Please click the link below for further reading.

Windows Server 2012 Server Manager

Windows 7 Administrator Account


Windows 7 has been released and most organizations are migrating to Windows 7 to experience its latest features.

As I was deploying Windows 7, I came across an interesting behavior which I would like to blog about: when you install Windows 7 from a CD / ISO build, by default both the Administrator and Guest accounts are disabled, which is a better way of not having a blank password, and the user can later activate the Administrator account either by going to the properties of the account and activating it, or by using net user "user name" /active:yes

 

But if you observe carefully, the user who logs in for the first time (not Administrator) is part of the Administrators group.

Another observation is that if you "run as administrator", it won't prompt you for administrator credentials and will still execute the command,

e.g. cmd -> ipconfig /registerdns (it prompts you for elevated privileges) but won't prompt you for an administrator password.

 

I would say that this user is equivalent to having administrator rights.
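An added example (not from the post) that checks the three things observed above on a Windows 7 machine: whether the built-in Administrator is disabled, whether the logged-on user is a member of the local Administrators group, and whether the current process holds the full or the UAC-filtered token. It uses ADSI and the registry only, so it runs under the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: audit the first-user / Administrator situation the post describes.
# Works with PowerShell 2.0 (Windows 7); no extra modules needed.

$computer = $env:COMPUTERNAME

# 1) Built-in Administrator: disabled by default on a clean Windows 7 install.
#    ADS_UF_ACCOUNTDISABLE = 0x2 in the userFlags attribute.
$admin = [ADSI]"WinNT://$computer/Administrator,user"
$adminDisabled = ($admin.UserFlags.Value -band 0x2) -ne 0
Write-Host "Built-in Administrator disabled: $adminDisabled"

# 2) Members of the local Administrators group. The account created during setup
#    lands here, which is why it behaves like an administrator.
$group = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Write-Host "Local Administrators: $($members -join ', ')"
$userIsAdmin = $members -contains $env:USERNAME
Write-Host "Current user '$env:USERNAME' is in Administrators: $userIsAdmin"

# 3) UAC: a member of Administrators normally runs with a filtered token and gets a
#    consent prompt (not a password prompt) on 'Run as administrator'. IsInRole is
#    false for the filtered token even though the user is in the group above.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current process token is elevated: $elevated"

# EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin 5 is the Windows 7 default
# (consent prompt for non-Windows binaries); 1 would require credentials on elevation.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Write-Host "UAC enabled: $($uac.EnableLUA -eq 1); ConsentPromptBehaviorAdmin: $($uac.ConsentPromptBehaviorAdmin)"
```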

Windows OS Security Ratings


Orange Book.

 

In the mid 1980s the US government saw the tremendous usage of commercial operating systems and proposed a standard for operating system security. Security played a major role in managing data, and this was not specific to a single organization, because different organizations have different sets of data that need to be secured.

 

The Trusted Computer System Evaluation Criteria (TCSEC) was then brought in by the US DoD, which wrote the standard following specific criteria for handling different levels of security and printed it with an orange cover; since then TCSEC has been known as the Orange Book.

 

The Orange Book's main objective was to evaluate computer security in 3 major areas:

a) Storage of data in the computer

b) Retrieval of sensitive data

 

The Orange Book defines 4 broad hierarchies from A to D (A1, B3, B2, B1, C2, C1, D) with subcategories, where A is the most secure and D the least secure.


DID YOU KNOW ?

 

Microsoft operating systems' security falls under the C and B categories; within the B division, Microsoft operating systems meet only 2 of the required security criteria, not all of them.


The four divisions are:

 

A Division (Verified Protection): To develop an operating system that meets the A1 rating, developers must treat system design and security policy as the highest priority; that is how a vendor manages to design an operating system that meets the A rating.

 

B Division (Mandatory Protection): The B division is subcategorized into B3, B2 and B1 respectively. B division systems require more testing and documentation. Windows operating systems fall under the B division, and the component Microsoft developed for it is the SAS.

 

C Division (Discretionary Protection): Most Microsoft operating systems, along with Linux, fall under this division. Implementation of passwords, auditing and file protection are some of the major factors of the C division.

 

D Division (Minimal Security): Operating systems with minimal or no security fall under this division; there are no rules defined for D division operating systems.


This article should be helpful for architects who are designing an infrastructure with mixed operating systems and need to evaluate the security protections those systems support.

 

Some Important Links

http://www.cesg.gov.uk/products_services/iacs/index.shtml

http://www.niap-ccevs.org/


Sainath

Microsoft MVP