Note-to-self: New Guidance for Securing Public Key Infrastructure

Source: TechNet Blogs » Microsoft Security Blog » New Guidance for Securing Public Key Infrastructure

http://blogs.technet.com/b/security/archive/2014/06/11/new-guidance-for-securing-public-key-infrastructure.aspx

“Public Key Infrastructure (PKI) is used as a building block to provide key security controls, such as data protection and authentication for organizations. Many organizations operate their own PKI to support things like remote access, network authentication and securing communications.

The threat of compromise to IT infrastructures from attacks is evolving. The motivations behind these attacks are varied, and compromising an organization’s PKI can significantly help an attacker gain access to the sensitive data and systems they are after.

 To help enterprises design PKI and protect it from emerging threats, Microsoft IT has released a detailed technical reference document – “Securing Public Key Infrastructure.”

Note-to-self: useful links when you need to add 3rd party certs to the NTAuth store

For Win2003:

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
http://support.microsoft.com/kb/295663/en

For Win 2008, Windows Server 2012:

Add Published Certificates to Active Directory Containers
http://technet.microsoft.com/en-us/library/cc731612.aspx

“If a CA certificate is not added automatically when the new CA is created, such as a stand-alone CA created by a user who is not a member of the Enterprise Admins group, the CA certificate can still be added manually to the NTAuthCertificates container.

This process can also be used to add the CA certificate of a non-Microsoft CA that has been used to issue smart card logon or domain controller certificates. By publishing these CA certificates to the Enterprise NTAuth store, the administrator indicates that the CA is trusted to issue certificates of these types.

Using Enterprise PKI: http://technet.microsoft.com/en-us/library/cc754963.aspx

Install the Enterprise PKI Console: http://technet.microsoft.com/en-us/library/cc771085.aspx