This step-by-step guide provides the instructions that you need to set up certificate settings in Group Policy in a test lab environment. We recommend that you do not use this guide in a production environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® Code Name "Longhorn" operating system features without additional documentation (as listed in the Additional Resources section) and should be used with discretion as a stand-alone document.
What are certificate settings in Group Policy?
As X.509 public key infrastructures become more prominent in applications and a foundation of trust management, many organizations need more options to manage certificate path discovery and path validation settings. Previous versions of Windows operating systems did not have tools to customize certificate settings. Certificate settings in Group Policy provide this ability in the Windows Server Code Name "Longhorn" Beta 3 operating system. They enable you to manage certificate validation settings according to the security needs of your organization.
You can use certificate settings in Group Policy to control certificate validation and path discovery settings for your environment. These settings include ways to manage certificates used by client computers in the domain, revocation policies, and network retrieval settings.
What’s new in certificate settings in Group Policy?
Certificate settings in Group Policy allow you to easily configure and manage certificate validation settings. With these settings, you can effectively perform a variety of tasks, such as:
· Deploy intermediate certification authority (CA) certificates for all computers in a domain
· Block certificates that are not trusted by the security policy
· Manage certificates used for code signing
· Configure the retrieval settings for certificates and certificate revocation lists (CRLs).
The following image is a screenshot of the Group Policy Management console.
In the Group Policy Management console, you can find the certificate settings under Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
The Windows Server Code Name "Longhorn" certificate settings in Group Policy now include four new Group Policy stores:
· Intermediate Certification Authorities
· Trusted Publishers
· Untrusted Certificates
· Trusted People
The Certificate Path Validation Settings object is also new and includes options to configure path validation settings, such as network retrieval timeouts and revocation settings.
Who should use certificate settings in Group Policy?
This guide is intended for the following audiences:
· IT planners and analysts who are evaluating the product
· Security architects who are responsible for implementing Trustworthy Computing
· Security administrators who run public key infrastructure (PKI) enabled applications in their environment
Benefits of certificate settings in Group Policy
You can use the certificate settings in Group Policy to manage the certificate settings on all the computers in the domain from a central location.
For example, in situations where certain intermediate CA certificates expire and clients cannot automatically retrieve the certificate, you can now deploy these certificates on client computers by using Group Policy.
In addition, you can use certificate settings in Group Policy to ensure that users never download code signed by unapproved publisher certificates. You can also configure network timeouts to better control the chain building timeouts for large CRLs and use revocation settings to extend CRL expiration times if a delay in publishing a new CRL is affecting applications. This guide will help you understand the key scenarios of these new certificate settings and how to enable them to use the settings effectively.
In This Guide
The purpose of this guide is to help administrators become familiar with the Certificate settings in Group Policy in Windows Server Code Name "Longhorn."
Scenario 1: Managing Trusted Root Certificates
Scenario 2: Managing Trusted Publishers
Scenario 3: Deploying Intermediate CA Certificates
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
Scenario 5: Handling Large Certificate Revocation Lists
Scenario 6: Extending Expiration Times for CRLs and OCSP Responses
Scenario 1: Managing Trusted Root Certificates
In this scenario, you are responsible for managing the security environment of your domain, and you want to manage trust completely and prevent users in the domain from configuring their own set of trusted root certificates and peer trust certificates. You can easily enable this setting by using the Stores tab in Certificate Path Validation Settings.
Before you start
· You should have a computer configured as a domain controller and a client computer joined to the domain
· The Group Policy Management Microsoft Management Console (MMC) snap-in must be installed on the domain controller
· PKI must be set up on the domain
· You must be logged on as a member of the Domain Admins group
To prevent users from managing certificate trust
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Stores tab.
6. Check Define these policy settings.
7. Clear the Allow user trusted root CAs to be used to validate certificates option in the Per User Certificate Stores section.
8. Clear the Allow users to trust peer trust certificates option in the Per User Certificate Stores section.
9. Select the root CAs that the client computers can trust in the Root certificate stores section.
10. Click OK to apply the new setting.
The following figure is a screenshot of the Stores tab on the Certificate Path Validation Settings Properties page.
Scenario 2: Managing Trusted Publishers
In this scenario, you are responsible for managing the security environment of your domain. The security policy of your company requires that only the administrators can add certificates used for code signing. You can easily reflect this setting using the Trusted Publishers user interface.
Before you start
· You should have a computer configured as a domain controller and a client computer joined to the domain
· The Group Policy Management MMC snap-in must be installed on the domain controller
· PKI must be set up on the domain
· You must be logged on as a member of the Domain Admins group
This scenario includes two parts:
· Configuring Trusted Publishers
· Configuring who can manage certificates that are used for code signing
To configure Trusted Publishers policy
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select the Trusted Publishers tab.
5. Implement the changes you desire, click Apply if you wish to make additional changes, and click OK when you are done making changes.
To allow only administrators to manage certificates used for code signing
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select the Trusted Publishers tab.
5. In the Adding Trusted Publishers section, select Allow only all administrators to manage Trusted Publishers.
6. Click Apply to apply the new settings, and click OK when you are done making changes.
The following figure is a screenshot of the Trusted Publishers tab on the Certificate Path Validation Settings Properties page.
Scenario 3: Deploying Intermediate CA Certificates
In this scenario, you are responsible for managing the security environment of your domain. You are encountering errors in certificate chain building due to expired intermediate CA certificates. This is affecting revocation checking for your applications. To solve this problem, you need to deploy new intermediate CA certificates on all computers in the domain. You can do this easily from a central location using certificate settings in Group Policy.
Before you start
· You should have a computer configured as a domain controller and a client computer joined to the domain
· The Group Policy Management MMC snap-in must be installed on the domain controller
· PKI must be set up on the domain
· You must be logged on as a member of the Domain Admins group
This scenario includes two parts:
· Managing intermediate CA certificates for the domain
· Managing intermediate CA certificates for the local computer
To manage intermediate CA certificates for the domain
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings and click Public Key Policies.
5. Right-click the Intermediate Certification Authorities store. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
To manage intermediate CA certificates for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, and then click Add. For the option This snap-in will always manage certificates for, select Computer account, then select Local computer, and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click the Intermediate Certification Authorities store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
In this scenario, you are responsible for managing the security environment of your domain. Based on Group Policy requirements, you do not want applications and clients to trust specific certificates. However, you cannot revoke these certificates because they are issued by external CAs. You can disallow these untrusted certificates by adding them to the Untrusted Certificates store, which you can now manage using Group Policy.
Before you start
· You should have a computer configured as a domain controller and a client computer joined to the domain
· The Group Policy Management MMC snap-in must be installed on the domain controller
· PKI must be set up on the domain
· You must be logged on as a member of the Domain Admins group
This scenario includes two parts:
· Blocking certificates for the domain
· Blocking certificates for the local computer
To block certificates for the domain
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings and click Public Key Policies.
5. Right-click the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
To block certificates for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, and then click Add. For the option This snap-in will always manage certificates for, select Computer account, then select Local computer, and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
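After the Group Policy object from Scenarios 1 through 4 has been applied, an administrator usually wants to confirm on a client that the certificates really landed in the intended stores. The following PowerShell script is an added example and is not part of this guide or of Windows itself. It assumes that Group Policy writes deployed certificates under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates with one subkey per certificate named by SHA-1 thumbprint, that the Cert: provider's LocalMachine view merges in the Group Policy physical store, and that it runs in an elevated session after gpupdate /force. The system store names Root, CA, TrustedPublisher, TrustedPeople and Disallowed correspond to the console's Trusted Root Certification Authorities, Intermediate Certification Authorities, Trusted Publishers, Trusted People and Untrusted Certificates nodes; the function names and the thumbprint in the usage line are hypothetical.

```powershell
# Added example, not part of the Microsoft guide: audit what Group Policy has placed in the
# machine certificate stores and check a thumbprint against the Untrusted Certificates store.
# Assumption: GPO-deployed certificates are written under the registry path below, one subkey
# per certificate, named by SHA-1 thumbprint. Run elevated on a client after "gpupdate /force".

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'

# System store name -> node name shown in the Group Policy Management console.
$StoreNames = @{
    'Root'             = 'Trusted Root Certification Authorities'
    'CA'               = 'Intermediate Certification Authorities'
    'TrustedPublisher' = 'Trusted Publishers'
    'TrustedPeople'    = 'Trusted People'
    'Disallowed'       = 'Untrusted Certificates'
}

function Get-PolicyDeliveredCertificates {
    # Hypothetical helper: lists the certificates that arrived through Group Policy for one store.
    param([Parameter(Mandatory=$true)][string]$Store)
    $key = Join-Path $PolicyBase "$Store\Certificates"
    if (-not (Test-Path $key)) { return }                  # nothing deployed by GPO for this store
    $merged = Get-ChildItem "Cert:\LocalMachine\$Store"    # merged view, includes the GPO physical store
    foreach ($sub in Get-ChildItem $key) {
        $thumb = $sub.PSChildName.ToUpperInvariant()       # subkey name is the SHA-1 thumbprint
        $cert  = $merged | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        $subject  = '<not visible in Cert: drive>'
        $notAfter = $null
        if ($cert) { $subject = $cert.Subject; $notAfter = $cert.NotAfter }
        New-Object PSObject -Property @{
            Store      = $StoreNames[$Store]
            Thumbprint = $thumb
            Subject    = $subject
            NotAfter   = $notAfter
        }
    }
}

function Test-CertificateBlocked {
    # Hypothetical helper: $true if the thumbprint is in the Untrusted Certificates store (Scenario 4).
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $t = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()   # accept spaced or colon-separated input
    [bool](Get-ChildItem Cert:\LocalMachine\Disallowed | Where-Object { $_.Thumbprint -eq $t })
}

function Get-ExpiringIntermediateCAs {
    # Hypothetical helper: intermediate CA certificates expiring within $Days, the situation Scenario 3 fixes.
    param([int]$Days = 30)
    Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Usage: one table per policy-managed store, then the expiry early warning, then a block check.
$StoreNames.Keys | ForEach-Object { Get-PolicyDeliveredCertificates -Store $_ } |
    Format-Table Store, Subject, NotAfter, Thumbprint -AutoSize
Get-ExpiringIntermediateCAs -Days 30 | Format-Table -AutoSize
Test-CertificateBlocked -Thumbprint '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33'   # placeholder thumbprint
```

A certificate that shows up under the policy registry key but not in the Cert: drive usually means the client has not refreshed the store yet; re-run after gpupdate /force. Comparing the Disallowed store with the list of certificates you imported in Scenario 4 is the quickest way to prove the block is in force before relying on it.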
Scenario 5: Handling Large Certificate Revocation Lists
In this scenario, you are responsible for managing the security environment of your domain. Your applications encounter frequent failures in retrieving large certificate revocation lists (CRLs). Large CRLs fail to download because the download takes longer than the default timeout of 15 seconds. You want to configure the default retrieval timeouts to solve this problem. You can easily configure this setting using the Network Retrieval tab of the Certificate Path Validation Settings dialog box.
Before you start
· You should have a computer configured as a domain controller and a client computer joined to the domain
· The Group Policy Management MMC snap-in must be installed on the domain controller
· PKI must be set up on the domain
· You must be logged on as a member of the Domain Admins group
To increase the retrieval timeout option for large certificate revocation lists
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Network Retrieval tab.
6. In the Default retrieval timeout settings section, select the Default URL retrieval timeout (in seconds) option.
7. Enter the desired timeout value.
8. Click OK to apply the new settings.
The following figure is a screenshot of the Network Retrieval tab of the Certificate Path Validation Settings Properties dialog box.
Scenario 6: Extending Expiration Times for CRLs and OCSP responses
In this scenario, you are responsible for managing the security environment of your domain. Network problems prevent you from publishing the latest CRL, which can cause all certificate chain validations to fail. You want to extend the expiration time of the existing CRL or the Online Certificate Status Protocol (OCSP) response to prevent this from happening. You can use the Revocation tab on the Certificate Path Validation Settings dialog box to manage this behavior.
Before you start
· You should have a computer configured as a domain controller and a client computer joined to the domain
· The Group Policy Management MMC snap-in must be installed on the domain controller
· PKI must be set up on the domain
· You must be a member of the Domain Admins group
This scenario includes two parts:
· Configuring revocation settings for the local computer
· Extending the validity period for CRL and OCSP responses for the local computer
To configure revocation settings for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
4. Select the Revocation tab.
5. Select the policy options you want.
6. Click Define these policy settings.
7. Click OK to apply the new setting.
To extend the validity period for CRL and OCSP responses for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
· If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
· If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Revocation tab.
6. Select the Allow CRL and OCSP responses to be valid longer than their lifetime option. For Time the validity period can be extended, enter the desired value of time (in hours).
7. Click Define these policy settings.
8. Click OK to apply the new setting.
The following figure is a screenshot of the Revocation tab on the Certificate Path Validation Settings Properties dialog box.
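Before changing the retrieval timeout (Scenario 5) or extending CRL and OCSP validity (Scenario 6), it helps to measure the actual problem on a client: how long the CRL takes to download relative to the 15-second default, when its Next Update passes, and which chain-status flag the applications are really hitting. The following PowerShell script is an added example and is not part of this guide or of Windows. It assumes certutil.exe is on the path and that its -dump output contains a "Next Update:" line in the current locale's date format; the CRL URL, certificate path, extension value and function names are placeholders and hypothetical names, not values from this guide. The chain check uses the .NET X509Chain class, whose UrlRetrievalTimeout is the per-URL timeout the Network Retrieval tab controls for the OS chain engine.

```powershell
# Added example, not part of the Microsoft guide. Measures a CRL download against the default
# URL retrieval timeout, reads the CRL's Next Update, computes the deadline a Revocation-tab
# extension would give, and builds a certificate chain with an explicit timeout so that the
# resulting status flags can be mapped back to the scenarios in this guide.
# Assumptions: certutil.exe is available and prints a "Next Update:" line for "certutil -dump".

$CrlUrl   = 'http://crl.example.test/pki/IssuingCA.crl'   # placeholder CRL distribution point
$CertPath = 'C:\temp\leaf.cer'                              # placeholder certificate to validate
$DefaultTimeoutSeconds = 15                                 # default URL retrieval timeout (Scenario 5)
$ExtensionHours        = 24                                 # placeholder value for the Revocation tab (Scenario 6)

function Measure-CrlDownload {
    # Hypothetical helper: download the CRL, time it, and parse Next Update out of certutil -dump.
    param([Parameter(Mandatory=$true)][string]$Url,
          [int]$TimeoutSeconds = $DefaultTimeoutSeconds,
          [int]$ExtensionHours = $script:ExtensionHours)
    $tmp = Join-Path $env:TEMP 'policy-check.crl'
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
    $sw.Stop()
    # certutil -dump prints a line such as "Next Update: 3/14/2024 9:00 AM"; parse the date with the current culture.
    $line = certutil -dump $tmp | Select-String 'Next Update:' | Select-Object -First 1
    $nextUpdate = [datetime]::Parse(($line.Line -replace '.*Next Update:\s*', ''))
    $deadline   = $nextUpdate.AddHours($ExtensionHours)
    New-Object PSObject -Property @{
        Url              = $Url
        SizeKB           = [math]::Round((Get-Item $tmp).Length / 1KB, 1)
        DownloadSeconds  = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        ExceedsTimeout   = $sw.Elapsed.TotalSeconds -gt $TimeoutSeconds     # Scenario 5 symptom
        NextUpdate       = $nextUpdate
        ExtendedDeadline = $deadline                                         # Scenario 6 effect
        UsableWithExtension = (Get-Date) -lt $deadline
    }
}

function Test-CertificateChain {
    # Hypothetical helper: build the chain with online revocation checking and a chosen timeout,
    # then label each status flag with the scenario in this guide that addresses it.
    param([Parameter(Mandatory=$true)][string]$Path,
          [int]$TimeoutSeconds = $DefaultTimeoutSeconds)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $valid = $chain.Build($cert)
    $hints = @{
        'UntrustedRoot'           = 'Scenario 1: root CA is not in the policy-defined Trusted Root store'
        'PartialChain'            = 'Scenario 3: an intermediate CA certificate is missing or expired; deploy it by GPO'
        'ExplicitDistrust'        = 'Scenario 4: certificate is in the Untrusted Certificates store'
        'RevocationStatusUnknown' = 'Scenario 5/6: CRL or OCSP response could not be retrieved or has expired'
        'OfflineRevocation'       = 'Scenario 5/6: revocation check ran offline; check retrieval timeout and CRL validity'
    }
    foreach ($s in $chain.ChainStatus) {
        $name = $s.Status.ToString()
        New-Object PSObject -Property @{
            Subject = $cert.Subject; ChainValid = $valid
            Status  = $name; Detail = $s.StatusInformation.Trim(); Hint = $hints[$name]
        }
    }
    if ($chain.ChainStatus.Count -eq 0) {
        New-Object PSObject -Property @{ Subject = $cert.Subject; ChainValid = $valid; Status = 'NoError'; Detail = ''; Hint = '' }
    }
}

# Usage
Measure-CrlDownload -Url $CrlUrl | Format-List Url, SizeKB, DownloadSeconds, ExceedsTimeout, NextUpdate, ExtendedDeadline, UsableWithExtension
Test-CertificateChain -Path $CertPath -TimeoutSeconds $DefaultTimeoutSeconds | Format-List Subject, ChainValid, Status, Hint, Detail
```

If ExceedsTimeout is true, raising the Default URL retrieval timeout (Scenario 5) is the right fix; if the download is fast but NextUpdate has already passed, the problem is publication, and the Revocation tab extension (Scenario 6) buys time until a fresh CRL is published. Keep the extension short: every hour you add is an hour during which a certificate revoked after the stale CRL was issued still validates on your clients.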