Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
June 2007

Identity Lifecycle Manager 2007

Issue secure certificates

Workflow design. The biggest benefit of ILM 2007 certificate management is the ability to define workflows for certificate management. For example, you can define exactly what process is used to obtain Secure MIME (S/MIME) certificates or to unblock a smart card. The following three common models exist for certificate management.

  • In a Self-Service model, all processes within a workflow are initiated by the certificate subscriber defined in the profile template. For example, a user can initiate the request of an Encrypting File System (EFS) certificate. Self-service for certificate acquisition is typically considered a low-assurance model because no person other than the certificate requestor is involved in the issuance of the certificate. However, self-service is acceptable for several scenarios such as IPsec certificates or EFS encryption certificates.
  • In a Delegated model, a workflow is initiated by a certificate manager but is completed by the certificate subscriber. This workflow is considered medium assurance and is typically used for certificates that require strong validation of the subscriber's identity. For example, the certificate request for an EFS recovery agent or a Key Recovery Agent might use a delegated workflow. A certificate manager will initiate the request, with control being passed to the subscriber through the use of one-time secrets in an email message to complete the request.
  • In a Centralized model, the entire request is completed by the certificate manager. This workflow is typically used for high-assurance certificates. The certificate manager acts as an enrollment agent and places the subscriber's name information in the subject of the issued certificate.

Permissions. To define certificate management workflows, you must assign CLM extended permissions. The following seven extended permissions are assigned to users, groups, or the ILM 2007 certificate management Service Connection Point (SCP—which I define in the following section):

  • CLM Audit—Allows viewing the profile template setting, approving requests, and generating reports
  • CLM Enrollment Agent—Allows the holder to request a certificate on behalf of another user
  • CLM Request Enroll—Allows the initiation, execution, or completion of an enrollment request
  • CLM Request Recover—Allows the initiation of encryption key recovery operations from the CA database
  • CLM Request Renew—Allows the initiation, execution, or completion of a renewal request when an original user certificate is near its expiration date and needs to be replaced with a new certificate that has a new validity period
  • CLM Request Revoke—Allows termination of a certificate's validity before its expiration date (e.g., a certificate can be revoked because a user's laptop was stolen)
  • CLM Request Unblock Smart Card—Allows a smart card's user PIN to be reset, reestablishing access to the smart card's key material

In addition, profile template objects include the CLM Enroll permission. Users who request certificates included in a profile template must be assigned the CLM Enroll permission on the profile template. If a user requests a certificate on behalf of another user, both the requestor (enrollment agent) and the target user must be assigned CLM Enroll permissions.

Note that ILM 2007 certificate management permissions can be assigned only to users, global groups, or universal groups. Permission assignments made to domain local groups are ignored.

Permission assignment locations. In ILM 2007 certificate management, effectively managing permissions includes intertwining the following five permission assignment locations. Figure 1 illustrates these locations.

  1. Service Connection Point—If a user or group is assigned a CLM extended permission at the SCP, the user gains access to the CLM management Web portal. A permission assigned at the SCP is only a potential permission: it takes effect only when the same permission is also assigned to that holder on a target user or group. Users require only Read permission on the SCP to participate in CLM workflows.
  2. Profile Template Object—A user or group must be assigned the Read and CLM Enroll permission on the profile template object to allow enrollment of certificates based on the profile template. If the workflow includes a manager acting as an enrollment agent, both the manager and the target users must be assigned the CLM Enroll permission.
  3. Users/Groups—This permission assignment location goes hand-in-hand with the SCP. As I stated earlier, the SCP permission is only a potential assignment: it says the holder could perform the action on some user or group. A matching permission assignment on a user or group closes the loop by defining the target of the management action.
  4. Certificate Template(s)—If the workflow requires the submission of certificate requests to a CA, the submitter of the request must be assigned the Read and Enroll permissions on the included certificate templates.
  5. Within a Management Policy—The final permission assignment occurs within a management policy. The managers within a workflow must be assigned the right to initiate, approve, or act as an enrollment agent in a workflow. Alternatively, you can enable the self-service option to let a user initiate personal workflow requests.
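As an added example (not code from the article and not an ILM 2007 API), the following Python model combines the three workflow models and the five assignment locations described above into one effective-permission check, including the rule that assignments to domain local groups are ignored. The principals, group names, template names and ACL layout are assumptions constructed for illustration.

```python
"""Added model of ILM 2007 CLM permission checks; names are constructed, not ILM's code."""
UNBLOCK = "CLM Request Unblock Smart Card"

def grantees(user, membership, domain_local):
    """User plus its counting groups: domain local group assignments are ignored."""
    return {user} | {g for g in membership.get(user, set()) if g not in domain_local}

def holds(acl, user, perm, membership, domain_local):
    """True if the user, or a global/universal group it belongs to, has perm in acl."""
    return any(perm in acl.get(g, ()) for g in grantees(user, membership, domain_local))

def check_workflow(dep, manager, target, profile, perm, action):
    """Failed checks (empty list = allowed) for manager doing action on target."""
    h = lambda acl, u, p: holds(acl, u, p, dep["membership"], dep["domain_local"])
    pt, failed = dep["profiles"][profile], []
    self_service = manager == target and action == "initiate" and pt["policy"]["self_service"]
    if self_service:                                  # subscriber only needs Read on the SCP
        if not h(dep["scp"], manager, "Read"):
            failed.append("scp")
    else:
        if not h(dep["scp"], manager, perm):          # 1. SCP: a potential grant only
            failed.append("scp")
        targets = grantees(target, dep["membership"], set())   # target or any of its groups
        if not any(h(dep["users"].get(t, {}), manager, perm) for t in targets):
            failed.append("target")                   # 3. user/group closes the loop
        if not h(pt["policy"]["managers"], manager, action):
            failed.append("policy")                   # 5. management policy
    if not (h(pt["acl"], manager, "Read") and h(pt["acl"], manager, "CLM Enroll")):
        failed.append("profile_manager")              # 2. profile template object
    if not h(pt["acl"], target, "CLM Enroll"):        # the target needs CLM Enroll too
        failed.append("profile_target")
    submitter = manager if action == "enrollment_agent" else target
    for ct in pt["cert_templates"]:                   # 4. certificate template(s)
        if not all(h(dep["certs"][ct], submitter, p) for p in ("Read", "Enroll")):
            failed.append("cert_template:" + ct)
    return failed

DEP = {  # constructed deployment: Helpdesk unblocks smart cards for Sales users
    "membership": {"alice": {"Helpdesk"}, "bob": {"Sales"}, "dan": {"Helpdesk-DL"}},
    "domain_local": {"Helpdesk-DL"},                  # assignments to it are ignored
    "scp": {"Helpdesk": {UNBLOCK}, "Helpdesk-DL": {UNBLOCK}, "Sales": {"Read"}},
    "users": {"Sales": {"Helpdesk": {UNBLOCK}, "Helpdesk-DL": {UNBLOCK}}},
    "certs": {"SmartcardLogon": {"Sales": {"Read", "Enroll"}}},
    "profiles": {"Smart Card": {
        "acl": {g: {"Read", "CLM Enroll"} for g in ("Sales", "Helpdesk", "Helpdesk-DL")},
        "cert_templates": ["SmartcardLogon"],
        "policy": {"managers": {"Helpdesk": {"initiate"}, "Helpdesk-DL": {"initiate"}},
                   "self_service": False}}},
}
```

Running `check_workflow(DEP, "alice", "bob", "Smart Card", UNBLOCK, "initiate")` returns an empty list, while the same call for "dan" fails every manager-side check because his only permissions come through a domain local group.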

Reporting. ILM 2007 certificate management includes excellent reporting facilities. In general, reports can be classified into the following three categories.

  • CLM Summary Reports—Provide summarized reports for all managed requests, certificate usage, certificate expiry, and smart card inventories. These reports are useful when reporting to management about the state of all certificates managed by ILM 2007.
  • CLM Detail Reports—Provide detailed reports for smart cards, smart card histories, requests, certificate template usage, and certificate revocation lists. Detail reports are appropriate when you are researching certificate usage for a specific person or smart card device.
  • CLM Settings Reports—Provide detailed setting information for certificate templates or profile templates. These reports can be used to document the finalized settings defined for each certificate template or profile template you deploy.