Keeping Your Business Safe from Attack: Encryption and Certificate Services will provide readers with the information they need to best deploy Windows Public Key Infrastructure (PKI) services in their IT environment. The book explains the key components, concepts, and standards behind PKI and provides insight into how to put a Windows-rooted PKI into operation and how to keep it operational.

Keeping Your Business Safe from Attack: Encryption and Certificate Services will provide readers with the information they need to best deploy Windows Public Key Infrastructure (PKI) services in their IT environment. The eBook explains the key components, concepts, and standards behind PKI and provides practical insights into how to put a Windows-rooted PKI into operation and how to keep it running. The eBook's primary audience is technical planners, architects, and consultants. IT and security planners and decision managers will also find value in the introductory and closing chapters.

Chapter 1 provides a general introduction to PKI. It defines PKI, describes its key components, and highlights the security value-add services provided by a PKI. The chapter also provides an introduction to the cryptographic roots of PKI: It explains key cryptographic concepts (e.g., symmetric, asymmetric ciphers, hashing) and processes. The chapter closes with an overview of PKI standards, an introduction to Windows PKI, and a set of general guidelines you should keep in mind when designing, implementing, and maintaining a PKI.

The second chapter focuses on the PKI components that are available in Windows PKI. These components include the Certification Authority (CA), Registration Authority (RA), Active Directory (AD), and the PKI client. The chapter clearly explains the key features of the different components and highlights the architectural options available for each component. For example, it explains the differences between Windows standalone and enterprise CAs, highlights the advantages and disadvantages of integrating a CA with AD, and underlines the importance of and options for secure private key storage.

Trust is a fundamental concept in PKI and is reflected in the PKI trust model. Chapter 3 explains the PKI trust models that are available in Windows PKI and provides guidance on how to choose the right trust model for your IT environment. The chapter also spends a significant amount of time on how trust decisions are made and can be influenced on the Windows PKI client side.

Chapter 4 starts off with an overview of the certificate lifecycle. It then focuses on certificate enrollment and its impact on PKI design by addressing the questions "What are the enrollment options in Windows PKI?" and "How are machine and user certificate automatic enrollment configured?" The last part focuses on key archival and recovery, including how to set it up, what are its advantages and disadvantages, and when should you use it.

As the second chapter regarding the certificate lifecycle, Chapter 5 explains certificate validation and revocation and their effect on the overall architecture. Both processes are driven from the PKI-client side and have important implications on the PKI design process that you must get right from the start of your PKI design.

Chapter 6 summarizes the PKI design process based on the different elements that were highlighted in the previous chapters and lists the key decisions that must be made during each design step. The second part of this chapter focuses on Windows PKI maintenance and administration by answering the questions "How can you set up role separation and advanced auditing?" and "What should you do when the CA certificate expires?"

PKI is of little or no use if you don’t have applications using it. The last chapter of the eBook highlights the most popular PKI-enabled applications and how to put them into production. These include secure mail (using the Secure MIME—S/MIME—standard), secure Web (using the Secure Sockets Layer—SSL—and Transport Layer Security—TLS—standards), smart card logon, and strong network authentication for remote or wireless access.

-- Jan De Clercq
A member of the HP Security Office, where he focuses on identity management and security for Microsoft platforms