Windows 2008 PKI in Practice, Part 2: Enrollment and Roaming


In the past, autoenrollment ran inside the Winlogon process, which exposed it to more attacks. In the redesigned architecture it no longer runs inside a Windows service but as a WMI task. As a result, the Windows Vista and Windows Server 2008 components expose a smaller attack surface than their Windows Server 2003 and Windows XP counterparts.

An advance-notification attribute has also been added for certificate expiry: the user is warned when a certificate is about to expire or has already expired. This matters most when autoenrollment is not enabled, because in that case the computer cannot renew or enroll a certificate on the user's behalf automatically.

Credential roaming

As mentioned earlier, credential roaming was introduced in Windows Server 2003 SP1 and is now an integral part of Windows Server 2008.

The purpose of credential roaming is to reduce the need to replicate credentials separately to each computer: the user's encryption keys are stored in Active Directory and copied from there to whichever computer the user is using.

When the user logs on to a computer, the authentication information is sent to the server and the public and private keys are exchanged with the server. Without credential roaming, a user's credentials are typically carried between workstations by roaming profiles, which increases load.

With credential roaming, the user's public and private keys follow the user's Active Directory object regardless of which computer the user is working on. For mobile or roaming users, this improves message protection and user authentication and makes it easier to deploy smart cards.
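The two client-side mechanisms described above, autoenrollment and credential roaming, are both driven by policy and by Task Scheduler tasks on the client, so an administrator can audit their state without touching the CA. The following PowerShell script is an added example and is not part of the original article. It assumes the documented `AEPolicy` flag values (0x1 enabled, 0x2 renew/update pending, 0x4 update templates, 0x8000 disabled) and the Certificate Services Client task names used by Windows 7 / Windows Server 2008 R2 and later (`SystemTask`, `UserTask`, `UserTask-Roam`); verify the task names on older builds. It is read-only: it reports the policy, the task status and the certificates in the user's Personal store that are close to expiry, which is the situation the expiry notification above is meant to surface.

```powershell
# Added example (not from the original article): audit autoenrollment and
# credential-roaming state on a domain-joined Windows client.
# Run in a PowerShell session as the user whose store you want to inspect.

# Documented AEPolicy bits (assumption: values as in the Certificate Services Client docs).
$AEPOLICY_ENABLED          = 0x1
$AEPOLICY_RENEW_EXPIRED    = 0x2      # renew expired / update pending / remove revoked
$AEPOLICY_UPDATE_TEMPLATES = 0x4      # update certificates that use templates
$AEPOLICY_DISABLED         = 0x8000   # explicitly disabled by Group Policy

function Get-AutoenrollmentPolicy {
    # Reads the Group Policy-delivered AEPolicy value for the machine or the user.
    param([ValidateSet('Machine', 'User')][string]$Scope)
    $hive  = if ($Scope -eq 'Machine') { 'HKLM' } else { 'HKCU' }
    $key   = "${hive}:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        # Key absent: policy "Not configured", autoenrollment falls back to defaults.
        return [pscustomobject]@{ Scope = $Scope; Configured = $false; Enabled = $false
                                  RenewExpired = $false; UpdateTemplates = $false; Raw = $null }
    }
    [pscustomobject]@{
        Scope           = $Scope
        Configured      = $true
        Enabled         = (($value -band $AEPOLICY_DISABLED) -eq 0) -and (($value -band $AEPOLICY_ENABLED) -ne 0)
        RenewExpired    = ($value -band $AEPOLICY_RENEW_EXPIRED) -ne 0
        UpdateTemplates = ($value -band $AEPOLICY_UPDATE_TEMPLATES) -ne 0
        Raw             = ('0x{0:X}' -f $value)
    }
}

function Get-CertClientTaskStatus {
    # Queries the Certificate Services Client tasks that replaced the old Winlogon hook.
    # schtasks.exe is used because Get-ScheduledTask does not exist before Windows 8/2012.
    $tasks = 'SystemTask', 'UserTask', 'UserTask-Roam'   # assumed names, see lead-in
    foreach ($t in $tasks) {
        $path = "\Microsoft\Windows\CertificateServicesClient\$t"
        $out  = & schtasks.exe /Query /TN $path /FO LIST 2>$null
        $status = if ($LASTEXITCODE -eq 0) {
            ($out | Where-Object { $_ -match '^Status:\s+(.*)$' } | ForEach-Object { $Matches[1] }) -join ','
        } else { 'NOT FOUND' }
        [pscustomobject]@{ Task = $path; Status = $status }
    }
}

function Get-ExpiringUserCertificates {
    # Lists Personal-store certificates expiring within $Days, and whether each has a
    # private key (only key pairs with private keys are what credential roaming carries).
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.NotAfter -le $cutoff } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
                      @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
}

Write-Host '== Autoenrollment policy =='
Get-AutoenrollmentPolicy -Scope Machine
Get-AutoenrollmentPolicy -Scope User
Write-Host '== Certificate Services Client tasks =='
Get-CertClientTaskStatus | Format-Table -AutoSize
Write-Host '== User certificates expiring within 30 days =='
Get-ExpiringUserCertificates -Days 30 | Format-Table -AutoSize
```

If the user-scope policy reports `Enabled = $true` but `RenewExpired = $false`, the expiry notification is the only thing the user will see; expired certificates in the Personal store will not be renewed until the "renew expired certificates" option is turned on in the policy. A `NOT FOUND` task status on a supported build is worth investigating, since the client relies on those tasks to run enrollment and roaming at logon.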

Demo of registration and credential roaming

In Windows Server 2008, the enrollment user interface has been improved considerably, with gains in availability, flexibility, and supportability. For simplicity, we will enroll for a new certificate from the same computer, our CA server; normally, enrollment can be performed from any computer or server in the domain. We open the Certificates MMC snap-in. The Personal folder under the Certificates - Current User tree lists all of the current certificates for that user, as shown in Figure 14.

In this demo, we will request a new user certificate, which we can do from the Action menu. Compared with earlier versions, the enrollment user interface offers a number of new options. We have configured the server to accept only a few of the available authentication types, but the unused options are still displayed, as shown in Figure 15.
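The same request that the MMC "Request New Certificate" wizard submits can be driven from the command line with `certreq.exe`, which is useful for scripting and for reproducing the demo on a non-CA domain member. The script below is an added example, not code from the original article. The CA configuration string `CASERVER.example.local\Example-CA` and the template name `User` are placeholders for your own CA and template; the request is built with a non-exportable key in the user's key container so that the private key can follow the user through credential roaming without ever being written out as a file.

```powershell
# Added example (not from the original article): enroll for a user certificate
# from an enterprise CA with certreq.exe, equivalent to the MMC enrollment wizard.
# Placeholders: replace $CaConfig ("<CA host FQDN>\<CA name>") and $Template.

$CaConfig = 'CASERVER.example.local\Example-CA'   # placeholder CA config string
$Template = 'User'                                 # placeholder template name
$WorkDir  = Join-Path $env:TEMP 'enroll-demo'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Inf = Join-Path $WorkDir 'request.inf'
$Req = Join-Path $WorkDir 'request.req'
$Cer = Join-Path $WorkDir 'request.cer'

# Request definition. For templates that build the subject from Active Directory
# (the default for the User template) the CA overrides the Subject given here.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

function Invoke-Step {
    # Runs one certreq step and stops the script if it fails, so a pending or
    # denied request is not silently followed by an -accept of a missing file.
    param([string]$Description, [string[]]$Arguments)
    Write-Host "-> $Description"
    $output = & certreq.exe @Arguments 2>&1
    $output | ForEach-Object { Write-Host "   $_" }
    if ($LASTEXITCODE -ne 0) {
        throw "certreq failed during '$Description' (exit code $LASTEXITCODE)"
    }
    return $output
}

# 1. Generate the key pair in the user's container and build the PKCS#10 request.
Invoke-Step 'Create request' @('-new', $Inf, $Req) | Out-Null

# 2. Submit to the CA. A template set to "issue automatically" returns the
#    certificate immediately; one requiring manager approval leaves it pending.
$submit = Invoke-Step 'Submit request' @('-submit', '-config', $CaConfig, $Req, $Cer)
if (-not (Test-Path $Cer)) {
    Write-Warning 'Request is pending CA manager approval; run certreq -retrieve later.'
    return
}

# 3. Install the issued certificate and bind it to the waiting private key.
Invoke-Step 'Accept certificate' @('-accept', $Cer) | Out-Null

# 4. Confirm it landed in the Personal store with its private key attached.
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer).Thumbprint
Get-ChildItem -Path "Cert:\CurrentUser\My\$thumb" |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-List
```

After the final step, `HasPrivateKey` should be `True`; if the certificate is present but the value is `False`, the `-accept` step did not match the pending request in the user's key container, and the certificate is unusable for authentication or signing. Delete the temporary `.req` and `.cer` files once the enrollment is verified; they contain no private key material, but keeping the working directory tidy avoids confusion on shared CA servers.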
