Windows Tip Sheet
Digital Certificates for Everyone
Even a simple PKI can be useful and secure.
Everyone knows how useful digital certificates can be. One common use is to
issue digital certificates to employees for use in signing and encrypting e-mail,
and many organizations are deploying internal certification authorities (CAs)
to support that purpose.
But what if your organization isn’t? Not having a full public key infrastructure
(PKI) available makes e-mail certificates impractical, because they’re
too expensive to buy, but some organizations simply don’t want signed
or encrypted e-mail. Not having a CA does, however, mean some other useful Windows
features become unavailable. For example, with a code-signing certificate, you
can more easily implement Software Restriction Policies and secure scripting,
helping to prevent unauthorized software from running on your network.
Deploying an entire PKI just to issue a couple code-signing certificates is
overkill, though. Or is it? A PKI doesn’t have to be complicated to be
both useful and secure. For example, take a standalone (non-domain member) Win2003
box (even an older desktop-class machine will do; you’re not looking for
blazing performance). Install Certificate Services as a standalone root CA.
Disconnect the server from the network. When you need a certificate, just boot
up the machine and issue one to yourself; turn the machine off when you’re
finished and store it in a secure place. Keeping the machine off the network
will help ensure that your new CA’s root key isn’t compromised in
any way, thus keeping your issued certificates more trustworthy. You’ll
get some of the benefits of having a full PKI—such as issuing certificates
for enterprise-level tasks like code signing—and you won’t need
a full PKI deployment or the resources that those can require.
| Cool
Gadget |
 |
| The Yellow Machine from Anthology
Solutions has a built-in 8-port LAN switch and WAN gateway. |
Coolest gadget ever: The Yellow Machine from Anthology
Solutions. It’s a shoebox-sized device running embedded
Linux on an ASIC (which reduces power requirements) containing
up to 1.6TB—yes, TB—of storage. It’s a killer
network-attached storage (NAS) device, fast enough to stream
movies and big enough to store hundreds of ‘em, or the
Accounting department’s files, whichever is more important. |
|
|
More Resources:
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.