RobSilver | Posts: 0 | 07/03/2010 7:04 PM
So, I'm installing a MS 2008 R2 STD Standalone Root CA. RAID1 HDs will be in a bank safe once I have issued Issuing CA certs and exported the root cert. No HSM. Server HW will be recycled into production.
I'm not installing any AV or Patches on this machine and will activate telephonically.
Any security concerns with this approach? Interested in any thoughts on this approach.
Regards,
Rob Silver <http://robsilver.org/>
TG | Posts: 298 | 07/03/2010 9:30 PM
What are your plans for CRL issuing by the root CA?
dloder | Posts: 131 | 07/07/2010 1:20 PM
How do you plan on bringing the server back up in "x" years when you need to resign an issuing CA and all the hardware that takes whatever form factor drive you have stored away has been cycled out of the environment?
Seems like a much better candidate for a VM image that you archive to DVD media for storage.
Microsoft also recommends that offline CAs still be maintained at supported service pack levels. So you should have expectations for needing to bring it online on a somewhat regular basis.
-- http://dloder.blogspot.com --
RobSilver | Posts: 0 | 07/13/2010 9:20 AM
Hi David
Good point regarding having the image on a VM and not a physical disk. This was my initial thought. However, my concern with using a VM image is the potential of theft (copy - paste the VM HD) and access to the private key. Also, similar to the HW issue where the HW might be recycled, the VM image itself may be obsolete for future VM kernels and HW virtualization technologies.
Interested in any other approaches to this.
Regards,
rob silver | managing director | infraspec | cell: +26774212064 | mail: rob@infraspec.net | skype: rob.silver.botswana | msn: rob@infraspec.net
It's not a Bug - It's a Feature!
dloder | Posts: 131 | 07/13/2010 1:35 PM
You already made a decision to store the bits in some form in a safe. Either you trust it to do its job of protecting the data, or you do not. The paranoid in me might encrypt the image to help mitigate such a perceived issue. How would one mitigate duplication of the physical drive contents?
As I mentioned before, you should not have an expectation of placing the CA in the safe for 10 years and never touching it. Establishing a process for maintaining the image on a supported OS and service pack could also take into consideration appropriate VM maintenance.
A VM scenario makes developing that process much more manageable, rather than physical hardware, especially when you've given away the hardware host.
-- http://dloder.blogspot.com --
RobSilver | Posts: 0 | 07/13/2010 2:39 PM
In the event of complete PKI failure, I don't think you want your VM image encrypted ☺
Unfortunately, an HSM is out of the question where I am.
Any other comments on this from the gallery?
Regards,
Rob Silver<http://robsilver.org/>
tilbard | Posts: 2 | 07/13/2010 3:47 PM
Best of both worlds? VM; after it's set up, export it to a removable hard drive that you keep in a safe. When you need to update it, etc., take it out, import it into Hyper-V/VMWare, update, then re-export.
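The recurring "take it out of the safe" visit that TG's CRL question and dloder's and tilbard's replies point at, written as a script for the offline root CA itself. This is an added example, not code from anyone in the thread; the removable-media path and the 26-week CRL / 4-week overlap schedule are placeholders to adjust to your own visit cadence.

```powershell
# Added example (not from the thread): one maintenance visit to an offline
# Windows Server 2008 R2 standalone root CA. Sets a CRL lifetime that matches
# the visit schedule, signs a fresh CRL, reports the date the next visit must
# happen by, and stages the CRL and CA cert for publication to the CDP/AIA.
# Run from an elevated PowerShell prompt on the root CA.
$MediaPath    = 'E:\pki-publish'   # placeholder: removable media that leaves the safe
$CrlWeeks     = 26                 # placeholder: base CRL lifetime (twice-yearly visits)
$OverlapWeeks = 4                  # placeholder: margin added to NextUpdate for a late visit
$CertEnroll   = Join-Path $env:WINDIR 'system32\CertSrv\CertEnroll'

# One-time settings (harmless to repeat): long base CRL, explicit overlap, and
# no delta CRLs, since nobody is present to publish them between visits.
certutil -setreg CA\CRLPeriodUnits $CrlWeeks       | Out-Null
certutil -setreg CA\CRLPeriod 'Weeks'              | Out-Null
certutil -setreg CA\CRLOverlapUnits $OverlapWeeks  | Out-Null
certutil -setreg CA\CRLOverlapPeriod 'Weeks'       | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0          | Out-Null
Restart-Service CertSvc

# The CDP locations baked into issued certificates must stay reachable by
# relying parties while this CA is in the safe; print them for the operator.
certutil -getreg CA\CRLPublicationURLs

# Sign a new CRL and read its validity window back from the published file.
certutil -crl | Out-Null
$crlFile = Get-ChildItem (Join-Path $CertEnroll '*.crl') |
           Where-Object { $_.Name -notlike '*+.crl' } |      # skip delta CRLs
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$dump = certutil -dump $crlFile.FullName
$nextLine   = ($dump | Select-String 'NextUpdate:' | Select-Object -First 1).Line
$nextUpdate = [datetime]::Parse(($nextLine -replace '^.*NextUpdate:\s*', ''))
# Windows sets NextUpdate = publish time + CRLPeriod + overlap, so re-signing
# before NextUpdate minus the overlap keeps the margin intact.
$visitBy = $nextUpdate.AddDays(-7 * $OverlapWeeks)

Write-Host "CRL file       : $($crlFile.Name)"
Write-Host "CRL NextUpdate : $nextUpdate"
Write-Host "Next visit by  : $visitBy"
if ($nextUpdate -lt (Get-Date).AddDays(7 * $CrlWeeks)) {
    Write-Warning 'New CRL expires sooner than the configured period; the registry settings may not have applied.'
}

# Stage the CRL and CA certificate for the online host that serves the CDP/AIA.
New-Item -ItemType Directory -Path $MediaPath -Force | Out-Null
Copy-Item (Join-Path $CertEnroll '*.crl') $MediaPath -Force
Copy-Item (Join-Path $CertEnroll '*.crt') $MediaPath -Force
Write-Host "Copied to $MediaPath; publish to the CDP and record $visitBy as the next safe visit."
```

The warning branch catches the failure mode the thread worries about: a CA brought back after a long gap whose CRL settings were never applied, which would otherwise issue a short-lived CRL and break chain validation before the next visit.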