You can also use Group Policy to enroll user and computer certificates automatically, making the entire certificate process transparent to your end users. Before proceeding, you should understand what certificates are and why they are an important part of network security.
Think of a digital certificate as a carrying case for a public key. A certificate can contain both a public and a private key and a set of attributes, including the key holder’s name and email address. These attributes specify something about the holder: their identity, what they’re allowed to do with the certificate, and so on. The attributes and the public key are bound together because the certificate is digitally signed by the entity that issued it. Anyone who wants to verify the certificate’s contents can verify the issuer’s signature.
Certificates are one part of what security experts call a public- key infrastructure (PKI). A PKI has several different components that you can mix and match to achieve the desired results. Microsoft’s PKI implementation offers the following functions:
Certificate Authorities CAs issue certificates, revoke certificates they’ve issued, and publish certificates for their clients. Big CAs like Thawte and VeriSign do this for millions of users. If you want, you can also set up your own CA for each department or workgroup in your organization. Each CA is responsible for choosing which attributes it will include in a certificate and what mechanism it will use to verify those attributes before it issues the certificate.
Certificate Publishers They make certificates publicly available, inside or outside an organization. This allows widespread availability of the critical material needed to support the entire PKI.
PKI- Savvy Applications These allow you and your users to do useful things with certificates, such as encrypt email or network connections. Ideally, the user shouldn’t have to know (or even be aware of) what the application is doing— everything should work seamlessly and automatically. The best- known examples of PKI- savvy applications are web browsers such as Internet Explorer and Firefox and email applications such as Outlook.
Certificate Templates These act like rubber stamps. By specifying a particular template as the model you want to use for a newly issued certificate, you’re actually telling the CA which optional attributes to add to the certificate as well as implicitly telling it how to fill some of the mandatory attributes. Templates greatly simplify the process of issuing certificates because they keep you from having to memorize the names of all of the attributes you may potentially want to put in a certificate.
Learn More About PKI |
When discussing certificates, it’s also important to mention PKI and its definition. The exam doesn’t go deeply into PKI, but I recommend you do some extra research on your own because it is an important technology and shouldn’t be overlooked. PKI is actually a simple concept with a lot of moving parts. When broken down to its bare essentials, PKI is nothing more than a server and workstations utilizing a software service to add security to your infrastructure. When you use PKI, you are adding a layer of protection. The auto- enrollment Settings policy determines whether users and/or computers are automatically enrolled for the appropriate certificates when necessary. By default, this policy is enabled if a certificate server is installed, but you can make changes to the settings, as shown in Exercise 8.5. |
In Exercise 8.5, you will learn how to configure automatic certificate enrollment in Group Policy. You must have first completed the other exercises in this chapter in order to proceed with Exercise 8.5.
EXERCISE 8.5
Configuring Automatic Certificate Enrollment in Group Policy
- Open the Group Policy Management Console tool.
- Right- click the North America OU that you created in the previous exercises in this book.
- Select Create A GPO In This Domain And Link It Here and name it Test CA. Click OK.
- Right- click the Test CA GPO and choose Edit.
- Open Computer Configuration ➢ Policies ➢ Windows Settings ➢ Security Settings ➢ Public Key Policies.
- Double- click Certificate Services Client – Auto- Enrollment in the right pane.
- The Certificate Services Client – Auto- Enrollment Properties dialog box will appear. For now, don’t change anything—j ust become familiar with the settings in this dialog box. Click OK to close it.
Redirecting Folders
Another set of Group Policy settings that you will learn about are the folder redirection settings. Group Policy provides a means for redirecting the Documents, Desktop, and Start Menu folders, as well as cached application data, to network locations. Folder redirection is particularly useful for the following reasons:
■ When they are using roaming user profiles, a user’s Documents folder is copied to the local machine each time they log on. This requires high bandwidth consumption and time if the Documents folder is large. If you redirect the Documents folder, it stays in the redirected location, and the user opens and saves files directly to that location.
■ Documents are always available no matter where the user logs on.
■ Data in the shared location can be backed up during the normal backup cycle without user intervention.
■ Data can be redirected to a more robust server- side administered disk that is less prone to physical and user errors.
When you decide to redirect folders, you have two options:
■ Basic redirection redirects everyone’s folders to the same location (but each user gets their own folder within that location).
■ Advanced redirection redirects folders to different locations based on group membership. For instance, you could configure the Engineers group to redirect their folders to //Engineering1/Documents/ and the Marketing group to //Marketing1/ Documents/. Again, individual users still get their own folder within the redirected location.
To configure folder redirection, follow the steps in Exercise 8.6. You must have completed the other exercises in this chapter to proceed with this exercise.
EXERCISE 8.6
Configuring Folder Redirection in Group Policy
- Open the GPMC tool.
- Open the North America OU and then edit the Test CA GPO.
- Open User Configuration ➢ Policies ➢ Windows Settings ➢ Folder Redirection ➢ Documents.
- Right- click Documents, and select Properties.
- On the Target tab of the Documents Properties dialog box, choose the Basic – Redirect Everyone’s Folder To The Same Location selection from the Settings drop-d own list.
- Leave the default option for the Target Folder Location drop-d own list and specify a network path in the Root Path field.
- Click the Settings tab. All of the default settings are self- explanatory and should typically be left at the default setting. Click OK when you have finished.
Folder Redirection Facts |
Try not to mix up the concepts of folder redirection and offline folders, especially in a world with ever- increasing numbers of mobile users. Folder redirection and offline folders are different features. Windows Server 2022 folder redirection works as follows: The system uses a pointer that moves the folders you want to a location you specify. Users do not see any of this— it is transparent to them. One problem with folder redirection is that it does not work for mobile users (users who will be offline and who will not have access to files they may need). Offline folders, however, are copies of folders that were local to you. Files are now available locally to you on the system you have with you. They are also located back on the server where they are stored. The next time you log in, the folders are synchronized so that both folders contain the latest data. This is a perfect feature for mobile users, whereas folder redirection provides no benefit for the mobile user. |