Enterprise and Standalone Root CAs - HELP

  #1 kamikaze_worm

    Hi all,

    I am now at the stage of taking practice exams for 298 after completing all the study; however, one question keeps rearing its head and getting me, so some help please.

    When I did my study I learnt that in a PKI hierarchy you should take the root offline to secure the infrastructure; however, it should NOT be an enterprise root, as it is not a good idea to take that offline. I thought it should be a standalone root CA.

    In Transcender there are questions I have answered based on this theory, but they are wrong. The answer is telling me (most of the time) to take the enterprise root offline and deploy subordinate enterprise CAs.

    I'm very :S

    My exam is not far away. Any ideas?

    Kamikaze_worm

  #2 God Emperor of Canada
    I'm not an expert, but I believe that you use enterprise CAs internally and use standalone for stuff that would go between organizations. If you use enterprise subordinates you have to have an enterprise root. Also, standalone CAs can't do everything that enterprise ones can, so make sure that the purpose of the CA doesn't require it to be part of a domain. Unfortunately I don't remember the specifics of what the enterprise ones can do compared to standalone, but I believe it's stuff that requires it to be part of a domain.

    Also I thought it was recommended to take offline all root CAs unless there is a specific requirement that requires it to be online.

  #3 Jarhead2011
    You don't necessarily have to have an enterprise root CA if you have a sub enterprise CA. As far as I know, best practice according to multiple resources is to have a standalone root CA and sub enterprise CA, if you have an AD domain. If you have an enterprise root CA then it can't be offline for more than 60 days or so, because AD will pick up that the computer account is no longer active.

  #4 God Emperor of Canada
    I did not know that, thanks for clarifying!

  #5 Senior Member
    I thought the best practice model was for

    Standalone root CA (only online to update the CRL at times) -> Enterprise subordinate (for CA policies) -> Enterprise subordinates (for issuing certificates)

    I may be wrong
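    The "only online to update the CRL" step in the model above is the part of an offline root that bites in practice: the root's CRL has a fixed lifetime, and once it lapses, revocation checking fails for every certificate under the hierarchy, not just the subordinate CA certificate. The following is an added example, not from the thread or any of its posters, of how that publication cycle is set up and checked with the certutil tooling that ships with AD CS (PowerShell 3.0 or later on Windows Server, run as administrator). The CA name "Contoso Root CA", the host name ROOTCA, the HTTP CDP http://pki.contoso.com/pki/, the share \\pki.contoso.com\pki$ and the E:\ removable drive are all assumptions.

```powershell
# Added example, not from the thread. Hypothetical names:
#   root CA  : 'Contoso Root CA' on host ROOTCA (standalone, workgroup, normally powered off)
#   HTTP CDP : http://pki.contoso.com/pki/   (served by a domain member, never by the root)
# Part 1 runs on the offline root, Part 2 on a domain-joined machine with
# Enterprise Admin rights (for example the issuing CA).

### Part 1 - on the offline standalone root ###

# 1a. Before installing the AD CS role: CAPolicy.inf. A root that is powered
#     off most of the year needs a long CRL lifetime, no delta CRLs, and no
#     CDP/AIA extensions in its own self-signed certificate.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# 1b. After installing the Standalone Root CA role: tell it where its CRL and
#     certificate will be reachable FROM THE DOMAIN, so the subordinate CA
#     certificate it issues carries working CDP/AIA URLs. The root itself
#     never serves these URLs.
#     Flag bits: 1 = publish to this path, 2 = put in the extension of issued
#     certs, 8 = location used when the CRL is published to AD manually.
$enroll   = "$env:windir\system32\CertSrv\CertEnroll"
$httpBase = 'http://pki.contoso.com/pki'
certutil -setreg CA\CRLPublicationURLs ("1:$enroll\%3%8%9.crl" + '\n' +
    "2:$httpBase/%3%8%9.crl" + '\n' +
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")
certutil -setreg CA\CACertPublicationURLs ("1:$enroll\%1_%3%4.crt" + '\n' +
    "2:$httpBase/%1_%3%4.crt" + '\n' +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")
Restart-Service CertSvc
certutil -CRL        # publish a fresh CRL, valid for the 26 weeks configured above

# 1c. Only the public artifacts leave the box: root certificate and CRL.
Copy-Item "$enroll\*.crt", "$enroll\*.crl" -Destination 'E:\'

### Part 2 - on a domain-joined machine (Enterprise Admin) ###

# 2a. Publish the root certificate into the AD trusted-root container and the
#     CRL into the CDP container, then copy both to the HTTP CDP.
certutil -dspublish -f 'E:\ROOTCA_Contoso Root CA.crt' RootCA
certutil -dspublish -f 'E:\Contoso Root CA.crl' ROOTCA
Copy-Item 'E:\*.crt', 'E:\*.crl' -Destination '\\pki.contoso.com\pki$\'

# 2b. The check that matters for an offline root: when does the published CRL
#     expire? Put this in a monitoring job and schedule the next "power on,
#     certutil -CRL, re-publish" cycle well before NextUpdate.
certutil -dump 'E:\Contoso Root CA.crl' | Select-String 'ThisUpdate|NextUpdate'
```

    The 26-week CRL period is a trade-off, not a recommendation: a longer period means fewer trips to the vault, but also a longer window in which a compromised subordinate CA certificate cannot be effectively revoked.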

  #6 Devilsbane
    According to James Conrad, the reason that you make the root CA a standalone CA is so that you can take it offline. The CAs underneath won't care if it is there or not.


    Enterprise CAs are part of the domain and thus have domain computer accounts. Remember that the computer has a password that needs to be changed every 30 days. If you leave your enterprise CA offline for more than 30 days then the password is going to expire and you will probably need to reset the computer account in Active Directory.

    The ideal situation to shoot for is two levels of standalone CAs that remain offline and then your issuing CAs on the third level, configured as enterprise CAs and remaining online. But remember that ideal situations aren't always present in real life and thus aren't presented on the exam. If your manager tells you that the budget only allows two levels of CAs, then you can preach best practices until you are blue in the face, but you are still going to need to implement an infrastructure that is only two levels and still make it as secure as possible.

    And I do swear by Transcender, but nobody is perfect. I have found 2 mistakes with their questions in the 6 or 7 different exam packs that I have used. Use the feedback to submit your claim. Maybe they are wrong (and will admit to that), but at the very least you will get a reply back from George or someone explaining why they believe the question is correct.
    Last edited by Devilsbane; 05-13-2011 at 06:47 PM.
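    An added example, not from the thread or from James Conrad's material, that checks on a CA host the two things the post above turns on: whether the CA is enterprise or standalone, and, if it is domain-joined, the machine-account password rotation interval that is configured and whether the secure channel to the domain still works. It reads the CertSvc configuration key and the Netlogon parameters key from the registry; the CAType-to-name table is the AD CS enumeration (0 enterprise root, 1 enterprise subordinate, 3 standalone root, 4 standalone subordinate). Run it in an elevated PowerShell 3.0 or later session on the CA itself; the output strings are the only thing specific to this example.

```powershell
# Added example, not from the thread. Run elevated on the CA host.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $cfg -Name Active).Active      # common name of the CA hosted here
$caType = [int](Get-ItemProperty -Path "$cfg\$active" -Name CAType).CAType

# AD CS CAType enumeration (2 is unused).
$typeNames = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}
"CA '$active' is: $($typeNames[$caType])"

if ($caType -in @(0, 1)) {
    # Enterprise CAs run under a domain computer account, so they inherit the
    # Netlogon machine-password rotation. Default interval is 30 days when the
    # value is absent; "Domain member: Disable machine account password changes"
    # sets DisablePasswordChange=1.
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p        = Get-ItemProperty -Path $netlogon
    $maxAge   = if ($p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
    $disabled = [bool]$p.DisablePasswordChange
    "Machine account password rotation: every $maxAge days (rotation disabled: $disabled)"

    # Is the secure channel to the domain still healthy? This is what breaks
    # when the local and AD copies of the machine password no longer match.
    if (Test-ComputerSecureChannel) {
        'Secure channel to the domain: OK'
    } else {
        'Secure channel BROKEN. Repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
    }
}
else {
    'Standalone CA: no domain computer account, so it can stay powered off indefinitely.'
}
```

    The registry read is deliberate: on a CA you want to know what the box is configured to do, not what the GPO console says should apply, and the two can differ on a server that has been off the network for months.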

  #7 Devilsbane
    Taking enterprise root CA offline.

    Here is an older thread, but there is some good discussion on the subject of CAs. And here is a TechNet document.

    http://technet.microsoft.com/en-us/l...34(WS.10).aspx

  #8 Devilsbane
    I read the 70-299 book and there were a couple of chapters on certificates and CAs. They explained some differences between enterprise and standalone, but they never went into too much detail about when to use a standalone. It was very one-sided, with all of the features that enterprise provides. Maybe MS just wants to sell more copies of Enterprise and Datacenter server?

    The 298 being a design exam, I would expect it to get into more detail on that, but maybe there is the same slant there too.

  #9 Shadly1
    I just got through that part in the Self-Paced Training Kit. What I gathered, from a security standpoint, is just plain DON'T create an Enterprise Root. Good security is to make it standalone so you can lock it in a vault for long periods of time... and not the same vault you store your backup tapes in.

  #10 Devilsbane
    Originally posted by Shadly1:
        I just got through that part in the Self-Paced Training Kit. What I gathered, from a security standpoint, is just plain DON'T create an Enterprise Root. Good security is to make it standalone so you can lock it in a vault for long periods of time... and not the same vault you store your backup tapes in.
    I agree with this, but the test might not. Don't rule out an answer just because it uses an enterprise root, always read the question or the case study if it is for the 298.

    If it's going offline, then it should be standalone. Even the test should agree with that.

  #11 Shadly1
    Originally posted by Devilsbane:
        I agree with this, but the test might not. Don't rule out an answer just because it uses an enterprise root, always read the question or the case study if it is for the 298.

        If it's going offline, then it should be standalone. Even the test should agree with that.
    Yeah, I found a couple of examples of enterprise roots in my study materials. They don't go into too much detail about why. All I can guess is that it was a single CA to start with and has grown to require subordinates? Doesn't matter that much. I just have to pay attention to the wording. I know it's good security to have offline root/online enterprise subordinates but it's not always what's out there.

  #12 Senior Member
    You also need to know the differences between an enterprise and a standalone based on what the functions need to be. I don't remember the details, but I seem to remember that a standalone cannot use templates, etc. If you know these differences then you should be fine; just know what types of certs each can give out. I have seen questions that based the answer on what types of functions/certs were to be distributed.
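    To make the "a standalone cannot use templates" difference concrete, here is an added example, not from the thread, of the same web-server certificate requested with certreq once from an enterprise CA and once from a standalone CA. On the enterprise CA the template supplies the extensions and the CA issues immediately if the requester has Enroll permission on it; on the standalone CA there is no template, so the request must carry every extension itself, and it sits pending until an administrator approves it. The CA names (issuing.contoso.com\Contoso Issuing CA, EXTRANET01\Contoso Extranet CA), the host web01.contoso.com and the request ID placeholder are assumptions.

```powershell
# Added example, not from the thread. Hypothetical CAs:
#   enterprise : 'issuing.contoso.com\Contoso Issuing CA'
#   standalone : 'EXTRANET01\Contoso Extranet CA'
# Run as administrator on the machine that needs the certificate.

# --- Enterprise CA: the template decides EKU, key usage and validity.
@'
[NewRequest]
Subject="CN=web01.contoso.com"
KeyLength=2048
Exportable=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
KeySpec=1

[RequestAttributes]
CertificateTemplate=WebServer
'@ | Set-Content -Path .\ent.inf -Encoding ASCII

certreq -new .\ent.inf .\ent.req
certreq -submit -config 'issuing.contoso.com\Contoso Issuing CA' .\ent.req .\ent.cer
certreq -accept .\ent.cer           # binds the issued cert to the key in the machine store

# --- Standalone CA: no templates, so the request must state the EKU itself.
#     Anything the request leaves out, the CA will not add.
@'
[NewRequest]
Subject="CN=web01.contoso.com"
KeyLength=2048
Exportable=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
KeySpec=1

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; serverAuth
'@ | Set-Content -Path .\sa.inf -Encoding ASCII

certreq -new .\sa.inf .\sa.req
# Prints "RequestId: <n>" and "Certificate request is pending: Taken Under Submission".
certreq -submit -config 'EXTRANET01\Contoso Extranet CA' .\sa.req

# On the CA, an administrator reviews and approves request <n> (use the printed id):
#   certutil -config 'EXTRANET01\Contoso Extranet CA' -resubmit <n>
# Then back on the requester:
#   certreq -retrieve -config 'EXTRANET01\Contoso Extranet CA' <n> .\sa.cer
#   certreq -accept .\sa.cer
```

    The manual approval step is not an inconvenience to be scripted away: on a standalone CA it is the only control over what gets issued, since there is no template ACL and no domain identity behind the request.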