Ask The Exchange Expert: Questions & Answers

Why standalone certificate authorities are more secure

EXPERT RESPONSE FROM: Richard Luckett

QUESTION POSED ON: 11 November 2005
I understand that Microsoft only recommends installing a standalone certificate authority when you do not have an Active Directory domain, and automatic deployment of certificates to users and computers isn't required.

If someone wants to take advantage of the enterprise certificate authority, but wants the best security, can the certificate authority be placed on the internal network (thereby requiring the ISA server to be a member of the internal domain)?


It seems to me that you have two lines of thought converging here. One is trying to figure out how to deploy your enterprise certificate authority (CA) in the most secure fashion, and the other has something to do with ISA. I think I know where you are headed, so I'll give it a shot.

Microsoft recommends deploying a standalone certificate authority to protect the root certificate authority from being compromised. Standalone certificate authorities can be taken offline (when they are not being used to generate certificates) which helps to protect the validity of your root certificate authority. The workload of deploying user certificates can be done by subordinates while the root certificate authority is offline. Subordinate certificate authorities can be member servers of the domain and can be used for automating the deployment of certificates.

How can ISA help? ISA can prevent any external users from accessing the certificate authority. And depending on how you configure ISA, it can even help you protect your certificate authority from internal users as well.

I hope this helps. Please respond with a comment to this answer if I'm way off base here.
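
The hierarchy described in the answer, as an added example that is not part of the original response: a root CA signs one subordinate (issuing) CA, the root key is then removed, and the subordinate alone issues a certificate that still validates against the root certificate. It uses OpenSSL as a stand-in for Windows Certificate Services; the CA names, the host name and the helper functions are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Constructed two-tier PKI using OpenSSL as a stand-in for AD CS.
# All CA names and the host name below are made up for this example.

# mkreq NAME CN: new 2048-bit RSA key (NAME.key) and CSR (NAME.csr)
mkreq() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr"
}

# Builds root -> issuing CA -> leaf in a temp dir and prints the dir path.
build_two_tier_pki() {
  local d
  d=$(mktemp -d) || return 1
  (
    cd "$d" &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext &&
    # 1. Root CA: self-signed, its key is used only to sign subordinate CAs.
    mkreq root "Example Offline Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
      -extfile ca.ext -out root.crt &&
    # 2. The root signs the subordinate (issuing) CA certificate.
    mkreq sub "Example Issuing CA" &&
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -sha256 -days 1825 -extfile ca.ext -out sub.crt &&
    # 3. "Take the root offline": deleting the key here simulates powering
    #    down the standalone root and storing its key material away.
    rm -f root.key &&
    # 4. The subordinate issues an end-entity certificate without the root key.
    mkreq leaf "mail.example.test" &&
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
      -sha256 -days 365 -extfile leaf.ext -out leaf.crt
  ) >/dev/null 2>&1 || return 1
  echo "$d"
}

# Relying parties need only the root *certificate* plus the intermediate.
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

dir=$(build_two_tier_pki) && verify_leaf "$dir" &&
  echo "leaf validates against root.crt; root.key is absent in $dir"
```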


All Rights Reserved, Copyright 2004 - 2009, TechTarget