Standalone and Enterprise CA's скачать в хорошем качестве

Standalone and Enterprise CA's

A standalone CA does not require any domain membership, however an enterprise CA does. Both have their advantages and disadvantages. This video will look at what features you get and lose which will help you decide which CA is the best choice for you. Download PDF Handout http://ITFreeTraining.com/handouts/ce... Standalone vs Enterprise At the most basic level, the basic different between a standalone CA and an Enterprise CA is that an Enterprise CA needs to be a member of the domain while a standalone CA does not. If you decide to, you can install a standalone CA on a server that is a member of the domain. It should be remembered that once you install a Certificate Authority, properties for the server like the computer name cannot be changed. For this reason, if you only require a standalone CA, it may be a better choice to not have the server holding that standalone CA a member of the domain. Having the server a member of the domain also means that the server will need to check in with a domain controller once in a while. This essentially means that the server cannot be taken offline for extended periods. In some cases, a standalone CA may only be used to issue a couple of certificates, for example when it is used as a root CA. If this is the case, a non-domain member is a better choice as once the CA has issued these certificates it can stay offline for extended periods of time without issue. Having the CA offline means that the keys that are on the CA are protected from attack. If an attacker was to gain access to these keys, this means any certificates below this would need to be reissued. For this reason, being able to take the standalone CA offline for extended periods helps protect the key and the CA. A Standalone CA is often used for external services. Since external services often require access from the internet, using a standalone CA means that CA's can be installed on perimeter or DMZ networks. Since no domain services are required, the CA does not require a domain controller on the perimeter network or a rule to be created in the firewall in order to allow it access to the domain. This helps improve security, as if the CA was to become compromised, that attacker would only have access to what is on the CA and would not have access to any domain information. Enterprise CA's are often installed on internal networks as they require access to Domain Controllers. Even though Enterprise CA's essentially have to be online most of the time to access Domain Services and are domain members this makes them harder to secure and there is more opportunity for an attacker to do damage as they potentially have access to domain resources, but there are some advantages to having an enterprise CA. Since an Enterprise CA is a member of the domain, domain members can use automatic processes in order to obtain certificates. A standalone CA cannot use automatic processes and certificates allocated must be approved manually. This means that an Enterprise CA is a good choice if certificates need to be issued regularly. For example, health certificates that are issued daily to clients before they can access the network. Example of these include Wifi and Network Access Protection (NAP). A NAP client requires a health certificate before they can access the network and these certificates generally have a short life span. Certificates that are once issued and are valid for a few years a standalone CA may be good choice for this. Since on a standalone CA the certificate needs to be approved by an administrator having to manually approve certificates becomes time consuming if they are required to be approved on a regular basis. The exception to this is if there were a lot of certificates being issued. When this occurs, you may want to automate the process even though the certificates are valid for a long time. At the end of the day the decision is based on the amount of administrator time required versus how secure you want your network to be. Description to long for YouTube. Please see the following link for the rest of the description. http://itfreetraining.com/certificate... See    / itfreetraining   or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube. References "MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 780-782