Thoughts on Offline Root possibilities.
Rob McShinsky
Guest

Posted: Thu Feb 10, 2005 9:00 pm    Post subject: Thoughts on Offline Root possibilities.

What are your thoughts on placing an offline root in a Virtual PC/Virtual
Server environment? This of course would not include an HSM option. There
has been talk of laptops or small machines that could be locked away, but
that ties a lot to hardware. In theory, couldn't a hard drive, DVD, or thumb
drive with your virtual OS and Root CA be used, or a combination of those for
redundancy? It would be much easier to just back up the virtual system files
and easier to store without the reliance on aging hardware. What are your
thoughts based on the current documented practices?

Rob McShinsky
Mark Gamache
Guest

Posted: Thu Feb 10, 2005 11:14 pm    Post subject: Re: Thoughts on Offline Root possibilities.

For an organization that is trying to save money, and it sounds like you
are, it's a great idea. Additionally, you can use this method to get
separation of roles so that no one person can issue a cert from the root.
The root won't be a member of the domain, so it will have a local
administrator. If you encrypt the VM image for storage and make sure that
no one has both the machine admin password and the key to decrypt the VM
image, then you have separation. It will take at least two people working
together to issue certs. Just make sure to take and test your disaster
recovery plan so you don't lose or damage the VM image.

In the end, it comes down to deciding just how strong your PKI model needs
to be. Technically the VM will work great. The question is, does it
provide the security and technical controls that are required for your
business process?

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
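
Added example, not part of the thread or any poster's code: a disaster-recovery check for the stored VM image that the reply above asks to be tested. It seals a keyed manifest of the image files and later verifies each redundant copy (hard drive, DVD, thumb drive). The file names, the flat directory layout and the key handling are assumptions.

```python
import hashlib, hmac, json, os, tempfile

def _digest(path):
    """SHA-256 of one file, read in chunks (VM disk files are large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def seal(image_dir, key):
    """Digest every file in a flat image directory, then HMAC-tag the record."""
    files = {name: _digest(os.path.join(image_dir, name))
             for name in sorted(os.listdir(image_dir))}
    body = json.dumps(files, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": files, "tag": tag}

def verify(copy_dir, manifest, key):
    """Return the problems found in one stored copy; an empty list means intact."""
    body = json.dumps(manifest["files"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest tag invalid"]  # manifest altered or wrong key
    problems = []
    present = set(os.listdir(copy_dir))
    for name, digest in manifest["files"].items():
        if name not in present:
            problems.append("missing: " + name)
        elif _digest(os.path.join(copy_dir, name)) != digest:
            problems.append("modified: " + name)
    problems += ["unexpected: " + n for n in sorted(present - set(manifest["files"]))]
    return problems

def demo():
    """Constructed sample: two copies of a tiny stand-in image, one damaged."""
    key = b"constructed-demo-key"  # assumption: held by a custodian, not stored with the media
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        for d in (good, bad):
            with open(os.path.join(d, "rootca.vhd"), "wb") as f:  # hypothetical file name
                f.write(b"constructed disk bytes")
            with open(os.path.join(d, "rootca.vmc"), "wb") as f:  # hypothetical file name
                f.write(b"constructed config bytes")
        manifest = seal(good, key)
        with open(os.path.join(bad, "rootca.vhd"), "ab") as f:
            f.write(b"\x00")  # simulate media damage on the second copy
        return verify(good, manifest, key), verify(bad, manifest, key)

if __name__ == "__main__":
    print(demo())
```

The check detects loss or damage of a stored copy; it does not reveal whether someone has duplicated the media.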
Miha Pihler [MVP]
Guest

Posted: Fri Feb 11, 2005 2:10 am    Post subject: Re: Thoughts on Offline Root possibilities.

Hi Rob,

While you have a good idea, I have two reservations.

The first one would be support. I am not sure if such a setup of a CA is supported
by Microsoft. Last time I checked, I was told it would only be supported if I
can reproduce the problem that I have in the virtual environment on physical
hardware. This information was given to me about a year ago and I haven't
followed it up since -- so I don't know what the current status on this is!

The second problem that I see with this is that if someone gets hold of the
device storing the image (e.g. DVD or hard drive), he/she could make a copy
of it. Unless you implement certain safeguards against this, it could happen
that you have no knowledge that a copy of the virtual environment was made and
is "out there"...

--
Mike
Microsoft MVP - Windows Security