CA question

Afternoon Ladies and Gents,

I'm currently studying up for 70-293 and I finally reached the PKI section of the study materials. I understand the basics of it so far, but my biggest question is actual use of certificates. I know that certificates allow trust between computers, but the practical use of them is what gets me.

In the Testout CBT, the instructor goes about showing me how certificates can be used to establish IPSec policies between two machines, as well as using a certificate to give a user the DRA privileges. Now, correct me if I'm wrong, but can't you just give those permissions to the user via Active Directory, and why not just set the local policies of each machine to use IPSec Request/Require? Certificates need to be used on 802.1x networks if I remember correctly, and I understand the need for them on smart cards, but besides those two I don't know how else I would use them.

If anyone has some suggestions or a better understanding of it I'd love to pick your brain. I know that PKI and NLB are big on this exam from reading previous posts, so I'd like to make sure I understand it completely before even exam prepping.

Thanks,
Agent6376

Comments

  • dynamik Banned Posts: 12,312
    EFS, smart cards, SSL/TLS (HTTPS), email signing and encrypting, code signing, IPSec, etc.

    Imagine what a nightmare it would be to administer 1000 machines by configuring the local IPSec policies. What happens when something changes? You could configure and modify that in minutes with a PKI and auto-enrollment group policies. Plus, certificates are typically more secure than the alternative (i.e. using a PSK with IPSec).

    You should get this book: Amazon.com: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Pro - One-Offs): Brian Komar, Microsoft Corporation: Books

    I made it through the exam without it, but I'm going through it now. Both the Syngress and MS Press books are really weak when it comes to PKI.
  • Agent6376 Member Posts: 201
    Thanks for the reply Dynamik. I see what you're saying and it makes much more sense. After going over the chapter again and being introduced to the autoenrollment features, I can see how it could help administration a great deal.

    I'm looking forward to labbing this one up, along with clustering.