Use PKI to Secure a Network Environment
In this IT Pro Challenges virtual lab, learners are introduced to skills required to secure networks using PKI. Exercises in this lab teach users how to configure HTTPS, DNSSEC, NRPT, and EFS while learning PKI concepts. The topics covered in this lab are critical for learners to be effective in system administrator job roles in cybersecurity.
Public Key Infrastructure (PKI) is the set of roles, policies, and systems used to issue, distribute, validate, and revoke digital certificates and the key pairs behind them. Each participant holds two mathematically related keys: a public key that can be shared freely and a private key that must stay secret. Data encrypted with one key can only be decrypted with the other, and a signature produced with the private key can be checked with the public key, which is what lets a client verify a server's identity and detect tampering. The job of the infrastructure itself is to manage those keys and certificates over their whole lifetime.
In this hands-on lab, you will use PKI to secure a network environment. First, you will install the Windows Server Certification Authority role, and then you will configure an enterprise root certification authority (CA). Next, you will configure a web server to require HTTPS client certificates, and then you will enable DNSSEC for a DNS zone. Finally, you will encrypt files by using EFS. The other guided and advanced challenges in this series are "Enable DNSSEC" and "Can You Secure DNS Resource Records and Windows NTFS Volume File Objects?" respectively.
Understand the Scenario
In this virtual lab, you are a system administrator for a company that plans to use a public key infrastructure (PKI) to secure data systems and digital assets. Certificates will be used to ensure that only clients with trusted certificates can connect to the IIS web site over HTTPS. Your job is to enable DNSSEC and protect data at rest by using EFS. To accomplish this, you will use a virtual machine named DC1 that runs Microsoft Windows Server 2016. DC1 is configured as a domain controller for an Active Directory domain named Contoso. You will connect to the virtual machine console directly in the lab environment.
Install and configure the Certification Authority role
A certification authority (CA) is a trusted entity that issues digital certificates: signed data structures that bind an identity (a host name, a user, a service) to a public key. Anyone holding the CA's own public key can verify the CA's signature on a certificate and therefore trust the binding it asserts. In this section of the lab, you will install and configure the Certification Authority role. First, you will install Active Directory Certificate Services and the Certification Authority role service, and then you will create a new enterprise root CA named ContosoCA.
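The lab performs these steps through Server Manager. The following is an added example, not the lab's own script, showing the equivalent from an elevated PowerShell session on DC1 together with the checks worth running before the new CA issues anything. The key length, hash algorithm, and validity period are this example's choices, not values taken from the lab.

```powershell
# Added example (not the lab's own script): install AD CS and stand up the
# enterprise root CA named ContosoCA on DC1. Run elevated as a member of
# Enterprise Admins. Key size, hash and validity are choices made here, not
# values the lab prescribes.
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'ContosoCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Checks before issuing certificates from the new CA.
# 1. The CA service is up and answers the RPC ping.
certutil.exe -ping
certutil.exe -cainfo

# 2. The root certificate is present in the local trusted-root store, is
#    self-signed (Subject equals Issuer) and uses SHA-256, not SHA-1.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=ContosoCA*' }
if (-not $root) { throw 'ContosoCA root certificate not found in LocalMachine\Root' }
$root | Format-List Subject, Issuer, NotAfter, SignatureAlgorithm, Thumbprint

# 3. The root was published to Active Directory. Domain members pick it up at
#    the next Group Policy refresh; if nothing is listed here, clients will not
#    trust anything this CA issues, and the HTTPS and EFS steps later fail.
certutil.exe -enterprise -store Root
```

An enterprise root CA on a domain controller is a lab convenience: in production the root is normally kept offline and a subordinate issuing CA does the day-to-day signing, so that compromise of the online server does not force you to replace the trust anchor on every client.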
Configure HTTPS on a web server
In this section of the lab, you will configure HTTPS on a web server. First, you will create a custom web server certificate template, CustomWebServer, whose subject name is built from the computer's Active Directory DNS name. Next, you will enroll for a web server certificate using that template and give it the friendly name WebSite1. Finally, you will configure an IIS HTTPS binding for the Default Web Site that uses the WebSite1 certificate. HTTPS is Hypertext Transfer Protocol Secure: HTTP carried over a TLS connection. The server's certificate lets the client authenticate the server, and the session keys negotiated during the TLS handshake encrypt the HTTP traffic in both directions.
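As an added example (not part of the lab), the following PowerShell performs the enrollment, binding, and client-certificate requirement from L4 and L6 on DC1 and then checks the result. It assumes the CustomWebServer template already exists and is issued by ContosoCA (templates are created in the Certificate Templates console; there is no built-in cmdlet for that), that the IIS role is installed, and that the server's FQDN is dc1.contoso.com; the FQDN is an assumption of this example, not a value stated on the page.

```powershell
# Added example (not the lab's own script): enroll a certificate from ContosoCA
# with the CustomWebServer template, name it WebSite1, bind it to the Default
# Web Site on 443 and require client certificates. Assumes the template is
# already published on the CA, that IIS is installed on DC1, and that the
# server's FQDN is dc1.contoso.com (assumed here, not taken from the lab).
Import-Module WebAdministration
$fqdn = 'dc1.contoso.com'

# Auto-enroll against the enterprise CA. The template builds the subject from
# Active Directory, so no -SubjectName is passed.
$result = Get-Certificate -Template 'CustomWebServer' -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate
$cert.FriendlyName = 'WebSite1'

# HTTPS binding on the site, then attach the certificate to 0.0.0.0:443.
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Require TLS and a client certificate. SslNegotiateCert alone only asks for
# one; SslRequireCert rejects connections that do not present one. The access
# section is locked at server level, so set it with -Location rather than in
# the site's web.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location 'Default Web Site' `
    -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Checks. 1) The binding exists. 2) The certificate chains to a trusted root,
# carries the Server Authentication EKU and matches the host name, which is
# exactly what a browser will test.
Get-WebBinding -Name 'Default Web Site' -Protocol https
Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn -EKU '1.3.6.1.5.5.7.3.1'

# 3) A request that sends no client certificate must be refused (IIS returns
#    403.7). If the page is served instead, the sslFlags change did not apply.
try {
    Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing | Out-Null
    Write-Warning 'Served without a client certificate; check sslFlags'
} catch {
    Write-Host "Rejected as expected: $($_.Exception.Message)"
}
```

Requiring a client certificate only proves the client holds a key signed by a CA the server trusts; mapping that certificate to a Windows identity (IIS client certificate mapping) is a separate step that the lab does not cover.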
Configure DNSSEC
After configuring HTTPS on the web server, you will configure DNSSEC. DNSSEC protects against forged DNS data by having the authoritative server digitally sign the records in its zone with public-key cryptography; a resolver that holds the zone's public key, or a trust anchor above it in the DNS hierarchy, verifies those signatures when an answer arrives and rejects data that does not validate. DNSSEC authenticates DNS data but does not encrypt it. In this section of the lab, you will enable DNSSEC for the contoso.com DNS zone so that its records are signed and can be validated by clients.
Configure the Name Resolution Policy Table
The Name Resolution Policy Table (NRPT) lets administrators define name-resolution policy for security-aware DNS clients. It is a table of rules, each scoped to a name or namespace such as a DNS suffix, that tells the client how to handle matching queries: whether to request DNSSEC data, whether to require that the response validate before it is returned to the application, and which DNS servers to use. Domain clients receive the table through Group Policy, and it is edited in the Group Policy Management Editor. In this section of the lab, you will configure the NRPT. In the Default Domain Policy, you will enable DNSSEC for all client DNS queries against DNS records in the contoso.com DNS zone, and then refresh Group Policy so the rule takes effect.
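The DNSSEC and NRPT sections above are two halves of one procedure: sign the zone on the server, then tell the clients to demand validated answers for it. The following is an added example, not the lab's own script, that does both from PowerShell on DC1 and verifies each half. It assumes DC1 hosts an Active Directory-integrated contoso.com zone and that you are a Domain Admin; the lab itself uses the DNS Manager and Group Policy consoles.

```powershell
# Added example (not the lab's own script): sign contoso.com on DC1, add an
# NRPT rule to the Default Domain Policy so domain clients require validated
# answers for that namespace, then verify. Assumes DC1 hosts an AD-integrated
# contoso.com zone and the session runs as a Domain Admin.
Import-Module DnsServer
Import-Module DnsClient

# 1. Sign the zone with the server defaults (a key-signing key and a
#    zone-signing key are generated on DC1, which becomes the zone's Key Master).
Invoke-DnsServerZoneSign -ZoneName 'contoso.com' -SignWithDefault -Force

# A signed zone carries RRSIG records over every RRset. None present means the
# signing did not complete, and clients configured below will get SERVFAIL.
$sigs = Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType RRSig
if (-not $sigs) { throw 'Zone signing produced no RRSIG records' }
$sigs | Select-Object -First 3 HostName, RecordType

# 2. NRPT rule written into the Default Domain Policy. -DnsSecEnable makes the
#    client set the DO bit and ask for DNSSEC data; -DnsSecValidationRequired
#    makes it discard answers that did not validate. The leading dot makes the
#    rule a suffix match for the whole namespace.
Add-DnsClientNrptRule -GpoName 'Default Domain Policy' `
    -Namespace '.contoso.com' `
    -DnsSecEnable -DnsSecValidationRequired

# 3. Refresh policy on this client and confirm the rule is in effect. Without
#    the refresh, the previous (unsigned-tolerant) behaviour stays active.
gpupdate.exe /force | Out-Null
Get-DnsClientNrptPolicy -Effective | Where-Object Namespace -eq '.contoso.com'

# 4. Query with the DO bit set: the answer should include the A record and its
#    RRSIG. A SERVFAIL here with the rule applied means validation failed.
Resolve-DnsName -Name 'dc1.contoso.com' -Type A -DnssecOk |
    Format-Table Name, Type, TTL -AutoSize
```

Resolvers other than the authoritative server (for example a second DNS server in a different forest) need the zone's trust anchor distributed to them before they can validate; the lab stays within a single domain controller, so that step does not arise here.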
Encrypt files and folders using EFS
EFS is the Encrypting File System, the NTFS feature that encrypts individual files and folders transparently for the user who owns them. Setting the Encrypt attribute on a file causes the system to generate a random symmetric file encryption key (FEK), encrypt the file contents with it, then encrypt the FEK with the user's EFS public key and store the result in the file's metadata alongside the encrypted data; a copy of the FEK can also be encrypted to a data recovery agent's public key. When the user opens the file, their private key decrypts the FEK and the FEK decrypts the contents, with no password prompt. In this section of the lab, you will encrypt files and folders using EFS. First, you will create a folder named SampleFiles in the root of drive C and then create SampleFile1.txt and SampleFile2.txt in that folder. Next, you will encrypt SampleFile1.txt by using File Explorer and SampleFile2.txt by using cipher.exe.
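As an added example (not the lab's own script), the following PowerShell carries out the same steps from the command line and adds the checks and the key backup a practitioner would want. The first file is encrypted through the .NET File.Encrypt API, which sets the same attribute File Explorer's "Encrypt contents to secure data" checkbox does; the second is encrypted with cipher.exe as in the lab. File contents and the backup path are constructed for this example.

```powershell
# Added example (not the lab's own script): create C:\SampleFiles and two files,
# encrypt one the way File Explorer does (File.Encrypt) and one with cipher.exe,
# verify, and back up the EFS key. Run as the user who must be able to read the
# files, not as SYSTEM or a shared admin account. File contents and the backup
# path are constructed for this example.
$folder = 'C:\SampleFiles'
New-Item -Path $folder -ItemType Directory -Force | Out-Null
Set-Content -Path "$folder\SampleFile1.txt" -Value 'Sample file 1 (constructed content)'
Set-Content -Path "$folder\SampleFile2.txt" -Value 'Sample file 2 (constructed content)'

# EFS is an NTFS feature; fail early with a clear message on FAT/ReFS volumes.
if ((Get-Volume -DriveLetter C).FileSystem -ne 'NTFS') { throw 'EFS requires an NTFS volume' }

# File 1: the same operation Explorer performs when the Encrypt attribute is set.
[System.IO.File]::Encrypt("$folder\SampleFile1.txt")

# File 2: cipher.exe. /e encrypts; /a applies the operation to files as well as
# to directories (without it, cipher only marks directories). Note that a file
# encrypted inside an unencrypted folder can be decrypted again by an editor
# that rewrites it, so encrypt the folder in real deployments.
cipher.exe /e /a "$folder\SampleFile2.txt" | Out-Null

# Verify. cipher /c shows which user's certificate (and which recovery agent,
# if any) can decrypt each file; the Encrypted attribute is the quick check.
cipher.exe /c "$folder\*"
Get-ChildItem $folder | ForEach-Object {
    [pscustomobject]@{
        File      = $_.Name
        Encrypted = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
    }
}

# The first EFS operation creates the user's EFS certificate (auto-enrolled from
# ContosoCA if an EFS template is published, otherwise self-signed). If that
# private key is lost, the files are unrecoverable, so export it. cipher /x
# prompts for a password and writes a .pfx that must be protected accordingly.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
cipher.exe /x "$env:USERPROFILE\Documents\efs-key-backup"
```

EFS protects data at rest against someone who obtains the disk or logs on as a different user; it offers nothing against malware running as the file owner, who decrypts transparently, and it does not protect the file once it is copied to a non-NTFS location or sent over the network.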
Lab Summary
After completing the "Can You Use PKI to Secure a Network Environment?" virtual lab, you will have accomplished the following:
- Install and configure the Certification Authority role.
- Configure HTTPS on a web server.
- Configure DNSSEC.
- Configure the Name Resolution Policy Table.
- Encrypt files and folders using EFS.