Offline Root CA Maintenance Best Practice Query

"Sukhwinder Singh" wrote:

Dear All,

We have a two-tier CA architecture in our environment: an offline Root CA and an online issuing CA. We have kept the offline Root CA on a VM. The VM is turned off. But all servers in our environment are patched with the latest security patches. Is it necessary to patch the Root CA server (offline)? What is the best practice for patching and antivirus definition updates on an offline Root CA?

"Brian Komar" wrote:

There is no "best practices" answer.
I have seen:
1) The offline root CA is fully patched the day before any key ceremony activities
2) The offline CA only has service packs and Cert Services fixes or related (DST patch) applied and anti-virus updates
3) The offline CA only has anti-virus updates
4) No updates applied, but only virus-scanned media is used.
What does your CPS state? That is the authoritative document.
Brian

"Sukhwinder Singh" wrote:

Dear Brian,

Thanks for your reply. What we wanted to know is how it is suggested to patch the offline Root CA. We have our Root CA in a VM and it is offline. Is it suggested to bring the root CA online once a month to do the patching and anti-virus update? We have heard from the Microsoft MCS team that some organisations keep their offline Root CA in bank lockers, so I was wondering how they patch their server.
It is mandatory from the organisation's security perspective that we harden all the servers and patch them regularly. I need to have a proper process in place for the same.

Thanks and Regards,

Sukhwinder Singh

"Brian Komar" wrote:

Then you must follow your policy.
If you state that the root CA publishes its CRL every 6 months (or whatever your publication schedule is), you should be able to add patching as a day-prior-to-CRL-publication task, and perform all patching the day prior to CRL publication. This is a common process at many of my clients. They do not bring the root CA up just to apply patches as a separate event. They do the patching as a preceding event to the CRL publication.
Brian
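A concrete form of the process Brian describes (patching as the event that precedes CRL publication, not a separate one), written as an added example for this thread rather than taken from any of the posts: a PowerShell script run at the console of the root CA while it has no network adapter attached. It assumes an elevated session on Windows Server with AD CS, and that the updates (*.msu) and the Defender definition package mpam-fe.exe were downloaded and virus-scanned on another machine and copied to removable media mounted as E:\. The drive letter, directory names and log layout are assumptions; the certutil switches and wusa.exe exit codes are standard.

```powershell
<#
  Added example (not from the original posts): one maintenance event for an
  offline root CA, run at its console with no network attached. Patching comes
  first, CRL publication second. Assumed: elevated PowerShell on Windows Server
  with AD CS; *.msu updates and mpam-fe.exe were fetched and virus-scanned on
  another machine and copied to removable media at E:\. Drive letter, directory
  names and log layout are assumptions.
#>
param([switch]$SkipPatching)   # re-run with -SkipPatching after a required reboot
$ErrorActionPreference = 'Stop'

$Media    = 'E:\'
$PatchDir = Join-Path $Media 'patches'
$LogDir   = Join-Path $Media 'ceremony-log'
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir "run-$Stamp.log"

# 1. Record the starting state; the CPS audit trail wants evidence of what changed.
Get-HotFix | Sort-Object InstalledOn |
    Export-Csv (Join-Path $LogDir "hotfix-before-$Stamp.csv") -NoTypeInformation
certutil -getreg CA\CRLPeriodUnits | Add-Content $Log
certutil -getreg CA\CRLPeriod      | Add-Content $Log

if (-not $SkipPatching) {
    # 2. Install every .msu from the scanned media. wusa.exe exit codes:
    #    0 installed, 3010 installed and reboot required,
    #    2359302 (0x240006, WU_S_ALREADY_INSTALLED) nothing to do.
    $RebootNeeded = $false
    foreach ($msu in Get-ChildItem -Path $PatchDir -Filter '*.msu' | Sort-Object Name) {
        $p = Start-Process -FilePath 'wusa.exe' `
             -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
        switch ($p.ExitCode) {
            0       { Add-Content $Log "$($msu.Name): installed" }
            3010    { Add-Content $Log "$($msu.Name): installed, reboot required"; $RebootNeeded = $true }
            2359302 { Add-Content $Log "$($msu.Name): already installed" }
            default { throw "$($msu.Name) failed with exit code $($p.ExitCode)" }
        }
    }

    # 3. Refresh anti-virus definitions from the same media (Defender shown;
    #    use the vendor's offline definition installer for other products).
    $Defs = Join-Path $Media 'mpam-fe.exe'
    if (Test-Path $Defs) { Start-Process -FilePath $Defs -ArgumentList '-q' -Wait }

    if ($RebootNeeded) {
        Add-Content $Log 'Reboot required; re-run this script with -SkipPatching afterwards.'
        Restart-Computer -Force
        exit
    }
}

# 4. Publish a new base CRL. CertSvc must be running; certutil -crl writes the
#    CRL to the CA's local CDP path (default: %windir%\System32\CertSrv\CertEnroll).
Start-Service CertSvc
certutil -crl | Add-Content $Log
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }
$Crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($Crl.LastWriteTime -lt (Get-Date).AddMinutes(-10)) {
    throw "No fresh CRL in CertEnroll; newest is $($Crl.FullName) from $($Crl.LastWriteTime)"
}

# 5. Show ThisUpdate/NextUpdate so the operator can confirm the validity window
#    reaches past the next scheduled ceremony, and keep them in the log.
$Fields = certutil -dump $Crl.FullName | Select-String -Pattern 'ThisUpdate|NextUpdate'
$Fields | Add-Content $Log
$Fields

# 6. Stage the CRL and its hash on the media. On the issuing CA it is then
#    published to AD with "certutil -dspublish -f <file>.crl" and copied to the
#    HTTP CDP named in the root certificate.
Copy-Item $Crl.FullName -Destination (Join-Path $Media $Crl.Name) -Force
Get-FileHash (Join-Path $Media $Crl.Name) -Algorithm SHA256 |
    Format-List | Out-String | Add-Content $Log
Get-HotFix | Sort-Object InstalledOn |
    Export-Csv (Join-Path $LogDir "hotfix-after-$Stamp.csv") -NoTypeInformation
```

The interval the script relies on is whatever the CPS fixes: `certutil -setreg CA\CRLPeriodUnits 6` with `certutil -setreg CA\CRLPeriod "Months"` sets a six-month base CRL, and `CA\CRLOverlapUnits` with `CA\CRLOverlapPeriod` adds the margin that keeps the previous CRL valid if the ceremony date slips. Step 5 is the check that matters most: a CRL whose NextUpdate falls before the next planned ceremony means the issuing CA's chain will fail revocation checking in between, and that is a far more common outage than anything a missed patch on an isolated VM causes.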