is it true...


Gunna

Guest
that an Enterprise Root CA has to be a domain controller? What about subordinates?

 

Paul Adare

Guest
On Tue, 8 Apr 2008 17:18:04 -0700, Gunna wrote:

> that an Enterprise Root CA has to be a domain controller? What about
> subordinates?

Absolutely not true. In fact, if you follow good security practices where you want to reduce the attack surface on your core infrastructure servers, a domain controller should only ever be a domain controller, and a CA should only ever be a CA.

--

Paul Adare

http://www.identit.ca

Shift to the left! Shift to the right! Pop up, push down, byte, byte,

byte!

 

Dobromir Todorov

Guest
.... plus following the same good security practices, your Root CA should be offline, while an offline domain controller isn't any good nowadays...

--

---

HTH,

Dobromir

Learn more about Security and Identity Management:

Visit http://www.iamechanics.com

"Paul Adare" <pkadare@gmail.com> wrote in message news:1tj95axsmmjus.1997pdyfpo2mj.dlg@40tude.net...

> On Tue, 8 Apr 2008 17:18:04 -0700, Gunna wrote:
>
>> that an Enterprise Root CA has to be a domain controller? What about
>> subordinates?
>
> Absolutely not true. In fact, if you follow good security practices where
> you want to reduce the attack surface on your core infrastructure servers,
> a domain controller should only ever be a domain controller, and a CA
> should only ever be a CA.
>
> --
> Paul Adare
> http://www.identit.ca
> Shift to the left! Shift to the right! Pop up, push down, byte, byte,
> byte!

 