Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"

Microsoft Corporation
Published (for Beta 2): May 2006
Updated: August 2006
Updated for Beta 3: May 2007

Abstract

Certificate settings in Group Policy in the Windows Server Code Name "Longhorn" Beta operating system allow you to manage the settings for certificate path discovery and validation using Group Policy objects. This guide includes system requirements, installation instructions, and step-by-step instructions for enforcing trust management decisions and managing certificate settings according to your organization's security requirements.

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, SharePoint, Windows, Windows NT, Windows Server, are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

- Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
- What is Certificate Settings in Group Policy?
- In This Guide
- Scenario 1: Managing Trusted Root Certificates
- Scenario 2: Managing Trusted Publishers
- Scenario 3: Deploying Intermediate CA Certificates
- Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
- Scenario 5: Handling Large Certificate Revocation Lists
- Scenario 6: Extending Expiration Times for CRLs and OCSP responses
- Additional Resources

Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"

This step-by-step guide provides the instructions that you need to set up certificate settings in Group Policy in a test lab environment. We recommend that you do not use this guide in a production environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server Code Name "Longhorn" operating system features without additional documentation (as listed in the Additional Resources section) and should be used with discretion as a stand-alone document.

What is Certificate Settings in Group Policy?

As X.509 public key infrastructures become more prominent in applications and a foundation of trust management, many organizations need more options to manage certificate path discovery and path validation settings. Previous versions of Windows operating systems did not have tools to customize certificate settings. Certificate settings in Group Policy provide this ability in the Windows Server Code Name "Longhorn" Beta operating system. It enables you to manage the certificate validation settings according to the security needs of your organization.

You can use certificate settings in Group Policy to control certificate validation and path discovery settings for your environment. These settings include ways to manage certificates used by client computers in the domain, revocation policies, and network retrieval settings.

What's new in certificate settings in Group Policy?

Certificate settings in Group Policy allow you to easily configure and manage certificate validation settings. With these settings, you can effectively perform a variety of tasks, such as:

- Deploy intermediate certification authority (CA) certificates for all computers in a domain
- Block certificates that are not trusted by the security policy
- Manage certificates used for code signing
- Configure the retrieval settings for certificates and certificate revocation lists (CRLs).

The following image is a screenshot of the Group Policy Management console. In the Group Policy Management console, you can find the certificate settings under Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

The Windows Server Code Name "Longhorn" certificate settings in Group Policy now include four new Group Policy stores:

- Intermediate Certification Authorities
- Trusted Publishers
- Untrusted Certificates
- Trusted People

The Certificate Path Validation Settings object is also new and includes options to configure path validation settings, such as network retrieval timeouts and revocation settings.

Who should use certificate settings in Group Policy?

This guide is intended for the following audiences:

- IT planners and analysts who are evaluating the product
- Security architects who are responsible for implementing Trustworthy Computing
- Security administrators who run public key infrastructure (PKI) enabled applications in their environment

Benefits of certificate settings in Group Policy

You can use the certificate settings in Group Policy to manage the certificate settings on all the computers in the domain from a central location. For example, in situations where certain intermediate CA certificates expire and clients cannot automatically retrieve the certificate, you can now deploy these certificates on client computers by using Group Policy. In addition, you can use certificate settings in Group Policy to ensure that users never download code signed by unapproved publisher certificates. You can also configure network timeouts to better control the chain building timeouts for large CRLs and use revocation settings to extend CRL expiration times if a delay in publishing a new CRL is affecting applications.

This guide will help you understand the key scenarios of these new certificate settings and how to enable them to use the settings effectively.

In This Guide

The purpose of this guide is to help administrators become familiar with the Certificate settings in Group Policy in Windows Server Code Name "Longhorn."

- Scenario 1: Managing Trusted Root Certificates
- Scenario 2: Managing Trusted Publishers
- Scenario 3: Deploying Intermediate CA Certificates
- Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
- Scenario 5: Handling Large Certificate Revocation Lists
- Scenario 6: Extending Expiration Times for CRLs and OCSP Responses
- Additional Resources

Scenario 1: Managing Trusted Root Certificates

In this scenario, you are responsible for management of the security environment for your domain, and you want to completely manage trust and disallow users in the domain to configure their own set of trusted root certificates and peer trust certificates. You can easily enable this setting by using the Stores tab in Certificate Path Validation Settings.

Before you start

- You should have a computer configured as domain controller and a client computer joined to the domain
- Group Policy Management Microsoft Management Console (MMC) snap-in must be installed on the domain controller
- PKI must be setup on the domain
- You must be logged on as a member of the Domain Admins group

To prevent users from managing certificate trust

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   - If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   - If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Stores tab.
6. Check Define these policy settings.
7. Clear the Allow user trusted root CAs to be used to validate certificates option in the Per User Certificate Stores section.
8. Clear the Allow users to trust peer trust certificates option in the Per user certificate stores section.
9. Select the root CAs that the client computers can trust in the Root certificate stores section.
10. Click OK to apply the new setting.

The following figure is a screenshot of the Stores tab on the Certificate Path Validation Settings Properties page.

Scenario 2: Managing Trusted Publishers

In this scenario, you are responsible for managing the security environment of your domain. The security policy of your company requires that only the administrators can add certificates used for code signing. You can easily reflect this setting using the Trusted Publishers user interface.

Before you start

- You should have a computer configured as domain controller and a client computer joined to the domain
- Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be setup on the domain
- You must be logged on as a member of the Domain Admins group.

This scenario includes two parts:

- Configuring Trusted Publishers
- Configuring who can manage certificates that are used for code signing

To configure Trusted Publishers policy

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   - If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   - If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select the Trusted Publishers tab.
5. Implement the changes you desire, click Apply if you wish to make additional changes, and OK when you are done making changes.

To allow only administrators to manage certificates used for code signing

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   - If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   - If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select the Trusted Publishers tab.
5. In the Adding Trusted Publishers section, select Allow only all administrators to manage Trusted Publishers.
6. Click Apply to apply the new settings, and OK when you are done making changes.

The following figure is a screenshot of the Trusted Publishers tab on the Certificate Path Validation Settings Properties page.

Scenario 3: Deploying Intermediate CA Certificates

In this scenario, you are responsible for managing the security environment of your domain. You are encountering errors in certificate chain building due to expired intermediate CA certificates. This is affecting revocation checking for your applications. To solve this problem, you need to deploy new intermediate CA certificates on all computers in the domain. You can do this easily from a central location using certificate settings in Group Policy.

Before you start

- You should have a computer configured as domain controller and a client computer joined to the domain
- Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be setup on the domain
- You must be logged on as a member of the Domain Admins group.

This scenario includes two parts:

- Managing intermediate CA certificates for the domain
- Managing intermediate CA certificates for the local computer

To manage intermediate CA certificates for the domain

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings and click Public Key Policies.
5. Right click on the Intermediate Certification Authorities store. Click Import to import the certificates and follow the steps in the Certificate Import wizard.

To manage intermediate CA certificates for the local computer

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, click Add. In the option, this snap-in will always manage certificates for, select the Computer Account and then select Local Computer and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right click on the Intermediate Certification Authorities store.
6. Click Import to import the certificates and follow the steps in the Certificate Import wizard.

Scenario 4: Blocking Certificates that are not Trusted According to Group Policy

In this scenario, you are responsible for managing the security environment of your domain. Based on Group Policy requirements, you do not want applications and clients to trust specific certificates. However you cannot revoke these certificates because they are issued by external CAs. You can disallow these untrusted certificates by adding them to the untrusted certificates store. You can now manage the untrusted certificates store using Group Policy.

Before you start

- You should have a computer configured as domain controller and a client computer joined to the domain
- Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be setup on the domain
- You must be logged on as a member of the Domain Admins group.

This scenario includes two parts:

- Blocking certificates for the domain
- Blocking certificates for the local computer

To block certificates for the domain

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy, Computer Configuration, Windows Settings, and Security Settings and click Public Key Policies.
5. Right click on the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import wizard.

To block certificates for the local computer

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, click Add. In the option, this snap-in will always manage certificates for, select the Computer Account and then select Local Computer and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right click on the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import wizard.

Scenario 5: Handling Large Certificate Revocation Lists

In this scenario, you are responsible for managing the security environment of your domain. Your applications encounter frequent failures in retrieving large certification revocation lists (CRLs). Large CRLs fail to download because it takes longer to download them than the default timeout of 15 seconds. You want to configure the default retrieval timeouts to solve this problem. You can easily configure this setting using the Network Retrieval tab of the Certificate Path Validation Settings dialog box.

Before you start

- You should have a computer configured as domain controller and a client computer joined to the domain
- Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be setup on the domain
- You must be logged on as a member of the Domain Admins group.

To increase the retrieval timeout option for large certificate revocation lists

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   - If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   - If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Network Retrieval tab.
6. In the Default retrieval timeout settings section, select the Default URL retrieval timeout (in seconds) option.
7. Enter the desired timeout value.
8. Click OK to apply the new settings.

The following figure is a screenshot of the Network Retrieval tab of the Certificate Path Validation Settings Properties dialog box.

Scenario 6: Extending Expiration Times for CRLs and OCSP responses

In this scenario, you are responsible for managing the security environment of your domain. Network problems prevent you from publishing the latest CRL, which can cause all certificate chain validations to fail. You want to extend the expiration time of the existing CRL or the Online Certificate Status Protocol (OCSP) response to prevent this from happening. You can use the Revocation tab on the Certificate Path Validation Settings dialog box to manage this behavior.

Before you start

- You should have a computer configured as domain controller and a client computer joined to the domain
- Group Policy Management MMC snap-in must be installed on the domain controller
- PKI must be setup on the domain
- You must be a member of the Domain Admins group.

This scenario includes two parts:

- Configuring revocation settings for the local computer
- Extending the validity period for CRL and OCSP responses for the local computer

To configure revocation settings for the local computer

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   - If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   - If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
4. Select the Revocation tab.
5. Select the policy options you want.
6. Click Define these policy settings.
7. Click OK to apply the new setting.

To extend the validity period for CRL and OCSP responses for the local computer

1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   - If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   - If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy Object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Revocation tab.
6. Select the Allow CRL and OCSP responses to be valid longer than their lifetime option. For Time the validity period can be extended, enter the desired value of time (in hours).
7. Click Define these policy settings.
8. Click OK to apply the new setting.

The following figure is a screenshot of the Revocation tab on the Certificate Path Validation Settings Properties dialog box.

Additional Resources

The following resources provide additional information about certificate settings in Group Policy in Windows Server Code Name "Longhorn."

- For help with certificate settings in Group Policy, as with any Microsoft Windows component, please choose one of the support options listed on the Microsoft Help and Support Web site (http://go.microsoft.com/fwlink/?LinkId=76619).
- Domain controller role: Configuring a domain controller (http://go.microsoft.com/fwlink/?LinkId=8955)
- Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkId=89554)
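
A read-only check for the client side of Scenarios 3 and 4, added here as an example and not part of the Microsoft guide: it lists the local computer's copies of the four stores named in the guide, flags expired intermediate CA certificates, and tests whether a given certificate is present in the Untrusted Certificates store. CA, Disallowed, TrustedPublisher and TrustedPeople are the system store names behind the display names used in the guide; the function names and the BlockedThumbprint parameter are this example's own.

```powershell
# Added example (not from the Microsoft guide). Read-only; needs PowerShell 2.0+.
# -BlockedThumbprint is a hypothetical script parameter: pass the thumbprint of
# a certificate you imported into the Untrusted Certificates store (Scenario 4).
param([string]$BlockedThumbprint)

# System store name -> display name used in the guide.
$StoreDisplayName = @{
    'CA'               = 'Intermediate Certification Authorities'
    'TrustedPublisher' = 'Trusted Publishers'
    'Disallowed'       = 'Untrusted Certificates'
    'TrustedPeople'    = 'Trusted People'
}

function Get-MachineStoreCertificate {
    # Returns one object per certificate in a local-computer store.
    param(
        [Parameter(Mandatory = $true)][string]$StoreName,
        [datetime]$AsOf = (Get-Date)
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    try {
        # OpenExistingOnly: fail instead of creating a store that is missing.
        $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
        $store.Open($flags)
        foreach ($cert in $store.Certificates) {
            New-Object PSObject -Property @{
                Store      = $StoreDisplayName[$StoreName]
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt $AsOf)
            }
        }
    }
    finally {
        $store.Close()
    }
}

function Test-CertificateBlocked {
    # True when the thumbprint is present in the Untrusted Certificates store.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Thumbprints copied from the certificate dialog often carry spaces or
    # invisible characters; keep hex digits only before comparing.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $hits = @(Get-MachineStoreCertificate -StoreName 'Disallowed' |
              Where-Object { $_.Thumbprint -eq $wanted })
    return ($hits.Count -gt 0)
}

$all = @(foreach ($name in $StoreDisplayName.Keys) {
    Get-MachineStoreCertificate -StoreName $name
})

# How many certificates each store holds on this computer.
$all | Group-Object Store | Select-Object Name, Count | Format-Table -AutoSize

# Scenario 3 symptom: expired intermediate CA certificates break chain building.
$all | Where-Object { $_.Store -eq $StoreDisplayName['CA'] -and $_.Expired } |
    Sort-Object NotAfter |
    Format-Table NotAfter, Subject, Thumbprint -AutoSize

# Scenario 4 verification: did the blocked certificate reach this client?
if ($BlockedThumbprint) {
    if (Test-CertificateBlocked -Thumbprint $BlockedThumbprint) {
        Write-Output 'Certificate is present in Untrusted Certificates.'
    } else {
        Write-Warning 'Certificate is NOT in Untrusted Certificates on this computer.'
    }
}
```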