PKI Core Roles

• Enabling strong network user authentication by using smart cards
• Helping to ensure the confidentiality and integrity of transmitted data by using IPsec
• Helping to ensure the confidentiality of stored data by using EFS
• Helping to secure e-mail by using S/MIME encryption and digital signatures
• Helping to secure Web connections by using SSL or Transport Layer Security (TLS)
• Helping to facilitate secure relationships with business partners

The common factor for supporting these security technologies was the implementation of a PKI.

...

A Windows Server PKI features:

• Certificate Services. Certificate Services enables an enterprise to issue and manage X.509 version 3.0 certificates and implement its own PKI.
• Public key–enabled applications and services. These include Internet Information Services (IIS), Windows Internet Explorer, Microsoft Office Outlook® messaging and collaboration client and Microsoft Outlook Express, EFS, IPsec, and smart card logon.
• Integration with the Active Directory® directory service. An enterprise can use Active Directory as a publication point for CAs and issued certificates. Active Directory and the account authentication mechanism can also effectively serve as the registration authority, controlling who is able to enroll for what type of certificates based on account credentials.
• Autoenrollment. An enterprise can use Group Policy to configure automatic certificate enrollment for Active Directory computer account objects.
• Smart card logon support. An enterprise can use smart cards for interactive logons as well as for certificate and key storage.
• Public key policies in Group Policy. PKI Group Policy enables administrators to define and control various aspects of PKI use within the domain, including root trust, EFS data recovery, and autoenrollment for computer accounts.

...

Requiring 3 Smart Cards for High Level Security

Microsoft IT created security worlds with administrative card sets composed of six smart cards, any three of which were required to perform administrative functions. The administrative cards were needed whenever a new CA was brought online and added to the associated security world. Two cards were distributed to the Legal and Corporate Affairs department, two others were distributed to a separate internal auditing team, and the final two were retained by the IT Security team in Microsoft IT. The requirement of three smart cards provided role separation and guaranteed that performing such high-level functions required the involvement of members from at least two of these three groups.

Read the whole white paper @> IT Showcase: Deploying PKI Inside Microsoft