Credential roaming best practices
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Certificates and private keys are important elements of an organization's security infrastructure. Consider the following best practices and other considerations when planning and implementing credential roaming:
Credential roaming is supported for clients running Windows Server 2003 with Service Pack 1 (SP1). Credential roaming is supported on domain controllers running Windows 2000 Service Pack 3 or later or Windows Server 2003. Mixed environments containing domain controllers running Windows 2000 SP3 or later and Windows Server 2003 are also supported. The forest functional level can be either Windows 2000 or Windows Server 2003.
An update that enables credential roaming on clients running Windows XP Professional with SP2 was recently made available, and an update is also available for Windows Server 2003 SP1.
Note
- For the best performance and security, it is recommended that the servers be upgraded to Windows Server 2003 SP1.
Organizations should not enable both roaming user profiles and credential roaming for the same user. Although the two capabilities are not mutually exclusive, unexpected results can occur if both are used by a given user. For example, if certificates and private keys are stored both in Active Directory and as part of the user's roaming user profile, the user might end up using the less current versions.
Note
- For more information about configuring roaming user profiles, see Implementing Roaming User Profiles in the Windows Server 2003 Deployment Kit.
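The following added example (not part of the original article) audits Active Directory for user accounts that combine the two features the article advises against: a roaming user profile (the user's profilePath attribute is set) together with roamed credentials. It assumes the ActiveDirectory PowerShell module, an account permitted to read the listed attributes, a placeholder search base, and that the msPKIAccountCredentials attribute is where credential roaming stores the user's roamed certificates and keys; it only tests whether that attribute is populated and never reads its contents out.

```powershell
# Added example: find users who have BOTH a roaming user profile and roamed
# credentials in Active Directory. Assumptions: the ActiveDirectory module is
# installed, profilePath holds the roaming profile path, and
# msPKIAccountCredentials is populated for users with roamed credentials.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,DC=example,DC=com'   # placeholder; adjust to your domain

# Only users with a roaming profile path are candidates for a conflict.
$conflicts = Get-ADUser -Filter 'profilePath -like "*"' -SearchBase $searchBase `
        -Properties profilePath, msPKIAccountCredentials |
    Where-Object { $_.msPKIAccountCredentials -and $_.msPKIAccountCredentials.Count -gt 0 } |
    Select-Object SamAccountName, profilePath,
        @{ Name = 'RoamedCredentialEntries'; Expression = { $_.msPKIAccountCredentials.Count } }

if (@($conflicts).Count -gt 0) {
    Write-Warning ('{0} user(s) have both a roaming user profile and roamed credentials' -f @($conflicts).Count)
    $conflicts | Format-Table -AutoSize
} else {
    Write-Output 'No users combine roaming user profiles with credential roaming.'
}
```

Each account reported should have one of the two features removed so that the user is not left working with stale certificates and keys.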
Credential roaming does not provide complete protection for certificates and private keys if they are accidentally deleted by a user. Use certificate and key archival and recovery to protect credentials from accidental deletion. For more information, see Key archival and recovery.
Credentials such as enrollment agent certificates that require very strong protection of private keys should not be used in conjunction with credential roaming; instead, these credentials should be stored on smart cards and usage of the smart card should be required each time the user logs on.
Organizations that are concerned about keys being left on computers that might be stolen and subjected to brute-force attacks should seriously consider whether to implement credential roaming for their most sensitive users and data. If the benefits of credential roaming outweigh the potential risks, they can use Group Policy to configure the user's profile so that the profile, including the certificates and private keys, is deleted at logoff. For more information, see Using User Profiles. Alternatively, require smart cards to be used for every logon.
If Encrypting File System (EFS) is used, it is recommended that the data recovery agent (DRA) certificate and private key not be imported into the end user's account profile. Importing DRA certificates into the user's account profile would unintentionally roam the DRA key and certificate to the user's account in Active Directory. It is a best practice to use a dedicated DRA or separate user account for the purposes of EFS data recovery. In addition, DRA keys should never be imported into a non-administrator account.
Organizations that are concerned about an administrator resetting a user's password and logging on to the system as that user to steal or use the user's keys should use smart cards or strong private key protection to prevent this from happening.
Credential roaming is not supported for users whose accounts are migrated from one domain to another. The user must export all keys and certificates before the account is migrated and then reimport all keys and certificates after the account has been migrated to the new domain.