Securing PKI: Appendix F: List of Recommendations by Impact Level


Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012

Below is a complete list of all recommendations made throughout this paper, classified according to the impact levels defined in "Determining the Level of Protection Required of the CA" (High External, High Internal, Medium). Recommendations are grouped by the chapter in which they were made. Some recommendations are strategic in nature and require planning and potentially redesign to implement, while others are tactical and focused on specific components and infrastructure.

Planning a CA Hierarchy

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Do not use a one-tier hierarchy | Strategic | High Internal |
| Plan for upcoming PKI use cases as part of the initial design | Strategic | Medium |

Physical Security

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Leverage existing data center controls for physical security where possible | Strategic | Medium |
| Track and audit requests for physical access to PKI assets | Tactical | High Internal |
| Use biometrics as an authentication mechanism to access PKI assets | Tactical | High Internal |
| Prevent tailgating into sensitive areas where PKI assets are stored | Tactical | High Internal |
| Use alarm systems to detect access to PKI assets | Tactical | High Internal |
| Use cameras to monitor physical access to PKI assets | Tactical | High Internal |
| Geographically separate primary and backup sites | Strategic | High Internal |
| Use obscurity carefully so as not to disclose unnecessary information about PKI assets | Tactical | High Internal |

PKI Process Security

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Develop a Certificate Policy to govern the use of the PKI | Strategic | High External |
| Develop a formal Certification Practice Statement | Strategic | High External |
| Document issuance controls and certificate usage (informal CP/CPS) | Tactical | High Internal |
| Document CA standard operating procedures | Tactical | High Internal |
| Utilize any existing policy structure to store and maintain PKI policy | Tactical | Medium |
| Involve your policy team in the creation of PKI policy | Strategic | High Internal |
| Involve your legal department in policy creation if your PKI may affect external customers or partners | Strategic | High Internal |
| Form a Policy Authority to provide governance for the PKI | Strategic | High Internal |
| Formalize the work performed by the Policy Authority with auditable change control and meeting minutes | Tactical | High Internal |
| Meet regularly as a Policy Authority to review and update the PKI policy | Tactical | High Internal |
| Establish formal PKI roles and responsibilities and assign specific individuals to each role | Tactical | High Internal |
| Provide role-specific training for all individuals responsible for the PKI | Strategic | Medium |
| Vet individuals who fill trusted roles with a comprehensive background check (in accordance with local privacy law) or other mechanism | Strategic | High Internal |
| Perform formal key ceremonies that follow a script and include a witness | Tactical | High Internal |

Technical Controls for Securing PKI

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Create baseline system configurations for CA and RA systems | Tactical | Medium |
| Disable CD-ROM Autoplay | Tactical | Medium |
| Rename local administrator and guest accounts | Tactical | Medium |
| Disable local administrator and guest accounts | Tactical | Medium |
| Use a distinct password for the local administrator account that is not used on other systems | Tactical | Medium |
| Enable the Windows Firewall with Advanced Security and block all traffic that is not required | Tactical | Medium |
| Disable services that are not required for the CA to function | Tactical | Medium |
| Disable LM and NTLMv1 authentication protocols | Tactical | Medium |
| Only install software that is necessary for the CA to perform its function | Tactical | Medium |
| Disable Direct Memory Access (DMA) devices | Tactical | Medium |
| Disable Remote Desktop Services | Tactical | High Internal |
| Do not install additional server roles on Certification Authorities, such as running a CA on a domain controller | Tactical | Medium |
| Use alternate accounts, separate from the standard accounts used on productivity workstations, to manage the PKI | Tactical | Medium |
| Update CAs regularly using update infrastructure separate from what is used to manage the general Windows server/workstation population | Strategic | High Internal |
| Prevent access to the internet from CAs | Tactical | Medium |
| Limit local administrator group membership to only users in trusted roles who manage the PKI | Tactical | Medium |
| Remove Enterprise Admins and Domain Admins from the local administrators group on CAs | Tactical | Medium |
| Eliminate or limit the number of service accounts with administrative rights on CAs and RAs | Tactical | Medium |
| Enable application whitelisting using AppLocker or another third-party application | Tactical | High Internal |
| Use secure administrative hosts or jump hosts to perform remote management tasks | Strategic | High Internal |
| Disable Remote Management Boards on physical servers | Tactical | High Internal |
| Require PKI administrators to use smart cards for all accounts that manage the PKI | Strategic | High Internal |
| Use a Hardware Security Module in offline CAs | Strategic | High Internal |
| Keep offline CAs truly offline; allow only physical access to all components | Tactical | Medium |
| Use only authorized, dedicated devices to transfer files to/from offline CAs | Tactical | Medium |
| Update offline CAs with service packs, security updates specific to CA software, and updates related to system time (time zone changes) | Tactical | Medium |
| Update HSM software and firmware when released | Tactical | Medium |
| Ensure that any activity performed on an offline CA can be traced to an individual, either through individual accounts or through additional auditing and surveillance | Strategic | Medium |
| When virtualizing offline CAs, decouple the guest files from the physical hardware so the hardware can be easily replaced | Tactical | Medium |
| When virtualizing offline CAs, use a dedicated host machine that is secured in a locked rack or safe. If dedicated hardware cannot be used, build a clean host OS each time the CA VMs need to be brought online | Tactical | Medium |
| When virtualizing offline CAs, securely build the VM on the dedicated hardware; do not build it on an online host and migrate it to the dedicated hardware | Tactical | Medium |
| Prior to performing any operations on an offline CA, verify that the system time is correct | Tactical | Medium |
| When virtualizing offline CAs, perform regular backups of hard disk files. Securely store the backups, along with any required software, at a backup site | Tactical | Medium |
| When virtualizing online CAs, limit access to the host to only those who should have access to the PKI | Tactical | High Internal |
| When virtualizing online CAs, use network attached HSMs for key protection | Tactical | High Internal |
| When virtualizing online CAs, continue to take regular CA backups with all data needed to restore the CA | Tactical | Medium |
| If using software keys, protect all key backups (PKCS#12, PFX files) with the same level of protection provided to the CA | Tactical | Medium |
| Do not include backups of the private key as part of the standard backup process. Back up the key(s) as needed and physically protect them by storing them in a safe, within a tamper-evident bag, and audit all access to the backup | Tactical | Medium |
| Do not connect backup systems directly to the CA. Back up the CA to another location which is itself backed up regularly, to eliminate the need for backup software on the CA | Tactical | High Internal |
| Isolate certificate systems from other systems on the network | Strategic | High External |
| Implement “security zones” to isolate certificate systems based on their criticality and relationship to each other | Strategic | High External |
| Only allow inbound and outbound connections that are necessary for the CA and supporting systems to function | Tactical | Medium |
| Restrict access to network HSM devices to only the systems that utilize them | Tactical | High Internal |
| Restrict management access to originate from a limited set of administrative hosts | Strategic | High Internal |
| Control “enroll” access to certificate templates and only provide that access to accounts that require the certificate | Tactical | Medium |
| Remove unused certificate templates from CAs | Tactical | Medium |
| Use additional enrollment controls for templates that allow the requester to specify the subject in the request | Tactical | Medium |
| Do not use the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on any CA without additional issuance controls | Tactical | Medium |
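Several of the technical controls above map to a single registry value or firewall setting on the CA, so their current state can be verified without changing anything. The read-only audit script below is an added example and is not part of the Securing PKI paper; it assumes it is run elevated on a Windows Server 2012 or later CA (Get-NetFirewallProfile is not available on older releases), that the only subkey under CertSvc\Configuration is the CA's own name, and that the default Microsoft policy module is in use.

```powershell
# Added example (not from the Securing PKI paper): read-only check of a few
# "Technical Controls" rows on an AD CS server. Run locally and elevated.
$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000 of EditFlags) must not be set.
#    Assumes a single CA subkey and the default Microsoft policy module.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ChildItem $cfg | Select-Object -First 1).PSChildName
$policy = Join-Path $cfg "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty $policy -Name EditFlags).EditFlags
Add-Check 'EDITF_ATTRIBUTESUBJECTALTNAME2 not set' (($editFlags -band 0x40000) -eq 0) ('EditFlags=0x{0:X}' -f $editFlags)

# 2. LM and NTLMv1 disabled: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm  = (Get-ItemProperty $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
Add-Check 'LM/NTLMv1 refused (LmCompatibilityLevel=5)' ($lm -eq 5) "LmCompatibilityLevel=$lm"

# 3. Remote Desktop Services disabled (fDenyTSConnections = 1).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections
Add-Check 'Remote Desktop disabled' ($rdpDenied -eq 1) "fDenyTSConnections=$rdpDenied"

# 4. Autoplay disabled for all drive types (NoDriveTypeAutoRun = 0xFF).
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun  = (Get-ItemProperty $explorer -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'Autoplay disabled for all drives' ($autorun -eq 0xFF) "NoDriveTypeAutoRun=$autorun"

# 5. Windows Firewall enabled on every profile (Domain, Private, Public).
$fw = Get-NetFirewallProfile
$disabled = $fw | Where-Object { "$($_.Enabled)" -ne 'True' }
Add-Check 'Firewall enabled on all profiles' (-not $disabled) (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# 6. Enterprise Admins / Domain Admins must not be in the local Administrators group.
$members    = net localgroup Administrators
$privileged = $members | Where-Object { $_ -match 'Enterprise Admins|Domain Admins' }
Add-Check 'EA/DA absent from local Administrators' (-not $privileged) ($privileged -join ', ')

$results | Format-Table -AutoSize
```

A row with Pass = False points at the recommendation in the table above that still needs attention; the script changes nothing itself.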

Planning Certificate Algorithms and Usages

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Use key lengths of 2048 bits or more for RSA keys | Strategic | Medium |
| If using ECC for CA keys, use the P-256, P-384 or P-521 curves | Strategic | Medium |
| Use RSA 4096 for CA certificates that expire more than 15 years in the future | Strategic | Medium |
| Use the SHA-2 family of hash algorithms | Strategic | Medium |
| Root CA certificates should not be valid for more than 25 years | Strategic | Medium |
| Issuing CA certificates should not be valid for more than 5 years | Strategic | Medium |
| Renew an issuing CA certificate once before replacing the key pair | Strategic | Medium |
| Use certificate expiration events in Windows 8 and Windows Server 2012 and above to assist in expiration notification | Strategic | Medium |
| Match the strength of asymmetric key algorithms with the strength of the hash algorithm | Strategic | Medium |
| Use the correct key usage for each certificate use case | Strategic | Medium |
| Determine the extended key usages for each PKI use case | Strategic | Medium |
| Constrain issuing CAs (use the path length constraint to ensure that the CA can only issue end-entity certificates, and limit application policies) | Strategic | Medium |

Protecting CA Keys and Critical Artifacts

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| If using network HSMs for offline CAs, do not connect the HSM to a routable network | Tactical | High Internal |
| Create enough HSM tokens to account for disaster recovery | Strategic | Medium |
| Use tamper-evident containers/packaging to store PKI artifacts such as HSM tokens or backup data | Tactical | High Internal |
| Store PKI artifacts in a climate controlled location | Tactical | Medium |
| Maintain an auditable chain of custody of PKI artifacts | Strategic | High Internal |
| Maintain an inventory of PKI artifacts | Strategic | High Internal |

Monitoring Public Key Infrastructure

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Monitor Active Directory for changes to groups that control access to CAs, membership in the “Cert Publishers” group, changes to privileged and VIP accounts, and unauthorized changes to certificate templates | Tactical | High Internal |
| Record and review physical access events | Tactical | High Internal |
| Record and review all physical access to HSMs | Tactical | High Internal |
| Record and review logs from network equipment that supports the PKI | Tactical | High Internal |
| Record and review physical access to PKI artifacts, such as access to safes | Tactical | High Internal |
| Configure Windows audit policy to enable auditing for Certification Services | Tactical | Medium |
| Monitor changes to the CA registry | Tactical | High Internal |
| Monitor for changes to certificate templates | Tactical | High Internal |

Compromise Response

| Recommendation | Tactical or Strategic | Impact Level |
| --- | --- | --- |
| Identify critical systems and processes that are dependent on the PKI | Strategic | Medium |
| Develop a basic plan of action for compromise before a compromise occurs | Strategic | Medium |

See Also

Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix A: Events to Monitor
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012