Partager via


Securing PKI: Appendix F: List of Recommendations by Impact Level

 

Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012

Below is a complete list of all recommendations made throughout this paper, classified according to the Determining the Level of Protection Required of the CA. Recommendations are broken out according to the chapter in which they were found. Some of the recommendations are strategic in nature, and require planning and potentially redesign to implement, while some are tactical and focused on specific components and infrastructure.

Planning a CA Hierarchy

Recommendation

Tactical or Strategic

Impact Level

Do not use a one-tier hierarchy

Strategic

High Internal

Plan for upcoming PKI uses cases as part of the initial design

Strategic

Medium

Physical Security

Recommendation

Tactical or Strategic

Rating

Leverage existing data center controls for physical security where possible

Strategic

Medium

Track and audit requests for physical access to PKI assets

Tactical

High Internal

Use biometrics as an authentication mechanism to access PKI assets

Tactical

High Internal

Prevent tailgating to sensitive areas where PKI assets are stored

Tactical

High Internal

Use alarm systems to detect access to PKI assets

Tactical

High Internal

Use cameras to monitor physical access to PKI assets

Tactical

High Internal

Geographically separate primary and backup sites

Strategic

High Internal

Use obscurity carefully to not disclose unnecessary information about PKI assets

Tactical

High Internal

PKI Process Security

Recommendation

Tactical or Strategic

Rating

Develop a Certificate Policy to govern the use of the PKI

Strategic

High External

Develop a formal Certification Practice Statement

Strategic

High External

Document issuance controls and certificate usage (informal CP/CPS)

Tactical

High Internal

Document CA standard operating procedures

Tactical

High Internal

Utilize any existing policy structure to store and maintain PKI policy

Tactical

Medium

Involve your policy team in the creation of PKI policy

Strategic

High Internal

Involve your legal department in policy creation if your PKI may affect external customers or partners

Strategic

High Internal

Form a Policy Authority to provide governance for the PKI

Strategic

High Internal

Formalize the work performed by the Policy Authority with auditable change control and meeting minutes

Tactical

High Internal

Meet regularly as a Policy Authority to review and update the PKI policy

Tactical

High Internal

Establish formal PKI roles and responsibilities and assign specific individuals to each roles

Tactical

High Internal

Provide role specific training for all individuals responsible for the PKI

Strategic

Medium

Vet individuals who fill trusted roles with a comprehensive background check (in accordance with local privacy law) or other mechanism

Strategic

High Internal

Perform formal key ceremonies that follow a script and include a witness

Tactical

High Internal

Technical Controls for Securing PKI

Recommendation

Tactical or Strategic

Rating

Create baseline system configurations for CA and RA systems

Tactical

Medium

Disable CD-ROM Autoplay

Tactical

Medium

Rename local administrator and guest accounts

Tactical

Medium

Disable local administrator and guest accounts

Tactical

Medium

Use a distinct password for the local administrator account that is not used on other systems

Tactical

Medium

Enable the Windows Firewall with Advanced Security and block all traffic that is not required

Tactical

Medium

Disable services that are not required for the CA to function

Tactical

Medium

Disable LM and NTLMv1 authentication protocols

Tactical

Medium

Only install software that is necessary for the CA to perform its function

Tactical

Medium

Disable Direct Memory Access (DMA) devices

Tactical

Medium

Disable Remote Desktop Services

Tactical

High Internal

Do not install additional server roles on Certification Authorities, such as running a CA on a domain controller

Tactical

Medium

Use alternate accounts separate from the standard accounts used on productivity workstations to manage the PKI

Tactical

Medium

Update CA regularly using update infrastructure separate from what is used to manage the general Windows server®/workstation population

Strategic

High Internal

Prevent access to the internet from CAs

Tactical

Medium

Limit local administrator group membership to only users in trusted roles who manage the PKI

Tactical

Medium

Remove Enterprise Admins and Domain Admins from local administrators group on CAs

Tactical

Medium

Eliminate or limit the number of service accounts with administrative rights on CAs and RAs

Tactical

Medium

Enable application whitelisting using AppLocker or another third party application

Tactical

High Internal

Use secure administrative hosts or jump hosts to perform remote management tasks

Strategic

High Internal

Disable Remote Management Boards on physical servers

Tactical

High Internal

Require PKI administrators to use smart cards for all accounts that manage the PKI

Strategic

High Internal

Use a Hardware Security Module in offline CAs

Strategic

High Internal

Keep offline CAs truly offline, allow only physical access to all components

Tactical

Medium

Use only authorized, dedicated devices to transfer files to/from offline CAs

Tactical

Medium

Update offline CAs with service packs, security updates specific to CA software, and updates related to system time (time zone changes)

Tactical

Medium

Update HSM software and firmware when released

Tactical

Medium

Ensure that any activity performed on an offline CA can be traced to an individual, either through individual accounts or additional auditing and surveillance

Strategic

Medium

When virtualizing offline CAs, decouple the guest files from the physical hardware so the hardware can be easily replaced

Tactical

Medium

When virtualizing offline CAs, use a dedicated host machine that is secured in a locked rack or safe. If dedicated hardware cannot be used, build a clean host OS each time the CA VMs need to be brought online

Tactical

Medium

When virtualizing offline CAs, securely build the VM on the dedicated hardware, do not build it on an online host and migrate it to the dedicated hardware

Tactical

Medium

Prior to performing any operations on an offline CA, verify the system time is correct.

Tactical

Medium

When virtualizing offline CAs, perform regular backups of hard disk files. Securely store the backups along with any required software at a backup site

Tactical

Medium

When virtualizing online CAs, limit access to the host to only those who should have access to the PKI

Tactical

High Internal

When virtualizing online CAs, use network attached HSMs for key protection

Tactical

High Internal

When virtualizing online CAs, continue to take regular CA backups with all data needed to restore the CA

Tactical

Medium

If using software keys, protect all key backups (PKCS#12, PFX files) with the same level of protection provided to the CA

Tactical

Medium

Do not include backups of the private key as part of the standard backup process. Backup the key(s) as needed and physically protect them by storing in a safe, within a tamper-evident bag and audit all access to the backup

Tactical

Medium

Do not connect backup systems directly to the CA. Backup the CA to another location which is backed up regularly to eliminate the need for backup software on the CA

Tactical

High Internal

Isolate certificate systems from other systems on the network

Strategic

High External

Implement “security zones” to isolate certificate systems based on their criticality and relationship to each other

Strategic

High External

Only allow inbound and outbound connections that are necessary for the CA and supporting systems to function

Tactical

Medium

Restrict access to network HSM devices to only the systems that utilize them

Tactical

High Internal

Restrict management access to originate from a limited set of administrative hosts

Strategic

High Internal

Control “enroll” access to certificate templates and only provide the access to accounts that require the certificate

Tactical

Medium

Remove unused certificate templates from CAs

Tactical

Medium

Use additional enrollment controls for templates that allow you to specify the subject in the request

Tactical

Medium

Do not use the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on any CA without additional issuance controls

Tactical

Medium

Planning Certificate Algorithms and Usages

Recommendation

Tactical or Strategic

Rating

Use 2048 bit and above key length for RSA keys

Strategic

Medium

If using ECC for CA keys, use P-256, P-384 or P-521 curves

Strategic

Medium

Use RSA 4096 for CA certificates that expire more than 15 years in the future

Strategic

Medium

Use the SHA-2 family of hash algorithms

Strategic

Medium

Root CA certificate should not be valid for more than 25 years

Strategic

Medium

Issuing CA certificates should not be valid for more than 5 years

Strategic

Medium

Renew an issuing CA certificate once before replacing the key pair

Strategic

Medium

Use certificate expiration events in Windows 8® and Windows Server 2012® and above to assist in expiration notification

Strategic

Medium

Match the strength of asymmetric key algorithms with the strength of the hash algorithm

Strategic

Medium

Use the correct key usage for each certificate use case

Strategic

Medium

Determine the extended key usages for each PKI use case

Strategic

Medium

Constrain issuing CAs (use the path length constraint to ensure that CA can only issue end-entity certificates and limit application policies)

Strategic

Medium

Protecting CA Keys and Critical Artifacts

Recommendation

Tactical or Strategic

Impact Level

If using network HSMs for offline CAs, do not connect the HSM to a routable network

Tactical

High Internal

Create enough HSM tokens to account for disaster recovery 

Strategic

Medium

Use tamper-evident containers/packaging to store PKI artifacts such as HSM tokens or backup data

Tactical

High Internal

Store PKI artifacts in a climate controlled location

Tactical

Medium

Maintain an auditable chain of custody of PKI artifacts

Strategic

High Internal

Maintain an inventory of PKI artifacts

Strategic

High Internal

Monitoring Public Key Infrastructure

Recommendation

Tactical or Strategic

Impact Level

Monitor Active Directory® for changes groups that control access to CAs, membership in the “Cert Publishers” group, changes to privileged and VIP accounts, and unauthorized changes to certificate templates

Tactical

High Internal

Record and review physical access events

Tactical

High Internal

Record and review all physical access to HSMs

Tactical

High Internal

Record and review logs from network equipment that supports PKI

Tactical

High Internal

Record and review physical access to PKI artifacts, such as access to safes

Tactical

High Internal

Configure Windows® audit policy to enable auditing for Certification Services

Tactical

Medium

Monitor changes to the CA registry

Tactical

High Internal

Monitor for changes to certificate templates

Tactical

High Internal

Compromise Response

Recommendation

Tactical or Strategic

Impact Level

Identify critical systems and processes that are dependent on PKI

Strategic

Medium

Develop a basic plan of action for compromise before a compromise occurs

Strategic

Medium

See Also

Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix A: Events to Monitor
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012