AD CS Security Guidance
Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
It is important to define and implement an Active Directory Certificate Services (AD CS) management model when you develop a certification authority (CA) infrastructure. This management model should complement your existing security management delegation plan and, if necessary, can help you meet Common Criteria requirements for role separation.
To ensure that a single individual cannot compromise public key infrastructure (PKI) services, it is best to distribute management roles across different individuals in your organization.
Implement Role-Based Administration
You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. A role is assigned to a user by granting that user the specific security settings (permissions, group memberships, or user rights) that are associated with the role. A user who has one type of permission, such as the Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as the Issue and Manage Certificates permission, cannot perform.
Note: Role-based administration is supported by both enterprise and stand-alone CAs starting with Windows Server 2003 Enterprise edition CAs.
The following table describes the roles, users, and groups that can be used to implement role-based administration. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.
Roles and groups | Security permission | Description |
CA administrator | Manage CA | Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. These permissions are assigned by using the Certification Authority snap-in. |
Certificate manager | Issue and Manage Certificates | Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in. |
Backup operator | Back up files and directories; Restore files and directories | Perform system backup and recovery. Backup is an operating system feature. |
Auditor | Manage auditing and security log | Configure, view, and maintain audit logs. Auditing is an operating system feature. Auditor is an operating system role. |
Enrollees | Read; Enroll | Enrollees are clients who are authorized to request certificates from a CA. This is not a CA role. |
All CA roles are assigned and modified by members of local Administrators, Enterprise Admins, or Domain Admins. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default. Only local administrators are CA administrators by default on a stand-alone CA. If a stand-alone CA is installed on a server that is joined to an Active Directory domain, domain administrators are also CA administrators.
The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.
Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.
Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user's security permissions, group membership, or user rights.
To set CA administrator and certificate manager security permissions for a CA
- Open the Certification Authority snap-in.
- In the console tree, click the name of the CA.
- On the Action menu, click Properties.
- Click the Security tab, and specify the security permissions.
Roles and activities
Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed.
Activity | CA administrator | Certificate manager | Auditor | Backup operator | Local administrator | Notes |
Install CAs | | | | | X | |
Configure policy and exit modules | X | | | | | |
Stop and start the Active Directory Certificate Services (AD CS) service | X | | | X | | A backup operator can also start and stop the service (see Additional considerations). |
Configure extensions | X | | | | | |
Configure roles | X | | | | | |
Renew CA keys | X | | | | | |
Define key recovery agents | X | | | | | |
Configure certificate manager restrictions | X | | | | | |
Delete a single row in the CA database | X | | | | | |
Delete multiple rows in the CA database (bulk deletion) | X | X | | | | The user must be both a CA administrator and a certificate manager. This activity cannot be performed when role separation is enforced. |
Enable role separation | X | | | | | |
Issue and approve certificates | | X | | | | |
Deny certificates | | X | | | | |
Revoke certificates | | X | | | | |
Reactivate certificates that are placed on hold | | X | | | | |
Renew certificates | | X | | | | |
Enable, publish, or configure certificate revocation list (CRL) schedules | X | | | | | |
Recover archived keys | | X | | | | Only a certificate manager can retrieve the encrypted key data structure from the CA database. The private key of a valid key recovery agent is required to decrypt the key data structure and generate a PKCS #12 file. |
Configure audit parameters | | | X | | | By default, the local administrator holds the system audit user right. |
Audit logs | | | X | | | By default, the local administrator holds the system audit user right. |
Back up the system | | | | X | | By default, the local administrator holds the system backup user right. |
Restore the system | | | | X | | By default, the local administrator holds the system backup user right. |
Read the CA database | X | X | X | X | | By default, the local administrator holds the system audit and system backup user rights. |
Read CA configuration information | X | X | X | X | | By default, the local administrator holds the system audit and system backup user rights. |
Additional considerations
- Enrollees are allowed to read CA properties and CRLs, and can request certificates. On an enterprise CA, a user must have Read and Enroll permissions on the certificate template to request a certificate. CA administrators, certificate managers, auditors, and backup operators have implicit Read permissions.
- An auditor holds the system audit user right.
- A backup operator holds the system backup user right. In addition, the backup operator has the ability to start and stop the Active Directory Certificate Services (AD CS) service.
Assigning roles
The CA administrator for a CA assigns users to the separate roles of role-based administration by applying the security settings required by a role to the user's account. The CA administrator can assign a user to more than one role, but the CA is more secure when each user is assigned to only one role. When this delegation strategy is used, fewer CA tasks can be compromised if a user's account becomes compromised.
To enforce role separation
To enforce role separation on the certification authority (CA), an administrator performs the following steps:
- Open an elevated Command Prompt (CMD).
- Run the following command: CertUtil.exe -setreg CA\RoleSeparationEnabled 1
- Restart Active Directory Certificate Services.
To disable role separation, an administrator performs the following steps:
- Open an elevated Command Prompt (CMD).
- Run the following command: CertUtil.exe -delreg CA\RoleSeparationEnabled
- Restart Active Directory Certificate Services.
Administrator concerns
The default installation setting for a stand-alone CA is to have members of the local Administrators group as CA administrators. The default installation setting for an enterprise CA is to have members of the local Administrators, Enterprise Admins, and Domain Admins groups as CA administrators. To limit the power of any of these accounts, they should be removed from the CA administrator and certificate manager roles when all CA roles are assigned.
As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not individual user accounts.
Note: Membership in the local Administrators group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles.
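The following PowerShell script is an added example, not part of the original guidance. It decodes the CA's security descriptor from the CertSvc registry key to list who holds which CA role, reports whether role separation is enforced, flags principals that hold both the CA administrator and certificate manager roles, and flags the default administrative groups that the section above says to remove once roles are assigned. It assumes it runs on the CA itself with read access to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc; the CA_ACCESS_* bit values are those from certca.h.

```powershell
# Added example, not part of the original guidance: decode the local CA's security
# descriptor to list who holds which CA role, report whether role separation is
# enforced, and flag the default administrative groups that the guidance says to
# remove once roles are assigned. Assumes it runs on the CA with read access to
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active            # name of the active CA
$cfg    = Get-ItemProperty -Path "$base\$caName"

# CA access-mask bits (CA_ACCESS_* in certca.h). The first two are what the Security
# tab shows as "Manage CA" and "Issue and Manage Certificates".
$CaRights = @(
    @{ Bit = 0x001; Role = 'CA administrator' },
    @{ Bit = 0x002; Role = 'Certificate manager' },
    @{ Bit = 0x004; Role = 'Auditor' },
    @{ Bit = 0x008; Role = 'Backup operator' },
    @{ Bit = 0x100; Role = 'Read' },
    @{ Bit = 0x200; Role = 'Enroll' }
)

# The Security value is a self-relative security descriptor stored as REG_BINARY.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($cfg.Security, 0)

$assignments = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne 'AccessAllowed') { continue }     # only Allow ACEs grant a role
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }         # unresolvable SID: show it raw
    $roles = foreach ($r in $CaRights) { if ($ace.AccessMask -band $r.Bit) { $r.Role } }
    [pscustomobject]@{ Principal = $who; Roles = ($roles -join ', '); Mask = $ace.AccessMask; Sid = $ace.SecurityIdentifier }
}
$assignments | Sort-Object Principal | Format-Table Principal, Roles -AutoSize | Out-Host

# RoleSeparationEnabled is the REG_DWORD that "CertUtil -setreg CA\RoleSeparationEnabled 1"
# creates; when it is absent or 0, role separation is not enforced.
if ($cfg.RoleSeparationEnabled -eq 1) { "Role separation on '$caName': enforced" }
else                                  { "Role separation on '$caName': NOT enforced" }

# One role per principal is the recommendation: flag anyone holding both CA administrator
# and certificate manager, and flag the default groups that should be removed from those roles.
$defaultAdmins = @([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid,
                   [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,
                   [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid)
foreach ($a in $assignments) {
    if (($a.Mask -band 0x3) -eq 0x3) {
        "WARNING: $($a.Principal) is both CA administrator and certificate manager"
    }
    if (($a.Mask -band 0x3) -and ($defaultAdmins | Where-Object { $a.Sid.IsWellKnown($_) })) {
        "NOTE: default group $($a.Principal) still holds a CA management role"
    }
}
```

Run it before and after enforcing role separation: the role listing should show exactly one management role per group, and no warnings.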
Restrict Certificate Managers
A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.
When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.
This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure.
To configure certificate manager restrictions for a CA
- Open the Certification Authority snap-in, and right-click the name of the CA.
- Click Properties, and then click the Security tab.
- Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
- Click the Certificate Managers tab.
- Click Restrict certificate managers, and verify that the name of the group or user is displayed.
- Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
- Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
- If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
- When you are finished configuring certificate manager restrictions, click OK or Apply.
Establish Restricted Enrollment Agents
An enrollment agent is a user who can enroll for a certificate on behalf of another client. Unlike a certificate manager, an enrollment agent can only process the enrollment request and cannot approve pending requests or revoke issued certificates.
Windows Server 2008 includes three certificate templates that enable different types of enrollment agents:
- Enrollment Agent. Used to request certificates on behalf of another subject.
- Enrollment Agent (Computer). Used to request certificates on behalf of another computer subject.
- Exchange Enrollment Agent (Offline Request). Used to request certificates on behalf of another subject and supply the subject name in the request. This template is used by the Network Device Enrollment Service for its enrollment agent certificate.
When you create an enrollment agent, you can further refine the agent's ability to enroll for certificates on behalf of others by group and by certificate template. For example, you might want to implement a restriction that the enrollment agent can only enroll for smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.
This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
Important: You can only apply enrollment agent restrictions starting with Windows Server 2008–based CAs. Enrollment agent policy must also be configured properly.
You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure.
To configure enrollment agent restrictions for a CA
- Open the Certification Authority snap-in, right-click the name of the CA, and then click Properties.
- Click the Enrollment Agents tab, click Restrict enrollment agents, and click OK on the message that appears.
- Under Enrollment agents, click Add, type the names of the users or groups that you want to configure, and then click OK. Click Everyone, and then click Remove.
- Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to be able to enroll from, and then click OK. Repeat this step until you have selected all certificate templates that you want to enable for this enrollment agent. When you have finished adding the names of certificate templates, click <All>, and then click Remove.
- Under Permissions, click Add, type the names of the users or groups for whom you want the enrollment agent to manage the defined certificate types, and then click OK. Click Everyone, and then click Remove.
- If you want to block the enrollment agent from managing certificates for a user, computer, or group, under Permissions, select this user, computer, or group, and then click Deny.
- When you are finished configuring enrollment agent restrictions, click OK or Apply.
Note: The user or group to which you applied enrollment agent restrictions must hold a valid enrollment agent certificate from the CA before they can act as an enrollment agent, regardless of whether enrollment agent restrictions have been configured.
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification authority (CA):
- Back up and restore the CA database
- Change the CA configuration
- Change CA security settings
- Issue and manage certificate requests
- Revoke certificates and publish certificate revocation lists (CRLs)
- Store and retrieve archived keys
- Start and stop Active Directory Certificate Services (AD CS)
Important: To audit events, the computer must also be configured for auditing of object access. Enable both Success and Failure auditing to capture all events. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies. Ensure that someone will regularly review and archive the event logs.
To configure CA event auditing
- Open the Certification Authority snap-in.
- In the console tree, click the name of the CA.
- On the Action menu, click Properties.
- On the Auditing tab, click the events you want to audit, and then click OK.
- On the Action menu, point to All Tasks, and then click Stop Service.
- On the Action menu, point to All Tasks, and then click Start Service.
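The following PowerShell script is an added example, not part of the original guidance. It reads the CA's AuditFilter registry value, which is the bitmask behind the check boxes on the Auditing tab, reports which of the seven categories above are enabled, and shows the Object Access audit policy the CA events depend on. It assumes it runs on the CA with read access to the CertSvc configuration key; the bit-to-category mapping follows the AUDIT_FILTER_* names certutil prints for this value, which you can confirm with certutil -getreg CA\AuditFilter.

```powershell
# Added example, not part of the original guidance: show which of the seven CA audit
# categories are enabled on the local CA by decoding its AuditFilter registry value,
# then show the Object Access audit policy those events depend on.
# Assumes it runs on the CA with read access to the CertSvc configuration key.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active
$cfg    = Get-ItemProperty -Path "$base\$caName"

# AuditFilter is a REG_DWORD bitmask, one bit per check box on the Auditing tab. The
# assignment below follows the AUDIT_FILTER_* names that "certutil -getreg CA\AuditFilter"
# prints when decoding the value (127 = all seven enabled).
$AuditCategories = @(
    @{ Bit = 0x01; Name = 'Start and stop Active Directory Certificate Services' },
    @{ Bit = 0x02; Name = 'Back up and restore the CA database' },
    @{ Bit = 0x04; Name = 'Issue and manage certificate requests' },
    @{ Bit = 0x08; Name = 'Revoke certificates and publish CRLs' },
    @{ Bit = 0x10; Name = 'Change CA security settings' },
    @{ Bit = 0x20; Name = 'Store and retrieve archived keys' },
    @{ Bit = 0x40; Name = 'Change the CA configuration' }
)
$filter = [int]$cfg.AuditFilter     # value absent -> $null -> 0: nothing is audited

$missing = foreach ($c in $AuditCategories) {
    $on = [bool]($filter -band $c.Bit)
    "{0,-8} {1}" -f $(if ($on) { 'enabled' } else { 'MISSING' }), $c.Name | Out-Host
    if (-not $on) { $c.Name }
}

if ($missing) {
    "`nNot every CA event is audited. To enable all seven categories and restart the service:"
    "  certutil -setreg CA\AuditFilter 127"
    "  Restart-Service certsvc"
}

# CA audit events reach the Security log only when Object Access auditing is enabled;
# with advanced audit policy the relevant subcategory is "Certification Services".
auditpol /get /subcategory:"Certification Services"
```

An AuditFilter of 127 with both Success and Failure enabled for the subcategory is the configuration the procedure above produces when every event is selected.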
Send E-mail When a Certification Event Occurs
The following procedure configures a certification authority (CA) to send e-mail when a certification event occurs.
Membership in Domain Admins or local Administrators, or equivalent, is the minimum required to complete this procedure.
To send e-mail when a certification event occurs
At an elevated command prompt, type:
certutil -setreg exit\smtp\smtpserver <ServerName>
certutil -setreg exit\smtp\eventfilter +<Event>
The following tables explain the command values and options available for this procedure.
Value | Description |
certutil | The name of the command-line tool. |
-setreg | Modifies the registry. |
exit\smtp\smtpserver | The registry value that contains the name of the Simple Mail Transfer Protocol (SMTP) server. |
exit\smtp\eventfilter | The registry value that contains the list of events that the CA should monitor. When any of these events occur, the CA will send e-mail. |
+ | Indicates that, if there are current entries stored in this registry value, this entry should be appended to them. |
Event | Specifies the event to add to the list of events for the CA to monitor. An event can be any value in the following table. |
Event value | Description |
ExitEvent_CertIssued | Specifies the action of issuing a certificate. |
ExitEvent_CertPending | Specifies the action of a certificate request being received by the CA and set to pending. |
ExitEvent_CertDenied | Specifies the action of a certificate request being received by the CA and that request being denied. |
ExitEvent_CertRevoked | Specifies the action of a revocation of an existing certificate. |
ExitEvent_CRLIssued | Specifies the action of a certificate revocation list (CRL) being issued. |
ExitEvent_Startup | Specifies the action of the CA during startup. |
ExitEvent_Shutdown | Specifies the action of the CA during shutdown. |
Additional considerations
- To open a command prompt, click Start, point to All Programs, click Accessories, and then click Command Prompt.
- When the ExitEvent_CRLIssued, ExitEvent_Startup, and ExitEvent_Shutdown events occur, the CA has no e-mail address to send to, because no user is associated with these events. Therefore, an e-mail address must be configured explicitly when using these events. To configure the e-mail address to send e-mail when these events occur, type the following certutil commands at a command prompt:
certutil -setreg exit\smtp\CRLIssued\To <E-mailString>
certutil -setreg exit\smtp\Startup\To <E-mailString>
certutil -setreg exit\smtp\Shutdown\To <E-mailString>
E-mailString specifies an e-mail address or a string of e-mail addresses that are separated by semicolons.
- If the SMTP server is not set to accept anonymous connections, the CA must be configured to provide a user name and password when it connects. To configure the CA to authenticate with the SMTP server, type the following certutil commands at a command prompt:
certutil -setreg exit\smtp\SMTPAuthenticate 1
certutil -setsmtpinfo <UserName>
UserName specifies the user name of a valid account on the SMTP server. You will be prompted to provide the password for this user name.
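The following PowerShell script is an added example, not part of the original guidance. It reads back the SMTP exit module settings that the certutil commands above write and reports gaps, in particular monitored events that carry no requester and therefore need an explicit To address. It assumes the CA uses the default exit module, whose exit\smtp settings live under ExitModules\CertificateAuthority_MicrosoftDefault.Exit\SMTP beneath the CA's configuration key, and that EventFilter is stored as the EXITEVENT_* bitmask from certexit.h; both are assumptions to confirm with certutil -getreg exit\smtp\ on your CA.

```powershell
# Added example, not part of the original guidance: read back the SMTP exit module
# settings and report gaps, especially monitored events that have no recipient.
# Assumptions: the default exit module is in use, its "exit\smtp" settings live under
# the registry path built below, and EventFilter holds the EXITEVENT_* bitmask.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active
$smtp   = "$base\$caName\ExitModules\CertificateAuthority_MicrosoftDefault.Exit\SMTP"
$cfg    = Get-ItemProperty -Path $smtp -ErrorAction SilentlyContinue
if (-not $cfg) { "No SMTP exit module settings found under $smtp"; return }

# Event bits as stored in EventFilter. Key names the <Event>\To subkey for the three
# events that have no requester and so only send mail when an explicit To is set.
$Events = @(
    @{ Bit = 0x01; Name = 'ExitEvent_CertIssued';  Key = $null },
    @{ Bit = 0x02; Name = 'ExitEvent_CertPending'; Key = $null },
    @{ Bit = 0x04; Name = 'ExitEvent_CertDenied';  Key = $null },
    @{ Bit = 0x08; Name = 'ExitEvent_CertRevoked'; Key = $null },
    @{ Bit = 0x20; Name = 'ExitEvent_CRLIssued';   Key = 'CRLIssued' },
    @{ Bit = 0x40; Name = 'ExitEvent_Shutdown';    Key = 'Shutdown' },
    @{ Bit = 0x80; Name = 'ExitEvent_Startup';     Key = 'Startup' }
)
$filter = [int]$cfg.EventFilter
"SMTP server : " + $(if ($cfg.SMTPServer) { $cfg.SMTPServer } else { '(not set)' })
"SMTP auth   : " + $(if ($cfg.SMTPAuthenticate -eq 1) { 'user name and password' } else { 'anonymous' })
foreach ($e in $Events) {
    if (-not ($filter -band $e.Bit)) { continue }          # event not monitored
    $line = "monitored   : $($e.Name)"
    if ($e.Key) {
        $to = (Get-ItemProperty -Path "$smtp\$($e.Key)" -ErrorAction SilentlyContinue).To
        if ($to) { $line += "  -> $to" }
        else     { $line += "  !! no recipient: set exit\smtp\$($e.Key)\To or no mail is sent" }
    }
    $line
}
if (-not $cfg.SMTPServer) { "!! exit\smtp\smtpserver is not set; the exit module cannot deliver mail" }
```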