There are no Group Policy settings available for the Certification Authority role service.
More Information
The following resources on Microsoft.com provide further security best practice information about how to harden server computers running the Certification Authority role service:
Active Directory Certificate Services.
Certutil tasks for managing CRLs.
Certificate Template Overview.
Defining PKI Management and Delegation.
Rooted Trust Model.
The following Help and Support topics in Windows Server 2008:
"Stand-alone Certification Authorities."
"Enterprise Certification Authorities."
"Install a Root Certification Authority."
"Set Up a Certification Authority by Using a Hardware Security Module."
"Install a Subordinate Certification Authority."
"Implement Role-Based Administration."
Certification Authority Web Enrollment Role Service
The Certification Authority Web Enrollment role service provides an enrollment mechanism for you to issue and renew certificates for the following resources:
Users and computers that are members of your domain.
Users and computers that are not joined to your domain.
Users and computers that are not connected directly to your intranet.
Users running operating systems other than Windows®.
Downloading certificate trust lists.
Instead of using the auto-enrollment feature of a CA or the Certificate Request Wizard, you can allow users to request and obtain new and renewed certificates over an Internet or intranet connection by using the Certification Authority Web Enrollment role service.
To install the Certification Authority Web Enrollment role service, membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure. For more information, see "Implement Role-Based Administration" in the Help and Support for Windows Server 2008.
For more information about the Certification Authority Web Enrollment role service, see AD CS: Web Enrollment.
Role Attack Surface
The Certification Authority Web Enrollment role service is susceptible to the same security attacks as any CA. To identify the attack surface for this role service, you need to identify the:
Installed files. The files that are installed as part of the Certification Authority Web Enrollment role service.
Running services. The services that run as part of the Certification Authority Web Enrollment role service.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The Windows Firewall rules that the Certification Authority Web Enrollment role service uses.
Role dependencies. The dependencies for the Certification Authority Web Enrollment role service.
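The following PowerShell script is an added example, not part of the guide, of collecting the three inventories above on the Web Enrollment server. It assumes an elevated prompt, appcmd.exe in its default IIS 7.0 location, the Sysinternals sigcheck.exe on the PATH, and the virtual directory names CertSrv and CertEnroll under the Default Web Site.

```powershell
# Added example (not from the guide): inventory the attack surface of a server
# running the Certification Authority Web Enrollment role service.
# Assumptions: elevated prompt; appcmd.exe at its default path; sigcheck.exe
# (Sysinternals) on the PATH; vdir names as described in this chapter.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# 1. Installed files: resolve each virtual directory to its physical path and
#    report every executable image beneath it that carries no valid signature.
foreach ($vdir in 'Default Web Site/CertSrv/', 'Default Web Site/CertEnroll/') {
    $path = & $appcmd list vdir "$vdir" /text:physicalPath
    $path = [Environment]::ExpandEnvironmentVariables("$path")
    Write-Host "== Unsigned executables under $path"
    # -q quiet, -e executables only, -u unsigned only, -s recurse subfolders
    & sigcheck.exe -accepteula -q -e -u -s "$path"
}

# 2. Running services: the role service is hosted by IIS, so only W3SVC and
#    WAS are expected; on a dedicated computer anything else deserves a look.
Write-Host "== IIS services"
Get-Service W3SVC, WAS | Format-Table Name, Status, DisplayName -AutoSize

# 3. Firewall rules: show the inbound rules and the ports they open so they can
#    be compared with what the role service actually needs (HTTP/HTTPS).
Write-Host "== Inbound firewall rules"
netsh advfirewall firewall show rule name=all dir=in |
    Select-String 'Rule Name|Enabled|LocalPort|Action'
```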
Security Measures
This section describes the security measures that you can incorporate into your Certification Authority Web Enrollment role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Certification Authority Web Enrollment role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.
The following table summarizes the recommended security configuration tasks for hardening servers performing the Certification Authority Web Enrollment role service. If you need help completing any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 9.2 Configuration Checklist
Configuration tasks
Enable Windows Authentication for intranet-based requests.
Protect certificate enrollment requests and responses by using Secure Sockets Layer (SSL) encryption.
Dedicate a computer to the Certification Authority Web Enrollment role service.
Perform the hardening recommendations for the Web Services (IIS) server role.
Configure a user account as the designated registration authority.
Enable Windows Authentication for Intranet-Based Requests
When you install the Certification Authority Web Enrollment role service, the CertSrv and CertEnroll virtual directories are created in the Default Web Site. By default, anonymous authentication is used to access these virtual directories. If the Certification Authority Web Enrollment role service serves only intranet-based computers, you can configure these virtual directories to use Windows Authentication.
Windows authentication uses the NTLM or Kerberos protocols to authenticate client computers. It is best suited to an intranet environment and is typically not suited for use over the Internet. For Internet-facing enrollment, use either Basic or Digest authentication instead and encrypt all traffic by using SSL.
Important Do not enable anonymous access to the CertSrv and CertEnroll virtual directories that are created in the Default Web Site.
For more information about configuring a Web site to use Windows Authentication, see IIS 7.0: Configuring Authentication in IIS 7.0.
Protect Certificate Enrollment Requests and Responses by Using SSL Encryption
By default, the CertSrv and CertEnroll virtual directories created in the Default Web Site use HTTP. The HTTP protocol sends the certificate enrollment requests and responses in plaintext. Microsoft strongly recommends that you protect this traffic by using SSL encryption.
For more information about how to configure a Web site to protect traffic by using SSL encryption, see "Encrypt data sent between the Web server and client" in the Help and Support for Windows Server 2008.
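The following script is an added example, not from the guide, that applies the two preceding recommendations (Windows Authentication instead of anonymous access, and SSL required) to both virtual directories with the IIS 7.0 appcmd.exe tool and then reads the effective settings back for verification. It assumes an elevated prompt on the Web Enrollment server, that the Default Web Site already has an HTTPS binding with a server certificate (otherwise requiring SSL makes the directories unreachable), and the virtual directory names stated above.

```powershell
# Added example (not from the guide): harden the CertSrv and CertEnroll virtual
# directories for intranet use and verify the result.
# Assumptions: elevated prompt; appcmd.exe at its default path; an HTTPS
# binding with a server certificate already exists on the Default Web Site.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$vdirs  = @('Default Web Site/CertSrv', 'Default Web Site/CertEnroll')
$auth   = 'system.webServer/security/authentication'
$access = 'system.webServer/security/access'

foreach ($vdir in $vdirs) {
    # Intranet-only: turn off anonymous access and enable Windows Authentication.
    # -commit:apphost writes a <location> entry in applicationHost.config, which
    # works even though the authentication sections are locked by default.
    & $appcmd set config "$vdir" "-section:$auth/anonymousAuthentication" /enabled:false -commit:apphost
    & $appcmd set config "$vdir" "-section:$auth/windowsAuthentication"   /enabled:true  -commit:apphost
    # Require SSL so enrollment requests and responses never travel in plaintext.
    & $appcmd set config "$vdir" "-section:$access" /sslFlags:Ssl -commit:apphost
}

# Verification: read back the effective values for each virtual directory.
# Expected: anonymous false, windows true, sslFlags Ssl.
foreach ($vdir in $vdirs) {
    Write-Host "== $vdir"
    Write-Host ('anonymousAuthentication.enabled = ' +
        (& $appcmd list config "$vdir" "-section:$auth/anonymousAuthentication" /text:enabled))
    Write-Host ('windowsAuthentication.enabled   = ' +
        (& $appcmd list config "$vdir" "-section:$auth/windowsAuthentication" /text:enabled))
    Write-Host ('access.sslFlags                 = ' +
        (& $appcmd list config "$vdir" "-section:$access" /text:sslFlags))
}
```

Run the script once per Web Enrollment server; for an Internet-facing server keep the SSL step but use Basic or Digest authentication in place of Windows Authentication, as the guide describes.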
Dedicate a Computer to the Certification Authority Web Enrollment Role Service
Install the Certification Authority Web Enrollment role service on a computer dedicated to the role service. Although you can install this role service on the same computer that runs the Certification Authority role service, doing so increases the attack surface of the Certification Authority role service.
Installing the Certification Authority Web Enrollment role service on a dedicated computer diverts Web-based traffic from the computer running the Certification Authority role service.
You may want to install the Certification Authority Web Enrollment role service on more than one computer depending on the type of users you are supporting. For example, if you are supporting:
Users in your intranet, then you may want to install one or more computers running the Certification Authority Web Enrollment role service in your intranet.
Users on the Internet, then you may want to install one or more computers running the Certification Authority Web Enrollment role service in a perimeter network or extranet in your organization.
Perform the Hardening Recommendations for the Web Services (IIS) Server Role
Because this role service runs on IIS 7.0, be sure to perform the hardening recommendations for the Web Services (IIS) server role. For more information about hardening the Web Services (IIS) server role, see Chapter 6, "Hardening Web Services" in this guide.
Configure a User Account as the Designated Registration Authority
The Certification Authority Web Enrollment role service needs a set of credentials, known as the designated registration authority, that it uses to authenticate to the Certification Authority when it requests a certificate.
Microsoft recommends creating a user account to serve as the designated registration authority instead of using the network service account (NetworkService) for this purpose. With a user account you can assign only the rights and permissions that are necessary, whereas the NetworkService account may have more rights and permissions than the role service needs. In addition, changing the rights and permissions granted to the NetworkService account could affect other software running on the computer. The user account must be a member of the domain, and you must add it to the local IIS_IUSRS group.
Relevant Group Policy Settings
There are no Group Policy settings available for the Certification Authority Web Enrollment role service.
More Information
The following resources on Microsoft.com provide further security best practice information about how to harden server computers running the Certification Authority Web Enrollment role service:
Active Directory Certificate Services.
AD CS: Web Enrollment.
IIS 7.0: Configuring Authentication in IIS 7.0.
In the Help and Support for Windows Server 2008, see the following topics:
"Encrypt data sent between the Web server and client."
"Implement Role-Based Administration."