Relevant Group Policy Settings
There are no Group Policy settings available for the Online Responder role service.
More Information
The following resources provide further security best practice information about how to harden server computers running the Online Responder role service:
Active Directory Certificate Services.
AD CS: Online Certificate Status Protocol Support.
IIS 7.0: Configuring Authentication in IIS 7.0.
Online Responder Installation, Configuration, and Troubleshooting Guide.
"Implement Role-Based Administration" in the Help and Support for Windows Server 2008.
Network Device Enrollment Service Role Service
The Network Device Enrollment Service (NDES) role service allows routers and other network devices that do not have Windows accounts to obtain certificates. NDES is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices, such as routers and switches that cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a CA.
To configure the Network Device Enrollment Service role service, membership in the Administrators group is the minimum requirement to complete this procedure. For more information, see "Implement Role-Based Administration" in the Help and Support for Windows Server 2008.
For more information about this role service, see the following resources:
AD CS: Network Device Enrollment Service.
Microsoft SCEP Implementation Whitepaper.
Attack Surface
The NDES role service is susceptible to many of the same security attacks as any CA. To identify the attack surface for this role service, you need to identify the:
Installed files. The files that are installed as part of the NDES role service.
Running services. The services that run as part of the NDES role service.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The Windows Firewall rules that the NDES role service uses.
Role dependencies. The dependencies for the NDES role service.
Security Measures
This section describes the security measures that you can incorporate into your NDES role service configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Network Device Enrollment Service role service option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.
Configuration Checklist
The following table summarizes the recommended security configuration tasks for hardening servers performing the NDES role service. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 9.4 Configuration Checklist
| Configuration tasks |
| --- |
| Configure a user account as the designated registration authority. |
| Configure the strongest possible security for the Registration Authority. |
Configure a User Account as the Designated Registration Authority
The NDES role service needs a set of credentials that it uses to authenticate with the Certification Authority when requesting a certificate, which is known as the designated registration authority.
If you use the NDES role service, Microsoft recommends creating a user account to serve as the designated registration authority instead of using the network service account (NetworkService) for this purpose. This is because you can assign only the necessary rights and permissions to a dedicated user account, whereas the NetworkService account may already hold more rights and permissions than the role requires. In addition, changing the rights and permissions granted to the NetworkService account could affect other software running on the computer. The user account must be a domain account, and you must add it to the local IIS_IUSRS group.
For more information about how to configure a user account as the designated registration authority, see "Configure the Network Device Enrollment Service" in the Help and Support for Windows Server 2008.
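The following audit script is an added example, not part of this guide: it checks that the NDES application pool runs under a dedicated domain user account rather than NetworkService, and that the account is a member of the local IIS_IUSRS group, as the recommendation above requires. It assumes the NDES application pool is named SCEP (the default name the role service creates) and that the IIS WebAdministration module or snap-in is available on the server.

```powershell
# Added audit script (not from the Windows Server 2008 Security Guide).
# Assumption: the NDES application pool is named "SCEP" (the default); adjust if renamed.
$appPoolName = 'SCEP'

# Load the IIS cmdlets: module on Server 2008 R2 and later, snap-in on Server 2008 RTM.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
} else {
    Add-PSSnapin WebAdministration -ErrorAction Stop
}

$pool         = Get-Item "IIS:\AppPools\$appPoolName"
$identityType = $pool.processModel.identityType
$userName     = $pool.processModel.userName

# Check 1: the pool must run as a specific user, not NetworkService or another built-in identity.
if ($identityType -ne 'SpecificUser') {
    Write-Warning "Application pool '$appPoolName' runs as built-in identity '$identityType'; configure a dedicated domain user account as the designated registration authority."
    return
}

# Check 2: the configured account must be a domain account (DOMAIN\user, not a local account).
$computerName = $env:COMPUTERNAME
$domain, $account = $userName -split '\\', 2
if (-not $account -or $domain -ieq $computerName -or $domain -eq '.') {
    Write-Warning "Registration authority account '$userName' is a local account; use a domain account."
    return
}

# Check 3: the account must be a member of the local IIS_IUSRS group.
$group   = [ADSI]"WinNT://$computerName/IIS_IUSRS,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -contains $account) {
    Write-Host "OK: '$userName' is the designated registration authority and is a member of IIS_IUSRS."
} else {
    Write-Warning "'$userName' is not a member of the local IIS_IUSRS group; add it before using the NDES role service."
}
```

Run it in an elevated PowerShell session on the NDES server; each warning maps to one of the requirements stated above.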
Configure the Strongest Possible Security for the Registration Authority
The NDES role service uses two certificates and their keys to enable device enrollment. One certificate and its key are used to avoid repetition of communication between the CA and the Registration Authority. The other certificate and its key are used to secure communication between the Registration Authority and the network device.
Organizations might want to use different Cryptographic Service Providers (CSPs) to store these keys, or they may want to change the length of the keys used by the service. You can specify the configuration for the Registration Authority when you install the NDES role service on the Configure Cryptography for Registration Authority page. Microsoft recommends that you keep the default settings unless you have specific requirements otherwise.
Note Only Cryptographic Application Programming Interface (CryptoAPI) Service Providers are supported for the Registration Authority keys. Cryptography API: Next Generation (CNG) providers are not supported.
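The following script is an added example, not part of this guide: it lists the certificates in the computer's personal store that have a private key, reports the CryptoAPI CSP name and key length behind each one, and flags keys held by a CNG provider, which the note above says the Registration Authority cannot use. It assumes the Registration Authority certificates are in the LocalMachine\My store and relies on the .NET Framework behaviour that the X509Certificate2.PrivateKey property only resolves CryptoAPI (CSP) keys.

```powershell
# Added check (not from the Windows Server 2008 Security Guide).
# Assumption: the Registration Authority certificates live in the LocalMachine\My store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')

foreach ($cert in $store.Certificates) {
    if (-not $cert.HasPrivateKey) { continue }
    try {
        # PrivateKey only resolves CryptoAPI keys; for CNG-held keys it throws
        # (older .NET) or returns $null (newer .NET), so either case means "CNG".
        $key = $cert.PrivateKey
        if ($key -eq $null) { throw 'CNG key' }
        $csp = $key.CspKeyContainerInfo
        "{0,-45} CryptoAPI CSP: {1}; key length: {2} bits" -f $cert.Subject, $csp.ProviderName, $key.KeySize
    } catch {
        "{0,-45} CNG-held key: not supported for the Registration Authority" -f $cert.Subject
    }
}

$store.Close()
```

Compare the reported CSP and key length for the two Registration Authority certificates against what was chosen on the Configure Cryptography for Registration Authority page.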
Relevant Group Policy Settings
There are no Group Policy settings available for the NDES role service.
More Information
The following resources provide further security best practice information about how to harden server computers running the NDES role service:
Active Directory Certificate Services.
AD CS: Network Device Enrollment Service.
Microsoft SCEP Implementation Whitepaper.
In the Help and Support for Windows Server 2008, see the following topics:
"Implement Role-Based Administration."
"Configure the Network Device Enrollment Service."
More Information
The following resources on Microsoft.com provide further security best practice information about how to harden server computers running AD CS role services:
For the Certification Authority role service, see:
Active Directory Certificate Services.
Certutil tasks for managing CRLs.
Certificate Template.
Defining PKI Management and Delegation.
Windows Server 2008 Help and Support topics:
"Enterprise Certification Authorities."
"Install a Root Certification Authority."
"Install a Subordinate Certification Authority."
"Set Up a Certification Authority by Using a Hardware Security Module."
"Stand-alone Certification Authorities."
"Implement Role-Based Administration."
For the Certificate Authority Web Enrollments role service, see:
Active Directory Certificate Services.
AD CS: Web Enrollment.
IIS 7.0: Configuring Authentication in IIS 7.0.
Windows Server 2008 Help and Support topics:
"Encrypt data sent between the Web server and client."
"Implement Role-Based Administration."
For the Online Responder role service, see:
Active Directory Certificate Services.
AD CS: Online Certificate Status Protocol Support.
IIS 7.0: Configuring Authentication in IIS 7.0.
Online Responder Installation, Configuration, and Troubleshooting Guide.
Windows Server 2008 Help and Support topic:
"Implement Role-Based Administration."
For the Network Device Enrollment Service role service, see:
Active Directory Certificate Services.
AD CS: Network Device Enrollment Service.
Microsoft SCEP Implementation Whitepaper.
Windows Server 2008 Help and Support topics:
"Configure the Network Device Enrollment Service."
"Implement Role-Based Administration."
Chapter 10: Hardening Network Policy and Access Services
Network Policy and Access Services (NPAS) in Windows Server® 2008 provides technologies that allow you to deploy and operate a virtual private network (VPN), a dial-up network, 802.1X–protected wired and wireless access, and Cisco Network Admission Control (NAC)–based devices. With NPAS, you can define and enforce policies for network access authentication, authorization, and client health using Network Policy Server (NPS), Routing and Remote Access Service, Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP).
You can deploy NPS as a Remote Authentication Dial-in User Service (RADIUS) server, RADIUS proxy, both a RADIUS server and proxy, and as a Network Access Protection (NAP) health policy server. NAP helps you ensure that computers connecting to the network are compliant with organization network and client health policies.
Note The NPAS server role is not available on Server Core installations of Windows Server 2008.
This chapter provides prescriptive guidance to help you harden the role services of the NPAS role. The role services within the NPAS role are displayed in the following figure.
Figure 10.1 Role services hierarchy for the NPAS role
Because each of the NPAS role services performs distinct functions, you need to identify the NPAS role services that are configured on your server computer, and then harden each role service.