AD CS Security Guidance
<html> <body> <p><a name="top">Applies</a> to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012<br> <br> It is important to define and implement an Active Directory Certificate Services (AD CS) management model when you develop a certification authority (CA) infrastructure. This management model should complement your existing security management delegation plan and, if necessary, can help you meet Common Criteria requirements for role separation. </p> <p>To ensure that a single individual cannot compromise public key infrastructure (PKI) services, it is best to distribute management roles across different individuals in your organization.<br> [TOC]</p> <h1><a name="Implement_Role-Base_Administration"></a>Implement Role-Based Administration</h1> <p>You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as the Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as the Issue and Manage Certificates permission, cannot perform.<br> <br> Note: Role-based administration is supported by both enterprise and stand-alone CAs starting with Windows Server 2003 Enterprise edition CAs.<br> <br> The following table describes the roles, users, and groups that can be used to implement role-based administration. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. 
These security permissions, group memberships, and user rights are used to distinguish which users have which roles.</p> <table> <tbody> <tr> <th colspan="1"><span style="font-size:11px">Roles and groups</span></th> <th colspan="1"><span style="font-size:11px">Security permission</span></th> <th colspan="1"><span style="font-size:11px">Description</span></th> </tr> <tr> <td colspan="1"> <p><span style="font-size:11px">CA administrator</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Manage CA</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. These permissions are assigned by using the Certification Authority snap-in.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:11px">Certificate manager</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Issue and Manage Certificates</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:11px">Backup operator</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Back up files and directories</span></p> <p><span style="font-size:11px">Restore files and directories</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Perform system backup and recovery. Backup is an operating system feature.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:11px">Auditor</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Manage auditing and security log</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Configure, view, and maintain audit logs. Auditing is an operating system feature. 
Auditor is an operating system role.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:11px">Enrollees</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Read</span></p> <p><span style="font-size:11px">Enroll</span></p> </td> <td colspan="1"> <p><span style="font-size:11px">Enrollees are clients who are authorized to request certificates from a CA. This is not a CA role</span>.</p> </td> </tr> </tbody> </table> <p>All CA roles are assigned and modified by members of local <strong>Administrators</strong>, <strong>Enterprise Admins</strong>, or <strong>Domain Admins</strong>. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default. Only local administrators are CA administrators by default on a stand-alone CA. If a stand-alone CA is installed on a server that is joined to an Active Directory domain, domain administrators are also CA administrators.</p> <p>The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.</p> <p>Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.</p> <p>Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user's security permissions, group membership, or user rights.<br> <br> To set CA administrator and certificate manager security permissions for a CA</p> <ol> <li>Open the Certification Authority snap-in. </li><li>In the console tree, click the name of the CA. 
</li><li>On the Action menu, click Properties. </li><li>Click the Security tab, and specify the security permissions. </li></ol> <p><a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h3><a name="Roles_and_activities"></a>Roles and activities</h3> <p>Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed.</p> <span style="font-size:10px"></span> <table style="width:675px; height:585px"> <tbody> <tr> <th colspan="1"><span style="font-size:10px">Activity</span></th> <th colspan="1"><span style="font-size:10px">CA administrator</span></th> <th colspan="1"><span style="font-size:10px">Certificate manager</span></th> <th colspan="1"><span style="font-size:10px">Auditor</span></th> <th colspan="1"><span style="font-size:10px">Backup operator</span></th> <th colspan="1"><span style="font-size:10px">Local administrator</span></th> <th colspan="1"><span style="font-size:10px">Notes</span></th> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Install CAs</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Configure policy and exit modules</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span 
style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Stop and start the Active Directory Certificate Services (AD CS) service</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Configure extensions</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Configure roles</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Renew CA keys</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> 
<p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Define key recovery agents</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Configure certificate manager restrictions</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Delete a single row in the CA database</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span 
style="font-size:10px">Delete multiple rows in the CA database (bulk deletion)</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">The user must be both a CA administrator and a certificate manager. This activity cannot be performed when role separation is enforced.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Enable role separation</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Issue and approve certificates</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Deny certificates</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span 
style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Revoke certificates</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Reactivate certificates that are placed on hold</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Renew certificates</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Enable, publish, or configure certificate revocation list (CRL) 
schedules</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Recover archived keys</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">Only a certificate manager can retrieve the encrypted key data structure from the CA database. 
The private key of a valid key recovery agent is required to decrypt the key data structure and generate a PKCS #12 file.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Configure audit parameters</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">By default, the local administrator holds the <strong> system audit</strong> user right.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Audit logs</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">By default, the local administrator holds the <strong> system audit</strong> user right.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Back up the system</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">By default, the local administrator holds the <strong> system backup</strong> user right.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span 
style="font-size:10px">Restore the system</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">By default, the local administrator holds the <strong> system backup</strong> user right.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Read the CA database</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">By default, the local administrator holds the <strong> system audit </strong>and<strong> system backup</strong> user rights.</span></p> </td> </tr> <tr> <td colspan="1"> <p><span style="font-size:10px">Read CA configuration information</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px">X</span></p> </td> <td colspan="1"> <p><span style="font-size:10px"></span></p> <br> </td> <td colspan="1"> <p><span style="font-size:10px">By default, the local administrator holds the <strong> system audit </strong>and<strong> system backup</strong> user rights.</span></p> </td> </tr> </tbody> </table> <h3 class="subHeading"><a name="Additional_considerations"></a></h3> <p class="subHeading"><a 
href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h3 class="subHeading"><a name="Additional_considerations"></a>Additional considerations</h3> <div class="subSection"> <ul> <li class="unordered">Enrollees are allowed to read CA properties and CRLs, and can request certificates. On an enterprise CA, a user must have Read and Enroll permissions on the certificate template to request a certificate. CA administrators, certificate managers, auditors, and backup operators have implicit Read permissions. </li><li class="unordered">An auditor holds the <strong>system audit</strong> user right. </li><li class="unordered">A backup operator holds the <strong>system backup</strong> user right. In addition, the backup operator has the ability to start and stop the Active Directory Certificate Services (AD CS) service. </li></ul> <p><a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top" title="return to top">return to top</a></p> </div> <h2 class="heading"><a name="Assigning_roles"></a>Assigning roles</h2> <div id="sectionSection1" class="section"> <p>The CA administrator for a CA assigns users to the separate roles of role-based administration by applying the security settings required by a role to the user's account. The CA administrator can assign a user to more than one role, but the CA is more secure when each user is assigned to only one role. When this delegation strategy is used, fewer CA tasks can be compromised if a user's account becomes compromised.<br> <br> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> </div> <h2 class="heading"><a name="Administrator_concerns"></a>Administrator concerns</h2> <div id="sectionSection2" class="section"> <p>The default installation setting for a stand-alone CA is to have members of the local Administrators group as CA administrators. 
The default installation setting for an enterprise CA is to have members of the local Administrators, Enterprise Admins, and Domain Admins groups as CA administrators. To limit the power of any of these accounts, they should be removed from the CA administrator and certificate manager roles when all CA roles are assigned.</p> <p>As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not individual user accounts.<br> <br> Note: Membership in the local Administrators group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles.<br> <br> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h1><a name="Restrict_Certificate_Managers"></a>Restrict Certificate Managers</h1> <p>A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the <strong>Issue and Manage Certificates</strong> permission.</p> <p>When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.</p> <p>This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.</p> <p>You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure. 
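The role assignments and role-separation advice in the sections above can be checked directly on the CA. The following PowerShell script is an added example and not part of the original article: it reads the CA's security descriptor from the registry, maps each access control entry to the roles in the table above, and reports the conditions the guidance warns about (role separation not enforced, one principal holding both the Manage CA and Issue and Manage Certificates permissions, and the default administrator groups still holding CA roles). It assumes an elevated session on the CA host and that the CA access-right bit values follow the CA_ACCESS_* constants in certsrv.h.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the CA host.
# Assumption: the CA access-right bits below follow CA_ACCESS_* in certsrv.h;
# verify them against your SDK headers before relying on the report.
$script:ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$script:CaRights = [ordered]@{
    'Manage CA'                     = 0x001   # CA administrator
    'Issue and Manage Certificates' = 0x002   # certificate manager (CA officer)
    'Auditor'                       = 0x004
    'Backup operator'               = 0x008
    'Read'                          = 0x100
    'Enroll'                        = 0x200
}

function Get-CaConfigPath {
    param([string]$CaName)
    # The 'Active' value under Configuration names the CA hosted on this machine.
    if (-not $CaName) { $CaName = (Get-ItemProperty -Path $script:ConfigRoot).Active }
    Join-Path -Path $script:ConfigRoot -ChildPath $CaName
}

function Get-CaRoleAssignment {
    # One object per ACE in the CA security descriptor: principal, allow/deny, roles granted.
    param([string]$CaName)
    $cfg = Get-CaConfigPath -CaName $CaName
    [byte[]]$sdBytes = (Get-ItemProperty -Path $cfg -Name Security).Security
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $principal = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                     catch { $ace.SecurityIdentifier.Value }   # orphaned SID, e.g. a deleted account
        $roles = foreach ($r in $script:CaRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Principal = $principal
            Type      = $ace.AceType      # AccessAllowed or AccessDenied
            Roles     = @($roles)
        }
    }
}

function Test-CaRoleSeparation {
    # Reports: role separation not enforced, one principal holding both CA roles,
    # and the default admin groups still holding a CA role.
    param([string]$CaName)
    $cfg = Get-CaConfigPath -CaName $CaName
    $flag = (Get-ItemProperty -Path $cfg -Name RoleSeparationEnabled -ErrorAction SilentlyContinue).RoleSeparationEnabled
    $enforced = ($flag -eq 1)
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $enforced) { $findings.Add('Role separation is not enforced (CA\RoleSeparationEnabled is not 1).') }
    $allowed = Get-CaRoleAssignment -CaName $CaName | Where-Object { $_.Type -eq 'AccessAllowed' }
    foreach ($a in $allowed) {
        $isAdmin   = $a.Roles -contains 'Manage CA'
        $isOfficer = $a.Roles -contains 'Issue and Manage Certificates'
        if ($isAdmin -and $isOfficer) {
            $findings.Add("$($a.Principal) holds both CA administrator and certificate manager roles; assign one role per account.")
        }
        if (($isAdmin -or $isOfficer) -and $a.Principal -match '\\(Administrators|Domain Admins|Enterprise Admins)$') {
            $findings.Add("$($a.Principal) still holds a CA role; remove it once dedicated role groups are assigned.")
        }
    }
    [pscustomobject]@{ RoleSeparationEnforced = $enforced; Findings = $findings.ToArray() }
}

# Usage:
#   Get-CaRoleAssignment | Format-Table -AutoSize
#   Test-CaRoleSeparation
```

Role separation itself is turned on with `certutil -setreg CA\RoleSeparationEnabled 1` followed by a service restart, which the activities table above reserves for the local administrator.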
<br> <br> To configure certificate manager restrictions for a CA</p> <ol> <li>Open the Certification Authority snap-in, and right-click the name of the CA. </li><li> <p>Click <strong>Properties</strong>, and then click the <strong>Security</strong> tab.</p> </li><li> <p>Verify that the user or group that you have selected has <strong>Issue and Manage Certificates</strong> permission. If they do not yet have this permission, select the <strong>Allow</strong> check box, and then click <strong>Apply</strong>.</p> </li><li> <p>Click the <strong>Certificate Managers</strong> tab.</p> </li><li> <p>Click <strong>Restrict certificate managers</strong>, and verify that the name of the group or user is displayed.</p> </li><li> <p>Under <strong>Certificate Templates</strong>, click <strong>Add</strong>, select the template for the certificates that you want this user or group to manage, and then click <strong>OK</strong>. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.</p> </li><li> <p>Under <strong>Permissions</strong>, click <strong>Add</strong>, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click <strong>OK</strong>.</p> </li><li> <p>If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under <strong>Permissions</strong>, select this user, computer, or group, and click <strong>Deny</strong>.</p> </li><li> <p>When you are finished configuring certificate manager restrictions, click <strong>OK</strong> or <strong>Apply</strong>.</p> </li></ol> <p><a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h1><a name="Establish_Restricted_Enrollment_Agents"></a>Establish Restricted Enrollment Agents</h1> <p>An enrollment agent is 
a user who can enroll for a certificate on behalf of another client. Unlike a certificate manager, an enrollment agent can only process the enrollment request and cannot approve pending requests or revoke issued certificates.</p> <p>Windows Server 2008 includes three certificate templates that enable different types of enrollment agents:</p> <ul> <li class="unordered"><strong>Enrollment Agent</strong>. Used to request certificates on behalf of another subject. </li><li class="unordered"><strong>Enrollment Agent (Computer)</strong>. Used to request certificates on behalf of another computer subject. </li><li class="unordered"><strong>Exchange Enrollment Agent (Offline Request)</strong>. Used to request certificates on behalf of another subject and supply the subject name in the request. This template is used by the Network Device Enrollment Service for its enrollment agent certificate. </li></ul> <p>When you create an enrollment agent, you can further refine the agent's ability to enroll for certificates on behalf of others by group and by certificate template. For example, you might want to implement a restriction that the enrollment agent can only enroll for smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.</p> <p>This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.<br> <br> Important: You can only apply enrollment agent restrictions starting with Windows Server 2008–based CAs. 
Enrollment agent policy must also be configured properly.</p> <div class="alert"> <p>You must be a CA administrator or a member of <strong>Enterprise Admins</strong>, or equivalent, to complete this procedure.<br> <br> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> </div> <h2 class="subHeading"><a name="To_configure_enrollment_agent_restrictions_for_a_CA"></a>To configure enrollment agent restrictions for a CA</h2> <div class="subSection"> <ol class="ordered"> <li> <p>Open the Certification Authority snap-in, right-click the name of the CA, and then click <strong>Properties</strong>. </p> </li><li> <p>Click the <strong>Enrollment Agents</strong> tab, click <strong>Restrict enrollment agents</strong>, and click <strong>OK</strong> on the message that appears.</p> </li><li> <p>Under <strong>Enrollment agents</strong>, click <strong>Add</strong>, type the names of the users or groups that you want to configure, and then click <strong>OK</strong>. Click <strong>Everyone</strong>, and then click <strong>Remove</strong>.</p> </li><li> <p>Under <strong>Certificate Templates</strong>, click <strong>Add</strong>, select the template for the certificates that you want this user or group to be able to enroll from, and then click <strong>OK</strong>. Repeat this step until you have selected all certificate templates that you want to enable for this enrollment agent. When you have finished adding the names of certificate templates, click <strong>&lt;All&gt;</strong>, and then click <strong>Remove</strong>.</p> </li><li> <p>Under <strong>Permissions</strong>, click <strong>Add</strong>, type the names of the users or groups for whom you want the enrollment agent to manage the defined certificate types, and then click <strong>OK</strong>. 
Click <strong>Everyone</strong>, and then click <strong>Remove</strong>.</p> </li><li> <p>If you want to block the enrollment agent from managing certificates for a user, computer, or group, under <strong>Permissions</strong>, select this user, computer, or group, and then click <strong>Deny</strong>.</p> </li><li> <p>When you are finished configuring enrollment agent restrictions, click <strong> OK</strong> or <strong>Apply</strong>. </p> </li></ol> </div> <div class="alert">Note: The user or group that you applied enrollment agent restrictions to must have a valid enrollment agent certificate for the CA before they can act as an enrollment agent, whether restricted enrollment agent permissions have or have not been configured.<br> <br> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a><br> </div> <h1 class="alert"><a name="Configure_CA_Event_Auditing"></a>Configure CA Event Auditing</h1> <div class="alert">You can audit a variety of events relating to the management and activities of a certification authority (CA): <ul> <li class="unordered">Back up and restore the CA database </li><li class="unordered">Change the CA configuration </li><li class="unordered">Change CA security settings </li><li class="unordered">Issue and manage certificate requests </li><li class="unordered">Revoke certificates and publish certificate revocation lists (CRLs) </li><li class="unordered">Store and retrieve archived keys </li><li class="unordered">Start and stop Active Directory Certificate Services (AD CS) </li></ul> <br> Important: To audit events, the computer must also be configured for auditing of object access. Enable both Success and Failure auditing to capture all events. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies. 
Ensure that someone will regularly review and archive the event logs.<br> <br> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a><br> <br> </div> <h2 class="alert"><a name="To_configure_CA_event_auditing"></a>To configure CA event auditing</h2> <div class="alert"> <ol> <li>Open the Certification Authority snap-in. </li><li>In the console tree, click the name of the CA. </li><li>On the <strong>Action</strong> menu, click <strong>Properties</strong>. </li><li>On the <strong>Auditing</strong> tab, click the events you want to audit, and then click <strong>OK</strong>. </li><li>On the <strong>Action</strong> menu, point to <strong>All Tasks</strong>, and then click <strong>Stop Service</strong>. </li><li>On the <strong>Action</strong> menu, point to <strong>All Tasks</strong>, and then click <strong>Start Service</strong>. </li></ol> <p><a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h1><a name="Send_E-mail_When_a_Certification_Event_Occurs"></a>Send E-mail When a Certification Event Occurs</h1> <p>The following procedure configures a certification authority (CA) to send e-mail when a certification event occurs.</p> <p>Membership in <strong>Domain Admins</strong> or local <strong>Administrators</strong>, or equivalent, is the minimum required to complete this procedure.<br> <br> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h4 class="subHeading"><a name="To_send_e-mail_when_a_certification_event_occurs"></a>To send e-mail when a certification event occurs</h4> <div class="subSection"> <ul> <li> <p>At an elevated command prompt, type:</p> <p><code>certutil -setreg exit\smtp\smtpserver &lt;ServerName&gt;</code></p> <p><code>certutil -setreg exit\smtp\eventfilter +&lt;Event&gt;</code></p> </li></ul> </div> <p>The following tables 
explain the command values and options available for this procedure. </p> <table> <tbody> <tr> <th colspan="1">Value</th> <th colspan="1">Description</th> </tr> <tr> <td colspan="1"> <p>certutil</p> </td> <td colspan="1"> <p>The name of the command-line tool.</p> </td> </tr> <tr> <td colspan="1"> <p>-setreg</p> </td> <td colspan="1"> <p>Modifies the registry.</p> </td> </tr> <tr> <td colspan="1"> <p>exit\smtp\smtpserver</p> </td> <td colspan="1"> <p>The registry value that contains the name of the Simple Mail Transfer Protocol (SMTP) server.</p> </td> </tr> <tr> <td colspan="1"> <p>exit\smtp\eventfilter</p> </td> <td colspan="1"> <p>The registry value that contains the list of events that the CA should monitor. When any of these events occur, the CA will send e-mail.</p> </td> </tr> <tr> <td colspan="1"> <p>+</p> </td> <td colspan="1"> <p>Indicates that, if there are current entries stored in this registry value, this entry should be appended to them.</p> </td> </tr> <tr> <td colspan="1"> <p>Event</p> </td> <td colspan="1"> <p>Specifies the event to add to the list of events for the CA to monitor. 
An event can be any value in the following table.</p> </td> </tr> </tbody> </table> <table> <tbody> <tr> <th colspan="1">Event value</th> <th colspan="1">Description</th> </tr> <tr> <td colspan="1"> <p>ExitEvent_CertIssued</p> </td> <td colspan="1"> <p>Specifies the action of issuing a certificate.</p> </td> </tr> <tr> <td colspan="1"> <p>ExitEvent_CertPending</p> </td> <td colspan="1"> <p>Specifies the action of a certificate request being received by the CA and set to pending.</p> </td> </tr> <tr> <td colspan="1"> <p>ExitEvent_CertDenied</p> </td> <td colspan="1"> <p>Specifies the action of a certificate request being received by the CA and that request being denied.</p> </td> </tr> <tr> <td colspan="1"> <p>ExitEvent_CertRevoked</p> </td> <td colspan="1"> <p>Specifies the action of a revocation of an existing certificate.</p> </td> </tr> <tr> <td colspan="1"> <p>ExitEvent_CRLIssued</p> </td> <td colspan="1"> <p>Specifies the action of a certificate revocation list (CRL) being issued.</p> </td> </tr> <tr> <td colspan="1"> <p>ExitEvent_Startup</p> </td> <td colspan="1"> <p>Specifies the action of the CA during startup.</p> </td> </tr> <tr> <td colspan="1"> <p>ExitEvent_Shutdown</p> </td> <td colspan="1"> <p>Specifies the action of the CA during shutdown.</p> </td> </tr> </tbody> </table> <p class="subHeading"><a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a></p> <h4 class="subHeading"><a name="Additional_considerations"></a>Additional considerations</h4> <div class="subSection"> <ul> <li class="unordered">To open a command prompt, click <strong>Start</strong>, point to <strong>All Programs</strong>, click <strong>Accessories</strong>, and then click <strong>Command Prompt</strong>. 
</li><li class="unordered">When the ExitEvent_CRLIssued, ExitEvent_Startup, and ExitEvent_Shutdown events occur, the CA has no e-mail address to send to, because no user is associated with these events. Therefore, an e-mail address must be configured when using these events. To configure the e-mail address to send e-mail when these events occur, type the following certutil commands at a command prompt: </li></ul> </div> <blockquote dir="ltr" class="subSection" style="margin-right:0px"> <p class="unordered"><strong>certutil -setreg exit\smtp\CRLIssued\To &lt;E-mailString&gt;<br> </strong><strong>certutil -setreg exit\smtp\Startup\To &lt;E-mailString&gt; <br> certutil -setreg exit\smtp\Shutdown\To &lt;E-mailString&gt;</strong> </p> <p><em>E-mailString</em> specifies an e-mail address or a string of e-mail addresses that are separated by semicolons. </p> </blockquote> <div class="subSection"> <ul> <li class="unordered">If the SMTP server is not set to accept anonymous connections, the CA must be configured to provide a user name and password when it connects. To configure the CA to authenticate with the SMTP server, type the following certutil commands at a command prompt: </li></ul> </div> <blockquote dir="ltr" style="margin-right:0px"> <p class="unordered"><strong>certutil -setreg exit\smtp\SMTPAuthenticate 1 <br> certutil -setsmtpinfo &lt;UserName&gt;</strong> </p> </blockquote> <ul> <li class="unordered"><em>UserName</em> specifies the user name of a valid account on the SMTP server. You will be prompted to provide the password for this user name. </li></ul> </div> </div> <a href="http://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance/edit.aspx#top">return to top</a><br> </body> </html>
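The CA event auditing procedure and the SMTP exit module procedure above both come down to certutil -setreg settings followed by a CertSvc restart. The PowerShell script below is an added example, not part of the original article or of Microsoft's own tooling: it applies both configurations unattended, then reads them back for review. The SMTP host and mailbox are constructed placeholders, and the seven AuditFilter bit values are the standard CA\AuditFilter flags for the categories the article lists.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the CA. SMTP host and mailbox are constructed placeholders.
$ErrorActionPreference = 'Stop'
$smtpServer = 'smtp.corp.example'        # placeholder
$pkiOpsMail = 'pki-ops@corp.example'     # placeholder; ';'-separated list allowed

# 1. CA event auditing. CA\AuditFilter is a bitmask of the seven categories
#    listed in the article; all of them together give 127 (audit everything).
$auditBits = [ordered]@{
    'Start and stop AD CS'                  = 1
    'Back up and restore the CA database'   = 2
    'Issue and manage certificate requests' = 4
    'Change the CA configuration'           = 8
    'Change CA security settings'           = 16
    'Store and retrieve archived keys'      = 32
    'Revoke certificates and publish CRLs'  = 64
}
$auditFilter = ($auditBits.Values | Measure-Object -Sum).Sum    # 127
certutil -setreg CA\AuditFilter $auditFilter
# Object-access auditing for the CA subcategory, Success and Failure, as the
# article requires; without it AuditFilter produces no Security log entries.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. SMTP exit module: server, event filter, and explicit recipients for the
#    events that carry no requester address (CRLIssued, Startup, Shutdown).
certutil -setreg exit\smtp\smtpserver $smtpServer
foreach ($evt in 'CertRevoked', 'CRLIssued', 'Startup', 'Shutdown') {
    certutil -setreg exit\smtp\eventfilter "+ExitEvent_$evt"   # '+' appends
}
foreach ($evt in 'CRLIssued', 'Startup', 'Shutdown') {
    certutil -setreg exit\smtp\$evt\To $pkiOpsMail
}
# If the SMTP server rejects anonymous connections, also run (prompts for a
# password):  certutil -setreg exit\smtp\SMTPAuthenticate 1
#             certutil -setsmtpinfo <UserName>

# 3. Both settings take effect on service restart; then show them for review.
Restart-Service -Name CertSvc
certutil -getreg CA\AuditFilter
certutil -getreg exit\smtp

# 4. The article asks that someone review the logs: list recent CA security
#    changes (Security log IDs 4882 "security permissions changed" and
#    4885 "audit filter changed" are the AD CS events for this category).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4885 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Step 4 only returns entries once the auditpol subcategory is enabled, so an empty result right after a fresh setup is expected until the next CA security change.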