Security - Page 5 - Uwe Gradenegger

Restrict extended key usage (EKU) for imported root certification authority certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then limited to these Extended Key Usages. The smart card logon extended key usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).

With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CSP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

What to consider when applying Microsoft Security Baselines?

In the context of hardening measures, it is a good idea to use the Microsoft published Microsoft Security Baselines to your own server landscape.

This will inevitably have an impact on PKI components. The following is an overview of the expected effects and countermeasures.

Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on the CEP components.

Overview of audit events generated by the Certification Authority

The following is an overview of the audit events generated by the certification authority in the Windows Event Viewer.

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Basics and risk assessment Delegation settings

Delegation is required whenever there is an intermediary between the user and the actual service. In the case of certification authority web registration, this would be the case if it is installed on a separate server. It then acts as an intermediary between the applicant and the certification authority.

Standard auditing rules for Windows Server operating systems

Once a group policy with audit settings is active, the default auditing rules preconfigured with the operating system are turned off and only the explicitly configured audit settings are applied.

Required Windows security permissions for the Certificate Enrollment Web Service (CES)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact the CES components.

Configure the Certificate Enrollment Web Service (CES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

The following describes how to set up Certificate Authority Web Enrollment (CAWE) so that the service runs under a domain account.

Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CAWE with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Windows security permissions required for Certificate Authority Web Enrollment (CAWE)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact Certificate Authority Web Enrollment (CAWE).

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account.

The following describes how to set up a Certificate Enrollment Policy Web Service (CEP) that the service runs under a domain account.

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CEP with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.

Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.

Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.