As part of security hardening efforts against the Active Directory directory service, the question of why Active Directory integrated certificate authorities (Enterprise Certification Authority) are members of the Pre-Windows 2000 Compatible Access security group comes up frequently.
During the installation of an Active Directory integrated certificate authority, the computer object of the server on which the certificate authority is installed is automatically entered as a member in this group by the installation routine, provided that the user installing the certification authority is authorized to do so.
What is the problem?
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
The Pre-Windows 2000 Compatible Access security group allows its members read access to all user and computer objects. To an attacker, this could provide valuable information about the corporate network.
The Pre-Windows 2000 Compatible Access group is used for backward compatibility for computers that are running Microsoft Windows NT 4.0 and earlier. Members of this group have Read access on all users and groups in the domain.
https://support.microsoft.com/en-us/help/325363/how-to-add-users-to-the-pre-windows-2000-compatible-access-group-in-wi
Why are Certification Authorities members of this group?
If the restricted certificate manager function is used, the certificate authorities must be members of this group.
If a CA is running on a member server and the Restrict certificate managers property is enabled, then the member server needs to be added to the Pre-Windows 2000 Compatible Access built-in group of every domain from which it will receive certificate requests. Once added to these groups, the administrator of the CA is allowed to issue a certificate for subjects in those domains.
http://technet.microsoft.com/en-us/library/cc773190(v=ws.10).aspx
Can I safely remove the certification authorities from the group and is this useful?
If the restricted certificate manager feature is not used, the certificate authorities can be safely removed from the Pre-Windows 2000 Compatible Access security group.
On the other hand, certification authorities are highly privileged security-critical systems anyway, which are to be assigned to administrative layer 0 (Tier-0). Thus, one would have more serious problems if the certification authority were to be compromised.
One thought on “Warum Active Directory integrierte Zertifizierungsstellen Mitglieder der „Pre-Windows 2000 Compatible Access“ Sicherheitsgruppe sind”
Comments are closed.