
AD CS - RBAC & Hardening Guidance v1.1


A good basic guide to securing a PKI system.



Slide 1: Active Directory Certificate Services (AD CS) – PKI Security
Author: Huy Kha

Slide 2: Introduction
“Public Key Infrastructure (PKI) is used as a building block to provide key security controls, such as data protection and authentication for organizations. Many organizations operate their own PKI to support things like remote access, network authentication and securing communications. The threat of compromise to IT infrastructures from attacks is evolving. The motivations behind these attacks are varied, and compromising an organization’s PKI can significantly help an attacker gain access to the sensitive data and systems they are after. PKI systems should be treated as critical systems and have strong technical controls deployed to protect them from unauthorized access. As with other critical systems, hardened baselines and strict management access should be implemented. Strong protection mechanisms should be deployed, because a compromise of a key can lead to a compromise of your IT infrastructure.”
Source: securing-public-key-infrastructure/

Slide 3: Why you should care about securing PKI
Microsoft has stated the following:
“Security of the systems and processes comprising a PKI should be the first and foremost considerations when designing and deploying a PKI.”
“A common method of compromise is for attackers to leverage misconfigurations within the PKI to issue certificates for other users or systems for which the requesting user should not have rights to request, or certificate types that the user should not be able to request. Examples include misconfigurations in template permissions, such as overly broad enrollment permissions, or misconfigurations on the CA that allow users to request certificates with user-defined data. Misconfigurations in allowed certificate usages and constraints could also allow attackers to create subordinate CAs with arbitrary attributes.”
There are many different ways to improve the security posture of your PKI, but not all of the recommendations Microsoft has released are feasible for every organization. They go into a lot of detail, from physical security to hardware security, hardening, logging and so on. This document instead focuses on the recommendations that should be available to everyone, using the built-in tools in AD and Windows (AppLocker, Group Policy, event logging, Windows Firewall, etc.) to secure their Certificate Authorities.

Slide 4: Overview of selected security measures
Creation date: Sunday, October 13, 2019
Selected by: Huy Kha
Inspired by: KPN Security Policy
Slide 5: AD-CS-001: Implement RBAC to manage and approve authorization
ID: AD-CS-001
Version: 1.1
Requirement: Implement RBAC to manage and approve authorization.
Description: An RBAC model should be deployed to delegate administrative tasks in the CA, so that no single individual is able to compromise the entire CA server.
Supplement: There are two important tasks with a specific focus on the CA:
- Manage CA
- Issue and Manage Certificates
By default, Domain Admins (or equivalent) are able to perform both tasks, but these groups should not be used to manage the CA. Two new groups should be created, each granted one of the permissions mentioned above. Neither of them should be able to do both tasks.
Exception: <Insert your exception here>
Tasks:
- CA Administrator: configure and maintain the CA.
- CA Manager: approve certificate enrollment and revocation requests.

Slide 6: AD-CS-001: Who can do what?
CA Administrator:
- Create certificate templates
- Enroll users and computers in the created certificate template
- Start and stop Active Directory Certificate Services
- Configure extensions
- Configure roles
- Define key recovery agents
- Restrict certificate managers
- Delete a single row in the CA database
- Mass deletion of CA database rows
- Enable, publish, or configure certificate revocation list (CRL) schedules
- Read the CA database
- Read the CA configuration
- Configure policy and exit module
CA Manager:
- Issue and approve certificates
- Deny certificates
- Revoke certificates
- Reactivate certificates that are placed on hold
- Renew certificate templates
- Recover archived keys
- Read the CA database
- Read the CA configuration

Slide 7: AD-CS-001: How to delegate administrative tasks in the CA?
Start by creating two new groups in AD:
- CA Administrators
- CA Managers
Open ADSI Edit → Configuration → CN=Services → CN=Public Key Services. The containers marked in red on the slide are the ones we need to use to delegate the administrative tasks:
- CN=Certificate Templates
- CN=OID

Slide 8:
- Right click on CN=Certificate Templates → Security → Add → CA Administrators → Full control
- Right click on CN=OID → Security → Add → CA Administrators → Full control

Slide 9: Open Certificate Authority → Right click on the CA server object → Security → Add → CA Administrators → Read → Manage CA → Uncheck “Request Certificates”. Now we have finished the delegation for CA Administrators.

Slide 10: Open Certificate Authority → Right click on the CA server object → Security → Add → CA Managers → Issue and Manage Certificates → Request Certificates. Now we have finished the delegation for CA Managers.
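The group creation and the ADSI Edit steps on slides 7 and 8 can be scripted. The following is an added example (not code from the deck) that creates the two groups and grants CA Administrators Full Control on CN=Certificate Templates and CN=OID; the OU and group names are assumptions. The CA object permissions on slides 9 and 10 (Manage CA, Issue and Manage Certificates) are still set in the Certificate Authority console as the slides show.

```powershell
# Added example: delegate the template and OID containers to CA Administrators.
# Assumptions: OU=PKI and the two group names; run as a Domain/Enterprise Admin once.
Import-Module ActiveDirectory

$OU           = 'OU=PKI,DC=contoso,DC=com'   # assumed OU for the delegation groups
$CAAdminGroup = 'CA Administrators'
$CAMgrGroup   = 'CA Managers'

# Create both delegation groups if they do not exist yet
foreach ($name in $CAAdminGroup, $CAMgrGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OU
    }
}

# Public Key Services lives in the configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"
$sid      = (Get-ADGroup $CAAdminGroup).SID
$fullCtrl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Only CA Administrators get Full Control on the two containers (slide 8);
# CA Managers get nothing here, keeping the two roles separated.
foreach ($container in 'CN=Certificate Templates', 'CN=OID') {
    $path = "AD:\$container,$pksBase"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        $fullCtrl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Verification: who holds Full Control on each container after the change
foreach ($container in 'CN=Certificate Templates', 'CN=OID') {
    Write-Host "== $container =="
    (Get-Acl -Path "AD:\$container,$pksBase").Access |
        Where-Object { ($_.ActiveDirectoryRights -band $fullCtrl) -eq $fullCtrl } |
        Select-Object IdentityReference, AccessControlType
}
```

The verification loop is what an auditor would run afterwards: any principal other than the CA Administrators group, Enterprise Admins and SYSTEM showing up with Full Control on these containers is a finding in the sense of AD-CS-015.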
Slide 11: AD-CS-002: Make backups of the CA
ID: AD-CS-002
Requirement: Make backups of the CA.
Description: At least one, or perhaps two, members need to be dedicated to making backups on all the CA servers, since making backups is a vital process that should never be left out.
Supplement: Make a backup of your CA every <insert> days, weeks or months; which process you pick is up to you. There is a local group called “Backup Operators” that can be found at Computer Management → Local Users and Groups → Groups → Backup Operators. This group has the necessary rights to back up and restore all files and directories.
Exception: <Insert your exception>
Tasks (Backup Operator):
- Back up the CA
- Restore the CA
- Back up and restore the CA configuration in the registry
- Start and stop Active Directory Certificate Services

Slide 12: AD-CS-002: How to make backups of the CA?
Log on to the CA server(s) → Open Computer Management → Local Users and Groups → Groups → Backup Operators → Add the appropriate member(s).
Backup Operators have the right to log on locally at the servers. This does not mean they are able to log on through RDP, FYI.

Slide 13: When performing backups, make sure you include the following:
- CA certificate(s) and private key(s)
- CA database backup
- CA registry information
Tip: Consider backing up the CA to another secure location that interfaces with backup systems, rather than having backup systems connect directly to the CA. Ensure both check boxes have been selected.

Slide 14: Here we can see that our backup has been stored. Now we also have the option to restore the backups, and here we have restored our backups.

Slide 15: Make sure that we set a strong password for the private key of the backup, and also note it down in a tool such as a password manager. If someone did, for <XYZ> reasons, get access to the backup files, they would still need to know the password of the private key. Recommendation: set a password of at least 25-28 characters.

Slide 16: As Microsoft recommends, do not forget to make backups of the CA registry information that is stored in the following location:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>
Make an export of this key and save it to the right location.
PowerShell script to run a scheduled task that backs up the CA:
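The deck's own script is only shown as a screenshot. As an added example (not the author's script), the following backs up the CA key and database with a password-protected PKCS#12, exports the CertSvc registry configuration from slide 16, and registers a weekly scheduled task. Backup root, CA name, script path and schedule are assumptions.

```powershell
# Added example: scheduled CA backup covering the three items from slide 13.
# Assumptions: D:\CABackup, CA name CONTOSO-ISSUING-CA, script at D:\Scripts\Backup-CA.ps1.
Import-Module ADCSAdministration

function Backup-CAToFolder {
    param(
        [string]$Root   = 'D:\CABackup',          # assumed backup root (ideally a share the backup system pulls from)
        [string]$CAName = 'CONTOSO-ISSUING-CA',   # assumed CA common name
        [Parameter(Mandatory)][System.Security.SecureString]$KeyPassword   # 25-28+ characters, kept in the password manager
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $target = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # 1+2: CA certificate/private key (PKCS#12 protected by $KeyPassword) and the CA database incl. logs
    Backup-CARoleService -Path $target -Password $KeyPassword -KeepLog

    # 3: registry configuration of this CA (the key Microsoft says to back up)
    $regKey = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    reg.exe export $regKey (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null

    return $target
}

function Register-CABackupTask {
    param(
        [string]$ScriptPath = 'D:\Scripts\Backup-CA.ps1',   # assumed: a script that calls Backup-CAToFolder
        [string]$At = '02:00'
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At $At
    # SYSTEM holds the backup privilege locally; a dedicated Backup Operators member would also work
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'CA Backup' -Action $action -Trigger $trigger `
        -Principal $principal -Description 'Weekly AD CS backup (key, database, registry)' -Force
}

# Interactive one-off run: the password is typed, never stored in the script
# $pw = Read-Host -Prompt 'Backup key password' -AsSecureString
# Backup-CAToFolder -KeyPassword $pw
# Register-CABackupTask
```

For the unattended run, the script behind the task has to obtain the PKCS#12 password without embedding it in clear text; one option is a file created with ConvertFrom-SecureString under the task's own account (DPAPI-bound to that account) and read back with ConvertTo-SecureString. The registry export is kept next to the PKCS#12 so a restore has all three pieces from slide 13 in one folder.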
Slide 17: AD-CS-003: Turn on CA auditing
ID: AD-CS-003
Requirement: Turn on CA auditing.
Description: By default, none of the CA-related events are logged. These auditing rules need to be enabled and managed by the security team, with the likes of a SOC/SIEM for example.
Supplement: Since the PKI is a critical asset, it should be monitored; otherwise you would have blind spots in your environment. Logging and monitoring is one of the most important tasks to ensure the security of a Certificate Authority.
Exception: <Insert your exception>
Tasks (SOC/SIEM):
- Configure auditing rules
- Manage audit logs in Event Viewer
- Import and export event logs in Event Viewer
- Clear event logs

Slide 18: AD-CS-003: How to turn on auditing rules for the CA?
First, a new group should be created that is responsible for managing the CA audit logs. After the group has been created, add your SOC/SIEM and security staff to that group, and add the created group to the local “Event Log Readers” group on the CA servers. Now we need to delegate the administrative tasks so they can manage and audit the security logs of the CA servers without having high privileges such as Domain Admin. Besides that, they do not need to be able to log on to the CA servers; this should not be allowed. Log on to the CA server and open Local Security Policy → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Manage auditing and security log.

Slide 19: Now give the created SOC/SIEM group the “Read” permission on every CA server object. The SOC/SIEM group now has the permission to configure these auditing rules.

Slide 20: Microsoft recommends turning on every auditing rule, but that does not mean you should collect all the CA-related event logs. Besides that, I would wait with turning on “Issue and Manage Certificates”, since it can generate a lot of noisy events. The first goal is to start collecting the events you want and to create procedures for handling them. I would start by looking at all the CA-related events that might be interesting to collect in your SIEM. These can be found here: 2012-r2-and-2012/dn786423(v%3Dws.11). My suggestion would be to keep an eye on the high/medium priority events first, and then switch over to the “lows”.
Slide 21: AD-CS-003: Events to monitor
Only high and medium priority event IDs are listed here, but that does not mean you should ignore the low ones.

4873 (Medium): A certificate request extension changed. Request ID: %1 Name: %2 Type: %3 Flags: %4 Data: %5
  Audit filter required: Issue and manage certificate requests
  If this functionality is not used by the CA, it may indicate tampering with a request.
4874 (Medium): One or more certificate request attributes changed. Request ID: %1 Attributes: %2
  Audit filter required: Issue and manage certificate requests
  If this functionality is not used by the CA, it may indicate tampering with a request.
4882 (High): The security permissions for Certificate Services changed. %1
  Audit filter required: Change CA security settings
  May indicate an attacker granting permissions for other accounts to enroll.

Slide 22:
4883 (Medium): Certificate Services retrieved an archived key. Request ID: %1
  Audit filter required: Store and retrieve archived keys
4885 (High): The audit filter for Certificate Services changed. Filter: %1
  Audit filter required: Change CA security settings
  May indicate an attacker disabling monitoring in an attempt to cover their tracks prior to certificate activities.
4887 (Medium): Certificate Services approved a certificate request and issued a certificate. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6
  Audit filter required: Issue and manage certificate requests
  Watch for issuance of certificates that contain usages that allow the owner to perform privileged operations (Enrollment Agent, Code Signing, etc.).

Slide 23:
4888 (High): Certificate Services denied a certificate request. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6
  Audit filter required: Issue and manage certificate requests
4890 (High): The certificate manager settings for Certificate Services changed. Enable: %1 %2
  Audit filter required: Change CA security settings
  May indicate tampering with the permissions governing which users are able to enrol on behalf of other users, commonly used to issue smart card certificates.

Slide 24:
4891 (Medium): A configuration entry changed in Certificate Services. Node: %1 Entry: %2 Value: %3
  Audit filter required: Change CA configuration
  Can be used to monitor for changes to Policy/Exit modules on the CA or the configuration of CDP/AIA extensions.
4892 (Medium): A property of Certificate Services changed. Property: %1 Index: %2 Type: %3 Value: %4
  Audit filter required: Change CA configuration
  Can be used to track changes to Key Recovery Agent configuration.
4896 (High): One or more rows have been deleted from the certificate database. Table ID: %1 Filter: %2 Rows Deleted: %3
  Audit filter required: Issue and manage certificate requests
  May indicate an attacker covering their tracks after issuing certificates.

Slide 25:
4897 (Medium): Role separation enabled: %1
  Audit filter required: Change CA security settings
  If role separation is used, this can be used to trigger an alert if the expected configuration changes.
4898 (Medium): Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6
  Audit filter required: Change CA security settings
  Alert if templates that are not expected on a CA are loaded.
4899 (Medium): A Certificate Services template was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %8 New Template Content: %7 Additional Information: Domain Controller: %6
  Audit filter required: Change CA security settings
4900 (Medium): Certificate Services template security was updated. Change Information: Old Template Content: %9
  Audit filter required: Change CA security settings

Slide 26:
15 (High): Active Directory Certificate Services did not start: Version does not match certif.dll.
55 (Medium): Active Directory Certificate Services unrevoked the certificate for request %1 for %2. Not available in Microsoft Windows Server 2008®.
60 (High): Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via certutil -setreg CA\MaxIncomingMessageSize <bytes>.
95 (High): Security permissions are corrupted or missing. The Active Directory Certificate Services may need to be reinstalled.
Slide 27: AD-CS-003: Advanced auditing logs
Although enabling auditing for AD CS provides a solid foundation for capturing events that occur within the scope of the CA service, additional events can occur on the CA that may indicate a compromise or a potential compromise. These additional events are useful to capture in addition to the CA audit events. Ensure that at least the following audit settings have been enabled on all the CA servers:
- Audit Certification Services
- Audit Registry

Slide 28: Verify with the following command whether these audit settings have been enabled:
auditpol /get /category:*

Slide 29: AD-CS-003: Auditing CA registry key changes
With an audit filter configured to capture this event, the only method that will trigger an alert is making the change through the snap-in. To capture changes to all AD CS configuration settings stored locally on the CA, configure registry auditing specifically for the AD CS registry keys. If you decided to enable auditing for registry keys in the Windows audit policy, it is possible to configure auditing for the Certificate Services registry key as well:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration
- Click on Permissions
- Click on Configuration → Permissions → Auditing → Select a principal: Authenticated Users → Type: All → Show advanced permissions
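Slides 17 to 29 together describe three switches: the CA's own audit filter, the two Windows audit subcategories, and the SACL on the CertSvc configuration key. As an added example (not from the deck) the script below sets all three on a CA server. The audit-filter bit values are Microsoft's documented ones; leaving “Issue and manage certificate requests” off at first follows the advice on slide 20.

```powershell
# Added example: enable CA auditing end to end. Run on the CA as a CA Administrator
# with the "Manage auditing and security log" right. Restarting CertSvc is required
# for a changed AuditFilter to take effect.
$auditBits = @{
    StartStopService      = 0x01   # Start and stop Active Directory Certificate Services
    BackupRestoreDatabase = 0x02   # Back up and restore the CA database
    IssueManageRequests   = 0x04   # Issue and manage certificate requests (noisy; deferred per slide 20)
    ChangeCAConfiguration = 0x08   # Change CA configuration
    ChangeCASecurity      = 0x10   # Change CA security settings
    StoreRetrieveArchived = 0x20   # Store and retrieve archived keys
    RevokePublishCRL      = 0x40   # Revoke certificates and publish CRLs
}

function Get-CAAuditFilterValue {
    param([string[]]$Exclude = @('IssueManageRequests'))
    $filter = 0
    foreach ($entry in $auditBits.GetEnumerator()) {
        if ($entry.Key -notin $Exclude) { $filter = $filter -bor $entry.Value }
    }
    return $filter   # 123 with the default exclusion, 127 for everything
}

$filter = Get-CAAuditFilterValue
certutil.exe -setreg CA\AuditFilter $filter
Restart-Service -Name CertSvc

# Windows audit subcategories from slide 27; without these the CA events never reach the Security log
auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# SACL on the CertSvc configuration key (slide 29), so changes made with certutil or reg.exe,
# not only the snap-in, produce event 4657. Audit write-type rights for Authenticated Users.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$acl  = Get-Acl -Path $regPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    'Authenticated Users',
    'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership',
    'ContainerInherit',
    'None',
    'Success,Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $regPath -AclObject $acl

# Verification (slide 28)
certutil.exe -getreg CA\AuditFilter
auditpol.exe /get /category:*
(Get-Acl -Path $regPath -Audit).Audit | Select-Object IdentityReference, RegistryRights, AuditFlags
```

Get-CAAuditFilterValue with -Exclude @() returns 127, the "everything on" value Microsoft recommends; start with 123 and add the 0x04 bit once the SOC has procedures for the 4887/4888 volume.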
Slide 30: AD-CS-003: Events of CA registry keys to monitor
We have enabled “Audit Registry changes” to keep track of when a registry value has been modified. An event 4657 “A registry value was modified” will be generated when this happens.
Source: pro/windows-server-2012-r2-and-2012/dn786423(v=ws.11)

Slide 31: AD-CS-003: Optional “advanced” auditing rules
Reference: Windows Security Baseline. Policy path / policy setting name: rule
- Account Logon / Audit Credential Validation: Success and Failure
- Account Management / Audit Security Group Management: Success
- Account Management / Audit User Account Management: Success and Failure
- Detailed Tracking / Audit PNP Activity: Success
- Detailed Tracking / Audit Process Creation: Success
- Logon/Logoff / Audit Account Lockout: Failure
- Logon/Logoff / Audit Group Membership: Success
- Logon/Logoff / Audit Logon: Success and Failure
- Logon/Logoff / Audit Other Logon/Logoff Events: Success and Failure
- Logon/Logoff / Audit Special Logon: Success
- Object Access / Audit Detailed File Share: Failure
- Object Access / Audit File Share: Success and Failure
- Object Access / Audit Other Object Access Events: Success and Failure
- Object Access / Audit Removable Storage: Success and Failure
- Policy Change / Audit Audit Policy Change: Success
- Policy Change / Audit Authentication Policy Change: Success
- Policy Change / Audit MPSSVC Rule-Level Policy Change: Success and Failure
- Policy Change / Audit Other Policy Change Events: Failure
- Privilege Use / Audit Sensitive Privilege Use: Success and Failure
- System / Audit Other System Events: Success and Failure
- System / Audit Security State Change: Success
- System / Audit Security System Extension: Success
- System / Audit System Integrity: Success and Failure

Slide 32: AD-CS-003: Reading event logs without logging on to the CA server
After all the auditing rules have been set, you should use a jump host to log on and retrieve the event logs through Event Viewer by connecting to the CA server. Connect to the CA server; now we can read the logs from the CA server.
Slide 33: AD-CS-003: Other event IDs to watch for
Windows Event ID: description (log type, priority)
- 4624: An account was successfully logged on (Security, Medium)
- 4625: An account failed to log on (Security, Medium)
- 4648: A logon was attempted using explicit credentials (Security, Medium)
- 4769: A Kerberos service ticket was requested (Security, Medium)
- 4768: A Kerberos authentication ticket (TGT) was requested (Security, Medium)
- 4672: Special privileges assigned to new logon (Security, Low)
- 4720: A user account was created (Security, Low)
- 4738: A user account was changed (Security, Medium)
- 4732: A member was added to a security-enabled local group (Security, High)
- 4741: A computer account was created (Security, Medium)
- 4728: A member was added to a security-enabled global group (Security, Medium)
- 4799: A security-enabled local group was enumerated (Security, High)
- 4698: A scheduled task was created (Security, High)
- 4699: A scheduled task was deleted (Security, Medium)
- 4702: A scheduled task was updated (Security, High)
- 4697: A service was installed in the system (Security, High)
- 7045: A service was installed on the system (System, High)

Slide 34:
- 7040: A service configuration was changed (System, High)
- 5156: The Windows Filtering Platform has allowed a connection (Security, High)
- 5158: The Windows Filtering Platform has permitted a bind to a local port (Security, High)
- 5152: The Windows Filtering Platform has blocked a packet (Security, High)
- 5140: A network share object was accessed (Security, High)
- 5145: A network share object was checked to see whether the client can be granted desired access (Security, High)
- 4688: A new process has been created (Security, Critical)
- 4661: A handle to an object was requested (Security, High)
- 4662: An operation was performed on an object (Security, Medium)
- 4616: The system time was changed (Security, High)
- 1102: The audit log was cleared (Security, High)
- 104: The System log was cleared (System, High)
- 7036: A service entered the stopped state (System, Medium)
- 4715: The audit policy (SACL) on an object was changed (Security, Medium)
- 4907: Auditing settings on an object were changed (Security, Medium)
- 4717: System security access was granted to an account (System, High)
- 4718: System security access was removed from an account (System, Low)

Slide 35:
- 4719: System audit policy was changed (System, Medium)
- 4950: A Windows Firewall setting has been changed (Security, Medium)
- 4947: A change has been made to the Windows Firewall exception list; a rule was modified (Security, High)
- 4948: A change has been made to the Windows Firewall exception list; a rule was deleted (Security, Medium)
- 5025: The Windows Firewall service has been stopped (Security, Critical)
- 5157: The Windows Filtering Platform has blocked a connection (Security, Medium)
- 4701: A scheduled task was disabled (Security, Medium)
- 4705: A user right was removed (Security, Medium)
- 4670: Permissions on an object were changed (Security, High)
- 4776: The computer attempted to validate the credentials for an account (Security, Medium)
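Slide 32 reads the logs from a jump host through Event Viewer; the same can be done for the whole CA estate with Get-WinEvent, which is what a SOC would script before the events land in a SIEM. The following is an added example (not from the deck) that pulls the CA-specific high/medium events from slides 21 to 25, plus 1102 and 4657, from each CA's Security log over the network. Server names and the 24-hour lookback are assumptions; the caller needs to be in Event Log Readers on the CAs, as slide 18 sets up.

```powershell
# Added example: collect CA audit events remotely, tagged with the deck's priority.
# Assumptions: CA01/CA02 host names; membership of the local Event Log Readers group on each CA.
$CAServers = 'CA01.contoso.com', 'CA02.contoso.com'
$Since     = (Get-Date).AddHours(-24)

# Event ID -> priority as tabulated on slides 21-25 (plus 1102 and 4657 from slides 30/34)
$Priority = @{
    4882 = 'High';   4885 = 'High';   4888 = 'High';   4890 = 'High';   4896 = 'High';   1102 = 'High'
    4873 = 'Medium'; 4874 = 'Medium'; 4883 = 'Medium'; 4887 = 'Medium'; 4891 = 'Medium'; 4892 = 'Medium'
    4897 = 'Medium'; 4898 = 'Medium'; 4899 = 'Medium'; 4900 = 'Medium'; 4657 = 'Medium'
}

function Get-CASecurityEvents {
    param(
        [string[]]$ComputerName,
        [datetime]$StartTime,
        [int[]]$Id = [int[]]$Priority.Keys
    )
    foreach ($ca in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $ca -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $Id; StartTime = $StartTime
            } | ForEach-Object {
                [pscustomobject]@{
                    Server   = $ca
                    Time     = $_.TimeCreated
                    Id       = $_.Id
                    Priority = $Priority[$_.Id]
                    Summary  = ($_.Message -split "`r?`n")[0]   # first line, e.g. "The audit filter for Certificate Services changed."
                }
            }
        } catch {
            # "No events were found" is normal for a quiet CA; anything else (RPC, access denied) is worth a warning
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$ca : $($_.Exception.Message)" }
        }
    }
}

# High first (alphabetical works for High/Medium), then chronological
Get-CASecurityEvents -ComputerName $CAServers -StartTime $Since |
    Sort-Object Priority, Time |
    Format-Table -AutoSize
```

Run from the jump host on a schedule, the 4885 (audit filter changed) and 4882 (CA security permissions changed) rows are the ones to alert on immediately, since slide 22 notes that 4885 is how an attacker would switch this very collection off.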
Slide 36: AD-CS-004: Rename local Administrator and Guest accounts
Rename the following local accounts on all CA servers:
- Administrator
- Guest
If these accounts have not been renamed, this is a finding.

Slide 37: AD-CS-005: Ensure the local Administrator account is disabled and a long password has been set
- Set a 25-28 character password for the local Administrator account.
- Disable the local Administrator account.

Slide 38: AD-CS-006: Disable unnecessary services and scheduled tasks
Log on to the CA servers and open “Services”. Disable the following services:
- Xbox Live Auth Manager
- Xbox Live Game Save
Disable the following scheduled tasks:
- XblGameSaveTask
- XblGameSaveTaskLogon
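AD-CS-004 to AD-CS-006 are local-server changes. As an added example (not the deck's code), the following finds the built-in accounts by their well-known RIDs (500 and 501) rather than by name, so it also works on servers where they were renamed before, generates a 28-character random password from a cryptographic RNG, disables both accounts, and turns off the Xbox services and tasks. The new account names are assumptions.

```powershell
# Added example: local account and service hardening for a CA server. Run elevated on the CA.
# Assumptions: the replacement names 'ca-localadm' and 'ca-guest-disabled'.
function Set-CALocalAccountHardening {
    param(
        [string]$AdminNewName = 'ca-localadm',
        [string]$GuestNewName = 'ca-guest-disabled',
        [int]$PasswordLength  = 28
    )
    # Built-in Administrator / Guest are identified by RID 500 / 501, whatever they are called today
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($admin.Name -ne $AdminNewName) { Rename-LocalUser -Name $admin.Name -NewName $AdminNewName }   # AD-CS-004
    if ($guest.Name -ne $GuestNewName) { Rename-LocalUser -Name $guest.Name -NewName $GuestNewName }

    # AD-CS-005: random password from a CSPRNG with rejection sampling (no modulo bias)
    $chars = [char[]]((48..57) + (65..90) + (97..122) + [int[]][char[]]'!@#$%^&*-_=+')
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 256
    $rng.GetBytes($bytes)
    $plain = -join ($bytes | Where-Object { $_ -lt $limit } |
                    Select-Object -First $PasswordLength |
                    ForEach-Object { $chars[$_ % $chars.Length] })
    Set-LocalUser -Name $AdminNewName -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    Disable-LocalUser -Name $AdminNewName
    Disable-LocalUser -Name $GuestNewName
    return $plain   # record this in the password manager (slide 15), never in a log or script
}

function Disable-CAUnneededServices {
    # AD-CS-006: service names behind "Xbox Live Auth Manager" and "Xbox Live Game Save"
    foreach ($svc in 'XblAuthManager', 'XblGameSave') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) {
            Stop-Service -InputObject $s -Force -ErrorAction SilentlyContinue
            Set-Service  -InputObject $s -StartupType Disabled
        }
    }
    foreach ($task in 'XblGameSaveTask', 'XblGameSaveTaskLogon') {
        Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue | Disable-ScheduledTask | Out-Null
    }
    # Report what is left running so the change can be verified
    Get-Service -Name 'Xbl*' | Select-Object Name, Status, StartType
}

# $pw = Set-CALocalAccountHardening   # store $pw in the password manager
# Disable-CAUnneededServices
```

Disabling the built-in Administrator does not prevent its use in safe mode or a recovery scenario, which is why slide 37 still wants the long password set first; the function returns it once so it can be escrowed.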
Slide 39: AD-CS-007: Improve the security of the insecure “NTLM”
If you are curious why you should do this, read this:
Policy setting name: rule
- Network security: LAN Manager authentication level: Send NTLMv2 responses only. Refuse LM & NTLM
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption
- Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption

Slide 40: AD-CS-008: Check your latest patches
Log on to the CA servers, open PowerShell and run Get-HotFix. Ensure you have installed the latest patches.

Slide 41: AD-CS-009: Enable SMB signing on CA servers
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions.
- Enable “Microsoft network server: Digitally sign communications (always)”
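The four policy settings on slides 39 and 41 are normally pushed by Group Policy; the registry values below are their documented backing store, which makes a compliance check possible without opening gpedit on every CA. This is an added example, not the deck's code: it reports each setting and, with -Apply, writes the expected value.

```powershell
# Added example: check/apply the NTLM and SMB-signing settings from AD-CS-007 and AD-CS-009.
# Values: LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM";
# 0x20080000 = NTLMv2 session security (0x00080000) + 128-bit encryption (0x20000000).
$Expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';        Name = 'LmCompatibilityLevel';     Value = 5
       Policy = 'LAN Manager authentication level: Send NTLMv2 responses only. Refuse LM & NTLM' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NtlmMinClientSec';         Value = 0x20080000
       Policy = 'Minimum session security for NTLM SSP clients: NTLMv2 + 128-bit' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NtlmMinServerSec';         Value = 0x20080000
       Policy = 'Minimum session security for NTLM SSP servers: NTLMv2 + 128-bit' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'; Value = 1
       Policy = 'Microsoft network server: Digitally sign communications (always)' }
)

function Test-CANetworkHardening {
    param([switch]$Apply)
    foreach ($e in $Expected) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $ok = ($current -eq $e.Value)
        if (-not $ok -and $Apply) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type DWord
            $current = $e.Value
            $ok = $true
        }
        [pscustomobject]@{
            Setting   = $e.Policy
            Current   = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
            Expected  = '0x{0:X}' -f $e.Value
            Compliant = $ok
        }
    }
}

Test-CANetworkHardening | Format-Table -AutoSize
# Test-CANetworkHardening -Apply   # then reboot or restart LanmanServer for SMB signing to take effect
```

Get-SmbServerConfiguration | Select-Object RequireSecuritySignature gives the same SMB answer through the supported cmdlet. Level 5 makes the CA refuse LM and NTLMv1 from clients, so legacy devices that still talk to the CA (for example over its web enrollment share) need to be checked before enforcing it.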
Slide 42: AD-CS-010: Blocking recommended rules via AppLocker
Apply these settings on the CA servers. Microsoft recommends blocking these rules as well to mitigate any kind of application whitelisting bypass. Use AppLocker to do this. Each of the following is denied for Everyone, in both C:\Windows\System32 and C:\Windows\SysWOW64:
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- bash.exe
- bginfo.exe
- cdb.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- fsi.exe
- fsiAnyCpu.exe
- kd.exe
- ntkd.exe
- lxssmanager.dll
- msbuild.exe
- mshta.exe
- ntsd.exe

Slide 43 (continued):
- rcsi.exe
- windbg.exe
- wmic.exe
- presentationhost.exe

Slide 44: AD-CS-011: Deny Write permission on open path folders
Credits to @mattifestation. Any authenticated user has write permission on these folders.
Path: rule
- C:\Windows\System32\Microsoft\Crypto\RSA\Key: Deny “Write” permission for “Everyone”
- C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System: Deny “Write” permission for “Everyone”
- C:\Windows\Registration\CRMLog: Deny “Write” permission for “Users”
- C:\Windows\System32\Com\dmp: Deny “Write” permission for “Users”
- C:\Windows\System32\spool\drivers\color: Deny “Write” permission for “Users”
- C:\Windows\System32\spool\PRINTERS: Deny “Write” permission for “Users”
- C:\Windows\System32\spool\SERVERS: Deny “Write” permission for “Users”
- C:\Windows\SysWOW64\Com\dmp: Deny “Write” permission for “Users”
- C:\Windows\Tracing: Deny “Write” permission for “Users”
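Slides 42 to 44 are a list of paths with a rule each, which is easiest to apply consistently from code. The following is an added example (not the deck's code) that generates an AppLocker policy with a Deny rule for Everyone per binary in both System32 and SysWOW64, merges it into the local policy in audit-only mode, and applies the write-deny ACEs from slide 44 with icacls. Rule names and GUIDs are generated here; the staging path is an assumption.

```powershell
# Added example: AD-CS-010 deny rules + AD-CS-011 folder write denies. Run elevated on the CA.
# Assumption: an existing AppLocker policy with allow rules is already in place; this merges into it.
$DenyExe = 'addinprocess.exe','addinprocess32.exe','addinutil.exe','bash.exe','bginfo.exe','cdb.exe',
           'csi.exe','dbghost.exe','dbgsvc.exe','dnx.exe','fsi.exe','fsiAnyCpu.exe','kd.exe','ntkd.exe',
           'msbuild.exe','mshta.exe','ntsd.exe','rcsi.exe','windbg.exe','wmic.exe','presentationhost.exe'
$DenyDll = @('lxssmanager.dll')
$Dirs    = 'System32', 'SysWOW64'

function New-DenyRuleXml([string]$File, [string]$Dir) {
    # S-1-1-0 is Everyone; %WINDIR% is an AppLocker path variable
    $id = [guid]::NewGuid()
    @"
    <FilePathRule Id="{$id}" Name="AD-CS-010 deny $Dir\$File" Description="Application whitelisting bypass mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\$Dir\$File" /></Conditions>
    </FilePathRule>
"@
}

function New-CAAppLockerPolicyXml {
    param([string]$Mode = 'AuditOnly')   # switch to 'Enabled' after reviewing 8003/8006 audit events
    $exeRules = foreach ($f in $DenyExe) { foreach ($d in $Dirs) { New-DenyRuleXml $f $d } }
    $dllRules = foreach ($f in $DenyDll) { foreach ($d in $Dirs) { New-DenyRuleXml $f $d } }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($exeRules -join "`n")
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="$Mode">
$($dllRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$xmlPath = Join-Path $env:TEMP 'adcs-applocker-deny.xml'   # assumed staging path
New-CAAppLockerPolicyXml | Set-Content -Path $xmlPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge              # -Merge keeps the existing allow rules
Get-AppLockerPolicy -Local | Select-Object -ExpandProperty RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode, Count

# AD-CS-011: explicit Deny ACE for Write, inherited by subfolders/files (OI)(CI)
$DenyWrite = @(
    @{ Principal = 'Everyone'; Path = 'C:\Windows\System32\Microsoft\Crypto\RSA\Key' }
    @{ Principal = 'Everyone'; Path = 'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System' }
    @{ Principal = 'Users';    Path = 'C:\Windows\Registration\CRMLog' }
    @{ Principal = 'Users';    Path = 'C:\Windows\System32\Com\dmp' }
    @{ Principal = 'Users';    Path = 'C:\Windows\System32\spool\drivers\color' }
    @{ Principal = 'Users';    Path = 'C:\Windows\System32\spool\PRINTERS' }
    @{ Principal = 'Users';    Path = 'C:\Windows\System32\spool\SERVERS' }
    @{ Principal = 'Users';    Path = 'C:\Windows\SysWOW64\Com\dmp' }
    @{ Principal = 'Users';    Path = 'C:\Windows\Tracing' }
)
foreach ($d in $DenyWrite) {
    if (Test-Path $d.Path) { icacls.exe $d.Path /deny "$($d.Principal):(OI)(CI)(W)" }
    else { Write-Warning "Not present, skipped: $($d.Path)" }
}
```

Two points matter when enforcing: an AppLocker collection in Enabled mode blocks everything that no Allow rule covers, so these Deny rules must be merged into a policy that already contains the default allow rules; and the Dll collection has a performance cost because every loaded DLL is evaluated, which is why it is merged in AuditOnly first.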
Slide 45: AD-CS-012: Remote Desktop Services
Microsoft recommends blocking Remote Desktop Services, but I am not quite sure people would like to do this, since RDP is (still) an important protocol. My suggestion would be to monitor the successful RDP logons on the CA servers as well. Log on to the CA server(s) → Open Event Viewer → Click on View → Show Analytic and Debug Logs → Expand Application and Services Logs → Expand Microsoft → Expand Windows → Expand TerminalServices-LocalSessionManager.

Slide 46: AD-CS-013: Disable LLMNR and NetBIOS
Log on to the CA servers; these are old legacy protocols.
1. Open the Group Policy Editor in your version of Windows.
2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client.
3. Under DNS Client, make sure that "Turn OFF Multicast Name Resolution" is set to Enabled.

Slide 47: Disable NetBIOS on CA servers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
- The DWORD value for ‘NetbiosOptions’ will need to be changed to ‘2’.
- Value ‘0’ keeps the default setting, which is to use the NetBIOS settings from the DHCP server, whilst setting this value to ‘1’ enables NetBIOS over TCP/IP.
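Slide 47 gives the NetBT key but each network interface has its own subkey under Interfaces, so the value has to be set per interface. As an added example (not the deck's code), the function below reports the LLMNR policy value behind the "Turn OFF Multicast Name Resolution" setting from slide 46 and the NetbiosOptions value of every interface, and with -Apply sets them to 0 and 2 respectively.

```powershell
# Added example: check/apply AD-CS-013 on a CA server. Run elevated.
# EnableMulticast=0 under the DNSClient policy key is what "Turn OFF Multicast Name Resolution = Enabled" writes.
function Disable-CALegacyNameResolution {
    param([switch]$Apply)

    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($Apply -and $llmnr -ne 0) {
        if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $llmnr = 0
    }
    [pscustomobject]@{ Item = 'LLMNR (EnableMulticast)'; Value = $llmnr; Compliant = ($llmnr -eq 0) }

    # NetBIOS over TCP/IP: one subkey per interface GUID; 2 = disabled (slide 47)
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($if in Get-ChildItem -Path $ifRoot) {
        $opt = (Get-ItemProperty -Path $if.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($Apply -and $opt -ne 2) {
            Set-ItemProperty -Path $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            $opt = 2
        }
        [pscustomobject]@{ Item = "NetBIOS on $($if.PSChildName)"; Value = $opt; Compliant = ($opt -eq 2) }
    }
}

Disable-CALegacyNameResolution | Format-Table -AutoSize
# Disable-CALegacyNameResolution -Apply   # a reboot, or Restart-NetAdapter, makes the NetBT change effective
```

Interfaces added later (a new NIC or a VM rebuild) come back with the default NetbiosOptions of 0, so the check half of this function is worth running periodically, not only once.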
Slide 48: AD-CS-014: Limit local Administrators on CA servers
Limit the number of local Administrators on the CA servers. Only dedicated PKI admins should be local admins.
- Remove users and groups that are not dedicated to managing the CA servers.

Slide 49: AD-CS-015: Auditing the CA server object
These configurations have been made in real environments. The purpose is to show you what you should not do. In one of my audits I noticed that the following groups were added to the DACL of the CA server object:
- Domain Controllers
- Domain Computers
Do not add random groups to the DACL of the CA server object, only groups that are dedicated to managing the CA. Groups such as Domain Computers should not be there; it is a group that only contains computer objects.
Slide 50: AD-CS-016: 15+ years of validity with a 2048-bit RSA key
Here we can see that this certificate template has been configured for 20 years of validity. A certificate template with a validity period of 15+ years should use a 4096-bit RSA key.

Slide 51: AD-CS-017: CA Manager needs to approve pending requests
ID: AD-CS-017
Requirement: A CA Manager needs to approve requests for a newly created certificate template.
Description: By default, no CA Manager approval is required to issue or deny a pending request. When creating a new certificate template, ensure that the “CA certificate manager approval” checkbox is enabled.
Supplement: A CA Manager needs to approve whether the certificate will be enrolled. This is to ensure that the purpose of the certificate template is clear for both parties. You could also enforce this policy CA-wide, but that depends on the politics of every organization.
Exception: <Insert your exception>

Slide 52: If you want to enforce that every certificate request is put on hold: open Certificate Authority → Policy Module → Properties. This is not enabled by default, but it is up to you to decide.

Slide 53: You can also do it for specific certificate templates that have been created: right click on the certificate template → Properties → Issuance Requirements → Enable “CA certificate manager approval”.
Slide 54: AD-CS-018: Weak RSA key size
Sometimes certificate templates from 10 years ago still exist when they should already have been revoked. It is common to find certificate templates with a 1024-bit or smaller RSA key. Change this to a key length of at least 2048 bits.

Slide 55: AD-CS-019: Weak hashing algorithm
It is an industry best practice not to use SHA1, but at least SHA2 or higher. If you still have any templates using the SHA1 hashing algorithm, change this to SHA256.

Slide 56: AD-CS-020: Who can modify a template?
Ensure that no unauthorized users or groups have the “Write” permission, because this allows them to modify the certificate template. I have once discovered that Domain Users had “Write” permission on a certificate template.

Slide 57: AD-CS-021: Do not use “Supply in request”
Supply in request: all subject information is provided by the requestor. If you use the default CA policy module, no additional checks are done to confirm the mapping of the subject information to a user account in Active Directory®. When using “supply in request”, a user can request a certificate that would potentially allow them to authenticate as another user if no other security mechanisms are in place. Rather use the option “Build from this Active Directory information”.

Slide 58: AD-CS-022: Unauthorized users can enroll in critical templates
High-value templates are not frequently issued to others and should be monitored if someone does request one. A few examples of such certificate templates:
- EFS Recovery Agent
- Enrollment Agent
- Key Recovery Agent
- Data Recovery Agent
It is always good to look at the “Intended Purposes” and find keywords like:
- File Recovery
- Key Recovery Agent
These kinds of certificate templates usually have a high value, and if unauthorized users are able to request these certificates, there is a potentially high risk.

Slide 59: Here is an example of a duplicate of the EFS Recovery Agent template. EFS can be used to encrypt files and documents, for example. What would happen if unauthorized users were able to request the EFS Recovery Agent template? They would be able to decrypt the encrypted data of users. Recommendation:
- Ensure no unauthorized users are able to request these certificates.
- When duplicating one of the high-value templates, ensure “CA certificate manager approval” is enabled.
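AD-CS-016 to AD-CS-022 are all properties of the template objects under CN=Certificate Templates, so one script can audit them across the forest instead of opening each template's property sheet. The following is an added example (not the deck's code): it reads every template from AD and reports long validity with a small key, keys under 2048 bits, "Supply in request", write access for principals outside a trusted list, and Enroll rights on templates whose Intended Purposes contain the recovery/enrollment-agent EKUs from slide 58, together with whether CA manager approval is required. The trusted-principal list is an assumption; the msPKI flag bits and EKU OIDs are Microsoft's documented values. The hashing algorithm (AD-CS-019) is not covered because it is stored differently per template version.

```powershell
# Added example: certificate template audit for AD-CS-016/017/018/020/021/022.
# Assumption: $Trusted lists the principals allowed to write/enroll on high-value templates.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplPath  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2     # msPKI-Enrollment-Flag: "CA certificate manager approval"
$EnrollRightGuid = [guid]'0e10c968-78fb-11d1-ad76-00c04fc2dc8d'   # Certificate-Enrollment extended right
$HighValueEku = @{                                                  # "Intended Purposes" keywords from slide 58
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
    '1.3.6.1.4.1.311.21.6'     = 'Key Recovery Agent'
    '1.3.6.1.4.1.311.20.2.1'   = 'Certificate Request Agent'
}
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\Domain Admins',
           'CONTOSO\Enterprise Admins', 'CONTOSO\CA Administrators'               # assumed

function Get-TemplateFindings {
    $props = 'displayName','pKIExpirationPeriod','pKIExtendedKeyUsage','msPKI-Minimal-Key-Size',
             'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','nTSecurityDescriptor'
    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($t in Get-ADObject -SearchBase $tplPath -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties $props) {
        $findings = @()
        # pKIExpirationPeriod is a negative interval in 100 ns units
        $years = if ($t.pKIExpirationPeriod) { [math]::Abs([BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)) / 1e7 / 86400 / 365 } else { 0 }
        $keySize = [int]$t.'msPKI-Minimal-Key-Size'
        if ($keySize -lt 2048)                    { $findings += "AD-CS-018: $keySize-bit key < 2048" }
        if ($years -ge 15 -and $keySize -lt 4096) { $findings += ('AD-CS-016: {0:N0}-year validity with {1}-bit key' -f $years, $keySize) }
        if ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) { $findings += 'AD-CS-021: subject supplied in request' }
        $approval = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)

        $allow = $t.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $Trusted }
        foreach ($w in $allow | Where-Object { "$($_.ActiveDirectoryRights)" -match 'WriteDacl|WriteOwner|GenericWrite|GenericAll|WriteProperty' }) {
            $findings += "AD-CS-020: $($w.IdentityReference) has write ($($w.ActiveDirectoryRights))"
        }
        $purposes = @($t.pKIExtendedKeyUsage) | Where-Object { $HighValueEku.ContainsKey($_) } | ForEach-Object { $HighValueEku[$_] }
        if ($purposes) {
            # Enroll = the Certificate-Enrollment right, all extended rights (empty GUID), or GenericAll
            $enrollers = $allow | Where-Object {
                $_.ActiveDirectoryRights.HasFlag($ga) -or
                ($_.ActiveDirectoryRights.HasFlag($er) -and ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty))
            }
            foreach ($e in $enrollers) { $findings += "AD-CS-022: $($e.IdentityReference) can enroll ($($purposes -join ', '))" }
            if (-not $approval) { $findings += 'AD-CS-017/022: CA certificate manager approval not required on high-value template' }
        }
        if ($findings) {
            [pscustomobject]@{ Template = $t.displayName; ValidityYears = [math]::Round($years, 1); KeySize = $keySize
                               ManagerApproval = $approval; Findings = ($findings -join '; ') }
        }
    }
}

Get-TemplateFindings | Format-List
```

The Domain Users case from slide 56 shows up as an AD-CS-020 line, and a duplicated EFS Recovery Agent template as on slide 59 produces an AD-CS-022 line for every non-trusted principal with Enroll plus the approval warning if the checkbox was left off; the output is a worklist for the CA Administrators role, not a change script.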
Slide 60: AD-CS-023: Key Recovery Agent
It is normal for a user to lose their private key and call the helpdesk to restore it for XYZ reasons. There is a high-value template that can be used to hold the key to the kingdom and restore everything when a user has lost their private key. We can do that by duplicating the “Key Recovery Agent” certificate template. Users or groups that have the “Enroll” permission on high-value templates are considered high-privileged users. Ensure no unauthorized users or groups have been added. Besides that, make sure to monitor the group you have granted Enroll permission to. Last but not least, enable “CA certificate manager approval”.

Slide 61: Open the CA server object → Click on Recovery Agents → Archive the key → Add → Add the created duplicate template → Click “OK”.

Slide 62: Now we need to enable key archival; otherwise we would not be able to resolve any “key loss” problems. Start by making a duplicate of the certificate template that the user who lost the private key has.

Slide 63: Now we have made a duplicate of the Contoso Computer template; the template name is “Copy of Contoso Computer”. We also enabled key archival for it, which allows us to restore the private key. Now click on “Superseded Templates” and add Contoso Computer, because this is the certificate of the user in this example. Now re-enroll the certificate.

Slide 64: Now we need to go to “Issued Certificates” and use the certutil tool to restore the private key.
Recommendations:
- If you or your colleagues encrypt sensitive data somewhere, you need to have a backup plan in case a private key is lost. Ensure that a few security folks act as Key Recovery Agents.
- Only use this if you do use AD CS to encrypt sensitive data; otherwise it is fine to leave this out.

Slide 65: AD-CS-024: Use safe Elliptic Curve Cryptography
Using safe-curve cryptography is required and an industry best practice. If using ECC for CA keys, use the P-256, P-384 or P-521 curves.