Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

ComponentClassification
Certification AuthorityTier-0
Access to Authority Information Access (AIA) and CRL Distribution Points (CDP).Tier-1
Online responder (Online Certificate Status Protocol, OCSP)Tier-1
Network Device Enrollment Service (NDES)Tier-0
Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP and Certificate Enrollment Web Service, CES)Tier-0
Certificate Authority Web Enrollment (CAWE)Tier-0

Details on the classification of the Certification Authority

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

The Certification Authority is clearly Tier-0 for the following reasons:

Details on the classification of Authority Information Access (AIA) and CRL Distribution Points (CDP).

Authority Information Access (AIA) distribution points and CRL distribution points (CDPs) are clearly Tier 1 for the following reasons:

  • The systems require none direct access to the Certification Authority.
  • The server does not have to be installed as a domain member.
  • The systems may also be accessed by clients outside the internal network (e.g. Internet). The servers can be placed in a demilitarized zone (DMZ), for example.

Details on the classification of the online certificate status protocol (OCSP)

The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates thanks to OCSP, but can make a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)„.

Online responders (OCSPs) are clearly Tier 1 for the following reasons:

  • Although the online responder normally needs direct access to the certification authority, it does not have any increased permissions in this regard. Access to the certification authority can also be prevented altogether. In this case, the server does not have to be installed as a domain member.
  • Access under certain circumstances also from clients outside the internal network (e.g.: Internet). The servers can be placed in a demilitarized zone (DMZ), for example.

Details of the Network Device Enrollment Service (NDES) classification.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

The Network Device Enrollment Service (NDES) is Tier-0 for the following reasons:

In some circumstances, a downgrade to Tier-1 may occur if the following are considered:

Details on the classification of the Certificate Enrollment Policy Web Service (CEP).

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.

The Certificate Enrollment Policy Web Service (CEP) is Tier-0 for the following reasons:

  • The role installation requires Enterprise Administrator permissions. There is no workaround for this either.
  • Must be a domain member.
  • (Requires none direct access to the Certification Authority)

Details on the classification of the Certificate Enrollment Web Service (CES).

The Certificate Enrollment Web Service (CES) is Tier-0 for the following reasons:

Details on the classification of Certificate Authority Web Enrollment (CAWE).

Certificate Authority Web Enrollment (CAWE) is a website that enables applicants to send their certificate requests to a certification authority via a web interface. It is thus particularly suitable for submitting manual certificate requests. For a more detailed description, see the article "Basics Certificate Authority Web Enrollment (CAWE)„.

The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

Certificate Authority Web Enrollment (CAWE) is Tier-0 for the following reasons:

A downgrade in Tier-1 can occur if only Basic Authentication is used, and thus Kerberos delegation with protocol transition is not required.

Related links:

One thought on “Einordnung der ADCS-Komponenten in das administrative Schichtenmodell (Administrative Tiering Model)”

Comments are closed.

en_USEnglish