If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.
| Component | Classification |
|---|---|
| Certification Authority | Tier-0 |
| Access to Authority Information Access (AIA) and CRL Distribution Points (CDP). | Tier-1 |
| Online responder (Online Certificate Status Protocol, OCSP) | Tier-1 |
| Network Device Enrollment Service (NDES) | Tier-0 |
| Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP and Certificate Enrollment Web Service, CES) | Tier-0 |
| Certificate Authority Web Enrollment (CAWE) | Tier-0 |
Details on the classification of the Certification Authority
The Certification Authority is clearly Tier-0 for the following reasons:
- The role installation requires Enterprise Administrator permissions (can be delegated, see article "Delegate the installation of an Active Directory integrated certificate authority„).
- The configuration of certificate templates requires elevated rights in Active Directory (can be delegated, see article "Delegate the creation and management of certificate templates„).
- Compromising the certificate authority allows the attacker to issue arbitrary certificates and possibly take over the Active Directory forest (see article "Attack vector on Active Directory directory service via smartcard logon mechanism„).
- As a rule, the certification authority is only accessed via systems from the internal network.
Details on the classification of Authority Information Access (AIA) and CRL Distribution Points (CDP).
Authority Information Access (AIA) distribution points and CRL distribution points (CDPs) are clearly Tier 1 for the following reasons:
- The systems require none direct access to the Certification Authority.
- The server does not have to be installed as a domain member.
- The systems may also be accessed by clients outside the internal network (e.g. Internet). The servers can be placed in a demilitarized zone (DMZ), for example.
Details on the classification of the online certificate status protocol (OCSP)
The Online Responder (Online Certificate Status Protocol, OCSP) is an alternative way of providing revocation status information for certificates. Entities that want to check the revocation status of a certificate do not have to download the complete list of all revoked certificates thanks to OCSP, but can make a specific request for the certificate in question to the online responder. For a more detailed description, see the article "Basics Online Responder (Online Certificate Status Protocol, OCSP)„.
Online responders (OCSPs) are clearly Tier 1 for the following reasons:
- Although the online responder normally needs direct access to the certification authority, it does not have any increased permissions in this regard. Access to the certification authority can also be prevented altogether. In this case, the server does not have to be installed as a domain member.
- Access under certain circumstances also from clients outside the internal network (e.g.: Internet). The servers can be placed in a demilitarized zone (DMZ), for example.
Details of the Network Device Enrollment Service (NDES) classification.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.
The Network Device Enrollment Service (NDES) is Tier-0 for the following reasons:
- Requires Enterprise Administrator permissions for role installation (can be bypassed, see article "Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions„).
- The server must be a domain member.
- The server has direct network access to the certification authority with rights to request certificates.
- The server has a certificate enrollment agent certificate (Enrollment Agent), which can be misused under certain circumstances to issue certificates via Enroll on Behalf of (EOBO) to apply.
In some circumstances, a downgrade to Tier-1 may occur if the following are considered:
- The role is installed without enterprise administrator rights (see above, but is not officially supported by the vendor).
- The connection to the NDES Server administration web page is only established via Secure Sockets Layer (see article "Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES).") allowed.
- Hardened Registration Authority certificates (see article "Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).") certificates and device templates (see article "Configure Device Template for Network Device Enrollment Service (NDES)") used.
- The server is connected to a certificate authority, which has a correspondingly low trust level and is security hardened accordingly (see article "Security hardening of a Certification Authority") is.
- The associated Certification Authority is not a member of NTAuthCertificates in the Active Directory.
- The possibilities for the certificate content that can be applied for are defined by Name restrictions of the Certification Authority or the TameMyCerts Policy Module for the Certification Authority restricted.
Details on the classification of the Certificate Enrollment Policy Web Service (CEP).
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.
The Certificate Enrollment Policy Web Service (CEP) is Tier-0 for the following reasons:
- The role installation requires Enterprise Administrator permissions. There is no workaround for this either.
- Must be a domain member.
- (Requires none direct access to the Certification Authority)
Details on the classification of the Certificate Enrollment Web Service (CES).
The Certificate Enrollment Web Service (CES) is Tier-0 for the following reasons:
- The role installation requires Enterprise Administrator permissions. There is no workaround for this either.
- Must be a domain member.
- Has direct network access to the certification authority.
- Requires Kerberos delegation with or without protocol transition depending on configuration (See article "Overview of the possible delegation settings for the Certificate Enrollment Web Service (CES)„).
Details on the classification of Certificate Authority Web Enrollment (CAWE).
Certificate Authority Web Enrollment (CAWE) is a website that enables applicants to send their certificate requests to a certification authority via a web interface. It is thus particularly suitable for submitting manual certificate requests. For a more detailed description, see the article "Basics Certificate Authority Web Enrollment (CAWE)„.
The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.
Certificate Authority Web Enrollment (CAWE) is Tier-0 for the following reasons:
- Must either be installed directly on the certificate authority (not recommended) or requires Kerberos delegation with protocol transition for proper functioning (see article "Overview of possible delegation settings for certification authority web registration (CAWE)„).
- Must be a domain member.
- Has direct network access to the certification authority.
- Delegation settings can be used to attack the certification authority under certain circumstances.
A downgrade in Tier-1 can occur if only Basic Authentication is used, and thus Kerberos delegation with protocol transition is not required.
Related links:
- Basics and risk assessment Delegation settings
- Firewall rules required for Active Directory Certificate Services
- Installation of a standalone root certification authority (Standalone Root CA)
- Installing a Certificate Enrollment Web Service (CES)
- Installing a Certificate Enrollment Policy Web Service (CEP)
- Installing Certification Authority Web Enrollment (CAWE)
- Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions
English 
Deutsch
One thought on “Einordnung der ADCS-Komponenten in das administrative Schichtenmodell (Administrative Tiering Model)”
Comments are closed.