Configuring the Network Device Enrollment Service (NDES) to work with a static password.

There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords.

In this case, you can configure NDES to generate a static password that will not change afterwards.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

This configuration is latently insecure, since anyone with knowledge of the password can arbitrarily request certificates for the certificate template stored in the NDES. If there are several applications in the network that require the use of a static password, it is advisable to provide a separate NDES server for each of them and - if feasible - to use a separate password for each application. renew the password at regular intervals.

Solution

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

The desired setting can be found in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword

Below this is a 32-bit DWORD value called UseSinglePassword, which is set to 0 in the default installation. Setting the value to 1 enables the use of a static password.

Since the static password is stored in the registry, the NDES service account must be granted write permission to the MSCEP registry key.

This is achieved via the "Full Control" authorization.

Provided that the NDES service runs with the identity of the IIS application pool, this can be entered with the following syntax:

IIS APPPOOL\SCEP

Please also limit the search range (Locations...) to the local machine.

If the NDES service account is a domain account, the "Load User Profile" option must still be enabled in the advanced configuration of the IIS application pool.

Likewise, a user profile must exist, i.e. the NDES service account must log in to the NDES server interactively once for this to be generated.

This setting can also be set with the following Windows PowerShell command:

Import-Module -Name WebAdministration
Set-ItemProperty IIS:\AppPools\SCEP -name processModel -value @{LoadUserProfile="true"} 

Afterwards, the NDES service can be restarted with the iisreset command so that the new configuration can be read in.

Each time the NDES server is started, it will display the Event no. 50 log to point out the configuration with the static password.

The NDES administration web page (mscep_admin) should now indicate that the password will not change.

Related links:

11 thoughts on “Den Registrierungsdienst für Netzwerkgeräte (NDES) für den Betrieb mit einem statischen Passwort konfigurieren”

Comments are closed.

en_USEnglish