Configuring the Network Device Enrollment Service (NDES) to operate without a password.

There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords. Some solutions cannot handle a password at all.

In this case, you can configure NDES not to generate or require a password.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

This configuration is latently insecure, since anyone who can connect to the NDES server can request arbitrary certificates for the certificate template configured in NDES, which under certain circumstances undermines the security of the entire network. If there are multiple applications on the network that require operation without a password, it is advisable to provide a separate NDES server for each of them. If possible, firewall rules should be set up that restrict connections to NDES to the authorized systems.

Solution

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and can be used free of charge.

The desired setting can be found in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword

Below this is a 32-bit DWORD value called EnforcePassword, which is set to 1 in the default installation. Setting the value to 0 enables operation without a password.

Afterwards, the NDES service can be restarted with the iisreset command so that the new configuration is read in.

The NDES administration web page (mscep_admin) should now no longer display a password. Unfortunately, there is no explicit indication that NDES is configured without a password.
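As an added example that is not part of the original article, the following PowerShell reads the EnforcePassword value described above so an administrator can tell from the registry whether NDES runs without a password, and changes it followed by the iisreset the article calls for. The function names are my own; the registry path and value name are the ones given above.

```powershell
# Added example, not from the original article. Assumes the default NDES
# registry location named in the text; the function names are hypothetical.
$NdesKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword'

function Get-NdesPasswordEnforcement {
    # Returns 1 (password required, the default), 0 (no password),
    # or $null when the key or value does not exist on this host.
    if (-not (Test-Path -Path $NdesKey)) { return $null }
    $item = Get-ItemProperty -Path $NdesKey -Name 'EnforcePassword' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnforcePassword
}

function Set-NdesPasswordEnforcement {
    # Writes the 32-bit DWORD and restarts IIS, because NDES runs inside IIS
    # and only reads the value when the application pool starts.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path -Path $NdesKey)) { New-Item -Path $NdesKey -Force | Out-Null }
    Set-ItemProperty -Path $NdesKey -Name 'EnforcePassword' -Value $Value -Type DWord
    & iisreset.exe | Out-Null
}

# Audit: the mscep_admin page gives no explicit hint, so the registry is the
# authoritative place to check whether passwordless enrollment is active.
$state = Get-NdesPasswordEnforcement
if ($null -eq $state) {
    Write-Output 'EnforcePassword not found; NDES is probably not installed on this host.'
} elseif ($state -eq 0) {
    Write-Warning 'NDES runs WITHOUT a challenge password: restrict access with firewall rules and a dedicated server.'
} else {
    Write-Output 'NDES requires a challenge password (default).'
}

# To switch to passwordless operation as described in the article (run elevated):
#   Set-NdesPasswordEnforcement -Value 0
# To restore the default afterwards:
#   Set-NdesPasswordEnforcement -Value 1
```

Run the script elevated on the NDES server; the audit part is read-only and can be scheduled to flag servers that were switched to passwordless mode.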
