Microsoft Windows Security Resource Kit

Securing Certificate Services

To prevent the likelihood of these threats, you can take the following measures:

• Implement physical security measures.

• Implement logical security measures.

• Modify CRL and CA certificate publication points.

• Enable CRL checking in all applications.

• Manage permissions of certificate templates.

Implementing Physical Security Measures

Physical security measures prevent attackers from gaining physical access to the computer running Certificate Services. When an attacker gains physical access to a computer, any number of attacks can take place. Physical security measures can include the following:

• Creating a three-tier hierarchy that deploys the root CA and the second-level CAs (also referred to as policy CAs) as offline CAs. An offline CA is removed from the network and is turned on only to issue new CA certificates and to publish updated CRLs.

• Deploying hardware-based key modules, such as hardware storage modules, for the generation and protection of the CA key pair and for the signing of all issued certificates.

• Removing offline CAs from the network and storing them in physically secure locations, such as vaults, safes, or secured server rooms, based on your company s security policy.

Implementing Logical Security Measures

In addition to physical security measures, modifying the configuration of Certificate Services can increase the security of a CA. Logical security measures can include these:

• Restricting membership in the local Administrators group at the CA. Only local administrators can modify CA configuration by default.

• Modifying permissions of the %systemroot%\system32\Certsrv folder so that Administrators and System have Full Control permissions and Authenticated Users have Read & Execute, List Folder Contents, and Read permissions.

• Modifying the permissions to the %systemroot%\system32\Certlog folder so that Administrators, System, and Enterprise Admins have Full Control permissions.

• Assigning the Administrators, System, and Enterprise Admins security principals Full Control permissions if a shared folder location is specified in the configuration of the CA for the CertEnroll share.

• Monitoring the membership of the Cert Publishers group in each domain. Membership in the Cert Publishers group allows member CA computer accounts to publish certificates in user objects. Only members of the Cert Publishers group have this permission.

  The Cert Publishers group is a global group. If multiple domains exist in your forest, a CA in one domain cannot publish certificates to user account objects in other domains. You can change this behavior by modifying permissions in Active Directory, as described in 281271, Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain. This Knowledge Base article recommends creating a custom universal group that contains the Cert Publishers group from each domain in the forest, as well as assigning required permissions to the universal group.

Modifying CRL and CA Certificate Publication Points

Publish CRLs and Authority Information Access (AIA) to locations accessible by all users. The certificate chaining engine must have access to the CRL and CA certificate for each CA in the certificate chain. If any CA in the certificate chain s CRL or CA certificate is not available, the chaining engine will prevent that certificate from being used if certificate revocation is enabled.

Enabling CRL Checking in All Applications

When you enable CRL checking in all applications, you ensure that every presented certificate is validated. Doing so confirms that the certificate has not been revoked, is time valid, and meets any constraints defined for the application. If an application does not perform CRL checking, it is possible for an attacker to use a certificate that was revoked for authentication or encryption purposes.

Managing Permissions of Certificate Templates

You can modify the default permissions for any certificate template so that only specific security groups have the necessary Read and Enroll permissions. If the permissions of a certificate template are modified, attackers could acquire a certificate with special privileges, such as an Enrollment Agent certificate that allows the subject to request certificates on behalf of other users.