Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Securing PKI: Technical Controls for Securing PKI
In this articleApplies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012 While a large percentage of the work required to operate a successful PKI is in the creation of the correct policies, standards and procedures, the work required to implement a secure design should not be discounted. This section introduces a number of technical recommendations for implementing a secure design. Implementing strong technical controls will introduce barriers that will make successful exploitation very difficult or cost prohibitive. Many of the recommendations are specific to AD CS-based online PKI deployments, although the concepts are universally applicable. Not all recommendations apply to all environments. Each recommendation is provided in the appendixTechnical Controls for Securing PKI along with the recommended impact level to which it applies. Securing the CA Operating SystemThe following are recommendations for securing the CA operating system. Creating a Baseline Configuration for all CAs and RAsCritical systems such as CAs should be locked down from the moment they are introduced onto the network. Several freely available tools exist (discussed below) that either ship with Microsoft Windows® or can be downloaded to assist in creating a baseline and then deploying it via Group Policy Objects (GPO) to all domain-joined certification authorities. Microsoft Security Compliance ManagerMicrosoft Security Compliance Manager (SCM) provides comprehensive security baseline recommendations for Microsoft operating systems and server roles. Use SCM to create a detailed baseline that can be deployed and enforced on all domain-joined CAs via GPO. Microsoft Security Configuration WizardMicrosoft Security Configuration Wizard (SCW) is a guide for the process of creating, editing, applying, or rolling back a security policy. In conjunction with SCM, use it to create a baseline configuration that can be applied across other similar servers via GPO. SCW is included with Microsoft Windows Server®. For more information on SCW, refer to the links below: Microsoft Windows Server 2008®: Security Configuration Wizard Microsoft Windows Server 2008 R2® and Microsoft Windows Server 2012®: Security Configuration Wizard Online CA Hardening RecommendationsBelow are several recommendations to consider when creating a secure baseline for an online CA. This list is not complete, and the recommendations provided should be extensively tested before deploying in a production environment.
Additional Roles on Certification AuthoritiesA common misconfiguration Microsoft sees during PKI assessments is an enterprise root or enterprise subordinate CA being run on the same system as a domain controller. Running a CA on the same system where other roles are hosted exposes the CA to a broader attack surface that introduces potential problems with performance and troubleshooting. Additionally, this may introduce issues when attempting to upgrade the environment in the future, as there may be requirements to run different components at different operating system levels. A CA system should run with only those roles and features installed that are required for its operation. Another common role installed on a CA is Internet Information Services (IIS) to support the CA web enrollment pages. Do not install the web enrollment pages or IIS as part of a standard CA install unless there is a known business requirement. Alternate Administrative AccountsAdministrators managing the day-to-day operations of the PKI should not use the same accounts used on personal productivity workstations to check email and browse the Internet. Instead, they should use dedicated alternate accounts with the required permissions necessary to manage the PKI. Updating Online Certification AuthoritiesAlthough it may seem counterintuitive, consider updating CAs and other critical infrastructure components separately from the general Microsoft Windows® infrastructure. If an organization leverages enterprise configuration management software for all computers in the infrastructure, compromise of the systems management software can be used to compromise or destroy all infrastructure components managed by that software. By separating updates and systems management for online certificate authorities from the general system population, the amount of software installed on CAs is reduced, and their management more tightly controlled. Internet Access from Certification AuthoritiesLaunching web browsers on CAs should be prohibited not only by policy but by technical controls, and CAs should not be permitted to access the Internet except to validate CRLs. Although detailed configuration instructions are outside the scope of this document, there are a number of controls to implement in order to restrict the misuse or misconfiguration and subsequent compromise of CAs. Local Administrators Group MembershipIn many organizations the baseline system configuration includes a large number of groups or user accounts included in the local administrators group of the system. With highly secure systems such as CAs, the number of accounts that are members of the local administrators group should be kept to a minimum. In an AD CS deployment, if an attacker gains access to an account with administrative access to the CA, there is a high likelihood they will be able to create certificates that will allow them to gain privileged access to the Active Directory®. For online CAs, consider limiting administrative access to only dedicated accounts used for management of the PKI, and enforce the members of the local administrators group via GPO. Enterprise Admins and Domain Admins can be removed from the local administrators group. Accounts that are of particular interest to attackers are accounts with wide and/or deep access across an environment. Often these are accounts that perform an important function, such as security scanning, update management, backup, inventory, etc. and require administrative rights to operate. Where possible, remove these accounts from CAs and consider how the function could be performed without requiring administrative rights on the CA. Additionally, eliminate or limit the number of system/service accounts that are permanent members of the local administrators group. Actions that are performed on a CA should be traceable back to the person that performed the action. Application WhitelistingUse AppLocker or a third-party application whitelisting tool to configure services and applications that are permitted to run on CAs. These permitted applications and services should be comprised of only what is required for the computer to host AD CS plus any system security software such as antivirus software. Whitelisting permitted applications on CAs adds an additional layer of security so that even if an unauthorized application is installed, the application cannot run. A CA is an excellent candidate for AppLocker because the list of software required to run on a CA should be minimal and relatively static. Testing is vital to an AppLocker deployment. Prior to deployment, test a list of rules in a test environment and then migrate the rules to a production server and run using Audit only enforcement to profile the CA. Once the rule set is established, enforce the rules. For more information on deploying AppLocker, refer to the AppLocker Overview. Securing Remote Management TasksFor highly secure CAs, it is very common for remote access to management tasks be very limited or disallowed by policy. Remote management should only originate from authorized users and systems. This can be accomplished through a combination of user rights settings and Microsoft Windows® Firewall with Advanced Security settings. A recommendation to consider when creating a remote access design is to use secure administrative hosts or jump hosts, as described in the Best Practices for Securing Active Directory whitepaper. While the whitepaper discusses in detail the approaches for securing domain controllers, the same strategies can be applied to other highly sensitive systems such as CAs. Microsoft Windows Server 2012 R2® and Microsoft Windows 8.1® introduce a new featurein mstsc.exe called “Restricted Admin Mode”. If mstsc.exe is started with the /restrictedAdmin parameter, the credentials used to authenticate will not be sent to the remote computer, which limits the ability of attackers to steal and reuse credentials. In addition to restricting access via Remote Desktop Protocol (RDP), control access to the CA through other channels as well. If you use physical hardware to host the CA, there is a high likelihood that the hardware contains a Remote Management Board (RMB) that can be used to access the system. Account for access via the RMB and any other channels (Microsoft Windows PowerShell® Remoting, DCOM, SMB, etc.) when designing a firewall policy. In high security deployments, consider disabling RMBs. After defining the acceptable methods of access, implement the controls using GPOs to apply them consistently. Consider using a dedicated Organizational Unit (OU) in Active Directory® to manage the application of GPOs to PKI systems. Many of the recommendations provided throughout this whitepaper can be applied through the use of GPOs. Multi-factor Authentication for Certification Authority AccessA recommendation for implementing a secure design is the implementation of multifactor authentication such as smart cards for online CA access. Smart cards implement hardware-enforced protection of private keys in a public-private key pair, preventing a user’s private key from being accessed or used unless the user presents the proper PIN, passcode, or biometric identifier to the smart card. Even if a user’s PIN or passcode is intercepted by a keystroke logger on a compromised computer, the card must also be physically present for an attacker to reuse the PIN or passcode. For cases in which long and complex passwords have proven difficult to implement because of user resistance, smart cards provide a mechanism by which users may implement relatively simple PINs or passcodes without the credentials being susceptible to brute force or rainbow table attacks. Smart card PINs are not stored in Active Directory® or in local SAM databases, although credential hashes may still be stored in LSASS protected memory on computers on which smart cards have been used for authentication. A common misconception when requiring smart cards for interactive access for a CA is that if there is a problem with the PKI used for the smart card certificates, the CA will be inaccessible to resolve the problem because it requires smart card logon. This is untrue because it is possible to continue to use the local administrator account in the case of an emergency. Even if the local administrator account is disabled, the system can still be booted to recovery mode to enable the account, or if GPOs can be edited, the account can be enabled via GPO to perform the tasks required. Securing Offline Certification AuthoritiesFor highly secure CAs that issue very few certificates, a strong preventive control is to keep the CA offline. The lack of network connectivity provides a boundary for potential attackers and exploits. The purpose for adding an additional security boundary and removing root and policy CAs from the network is that a compromise of a root CA has broader impact because it can be used to sign additional issuing CAs valid for any use cases and are inherently trusted. Additionally, root and policy CAs typically have very little use that would even require them to be powered on. However, keeping a CA offline introduces some new challenges, such as updating, maintenance and access. Offline CAs are often one of the most undervalued assets of an organization. If an attacker gains control of an offline CA that subordinates to an enterprise CA in Active Directory®, this could lead to full compromise of the directory by taking advantage of the inherited trust relationship. If an attacker gains control of an offline CA that subordinates to a CA used to issue certificates for financial transactions, intellectual property, or critical communication between partner organizations, this could jeopardize the business partnership or lead to regulatory penalties. Consider the following recommendations when designing and managing offline certification authorities. Protect CA Private KeysThe most important logical piece of data is the CA private key. Every time a CA performs a signing of a certificate or CRL, the CA private key is being used. If the CA private key were compromised, the attacker could perform operations as the CA, undermining any other security controls. Offline CAs Should Be Truly Offlinefor potential attackers and exploits. They are only accessible physically and never connect to a network. If the offline CA is installed on a physical server chassis, a network cable should never be plugged into the server. Ideally the server would be built without a network card, or the network card disconnected from the motherboard, disabled in the BIOS, or at minimum disabled logically in the operating system. Offline CAs can also be virtualized; refer to the Virtualizing Certification Authorities section for more information. Regardless if the CA is physical or virtual, when an offline CA is not in use, the systems and dependent components should be shut down completely. This includes host computers for virtualized offline CAs and HSMs. Managing Data TransferWith an offline CA, typical data transfer techniques such as file shares are not available. However, data will still need to be transferred to and from the system periodically. It is essential to scan USB or other transfer media for malware and only use authorized devices for file transfer or updating the server. Consider using a dedicated USB, SD card, or other removable media to transfer data to and from the offline system. Updating Offline Certification AuthoritiesWith strong processes in place to control the data introduced to the system, monthly security updates could be considered optional. For offline CAs, consider updating the operating system with service packs and any updates that affect the logical operation of the CA. This includes CA software updates, and updates for changes to time zone boundaries or Daylight Savings adjustments. Additional updates may be necessary to ensure supportability in case of a functional problem or for compliance reasons. If an HSM is used, ensure that updates to the HSM software and hardware are applied as appropriate. HSM vendors will provide updates that address security issues as well as additional functionality. Account ManagementIf you need built-in auditing capacity for tracking purposes, it may be necessary to create and assign separate local accounts for administration. However, if accessing the CA is protected with entry auditing and surveillance, extra accounts may not be necessary and the standard built-in administrator account can be used. In either case, it is recommended that any activity performed on an offline CA can be attributed back to the individual who performed the activity. If an HSM is not used, additional care is needed for administrative accounts. Virtualizing Certification AuthoritiesVirtualization of online or offline CAs may make sense in some scenarios. Virtualizing an AD CS CA in a Microsoft virtual server environment is a supported configuration. Refer to the Microsoft Virtual Server support policy for more information. This section provides guidance for securely implementing offline or online CAs using virtualization technology. Offline Certification AuthoritiesBefore virtualizing offline CAs (root, policy), consider the following recommendations:
Online Certification AuthoritiesWhen considering using virtualization for online CAs, consider the following recommendations:
Delegating PKI TasksManaging an Active Directory®-based AD CS CA deployment requires account permissions for a number of common activities. Generally speaking, the activities can be broken down into two major categories: Certification Authority Management These are infrequent configuration tasks that you may only perform once or a few times over the life of a CA:
Certificate Management These are more frequent operational tasks that regularly occur over the life of a CA:
By default, after installing a CA, ongoing operations require at least the occasional use of an account in the domain administrators or enterprise administrators groups. In some organizations it may be desirable to delegate the rights required to perform common PKI tasks to a separate group. It may also be desirable to delegate the rights required to perform infrequent operations to a separate team or set of accounts. If an organization operates a large number of CAs or the organizational structure is such that it makes sense to delegate these rights, refer to Securing PKI: Appendix C: Delegating Active Directory PKI Permissions for details on what permissions must be delegated. Role SeparationAn AD CS CA offers the option to enforce Common Criteria (CC) role separation, which is used to separate CA support into predefined CA roles. Each role is eligible to perform a specific subset of CA functionality. Users can be assigned to only one role, and if they are assigned to more than one role, they are unable to perform any CA-related activities. The table below describes the different roles available that are subject to role separation:
Role separation offers some benefits, but it also introduces some challenges that should be considered when evaluating its usefulness for your environment. Separating roles allows for a stronger separation of responsibilities for individuals or teams, and can provide a clear technical separation for systems that are subject to compliance requirements that require separation of duties. However, implementing role separation does require a sizable support staff. To ensure that there is adequate coverage for all critical roles, an organization would require multiple individuals for each role, which is often not possible. Give careful consideration to the operational impact enabling role separation may have before enabling it in your environment. If you use role separation, ensure that its configuration is monitored for changes, as it can be easily disabled by someone with administrative rights on the CA. Refer to the Securing PKI: Monitoring Public Key Infrastructure section for more information. For more details on role separation refer to the following resources: Implement Role-Based Administration Role Separation Defining PKI Management and Delegation Protecting CA BackupsWhen performing a backup of a CA, there are three items necessary to fully recover:
Several options exist for backing up a CA. If you are using an HSM, consult the HSM vendor documentation for details on what is required to back up and restore HSM protected keys. CA backup options include:
A common issue Microsoft finds in many PKI assessments is that once a backup of a CA is taken, the same level of protection is not always provided to the backup that exists on the CA. If you are not utilizing an HSM and you are performing regular backups that include the private key, the private key and certificate are stored in a PKCS#12 (PFX) file. If an attacker is able to gain access to the PKCS#12 file, they have the opportunity to brute force the password on the file and gain access to the CA key. If the password can be cracked, the attacker has compromised your PKI and can create certificates of their choosing. The same applies when performing system state backups. If an attacker gains access to a system state backup, they can restore it and gain access to the private key(s). When designing a backup strategy for the CA, consider the following recommendations:
Note In Microsoft Windows Server 2008® and Microsoft Windows Server 2008 R2®, private keys were not included in the system state backup. A hotfix was released that addressed this issue and private keys are included with the system state backup image if the hotfix is applied. Network IsolationCAs should only be accessible by the users and systems that require access to them. There are many deployment scenarios for a CA and many front end systems that may require access to a CA. Supporting some out-of-box scenarios such as auto enrollment of user or computer certificates requires broad access to the CA from most, if not all, domain joined client computers and users on the internal network. Other deployments, such as deploying with a RA such as Forefront Identity Manager Certificate Management, may only require the RA system to interact directly with the CA. When developing the security design for PKI, consider the following recommendations:
Securing Certificate TemplatesAttackers will take the path of least resistance when attempting to compromise an environment. If a simple attack vector is available, attackers will use it rather than using exploits that are more difficult to execute or more difficult to detect. One method attackers use to compromise environments is to employ misconfigured certificate templates to get credentials that can then be used to access additional systems or sensitive data. The following are several recommendations to consider in order to secure certificate templates:
Controlling User Added Subject Alternative NamesAn Active Directory® Certificate Services CA offers several methods to add subject alternative names (SANs) to a certificate:
Allowing users to define arbitrary alternative names poses risk to the PKI if it is not implemented with proper controls. Anytime you allow a user to define SANs, implement the following additional controls:
It is strongly recommended not to enable the EDITF_ATTRIBUTESUBJECALTNAME2 flag on an enterprise CA. If this is enabled, alternative names are allowed for any Certificate Template issued, regardless of how the subject of the certificate is determined according to the Certificate Template. Using this feature, a malicious user could easily generate a certificate with an alternative name that would allow them to impersonate another user. For example, depending on the issuance requirements, it may be possible for a malicious user to request a new certificate valid for smart card logon and request a SAN which contains the UPN of a different user. Since smart card logon uses UPN mapping by default to map a certificate to a user account, the certificate could be used to log on interactively as a different user, which could be a domain administrator or other VIP account. If this flag is enabled, the CA should be limited to require Certificate Manager approval or limit enrollment permissions to only trusted accounts. To see if EDITF_ATTRIBUTESUBJECALTNAME2 is enabled on the CA, run the following command: certutil –getreg policy\EditFlagsIf EDITF_ATTRIBUTESUBJECTALTNAME2 is included, it is turned on. To disable the setting, run the following command: certutil –setreg policy\EditFlags –EDITF_ATTRIBUTESUBJECTALTNAME2Then restart the CA service: net stop certsvc && net start certsvcFor more information on subject alternative names, refer to How to Request a Certificate With a Custom Subject Alternative Name. ConclusionImplementing strong technical controls can mitigate many of the common attack vectors used to compromise an ADCS PKI installation. This section has detailed some of the common misconfigurations that can lead to compromise, including securing access to certificate templates, and template enrollment options that lead to the issuance of unauthorized credentials. Limiting access to PKI systems through network controls and treating PKI systems as high value assets that are not managed like common infrastructure helps mitigate the risk of the PKI being compromised through supporting systems and overly broad access. Strong key protection help mitigate the threat of a CA key being exported and used outside of authorized hardware by an insider threat or an attacker. For a complete list of the recommendations for technical controls, along with the level of Determining the Level of Protection Required at which you should consider implementing them for, refer to Securing PKI: Appendix F: List of Recommendations by Impact Level. See AlsoSecuring Public Key Infrastructure (PKI) Securing PKI: Introduction Securing PKI: Planning a CA Hierarchy Securing PKI: Physical Controls for Securing PKI Securing PKI: PKI Process Security Securing PKI: Planning Certificate Algorithms and Usages Securing PKI: Protecting CA Keys and Critical Artifacts Securing PKI: Monitoring Public Key Infrastructure Securing PKI: Compromise Response Securing PKI: Appendix A: Events to Monitor Securing PKI: Appendix B: Certification Authority Audit Filter Securing PKI: Appendix C: Delegating Active Directory PKI Permissions Securing PKI: Appendix D: Glossary of Terms Securing PKI: Appendix E: PKI Basics Securing PKI: Appendix F: List of Recommendations by Impact Level Security and Protection Secure Windows Server 2012 R2 and Windows Server 2012 What is the role of the operating system in managing security?OS provides antivirus protection against malicious attacks and has inbuilt firewall which acts as a filter to check the type of traffic entering into the system.
In which multi tasking mode can an operating system take control of the processor without consent from the task?Preemptive multitasking differs from non-preemptive multitasking in that the operating system can take control of the processor without the task's cooperation. (A task can also give it up voluntarily, as in non-preemptive multitasking.) The process of a task having control taken from it is called preemption.
What are security and protection policies in operating system?In general, an OS security policy is a document that specifies the procedures for ensuring that the operating system maintains a specific level of integrity, confidentiality, and availability. OS Security protects systems and data from worms, malware, threats, ransomware, backdoor intrusions, viruses, etc.
Which method scans systems to identify common security misconfigurations and missing security updates?MBSA can be used to improve your security management process by analyzing a computer or a group of computers and detecting missing patches/updates and common security misconfigurations. After you run a MBSA scan, the tool will provide you with specific suggestions for remediating security vulnerabilities.
|