280 Part II: Establishing a PKI Figure 12-12 OCSP Response Signing enables the OCSP No Revocation Checking extension Case Study: Certificate Template Design You are responsible for designing certificate templates for your organization. The software development department has created several custom applications that require digital signing prior to network deployment. Digital signatures are required to meet the company’s security policy regarding custom application security. The company uses a mix clients running Windows XP and Windows Vista and servers running Windows Server 2003 and Windows Server 2008. Requirements To meet the security policy, the manager of the security department has provided you with the following requirements: ■ The code-signing certificate must be stored on a Gemalto .NET Base CSP smart card. ■ Only members of the Code Signing group can request a code-signing certificate. ■ All initial code-signing certificate requests are subject to the approval of the company’s notary public. Chapter 12: Designing Certificate Templates 281 ■ If you already have a code-signing certificate, you can reenroll without having to meet with the notary public again. ■ The code-signing certificate must be valid for four years. ■ The code-signing certificate must never reuse a previous key pair. ■ The code-signing certificate must have a key length of 1,024 bits. Case Study Questions 1. What MMC console do you use to perform certificate template management? 2. Does the default Code Signing certificate template meet the design requirements? 3. Can you modify the default Code Signing certificate template? If not, what would you do? 4. Should you create a version 2 or a version 3 certificate template? 5. In the following table, specify the settings on the General tab to meet the design requirements for your custom code-signing certificate template. 6. In the following table, specify the settings on the Request Handling tab to meet the design requirements for the custom code-signing certificate template. Attribute Your recommended design Template display name Template name Validity period Publish certificate in Active Directory Do not automatically reenroll if a duplicate certificate exists in Active Directory For automatic renewal of smart card certificates, use the existing key if a new key cannot be created Attribute Your recommended design Purpose Allow private key to be exported Minimum key size Do the following when the subject is enrolled and when the private key associated with this certificate is used CSPs 282 Part II: Establishing a PKI 7. In the following table, specify the settings on the Issuance Requirements tab to meet the design requirements for the custom code-signing certificate template. 8. How must you configure the settings on the Superseded Templates tab to ensure that all certificates a CA issues for code signing use the version 2 certificate template? 9. What permission assignment modifications are required for the custom code signing certificate? Best Practices for Certificate Template Design When designing certificate templates, the following best practices should be employed: ■ Determine whether a default version certificate template meets your business goals. A default template does not require any modifications other than permission assignment. ■ If you need to change settings in a certificate template other than permissions, duplicate a template that is closest to the required template. This minimizes the number of changes required. ■ If you replace an existing certificate template with an updated template, ensure that you add the previous template to the Superseded Templates tab. ■ To enroll a certificate, a user or computer must be assigned Read and Enroll permissions, either directly or through group membership. ■ To enroll a certificate with autoenrollment, a user or computer must be assigned Read, Enroll, and Autoenroll permissions. ■ To modify a certificate template, a user must be assigned Write permissions. ■ Determine whether you should deploy fewer certificates with multiple purposes or many certificates with specific purposes. The decision is based on the purposes you require and whether you foresee removing a purpose from a certificate holder. ■ Do not create certificate templates that exceed the lifetime of the issuing CA or the values declared in the CA\ValidityPeriodUnits and CA\ValidityPeriod registry entries. A CA will issue the certificate with a lifetime equal to the lowest value of the three entries. Attribute Your recommended design CA certificate manager approval This number of authorized signatures Require the following for reenrollment Chapter 12: Designing Certificate Templates 283 ■ Use version 3 certificate templates only if the operating systems of the computers that will use the certificate template and the applications that will use the certificate tem- plates support CNG algorithms. Currently, CNG–based algorithms are supported only on Windows Vista and Windows Server 2008. Table 12-2 summarizes common applications and their support for version 3 certificates. Additional Information ■ Microsoft Official Curriculum, Course 2821: “Designing and Managing a Windows Public Key Infrastructure” (http://www.microsoft.com/traincert/syllabi/2821afinal.asp) ■ “Implementing and Administering Certificate Templates” (http://www.microsoft.com/ downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24& displaylang=en) ■ 283218: “A Certification Authority Cannot Use a Certificate Template” ■ 281260: “A Certificate Request That Uses a New Template Is Unsuccessful” ■ 313629: “A Custom Smart Card Template Is Unavailable on the Smart Card Enrollment Station” ■ 330238: “Users Cannot Enroll for a Certificate When the Include E-Mail Name in Subject Name Option Is Selected on the Template” Note The last four articles in the list above can be accessed through the Microsoft Knowl- edge Base. Go to http://support.microsoft.com and enter the article number in the Search the Knowledge Base text box. Table 12-2 Application Support for Version 3 Certificates Application name Verify a certificate chain with version 3 certificates using CNG algorithms Use algorithms that are not supported by CAPI (CSP) EFS Yes No IPsec Yes Yes Kerberos No No S/MIME Microsoft Office Outlook 2003: no Outlook 2007: yes Outlook 2003: no Outlook 2007: yes Smart Card Logon No No SSL Yes Yes Wireless Yes Yes 285 Chapter 13 Role Separation An important step in designing and implementing a public key infrastructure (PKI) is determining the groups or users who will manage it. To facilitate secure administration of Certificate Services, both the Windows Server 2003 Certificate Services and Windows Server 2008 Active Directory Certificate Services (AD CS) support Common Criteria role separation. Common Criteria role separation requires that PKI management be configured so that no single person has full control, thereby protecting an organization against a “malicious PKI administrator.” There are other roles that must be considered when designing and implementing your organization’s PKI in addition to the roles defined in the Common Criteria protection profile. This chapter will discuss how to plan PKI management and implement role separation. Note Because there is no difference in implementing Common Criteria role separation in Windows Server 2003 and Windows Server 2008, the rest of this chapter will refer to Windows Server 2008. Common Criteria Roles According to Common Criteria guidelines, no user can hold more than one PKI management role—and any user who does hold two or more PKI management roles must be blocked from all management functions. Note You can assign multiple users the same role when defining role-holders. Enforcing Common Criteria role separation on a Windows Server 2008 certification authority (CA) ensures that a single user cannot hold multiple roles, but multiple users can hold the same role. Common Criteria Levels “Certificate Issuing and Management Components Family of Protection Profiles” is a stan- dards document that defines requirements for the issuance, revocation, and management of X.509 certificates. Taking into consideration that different security levels are required for dif- ferent organizations, the standards document describes four protection profiles. Each profile provides additional safety through increased security and assurance requirements for X.509 certificate distribution. 286 Part II: Establishing a PKI More Info Windows Server 2008 Certificate Services is designed to meet the role definitions listed in version 1.0 of “Certificate Issuing and Management Components Family of Protection Profiles,” which can be found at http://niap.bahialab.com/cc-scheme/pp/ PP_CIMC_SL1-4_V1.0.pdf. Security Level 1 Certificate Issuing and Management Components (CIMC) Security Level 1 defines the mini- mum level of certificate management security for environments in which threats against the PKI are considered to be low. It defines two PKI management roles: ■ CA administrator Responsible for account administration, key generation of the CA certificate’s key pair, and auditing configuration ■ Certificate manager Responsible for certificate management. Management functions include issuing and revoking certificates In addition to these two roles, the PKI must restrict access to only authorized PKI users and implement only cryptographic algorithms that are validated against Federal Information Processing Standards (FIPS) 140-1, “Security Requirements for Cryptographic Modules.” Security Level 2 CIMC Security Level 2 increases the level of certificate management security for environments in which the risks and consequences of data disclosure are not considered a significant issue. It also increases security by rejecting certificate requests by unauthorized users. All users must authenticate with the PKI before certificate issuance. Security Level 2 uses the same two management roles as Security Level 1. The difference is that Level 2 requires increased auditing and cryptographic protection of audit logs and system backups. In addition, FIPS 140-1 Level 2 cryptographic modules are required for the protection of a CA’s key pair. Security Level 3 CIMC Security Level 3 further raises the security level and is intended for environments in which it is considered a moderate risk if data is disclosed or loss of data integrity. As compared to Security Level 2, CIMC Security Level 3 implements additional integrity controls to ensure that an unauthorized person cannot modify data. This includes protection against an unauthorized person who gains physical access to a CA. Security Level 3 defines three PKI management roles: ■ CA administrator Responsible for account administration, key generation of the CA certificate’s key pair, and auditing configuration. Chapter 13: Role Separation 287 Choosing Auditing Behavior Windows Server 2003 Service Pack 1 and Windows Server 2008 allow you to choose which Common Criteria role can define audit settings. The default behavior in Windows Server 2003 and Windows Server 2008 is to allow the Auditor role to both define audit settings at the CA and to view and maintain the audit logs. With Windows Server 2003 Service Pack 1 or Windows Server 2008 installed, you can instead choose to have the CA administrator role define the audit settings at a specific CA. This is accomplished by having a local administrator run the following certutil command: certutil -setreg CA\InterfaceFlags +IF_ENABLEADMINASAUDITOR Once the command executes and Certificate Services is restarted, the task of defining the CA audit settings is allocated to the CA administrator role rather than the CA auditor role. ■ Certificate manager Responsible for certificate management. Management functions include issuing and revoking certificates. ■ Auditor Responsible for maintaining the CA audit logs. Additional security measures include having at least two persons involved in the control and management of private keys, implementing FIPS 140-1 Level 3 protection of CA keys, and requiring digital signatures for all data transferred between the CA and the hardware security module (HSM). Security Level 4 CIMC Security Level 4 provides the highest PKI security protection. It is intended for environments in which the consequences of data disclosure and loss of data integrity by either authorized or unauthorized users are significant to the organization. Security Level 4 defines four PKI management roles: ■ CA administrator Responsible for account administration and key generation of the CA certificate’s key pair ■ Certificate manager Responsible for certificate management, including functions such as issuing and revoking certificates ■ Auditor Responsible for maintaining and viewing the CA audit log entries in the Windows Security log ■ Backup operator Responsible for performing backups of PKI information 288 Part II: Establishing a PKI Security Level 4 requires signed third-party timestamping of audit logs to increase integrity. In addition, cryptographic modules at each CA must be validated to FIPS 140-1 Level 4. Note The only cryptographic module rated at FIPS 140-1 Level 4 at the time of this book’s publication is the AEP Keyper Enterprise (http://www.aepnetworks.com/products/ key_management/keyper/ent_overview.aspx). More FIPS 140-1 Level 4 devices should be available in the near future. Windows Implementation of Common Criteria Windows Server 2008 allows you to define PKI management roles in compliance with the four roles defined in CIMC Security Level 4. The Windows Server PKI management roles are: ■ CA administrator ■ Certificate manager ■ Backup operator ■ Auditor The following sections detail information on Windows Server Common Criteria roles and how to implement each role. Note AD CS does not require the user to have local administrative rights on the CA computer for day-to-day PKI management. The user must be assigned only the CA permissions or the user rights associated with one of the four Common Criteria roles. Important The only tasks where administrative rights are required at a CA are the installation of a new CA or the renewal of a CA certificate. You must be a member of the local administrators to install AD CS and to generate key material in the local machine store. In addition, you must be a member of Enterprise Admins to install or renew an enterprise CA. CA Administrator A CA administrator configures and maintains the CA. A user assigned the CA administrator role can designate other CA administrators, assign certificate managers, and perform the following CA management tasks: ■ Configure extensions Define URLs for both CRL Distribution Points (CDPs) and Authority Information Access (AIA). ■ Configure policy and exit modules Policy and exit modules determine the actions a CA takes during certificate issuance. For example, the default policy module allows a CA Chapter 13: Role Separation 289 administrator to configure whether all certificate requests are pended or issued based on the user’s credentials. An exit module allows you to define whether the certificate information is published to preconfigured file share locations. Using Exit Modules Exit modules can be used in many ways to enhance the functionality of a Windows Server 2008 CA. For example, Microsoft has deployed a custom exit module that performs a real-time, centralized logging function that tracks all issued certificates into a Microsoft SQL Server database. This functionality is discussed in the article “Microsoft IT Showcase: Deploying PKI Inside Microsoft,” available at http://www.microsoft.com/ downloads/details.aspx?FamilyId=46CA7043-0433-4140-853A-05F01430A30D&display- lang=en. In the default exit module for Certificate Services, you can enable additional functional- ity by enabling the Simple Mail Transfer Protocol (SMTP) functionality within the exit module. The SMTP functionality allows the CA to send SMTP e-mail messages to desig- nated e-mail recipients when specific CA activities take place, such as the publication of a certificate revocation list (CRL), revocation of a certificate, or stopping and starting of Certificate Services. The SMTP exit module functionality is discussed in the “Win- dows Server 2003 PKI Operations Guide,” available at http://www.microsoft.com/down- loads/details.aspx?FamilyID=8e25369f-bc5a-4083-a42d-436bdb363e7e&DisplayLang=en. ■ Define certificate manager restrictions Restrict each certificate manager to management of specific combinations of global groups and certificate templates. ■ Define enrollment agent restrictions Restrict each defined enrollment agent to manage- ment of specific combinations of global groups and certificate templates. ■ Define certificate managers Designate certificate managers to issue and deny certificate requests and to extract encrypted private keys from the CA database for key recovery. ■ Define key recovery agents Designate key recovery agent certificates at a CA for the archival and recovery of private keys at the CA database. ■ Define other CA administrators Designate CA administrators to perform CA management tasks. ■ Delete a single record in the CA database By using the certutil –deleterow command to delete the record associated with the certificate, you can remove specific certificate information from the CA database. ■ Enable, publish, or configure the CRL schedule Manage all aspects of publishing CRLs and delta CRLs at a CA. ■ Read the CA configuration information View the CA’s current configuration and modify only those areas enabled for modification by CA administrators. [...]... windowsserver/en/library/e1d5a892-10e1-417c-be13-99d7147989a91033.mspx?mfr=true) ■ “Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure” (http://technet2 .microsoft. com/windowsserver/en/library/091cda67-79ec481d-8a96-03e0be7374ed1033.mspx?mfr=true) Chapter 13: Role Separation 3 05 ■ PKI Enhancements in Windows XP Professional and Windows Server 2003” (http://www .microsoft. com/technet/prodtechnol/winxppro/Plan/PKIEnh.asp)... Backup In Windows Server 2008, a system state backup is performed at a command prompt by using the Wbadmin.exe tool This is a major change from Windows Server 2003 where a commandline system state backup was performed using the command line version of Microsoft NT Backup Important The previous form of backup used in Windows Server 2003, Windows NT Backup, is deprecated in Windows Server 2008 If you... (http://www .microsoft. com/technet/prodtechnol/winxppro/Plan/PKIEnh.asp) ■ “Active Directory Certificate Server Enhancements in Windows Server Code Name ‘Longhorn’” white paper (http://www .microsoft. com/downloads/details.aspx? familyid=9bf17231-d832-4ff9-8fb8- 053 9ba21ab 95& displaylang=en) ■ Microsoft IT Showcase: Deploying PKI Inside Microsoft (http://www .microsoft. com/ downloads/details.aspx?FamilyId=46CA7043-0433-4140- 853 A-05F01430A30D& displaylang=en)... Command Prompt 3 At the command prompt, type the following command, and then press Enter: Wbadmin start systemstatebackup –backuptarget:DriveLetter The command starts a system state backup to the root of the designated drive letter (for example D:) Performing Windows Server Backups To perform a Windows server backup, users can use Windows Server Backup, the backup software that ships with Windows Server. .. have upgraded from Windows Server 2003 and need to access Windows Server 2003 backups, you must download the Windows NT Backup—Restore utility at http://go .microsoft. com/fwlink/?LinkId=82917 You cannot restore system state backups created with Windows NT Backup by using WBAdmin Installing Windows Server Backup Before you can run a system state backup, you must install the Windows Server Backup feature... Certificate Services? Additional Information ■ Microsoft Official Curriculum, Course 2821: “Designing and Managing a Windows Public Key Infrastructure” (http://www .microsoft. com/learning/syllabi/en-us/ 2821Afinal.mspx) ■ “PKCS #7: Cryptographic Message Syntax Standard” (ftp://ftp.rsasecurity.com/pub/ pkcs/doc/pkcs-7.doc) ■ Windows Server 2003 PKI Operations Guide” (http://technet2 .microsoft. com/ windowsserver/en/library/e1d5a892-10e1-417c-be13-99d7147989a91033.mspx?mfr=true)... formatted for use, and the backup schedule is created 13 On the Summary page, click Close Backups will now execute based on the schedule you set in the wizard Note For more details on configuring Windows Server Backup, see the Windows Server 2008 Backup and Recovery Step-by-Step Guide” at http://technet2 .microsoft. com/ windowsserver2008/en/library/40bdcbc9-ce96-4477-8df3-7a20d4bc42a51033.mspx?mfr=true... Criteria role separation on the Windows Server 2003 Enterprise and Datacenter Editions and Windows Server 2008 Enterprise and Datacenter Editions By enforcing role separation, AD CS blocks any user account that is assigned two or more Common Criteria roles from all Certificate Services management activities For example, if a user is assigned both the CA Administrator and Certificate Manager roles, the... settings Certificate Manager This role approves or denies certificate enrollment requests and revokes issued certificates Specifically, a user assigned the certificate manager role can: ■ Issue or deny pending certificate requests At a standalone CA all certificate requests are pended by default until a certificate manager approves the certificate requests Likewise, Chapter 13: Role Separation 291 a certificate. .. can be defined so that a certificate manager must approve a certificate request before the CA issues the certificate ■ Revoke issued certificates A certificate manager can revoke a certificate if the organiza- tion’s revocation policy requires certificate revocation For example, a certificate can be revoked if the private key is compromised Certificate revocation terminates the certificate s validity . company’s security policy regarding custom application security. The company uses a mix clients running Windows XP and Windows Vista and servers running Windows Server 2003 and Windows Server 2008. Requirements To. Behavior Windows Server 2003 Service Pack 1 and Windows Server 2008 allow you to choose which Common Criteria role can define audit settings. The default behavior in Windows Server 2003 and Windows. implementing Common Criteria role separation in Windows Server 2003 and Windows Server 2008, the rest of this chapter will refer to Windows Server 2008. Common Criteria Roles According to Common