CA Windows Server 2003 Enterprise - (on a DMZ) Default Templates
In our current environment we have an AD (2003) DMZ forest with some services; our PKI serves SSL certificates for partners. Now we are trying to "enhance" our DMZ security and we've run into some "best practices approach" questions related to the Domain Controller certificates. We define two approaches:

Option 1: Define a Domain Controller offline process to request certificates from our DMZ CA (http://technet.microsoft.com/en-us/library/cc786029(WS.10).aspx). Duplicate the "Domain Controller Authentication / Offline Directory e-mail replication" templates (and define the superseded templates) following the process described at the previous URL, then enroll all the DMZ Domain Controllers.

Option 2: Publish the default "Domain Controller Authentication" template into our DMZ CA with the default security options.

As we are in a DMZ, I prefer to go with Option 1 and not publish any default templates on the DMZ issuing CA, taking into account the "enhancement" adopted in Windows Server 2008: the capolicy.inf flag that allows you to not install the default templates during the installation of any CA. What do you think? Brian Komar? Any suggestions? Thanks in advance.

Mariano Alegre
March 17th, 2011 12:47pm

I would recommend using option 1. Having a DMZ server that can issue DC certificates does not sound like a good security practice.

fr3dd
March 17th, 2011 1:41pm

Go with option 1. I would not personally place a CA in the DMZ - too many ports to open up, too much risk. I would publish the enrollment pages that I need for subscriber certs through the firewall (if needed). I have used the method for option 2 both for the DMZ and for distribution of Domain Controller certificates to other forests that do not have a PKI deployed (and no cross-forest trust) to the resource forest where the CA exists.

Brian
March 17th, 2011 3:52pm

So, Brian, from the "Best Practices" approach you would choose Option 1, agree?

- Duplicate & supersede the default templates, hardening the default security options & requiring "offline requests" (Option 1)
- Use the default templates and enroll all our Domain Controllers with the default template (Option 2)

... or it depends on ... (based on your experience). I don't like to "publish" certificate templates into our DMZ CA that are not used by anyone and that carry the "default" naming convention (lowering the attack surface...). Thanks in advance for your recommendations!
March 17th, 2011 4:07pm

I would do the manual enrollment method. Sorry for the typo that caused the confusion. To be honest, the default naming convention is not really an attack, as all of the certificate templates are ACL'd. If they have permissions, they would see the template no matter what the name is, if they provide acceptable credentials.

Brian
March 17th, 2011 5:29pm

Thanks for your cooperation and feedback. I appreciate your help and your GREAT contribution to our PKI community with your books! I agree that the default permissions of the templates must be "removed" or "changed" from the defaults, and my "approach" was to add a layer of security to avoid "script generated attacks" on our DMZ PKI (not externally accessible... but...)
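A defender's check for the approach the thread settles on (Option 1 plus the Windows Server 2008 capolicy.inf flag Mariano mentions), as an added example that is not from any poster: it writes a capolicy.inf so a newly installed CA loads no default templates, then inventories what an existing CA publishes, unpublishes the built-in DC templates, and publishes only the hardened duplicate. The CA config string and the duplicate template's name are placeholders; it assumes PowerShell and certutil on a CA-administration host.

```powershell
# Added example (not from the thread). Placeholders: CA config string and duplicate template name.
$CaConfig = 'DMZ-CA01.dmz.example\DMZ Issuing CA'   # placeholder "host\CA name"
$Hardened = 'DMZOfflineDCAuth'                       # placeholder name of the duplicated, ACL-hardened template
$DefaultDcTemplates = 'DomainController', 'DomainControllerAuthentication', 'DirectoryEmailReplication'

# 1. For a *new* 2008+ CA: capolicy.inf in %SystemRoot% before setup runs, so the defaults are never published.
@"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
LoadDefaultTemplates=0
"@ | Set-Content -Path (Join-Path $env:SystemRoot 'capolicy.inf') -Encoding ASCII

# 2. For an *existing* CA: list what is published. certutil -CATemplates prints one template per line
#    as "TemplateName: Display Name -- ..."; the final "CertUtil: ... completed" status line is skipped.
$raw = certutil -config $CaConfig -CATemplates
if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed for $CaConfig" }
$published = foreach ($line in $raw) {
    if ($line -match '^(?<name>[A-Za-z0-9_-]+): ' -and $Matches.name -ne 'CertUtil') { $Matches.name }
}

# 3. Any built-in DC template still published on the DMZ CA is a finding; unpublish it ("-Name" removes, "+Name" adds).
$leaks = @($published | Where-Object { $DefaultDcTemplates -contains $_ })
if ($leaks.Count -gt 0) {
    Write-Warning "Default DC templates published on the DMZ CA: $($leaks -join ', ')"
    foreach ($t in $leaks) { certutil -config $CaConfig -SetCATemplates "-$t" }
} else {
    Write-Host 'No default DC templates are published on the DMZ CA.'
}

# 4. Make sure only the hardened duplicate is available for the offline DC requests,
#    and dump its AD object (with -v this includes the security descriptor) for an ACL review before enrolling.
if ($published -notcontains $Hardened) {
    certutil -config $CaConfig -SetCATemplates "+$Hardened"
}
certutil -v -dstemplate $Hardened
```

Run it from an account that holds Manage CA on the DMZ CA; step 1 only matters on a server where the CA role has not been installed yet.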
March 17th, 2011 5:41pm
