You can use role-based administration to organize certification
authority (CA) administrators into separate, predefined CA roles, each
with its own set of tasks. Roles are assigned by using each user's
security settings. You assign a role to a user by assigning that user
the specific security settings that are associated with the role. A user
that has one type of permission, such as Manage CA permission, can
perform specific CA tasks that a user with another type of permission,
such as Issue and Manage Certificates permission, cannot perform.
The following table describes the roles, users, and groups that
can be used to implement role-based administration. To assign a role to
a user or group, you must assign the role's corresponding security
permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used
to distinguish which users have which roles.
All CA roles are assigned and modified by members of local Administrators, Enterprise Admins, or Domain Admins.
On enterprise CAs, local administrators, enterprise administrators, and
domain administrators are CA administrators by default. Only local
administrators are CA administrators by default on a stand-alone CA. If a
stand-alone CA is installed on a server that is joined to an Active
Directory domain, domain administrators are also CA administrators.
The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.
Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.
Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user's security permissions, group membership, or user rights.
 Note |
|---|
| Role-based administration is supported by both Windows Server® 2008 and Windows Server 2003 enterprise and stand-alone CAs. |
| Roles and groups | Security permission | Description |
|---|---|---|
|
CA administrator |
Manage CA |
Configure and maintain the CA. This is a CA role and
includes the ability to assign all other CA roles and renew the CA
certificate. These permissions are assigned by using the Certification
Authority snap-in. |
|
Certificate manager |
Issue and Manage Certificates |
Approve certificate enrollment and revocation requests.
This is a CA role. This role is sometimes referred to as CA officer.
These permissions are assigned by using the Certification Authority
snap-in. |
|
Backup operator |
Back up file and directories Restore file and directories |
Perform system backup and recovery. Backup is an operating system feature. |
|
Auditor |
Manage auditing and security log |
Configure, view, and maintain audit logs. Auditing is an operating system feature. Auditor is an operating system role. |
|
Enrollees |
Read Enroll |
Enrollees are clients who are authorized to request certificates from a CA. This is not a CA role. |
The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.
Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.
Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user's security permissions, group membership, or user rights.
To set CA administrator and certificate manager security permissions for a CA
-
Open the Certification Authority snap-in.
-
In the console tree, click the name of the CA.
-
On the Action menu, click Properties.
-
Click the Security tab, and specify the security permissions.
Roles and activities
Each CA role has a specific list of CA administration tasks
associated with it. The following table lists all the CA administration
tasks along with the roles in which they are performed.
| Activity | CA administrator | Certificate manager | Auditor | Backup operator | Local administrator | Notes |
|---|---|---|---|---|---|---|
|
Install CAs |
|
|
|
|
X |
|
|
Configure policy and exit modules |
X |
|
|
|
|
|
|
Stop and start the Active Directory Certificate Services (AD CS) service |
X |
|
|
|
|
|
|
Configure extensions |
X |
|
|
|
|
|
|
Configure roles |
X |
|
|
|
|
|
|
Renew CA keys |
|
|
|
|
X |
|
|
Define key recovery agents |
X |
|
|
|
|
|
|
Configure certificate manager restrictions |
X |
|
|
|
|
|
|
Delete a single row in the CA database |
X |
|
|
|
|
|
|
Delete multiple rows in the CA database (bulk deletion) |
X |
X |
|
|
|
The user must be both a CA administrator and a
certificate manager. This activity cannot be performed when role
separation is enforced. |
|
Enable role separation |
|
|
|
|
X |
|
|
Issue and approve certificates |
|
X |
|
|
|
|
|
Deny certificates |
|
X |
|
|
|
|
|
Revoke certificates |
|
X |
|
|
|
|
|
Reactivate certificates that are placed on hold |
|
X |
|
|
|
|
|
Renew certificates |
|
X |
|
|
|
|
|
Enable, publish, or configure certificate revocation list (CRL) schedules |
X |
|
|
|
|
|
|
Recover archived keys |
|
X |
|
|
|
Only a certificate manager can retrieve the encrypted
key data structure from the CA database. The private key of a valid key
recovery agent is required to decrypt the key data structure and
generate a PKCS #12 file. |
|
Configure audit parameters |
|
|
X |
|
|
By default, the local administrator holds the system audit user right. |
|
Audit logs |
|
|
X |
|
|
By default, the local administrator holds the system audit user right. |
|
Back up the system |
|
|
|
X |
|
By default, the local administrator holds the system backup user right. |
|
Restore the system |
|
|
|
X |
|
By default, the local administrator holds the system backup user right. |
|
Read the CA database |
X |
X |
X |
X |
|
By default, the local administrator holds the system audit and system backup user rights. |
|
Read CA configuration information |
X |
X |
X |
X |
|
By default, the local administrator holds the system audit and system backup user rights. |
Additional considerations
-
Enrollees are allowed to read CA properties and CRLs, and can request
certificates. On an enterprise CA, a user must have Read and Enroll
permissions on the certificate template to request a certificate. CA
administrators, certificate managers, auditors, and backup operators
have implicit Read permissions.
-
An auditor holds the system audit user right.
-
A backup operator holds the system backup user right.
In addition, the backup operator has the ability to start and stop the
Active Directory Certificate Services (AD CS) service.
Assigning roles
The CA administrator for a CA assigns users to the separate
roles of role-based administration by applying the security settings
required by a role to the user's account. The CA administrator can
assign a user to more than one role, but the CA is more secure when each
user is assigned to only one role. When this delegation strategy is
used, fewer CA tasks can be compromised if a user's account becomes
compromised.
Administrator concerns
The default installation setting for a stand-alone CA is to
have members of the local Administrators group as CA administrators. The
default installation setting for an enterprise CA is to have members of
the local Administrators, Enterprise Admins, and Domain Admins groups
as CA administrators. To limit the power of any of these accounts, they
should be removed from the CA administrator and certificate manager
roles when all CA roles are assigned.
As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not individual user accounts.
As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not individual user accounts.
|
Note |
|---|
| Membership in the local Administrators group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles. |
No comments:
Post a Comment