
Guide to AD CS Policies and Enforcement

Key Points
  • Learn how to use AD CS for your domain by installing the PKI and creating policies for certificate enrollment
  • Avoid misconfigured certificates and misuse of AD CS policies by understanding what enrollment policies to use
  • See what security advantages are gained and other ways you can optimize your network security

What is AD CS Used For?

Active Directory Certificate Services (AD CS) is a Windows Server role used for issuing and managing X.509 digital certificates. It gives Active Directory clients the infrastructure to build and operate an on-premises Public Key Infrastructure (PKI). Once established, the PKI can issue certificates for a range of use cases, including client authentication, server authentication, document signing, code signing, and more.

The key features AD CS provides for certificate management are:

  • Certification Authorities: A CA is the entity trusted to issue and manage certificates for users, devices, and services. A CA hierarchy consists of a root CA and, optionally, one or more tiers of subordinate (intermediate) CAs. Root and subordinate CAs issue certificates and manage their validity, including revocation.
  • Web Enrollment: Web Enrollment lets users and devices request a certificate through an interactive web page served by the CA over HTTP (which should be published over HTTPS). The pages support certificate requests and renewals, retrieval of certificate revocation lists (CRLs), and download of the CA certificate.
  • Online Responder: The Online Responder complements CRLs by implementing the Online Certificate Status Protocol (OCSP), which lets a relying party check the revocation status of a single certificate (for example, the client certificate presented during 802.1X authentication) instead of downloading the whole CRL. On receiving a status request, the Online Responder decodes it, looks up the status of the requested certificate, and returns a signed response with that status.
  • Network Device Enrollment Service: The Network Device Enrollment Service (NDES) issues certificates to routers and other network devices that do not have AD domain accounts. Based on the Simple Certificate Enrollment Protocol (SCEP), NDES is used by network administrators for certificate management tasks such as CA certificate distribution, certificate enrollment, and status queries.
  • TPM Key Attestation: Trusted Platform Module (TPM) Key Attestation gives the CA cryptographic proof that the requester's private key was generated in, and is protected by, a TPM on the requesting device. Because a TPM-bound key cannot be exported, a certificate issued under attestation is tied to that hardware and cannot be copied to an unauthorized device. The CA can enforce this by accepting only attestation signed by TPM endorsement keys it trusts.
  • Certificate Enrollment Policy Web Service: The Certificate Enrollment Policy Web Service lets users and devices retrieve certificate enrollment policy information from Active Directory, such as the available certificate templates and the mandatory and optional attributes for each template. It is especially useful for building certificate requests on clients that are not connected to the organization's network.
  • Certificate Enrollment Web Service: The Certificate Enrollment Web Service, together with the Certificate Enrollment Policy Web Service, lets users and devices that are not members of the domain, or not on the internal network, enroll for a certificate. It brokers communication between the client and the CA over HTTPS.

Applications & Use Cases Supported by AD CS

Applications supported by AD CS include the following.

  1. Secure/Multipurpose Internet Mail Extensions (S/MIME) for sending digitally signed and encrypted messages.
  2. Secure wireless or Wi-Fi networks
  3. Virtual private network (VPN)
  4. Internet Protocol security (IPsec)
  5. Encrypting File System (EFS)
  6. Smart card sign-in
  7. Secure Sockets Layer/Transport Layer Security (SSL/TLS)
  8. Digital signatures.

Installing Active Directory Certificate Services (AD CS)

  1. To start, log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.
  2. In Server Manager, click Manage, then Add Roles and Features. The Add Roles and Features Wizard opens.
  3. In Before You Begin, click Next.
  4. In Select Installation Type, ensure that Role-based or feature-based installation is selected, and then click Next.
  5. In Select destination server, ensure that Select a server from the server pool is selected. In the Server Pool, ensure that the local computer is selected. Click Next.
  6. In Select Server Roles, in Roles, select Active Directory Certificate Services. When prompted to add required features, click Add Features and then click Next.
  7. In Select Features, click Next.
  8. In Active Directory Certificate Services, read the provided information, and then click Next.
  9. In Confirm installation selections, click Install. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. Click Next.
  10. In Role Services, select Certification Authority, and then click Next.
  11. On the Setup Type page, verify that Enterprise CA is selected, and then click Next.
  12. On the Specify the type of the CA page, verify that Root CA is selected, and then click Next.
  13. On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next.
  14. On the Cryptography for CA page, keep the default cryptographic provider (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA256), and choose the key length for your deployment. Longer keys give stronger protection but cost more CPU per signature and may not be compatible with legacy applications. The default of 2048 bits is the minimum you should accept; 4096 bits is common for a root CA whose key must stay trustworthy for years. Click Next.
  15. On the CA Name page, keep the suggested common name for the CA or change it to fit your naming convention. Choose carefully: the CA name cannot be changed after AD CS is configured. Click Next.
  16. On the Validity Period page, type the number and select a time unit (Years, Months, Weeks, or Days). The default of five years is a reasonable starting point; the CA certificate must be renewed before it expires, and the CA cannot issue certificates that outlive it. Click Next.
  17. On the CA Database page, in Specify the database locations, specify the folders for the certificate database and the certificate database log. If you choose locations other than the defaults, secure the folders with access control lists (ACLs) that prevent unauthorized users or computers from reading the CA database and log files. Click Next.
  18. In Confirmation, click Configure to apply your selections, and then click Close.
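The same deployment can be scripted with the ADCSDeployment module that ships with the role, which is how you would build a reproducible CA rather than clicking through the wizard. The following is an added example, not part of the original article; the CA name, database and log paths, and key size are assumptions to replace with your own values, and the ACL step implements the recommendation in step 17 for non-default folders.

```powershell
# Added example: unattended equivalent of the wizard steps above.
# Run elevated as a member of Enterprise Admins on the server that will host the CA.
#Requires -RunAsAdministrator

$caName = 'CORP-ROOT-CA'    # assumed CA common name; it cannot be changed after configuration
$dbDir  = 'D:\CertDB'       # assumed non-default database folder
$logDir = 'D:\CertLog'      # assumed non-default log folder

# 1. Install the Certification Authority role service plus the management tools
#    (certsrv.msc, certutil, and the ADCSAdministration PowerShell module).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Lock down non-default database/log folders before the CA writes to them:
#    drop inherited ACEs and grant only SYSTEM and Administrators full control.
foreach ($dir in $dbDir, $logDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
}

# 3. Configure an Enterprise root CA with the wizard's defaults made explicit:
#    software KSP, RSA 2048, SHA-256, five-year CA certificate. -Force skips the prompt.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -DatabaseDirectory $dbDir `
    -LogDirectory $logDir `
    -Force

# 4. Verify: the service is running and the CA certificate matches what was requested.
Get-Service CertSvc | Select-Object Status, Name
certutil -cainfo name
$cerPath = Join-Path $env:TEMP "$caName.cer"
certutil -ca.cert $cerPath | Out-Null
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$caCert | Select-Object Subject, NotBefore, NotAfter,
    @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }
```

One caveat before running this in production: the wizard path above builds a single online Enterprise root CA, which is fine for a lab. Production PKIs normally use a two-tier design (an offline standalone root with a long-lived, larger key, and an online Enterprise subordinate CA that issues end-entity certificates), so that a compromise of the issuing CA does not force you to replace the trust anchor on every client.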


What are AD CS Policies?

AD CS policies, or Active Directory Certificate Services policies, are rules and configurations that govern the issuance, management, and usage of digital certificates within an Active Directory environment. These policies define the security measures and constraints applied to certificates, ensuring digital communication and transactions’ confidentiality, integrity, and authenticity. These policies are crucial in enforcing an organization’s PKI (Public Key Infrastructure) security.

AD CS policies determine the certificate templates available for issuance and the specific settings associated with each template. These templates outline the properties and constraints for different types of certificates, such as user, computer, or web server certificates.

Types of AD CS Policies 

Validity Period Policy

This policy determines the period a certificate remains valid before expiration. It helps enforce security by ensuring credentials automatically expire after a specific time, reducing the chances of unauthorized usage.

Certificate Request Handling Policy

This policy is about how certificate requests are processed and authorized. It specifies the requirements for certificate approval, such as validation methods, authentication procedures, and authorization rules. This policy safeguards the issuance process, preventing unauthorized or fraudulent certificates.

Certificate Revocation Policy

This policy determines how certificates that have been compromised or are no longer trusted are revoked and removed from circulation. It outlines the procedures for revoking and updating certificate revocation lists (CRLs) or using alternative mechanisms like Online Certificate Status Protocol (OCSP) for real-time revocation checking.

Certificate Enrollment Policy

This policy governs the rules and requirements for certificate enrollment, specifying the information and authentication needed to request a certificate. This policy ensures that certificates are only issued to authorized individuals or devices, maintaining the integrity of the certificate-based security infrastructure.

Practical Advantages of Enforcing AD CS Policies

Enforcing AD CS policies can offer several practical advantages, including the following:

  • Enhanced security
  • Simplified certificate management
  • Compliance with industry standards
  • Increased trust and interoperability
  • Centralization
  • Cost savings

Enhanced Security

AD CS policies help implement strong security measures by ensuring certificates are issued only to trusted entities. This prevents unauthorized access and reduces the risk of data breaches, identity theft, and fraud.

Simplified Certificate Management

AD CS policies streamline the process of managing certificates within an organization. They allow administrators to define rules and settings for different types of certificates, making it easier to issue, renew, and revoke certificates as needed. This simplifies the overall certificate management process and reduces the burden on IT teams.

Compliance with Industry Standards

Many industries, such as healthcare, finance, and government, have specific regulatory requirements regarding using certificates. Enforcing AD CS policies helps organizations comply with these industry standards by ensuring that certificates are issued and managed according to the required guidelines.

Increased Trust and Interoperability

Adhering to AD CS policies ensures that other entities and applications trust certificates issued by an organization. This enhances trust and interoperability with external systems, enabling secure communication and data exchange.

Centralization and Standardization

AD CS policies allow for centralized certificate management, eliminating the need for individual applications or departments to manage their credentials. This centralization helps maintain a standard and consistent approach to certificate management across the organization, increasing efficiency and reducing the risk of misconfiguration.

Cost Savings

Enforcing AD CS policies can help organizations save costs associated with certificate management. This includes reducing the risk of certificate-related incidents that result in financial losses, avoiding fines for non-compliance, and minimizing the time spent on manual certificate management tasks.

Different Ways to Enforce AD CS Policies

Different methods can be used to enforce AD CS policies, with the main ones being certificate templates, certificate revocation lists (CRLs), and additional methods as listed below:

Certificate Templates

  • Certificate templates set rules for issuing certificates
  • Templates control the content, validity period, key usage, and other properties of certificates
  • Customization of templates allows organizations to meet their specific requirements
  • Various templates cater to different purposes (user, computer, email certificates, etc.)
  • Enforcing templates ensures consistent and standardized certificate issuance
  • Increases security and compliance within the organization 

Certificate Revocation Lists (CRLs)

  • CRLs are lists of revoked or invalid certificates
  • Published by the CA
  • Made available to systems that use the CA’s certificates for validation
  • Client systems consult CRLs to check certificate validity
  • Regularly updated and distributed to ensure up-to-date revocation information
  • Clients can manually download and update CRLs or retrieve them from a distribution point  
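A revocation is only effective once relying parties can see it, so the operational sequence is revoke, publish a fresh CRL (and delta CRL if configured), confirm the distribution points are reachable, and then verify from the client side. The following is an added example, not part of the original article; the serial number and the certificate file path are assumptions.

```powershell
# Added example: revoke a certificate on the CA and confirm the revocation is visible.
# Run on the CA (or with the CA management tools and appropriate permissions).
Import-Module ADCSAdministration

$serial  = '1a00000002f3c9d4e5a6b7c8d9000000000002'   # assumed serial number of the compromised cert
$cerPath = 'C:\temp\revoked-client.cer'                # assumed copy of the same certificate

# Look the certificate up in the CA database first so you revoke the right record.
certutil -view -restrict "SerialNumber=$serial" -out 'RequestID,RequesterName,NotAfter,Disposition'

# Revoke with reason 1 = KeyCompromise. Other codes: 0 Unspecified, 2 CACompromise,
# 3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation, 6 CertificateHold (reversible).
certutil -revoke $serial 1

# Publish new base and delta CRLs now rather than waiting for the scheduled interval.
certutil -CRL

# Every CDP that is written into issued certificates must be reachable by relying
# parties; an unreachable HTTP or LDAP URL leaves clients unable to learn of the revocation.
Get-CACrlDistributionPoint |
    Where-Object { $_.AddToCertificateCdp } |
    Select-Object Uri

# Client-side check: clear any cached pre-revocation CRL, then let certutil follow the
# CDP/OCSP URLs embedded in the certificate. The output should report the certificate as REVOKED.
certutil -urlcache crl delete | Out-Null
certutil -verify -urlfetch $cerPath
```

If the last command still reports the certificate as valid, the usual causes are a CDP the client cannot reach, a delta CRL that has not yet been published, or an Online Responder that has not refreshed its copy of the CRL; check each before assuming the revocation failed.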

Certificate Enrollment Policies

  • Specify CA for certificate enrollment
  • Specify the template to be applied for certificate enrollment
  • Define allowed certificate usage
  • Enforce enrollment policies to ensure certificates are issued only from specific CAs and templates
  • Maintain control over the certificate issuance process

Certificate Trust Lists (CTLs)

  • CTLs are lists of trusted CAs used for certificate validation. 
  • Administrators use CTLs to control the CAs that can validate certificates. 
  • CTLs enable organizations to enforce policies for trusted CA usage

Configuring and Creating AD CS Policies for Network Security

With a step-by-step approach, creating AD CS policies can be simplified and easily implemented. In this section, we will guide you through the process, ensuring you clearly understand each step involved.

Step 1. Open the Certification Authority console (certsrv.msc) on the CA server, either from Administrative Tools or by running certsrv.msc.

Step 2. Expand the CA node, right-click Certificate Templates, and choose Manage. The Certificate Templates console opens.

Step 3. The Certificate Templates console lists the built-in templates. Built-in templates cannot be edited, so right-click the one closest to your use case (for example User, Computer, or Workstation Authentication) and select Duplicate Template. The copy is the object you will customize.

Step 4. Configure the duplicate: give it a descriptive name on the General tab, set the validity and renewal periods, and set key usage and Application Policies (extended key usage) so the certificate can do only what the use case requires. On the Subject Name tab, keep "Build from this Active Directory information" unless the requester genuinely has to supply the subject; if you do allow the requester to supply the subject, require CA certificate manager approval on the Issuance Requirements tab so an enrollee cannot mint a certificate for someone else's identity. On the Security tab, grant Enroll (and Autoenroll, if wanted) only to the groups that should receive this certificate, and do not leave Enroll on broad groups such as Domain Users or Authenticated Users unless that is intended.

Step 5. Return to the CA console, right-click Certificate Templates, and select New -> Certificate Template to Issue.

Step 6. In the Enable Certificate Templates dialog box, select the template you just configured and click OK. A CA can only issue from templates in this list, so this is where issuance is actually enabled. If the new template does not appear yet, wait for Active Directory replication and try again.

Step 7. The policy is now in force. Test it by requesting a certificate using the new template from an account in the Enroll group (via the Certificates MMC snap-in or Get-Certificate), and confirm that an account without Enroll permission is refused.
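Steps 5 through 7 have a direct PowerShell equivalent in the ADCSAdministration and PKI modules, which is useful for repeating the procedure across several CAs or for confirming that a template really is being issued. The following is an added example, not part of the original article; the template name is an assumption standing in for the duplicate you created in the Certificate Templates console. Note that these cmdlets take the template's name (the CN without spaces), not its display name.

```powershell
# Added example: publish a duplicated template to the CA and test-enroll against it.
Import-Module ADCSAdministration

$templateName = 'CORP-Workstation-Auth'   # assumed template name (CN) created in certtmpl.msc

# Steps 5 and 6: "Certificate Template to Issue" is Add-CATemplate on the CA.
if (-not (Get-CATemplate | Where-Object Name -eq $templateName)) {
    Add-CATemplate -Name $templateName -Force
}

# The CA can only issue from templates in this list, so it is the effective
# enforcement point for "which certificates may this CA issue".
Get-CATemplate | Format-Table Name, Oid

# Step 7: request a certificate from the template into the local machine store.
# Get-Certificate uses the enrollment policy a domain member already gets from AD,
# so the request is evaluated against the template's Enroll permissions and settings.
$result = Get-Certificate -Template $templateName -CertStoreLocation Cert:\LocalMachine\My
$result.Status   # 'Issued' on success; 'Pending' if the template requires CA manager approval

if ($result.Status -eq 'Issued') {
    $result.Certificate |
        Format-List Subject, Issuer, NotAfter, EnhancedKeyUsageList
}

# To stop issuing from a template, remove it from the CA. Certificates already issued
# remain valid until they expire or are revoked.
# Remove-CATemplate -Name $templateName -Force
```

Run the same request from an account that is not in the template's Enroll group; it should fail with an access-denied error from the CA, which is the negative test that proves the Security tab settings are doing their job.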

Best Practices for Creating AD CS Policies

Creating policies in Active Directory Certificate Services (AD CS) can be complicated. The effectiveness of the policy enforcement is dependent on following certain best practices that help ensure clarity, consistency, and ease of certificate management.

Naming Conventions

Active Directory objects require unique names, and naming conventions help in naming them in effective ways as they provide guidelines on using abbreviations and acronyms. Naming conventions are also useful for their recommendations on ways to stay away from using language-specific names. Some of the best practices recommended for defining naming conventions are:

  • Use descriptive names
  • Consistency across policies
  • Use standard prefixes or suffixes
  • Avoid special characters and spaces

Documentation

Documentation created for AD CS policies should be clear and concise. Some of the best practices that can help improve documentation are:

  • Document policy purpose and scope
  • List all settings and configurations
  • Document policy dependencies
  • Include deployment instructions
  • Regularly review and update documentation

Additional Best Practices

Additionally, following these best practices can help strengthen the implementation of AD CS policies.

  • Segregate policies by purpose
  • Custom policy templates
  • Regular auditing and monitoring

Challenges With AD CS Policies Enforcement

As mentioned in the section about AD CS, it provides a foundation for building an on-premise PKI for certificate-based authentication. However, as with any on-premise server, AD CS is expensive due to its heavy dependency on physical servers and the expertise of highly skilled professionals in designing and managing these on-premise servers.

Here are some of the challenges that organizations face in AD CS policy enforcement:

Expensive Infrastructure

  1. The infrastructure cost for AD CS is very high, both for the initial setup and maintenance. The hardware, licensing, and installation costs are also higher.
  2. The facilities that need to be built to store these servers are expensive. On-premise facilities also require high-level security, both manpower and technology, throughout the year and are susceptible to physical theft, vandalism, and natural calamities.
  3. Maintenance is often on-site, so it requires experts to fly down to locations to fix any issues with the physical server and may need to travel to and from the location if it doesn’t work properly. This makes it very expensive to maintain each server location compared to Managed PKI solutions for cloud-based services such as SecureW2.

Challenges with Scalability and Compliance

  1. Large organizations with several locations may require multiple facilities that are expensive.
  2. Building the facility and procuring the hardware is time-consuming, slowing the process down, and inefficient from a scalability standpoint.
  3. The AD CS policies must comply with regulations and standards. Inadequate auditing and documentation may lead to compliance issues and penalties.

Personnel

  1. Setting up AD CS with an on-premises PKI requires a team of cryptography and server experts, who are in high demand and scarce in the market.
  2. It requires teams of experts for maintenance, making it a solution that is heavily dependent on Human Resources to run smoothly.

Challenges With Setting Up AD CS and Certificate Lifecycle Management

  1. Misconfigurations or inadequate deployment can cause certificate issues or validation failures.
  2. Older systems or applications can cause problems when integrating these systems and may need different setups or custom solutions.
  3. Organizations must establish efficient processes and maintain up-to-date revocation lists.
  4. Administrators’ inconsistent application of policies can lead to security risks. Regular auditing and monitoring are crucial for policy enforcement.
  5. Tracking expiration, renewals, and replacement certificates can be a significant administrative burden.

Effective AD CS policy enforcement is crucial for maintaining a secure and reliable communication infrastructure. One critical aspect is strong authentication and authorization of certificate requesters, through tightly scoped Enroll permissions and CA manager approval where the requester supplies the subject, so that unauthorized individuals cannot obtain certificates that grant access to sensitive information. Additionally, timely certificate revocation is essential to terminate certificates that may have been compromised or are no longer valid.

SecureW2 Managed PKI Solutions for Certificate Lifecycle Management

Public Key Infrastructure for network security and authentication is becoming more prevalent because of its high level of security. However, an on-premises PKI is complicated and very expensive to set up and maintain. Building and maintaining your own PKI through AD CS is time-consuming, difficult, and requires a lot of expertise.

Done well, AD CS is really expensive. It can be run at a lower cost, but that compromises security, because such deployments are typically built without HSMs and other protective measures.

Moreover, in the modern environment where everything is cloud-based, on-prem PKI becomes challenging to integrate with cloud services because of the complexity of infrastructure.

SecureW2 solutions allow you to deploy a feature-rich PKI solution at one-third of the cost of AD CS with better visibility over which certificates are equipped to which devices and users. Our team has the prerequisite PKI expertise needed and is available to address any issues you may face. Our Cloud RADIUS helps you enable passwordless authentication with seamless integration with all major cloud vendors and automates the entire certificate lifecycle management from onboarding to revocation.

Unlock the Power of Cloud Security with SecureW2

AD CS, in theory, is simple in that it manages certificates. However, it is a complicated piece of technology considering the complex infrastructure possibilities involved with getting to the point where it manages the certificates efficiently, effectively, and with absolute accuracy. The need for an on-premise PKI solution makes it also very expensive. Especially with the advancement of cloud and PKI technology, AD CS, in comparison, is fairly outdated and expensive from both an infrastructure and manpower perspective. 

SecureW2 is a comprehensive solution that integrates seamlessly with popular platforms like Active Directory and Azure. It leverages the benefits of the cloud, including scalability, flexibility, and cost-effectiveness. With SecureW2, organizations can quickly scale their identity and access management without significant infrastructure investments. The solution also allows employees to securely access resources from anywhere, enhancing productivity for mobile workforces. SecureW2 provides expert support for transitioning to the cloud and seamlessly integrates with Intune for device management. Its unique auto-revocation feature ensures the highest level of security by automatically revoking access in certain conditions.

By reaching out to SecureW2 today, organizations can use their comprehensive solution to address their identity and access management needs. Whether leveraging the benefits of the cloud, simplifying device management, or ensuring the highest level of security, SecureW2 provides the tools and support necessary to secure your organization efficiently.

Learn about this author

Amanda Tucker

Amanda is a copywriter from the beautiful (and oftentimes wild) state of Minnesota. Her passion for learning new things is demonstrated by a diverse writing portfolio and paralegal studies degree. When she's not writing for work, you can usually find her going down random research rabbit holes, playing tabletop RPGs, or listening to cybersecurity podcasts like Risky Business.
