Securing Certificate Services

A standalone or enterprise root CA server holds the private key of the company's root CA. Every certificate the PKI issues chains back to that key, so it is the component on which authentication of all access to PKI-secured data and entry points ultimately rests.

Physical security and data security of that server are therefore both central tasks in an administrator's role.

Locking Down Servers

Microsoft provides well-defined baseline security guidelines for locking down the operating system, IIS, and administrative access; apply them to every CA server.

Rename the local Administrator and Guest accounts, and do not use the same replacement names on every server.
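The rename described above, done so that each server gets its own name and so that the result can be verified. This is an added example, not code from the book; it assumes an elevated Windows PowerShell 5.1 session with the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later), and the `adm-`/`gst-` naming scheme is an assumption.

```powershell
# Added example, not from the book: give the built-in Administrator and Guest
# accounts host-specific names on a CA server, disable Guest, and verify the
# result by well-known RID rather than by name. Needs an elevated session and the
# Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 on Server
# 2016 or later). The 'adm-'/'gst-' naming scheme is an assumption.
#Requires -RunAsAdministrator

# Local account names are limited to 20 characters; a NetBIOS host name is at
# most 15, so a 4-character prefix keeps the derived name legal.
$hostTag      = $env:COMPUTERNAME.ToLowerInvariant()
$newAdminName = "adm-$hostTag"
$newGuestName = "gst-$hostTag"

# The built-in accounts keep their RID when renamed: 500 = Administrator,
# 501 = Guest. Find them by RID so the script is idempotent on a re-run.
function Get-BuiltinLocalUser([int]$Rid) {
    Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$Rid" }
}

$admin = Get-BuiltinLocalUser -Rid 500
$guest = Get-BuiltinLocalUser -Rid 501

if ($admin.Name -ne $newAdminName) {
    Rename-LocalUser -Name $admin.Name -NewName $newAdminName
}
if ($guest.Name -ne $newGuestName) {
    Rename-LocalUser -Name $guest.Name -NewName $newGuestName
}
# Guest has no business on a CA at all; disabling it matters more than renaming it.
Disable-LocalUser -Name $newGuestName

# Verify by RID. This is also what an attacker does (SID enumeration), which is
# why renaming is a speed bump, not a control: pair it with a strong, per-host
# Administrator password and the disabled Guest account.
500, 501 | ForEach-Object {
    $u = Get-BuiltinLocalUser -Rid $_
    [pscustomobject]@{ RID = $_; Name = $u.Name; Enabled = $u.Enabled }
} | Format-Table -AutoSize
```

The verification step is the point: because the built-in accounts are identified by RID 500 and 501 regardless of name, the rename only removes the obvious name from guesswork and brute-force lists. The password policy and the disabled Guest account carry the real weight.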

Separating Server Roles

Placing more than one role on a server makes an attacker's job easier: a single compromise then yields several roles in the company's PKI at once. Certificate Services storage and enrollment can be separated. The following list includes some of the tiers that can be placed on physically separate servers:

  • Root CA Server

  • Root Subordinates (Intermediate CA)

  • Issuing CA Server

  • Certificate Storage in Active Directory

  • IIS
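A check for the separation described above, run on a CA host: it reports which of the roles from the list are co-located with Certificate Services and which kind of CA the host is. This is an added example, not code from the book. It assumes the ServerManager module (`Get-WindowsFeature`), the standard Windows feature names, and the `CAType` value under the CertSvc registry key (0 enterprise root, 1 enterprise subordinate, 3 standalone root, 4 standalone subordinate); the list of conflicting roles and the wording of the findings are my own. The offline-root check at the end goes beyond the text: it encodes the standard practice that a root CA stays powered off except to sign subordinate certificates and CRLs.

```powershell
# Added example, not from the book: audit whether this CA host carries roles that
# belong on separate servers. Uses Get-WindowsFeature (ServerManager module) and
# the CertSvc registry configuration. The conflicting-role list is an assumption
# derived from the text; the CAType codes are the ENUM_CATYPES values.
#Requires -Modules ServerManager

function Get-CaType {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { return $null }
    # 'Active' names the CA whose subkey holds the configuration.
    $active = (Get-ItemProperty -Path $cfg -Name Active -ErrorAction SilentlyContinue).Active
    if (-not $active) { return $null }
    $type = (Get-ItemProperty -Path (Join-Path $cfg $active) -Name CAType).CAType
    switch ($type) {
        0       { 'EnterpriseRoot' }
        1       { 'EnterpriseSubordinate' }
        3       { 'StandaloneRoot' }
        4       { 'StandaloneSubordinate' }
        default { "Unknown($type)" }
    }
}

# Roles that should not share a box with any CA (assumed list, derived from the text).
$conflicting = @{
    'AD-Domain-Services'  = 'domain controller: compromising AD compromises the CA, and vice versa'
    'Web-Server'          = 'IIS: adds a web attack surface to the CA host'
    'ADCS-Web-Enrollment' = 'web enrollment: put it on a separate front end, not on the CA'
    'ADCS-Enroll-Web-Svc' = 'certificate enrollment web service: same as web enrollment'
}

function Test-CaRoleSeparation {
    $installed = Get-WindowsFeature | Where-Object { $_.Installed } |
                 Select-Object -ExpandProperty Name
    if ($installed -notcontains 'ADCS-Cert-Authority') {
        return @('Certificate Services is not installed on this host; nothing to check.')
    }

    $caType   = Get-CaType
    $findings = @()
    foreach ($role in $conflicting.Keys) {
        if ($installed -contains $role) {
            $findings += "[$caType] co-located role '$role': $($conflicting[$role])"
        }
    }

    # Standard practice (not stated in the text): a root CA is kept offline and is
    # only brought up to sign subordinate CA certificates and CRLs.
    if ($caType -like '*Root' -and (Get-Service -Name CertSvc).Status -eq 'Running') {
        $findings += "[$caType] root CA service is running; a root should be offline except when signing subordinate certificates or CRLs"
    }

    if ($findings.Count -eq 0) { $findings = @("[$caType] no conflicting roles found") }
    return $findings
}

Test-CaRoleSeparation
```

Run it on each CA in the hierarchy; an issuing CA that also reports `AD-Domain-Services` or `Web-Server` is the case the text warns about, where one compromise reaches several tiers.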

Assigning Administrative Roles

Administrators need to work with senior executives to define the roles that will be assigned to personnel within the company when it comes to managing the PKI and smartcard system.

The persons entrusted with issuing smartcards within an organization are known as enrollment agents. Enrollment agents are typically members of the help desk, IT security, or company security staff. In locations where none of these personnel is readily available, another trusted individual, such as that location's supervisor or manager, can act as the enrollment agent.

Delegating the authority to issue smartcards has administrative as well as security benefits. Some of those benefits are listed here:

  • Administrators can delegate this time-consuming process.

  • Enrollment agents process all certificate and smartcard requests.

  • Smartcard users can be stepped through the enrollment process.

There are also some disadvantages to delegating smartcard enrollment. Here are several points to consider:

  • The trustworthiness of the enrollment agent could come into question.

  • Addressing those concerns (vetting and oversight of the agents) could require more personnel resources.

  • Remote locations might not have an available enrollment agent full-time.

  • An agent can perform only a limited number of smartcard enrollments per work day.
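Because an enrollment agent can enroll a smartcard on behalf of any user, the first disadvantage above is best handled by knowing exactly who currently holds that capability. The following is an added example, not code from the book: it queries the CA database with `certutil -view` for issued Enrollment Agent certificates and reports each agent with the number of live certificates and the latest expiry. Assumptions to confirm locally: the template name `EnrollmentAgent` (the built-in template), the `-out` column names used, that `certutil` appends its own status line after the CSV rows, and that `[datetime]` can parse the date format certutil emits for your locale.

```powershell
# Added example, not from the book: list who holds an issued, unexpired
# Enrollment Agent certificate from this CA so the delegated authority can be
# reviewed. Assumptions: template name 'EnrollmentAgent', the -out column names,
# certutil's trailing status line, and locale-parsable dates.

function Get-EnrollmentAgentHolders {
    param(
        [string]$CaConfig   # optional "CAHOST\CA Name"; omitted = the local CA
    )

    $cuArgs = @()
    if ($CaConfig) { $cuArgs += '-config', $CaConfig }
    # Disposition 20 = issued; pending, denied and revoked requests are excluded.
    $cuArgs += '-view',
               '-restrict', 'CertificateTemplate=EnrollmentAgent,Disposition=20',
               '-out', 'RequestID,RequesterName,NotAfter,SerialNumber',
               'csv'

    $lines = & certutil.exe @cuArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($lines -join ' ')" }

    # Drop blank lines and certutil's "CertUtil: -view command completed" footer,
    # skip its header line, and name the columns ourselves so the script does not
    # depend on localized display names.
    $rows = $lines | Where-Object { $_ -and $_ -notlike 'CertUtil:*' } |
            Select-Object -Skip 1 |
            ConvertFrom-Csv -Header RequestID, Requester, NotAfter, Serial

    $now = Get-Date
    $rows | ForEach-Object {
        $expires = [datetime]$_.NotAfter
        [pscustomobject]@{
            Requester = $_.Requester
            RequestID = [int]$_.RequestID
            Serial    = $_.Serial
            Expires   = $expires
            Valid     = ($expires -gt $now)
        }
    }
}

# Report: one line per agent with the number of live certificates and the latest expiry.
Get-EnrollmentAgentHolders |
    Where-Object Valid |
    Group-Object Requester |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Expires -Descending | Select-Object -First 1
        [pscustomobject]@{
            Agent        = $_.Name
            LiveCerts    = $_.Count
            LatestExpiry = $latest.Expires
            LatestSerial = $latest.Serial
        }
    } |
    Sort-Object Agent | Format-Table -AutoSize
```

Any agent who has left the role, or any location whose agent has been replaced, should have the listed serial revoked (`certutil -revoke <SerialNumber>`), since an unexpired agent certificate is the capability itself, not a record of it. On Windows Server 2008 and later enterprise CAs, the CA's Enrollment Agents property page can additionally restrict which agents may enroll which templates for which users, which narrows the blast radius of a single untrustworthy agent.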
