Windows Server 2003 PKI and Role-Based Administration
Applies To: Windows Server 2003 with SP1
Windows Server 2003 CA role-based administration changes CA administration significantly from Windows 2000 Server. Windows 2000 Server administrators can perform any activity on a Windows 2000 Server CA, but once CA roles are assigned on a Windows Server 2003 CA, its administrators are subject to those roles: administrators who could perform all tasks on a Windows 2000 Server CA will only be able to perform the tasks associated with their role on the Windows Server 2003 CA. After upgrading a Windows 2000 Server CA to Windows Server 2003, its administrators must therefore be assigned to the roles defined by role-based administration for the Windows Server 2003 CA.
Windows Server 2003 was designed to provide organizations with role-based administration of a public key infrastructure. Windows Server 2003 certification authorities were also designed to meet the role definitions in version 1.0 of the Certificate Issuing and Management Components Family of Protection Profiles, found at https://go.microsoft.com/fwlink/?LinkId=59668.
Role-based administration can be used to organize CA administrators into separate, predefined task-based roles, each with its own set of tasks. A role is assigned to a user by granting that user the specific security settings associated with the role. A user who has one type of permission, such as the Manage CA permission, may perform specific CA tasks that a user with another type of permission, such as the Issue and Manage Certificates permission, may not perform. Role-based administration is supported by both Windows Server 2003 enterprise and stand-alone certification authorities.
Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you assign the role's corresponding security permissions, group memberships, or user rights to that user or group; these security permissions, group memberships, and user rights are what distinguish which users hold which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.
| Roles and Groups | Security Permission | Description |
|---|---|---|
| CA Administrator | Manage CA permission | Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. This is a separate role from the local Administrator role. |
| Certificate Manager | Issue and Manage Certificates permission | Approve certificate enrollment and revocation requests. This is a CA Officer role. |
| Backup Operator | Back up files and directories and Restore files and directories permissions | Perform system backup and recovery. This is an operating system role. |
| Auditor | Manage auditing and security log permissions | Configure, view, and maintain audit logs. This is an operating system role. |
| Enrollees | Authenticated Users | Enrollees are clients who are authorized to request certificates from the CA. This is not a CA role for the purposes of administration. |
| Read | All (except Enrollees) | Allows an entity to read records from the database. |
With the default installation, all CA roles are assigned and modified by local Administrators on the computer, Enterprise Admins and Domain Admins (if joined to a domain). Local Administrators, Enterprise Admins and Domain Admins are CA Administrators by default on an Enterprise CA. Only local Administrators are CA Administrators by default on a stand-alone CA. If the stand-alone CA is joined to an Active Directory domain, Domain Admins are also CA Administrators.
The CA Administrator and Certificate Manager roles can be assigned to either Active Directory users or local users in the local Security Accounts Manager (SAM) database. As a best practice, it is recommended to assign roles to group accounts instead of individual user accounts. Only CA Administrator, Certificate Manager (as Officer in the CIMC), Auditor (as Auditor in the CIMC), and Backup Operator (as Operator in the CIMC) are CA roles. The other users described in the preceding table are relevant to role-based administration and should be understood before assigning CA roles.
Only CA Administrators and Certificate Managers are assigned using the Certification Authority Microsoft Management Console (MMC) snap-in. Other roles, users, and groups are specified in their related consoles. To change the roles of a user, you must change the user's security permissions, group membership, or user rights.
When key archival is configured on an enterprise CA running Windows Server 2003 Enterprise Edition, the subject obtaining a certificate from a CA will provide their private key to the CA. The CA stores that private key in its database until key recovery is desired. Only a Certificate Manager can get the encrypted private key blob out of the CA database, which is then passed on to key recovery agents (KRAs). For more information, see the Key Archival and Management in Windows Server 2003 white paper.
Roles and Activities
Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed. One of the most important distinctions is between the local Administrator and the CA Administrator role. The local Administrator is a local operating system privilege, which may be required to perform some tasks associated with operating the CA. The CA Administrator role applies only to specific tasks within the functionality of the CA. The local Administrator always has full control of the system, including the CA, and cannot be blocked from taking control of the CA. It is therefore very important to keep this fact in mind when assigning operational and delegated roles to the CA for management purposes.
| Activity | CA Administrator | Certificate Manager | Auditor | Backup Operator | Local Administrator | Notes |
|---|---|---|---|---|---|---|
| Install CA |  |  |  |  | X |  |
| Configure policy and exit module | X |  |  |  |  |  |
| Stop and start the Certificate Services service | X |  |  | X (only stop) |  |  |
| Configure extensions | X |  |  |  |  |  |
| Configure roles | X |  |  |  |  |  |
| Renew CA keys and certificates |  |  |  |  | X |  |
| Define key recovery agents | X |  |  |  |  |  |
| Configure Certificate Managers restrictions | X |  |  |  |  |  |
| Delete single row in database | X |  |  |  |  |  |
| Delete multiple rows in database (bulk deletion) |  |  |  |  | X |  |
| Enable role separation |  |  |  |  | X |  |
| Issue and approve certificates |  | X |  |  |  |  |
| Deny certificates |  | X |  |  |  |  |
| Revoke certificates |  | X |  |  |  |  |
| Reactivate certificates placed on hold |  | X |  |  |  |  |
| Enable, publish, or configure CRL schedule | X |  |  |  |  |  |
| Recover archived key |  | X |  |  |  | Only a Certificate Manager can retrieve the encrypted key data structure from the database. The private key of a valid Key Recovery Agent is required to decrypt the key data structure and generate a PKCS#12 file. |
| Configure audit parameters |  |  | X |  |  | By default, the local Administrator holds the system audit privilege. |
| Audit logs |  |  | X |  |  | By default, the local Administrator holds the system audit privilege. |
| Back up system |  |  |  | X |  | By default, the local Administrator holds the system backup privilege. |
| Restore system |  |  |  | X |  | By default, the local Administrator holds the system restore (backup) privilege. |
| Read CA database | X | X | X | X | X | By default, the local Administrator holds the system audit and backup privileges. |
| Read CA configuration information | X | X | X | X | X | By default, the local Administrator holds the system audit and backup privileges. |
Note
By default, enrollees are allowed to read CA properties and certificate revocation lists (CRLs), and can request certificates. On an Enterprise CA, a user must also have Read and Enroll permissions on the certificate template to request a certificate. CA Administrators, Certificate Managers, the Auditor, and Backup Operators have implicit Read privileges on the CA.
An Auditor is based on a user that holds the system audit privilege. By default, the local Administrator on each machine always holds the system audit privilege. If role separation is enabled, a separate user must be configured to hold the system audit privilege.
A Backup Operator is based on a user that holds the system backup privilege. In addition, the Backup Operator has the ability to stop the Certificate Services service (but not start it).
As many or as few roles as needed may be configured and used. It is not necessary to define all roles if only one specific role is assigned to a security group.
Bulk deletion requires both the CA Administrator and Certificate Manager roles, so any user who holds both roles can perform bulk deletion. If role separation is enabled, this feature is not available. Issuing failed requests likewise requires both CA Administrator and Certificate Manager permissions, and is not available if role separation is enabled.
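The Auditor role is only useful if the CA actually records the events the Auditor is expected to review, in particular changes to CA security settings (role assignments) and service stops and starts. The following PowerShell script is an added example, not part of the original article or of any Microsoft tool; it checks the Certificate Services audit filter and the local "Audit object access" policy on a Windows Server 2003 CA and can enable all seven audit categories. It assumes that the filter is the `AuditFilter` DWORD under the CA's registry key (the value that `certutil -getreg CA\AuditFilter` and `certutil -setreg CA\AuditFilter` operate on), that the bit meanings are the seven categories listed in the Certificate Services auditing documentation, and that `secedit /export` produces an `AuditObjectAccess` line in its `[Event Audit]` section; verify these on your own system.

```powershell
# Added example, not from the original article: check (and optionally set) the
# Certificate Services audit filter so that the Auditor role has a record of
# who changed CA security settings and roles.
#
# Assumptions (verify before relying on them):
#  - The filter is the DWORD 'AuditFilter' under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>, the
#    value read/written by 'certutil -getreg CA\AuditFilter' and
#    'certutil -setreg CA\AuditFilter <n>'; the CA name is the 'Active' value
#    one level up.
#  - Bit meanings per the Certificate Services auditing documentation:
#    1 back up/restore database, 2 change CA configuration, 4 change CA security
#    settings, 8 issue and manage requests, 16 revoke/publish CRLs,
#    32 store/retrieve archived keys, 64 start/stop the service.
#  - CA audit events reach the Security log only when the local
#    'Audit object access' policy is on; it is read here via 'secedit /export'
#    ([Event Audit] AuditObjectAccess: 1 success, 2 failure, 3 both).
#  - A changed AuditFilter takes effect after Certificate Services is restarted,
#    which per the roles table is a CA Administrator task, not an Auditor task.

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

$AuditCategories = @(
    @{ Bit = 1;  Name = 'Back up and restore the CA database' },
    @{ Bit = 2;  Name = 'Change CA configuration' },
    @{ Bit = 4;  Name = 'Change CA security settings (role assignments)' },
    @{ Bit = 8;  Name = 'Issue and manage certificate requests' },
    @{ Bit = 16; Name = 'Revoke certificates and publish CRLs' },
    @{ Bit = 32; Name = 'Store and retrieve archived keys' },
    @{ Bit = 64; Name = 'Start and stop Certificate Services' }
)

function ConvertFrom-AuditFilter([int]$Filter) {
    # Returns the names of the categories NOT covered by the given filter value.
    $missing = @()
    foreach ($c in $AuditCategories) {
        if (($Filter -band $c.Bit) -eq 0) { $missing += $c.Name }
    }
    $missing
}

function Get-CaAuditFilter {
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $caKey  = Join-Path $ConfigKey $caName
    $v = (Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
    if ($v -eq $null) { 0 } else { [int]$v }   # absent value: nothing is audited
}

function Get-ObjectAccessAuditPolicy {
    # Exports the local security policy and returns the AuditObjectAccess setting (0..3).
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -match '^\s*AuditObjectAccess\s*=' } | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if ($line -and ($line -match '=\s*(\d+)')) { [int]$Matches[1] } else { 0 }
}

function Test-CaAuditConfiguration {
    # Returns one finding string per gap; an empty result means auditing is complete.
    $findings = @()
    $filter = Get-CaAuditFilter
    foreach ($name in ConvertFrom-AuditFilter $filter) {
        $findings += "Not audited: $name (AuditFilter = $filter)"
    }
    $policy = Get-ObjectAccessAuditPolicy
    if ($policy -ne 3) {
        $findings += "Local 'Audit object access' policy is $policy; CA events are logged only with success (1) and failure (2) auditing both on (3)."
    }
    $findings
}

function Set-CaAuditFilterAll {
    # Enables all seven categories (1+2+4+8+16+32+64 = 127) and restarts the
    # service so the new filter takes effect; returns the value read back.
    & certutil.exe -setreg CA\AuditFilter 127 | Out-Null
    & net.exe stop certsvc  | Out-Null
    & net.exe start certsvc | Out-Null
    Get-CaAuditFilter
}

Test-CaAuditConfiguration
```

Run `Test-CaAuditConfiguration` as a routine check from the Auditor's account; a non-empty result lists exactly which event categories would be missing from the Security log. `Set-CaAuditFilterAll` is the remediation, and because it restarts Certificate Services it has to be run by a CA Administrator (or someone holding both roles where role separation is not enforced), which is itself worth recording in the change log.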
Assigning Roles
The CA Administrator for a CA assigns users to the separate roles of role-based administration by giving each user the security settings required by a role. The CA Administrator can assign a user to more than one role, but the CA is more secure when each user belongs to one role only. When each CA role belongs to one user only, fewer CA tasks can be compromised if a user's account becomes compromised.
The default installation setting for a stand-alone CA is to have members of the local Administrators security group as CA Administrators. The default installation setting for an Enterprise CA is to have local Administrators, Enterprise Administrators, and Domain Administrators as CA Administrators. To limit the power of any of these accounts, they should be removed from the CA Administrator and Certificate Manager roles once all CA roles are assigned; and they should also be removed from the Administrators group on the CA computer if it is not a Domain Controller. To list the roles a current user holds with a given CA, see the sample script in Appendix A.
Best Practice
As a best practice, group accounts that have been assigned the CA Administrator or Certificate Manager role should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not to individual user accounts.
Note
Membership in the local Administrators group on the CA is required to renew the CA certificate. Members of this group are considered to be all powerful on the CA with administrative authority over all other CA roles.
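The checks this section recommends (one role per principal, default Administrators/Domain Admins/Enterprise Admins grants removed once delegated roles exist, role separation enforced) can be verified from the CA's own security descriptor. The following PowerShell script is an added example written for this page; it is not the Appendix A script the text refers to and not part of any Microsoft tool. It assumes that the CA's DACL is the REG_BINARY `Security` value under the active CA's registry key (what `certutil -getreg CA\Security` displays), that the active CA name is the `Active` value under the `CertSvc\Configuration` key, and that the access-mask bits follow `certca.h` in the Platform SDK (0x1 Manage CA, 0x2 Issue and Manage Certificates, 0x4 Auditor, 0x8 Operator, 0x100 Read, 0x200 Enroll); treat all three as assumptions to confirm on your own CA.

```powershell
# Added example, not from the original article: enumerate CA role holders on the
# local Windows Server 2003 CA and flag the assignments the article warns about.
#
# Assumptions (verify before relying on them):
#  - The active CA name is the 'Active' value under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, and the CA's
#    DACL is the REG_BINARY 'Security' value under the CA's subkey (the values
#    shown by 'certutil -getreg Active' and 'certutil -getreg CA\Security').
#  - Access-mask bits as defined in certca.h (Platform SDK):
#    0x1 Manage CA (CA Administrator), 0x2 Issue and Manage Certificates
#    (Certificate Manager), 0x4 Auditor, 0x8 Operator, 0x100 Read, 0x200 Enroll.
#  - Run on the CA computer with local Administrator rights.

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

$RoleBits = @(
    @{ Name = 'CA Administrator';    Mask = 0x1   },
    @{ Name = 'Certificate Manager'; Mask = 0x2   },
    @{ Name = 'Auditor';             Mask = 0x4   },
    @{ Name = 'Backup Operator';     Mask = 0x8   },
    @{ Name = 'Read';                Mask = 0x100 },
    @{ Name = 'Enroll';              Mask = 0x200 }
)

function Get-ActiveCaKey {
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    Join-Path $ConfigKey $caName
}

function Get-CaRoleHolders {
    # One object per access-allowed ACE: Principal, Sid, Roles (names from $RoleBits).
    $caKey   = Get-ActiveCaKey
    $sdBytes = (Get-ItemProperty -Path $caKey -Name Security).Security
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$sdBytes), 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $roles = @()
        foreach ($r in $RoleBits) {
            if (($ace.AccessMask -band $r.Mask) -ne 0) { $roles += $r.Name }
        }
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # orphaned SID, e.g. a deleted group
        New-Object PSObject -Property @{ Principal = $name; Sid = $ace.SecurityIdentifier; Roles = $roles }
    }
}

function Get-CurrentUserCaRoles {
    # Effective CA roles of the calling user, resolved through token group membership.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User) + @($id.Groups)
    $roles = @()
    foreach ($h in Get-CaRoleHolders) {
        if ($mine -contains $h.Sid) { $roles += $h.Roles }
    }
    $roles | Sort-Object -Unique
}

function Test-CaRoleAssignments {
    # Returns one finding string per issue; checks are per ACE principal, so a user
    # who reaches both roles through two different groups is not detected here.
    $caKey    = Get-ActiveCaKey
    $findings = @()
    $sep = (Get-ItemProperty -Path $caKey -Name RoleSeparationEnabled -ErrorAction SilentlyContinue).RoleSeparationEnabled
    if ($sep -ne 1) {
        $findings += 'Role separation is not enabled (certutil -setreg CA\RoleSeparationEnabled 1, then restart the service).'
    }
    foreach ($h in Get-CaRoleHolders) {
        $isAdmin = $h.Roles -contains 'CA Administrator'
        $isMgr   = $h.Roles -contains 'Certificate Manager'
        if ($isAdmin -and $isMgr) {
            $findings += "$($h.Principal) holds both CA Administrator and Certificate Manager (enables bulk deletion and issuing failed requests unless role separation is enforced)."
        }
        $builtin = $h.Sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid) -or
                   $h.Sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid) -or
                   $h.Sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid)
        if ($builtin -and ($isAdmin -or $isMgr)) {
            $findings += "$($h.Principal) still holds a CA role from the default installation; remove it once delegated roles are assigned."
        }
    }
    $findings
}

Get-CaRoleHolders | Format-Table Principal, Roles -AutoSize
Test-CaRoleAssignments
```

`Get-CurrentUserCaRoles` answers the question the text defers to Appendix A (which roles the calling user effectively holds), and `Test-CaRoleAssignments` turns the section's recommendations into repeatable findings. Keep in mind the caveat from the Roles and Activities section: a local Administrator can always re-grant any of these rights, so this check describes the delegated configuration, not an enforceable boundary against local administrators.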