First published on TECHNET on Apr 26, 2015
Hallo everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account).
When building a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012 R2, we decided to go for a gMSA to be more secure and to get rid of monolithic service accounts that could be misused. Unfortunately it turned out not to be as straightforward as we expected, so we decided to write down the steps and publish them.
Why all the effort, when NDES works like a charm when installed with default settings? The answer is short and simple: security. NDES acts as a registration authority for a CA, using the Simple Certificate Enrollment Protocol (SCEP). Because of the way this protocol was designed, the CA has to fully trust NDES regarding the verification of incoming certificate requests. The result of this design is that NDES owns an extremely powerful type of certificate (Exchange Enrollment Agent (Offline request) by default) which allows it to request certificates with almost any subject from the CA. Therefore, putting as much effort as possible into securing NDES absolutely makes sense.
Be aware that the whole process of securing NDES should comprise a bunch of measures (e.g. enrolling the NDES certificates to an HSM) and that using a gMSA to run it is only one of the recommended hardening steps. Please refer to this whitepaper focusing on NDES security: http://www.microsoft.com/en-us/download/details.aspx?id=46406&WT.mc_id=Blog_Intune_General_PCIT
(Standalone) Managed Service Accounts were introduced in Windows Server 2008 R2 and are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators but limited to only one server. Group Managed Service accounts were introduced with Windows Server 2012 and provide the same functionality within the domain but also extend their availability to multiple servers.
From the security as well as the manageability perspective, gMSAs are the preferred way to configure services wherever they are supported. For more details regarding gMSAs, please refer to https://technet.microsoft.com/en-us/library/hh831782.aspx
When setting up NDES you have to decide in which security context the NDES application pool should run. From the NDES wiki (see http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-n... for more details) we learn that the NDES app pool account needs to fulfill the following requirements:
All these requirements can be fulfilled by a gMSA: we simply need to configure the SCEP app pool to run in the security context of the gMSA, perform some additional steps and that’s it. But oooops, it wasn’t so simple then…
Many of the steps below are described in more detail in the NDES wiki. We are repeating them here in a summarized way in order to provide a complete guide of all steps required. Wherever gMSA specific steps are required, we describe them in detail.
Let’s assume the following parameters for our lab environment:
1. Type the following command to create a new gMSA:
New-ADServiceAccount -name NDESgMSA -DNSHostName NDESgMSA.fabrikam.com -PrincipalsAllowedToRetrieveManagedPassword ADCSWEB02$
2. Then configure the gMSA on the NDES host machine:
a. To load the AD PowerShell RSAT feature, type: Add-WindowsFeature RSAT-AD-PowerShell
b. To install the gMSA on ADCSWEB02 type: Install-ADServiceAccount NDESgMSA
c. To verify if the gMSA has been configured properly, type: Test-ADServiceAccount NDESgMSA
Note: The answer has to be True, otherwise it does not make any sense to continue.
3. Next, add the NDESgMSA account to the IIS_IUSRS group on the NDES host machine.
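The three gMSA steps above, with the checks we run before and after them, as an added PowerShell example (this is not code from the original post). It assumes the lab names used here (NDESgMSA, fabrikam.com, ADCSWEB02) and that the NetBIOS domain name is FABRIKAM. Two things the steps above do not say out loud: New-ADServiceAccount fails if the forest has no KDS root key, and on Server 2012 R2 the local group membership has to be added with net localgroup because Add-LocalGroupMember does not exist there.

```powershell
# Added example, not from the original post. Lab names follow the post:
# gMSA NDESgMSA, domain fabrikam.com, NDES host ADCSWEB02. The NetBIOS domain
# name FABRIKAM is an assumption.

# --- Part 1: run on a domain controller (or any box with the AD module) ---
Import-Module ActiveDirectory

# A gMSA password can only be generated if the forest has a KDS root key.
# Without one, New-ADServiceAccount fails with a "key does not exist" error.
if (-not (Get-KdsRootKey)) {
    # Lab use only. Even with -EffectiveImmediately, the key only becomes
    # usable after the 10-hour replication safety window in a real forest.
    Add-KdsRootKey -EffectiveImmediately
}

$gmsaName = 'NDESgMSA'
$ndesHost = 'ADCSWEB02$'   # computer account of the NDES host; trailing $ required

if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.fabrikam.com" `
        -PrincipalsAllowedToRetrieveManagedPassword $ndesHost
}

# Least-privilege check: only the NDES host should be able to retrieve the
# managed password. Anything else listed here is a misconfiguration.
$allowed = (Get-ADServiceAccount $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
"Principals allowed to retrieve the managed password of $gmsaName :"
$allowed | ForEach-Object { "  $_" }

# --- Part 2: run elevated on the NDES host (ADCSWEB02) ---
Add-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount $gmsaName

# The post's note: the answer has to be True, otherwise stop here.
if (-not (Test-ADServiceAccount $gmsaName)) {
    throw "Test-ADServiceAccount $gmsaName returned False; fix the gMSA before continuing."
}

# Add the gMSA to IIS_IUSRS (required for it to act as an app pool identity).
$gmsaSam = "FABRIKAM\$gmsaName`$"
if (-not (net localgroup IIS_IUSRS | Select-String -SimpleMatch $gmsaSam)) {
    net localgroup IIS_IUSRS $gmsaSam /add
}
```

Part 1 and Part 2 run on different machines, so copy them separately. The PrincipalsAllowedToRetrieveManagedPassword listing is the check we care about from a security point of view: every computer in that list can obtain the gMSA password and therefore everything the NDES app pool can do, so it should contain the NDES host and nothing else.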
Note: for simplicity we are assuming that you are going to use the default templates. We recommend using custom (version 2) templates in production, as stated at http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-n... .
1. Grant Read and Enroll permissions on the Exchange Enrollment Agent (Offline Request) template to NDESAdmin.
2. Grant Read and Enroll permissions on the CEP Encryption template to NDESAdmin.
3. Grant Read and Enroll permissions on the IPSec (Offline Request) template to NDESgMSA and DeviceAdmin.
4. Publish all three templates on the Certification Authority.
Unfortunately, the setup wizard does not provide support for running the NDES application pool in the security context of a gMSA. That’s why we perform the installation using more or less the default settings.
Alternatively, using the famous PowerShell:
Add-WindowsFeature Adcs-Device-Enrollment -includeManagementTools
Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -CAConfig "CA02.fabrikam.com\FabrikamIssuingCA" -RAName "Fabrikam NDES RA" -RACountry "DE" -RACompany "Fabrikam" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 2048 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 2048
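Because the wizard and the cmdlet above can only install NDES under the built-in ApplicationPoolIdentity, the switch to the gMSA has to happen afterwards. The following is an added PowerShell example (not code from the original post) showing how we would do that switch and verify it. It assumes the NDES application pool is named SCEP and that the gMSA is FABRIKAM\NDESgMSA$; run it elevated on the NDES host after Install-ADServiceAccount has succeeded.

```powershell
# Added example, not from the original post. Assumptions: the NDES app pool is
# named 'SCEP' and the gMSA is FABRIKAM\NDESgMSA$ (NetBIOS domain name assumed).
Import-Module WebAdministration

$poolName = 'SCEP'
$gmsaSam  = 'FABRIKAM\NDESgMSA$'   # trailing $ marks a managed service account

if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    throw "App pool $poolName not found; check the NDES installation first."
}

# identityType 3 = SpecificUser. For a gMSA the password stays empty: IIS
# retrieves the managed password from AD because this host is listed in the
# gMSA's PrincipalsAllowedToRetrieveManagedPassword.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel `
    -Value @{ identityType = 3; userName = $gmsaSam; password = '' }

# Verify the configuration took effect before touching anything else.
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
if ($pm.userName -ne $gmsaSam -or $pm.identityType -ne 'SpecificUser') {
    throw "App pool $poolName is not configured to run as $gmsaSam"
}
"App pool $poolName identity: $($pm.identityType) / $($pm.userName)"

# Recycle so the worker process is restarted under the gMSA.
Restart-WebAppPool -Name $poolName

# After the first request to /certsrv/mscep has spun up a worker process,
# confirm who it actually runs as.
Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    "w3wp.exe PID {0} runs as {1}\{2}" -f $_.ProcessId, $owner.Domain, $owner.User
}
```

If the worker process fails to start after this change, the usual causes are the gMSA not being installed on this host (Test-ADServiceAccount returns False) or the gMSA missing from IIS_IUSRS; the remaining cause, missing private key permissions, is handled further down.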
a. Still in IIS MMC, select the Default Web Site.
b. Click View Applications on the Actions pane on the right side.
c. Double-click Handler Mappings on the middle pane.
d. On the Actions pane, click View Ordered List…
e. On the Details pane in the middle, select ExtensionlessUrlHandler-ISAPI-4.0_64bit and click Move Down. Click Yes to move it below the StaticFile item.
f. Repeat steps a to e for the /Certsrv/mscep_admin application.
g. Restart IIS by typing iisreset on an elevated command prompt.
Configure permissions on private keys
Note: again, for simplicity we assumed that you are going to use the default templates. If you followed our recommendation and prepared custom templates instead, you can skip this step.
During the initial configuration of NDES, two certificates were requested in the security context of the NDES Admin (account used to install NDES role service) and permissions on the corresponding keys were configured for the built-in app pool identity. However, we need to configure permissions to the keys for the gMSA:
a. Open the local computer certificate store (certlm.msc) on the NDES machine.
b. Right-click the CEP Encryption certificate and select All Tasks > Manage Private Keys.
c. Add the NDESgMSA account and grant it the Read permission.
d. Repeat steps a to c for the Exchange Enrollment Agent (Offline) certificate.
e. Restart IIS by typing iisreset on an elevated command prompt.
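The same private key permissions, granted from PowerShell instead of certlm.msc, as an added example that is not part of the original post. It assumes both NDES certificates carry the RA name used in the install command above (Fabrikam NDES RA) in their subject and that they were enrolled with the CSP named there (Microsoft Strong Cryptographic Provider), so the key files live under ProgramData\Microsoft\Crypto\RSA\MachineKeys. Keys held by a KSP (CNG) or on an HSM are stored elsewhere and would need a different lookup; the gMSA name FABRIKAM\NDESgMSA$ is an assumption.

```powershell
# Added example, not from the original post. Assumptions: RA name 'Fabrikam NDES RA'
# (from the post's install command), CSP-backed keys in MachineKeys, and the
# gMSA FABRIKAM\NDESgMSA$. Run elevated as the account that enrolled the certs.
$gmsaSam  = 'FABRIKAM\NDESgMSA$'
$raName   = 'Fabrikam NDES RA'
$keyStore = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Both NDES certificates (CEP Encryption and Exchange Enrollment Agent (Offline))
# were issued with the RA name as subject during the NDES configuration.
$ndesCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$raName*" })

if ($ndesCerts.Count -ne 2) {
    throw "Expected the two NDES certificates for '$raName', found $($ndesCerts.Count)"
}

foreach ($cert in $ndesCerts) {
    # For CSP keys the container maps to exactly one file in MachineKeys,
    # named after the unique key container name.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $keyStore $container
    if (-not (Test-Path $keyFile)) {
        throw "Key file for $($cert.Thumbprint) not found at $keyFile (KSP or HSM key?)"
    }

    # Read only: the app pool needs to use the key, not change its ACL or
    # export it. Do not grant Full Control here.
    icacls $keyFile /grant "$($gmsaSam):R" | Out-Null

    # Show the resulting ACL entry for the gMSA as a check.
    $ace = (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $gmsaSam }
    "{0}  {1}  -> {2} for {3}" -f $cert.Thumbprint, $cert.Subject, $ace.FileSystemRights, $gmsaSam
}

# Step e from the post: restart IIS so the app pool picks up the new key permissions.
iisreset
```

The count check matters: if the filter finds more than the two NDES certificates (for example a web server certificate that happens to carry the same CN), narrow the Where-Object clause, because every certificate it returns gets its key opened to the gMSA.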
Starting with Windows Server 2012 R2, NDES supports policy module integration which can provide additional security for the SCEP. This enhancement lets an organization or mobile device management solution address the issue described in CERT Vulnerability Note VU#971035 “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests.” See http://www.kb.cert.org/vuls/id/971035 for more details on this vulnerability.
Find more details about the NDES Policy Module support at https://technet.microsoft.com/en-us/library/dn473016.aspx