Secure Configuration and Hardening of Active Directory Certificate Services
This blog provides a detailed guide on securing and hardening Active Directory Certificate Services (ADCS), emphasizing best practices based on extensive Microsoft customer engagements. It covers four critical focus areas: maintaining an offline root certificate authority (CA), auditing certificate services correctly, applying role separation, and cleaning up certificate templates and their permissionsFirewall Rules for Active Directory Certificate Services
First published on TECHNET on Jun 25, 2010 Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP and DCOM based enrollment The information was developed by Microsoft Consultant Services during one of our customer engagementsProtocolPortFromToActionCommentsKerberos464Certificate Enrollment Web Services Domain Controllers (DC)AllowSource Certificate Enrollment Web ServicesDestination: DCService: Kerberos (network port tcp/464)LDAP389Certificate Enrollment Web Services Domain Controllers (DC)AllowSource Certificate Enrollment Web ServicesDestination: DCService: LDAP (network port tcp/389)LDAP636Certificate Enrollment Web Services Domain Controllers (DC)AllowSource Certificate Enrollment Web ServicesDestination: DCService: LDAP (network port tcp/636)DCOM/RPCRandom port above port 1023· Certificate Enrollment Web Services· All XP clients requesting certs CAAllowPlease see for details on RPC/DCOM configuration: http://support.Setting up NDES using a Group Managed Service Account (gMSA)
First published on TECHNET on Apr 26, 2015 Setting up NDES using a Group Managed Service Account (gMSA)Hallo everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account).
