Re: Securing a Web Enrollment Server

From: Phil Bailey (pbailey_at_mindspring.com)
Date: 05/06/04


Date: Wed, 5 May 2004 23:45:09 -0400

I would recommend you work through this solution in testing first; it's
important to simulate any different client scenarios for enrollment. In a
recent project, we intended to deploy web enrollment on a separate server as
well (I mean, the virtual directory defaults to a folder inside systemroot;
if someone starts crawling around there on your issuer ...). It makes perfect
sense to have a separate box.

In testing all was well: the enrollment site and the issuer are trusted for
delegation, the site is SSL secured and we do digest or basic
authentication, domain member computers go to the site, grab their cert ...
sweeeet

We order another box for deployment ...

In production, the first attempted enrollment is from our contracted PM on a
machine that was not in our domain, .... (get your kleenex, this part is sad
...)
2 days on the phone with PSS (both IIS and Directory Services) and we put
web enrollment on our issuer ... (hmmm....I really ought to re-open that
case) The problem was attributed to the 2 hop rule on authentication (there
are some articles out there ...)

Deploy on W2003 and you've got the IIS lockdown pretty much by default. So
you at least have the option. As far as locking it down, be very careful
when manipulating perms on certsrv and its subfolders; you can jack the CA
up pretty bad.

For 2K clients, beware of the "ActiveX control failed to download" issue. Saw
that one a bunch.

"Eric Chamberlain" <eric.chamberlain@newsgroups.nospam> wrote in message
news:e6bOGUwMEHA.2468@TK2MSFTNGP11.phx.gbl...
>
> "Max" <maxroberts1@yahoo.com> wrote in message
> news:3a37fa17.0405051325.60fd4741@posting.google.com...
> > We're in the designing phase for a Windows 2003 PKI. We plan to
> > separate the Web Enrollment IIS server from the Issuing CA. Is this
> > good practice?
> >
> I think it is a good idea to separate the functions, especially if your
> users are connecting remotely and requesting certificates.
>
> > Furthermore, is there any security reason not to host the Web
> > Enrollment server on the web farm, or is there reason to host it on a
> > dedicated server?
> >
>
> We host our RA in a web farm. The only issue I can think of is if you need
> to trust the machine for delegation, other sites would also be trusted for
> delegation.
>
>
>
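The thread's two recurring concerns are the delegation trust a separate Web Enrollment server needs in order to reach the issuing CA (and, as Eric notes, that trust is granted to the whole machine, so every site on a shared web farm inherits it), and the fragility of the NTFS permissions under certsrv. The read-only audit script below is an added example written for this page, not code from either poster or from Microsoft. It assumes a domain-joined administrative host with the ActiveDirectory PowerShell module installed, and the server names WEBENROLL01 and ISSUINGCA01 are placeholders to replace with your own.

```powershell
# Added audit example; not part of the original thread.
# Assumptions: ActiveDirectory module (RSAT) is available; the two host
# names below are placeholders for the web enrollment server and issuing CA.
param(
    [string]$WebEnrollHost = 'WEBENROLL01',   # placeholder
    [string]$CaHost        = 'ISSUINGCA01'    # placeholder
)

Import-Module ActiveDirectory

# 1. How is the web enrollment server's computer account trusted for delegation?
#    Unconstrained delegation lets the box impersonate users to ANY service,
#    which is exactly the web-farm concern raised in the thread.
$acct = Get-ADComputer -Identity $WebEnrollHost `
        -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'

if ($acct.TrustedForDelegation) {
    Write-Warning "$WebEnrollHost is trusted for delegation to ANY service (unconstrained)."
}
elseif ($acct.'msDS-AllowedToDelegateTo') {
    Write-Output "$WebEnrollHost uses constrained delegation to:"
    $acct.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }

    # Anything other than the issuing CA (HOST/ or rpcss/ SPNs for $CaHost)
    # widens the blast radius and deserves a second look.
    $foreign = $acct.'msDS-AllowedToDelegateTo' |
               Where-Object { $_ -notmatch "/$CaHost(\.|$)" }
    if ($foreign) {
        Write-Warning "Delegation targets other than $CaHost found: $($foreign -join ', ')"
    }
}
else {
    Write-Output "$WebEnrollHost is not trusted for delegation; the second hop to $CaHost will fail."
}

# 2. Snapshot the NTFS ACL on the certsrv virtual directory's default folder
#    so a change can be diffed against a known-good state before it is made.
$certSrv = Join-Path $env:SystemRoot 'System32\CertSrv'
if (Test-Path $certSrv) {
    Write-Output "ACL on $certSrv :"
    (Get-Acl -Path $certSrv).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
else {
    Write-Output "$certSrv not found on this host (run this part on the web enrollment server)."
}
```

Run the delegation check from any domain-joined admin workstation; the ACL section only reports something useful when run on the web enrollment server itself. Keep the output from a working lab build, as the post suggests testing first, so that a later permission change on certsrv can be compared line by line instead of guessed at.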


