AD CS: Policy Settings

Applies To: Windows Server 2008

In the Windows Server® 2008 operating system, certificate-related Group Policy settings enable administrators to manage certificate validation settings according to the security needs of the organization.

What are certificate settings in Group Policy?

Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location. Configuring the settings by using Group Policy effects changes throughout the entire domain. For example, administrators can use the new certificate-related settings to:

  • Deploy intermediate certification authority (CA) certificates to client computers.

  • Ensure that users never install applications that have been signed with an unapproved publisher certificate.

  • Configure network timeouts to better control the chain-building timeouts for large certification revocation lists (CRLs).

  • Extend CRL expiration times if a delay in publishing a new CRL is affecting applications.

Who will be interested in this feature?

This feature applies to organizations that have public key infrastructures (PKIs) with one or more Windows-based CAs and use Group Policy to manage client computers.

Using certificate validation settings in Group Policy can significantly enhance the ability of:

  • Security architects to enhance the use of certificate-based trust.

  • Security administrators to manage PKI-enabled applications in their environment.

What new functionality does this feature provide?

As X.509 PKIs become more widely used as a foundation of trust, many organizations need more options to manage certificate path discovery and path validation. Previous versions of Windows operating systems had few settings to implement this kind of control.

Certificate-related Group Policy settings can be found in the Group Policy Management Console (GPMC), under Computer Configuration\Windows Settings\Security Settings\Public Key Policies. The following policy options can be managed under separate tabs on the Certificate Path Validation Settings dialog box:

  • Stores

  • Trusted Publishers

  • Network Retrieval

  • Revocation

In addition, four new policy stores have been added under Public Key Policies for use in distributing different types of certificates to clients:

  • Intermediate Certification Authorities

  • Trusted Publishers

  • Untrusted Certificates

  • Trusted People

These new policy stores are in addition to the Enterprise Trust and Trusted Root Certification Authorities stores that were available in Windows Server 2003.

These path validation settings and certificate stores can be used to complete the following tasks:

  • Managing the peer trust and trusted root certificate stores

  • Managing trusted publishers

  • Blocking certificates that are not trusted according to policy

  • Managing retrieval of certificate-related data

  • Managing expiration times for CRLs and Online Certificate Status Protocol (OCSP) responses

  • Deploying certificates

Managing peer trust and trusted root CA stores

By using the Stores tab on the Certificate Path Validation Settings dialog box, administrators can regulate the ability of users to manage their own trusted root certificates and peer trust certificates. This control can be implemented so that users are not allowed to make any root or peer trust decisions, or it can be used to control the number of specific certificate purposes, such as signing and encryption, that users can manage for peer trust.

The Stores tab also allows administrators to specify whether users on a domain-joined computer can trust only enterprise root CAs or both enterprise root and non-Microsoft root CAs.

If an administrator needs to distribute selected trusted root certificates to computers in the domain, the administrator can do so by copying the certificates into the Trusted Root Certification Authorities store, and the certificates will be propagated to the appropriate certificate store the next time Group Policy is refreshed.

Why is this functionality important?

Because of the growing variety of certificates in use today and the growing importance of decisions that need to be made about whether to recognize or not recognize these certificates, some organizations might want to manage certificate trust and prevent users in the domain from configuring their own set of trusted root certificates.

How should I prepare for this change?

Using certificate trust–related Group Policy settings requires careful planning to determine the certificate needs of users and computers in your organization, and the amount of control they should have over those certificates. You might be able to provide users with greater leeway if you combine the use of these settings with clear and effective training so that users understand the importance of certificates, the risks of poor certificate management, and how to manage their certificates responsibly.

Managing trusted publishers

The policy options in the Trusted Publishers tab of the Certificate Path Validation Settings dialog box allow administrators to control which certificates can be accepted as coming from a trusted publisher.

Why is this change important?

Software signing is being used by a growing number of software publishers and application developers to verify that their applications come from a trusted source. However, many users do not understand, or pay little attention to, the signing certificates associated with the applications that they install.

Specifying organization-wide trusted publisher policy options allows organizations to decide whether Authenticode® certificates can be managed by users and administrators, only administrators, or only enterprise administrators.

In addition, this section of the path validation policy can require that additional revocation and time stamp checks are completed before a trusted publisher certificate is accepted.

How should I prepare for this change?

Using certificate trust–related Group Policy settings requires careful planning to determine the certificate needs of users and computers in your organization, and the amount of control they should have over those certificates. You might be able to provide users with greater leeway if you combine the use of these settings with clear and effective training so that users understand the importance of certificates, the risks of poor certificate management, and how to manage their certificates responsibly.

Blocking certificates that are not trusted according to policy

You can prevent certain certificates from ever being used in your organization by adding them to the Untrusted Certificates store.

Why is this change important?

Just as network administrators are responsible for preventing viruses and other malicious software from entering their environments, administrators in the future might want to block certain certificates from being used. A certificate issued by your own CA can be revoked, and it will be added to a CRL. You cannot revoke certificates issued by external CAs. However, you can disallow these untrusted certificates by adding them to the Untrusted Certificates store. These certificates will be copied to the Untrusted Certificates store of each client computer in the domain the next time Group Policy is refreshed.
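The Stores tab, the Trusted Publishers tab and the Untrusted Certificates store all end up as entries in the local certificate stores of each client after a Group Policy refresh. The following PowerShell script is an added example, not code from the original article; it audits those local stores so an administrator can confirm what policy actually delivered: roots present only in the user's own store (the ones the Stores tab can stop being used for validation), the expected entries in the Disallowed store (the local name of the Untrusted Certificates store), any overlap between trusted roots and explicitly distrusted certificates, and expired trusted publisher certificates. It assumes PowerShell 2.0 or later with the Cert: provider; the thumbprints in $ExpectedDisallowed are constructed placeholders.

```powershell
# Added example (not from the original article): audit the local certificate
# stores that the Public Key Policies settings populate, so that an administrator
# can verify what Group Policy actually delivered to a client after a refresh.
# Assumptions: PowerShell 2.0 or later with the Cert: provider; the thumbprints
# below are constructed placeholders, replace them with the ones from your policy.

# Thumbprints the organization distributes through the Untrusted Certificates
# store (constructed placeholder values, not real certificates).
$ExpectedDisallowed = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

function Get-StoreThumbprints([string]$StorePath) {
    # Returns the thumbprints of all certificates in a Cert: path, or an
    # empty array if the store is missing or empty.
    $certs = @(Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue)
    return @($certs | ForEach-Object { $_.Thumbprint })
}

# 1. Roots that exist only in the user's store were added by the user (or by a
#    per-user installer), not by policy. The Stores tab controls whether such
#    roots may be used for validation at all.
$machineRoots = Get-StoreThumbprints 'Cert:\LocalMachine\Root'
$userOnlyRoots = Get-ChildItem 'Cert:\CurrentUser\Root' -ErrorAction SilentlyContinue |
    Where-Object { $machineRoots -notcontains $_.Thumbprint }
Write-Host "User-only trusted roots (not present in the machine store):"
$userOnlyRoots | ForEach-Object { Write-Host ("  {0}  {1}" -f $_.Thumbprint, $_.Subject) }

# 2. The Untrusted Certificates policy store maps to the local 'Disallowed'
#    store. Anything expected but missing means the policy has not applied
#    on this machine yet.
$disallowed = Get-StoreThumbprints 'Cert:\LocalMachine\Disallowed'
$missing = @($ExpectedDisallowed | Where-Object { $disallowed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Untrusted certificates not yet applied: " + ($missing -join ', '))
} else {
    Write-Host "All expected untrusted certificates are present in the Disallowed store."
}

# 3. A certificate that is in both Root and Disallowed is blocked regardless of
#    the root store; this is how an external CA certificate you cannot revoke
#    is neutralized. List the overlap so that it is a deliberate choice.
$blockedRoots = @($machineRoots | Where-Object { $disallowed -contains $_ })
Write-Host ("Trusted roots that are also explicitly distrusted: {0}" -f $blockedRoots.Count)

# 4. Expired trusted publisher certificates still sit in the store; list them
#    so the policy store can be cleaned up.
Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' -ErrorAction SilentlyContinue |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Host ("Expired trusted publisher: {0} ({1})" -f $_.Subject, $_.NotAfter) }
```

Run the script on a client after gpupdate; an empty "user-only roots" list and no "not yet applied" warning means the policy stores described above have been delivered as intended.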

How should I prepare for this change?

Using certificate trust–related Group Policy settings requires careful planning to determine the certificate needs of users and computers in your organization, and the amount of control they should have over those certificates. You might be able to provide users with greater leeway over which certificates they can manage if you combine the use of these settings with clear and effective training so that users understand the importance of certificates, the risks of poor certificate management, and how to manage their certificates responsibly.

Managing retrieval of certificate-related data

CRLs can become very large and then fail to download because retrieving them takes longer than the default timeout of 15 seconds. Options on the Network Retrieval tab of the Certificate Path Validation Settings dialog box allow administrators to modify the default retrieval timeouts to solve this problem.

In addition, network retrieval and path validation settings allow administrators to:

  • Automatically update certificates in the Microsoft® Root Certificate Program.

  • Configure retrieval timeout values for CRLs and path validation (larger default values may be useful if network conditions are not optimal).

  • Enable issuer certificate retrieval during path validation.

  • Define how frequently cross-certificates are downloaded.

Why is this change important?

To be effective, certificate-related data such as trusted root certificates, cross-certificates, and CRLs must be updated in a timely manner. However, network conditions are not always optimal, for example for remote users or branch offices. These Group Policy settings allow you to ensure that certificate-related data will be updated even when network conditions are less than optimal.

How should I prepare for this change?

Determine whether network conditions are impacting CRL download times.
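One way to make that determination is to time the CRL downloads that chain building would perform. The following PowerShell script is an added example, not code from the original article: it reads the CRL Distribution Points extension of a certificate, downloads each HTTP distribution point, and flags any download that would not complete within the 15-second default timeout cited above, which is the case for raising the value on the Network Retrieval tab. It assumes PowerShell 2.0 or later, a placeholder path in $CertPath, and that the extension's Format() text lists distribution points as "URL=..." lines; LDAP distribution points are skipped because only HTTP URLs are fetched.

```powershell
# Added example (not from the original article): measure how long each CRL
# distribution point (CDP) listed in a certificate takes to download, and flag
# anything that would not finish within the 15-second default timeout that the
# Network Retrieval tab lets you raise. Assumptions: PowerShell 2.0 or later;
# $CertPath points at a DER or PEM certificate file (placeholder path); the CDP
# URL parsing relies on the "URL=" lines produced by the extension's Format() method.
param([string]$CertPath = 'C:\path\to\certificate.cer')  # placeholder path

$DefaultTimeoutSeconds = 15   # default chain-building retrieval timeout per the article

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The CRL Distribution Points extension has OID 2.5.29.31. Format($true) returns
# multi-line text containing lines such as "URL=http://.../name.crl".
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning "Certificate has no CRL Distribution Points extension"; return }

# Only HTTP(S) distribution points are timed; ldap:/// entries are not matched.
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(https?://\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    $client = New-Object System.Net.WebClient
    $watch = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $bytes = $client.DownloadData($url)
        $watch.Stop()
        $seconds = $watch.Elapsed.TotalSeconds
        $status = if ($seconds -gt $DefaultTimeoutSeconds) { 'EXCEEDS default timeout' } else { 'ok' }
        Write-Host ("{0}`n  size: {1:N0} bytes  time: {2:N1} s  [{3}]" -f $url, $bytes.Length, $seconds, $status)
    } catch {
        $watch.Stop()
        Write-Warning ("{0}: download failed after {1:N1} s: {2}" -f $url, $watch.Elapsed.TotalSeconds, $_.Exception.Message)
    } finally {
        $client.Dispose()
    }
}
```

Run it from the network location where the slow clients sit (a branch office, a VPN connection) rather than from the CA's own subnet, because the retrieval time that matters is the one those clients experience; the reported size also tells you whether a large base CRL, rather than the network alone, is the cause.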

Managing expiration times for CRLs and OCSP responses

Revocation invalidates a certificate as a trusted security credential before its validity period expires. A PKI depends on distributed verification of credentials, in which there is no need for direct communication with the central trusted entity that vouches for the credentials.

To effectively support certificate revocation, the client must determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory® Certificate Services (AD CS) supports industry-standard methods of certificate revocation.

These include publication of CRLs and delta CRLs in several locations for clients to access, including Active Directory Domain Services, Web servers, and network file shares. In Windows, revocation data can also be made available in a variety of settings through OCSP responses.

Why is this change important?

Network conditions can prevent the latest CRLs from being published, which can cause all certificate chain validations to fail. Extending the expiration time of the existing CRL or the OCSP response can prevent this from happening.

How should I prepare for this change?

Using certificate revocation data–related Group Policy settings requires careful planning to determine the appropriate balance between strict adherence to the standard CRL publication schedule and the potential consequences of extending the CRL validity period if an updated CRL is not available.
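To see what the failure described above looks like from the client's side, the following PowerShell script is an added example, not code from the original article: it builds a certificate chain with online revocation checking and a configurable retrieval timeout and then prints the chain-status flags. When the CRL or OCSP response cannot be fetched or has already expired, the chain reports RevocationStatusUnknown and OfflineRevocation instead of a clean result, which is the condition that extending the CRL or OCSP expiration time is meant to bridge; a certificate that is actually on the CRL reports Revoked. It assumes PowerShell 2.0 or later and a placeholder path in $CertPath to a certificate issued by your CA.

```powershell
# Added example (not from the original article): build a chain for a certificate
# with online revocation checking and a retrieval timeout, then report which
# chain-status flags appear. RevocationStatusUnknown / OfflineRevocation mean
# fresh revocation data could not be obtained (unreachable or expired CRL/OCSP
# response); Revoked means the data was obtained and the certificate is listed.
# Assumptions: PowerShell 2.0 or later; $CertPath is a placeholder path.
param(
    [string]$CertPath = 'C:\path\to\certificate.cer',   # placeholder path
    [int]$RetrievalTimeoutSeconds = 15                   # the default the article cites
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds $RetrievalTimeoutSeconds

$valid = $chain.Build($cert)
Write-Host ("Chain valid: {0}" -f $valid)

# Overall status flags for the chain, with the human-readable reason.
foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $status.Status, ("$($status.StatusInformation)").Trim())
}

# Show which element in the chain carried the problem (end entity is index 0).
for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $el = $chain.ChainElements[$i]
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    Write-Host ("  [{0}] {1}  -> {2}" -f $i, $el.Certificate.Subject, $flags)
}
$chain.Reset()
```

Running the script with a short timeout against a certificate whose CDP is slow or unreachable reproduces the situation the section describes, and running it again after the CRL expiration setting has been extended shows whether the cached CRL is now accepted; a result of Revoked should never be treated as a network problem.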

Deploying certificates

User and computer certificates can be deployed by using a number of mechanisms, including autoenrollment, the Certificate Request Wizard, and Web enrollment. But deploying other types of certificates to a large number of computers can be challenging. In Windows Server 2003, it was possible to distribute trusted root CA certificates and enterprise trust certificates by using Group Policy. In Windows Server 2008, all of the following types of certificates can be distributed by placing them in the appropriate certificate store in Group Policy:

  • Trusted root CA certificates

  • Enterprise trust certificates

  • Intermediate CA certificates

  • Trusted publisher certificates

  • Untrusted certificates

  • Trusted people (peer trust certificates)

Why is this change important?

The growing variety of certificates and certificate uses requires that administrators have an efficient means of distributing these certificates to users and computers in their organizations.

How should I prepare for this change?

Using certificate trust–related Group Policy settings requires careful planning to determine the certificate needs of users and computers in your organization, and the amount of control they should have over those certificates. You might be able to provide users with greater leeway if you combine the use of these settings with clear and effective training so that users understand the importance of certificates, the risks of poor certificate management, and how to manage their certificates responsibly.

How should I prepare to deploy this feature?

You must be a member of the Domain Admins group to configure Group Policy in the domain.

Additional references

For information about other features in AD CS, see Active Directory Certificate Services Role.