Best Practices for Certificate Management
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If you use Microsoft System Center Configuration Manager 2007 native mode, you are using certificates created by a PKI. You might also be using PKI certificates if you are using mobile devices or managing custom software updates.
Carefully plan for and secure your PKI If you have an existing PKI, Configuration Manager 2007 should be able to use certificates issued by it. However, if you do not have an existing PKI and you want to implement a PKI to support Configuration Manager 2007, you must plan your PKI implementation very carefully. For example, failure to adequately plan for a secure root CA in your PKI hierarchy could compromise every certificate issued by your CA. Also, designing a PKI to support one application without considering possible future PKI requirements could force you to tear down and redeploy your PKI, which could compromise Configuration Manager 2007 security and availability. For information about planning for and securing your PKI, consult the documentation from your PKI vendor.
Follow industry and organizational best practices for certificate management Configuration Manager 2007 does not have specific requirements for certificate management. For example, Configuration Manager 2007 does not recommend a minimum key length, maximum certificate expiration date, or issuance policy.
Enable CRL checking on native mode clients Certificates can be revoked by a certification authority administrator—for example, if an issued certificate is known or suspected to be compromised. Enabling Certificate Revocation Checking (CRL) on clients is more secure, although it introduces additional performance and administrative overhead. For more information, see Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)
|CRL checking is enabled by default in IIS, so no additional action is required for Configuration Manager 2007 site systems in native mode.|
Protect the integrity of your client authentication certificates Configuration Manager 2007 can use client authentication certificates from any certification store. If the permissions on the certification store allow access to a low-rights user, that low-rights user could use the certificate to access Configuration Manager 2007 policy and obtain credential information for the Network Access account and the Task Sequence Editor Domain Joining Account. The low-rights user could also tamper with the state, status, and inventory information sent by that client computer.
Use a certificate trust list to define the trusted root certification authorities A certificate trust list (CTL) is a defined list of trusted root certification authorities. By default, the Windows operating systems are configured to trust some well-known certification authority certificates, such as VeriSign and Thawte, because the certification authority certificates are preinstalled in the operating system. If you do not explicitly define the CTL, all clients that have client authentication certificates issued by these preinstalled certification authorities are accepted as valid Configuration Manager clients. If you configure the CTL, only the trusted root certification authorities specified in the CTL will be trusted by Configuration Manager. For more information, see Determine If You Need to Configure a Certificate Trust List (CTL) with IIS (Native Mode).
Use Active Directory Domain Services to deploy the site server signing certificate For the client to receive the site server signing certificate, the following options are available:
Being installed with it by using the SMSSIGNCERT parameter
Querying Active Directory Domain Services
Automatically obtaining it from the management point
Automatically deploying the certificate with the management point is the least secure solution and should not be used if you have any doubts about the security of your management point. For example, a management point that resides in a perimeter network to accept connections from the Internet for Internet-based client management is considered less secure than a management point within your intranet that accepts only connections from intranet clients. However, automatically deploying a copy of the site server signing certificate through the management point might be an appropriate solution if the management point accepts only connections from intranet clients and you do not want the administrative overhead of manual deployment. For more information, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode).
Guard the security of the site server signing certificate If the site server signing certificate is compromised, all policy in the hierarchy is suspect. Even in native mode, attackers could create the policy of their choice and have it run with high rights on all Configuration Manager 2007 clients. Verify that the site server signing certificate is securely backed up. Follow PKI security best practices for managing critical certificates. For example, consider the appropriate issuance policy for your environment and create a plan for securely deploying the certificate.
Use a new key pair when renewing the site server signing certificate Keeping the original key pair reduces administrative overhead and does not disrupt Configuration Manager 2007 site functions, but it allows attackers more time to attempt to decrypt the keys. If the new site server signing certificate chains to the same trusted root authority as the previous site server signing certificate, Configuration Manager 2007 clients will automatically download a copy of the new site server signing certificate from either Active Directory Domain Services or from the management point. They then validate their policy signed by the new site server signing certificate and continue to function. This might delay clients from receiving new policies, especially if large numbers of clients need to retrieve the new certificate. For more information, see Renewing or Changing the Site Server Signing Certificate.
|When the site server signing certificate is due to expire in 10 days time, Configuration Manager 2007 sends status message 5112 one time per day. You can create a status filter rule to trigger an action when you receive 5112. For example, you might configure a status filter rule to send a text message notifying you that the certificate is about to expire.|
Verify that all certificates are stored in secure certificate stores By default, Configuration Manager 2007 looks for its client authentication certificates in the local computer Personal store, which is restricted to administrator access. However, it is possible to use client certificates from any computer certificate store. Failure to adequately secure the store where the client authentication certificate is stored could allow a low-rights user to gain control of the certificate.
Other ResourcesSecurity Best Practices for Configuration Manager
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.