Defining PKI Management and Delegation
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
It is important to define a PKI management model early in the process of designing your CA infrastructure. This PKI management model must complement your existing security management delegation plan and help you to meet Common Criteria requirements for role separation. To ensure that a single individual cannot compromise PKI services, it is best to distribute management roles across different individuals in your organization. This involves deciding which individuals are to perform each of the following tasks:
Creating or modifying existing CAs
Managing certificate templates
Issuing cross certificates
Issuing or revoking user certificates
Configuring and viewing audit logs
You can use discretionary access control lists (DACLs) to manage CA permissions and delegate CA management tasks.
Windows Server 2003 includes the following CA management roles:
Service Manager. Configures and manages Certificate Services for local users, assigns certificate managers, and renews CA certificates.
Certificate Manager. Issues and revokes certificates.
Auditor. Audits the actions of local administrators, service managers, and certificate managers.
The extent to which you separate roles depends on the level of security that you require for a particular service. Assign the fewest possible rights to users in order to achieve the greatest level of security. For example, you can adopt the following rules:
No user can assume the roles of both CA Administrator and Certificate Manager.
No user can assume the roles of both User Manager and Certificate Manager.
If you need stricter guidelines, you can include the following:
- No user can assume the roles of both Auditor and Certificate Manager.
To facilitate this delegation process, you need to understand how various PKI administrative roles align with Windows Server 2003 administrative roles. Table 16.1 lists the Windows Server 2003 administrative roles that correspond to each PKI administrative role.
Table 16.1 PKI Administrative Roles and Their Corresponding Windows Server 2003 Administrative Roles
| PKI Administrative Role | Description | Windows Server 2003 Administrative Role |
|---|---|---|
PKI Administrator |
Configures, maintains, and renews the CA. |
User |
Backup Operator |
Performs system backup and recovery. |
Backup Operator on the server on which the CA is running |
Audit Manager |
Configures, views, and maintains audit logs. |
Local Administrator on the server on which the CA is running |
Key Recovery Manager |
Requests retrieval of a private key stored by the service. |
User |
Certificate Manager |
Approves certificate enrollment and revocation requests. |
User |
User Manager |
Manages users and their associated information. |
Account Operators (or person delegated to create user accounts in Active Directory) |
Enrollee |
Requests certificates form the CA |
Authenticated Users |
Table 16.2 lists the actions that each PKI administrative role can perform.
Table 16.2 Actions Performed By PKI Administrative Roles
| Action | Enrollee | CA Admin | Certificate Manager | Audit Manager | Backup Operator | Local Server Admin |
|---|---|---|---|---|---|---|
Install a CA |
.gif "Table Bullet") |
|||||
Configure a CA |
|
|
||||
Policy and exit module configuration |
|
|||||
Stop/start service |
|
|
||||
Change configuration |
|
|||||
Assign user roles |
|
|||||
Establish user accounts |
|
|
||||
Maintain user accounts |
|
|
||||
Configure profiles |
|
|
||||
Renew CA keys |
|
|||||
Define key recovery agent(s) |
|
|||||
Define officer roles |
|
|||||
Enable role separation |
|
|||||
Issue/Approve certificates |
|
|||||
Deny certificates |
|
|||||
Revoke certificates |
|
|||||
Unrevoke certificates |
|
|||||
Renew certificates |
|
|||||
Enable, publish, or configure CRL schedule |
|
|||||
Configure audit parameters |
|
|
||||
Audit logs |
|
|
||||
Back up system |
|
|
||||
Restore system |
|
|
||||
Read CA properties, CRL |
|
|||||
Request certificate |
|
|||||
Read CA database |
|
|
|
|
||
Read CA configuration information |
|
|
|
|
||
Read issued, Revoked, pending certificates |
|
|
|
|
Note
- As you delegate roles and responsibilities, be sure to keep track of the permissions that you configure on certificate directories. Distributing access to a PKI to a number of individuals creates greater security risks.