Role Separation

Applies To: Windows Server 2003 with SP1

The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a user to be assigned a single role. If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, a user should be assigned only one CA role. This feature is valuable for large enterprises where the separation of roles ensures that the compromise of a user's account does not compromise the entire CA administered by the user.

Important

Before role separation is enabled, each user assigned a CA role on the CA must only be assigned a single CA role on that CA. If a user is assigned more than one CA role, when role separation is enabled, the Certificate Services service will detect that a user has more than one role and deny the user's attempts to operate the CA.

Only members of the local Administrators security group on a CA can enable and disable role separation. Enabling role separation requires editing the registry of the Windows Server 2003 Enterprise Edition server running the Certificate Services service. Once this registry setting is edited to enable role separation, any assigned roles are in effect until the local Administrator of the server disables role separation through the registry. CA roles can be assigned and changed by the CA Administrator while role separation is enabled or disabled. While role separation is enabled, the CA Administrator cannot assign a user to more than one CA role; if the CA Administrator attempts to assign a user to a second CA role, the operation is refused.

Important

It is possible for a user assigned a role to become locked out of administering a CA when role separation is enabled if the user is also assigned to a second CA role. If the CA Administrator is assigned to a second role, or assigns another role holder to a second role, the CA Administrator violates the rules of role separation by allowing a user to have two roles. Once the user is assigned to two roles, role separation will not allow that user to perform any activity on the CA, including, in the case of the CA Administrator, the activity of removing himself from one of the roles.

To correct this configuration, the local Administrator of the server must disable role separation, remove the CA Administrator from the second role, and then restart the Certificate Services service. Following these steps, role separation can be enabled again.

Windows 2000 and Windows Server 2003 Role-Based Administration

During the upgrade from a Windows 2000 CA to a Windows Server 2003 CA, Windows 2000 CA permissions are upgraded to Windows Server 2003 CA roles according to the rules in the following table.

Windows 2000 Permission                                                         Windows Server 2003 Role or Permission
Manage CA permission                                                            CA Administrator and Certificate Manager
Revoke Certificate permission                                                   Certificate Manager
Approve/Issue Certificate permission                                            Certificate Manager
Enroll permission                                                               Enroll permission
Read permission                                                                 Read permission
All other permissions listed in the Windows 2000 CA advanced security settings  Read permission

Note

You can assign certification authority roles for role-based administration on servers running any version of the Windows Server 2003 family, but you can only enable role separation on servers running Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter, including the 64-bit version of Windows Server 2003 Enterprise Edition and 64-bit version of Windows Server 2003 Datacenter.

To enable role separation, open a command prompt window and type

certutil -setreg ca\RoleSeparationEnabled 1 

The Certificate Services service must now be stopped and started.

To stop and start the Certificate Services service, at the command prompt, type

net stop certsvc 
net start certsvc 

To disable role separation, open a command prompt and type

certutil -delreg ca\RoleSeparationEnabled 

Again, the Certificate Services service must be stopped and started.

To display the role separation setting, at the command prompt, type

certutil -getreg ca\RoleSeparationEnabled 

The following command will display all CA information including CA role separation status:

certutil.exe -cainfo role

Role Separation Validation

Once the CA is configured into role separation mode, all role operations are performed through the ICertAdminD DCOM interface. Role separation need not be enabled or enforced at the time role assignments are made; role separation validation is enforced only when a person (administrator, operator, and so on) performs an action. The CA stores and reads the role separation enforcement rules in the registry as binary blobs, with each role defined as a bit (allow/deny). For more information about this interface, see the Platform SDK in MSDN.

Certificate Managers

Certificate Manager restrictions are supported to prevent a CA Officer from issuing certificates to everyone. They are implemented through an authorization callback and are stored in a virtual security descriptor in the registry of the CA. A second access check is performed on the Officer role to validate which users and groups the Officer manages (approves and revokes certificates for). The GUI for each Certificate Manager lists the users and groups for which that Officer can approve, revoke, and so on.

If an Officer attempts to approve a request for a user whom the Officer is not authorized to manage, an access denied error occurs. This does not reject the request or remove it from the pending approval queue. In addition, a new user or group may be added to the Certificate Manager's authorized list AFTER the certificate request has been made.

Backup/Restore and Auditing under Role Separation

When you enable role separation, members of the local Administrators group, including the local Administrator account, cannot back up or restore the CA, nor can they enable auditing on the CA. Because Administrators hold both the permission to back up and restore the CA and the permission to enable auditing on the CA, they count as holding multiple roles, and the CA therefore denies them every task.

To assign the backup permission to another user, either add the user to the local Backup Operators group, or assign the user the Back up files and directories privilege in the Local Security Policy snap-in under User Rights Assignment. To assign the restore permission to another user, either add the user to the local Backup Operators group, or assign the user the Restore files and directories privilege in the Local Security Policy snap-in under User Rights Assignment. To give the permission needed to enable auditing, assign the user the Manage auditing and security log privilege in the Local Security Policy snap-in under User Rights Assignment.

Note

You may need to refresh the local security policy by typing gpupdate.exe at the command prompt. To open the Local Security Policy, type secpol.msc at the command prompt.
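A pre-enable check modelled on the rule stated at the top of this page (a principal holding more than one CA role is denied every CA operation once role separation is on) and on the Backup/Restore and Auditing section (local Administrators implicitly hold backup/restore and auditing rights, which count as additional roles). This is an added, constructed Python model, not Microsoft code and not how Certificate Services stores its rules; the role names, principals and group memberships are assumed sample data, and it only reports who would be locked out so they can be reduced to a single role before `certutil -setreg ca\RoleSeparationEnabled 1` is run.

```python
from collections import defaultdict

# Constructed sample: explicit role assignments (role -> principals) as a
# CA Administrator might have made them.  alice deliberately holds two roles.
ROLE_ASSIGNMENTS = {
    "CA Administrator": {"CORP\\alice"},
    "Certificate Manager": {"CORP\\alice", "CORP\\bob"},
    "Auditor": {"CORP\\carol"},
}
# Constructed local group membership.  Members of the local Administrators
# group implicitly hold backup/restore and auditing rights, which role
# separation treats as roles in their own right.
LOCAL_GROUPS = {
    "BUILTIN\\Administrators": {"CORP\\dave", "CORP\\carol"},
}
IMPLICIT_ADMIN_ROLES = {"Backup Operator", "Auditor"}  # assumed role names


def expand_roles(role_assignments, local_groups):
    """Return {principal: set(roles)} with group membership expanded."""
    roles_by_user = defaultdict(set)
    for role, principals in role_assignments.items():
        for p in principals:
            # a role granted to a group applies to each of its members
            for member in local_groups.get(p, {p}):
                roles_by_user[member].add(role)
    # implicit roles carried by local Administrators membership
    for member in local_groups.get("BUILTIN\\Administrators", set()):
        roles_by_user[member] |= IMPLICIT_ADMIN_ROLES
    return dict(roles_by_user)


def locked_out_when_enabled(role_assignments, local_groups):
    """Principals that role separation would deny every CA operation to."""
    expanded = expand_roles(role_assignments, local_groups)
    return {u: sorted(r) for u, r in expanded.items() if len(r) > 1}


def operation_allowed(principal, required_role, expanded, separation_enabled):
    """Model of the check applied when an action is attempted: with role
    separation on, a multi-role holder is denied whatever role it asks for."""
    roles = expanded.get(principal, set())
    if separation_enabled and len(roles) > 1:
        return False
    return required_role in roles


if __name__ == "__main__":
    for user, roles in locked_out_when_enabled(ROLE_ASSIGNMENTS, LOCAL_GROUPS).items():
        print(f"{user} would be locked out: holds {', '.join(roles)}")
```

Run it before enabling role separation; every principal it lists must be reduced to one role (or removed from local Administrators) first, otherwise the lockout described in the second Important note above follows.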