AD CS: Deploying Network Device Enrollment Service
Published: August 25, 2010
Updated: August 25, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
This topic describes NDES deployments and procedures for installing NDES.
In this topic:
- Enterprise NDES deployments
- Standalone NDES deployments
- Requirements
- Security best practices for NDES
- Installing NDES
- Upgrading to NDES from MSCEP in Windows Server 2003
In general, there are two possible NDES deployment scenarios: enterprise and standalone.
Enterprise NDES deployments
Enterprise NDES deployments are used by organizations that already have a PKI with at least one enterprise CA, in order to extend their PKI to include certificates used by network devices.
NDES is installed on a domain member web server and configured to use an enterprise CA for certificate enrollment and certificate query operations.
Figure: Example enterprise NDES deployment
Standalone NDES deployments
Standalone NDES deployments are used by organizations that do not have a PKI but must issue certificates to network devices.
NDES is installed on the same computer as a standalone root CA.
Figure: Example standalone NDES deployment
Requirements
Ensure your environment meets the following requirements before beginning an NDES deployment:
- CA running on one of the following operating systems:
  - Windows Server 2008 R2
  - Windows Server 2008
  - Windows Server 2003
- Certificate templates for service certificate enrollment. The following two certificate templates are required during NDES setup and service certificate renewal:
  - Exchange Enrollment Agent (Offline request)
  - CEP Encryption
  Custom certificate templates can be configured after setup, for example when the initial service certificates are near expiration. See Configuring service certificate templates.
- Domain accounts must be created for each of the three SCEP roles. Alternatively, users or groups in your environment that are currently members of a required group can be granted certificate template permissions. See Security best practices for NDES for guidance about SCEP accounts and privileges.
  - The SCEP administrator account is used to install the NDES role service and must meet the following requirements:
    - Member of the local Administrators group. (Standalone)
    - Member of Domain Admins or Enterprise Admins. (Enterprise)
    - Enroll permissions on the NDES service certificate templates. (Enterprise)
  - The SCEP service account is used by the NDES application pool and must meet the following requirements:
    - Member of the local IIS_IUSRS group.
    - Request permission on the configured CA.
    - Read and Enroll permissions on the configured device certificate templates.
    - A Service Principal Name (SPN) must be registered for it by running the command setspn -a HTTP/<ComputerName> <AccountName>. <ComputerName> is the name of the computer where NDES is installed. <AccountName> is the computer account name when NetworkService is used, or the domain user account when a custom application pool identity is configured. See Setspn for syntax and examples.
  - The device administrator account is used to request password challenges from NDES and must meet the following requirements:
    - Member of the local Administrators group. (Standalone)
    - Enroll permissions on all configured device certificate templates. (Enterprise)
Security best practices for NDES
Because device certificate templates are configured to allow subject names to be specified in the request by a user, device administrators are able to request certificates with arbitrary subject names. This is necessary for device administrators to complete device enrollment tasks by using NDES.
A malicious user could exploit this privilege to impersonate other accounts and gain escalated privileges.
There are several best practices you can implement to mitigate the risk associated with user-defined subject names and NDES.
- Enable SSL on the mscep_admin site to ensure confidentiality of the password.
- Install IIS and use the Security Configuration Wizard to secure the computer for the web server role before installing NDES. See Security Policies Step-by-Step Guide: Creating and Deploying Role-Based Policies.
- Restrict the number of device administrators by using ACLs on the MSCEP_ADMIN site and device certificate templates. For information about configuring certificate template security, see Issuing Certificates Based on Certificate Templates.
- Implement enrollment agent restrictions on the Exchange Enrollment Agent (Offline Request) certificate templates to ensure NDES has permissions only on device certificate templates. See Establish Restricted Enrollment Agents.
- Implement separation of duties and role-based administration to ensure that individuals who can request device certificates cannot also approve them. See Implement Role-Based Administration.
- Certificate requests for device certificates should be held in a pending state until they can be reviewed by a certificate manager. For information about configuring certificate templates to require certificate manager approval, see Issuance Requirements.
- Use each password only once whenever possible. Organizations with a large number of devices to enroll may choose to reuse a password on multiple devices. Because password reuse increases the risk that a password could be compromised, it is recommended to use a longer password. See Configuring NDES to configure the PasswordLength setting.
- Stop NDES when it is not in use. Because NDES is an ISAPI application for IIS, you can stop IIS if NDES is the only web site on the computer. Alternatively, you can stop the NDES application pool.
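The SPN requirement from the Requirements section and several of the best practices above (SSL on mscep_admin, password length when passwords are reused, stopping the application pool when idle) can be audited from an elevated PowerShell prompt on the NDES server. The following script is an added example, not code from the original article; it assumes the NDES application pool is named SCEP, that mscep_admin sits under Default Web Site, a placeholder service account name, and the MSCEP registry layout (one subkey per setting, holding a DWORD of the same name) described in the referenced Configuring NDES topic.

```powershell
# Added NDES audit script (not part of the original article).
# Assumptions, labelled: app pool "SCEP", mscep_admin under Default Web Site,
# placeholder service account, MSCEP registry layout from "Configuring NDES".
param(
    [string]$ServiceAccount    = 'svc-ndes',            # assumed; use the computer account when NetworkService is the pool identity
    [string]$SiteName          = 'Default Web Site',
    [string]$AdminPath         = 'certsrv/mscep_admin',
    [int]   $MinPasswordLength = 16                     # local policy choice for reused passwords
)
Import-Module WebAdministration
$findings = @()

# 1. SPN requirement: the pool identity must hold HTTP/<ComputerName>.
$spnList = & setspn.exe -L $ServiceAccount 2>&1
if (-not ($spnList -match "HTTP/$env:COMPUTERNAME")) {
    $findings += "SPN HTTP/$env:COMPUTERNAME is not registered on $ServiceAccount"
}

# 2. Password confidentiality: an https binding must exist and mscep_admin must require SSL.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    $findings += "Site '$SiteName' has no https binding"
}
$sslFlags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $AdminPath `
             -Filter 'system.webServer/security/access' -Name sslFlags).Value
if ($sslFlags -notmatch 'Ssl') {
    $findings += "'$AdminPath' does not require SSL (sslFlags='$sslFlags')"
}

# 3. Password settings (assumed layout: HKLM\...\MSCEP\<Setting>\<Setting> DWORD).
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
function Get-MscepSetting([string]$Name) {
    (Get-ItemProperty -Path "$mscep\$Name" -Name $Name -ErrorAction SilentlyContinue).$Name
}
$enforce = Get-MscepSetting 'EnforcePassword'
$single  = Get-MscepSetting 'UseSinglePassword'
$length  = Get-MscepSetting 'PasswordLength'
if ($enforce -ne 1) {
    $findings += "EnforcePassword is '$enforce': enrollment without a challenge password is allowed"
}
if ($single -eq 1 -and [int]$length -lt $MinPasswordLength) {
    $findings += "Passwords are reused (UseSinglePassword=1) but PasswordLength='$length' is below $MinPasswordLength"
}

# 4. Stop NDES when not in use: flag a running SCEP pool so an operator can decide.
if ((Get-WebAppPoolState -Name 'SCEP').Value -eq 'Started') {
    $findings += "SCEP application pool is Started; stop it when no enrollment is scheduled"
}

if ($findings.Count -eq 0) { Write-Output '[NDES audit] no findings' }
$findings | ForEach-Object { Write-Output "[NDES audit] $_" }
```

Each finding maps back to one of the requirements or best practices above, so the script can be run after installation and again after any change to the IIS site or the MSCEP registry settings.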
Installing NDES
Complete the following procedure to install NDES.
You must be a member of the local Administrators group for a standalone NDES deployment.
You must be a member of the Enterprise Admins or Domain Admins group for an enterprise NDES deployment.
For enterprise NDES deployments, the CA must be online to complete NDES installation.
For standalone NDES deployments, complete CA setup before installing NDES on the same computer.
See Setting Up a Certification Authority for procedures to set up a CA.
1. Start Server Manager.
2. Expand Server Manager, and click Roles.
3. Click Add Roles.
4. On the Select Server Roles page, click Active Directory Certificate Services, and click Next.
5. Enterprise deployments: On the Select Role Services page, clear the Certification Authority check box, and click Network Device Enrollment Service.
   Standalone deployments: Add the CA role service first, complete CA setup and reboot the computer before adding NDES. Then repeat steps 1 through 3 to add NDES.
6. Click Add Required Role Services to add the required IIS components, and click Next three times.
7. On the Specify User Account page, click Select User, and type the user name and password for the NDES service account. Alternatively, click Use the application pool identity instead of a user account. Click OK, and click Next.
   Note: In standalone NDES deployments, because NDES is installed on a computer with a CA, you cannot use the application pool identity and the option is not displayed.
8. On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates (for example, TEST_CA_ISSUE1), and click Next.
   Note: In standalone NDES deployments, the Specify CA page is not displayed because the local CA is used.
9. On the Specify Registration Authority Information page, type the RA name. Provide optional information as required by your organization's security policy.
10. On the Configure Cryptography page, specify the cryptographic service provider (CSP) and key length settings required by your security policy and supported by your network device, or accept the default values, and click Next.
11. Review the summary of configuration options, and click Install.
12. After the installation is complete, review the status page for messages and warnings.
Upgrading to NDES from MSCEP in Windows Server 2003
MSCEP for Windows Server 2003 is an earlier version of the service that is named NDES in Windows Server 2008.
If you have MSCEP installed and upgrade from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2, you must use an Enterprise or Datacenter edition in order to upgrade from MSCEP to NDES. During the upgrade process, NDES components are installed to replace MSCEP.
Because only the Enterprise and Datacenter editions of Windows Server 2008 and Windows Server 2008 R2 include NDES, MSCEP cannot be upgraded on any other edition. Additionally, MSCEP is not supported on any edition of Windows Server 2008 or Windows Server 2008 R2.
After upgrading, if you do not configure NDES to use the default MY certificate store on the computer, service certificates will be stored in the custom CEP certificate store created by MSCEP. Review the CertsInMyStore setting description in Configuring NDES.
