Role-based administration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use role-based administration to organize your certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned through each user's security settings: you assign a role to a user by granting that user the specific security settings associated with the role. A user who holds one type of permission, such as the Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as the Issue and Manage Certificates permission, cannot perform. For more information, see Role explanation.

Note

  • Role-based administration is supported by both Windows Server 2003 enterprise and stand-alone certification authorities. For information about using Windows 2000 Server certification authorities and role-based administration, see Windows 2000 roles and Windows Server 2003 role-based administration.

Role explanation

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

Roles and groups | Security permission | Description
--- | --- | ---
CA Administrator | Manage CA permission | Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate.
Certificate Manager | Issue and Manage Certificates permission | Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA Officer.
Backup Operator | Back up files and directories and Restore files and directories user rights | Perform system backup and recovery. This is an operating system role.
Auditor | Manage auditing and security log user right | Configure, view, and maintain audit logs. This is an operating system role.
Enrollees | Authenticated Users | Enrollees are clients who are authorized to request certificates from the CA. This is not a CA role.

All CA roles are assigned and modified by local Administrators, Enterprise Admins, and Domain Admins. Local Administrators, Enterprise Admins, and Domain Admins are CA Administrators by default on an Enterprise CA. Only local Administrators are CA Administrators by default on a stand-alone CA. If the stand-alone CA is joined to an Active Directory domain, Domain Admins are also CA Administrators.

The CA Administrator and Certificate Manager roles can be assigned either to Active Directory users or to local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, assign roles to group accounts instead of individual user accounts.

Only CA Administrator, Certificate Manager, Auditor, and Backup Operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.

Only CA Administrators and Certificate Managers are assigned using the Certification Authority Microsoft Management Console (MMC) snap-in. Other roles, users, and groups are specified in their related consoles. To change the roles of a user, you must change the user's security permissions, group membership, or user rights. For information about assigning roles, see Assigning roles.

When key archival is configured, the subject obtaining a certificate from a CA will provide their private key to the CA. The CA stores that private key in its database until key recovery. Only a Certificate Manager can get the encrypted private key blob out of the CA database, which is then passed on to key recovery agents (KRAs). For more information, see Key archival and recovery.

Roles and activities

Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed.

Activity | CA Administrator | Certificate Manager | Auditor | Backup Operator | Local Administrator | Notes
--- | --- | --- | --- | --- | --- | ---
Install CA | | | | | X |
Configure policy and exit module | X | | | | |
Stop and start the Certificate Services service | X | | | | |
Configure extensions | X | | | | |
Configure roles | X | | | | |
Renew CA keys | | | | | X |
Define key recovery agents | X | | | | |
Configure Certificate Managers restrictions | X | | | | |
Delete single row in database | X | | | | |
Delete multiple rows in database (bulk deletion) | X | X | | | | The user must be both a CA Administrator and a Certificate Manager. This does not work when Role Separation is enforced.
Enable role separation | | | | | X |
Issue and approve certificates | | X | | | |
Deny certificates | | X | | | |
Revoke certificates | | X | | | |
Reactivate certificates placed on hold | | X | | | |
Renew certificates | | X | | | |
Enable, publish, or configure CRL schedule | X | | | | |
Recover archived key | | X | | | | Only a Certificate Manager can retrieve the encrypted key data structure from the database. The private key of a valid Key Recovery Agent is required to decrypt the key data structure and generate a PKCS#12 file.
Configure audit parameters | | | X | | | By default, the local Administrator holds the system audit user right.
Audit logs | | | X | | | By default, the local Administrator holds the system audit user right.
Back up system | | | | X | | By default, the local Administrator holds the system backup user right.
Restore system | | | | X | | By default, the local Administrator holds the system backup user right.
Read CA database | X | X | X | X | | By default, the local Administrator holds the system audit and backup user rights.
Read CA configuration information | X | X | X | X | | By default, the local Administrator holds the system audit and backup user rights.

Notes

  • Enrollees are allowed to read CA properties and certificate revocation lists (CRLs), and can request certificates. On an Enterprise CA, a user must have Read and Enroll permissions on the certificate template to request a certificate. For more information, see Allow subjects to request a certificate that is based on the template.

  • CA Administrators, Certificate Managers, Auditors, and Backup Operators have implicit Read permissions.

  • An Auditor holds the system audit user right.

  • A Backup Operator holds the system backup user right. In addition, the Backup Operator has the ability to start and stop the Certificate Services service.

Assigning roles

The CA Administrator for a CA assigns users to the separate roles of role-based administration by giving each user the security settings required by a role. The CA Administrator can assign a user to more than one role, but the CA is more secure when each user belongs to one role only. When each user holds only one CA role, fewer CA tasks can be compromised if that user's account is compromised.

For more information on assigning roles, see Manage Role-based Administration.

Administrator concerns

The default installation setting for a stand-alone CA is to have members of the local Administrators security group as CA Administrators. The default installation setting for an Enterprise CA is to have local Administrators, Enterprise Admins, and Domain Admins as CA Administrators. To limit the power of any of these accounts, they should be removed from the CA Administrator and Certificate Manager roles once all CA roles are assigned.

As a best practice, group accounts that have been assigned CA Administrator or Certificate Manager roles should not be members of the local Administrators security group. Also, CA roles should only be assigned to group accounts and not individual user accounts.

Note

  • Membership in the local Administrators group on the CA is required to renew the CA certificate. Members of this group are considered to be all powerful on the CA, with administrative authority over all other CA roles.

Windows 2000 roles and Windows Server 2003 role-based administration

Windows 2000 Server CA administration changes with Windows Server 2003, Standard Edition, CA role-based administration. Windows 2000 Server administrators can perform any activity on a Windows 2000 Server CA, but once CA roles are assigned using Windows Server 2003 role-based administration, administrators are limited to the tasks of their assigned roles. An administrator who could perform all tasks on a Windows 2000 Server CA can perform only the tasks associated with his or her role on the Windows Server 2003 CA. After upgrading a Windows 2000 Server CA to a Windows Server 2003 CA, its administrators must be assigned to the roles defined in role-based administration for the Windows Server 2003 CA.

Certificate Services service level functionality

Role-based administration applies to the Certificate Services service only. Services other than Certificate Services are unaffected by the assignment of CA roles.

Role separation

The separation of CA roles can be enforced using role separation. Once enforced, role separation permits a user to hold only a single role. If a user who is assigned to more than one role attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, each user should be assigned only one CA role.

This feature is valuable for large enterprises where the separation of roles ensures that the compromise of a user's account does not compromise the entire CA administered by the user. For more information, see Using role separation.
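The following Python is an added example, not Microsoft's code or part of this documentation. It models the role and activity tables above together with the role-separation rule from Assigning roles and Role separation: which CA roles a principal's security settings imply, whether a principal may perform an activity, and which principals hold more than one role and would be denied once role separation is enforced. The principal names and their assignments are constructed sample data.

```python
"""Model of the CA role tables above (added example, not the page's own code).
Settings imply roles; activities need roles; role separation denies any
principal that holds more than one role. Sample principals are constructed."""

# Security permission or user right -> CA role (from the role table).
ROLE_BY_SETTING = {
    "Manage CA": "CA Administrator",
    "Issue and Manage Certificates": "Certificate Manager",
    "Back up files and directories": "Backup Operator",
    "Restore files and directories": "Backup Operator",
    "Manage auditing and security log": "Auditor",
}

# Activity -> (rule, roles). "any": one listed role suffices;
# "all": every listed role is required (bulk deletion).
ACTIVITIES = {
    "Configure roles": ("any", {"CA Administrator"}),
    "Revoke certificates": ("any", {"Certificate Manager"}),
    "Audit logs": ("any", {"Auditor"}),
    "Read CA database": ("any", {"CA Administrator", "Certificate Manager",
                                 "Auditor", "Backup Operator"}),
    "Delete multiple rows in database": ("all", {"CA Administrator",
                                                 "Certificate Manager"}),
}

def roles_for(settings):
    """CA roles implied by a principal's permissions and user rights."""
    return {ROLE_BY_SETTING[s] for s in settings if s in ROLE_BY_SETTING}

def can_perform(settings, activity, role_separation=False):
    """True if a principal with these settings may perform the activity."""
    roles = roles_for(settings)
    # With role separation enforced, a multi-role principal is denied everything.
    if role_separation and len(roles) > 1:
        return False
    rule, needed = ACTIVITIES[activity]
    return needed <= roles if rule == "all" else bool(needed & roles)

def separation_conflicts(assignments):
    """Principals holding more than one role; they would be denied once role
    separation is enforced (assignments: principal -> list of settings)."""
    return sorted(n for n, s in assignments.items() if len(roles_for(s)) > 1)

# Constructed sample: one account wrongly holds two CA roles.
SAMPLE = {
    "PKI-CA-Admins": ["Manage CA"],
    "PKI-Cert-Managers": ["Issue and Manage Certificates"],
    "PKI-Backup": ["Back up files and directories", "Restore files and directories"],
    "jdoe": ["Manage CA", "Issue and Manage Certificates"],
}
```

Running `separation_conflicts(SAMPLE)` before enabling role separation lists the accounts that must be reduced to a single role first; the bulk-deletion case shows why a dual-role account works without role separation but is denied once it is enforced.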