Security and Privacy for Certificate Profiles in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
The information in this topic applies only to System Center 2012 R2 Configuration Manager versions.
This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
This topic contains security and privacy information for certificate profiles in System Center 2012 Configuration Manager.
Use the following security best practices when you manage certificate profiles for users and devices.
Security best practice: Identify and follow any security best practices for the Network Device Enrollment Service, which includes configuring the Network Device Enrollment Service website in Internet Information Services (IIS) to require SSL and ignore client certificates.
More information: See Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet.
Security best practice: When you configure SCEP certificate profiles, choose the most secure options that devices and your infrastructure can support.
More information: Identify, implement, and follow any security best practices that have been recommended for your devices and infrastructure.
Security best practice: Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.
More information: If you click the Allow certificate enrollment only on the user's primary device option in a SCEP certificate profile, do not consider the information that is collected from users or from the device to be authoritative. If you deploy SCEP certificate profiles with this configuration and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and be granted certificates for authentication.
Security best practice: Do not add Read and Enroll permissions for users to the certificate templates, or configure the certificate registration point to skip the certificate template check.
More information: Although Configuration Manager supports the additional check if you add the security permissions of Read and Enroll for users, and you can configure the certificate registration point to skip this check if authentication is not possible, neither configuration is a security best practice. For more information, see Planning for Certificate Template Permissions for Certificate Profiles in Configuration Manager.
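The IIS setting the guidance refers to is the sslFlags attribute on the NDES virtual directories: it should require SSL and must not negotiate or require client certificates. The following PowerShell script is an added example, not part of the Configuration Manager documentation or the NDES guidance. It assumes NDES is installed under "Default Web Site" with the usual certsrv/mscep and certsrv/mscep_admin paths (adjust for your server), that the WebAdministration module is available, and that an HTTPS binding with a server certificate already exists on the site. Run it with $Enforce left at $false to audit, and set it to $true to apply the setting.

```powershell
# Added example (not from the Configuration Manager documentation): audit, and
# optionally enforce, "require SSL, ignore client certificates" on the NDES
# virtual directories. Site name and paths are assumptions for your deployment.
Import-Module WebAdministration

$Site    = 'Default Web Site'                       # assumed site hosting NDES
$Paths   = @('certsrv/mscep', 'certsrv/mscep_admin') # assumed NDES paths
$Enforce = $false                                   # $true to fix findings

function Get-NdesSslFlags {
    param([string]$Location)
    # sslFlags is a flags attribute; .Value holds the comma-separated flag names,
    # e.g. "Ssl", "Ssl, SslNegotiateCert" or "None".
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags).Value
}

function Test-NdesSslFlags {
    param([string]$Flags)
    # Compliant only when SSL is required and no client-certificate flag is set.
    $RequiresSsl    = [string]$Flags -match 'Ssl'
    $NegotiatesCert = [string]$Flags -match 'SslNegotiateCert|SslRequireCert'
    return ($RequiresSsl -and -not $NegotiatesCert)
}

foreach ($Path in $Paths) {
    $Location = "$Site/$Path"
    $Flags    = Get-NdesSslFlags -Location $Location

    if (Test-NdesSslFlags -Flags $Flags) {
        Write-Output "OK   $Location  sslFlags=$Flags"
        continue
    }

    Write-Output "FAIL $Location  sslFlags=$Flags (expected Ssl with no client-cert flags)"
    if ($Enforce) {
        # Require SSL and drop any client-certificate negotiation on this path only.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
        Write-Output "     -> set sslFlags=Ssl on $Location"
    }
}
```

The check is done per virtual directory rather than at the site root because the setting can be overridden at each path; a site-level "Ssl" is no guarantee that mscep_admin has not been changed to negotiate client certificates. Setting sslFlags does not create the HTTPS binding itself; that must already be in place or devices will get an HTTP 403 instead of a secure channel.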
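To confirm that a template used for certificate profiles has not been widened with Read and Enroll for broad user groups, you can inspect the template's access control list in the Active Directory Configuration partition. The following PowerShell script is an added example, not part of the Configuration Manager documentation. It assumes you run it as a domain account that can read the Configuration partition, that the template name and the list of broad principals are placeholders you adjust for your environment, and that the Certificate-Enrollment extended right is identified by the standard schema GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55.

```powershell
# Added example (not from the Configuration Manager documentation): report the
# "Allow" entries on a certificate template that grant Enroll and/or Read to
# broad user groups. Template name and group list are placeholders.
$TemplateName    = 'PLACEHOLDER-ConfigMgrClientTemplate'   # replace with your template's CN
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

# Schema GUID of the Certificate-Enrollment extended right
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$Rights          = [System.DirectoryServices.ActiveDirectoryRights]

function Get-TemplateBroadAces {
    param([string]$Name, [string[]]$Principals)

    # Templates live under Public Key Services in the Configuration partition.
    $ConfigNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $Template = [ADSI]("LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNc")

    try {
        $Rules = $Template.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])
    } catch {
        throw "Could not read the ACL of template '$Name': $($_.Exception.Message)"
    }

    foreach ($Rule in $Rules) {
        if ($Rule.AccessControlType -ne 'Allow') { continue }

        # Match on the account part only, so "NT AUTHORITY\Authenticated Users"
        # and "CONTOSO\Domain Users" both compare against the plain group name.
        $Account = ($Rule.IdentityReference.Value -split '\\')[-1]
        if ($Principals -notcontains $Account) { continue }

        # Enroll is an extended right; an empty ObjectType means "all extended rights".
        $GrantsEnroll = $Rule.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                        ($Rule.ObjectType -eq $EnrollRightGuid -or $Rule.ObjectType -eq [Guid]::Empty)
        # Read is stored either as GenericRead or as the explicit ReadProperty bit.
        $GrantsRead   = $Rule.ActiveDirectoryRights.HasFlag($Rights::GenericRead) -or
                        $Rule.ActiveDirectoryRights.HasFlag($Rights::ReadProperty)

        [PSCustomObject]@{
            Template  = $Name
            Principal = $Rule.IdentityReference.Value
            Enroll    = [bool]$GrantsEnroll
            Read      = [bool]$GrantsRead
            Rights    = $Rule.ActiveDirectoryRights.ToString()
        }
    }
}

$Findings = Get-TemplateBroadAces -Name $TemplateName -Principals $BroadPrincipals
if ($Findings | Where-Object { $_.Enroll }) {
    Write-Warning "Template '$TemplateName' grants Enroll to a broad user group; the certificate registration point, not users, should hold Enroll."
}
$Findings | Format-Table -AutoSize
```

Authenticated Users normally hold Read on every template so that clients can enumerate templates; the finding that matters is a broad group holding Enroll, which is exactly the permission the guidance says should be reserved for the certificate registration point account.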
You can use certificate profiles to deploy root certification authority (CA) and client certificates, and then evaluate whether those devices become compliant after the profiles are applied. The management point sends compliance information to the site server, and Configuration Manager stores that information in the site database. Compliance information includes certificate properties such as subject name and thumbprint. The information is encrypted when devices send it to the management point, but it is not stored in encrypted format in the site database. The database retains the information until the site maintenance task Delete Aged Configuration Management Data deletes it after the default interval of 90 days. You can configure the deletion interval. Compliance information is not sent to Microsoft.
Certificate profiles use information that Configuration Manager collects by using discovery. For more information about privacy information for discovery, see the Privacy Information for Discovery section in Security and Privacy for Site Administration in Configuration Manager.
Certificates that are issued to users or devices might allow access to confidential information.
By default, devices do not evaluate certificate profiles. In addition, you must configure the certificate profiles, and then deploy them to users or devices.
Before you configure certificate profiles, consider your privacy requirements.