Securing PKI: Appendix F: List of Recommendations by Impact Level
Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
Below is a complete list of all recommendations made throughout this paper, classified according to the impact levels defined in Determining the Level of Protection Required of the CA. Recommendations are grouped by the chapter in which they were made. Some recommendations are strategic in nature and require planning, and potentially redesign, to implement; others are tactical and focused on specific components and infrastructure.
Planning a CA Hierarchy

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Do not use a one-tier hierarchy | Strategic | High Internal
Plan for upcoming PKI use cases as part of the initial design | Strategic | Medium
Physical Security

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Leverage existing data center controls for physical security where possible | Strategic | Medium
Track and audit requests for physical access to PKI assets | Tactical | High Internal
Use biometrics as an authentication mechanism to access PKI assets | Tactical | High Internal
Prevent tailgating to sensitive areas where PKI assets are stored | Tactical | High Internal
Use alarm systems to detect access to PKI assets | Tactical | High Internal
Use cameras to monitor physical access to PKI assets | Tactical | High Internal
Geographically separate primary and backup sites | Strategic | High Internal
Use obscurity carefully so as not to disclose unnecessary information about PKI assets | Tactical | High Internal
PKI Process Security

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Develop a Certificate Policy to govern the use of the PKI | Strategic | High External
Develop a formal Certification Practice Statement | Strategic | High External
Document issuance controls and certificate usage (informal CP/CPS) | Tactical | High Internal
Document CA standard operating procedures | Tactical | High Internal
Utilize any existing policy structure to store and maintain PKI policy | Tactical | Medium
Involve your policy team in the creation of PKI policy | Strategic | High Internal
Involve your legal department in policy creation if your PKI may affect external customers or partners | Strategic | High Internal
Form a Policy Authority to provide governance for the PKI | Strategic | High Internal
Formalize the work performed by the Policy Authority with auditable change control and meeting minutes | Tactical | High Internal
Meet regularly as a Policy Authority to review and update the PKI policy | Tactical | High Internal
Establish formal PKI roles and responsibilities and assign specific individuals to each role | Tactical | High Internal
Provide role-specific training for all individuals responsible for the PKI | Strategic | Medium
Vet individuals who fill trusted roles with a comprehensive background check (in accordance with local privacy law) or other mechanism | Strategic | High Internal
Perform formal key ceremonies that follow a script and include a witness | Tactical | High Internal
Technical Controls for Securing PKI

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Create baseline system configurations for CA and RA systems | Tactical | Medium
Disable CD-ROM Autoplay | Tactical | Medium
Rename local administrator and guest accounts | Tactical | Medium
Disable local administrator and guest accounts | Tactical | Medium
Use a distinct password for the local administrator account that is not used on other systems | Tactical | Medium
Enable the Windows Firewall with Advanced Security and block all traffic that is not required | Tactical | Medium
Disable services that are not required for the CA to function | Tactical | Medium
Disable LM and NTLMv1 authentication protocols | Tactical | Medium
Only install software that is necessary for the CA to perform its function | Tactical | Medium
Disable Direct Memory Access (DMA) devices | Tactical | Medium
Disable Remote Desktop Services | Tactical | High Internal
Do not install additional server roles on Certification Authorities, such as running a CA on a domain controller | Tactical | Medium
Use alternate accounts, separate from the standard accounts used on productivity workstations, to manage the PKI | Tactical | Medium
Update CAs regularly using update infrastructure separate from what is used to manage the general Windows server/workstation population | Strategic | High Internal
Prevent access to the internet from CAs | Tactical | Medium
Limit local administrator group membership to only users in trusted roles who manage the PKI | Tactical | Medium
Remove Enterprise Admins and Domain Admins from the local administrators group on CAs | Tactical | Medium
Eliminate or limit the number of service accounts with administrative rights on CAs and RAs | Tactical | Medium
Enable application whitelisting using AppLocker or another third-party application | Tactical | High Internal
Use secure administrative hosts or jump hosts to perform remote management tasks | Strategic | High Internal
Disable Remote Management Boards on physical servers | Tactical | High Internal
Require PKI administrators to use smart cards for all accounts that manage the PKI | Strategic | High Internal
Use a Hardware Security Module in offline CAs | Strategic | High Internal
Keep offline CAs truly offline; allow only physical access to all components | Tactical | Medium
Use only authorized, dedicated devices to transfer files to/from offline CAs | Tactical | Medium
Update offline CAs with service packs, security updates specific to CA software, and updates related to system time (time zone changes) | Tactical | Medium
Update HSM software and firmware when released | Tactical | Medium
Ensure that any activity performed on an offline CA can be traced to an individual, either through individual accounts or additional auditing and surveillance | Strategic | Medium
When virtualizing offline CAs, decouple the guest files from the physical hardware so the hardware can be easily replaced | Tactical | Medium
When virtualizing offline CAs, use a dedicated host machine that is secured in a locked rack or safe. If dedicated hardware cannot be used, build a clean host OS each time the CA VMs need to be brought online | Tactical | Medium
When virtualizing offline CAs, securely build the VM on the dedicated hardware; do not build it on an online host and migrate it to the dedicated hardware | Tactical | Medium
Prior to performing any operations on an offline CA, verify that the system time is correct | Tactical | Medium
When virtualizing offline CAs, perform regular backups of hard disk files. Securely store the backups along with any required software at a backup site | Tactical | Medium
When virtualizing online CAs, limit access to the host to only those who should have access to the PKI | Tactical | High Internal
When virtualizing online CAs, use network attached HSMs for key protection | Tactical | High Internal
When virtualizing online CAs, continue to take regular CA backups with all data needed to restore the CA | Tactical | Medium
If using software keys, protect all key backups (PKCS#12, PFX files) with the same level of protection provided to the CA | Tactical | Medium
Do not include backups of the private key as part of the standard backup process. Back up the key(s) as needed and physically protect them by storing them in a safe, within a tamper-evident bag, and audit all access to the backup | Tactical | Medium
Do not connect backup systems directly to the CA. Back up the CA to another location which is backed up regularly, to eliminate the need for backup software on the CA | Tactical | High Internal
Isolate certificate systems from other systems on the network | Strategic | High External
Implement “security zones” to isolate certificate systems based on their criticality and relationship to each other | Strategic | High External
Only allow inbound and outbound connections that are necessary for the CA and supporting systems to function | Tactical | Medium
Restrict access to network HSM devices to only the systems that utilize them | Tactical | High Internal
Restrict management access to originate from a limited set of administrative hosts | Strategic | High Internal
Control “enroll” access to certificate templates and only grant the access to accounts that require the certificate | Tactical | Medium
Remove unused certificate templates from CAs | Tactical | Medium
Use additional enrollment controls for templates that allow the requester to specify the subject in the request | Tactical | Medium
Do not use the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on any CA without additional issuance controls | Tactical | Medium
Planning Certificate Algorithms and Usages

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Use 2048-bit and above key lengths for RSA keys | Strategic | Medium
If using ECC for CA keys, use the P-256, P-384 or P-521 curves | Strategic | Medium
Use RSA 4096 for CA certificates that expire more than 15 years in the future | Strategic | Medium
Use the SHA-2 family of hash algorithms | Strategic | Medium
Root CA certificates should not be valid for more than 25 years | Strategic | Medium
Issuing CA certificates should not be valid for more than 5 years | Strategic | Medium
Renew an issuing CA certificate once before replacing the key pair | Strategic | Medium
Use certificate expiration events in Windows 8® and Windows Server 2012® and above to assist in expiration notification | Strategic | Medium
Match the strength of asymmetric key algorithms with the strength of the hash algorithm | Strategic | Medium
Use the correct key usage for each certificate use case | Strategic | Medium
Determine the extended key usages for each PKI use case | Strategic | Medium
Constrain issuing CAs (use the path length constraint to ensure that the CA can only issue end-entity certificates, and limit application policies) | Strategic | Medium
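The algorithm, validity and path length rules in this table can be checked against installed CA certificates. The following PowerShell function is an added example and is not part of the Microsoft paper; it assumes Windows PowerShell 5 or later (.NET 4.6.1+ for the RSA/ECDsa certificate extension methods) and treats a certificate as an issuing CA unless -IsRoot is given.

```powershell
# Added example (not from the Microsoft paper): audit a CA certificate against the
# key size, hash, validity and path length recommendations in the table above.
function Test-CACertificatePolicy {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$IsRoot   # set for a root CA; otherwise treated as an issuing CA
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $lifetimeYears = ($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365.25

    # Key algorithm and size: RSA 2048 or more (4096 when valid for more than 15 years); ECC only P-256/P-384/P-521
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $ecc = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
    if ($rsa) {
        if ($rsa.KeySize -lt 2048) { $findings.Add("RSA key is $($rsa.KeySize) bits; use 2048 or more") }
        if ($lifetimeYears -gt 15 -and $rsa.KeySize -lt 4096) { $findings.Add("Valid for more than 15 years; use RSA 4096") }
    } elseif ($ecc) {
        if ($ecc.KeySize -notin 256, 384, 521) { $findings.Add("ECC key size $($ecc.KeySize); use P-256, P-384 or P-521") }
    } else {
        $findings.Add("Unrecognized public key algorithm $($Cert.PublicKey.Oid.FriendlyName)")
    }

    # Signature hash must come from the SHA-2 family (flags sha1RSA, md5RSA and similar)
    if ($Cert.SignatureAlgorithm.FriendlyName -notmatch 'sha(256|384|512)') {
        $findings.Add("Signature algorithm $($Cert.SignatureAlgorithm.FriendlyName) is not SHA-2")
    }

    # Validity: at most 25 years for a root CA, 5 years for an issuing CA
    $maxYears = if ($IsRoot) { 25 } else { 5 }
    if ($lifetimeYears -gt $maxYears) { $findings.Add(("Validity of {0:N1} years exceeds {1} years" -f $lifetimeYears, $maxYears)) }

    # Basic Constraints: must mark a CA; an issuing CA should carry path length constraint 0
    $bc = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $findings.Add("Basic Constraints does not mark the certificate as a CA")
    } elseif (-not $IsRoot -and -not ($bc.HasPathLengthConstraint -and $bc.PathLengthConstraint -eq 0)) {
        $findings.Add("Issuing CA is not constrained to path length 0")
    }
    return $findings
}

# Audit every certificate in the local Intermediate Certification Authorities store
Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object {
    $f = Test-CACertificatePolicy -Cert $_
    if ($f.Count -gt 0) { "{0}`n  {1}" -f $_.Subject, ($f -join "`n  ") }
}
```

Run the same function with -IsRoot over Cert:\LocalMachine\Root to apply the 25-year limit to root CA certificates.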
Protecting CA Keys and Critical Artifacts

Recommendation | Tactical or Strategic | Impact Level
---|---|---
If using network HSMs for offline CAs, do not connect the HSM to a routable network | Tactical | High Internal
Create enough HSM tokens to account for disaster recovery | Strategic | Medium
Use tamper-evident containers/packaging to store PKI artifacts such as HSM tokens or backup data | Tactical | High Internal
Store PKI artifacts in a climate controlled location | Tactical | Medium
Maintain an auditable chain of custody of PKI artifacts | Strategic | High Internal
Maintain an inventory of PKI artifacts | Strategic | High Internal
Monitoring Public Key Infrastructure

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Monitor Active Directory® for changes to groups that control access to CAs, membership in the “Cert Publishers” group, changes to privileged and VIP accounts, and unauthorized changes to certificate templates | Tactical | High Internal
Record and review physical access events | Tactical | High Internal
Record and review all physical access to HSMs | Tactical | High Internal
Record and review logs from network equipment that supports PKI | Tactical | High Internal
Record and review physical access to PKI artifacts, such as access to safes | Tactical | High Internal
Configure Windows® audit policy to enable auditing for Certification Services | Tactical | Medium
Monitor changes to the CA registry | Tactical | High Internal
Monitor for changes to certificate templates | Tactical | High Internal
Compromise Response

Recommendation | Tactical or Strategic | Impact Level
---|---|---
Identify critical systems and processes that are dependent on PKI | Strategic | Medium
Develop a basic plan of action for compromise before a compromise occurs | Strategic | Medium
See Also
Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix A: Events to Monitor
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012