Implementing Certificate Authorities to Tighten Domain Security

Computers operate in a world where security is of the utmost importance, and staying guarded against viruses and malware has become a key part of protecting your computer. Unfortunately, this isn’t the only form of security breach we need to be concerned about. Something as simple as a few small network security practices can be put in place to improve network integrity.

Essentially, a Certificate Authority (CA) accepts a request from the server and uses its private key to apply a digital signature to the certificate. The CA then issues the certificate to the subject for use as a security credential within a public key infrastructure. The CA is also responsible for revoking certificates and publishing a certificate revocation list, which denies fraudulent systems access to the server on the network. In turn, the Certificate Authority uses a person’s user account credentials as proof of identity. In layman’s terms, if you are logged onto a Windows domain, the server knows you are who you say you are based on the certificate issued by the Active Directory CA.

One of the advantages of joining computers to an Active Directory domain with an enterprise certificate authority is that computer certificates can be deployed automatically using autoenrollment. This greatly reduces the amount of administrative overhead required to deploy certificates to each member. Review the following steps to configure group policy to assign machine certificates on the Certificate Authority.

  1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.
  2. Right click your domain name and click the Properties command.
  3. In the domain Properties dialog box, click the Group Policy tab. Then click Default Domain Policy and click the Edit button.
  4. Drill down to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies node. Right click the Autoenrollment Settings entry in the right pane of the console and click the Properties command.
  5. Select the “Enroll certificates automatically” option. Confirm that both the “Renew expired certificates, update pending certificates, and remove revoked certificates” and the “Update certificates that use certificate templates” checkboxes are checked. Click Apply and then click OK.

The next few steps set up domain Group Policy to automatically issue machine certificates to domain members.

  1. In the left pane of the console, right click the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings node. Point to New and click the Automatic Certificate Request command.
  2. The Automatic Certificate Request Setup Wizard appears; click Next to advance through the wizard.
  3. On the Certificate Template page, click the Computer template in the list of Certificate Templates, click Next and then Finish. You can then close the Group Policy Object Editor console.
  4. Click OK in the domain Properties dialog box and close the Active Directory Users and Computers console.

This completes the configuration of the autoenrollment feature using Group Policy. Keep in mind that, by default, group policy refreshes every 90 minutes, but it can be applied manually from each computer: open a command prompt and run gpupdate /force to apply the new policy to the computer. This generally requires a reboot, so save your data before this operation. The computer will then request a certificate from the server, and the request will appear in the Certification Authority console found under Administrative Tools. A certified connection has then been established between the server and the workstation, and basic network security has been implemented.
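To confirm on a domain member that the policy above actually arrived and produced a machine certificate, here is an added verification script (not part of the original article). It assumes the default Computer template (internal template name “Machine”) and is run from an elevated PowerShell prompt on the workstation.

```powershell
# Added example: verify machine-certificate autoenrollment on a domain member.
# Assumes the default Computer template (internal name 'Machine') was assigned.

# 1. Confirm the autoenrollment GPO setting reached this machine. The policy is
#    written to this key; AEPolicy = 7 means enroll + renew/update/remove revoked
#    + update certificates that use templates (the three options set above).
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -ne 7) {
    Write-Warning "AEPolicy is '$aePolicy' (expected 7). Run 'gpupdate /force' and re-check."
} else {
    Write-Host "Autoenrollment policy applied (AEPolicy = 7)."
}

# 2. Trigger machine autoenrollment now instead of waiting for the 90-minute refresh.
certutil -pulse | Out-Null

# 3. Look in the machine store for a certificate issued from the Computer template.
#    The template is identified by the Certificate Template Name extension
#    (OID 1.3.6.1.4.1.311.20.2) whose value is 'Machine'.
$templateOid  = '1.3.6.1.4.1.311.20.2'
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -match 'Machine')
}

if (-not $machineCerts) {
    Write-Warning "No Computer-template certificate found yet; check the CA's Pending Requests and Failed Requests folders."
    return
}

# 4. Report each certificate and flag the two things that most often go wrong:
#    a certificate with no private key, or one close to expiry (renewal not working).
foreach ($cert in $machineCerts) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DaysRemaining = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey
        Thumbprint    = $cert.Thumbprint
    }
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $($cert.Thumbprint) has no private key." }
    if ($daysLeft -lt 30)         { Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days." }
}
```

If the policy shows as applied but no certificate appears, the request is usually sitting in the CA's Pending Requests or Failed Requests folder, which points at template permissions rather than Group Policy.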
