7 Appendix B: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
Windows Server Releases
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 operating system
Windows Server 2019 operating system
Windows Server 2022 operating system
Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 3.2.1.2: The name of the machine used in the Microsoft implementation is the fully qualified domain name (FQDN) of the machine.
<2> Section 3.2.1.2: The names of the machines used in the Microsoft implementation are the FQDNs of the machines.
<3> Section 3.2.1.3: A Microsoft Online Responder defines two permissions: Read and Administer. For responder security methods GetSecurity, SetSecurity, and GetMyRoles, the Microsoft Online Responder assigns permissions to principals (identified by the access control entry (ACE)) in the following manner.

| Permission | Bit value | Meaning |
|---|---|---|
| Read | 0x00000100 | The caller can read the configuration information and properties of the responder. |
| Administer | 0x00000001 | The caller can update the configuration information and properties of the responder. |

If a principal has Administer permission, Read permission is implied (does not need to be explicitly set).
The responder can enforce Online Responder security for each of the following methods by checking for the permissions identified in the following table.

| Method name | Acceptable permissions |
|---|---|
| GetOCSPProperty | Read |
| SetOCSPProperty | Administrator |
| GetCAConfigInformation | Read |
| SetCAConfigInformation | Administrator |
| GetSecurity | Read |
| SetSecurity | Administrator |
The security descriptor on the responder controls which security principal can manage or read configuration information or request certificate status from the responder. Whenever a Read method on the responder is invoked, the responder checks this security descriptor to ensure that the calling entity has read access; if the entity doesn't have read access, the responder returns 0x80070005 as the error code. Whenever any Write method is invoked, the responder checks this security descriptor to ensure that the calling entity has manage access on the responder; if it does not, 0x80070005 is returned by the responder.
These methods require read access:
GetOCSPProperty
GetCAConfigInformation
GetSecurity
These methods require manage access:
SetOCSPProperty
SetCAConfigInformation
SetSecurity
The following method can be invoked by any caller:
GetMyRoles
<4> Section 3.2.1.3: A Microsoft Online Responder defines two permissions: Read and Administer. For responder security methods GetSecurity, SetSecurity, and GetMyRoles, the Microsoft Online Responder assigns permissions to principals (identified by the ACE) in the following manner.

| Permission | Bit value | Meaning |
|---|---|---|
| Read | 0x00000100 | The caller can read the configuration information and properties of the responder. |
| Administer | 0x00000001 | The caller can update the configuration information and properties of the responder. |

If a principal has Administer permission, Read permission is implied (does not need to be explicitly set).
The responder can enforce Online Responder security for each of the following methods by checking for the permissions identified in the following table.

| Method name | Acceptable permissions |
|---|---|
| GetOCSPProperty | Read |
| SetOCSPProperty | Administrator |
| GetCAConfigInformation | Read |
| SetCAConfigInformation | Administrator |
| GetSecurity | Read |
| SetSecurity | Administrator |
The security descriptor on the responder controls which security principal can manage or read configuration information or request certificate status from the responder. Whenever a read method on the responder is invoked, the responder checks this security descriptor to ensure that the calling entity has read access; if the entity does not have read access, the responder returns 0x80070005 as the error code. Whenever any write method is invoked, the responder checks this security descriptor to ensure that the calling entity has manage access on the responder; if it does not, 0x80070005 is returned by the responder.
These methods require read access:
GetOCSPProperty
GetCAConfigInformation
GetSecurity
GetSigningCertificates
GetHashAlgorithms
Ping
These methods require manage access:
SetOCSPProperty
SetCAConfigInformation
SetSecurity
The following method can be invoked by any caller:
GetMyRoles
<5> Section 3.2.4.1.1: For the Microsoft responder, this property has values between 5 and 9999.
<6> Section 3.2.4.1.1: The Microsoft responder uses integer values between 0 and 6.
| Value | Meaning |
|---|---|
| CERTLOG_MINIMAL (0x00000000) | Log events for errors and warnings that occur on the responder. |
| CERTLOG_TERSE (0x00000001 through 0x00000003) | Log errors, warnings, and informational events. |
| CERTLOG_VERBOSE (0x00000004) | Log extended events. |
| CERTLOG_EXHAUSTIVE (0x00000005 through 0x00000006) | Throttling is removed for events that can be generated quickly, such as MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK. |
<7> Section 3.2.4.1.1: The Microsoft responder uses a value of 0xffffffe3 to indicate that debug tracing is enabled and 0 to indicate that it is not.
<8> Section 3.2.4.1.1: The Microsoft responder uses values between 1 and 24.
<9> Section 3.2.4.1.1: The Microsoft responder uses a default value of 20.
<10> Section 3.2.4.1.1: The Microsoft responder uses a value of 0xffffffe3 to indicate that debug tracing is enabled and 0 to indicate that it is not.
<11> Section 3.2.4.1.1: The MaxNumOfRequestEntries property is not supported in Windows Server 2008 through Windows Server 2012 R2.
<12> Section 3.2.4.1.1: Windows does not return any vendor defined properties.
<13> Section 3.2.4.1.2: The type must match the value specified in section 3.2.4.1.1 if the server is a Windows responder. Otherwise, the responder might not function correctly.
<14> Section 3.2.4.1.3: The Microsoft responder uses the hash algorithms supported by the cryptographic provider specified in the CSPName property.
<15> Section 3.2.4.1.3: The Microsoft Online Responder returns a value of {4956d17f-88fd-4198-b287-1e6e65883b19} for this property.
<16> Section 3.2.4.1.3: The IssuedSerialNumbersDirectories property is not supported in Windows Server 2008 through Windows Server 2012 R2.
<17> Section 3.2.4.1.5: By default the Responder SD is as follows:
- Owner: SID for Builtin\Administrators (S-1-5-32-544)
- Group: SID for Builtin\Administrators (S-1-5-32-544)
- 2 ACEs with ACE_TYPE ACCESS_ALLOWED_ACE_TYPE (0x00):
  - Allow Builtin Admins to read and manage the responder.
  - Allow Network Service account to proxy requests.
- 2 ACEs with ACE_TYPE SYSTEM_AUDIT_ACE_TYPE (0x02):
  - Audit Success and Failure for everyone when they try to access for the 0xffff (any) access rights.
  - Audit Success and Failure for anonymous users when they try to access for the 0xffff access rights.
Within the ACCESS_MASK, the bit values have the following meanings:

| Permission | Bit value | Meaning |
|---|---|---|
| Read | 0x00000100 | Read the configuration information and properties of the responder. |
| Administer | 0x00000001 | Update the configuration information and properties of the responder. |
| Proxy requests | 0x00000300 | Proxy requests (if the responder is split into a front end and back end service). |
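The access check described in notes <3>, <4> and <17> can be modelled end to end: the caller's token SIDs are matched against the allow ACEs of the responder SD, the resulting ACCESS_MASK is translated into the named permissions (with Administer implying Read), and each method is then granted or refused with 0x80070005. The following Python is an added example, not Microsoft's implementation or any code from this specification. The bit values, the method-to-permission mapping, the HRESULT and the shape of the default SD are taken from this appendix; the well-known SIDs for Network Service, Everyone and Anonymous, the exact masks placed in the default ACEs, and the fail-closed handling of methods the appendix does not list are assumptions of the model. Note that because the Proxy value 0x300 contains the 0x100 Read bit, a mask-based test also treats a proxy grant as satisfying a Read check; the example makes that consequence visible.

```python
"""Model of the Online Responder method access check (constructed example, not Microsoft code)."""
from dataclasses import dataclass

# ACCESS_MASK bits from the table in note <17>.
OCSP_READ = 0x00000100        # Read configuration information and properties
OCSP_ADMINISTER = 0x00000001  # Update configuration information and properties
OCSP_PROXY = 0x00000300       # Proxy requests between front-end and back-end service

S_OK = 0x00000000
E_ACCESSDENIED = 0x80070005   # Returned by the responder when the check fails

ACCESS_ALLOWED_ACE_TYPE = 0x00
SYSTEM_AUDIT_ACE_TYPE = 0x02

# S-1-5-32-544 is quoted in note <17>; the other three are the standard well-known
# SIDs for Network Service, Everyone and Anonymous (assumed by this model).
SID_BUILTIN_ADMINS = "S-1-5-32-544"
SID_NETWORK_SERVICE = "S-1-5-20"
SID_EVERYONE = "S-1-1-0"
SID_ANONYMOUS = "S-1-5-7"

# Permission each method requires, from the tables in notes <3> and <4>.
READ_METHODS = frozenset({"GetOCSPProperty", "GetCAConfigInformation", "GetSecurity",
                          "GetSigningCertificates", "GetHashAlgorithms", "Ping"})
MANAGE_METHODS = frozenset({"SetOCSPProperty", "SetCAConfigInformation", "SetSecurity"})
ANY_CALLER_METHODS = frozenset({"GetMyRoles"})


@dataclass(frozen=True)
class Ace:
    ace_type: int
    sid: str
    mask: int


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl: tuple   # ACCESS_ALLOWED ACEs
    sacl: tuple   # SYSTEM_AUDIT ACEs


def default_responder_sd() -> SecurityDescriptor:
    """Default SD as note <17> describes it; the ACE masks are derived from the bit table (assumption)."""
    return SecurityDescriptor(
        owner=SID_BUILTIN_ADMINS,
        group=SID_BUILTIN_ADMINS,
        dacl=(Ace(ACCESS_ALLOWED_ACE_TYPE, SID_BUILTIN_ADMINS, OCSP_READ | OCSP_ADMINISTER),
              Ace(ACCESS_ALLOWED_ACE_TYPE, SID_NETWORK_SERVICE, OCSP_PROXY)),
        sacl=(Ace(SYSTEM_AUDIT_ACE_TYPE, SID_EVERYONE, 0xffff),
              Ace(SYSTEM_AUDIT_ACE_TYPE, SID_ANONYMOUS, 0xffff)),
    )


def granted_mask(sd: SecurityDescriptor, caller_sids: set) -> int:
    """OR together the masks of every allow ACE whose SID is in the caller's token."""
    mask = 0
    for ace in sd.dacl:
        if ace.ace_type == ACCESS_ALLOWED_ACE_TYPE and ace.sid in caller_sids:
            mask |= ace.mask
    return mask


def effective_permissions(mask: int) -> frozenset:
    """Translate an ACCESS_MASK into the appendix's named permissions; Administer implies Read."""
    perms = set()
    if mask & OCSP_ADMINISTER:
        perms.update({"Administer", "Read"})
    if mask & OCSP_READ == OCSP_READ:      # also true for a 0x300 proxy grant
        perms.add("Read")
    if mask & OCSP_PROXY == OCSP_PROXY:
        perms.add("Proxy")
    return frozenset(perms)


def check_access(sd: SecurityDescriptor, caller_sids: set, method: str) -> int:
    """Return S_OK or E_ACCESSDENIED for one method call; unknown methods are denied (assumption)."""
    if method in ANY_CALLER_METHODS:
        return S_OK
    perms = effective_permissions(granted_mask(sd, caller_sids))
    if method in READ_METHODS:
        return S_OK if "Read" in perms else E_ACCESSDENIED
    if method in MANAGE_METHODS:
        return S_OK if "Administer" in perms else E_ACCESSDENIED
    return E_ACCESSDENIED


def audit_applies(sd: SecurityDescriptor, caller_sids: set, requested: int) -> bool:
    """True when a SACL entry for one of the caller's SIDs covers any requested access bit."""
    return any(ace.ace_type == SYSTEM_AUDIT_ACE_TYPE and ace.sid in caller_sids
               and ace.mask & requested for ace in sd.sacl)


if __name__ == "__main__":
    sd = default_responder_sd()
    tokens = {"admin": {SID_BUILTIN_ADMINS, SID_EVERYONE},
              "netsvc": {SID_NETWORK_SERVICE, SID_EVERYONE},
              "user": {"S-1-5-21-1-2-3-1001", SID_EVERYONE}}   # constructed domain user SID
    for who, token in tokens.items():
        for m in ("GetSecurity", "SetSecurity", "GetMyRoles"):
            print(f"{who:7s} {m:12s} -> 0x{check_access(sd, token, m):08x}")
```

Running the block prints one line per principal and method; Builtin Admins succeed on both the read and the manage method, Network Service passes the Read check only by virtue of the 0x100 bit inside its 0x300 proxy grant and is refused SetSecurity, an ordinary user receives 0x80070005 on everything except GetMyRoles, and `audit_applies` reports that any request from an anonymous caller falls under the default audit ACE.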
<18> Section 3.2.4.1.8: The Microsoft Online Responder returns the hash algorithms supported by the "Microsoft Strong Cryptographic Provider" CSP in the default list of hash algorithms.
<19> Section 6: The Microsoft implementation of the OCSP admin interface has a CLSID whose value is { 0x6d5ad135, 0x1730, 0x4f19, { 0xa4, 0xeb, 0x3f, 0x78, 0xe7, 0xc9, 0x76, 0xbb}}.