Securing PKI: Appendix C: Delegating Active Directory PKI Permissions

 

Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012

In order to install an enterprise root or subordinate CA in Active Directory®, typically the account performing the installation should be a member of the Enterprise Admins (EA) group for the forest, as well as a member of the local administrators group on the CA computer. In some cases it may be desirable to delegate the permissions required to perform installation, or other PKI related activities to accounts that are not members of privileged Active Directory® groups such as Enterprise Admins or Domain Admins. Regardless of which groups are used to perform PKI activities, group membership should be tightly controlled and monitored.

The instructions below do not address the permissions required to install other AD CS roles such as NDES. It might not be possible to perform other AD CS-related tasks based on the permissions delegated through the steps below.

Permissions for Enterprise CA Installation

Delegating rights to a non-Enterprise Admin user to perform complete CA installations requires delegating the following permissions:

  • Rights to create new objects underneath the Public Key Infrastructure container underneath the Configuration partition. This includes creating new Certificate Template objects, adding objects to the Certification Authorities node, the Enrollment Services node, the AIA node, and the CDP node.

  • Rights to add members to the Cert Publishers groups in each domain in the forest. The computer account of the CA is added to the Cert Publishers group of its domain during the CA installation.

  • Rights to add members to the Pre-Windows 2000 Compatible Access group

  • Membership in the local administrators group of the soon-to-be CA

Note

If installation of the first CA in a forest is done using delegated permissions, it will be necessary to install the default templates separately as an Enterprise Admin. This can be done prior to installing the CA by running the command certutil –installdefaulttemplates.

Delegating Rights to the Public Key Infrastructure Container

  1. In the Organizational Unit (OU) where you will be storing the groups and/or accounts that will be managing the PKI, right-click the OU where you want to create the group, click New and click Group.

  2. In the New Object – Group dialog box, enter a name for the group. If you plan to have certification authorities in multiple domains in your forest, make it a universal group. Otherwise, create a global group. Click OK to create the group.

  3. Right-click the group you just created, click Properties, and click the Object tab. In the group’s Object property dialog box, select Protect object from accidental deletion, which will not only prevent otherwise-authorized users from deleting the group, but also from moving it to another OU unless the attribute is first deselected.

  4. Open Active Directory Sites and Services with an account in the Enterprise Admins group.

  5. Click the View menu option and select Show Services Node.

  6. Under the Services node, right-click Public Key Services, click Properties and click the Security tab.

  7. Click Advanced.

  8. Click Add... and search for the newly created management group and click OK.

  9. Grant the new management group full control and click OK.

  10. Click OK to close the Public Key Services Properties dialog box.

Delegating Group Permissions

  1. Open Active Directory Users and Computers with an account that has rights to modify security permissions for Pre-Windows 2000 Compatible Access and Cert Publishers groups.

  2. Under Builtin, right-click Pre-Windows 2000 Compatible Access and click Properties.

  3. Click the Security tab. Click Add… and select the newly created management group. Grant the group Read and Write access and click OK.

  4. Under Users, right click Cert Publishers and click Properties.

  5. Click the Security tab. Click Add… and select the newly created management group. Grant the group Read and Write access and click OK.

  6. If you have a multi-domain forest, you will need to repeat the step of granting Write access to the management group to Cert Publishers for each domain in the forest. Each domain has its own Cert Publishers group. During installation, the CA computer account will be added to the Cert Publishers group in the domain in which the CA resides.

Permissions for Managing Certificate Templates

For guidance on implementing delegation for management of certificate templates, refer to Administering Certificate Templates.

See Also

Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix A: Events to Monitor
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Securing PKI: Appendix F: List of Recommendations by Impact Level
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012