Certificate Settings StepByStep Guide
8/12/2019 Certificate Settings StepByStep Guide
1/20
Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
Microsoft Corporation
Published (for Beta 2): May 2006
Updated: August 2006
Updated for Beta 3: May 2007
Abstract
Certificate settings in Group Policy in the Windows Server Code Name "Longhorn" Beta 3 operating system allow you to manage the settings for certificate path discovery and validation using Group Policy objects. This guide includes system requirements, installation instructions, and step-by-step instructions for enforcing trust management decisions and managing certificate settings according to your organization's security requirements.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY [...] express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, SharePoint, Windows, Windows NT, Windows Server, are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
  Contents
  Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
    What is Certificate Settings in Group Policy?
    In This Guide
    Scenario 1: Managing Trusted Root Certificates
    Scenario 2: Managing Trusted Publishers
    Scenario 3: Deploying Intermediate CA Certificates
    Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
    Scenario 5: Handling Large Certificate Revocation Lists
    Scenario 6: Extending Expiration Times for CRLs and OCSP responses
  Additional Resources
Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
This step-by-step guide provides the instructions that you need to set up certificate settings in Group Policy in a test lab environment. We recommend that you do not use this guide in a production environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® Code Name "Longhorn" operating system features without additional documentation (as listed in the Additional Resources section) and should be used with discretion as a stand-alone document.
What is Certificate Settings in Group Policy?
As X.509 public key infrastructures become more prominent in applications and a foundation of trust management, many organizations need more options to manage certificate path discovery and path validation settings. Previous versions of Windows operating systems did not have tools to customize certificate settings. Certificate settings in Group Policy provide this ability in the Windows Server Code Name "Longhorn" Beta 3 operating system. It enables you to manage the certificate validation settings according to the security needs of your organization.
Configure the retrieval settings for certificates and certificate revocation lists (CRLs).
The following image is a screenshot of the Group Policy Management console.
In the Group Policy Management console, you can find the certificate settings under Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
The Windows Server Code Name "Longhorn" certificate settings in Group Policy now include four new Group Policy stores:
  Intermediate Certification Authorities
  Trusted Publishers
  Untrusted Certificates
  Trusted People
The Certificate Path Validation Settings object is also new and includes options to configure path validation settings, such as network retrieval timeouts and revocation settings.
Who should use certificate settings in Group Policy?
This guide is intended for the following audiences:
  IT planners and analysts who are evaluating the product
  Security architects who are responsible for implementing Trustworthy Computing
  Security administrators who run public key infrastructure (PKI)-enabled applications in their environment
Benefits of certificate settings in Group Policy
Scenario 1: Managing Trusted Root Certificates
In this scenario, you are responsible for management of the security environment for your domain, and you want to completely manage trust and disallow users in the domain to configure their own set of trusted root certificates and peer trust certificates.
8. Clear the Allow users to trust peer trust certificates option in the Per user certificate stores section.
9. Select the root CAs that the client computers can trust in the Root certificate stores section.
10. Click OK to apply the new setting.
The following figure is a screenshot of the Stores tab on the Certificate Path Validation Settings Properties page.
Scenario 2: Managing Trusted Publishers
In this scenario, you are responsible for managing the security environment of your domain. The security policy of your company requires that only the administrators can add certificates used for code signing.
To allow only administrators to manage certificates used for code signing
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select the Trusted Publishers tab.
5. In the Adding Trusted Publishers section, select Allow only all administrators to manage Trusted Publishers.
6. Click Apply to apply the new settings, and OK when you are done making changes.
The following figure is a screenshot of the Trusted Publishers tab on the Certificate Path Validation Settings Properties page.
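Once only administrators may add Trusted Publishers, the useful follow-up check is whether the store on a given computer still matches what administrators approved. The PowerShell below is an added example, not part of the original guide: it lists the local computer's Trusted Publishers store and flags certificates that are not on an approved list or that did not arrive through Group Policy. The approved thumbprints are constructed placeholders, and the registry key used to tell policy-delivered certificates apart from locally added ones is an assumption about where Group Policy mirrors the store.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell on a
# domain-joined computer; the approved thumbprints below are constructed placeholders.

# Constructed allow list: thumbprints of the code-signing certificates that
# administrators deployed through the Trusted Publishers policy store.
$ApprovedThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder: corporate code-signing CA
    '0000000000000000000000000000000000000002'    # placeholder: build-server signing cert
)

function Get-TrustedPublisherDrift {
    param([string[]] $Approved)

    # Assumption: certificates delivered by Group Policy are mirrored under this
    # registry key, keyed by thumbprint; anything else in the store was added locally.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
    $fromPolicy = @()
    if (Test-Path $policyKey) {
        $fromPolicy = (Get-ChildItem $policyKey).PSChildName
    }

    Get-ChildItem Cert:\LocalMachine\TrustedPublisher | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            ViaPolicy  = $fromPolicy -contains $_.Thumbprint
            Approved   = $Approved -contains $_.Thumbprint
        }
    } | Where-Object { -not $_.Approved -or -not $_.ViaPolicy }
}

# Every object returned is a trusted publisher that was not approved, or that was
# added directly on the machine instead of through Group Policy.
Get-TrustedPublisherDrift -Approved $ApprovedThumbprints | Format-Table -AutoSize
```

Run it from an elevated prompt on a client after Group Policy has refreshed; an empty result means the store contains exactly the approved, policy-delivered publishers. The same comparison can be scheduled and its output forwarded to a log collector to detect drift over time.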
Scenario 3: Deploying Intermediate CA Certificates
In this scenario, you are responsible for managing the security environment of your domain. [...] expired intermediate CA certificates. This is affecting revocation checking for your applications. To solve this problem, you need to deploy new intermediate CA certificates on all computers in the domain.
Before you start
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
In this scenario, you are responsible for managing the security environment of your domain. Based on Group Policy requirements, you do not want applications and clients to trust specific certificates. However, you cannot revoke these certificates because they are issued by external CAs.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
To block certificates for the local computer
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
   Under Available snap-ins, double-click Certificates, click Add. In the option "This snap-in will always manage certificates for", select the Computer account and then select Local Computer and click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. Expand the Certificates snap-in.
5. Right-click on the Untrusted Certificates store.
6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
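Both Scenario 3 (importing replacement intermediate CA certificates) and the local-computer procedure in Scenario 4 (importing certificates into Untrusted Certificates) end with the Certificate Import Wizard. The PowerShell below is an added example, not part of the original guide, that performs the same imports from the command line and then builds the certificate chain the way an application would, so the effect on trust is visible immediately. It assumes an elevated session with the PKI module's Import-Certificate cmdlet (Windows 8 / Server 2012 and later); the certificate file paths are constructed placeholders.

```powershell
# Added example, not part of the original guide. Assumes an elevated Windows
# PowerShell session with the PKI module (Import-Certificate); the file paths
# are constructed placeholders. Local-computer store names: "CA" is
# Intermediate Certification Authorities, "Disallowed" is Untrusted Certificates.

function Add-CertificateToMachineStore {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('CA', 'Disallowed')] [string] $StoreName
    )
    $store    = "Cert:\LocalMachine\$StoreName"
    $imported = Import-Certificate -FilePath $Path -CertStoreLocation $store

    # Confirm by thumbprint that the certificate really landed in the store.
    $present = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
    if (-not $present) { throw "Import of '$Path' into $store did not take effect" }

    [pscustomobject]@{
        Store      = $StoreName
        Subject    = $imported.Subject
        Thumbprint = $imported.Thumbprint
        NotAfter   = $imported.NotAfter
    }
}

function Test-CertificateChain {
    # Builds the chain with the machine's current stores and reports the status
    # flags, so a missing intermediate or an explicit distrust shows up here.
    param([Parameter(Mandatory)] [string] $Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok    = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Scenario 3: replacement intermediate CA certificate into Intermediate Certification Authorities
Add-CertificateToMachineStore -Path 'C:\certs\issuing-ca-2007.cer' -StoreName CA
Test-CertificateChain -Path 'C:\certs\server-issued-by-new-ca.cer'

# Scenario 4: certificate issued by an external CA that must not be trusted
Add-CertificateToMachineStore -Path 'C:\certs\do-not-trust.cer' -StoreName Disallowed
Test-CertificateChain -Path 'C:\certs\do-not-trust.cer'
```

Before the intermediate is imported, the first Test-CertificateChain call reports a chain status such as PartialChain; after the import it should report the chain as valid. For the Scenario 4 certificate, Valid turns false once the certificate sits in Disallowed, which is the behaviour applications on the computer will now see. On builds without the PKI module, certutil -addstore CA <file> and certutil -addstore Disallowed <file> perform the same imports.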
Scenario 5: Handling Large Certificate Revocation Lists
In this scenario, you are responsible for managing the security environment of your domain.
2. On the File menu, click Add/Remove Snap-in.
   If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.
   If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.
3. If you have no more snap-ins to add to the console, click OK.
4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.
5. Select the Network Retrieval tab.
6. In the Default retrieval timeout settings section, select the Default URL retrieval timeout (in seconds) option.
7. Enter the desired timeout value.
8. Click OK to apply the new settings.
The following figure is a screenshot of the Network Retrieval tab of the Certificate Path Validation Settings Properties dialog box.
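Choosing the timeout value in step 7 is easier with a measurement of how long the large CRL actually takes to download from a client. The PowerShell below is an added example, not part of the original guide: it fetches a CRL the way a client would, reports its size and elapsed time, and compares that with the timeout currently applied by policy. The CRL URL is a constructed placeholder (take the real one from the CRL Distribution Point extension of an issued certificate), and the registry location and value name used to read the applied timeout are an assumption about how the Network Retrieval setting is stored; verify them on your build.

```powershell
# Added example, not part of the original guide. The CRL URL is a constructed
# placeholder; the registry path and value name are an assumption about where the
# Network Retrieval policy setting is stored (verify on your build).

function Measure-CrlRetrieval {
    # Downloads a CRL and reports size and elapsed time, which is the data
    # needed to pick a sensible Default URL retrieval timeout.
    param(
        [Parameter(Mandatory)] [string] $Url,
        [int] $TimeoutSeconds = 15
    )
    $tmp = Join-Path $env:TEMP ('crl-' + [guid]::NewGuid() + '.crl')
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -TimeoutSec $TimeoutSeconds -UseBasicParsing
        $sw.Stop()
        [pscustomobject]@{
            Url       = $Url
            Succeeded = $true
            Bytes     = (Get-Item $tmp).Length
            Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        }
    } catch {
        $sw.Stop()
        [pscustomobject]@{
            Url       = $Url
            Succeeded = $false
            Bytes     = 0
            Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 2)
            Error     = $_.Exception.Message
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Get-UrlRetrievalTimeoutPolicy {
    # Assumption: the Default URL retrieval timeout from the Network Retrieval tab
    # is written here in milliseconds; no value means the client's built-in default.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
    $name = 'ChainUrlRetrievalTimeoutMilliseconds'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]($item.$name / 1000)
}

$crlUrl = 'http://crl.example.com/IssuingCA.crl'    # constructed placeholder
$policy = Get-UrlRetrievalTimeoutPolicy
$limit  = if ($policy) { $policy } else { 15 }     # fall back to a typical default when no policy applies
$result = Measure-CrlRetrieval -Url $crlUrl -TimeoutSeconds $limit
$result | Format-List

if ($result.Succeeded -and $result.Seconds -gt ($limit / 2)) {
    Write-Warning "CRL download used more than half of the $limit s timeout; consider raising the Default URL retrieval timeout."
}
```

Run it from several client locations (including the slowest WAN link) and size the timeout from the worst observed download, not the best; a timeout that is too short makes revocation checking fail on exactly the clients that need it most, while one that is far too long only delays the error when the distribution point is unreachable.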