Step by Step Active Directory Certificate Service – Part 2

Introduction

In part 1 of this blog series, we successfully installed Active Directory Certificate Services and performed the post-installation tasks. In this part, we will configure a certificate template for client and workstation authentication and configure a group policy for automatic certificate enrollment.

To secure the AD CS infrastructure, it is highly recommended to deploy a subordinate certificate authority and shut down (take offline) your root certificate authority.

Step by Step Configure Certificate Template

So far, we have AD CS installed and configured. To proceed with the configuration of AD CS, we need to configure a certificate template for workstation and client authentication. To configure a certificate template, perform the following steps.

  • Navigate to Server Manager > Tools > Certification Authority

  • Navigate to Certification Authority > Machine Name > Certificate Template. Right-click Certificate Template and click Manage

  • Duplicate the “Workstation Authentication” template

  • Set up the template properties as required. Under the General tab, define the name of the duplicated template and set the validity period

  • Under the Security tab, ensure that domain-joined machines have the Read, Enroll and Autoenroll permissions

  • Click on the Extensions tab and edit Application Policies to add Server Authentication to the template

  • Click on the Subject Name tab and ensure the DNS name and User Principal Name (UPN) options are selected

  • Click Apply and close the template properties.
  • Navigate to Certification Authority > Certificate Template, right-click it and select New > Certificate Template to Issue

  • Select the certificate template and click OK

So far we have the certificate template created for workstation authentication. The next step is to create a group policy that configures automatic enrollment of the certificate.

Group Policy for Automatic Certificate Enrollment

As of now, our AD CS setup is ready for certificate enrollment. With the help of a group policy, we will configure the domain-joined workstations to request a certificate from AD CS. To configure a group policy for AD CS, perform the following steps.

  • Log in to the domain controller and launch the Group Policy Management Console from Control Panel > Administrative Tools > Group Policy Management

  • Navigate to the OU that contains your domain-joined computers. In my case, I have a Servers OU that contains all domain-joined computers.

  • Right-click the Servers OU and click “Create a GPO in this domain, and link it here”

  • Define the name of the GPO and click OK

  • Select the GPO, right-click it and click Edit to modify the GPO settings

  • Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies

  • Select Certificate Services Client – Certificate Enrollment Policy and click Properties

  • Under Configuration Model, select Enabled

  • Next, select Certificate Services Client – Auto-Enrollment, open its Properties and set Configuration Model to Enabled

  • Once done, right-click the GPO, click Enforced and then Group Policy Update

  • Click OK on the Group Policy pop-up message to finish the process

Your Group Policy deployment for the certificate authority is now complete. You can navigate to Issued Certificates on the CA to see that the computer accounts have started to receive certificates from your AD CS infrastructure.
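To check the result from the client side rather than only from the CA console, here is an added PowerShell verification script (not part of the original post). It assumes the display name you gave the duplicated template, and is run in an elevated session on a domain-joined computer in the OU the GPO is linked to.

```powershell
# Added verification script (not from the original post). Run in an elevated
# PowerShell session on a domain-joined computer in the OU the GPO is linked to.
$TemplateName = 'Workstation Authentication Duplicate'   # assumption: your template's display name

# 1. Is the template published on the enterprise CA ("Certificate Template to Issue")?
$published = certutil -CATemplates 2>$null | Select-String -SimpleMatch $TemplateName
if ($published) { "Published on CA: $($published.Line.Trim())" }
else { Write-Warning "Template '$TemplateName' is not published for issuance." }

# 2. Has the Auto-Enrollment policy from the GPO reached this machine?
#    Group Policy writes the AEPolicy value under this key; 0 means disabled.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy -or $aePolicy -eq 0) {
    Write-Warning "Autoenrollment policy not applied (AEPolicy=$aePolicy); run 'gpupdate /force' and check the GPO link."
} else { "Autoenrollment policy applied (AEPolicy=$aePolicy)" }

# 3. Trigger autoenrollment now instead of waiting for the next policy refresh.
certutil -pulse | Out-Null

# 4. Find certificates in the computer's personal store issued from the template.
#    The template is recorded in the Certificate Template Information extension
#    (OID 1.3.6.1.4.1.311.21.7); on a domain member Format() resolves its display name.
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, added on the Extensions tab
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tmpl -and $tmpl.Format($false) -like "*$TemplateName*"
}
foreach ($cert in $issued) {
    $eku    = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SAN        = if ($sanExt) { $sanExt.Format($false) } else { '' }  # expect the DNS name and UPN
        ClientAuth = $eku -contains $clientAuth
        ServerAuth = $eku -contains $serverAuth
        PrivateKey = $cert.HasPrivateKey
    }
}
if (-not $issued) { Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My yet." }
```

A certificate that shows the expected SAN, both EKUs and a private key confirms that the template, the CA publication and the GPO all line up; a missing AEPolicy value points at the GPO link or scope rather than at the CA.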

Conclusion

In this blog article we configured an Active Directory Certificate Services template for end-user workstations and deployed a group policy on the Servers OU to request the certificate from the internal CA. I hope this series helps you deploy your PKI infrastructure using AD CS.

Step by Step Active Directory Certificate Service – Part 1

Introduction

Microsoft Active Directory Certificate Services (AD CS) provides an infrastructure for securely issuing and managing certificates in your public key infrastructure. AD CS can also be leveraged to authenticate computers, users or devices on the corporate network, depending on your infrastructure security requirements.

In this blog series, we will set up a single-server AD CS on a domain-joined machine and configure an Active Directory group policy to auto-enroll certificates for one OU. Please note that this is a single-server deployment; enterprise deployments of Active Directory Certificate Services require detailed planning and design of the solution.

To secure the AD CS infrastructure, it is highly recommended to deploy a subordinate certificate authority and shut down (take offline) your root certificate authority.

Active Directory Certificate Services design options are discussed on TechNet. AD CS includes programmable interfaces so that developers can add support for additional transports, policies, and certificate properties and formats. The AD CS service architecture is described there as well, which helps when customizing AD CS.

Step by Step Active Directory Certificate Service Role Installation

Below is a step-by-step guide to installing the Active Directory Certificate Services role.

  • Log in to the Active Directory Certificate Services server and launch Server Manager
  • In Server Manager, click Add Roles and Features

  • Click Next on the following screen

  • By default, Role-based or feature-based installation is selected; click Next

  • Select the server on which you want to install this role and click Next

  • Select Active Directory Certificate Services. Click Add Features in the pop-up window and then click Next

  • Click Next, as we don’t need to install any additional features for AD CS

  • Click Next on the AD CS page

  • On the Role Services page, select Certification Authority and click Next

  • Click Install to start the installation process

  • Once the installation is completed, click Close to exit the wizard.

Configure Active Directory Certificate Service

As of now, we have the Active Directory Certificate Services server role installed. The next step is to perform the post-installation steps and configure Active Directory Certificate Services. To do so, perform the following steps.

  • Click Configure Active Directory Certificate Services on the target computer. This opens the configuration wizard for the certificate authority

  • Provide the credentials of a user account that has Enterprise Admin and local Administrator rights and click Next

  • Select the role service to configure; we are setting up Certification Authority

  • As we are using a domain-joined machine and setting up a domain infrastructure, select Enterprise CA and click Next

  • As this is our first Active Directory Certificate Services server, select Root CA and click Next

  • Select “Create a new private key” and click Next

  • Select your cryptography options and click Next

We are using SHA-256, as SHA-1 has been deprecated by all browsers and by Microsoft for server authentication.

  • The CA name is populated automatically; click Next

  • Define the validity period and click Next

  • Specify the database location for the certificate database and click Next

  • Review the configuration and click Configure

  • Once the configuration is completed, click Close to exit the configuration wizard.
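The same installation and post-installation configuration can be scripted, which makes the chosen settings (Enterprise root CA, new key, SHA-256) reviewable and repeatable. This is an added example, not from the original post; the CA name, key length, validity and paths are placeholder assumptions.

```powershell
# Added example, not from the original post: the wizard steps above as a script.
# Run in an elevated PowerShell session on the domain-joined server, as a user who
# is Enterprise Admin and local Administrator.
$CACommonName = 'CORP-ROOT-CA'   # assumption: your CA name
$DatabaseDir  = 'D:\CertDB'      # assumption: certificate database location
$LogDir       = 'D:\CertLog'     # assumption: database log location

# Role installation (Add Roles and Features > Active Directory Certificate Services)
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Post-installation configuration (Configure Active Directory Certificate Services):
# Enterprise CA, Root CA, a new private key, and SHA-256 instead of the deprecated SHA-1.
# Key length 2048 is an assumption; the post does not state one.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory $DatabaseDir `
    -LogDirectory $LogDir `
    -Force

# Verify the result: the CA configuration string and the hash algorithm the CA signs with.
certutil -getconfig
certutil -getreg CA\CSP\CNGHashAlgorithm
```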

Conclusion

In this article of the Active Directory Certificate Services series, we successfully installed Active Directory Certificate Services and completed the post-installation tasks. In part 2 of this series we will configure the certificate template and the group policy for certificate auto-enrollment.

Setting up Unified Data Loss Prevention Policies in Office 365

Introduction to Unified Data Loss Prevention Policies in Office 365

Every organization is concerned about the security of its data. Regardless of the size of the organization or the industry it operates in, organizations want to ensure that their data is protected. Office 365 Data Loss Prevention (DLP) helps organizations keep their sensitive information from getting into the wrong hands, with policies that protect confidential data according to business requirements. Earlier this month, Microsoft introduced unified Data Loss Prevention policies in Office 365, which let IT admins create, manage and report on DLP policies for Exchange Online, SharePoint Online and OneDrive for Business from a single admin pane.

Administrators are no longer required to setup and manage DLP policies separately for Exchange online, SharePoint Online and OneDrive for Business.

Unified Data Loss Prevention policies in Office 365 are provided via the Office 365 Security and Compliance Center. We discussed the Office 365 Security and Compliance Center in my previous blog post on enabling auditing of admin users in Office 365. With the new enhancements, admins can create a single DLP policy in the Security and Compliance Center that covers Exchange Online, SharePoint Online and OneDrive for Business. The unified DLP platform lets organizations manage multiple workloads from a single management experience, reducing the time and complexity required to set up and maintain security and compliance.

The new unified DLP policy experience in Office 365 does not affect any existing policy configuration.

Setting up unified DLP policies in Office 365 requires you to perform the following steps.

  • Click the icon to create a new DLP policy.
  • In the new policy wizard, select the DLP policy type and click Next. In my case, I selected the “Medical and Health Regulation” policy type to create a HIPAA compliance policy

  • Next, select the services to which you would like to apply the DLP policy. I selected all the workloads

By default, SharePoint Online and OneDrive for Business are selected. You can also specify the users to whom the policy applies in SharePoint Online and OneDrive for Business.

  • Click Next and customize the rule if required.

  • Once you have finalized the rules, click Next and define the name and description of the policy. You are also asked whether to turn the policy on or off. By default, a policy created from the Office 365 Security and Compliance Center is set to the “Test it out” option.

Once the policy is created, it is applied to users according to the criteria you defined during policy creation.
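The same unified policy can be created with Security & Compliance PowerShell, which is useful for reviewing exactly which workloads and sensitive information types a policy covers. This is an added example, not from the original post; the policy name and the two sensitive information types are illustrative assumptions (the portal’s HIPAA template bundles more types than shown here), and it requires the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original post: the unified DLP policy from the wizard
# above, built with Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession   # sign in as an Office 365 admin

$PolicyName = 'HIPAA Compliance Policy'   # assumption: your policy name

# One policy covering Exchange Online, SharePoint Online and OneDrive for Business.
# 'TestWithNotifications' corresponds to the wizard's default "Test it out" option;
# switch to 'Enable' once the test results look right.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Unified DLP policy for HIPAA-related content' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# The rule: which sensitive information types trigger the policy and what happens.
# The two types below are assumptions standing in for the HIPAA template's full list.
New-DlpComplianceRule -Name "$PolicyName - Rule" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' }
    ) `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# Confirm the policy exists, which workloads it covers and that it is still in test mode.
Get-DlpCompliancePolicy -Identity $PolicyName |
    Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
```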

Unified Data Loss Prevention Policies Reporting in Office 365

With the Office 365 Security and Compliance Center, Microsoft also provides unified reporting for your DLP policies. You can view reports for your DLP policies across Exchange Online, SharePoint Online and OneDrive for Business, which makes it easier to understand the business impact of your DLP policies and to uncover actions that violate policies across multiple workloads. To view the report for your DLP policies, perform the following steps.

DLP policy matches gives you a unified report of your DLP policies across all platforms.

Security Vulnerability in AD FS 3.0

In April 2015, Microsoft released an important security update for AD FS 3.0 in a security bulletin, addressing a security vulnerability reported in AD FS 3.0. The vulnerability allowed an intruder to gain access to your application by reusing an existing token.

According to Microsoft Security Bulletin MS15-040, the vulnerability allows an attacker to gain access to an application that uses AD FS 3.0 single sign-on, such as Office 365. The flaw is in the logoff process of AD FS 3.0: the logoff failed, allowing an intruder to reuse the existing token to access the application as the user.

This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off.

The security bulletin states that Microsoft has no knowledge of any cases where this vulnerability was exploited, and I hope no one is impacted or could be impacted and that everyone can patch their AD FS servers, as I did mine before writing this article 🙂

Detailed information on the security bulletin can be found on TechNet. Be safe 🙂