
8/12/2019 Certificate Settings StepByStep Guide

Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"

    Microsoft Corporation

    Published (for Beta 2): May 2006

    Updated: August 2006

Updated for Beta 3: May 2007

Abstract

Certificate settings in Group Policy in the Windows Server Code Name "Longhorn" Beta 3 operating system allow you to manage the settings for certificate path discovery and validation using Group Policy objects. This guide includes system requirements, installation instructions, and step-by-step instructions for enforcing trust management decisions and managing certificate settings according to your organization's security requirements.


This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. No part of this document may be reproduced or transmitted, for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, SharePoint, Windows, Windows NT, Windows Server, are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents

Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"
    What is Certificate Settings in Group Policy?
    In This Guide
    Scenario 1: Managing Trusted Root Certificates
    Scenario 2: Managing Trusted Publishers
    Scenario 3: Deploying Intermediate CA Certificates
    Scenario 4: Blocking Certificates that are not Trusted According to Group Policy
    Scenario 5: Handling Large Certificate Revocation Lists
    Scenario 6: Extending Expiration Times for CRLs and OCSP responses
Additional Resources


Certificate Settings in Group Policy Step-by-Step Guide for Windows Server Code Name "Longhorn"

This step-by-step guide provides the instructions that you need to set up certificate settings in Group Policy in a test lab environment. We recommend that you do not use this guide in a production environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® Code Name "Longhorn" operating system features without additional documentation (as listed in the Additional Resources section) and should be used with discretion as a stand-alone document.

What is Certificate Settings in Group Policy?

As X.509 public key infrastructures become more prominent in applications and a foundation of trust management, many organizations need more options to manage certificate path discovery and path validation settings. Previous versions of Windows operating systems did not have tools to customize certificate settings. Certificate settings in Group Policy provide this ability in the Windows Server Code Name "Longhorn" Beta 3 operating system. It enables you to manage the certificate validation settings according to the security needs of your organization.


Configure the retrieval settings for certificates and certificate revocation lists (CRLs).

The following image is a screenshot of the Group Policy Management console.

In the Group Policy Management console, you can find the certificate settings under Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

The Windows Server Code Name "Longhorn" certificate settings in Group Policy now include four new Group Policy stores:

Intermediate Certification Authorities

Trusted Publishers

Untrusted Certificates

Trusted People

The Certificate Path Validation Settings object is also new and includes options to configure path validation settings, such as network retrieval timeouts and revocation settings.


Who should use certificate settings in Group Policy?

This guide is intended for the following audiences:

IT planners and analysts who are evaluating the product

Security architects who are responsible for implementing Trustworthy Computing

Security administrators who run public key infrastructure (PKI)-enabled applications in their environment

Benefits of certificate settings in Group Policy


Scenario 1: Managing Trusted Root Certificates

In this scenario, you are responsible for management of the security environment for your domain, and you want to completely manage trust and disallow users in the domain from configuring their own set of trusted root certificates and peer trust certificates.


8. Clear the Allow users to trust peer trust certificates option in the Per user certificate stores section.

9. Select the root CAs that the client computers can trust in the Root certificate stores section.

10. Click OK to apply the new setting.

The following figure is a screenshot of the Stores tab on the Certificate Path Validation Settings Properties page.


Scenario 2: Managing Trusted Publishers

In this scenario, you are responsible for managing the security environment of your domain. The security policy of your company requires that only the administrators can add certificates used for code signing.


To allow only administrators to manage certificates used for code signing

1. Click Start, click Start Search, type mmc, and then press ENTER.

2. On the File menu, click Add/Remove Snap-in.

If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.

If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.

3. If you have no more snap-ins to add to the console, click OK.

4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select the Trusted Publishers tab.

5. In the Adding Trusted Publishers section, select Allow only all administrators to manage Trusted Publishers.

6. Click Apply to apply the new settings, and OK when you are done making changes.

The following figure is a screenshot of the Trusted Publishers tab on the Certificate Path Validation Settings Properties page.
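Scenario 1 and Scenario 2 both restrict what a user may trust on their own (root CAs, peer trust certificates, code-signing publishers). The following script, added here as an example and not part of the Microsoft guide, audits a client for certificates that a user has already placed in their per-user Root, TrustedPeople or TrustedPublisher stores and that are not in the corresponding computer-wide store, which is what those policy settings are meant to prevent. It assumes Windows PowerShell 5.1 on a domain-joined client and is run in the user's own session, because Cert:\CurrentUser is the calling user's view of the stores.

```powershell
# Added example (not from the Microsoft guide): find certificates a user trusted on
# their own. The CurrentUser logical store of Root, TrustedPeople and TrustedPublisher
# includes the Local Computer store as one of its physical stores, so any thumbprint
# present under CurrentUser but absent under LocalMachine was added by the user
# (or by software running as the user), not deployed by an administrator.
function Find-UserAddedCertificate {
    param(
        # Stores where a per-user entry widens trust beyond what was deployed.
        # Disallowed is deliberately left out: a user adding a block there narrows
        # trust rather than widening it.
        [string[]]$StoreName = @('Root', 'TrustedPeople', 'TrustedPublisher')
    )
    foreach ($store in $StoreName) {
        $machine = @(Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty Thumbprint)

        Get-ChildItem -Path "Cert:\CurrentUser\$store" -ErrorAction SilentlyContinue |
            Where-Object { $machine -notcontains $_.Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                    # A self-signed entry in Root is a user-installed root CA, the
                    # case Scenario 1 is about.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$found = @(Find-UserAddedCertificate)
if ($found.Count -eq 0) {
    'No user-added certificates found in Root, TrustedPeople or TrustedPublisher.'
} else {
    $found | Format-Table Store, Subject, NotAfter, Thumbprint -AutoSize
    # Remove each one, prompting per certificate so nothing disappears by accident.
    foreach ($entry in $found) {
        Remove-Item -Path "Cert:\CurrentUser\$($entry.Store)\$($entry.Thumbprint)" -Confirm
    }
}
```

Run this on a representative client before and after applying the Stores and Trusted Publishers settings: entries that reappear after removal point at software that re-installs its own root or publisher certificate, which is the behaviour the policy is there to stop. The script only reads and removes per-user entries; it does not touch the computer-wide or Group Policy stores.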


Scenario 3: Deploying Intermediate CA Certificates

In this scenario, you are responsible for managing the security environment of your domain. Computers in the domain hold expired intermediate CA certificates. This is affecting revocation checking for your applications. To solve this problem, you need to deploy new intermediate CA certificates on all computers in the domain.


Before you start


6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

Scenario 4: Blocking Certificates that are not Trusted According to Group Policy

In this scenario, you are responsible for managing the security environment of your domain. Based on Group Policy requirements, you do not want applications and clients to trust specific certificates. However, you cannot revoke these certificates because they are issued by external CAs.


6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

To block certificates for the local computer

1. Click Start, click Start Search, type mmc, and then press ENTER.

2. On the File menu, click Add/Remove Snap-in. Under Available snap-ins, double-click Certificates, click Add. In the option This snap-in will always manage certificates for, select Computer account, then select Local computer and click Finish.

3. If you have no more snap-ins to add to the console, click OK.

4. Expand the Certificates snap-in.

5. Right-click the Untrusted Certificates store.

6. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.
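The local-computer procedure above, as an added PowerShell example that is not part of the Microsoft guide, followed by a check that CryptoAPI now rejects the certificate. It assumes Windows PowerShell 5.1 with the PKI module (Windows 8 / Windows Server 2012 or later), an elevated session, and a constructed path .\untrusted.cer for the certificate to block.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft guide). Assumed input: .\untrusted.cer
param([string]$CerPath = '.\untrusted.cer')

# Build a chain for the certificate and report the trust outcome. Revocation is
# switched off so the result depends only on the trust stores, not on the network.
function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $valid
        Status  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

'Before blocking:'
Test-CertificateChain -Certificate $cert

# "Untrusted Certificates" in the snap-in is the Disallowed store. A certificate in
# it is rejected even if it chains to a trusted root, which is why it is the right
# tool for a certificate you cannot get revoked because another organization issued it.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null

'After blocking:'
# Expected: Valid is False and Status contains ExplicitDistrust.
Test-CertificateChain -Certificate $cert
```

The same Import-Certificate call with Cert:\LocalMachine\CA as the store location is the single-machine equivalent of the intermediate CA deployment in Scenario 3. For the domain-wide block, use the Group Policy procedure above; on a client, the policy-deployed entries land in the Group Policy physical store of Disallowed and show up in the same Cert:\LocalMachine\Disallowed view, so the Test-CertificateChain function can be used unchanged to confirm that the GPO has taken effect.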

Scenario 5: Handling Large Certificate Revocation Lists

In this scenario, you are responsible for managing the security environment of your domain.


2. On the File menu, click Add/Remove Snap-in.

If you are editing the Group Policy object for the local computer, under Available snap-ins, double-click Local Group Policy Object Editor, click Add, and then click Finish.

If you are editing the Group Policy object for the domain, under Available snap-ins, double-click Group Policy Management Editor, click Browse and select the Default Domain Policy object or select the domain, then click Finish.

3. If you have no more snap-ins to add to the console, click OK.

4. In the console tree, go to Default Domain Policy or Local Computer Policy, Computer Configuration, Windows Settings, Security Settings and click Public Key Policies. Then select Certificate Path Validation Settings.

5. Select the Network Retrieval tab.

6. In the Default retrieval timeout settings section, select the Default URL retrieval timeout (in seconds) option.

7. Enter the desired timeout value.

8. Click OK to apply the new settings.

The following figure is a screenshot of the Network Retrieval tab of the Certificate Path Validation Settings Properties dialog box.
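A way to see what the URL retrieval timeout actually changes, added here as an example that is not part of the Microsoft guide: build a chain with online revocation checking under different per-URL timeouts and watch whether the chain engine gives up on the CRL. It assumes Windows PowerShell 5.1, network reachability of the CRL and OCSP URLs in the certificate, and a constructed path .\server.cer for a certificate whose issuer publishes a large CRL. The registry value names read at the end are an assumption about how the Certificate Path Validation Settings policy is stored and should be confirmed on your build.

```powershell
# Added example (not from the Microsoft guide). Assumed input: .\server.cer
param([string]$CerPath = '.\server.cer')

function Test-RevocationRetrieval {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Per-URL timeout for this process. 0 means "use the CryptoAPI default", and
        # that default is what the Network Retrieval tab changes for the whole machine.
        [int]$TimeoutSeconds = 0
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [type]"$x509.X509RevocationMode" | ForEach-Object { $_::Online }
    $chain.ChainPolicy.RevocationFlag = [type]"$x509.X509RevocationFlag" | ForEach-Object { $_::EntireChain }
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $watch = [System.Diagnostics.Stopwatch]::StartNew()
    $built = $chain.Build($Certificate)
    $watch.Stop()

    # Fold every status flag into one value so combined entries are handled too.
    $flags = [type]"$x509.X509ChainStatusFlags"
    $all = $flags::NoError
    foreach ($s in $chain.ChainStatus) { $all = $all -bor $s.Status }

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        TimeoutSeconds = $TimeoutSeconds
        ElapsedSeconds = [math]::Round($watch.Elapsed.TotalSeconds, 2)
        Built          = $built
        # Either flag means no usable CRL/OCSP answer arrived in time. The fix the
        # scenario describes is a larger timeout (or cumulative timeout), not
        # turning revocation checking off.
        RevocationStatusUnknown = (($all -band $flags::RevocationStatusUnknown) -ne 0)
        OfflineRevocation       = (($all -band $flags::OfflineRevocation) -ne 0)
        Status                  = $all.ToString()
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# The first successful retrieval is cached by the chain engine, after which every
# timeout looks fine. Clear the cache between runs with:  certutil -urlcache * delete
foreach ($seconds in 0, 2, 60) {
    Test-RevocationRetrieval -Certificate $cert -TimeoutSeconds $seconds
}

# Machine-wide default written by the Network Retrieval tab. Value names are an
# assumption (see lead-in); confirm against your build before relying on them.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
if (Test-Path -Path $policyKey) {
    Get-ItemProperty -Path $policyKey |
        Select-Object ChainUrlRetrievalTimeoutMilliseconds, ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
} else {
    'No Certificate Path Validation Settings policy is applied on this computer.'
}
```

A run that shows RevocationStatusUnknown at 2 seconds but not at 60 is the signature of a CRL that is too large for the default timeout; a run that shows it at every value points at a download problem (proxy, firewall, dead CDP URL) that no timeout will fix. Measure on a client with the Group Policy applied and the cache cleared, because a cached CRL masks the setting entirely.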