Information Security Buzz
Getting Past The Noise With Auto-Enrollment Certificates

By ISBuzz Team, October 10, 2019

In any enterprise there are tens of thousands, if not hundreds of thousands, of digital certificates in use, protecting everything from web servers to device authentication and data encryption. At this scale, it can seem like a never-ending battle to inventory and keep track of every certificate. With limited IT resources, many organizations choose to narrow the scope of the certificates they manage rather than take on the task of securing everything. Manually issued certificates (for example, SSL/TLS certificates for public-facing web servers) get all the attention, while Active Directory (AD) auto-enrollment certificates are easily overlooked.

AUTO-ENROLLMENT OVERVIEW

If you are not familiar with auto-enrollment, it is a function of Active Directory Certificate Services (ADCS), switched on through a Group Policy Object (GPO), that lets domain users and devices request certificates from an enterprise CA based on the certificate templates they are permitted to auto-enroll for. In most cases, no user interaction is required.

Auto-enrollment automates the issuance of certificates to the Microsoft certificate store on Windows PCs and servers. For example, Internet Information Services (IIS) and Exchange Server use the Microsoft certificate store. It also allows certificates to be automatically renewed and updated. Simple, right?
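The following PowerShell script is an added example, not code from the article. It shows what auto-enrollment leaves behind on a single Windows host: it checks whether the auto-enrollment GPO actually applies to the machine (the GPO writes the `AEPolicy` value under `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment`) and then inventories every certificate in the machine store that carries an ADCS template extension, flagging imminent expiry, weak RSA keys and exportable private keys. It assumes Windows PowerShell 5.1 on a domain-joined machine; the thresholds are illustrative.

```powershell
# Added example, not from the article. Inventories template-issued (auto-enrolled)
# certificates in the local machine store and checks whether the auto-enrollment
# GPO actually applies to this host. Assumes Windows PowerShell 5.1 on a domain-joined
# machine; the OIDs are the standard ADCS template extensions.

$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7',   # Certificate Template Information (v2+ templates)
    '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates)
)
$WarnDays   = 30     # illustrative thresholds
$MinKeyBits = 2048

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) {
            # Format() renders e.g. "Template=Workstation Authentication(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return $null   # no template extension: not issued from an ADCS template (public CA, self-signed, ...)
}

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # PublicKey.Key works for RSA; ECC/CNG keys may throw, which we treat as "not RSA".
    try { return [int]$Cert.PublicKey.Key.KeySize } catch { return $null }
}

function Test-AutoEnrollmentPolicy {
    # The GPO "Certificate Services Client - Auto-Enrollment" writes AEPolicy here.
    # Bit 0x8000 set means Disabled; a missing value means no policy applies (Not Configured).
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)    { return 'NotConfigured' }
    if ($value -band 0x8000) { return 'Disabled' }
    return ('Enabled (AEPolicy=0x{0:X})' -f $value)
}

function Get-AutoEnrolledCertificateReport {
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $template = Get-TemplateName -Cert $cert
        if (-not $template) { continue }
        $keySize = Get-RsaKeySize -Cert $cert
        # CspKeyContainerInfo exists only for CAPI keys; for CNG keys PrivateKey is $null and this stays $null.
        $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
        $daysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Template   = $template
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            RsaKeyBits = $keySize
            Exportable = $exportable
            Finding    = @(
                if ($daysLeft -le $WarnDays)                { "expires in $daysLeft days" }
                if ($keySize -and $keySize -lt $MinKeyBits) { "RSA key $keySize < $MinKeyBits" }
                if ($exportable)                            { 'private key exportable' }
            ) -join '; '
        }
    }
}

"Auto-enrollment policy on ${env:COMPUTERNAME}: $(Test-AutoEnrollmentPolicy)"
$report = Get-AutoEnrolledCertificateReport
$report | Sort-Object DaysLeft | Format-Table Template, Subject, DaysLeft, RsaKeyBits, Exportable, Finding -AutoSize
# Anything with a Finding needs a human. An imminent expiry can be nudged with `certutil -pulse`,
# which fires the auto-enrollment task immediately instead of waiting for logon or the 8-hour timer.
$report | Where-Object Finding
```

Run it from an elevated prompt so the private-key metadata is readable. A certificate that shows up here with a template name but no matching GPO ("NotConfigured" or "Disabled") is one that will never renew on its own, which is exactly the case the rest of the article is about.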

CERTIFICATES IN A HAYSTACK

In a perfect world, IT and security teams who are responsible for public key infrastructure (PKI) would never have to worry about auto-enrolled certificates. But the reality is that these certificates can cause considerable security gaps or disruptive outages if not properly monitored throughout their lifecycle.

Every certificate expires. Monitoring auto-enrollment means looking past all the successful certificate renewals to locate those that may soon fail. Imagine for a moment that you have 10,000 workstations, each with a client certificate, and a handful of them have not renewed within the renewal threshold defined in your group policy object (GPO). Finding and replacing these certificates before they expire can be a lot like finding a needle in a haystack, especially if you’re not utilizing a certificate lifecycle automation platform.

WHY AUTO-ENROLLMENT MATTERS

With increased pressure on IT teams today, it comes as no surprise that IT and security professionals sometimes ignore issues if they do not see an immediate problem. However, these issues often worsen over time if they are overlooked, leading to more serious problems down the line. Here are three reasons why your auto-enrolled certificates must be part of your overall public key infrastructure (PKI) strategy.

Crypto Agility

As cryptographic standards evolve, there is a constant need to audit your issued certificates and identify any that are out of policy or use outdated keys or algorithms. Your organization is counting on you to be proactive and preventative. As such, you must be able to report on the security profile of your entire certificate landscape, which of course includes auto-enrolled certificates. For example, auto-enrolled certificates issued with 1024-bit RSA keys remain valid for the rest of their validity period even after the template has been changed to require 2048-bit keys; the template change only affects new enrollments and renewals. Having the ability to quickly identify and re-issue these non-compliant certificates in bulk can prevent disruptive situations that require remediation.
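The following PowerShell script is an added example, not code from the article, and serves both this section and the "Certificates in a Haystack" section above. It pulls the issued-certificate rows out of the CA database with the built-in `certutil -view` command and answers the two questions those sections raise: which still-valid certificates carry RSA keys below the current minimum, and which requesters have a newest certificate that is about to expire with no renewal behind it. It assumes the caller has Read permission on the CA and that `$CaConfig`, the thresholds and the revoke reason code are placeholders to adjust for your environment.

```powershell
# Added example, not from the article. Queries the issuing CA's database with the
# built-in certutil tool and reports two things: issued certificates whose RSA key is
# below the current minimum (the crypto-agility case) and auto-enrolled certificates
# that are close to expiry with no newer certificate for the same requester and
# template, i.e. renewals that have silently failed (the haystack case).
# Assumptions: run by a user with Read permission on the CA; $CaConfig is a placeholder
# for your own "CAHost\CAName"; thresholds are illustrative.

$CaConfig   = 'ca01.corp.example\Corp-Issuing-CA'   # assumed, replace with your CA
$MinKeyBits = 2048
$WarnDays   = 30

function Get-IssuedCertificates {
    param([string]$Config)
    # Disposition 20 = issued. -out takes CA database schema column names; certutil prints
    # localized display names as the CSV header, so we supply our own header and skip that row.
    $columns = 'RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter,SerialNumber,PublicKeyLength,PublicKeyAlgorithm'
    $csv = & certutil -config $Config -view -restrict 'Disposition=20' -out $columns csv
    if ($LASTEXITCODE -ne 0) { throw "certutil failed (exit code $LASTEXITCODE): $($csv -join ' ')" }
    $culture = [cultureinfo]::CurrentCulture   # certutil formats dates in the local culture
    $csv | ConvertFrom-Csv -Header ($columns -split ',') | Select-Object -Skip 1 |
        Where-Object { $_.RequestID -match '^\d+$' } |     # drops the header row and any trailer text
        ForEach-Object {
            [pscustomobject]@{
                RequestID           = [int]$_.RequestID
                RequesterName       = $_.RequesterName
                CertificateTemplate = $_.CertificateTemplate
                NotBefore           = [datetime]::Parse($_.NotBefore, $culture)
                NotAfter            = [datetime]::Parse($_.NotAfter, $culture)
                SerialNumber        = $_.SerialNumber
                PublicKeyLength     = [int]$_.PublicKeyLength
                PublicKeyAlgorithm  = $_.PublicKeyAlgorithm
            }
        }
}

function Find-WeakKeys {
    param($Certs, [int]$MinBits)
    $now = Get-Date
    # Still-valid RSA certificates under the minimum: these were issued before the template
    # was tightened and the template change did nothing for them. The algorithm column may
    # show the name or the OID, so match both.
    $Certs | Where-Object {
        $_.NotAfter -gt $now -and
        $_.PublicKeyAlgorithm -match 'RSA|1\.2\.840\.113549\.1\.1\.1' -and
        $_.PublicKeyLength -lt $MinBits
    }
}

function Find-StaleRenewals {
    param($Certs, [int]$Days)
    $now = Get-Date
    # A renewal is a NEW request row; the old row stays "issued" until it expires, so the
    # database is full of soon-to-expire rows that are perfectly healthy. Look only at the
    # newest unexpired certificate per requester+template: if even that one is inside the
    # warning window, auto-enrollment has not renewed it.
    $Certs | Where-Object { $_.NotAfter -gt $now } |
        Group-Object -Property RequesterName, CertificateTemplate |
        ForEach-Object {
            $latest = $_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1
            if (($latest.NotAfter - $now).TotalDays -le $Days) { $latest }
        }
}

$certs = Get-IssuedCertificates -Config $CaConfig

$weak = @(Find-WeakKeys -Certs $certs -MinBits $MinKeyBits)
"$($weak.Count) valid certificates with RSA keys below $MinKeyBits bits"
$weak | Format-Table RequestID, RequesterName, CertificateTemplate, PublicKeyLength, NotAfter -AutoSize
# Bulk remediation is re-enroll first, revoke second. The revoke commands are printed, not run;
# reason code 4 = Superseded.
$weak | ForEach-Object { "certutil -config `"$CaConfig`" -revoke $($_.SerialNumber) 4" }

$stale = @(Find-StaleRenewals -Certs $certs -Days $WarnDays)
"$($stale.Count) requesters whose newest certificate expires within $WarnDays days (no renewal seen)"
$stale | Sort-Object NotAfter | Format-Table RequesterName, CertificateTemplate, NotAfter, RequestID -AutoSize
```

The grouping step is the whole point: a naive "expires within 30 days" query returns every superseded certificate in the database and buries the handful of real failures. Grouping by requester and template and keeping only the newest row is what lets you look past the successful renewals.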

Misconfiguration

Group policies drive the issuance and usage of auto-enrolled certificates, requiring regular changes and updates over time. Since these changes are performed manually, errors and oversights are not uncommon. In a high-volume PKI environment, a minor misconfiguration can lead to a large-scale issue. Certificate templates can easily be misconfigured leaving you with thousands of certificates to locate, revoke and re-issue across your network.

Without the right tools to monitor your Microsoft CA (certificate authority), a misconfigured policy can lead to over-issuance of certificates, or worse, certificates that are out of compliance with your security policies. In some cases, we’ve seen auto-enrolled user certificates granted a validity period beyond what is acceptable by their organization. Other times, we’ve seen more serious issues, such as allowing the export of private keys (a big security concern). This is where setting issuance thresholds on your Microsoft CA and continuously monitoring your certificate landscape can help you get in front of rogue or non-compliant certificates that can wreak havoc in your environment.
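The following PowerShell script is an added example, not code from the article. It audits the certificate templates published in the forest for the misconfigurations described above (exportable private keys, validity beyond policy, weak minimum key size), restricted to templates that are flagged for auto-enrollment. It reads the templates directly from the Configuration partition with `[ADSI]`, so it needs no RSAT module; the flag values are taken from the MS-CRTD template specification, and the policy limits are illustrative placeholders.

```powershell
# Added example, not from the article. Audits every certificate template published in
# the forest for the misconfigurations described above: exportable private keys,
# over-long validity and weak minimum key size, restricted to templates flagged for
# auto-enrollment. Assumes a domain-joined host whose user can read the Configuration
# partition (the default for Authenticated Users); uses plain [ADSI], no RSAT module.
# Flag values follow the MS-CRTD template specification; the policy limits are illustrative.

$MaxValidityDays = 365
$MinKeyBits      = 2048
$CT_FLAG_AUTO_ENROLLMENT = 0x20   # bit in msPKI-Enrollment-Flag
$CT_FLAG_EXPORTABLE_KEY  = 0x10   # bit in msPKI-Private-Key-Flag

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is an 8-byte little-endian negative count of 100-ns intervals,
    # the same encoding AD uses for durations such as lockout times; TimeSpan ticks are 100 ns.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -ne 8) { return $null }
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [timespan]::FromTicks(0 - $ticks)
}

function Get-CertificateTemplates {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = [string]$rootDse.configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($t in $container.Children) {
        $enrollFlags  = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        $privKeyFlags = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
        $validity     = ConvertFrom-PkiPeriod -Bytes ([byte[]]$t.Properties['pKIExpirationPeriod'].Value)
        [pscustomobject]@{
            Name          = [string]$t.Properties['cn'].Value
            SchemaVersion = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
            AutoEnroll    = [bool]($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT)
            ExportableKey = [bool]($privKeyFlags -band $CT_FLAG_EXPORTABLE_KEY)
            MinKeySize    = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
            ValidityDays  = if ($validity) { [int]$validity.TotalDays } else { $null }
        }
    }
}

function Test-TemplatePolicy {
    param($Template)
    $issues = @(
        if ($Template.ExportableKey)                                     { 'private key exportable' }
        if ($Template.ValidityDays -gt $MaxValidityDays)                 { "validity $($Template.ValidityDays)d > $MaxValidityDays" }
        if ($Template.MinKeySize -gt 0 -and $Template.MinKeySize -lt $MinKeyBits) { "min key $($Template.MinKeySize) < $MinKeyBits" }
    )
    $issues -join '; '
}

$templates = Get-CertificateTemplates
# The enrollment flag is necessary but not sufficient: a template is only auto-enrolled
# where it is published on a CA and the principal holds the Autoenroll permission on it.
$autoEnroll = $templates | Where-Object AutoEnroll
$autoEnroll |
    Select-Object Name, SchemaVersion, ExportableKey, MinKeySize, ValidityDays,
                  @{ n = 'Issues'; e = { Test-TemplatePolicy $_ } } |
    Format-Table -AutoSize
# Fixing a template only changes future enrollments; certificates already issued under the
# old settings stay valid until they expire or are revoked and re-issued.
```

Treat any non-empty `Issues` column on an auto-enrolled template as urgent, because auto-enrollment will keep issuing from that template on every logon and every 8-hour cycle until it is corrected. Correcting the template stops the bleeding; the certificates it already produced still have to be found in the CA database and re-issued.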

Missed Renewals

Auto-enrolled certificates sometimes fail to renew, which can be difficult to catch – that is, until the end-user is impacted. Depending on your deployment, the impact of an expired certificate can range from a minor inconvenience for a single user to a widespread or mission-critical application outage. Either way, it causes unnecessary interruptions to productivity and generally some downtime to fix.

Not every organization is in the life-saving business, but for those that are, an expired certificate could mean the difference between life and death. Take the example of healthcare, and a surgical team who need continuous access to their workstations in the operating room. Surgeons cannot risk losing access to critical medical information during a procedure simply because a certificate on the machine failed to renew. This is where monitoring tools that alert on upcoming expirations can prevent downtime that could affect a patient's life.

THE SOLUTION

Whether it’s staying ahead of evolving security standards or avoiding certificate-related outages, your Microsoft CA and all certificates issued from it should be actively managed and monitored. Not only will this help you avoid unnecessary downtime, it’s simply best practice to keep an inventory of ALL keys and digital certificates across your environment.
