July 23, 2010 08:01 AM

Setting Up Network Device Enrollment Service

Windows Server 2008 R2’s feature lets you issue certificates to network devices
Windows IT Pro
InstantDoc ID #125385

If you have a large network with many network devices that need to be issued with a certificate that must also be trusted by Windows clients, Windows Server 2008 R2’s Network Device Enrollment Service (NDES) provides a solution for issuing and managing certificates.

NDES is Microsoft’s implementation of the Simple Certificate Enrollment Protocol. SCEP is an Internet-Draft standard developed by Cisco Systems and submitted to the Internet Engineering Task Force that helps solve the problem of manually requesting and installing certificates by enabling devices to enroll for X.509 v3 certificates from any CA that supports SCEP.

NDES in Server 2008 and later includes some welcome improvements over the old SCEP add-on, such as the ability to renew certificates using a previously issued certificate to validate the request.

Distributing certificates to Windows OSs from an Active Directory (AD) enterprise Certification Authority (CA) is relatively simple and can be automated using Group Policy Certificate Autoenrollment after a PKI is in place.

But to issue certificates to devices that don’t have accounts in AD, sysadmins must manually create Public-Key Cryptography Standards (PKCS) requests and install certificates on those devices. This can be a time-consuming task in organizations that have hundreds of devices that aren’t part of AD.

This article provides an overview of how to set up NDES as part of an already existing PKI, and the steps for issuing a network device with a certificate.

Due to the complexity of PKIs and the varying requirements for different scenarios, you should carefully study “Microsoft SCEP Implementation Whitepaper”  for how to implement NDES. You should also test thoroughly in a lab environment before deploying NDES in your production environment.

 

SCEP in Windows Server

NDES is a native component of Server 2008 (Enterprise and Datacenter editions only) and later, and can be installed on a machine that’s running a standalone CA or on a dedicated server that communicates with an issuing enterprise CA.

The NDES server role shouldn’t be installed on a device that’s running the enterprise CA role, to minimize the attack surface and protect the CA’s private key. NDES is intended for organizations that already have a PKI in place and want to issue certificates to network devices, such as routers and firewalls, to improve security by protecting network traffic with IPsec.

For example, this could include IPsec VPNs between routers or from notebooks to network edge devices. Not all devices support SCEP, so you should check with the equipment manufacturer.

Previous implementations of SCEP were available in the Windows Server 2003 Resource Kit or as a downloadable add-on for Windows 2000 Server, but differ from what’s outlined in this article. So if you’re working with versions of Windows earlier than Server 2008, you should check Microsoft’s website for details.

You can download the add-on for Windows 2003 at Microsoft’s site. For additional information, check out the Windows IT Pro article “Setting Up a VPN that Uses Certificates,” InstantDoc ID 49738.

 

NDES in Windows Server 2008 R2

Server 2008 R2 and Server 2008 SP2 include changes to NDES that let administrators more easily request and renew expired certificates. Single Password Mode, which can be enabled on the NDES machine by setting the HKEY_LOCAL_MACHINE\Microsoft\Cryptography\MSCEP\UseSinglePassword REG_DWORD registry value to 1, lets admins request a password for certificate enrollment that doesn’t expire, and is stored encrypted in the system registry.

This makes it easier to renew expired certificates, and a single password can be deployed to multiple network devices. Certificate renewal is enabled by default in Server 2008 R2 and Server 2008 SP2.
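The following PowerShell is an added example (not from the article) for auditing and switching the password mode described above. It assumes the MSCEP key’s full path is HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (where a default NDES install places it) and that it runs elevated on the NDES server.

```powershell
# Added example, not from the article. Assumes the MSCEP settings live under
# HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (default NDES install) and that
# this runs elevated on the NDES server.
$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesPasswordMode {
    # Value absent or 0 = default per-request, expiring passwords; 1 = Single Password Mode
    $item = Get-ItemProperty -Path $MscepKey -Name UseSinglePassword -ErrorAction SilentlyContinue
    if ($item -and $item.UseSinglePassword -eq 1) { 'SinglePassword' } else { 'PerRequest' }
}

function Set-NdesSinglePasswordMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Disable)
    $value = if ($Disable) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($MscepKey, "Set UseSinglePassword = $value")) {
        New-ItemProperty -Path $MscepKey -Name UseSinglePassword -PropertyType DWord `
                         -Value $value -Force | Out-Null
        # NDES reads its MSCEP settings when the IIS application starts, so recycle IIS
        iisreset | Out-Null
    }
}

"Current NDES password mode: $(Get-NdesPasswordMode)"
Set-NdesSinglePasswordMode -WhatIf    # dry run; drop -WhatIf to apply the change
```

Because a single password never expires and is shared by every device that enrolls with it, Get-NdesPasswordMode is worth running as part of a periodic PKI review.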

 

Design Considerations

If your PKI consists of a standalone CA, it should be in an isolated certification hierarchy that serves only SCEP-enabled devices. The root CA shouldn’t be trusted by other devices on the network.

If your organization uses Cisco equipment and Windows clients don’t need to trust network devices, you might be able to deploy a Cisco IOS Certification Authority server—a CA that runs on a Cisco device running Internetwork Operating System. Additionally, some devices have limited support for certain PKI configurations, including long encryption key lengths, subordinate CAs, and multi-tier PKI hierarchies.

 

Standalone or Enterprise CA?

Implementing NDES with a standalone CA that’s dedicated to providing network devices with certificates might be better suited to situations where Windows clients aren’t required to trust network devices; for instance, where router-to-router VPNs will be configured with IPsec encryption. An enterprise CA and an NDES server might be more convenient if Windows clients need to trust network devices for the purposes of establishing VPN connections.

 

Setting up NDES

Let’s install the NDES server role to communicate with an issuing enterprise CA. This is a typical setup where certificates are issued to network devices that will be trusted by domain-joined Windows clients. You’ll need an AD enterprise CA already in place, with a root CA configured and taken offline.

 

Prerequisites

Before installing NDES, we need to create two domain user accounts: NDES_Admin and NDES_ServiceAccount. The NDES_Admin account is used for installing the NDES server role and requesting an enrollment password.

The NDES_ServiceAccount is used to run the service and is specified during the setup process. Add NDES_Admin to the local Administrators group on the NDES box and to the Enterprise Admins group in the AD domain. Add the NDES_ServiceAccount account to the local IIS_IUSRS group on the NDES box.
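The account and group-membership steps above, scripted as an added example (not from the article). It assumes the RSAT ActiveDirectory module is available, that it runs on the NDES box as a user who can create AD users and modify Enterprise Admins (a forest-root-domain group), and that $Domain and $UsersPath are placeholders for your environment.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module (RSAT) is
# installed and the script runs on the NDES box with rights to create the accounts and
# edit Enterprise Admins. $Domain and $UsersPath are placeholders.
Import-Module ActiveDirectory

$Domain    = 'CONTOSO'                                 # placeholder NetBIOS domain name
$UsersPath = 'OU=Service Accounts,DC=contoso,DC=com'   # placeholder OU for the new accounts

function New-NdesAccount {
    param([string]$Name, [string]$Description)
    # Idempotent: reuse the account if it already exists
    if (Get-ADUser -Filter { SamAccountName -eq $Name }) { return (Get-ADUser -Identity $Name) }
    $pw = Read-Host -AsSecureString "Password for $Name"
    New-ADUser -Name $Name -SamAccountName $Name -Path $UsersPath -Description $Description `
               -AccountPassword $pw -Enabled $true -PassThru
}

$admin = New-NdesAccount 'NDES_Admin'          'Installs the NDES role and requests enrollment passwords'
$svc   = New-NdesAccount 'NDES_ServiceAccount' 'Runs the NDES service'

# NDES_Admin -> Enterprise Admins in the AD domain (as the article requires for installation)
Add-ADGroupMember -Identity 'Enterprise Admins' -Members $admin

# Local group membership on the NDES box, via the WinNT ADSI provider
function Add-LocalMember {
    param([string]$LocalGroup, [string]$Account)
    $group   = [ADSI]"WinNT://./$LocalGroup,group"
    $members = @($group.Invoke('Members') |
                 ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -notcontains $Account) { $group.Add("WinNT://$Domain/$Account,user") }
}
Add-LocalMember 'Administrators' 'NDES_Admin'
Add-LocalMember 'IIS_IUSRS'      'NDES_ServiceAccount'
```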

 

Duplicate the Certificates

Now we need to duplicate the CEP Encryption, Exchange Enrollment Agent (Offline Request) and IPsec (Offline Request) certificates. To do so, log in to your issuing CA as a domain administrator.

1.   Open the Certification Authority Microsoft Management Console (MMC) from Administrative Tools on the Start menu.

2.   In the left pane of MMC, expand the CA. Right-click the Certificate Templates folder and select Manage from the menu. The Certificate Templates MMC will open.

3.   In the Certificate Templates MMC, right-click the Exchange Enrollment Agent (Offline request) template and select Duplicate Template from the menu.

4.   In the Duplicate Template dialog box, select Windows Server 2008 Enterprise and click OK.

5.   In the Properties dialog box on the General tab, enter NDES Exchange Enrollment Agent (Offline request) into the Template display name box.

6.   Switch to the Security tab and click Add to assign permissions for the NDES_Admin account. Enter NDES_Admin into the box and click OK.

7.   Set permissions on the Security tab for NDES_Admin to Read and Enroll.

8.   Repeat steps 3 through 7 for the CEP Encryption template.

9.   Repeat steps 3 through 7 again for the IPsec (Offline Request) template. Additionally, we need to set permissions for NDES_ServiceAccount on the NDES IPsec (Offline Request) template to Read and Enroll.

10.  Close the Certificate Templates MMC.

11.  In the Certification Authority MMC, click the Certificate Templates folder in the left pane. The currently published templates will be displayed on the right.

12.  Right-click the Certificate Templates folder in the left pane and select New, Certificate Template to Issue from the menu.

13.  In the Enable Certificate Templates dialog box, which Figure 1 shows, select the three NDES templates and click OK.

 

Assign Permissions

We’ve got the necessary templates in place. Next, we need to assign accounts appropriate permissions to the issuing CA.

1.   In the Certification Authority MMC, right-click the CA in the left pane and select Properties from the menu.

2.   Select the Security tab and click Add to assign permissions for NDES_ServiceAccount.

3.   Type NDES_ServiceAccount into the box and click OK.

4.   Set permissions on the Security tab for NDES_ServiceAccount to Read and Request Certificates (see Figure 2).

5.   Click OK to close the properties dialog box.
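After working through the template and CA permission steps above, the following added example (not from the article) verifies the outcome: that the three NDES templates are published on the issuing CA, that the template ACLs in AD grant the expected Read and Enroll rights, and that NDES_ServiceAccount appears in the CA’s own security descriptor. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and placeholder values for $DomainNetBios and $CaConfig.

```powershell
# Added verification script, not from the article. Assumes the ActiveDirectory module
# (for Get-ADObject and the AD: drive) and that $DomainNetBios / $CaConfig are replaced
# with real values.
Import-Module ActiveDirectory

$DomainNetBios = 'CONTOSO'                              # placeholder
$CaConfig      = 'ca01.contoso.com\Contoso Issuing CA'  # placeholder "host\CA name"
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# 1. Which NDES templates does the issuing CA publish?
'NDES templates published on the CA:'
certutil -config $CaConfig -CATemplates | Where-Object { $_ -match 'NDES' }

# 2. Template ACLs in AD: Read + Enroll for the principals the article assigns
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$expected = @{
    'NDES Exchange Enrollment Agent (Offline request)' = @("$DomainNetBios\NDES_Admin")
    'NDES CEP Encryption'                              = @("$DomainNetBios\NDES_Admin")
    'NDES IPsec (Offline Request)'                     = @("$DomainNetBios\NDES_Admin",
                                                           "$DomainNetBios\NDES_ServiceAccount")
}

function Test-TemplateAccess {
    param([string]$DisplayName, [string[]]$Principals)
    $tmpl = Get-ADObject -SearchBase $templateDN `
            -Filter { objectClass -eq 'pKICertificateTemplate' -and displayName -eq $DisplayName }
    if (-not $tmpl) { return [pscustomobject]@{ Template = $DisplayName; Status = 'MISSING' } }
    $acl = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
    foreach ($p in $Principals) {
        $aces   = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $p -and
                                               $_.AccessControlType -eq 'Allow' }
        $read   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'Read' })
        $enroll = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'ExtendedRight' -and
                                                $_.ObjectType -eq $EnrollRight })
        [pscustomobject]@{ Template = $DisplayName; Principal = $p; Read = $read; Enroll = $enroll }
    }
}
$expected.GetEnumerator() | ForEach-Object { Test-TemplateAccess $_.Key $_.Value } | Format-Table -AutoSize

# 3. CA-level rights: the Request Certificates permission is listed as "Enroll" in certutil's decoded ACL
'CA security entries for NDES_ServiceAccount:'
certutil -config $CaConfig -getreg CA\Security | Where-Object { $_ -match 'NDES_ServiceAccount' }
```

Any template reported MISSING, or a principal with Read or Enroll set to False, points at a step above that was skipped or applied to the wrong template.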
