Operating System Roles That Can Use Certificate Services
In addition to the CA-specific roles, you can use several operating system roles to strengthen the role-based security model for certificate services. These roles either exist as default groups or can be created as custom groups that have been granted specific user rights and permissions. The operating system roles are:
Backup Operator: Has the Back up files and directories right and the Restore files and directories right. Backup Operators can also stop the Certificate Service (but they cannot start it again).
Auditor: Has the Manage auditing and security log permission. Users with this permission can configure, view, and maintain the audit logs. The role of auditor should be held by someone outside of normal IT operations as well as by IT employees.
Enrollees: Have the authority to request certificates from the CA. By default, the Enroll permission is granted to Authenticated Users. This can be changed by granting the Enroll permission to some other built-in or custom group or groups and removing the permission from Authenticated Users. Note that Enrollees are authorized only to request certificates; a certificate request can still be refused. If certificates are issued manually, each request can be reviewed and either granted or denied. If certificates are issued automatically, permissions on certificate templates should be used to restrict issuance to authorized security principals.
Administrator: Has full control by default. If separation of roles is enabled, the Administrator retains the right to renew CA keys and certificates and to perform bulk deletion of rows in the CA database.
By default, all CA roles are assigned to Administrators of the CA computer. Enterprise CAs are always domain member computers and thus can be managed by members of the local Administrators group of the CA computer, the Enterprise Administrators group, and the Domain Administrators group. Stand-alone CAs are managed by Domain Administrators and local Administrators when joined to a domain, and by local Administrators when their systems are stand-alone. CA-specific roles are assigned to groups or users (local or domain, depending on computer domain membership) by using the Certification Authority console. Operating system roles are assigned in the usual manner, by using Active Directory Users and Computers in a domain, and Computer Management on a stand-alone system.
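One way to review the CA-specific role assignments described above is to read the CA's security descriptor from the CertSvc registry configuration and decode it. This PowerShell script is an added example, not part of the training kit; it assumes it runs elevated on the CA itself and that the CA_ACCESS_* bit values it maps (Manage CA = 0x1, Issue and Manage Certificates = 0x2, Auditor = 0x4, Backup Operator = 0x8, Read = 0x100, Enroll = 0x200) are the ones stored in that descriptor.

```powershell
# Added example (not from the training kit). Decodes the CA's security descriptor
# and reports which principals hold which CA roles, flagging any principal that
# holds both Manage CA and Issue and Manage Certificates. Run elevated on the CA.
$RoleBits = [ordered]@{
    0x001 = 'Manage CA (CA Administrator)'
    0x002 = 'Issue and Manage Certificates (Certificate Manager)'
    0x004 = 'Auditor'
    0x008 = 'Backup Operator'
    0x100 = 'Read'
    0x200 = 'Request Certificates (Enroll)'
}

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # name of the active CA
$caKey  = Join-Path $cfg $caName

# RoleSeparationEnabled missing or 0 means one principal may hold every CA role
# (same value certutil -getreg CA\RoleSeparationEnabled reports).
$sep = (Get-ItemProperty -Path $caKey -Name RoleSeparationEnabled -ErrorAction SilentlyContinue).RoleSeparationEnabled
"CA: $caName   RoleSeparationEnabled: $(if ($sep) { $sep } else { 0 })"

# The Security value is a binary self-relative security descriptor
$bytes = (Get-ItemProperty -Path $caKey -Name Security).Security
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0

foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
    $roles = foreach ($bit in $RoleBits.Keys) { if ($ace.AccessMask -band $bit) { $RoleBits[$bit] } }
    $flag = ''
    if (($ace.AccessMask -band 0x003) -eq 0x003) {
        $flag = '  <-- holds both CA Administrator and Certificate Manager'
    }
    '{0,-40} {1}{2}' -f $who, ($roles -join '; '), $flag
}
```

On a default installation the report shows the local Administrators group (and, on an enterprise CA, the domain and enterprise administrator groups) holding every role, which is the state the text describes before role separation is applied.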
The operating system administrator is not the same as the CA Administrator. Although the computer Administrator role might be needed to perform some duties on behalf of the CA, assigning the CA Administrator role does not grant a user computer Administrator privileges. The CA Administrator role applies only to specific CA-related tasks.
Off the Record: Key archival provides an example of how the role separation between CA Administrator and Certificate Manager provides separation of duties. When key archival is used, the copy of the private key is encrypted and the key "blob" (the encrypted key) is stored in the CA database. Only the Certificate Manager can retrieve this blob, but only a valid Key Recovery Agent can decrypt the key data. The Key Recovery Agent role is not a CA administrative role, but it is important to proper CA functioning. The Key Recovery Agent cannot, on his own, retrieve user keys and decrypt them. The Certificate Manager can retrieve the key blob but cannot decrypt it. Thus neither, on his own, can obtain and use private keys that belong to others. One would have to be in cahoots with the other, a situation that is not likely to happen.