You need to ensure that you can manage the certificates on the CA. What should you do?

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 is an
enterprise root certification authority (CA) for contoso.com.
Your user account is assigned the certificate manager role and the auditor role on the
contoso.com CA. Your account is a member of the local Administrators group on Server1.
You enable CA role separation on Server1.
You need to ensure that you can manage the certificates on the CA.
What should you do?


A. Remove your user account from the local Administrators group.

B. Assign the CA administrator role to your user account.

C. Assign your user account the Bypass traverse checking user right.

D. Remove your user account from the Manage auditing and security log user right.

Nuvin

https://technet.microsoft.com/en-us/library/cc773161(v=ws.10).aspx

Before role separation is enabled, each user assigned a CA role on the CA must only be assigned a single CA role on that CA. If a user is assigned more than one CA role, when role separation is enabled, the Certificate Services service will detect that a user has more than one role and deny the user’s attempts to operate the CA.

Nuvin

So D is correct.

Rick

This is a catch-22 question.

First, you cannot remove any roles until you disable role separation. Then you could remove the auditor role. (https://technet.microsoft.com/en-us/library/cc773161(v=WS.10).aspx).

However, this is a local admin account, and by default, the local admin holds the system audit user right (https://technet.microsoft.com/en-us/library/cc732590.aspx). So you can only remove the auditor role by removing the user account from the local admin group.

Then, since only local admins can enable role separation, you would have to have another member of the local admin group enable role separation.

Horrible question to put in a test, since none of the answers on the test are correct.

Joe

Initially thought A (remove your account from local administrators) but this won’t change anything, you still have 2 roles assigned to your account. For role separation to work you must only have 1 role, so you must remove 1 of the roles.
If you assign yourself to be CA administrator, you still have the same problem of being assigned more than 1 role. C would also still leave you with more than 1 role.
D is the only one that makes sense, as you will then only be assigned 1 role (certificate manager).
Therefore D is the obvious answer.

Joe

But then again, you are assigned auditor rights by being a local administrator, so it could still be A, as you cannot remove rights without removing your account from the local Administrators group unless you remove the right to the auditor role for local administrators.

Mohamed Bendary

To correct this configuration, the local Administrator of the server must disable role separation, remove the CA Administrator from the second role, and then restart the Certificate Services service. Following these steps, role separation can be enabled again.

Following this link: https://technet.microsoft.com/en-us/library/cc773161(v=ws.10)

So the answer must be: A

den

The question states that the roles are assigned on the domain level, not locally. So because two roles are assigned and it will only work with one assignment, you will have to remove membership of the audit role. Just removing the local administrator privilege will not accomplish the mission.

joe

I think this may be A after looking further into it…

If you remove the user account from the local administrators group this will also remove the auditor rights from the users account. This is assuming that the user has only got these rights as a result of being a local admin and has not also had their user account added to the auditor rights. If the user has only gotten their auditor rights as a result of being a local admin, then removing them from local admins would be the only way to remove auditor rights.
You could remove local admins from the auditor rights assignment but I would have thought it is not very smart to start removing the local admins rights.

So I would go with remove your user account from the local administrator group which would also accomplish removing the auditor rights from your account.

de babba

A
local Administrators group = admin right and audit right
so you do not have to grant the audit right separately.
So you have two roles certificate manager role + local administrators role which includes audit role. That conflicts with role separation. Role separation just allows one role!
When you remove the local administrators role everything works fine. I just tried it in a lab!

Rick

An AD CS CA offers the option to enforce Common Criteria (CC) role separation, which is used to separate CA support into predefined CA roles. Each role is eligible to perform a specific subset of CA functionality. Users can be assigned to only one role, and if they are assigned to more than one role, they are unable to perform any CA-related activities. The table below describes the different roles available that are subject to role separation:

BobSmith is right. Read the article he posted.

D is the answer.

Alexandre Ferreira

Correct Answer: D
The separation of CA roles can be enforced using role separation.
Once enforced, role separation only allows a user to be assigned a single role.
If a user is assigned to more than one role and attempts to perform an operation on the CA, the operation is denied.
For this reason, before role separation is enabled, a user should be assigned only one CA role.

Aberdeen Angus

I think de babba is right, A.

I can’t see what D achieves because the “Manage auditing and security log” right is assigned to the local Administrators group by default, and the scenario says “Your account is a member of the local Administrators group on Server1”. This right can’t be taken away from Administrators obviously or other admins won’t be able to do it. So the only way to remove this right from your account is to be out of the local Administrators group.

Plus MS say this is good practice anyway, from https://technet.microsoft.com/en-us/library/dn786426.aspx:
“With highly secure systems such as CAs, the number of accounts that are members of the local administrators group should be kept to a minimum. In an AD CS deployment, if an attacker gains access to an account with administrative access to the CA, there is a high likelihood they will be able to create certificates that will allow them to gain privileged access to the Active Directory®. For online CAs, consider limiting administrative access to only dedicated accounts used for management of the PKI.”
And the requirement is only “You need to ensure that you can manage the certificates on the CA”

Also by default the local Administrators group has the “Manage CA” permission, the requirement is for this account not to have that.

WhiteNight

Answer: A. Remove your user account from the local Administrators group

After 2 days of research and finally breaking down to do this in my lab, I have come to the conclusion which most of you already know: the answer is A, “Remove your user account from the local Administrators group”. I created the lab, same as the question, and tried to access the AD CS server. I was able to read and view certs, but could not save any changes or create a new cert. I removed my local Administrator role and I was able to work within the AD CA as normal. I didn’t have to disable my permissions for Manage auditing and security log as I knew what the answer was, but I did, and enabled my local Administrator. I could not work in AD CS. I could read and access, but could not change anything.

Explanation:
Local Administrator: Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a non-administrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration.

Local Administrator: Install CA’s, Renew CA keys, Enable/Disable Role separation.
CA Administrator (domain administrators are also CA administrators): Configure policy and exit modules, Stop and start the AD CS service, configure extensions, configure roles, define key recovery agents, configure certificate manager restrictions, delete a single row in the CA database, Enable, publish, or configure certificate revocation list (CRL) schedules, Read the CA database, Read CA configuration information.
Auditor: Configure audit parameters, Audit logs, Read the CA database, Read CA configuration information

CA administrator: Manage CA: Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. These permissions are assigned by using the Certification Authority snap-in.

Auditor: Manage auditing and security log: Configure, view, and maintain audit logs. Auditing is an operating system feature. Auditor is an operating system role.

All CA roles are assigned and modified by members of local Administrators, Enterprise Admins, or Domain Admins. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default. Only local administrators are CA administrators by default on a stand-alone CA.

If a stand-alone CA is installed on a server that is joined to an Active Directory domain, domain administrators are also CA administrators.

To ensure that a Windows account is assigned only a single CA management role (for example, either the CA administrator or certificate manager role), you must enable role separation on your Windows CA. When role separation is enabled, the Windows CA automatically blocks a user that is assigned two different CA management roles from performing any CA management-related tasks.

Manage auditing and security log
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description
Determines which users can specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user with this right can use the security tab in the security permission set editor’s Properties dialog box to specify auditing options for the selected object.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only administrators have the privilege to manage auditing and the security log.

Note
This policy does not allow a user to specify that file and object access auditing be enabled in general. In order for such auditing to take place, the Audit object access setting under Audit Policies must be configured. Audited events are viewed in the security log of the Event Viewer. A user with this policy can also view and clear the security log.

Local Administrator and Domain Admin are roles
Manage auditing and security log is a user right and not a role

Source:
https://technet.microsoft.com/en-us/library/cc957161.aspx
https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx#Roles_and_activities (very helpful)
https://technet.microsoft.com/en-us/library/cc732590(v=ws.11).aspx
https://social.technet.microsoft.com/Forums/en-US/71458d7a-a6e1-4865-a242-b8e4da2150d9/role-separation-would-a-local-ca-server-admin-be-considered-to-hold-a-ca-role?forum=winserversecurity
http://windowsitpro.com/security/q-how-can-i-make-sure-given-windows-account-assigned-only-single-certification-authority-ca
https://www.youtube.com/watch?v=J8y4G0dD-hg
https://technet.microsoft.com/en-us/library/dn786426(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc731885(v=ws.11).aspx
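A PowerShell check, added here and not posted by any commenter, that reports which CA roles the current account holds on a local AD CS CA and flags the role-separation conflict the thread describes (certificate manager plus the auditor right inherited from local Administrators). It assumes the CertSvc registry layout shown in the comments, that the CA's Security value is a self-relative security descriptor, and the certsrv access-mask bits 0x1 (Manage CA) and 0x2 (Issue and Manage Certificates); run it in an elevated PowerShell on the CA server so the token shows Administrators-derived privileges.

```powershell
# Assumed registry layout: the Active value names the CA, and the CA key holds
# RoleSeparationEnabled (DWORD) and Security (binary security descriptor).
$cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey = Join-Path $cfg (Get-ItemProperty -Path $cfg).Active
$props = Get-ItemProperty -Path $caKey

$roleSeparation = [bool]$props.RoleSeparationEnabled
$sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor `
                 -ArgumentList $props.Security, 0

# SIDs (user + groups) and privileges present in the current token.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = (@($me.User) + @($me.Groups)) | ForEach-Object { $_.Value }
$privs  = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'

# Walk the CA DACL; only Allow ACEs that match one of our SIDs count.
# Assumed mask bits: 0x1 = Manage CA, 0x2 = Issue and Manage Certificates.
$caAdmin = $false; $certMgr = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne 'AccessAllowed') { continue }
    if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
    if ($ace.AccessMask -band 0x1) { $caAdmin = $true }
    if ($ace.AccessMask -band 0x2) { $certMgr = $true }
}

# Auditor is an OS role: the "Manage auditing and security log" user right.
$auditor    = $privs -contains 'SeSecurityPrivilege'
$localAdmin = $mySids -contains 'S-1-5-32-544'   # BUILTIN\Administrators

$roles = @()
if ($caAdmin) { $roles += 'CA administrator (Manage CA)' }
if ($certMgr) { $roles += 'Certificate manager (Issue and Manage Certificates)' }
if ($auditor) { $roles += 'Auditor (Manage auditing and security log)' }

"Role separation enabled : $roleSeparation"
"Local Administrators    : $localAdmin"
"CA roles held           : $($roles -join '; ')"
if ($roleSeparation -and $roles.Count -gt 1) {
    'CONFLICT: more than one CA role; the CA denies management operations.'
    if ($auditor -and $localAdmin) {
        'The auditor right here comes with local Administrators membership.'
    }
}
```

Deny ACEs are skipped for brevity; a full evaluation would honour them too.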

Wayne Fulton

Not my strongest area, this, but WhiteNight clearly knows what he is talking about; I'd like to see if it's tested as well!

The following did it for me…
Local Administrator and Domain Admin are roles
Manage auditing and security log is a user right and not a role

I shall be answering with A in the exam tomorrow.

BlinTUZ

Did you pass the exam? )