NDES Configuration Recommendations Checklist
(The Network Device Enrollment Service (NDES) is one of the role services of the Active Directory Certificate Services (AD CS) Windows Server role.)
The following recommendations should be followed when implementing and configuring NDES.
· Dedicated Server Roles – The NDES service should be installed on a dedicated server, and the Issuing CA should be on its own dedicated server. NDES is an IIS web application that is typically reachable by unmanaged devices, so a compromise of the NDES host must not also expose the CA's keys and database.
· Enterprise Subordinate CAs – An Enterprise CA should be used to issue the certificates requested through NDES. NDES issues against certificate templates, which only an Enterprise CA supports, and the issuing CA should be a subordinate so the offline root is never exposed to this traffic.
· Device Certificate Cryptography – A custom template should be used instead of the default IPSECIntermediateOffline template so that the validity period and minimum key size of device certificates can be set deliberately. The template names NDES uses are held in the EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate registry values under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP.
· Role Separation – Separate accounts should be used for the three distinct NDES roles: the installer who configures NDES and its CA permissions, the NDES service account under which the SCEP application pool runs, and the device administrator who obtains challenge passwords from the administrative page. No single account should hold all three sets of rights.
· Policy Modules – A policy module should be used to validate enrollment requests submitted to NDES (for example, checking the challenge password and the request contents against an external source of truth) before NDES forwards them to the CA.
· Private Key Protection – The private keys of the two NDES certificates (the Key Exchange certificate from the CEP Encryption template and the Key Signature certificate from the Exchange Enrollment Agent (Offline request) template) should be protected by an HSM to prevent unauthorized use. Operator Card Sets or any other per-use administrative authorization for these keys are unsupported, because NDES must use the keys unattended; module protection should be used instead.
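The checklist above can be turned into a read-only audit. The following PowerShell script is an added example for this page, not Microsoft's tooling or part of the original checklist; it runs in an elevated Windows PowerShell 5.1 session on the NDES host and reports deviations from the recommendations. The template, EnforcePassword and CAType registry values are the ones NDES writes at install time; the meaning of CAType (1 = enterprise CA) and the Modules\NDESPolicy registration path are assumptions and should be confirmed against your policy module's documentation.

```powershell
# Added example: audit an NDES server against the configuration checklist.
# Not part of the original page; registry paths marked ASSUMED are not verified here.
$Mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$DefaultTemplate = 'IPSECIntermediateOffline'    # template NDES uses out of the box
$CertRequestAgentEku = '1.3.6.1.4.1.311.20.2.1' # EKU carried by both NDES service certificates

function Get-NdesRegistryFindings {
    $findings = @()
    # Device Certificate Cryptography: each template slot should name a custom template
    foreach ($slot in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
        $tpl = (Get-ItemProperty -Path $Mscep -Name $slot -ErrorAction SilentlyContinue).$slot
        if (-not $tpl -or $tpl -eq $DefaultTemplate) {
            $findings += "$slot is '$tpl' (default template); use a custom template with a chosen validity and key size"
        }
    }
    # Enterprise Subordinate CAs: ASSUMED encoding, CAType 1 = enterprise CA, 0 = standalone CA
    $caType = (Get-ItemProperty -Path "$Mscep\CAType" -Name CAType -ErrorAction SilentlyContinue).CAType
    if ($caType -ne 1) { $findings += "CAType is '$caType'; NDES should be backed by an enterprise CA" }
    # Policy Modules: ASSUMED registration path for an NDES policy module
    if (-not (Test-Path "$Mscep\Modules\NDESPolicy")) {
        $findings += 'No NDES policy module registered; requests are checked by challenge password only'
    }
    # Without a policy module the challenge password is the only enrollment control, so it must be enforced
    $enforce = (Get-ItemProperty -Path "$Mscep\EnforcePassword" -Name EnforcePassword -ErrorAction SilentlyContinue).EnforcePassword
    if ($enforce -ne 1) { $findings += "EnforcePassword is '$enforce'; SCEP enrollment without a challenge is possible" }
    return $findings
}

function Get-NdesRoleFindings {
    $findings = @()
    # Dedicated Server Roles: the issuing CA must not share the NDES host
    if ((Get-WindowsFeature -Name ADCS-Cert-Authority).Installed) {
        $findings += 'A CA role is installed on this host; NDES and the issuing CA belong on separate servers'
    }
    # Role Separation: the SCEP application pool should run as a dedicated NDES service account
    Import-Module WebAdministration
    $pool = Get-Item 'IIS:\AppPools\SCEP'
    if ($pool.processModel.identityType -ne 'SpecificUser') {
        $findings += "SCEP app pool runs as $($pool.processModel.identityType); use a dedicated domain service account"
    }
    return $findings
}

function Get-PrivateKeyProvider {
    # Returns the KSP (CNG) or CSP (legacy) name holding the certificate's private key, or $null
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
    } catch { }
    return $null
}

function Get-NdesKeyFindings {
    $findings = @()
    # Both NDES certificates carry the Certificate Request Agent EKU; key usage tells them apart
    $ndesCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CertRequestAgentEku })
    }
    if (-not $ndesCerts) { return @('No Certificate Request Agent certificates found in LocalMachine\My') }
    foreach ($cert in $ndesCerts) {
        $ku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }).KeyUsages
        $role = if ($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) { 'Key Exchange' } else { 'Key Signature' }
        $provider = Get-PrivateKeyProvider -Cert $cert
        if (-not $provider) { $findings += "$role cert $($cert.Thumbprint): private key not accessible"; continue }
        # Private Key Protection: Microsoft providers are software or TPM backed; an HSM ships its own KSP
        if ($provider -like 'Microsoft*') {
            $findings += "$role cert $($cert.Thumbprint) key is held by '$provider'; it should live in an HSM KSP"
        }
    }
    return $findings
}

function Invoke-NdesAudit {
    $all = @(Get-NdesRegistryFindings) + @(Get-NdesRoleFindings) + @(Get-NdesKeyFindings)
    if ($all.Count -eq 0) { 'No findings: configuration matches the checklist' } else { $all }
}

Invoke-NdesAudit
```

The key-provider check is the one most often missed: a certificate can be issued from the right template and still have its private key sitting in the Microsoft Software Key Storage Provider. Opening the key of an HSM-backed certificate may fail if the HSM's access policy denies the interactive session, which the script reports as "not accessible" rather than treating as a pass.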
Microsoft Intune is a cloud-based solution that provides mobile device and application management across platforms such as Windows, Windows Phone, Android, and iOS. It is also available in a hybrid deployment that leverages an on-premises System Center Configuration Manager. Both deployments can use an NDES policy module that enables provisioning and enrollment of device certificates.
The policy module for Microsoft Intune uses a modified enrollment flow. Intune creates the challenge password and the additional enrollment details and delivers them to the device through the management channel, and the policy module verifies them with Intune when the device submits its SCEP request to NDES. This removes the need to interact with the NDES administrative interface and eliminates the extra hop in which the challenge password is retrieved and re-entered by an administrator, reducing the risk of the password being disclosed.