Microsoft Always On VPN administrators have two choices when deploying enterprise PKI certificates using Intune; PKCS and SCEP. I prefer using PKCS because it is easier to configure and manage. Also, PKCS requires no inbound connectivity, simplifying the deployment and reducing the organization’s public attack surface. Provisioning certificates using Intune is inherently risky. However, there are some steps administrators can take to mitigate much of this risk.
PKCS Security
The service account is the most critical aspect of configuring the Intune Certificate Connector for PKCS securely. The service account has permission to enroll for an exceedingly dangerous published certificate template. Specifically, the PKCS certificate template has the deadly combination of supplying the subject information in the request, and the Client Authentication enhanced key usage (EKU). Further, the scenario does not allow administrative approval to be enabled on the certificate template. If an attacker were to gain access to this certificate template, they could enroll as any principal they chose, including a domain administrator, and their request would be processed automatically. Subsequently, they could authenticate to Active Directory using only the certificate without knowing the account’s password.
Service Account
Using a Group Managed Service Account (GMSA) would be ideal in this scenario. However, the Intune Certificate Connector does not support using GMSA when using PKCS. With that, administrators must use a regular domain service account instead, which introduces additional risk. To enhance the overall security of the solution, consider performing the following PKCS service account hardening tasks when using the Intune Certificate Connector to issue PKCS certificates with Intune.
Standard User
The service account should be a standard domain user with no special privileges. The service should be dedicated to PKCS and not shared with other services in the enterprise. Create the account from scratch (do not duplicate another account!), and use a long, complex password. Document this password securely. In addition, ensure the PKCS service account is not a member of any other security groups. It does not require local administrator access, either.
Account Hardening
After creating the service account, click the Log On To button and ensure the account can only log on to the server(s) where you have installed the Intune Certificate Connector.
Next, check the box next to Account is sensitive and cannot be delegated in the Account options section.
In addition, select the option Deny access in the Network Access Permission section of the Dial-In properties page.
Finally, uncheck Enable remote control on the Remote control properties page.
Local Access Rights
Open the Local Group Policy Editor (gpedit.msc) on each server where you installed the Intune Certificate Connector. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Enable the following policy settings for the PKCS service account.
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on locally
- Deny log on through Remote Desktop Services
Optionally these settings can be enforced on the Intune Certificate Connector server using Active Directory group policy.
Disclaimer
I am not an Active Directory security expert! The guidance provided here is based on my many years of Windows administrative experience, conversations with Identity and Access security professionals, and published guidance found on the Internet. If you have suggestions to further improve service account security, don’t hesitate to let me know! Please share in the comments, below.
Additional Information
Overview of the Certificate Connector for Microsoft Intune
Configure and use PKCS Certificates with Microsoft Intune
Microsoft Intune Certificate Connector Service Account Requirements
9 Tips for Preventing Active Directory Servie Accounts Misuse
