Hardening CA server

  • Hardening CA server

    Hi,

    Yesterday I performed a hardening of an AD server which is also a CA server.

    The hardening I do is pretty mild and basic - I disable various services, change security options and change user rights in the local policy all via GPO.

    Usually I have no issues, but this was the first time the server was a CA and, despite having no obvious dependencies, once I disabled services, the Active Directory Certificate Services service would not start. The other GPO changes had no effect.

    I didn't disable any IIS services and IIS kept on running.

    So, I'm searching for the service which did affect the Active Directory Certificate Services service, even though you cannot see the dependency when you check the Active Directory Certificate Services service properties.

    Any clues?

    Thanks,

    Vered

  • #2
    Re: Hardening CA server

    You will, of course, have documented the changes you made, so I suggest you undo things one at a time until it starts working again.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Hardening CA server

      Thanks... that will be the next stage, but I was hoping somebody would know and save me some time.


      • #4
        Re: Hardening CA server

        Unfortunately my psychic powers must have been on strike as I completely failed to pick up which services you had disabled -- with that information it might have been possible to help more.
        Tom Jones


        • #5
          Re: Hardening CA server

          Apparently my post immediately above has caused some offence -- perhaps I should have included a smilie as it was intended to be a light-hearted request for more information to allow a more informed set of responses to be given.

          The point I was trying to make was that there are so many possible server configurations (think of all the roles and features in Win2K8) that it would be almost impossible to say which settings must be enabled for a particular role to work without knowing what else is on the server, so the easiest way of dealing with the issue is to find out what the OP actually did to mess things up in the first place.

          If anyone has taken umbrage at the request for further information or the way it was worded, I apologise.
          Last edited by biggles77; 11th January 2011, 20:15. Reason: Fix 8) smilie issue
          Tom Jones


          • #6
            Re: Hardening CA server

            Vered, I would suggest you look in the Server Manager, under Roles -> ADCS. There you should find event log entries related to this service and what's going on with it. You might even find the solution to your issue there.

            Sorin Solomon


            In order to succeed, your desire for success should be greater than your fear of failure.


            • #7
              Re: Hardening CA server

              Originally posted by veredgf:
              I disable various services, change security options and change user rights in the local policy all via GPO.
              Vered,

              Seriously, did you really expect us (or any human for that matter) to be able to tell, from far away, without being given ANYTHING else besides this vague phrase, what YOU did wrong?

              Seriously?

              Please read http://support.microsoft.com/kb/555375 and get back to us.
              Cheers,

              Daniel Petri
              Microsoft Most Valuable Professional - Active Directory Directory Services
              MCSA/E, MCTS, MCITP, MCT
