SCCM 2012 – Security (Part 3)


Hi All,

If you missed Part I you can find it here, and Part II can be found here.

Today we go ahead with Part 3 of the series of posts about security, and now it is time to talk about web certificates.

The web certificate is the certificate used by any SCCM site role that uses IIS (well… not quite any, as the Fallback Status Point (FSP) does not use a certificate, because it only accepts unencrypted traffic).

Anyway, if you go to the documentation (http://technet.microsoft.com/en-us/library/gg699362.aspx) you will notice that the following services/site roles need a web certificate: Management point, Distribution point, Software update point, State migration point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point, Cloud-based distribution point, Network Load Balancing (NLB) cluster for a software update point (see the note below), Site system servers that run Microsoft SQL Server, and SQL Server cluster (site system servers that run Microsoft SQL Server). In every case the certificate purpose is server authentication.

Note: NLB for the Software Update Point only applies to SCCM 2012 without any Service Pack. If you're using SCCM 2012 SP1 or R2, you will not use NLB for the SUP anymore.
Note 2: In this post, we'll be focusing on the following site roles: Management point, Distribution point, Software update point, State migration point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point, and Cloud-based distribution point.

In a Microsoft PKI environment, the certificate template that you can use as a base is Web Server; however, if you don't want to use it, make sure that you add Server Authentication (1.3.6.1.5.5.7.3.1) to the Enhanced Key Usage.

Well… the first part is to create the certificate template. To do it you need to:
01. Create an Active Directory group called ConfigMgr Web Servers and add all SCCM servers that use IIS.

02. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

03. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

04. If your PKI is Windows Server 2012/2012 R2: in the Properties of New Template dialog box, on the Compatibility tab, make sure that Windows Server 2003 is selected under Certification Authority and Windows XP / Windows Server 2003 under Certificate recipient.

04. If your PKI is Windows Server 2008/2008 R2: in the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

05. In the Properties of New Template dialog box, on the General tab, enter ConfigMgr Web Server Certificate as the template display name.

06. Click the Subject Name tab, and make sure that Supply in the request is selected.

07. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

08. Click Add, enter ConfigMgr Web Servers in the text box, and then click OK. Select the Enroll permission, and do not clear the Read permission.

09. Click OK, and close the Certificate Templates console. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select ConfigMgr Web Server Certificate and then click OK.
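As an added example (not part of the original post), the following PowerShell reads the new template back from Active Directory and checks the three things that matter for it: the Server Authentication EKU, the "Supply in the request" flag, and which principals hold Enroll. It assumes the RSAT ActiveDirectory module is installed, that the template's common name is ConfigMgrWebServerCertificate (the console derives the CN from the display name by removing spaces; check yours) and the group name ConfigMgr Web Servers from step 01.

```powershell
# Added example, not from the original post. Checks the duplicated template in AD
# before it is issued. Assumed names: template CN "ConfigMgrWebServerCertificate",
# group "ConfigMgr Web Servers" (adjust to your environment).
Import-Module ActiveDirectory

$templateCn    = 'ConfigMgrWebServerCertificate'            # assumption: CN derived from the display name
$allowedGroup  = 'ConfigMgr Web Servers'                    # group created in step 01
$serverAuthEku = '1.3.6.1.5.5.7.3.1'                        # Server Authentication OID from the post
$enrollRight   = '0e10c968-78fb-11d2-90d4-00c04f79dc55'     # Certificate-Enrollment extended right GUID

$configNc   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$tpl = Get-ADObject -SearchBase $searchBase -Filter { cn -eq $templateCn } `
        -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
if (-not $tpl) { throw "Template $templateCn not found under $searchBase" }

# 1. EKU: the role servers present this certificate to clients, so Server Authentication is required.
if ($tpl.pKIExtendedKeyUsage -notcontains $serverAuthEku) {
    Write-Warning "Template lacks the Server Authentication EKU ($serverAuthEku)"
} else {
    Write-Host "EKU OK: Server Authentication present"
}

# 2. "Supply in the request" (step 06) sets bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT).
$supplyInRequest = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
Write-Host "Subject supplied in request: $supplyInRequest"

# 3. Because the requester chooses the SAN, only the intended server group should hold Enroll
#    (steps 07-08). Flag every other Allow ACE that grants Enroll or full control.
$enrollAces = $tpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
    ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)
}
foreach ($ace in $enrollAces) {
    $who = $ace.IdentityReference.Value
    if ($who -like "*\$allowedGroup") {
        Write-Host "Enroll OK: $who"
    } else {
        Write-Warning "Unexpected Enroll permission for $who (remove it, as done for Domain Admins and Enterprise Admins in step 07)"
    }
}
```

The third check is the important one: with Supply in the request enabled, the Enroll ACL is the only thing that limits which names can end up in a certificate from this template, so anything beyond the ConfigMgr Web Servers group (and whatever your CA administrators deliberately granted) deserves a second look.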

Great, now that we know how to create the certificate template, we need to request the certificate. Do this on each computer running IIS:
01. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

02. In the Add or Remove Snap-ins dialog box, select Certificates from the list of available snap-ins, and then click Add. In the Certificates snap-in dialog box, select Computer account, and then click Next.

03. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. In the Add or Remove Snap-ins dialog box, click OK.

04. In the console, expand Certificates (Local Computer), and then click Personal.

05. Right-click Certificates, click All Tasks, and then click Request New Certificate.

06. On the Before You Begin page, click Next.

07. If you see the Select Certificate Enrollment Policy page, click Next.

08. On the Request Certificates page, identify ConfigMgr Web Server Certificate in the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

09. In the Certificate Properties dialog box, on the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, in the Alternative name section, click the Type drop-down list and select DNS. In the Value box, specify the FQDN of the server (e.g. SCCMSERVER.COMPANY.LOCAL) and click Add. Repeat the step for any other name that is needed; for example, if the server will also be reached from the Internet, you will need to add the Internet name.

10. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.

11. On the Certificate Installation Results page, wait until the certificate is installed, and then click Finish.

12. Close Certificates (Local Computer).
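The same enrollment can be done from PowerShell with the built-in PKI module, which is handy when you have several site systems. The block below is an added example, not code from the original post: it requests the certificate with the DNS names as SANs (the subject stays empty, exactly as in step 09) and then inspects the issued certificate for the two things the post relies on, the Server Authentication EKU and the expected SAN entries. It assumes the template CN ConfigMgrWebServerCertificate; the host names are constructed placeholders.

```powershell
# Added example, not from the original post. Run elevated on the site system itself,
# because the request is made in the computer's context (LocalMachine\My).
$templateCn = 'ConfigMgrWebServerCertificate'                      # assumption: CN of the template from step 05
$dnsNames   = @('sccmserver.company.local', 'sccm.company.com')    # constructed: intranet FQDN plus Internet name

# No -SubjectName: the template has "Supply in the request", and the post leaves the subject blank.
$result = Get-Certificate -Template $templateCn -DnsName $dnsNames `
             -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete, status: $($result.Status)" }
$cert = $result.Certificate

# Enhanced Key Usage (2.5.29.37) must contain Server Authentication.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'

# Subject Alternative Name (2.5.29.17) must list every name that clients will use.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = $san.Format($false)      # e.g. "DNS Name=sccmserver.company.local, DNS Name=sccm.company.com"
$missing = $dnsNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Issuer        = $cert.Issuer
    ServerAuthEKU = $hasServerAuth
    HasPrivateKey = $cert.HasPrivateKey
    MissingSANs   = ($missing -join ', ')
    NotAfter      = $cert.NotAfter
}
```

If MissingSANs is not empty or ServerAuthEKU is false, the template (not IIS) is what needs fixing; binding such a certificate in the next section would give clients the exact certificate error that step 05 of the IIS section tells you to look for.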

Now it is time to configure IIS (I'm doing it on Windows Server 2012 R2; on older versions the steps may be different).
01. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

02. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

03. Click the https entry, and then click Edit. (If the https entry does not exist, click Add.)

04. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, click OK twice, and then click Close.

05. Open Internet Explorer and navigate to the HTTPS site using one of the DNS entries that was used to create the certificate (e.g. https://sccmserver.company.local). Confirm that there is no certificate issue and that the website opens without any problem.
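For the same steps without the GUI, here is an added example (not code from the original post) that creates the HTTPS binding on Default Web Site with the WebAdministration module, attaches the certificate requested above, and then replaces the browser check of step 05 with a TLS handshake to every name that clients will use, letting .NET validate the chain and the host name. It assumes the certificate is identified by its SAN entries; the host names are constructed placeholders.

```powershell
# Added example, not from the original post. Run elevated on the site system.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$dnsNames = @('sccmserver.company.local')     # constructed: the names placed in the SAN when enrolling
$port     = 443

# Pick the newest certificate with a private key whose SAN carries the first DNS name.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false) -match [regex]::Escape($dnsNames[0]))
} | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $($dnsNames[0]) in LocalMachine\My" }

# Steps 02-04: add the https binding if it is missing, then attach the certificate to it.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Step 05 without a browser: handshake with each name; AuthenticateAsClient throws on an
# untrusted chain or a name mismatch, which is exactly what a client would complain about.
function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Ok = $true;  Thumbprint = $remote.Thumbprint; Detail = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Host = $HostName; Ok = $false; Thumbprint = $null;              Detail = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

$dnsNames | ForEach-Object { Test-TlsEndpoint -HostName $_ -Port $port }
```

Run the handshake from a client machine as well as from the server: a chain that validates locally but fails from a domain member usually means the issuing CA's certificate has not reached the clients' Trusted Root or Intermediate stores, and that is the same error the browser check in step 05 would show.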
