Microsoft introduced a great security improvement in Windows Server 2012 R2 to alter the standard Network Device Enrollment Service (NDES) security process. If you are familiar with the whitepaper I wrote for Microsoft (Securing and Hardening NDES) you’ll know I wrote about the disadvantages of using NDES for BYOD and Internet accessible enrollment solutions. The Microsoft InTune product team has been the only product so far to write a Policy Module that improves on the security and issuance model for NDES.
While Microsoft wrote the Policy Module capabilities with an open platform, to-date no other solutions have written a policy module. That is a real shame. Whether it’s a lack of information or visibility, I constantly work with my clients to make sure they are aware of how to secure NDES in their environments. If poorly deployed, it can present a significant thread gateway to your environment and a threat to your PKI.
Thankfully, Tochi Ezebube, an Engineer at Microsoft has written a paper on how to interface to, and write your own Policy Module. The paper is available here: https://msdnshared.blob.core.windows.net/media/2016/11/How-to-write-an-NDES-policy-module.pdf
While it is geared to developers, it goes a long way to bring light to the process and will certainly be a help to anyone looking to create an improved authentication mechanism for NDES.