Microsoft NDES Monitoring, Alerting and Best Practice Checks
PKI Spotlight® Is-Alive for Microsoft NDES conducts more than 10 different automated checks to ensure operability. The Best Practice Rules enforce checks for critical NDES security configurations.
Microsoft NDES Cards
What does this feature do?
New cards provide visibility into the operational status and important configurations of all your Microsoft NDES instances.
Visibility into whether NDES passwords are enforced and are dynamically generated
The status of the Microsoft NDES encryption and signing certificates
Shows whether the NDES signing and encryption certificates are valid, which CA issued them, and how far they are from expiration.
The registry and IIS web server Microsoft NDES configurations
For each IIS server associated with NDES, PKI admins have a single place to get details on configurations such as application paths and HTTPS bindings, including the associated TLS certificates and their validity.
PKI admins also have visibility into trust delegation settings and service principal names that are attached to the IIS application pools.
Certificate templates configured for certificate issuance to users and/or devices
Identify the certificate templates that Microsoft NDES is using to fulfill requests.
Is Alive checks for Microsoft NDES
What does this feature do?
Is Alive status makes 7 granular and regular checks on Microsoft NDES and associated IIS servers. These checks include:
- Whether the NDES role is installed
- Whether IIS is running
- Whether the NDES server can connect to its associated CA to be able to submit requests
- Whether the NDES signing and encryption certificates are present and valid
- Whether NDES has access to its cryptographic key store and whether HSM-protected NDES keys are accessible
In the event of a failure, the check provides the exact reason for the failure, such as service unavailable, certificate missing or invalid certificates. If Hardware Security Modules (HSMs) are used to manage access to NDES keys, an inaccessible key store can also point to issues with the HSMs.
Why does it matter
NDES certificate expirations are the most common cause of NDES outages, which in turn have a direct business impact on end user productivity.
Operationally Resilient end user experience
End user interruptions and outages caused by Microsoft NDES errors are difficult to troubleshoot, and the information that PKI Spotlight consolidates in the NDES display cards is otherwise not easily accessible.
- Firstly, the administrators should know where to look for the relevant information.
- Secondly, they need to access multiple areas such as registry keys, IIS configurations and local certificate stores, and run low-level tools such as ADSI Edit.
- Current tools like PKI View or standard monitoring do not provide any information on NDES configurations.
- Lastly, Microsoft NDES is a Single Point of Failure (SPOF). NDES servers cannot be securely load-balanced because the server that gets the initial request must also send the response.
Likelihood of an NDES Outage: Med to High
Business Impact of an NDES Outage: Med to High
Security Impact of an NDES Outage: Med to High
Microsoft NDES Best Practice Checks
Checks for static and no password NDES settings
PKI Spotlight monitors the following
- Whether NDES is configured to use a static password or no password.
- Whether the TLS web certificate is present, bound in IIS, is valid and whether it is approaching expiry
Why does it matter
Configuring NDES with static or no password for certificate enrollment introduces a serious security risk in the environment. It is important to check that all NDES roles are configured to follow best practices and exceptions are alerted on and reverted to desired state.
TLS web certificates must be maintained in a valid state for Microsoft NDES to remain online and available.
Advanced Notification for NDES Registration Authority (RA), CEP, IIS TLS bindings certificates
Automatic checks and alerts for NDES Registration Authority (RA), CEP, IIS TLS bindings certificates prior to expiration.
Expired NDES Registration Authority (RA), CEP, IIS TLS bindings certificates
Automated alerts on expired NDES Registration Authority (RA), CEP, IIS TLS bindings certificates
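The password-policy and certificate-expiry checks described above can also be run by hand on the NDES server. The following PowerShell script is an added, read-only example (not PKI Spotlight's code) that reads the MSCEP registry values for the challenge password policy, checks the RA signing/encryption certificates and the IIS HTTPS binding certificate for validity and approaching expiry, and reports whether the RA private keys are accessible. The 30-day threshold, the use of the Certificate Request Agent EKU to find RA certificates, and the availability of the WebAdministration module are assumptions.

```powershell
# Added example, not PKI Spotlight code. Run on the NDES server as an administrator.
Import-Module WebAdministration -ErrorAction Stop

$WarnDays = 30   # assumed alerting threshold before certificate expiry
$Mscep    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$Findings = @()

# 1. Challenge password policy. EnforcePassword=0 means no password is required;
#    UseSinglePassword=1 means one static password is reused for every request.
$enforce = (Get-ItemProperty "$Mscep\EnforcePassword" -ErrorAction SilentlyContinue).EnforcePassword
$single  = (Get-ItemProperty "$Mscep\UseSinglePassword" -ErrorAction SilentlyContinue).UseSinglePassword
if ($enforce -ne 1) { $Findings += 'CRITICAL: NDES does not enforce a challenge password' }
if ($single  -eq 1) { $Findings += 'CRITICAL: NDES uses a static (single) challenge password' }

# Helper: flag a certificate that is expired, not yet valid, or close to expiry.
function Test-CertLifetime([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Role) {
    $now  = Get-Date
    $left = ($Cert.NotAfter - $now).Days
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        return "CRITICAL: $Role certificate $($Cert.Thumbprint) from '$($Cert.Issuer)' is expired or not yet valid"
    }
    if ($left -le $WarnDays) {
        return "WARNING: $Role certificate $($Cert.Thumbprint) from '$($Cert.Issuer)' expires in $left days"
    }
    return $null
}

# 2. RA signing/encryption certificates. Assumption: the RA certificates carry the
#    Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1) and live in LocalMachine\My.
$raCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' }
if (-not $raCerts) { $Findings += 'CRITICAL: no NDES RA certificate found in LocalMachine\My' }
foreach ($c in $raCerts) {
    $f = Test-CertLifetime $c 'NDES RA'; if ($f) { $Findings += $f }
    # A missing private key usually means the KSP/HSM holding the NDES key is unreachable.
    if (-not $c.HasPrivateKey) { $Findings += "CRITICAL: private key for RA certificate $($c.Thumbprint) is not accessible (check key store / HSM)" }
}

# 3. IIS HTTPS binding and the TLS certificate it references.
$bindings = Get-WebBinding -Protocol https
if (-not $bindings) { $Findings += 'CRITICAL: no HTTPS binding configured in IIS' }
foreach ($b in $bindings) {
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) { $Findings += "CRITICAL: binding $($b.bindingInformation) references a missing certificate" }
    else { $f = Test-CertLifetime $cert 'IIS TLS'; if ($f) { $Findings += $f } }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output $_ }; exit 1 }
Write-Output 'OK: NDES password policy and certificate checks passed'
```

A non-zero exit code makes the script easy to wire into an existing monitoring job so that a static-password configuration or an expiring RA or TLS certificate raises an alert before it causes an outage.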