Recover an ADCS platform from compromise

This article is contributed. See the original author and article here.

The crucial role of backup and restore in ADCS


Active Directory Certificate Services (ADCS) is a pivotal part of identity and access management (IAM), playing a critical role in ensuring secure authentication and encryption. These functions are integral to fostering trust across the enterprise application and service ecosystem. In modern organizations, the significance of Active Directory Certificate Services has grown exponentially, fortifying digital identities, communication channels and data. Given its pervasive role, the potential loss of this service due to systemic identity compromise or a ransomware attack could be catastrophic. Microsoft advocates that platform owners adopt an “assume breach” mindset as a proactive measure against these sophisticated cybersecurity threats, to preserve the confidentiality, integrity, and availability of IAM-based services.


 


As part of an “assume breach” approach, organizations must prioritize comprehensive backup and restore strategies within their ADCS infrastructure. These strategies are paramount for ensuring swift recovery and restoration of essential certificate services following a cyberattack or data breach. By keeping up-to-date backups and implementing effective restoration procedures, organizations can minimize downtime, mitigate potential damage, and uphold operational continuity amidst evolving security challenges. 


 


Let us look at some of the services and features of an ADCS platform which organizations are dependent on: 


 



  • Certificate enrollment and renewal: ADCS facilitates automated enrollment and renewal processes, ensuring prompt issuance and rotation of cryptographic keys to maintain security. 
     

  • Key archival and recovery: Organizations can utilize ADCS to archive private keys associated with issued certificates, enabling authorized personnel to recover encrypted data or decrypt communications when necessary. 
     

  • Certificate revocation and management: ADCS provides mechanisms for revoking and managing certificates in real-time, allowing organizations to promptly respond to security incidents or unauthorized access attempts. 


 



  • Public Key Infrastructure (PKI) integration: ADCS seamlessly integrates with existing PKI infrastructures, enabling organizations to use established cryptographic protocols and standards to enhance security across their networks. 
      

  • Enhanced security controls: ADCS offers advanced security controls, such as role-based access control (RBAC) and audit logging, empowering organizations to enforce granular access policies and keep visibility into certificate-related activities.


Now that we know what this service offers, imagine your organization as a fortified stronghold, wherein Active Directory Certificate Services and Active Directory Domain Services form the bedrock of the Identity and Access Management infrastructure. If a cybersecurity breach penetrates this stronghold, the backup and restoration process acts as a crucial defensive measure. It is not merely about restoring ADCS services: it is about swiftly and effectively rebuilding the stronghold. This guarantees the continuation of trust relationships and the seamless operation of vital IT services within the stronghold, such as remote access VPNs, consumer web services, and third-party self-service password reset tools, each of which is an essential component for operational continuity, customer experience and business productivity. Without effective backup measures, the stronghold is vulnerable, lacking the protective mechanisms akin to a portcullis or moat. 


 


The significance of thoroughly assessing all backup and recovery procedures cannot be overstated. This is akin to conducting regular fire drills, ensuring that the IT team is adept and prepared to respond to crises effectively. IT administrators must have the requisite knowledge and readiness to execute restoration operations swiftly, thereby upholding the integrity and security of the organization’s IT environment. Additionally, because ADCS can be exploited to maintain persistence, its components must be monitored and secured against unauthorized manipulation or access.  


What are the key elements for a successful backup and recovery?


From a technical perspective, Active Directory Certificate Services (ADCS) backups must cover the foundational pillars of the service. These include the private key, the Certificate Authority (CA) database, the server configuration (registry settings) and the CAPolicy.inf file. Let us explain each in detail:



  • CA private key: The most critical logical part of a CA is its private key material. This key is stored in an encrypted state on the local file system by default. The use of devices like Hardware Security Modules (HSMs) is encouraged to protect this material. The private key is static, so it is recommended to create a backup directly after the deployment and to store it in a safe, redundant location.


  • CA database: By default, this repository holds a copy of all issued certificates, every revoked certificate, and a copy of failed and pending requests. If the CA is configured for Key Archival and recovery, the database will include the private keys for those issued certificates whose templates are configured for the feature.


  • Server configuration: These are the settings and configurations that dictate ADCS operations. From security policies to revocation lists settings, safeguarding the server configurations ensures that the ADCS can be restored with identical functionality.


  • CAPolicy.inf: The CAPolicy.inf file is used during the setup of ADCS and then during CA certificate renewal. This file may be used to specify default settings, prevent default template installation, define the hierarchy, and specify a Certificate Policy and Practice Statement.



How is ADCS backed up?


A practical approach to performing a backup is to use ‘certutil’, a command-line tool built into the Windows operating system. This tool offers a range of functions for managing certificates and certificate services. Other methods include the graphical user interface (GUI) and PowerShell. To start a backup of the CA database using ‘certutil’, use the example below:


 

certutil -backupdb -backupkey "C:\BackupFolder"

 


The command syntax is as follows:


 



  • backupdb: Starts the backup process for the database.

  • backupkey: Safeguards the private key of the CA (requires providing a password).

  • C:\BackupFolder: Specifies the path where the backup will be stored. It is important to use a secure location, ideally on a separate drive or device. Note: this folder must be empty.


Running this command starts the creation of a backup encompassing the CA database and the CA’s private key, thereby guaranteeing the safeguarding of the fundamental elements of the CA. Safeguarding these components is imperative, as malevolent actors may exploit the backup for nefarious purposes.


 


In addition to preserving the CA Database and the CA’s private key, for comprehensive restoration onto a new server, it is crucial to back up the registry settings associated with ADCS using the following command:  


 

reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration" C:\BackupFolder\CAConfig.reg

 


The exported settings, including the earlier location of the CA database and the configuration of certificate validity settings and CRL and AIA extensions, can be used during the recovery process.


 


If the source CA utilizes a custom CAPolicy.inf, it is advisable to copy the file to the same backup location. The CAPolicy.inf file is typically found in the %windir% directory (default location being C:\Windows).
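The backup steps above collected into one script, as an added example rather than code from the original article. It uses the Backup-CARoleService cmdlet (the PowerShell method the article mentions) in place of certutil, and records SHA-256 hashes so the backup can be checked for tampering before it is restored. The function names, the example paths and the manifest format are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names, paths and the
# manifest format are assumptions. New-CABackup must run on the CA server.

function Get-BackupHash {
    # SHA-256 of every file under $BackupDir, keyed by path relative to it.
    param([Parameter(Mandatory)] [string] $BackupDir)
    $root = (Resolve-Path -LiteralPath $BackupDir).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function New-CABackup {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        # Keep the manifest where accounts that can write the backup cannot write.
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # The backup target must be empty, so create a fresh timestamped folder.
    $dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null

    # CA database plus private key; the key file is protected by $Password.
    # With an HSM-protected key, add -DatabaseOnly and back the key up with
    # the HSM's own tooling.
    Backup-CARoleService -Path $dir -Password $Password -ErrorAction Stop | Out-Null

    # Server configuration from the registry.
    $regFile = Join-Path $dir 'CAConfig.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # CAPolicy.inf, if the CA uses a custom one.
    $policy = Join-Path $env:windir 'CAPolicy.inf'
    if (Test-Path -LiteralPath $policy) { Copy-Item -LiteralPath $policy -Destination $dir }

    Get-BackupHash -BackupDir $dir | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    return $dir
}

function Test-CABackup {
    # Returns one object per missing, unexpected or modified file.
    # No output means the backup matches the manifest.
    param(
        [Parameter(Mandatory)] [string] $BackupDir,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
    $actual = @{}
    Get-BackupHash -BackupDir $BackupDir | ForEach-Object { $actual[$_.RelativePath] = $_.SHA256 }

    $paths = @($expected.Keys) + @($actual.Keys) | Sort-Object -Unique
    foreach ($p in $paths) {
        $status = if (-not $actual.ContainsKey($p)) { 'Missing' }
                  elseif (-not $expected.ContainsKey($p)) { 'Unexpected' }
                  elseif ($actual[$p] -ne $expected[$p]) { 'Modified' }
                  else { $null }
        if ($status) { [pscustomobject]@{ Status = $status; RelativePath = $p } }
    }
}

# On the source CA (placeholder paths):
#   $pw  = Read-Host -AsSecureString 'Backup password'
#   $dir = New-CABackup -BackupRoot 'D:\CABackup' -ManifestPath 'E:\Manifests\ca.csv' -Password $pw
# On the destination server, before starting the restore:
#   Test-CABackup -BackupDir 'C:\BackupFolder' -ManifestPath 'E:\Manifests\ca.csv'
```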


How can the service be restored?


Remove ADCS role(s)


If the source server is still available and a CA Backup is available, remove the CA role from it. This is required for Enterprise CAs that are domain-joined. If present, remove the “Web Server” based roles/features before the Certification Authority role.


 


Remove the source server from the domain


Reusing the same host name on the destination server requires that the source server either be renamed or removed from the domain and the associated computer object removed from Active Directory before renaming and joining the destination server to the domain.


 


Adding ADCS role(s)


After ensuring that the destination server has the correct hostname and is successfully integrated into the domain, proceed to assign the CA role to it. If the destination server is already part of the domain, it needs Enterprise Admin permission to configure the ADCS role as an Enterprise CA.


Before advancing, transfer the backup folder to a local drive, and, if accessible, move the original CAPolicy.inf file to the %windir% folder on the destination server.



  • Launch the Add Roles wizard from Server Manager.

  • Review the “Before You Begin” page, then select Next.

  • On the “Select Server Roles” page, select Active Directory Certificate Services, then Next, then Next again on the Intro to ADCS page.

  • On the “Select Role Services” page, ensure only Certificate Authority is selected, then click Next. (Do not choose any other roles)



Configuring ADCS:


Now configure a clean ‘empty’ CA. This is done prior to restoring the configuration and database content:



  • Select the choice to “Configure Active Directory Certificate Services on this server.”

  • Confirm that the correct credentials are in place depending on the installation: Local Admin for Standalone CA, Enterprise Administrator needed for Enterprise certification authority.

  • Check the box for “Certification Authority.”

  • Select the desired option based on the source CA configuration (“Standalone” or “Enterprise”) on the “Specify Setup Type” page, then click “Next.”

  • Select “Root” or “Subordinate CA” on the “Specify CA Type” page, then click “Next.”

  • Select “Use existing key” on the “Set Up Private Key” page, then click “Next.”

  • Import the Private key from the backup folder copied previously. Select the key and click “Next.”

  • Configure the desired path on the “Configure Certificate Database” page, then select “Next,” then “Install.”


At this point we have restored the CA and have an empty database with default server settings.



  • Open “Certificate Authority” manager from Server Manager or from Administrative Tools.

  • Expand “Certificate Authority (Local)”, right-click “CAName”, select “All Tasks”, and click “Restore CA.”

  • Click “OK” to stop the service.

  • Select “Next” on the “Welcome to the Certification Authority Restore Wizard.”

  • Check only “Certificate Database” and “Certificate Database Log,” click “Browse” and select the backup folder “C:\BackupFolder”, click “Next”, then click “Finish” and wait until the restore completes.

  • Click “Yes” to continue and start the service.

  • Expand “Certificate Authority (Local)”, right-click “CAName”, and select “Issued Certificates” to verify the database was restored.



Restore registry settings:


After the database is restored, import the configuration settings that were backed up from the source CA’s registry.



  • Create a registry backup of the destination server:

reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration" C:\BackupFolder\DestinationCAConfig.reg


  • Locate the “C:\BackupFolder\CAConfig.reg” file and double-click it to merge the settings, click “Yes” to continue and then “OK” on the Registry Editor confirmation window.

  • Restart the ADCS Service to verify the restored settings.

  • After everything is verified, restart the server to ensure it belongs to the “Cert Publishers” group.
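Before CAConfig.reg is merged in the steps above, it can be compared with the destination export so that every value the merge will add or overwrite is reviewed first. This is an added example, not code from the original article; the function names are assumptions and the two sample exports are constructed, with "Contoso-CA" as a made-up CA name.

```powershell
# Added example, not from the original article. Function names are assumptions;
# the sample exports below are constructed ("Contoso-CA" is a made-up CA name).

function Read-RegExport {
    # Parse a .reg export into an ordered map of "key\value name" -> raw data.
    param([Parameter(Mandatory)] [string] $Path)
    $values  = [ordered]@{}
    $key     = $null
    $pending = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $pending + $line.Trim()
        # Long hex values continue on the next line after a trailing backslash.
        if ($text.EndsWith(',\')) { $pending = $text.TrimEnd('\'); continue }
        $pending = ''
        if ($text -match '^\[(.+)\]$') { $key = $Matches[1]; continue }
        if ($key -and $text -match '^(@|"(?:[^"\\]|\\.)*")=(.*)$') {
            $name = $Matches[1].Trim('"')
            $values[$key + '\' + $name] = $Matches[2]
        }
    }
    $values
}

function Compare-CARegExport {
    # Effect describes what merging $SourceReg does to the destination:
    # a .reg merge adds and overwrites values but never deletes any.
    param(
        [Parameter(Mandatory)] [string] $SourceReg,
        [Parameter(Mandatory)] [string] $DestinationReg
    )
    $src = Read-RegExport -Path $SourceReg
    $dst = Read-RegExport -Path $DestinationReg
    foreach ($name in $src.Keys) {
        if (-not $dst.Contains($name)) {
            [pscustomobject]@{ Effect = 'Added'; Value = $name; Destination = $null; Source = $src[$name] }
        } elseif ($dst[$name] -cne $src[$name]) {
            [pscustomobject]@{ Effect = 'Overwritten'; Value = $name; Destination = $dst[$name]; Source = $src[$name] }
        }
    }
    foreach ($name in $dst.Keys) {
        if (-not $src.Contains($name)) {
            [pscustomobject]@{ Effect = 'Kept'; Value = $name; Destination = $dst[$name]; Source = $null }
        }
    }
}

# Constructed sample: export taken on the source CA.
$sampleSource = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"DBDirectory"="D:\\CertLog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Contoso-CA]
"ValidityPeriodUnits"=dword:00000002
"CRLPeriodUnits"=dword:00000001
'@

# Constructed sample: export taken on the freshly configured destination CA.
$sampleDestination = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration]
"DBDirectory"="C:\\Windows\\system32\\CertLog"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Contoso-CA]
"ValidityPeriodUnits"=dword:00000001
"CRLPeriodUnits"=dword:00000001
"CRLOverlapUnits"=dword:00000000
'@

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'ca-reg-compare'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$srcFile = Join-Path $tmp 'CAConfig.reg'
$dstFile = Join-Path $tmp 'DestinationCAConfig.reg'
Set-Content -LiteralPath $srcFile -Value $sampleSource -Encoding Unicode
Set-Content -LiteralPath $dstFile -Value $sampleDestination -Encoding Unicode

Compare-CARegExport -SourceReg $srcFile -DestinationReg $dstFile | Format-Table -AutoSize
```

An overwritten DBDirectory means the merge will point the service at the source server's database path, so that path has to match the location chosen on the “Configure Certificate Database” page.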



Verify server status:



  • Open “Certificate Authority” manager from Server Manager or from Administrative Tools.

  • Expand “Certificate Authority (Local),” then “CAName”, right-click “Revoked Certificates”, select “All Tasks”, then “Publish.” Select “OK” at the popup.

  • Run pkiview.msc to verify the health of the destination CA server.



Test certificate issuance:


With the CA restored, test certificate issuance to ensure full functionality.



  • Publish any templates that were published before and ensure that certificates are issued as expected.


Note! We recommend an assessment be conducted on all certificate templates to confirm security settings and to reduce the number of templates if possible.


Conclusion


This article highlights the necessity of setting up and upholding a robust “back-and-restore” strategy as a primary defence mechanism against cyber threats. it becomes much more likely that recovery for ADCS will not be successful, and a complete rebuild will be required.


In addition to this, adopting a defence-in-depth approach is equally imperative. This involves implementing supplementary protective measures such as endpoint detection and response through Defender for Endpoint (MDE), or monitoring user and entity behaviour analytics with Microsoft Defender for Identity (MDI). These measures empower cybersecurity operatives to swiftly respond across multiple phases of MITRE ATT&CK, thereby safeguarding the organization’s digital ecosystem, particularly the pivotal identity and access management services.


Integrating the strategic management of ADCS (Active Directory Certificate Services) with these advanced security solutions further strengthens organizational defences against the continually evolving landscape of cyber threats. This strategy augments the resilience of the cybersecurity framework and ensures the continuity and integrity of organizational operations, particularly during the transition to a more secure ADCS infrastructure.


In conclusion, the adoption of a robust backup and restoration strategy, complemented by a multi-faceted defence framework that integrates ADCS management with innovative security solutions, creates a formidable shield against cyber threats. This approach bolsters cybersecurity resilience and fortifies organizational continuity and operational integrity in the dynamic landscape of evolving security challenges.

New agent capabilities in Microsoft Copilot unlock business value


Microsoft Copilot is already helping individual employees boost productivity, creativity and time savings. With the announcements at Microsoft Build 2024, we’re delivering an entirely new set of capabilities that unlock Copilot’s ability to drive bottom-line business results for every organization.

The post New agent capabilities in Microsoft Copilot unlock business value appeared first on Microsoft 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Transform seller effectiveness with Dynamics 365 Sales Copilot


In today’s fast-paced sales landscape, prioritizing core selling activities over low-value tasks is crucial. Time spent on tasks that don’t directly contribute to sales represents missed opportunities to connect with prospects and close deals. With Dynamics 365 Sales, we’re committed to using AI to support sellers in focusing their time on what truly matters: forging meaningful connections, establishing trust, and nurturing long-term relationships to increase their sales productivity. Copilot empowers sellers to achieve greater results with less effort, enhancing your sales organization’s effectiveness. We’re happy to share that the following features are releasing this month.

Copilot chat Q&A in Dynamics 365 Sales

Copilot chat with Q&A transforms how sellers access data in your customer relationship management (CRM) system. Instead of building complicated queries or manually searching for information, sellers can ask questions using natural language. They can access vital information immediately, allowing them to focus on high-value activities like engaging customers and closing deals. The result is more time for meaningful interactions, potentially leading to higher conversion rates and increased revenue.

Natural-language Q&A is particularly valuable in fast-paced sales environments, ensuring quick, informed actions. This feature elevates customer interactions, positioning teams for higher sales productivity. Its impact extends beyond convenience, shaping the efficiency and effectiveness of the entire sales process.

Copilot chat in Dynamics 365 Sales makes it easy to retrieve information from Dataverse and your CRM system.

Sales-specific chat experience  

One of the key features of Copilot in Dynamics 365 Sales is that the chat experience is specific to the sales process. Sellers can use common sales terms and phrases to ask questions and get answers from the CRM system, without having to navigate through complex menus or screens. This saves time and effort for sellers, allowing them to focus on their customers and prospects.

Some of the sales terms that Copilot understands are conversion rate, deal cycle, pipeline, deal size, win rate, and deal value. Sellers and managers can use these terms to query various aspects of the sales process, like the performance of individual sellers, teams, or regions, the progress of opportunities, and the trends and forecasts of sales outcomes. Copilot can also handle complex queries with multiple terms, filters, and aggregations.

For example, you can ask Copilot:

  • “Show the opportunity conversion rate for the last 4 quarters by quarter.”
  • “What’s the win rate for Kenny Smith?”
  • “What is the average deal size for successful opportunities?”
Copilot in Dynamics 365 Sales understands sales-specific terms expressed in natural language.

These examples illustrate how Copilot can help sellers access relevant information from your CRM system in a natural and intuitive way, using sales-specific terms in a chat experience. Copilot chat Q&A enhances your sales team’s productivity and efficiency and their ability to meaningfully engage with customers and prospects.

Your CRM data is always secure

Copilot respects the security and user access privilege settings of your CRM system. This means that if a seller doesn’t have permission to view or edit certain records, those records aren’t included in Copilot’s responses. For example, if you ask Copilot about the pipeline value for a region that you aren’t assigned to, Copilot informs you that you don’t have sufficient privileges to view the requested data. This ensures that Copilot maintains the integrity and confidentiality of your CRM data while providing insights and recommendations. 

Immersive Copilot workspace

We are also launching the public preview of a new immersive Copilot experience in Dynamics 365 Sales. An expanded workspace enhances focus on productive conversations with Copilot, while real-time insights and effortless natural language chat functionality help sellers efficiently manage sales activities, nurture customer relationships, and drive sales success. Seamless access to insights from CRM data simplifies prioritizing actions and smarter decision-making. 

The new immersive Copilot workspace in Dynamics 365 Sales helps sellers focus on sales activities.

The immersive experience works in sync with the Copilot chat pane. Start a conversation in the immersive workspace, select a record, and continue the conversation in the Copilot chat. The coherent experience makes it easy to navigate in the app without losing context. 

Use the immersive workspace

The immersive experience is in preview so that we can make improvements based on your valuable feedback. To use the immersive experience in your environment, you’ll need to turn on preview features for Copilot in Dynamics 365 Sales. In the Sales Hub app, Copilot is automatically added to the site map under My Work. If you use a custom app, add the Copilot page to your app’s site map. To enter the immersive workspace, select My Work > Copilot.

Enter Copilot in immersive mode through the site map in Sales Hub or your custom app.

Transform your sales processes with Copilot

Copilot in Dynamics 365 Sales helps your sellers save time and stay focused on the things that really matter. They get the information they need faster with less context switching, making their day-to-day activities more efficient and boosting your team’s overall sales productivity.

Next steps

Learn more about Copilot in Dynamics 365 Sales

Turn on and set up Copilot in Dynamics 365 Sales 

Not yet a Dynamics 365 Sales user? Sign up for a free trial today.

The post Transform seller effectiveness with Dynamics 365 Sales Copilot appeared first on Microsoft Dynamics 365 Blog.


Copilot in D365 Sales boosts efficiency with content recommendations and Q&A  



Sellers are often faced with situations where they need to sift through a lot of information to find the one piece they need. There are often extensive knowledge bases where sellers need to search for information, and lots of precious time is lost in the process.  

We are here to help with that! 

With our new features outlined below, sellers can access relevant sales information from SharePoint through the Copilot chat interface in Dynamics 365 Sales.

By automating the extraction of critical insights from sales documents, Copilot in Dynamics 365 Sales frees up valuable time for sales teams to focus on nurturing leads, closing deals, and delivering exceptional customer experiences. With Copilot in Dynamics 365 Sales, businesses can streamline their sales processes, gain deeper customer insights, and ultimately drive greater revenue growth. Copilot in D365 Sales empowers sales teams to work smarter, not harder, and achieve unparalleled efficiency in their daily operations. 

Contextual content recommendations

With this feature, the system seamlessly reads the CRM context, and intelligently recommends relevant product and account-related files. For example, sellers are provided with content recommendations regarding the products added to opportunities. From PDFs to Word documents and PowerPoint presentations, the Copilot pane in D365 Sales provides instant access to the most pertinent sales materials, empowering sales reps to make informed decisions and deliver personalized experiences to customers. This could include sales pitch decks, account strategy collaterals, product brochures and training materials that are made available to sellers. As a result, sales interactions are tailored and impactful, driving stronger customer engagement and business growth. 

D365 Sales Hub with Copilot sidecar open where there are insights and prompts.
“Show product-related files” appears as a trailing prompt to opportunity summary

Users effortlessly access contextual file recommendations in Copilot in D365 Sales by selecting from the sparkle icon (marked in the image below) or typing queries in their preferred language. Sorted by relevance, the latest files and most popular results appear first. Files can be viewed, downloaded, or shared via email, ensuring seamless collaboration. Additionally, users can specify keywords for targeted searches, enhancing efficiency while upholding data security. Copilot in D365 Sales respects user permissions, displaying only accessible SharePoint files. 

Access related files in Copilot in D365 Sales – through sparkles menu, natural language prompts, associated products.

SharePoint Q&A

Sellers can now easily navigate through sales documents and literature by simply asking questions. Leveraging Azure OpenAI technology, Copilot in D365 Sales swiftly scans through data and literature, summarizing pertinent information from SharePoint documents. This seamless integration empowers sellers to swiftly access insights, enhancing productivity and enabling quick, informed responses to customer inquiries. 

Invoke SharePoint Q&A and get summaries from relevant documents, with citations of references.

In Copilot in D365 Sales, accessing answers is seamlessly integrated with your SharePoint documents. Simply type your question in the Copilot pane using natural language and hit Enter – no need to navigate through any of your files and folders! For instance, inquire about warranty periods or prices directly. Copilot initiates a search in SharePoint. Should the answer reside in one or more files in SharePoint, Copilot offers a concise response alongside links to relevant documents, ensuring comprehensive insights are just a click away. 

Next steps

Increasing your sales team’s efficiency could be as simple as having all the information just a click away! 

To get started with this new capability: 

Use Copilot to get content recommendations and answers from SharePoint


Not a Dynamics 365 Sales customer yet? Take a guided tour and sign up for a free trial at Dynamics 365 Sales overview

AI solutions built responsibly. 

Enterprise grade data privacy at its core. Azure OpenAI offers a range of privacy features, including data encryption and secure storage. It allows users to control access to their data and provides detailed auditing and monitoring capabilities. Copilot is built on Azure OpenAI, so enterprises can rest assured that it offers the same level of data privacy and protection.  

Responsible AI by design. We are committed to creating responsible AI by design. Our work is guided by a core set of principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. We are putting those principles into practice across the company to develop and deploy AI that will have a positive impact on society.  

The post Copilot in D365 Sales boosts efficiency with content recommendations and Q&A   appeared first on Microsoft Dynamics 365 Blog.


Announcing public preview of Bicep templates support for Microsoft Graph



We’re thrilled to announce that Bicep templates for Microsoft Graph resources will be in public preview starting May 21st. Bicep templates bring declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.


 


Bicep templates for Microsoft Graph resources allow you to define the tenant infrastructure you want to deploy, such as groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL), that uses declarative syntax to deploy resources typically used in DevOps and infrastructure-as-code solutions.


 


What problems does this solve?


Azure Resource Manager or Bicep templates allow you to declare Microsoft Azure resources in files and deploy those resources into your infrastructure. Configuring and managing your Azure services and infrastructure often includes managing Microsoft Entra ID resources, like applications and groups. Until now, you had to orchestrate your deployments between two mechanisms using ARM or Bicep template files for Azure resources and Microsoft Graph PowerShell for Microsoft Entra ID resources.


 


Now, with the Microsoft Graph Bicep release, you can declare the Microsoft Entra ID resources in the same Bicep files as your Azure resources, making configurations easier to define, and deployments more reliable and repeatable.


 


Let’s look at how this works and then we’ll run through an example.


 


The Microsoft Graph Bicep extension


To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.


 


Authoring experience


You get the same first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.


Editing a Bicep file containing Microsoft Graph resources


You can also create Bicep files in Visual Studio with the Bicep extension for Visual Studio.


 


Deploying Bicep files


Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Azure Resource Manager, the deployments engine orchestrates the deployment of interdependent resources so they’re created in the correct order, including the Microsoft Graph resources.


 


The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.


Deploying a Bicep file containing Microsoft Graph resources


 


Scenario: Using managed identities with security groups and app roles


Managed identities can be assigned to security groups and Microsoft Entra ID app roles as an authorization strategy. Using security groups can simplify management by reducing the number of role assignments.


 


Using a Microsoft Entra ID group to assign roles to managed identities


However, this configuration isn’t possible using a Bicep or Resource Manager template. With Microsoft Graph Bicep extension, this limitation is removed. Rather than assigning and managing multiple Microsoft Azure role assignments, role assignments can be managed via a security group through a single Bicep file.


Bicep file declaring a Microsoft Entra ID group with a managed identity member

In the example above, a security group whose members can be managed identities is created and referenced. With Bicep templates for Microsoft Graph resources, declaring Microsoft Graph and Microsoft Azure resources together in the same Bicep files enables new deployment scenarios and simplifies existing ones, bringing reliable and repeatable deployments.


 


Learn more