History of Network Device Enrollment Service (NDES) and Considering its New Features in Windows Server 2008/2008 R2

NDES is not the first implementation of SCEP for Microsoft CAs. SCEP was previously available as an add-on service for both Microsoft Windows 2000 Server and Windows Server 2003. NDES, introduced in Windows Server 2008 and included in later server operating systems, is the first native implementation of SCEP for a Microsoft CA.

NDES introduces several features that were not available in previous Microsoft implementations of SCEP:

  • Designate Certificate Templates   Previous versions of SCEP did not allow you to configure certificate templates for each request type.

  • Certificate Renewal   NDES now supports renewing the service certificates.

  • More secure default settings   NDES changes the default settings to more secure values. For example, a password is now required by default for SCEP requests. Also, the maximum number of passwords it caches in memory was reduced from 100 to 5.

  • Allow SCEP to be installed on a computer other than a CA   Previous versions of Microsoft SCEP required that the SCEP service be installed on an existing CA.

  • New default signing algorithm   Previous versions of Microsoft SCEP used MD5 as the default hash algorithm. NDES now uses SHA1 as the default but allows you to revert to MD5 through a registry change.

  • Service credentials   NDES can now run with a dedicated service account or the Network Service account rather than using the Local System account.

  • Request size limit   NDES limits the request size to 64 KB to prevent buffer overflow attacks.
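The defaults in the list above (required challenge password, a cache of at most 5 passwords, SHA1 rather than MD5, a 64 KB request limit, and a template chosen per request type) can be read as a set of admission checks that run before a request ever reaches the CA. The model below is an added example written for this page; it is not Microsoft's code and not how NDES itself is implemented. The template names, the request-type labels, and the one-time-use behaviour of cached passwords are assumptions made for the illustration, and the PKCS#7 message is represented only by its raw bytes and the name of the digest the client used.

```python
"""Model of the hardened SCEP front-end defaults described on this page.

Added example, not Microsoft or NDES code. Template names, request-type
labels and one-time password use are assumptions of the model.
"""
from collections import OrderedDict
import secrets

# Values taken from the page's description of the NDES defaults.
MAX_REQUEST_BYTES = 64 * 1024     # requests larger than this are rejected unparsed
MAX_CACHED_PASSWORDS = 5          # reduced from 100 in earlier SCEP add-ons
DEFAULT_HASH_ALGORITHM = "sha1"   # replaces md5 as the default digest

# Constructed per-request-type template mapping (placeholder names,
# not real certificate template names or registry values).
DEFAULT_TEMPLATES = {
    "signature": "SigningTemplate-Placeholder",
    "encryption": "EncryptionTemplate-Placeholder",
    "general": "GeneralPurposeTemplate-Placeholder",
}


class ChallengePasswordCache:
    """Bounded in-memory store of enrollment challenge passwords.

    When the cache is full the oldest outstanding password is evicted, so
    the number of live challenges that could be guessed against is capped
    at `capacity`. Passwords are consumed on first successful use
    (one-time use is an assumption of this model).
    """

    def __init__(self, capacity=MAX_CACHED_PASSWORDS):
        self.capacity = capacity
        self._entries = OrderedDict()   # password -> True, insertion ordered

    def issue(self):
        """Generate a new challenge password, evicting the oldest if full."""
        if len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)
        password = secrets.token_hex(8)
        self._entries[password] = True
        return password

    def redeem(self, password):
        """Consume `password`; return True only if it was outstanding."""
        return self._entries.pop(password, None) is not None

    def outstanding(self):
        return len(self._entries)


class ScepFrontEnd:
    """Admission checks applied before a request is forwarded to the CA.

    Each check mirrors one of the defaults listed on the page.
    """

    def __init__(self, cache, templates=DEFAULT_TEMPLATES,
                 enforce_password=True, hash_algorithm=DEFAULT_HASH_ALGORITHM):
        self.cache = cache
        self.templates = dict(templates)
        self.enforce_password = enforce_password
        self.hash_algorithm = hash_algorithm.lower()

    def admit(self, body, request_type, challenge=None, signature_hash="sha1"):
        """Return (accepted, reason) for one enrollment request.

        `body` is the raw request message; signature verification itself is
        out of scope and represented only by the digest name the client used.
        """
        # 1. Size gate runs first, before any parsing of the message body.
        if len(body) > MAX_REQUEST_BYTES:
            return False, "request exceeds %d byte limit" % MAX_REQUEST_BYTES
        # 2. Only the configured digest is accepted; md5 needs an explicit opt-in.
        if signature_hash.lower() != self.hash_algorithm:
            return False, "signature digest %s not allowed (expected %s)" % (
                signature_hash, self.hash_algorithm)
        # 3. A certificate template must be configured for this request type.
        template = self.templates.get(request_type)
        if template is None:
            return False, "no certificate template configured for %r" % request_type
        # 4. Challenge password is required by default and consumed on use.
        if self.enforce_password:
            if challenge is None or not self.cache.redeem(challenge):
                return False, "missing, unknown or already-used challenge password"
        return True, "forward to CA using template %s" % template


if __name__ == "__main__":
    cache = ChallengePasswordCache()
    front_end = ScepFrontEnd(cache)
    pw = cache.issue()
    print(front_end.admit(b"\x30" * 100, "signature", challenge=pw))
    print(front_end.admit(b"\x30" * 100, "signature", challenge=pw))  # replay
    print(front_end.admit(b"\x30" * (MAX_REQUEST_BYTES + 1), "signature"))
```

The check order matters for the size limit: an oversized or wrongly-signed message is refused before its challenge password is looked up, so a rejected request never consumes a cached password. The `legacy` configuration in the test shows the pre-NDES behaviour (no password, MD5) as a contrast, not as a recommended setting.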