Post on 12-Jul-2020
IMPLEMENTING HTTPS, TLS AND SCLOGON
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |ondrej@sevecek.com | www.sevecek.com |
DOMAIN CONTROLLER CERTIFICATE AND LDAPS
Implementing HTTPS and TLS
Publish the Kerberos Authentication template in CA
Pulse computer autoenrollment cycle on a DC to let it enroll for the certificate if none is present yet
Verify the DC certificate has been issued from the Kerberos Authentication template and by the correct CA
Verify the DC certificate parameters
Verify the DC certificate parameters
Verify LDAPS connection from a client computer with LDP tool, use TCP 636 port only
Change template parameters to include Subject name
Reenroll all certificate holders to update even valid clients (increments major version of the template)
Pulse autoenrollment on the DC to update the certificate
HTTPS SERVER TLS CERTIFICATE
Implementing HTTPS and TLS
Certificate template management
Duplicate Web Server template
Verify that the template is of computer type
Expiration and Compatibility
Request handling and Cryptography
Certificate purpose in case of TLS server certificates
Encryption
usable for RSA key exchange
any SSL/TLS version with RSA server certificate
Signature
usable for (EC)DH key agreement with PFS
for RSA server certificate, it requires TLS 1.1+
Subject and Issuance policy
EKU and Key Usage
Security - Read and Enroll permissions
Add the template to issuing CA
On WFE1 verify the rootCA is trusted
Display Physical certificate stores in the console
Verify origin of the two trusted root CAs
Start the Request new certicate wizard
Select the custom web server certificate template
Reasons for other certificate templates invisibilityShow all templates - permissions
Reasons for other certificate templates invisibilityShow all templates – not published by a CA
The specified role was not configured for the application.This type of certificate can be issued only to a user
Subject and SAN values, Friendly name and private key options
Key usage and EKU
Enrollment pending
Self-signed certificate request stored locally together with its private key
Investigate the pending certificate request in CA
Issue the certificate
Issued certificate serial number and other parameters
SAN and CDP (CRL distribution points)
On WFE1 pulse computer auto-enrollment
Export the certificate into CER file
Verify the web server's certificate URL paths (CDP, AIA)
Verify the web server's certificate revocation and validity
Bind the TLS certificate within IIS web site
HTTP.SYS binding (no DS mapper)
Require TLS to limit downgrade attacks
From Client7 verify the TLS/HTTPS connection and certificate validity
ECDSA certificate template
ECDSA certificate issuedsmaller key, 10 times faster cryptography
ECDH certificate template and the issued certificate
ECDH key usage extension
Combinations recap
RSA key exchange encrypted key transport
RSA certificate Key Encipherment
(EC)DH key agreement public transport signed
DSA certificate Digital Signature
RSA certificate Digital Signature
ECC+ECDSA certificate Digital Signature
ECC+ECDH certificate (e.g. not supported in Chrome) Key Agreement
Upgrade signature algorithm
Current IE/Edge/Chrome/FireFox compatibility
RSA Signature + Encryption
ECDSA Signature
IIS ECDSA-256, ECDSA-384 only
RootCA SHA1
SubordinateCAs SHA256+ (I/E/F eat SHA1)
LeafCert SHA256+
TLS CLIENT AUTHENTICATION CERTIFICATE
Implementing HTTPS and TLS
Issuing CA must be NTAuth super-trusted
Issuing CA must be NTAuth super-trusted
Require TLS client certificate on IIS web site, disable HTTP authentication
Enable DS mapper server-wide
HTTP.SYS binding (with DS mapper)IIS requests client certificate (TLS renego)
Or do not disable Windows Authentication and enforce client certificate on HTTP.SYS
NETSH HTTP ADD SSLCERT
ipport | hostnameport
certhash
appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
clientcertnegotiation=enable
dsmapperusage=enable
verifyclientcertrevocation=enable
Duplicate User certificate template
Verify the template is of user type
Validity periods and Compatibility
Request handling and Cryptography
Subject and Issuance requirements
EKU as Client AuthenticationKey usage as Digital Signature
Verify the template is of User type, Enroll and Autoenroll permissions
Publish the certificate template in CAPulse auto-enrollment on the Client7
Verify certificate presence with MMC and PowerShell
Prompt for client certificate selection when only one certificate exists
Verify Internet Explorer behavior
ADVANCED OPERATIONS WITH CLIENT CERTIFICATES
Implementing HTTPS and TLS
Enroll for another user certificate manually
Expand details of the certificate request
Mark private key exportableSpecify friendly name
Verify IE behavior with more compliant certificates
Export the certificate with its private key into PFX file
Switch user to Kamil and verify successful autoenrollment of his cert
Import the other PFX file
Try logon with different user identity certificate with IE
No certificates published in AD
82
PRIVATE KEY STORAGE
Enterprise PKI
Private Key Storage
Users CSP: %APPDATA%\Roaming\Microsoft\Crypto\RSA
CNG: %APPDATA%\Roaming\Microsoft\Crypto\Keys
SYSTEM/Network Service/Local Service CSP: %ALLUSERPROFILE%\AppData\Microsoft\Crypto
CNG SYSTEM: %ALLUSERPROFILE%\AppData\Microsoft\Crypto\Sy
stemKeys
CNG Network/Local Service: %WINDIR%\ServiceProfiles\
83
Private Key Storage
Smart Card, Hardware Security Module (HSM)
CERTUTIL -scinfo
Strong Private Key Protection!
requires user consent
encrypted with password in the storage
84
User Profile%USERPROFILE%\AppData\Roaming
User Password
Private Keys in Software CSPs (basic)
85
Private Key #1
User Password
Private Key #2
User Password
Private Key #3
User Profile%USERPROFILE%\AppData\Roaming
Profile Key
Private Keys in Software CSPs (better)
86
Private Key #1
Profile Key
Private Key #2
Profile Key
Private Key #3
User Password
Profile Key
Profile Key
Private Keys in Software CSPs
87
Private Key
Private Key
Private Key
User Password
Profile Key
AD User Account
Profile Key
Extended Protection for Keys
Require user interaction only
Requre additional “PIN”
key encrypted on disk with the PIN
88
Deleting private keys
You are not responsible for private keys after their expiration/revocation
except for data/backup decryption
Rather delete document/code signing private keys to prevent after-expiration fakes
Request new certificate and enable Strong private key protection
Specify the password and grant permission when using the private key
Request strong protection on template and autoenroll for the certificate
Strong private key protection user experience during auto-enrollment
System cryptography: Force strong key protection for user keys stored on the computer – User must enter a password
TPM private key storage
TPM protection only no PIN no smart card logon (no Kerberos PKINIT) hardware bound, non-exportable, attestation KSP: Microsoft Platform Crypto Provider
TPM virtual smart card PIN smart card logon (Kerberos PKINIT) more cards for testing removable cards/tokens hardware bound, non-exportable CSP: Microsoft Base Smart Card Crypto Provider KSP: Microsoft Smart Card Key Storage Provider
Virtual TPM smart cards (TPMVSCMGR)
More TPM cards
98
KERBEROS PKINIT – SMART CARD LOGON
Enterprise PKI
Smart Card Logon EKU
Allow signature-only keys valid for logon GPO
Integrated GUI unblock
AdminKey unblock response calculator (only when no PUK)
103
CREDENTIALS ROAMING
Enterprise PKI
Problems with roaming users
Local profiles
enroll automatically for the same templates on several workstations
especially problematic for encryption keys
Roaming profiles
lost with profile deletion (automatic)
offline nature if logged on simultaneously on several machines
Solution for roaming users
Smart cards
Credentials roaming
Credential roaming
Saves private keys and certificates into Active Directory
excluded from roaming profiles
Accessible by the user and administrators
identity theft!
Remains on workstations wherever the user logs on
Cannot be considered a backup
users can delete certificates
106
Enable credential roaming
Update group policy and pulse auto-enrollment on client
gpupdate
certutil -user -pulse
Consumption in AD
msPKIAccountCredentials
msPKIDPAPIMasterKeys RSA 2048 = 4500 B + 4500 B
RSA 4096 = 7500 + 5300 B
Normal certificate publishing userCertificate attribute
maximum of <800 certificates (FFL 2000)
maximum of <1200 certificates (FFL 2003+)
DER binary encoded certificate (1500 B or 1750 B)
CERTIFICATE LIFECYCLE
Implementing HTTPS
Request certificate with new key
Allow renewal based on ownership of previous still valid certificate
Renew certificate with new key
Renewal requests and “old certificate” field in CA
The certificate renewalrequest is signed with the previous certificate
Autoenrollment renewal and old key archiving
Autoenrollmentrenewal always at least at 80% of certificate expiration, or sooner according to template settings
Since Windows 7 and Windows 2008 R2 clients use autoenrollment for renewal of manual subjects as well
Manual IIS binding after renewal
Certificate lifecycle events since Windows 2012 R2
Certificate lifecycle events since Windows 2012 R2 (event 1001, CertificateServicesClient-Lifecycle-System)
IIS automatic certificate rebinding since Windows 2012 R2
IIS automatic certificate rebinding since Windows 2012 R2
Revoke certificate
Revocation reasonsReason code Reason
Unspecified
Key compromise private key stolen or otherwise compromisedpolicy breach on private key such as fire or maintenance in the server room
CA compromise the same as with Key compromise on part of the private key of a CA
Change of affiliation although the purpose for which the certificate exists didn’t cease, the Subject does not fall under the original certification policy (certificate template) anymorefor instance – this CA issues certificates for people from Prague, but the employee moved to New York
Superseded the Subject received a new certificate for the same purpose under the same certification policy (certificate template)
Cease of operation the purpose for which the Subject would be using the certificate disappearedfor instance – the server does not run HTTPS anymore, thus the certificate is not necessary
Hold disabled temporarily, can be unrevokedconsider the fact it will disappear from CRL later and for ever
Always publish new CRL immediately to let clients which do not cache the CRL yet to update asap
GUI does not check CRL and does not display revoked certificates’ status. You must use CERTUTIL -verifyCERTUTIL -urlfetch -verify exported-cert.cer
TLS FOR SQL SERVER
Implementing HTTPS and TLS
The need for trusted TLS certificate
No MITM possible
TLS self-signed + Kerberos
TLS trusted
MITM possible
TLS self-signed + NTLM
TLS self-signed + SQL authentication
Normally, SQL server creates a volatile self-signed TLS certificate (ID 26018)
Do not use KSP/CNG providers
Standalone instance uses computer’s DNS name
Clustered SQL server requires the cluster virtual name in the certificate
GUI requires Subject
Assign TLS certificate in the SQL server's configuration manager
You can also force encryption on the SQL server side
SQL server will not start (error event ID 26014)
SQL TLS certificate's private key must have read permission
Manage private key dialog for the certificate in Certificates console
Restart SQL server and verify application event log (ID 26013)
Verify certificate thumbprint in registry
HKLM\Software\Microsoft\Microsoft SQL Server\<instance>\MSSqlServer\SuperSocketNetLib
Certificate = REG_SZ = <certificate thumbprint>
SQL on failover cluster
GUI bug, does not work
create certificate for the cluster name
manually set the registry value
You can also force encryption on the SQL server side
Enforce protocol encryption on the client with both the 64bit and 32bit CLICONFG and SysWow64\CLICONFG
Enforce protocol encryption on client through GPO in registry
HKLM\Software\Microsoft\Microsoft SQL Server\Client\SuperSocketNetLib
Encrypt = DWORD = 1
HKLM\Software\Wow6432Node\Microsoft\...
Automatic SQL server certificate selection
Modify default accounts on CA (CA 2012+, SQL on 2012+, use legacy CSP)
TLS FOR RDP
Implementing HTTPS and TLS
When
non-domain machines
local accounts
IP address
no Kerberos
Autogenerated RDP certificate by default since Windows 2008 and Vista versus manual config on 2003 SP1
Certificate errors due to the non-trusted self-signed certificate
Yet on intranets the connection is authenticated with Kerberos regardless of the certificate. Requires domain account. Requires Windows 2008+, mstsc client 6+
The self-signed automatically generated RDP server certificate
Define new template with both display and template names the same
Add and use new RDP EKU OID 1.3.6.1.4.1.311.54.1.2(Remote Desktop Authentication instead of Server Authentication)
Autoenroll permission is not necessary
Define server authentication certificate template in a GPO
Group Policy based RDP certificate visible on 2008 R2 GUI
Restart Remote Desktop Configuration service and verify registry value WinStations/TemplateCertificate
Event 1063, TerminalServices-RemoteConnectionsManager
Manually selected RDP certificateSSLCertificateSHA1Hash
RDP server identity verified by both the certificate and Kerberos
Possibility of downgrade attacks
MS
TS
C
RD
P S
erve
r
RDP Security Layer
Att
acke
r
RDP TLS
Certificate
Require TLS on RDP servers to limit downgrade attacks
Require server authentication on clients to prevent downgrade attacks
THANK YOU!
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |ondrej@sevecek.com | www.sevecek.com |