Transcript of slides: TPM and certificate logon
TPM and certificate logon
Ing. Ondřej Ševeček | GOPAS a.s. |
MCSM:Directory | MVP:Enterprise Security | CEH | CHFI | CISA |
[email protected] | www.sevecek.com |
My courses at GOPAS:
GLAB007 - Capture the flag 1 - hack your corporate network
GLAB008 - Capture the flag 2 - hack your corporate network
GOC175 - Security implementation
GOC169 - ISO 27001
GOC172 - Kerberos troubleshooting
GOC161 - Cryptography
Agenda
• Why not passwords?
• Why two-factor authentication?
• What is a TPM and why is it "1.5-factor" authentication?
• AD CS installation, quickly
• DC certificates
• TPM virtual smart card
• Can users obtain logon certificates by themselves?
• Registration authority for issuing TPM logon certificates
• TPM attestation
Passwords
• Easily compromised
– hardware keyloggers
– software keyloggers
– surveillance cameras
• Very long validity
– can be used from anywhere without the user knowing
– no incident investigation when compromised
• Bad quality
– lockout policy vs. availability vs. DoS
Multifactor authentication
• something you know
– password
– PIN
• something you have
– card
– phone
– notebook
• something you are
– biometrics
1.5-factor authentication
• biometrics on mobile phones
• TPM module on laptops
• must have the device
• must not let others use the device
Certificate logon with TPM
• credential bound to the device
• certificate using strong keys
• incident investigation possible
Certificate logon
• Active Directory
– AD CS
– DC certificates
– user logon certificates
– RA certificates
– usage
• CTRL-ALT-DEL
• RDP
• HTTPS
• VPN
• ADFS vs. Office 365
• Outlook, ActiveSync
• AAD and Office 365
– trusted CA: Get-AzureADTrustedCertificateAuthority
– individual certificates mapped to user accounts in AAD
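Registering the enterprise CA with Azure AD and then reviewing what the tenant trusts, as an added example that is not part of the slides. It uses the AzureAD PowerShell module that the cmdlet on the slide belongs to; the certificate path, CRL URL and the Global Administrator session are assumptions for your own environment.

```powershell
# Added example (not from the slides): trust the CA that issues TPM logon
# certificates in Azure AD, then list the trusted CAs and their thumbprints.
# Assumptions: AzureAD module installed, Global Administrator session,
# placeholder paths/URLs below replaced with your own.
Import-Module AzureAD
Connect-AzureAD

$cerPath = 'C:\pki\CorpRootCA.cer'                  # assumed: DER-encoded CA certificate
$crlUrl  = 'http://pki.example.local/crl/Root.crl'   # assumed: CRL distribution point of that CA

# Build the object the AzureAD module expects for a trusted CA.
$ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$ca.AuthorityType        = 0                                        # 0 = root CA, 1 = intermediate CA
$ca.TrustedCertificate   = [System.IO.File]::ReadAllBytes($cerPath)
$ca.crlDistributionPoint = $crlUrl                                  # AAD checks revocation against this CRL

New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca

# The cmdlet named on the slide shows what the tenant now accepts as an issuer
# for certificate logon. Compare thumbprints with your CA; any issuer you do
# not recognise here could mint logon certificates for your users.
Get-AzureADTrustedCertificateAuthority | ForEach-Object {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.TrustedCertificate)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        AuthorityType = $_.AuthorityType
        Crl           = $_.crlDistributionPoint
    }
}
```

The CRL distribution point must be reachable from the internet, because Azure AD performs the revocation check itself; without it a certificate revoked on-premises after an incident would still log the user on to Office 365. The AzureAD module has since been retired in favour of Microsoft Graph, but the trust model shown here is unchanged.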
AD CS installation
• keep it safe
– installing on a DC guarantees security
• Domain Admins
• physical security
Simplest AD CS installation (screenshot slides)
Simplest DC certificates with auto-enrollment
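The installation the screenshot slides walk through, done with PowerShell instead, as an added example that is not part of the slides: an enterprise root CA, the Kerberos Authentication template published for domain controllers, and auto-enrollment switched on for DCs. The CA common name and validity are assumptions; the cmdlets, feature name, template name and registry value are the standard ones.

```powershell
# Added example (not from the slides): simplest enterprise root CA plus DC
# certificates via auto-enrollment. Run elevated as an Enterprise Admin on the
# server that becomes the CA; RSAT GroupPolicy module is needed for the GPO step.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'Corp Root CA'        # assumed name
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096                  # strong CA key; this key signs every logon certificate
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10                    # assumed
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# Publish the template DCs need for certificate/smart card logon (KDC Authentication EKU).
certutil.exe -SetCATemplates +KerberosAuthentication

# Enable auto-enrollment for domain controllers: AEPolicy 7 = enabled, renew expired,
# update pending, remove revoked.
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7

# Checks: which templates the CA issues, and (run on a DC after 'certutil -pulse'
# or gpupdate) that a KDC Authentication certificate has been enrolled.
certutil.exe -CATemplates
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'KDC Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Without a certificate carrying the KDC Authentication EKU on every DC, smart card and certificate logon fails with a "no valid certificate on the KDC" style error, so the last check is the one to run before rolling out cards to users.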
TPM virtual smart card
• TPMVSCMGR
– tpmvscmgr.exe create /name ... /pinpolicy minlen 4 uppercase ALLOWED lowercase ALLOWED digits ALLOWED ... /generate
• PUK
– known to the user
• AdminKey
– 48 digits
– admin PIN reset by computing a challenge response
Issuing logon certificates
• Self service
– free "duplication" and renewal
– no attestation
• Attestation by workstation admins
• Attestation by TPM key hash
– machine certificates for 802.1X VPN and Wi-Fi
![Page 19: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/19.jpg)
Simple user logon certificate template
![Page 20: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/20.jpg)
Simple user logon certificate template
![Page 21: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/21.jpg)
Simple user logon certificate template
![Page 22: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/22.jpg)
Simple user logon certificate template
![Page 23: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/23.jpg)
Simple user logon certificate template
![Page 24: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/24.jpg)
Simple user logon certificate template
![Page 25: PLATINUM PARTNER GOLD PARTNER DEVCON HALL SHOWIT HALL TPM ...€¦ · TPM and certificate logon Ing. OndřejŠeveček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH](https://reader033.fdocuments.in/reader033/viewer/2022042918/5f5d460e75f62f55cb41b14c/html5/thumbnails/25.jpg)
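Creating the TPM virtual smart card from the slide's tpmvscmgr command and then enrolling a logon certificate from the user template onto it, as one added example that is not part of the slides. The card name and the template name are assumptions; the tpmvscmgr and certreq switches are the documented ones.

```powershell
# Added example (not from the slides): TPM virtual smart card with a PIN policy,
# then enrollment of the user's logon certificate into it. Run elevated on the
# user's machine; the TPM must be ready. Card and template names are assumed.
$vscName  = 'CorpLogonVSC'     # assumed display name of the virtual card
$template = 'TpmUserLogon'     # assumed: user logon template whose key provider is the
                               # Microsoft Smart Card Key Storage Provider

Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled   # sanity check before creating the card

# /AdminKey PROMPT: you type the 48-hex-digit admin key and store it in your card
# management records; it is what the challenge/response PIN reset on the slide uses.
# /PUK PROMPT: the user's own unblock code.  /PIN PROMPT: the user chooses the PIN.
# /generate: create the card's key material now, not on first use.
tpmvscmgr.exe create /name $vscName /AdminKey PROMPT /PIN PROMPT /PUK PROMPT /generate `
    /pinpolicy minlen 6 maxlen 127 uppercase ALLOWED lowercase ALLOWED digits ALLOWED specialchars ALLOWED

# The new card shows up as a reader + card; its ATR is the TPM virtual smart card one.
certutil.exe -scinfo

# Enroll the logon certificate. Because the template's provider is the smart card
# KSP, the private key is generated inside the TPM-backed card and never in software;
# the user is prompted for the card PIN during enrollment.
certreq.exe -enroll -user $template

# Check: the certificate's key must live on the card. In the certutil output the
# "Provider =" line of the new certificate should read
# "Microsoft Smart Card Key Storage Provider", not the software KSP.
certutil.exe -user -store My
```

A card created with the default admin key (no /AdminKey switch) can have its PIN reset by anyone who knows the documented default, so a per-card or per-organisation admin key entered at creation is what makes the slide's "admin PIN reset by challenge" a controlled helpdesk operation rather than an open door.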
Attestation with RA
• Enrollment Agent = Registration Authority (RA)
• workstation admins issue certificates on behalf of the users
• using the RA smart card
RA certificate for workstation admins (screenshot slides)
User certificate requiring the RA signature (screenshot slide)
TPM attestation for machine certificates
• Get-TpmEndorsementKeyInfo -Hash Sha256
• certutil.exe -setreg CA\EndorsementKeyListDirectories +"C:\TpmEndorsement"
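The two commands on the slide joined into the full trusted-EK workflow, as an added example that is not part of the slides: collect each client's endorsement key hash, write it as a file name into the directory the CA is told to consult, and check what the CA has registered. The share path, the CA host name and the directory are assumptions; the cmdlet, registry value and file-name convention are the documented ones.

```powershell
# Added example (not from the slides): TPM key attestation against a trusted
# EKpub list. Share path, CA name and directory are assumptions.

# --- on each client (TrustedPlatformModule module) ---
$ek = Get-TpmEndorsementKeyInfo -Hash Sha256
if (-not $ek.IsPresent) { throw "No TPM endorsement key present on $env:COMPUTERNAME" }
$ekHash = $ek.PublicKeyHash      # SHA-256 of the EK public key; the CA allowlist is keyed on it
"$env:COMPUTERNAME,$ekHash" | Add-Content -Path '\\ca01\TpmEnrollment$\ek-inventory.csv'   # assumed share

# --- on the CA ---
$listDir = 'C:\TpmEndorsement'   # same directory as the certutil -setreg call on the slide
New-Item -ItemType Directory -Path $listDir -Force | Out-Null

# The CA accepts an attested request only if a file named exactly by the EKpub
# SHA-256 hash exists in a listed directory; the file content is irrelevant.
Import-Csv -Path '\\ca01\TpmEnrollment$\ek-inventory.csv' -Header Computer, EkHash |
    ForEach-Object {
        New-Item -ItemType File -Path (Join-Path $listDir $_.EkHash) -Force | Out-Null
    }

# Register the directory (the "+" appends to the multi-string value) and restart
# the CA service so it picks the setting up.
certutil.exe -setreg CA\EndorsementKeyListDirectories +$listDir
Restart-Service -Name CertSvc

# Checks: the directories the CA consults, and the EK hashes currently trusted.
certutil.exe -getreg CA\EndorsementKeyListDirectories
Get-ChildItem -Path $listDir | Select-Object Name, LastWriteTime
```

The CA's own identity needs read access to the directory, and the machine template must have key attestation set to required with validation against the trusted EK list (the setting shown on the screenshot slide); otherwise a request from a TPM that is not in the list, or a software key pretending to be one, is still issued a certificate. Removing a file from the directory is how a lost or decommissioned machine's TPM is taken out of trust before its certificate is revoked.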
Summary
• Strong credentials bound to device
Thank you for your attention
www.gopas.cz