
IMPLEMENTING HTTPS, TLS AND SCLOGON

Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |

DOMAIN CONTROLLER CERTIFICATE AND LDAPS

Implementing HTTPS and TLS


Publish the Kerberos Authentication template in CA

Pulse computer autoenrollment cycle on a DC to let it enroll for the certificate if none is present yet


Verify the DC certificate has been issued from the Kerberos Authentication template and by the correct CA

Verify the DC certificate parameters


Verify the DC certificate parameters

Verify LDAPS connection from a client computer with LDP tool, use TCP 636 port only
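An added PowerShell example (not from the slides) that performs the checks above: Test-DcCertificate picks the DC certificates issued from the Kerberos Authentication template and verifies their EKUs, issuer, validity and private key; Test-Ldaps then opens a TLS session on TCP 636 from a client and reports the presented certificate. The DC name and the expected issuer DN are assumptions.

```powershell
# Added example, not the slides' own code. Run Test-DcCertificate on the DC and
# Test-Ldaps from a client; the DC name and issuer DN below are assumptions.
$dcName         = 'dc1.example.local'
$expectedIssuer = 'CN=Issuing CA, DC=example, DC=local'

# EKUs that the Kerberos Authentication template places into a DC certificate
$requiredEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}

function Get-TemplateInfo {
    # The template is recorded in the Certificate Template Information extension
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext) { return $ext.Format($false) } else { return '' }
}

function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$ExpectedIssuer)
    $problems = @()
    if ((Get-TemplateInfo $Cert) -notlike '*Kerberos Authentication*') {
        $problems += 'not issued from the Kerberos Authentication template'
    }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $present = @()
    if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $requiredEku.Keys) {
        if ($present -notcontains $oid) { $problems += "missing EKU $($requiredEku[$oid])" }
    }
    if ($Cert.Issuer -ne $ExpectedIssuer) { $problems += "unexpected issuer '$($Cert.Issuer)'" }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    if (-not $Cert.HasPrivateKey)      { $problems += 'no private key in the store' }
    return $problems      # an empty array means every check passed
}

function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Record chain/name errors instead of throwing so the certificate can still be reported
    $validation = { param($sender, $cert, $chain, $errors) $script:ldapsErrors = $errors; $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validation)
    try {
        $ssl.AuthenticateAsClient($Server)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol   = $ssl.SslProtocol
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            Errors     = $script:ldapsErrors   # 'None' means name, chain and trust all passed
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# On the DC: check every certificate that came from the Kerberos Authentication template
$dcCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-TemplateInfo $_) -like '*Kerberos Authentication*' }
foreach ($c in $dcCerts) {
    $result = Test-DcCertificate -Cert $c -ExpectedIssuer $expectedIssuer
    if ($result.Count -eq 0) { "OK  $($c.Thumbprint)" } else { "BAD $($c.Thumbprint): $($result -join '; ')" }
}

# From a client: LDAPS on TCP 636 only; compare the thumbprint with the one reported on the DC
Test-Ldaps -Server $dcName
```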


Change template parameters to include Subject name

Reenroll all certificate holders to update even valid clients (increments major version of the template)


Pulse autoenrollment on the DC to update the certificate

HTTPS SERVER TLS CERTIFICATE

Implementing HTTPS and TLS


Certificate template management

Duplicate Web Server template


Verify that the template is of computer type

Expiration and Compatibility


Request handling and Cryptography

Certificate purpose in case of TLS server certificates

Encryption
  usable for RSA key exchange
  any SSL/TLS version with RSA server certificate

Signature
  usable for (EC)DH key agreement with PFS
  for RSA server certificate, it requires TLS 1.1+


Subject and Issuance policy

EKU and Key Usage


Security - Read and Enroll permissions

Add the template to issuing CA


On WFE1 verify the rootCA is trusted

Display Physical certificate stores in the console


Verify origin of the two trusted root CAs

Start the Request new certificate wizard


Select the custom web server certificate template

Reasons for other certificate templates' invisibility: Show all templates - permissions


Reasons for other certificate templates' invisibility: Show all templates - not published by a CA

The specified role was not configured for the application. This type of certificate can be issued only to a user


Subject and SAN values, Friendly name and private key options

Key usage and EKU


Enrollment pending

Self-signed certificate request stored locally together with its private key


Investigate the pending certificate request in CA

Issue the certificate


Issued certificate serial number and other parameters

SAN and CDP (CRL distribution points)


On WFE1 pulse computer auto-enrollment

Export the certificate into CER file


Verify the web server's certificate URL paths (CDP, AIA)

Verify the web server's certificate revocation and validity


Bind the TLS certificate within IIS web site

HTTP.SYS binding (no DS mapper)


Require TLS to limit downgrade attacks

From Client7 verify the TLS/HTTPS connection and certificate validity


ECDSA certificate template

ECDSA certificate issued: smaller key, 10 times faster cryptography


ECDH certificate template and the issued certificate

ECDH key usage extension


Combinations recap

Key exchange                                      Certificate                                          Key Usage
RSA key exchange (encrypted key transport)        RSA certificate                                      Key Encipherment
(EC)DH key agreement (public transport, signed)   DSA certificate                                      Digital Signature
                                                  RSA certificate                                      Digital Signature
                                                  ECC+ECDSA certificate                                Digital Signature
                                                  ECC+ECDH certificate (e.g. not supported in Chrome)  Key Agreement
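An added PowerShell example (not from the slides) that applies the recap to real certificates: it reads a server certificate's public key algorithm and Key Usage bits and lists which of the key-exchange combinations above the certificate can serve. It is run here over LocalMachine\My; any certificate object can be passed in.

```powershell
# Added example, not the slides' own code: map a certificate's key algorithm and
# Key Usage bits to the key-exchange combinations from the recap.
function Get-TlsKeyExchangeSupport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $ku     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    # Without a Key Usage extension the key is unrestricted; otherwise every bit is tested
    $flags  = if ($ku) { $ku.KeyUsages } else { $kuType::None }
    function Allows([string]$bit) {
        (-not $ku) -or (($flags -band [Enum]::Parse($kuType, $bit)) -ne 0)
    }
    $alg = switch ($Cert.PublicKey.Oid.Value) {
        '1.2.840.113549.1.1.1' { 'RSA' }
        '1.2.840.10045.2.1'    { 'ECC' }    # ECDSA or ECDH: the Key Usage decides
        '1.2.840.10040.4.1'    { 'DSA' }
        default                { $Cert.PublicKey.Oid.FriendlyName }
    }
    $supported = @()
    if ($alg -eq 'RSA' -and (Allows 'KeyEncipherment')) {
        $supported += 'RSA key exchange (encrypted key transport), any SSL/TLS version'
    }
    if ($alg -eq 'RSA' -and (Allows 'DigitalSignature')) {
        $supported += '(EC)DH key agreement signed with RSA (PFS), TLS 1.1+ per the slides'
    }
    if ($alg -eq 'DSA' -and (Allows 'DigitalSignature')) {
        $supported += '(EC)DH key agreement signed with DSA (PFS)'
    }
    if ($alg -eq 'ECC' -and (Allows 'DigitalSignature')) {
        $supported += '(EC)DH key agreement signed with ECDSA (PFS)'
    }
    if ($alg -eq 'ECC' -and (Allows 'KeyAgreement')) {
        $supported += 'static ECDH key agreement (e.g. not supported in Chrome)'
    }
    [pscustomobject]@{
        Subject   = $Cert.Subject
        Algorithm = $alg
        KeyUsage  = $(if ($ku) { $flags.ToString() } else { '(absent)' })
        Supports  = $supported    # empty means no TLS server key exchange fits this key
    }
}

# Report every certificate in the machine store
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Get-TlsKeyExchangeSupport $_ } | Format-List
```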

Upgrade signature algorithm


Current IE/Edge/Chrome/Firefox compatibility

RSA Signature + Encryption

ECDSA Signature

IIS ECDSA-256, ECDSA-384 only

RootCA SHA1

SubordinateCAs SHA256+ (I/E/F eat SHA1)

LeafCert SHA256+

TLS CLIENT AUTHENTICATION CERTIFICATE

Implementing HTTPS and TLS


Issuing CA must be NTAuth super-trusted



Require TLS client certificate on IIS web site, disable HTTP authentication

Enable DS mapper server-wide


HTTP.SYS binding (with DS mapper): IIS requests the client certificate (TLS renegotiation)

Or do not disable Windows Authentication and enforce client certificate on HTTP.SYS

NETSH HTTP ADD SSLCERT
  ipport | hostnameport
  certhash
  appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
  clientcertnegotiation=enable
  dsmapperusage=enable
  verifyclientcertrevocation=enable
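An added PowerShell example (not from the slides) that applies the binding above and then reads it back: it selects the newest web server certificate for the site, runs NETSH HTTP ADD SSLCERT with the listed parameters, and parses NETSH HTTP SHOW SSLCERT to confirm the hash, application id, client certificate negotiation, DS mapper usage and revocation checking are all set. The host name and ip:port are assumptions.

```powershell
# Added example, not the slides' own script. Host name and ip:port are assumptions;
# the application id is the IIS one shown on the slide.
$siteName = 'wfe1.example.local'
$ipPort   = '0.0.0.0:443'
$appId    = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# Newest certificate for the site that has a private key (the template puts the host in the Subject)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$siteName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key for $siteName in LocalMachine\My" }

# Replace whatever is bound on this ip:port (delete reports an error when nothing is bound; ignored)
& netsh.exe http delete sslcert "ipport=$ipPort" | Out-Null
& netsh.exe http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$appId" `
    clientcertnegotiation=enable dsmapperusage=enable verifyclientcertrevocation=enable
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

function Get-SslBinding {
    param([string]$IpPort)
    # Parse the "Label : Value" lines printed by netsh http show sslcert
    $props = @{}
    foreach ($line in (& netsh.exe http show sslcert "ipport=$IpPort")) {
        if ($line -match '^\s*(.+?)\s+:\s+(.*?)\s*$') { $props[$matches[1]] = $matches[2] }
    }
    return $props
}

$binding  = Get-SslBinding -IpPort $ipPort
$expected = @{
    'Certificate Hash'                     = $cert.Thumbprint
    'Application ID'                       = $appId
    'Negotiate Client Certificate'         = 'Enabled'
    'DS Mapper Usage'                      = 'Enabled'
    'Verify Client Certificate Revocation' = 'Enabled'
}
foreach ($k in $expected.Keys) {
    # -eq on strings is case-insensitive, so the lowercase hash netsh prints still matches
    $state = if ($binding[$k] -eq $expected[$k]) { 'OK ' } else { 'BAD' }
    "$state $k = $($binding[$k])"
}
```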


Duplicate User certificate template

Verify the template is of user type


Validity periods and Compatibility

Request handling and Cryptography


Subject and Issuance requirements

EKU as Client Authentication, Key usage as Digital Signature


Verify the template is of User type, Enroll and Autoenroll permissions

Publish the certificate template in CA. Pulse auto-enrollment on the Client7


Verify certificate presence with MMC and PowerShell

Prompt for client certificate selection when only one certificate exists


Verify Internet Explorer behavior

ADVANCED OPERATIONS WITH CLIENT CERTIFICATES

Implementing HTTPS and TLS


Enroll for another user certificate manually

Expand details of the certificate request


Mark private key exportable. Specify friendly name

Verify IE behavior with more compliant certificates


Export the certificate with its private key into PFX file

Switch user to Kamil and verify successful autoenrollment of his cert


Import the other PFX file

Try logon with different user identity certificate with IE


No certificates published in AD


PRIVATE KEY STORAGE

Enterprise PKI


Private Key Storage

Users CSP: %APPDATA%\Roaming\Microsoft\Crypto\RSA

Users CNG: %APPDATA%\Roaming\Microsoft\Crypto\Keys

SYSTEM/Network Service/Local Service CSP: %ALLUSERSPROFILE%\AppData\Microsoft\Crypto

CNG SYSTEM: %ALLUSERSPROFILE%\AppData\Microsoft\Crypto\SystemKeys

CNG Network/Local Service: %WINDIR%\ServiceProfiles\


Private Key Storage

Smart Card, Hardware Security Module (HSM)

CERTUTIL -scinfo

Strong Private Key Protection!

requires user consent

encrypted with password in the storage


[Diagram: Private Keys in Software CSPs (basic): private keys #1, #2 and #3 in the user profile (%USERPROFILE%\AppData\Roaming), each encrypted with the user password]

[Diagram: Private Keys in Software CSPs (better): private keys #1, #2 and #3 in the user profile, each encrypted with the profile key; the profile key is protected with the user password]

[Diagram: Private Keys in Software CSPs: private keys encrypted with the profile key; the profile key is protected with the user password and with the AD user account]

Extended Protection for Keys

Require user interaction only

Require additional “PIN”

key encrypted on disk with the PIN



Deleting private keys

You are not responsible for private keys after their expiration/revocation

except for data/backup decryption

Prefer deleting document/code signing private keys to prevent forged signatures after expiration

Request new certificate and enable Strong private key protection


Specify the password and grant permission when using the private key

Request strong protection on template and autoenroll for the certificate


Strong private key protection user experience during auto-enrollment

System cryptography: Force strong key protection for user keys stored on the computer – User must enter a password


TPM private key storage

TPM protection only
  no PIN
  no smart card logon (no Kerberos PKINIT)
  hardware bound, non-exportable, attestation
  KSP: Microsoft Platform Crypto Provider

TPM virtual smart card
  PIN
  smart card logon (Kerberos PKINIT)
  more cards for testing removable cards/tokens
  hardware bound, non-exportable
  CSP: Microsoft Base Smart Card Crypto Provider
  KSP: Microsoft Smart Card Key Storage Provider

Virtual TPM smart cards (TPMVSCMGR)


More TPM cards


KERBEROS PKINIT – SMART CARD LOGON

Enterprise PKI


Smart Card Logon EKU

Allow signature-only keys valid for logon GPO


Integrated GUI unblock

AdminKey unblock response calculator (only when no PUK)


CREDENTIALS ROAMING

Enterprise PKI

Problems with roaming users

Local profiles

enroll automatically for the same templates on several workstations

especially problematic for encryption keys

Roaming profiles

lost with profile deletion (automatic)

offline nature if logged on simultaneously on several machines


Solution for roaming users

Smart cards

Credentials roaming

Credential roaming

Saves private keys and certificates into Active Directory

excluded from roaming profiles

Accessible by the user and administrators

identity theft!

Remains on workstations wherever the user logs on

Cannot be considered a backup

users can delete certificates



Enable credential roaming

Update group policy and pulse auto-enrollment on client

gpupdate

certutil -user -pulse


Consumption in AD

msPKIAccountCredentials, msPKIDPAPIMasterKeys
  RSA 2048 = 4500 B + 4500 B
  RSA 4096 = 7500 B + 5300 B

Normal certificate publishing userCertificate attribute

maximum of <800 certificates (FFL 2000)

maximum of <1200 certificates (FFL 2003+)

DER binary encoded certificate (1500 B or 1750 B)

CERTIFICATE LIFECYCLE

Implementing HTTPS


Request certificate with new key

Allow renewal based on ownership of previous still valid certificate


Renew certificate with new key

Renewal requests and “old certificate” field in CA

The certificate renewal request is signed with the previous certificate


Autoenrollment renewal and old key archiving

Autoenrollment renewal always happens at 80% of the certificate's lifetime at the latest, or sooner according to template settings


Since Windows 7 and Windows 2008 R2 clients use autoenrollment for renewal of manual subjects as well

Manual IIS binding after renewal


Certificate lifecycle events since Windows 2012 R2 (event 1001, CertificateServicesClient-Lifecycle-System)


IIS automatic certificate rebinding since Windows 2012 R2



Revoke certificate

Revocation reasons (reason code: meaning)

Unspecified

Key compromise: private key stolen or otherwise compromised; policy breach on the private key such as fire or maintenance in the server room

CA compromise: the same as Key compromise, but for the private key of a CA

Change of affiliation: although the purpose for which the certificate exists did not cease, the Subject does not fall under the original certification policy (certificate template) anymore; for instance, this CA issues certificates for people from Prague, but the employee moved to New York

Superseded: the Subject received a new certificate for the same purpose under the same certification policy (certificate template)

Cease of operation: the purpose for which the Subject would be using the certificate disappeared; for instance, the server does not run HTTPS anymore, thus the certificate is not necessary

Hold: disabled temporarily, can be unrevoked; consider the fact that it will disappear from the CRL later and for ever


Always publish a new CRL immediately so that clients which do not have the CRL cached yet update as soon as possible

The GUI does not check the CRL and does not display the status of revoked certificates. You must use CERTUTIL -verify:

CERTUTIL -urlfetch -verify exported-cert.cer


TLS FOR SQL SERVER

Implementing HTTPS and TLS

The need for a trusted TLS certificate

No MITM possible
  TLS self-signed + Kerberos
  TLS trusted

MITM possible
  TLS self-signed + NTLM
  TLS self-signed + SQL authentication


Normally, SQL server creates a volatile self-signed TLS certificate (ID 26018)

Do not use KSP/CNG providers


Standalone instance uses computer’s DNS name

Clustered SQL server requires the cluster virtual name in the certificate

GUI requires Subject

Assign TLS certificate in the SQL server's configuration manager


You can also force encryption on the SQL server side

SQL server will not start (error event ID 26014)


SQL TLS certificate's private key must have read permission

Manage private key dialog for the certificate in Certificates console


Restart SQL server and verify application event log (ID 26013)

Verify certificate thumbprint in registry

HKLM\Software\Microsoft\Microsoft SQL Server\<instance>\MSSqlServer\SuperSocketNetLib

Certificate = REG_SZ = <certificate thumbprint>

SQL on failover cluster

GUI bug, does not work

create certificate for the cluster name

manually set the registry value
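An added PowerShell example (not from the slides) that verifies the SQL Server TLS setup described above: it reads the Certificate thumbprint from SuperSocketNetLib, finds the certificate in LocalMachine\My, checks the Server Authentication EKU and the Subject name, confirms the key is held by a legacy CSP rather than CNG, checks the service account's Read permission on the key file, and looks for the startup event. The instance key name and the service account are assumptions.

```powershell
# Added example, not the slides' own code. Instance key name and service account are
# assumptions; for a clustered instance set $expectedName to the cluster virtual name.
$instanceKey    = 'MSSQL13.MSSQLSERVER'
$serviceAccount = 'NT Service\MSSQLSERVER'
$expectedName   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$regPath = "HKLM:\Software\Microsoft\Microsoft SQL Server\$instanceKey\MSSqlServer\SuperSocketNetLib"

function Test-SqlTlsCertificate {
    $problems = @()
    $reg   = Get-ItemProperty -Path $regPath
    $thumb = "$($reg.Certificate)".Trim()
    if (-not $thumb) { return @('no Certificate value: SQL falls back to a volatile self-signed certificate') }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }  # case-insensitive
    if (-not $cert) { return @("thumbprint $thumb is not in LocalMachine\My") }

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'missing Server Authentication EKU'
    }
    if ($cert.Subject -notlike "CN=$expectedName*") {
        $problems += "Subject '$($cert.Subject)' does not name $expectedName"
    }
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key'
    } else {
        # RSACryptoServiceProvider means a legacy CSP key; RSACng means a CNG/KSP key, which the slides say not to use
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $problems += "key is held by $($rsa.GetType().Name), not a legacy CSP"
        } else {
            # CSP machine keys are files; the service account needs Read on this file
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
            $read = (Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -eq $serviceAccount -and $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
            }
            if (-not $read) { $problems += "$serviceAccount has no direct Read entry on $keyFile (group grants not evaluated)" }
        }
    }
    if ($reg.ForceEncryption -ne 1) { $problems += 'ForceEncryption is not 1: clients may still connect unencrypted' }
    return $problems    # empty array means every check passed
}

$result = Test-SqlTlsCertificate
if ($result.Count -eq 0) { 'OK: SQL TLS certificate configuration looks consistent' } else { $result }

# Successful start with the certificate is logged as event 26013 in the Application log
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 26013 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```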


You can also force encryption on the SQL server side

Enforce protocol encryption on the client with both the 64bit and 32bit CLICONFG and SysWow64\CLICONFG


Enforce protocol encryption on client through GPO in registry

HKLM\Software\Microsoft\Microsoft SQL Server\Client\SuperSocketNetLib

Encrypt = DWORD = 1

HKLM\Software\Wow6432Node\Microsoft\...

Automatic SQL server certificate selection


Modify default accounts on CA (CA 2012+, SQL on 2012+, use legacy CSP)

TLS FOR RDP

Implementing HTTPS and TLS


When

non-domain machines

local accounts

IP address

no Kerberos

Autogenerated RDP certificate by default since Windows 2008 and Vista versus manual config on 2003 SP1


Certificate errors due to the non-trusted self-signed certificate

Yet on intranets the connection is authenticated with Kerberos regardless of the certificate. Requires domain account. Requires Windows 2008+, mstsc client 6+


The self-signed automatically generated RDP server certificate

Define new template with both display and template names the same


Add and use the new RDP EKU OID 1.3.6.1.4.1.311.54.1.2 (Remote Desktop Authentication instead of Server Authentication)

Autoenroll permission is not necessary


Define server authentication certificate template in a GPO

Group Policy based RDP certificate visible on 2008 R2 GUI


Restart Remote Desktop Configuration service and verify registry value WinStations/TemplateCertificate

Event 1063, TerminalServices-RemoteConnectionsManager


Manually selected RDP certificate: SSLCertificateSHA1Hash registry value

RDP server identity verified by both the certificate and Kerberos

Possibility of downgrade attacks

[Diagram: MSTSC client, attacker in the middle, RDP server; RDP Security Layer versus RDP TLS with certificate]

Require TLS on RDP servers to limit downgrade attacks


Require server authentication on clients to prevent downgrade attacks
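An added PowerShell example (not from the slides) that audits the two requirements above: on a server it reports the effective security layer (policy value over listener value), whether NLA is required, and which certificate is presented (the manually selected SSLCertificateSHA1Hash, the GPO template certificate from WinStations/TemplateCertificate, or the auto-generated one); on a client it reports the server authentication policy. The registry paths are the standard Terminal Server keys; CertTemplateName as the policy value name is an assumption.

```powershell
# Added example, not the slides' own code. Run on an RDP server and on a client.
$rdpTcp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$tsPolicy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function ConvertTo-Thumbprint($Value) {
    # Registry stores these hashes as REG_BINARY; render them like the certificate store does
    if ($Value -is [byte[]]) { return ($Value | ForEach-Object { $_.ToString('X2') }) -join '' }
    if ($Value) { return "$Value" } else { return $null }
}

function Get-RdpServerTlsStatus {
    # A GPO writes the policy key, which wins over the per-listener setting
    $layer = Get-RegValue $tsPolicy 'SecurityLayer'
    if ($null -eq $layer) { $layer = Get-RegValue $rdpTcp 'SecurityLayer' }
    $nla = Get-RegValue $tsPolicy 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $rdpTcp 'UserAuthentication' }
    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = TLS required (only 2 blocks the downgrade)
    $layerNames = @{ 0 = 'RDP Security Layer (downgradable)'; 1 = 'Negotiate (downgradable)'; 2 = 'TLS required' }
    $layerName  = if ($null -eq $layer) { 'not set (default: Negotiate)' } else { $layerNames[[int]$layer] }

    $manual   = ConvertTo-Thumbprint (Get-RegValue $rdpTcp 'SSLCertificateSHA1Hash')
    $template = ConvertTo-Thumbprint (Get-RegValue $winStations 'TemplateCertificate')
    $cert = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { ($manual -and $_.Thumbprint -eq $manual) -or ($template -and $_.Thumbprint -eq $template) } |
        Select-Object -First 1
    [pscustomobject]@{
        SecurityLayer       = $layerName
        TlsEnforced         = ($layer -eq 2)
        NlaRequired         = ($nla -eq 1)
        ManualCertificate   = $manual
        TemplateCertificate = $template
        PolicyTemplateName  = Get-RegValue $tsPolicy 'CertTemplateName'   # assumed value name
        PresentedIssuer     = $(if ($cert) { $cert.Issuer } else { '(auto-generated self-signed or none found)' })
    }
}

function Get-RdpClientAuthStatus {
    # 'Configure server authentication for client' policy:
    # 0 = always connect even if authentication fails, 1 = warn, 2 = do not connect
    $level = Get-RegValue $tsPolicy 'AuthenticationLevelOverride'
    $names = @{ 0 = 'Always connect, even if authentication fails'
                1 = 'Warn me if authentication fails'
                2 = 'Do not connect if authentication fails' }
    [pscustomobject]@{
        AuthenticationLevelOverride = $level
        Meaning           = $(if ($null -eq $level) { 'not set by policy (client default: warn)' } else { $names[[int]$level] })
        PreventsDowngrade = ($level -eq 2)
    }
}

Get-RdpServerTlsStatus
Get-RdpClientAuthStatus
```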

THANK YOU!

Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |