Ing. Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security Certified Ethical Hacker ondrej@sevecek.com www.sevecek.com CERTIFICATES AND CRYPTOGRAPHY Troubleshooting Remote Access MOTIVATION
Motivation for encryption Ethernet/WiFi prone to ARP poisoning and other attacks Public internet is insecure Motivation for Certificates TLS (SSL) encryption HTTPS, SMTPS, RDP, LDAPS, FTPS, POP3S, IMAP4S, SSTP VPN, IP-HTTPS TLS (SSL) authentication 802.1x for Ethernet, 802.1x for WiFi, EAP-TLS for VPN, SSL Client Authentication for HTTPS IPSec Smart Card Logon Encrypting File System Digital Signing documents, macros, scripts, executables Secure Email (S/MIME) signed and/or encrypted
Motivation for Certificates Better than simple user passwords RSA 2048 + SHA-1 comparable with 12 characters complex password RSA 2048 + SHA256 comparable with 16 characters complex password Can be stored in smart card hardware item cannot be copied multifactor authentication and access with PIN Troubleshooting Remote Access CERTIFICATION AUTHORITY
Certification Authority Certificate Issuer Must be trusted by users and servers May construct hierarchies CA Hierarchy
CA Types Enteprise CA AD integrated automatically trusted by domain members issues certifcates online autoenrollment Standalone workgroup computer receives requests in.req files and issues.cer files manual copy/download Enterprise CA Installation User must be member of Enterprise Admins Choose public key lenght: RSA 2048 signature: SHA-1 or SHA256 (only 2008/Vista+)
Troubleshooting Remote Access CERTIFICATE TEMPLATES Certificate Templates Certification Policies Define certificate parameters Versions Windows 2000 cannot be modified Windows 2003 can be used by XP, 2003 and newer Windows 2008 can be use by Windows 2008/Vista and newer, with exceptions! Windows 2012 can be used by all clients according to its compatibility settings
Certificate Templates Certificate Template Options
Subject Name Manually defined by requester Automatically filled in by CA from Active Directory Subject Name
Enhanced Key Usage Defines uses of the certificate KDC Authentication certificate for Domain Controllers Server Authentication TLS/SSL server Remote Desktop Authentication RDP/TS server Client Authentication TLS/SSL user authentication Encrypting File System file encryption Code Signing code file signing such as.exe,.ps1,.vbs, macros in.xlsm Document Signing document files such as.doc,.txt,.xls Secure Email digitally signed and/or encrypted email Enhanced Key Usage (EKU)
Permissions Read read the definition of the template Write modify template Enroll manually ask for the certificate submit the request to CA Autoenroll client computers can automatically ask for the certificates without user interaction Permissions
Troubleshooting Remote Access AUTOENROLLMENT Autoenrollment Automatic management of certificates Automatic enrollement if Autoenroll permission is granted Renews expiring certificates Archives expired/revoked certificates Occured at logon and every 8 hours CERTUTIL -pulse CERTUTIL -user -pulse
Autoenrollment Group Policy Autoenrollment Group Policy
Troubleshooting Remote Access TLS CERTIFICATE APPLICATIONS Why TLS and Certificates? Key Key Client Server Attacker Passive eavesdropping Key A Key A Key B Key B Client Attacker Server Active MITM
IIS (HTTPS) EKU: Server Authentication SAN: manual or DNS name Enroll: Web Servers IIS (HTTPS)
IIS (HTTPS) Remote Desktop over TLS Available since Windows 2003 SP1 Authenticates server identity RDP Security Layer only establishes encryption keys with D/H prone to MITM attacks
Remote Desktop EKU: Server Authentication or EKU: Remote Desktop Authentication 1.3.6.1.4.1.311.54.1.2 SAN: DNS name Enroll: Domain Computer + Domain Controllers GPO: Server Authentication Certificate Template RDP with Server Authentication
RDP with Remote Desktop Authentication RDP with Remote Desktop Authentication
Remote Desktop Single sign on to RDP Credentials delegation
SSO and TERMSRV SPN for RDP