Top 10 Mistakes in Microsoft Public Key Infrastructure Deployments
Mark B. Cooper, President & Founder, PKI Solutions Inc.
CDP-B242
About PKI Solutions Inc.
• 10 years as Microsoft Senior Engineer for PKI
• Numerous books and whitepapers
• Services include:
  • ADCS Architecture, Deployment and Consulting
  • PKI Assessment and Remediation Services
  • In-Depth PKI Training
  • Retainer and Support Services
“A poorly designed, executed or managed PKI can introduce more security issues than it solves.”
Genesis of The List
• Compiled over 10 years @ Microsoft from MCS, Engineering and "RedZone" sources
• Private and public sectors around the world
• Hundreds of customer environments
• Led to the Microsoft PKI Best Practice Review, which evolved over the years into the ADCS Assessment
Benefits of ADCS Assessments
• Problems can lie in wait
• Many manifest only after the first CA renewal
• Testing and validation are often insufficient
• A fresh perspective spots deficiencies
#1 - CRL Management
Validity & publishing intervals
• Intervals balanced with the need to know about a revocation
• Identification versus authorization
• Highly affected by caching behavior on clients
• Windows caches a CRL for its whole lifetime (until Next Update); a revocation published in between is invisible to that client
• To force a refresh on a client: Certutil.exe -setreg chain\ChainCacheResyncFiletime @now
• Less effective: Certutil.exe -URLcache delete
Validity versus publishing
• Next Update versus Next CRL Publish
• Leverage the overlap to provide redundancy: a publishing failure does not immediately become a validation failure
• CRLOverlapPeriod/Units & CRLDeltaOverlapPeriod/Units
Example: CRL published September 12 @ 1:42pm
• The CA backdates the CRL's effective date by 10 minutes to tolerate clock skew
• Next CRL Publish = Base Interval (7 days) = September 19 @ 1:42pm
  • Clients will look for a new CRL at this time
  • If none is available they continue to use the cached CRL until it expires
• Next Update defines expiration = Base Interval + Overlap = September 20 @ 1:42pm
• Overlap <= Base Interval
Distribution mechanisms
• Active Directory versus HTTP
• Driven by accessibility and client compatibility
Availability
• CRL availability versus CA issuance: an unreachable CRL fails validation for every certificate the CA has ever issued, whereas a CA outage only stops new issuance
• Organizational requirements
• Redundant delivery mechanisms: Active Directory and HTTP
Delta CRL
• Generally unneeded in most environments
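The schedule above, as an added PowerShell example that is not part of the deck: it models the This Update / Next CRL Publish / Next Update dates ADCS derives from the base interval and overlap (using the slide's 10-minute backdating), shows the worst-case time a revocation stays invisible to a client that cached the previous CRL, and applies the matching CA registry values. The CA intervals, the 7-day/1-day values and running the configuration part directly on the CA are assumptions.

```powershell
# Added example (not from the slide deck): model the CRL schedule ADCS will produce
# from CRLPeriod/CRLOverlap, then apply the matching CA settings. Intervals are assumptions.
function Get-CrlSchedule {
    param(
        [datetime]$PublishTime  = (Get-Date),
        [timespan]$BaseInterval = (New-TimeSpan -Days 7),      # CRLPeriod / CRLPeriodUnits
        [timespan]$Overlap      = (New-TimeSpan -Days 1),      # CRLOverlapPeriod / CRLOverlapUnits
        [timespan]$ClockSkew    = (New-TimeSpan -Minutes 10)   # default backdating of the effective date
    )
    # ADCS refuses an overlap longer than the base interval; mirror that rule here
    if ($Overlap -gt $BaseInterval) {
        throw "Overlap ($Overlap) must not exceed the base interval ($BaseInterval)."
    }
    [pscustomobject]@{
        ThisUpdate       = $PublishTime - $ClockSkew                # effective date, backdated for skew
        NextCrlPublish   = $PublishTime + $BaseInterval             # clients start looking for a new CRL
        NextUpdate       = $PublishTime + $BaseInterval + $Overlap  # cached CRL is trusted until here
        # Longest a revocation can stay unseen by a client that fetched the CRL at PublishTime
        MaxRevocationLag = $BaseInterval + $Overlap
    }
}

# Run on the CA: set base interval and overlap, disable delta CRLs, publish a fresh CRL.
# Registry values are read at service start, hence the restart.
function Set-CaCrlIntervals {
    param([int]$PeriodUnits = 7, [string]$Period = 'Days',
          [int]$OverlapUnits = 1, [string]$OverlapPeriod = 'Days')
    certutil -setreg CA\CRLPeriodUnits $PeriodUnits
    certutil -setreg CA\CRLPeriod $Period
    certutil -setreg CA\CRLOverlapUnits $OverlapUnits
    certutil -setreg CA\CRLOverlapPeriod $OverlapPeriod
    certutil -setreg CA\CRLDeltaPeriodUnits 0      # 0 units = no delta CRL
    Restart-Service certsvc
    certutil -crl
}

# Run on a client to discard its cached CRLs instead of waiting for Next Update
function Reset-ClientCrlCache {
    certutil -setreg chain\ChainCacheResyncFiletime @now
}

# The slide's example: published 12 Sept 13:42 with a 7-day interval and 1-day overlap
Get-CrlSchedule -PublishTime (Get-Date '2014-09-12 13:42')
```

With the slide's values the function returns This Update 13:32 on September 12, Next CRL Publish September 19 @ 13:42 and Next Update September 20 @ 13:42; MaxRevocationLag of 8 days is the number to put in front of the people deciding how quickly a revocation must take effect.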
#2 - Misuse of OCSP
• Designed for efficient CRL processing: overcomes large CRL file transfers (MB+)
• Certificate-specific enquiries answered by the OCSP Responder
• Dependent on CRLs: the responder answers from the CA's CRL, so it is bound to the CRL interval
• Not real-time information
• Deterministic results (CAB Forum)
• Available in Server 2012 R2 & 2008 R2 w/ Hotfix 2960124
#3 - OCSP Renewal
OCSP signing certificate
• Required from EACH CA serviced
• Signed by the CA
• The CA signs it with its current key pair; the OCSP responder uses the signing certificate on the CA's behalf
• The responder signs responses like a CA would; the certificate represents a CA signing key
• The responder must also service older key pairs and their CRLs
• Default configuration can break OCSP on CA renewal: once the CA has a new key, the signing certificate it issues chains to the new key, so responses about certificates issued under the old key no longer validate
OCSP key renewal issue
Diagram (timeline): CA Key 1 Created; OCSP Cert 1; Client Cert 1; Client Cert 2; OCSP Cert 2; CA Key 2 Created; OCSP Cert 3; Client Cert 1 still valid at CA Key 1 Expiration; CA Key 2 Expiration. After CA Key 2 is created the only signing certificate being issued chains to Key 2 while Key 1 certificates are still in use.
Fix: have the OCSP signing-certificate request specify the correct CA certificate, and have the CA honor it:
certutil -setreg ca\UseDefinedCACertInRequest 1
Diagram (timeline with the fix applied): CA Key 1 Created; OCSP Cert 1; Client Cert 1; Client Cert 2; OCSP Cert 2; CA Key 2 Created; OCSP Cert 3; Client Cert 1 still valid at CA Key 1 Expiration; OCSP Cert 4; Client Cert 3; CA Key 2 Expiration. A signing certificate continues to be issued for each CA key that still has unexpired certificates.
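A check for the renewal problem described in #3, as an added PowerShell example that is not part of the deck: run on the Online Responder, it enumerates every CA certificate the CA still holds (one per key pair), and reports whether a time-valid OCSP signing certificate whose Authority Key Identifier matches that CA key exists in the machine's Personal store. A CA key without one is exactly the state the diagram shows after renewal. The CA config string, the temp path and the use of the CA's RPC interface to fetch the certificates are assumptions.

```powershell
# Added example (not from the slide deck): verify that every CA key pair is covered by
# a current OCSP signing certificate on this Online Responder. CA config is an assumption.
function Get-ExtensionHex {
    param($Cert, [string]$Oid, [string]$Prefix = '')
    $e = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $e) { return $null }
    $text = $e.Format($false)
    # AKI formats as "KeyID=..." (possibly followed by issuer/serial); SKI formats as bare hex
    if ($Prefix -and $text -match "$Prefix([0-9a-fA-F\s]+)") { $text = $Matches[1] }
    return ($text -replace '[^0-9a-fA-F]', '').ToLower()
}

function Test-OcspSigningCoverage {
    param([string]$CAConfig = 'caserver\Contoso Issuing CA')   # assumed CA config string
    $countText = certutil -config $CAConfig -cainfo certcount | Out-String
    if ($countText -notmatch 'count:\s*(\d+)') { throw "Could not read CA certificate count:`n$countText" }
    $count = [int]$Matches[1]

    # Responder signing certificates carry the OCSP Signing EKU and live in LocalMachine\My
    $signers = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9' }
    $now = Get-Date

    for ($i = 0; $i -lt $count; $i++) {
        $file = Join-Path $env:TEMP "cakey$i.cer"
        certutil -config $CAConfig -ca.cert $file $i | Out-Null    # CA certificate at index $i
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
        if ($ca.NotAfter -lt $now) { continue }                     # nothing issued by it is valid any more
        $ski = Get-ExtensionHex $ca '2.5.29.14'
        $match = $signers | Where-Object {
            (Get-ExtensionHex $_ '2.5.29.35' 'KeyID=') -eq $ski -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
        } | Select-Object -First 1
        [pscustomobject]@{
            CaCertIndex = $i
            CaNotAfter  = $ca.NotAfter
            CaKeyId     = $ski
            Covered     = [bool]$match
            SigningCert = if ($match) { $match.Thumbprint } else { 'NONE - responses for this key will fail' }
        }
    }
}

# On the CA, the slide's fix makes the CA sign each signing-certificate request with the
# CA key named in the request, so the responder can enroll one signing cert per CA key:
#   certutil -setreg ca\UseDefinedCACertInRequest 1
#   Restart-Service certsvc
Test-OcspSigningCoverage | Format-Table -AutoSize
```

Expired CA certificates are skipped because nothing they issued can still be valid; every remaining CA key must show Covered = True, otherwise relying parties checking certificates from that key get unsigned or unverifiable responses.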
#4 - ADCS Hotfixes
• Distinct from product updates: not distributed by Windows Update
• Product/issue-specific fix for a previously reported issue, shipped with remediation
• "Test and apply only if needed" philosophy
• Preventative use: if possible in the environment, consider the hotfix; you don't need to wait for the problem
• Time consuming to find; comprehensive list: http://pkisolutions.com/adcs-hotfixes
Chart: ADCS hotfix counts per platform (Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2) and known ADCS client issues, as of September 12, 2014. The bars as extracted read 15, 18, 7, 4 and 5 hotfixes; ADCS client issues read 1, 3 and 3 known issues.
#5 - Network Device Enrollment Service
Microsoft's SCEP implementation
• Cisco designed SCEP for devices that cannot authenticate to a directory: routers & switches
• Available since Server 2000 in the Windows Resource Kit; integrated starting with Server 2008
Leveraged for many BYOD scenarios
• VoIP, tablets, phones, Internet of Things
Security and architecture
• Authentication and enrollment are disjointed: the party that authenticates to obtain the challenge password is not the device that submits the request
• BYOD often necessitates DMZ exposure
• New whitepaper from Microsoft - Link TBD
• Manage URI access to the server
• Does the solution require exposure of the admin page? Firewall & SSL protection
• NDES key protection: Hardware Security Module (think of the Heartbleed exploit)
Diagram: client devices reach NDES in an isolated network/DMZ through the exterior firewall; an interior firewall separates the DMZ from the internal network holding the domain controllers and the issuing CA; the root CA is offline.
Server 2012 R2 NDES Policy Module
• Offloads authentication and enrollment management
• Authorization tied to the enrollment request
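The two NDES hardening points above (control who reaches the endpoints, and do not let the admin page stand unprotected), as an added PowerShell example that is not part of the deck. It audits the challenge-password settings under the MSCEP registry key and then uses the WebAdministration module to require SSL on both the enrollment and admin applications and to restrict the admin page to one subnet. The site name, the application paths under certsrv and the 10.10.5.0/24 admin subnet are assumptions.

```powershell
# Added example (not from the slide deck): audit NDES challenge-password settings and
# lock the admin page to an admin subnet over SSL. Site, paths and subnet are assumptions.
function Get-MscepValue([string]$SubKey, [string]$Name) {
    $key = "HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\$SubKey"
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-NdesPasswordPolicy {
    $base = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $policy = [pscustomobject]@{
        EnforcePassword        = Get-MscepValue 'EnforcePassword'   'EnforcePassword'    # 1 = challenge password required
        UseSinglePassword      = Get-MscepValue 'UseSinglePassword' 'UseSinglePassword'  # 1 = one static password for all devices
        PasswordMax            = Get-MscepValue 'PasswordMax'       'PasswordMax'        # outstanding one-time passwords allowed
        PasswordValidity       = Get-MscepValue 'PasswordValidity'  'PasswordValidity'   # minutes a password stays usable
        EncryptionTemplate     = $base.EncryptionTemplate
        GeneralPurposeTemplate = $base.GeneralPurposeTemplate
        SignatureTemplate      = $base.SignatureTemplate
        Findings               = @()
    }
    if ($policy.EnforcePassword -ne 1)   { $policy.Findings += 'Challenge password not enforced: anything that reaches mscep.dll can enroll.' }
    if ($policy.UseSinglePassword -eq 1) { $policy.Findings += 'One static password for every device: a single leak enrolls everything.' }
    if ($policy.PasswordValidity -gt 60) { $policy.Findings += "Passwords stay valid for $($policy.PasswordValidity) minutes; shorten the window." }
    $policy
}

function Protect-NdesAdminPage {
    param([string]$Site = 'Default Web Site',
          [string]$AdminSubnet = '10.10.5.0', [string]$AdminMask = '255.255.255.0')   # assumed admin network
    Import-Module WebAdministration
    # ipSecurity is ignored unless the IP and Domain Restrictions feature is installed
    if (-not (Get-WindowsFeature Web-IP-Security).Installed) { Install-WindowsFeature Web-IP-Security | Out-Null }
    foreach ($app in 'certsrv/mscep', 'certsrv/mscep_admin') {
        # Require SSL on the device enrollment endpoint and on the admin page
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$app" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
    # Writing with -Location stores the rules in applicationHost.config, so the locked
    # ipSecurity section does not have to be unlocked for web.config use
    $loc = "$Site/certsrv/mscep_admin"
    Clear-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/ipSecurity'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/ipSecurity' -Name allowUnlisted -Value $false
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/ipSecurity' -Name '.' `
        -Value @{ ipAddress = $AdminSubnet; subnetMask = $AdminMask; allowed = $true }
}

Get-NdesPasswordPolicy
Protect-NdesAdminPage
```

The enrollment endpoint itself still has to be reachable by the devices (through the DMZ firewall), which is why the IP restriction is applied only to mscep_admin; the challenge password, not network position, is what gates enrollment there.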
#6 - Certificate Validity Periods
• Hierarchy lifetimes truncate children: a CA never issues a certificate that outlives its own certificate
• Plan from the client and up: each tier at least 2x the child lifetime
• Balance with cryptographic usefulness: longer validity calls for stronger crypto
Example: Root CA 10 years, Enterprise CA 5 years, device certificate 2 years
Half-life renewals with the same key
• Harder to track but fewer keys
Diagrams (Root CA 10 years, Enterprise CA 5 years, device certificates 2 years): without renewal, the last device certificate issued before the Enterprise CA expires is truncated (2 years, 2 years, then 1 year); with the Enterprise CA renewed at its half-life of 2.5 years, by same-key renewal or new-key renewal, device certificates keep their full 2 years.
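The planning rule and the truncation effect above, as an added PowerShell example that is not part of the deck. The first function checks a proposed set of lifetimes against the 2x rule and gives the half-life renewal points; the second, run on an issuing CA, reads the configured maximum validity and the current CA certificate and computes the date after which every certificate the CA issues is silently cut short. That date is the real renewal deadline, well ahead of the CA certificate's expiry. Reading the active CA name from the CertSvc registry, approximating months and years in days, and the default lifetimes are assumptions.

```powershell
# Added example (not from the slide deck): validate hierarchy lifetimes and find the date
# after which an issuing CA starts truncating what it issues. Defaults are assumptions.
function Test-HierarchyLifetimes {
    param([double]$LeafYears = 2, [double]$IssuingYears = 5, [double]$RootYears = 10)  # slide's example
    [pscustomobject]@{
        IssuingMeets2x      = $IssuingYears -ge 2 * $LeafYears
        RootMeets2x         = $RootYears    -ge 2 * $IssuingYears
        IssuingRenewAtYear  = $IssuingYears / 2    # half-life renewal keeps leaf certs untruncated
        RootRenewAtYear     = $RootYears / 2
        MaxUntruncatedLeaf  = $IssuingYears / 2    # leaf lifetime that survives a half-life renewal schedule
    }
}

function Get-CaTruncationDate {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca  = (Get-ItemProperty $cfg).Active                       # active CA common name
    $p   = Get-ItemProperty (Join-Path $cfg $ca)
    # CA\ValidityPeriod caps what this CA issues (templates may be shorter, never longer);
    # day counts for months/years are approximations
    $days = switch ($p.ValidityPeriod) {
        'Years'  { 365 * $p.ValidityPeriodUnits }
        'Months' { 30  * $p.ValidityPeriodUnits }
        'Weeks'  { 7   * $p.ValidityPeriodUnits }
        'Days'   { $p.ValidityPeriodUnits }
        default  { throw "Unexpected ValidityPeriod '$($p.ValidityPeriod)'" }
    }
    $file = Join-Path $env:TEMP 'current-ca.cer'
    certutil -ca.cert $file | Out-Null                          # most recent CA certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $cutoff = $cert.NotAfter.AddDays(-$days)
    [pscustomobject]@{
        CA                 = $ca
        CaNotAfter         = $cert.NotAfter
        ConfiguredValidity = "$($p.ValidityPeriodUnits) $($p.ValidityPeriod)"
        TruncationStarts   = $cutoff            # certificates issued after this get NotAfter = CaNotAfter
        DaysUntilTruncation = [math]::Floor(($cutoff - (Get-Date)).TotalDays)
        AlreadyTruncating  = (Get-Date) -gt $cutoff
    }
}

Test-HierarchyLifetimes
Get-CaTruncationDate
```

With the slide's values, TruncationStarts for a 5-year CA issuing 2-year certificates falls three years after the CA certificate was issued, which is already past the 2.5-year half-life; renewing at the half-life is what keeps the two from ever meeting.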
#7 - CA Key Protection
• Paramount to the integrity of the PKI: exposure of the key negates its cryptographic strength
• Soft versus hard keys (think of the Heartbleed exploit: a software key can be read out of process memory)
• Cheaper to protect than to remediate a compromise
• Hardware Security Modules for the CA and NDES roles: Thales e-Security & Gemalto/SafeNet
• TPM CA keys: a word of caution
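A way to find out which kind of key you actually have, as an added PowerShell example that is not part of the deck. Run on the CA it reads the provider the CA signing key is stored under from the CertSvc CSP registry key; run on the CA or the NDES server it lists every certificate with a private key in the machine store and the CSP/KSP holding that key. Keys under Microsoft's built-in software providers are flagged as soft keys; any other provider is reported as-is so the operator can confirm it is the HSM's. The "^Microsoft " provider-name pattern is the only assumption.

```powershell
# Added example (not from the slide deck): report where the CA signing key and the
# machine's private keys live and flag software-held ("soft") keys.
function Test-SoftKey([string]$Provider) {
    # Microsoft's in-box CSPs/KSPs keep key material on disk and in process memory,
    # which is what a Heartbleed-class memory disclosure exposes (pattern is an assumption)
    return $Provider -match '^Microsoft '
}

function Get-CaKeyProvider {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { return }                  # this host is not a CA
    $ca  = (Get-ItemProperty $cfg).Active
    $csp = Get-ItemProperty (Join-Path $cfg "$ca\CSP")      # provider the CA key was created under
    [pscustomobject]@{
        Key       = "CA signing key ($ca)"
        Provider  = $csp.Provider
        Algorithm = if ($csp.CNGPublicKeyAlgorithm) { $csp.CNGPublicKeyAlgorithm } else { "legacy CSP type $($csp.ProviderType)" }
        SoftKey   = Test-SoftKey $csp.Provider
    }
}

function Get-MachineKeyProviders {
    # Covers NDES RA certificates, OCSP signing certificates and anything else enrolled here
    foreach ($c in Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey) {
        $provider = $null
        try {
            # RSACertificateExtensions needs .NET 4.6+; returns RSACng for KSP keys, RSACryptoServiceProvider for CSP keys
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
            if ($key -is [System.Security.Cryptography.RSACng]) { $provider = $key.Key.Provider.Provider }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $provider = $key.CspKeyContainerInfo.ProviderName }
        } catch { $provider = "unreadable: $($_.Exception.Message)" }
        [pscustomobject]@{
            Key      = "$($c.Subject) [$($c.Thumbprint)]"
            Provider = $provider
            SoftKey  = if ($provider) { Test-SoftKey $provider } else { $null }
        }
    }
}

Get-CaKeyProvider
Get-MachineKeyProviders | Format-Table -AutoSize
```

Non-RSA keys come back with an empty provider (GetRSAPrivateKey returns nothing for them); a result that shows the CA key under "Microsoft Software Key Storage Provider" is the finding this slide is about, and the only remediation is a new key pair generated in the HSM and a CA renewal with that key.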
#8 - Architecture
PKI hierarchy deployment mismatch
• Not designed to security/operational needs
• Designed blindly from labs/books/whitepapers
• Single- and three-tier hierarchies are the ones most often incorrect (a Policy/Intermediate CA tier is rarely justified)
• Is there a CAPolicy.inf?
• Single tier/Enterprise Root CA: using smart cards, S/MIME, code signing, file encryption, a large number of non-AD clients?
"Today, I just need a ...... certificate"
• Design for the next 12-18 months minimum: what else is approved? What does the organization need?
• Easy to under-engineer, hard to overdo it
Security and architecture are the key aspects
• Security can be improved later, but integrity can't
• Architecture is generally inflexible
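The CAPolicy.inf question above, as an added PowerShell example that is not part of the deck: it writes the file the ADCS setup reads from %windir% before the role is installed, for the offline root of a two-tier design. The 10-year root lifetime is the slide's example value; the 4096-bit renewal key, the 26-week root CRL, disabled delta CRLs and the empty CDP/AIA sections in the root certificate are assumptions to adapt.

```powershell
# Added example (not from the slide deck): CAPolicy.inf for a two-tier design's offline
# root, written before Install-AdcsCertificationAuthority runs. Values are assumptions.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key size and lifetime used when the root renews itself (10 years per the example hierarchy)
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; An offline root publishes a base CRL rarely and never a delta CRL
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Only meaningful for an enterprise CA, harmless here: a root issues to subordinate CAs only
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

; A self-signed root certificate carries no CDP/AIA: nothing checks a trust anchor for revocation
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# Single-quoted here-string keeps "$Windows NT$" literal; ASCII is what setup expects
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# Confirm setup consumed it after the role is installed (values land in the CA registry)
function Test-CaPolicyApplied {
    [pscustomobject]@{
        CRLPeriodUnits = certutil -getreg CA\CRLPeriodUnits | Select-String 'REG_DWORD'
        CRLPeriod      = certutil -getreg CA\CRLPeriod      | Select-String 'REG_SZ'
    }
}
```

The file has to exist before setup starts; dropping it in afterwards changes nothing, and the renewal values only take effect at the root's next renewal, which is the "architecture is inflexible" point in practice.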
#9 - "Offline" Root
Physical isolation of the root
• Reduces the attack surface
• Requires physical access
• Eliminates remote attacks
"Sometimes" offline
• Turned off when unused, brought onto the network for maintenance: that is not offline
Offline means OFFLINE!
• Define & use USB flash/virtual floppy drives for moving certificates, CRLs and requests across the gap
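The media-based workflow above, as an added PowerShell example that is not part of the deck: from a domain-joined admin host it reads the root CRL carried over on removable media, refuses one that has already expired, publishes certificate and CRL to Active Directory and copies them to the HTTP CDP, and returns the CRL's Next Update so the next offline session can be scheduled before clients stop trusting the root's CRL (the classic way an offline root takes a PKI down). The drive letter, file names, the offline root's host name (the CN of its CDP container in AD) and the web share are assumptions.

```powershell
# Added example (not from the slide deck): publish an offline root's certificate and CRL
# from removable media and report the CRL's expiry. Paths, names and share are assumptions.
function Get-CrlTimes {
    param([string]$CrlPath)
    # certutil -dump prints "ThisUpdate:" and "NextUpdate:" lines and the ADCS-specific
    # "Next CRL Publish" extension; dates use the local culture, so Parse() matches
    $dump = certutil -dump $CrlPath | Out-String
    $this = if ($dump -match '(?m)^\s*ThisUpdate:\s*(.+?)\s*$') { [datetime]::Parse($Matches[1]) }
    $next = if ($dump -match '(?m)^\s*NextUpdate:\s*(.+?)\s*$') { [datetime]::Parse($Matches[1]) }
    $pub  = if ($dump -match 'Next CRL Publish\s*\r?\n\s*([^\r\n]+)') { [datetime]::Parse($Matches[1]) }
    [pscustomobject]@{
        ThisUpdate      = $this
        NextUpdate      = $next
        NextCrlPublish  = $pub
        DaysUntilExpiry = if ($next) { [math]::Floor(($next - (Get-Date)).TotalDays) }
    }
}

function Publish-OfflineRootArtifacts {
    param(
        [string]$MediaRoot = 'E:\',                 # removable media from the offline root
        [string]$RootCert  = 'ContosoRootCA.crt',   # assumed file names
        [string]$RootCrl   = 'ContosoRootCA.crl',
        [string]$RootHost  = 'ROOTCA01',            # offline root host name = CN of its CDP container
        [string]$HttpCdp   = '\\web01\cdp$'         # assumed share behind the HTTP CDP/AIA URL
    )
    $cert  = Join-Path $MediaRoot $RootCert
    $crl   = Join-Path $MediaRoot $RootCrl
    $times = Get-CrlTimes $crl
    if (-not $times.NextUpdate) { throw "Could not read NextUpdate from $crl" }
    if ($times.NextUpdate -lt (Get-Date)) {
        throw "CRL on media expired at $($times.NextUpdate); generate a new one on the root first."
    }
    # RootCA publishes to the Certification Authorities and AIA containers; the CRL goes to
    # CN=$RootHost,CN=CDP. -f overwrites existing objects. Needs Enterprise Admin rights.
    certutil -dspublish -f $cert RootCA
    certutil -dspublish -f $crl $RootHost
    Copy-Item $cert, $crl -Destination $HttpCdp -Force
    certutil -pulse                              # pull the new AD objects on this host now
    $times
}

Publish-OfflineRootArtifacts
```

DaysUntilExpiry is the number to put in the operations calendar: the root must be powered on and a new CRL signed (certutil -crl on the root, then this procedure again) comfortably before it reaches zero.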
#10 - Collusion Requirements
Design: no single person access
• Collusion procedures define multi-person access
• Cradle-to-grave operational controls
Enforce procedures
• Easily broken without accountability, controls, and auditing
• HSMs can enforce some controls (for example quorum card sets)
• Locks and card keys, never held by the same person
A moment alone can never be undone
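The ADCS-side enforcement and audit trail for the procedures above, as an added PowerShell example that is not part of the deck: it enables role separation (the CA refuses any principal holding more than one CA role, so no single account can both change permissions and manage certificates), turns on all CA audit categories together with the Security-log subcategory they depend on, and then pulls the audit events that record backups, archived-key retrieval and permission or configuration changes. The 7-day review window and the chosen set of event IDs are assumptions.

```powershell
# Added example (not from the slide deck): enforce role separation, enable CA auditing
# and review the sensitive events. Run on the CA. Window and event selection are assumptions.
function Enable-CaSeparationAndAudit {
    # RoleSeparationEnabled=1: a principal holding two CA roles is denied both. Confirm
    # the CA Administrator and Certificate Manager role members are disjoint before enabling.
    certutil -setreg CA\RoleSeparationEnabled 1
    # AuditFilter 127 = all seven CA audit categories
    certutil -setreg CA\AuditFilter 127
    # CA events only reach the Security log when the subcategory itself is audited
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
    Restart-Service certsvc
}

function Get-CaSensitiveEvents {
    param([int]$Days = 7)
    # Certification Services audit events worth a second pair of eyes (selection is an assumption)
    $ids = @{
        4876 = 'CA backup started';          4877 = 'CA backup completed'
        4878 = 'CA restore started';         4879 = 'CA restore completed'
        4882 = 'CA security permissions changed'
        4883 = 'Archived key retrieved'
        4885 = 'Audit filter changed'
        4890 = 'Certificate manager settings changed'
        4891 = 'CA configuration entry changed'
        4892 = 'CA property changed'
        4897 = 'Role separation enabled'
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                What   = $ids[$_.Id]
                Detail = ($_.Message -split "`r?`n")[0]
            }
        }
}

Enable-CaSeparationAndAudit
Get-CaSensitiveEvents | Sort-Object Time | Format-Table -AutoSize
```

Two events deserve a standing alert rather than a weekly review: 4885 (someone reduced the audit filter) and 4882 (someone changed who may administer the CA), since either is the first step of the "moment alone" this slide warns about.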
Questions?
Stay Connected: www.pkisolutions.com
www.pkisolutions.com/adcs-hotfixes
@pkisolutions
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.