Ing. | GOPAS a.s. | [email protected] | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows

CERTIFICATES AND CRYPTOGRAPHY

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | [email protected] | www.sevecek.com |

MOTIVATION

Advanced Windows Security


Motivation for encryption

Ethernet/WiFi prone to ARP poisoning and other attacks

Public internet is insecure

Motivation for Certificates

SASL/GSSAPI: Windows protocols, NTLM/Kerberos, symmetric generated keys

TLS (SSL) encryption: HTTPS, SMTPS, RDP, LDAPS, FTPS, POP3S, IMAP4S, SSTP VPN, IP-HTTPS

TLS (SSL) authentication: 802.1x for Ethernet, 802.1x for WiFi, EAP-TLS for VPN, SSL Client Authentication for HTTPS

IPSec

Smart Card Logon

Encrypting File System

Digital Signing: documents, macros, scripts, executables

Secure Email (S/MIME): signed and/or encrypted


SASL encryption

  # by default SASL encrypted
  Enter-PSSession gps-data

  # by default SASL signed only
  gwmi win32_logicaldisk -computer gps-wks10 -Authentication PacketPrivacy

Motivation for Certificates

Better than simple user passwords

RSA 2048 + SHA-1: comparable to a 12-character complex password

RSA 2048 + SHA256: comparable to a 16-character complex password

Can be stored on a smart card

hardware item

cannot be copied

multifactor authentication and access with PIN

SMB SIGNING AND ENCRYPTION

Advanced Windows Security

SMB signing

Data integrity only, no encryption

Requires Kerberos/NTLM authentication

Prevents SMB reflection attack in case of NTLMv2 session security

Compatibility: Windows 2000+

SAMBA?

SMB signing

SMB encryption

Encrypts with session keys from Kerberos/NTLM

Compatibility

Windows 8/2012+ (SMB v3)

Access denied for older clients


SMB encryption

SMB encryption error from Windows 2008 R2 (SMBv1 and SMBv2 clients)
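Added example, not part of the slides: a PowerShell audit of the SMB signing and encryption state described above. It reads the server-wide policy (RequireSecuritySignature, EncryptData, RejectUnencryptedAccess), the per-share EncryptData flag, and whether the machine's own outbound SMB connections are actually signed or encrypted; it assumes the SmbShare module (Windows 8/2012 and newer).

```powershell
# Added example (not from the slides): report the SMB signing and encryption
# state of the local machine. Needs the SmbShare module (Windows 8 / 2012+).
function Get-SmbProtectionReport {
    [CmdletBinding()]
    param()

    $server = Get-SmbServerConfiguration

    # Server-wide policy. Signing gives integrity only; EncryptData turns on
    # SMB 3 encryption for every share, and RejectUnencryptedAccess (default
    # $true) is what produces "access denied" for SMB1/SMB2 clients.
    $policy = [pscustomobject]@{
        RequireSigning          = $server.RequireSecuritySignature
        EncryptAllShares        = $server.EncryptData
        RejectUnencryptedAccess = $server.RejectUnencryptedAccess
        Smb1Enabled             = $server.EnableSMB1Protocol
    }

    # Encryption can also be enabled per share without the global switch.
    $shares = Get-SmbShare | Where-Object { -not $_.Special } |
        Select-Object Name, Path, EncryptData

    # Outbound connections from this host: a dialect below 3.0 can be signed
    # but never encrypted.
    $connections = Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted

    $findings = @(
        if (-not $server.RequireSecuritySignature) { 'SMB signing is not required by this server' }
        if ($server.EnableSMB1Protocol) { 'SMB1 is enabled; SMB1 clients can never use SMB encryption' }
        foreach ($c in $connections) {
            if (-not $c.Encrypted) {
                "Connection to \\$($c.ServerName)\$($c.ShareName) (dialect $($c.Dialect)) is not encrypted"
            }
        }
    )

    [pscustomobject]@{
        Policy      = $policy
        Shares      = $shares
        Connections = $connections
        Findings    = $findings
    }
}

$report = Get-SmbProtectionReport
$report.Policy
$report.Shares      | Format-Table -AutoSize
$report.Connections | Format-Table -AutoSize
$report.Findings
```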


LDAP signing

LDAP signing requirements

SASL client (TCP 389): Windows, ...

TLS Server Authentication certificate + TLS client (TCP 636): any

CERTIFICATION AUTHORITY

Advanced Windows Security

Certification Authority

Certificate Issuer

Must be trusted by users and servers

May construct hierarchies

CA Hierarchy

CA Types

Enterprise CA: AD integrated

automatically trusted by domain members

issues certificates online

autoenrollment

Standalone: workgroup computer

receives requests in .REQ files and issues .CER files

manual copy/download

Enterprise CA Installation

User must be member of Enterprise Admins

Choose

public key length: RSA 2048

signature: SHA-1 or SHA256 (only 2008/Vista+)

Lab: Installing CA

Log on to server GPS-POLICY as domain admin

Add role: Active Directory Certificate Services

type: Enterprise

public key: RSA 2048

signature: SHA-256

name: GOPAS Root Online CA

After installation open Certification Authority console and remove all Certificate Templates

Lab: Verifying CA Installation

Log on to GPS-WKS as Kamil

Update Group Policy with GPUPDATE

Start MMC

Add Certificates snap-in for Local Computer

Verify that the GOPAS Root Online CA is present in the Trusted Root Certification Authorities

CERTIFICATE TEMPLATES

Advanced Windows Security

Certificate Templates

Certification Policies

Define certificate parameters

Versions

Windows 2000 – cannot be modified

Windows 2003 – can be used by XP, 2003 and newer

Windows 2008 – can be used by Windows 2008/Vista and newer, with exceptions!

Windows 2012 – can be used by all clients according to its compatibility settings

Certificate Templates

Certificate Template Options

Subject Name

Manually defined by requester

Automatically filled in by CA from Active Directory


Subject Name

Enhanced Key Usage

Defines uses of the certificate

KDC Authentication: certificate for Domain Controllers

Server Authentication: TLS/SSL server

Remote Desktop Authentication: RDP/TS server

Client Authentication: TLS/SSL user authentication

Encrypting File System: file encryption

Code Signing: code file signing such as .EXE, .PS1, .VBS, macros in .XLSM

Document Signing: document files such as .DOC, .TXT, .XLS

Secure Email: digitally signed and/or encrypted email

Enhanced Key Usage (EKU)

Permissions

Read: read the definition of the template

Write: modify the template

Enroll: manually ask for the certificate, submit the request to the CA

Autoenroll: client computers can automatically ask for the certificates without user interaction

Permissions

Lab: Define basic certificate templates

On GPS-POLICY open Certificate Templates console

Duplicate Computer template: name: GOPAS TLS Server; private key: exportable; application policies: Server Authentication; permissions: GPS-WFE – Enroll, Autoenroll

Duplicate User template: name: GOPAS User Logon; private key: non-exportable; application policies: Client Authentication, Smart Card Logon; permissions: Domain Users – Enroll, Autoenroll

Publish certificate templates in AD CS: Kerberos Authentication, GOPAS TLS Server, GOPAS User Logon

AUTOENROLLMENT

Advanced Windows Security

Autoenrollment

Automatic management of certificates

Automatic enrollment

if Autoenroll permission is granted

Renews expiring certificates

Archives expired/revoked certificates

Occurs at logon and every 8 hours

CERTUTIL -pulse

CERTUTIL -user -pulse

Autoenrollment Group Policy


Lab: Autoenrollment

On GPS-DC create a new GPO called Autoenrollment

Enable autoenrollment both for users and computers

On GPS-WKS pulse autoenrollment for user: GPUPDATE, CERTUTIL -user -pulse

Verify that Kamil has received a logon certificate: MMC, Certificates, Current User

On GPS-WFE pulse autoenrollment for computer: GPUPDATE, CERTUTIL -pulse

Verify that the server has received a TLS server certificate: MMC, Certificates, Local Computer
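Added example, not from the course material: a PowerShell check of what the autoenrollment lab (and the earlier CA verification lab) should have produced on GPS-WKS and GPS-WFE. It assumes the CA name and the EKU friendly names shown on the slides; the function itself is constructed for this check.

```powershell
# Added example (not from the slides): verify on a client what the
# autoenrollment lab should have produced. CA and EKU names come from the
# slides; the function itself is constructed for this check.
function Test-EnrolledCertificate {
    [CmdletBinding()]
    param(
        [string]$RootCaName = 'GOPAS Root Online CA',
        # CurrentUser for Kamil's logon certificate, LocalMachine for GPS-WFE
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Store = 'CurrentUser',
        # Friendly EKU names as they appear in the certificate template
        [string[]]$RequiredEku = @('Client Authentication', 'Smart Card Logon')
    )

    # 1. The enterprise CA must sit in the machine's Trusted Root store
    #    (delivered to domain members through AD / Group Policy).
    $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$RootCaName*" })

    # 2. Personal store: a currently valid certificate from that CA, with a
    #    private key and every required EKU.
    $now = Get-Date
    $certs = Get-ChildItem "Cert:\$Store\My" | Where-Object {
        $_.Issuer -like "*CN=$RootCaName*" -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.HasPrivateKey
    } | Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { return $false }     # no EKU at all: not usable for these purposes
        $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object FriendlyName)
        @($RequiredEku | Where-Object { $_ -notin $present }).Count -eq 0
    }

    [pscustomobject]@{
        Store         = $Store
        RequiredEku   = $RequiredEku -join ', '
        RootCaTrusted = $rootTrusted
        MatchingCerts = @($certs | Select-Object Subject, NotAfter, Thumbprint)
        Ok            = $rootTrusted -and @($certs).Count -gt 0
    }
}

# Kamil on GPS-WKS: logon certificate from the GOPAS User Logon template
Test-EnrolledCertificate -Store CurrentUser -RequiredEku 'Client Authentication', 'Smart Card Logon'

# GPS-WFE: TLS server certificate from the GOPAS TLS Server template
Test-EnrolledCertificate -Store LocalMachine -RequiredEku 'Server Authentication'
```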

TLS CERTIFICATE APPLICATIONS

Advanced Windows Security


Why TLS and Certificates?

[Diagram: Client – Attacker – Server. Passive eavesdropping: Client and Server share one Key; the Attacker only listens. Active MITM: Client and Attacker share Key A, Attacker and Server share Key B.]

LDAPS (LDAP over TLS)

Protects LDAP Simple Bind credentials

VPN gateways and network devices

NAS devices

VMware vSphere

Enforce TLS for Simple Bind in GPO: LDAP Server Signing Requirements: Require Signing

Usually must import internal CA into the device

Testing LDAPS

Testing LDAPS and Simple Bind


IIS (HTTPS)

EKU: Server Authentication

SAN: manual or DNS name

Enroll: Web Servers


Remote Desktop over TLS

Available since Windows 2003 SP1

Authenticates server identity

RDP Security Layer only establishes encryption keys with D/H

prone to MITM attacks


Remote Desktop

EKU: Server Authentication or EKU: Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2)

SAN: DNS name (autoenrollment), short name (manual), IP address (manual)

Autoenrollment: Enroll: Domain Computers + Domain Controllers; GPO: Server Authentication Certificate Template

RDP with Server Authentication

RDP with Remote Desktop Authentication


Remote Desktop

Kerberos for RDP alias (required for /RemoteGuard)

Require RDP server identity authentication

Two access types

User access - Terminal Servers

problem - must type password every time

implement SSO

mstsc /remoteGuard (Credential Guard)

Admin access - servers/workstations

problem - sending the full password to insecure systems

use /restrictedAdmin

[Diagram: The default scenario. Client → RDP server → second-hop servers. The client-to-RDP-server channel is SSL-encrypted and authenticated by the server cert; Kerberos NLA pre-authentication; the full password travels to the RDP server, which obtains a TGT and TGS tickets for the second-hop servers.]

Single sign-on to RDP: Credentials delegation

SSO and TERMSRV SPN for RDP

[Diagram: RDP SSO for limited users (2012 R2/8.1 and older). Client → RDP server → second-hop servers. SSL-encrypted channel authenticated by the server cert; Kerberos NLA pre-authentication; the full password is delegated to the RDP server, which obtains a TGT and TGS tickets for the second-hop servers.]

[Diagram: Remote Guard for limited users (2016/10 and newer). Client → RDP server → second-hop servers. SSL-encrypted channel authenticated by the server cert; Kerberos NLA pre-authentication; the TGT stays with the client and only TGS tickets for the second-hop servers reach the RDP server.]

RDP RestrictedAdmin mode

Higher security account to lower security machine

No plain-text password into the RDP session, only Kerberos authentication

no double-hop credentials (acts as machine$)

RDP server: Windows 7/2008 R2 with update and newer; RDP client: Windows 8.1/2012 R2 and newer

mstsc /RestrictedAdmin: user must be member of Administrators on the RDP server side

Enabling RestrictedAdmin mode in registry

[Diagram: Restricted Admin mode (Windows 2012 R2/8.1, and update for 2008 R2/7 and newer). Client → RDP server → second-hop servers. SSL-encrypted channel authenticated by the server cert; Kerberos NLA pre-authentication; no password and no user tickets are passed to the RDP server, so second-hop access runs as machine$.]

Authentication Policies (DFL 2012 R2) + Kerberos Armoring (client 2012/8+)

Authentication Policies


IP SECURITY

Advanced Windows Security

Motivation

TLS must be supported by the application

TLS must be manually configured and enabled

SMB encryption must be supported by SMB3 clients and servers

IPSec protects generic IP traffic

Central policy based rules

may provide firewall/identity filters but it is not the primary goal

Brief IPSec Terminology

AH - authentication header

signs IP header plus data

does not work over NAT

ESP - encapsulating security payload

may encrypt or just sign, but data only

may work over NAT with NAT-T

IPSec

EKU: Client Authentication + IPSec IKE Intermediate + Server Authentication

SAN: DNS name

Autoenroll: Domain Computers + Domain Controllers

IPSec Policies


IPSec SA Auditing


IPSec Modes

Main Mode

mutually authenticates remote endpoint

establishes keys to protect Quick Mode exchange

single SA per host-host

Quick Mode

ESP/AH/AES/3DES/SHA1/SHA2 and PFS for particular IP/TCP policy rule

single SA per IP/TCP policy rule


Enterprise Implementation Risks

Client without or with an invalid certificate

must be able to obtain a new one from CA

Public/Domain network switchover

how would the client determine the domain network if it could not connect to a DC?

Registry settings

HKLM\System\CCS\Services\PolicyAgent\Oakley (Windows XP and Windows 2003)

HKLM\System\CCS\Services\IKEEXT\Parameters

Disable AuthIP: IKEFlags (DWORD) += 0x40

Disable CRL checking: IKEFlags (DWORD) += 0x8000

CREDENTIALS ROAMING

Advanced Windows Security

Credential Roaming

Private keys are stored in user profile

on individual workstations

in case of non-roaming profiles it would not roam

Credentials Roaming

upload/download certificates with private keys into user account in AD

roams smoothly with user

secures keys against profile loss


Credentials Roaming Policy

Lab: Credentials Roaming

On GPS-DC create a new GPO called Credentials Roaming

Enable credentials roaming

Update policy on GPS-WKS and GPS-DATA

gpupdate

Log off Kamil from GPS-WKS, log Kamil on to GPS-DATA and verify that his certificates have been roamed to his new profile

EFS

Advanced Windows Security

Encrypting File System

Encrypts individual files

one or more user certificates

EKU: Encrypting File System

Folders can be marked to encrypt all new files inside them

AES 256

[Diagram: Storage encryption. The Document is encrypted with a random Symmetric encryption key; that Symmetric key is in turn encrypted with the owner's Public key (My) and stored alongside the document.]

[Diagram: Storage encryption (sharing). The same random Symmetric key is additionally encrypted with each recipient's Public key (Judit, Kamil), so every holder of a matching private key can recover the Document.]

Features and Limitations

Cannot encrypt system files

En/Decrypted locally on file servers

No group certificates

No simple GUI to share more files at once

Can use smart cards since Windows Vista

Private keys may be backed up on CA

EFS on File Servers

File Servers must be trusted for delegation

either enroll the EFS certificate

or roam the certificates from AD

Data transferred in clear


EFS Group Policy

Lab: Preparing for EFS

Define new certificate template as duplicate of the default User template: name: GOPAS EFS

EKU: Encrypting File System

Enroll: Domain Users

On GPS-DC create new GPO called EFS: EFS: allow

self-signed certificate: disabled

certificate template: GOPAS EFS

Update group policy on GPS-WKS and

Lab: EFS on a File Server

On GPS-DC open Active Directory Users and Computers console

Find the GPS-DATA computer object, open its properties, Delegation tab

Enable "Trust this computer for delegation to any service"

Create and encrypt a file on the \\GPS-DATA\Doc shared folder

Log off from GPS-WKS and log on again and verify that Credentials Roaming has uploaded the newly created certificate from the GPS-DATA file server to your profile

CODE SIGNING

Advanced Windows Security

certutil -hashfile

any file type

just an unsigned hash

Motivation

Prevent own scripts or third-party code from being tampered with

security analysis after an attack

Restrict running unsigned code

.PS1, .VBS, .JS, .EXE, .MSI

Sign .EXE/.PS1 with PowerShell

Timestamping

The signature is not trusted after the certificate expires: "Required certificate is not within its validity period"

You must use a trusted timestamp to verify it was valid at the time of signing (RFC 3161 timestamp protocol):

http://timestamp.verisign.com/scripts/timstamp.dll

http://timestamp.digicert.com

http://timestamp.globalsign.com/scripts/timestamp.dll

http://www.startssl.com/timestamp

Sign .VBS/.JS with PowerShell

Signing .NET assemblies, installers etc.

T:\WindowsSDK\signtool.exe: much more powerful

Set-AuthenticodeSignature: easier, simpler
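Added example, not from the slides: signing a script with Set-AuthenticodeSignature including an RFC 3161 timestamp, then reading the signature back with Get-AuthenticodeSignature; it covers both the timestamping and the PowerShell signing slides above. The default timestamp server is one of the URLs listed above; the sample script path and the self-signed fallback certificate are constructed for the demo.

```powershell
# Added example (not from the slides): sign a script with
# Set-AuthenticodeSignature, request an RFC 3161 timestamp, and read the
# signature back with Get-AuthenticodeSignature.
function New-SignedScriptReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # One of the timestamp servers listed on the slides; pass '' to sign offline.
        [string]$TimestampServer = 'http://timestamp.digicert.com'
    )

    $signParams = @{
        FilePath      = $Path
        Certificate   = $Certificate
        HashAlgorithm = 'SHA256'
    }
    # Without a timestamp the signature stops validating once the signing
    # certificate expires ("Required certificate is not within its validity period").
    if ($TimestampServer) { $signParams.TimestampServer = $TimestampServer }
    $null = Set-AuthenticodeSignature @signParams

    # Read the signature back independently of the signing call.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status          # Valid; UnknownError = chain not trusted; HashMismatch = file changed
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        TimeStamper   = $sig.TimeStamperCertificate.Subject   # $null when no timestamp was applied
    }
}

# Use an enrolled code-signing certificate if one exists; otherwise create a
# self-signed one (constructed test signer) so the demo runs offline. A
# self-signed signer is reported as UnknownError until it is placed in
# Trusted Root and Trusted Publishers.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Constructed Test Signer' -CertStoreLocation Cert:\CurrentUser\My
}

# Constructed sample script to sign.
$script = Join-Path $env:TEMP 'signed-sample.ps1'
Set-Content -Path $script -Value 'Write-Output "signed sample"' -Encoding UTF8

New-SignedScriptReport -Path $script -Certificate $cert

# Any later edit breaks the signature: Status changes to HashMismatch.
Add-Content -Path $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status
```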


Trusted Publisher

App whitelisting

Software Restriction Policies

XP+, all corporate editions

Application Control Policies (AppLocker)

Vista+, Enterprise edition

Server 2008+, all editions


Software Restriction Policies

Available since Windows XP

all professional versions

AppLocker in Enterprise/Ultimate Windows 7+

Block all with exceptions

or allow all with block rules

Rules

path

hash

certificate

Implementing SRP


Enforce PowerShell execution policy


Recap


GPRESULT gps-wks or all GPO report

# discover the PDC emulator and export an HTML report of every GPO in the domain
$dc = Get-ADDomainController -Discover -Service PrimaryDC
Get-GPOReport -All -Domain gopas.virtual -Server $dc -ReportType HTML -Path \\10.2.20.63\e$\goc175\ReportAll.html