CERTIFICATES AND CRYPTOGRAPHY

Transcription

1 Ing. Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security Certified Ethical Hacker CERTIFICATES AND CRYPTOGRAPHY Advanced Windows Security MOTIVATION

2 Motivation for encryption Ethernet/WiFi prone to ARP poisoning and other attacks Public internet is insecure Motivation for Certificates SASL/GSSAPI Windows protocols NTLM/Kerberos symmetric generated keys TLS (SSL) encryption HTTPS, SMTPS, RDP, LDAPS, FTPS, POP3S, IMAP4S, SSTP VPN, IP-HTTPS TLS (SSL) authentication 802.1x for Ethernet, 802.1x for WiFi, EAP-TLS for VPN, SSL Client Authentication for HTTPS IPSec Smart Card Logon Encrypting File System Digital Signing documents, macros, scripts, executables Secure (S/MIME) signed and/or encrypted

3 Motivation for Certificates Better than simple user passwords RSA SHA-1 comparable with 12 characters complex password RSA SHA256 comparable with 16 characters complex password Can be stored in smart card hardware item cannot be copied multifactor authentication and access with PIN Advanced Windows Security SMB SIGNING AND ENCRYPTION

4 SMB signing Data integrity only no encryption Requires Kerberos/NTLM authentication Prevents SMB reflection attack in case of NTLMv2 session security Compatibility Windows SAMBA? SMB signing

5 SMB encryption Encrypts with session keys from Kerberos/NTLM Compatibility Windows 8/2012+ (SMB v3) Access denied for older clients SMB encryption

6 SMB encryption error from Windows 2008 R2 (SMBv1 and SMBv2 clients) LDAP signing

7 LDAP signing requirements SASL client (TCP 389) Windows,... TLS Server Authentication certificate + TLS client (TCP 636) any Advanced Windows Security CERTIFICATION AUTHORITY

8 Certification Authority Certificate Issuer Must be trusted by users and servers May construct hierarchies CA Hierarchy

9 CA Types Enteprise CA AD integrated automatically trusted by domain members issues certifcates online autoenrollment Standalone workgroup computer receives requests in.req files and issues.cer files manual copy/download Enterprise CA Installation User must be member of Enterprise Admins Choose public key lenght: RSA 2048 signature: SHA-1 or SHA256 (only 2008/Vista+)

10 Lab: Installing CA Log on to server GPS-POLICY as domainadmin Add role: role: Active Directory Certificate Services type: Enteprise public key: RSA 2048 signature: SHA-256 name: GOPAS Root Online CA After installation open Certification Authority console and remove all Certificate Templates Lab: Veryfying CA Installation Log on to GPS-WKS as Kamil Update Group Policy with GPUPDATE Start MMC Add Certificates snap-in for Local Computer Verify that the GOPAS Root Online CA is present in the Trusted Root Certification Authorities

11 Advanced Windows Security CERTIFICATE TEMPLATES Certificate Templates Certification Policies Define certificate parameters Versions Windows 2000 cannot be modified Windows 2003 can be used by XP, 2003 and newer Windows 2008 can be use by Windows 2008/Vista and newer, with exceptions! Windows 2012 can be used by all clients according to its compatibility settings

12 Certificate Templates Certificate Template Options

13 Subject Name Manually defined by requester Automatically filled in by CA from Active Directory Subject Name

14 Enhanced Key Usage Defines uses of the certificate KDC Authentication certificate for Domain Controllers Server Authentication TLS/SSL server Remote Desktop Authentication RDP/TS server Client Authentication TLS/SSL user authentication Encrypting File System file encryption Code Signing code file signing such as.exe,.ps1,.vbs, macros in.xlsm Document Signing document files such as.doc,.txt,.xls Secure digitally signed and/or encrypted Enhanced Key Usage (EKU)

15 Permissions Read read the definition of the template Write modify template Enroll manually ask for the certificate submit the request to CA Autoenroll client computers can automatically ask for the certificates without user interaction Permissions

16 Lab: Define basic certificate templates On GPS-POLICY open Certificate Templates console Duplicate Computer template: name: GOPAS TLS Server private key: exportable application policies: Server Authentication permissions: GPS-WFE Enroll, Autoenroll Duplicate User template: name: GOPAS User Logon private key: non-exportable application policies: Client Authentication, Smart Card Logon permissions: Domain Users Enroll, Autoenroll Publish certificate templates in AD CS: Kerberos Authentication, GOPAS TLS Server, GOPAS User Logon Advanced Windows Security AUTOENROLLMENT

17 Autoenrollment Automatic management of certificates Automatic enrollement if Autoenroll permission is granted Renews expiring certificates Archives expired/revoked certificates Occured at logon and every 8 hours CERTUTIL -pulse CERTUTIL -user -pulse Autoenrollment Group Policy

18 Autoenrollment Group Policy Lab: Autoenrollment On GPS-DC create a new GPO called Autoenrollment Enable autoenrollment both for users and computers On GPS-WKS pulse autoenrollment for user GPUPDATE CERTUTIL -user pulse Verify that Kamil has received a logon certificate MMC, Certificates, Current User On GPS-WFE pulse autoenrollment for computer GPUPDATE CERTUTIL pulse Verify that the server has receive a TLS server certificate MMC, Certificates, Local Computer

19 Advanced Windows Security TLS CERTIFICATE APPLICATIONS Why TLS and Certificates? Key Key Client Server Attacker Passive eavesdropping Key A Key A Key B Key B Client Attacker Server Active MITM

20 LDAPS (LDAP over TLS) Protects LDAP Simple Bind credentials VPN gateways and network devices NAS devices VMWare VSphere Enforce TLS for Simple Bind in GPO LDAP Server Signing Requirements: Require Signing Usually must import internal CA into the device Testing LDAPS

21 Testing LDAPS and Simple Bind IIS (HTTPS) EKU: Server Authentication SAN: manual or DNS name Enroll: Web Servers

22 IIS (HTTPS) IIS (HTTPS)

23 Remote Desktop over TLS Available since Windows 2003 SP1 Authenticates server identity RDP Security Layer only establishes encryption keys with D/H prone to MITM attacks Remote Desktop EKU: Server Authentication or EKU: Remote Desktop Authentication SAN: DNS name Enroll: Domain Computer + Domain Controllers GPO: Server Authentication Certificate Template

24 RDP with Server Authentication RDP with Remote Desktop Authentication

25 RDP with Remote Desktop Authentication Remote Desktop

26 Require RDP server identity authentication Two access types User access - Terminal Servers problem - must type password every time implement SSO mstsc /remoteguard (Credential Guard) Admin access - servers/workstations problem - sending full-text password to unsecure systems use /restrictedadmin

27 Single sign on to RDP Credentials delegation SSO and TERMSRV SPN for RDP

28 RDP RestrictedAdmin mode Higher security account to lower security machine No plain-text password into RDP session only Kerberos authentication no double-hop credentials (as machine$) RDP server update 7/2008r2 and newer RDP client Windows 8.1/2012 R2 and newer mstsc /RestrictedAdmin user must be member of Administrators on RDP side Enabling RestrictedAdmin mode in registry

29 Advanced Windows Security IP SECURITY Motivation TLS must be supported by the application TLS must be manually configured and enabled SMB encryption must be supported by SMB3 clients and servers IPSec protects generic IP traffic Central policy based rules may provide firewall/identity filters but it is not the primary goal

30 Brief IPSec Terminology AH - authentication header signs IP header plus data does not work over NAT ESP - encapsulating security payload may encrypt or just sign but data only may work over NAT with NAT-T IPSec EKU: Client Authentication + IPSec IKE Intermediate + Server Authentication SAN: DNS name Autoenroll: Domain Computers + Domain Controllers

31 IPSec Policies IPSec Policies

32 IPSec Policies IPSec SA Auditing

33 IPSec Modes Main Mode mutually authenticates remote endpoint establishes keys to protect Quick Mode exchange single SA per host-host Quick Mode ESP/AH/AES/3DES/SHA1/SHA2 and PFS for particular IP/TCP policy rule single SA per IP/TCP policy rule IPSec SA Auditing

34 Enterprise Implementation Risks Client without or with an invalid certificate must be able to obtain a new one from CA Public/Domain network switchover how would client determine domain network if it could not connect to a DC Registry settings HKLM\System\CCS\Services\PolicyAgent\Oa kley Windows XP and Windows 2003 HKLM\System\CCS\Services\IKEEXT\Parame ters Disable AuthIP IKEFlags = DWORD = + 0x40 Disable CRL checking IKEFlags = DWORD = + 0x8000

35 Advanced Windows Security CREDENTIALS ROAMING Credential Roaming Private keys are stored in user profile on individual workstations in case of non-roaming profiles it would not roam Credentials Roaming upload/download certificates with private keys into user account in AD roams smoothly with user secures keys against profile loss

36 Credentials Roaming Policy Lab: Credentials Roaming On GPS-DC create a new GPO called Credentials Roaming Enable credentials roaming Update policy on GPS-WKS and GPS-DATA gpupdate Log off Kamil from GPS-WKS and log Kamil on GPS-DATA and verify that his certificates has been roamed to his new profile

37 Advanced Windows Security EFS Encrypting File System Encrypts individual files one ore more user certificates EKU: Encrypting File System Folders can be marked to encrypt all new files inside them AES 256

38 Storage encryption Document Symmetric encryption key (random) Symmetric key Public key Storage encryption (sharing) Document Symmetric encryption key (random) Symmetric key Public key (My) Symmetric key Symmetric key Public key (Kamil) Public Public key key key (Judit) (Judit)

39 Features and Limitations Cannot encrypt system files En/Decrypted locally on file servers No group certificates No simple GUI to share more files at once Can use smart cards since Windows Vista Private keys may be backed up on CA EFS on File Servers File Servers must be trusted for delegation either enroll the EFS certificate or roam the certificates from AD Data transferred in clear

40 EFS Group Policy Lab: Preparing for EFS Define new certificate template as duplicate of the default User template name: GOPAS EFS EKU: Encrypting File System Enroll: Domain Users On GPS-DC create new GPO called EFS EFS: allow self/signed certificate: disabled certificate template: GOPAS EFS Update group policy on GPS-WKS and

41 Lab: EFS on a File Server On GPS-DC open Active Directory Users and Computers Console Find GPS-DATA computer object, open its properties on the Delegation tab Enable Trust this computer to any service Create and encrypt a file on \\GPS-DATA\Doc shared folder Log off from GPS-WKS and log on again and verify that the credentials roaming uploaded you the newly created certificate from the GPS- DATA file server Advanced Windows Security CODE SIGNING

42 Motivation Prevent own scripts or third-party code from being tempered security analysis after an attack Restrict running unsigned code.ps1,.vbs,.js,.exe,.msi Sign.EXE/.PS1 with PowerShell

43 Timestamping The signature is not trusted after certificate expires "Required certificate is not within its validity period" You must use trusted timestamp to verify it was valid at the time of signing (RFC 3161 timestamp protocol) Sign.VBS/.JS with PowerShell

44 Signing.NET assemblies, installers etc. T:\WindowsSDK\signtool.exe much more powerful Set-AuthenticodeSignature easier, simpler Trusted Publisher

45 Software Restriction Policies Available since Windows XP all professional version AppLocker in Enterprise/Ultimate Windows 7+ Block all with exceptions or allow all with block rules Rules path hash certificate Implementing SRP

46 Implementing SRP Implementing SRP

47 Implementing SRP Enforce PowerShell execution policy