ing. | gopas a.s. | [email protected] | | certificates and cryptography · 2019-07-23 · windows...
TRANSCRIPT
![Page 1: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/1.jpg)
CERTIFICATES AND CRYPTOGRAPHY
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |[email protected] | www.sevecek.com |
MOTIVATIONAdvanced Windows Security
![Page 2: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/2.jpg)
Motivation for encryption
Ethernet/WiFi prone to ARP poisoning and other attacks
Public internet is insecure
Motivation for Certificates
SASL/GSSAPI Windows protocols NTLM/Kerberos symmetric generated keys
TLS (SSL) encryption HTTPS, SMTPS, RDP, LDAPS, FTPS, POP3S, IMAP4S, SSTP VPN, IP-HTTPS
TLS (SSL) authentication 802.1x for Ethernet, 802.1x for WiFi, EAP-TLS for VPN, SSL Client Authentication
for HTTPS
IPSec
Smart Card Logon
Encrypting File System
Digital Signing documents, macros, scripts, executables
Secure Email (S/MIME) signed and/or encrypted
![Page 3: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/3.jpg)
SASL encryption
# by default SASL encrypted
Enter-PSSession gps-data
# by default SASL signed only
gwmi win32_logicaldisk -computer gps-wks10 -
Authentication PacketPrivacy
Motivation for Certificates
Better than simple user passwords
RSA 2048 + SHA-1 comparable with 12 characters complex password
RSA 2048 + SHA256 comparable with 16 characters complex password
Can be stored in smart card
hardware item
cannot be copied
multifactor authentication and access with PIN
![Page 4: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/4.jpg)
SMB SIGNING AND ENCRYPTION
Advanced Windows Security
SMB signing
Data integrity only no encryption
Requires Kerberos/NTLM authentication
Prevents SMB reflection attack in case of NTLMv2 session security
Compatibility Windows 2000+
SAMBA?
![Page 5: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/5.jpg)
SMB signing
SMB encryption
Encrypts with session keys from Kerberos/NTLM
Compatibility
Windows 8/2012+ (SMB v3)
Access denied for older clients
![Page 6: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/6.jpg)
SMB encryption
SMB encryption error from Windows 2008 R2 (SMBv1 and SMBv2 clients)
![Page 7: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/7.jpg)
LDAP signing
LDAP signing requirements
SASL client (TCP 389)
Windows, ...
TLS Server Authentication certificate + TLS client (TCP 636)
any
![Page 8: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/8.jpg)
CERTIFICATION AUTHORITY
Advanced Windows Security
Certification Authority
Certificate Issuer
Must be trusted by users and servers
May construct hierarchies
![Page 9: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/9.jpg)
CA Hierarchy
CA Types
Enteprise CA AD integrated
automatically trusted by domain members
issues certifcates online
autoenrollment
Standalone workgroup computer
receives requests in .REQ files and issues .CER files
manual copy/download
![Page 10: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/10.jpg)
Enterprise CA Installation
User must be member of Enterprise Admins
Choose
public key lenght: RSA 2048
signature: SHA-1 or SHA256 (only 2008/Vista+)
Lab: Installing CA
Log on to server GPS-POLICY as domain-admin
Add role: role: Active Directory Certificate Services
type: Enteprise
public key: RSA 2048
signature: SHA-256
name: GOPAS Root Online CA
After installation open Certification Authority console and remove all Certificate Templates
![Page 11: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/11.jpg)
Lab: Veryfying CA Installation
Log on to GPS-WKS as Kamil
Update Group Policy with GPUPDATE
Start MMC
Add Certificates snap-in for Local Computer
Verify that the GOPAS Root Online CA is present in the Trusted Root Certification Authorities
CERTIFICATE TEMPLATESAdvanced Windows Security
![Page 12: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/12.jpg)
Certificate Templates
Certification Policies
Define certificate parameters
Versions Windows 2000 – cannot be modified
Windows 2003 – can be used by XP, 2003 and newer
Windows 2008 – can be use by Windows 2008/Vista and newer, with exceptions!
Windows 2012 – can be used by all clients according to its compatibility settings
Certificate Templates
![Page 13: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/13.jpg)
Certificate Template Options
Subject Name
Manually defined by requester
Automatically filled in by CA from Active Directory
![Page 14: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/14.jpg)
Subject Name
Enhanced Key Usage
Defines uses of the certificate
KDC Authentication certificate for Domain Controllers
Server Authentication TLS/SSL server
Remote Desktop Authentication RDP/TS server
Client Authentication TLS/SSL user authentication
Encrypting File System file encryption
Code Signing code file signing such as .EXE, .PS1, .VBS, macros in .XLSM
Document Signing document files such as .DOC, .TXT, .XLS
Secure Email digitally signed and/or encrypted email
![Page 15: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/15.jpg)
Enhanced Key Usage (EKU)
Permissions
Read read the definition of the template
Write modify template
Enroll manually ask for the certificate
submit the request to CA
Autoenroll client computers can automatically ask for the
certificates without user interaction
![Page 16: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/16.jpg)
Permissions
Lab: Define basic certificate templates On GPS-POLICY open Certificate Templates console
Duplicate Computer template: name: GOPAS TLS Server private key: exportable application policies: Server Authentication permissions: GPS-WFE – Enroll, Autoenroll
Duplicate User template: name: GOPAS User Logon private key: non-exportable application policies: Client Authentication, Smart Card Logon permissions: Domain Users – Enroll, Autoenroll
Publish certificate templates in AD CS: Kerberos Authentication, GOPAS TLS Server, GOPAS User Logon
![Page 17: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/17.jpg)
AUTOENROLLMENT
Advanced Windows Security
Autoenrollment
Automatic management of certificates
Automatic enrollement
if Autoenroll permission is granted
Renews expiring certificates
Archives expired/revoked certificates
Occured at logon and every 8 hours
CERTUTIL -pulse
CERTUTIL -user -pulse
![Page 18: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/18.jpg)
Autoenrollment Group Policy
Autoenrollment Group Policy
![Page 19: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/19.jpg)
Lab: Autoenrollment
On GPS-DC create a new GPO called Autoenrollment
Enable autoenrollment both for users and computers
On GPS-WKS pulse autoenrollment for user GPUPDATE CERTUTIL -user –pulse
Verify that Kamil has received a logon certificate MMC, Certificates, Current User
On GPS-WFE pulse autoenrollment for computer GPUPDATE CERTUTIL –pulse
Verify that the server has receive a TLS server certificate MMC, Certificates, Local Computer
TLS CERTIFICATE APPLICATIONS
Advanced Windows Security
![Page 20: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/20.jpg)
Why TLS and Certificates?
Client Attacker Server
Client Server
Attacker
Passive eavesdropping
Active MITM
Key Key
Key A Key A Key B Key B
LDAPS (LDAP over TLS)
Protects LDAP Simple Bind credentials
VPN gateways and network devices
NAS devices
VMWare VSphere
Enforce TLS for Simple Bind in GPO
LDAP Server Signing Requirements: Require Signing
Usually must import internal CA into the device
![Page 21: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/21.jpg)
Testing LDAPS
Testing LDAPS and Simple Bind
![Page 22: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/22.jpg)
IIS (HTTPS)
EKU: Server Authentication
SAN: manual or DNS name
Enroll: Web Servers
IIS (HTTPS)
![Page 23: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/23.jpg)
IIS (HTTPS)
Remote Desktop over TLS
Available since Windows 2003 SP1
Authenticates server identity
RDP Security Layer only establishes encryption keys with D/H
prone to MITM attacks
![Page 24: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/24.jpg)
Remote Desktop
EKU: Server Authentication or EKU: Remote Desktop Authentication
1.3.6.1.4.1.311.54.1.2 SAN:
DNS name (autoenrollment) short name (manual) IP address (manual)
Autoenrollment Enroll: Domain Computer + Domain Controllers GPO: Server Authentication Certificate Template
RDP with Server Authentication
![Page 25: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/25.jpg)
RDP with Remote Desktop Authentication
RDP with Remote Desktop Authentication
![Page 26: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/26.jpg)
Remote Desktop
Kerberos for RDP alias(required for /RemoteGuard)
![Page 27: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/27.jpg)
Require RDP server identity authentication
Two access types
User access - Terminal Servers
problem - must type password every time
implement SSO
mstsc /remoteGuard (Credential Guard)
Admin access - servers/workstations
problem - sending full-text password to unsecure systems
use /restrictedAdmin
![Page 28: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/28.jpg)
ssl encrypted
secondhop server
The default scenario
clientRDP
serversecond
hop serversecond
hop server
secondhop server
secondhop server
secondhop server
Kerberos NLApre-authentication
full password
cert
ssl encrypted
secondhop server
The default scenario
clientRDP
serversecond
hop serversecond
hop server
secondhop server
secondhop server
secondhop server
Kerberos NLApre-authentication
full password
TGT
TGS
TGS
cert
![Page 29: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/29.jpg)
Single sign on to RDPCredentials delegation
SSO and TERMSRV SPN for RDP
![Page 30: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/30.jpg)
ssl encrypted
secondhop server
RDP SSO for limited users (2012R2/8.1 and older)
clientRDP
serversecond
hop serversecond
hop server
secondhop server
secondhop server
secondhop server
Kerberos NLApre-authentication
full password
TGT
TGS
TGS
certfull
password
ssl encrypted
secondhop server
Remote Guard for limited users (2016/10 and newer)
clientRDP
serversecond
hop serversecond
hop server
secondhop server
secondhop server
secondhop server
Kerberos NLApre-authentication
TGS
TGS
certTGT
![Page 31: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/31.jpg)
RDP RestrictedAdmin mode
Higher security account to lower security machine
No plain-text password into RDP session only Kerberos authentication
no double-hop credentials (as machine$)
RDP server update 7/2008r2 and newer RDP client Windows 8.1/2012 R2 and newer
mstsc /RestrictedAdmin user must be member of Administrators on RDP
side
Enabling RestrictedAdmin mode in registry
![Page 32: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/32.jpg)
ssl encrypted
secondhop server
Restricted Admin mode (Windows 2012 R2/8.1 and update for 2008 R2/7 and newer)
clientRDP
serversecond
hop serversecond
hop server
secondhop server
secondhop server
secondhop server
Kerberos NLApre-authentication
cert
Authentication Policies (DFL 2012 R2)+ Kerberos Armoring (client 2012/8+)
![Page 33: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/33.jpg)
Authentication Policies
Authentication Policies
![Page 34: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/34.jpg)
IP SECURITY
Advanced Windows Security
Motivation
TLS must be supported by the application
TLS must be manually configured and enabled
SMB encryption must be supported by SMB3 clients and servers
IPSec protects generic IP traffic
Central policy based rules
may provide firewall/identity filters but it is not the primary goal
![Page 35: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/35.jpg)
Brief IPSec Terminology
AH - authentication header
signs IP header plus data
does not work over NAT
ESP - encapsulating security payload
may encrypt or just sign but data only
may work over NAT with NAT-T
IPSec
EKU: Client Authentication + IPSec IKE Intermediate + Server Authentication
SAN: DNS name
Autoenroll: Domain Computers + Domain Controllers
![Page 36: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/36.jpg)
IPSec Policies
IPSec Policies
![Page 37: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/37.jpg)
IPSec Policies
IPSec SA Auditing
![Page 38: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/38.jpg)
IPSec Modes
Main Mode
mutually authenticates remote endpoint
establishes keys to protect Quick Mode exchange
single SA per host-host
Quick Mode
ESP/AH/AES/3DES/SHA1/SHA2 and PFS for particular IP/TCP policy rule
single SA per IP/TCP policy rule
IPSecSAAuditing
![Page 39: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/39.jpg)
Enterprise Implementation Risks
Client without or with an invalid certificate
must be able to obtain a new one from CA
Public/Domain network switchover
how would client determine domain network if it could not connect to a DC
Registry settings
HKLM\System\CCS\Services\PolicyAgent\Oakley
Windows XP and Windows 2003
HKLM\System\CCS\Services\IKEEXT\Parameters
Disable AuthIP
IKEFlags = DWORD = + 0x40
Disable CRL checking
IKEFlags = DWORD = + 0x8000
![Page 40: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/40.jpg)
CREDENTIALS ROAMING
Advanced Windows Security
Credential Roaming
Private keys are stored in user profile
on individual workstations
in case of non-roaming profiles it would not roam
Credentials Roaming
upload/download certificates with private keys into user account in AD
roams smoothly with user
secures keys against profile loss
![Page 41: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/41.jpg)
Credentials Roaming Policy
Lab: Credentials Roaming
On GPS-DC create a new GPO called Credentials Roaming
Enable credentials roaming
Update policy on GPS-WKS and GPS-DATA
gpupdate
Log off Kamil from GPS-WKS and log Kamilon GPS-DATA and verify that his certificates has been roamed to his new profile
![Page 42: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/42.jpg)
EFS
Advanced Windows Security
Encrypting File System
Encrypts individual files
one ore more user certificates
EKU: Encrypting File System
Folders can be marked to encrypt all new files inside them
AES 256
![Page 43: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/43.jpg)
Public key
Storage encryption
Symmetric encryption key (random)
Symmetric key
Document
Public key (Judit)Public key (Judit)Public key (Judit)
Symmetric key
Public key (My)
Storage encryption (sharing)
Symmetric encryption key (random)
Symmetric key
Document
Public key (Kamil)
Symmetric key
![Page 44: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/44.jpg)
Features and Limitations
Cannot encrypt system files
En/Decrypted locally on file servers
No group certificates
No simple GUI to share more files at once
Can use smart cards since Windows Vista
Private keys may be backed up on CA
EFS on File Servers
File Servers must be trusted for delegation
either enroll the EFS certificate
or roam the certificates from AD
Data transferred in clear
![Page 45: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/45.jpg)
EFS Group Policy
Lab: Preparing for EFS
Define new certificate template as duplicate of the default User template name: GOPAS EFS
EKU: Encrypting File System
Enroll: Domain Users
On GPS-DC create new GPO called EFS EFS: allow
self/signed certificate: disabled
certificate template: GOPAS EFS
Update group policy on GPS-WKS and
![Page 46: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/46.jpg)
Lab: EFS on a File Server
On GPS-DC open Active Directory Users and Computers Console
Find GPS-DATA computer object, open its properties on the Delegation tab
Enable Trust this computer to any service Create and encrypt a file on \\GPS-DATA\Doc
shared folder Log off from GPS-WKS and log on again and
verify that the credentials roaming uploaded you the newly created certificate from the GPS-DATA file server
CODE SIGNINGAdvanced Windows Security
![Page 47: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/47.jpg)
certutil -hashfile
any file type
just an unsigned hash
Motivation
Prevent own scripts or third-party code from being tempered
security analysis after an attack
Restrict running unsigned code
.PS1, .VBS, .JS, .EXE, .MSI
![Page 48: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/48.jpg)
Sign .EXE/.PS1 with PowerShell
Timestamping
The signature is not trusted after certificate expires "Required certificate is not within its validity period"
You must use trusted timestamp to verify it was valid at the time of signing (RFC 3161 timestamp protocol) http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.digicert.com
http://timestamp.globalsign.com/scripts/timestamp.dll
http://www.startssl.com/timestamp
![Page 49: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/49.jpg)
Sign .VBS/.JS with PowerShell
Signing .NET assemblies, installers etc.
T:\WindowsSDK\signtool.exe
much more powerful
Set-AuthenticodeSignature
easier, simpler
![Page 50: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/50.jpg)
Trusted Publisher
App whitelisting
Software Restriction Policies
XP+, all corporate editions
Application Control Policies (AppLocker)
Vista+, Enterprise edition
Server 2008+, all editions
![Page 51: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/51.jpg)
Software Restriction Policies
Available since Windows XP
all professional version
AppLocker in Enterprise/Ultimate Windows 7+
Block all with exceptions
or allow all with block rules
Rules
path
hash
certificate
Implementing SRP
![Page 52: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/52.jpg)
Implementing SRP
Implementing SRP
![Page 53: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/53.jpg)
Implementing SRP
Enforce PowerShell execution policy
![Page 54: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/54.jpg)
Recap
Recap
![Page 55: Ing. | GOPAS a.s. | ondrej@sevecek.com | | CERTIFICATES AND CRYPTOGRAPHY · 2019-07-23 · Windows 2000 –cannot be modified Windows 2003 –can be used by XP, 2003 and newer Windows](https://reader033.vdocuments.mx/reader033/viewer/2022041613/5e3980f54d4ad54dd61eaa1b/html5/thumbnails/55.jpg)
GPRESULT gps-wks or all GPO report
$dc = Get-ADDomainController -Discover -Service PrimaryDC
Get-GPOReport -All -Domain gopas.virtual -Server $dc -
ReportType HTML -Path \\10.2.20.63\e$\goc175\ReportAll.html