Installing Active Directory Certificate Services in the default configuration automatically configures the environment to accept smart card logins from domain controllers.
Therefore, if the use of smart card logins is not desired, it makes sense to disable the functionality so that, in the event the certificate authority is compromised, it can not to jeopardize the Active Directory.
See also article "Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)„.
Under what circumstances is the smartcard logon functionality enabled?
See also article "What requirements must be met on the infrastructure side for smartcard logins to be possible?„.
When installing an Active Directory integrated certificate authority, its certificate authority certificate is copied to the NTAuthCertificates object in Active Directory forest. This step marks the certificate authority as usable for certificate-based logins in the environment, which includes smartcard logon.
If the publication of the default certificate templates is not prevented during the installation, the certification authority automatically provides the "domain controller" certificate template, which is then also automatically requested by the domain controllers.
Also, if, the publishing of the default certificate templates was prevented during the installation, but another one of the default domain controller certificate templates is published, this will lead to the same result. See also article "Domain Controller Certificate Templates and Smartcard Logon„.
Ways to disable the smartcard logon functionality
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
The following options are available to render the smartcard logon functionality unusable:
- Operate domain controller without certificates
- Distribute customized domain controller certificates
- Remove certificate authorities from NTAuthCertificates object
- Restrict certification authority certificates
Details: Operating domain controllers without certificates
It is of course possible to operate the domain controllers without certificates, i.e. not to offer them a certificate template for requesting certificates.
The disadvantage here, however, is that LDAP over SSL (LDAPS) connections cannot then be offered either. This is not practical in most cases.
Details: Distribute customized domain controller certificates
It is possible to issue certificates to domain controllers that allow them to accept LDAP over SSL (LDAPS) connections, but at the same time not to be able to process smartcard logins.
For the configuration of such a certificate template, see the article "Configuring a Certificate Template for Domain Controllers„.
A domain controller will receive the events 19 and 29 log when a logon is made via smartcard. This event can therefore be followed by an alert.
Details: Remove certificate authorities from NTAuthCertificates object
It is possible to remove the certificate authority certificate from the NTAuthCertificates object of the Active Directory forest after installing the certificate authority. See the article "Editing the NTAuthCertificates object in Active Directory„.
The disadvantage with this method, however, is that some functions depend on the presence of the certificate authority certificate in NTAuthCertificates:
Function | Description |
---|---|
Enroll on Behalf Of (EOBO) | The CA certificate of the certification authority that issues the certificates for the enrollment agents must be located in NTAuthCertificates. |
Key Recovery / Private Key Archiving | The CA certificate of the certification authority that archives the keys must be located in NTAuthCertificates. |
Smartcard Logon | The CA certificate of the certification authority that issues the certificates of the domain controllers and logon users must be located in NTAuthCertificates. |
Windows Hello for Business | Identical to Smartcard Logon. If Windows Hello for Business is used without certificates, only the certification authority for domain controllers must be entered. |
Network Policy Server (Network Policy Server, NPS) when certificate-based logins are processed (e.g. 802.1x over wireless or wired network, DirectAccess, Always ON VPN). | The CA certificate of the certification authority that issues the certificates of the logging in users or computers must be located in NTAuthCertificates. |
EFS File Recovery Agents | The CA certificate of the certification authority that issues the certificates of the file recovery agents must be located in NTAuthCertificates. |
IIS Client Certificate Mapping (against Active Directory) | The CA certificate of the certification authority that issues the certificates of the logging in users must be located in NTAuthCertificates. |
Network Device Enrollment Service (Network Device Enrollment Service, NDES), Renewal mode only | Only affects renewal mode, i.e. signing a certificate request with an existing certificate. The CA certificate of the certification authority that issued the certificates of the certificates to be renewed must be located in NTAuthCertificates. |
Details: Restrict certification authority certificates
The disadvantage with this method, however, is that domain controllers in the default configuration do not check the restrictions on the certification authority certificate. While it is possible to customize the configuration of the domain controllers, a residual risk remains here as well, depending on which restrictions are defined on the certification authority certificate. For more details, see the article "Domain controller does not check extended key usage on smart card login„.
Conclusion
It is possible to adjust the environment so that smartcard logins are no longer possible. However, almost every method listed has disadvantages.
Probably the best option with the fewest drawbacks is to distribute customized domain controller certificates so that they cannot process smart card logins - unless this feature is used.
If the use of Smartcard Logon or Windows Hello for Business is required, it makes sense to think about using OCSP in conjunction with deterministic "Good". See article "Force domain controller (or other participants) to use an online responder (OCSP)„.
Related links:
- Attack vector on Active Directory directory service via smartcard logon mechanism
- What requirements must be met on the infrastructure side for smartcard logins to be possible?
- Domain Controller Certificate Templates and Smartcard Logon
- Domain controller does not check extended key usage on smart card login
- Configuring a Certificate Template for Domain Controllers
- Editing the NTAuthCertificates object in Active Directory
One thought on “Smartcard Anmeldung im Netzwerk unterbinden”
Comments are closed.