Certificate usage - Uwe Gradenegger

How securing printers can turn into a security disaster - and how the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can prevent it

Nowadays, it is essential to protect the authentication of devices on the company network and administrative interfaces. As a rule, digital certificates are used for this purpose.

Printers therefore also generally require digital certificates in order to be operated securely. From a certain number of devices, there is no getting around automatic certificate distribution.

Some printer manufacturers offer centralized management solutions for certificate distribution.

Unfortunately, it has been shown time and again that the secure handling of digital certificates requires a great deal of knowledge, experience and care, which is often not the case.

New ESC15 vulnerability discovered in Active Directory Certificate Services - easy-to-implement countermeasures

The purposes for which a digital certificate may be used are controlled via the "Key Usage" and "Extended Key Usage" certificate extensions. In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Justin Bollinger from TrustedSec has found outthat there are offline certificate requests against Schema version 1 certificate templates is possible (similar to the Security identifier extension), any Application Policies in the certificate request, which are transferred unchanged to the issued certificate and can then be used for an attack on the overall Active Directory structure. The attack was christened ESC15.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can prevent attacks against the ESC1 attack vector

Attacks on Microsoft certification authorities can be aimed at exploiting authorizations on certificate templates. In many cases, certificate templates must be configured to grant the applicant the right to apply for any identities. This can lead to the attacker taking over the identities of Active Directory accounts and subsequently to the elevation of rights. Attacks of this type are known in the security scene as "ESC1" is labeled.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can detect and prevent attacks against the ESC6 and ESC7 attack vectors

With the supposedly good intention of making it possible to issue such certificate requirements with a SAN, guess unfortunately much at many Instructions to set the flag on the certification authority EDITF_ATTRIBUTESUBJECTALTNAME2 to activate.

If this flag is activated, a very large attack surface is offered, as any applicant can now instruct the certification authority to issue certificates with any content. This type of attack is known in the security scene as ESC6 and ESC7 known.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can help secure scenarios with Microsoft Intune and other Mobile Device Management (MDM) systems

Companies use Mobile Device Management (MDM) Products for managing, configuring and updating mobile devices such as smartphones, tablet computers or desktop systems via the Internet (over-the-air, OTA).

Common mobile device management products are:

Microsoft Intune
VMware Workspace One (previously known under the brand name AirWatch)
Ivanti MobileIron UEM
Jamf Pro
Baramundi Enterprise Mobility Management
BlackBerry Enterprise Mobility Suite
Sophos Mobile Control
SOTI MobiControl

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can help establish digital signature processes in the company

Nowadays, many companies want to rely on paperless processes to speed up internal approval and signature processes. In times when most employees are working from home, this has become even more important.

Although the Microsoft certification authority is able to implement automatic certificate issuance processes, their ability to influence the content of the certificate is severely limited.

The TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (AD CS) allows the definition of extended Rules for the Subject Distinguished Name and also the Subject Alternative Name certificates issued.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can repair incoming certificate requests to make them RFC compliant

Starting with version 58, Google has decided to remove support for the Subject Distinguished Name of web server certificates in the Chrome browser and instead only accept certificates with Subject Alternative Name.

Since this moment, web server certificates without a subject alternative name in the form of a dNSName from Google Chrome and others Chromium-based browsers (i.e. also Microsoft Edge) was rejected. Other browser manufacturers quickly adopted this approach, so that this problem now affects all popular browsers.

Automatically enter DNS names in the Subject Alternate Name (SAN) of issued certificates - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

Google is a major player with the Chromium project and products based on it such as Google Chrome and Microsoft Edge have moved to implement the RFC 2818 and to no longer trust certificates that no longer fulfill this requirement.

For us, the following sentence is of great explosiveness:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead
https://tools.ietf.org/html/rfc2818

Change the Subject Alternative Name (SAN) of a certificate before it is issued - but do it securely!

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommend that the flag EDITF_ATTRIBUTESUBJECTALTNAME2 should be set on the certification authority - supposedly to be able to issue certificates with Subject Alternative Name (SAN) extension for manually submitted certificate requests.

Unfortunately, this procedure is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory structure.

Configuring a Certificate Template for Online Responders (OCSP) Response Signing Certificates

To use the Online Certificate Status Protocol (OCSP), it is necessary to configure an appropriate certificate template.

Sending S/MIME encrypted messages with Outlook for iOS is not possible: "There's a problem with one of your S/MIME encryption certificates."

Assume the following scenario:

The certificates were transferred to the smartphone via the Intune Connector.
Reading encrypted messages works.
However, when enabling encryption for outgoing messages, the following error message is displayed:

There's a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more info.

There is a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more information.

Logins via the Network Policy Server (NPS) fail with reason "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Assume the following scenario:

A certificate-based login is performed with user or computer accounts to connect them to a wireless (IEEE 802.11 or Wireless LAN) or wired network (IEEE 802.3), or a remote access connection (e.g. DirectAccess, Routing and Remote Access (RAS), Always on VPN) to register.
As a server for authentication, authorization and accounting (AAA), the company uses the Network Policy Server (NPS) from Microsoft.
Logging on to the network is no longer possible.
The network policy server logs the following event when a login attempt is made:

Network Policy Server denied access to a user. [...] Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The network policy server has denied access to a user. [...] Authentication error due to mismatch of user credentials. The specified username is not associated with an existing user account, or the password was incorrect.

Subsequent archiving of private keys

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.

An important aspect here is that the users' private keys should be secured centrally - in contrast to the signature certificates that are otherwise mostly used. Incoming messages are encrypted for a specific private key and can only be decrypted again by the same person. Thus a backup of these keys must absolutely be available - also for the Synchronization to mobile devices this is indispensable. For this purpose, the Microsoft Active Directory Certificate Services offer the function of the Private Key Archival.

But what if private key archiving has not been set up and users have already applied for corresponding certificates?

Requesting certificates for endpoints managed with Microsoft Intune

In a networked world, it has become standard to work from anywhere, and also to work with mobile end devices such as smartphones or tablets in addition to classic desktop computers. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

In most cases, users of mobile devices need digital certificates to prove their identity in order to gain access to corporate resources. Thus, it is necessary to provide these devices with an automatable yet secure interface for applying for these certificates.

Transferring S/MIME certificates to Microsoft Intune

In a modern networked world, the confidential transmission of messages in the corporate environment is essential for business success. Despite their Age it is still impossible to imagine modern corporate communications without e-mail. However, its use has changed significantly over the decades.

Nowadays, it is common to be able to read and write business e-mails on mobile devices such as smartphones and tablets. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with the corresponding certificates. How do these certificates get to the end devices of the users in a scalable way?