Attack vector on Active Directory directory service via smartcard logon mechanism

In simple terms, public key cryptography can be reduced to the assumption that the private part of each key pair is known only to its owner.

A certification authority is responsible for the correct identification of users, computers or resources. The certificates it issues are therefore trusted, because all participants assume that its private key is known only to it.

If an attacker succeeds in gaining knowledge of a certification authority's private key, or at least in performing signatures with the private key, the integrity of the certification authority is no longer guaranteed.


Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates

A useful hardening measure for certification authorities is to restrict the certification authority certificates so that they are trusted only for the extended key usages (Extended Key Usage, EKU) that are actually issued.

In the event of a compromise of the certification authority, the damage is then (at least) limited to the defined extended key usages.

The Smart Card Logon Extended Key Usage, which is of interest for many attacks (in conjunction with the certification authority's membership in NTAuthCertificates), would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.


The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot create or modify the registry key Software\Microsoft\Cryptography\MSCEP\EncryptedPassword."

Assume the following scenario:

  • An NDES server is configured on the network.
  • The NDES server is configured to work with a static password.
  • When accessing the NDES administration web page (certsrv/mscep_admin), users are repeatedly prompted for authentication despite having correct credentials.
  • The following event is stored in the application event log:
The Network Device Enrollment Service cannot create or modify the registry key "Software\Microsoft\Cryptography\MSCEP\EncryptedPassword". Grant Read and Write permissions on the registry key "Software\Microsoft\Cryptography\MSCEP" to the account that the Network Device Enrollment Service is running as.

The Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin) reports "You do not have sufficient permission to enroll with SCEP. Please contact your system administrator."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears:
You do not have sufficient permission to enroll with SCEP. Please contact your system administrator. 

When calling the Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin), one is always prompted to log in.

Assume the following scenario:

  • An NDES server is configured on the network.
  • The NDES server is accessed via a DNS alias.
  • Despite entering the correct login data, you are always prompted to log in again when you access the NDES administration web page (certsrv/mscep_admin).

Role configuration for Network Device Enrollment Service (NDES) fails with error message "CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)".

Assume the following scenario:

  • A Network Device Enrollment Service (NDES) server is being installed.
  • The role configuration fails with the following error message:
CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)

The Network Device Enrollment Service (NDES) Administration web page (certsrv/mscep_admin) reports "The password cache is full."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears:
The password cache is full.

What key lengths should be used for certificate authorities and certificates?

When planning a public key infrastructure, the question naturally arises as to which key lengths should be selected for certification authority and end certificates.


Generating an RFC 2818 compliant certificate request for SSL certificates

Google, a major player with the Chromium project and the products based on it such as Google Chrome and Microsoft Edge, has moved to enforce RFC 2818 and to no longer trust certificates that do not comply with the RFC.

For us, the following sentence is highly significant:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead

https://tools.ietf.org/html/rfc2818

Configure Device Template for Network Device Enrollment Service (NDES)

By default, the Network Device Enrollment Service (NDES) requests certificates from the "IPsec (Offline Request)" template. This certificate template dates from the Windows 2000 era and cannot be edited. It is therefore recommended to change the default settings and use your own certificate templates that meet your own requirements.


Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES).

In the default configuration, the Network Device Enrollment Service (NDES) only accepts unencrypted connections via HTTP. It is recommended that at least the NDES administration web page be configured for HTTP over TLS (HTTPS) to make it difficult to capture network traffic. The following is a guide.

For a closer look at the need to use SSL, see the article "Should HTTPS be used for the Network Device Enrollment Service (NDES)?".


Moving Network Device Enrollment Service (NDES) to another certification authority

Assume the following scenario:

  • There is one NDES instance installed on the network.
  • The Certification Authority issuing to NDES is to be changed.

The official statement on this is that NDES must be reinstalled and reconfigured in this case. However, this is not necessary. The necessary steps are described below.


Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions

Assume the following scenario:

  • A Network Device Enrollment Service (NDES) server is being installed.
  • The role configuration fails with the following error message:
Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Typically, the NDES role configuration requires that the installing user is a member of the Enterprise Admins group. However, this is not technically necessary and contradicts Microsoft's security hardening recommendations, since NDES is not (necessarily) a system that is assigned to the highest security layer (Tier-0).

Below is a way to configure the NDES role even without these permissions.


Role configuration for Network Device Enrollment Service (NDES) fails with error message "CMSCEPSetup::SetMSCEPSetupProperty: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A Network Device Enrollment Service (NDES) server is being installed.
  • The role configuration fails with the following error message:
CMSCEPSetup::SetMSCEPSetupProperty: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).

The Network Device Enrollment Service (NDES) uses two certificate templates internally so that it can act as a Registration Authority (RA). During role configuration of the NDES service, these templates are published on the configured certification authority and certificates are requested from them:

  • CEP Encryption
  • Exchange Enrollment Agent (Offline Request)

These certificate templates are standard templates from the Windows 2000 world (version 1 templates), i.e. they cannot be edited. In addition, the Exchange Enrollment Agent (Offline Request) template is marked as a user template, i.e. during NDES role configuration the certificate is requested in the context of the installing user and then imported into the machine store. At the latest when the certificates are to be renewed after two years, things get complicated here.

It is therefore a good idea to use your own certificate templates for NDES. These can be adapted in terms of their key length, for example. The use of hardware security modules (HSM) is also possible in this way. Even automatic renewal can be configured.
