During penetration tests and also for attackers searching the network for potential targets, insights into the configuration of the certification authority are highly interesting.
In addition to possible misconfigurations, attackers can obtain information about the policy module used on the certification authority.
Continue reading „Auslesen der Konfiguration der Zertifizierungsstelle durch unprivilegierte Konten unterbinden“Since the recently released version 1.7, the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services Personal Identity Verification (PIV) attestation for YubiKeys.
A YubiKey is a compact security token that can be used like a smartcard for the secure storage and use of certificates and can therefore also be used for passwordless logon to Active Directory environments.
This cool function was developed by Oscar Virot and integrated into TameMyCerts. This makes it possible to provide cryptographic proof when issuing certificates and thus ensure that a key pair is actually generated with a YubiKey and secured by it and cannot be exported.
This can be particularly helpful in complying with the NIS2 directive if companies decide to use certificates as a second factor for logging in with security-critical accounts in the Active Directory.
Continue reading „YubiKey Personal Identity Verification (PIV) Attestation – mit dem TameMyCerts Policy Modul für Microsoft Active Directory Certificate Services (ADCS)“Someone recently approached me with an interesting problem.
A certification authority has been installed. Linux is used as the basis, i.e. (presumably) OpenSSL. The revocation lists work on Linux clients, but are not accepted by Windows systems. The following error message always appears when checking the revocation lists.
0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) -- 2148081683 (-2146885613)
Text der Fehlermeldung: Die Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver offline war.
The error message reads as follows:
0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) -- 2148081683 (-2146885613)Continue reading „Sperrlisten werden (nur) auf Windows nicht als gültig erkannt (CRYPT_E_REVOCATION_OFFLINE)“
The revocation function was unable to check revocation because the revocation server was offline.
Nowadays, it is essential to protect the authentication of devices on the company network and administrative interfaces. As a rule, digital certificates are used for this purpose.
Printers therefore also generally require digital certificates in order to be operated securely. From a certain number of devices, there is no getting around automatic certificate distribution.
Some printer manufacturers offer centralized management solutions for certificate distribution.
Unfortunately, it has been shown time and again that the secure handling of digital certificates requires a great deal of knowledge, experience and care, which is often not the case.
Continue reading „Wie das Absichern von Druckern zum Security-Desaster werden kann – und wie das TameMyCerts Policy Modul für Active Directory Certificate Services (ADCS) dieses verhindern kann“The purposes for which a digital certificate may be used are controlled via the "Key Usage" and "Extended Key Usage" certificate extensions. In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.
However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.
Justin Bollinger from TrustedSec has found outthat there are offline certificate requests against Schema version 1 certificate templates is possible (similar to the Security identifier extension), any Application Policies in the certificate request, which are transferred unchanged to the issued certificate and can then be used for an attack on the overall Active Directory structure. The attack was christened ESC15.
Continue reading „Neue Sicherheitslücke ESC15 in Active Directory Certificate Services entdeckt – einfach umzusetzende Gegenmaßnahmen“Attacks on Microsoft certification authorities can be aimed at exploiting authorizations on certificate templates. In many cases, certificate templates must be configured to grant the applicant the right to apply for any identities. This can lead to the attacker taking over the identities of Active Directory accounts and subsequently to the elevation of rights. Attacks of this type are known in the security scene as "ESC1" is labeled.
Continue reading „Wie das TameMyCerts Policy Modul für Active Directory Certificate Services (ADCS) Angriffe gegen den ESC1 Angriffsvektor verhindern kann“With the supposedly good intention of making it possible to issue such certificate requirements with a SAN, guess unfortunately much at many Instructions to set the flag on the certification authority EDITF_ATTRIBUTESUBJECTALTNAME2 to activate.
If this flag is activated, a very large attack surface is offered, as any applicant can now instruct the certification authority to issue certificates with any content. This type of attack is known in the security scene as ESC6 and ESC7 known.
Continue reading „Wie das TameMyCerts Policy Modul für Active Directory Certificate Services (ADCS) Angriffe gegen die ESC6 und ESC7 Angriffsvektoren erkennen und verhindern kann“Companies use Mobile Device Management (MDM) Products for managing, configuring and updating mobile devices such as smartphones, tablet computers or desktop systems via the Internet (over-the-air, OTA).
Common mobile device management products are:
Nowadays, many companies want to rely on paperless processes to speed up internal approval and signature processes. In times when most employees are working from home, this has become even more important.
Although the Microsoft certification authority is able to implement automatic certificate issuance processes, their ability to influence the content of the certificate is severely limited.
The TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (AD CS) allows the definition of extended Rules for the Subject Distinguished Name and also the Subject Alternative Name certificates issued.
Continue reading „Wie das TameMyCerts Policy Modul für Active Directory Certificate Services (ADCS) beim Etablieren digitaler Signaturprozesse im Unternehmen helfen kann“Starting with version 58, Google has decided to remove support for the Subject Distinguished Name of web server certificates in the Chrome browser and instead only accept certificates with Subject Alternative Name.
Since this moment, web server certificates without a subject alternative name in the form of a dNSName from Google Chrome and others Chromium-based browsers (i.e. also Microsoft Edge) was rejected. Other browser manufacturers quickly adopted this approach, so that this problem now affects all popular browsers.
Continue reading „Wie das TameMyCerts Policy Modul für Active Directory Certificate Services (ADCS) eingehende Zertifikatanträge reparieren kann, um sie RFC-konform zu machen“Google is a major player with the Chromium project and products based on it such as Google Chrome and Microsoft Edge have moved to implement the RFC 2818 and to no longer trust certificates that no longer fulfill this requirement.
For us, the following sentence is of great explosiveness:
Continue reading „DNS-Namen automatisch in den Subject Alternate Name (SAN) ausgestellter Zertifikate eintragen – mit dem TameMyCerts Policy Modul für Microsoft Active Directory Certificate Services (ADCS)“If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead
https://tools.ietf.org/html/rfc2818
In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommend that the flag EDITF_ATTRIBUTESUBJECTALTNAME2 should be set on the certification authority - supposedly to be able to issue certificates with Subject Alternative Name (SAN) extension for manually submitted certificate requests.
Unfortunately, this procedure is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory structure.
Continue reading „Den Subject Alternative Name (SAN) eines Zertifikats vor dessen Ausstellung verändern – aber sicher!“Certificate revocation lists (CRLs) are used to remove issued certificates from circulation before the end of their validity period.
A CRL is a signed list of the serial numbers of certificates that have been revoked by the certification authority. The revocation list has an expiration date (usually a few days short) and is reissued and signed by the associated certification authority at regular intervals.
Certificate revocation lists can reach a considerable size if the volume of revoked certificates is high (as a rule of thumb, you can expect about 5 megabytes per 100,000 entries). The regular download of large certificate revocation lists by subscribers can generate a large network load. To address this problem, there is the concept of delta revocation lists.
Continue reading „Grundlagen: Deltasperrlisten“There are many instructions for setting up and commissioning IT services. However, the associated instructions for decommissioning are usually forgotten.
The following describes how to correctly decommission a certification authority (Enterprise Certification Authority) integrated into Active Directory.
Continue reading „Rückbau einer Active Directory integrierten Zertifizierungsstelle (Enterprise CA)“For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.
An important aspect here is that the users' private keys should be secured centrally - in contrast to the signature certificates that are otherwise mostly used. Incoming messages are encrypted for a specific private key and can only be decrypted again by the same person. Thus a backup of these keys must absolutely be available - also for the Synchronization to mobile devices this is indispensable. For this purpose, the Microsoft Active Directory Certificate Services offer the function of the Private Key Archival.
But what if private key archiving has not been set up and users have already applied for corresponding certificates?
Continue reading „Nachträgliche Archivierung privater Schlüssel“
English 
Deutsch