Name restrictions are a part of the X.509 standard and in the RFC 5280 described. They are a tool that can be used within the qualified subordination can be used to control the validity range of a certification authority certificate in a fine-grained manner.
Continue reading „Grundlagen: Namenseinschränkungen (Name Constraints)“Category: Security
Limits of Microsoft Active Directory Certificate Services
Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The Active Directory-based architecture used today was introduced with Windows 2000 Server. AD CS is very well integrated into the Windows ecosystem and continues to enjoy great popularity worldwide in companies and government agencies of all sizes.
People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.
What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.
Continue reading „Grenzen der Microsoft Active Directory Certificate Services“Basics: Path Length Constraint
The attack on the MD5 signature algorithm demonstrated in late 2008 could only be used to create a usable forged certification authority certificate because the attacked certification authority had not configured any path length restriction.
The limitation of the path length is defined in the RFC 5280 described. The idea behind this is that the maximum depth of the certification authority hierarchy is stored in the "Basic Constraints" extension of a certification authority certificate.
Continue reading „Grundlagen: Einschränkung der Pfadlänge (Path Length Constraint)“Configuring the Trusted Platform Module (TPM) Key Attestation
Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.
However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.
However, the configuration in the certificate template is only a default setting for the client. The certification authority will, when requesting do not explicitly check whether a Trusted Platform Module was really used.
To ensure that the private key of a certificate request has really been protected with a Trusted Platform Module, only the TPM Key Attestation remains.
Continue reading „Konfigurieren der Trusted Platform Module (TPM) Key Attestation“Signing certificates bypassing the certification authority
Time and again in discussions about the security of a certification authority, it comes up that abuse of the certification authority could be contained by its security settings.
However, the fact that the integrity of a certification authority is directly tied to its key material and can therefore also be compromised by it is not obvious at first glance.
one must think of the certification authority software as a kind of management around the key material. For example, the software provides a Online interface for Certificate Enrollment takes care of the authentication of the enrollees, the automated execution of signature operations (issuing certificates and Brevocation lists) and their logging (Certification Authority Database, Audit log, Event log).
However, signature operations require nothing more than the private key of the certification authority. The following example shows how an attacker, given access to the certification authority's private key, can generate and issue certificates without the certification authority software and its security mechanisms being aware of this.
With such a certificate, it would even be possible in the worst case, take over the Active Directory forest undetected.
Continue reading „Signieren von Zertifikaten unter Umgehung der Zertifizierungsstelle“Is there a dependency of the Network Devices Registration Service (NDES) with the NTAuthCertificates object?
The Network Device Registration Service (NDES) has two Registration Authority Certificates. With the enrollment agent certificate, certificate requests are signed and one can use the Configure NDES device template accordingly so that certificates are also only issued if the submitted certificate requests also have a corresponding signature..
Do you plan to use the Certification Authority connected to the NDES remove from the NTAuthCertificates objectThe question may arise as to whether mutual dependencies need to be taken into account here - after all, this requires Enroll on Behalf Of (EOBO) the presence of the certificate authority certificate in NTAuthCertificates.
Continue reading „Gibt es eine Abhängigkeit des Registrierungsdienstes für Netzwerkgeräte (NDES) mit dem NTAuthCertificates Objekt?“Force domain controller (or other participants) to use an online responder (OCSP)
By default, Windows systems, even if an online responder (OCSP) is configured, will be sent to a certain number of OCSP requests fall back to a (if available) brevocation list, because this is usually more efficient in such a case. However, this behavior is not always desired.
For example, if one uses smart card logins, one might want to know if Logins were executed with unauthorized issued certificates. In conjunction with the deterministic good of the online responder you can thus create an (almost) seamless Audit trail create for all smartcard logins.
Continue reading „Domänencontroller (oder andere Teilnehmer) zwingen, einen Onlineresponder (OCSP) zu verwenden“Details of the event with ID 5127 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5127 (0x1407) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | The OCSP Revocation Provider successfully updated the revocation information. CA Configuration ID: %1 Base CRL Number: %2 Base CRL This Update: %3 Base CRL Hash: %4 Delta CRL Number: %5 Delta CRL Indicator: %6 Delta CRL This Update: %7 Delta CRL Hash: %8 |
| Event text (German): | The OCSP response service has successfully updated the revocation information. Certification authority configuration ID: %1 Base revocation list number: %2 Base revocation list, this update: %3 Base revocation list hash: %4 Delta revocation list number: %5 Delta revocation list display: %6 Delta revocation list, this update: %7 Delta revocation list hash: %8 |
Details of the event with ID 5125 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5125 (0x1405) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | A request was submitted to OCSP Responder Service. |
| Event text (German): | A request is transmitted to the OCSP response service. |
Details of the event with ID 5126 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5126 (0x1406) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | Signing Certificate was automatically updated by the OCSP Responder Service. CA Configuration ID: %1 New Signing Certificate Hash: %2 |
| Event text (German): | The signing certificate was automatically updated by the OCSP response service. Certification authority configuration ID: %1 New signature certificate hash: %2 |
Details of the event with ID 5059 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5059 (0x13C3) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | Key migration operation. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Cryptographic Parameters: Provider Name: %5 Algorithm Name: %6 Key Name: %7 Key Type: %8 Additional Information: Operation: %9 Return Code: %10 |
| Event text (German): | Schlüsselmigrationsvorgang. Antragsteller: Sicherheits-ID: %1 Kontoname: %2 Kontodomäne: %3 Anmelde-ID: %4 Kryptografische Parameter: Anbietername: %5 Algorithmusname: %6 Schlüsselname: %7 Schlüsseltyp: %8 Zusätzliche Informationen: Vorgang: %9 Rückgabecode: %10 |
Details of the event with ID 5120 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5120 (0x1400) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | OCSP Responder Service Started. |
| Event text (German): | The OCSP response service has been started. |
Details of the event with ID 5121 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5121 (0x1401) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | OCSP Responder Service Stopped. |
| Event text (German): | The OCSP response service has been terminated. |
Details of the event with ID 5122 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5122 (0x1402) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | A Configuration entry changed in the OCSP Responder Service. CA Configuration ID: %1 New Value: %2 |
| Event text (German): | A configuration entry was changed in the OCSP response service. Certification authority configuration ID: %1 New value: %2 |
Details of the event with ID 5123 of the source Microsoft-Windows-Security-Auditing
| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 5123 (0x1403) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | A configuration entry changed in the OCSP Responder Service. Property Name: %1 New Value: %2 |
| Event text (German): | A configuration entry has been changed in the OCSP response service. Property name: %1 New value: %2 |