Top 10 Mistakes in Microsoft Public Key Infrastructure Deployments - PowerPoint Presentation

Uploaded by ellena-manuel on 2017-05-25

Presentation Transcript

Slide 1

Slide 2

Top 10 Mistakes in Microsoft Public Key Infrastructure Deployments

Mark B. Cooper, President & Founder, PKI Solutions Inc.

Session CDP-B242

Slide 3

About PKI Solutions Inc.

10 years as Microsoft Senior Engineer for PKI
Numerous books and whitepapers
Services include:
  ADCS Architecture, Deployment and Consulting
  PKI Assessment and Remediation Services
  In-Depth PKI Training
  Retainer and Support Services

Slide 4

"A poorly designed, executed or managed PKI can introduce more security issues than it solves."

Slide 5

Genesis of The List

Compiled over 10 years @ Microsoft
  MCS, Engineering and "RedZone" sources
  Private and public sectors around the world
  Hundreds of customer environments
Led to the Microsoft PKI Best Practice Review
  Evolved over the years into the ADCS Assessment

Slide 6

Benefits of ADCS Assessments

Problems can lie in wait
  Many manifest after the first CA renewal
Testing and validation often insufficient
Fresh perspective to spot deficiencies

Slide 7

#1 - CRL Management

Validity & publishing intervals
  Intervals balanced with need to know
  Identification versus authorization
Highly affected by caching behavior on clients
  Windows caches for lifetime of CRL
  Certutil.exe -setreg chain\ChainCacheResyncFiletime @now
  Less effective: Certutil.exe -URLcache delete
Validity versus publishing
  Next Update versus Next CRL Publish
Leverage overlaps to provide redundancy
  CRLOverlapPeriod/Units & CRLDeltaOverlapPeriod/Units

Slide 8

#1 - CRL Management

Effective date: Sept 12 @ 1:42pm
  CA backdates CRL 10 minutes for clock skew
Next CRL Publish: September 19 @ 1:42pm
  Next CRL Publish = Base Interval (7 Days)
  Clients will expect a new CRL at this time
  Will continue to use the current CRL until it expires if no update is found
Next Update: September 20 @ 1:42pm
  Next Update defines expiration
  Next Update = Base Interval + Overlap
  Overlap <= Base Interval

Slide 9

#1 - CRL Management

Distribution Mechanisms
  Active Directory versus HTTP
  Driven by accessibility and client compatibilities
  Availability: CRL versus CA issuance
  Organizational requirements
Redundant delivery mechanisms
  Active Directory
  HTTP
Delta CRL
  Generally unneeded in most environments
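The CA-side configuration behind the three slides above, as an added example that is not part of the original deck: set the base interval and overlap with certutil, publish a CRL, and confirm from the published file that Next CRL Publish and Next Update fall where the slide-8 timeline says they should. It assumes a Windows Server 2012 R2 CA with the ADCSAdministration module, is run elevated on the CA, and parses English-language certutil output; the 7-day base, 1-day overlap and 10-minute backdating are the slide's figures.

```powershell
# Added example (not from the deck): set CRL validity/publishing intervals on an ADCS CA, publish a
# base CRL, and verify that the CRL actually carries the expected Next CRL Publish and Next Update.
# Assumptions: run elevated on the CA; Server 2012 R2 with the ADCSAdministration module; certutil
# prints English labels ("ThisUpdate:", "NextUpdate:", "Next CRL Publish"), which the parsing relies on.
#Requires -RunAsAdministrator

$BaseDays    = 7    # base publishing interval (slide timeline: 7 days)
$OverlapDays = 1    # CRLOverlapPeriod/Units: validity beyond Next CRL Publish, so a late publish is survivable
$SkewMinutes = 10   # the CA backdates ThisUpdate by 10 minutes to tolerate clock skew

# 1. Intervals live under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>
certutil -setreg CA\CRLPeriodUnits $BaseDays      | Out-Null
certutil -setreg CA\CRLPeriod Days                | Out-Null
certutil -setreg CA\CRLOverlapUnits $OverlapDays  | Out-Null
certutil -setreg CA\CRLOverlapPeriod Days         | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0         | Out-Null   # no delta CRLs (slide 9: generally unneeded)
Restart-Service CertSvc
certutil -CRL | Out-Null                                       # publish a fresh base CRL now

# 2. What the slide-8 timeline predicts for a CRL published at $PublishTime
function Get-ExpectedCrlSchedule {
    param([datetime]$PublishTime, [int]$BaseDays, [int]$OverlapDays, [int]$SkewMinutes)
    $thisUpdate = $PublishTime.AddMinutes(-$SkewMinutes)
    [pscustomobject]@{
        ThisUpdate     = $thisUpdate
        NextCrlPublish = $thisUpdate.AddDays($BaseDays)                 # clients look for a new CRL here...
        NextUpdate     = $thisUpdate.AddDays($BaseDays + $OverlapDays)  # ...and keep using the old one until here
    }
}

# 3. What the CA actually wrote, read back from the published file
function Get-ActualCrlSchedule {
    param([string]$CrlPath)
    $dump = @(certutil -dump $CrlPath)
    $this = ($dump | Select-String '^\s*ThisUpdate:\s*(.+)$').Matches[0].Groups[1].Value
    $next = ($dump | Select-String '^\s*NextUpdate:\s*(.+)$').Matches[0].Groups[1].Value
    # Next CRL Publish is the Microsoft extension 1.3.6.1.4.1.311.21.4; certutil prints its value
    # on the line after the extension name. LineNumber is 1-based, so $dump[$i] is that next line.
    $i = ($dump | Select-String 'Next CRL Publish' | Select-Object -First 1).LineNumber
    [pscustomobject]@{
        ThisUpdate     = [datetime]::Parse($this.Trim())
        NextCrlPublish = [datetime]::Parse($dump[$i].Trim())
        NextUpdate     = [datetime]::Parse($next.Trim())
    }
}

$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$actual = Get-ActualCrlSchedule -CrlPath "$env:SystemRoot\System32\CertSrv\CertEnroll\$($caName).crl"
$expect = Get-ExpectedCrlSchedule -PublishTime $actual.ThisUpdate.AddMinutes($SkewMinutes) `
                                  -BaseDays $BaseDays -OverlapDays $OverlapDays -SkewMinutes $SkewMinutes
foreach ($f in 'NextCrlPublish', 'NextUpdate') {
    $ok = ($actual.$f - $expect.$f).Duration() -lt [timespan]::FromMinutes(1)
    '{0,-15} expected {1:g}  actual {2:g}  {3}' -f $f, $expect.$f, $actual.$f, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# 4. Slide 9: redundant delivery. Warn if the certificate CDP extension lists only one access method.
$schemes = Get-CACrlDistributionPoint | Where-Object AddToCertificateCdp |
           ForEach-Object { ($_.Uri -split ':', 2)[0].ToLower() } | Sort-Object -Unique
if (@($schemes).Count -lt 2) { Write-Warning "CRL reachable via '$($schemes -join ',')' only; consider both LDAP and HTTP" }

# 5. On a client: Windows caches a CRL for its whole lifetime. After an emergency republish, force a resync:
#    certutil -setreg chain\ChainCacheResyncFiletime @now        (certutil -URLcache delete is less effective)
```

The comparison in step 3 is the one an assessment cares about: a CRL whose Next Update equals its Next CRL Publish has no overlap, so a CA that is down for even a few minutes at publication time leaves every client holding an expired CRL, and Windows clients will keep using the cached copy until that expiry and then fail revocation checks.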

Slide 10

#2 - Misuse of OCSP

Designed for efficient CRL processing
  Overcomes large CRL file transfers (MB+)
  Certificate-specific enquiries handled by the OCSP Responder
Dependent on CRLs
  CRL interval dependent
  Not real-time information
Deterministic results
  CAB Forum requirement
  Available in Server 2012 R2, and in 2008 R2 with Hotfix 2960124

Slide 11

#3 – OCSP Renewal

OCSP signing certificate
  Required from EACH CA serviced
  Signed by the CA; the CA signs with its current key pair
OCSP uses the signing certificate on behalf of the CA
  Signs responses like a CA would
  Certificate represents a CA signing key
Services older key pairs/CRLs
Default configuration can break OCSP on CA renewal

Slide 12

#3 – OCSP Renewal

OCSP key renewal issue

[Timeline diagram, left to right: CA Key 1 Created (OCSP Cert 1, Client Cert 1) -> CA Key 2 Created (Client Cert 2, OCSP Cert 2) -> CA Key 1 Expiration (OCSP Cert 3, Client Cert 1) -> CA Key 2 Expiration]

Slide 13

#3 – OCSP Renewal

OCSP requests specify the correct CA:
  certutil -setreg ca\UseDefinedCACertInRequest 1

[Timeline diagram, left to right: CA Key 1 Created (OCSP Cert 1, Client Cert 1) -> CA Key 2 Created (Client Cert 2, OCSP Cert 2) -> CA Key 1 Expiration (OCSP Cert 3, Client Cert 1) -> CA Key 2 Expiration (OCSP Cert 4, Client Cert 3)]
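How to apply and verify the fix from the two timelines above, as an added example that is not part of the original deck. Step 1 is the registry flag from slide 13, run elevated on the renewed CA. Step 2 compares the Authority Key Identifier of an OCSP signing certificate with that of a leaf certificate it will answer for: a delegated responder is only trusted for certificates issued by the CA that issued the responder certificate (RFC 6960 section 4.2.2.2), which is why a signing certificate issued under CA Key 2 cannot vouch for Client Cert 1. The .cer file names are hypothetical.

```powershell
# Added example (not from the deck): make the CA issue OCSP signing certificates under the CA key the
# responder asks for, then check an OCSP signing cert against a leaf it will answer for. Assumptions:
# step 1 runs elevated on the renewed CA; step 2 needs only the two .cer files, whose names are hypothetical.
#Requires -RunAsAdministrator

# Step 1 (CA): without this flag a renewed CA signs every new OCSP signing cert with its newest key, even
# when the Online Responder's revocation configuration for the OLD CA certificate requested it.
certutil -setreg CA\UseDefinedCACertInRequest 1 | Out-Null
Restart-Service CertSvc

# Step 2: verify. A delegated responder may only sign for certificates issued by the CA that issued the
# responder's own certificate, so the two Authority Key Identifiers must name the same CA key.
function Get-AuthorityKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $aki = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }      # Authority Key Identifier
    if ($aki -and $aki.Format($false) -match 'KeyID=([0-9a-fA-F ]+)') {          # Windows renders "KeyID=aa bb ..."
        return ($Matches[1] -replace ' ', '').ToUpperInvariant()
    }
    $null
}

function Test-OcspSignerForLeaf {
    param([string]$LeafPath, [string]$OcspSigningCertPath)
    $leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $LeafPath
    $signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OcspSigningCertPath
    $leafAki   = Get-AuthorityKeyId $leaf
    $signerAki = Get-AuthorityKeyId $signer
    $eku = $signer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }    # Enhanced Key Usage
    [pscustomobject]@{
        LeafIssuerKeyId   = $leafAki
        SignerIssuerKeyId = $signerAki
        SameIssuerKey     = [bool]($leafAki -and $leafAki -eq $signerAki)          # the slide-12 failure shows up here as $false
        HasOcspSigningEku = [bool]($eku -and $eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.9')
        SignerNotAfter    = $signer.NotAfter   # OCSP Response Signing template default is 2 weeks; renewal must keep working
    }
}

Test-OcspSignerForLeaf -LeafPath .\client-cert-1.cer -OcspSigningCertPath .\ocsp-signing.cer | Format-List

# Live end-to-end check from any domain client: fetches AIA/CDP/OCSP and prints the revocation result.
certutil -verify -urlfetch .\client-cert-1.cer
```

On the Online Responder itself, each CA certificate (Key 1 and Key 2) needs its own revocation configuration; with the flag set, the signing certificate each configuration enrolls for is issued under the matching CA key, which is what the slide-13 timeline shows with OCSP Cert 3 and 4.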

Slide 14

#4 – ADCS Hotfixes

Distinct from Product Updates
  Not distributed by Windows Update
  Product/issue-specific fix
  Previously reported issue with remediation
"Test and apply only if needed" philosophy
Preventative use
  If possible in the environment, consider the Hotfix
  No need to wait for a problem
Time consuming to find
  Comprehensive list: http://pkisolutions.com/adcs-hotfixes

Slide 15

#4 – ADCS Hotfixes

[Chart: ADCS hotfix counts by operating system (Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2); bar labels read 15 Hotfixes, 18 Hotfixes, 7 Hotfixes, 4 Hotfixes, 5 Hotfixes, 15 Hotfixes. ADCS Client Issues: 1 Known Issue, 3 Known Issues, 3 Known Issues. As of September 12, 2014.]

Slide 16

#5 – Network Device Enrollment Service

Microsoft's SCEP implementation
  Cisco-designed for devices without integrated authentication
    Routers & switches
  Available since Server 2000 in the Windows Resource Kit
  Integrated starting with Server 2008
Leveraged for many BYOD scenarios
  VoIP, tablets, phones, Internet of Things
Security and architecture
  Authentication and enrollment disjointed
  BYOD often necessitates DMZ exposure
New Whitepaper from Microsoft – Link TBD

Slide 17

#5 – Network Device Enrollment Service

Manage URI access to the server
  Does the solution require exposure of the admin page?
  Firewall & SSL protection
NDES key protection
  Hardware Security Module (think Heartbleed exploit)

Slide 18

#5 – Network Device Enrollment Service

Server 2012 R2 NDES Policy Module
  Offloaded authentication and enrollment management
  Authorization tied to the enrollment request
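The "manage URI access" point from slide 17, as an added example that is not part of the original deck: the IIS-side lockdown of the two NDES applications. Devices reach /certsrv/mscep over HTTPS only, and /certsrv/mscep_admin (the page that hands out enrollment challenge passwords) is limited to the listed management addresses, or denied to everyone when the solution does not need it. It assumes the NDES default site name, the IIS "IP and Domain Restrictions" feature installed, and a hypothetical management address 10.10.0.25.

```powershell
# Added example (not from the deck): lock down the NDES URIs in IIS. Assumptions: run elevated on the
# NDES server; site name 'Default Web Site' (the NDES default); 10.10.0.25 is a hypothetical management
# host; the IIS feature Web-IP-Security (IP and Domain Restrictions) is installed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Protect-NdesEndpoints {
    param(
        [string]   $Site = 'Default Web Site',
        [string[]] $AdminAllowedFrom = @()      # empty list = nobody may reach mscep_admin
    )
    # Require TLS on both applications: plain HTTP would expose challenge passwords and SCEP traffic.
    foreach ($app in 'CertSrv/mscep', 'CertSrv/mscep_admin') {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$app" `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    }
    # ipSecurity is locked at server level by default; allow the admin application to override it.
    Set-WebConfiguration -PSPath 'IIS:\' -Filter '/system.webServer/security/ipSecurity' `
        -Metadata 'overrideMode' -Value 'Allow'
    $adminLoc = "$Site/CertSrv/mscep_admin"
    Clear-WebConfiguration -PSPath 'IIS:\' -Location $adminLoc -Filter 'system.webServer/security/ipSecurity'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $adminLoc `
        -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted' -Value $false
    foreach ($ip in $AdminAllowedFrom) {
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $adminLoc `
            -Filter 'system.webServer/security/ipSecurity' -Name '.' -Value @{ ipAddress = $ip; allowed = 'true' }
    }
}

# Read the effective settings back, so the change can be evidenced in an assessment.
function Get-NdesEndpointPosture {
    param([string]$Site = 'Default Web Site')
    foreach ($app in 'CertSrv/mscep', 'CertSrv/mscep_admin') {
        $access = Get-WebConfiguration -PSPath 'IIS:\' -Location "$Site/$app" -Filter 'system.webServer/security/access'
        $ipsec  = Get-WebConfiguration -PSPath 'IIS:\' -Location "$Site/$app" -Filter 'system.webServer/security/ipSecurity'
        [pscustomobject]@{
            Application   = $app
            RequiresSsl   = ($access.sslFlags -match 'Ssl')
            AllowUnlisted = $ipsec.allowUnlisted
            AllowedFrom   = (($ipsec.Collection | Where-Object { $_.allowed } | ForEach-Object { $_.ipAddress }) -join ',')
        }
    }
}

Protect-NdesEndpoints -AdminAllowedFrom '10.10.0.25'
Get-NdesEndpointPosture | Format-Table -AutoSize
```

This covers only the URI side of slide 17: the firewall in front of the DMZ host and an HSM for the NDES registration-authority keys are still needed, and the 2012 R2 policy module on slide 18 addresses the disjointed authentication rather than the admin page.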

Slide 19

#6 – Certificate Validity Periods

Hierarchy lifetimes truncate children
  Plan from the client and up
  2x child lifetime
Balance with cryptographic usefulness
  Longer validity with more complex crypto

[Diagram: Root CA 10 Years -> Enterprise CA 5 Years -> Device Cert 2 Years]

Slide 20

#6 – Certificate Validity Periods

Half-life renewals with the same key
  Harder to track but fewer keys

[Two timeline diagrams labelled Same Key Renewal and New Key Renewal. One: Root CA 10 Years, Enterprise CA 5 Years, Device Certs 2 Years, 2 Years, 1 Year (the last truncated by the CA certificate's expiry). The other: Root CA 10 Years, Enterprise CA 5 Years renewed at 2.5 Years and 2.5 Years, Device Certs 2 Years, 2 Years, 2 Years.]
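The arithmetic behind the two diagrams above, as an added example that is not part of the original deck: a pure calculation of how the issuing CA's certificate lifetime caps what it issues, run for the deck's 10-year root / 5-year Enterprise CA / 2-year device plan under "renew at expiry" versus half-life same-key renewal. The start date is constructed, and the model goes one step beyond the slide by applying the same truncation rule to the Enterprise CA's own renewals under the root, which is the "plan from the client and up" point of slide 19.

```powershell
# Added example (not from the deck): model CA-lifetime truncation of child certificates for the deck's
# 10y / 5y / 2y hierarchy. Pure calculation, no CA required; the 2014-09-12 start date is constructed.
function Get-IssuedLifetime {
    param([datetime]$Issued, [double]$RequestedYears, [datetime]$IssuerNotAfter)
    $requested = $Issued.AddMonths([int](12 * $RequestedYears))
    # ADCS never issues a certificate that outlives the issuing CA certificate: the child is truncated.
    $notAfter  = if ($requested -gt $IssuerNotAfter) { $IssuerNotAfter } else { $requested }
    [pscustomobject]@{
        Issued    = $Issued.ToString('yyyy-MM-dd')
        NotAfter  = $notAfter.ToString('yyyy-MM-dd')
        Years     = [math]::Round(($notAfter - $Issued).TotalDays / 365.25, 2)
        Truncated = ($notAfter -lt $requested)
    }
}

function Get-HierarchyPlan {
    param(
        [datetime]$Start,
        [double]$RootYears = 10, [double]$IssuingYears = 5, [double]$DeviceYears = 2,
        [double]$IssuingRenewEveryYears   # 0 = renew only at expiry; 2.5 = half-life renewal (same key)
    )
    $rootNotAfter = $Start.AddMonths([int](12 * $RootYears))
    $renewEvery   = if ($IssuingRenewEveryYears -gt 0) { $IssuingRenewEveryYears } else { $IssuingYears }
    $t = $Start
    while ($t -lt $rootNotAfter) {
        # The issuing CA's certificate is itself capped by the root: same rule, one level up.
        $ca = Get-IssuedLifetime -Issued $t -RequestedYears $IssuingYears -IssuerNotAfter $rootNotAfter
        $caNotAfter = [datetime]::ParseExact($ca.NotAfter, 'yyyy-MM-dd', $null)
        # Devices enrol every $DeviceYears while this CA certificate is the current one.
        $d = $t
        while ($d -lt $t.AddMonths([int](12 * $renewEvery)) -and $d -lt $caNotAfter) {
            $dev = Get-IssuedLifetime -Issued $d -RequestedYears $DeviceYears -IssuerNotAfter $caNotAfter
            [pscustomobject]@{ Level = 'Device'; CaCertIssued = $ca.Issued; Issued = $dev.Issued
                               NotAfter = $dev.NotAfter; Years = $dev.Years; Truncated = $dev.Truncated }
            $d = $d.AddMonths([int](12 * $DeviceYears))
        }
        [pscustomobject]@{ Level = 'IssuingCA'; CaCertIssued = $ca.Issued; Issued = $ca.Issued
                           NotAfter = $ca.NotAfter; Years = $ca.Years; Truncated = $ca.Truncated }
        $t = $t.AddMonths([int](12 * $renewEvery))
    }
}

$start = Get-Date '2014-09-12'
'--- New key at expiry: the device cert issued in year 4 is cut to 1 year (slide 20, 2 / 2 / 1) ---'
Get-HierarchyPlan -Start $start -IssuingRenewEveryYears 0   | Format-Table -AutoSize
'--- Half-life (2.5y) same-key renewal: devices keep 2 years until the root itself runs out ---'
Get-HierarchyPlan -Start $start -IssuingRenewEveryYears 2.5 | Format-Table -AutoSize
```

The second run also shows what the slide's "2x child lifetime" rule is protecting against: the Enterprise CA renewal due at year 7.5 is cut to 2.5 years by the 10-year root, and the device certificates issued just before the root expires are truncated with it, so the root needs the same half-life renewal planning as the CA beneath it.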

Slide 21

#7 - CA Key Protection

Paramount to the integrity of the PKI
  Exposure negates cryptographic strength
  Soft versus Hard Keys
  Heartbleed exploit
Cheaper to protect than to remediate a compromise
Hardware Security Modules
  CA and NDES roles
  Thales e-Security & Gemalto/SafeNet
TPM CA keys – a word of caution
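A quick soft-versus-hard-key inventory for the CA and NDES roles named on the slide, as an added example that is not part of the original deck. It reads the provider recorded for the CA's signing key, locates the CA certificate and the NDES registration-authority certificates in the machine store, and flags keys held by the built-in Microsoft software providers or marked exportable. Anything else (an HSM key storage provider, or the TPM-backed Microsoft Platform Crypto Provider) is reported by name for review; the deck's caution about TPM CA keys is not elaborated on the slide, so the script does not judge it.

```powershell
# Added example (not from the deck): report where the CA signing key and the NDES RA keys live and whether
# they are software-backed or exportable. Run elevated on the CA and/or NDES server. Provider names listed
# are the built-in Microsoft ones; HSM and TPM providers are reported as-is.
#Requires -RunAsAdministrator

$SoftwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Base Cryptographic Provider v1.0'
)

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CNG keys (KSPs, HSMs, TPM) surface as RSACng; legacy CAPI keys as RSACryptoServiceProvider.
    try { $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert) }
    catch { return @{ Provider = "unreadable ($($_.Exception.Message))"; Exportable = $null } }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return @{ Provider = $rsa.Key.Provider.Provider; Exportable = ($rsa.Key.ExportPolicy -ne 'None') }
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return @{ Provider = $rsa.CspKeyContainerInfo.ProviderName; Exportable = $rsa.CspKeyContainerInfo.Exportable }
    }
    @{ Provider = 'unknown/non-RSA'; Exportable = $null }
}

function Get-CaKeyReport {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { return }                       # not a CA
    $ca  = (Get-ItemProperty $cfg).Active
    $csp = Get-ItemProperty "$cfg\$ca\CSP"                      # provider the CA was installed/renewed with
    # The CA certificate sits in LocalMachine\My with the CA name as subject; newest one is the active key.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$ca*" } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    $k = if ($caCert) { Get-PrivateKeyInfo $caCert } else { @{ Provider = $csp.Provider; Exportable = $null } }
    [pscustomobject]@{ Role = 'CA'; Subject = $ca; Provider = $k.Provider; Exportable = $k.Exportable
                       SoftKey = ($SoftwareProviders -contains $k.Provider) }
}

function Get-NdesRaKeyReport {
    # Both NDES RA certificates (Exchange Enrollment Agent (Offline request) and CEP Encryption) carry the
    # Certificate Request Agent EKU; whoever holds these keys can enrol on behalf of any device.
    $raEku = '1.3.6.1.4.1.311.20.2.1'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $raEku) } |
        ForEach-Object {
            $k = Get-PrivateKeyInfo $_
            [pscustomobject]@{ Role = 'NDES RA'; Subject = $_.Subject; Provider = $k.Provider
                               Exportable = $k.Exportable; SoftKey = ($SoftwareProviders -contains $k.Provider) }
        }
}

@(Get-CaKeyReport) + @(Get-NdesRaKeyReport) | Format-Table -AutoSize
```

A row with SoftKey true and Exportable true is the Heartbleed-class exposure the slide warns about: the key can leave the host with nothing more than local administrator rights, and the only remediation after a suspected exposure is to re-key the CA and reissue everything beneath it.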

Slide 22

#8 - Architecture

PKI hierarchy deployment mismatch
  Not designed to security/operational needs
  Designed on labs/books/whitepapers blindly
Single and three-tier most often incorrect
  Policy/Intermediate CA
    Is there a CAPolicy.inf?
  Single tier/Enterprise Root CA
    Using smart cards, S/MIME, code signing, file encryption, large number of non-AD clients?

Slide 23

#8 - Architecture

"Today, I just need a … certificate"
  Design for the next 12-18 months minimum
  What else is approved? What does the organization need?
Easy to under-engineer, hard to overdo it
Security and architecture are the key aspects
  Security can be improved, but integrity can't
  Architecture is generally inflexible

Slide 24

#9 – "Offline" Root

Physical isolation of Root
  Reduces attack surfaces
  Requires physical access
  Eliminates remote attacks
"Sometimes" offline
  Turned off when unused, brought on the network for maintenance
  Offline means OFFLINE!
Define & use USB flash/virtual floppy drives
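The parts of an offline standalone root build that slides 22 and 24 ask about, as one added example that is not part of the original deck: a CAPolicy.inf written before ADCS is installed (it is also read at every later root renewal, which is the "is there a CAPolicy.inf?" question), CDP/AIA pointed at HTTP only because the root never touches Active Directory, no delta CRLs, a long base CRL interval with a generous overlap, and the manual step of publishing the root CRL and carrying it out on removable media. It assumes Windows Server 2012 R2 with the ADCSAdministration module; the web host pki.example.com and drive E: are hypothetical.

```powershell
# Added example (not from the deck): offline standalone root CA baseline. Assumptions: run elevated on the
# root; Server 2012 R2 with the ADCSAdministration module; pki.example.com and drive E: are hypothetical.
#Requires -RunAsAdministrator
$PkiHost = 'pki.example.com'

# 1. BEFORE Install-AdcsCertificationAuthority -CAType StandaloneRootCA: settings the root keeps for life.
#    Single-quoted here-string so "$Windows NT$" is written literally.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

# 2. AFTER install: drop the default LDAP/HTTP entries (they point at this offline host and at an AD the root
#    is not a member of), keep the local CertEnroll file publication, add HTTP URLs online clients can reach.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -match '^(ldap|http)://' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint -Uri "http://$PkiHost/pki/<CaName><CRLNameSuffix>.crl" -AddToCertificateCdp -Force
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -match '^(ldap|http)://' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "http://$PkiHost/pki/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
certutil -setreg CA\CRLOverlapPeriod Weeks | Out-Null
certutil -setreg CA\CRLOverlapUnits 2      | Out-Null   # a 26-week CRL stays valid 2 weeks past Next CRL Publish
Restart-Service CertSvc

# 3. Each CRL cycle (the root is powered on only for this and for signing subordinate CA requests):
function Export-RootCrl {
    param([string]$RemovableDrive = 'E:')
    certutil -CRL | Out-Null                                   # writes <CaName>.crl into CertEnroll
    $caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
    $files  = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*" -Include '*.crl', '*.crt'
    $files | Copy-Item -Destination $RemovableDrive -Force
    # Sanity check before the media leaves the room: the dates on the new CRL.
    certutil -dump (Join-Path $RemovableDrive "$($caName).crl") | Select-String 'ThisUpdate|NextUpdate'
    $files.Name
}
Export-RootCrl -RemovableDrive 'E:'

# 4. On an online domain member, from the same media (no network path back to the root):
#    certutil -dspublish -f E:\<root>.crt RootCA      # trust the root domain-wide (Certification Authorities container)
#    Copy-Item E:\*.crl, E:\*.crt \\$PkiHost\pki\     # the HTTP location named in the CDP/AIA above
```

Everything the root publishes leaves on the removable media and nothing comes back over a network, which is what "offline means OFFLINE" amounts to operationally; the 26-week interval with a 2-week overlap is what makes a twice-yearly power-on schedule survivable.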

Slide 25

#10 - Collusion Requirements

Design – no single-person access
  Collusion procedures define multi-person access
  Cradle-to-grave operational controls
Enforce procedures
  Easily broken without accountability, controls, and auditing
  HSMs can enforce some controls
Locks and card keys, never the same person
A moment alone can never be undone

Slide 26

Questions?

Slide 27

Find Me Later At...

TechExpo Welcome Reception, Hall 7, Immediately Following This Session
TechExpo Happy Hour, Hall 7, Thursday 4pm – 5pm
Ask the Experts, Hall 5, Thursday 6:30pm – 8:00pm

Stay Connected:
www.pkisolutions.com
www.pkisolutions.com/adcs-hotfixes
@pkisolutions

Slide 28

Come visit us in the Microsoft Solutions Experience (MSE)!
Look for the Cloud and Datacenter Platform area, TechExpo Hall 7

For more information:
Windows Server Technical Preview: http://technet.microsoft.com/library/dn765472.aspx
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center Technical Preview: http://technet.microsoft.com/en-us/library/hh546785.aspx
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Slide 29

Resources

Learning: Microsoft Certification & Training Resources: www.microsoft.com/learning
Developer Network: http://developer.microsoft.com
TechNet: Resources for IT Professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Slide 30

Please Complete An Evaluation Form
Your input is important!
TechEd Schedule Builder: CommNet station or PC
TechEd Mobile app: Phone or Tablet

Slide 31

Evaluate this session

Slide 32

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.