Top 10 Mistakes in Microsoft Public Key Infrastructure Deployments
Mark B. Cooper, President & Founder, PKI Solutions Inc.
CDP-B242
About PKI Solutions Inc.
- 10 years as Microsoft Senior Engineer for PKI
- Numerous books and whitepapers
- Services include:
  - ADCS Architecture, Deployment and Consulting
  - PKI Assessment and Remediation Services
  - In-Depth PKI Training
  - Retainer and Support Services
“A poorly designed, executed or managed PKI can introduce more security issues than it solves.”
Genesis of The List
- Compiled over 10 years @ Microsoft
  - MCS, Engineering and “RedZone” sources
  - Private and public sectors around the world
  - Hundreds of customer environments
- Led to Microsoft PKI Best Practice Review
- Evolved over the years to ADCS Assessment
Benefits of ADCS Assessments
- Problems can lie in wait
  - Many manifest after first CA renewal
- Testing and validation often insufficient
- Fresh perspective to spot deficiencies
#1 - CRL Management
- Validity & publishing intervals
  - Intervals balanced with need to know
  - Identification versus authorization
- Highly affected by caching behavior on clients
  - Windows caches for lifetime of CRL
  - Certutil.exe -setreg chain\ChainCacheResyncFiletime @now
  - Less effective: Certutil.exe -URLcache * delete
- Validity versus publishing
  - Next Update versus Next CRL Publish
  - Leverage overlaps to provide redundancy
  - CRLOverlapPeriod/Units & CRLDeltaOverlapPeriod/Units
#1 - CRL Management
- Effective date: Sept 12 @ 1:42pm
  - CA backdates CRL 10 minutes for clock skew
- Next CRL Publish: September 19 @ 1:42pm
  - Next CRL Publish = Base Interval (7 Days)
  - Clients will expect a new CRL at this time
  - Will continue to use until expired if no update
- Next Update defines expiration: September 20 @ 1:42pm
  - Next Update = Base Interval + Overlap
  - Overlap <= Base Interval
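The timeline above reduces to simple date arithmetic, and the values that drive it live in the CA's registry configuration. The following PowerShell is an added example, not code from the deck or from Microsoft: it models ThisUpdate, Next CRL Publish and Next Update from a base interval and overlap, enforces the "Overlap <= Base Interval" rule, and reads the live settings from the default CertSvc configuration key (the CA name is taken from that key's "Active" value, an assumption about a standard install). The function names and the 365.25-day conversions are the example's own.

```powershell
# Added example (not from the deck): model the Next CRL Publish / Next Update
# timeline and read the live values from a CA's registry configuration.
# Assumes the default CertSvc configuration path; the CA name is taken from the
# "Active" value there, so nothing is hard-coded.

function Get-CrlTimeline {
    param(
        [datetime]$IssuedAt = (Get-Date),
        [double]$BaseIntervalDays = 7,   # CRLPeriodUnits with CRLPeriod = "Days"
        [double]$OverlapDays = 1,        # CRLOverlapUnits with CRLOverlapPeriod = "Days"
        [int]$ClockSkewMinutes = 10      # ADCS default backdating of ThisUpdate
    )
    # The deck's rule: overlap must not exceed the base interval.
    if ($OverlapDays -gt $BaseIntervalDays) {
        throw "Overlap ($OverlapDays days) exceeds the base interval ($BaseIntervalDays days)"
    }
    $thisUpdate = $IssuedAt.AddMinutes(-$ClockSkewMinutes)
    [pscustomobject]@{
        ThisUpdate     = $thisUpdate
        # Clients expect a fresh CRL here and keep using the old one if none appears.
        NextCrlPublish = $thisUpdate.AddDays($BaseIntervalDays)
        # The CRL actually expires here; revocation checking fails after this point.
        NextUpdate     = $thisUpdate.AddDays($BaseIntervalDays + $OverlapDays)
        # Time available to repair a failed publish before clients are affected.
        GraceWindow    = [timespan]::FromDays($OverlapDays)
    }
}

# Convert the CA's (units, period-string) pair into days. A 0 value means the CA
# applies its built-in default; it is reported as 0 here rather than guessed.
function ConvertTo-Days {
    param([double]$Units, [string]$Period)
    switch ($Period) {
        'Hours' { $Units / 24 }
        'Days'  { $Units }
        'Weeks' { $Units * 7 }
        default { Write-Warning "Unhandled period unit '$Period'"; $Units }
    }
}

function Get-CrlTimelineFromCa {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $base $caName)
    Get-CrlTimeline -BaseIntervalDays (ConvertTo-Days $cfg.CRLPeriodUnits $cfg.CRLPeriod) `
                    -OverlapDays      (ConvertTo-Days $cfg.CRLOverlapUnits $cfg.CRLOverlapPeriod) `
                    -ClockSkewMinutes $cfg.ClockSkewMinutes
}

# The deck's worked figures: CRL issued Sept 12 at 1:52pm and backdated 10 minutes,
# 7-day base interval, 1-day overlap.
Get-CrlTimeline -IssuedAt ([datetime]'2014-09-12 13:52') -BaseIntervalDays 7 -OverlapDays 1

# To set a 1-day overlap on the CA (takes effect after the service restarts):
#   certutil -setreg CA\CRLOverlapUnits 1
#   certutil -setreg CA\CRLOverlapPeriod "Days"
#   net stop certsvc; net start certsvc
```

Run on the CA itself, `Get-CrlTimelineFromCa` shows at a glance whether the configured overlap leaves any grace window at all; an overlap of 0 means a single missed publish takes clients straight from "expecting a new CRL" to "CRL expired".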
#1 - CRL Management
- Distribution Mechanisms
  - Active Directory versus HTTP
  - Driven by accessibility and client compatibilities
- Availability
  - CRL versus CA issuance
  - Organizational requirements
- Redundant delivery mechanisms
  - Active Directory
  - HTTP
- Delta CRL
  - Generally unneeded in most environments
#2 - Misuse of OCSP
- Designed for efficient CRL processing
  - Overcomes large CRL file transfers (MB+)
  - Certificate-specific enquiries from OCSP Responder
- Dependent on CRLs
  - CRL interval dependent
  - Not real-time information
- Deterministic results
  - CAB Forum
  - Available in Server 2012 R2 & 2008 R2 w/ Hotfix 2960124
#3 – OCSP Renewal
- OCSP signing certificate
  - Required from EACH CA serviced
  - Signed by CA
  - CA signs with current key pair
- OCSP uses signing certificate on behalf of the CA
  - Signs responses like a CA would
  - Certificate represents a CA signing key
  - Services older key pairs/CRLs
- Default configuration can break OCSP on CA renewal
#3 – OCSP Renewal
- OCSP key renewal issue
[Timeline diagram with two rows, CA Key 1 and CA Key 2, and the events: CA Key 1 Created, OCSP Cert 1, Client Cert 1, Client Cert 2, OCSP Cert 2, CA Key 2 Created, CA Key 1 Expiration, OCSP Cert 3, Client Cert 1, CA Key 2 Expiration.]
#3 – OCSP Renewal
- OCSP requests specify correct CA
  - certutil -setreg ca\UseDefinedCACertInRequest 1
[Timeline diagram with two rows, CA Key 1 and CA Key 2, and the events: CA Key 1 Created, OCSP Cert 1, Client Cert 1, Client Cert 2, OCSP Cert 2, CA Key 2 Created, CA Key 1 Expiration, OCSP Cert 3, Client Cert 1, CA Key 2 Expiration, OCSP Cert 4, Client Cert 3.]
#4 – ADCS Hotfixes
- Distinct from Product Updates
  - Not distributed by Windows Update
  - Product/issue-specific fix
  - Previously reported issue with remediation
- “Test and apply only if needed” philosophy
- Preventative use
  - If possible in the environment, consider the Hotfix
  - Don’t need to wait for problem
  - Time consuming to find
  - Comprehensive list: http://pkisolutions.com/adcs-hotfixes
#4 – ADCS Hotfixes
[Chart: number of ADCS hotfixes per platform for Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 (counts shown: 15, 18, 7, 4, 5 and 15; the extracted text does not preserve which count belongs to which version), plus ADCS Client Issues (1 Known Issue, 3 Known Issues, 3 Known Issues). As of September 12, 2014.]
#5 – Network Device Enrollment Service
- Microsoft’s SCEP implementation
  - Cisco designed for non-authentication integrated devices
  - Routers & switches
- Available since Server 2000 in Windows Resource Kit
- Integrated starting with Server 2008
- Leveraged for many BYOD scenarios
  - VoIP, tablets, phones, Internet of Things
- Security and architecture
  - Authentication and enrollment disjointed
  - BYOD often necessitates DMZ exposure
- New Whitepaper from Microsoft – Link TBD
#5 – Network Device Enrollment Service
- Manage URI access to server
  - Does solution require exposure of admin page?
  - Firewall & SSL protection
- NDES key protection
  - Hardware Security Module (think Heartbleed exploit)
#5 – Network Device Enrollment Service
- Server 2012 R2 NDES Policy Module
  - Offloaded authentication and enrollment management
  - Authorization tied to enrollment request
#6 – Certificate Validity Periods
- Hierarchy lifetimes truncate children
- Plan from the client and up
  - 2x child lifetime
- Balance with cryptographic usefulness
  - Longer validity with more complex crypto
[Diagram: Root CA 10 Years, Enterprise CA 5 Years, Device Cert 2 Years]
#6 – Certificate Validity Periods
- Half-life renewals with same key
  - Harder to track but fewer keys
[Diagram: two renewal timelines, “Same Key Renewal” and “New Key Renewal”, for a Root CA (10 Years) / Enterprise CA (5 Years) / Device Cert (2 Years) hierarchy, with device-certificate lifetimes of 2 Years, 1 Year, 2.5 Years and 2 Years shown along the Enterprise CA’s life.]
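The two slides above state three rules without showing the arithmetic: a CA should live at least twice as long as what it issues, a parent's expiry truncates anything issued beneath it, and renewing a CA at its half-life keeps children from being truncated. The PowerShell below is an added example, not the deck's or Microsoft's code; it checks a planned hierarchy against the 2x rule, computes the effective lifetime of a certificate issued late in its CA's life, and derives the half-life renewal date. The 10/5/2-year tiers are the slide's figures; the function names, the 2014-01-01 start date and the 365.25-day year are the example's own assumptions.

```powershell
# Added example (not from the deck): check a planned hierarchy against the
# 2x rule, show how a parent's expiry truncates a child, and derive the half-life
# renewal date. Tier names and the 10/5/2-year figures come from the slide;
# a 365.25-day year and the start date are assumptions for the arithmetic.

function Test-HierarchyPlan {
    param([Parameter(Mandatory)][hashtable[]]$Tiers)  # ordered root -> leaf
    $findings = @()
    for ($i = 1; $i -lt $Tiers.Count; $i++) {
        $parent = $Tiers[$i - 1]
        $child  = $Tiers[$i]
        if ($parent.Years -lt 2 * $child.Years) {
            $findings += "$($parent.Name) ($($parent.Years)y) is shorter than 2x $($child.Name) ($($child.Years)y)"
        }
    }
    return $findings   # empty when every tier satisfies the 2x rule
}

# Effective lifetime of a certificate issued by a CA whose own certificate
# expires at $CaNotAfter: the requested lifetime, cut off at the CA's expiry.
function Get-EffectiveLifetime {
    param(
        [Parameter(Mandatory)][datetime]$IssuedAt,
        [Parameter(Mandatory)][double]$RequestedYears,
        [Parameter(Mandatory)][datetime]$CaNotAfter
    )
    $requestedEnd = $IssuedAt.AddDays(365.25 * $RequestedYears)
    $notAfter = if ($requestedEnd -gt $CaNotAfter) { $CaNotAfter } else { $requestedEnd }
    [pscustomobject]@{
        NotAfter  = $notAfter
        Years     = [math]::Round(($notAfter - $IssuedAt).TotalDays / 365.25, 2)
        Truncated = $notAfter -lt $requestedEnd
    }
}

# Half-life renewal: renew the CA when half its validity has elapsed. With the 2x
# rule in place this always falls before the last date at which a full-length
# child can still be issued, so children are never truncated.
function Get-RenewalPlan {
    param(
        [Parameter(Mandatory)][datetime]$CaNotBefore,
        [Parameter(Mandatory)][double]$CaYears,
        [Parameter(Mandatory)][double]$ChildYears
    )
    $caNotAfter    = $CaNotBefore.AddDays(365.25 * $CaYears)
    $renewAt       = $CaNotBefore.AddDays(365.25 * $CaYears / 2)
    $lastSafeIssue = $caNotAfter.AddDays(-365.25 * $ChildYears)
    [pscustomobject]@{
        CaNotAfter     = $caNotAfter
        RenewAt        = $renewAt
        LastSafeIssue  = $lastSafeIssue
        HalfLifeIsSafe = $renewAt -le $lastSafeIssue   # true whenever CaYears >= 2 * ChildYears
    }
}

# The deck's hierarchy passes the 2x rule (no findings returned).
$plan = @(
    @{ Name = 'Root CA';       Years = 10 },
    @{ Name = 'Enterprise CA'; Years = 5 },
    @{ Name = 'Device Cert';   Years = 2 }
)
Test-HierarchyPlan -Tiers $plan

# Without renewal, a 2-year device certificate requested in year 4 of the 5-year
# issuing CA is cut back to roughly 1 year.
$caStart = [datetime]'2014-01-01'
Get-EffectiveLifetime -IssuedAt $caStart.AddYears(4) -RequestedYears 2 -CaNotAfter $caStart.AddYears(5)

# Renewing the issuing CA at its half-life (2.5 years in) avoids that.
Get-RenewalPlan -CaNotBefore $caStart -CaYears 5 -ChildYears 2
```

`Get-EffectiveLifetime` is the check worth running against real issuance dates: a fleet of device certificates that were silently truncated to a year all come up for renewal at the CA's expiry, which is exactly when the deck says problems tend to surface.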
#7 - CA Key Protection
- Paramount to integrity of PKI
  - Exposure negates cryptographic strength
- Soft versus Hard Keys
  - Heartbleed exploit
  - Cheaper to protect than to remediate compromise
- Hardware Security Modules
  - CA and NDES roles
  - Thales e-Security & Gemalto/SafeNet
- TPM CA keys – a word of caution
#8 - Architecture
- PKI hierarchy deployment mismatch
  - Not designed to security/operational needs
  - Designed from labs/books/whitepapers blindly
- Single- and three-tier most often incorrect
  - Policy/Intermediate CA: Is there a CAPolicy.inf?
  - Single tier/Enterprise Root CA: Using smart cards, S/MIME, code signing, file encryption, large number of non-AD clients?
#8 - Architecture
- “Today, I just need a …… certificate”
  - Design for next 12-18 months minimum
  - What else is approved? What does organization need?
- Easy to under-engineer, hard to overdo it
- Security and architecture key aspects
  - Security can be improved, but integrity can’t
  - Architecture is generally inflexible
#9 – “Offline” Root
- Physical isolation of Root
  - Reduces attack surfaces
  - Requires physical access
  - Eliminates remote attacks
- “Sometimes” offline
  - Turned off when unused, brought on the network for maintenance
  - Offline means OFFLINE!
- Define & use USB flash/virtual floppy drives
#10 - Collusion Requirements
- Design – no single person access
  - Collusion procedures define multi-person access
  - Cradle to grave operational controls
- Enforce procedures
  - Easily broken without accountability, controls, and auditing
  - HSMs can enforce some controls
- Locks and card keys, never the same person
- A moment alone can never be undone
Questions?
Related content
Find Me Later At...
- TechExpo Welcome Reception, Hall 7, Immediately Following This Session
- TechExpo Happy Hour, Hall 7, Thursday 4pm – 5pm
- Ask the Experts, Hall 5, Thursday 6:30pm – 8pm
Stay Connected:
- www.pkisolutions.com
- www.pkisolutions.com/adcs-hotfixes
- @pkisolutions
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.