Date post: 21-Dec-2015
Page 1:

Page 2:

Top 10 Mistakes in Microsoft Public Key Infrastructure Deployments

Mark B. Cooper, President & Founder, PKI Solutions Inc.

CDP-B242

Page 3:

About PKI Solutions Inc.
• 10 years as Microsoft Senior Engineer for PKI
• Numerous books and whitepapers
• Services include:
  • ADCS Architecture, Deployment and Consulting
  • PKI Assessment and Remediation Services
  • In-Depth PKI Training
  • Retainer and Support Services

Page 4:

“A poorly designed, executed or managed PKI can introduce more security issues than it solves.”

Page 5:

Genesis of The List
• Compiled over 10 years @ Microsoft
• MCS, Engineering and “RedZone” sources
• Private and public sectors around the world
• Hundreds of customer environments
• Led to Microsoft PKI Best Practice Review
• Evolved over the years to ADCS Assessment

Page 6:

Benefits of ADCS Assessments
• Problems can lie in wait
• Many manifest after first CA renewal
• Testing and validation often insufficient
• Fresh perspective to spot deficiencies

Page 7:

#1 - CRL Management

Validity & publishing intervals
• Intervals balanced with need to know
• Identification versus authorization
• Highly affected by caching behavior on clients
• Windows caches for lifetime of CRL
• Certutil.exe -setreg chain\ChainCacheResyncFiletime @now
• Less effective: Certutil.exe -URLcache delete

Validity versus publishing
• Next Update versus Next CRL Publish
• Leverage overlaps to provide redundancy
• CRLOverlapPeriod/Units & CRLDeltaOverlapPeriod/Units

Page 8:

#1 - CRL Management

Effective date Sept 12 @ 1:42pm
• CA backdates CRL 10 minutes for clock skew

Defines Next CRL Publish
• September 19 @ 1:42pm
• Next CRL Publish = Base Interval (7 Days)
• Clients will expect a new CRL at this time
• Will continue to use until expired if no update

Next Update defines expiration
• September 20 @ 1:42pm
• Next Update = Base Interval + Overlap
• Overlap <= Base Interval
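The timing rules on this slide as a small Python model, an added example rather than code from the deck; it follows the slide's simplified arithmetic (Next Update = Base Interval + Overlap, effective date backdated by the clock-skew allowance), and the year 2014 for the slide's dates is an assumption:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CrlSchedule:
    this_update: datetime       # effective date written into the CRL (backdated)
    next_crl_publish: datetime  # when the CA will publish the next CRL
    next_update: datetime       # when this CRL expires on clients


def plan_crl(publish_time: datetime, base_interval: timedelta, overlap: timedelta,
             clock_skew: timedelta = timedelta(minutes=10)) -> CrlSchedule:
    """Apply the slide's timing rules to one CRL publication.

    Next CRL Publish = publish time + base interval; Next Update adds the
    overlap on top, which is the redundancy window the slide recommends.
    """
    if base_interval <= timedelta(0) or overlap < timedelta(0):
        raise ValueError("base interval must be positive and overlap non-negative")
    if overlap > base_interval:
        raise ValueError("overlap must not exceed the base interval")
    return CrlSchedule(
        this_update=publish_time - clock_skew,
        next_crl_publish=publish_time + base_interval,
        next_update=publish_time + base_interval + overlap,
    )


def client_view(sched: CrlSchedule, now: datetime) -> str:
    """What a Windows client that cached this CRL does at `now`.

    Windows keeps the cached CRL until Next Update, so between Next CRL Publish
    and Next Update a stale CRL is still accepted; after Next Update revocation
    checking fails until a fresh CRL can be retrieved.
    """
    if now < sched.this_update:
        return "not-yet-valid"
    if now < sched.next_crl_publish:
        return "current"
    if now < sched.next_update:
        return "refresh-expected"
    return "expired"


# Constructed input reproducing the slide's figures (year assumed to be 2014).
SLIDE = plan_crl(datetime(2014, 9, 12, 13, 42), timedelta(days=7), timedelta(days=1))
```

The gap between `next_crl_publish` and `next_update` is the outage the CDP can survive before clients start failing revocation checks.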

Page 9:

#1 - CRL Management

Distribution Mechanisms
• Active Directory versus HTTP
• Driven by accessibility and client compatibilities

Availability
• CRL versus CA issuance
• Organizational requirements
• Redundant delivery mechanisms
  • Active Directory
  • HTTP

Delta CRL
• Generally unneeded in most environments

Page 10:

#2 - Misuse of OCSP

Designed for efficient CRL processing
• Overcomes large CRL file transfers (MB+)
• Certificate-specific enquiries from OCSP Responder
• Dependent on CRLs
• CRL interval dependent
• Not real-time information
• Deterministic results
• CAB Forum
• Available in Server 2012 R2 & 2008 R2 w/Hotfix 2960124

Page 11:

#3 – OCSP Renewal

OCSP signing certificate
• Required from EACH CA serviced
• Signed by CA
• CA signs with current key pair
• OCSP uses signing certificate on behalf of the CA
• Signs responses like a CA would
• Certificate represents a CA signing key
• Services older key pairs/CRLs
• Default configuration can break OCSP on CA renewal

Page 12:

#3 – OCSP Renewal

OCSP key renewal issue

[Timeline across CA Key 1 and CA Key 2: CA Key 1 Created, OCSP Cert 1, Client Cert 1, Client Cert 2, OCSP Cert 2, CA Key 2 Created, CA Key 1 Expiration, OCSP Cert 3, Client Cert 1, CA Key 2 Expiration]

Page 13:

#3 – OCSP Renewal

OCSP requests specify correct CA:
certutil -setreg ca\UseDefinedCACertInRequest 1

[Timeline across CA Key 1 and CA Key 2: CA Key 1 Created, OCSP Cert 1, Client Cert 1, Client Cert 2, OCSP Cert 2, CA Key 2 Created, CA Key 1 Expiration, OCSP Cert 3, Client Cert 1, CA Key 2 Expiration, OCSP Cert 4, Client Cert 3]

Page 14:

#4 – ADCS Hotfixes

Distinct from Product Updates
• Not distributed by Windows Update
• Product/issue-specific fix
• Previously reported issue with remediation
• “Test and apply only if needed” philosophy

Preventative use
• If possible in the environment, consider the Hotfix
• Don’t need to wait for a problem

Time consuming to find
• Comprehensive list: http://pkisolutions.com/adcs-hotfixes

Page 15:

#4 – ADCS Hotfixes

[Chart: hotfix counts per platform for Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 (counts shown: 15, 18, 7, 4, 5 and 15 Hotfixes), plus ADCS Client Issues (1 Known Issue, 3 Known Issues, 3 Known Issues)]

As of September 12, 2014

Page 16:

#5 – Network Device Enrollment Service

Microsoft’s SCEP implementation
• Cisco designed it for devices without integrated authentication
• Routers & switches
• Available since Server 2000 in Windows Resource Kit
• Integrated starting with Server 2008

Leveraged for many BYOD scenarios
• VoIP, tablets, phones, Internet of Things

Security and architecture
• Authentication and enrollment disjointed
• BYOD often necessitates DMZ exposure
• New Whitepaper from Microsoft – Link TBD

Page 17:

#5 – Network Device Enrollment Service

Manage URI access to server
• Does solution require exposure of admin page?
• Firewall & SSL protection

NDES key protection
• Hardware Security Module (think Heartbleed exploit)

[Diagram labels: Client Devices; Exterior Firewall; Isolated Network/DMZ; NDES; Interior Firewall; Internal Network; Domain Controllers; Issuing CA; Offline Root CA]

Page 18:

#5 – Network Device Enrollment Service

Server 2012 R2 NDES Policy Module
• Offloaded authentication and enrollment management
• Authorization tied to enrollment request

Page 19:

#6 – Certificate Validity Periods

Hierarchy lifetimes truncate children
• Plan from the client and up
• 2x child lifetime

Balance with cryptographic usefulness
• Longer validity with more complex crypto

[Diagram: Root CA 10 Years; Enterprise CA 5 Years; Device Cert 2 Years]

Page 20:

#6 – Certificate Validity Periods

Half-life renewals with same key
• Harder to track but fewer keys

[Diagram 1, no CA renewal: Root CA 10 Years; Enterprise CA 5 Years; Device Certs 2 Years, 2 Years, then only 1 Year (cut short by the Enterprise CA expiration)]

[Diagram 2, Enterprise CA renewed at 2.5 Years (Same Key Renewal or New Key Renewal): Root CA 10 Years; Enterprise CA 5 Years + 5 Years; Device Certs 2 Years, 2 Years, 2 Years]
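The truncation rule from slide 19 and the half-life renewal from this slide worked through in Python; this is an added example, not code from the deck, and the 365-day year, the 2014 start date and the function names are assumptions:

```python
from __future__ import annotations
from datetime import datetime, timedelta

YEAR = timedelta(days=365)  # simplified year for the planning arithmetic (assumption)


def issue(not_before: datetime, lifetime: timedelta, issuer_not_after: datetime) -> datetime:
    """NotAfter the issuing CA can actually grant: a child never outlives its issuer."""
    return min(not_before + lifetime, issuer_not_after)


def renewal_deadline(issuer_not_after: datetime, child_lifetime: timedelta) -> datetime:
    """Last moment the issuer can still grant a child its full lifetime."""
    return issuer_not_after - child_lifetime


def half_life(not_before: datetime, not_after: datetime) -> datetime:
    """Renewal point under the slide's half-life renewal approach."""
    return not_before + (not_after - not_before) / 2


def check_hierarchy(tiers: list[tuple[str, timedelta]]) -> list[str]:
    """Check the 'plan from the client up, 2x child lifetime' rule; root tier first."""
    problems = []
    for (parent, p_life), (child, c_life) in zip(tiers, tiers[1:]):
        if p_life < 2 * c_life:
            problems.append(f"{parent} ({p_life.days}d) is shorter than 2x {child} ({c_life.days}d)")
    return problems


# Constructed scenario matching the slides: Root 10y, Enterprise CA 5y, device cert 2y.
ENT_START = datetime(2014, 1, 1)
ENT_END = ENT_START + 5 * YEAR


def device_lifetime(issued_at: datetime, ca_not_after: datetime = ENT_END) -> timedelta:
    """Lifetime a 2-year device certificate really gets when issued at `issued_at`."""
    return issue(issued_at, 2 * YEAR, ca_not_after) - issued_at
```

Issuing at year 4 of an unrenewed 5-year Enterprise CA yields the 1-year device certificate from Diagram 1; renewing the CA at its half-life restores the full 2 years.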

Page 21:

#7 - CA Key Protection

Paramount to integrity of PKI
• Exposure negates cryptographic strength

Soft versus Hard Keys
• Heartbleed exploit
• Cheaper to protect than to remediate compromise

Hardware Security Modules
• CA and NDES roles
• Thales e-Security & Gemalto/SafeNet

TPM CA keys – a word of caution

Page 22:

#8 - Architecture

PKI hierarchy deployment mismatch
• Not designed to security/operational needs
• Designed blindly from labs/books/whitepapers
• Single- and three-tier most often incorrect
• Policy/Intermediate CA: is there a CAPolicy.inf?
• Single tier/Enterprise Root CA: using smart cards, S/MIME, code signing, file encryption, large number of non-AD clients?

Page 23:

#8 - Architecture

“Today, I just need a …… certificate”
• Design for next 12-18 months minimum
• What else is approved?
• What does organization need?
• Easy to under-engineer, hard to overdo it

Security and architecture key aspects
• Security can be improved, but integrity can’t
• Architecture is generally inflexible

Page 24:

#9 – “Offline” Root

Physical isolation of Root
• Reduces attack surfaces
• Requires physical access
• Eliminates remote attacks

“Sometimes” offline
• Turned off when unused, brought on the network for maintenance

Offline means OFFLINE!
• Define & use USB flash/virtual floppy drives

Page 25:

#10 - Collusion Requirements

Design – no single person access
• Collusion procedures define multi-person access
• Cradle to grave operational controls

Enforce procedures
• Easily broken without accountability, controls, and auditing
• HSMs can enforce some controls
• Locks and card keys, never the same person

A moment alone can never be undone

Page 26:

Questions?

Page 27:

Related content

Find Me Later At...
• TechExpo Welcome Reception, Hall 7, Immediately Following This Session
• TechExpo Happy Hour, Hall 7, Thursday 4pm – 5pm
• Ask the Experts, Hall 5, Thursday 6:30pm – 8:00pm

Stay Connected:
• www.pkisolutions.com
• www.pkisolutions.com/adcs-hotfixes
• @pkisolutions


Page 32:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
