enabling piv cards for windows - secure technology alliance
TRANSCRIPT
Serving Those Who Serve Our Country 1
Prepared by: Tim Baldridge
Date: 06.10.2015
Enabling PIV Cards for Windows
Serving Those Who Serve Our Country 2
• Unprivileged vs Privilege Network Logon
• Explicit User Action for Privileged Network Logon
• Subject Name Mapped Windows Smartcard logon
• Authentication Mechanism Assurance
Briefing Goals
Serving Those Who Serve Our Country 3
• Unprivileged
• FICAM Roadmap and Implementation Guidance, V2.0 Chapter 9, 11
• OMB M-11-11
• NIST SP 800-53 r4, IA-2 (2)
• Privileged
• FICAM Roadmap and Implementation Guidance, V2.0, Chapter 9, 11
• OMB M-11-11
• NIST SP 800-53 r4, IA-2 (1)
Unprivileged vs Privileged Network Logon
Technically Required To Log Onto The Network With A Two-factor PIV Card
NISTIR 7849 A methodology for Developing Authentication Assurance level Taxonomy for Smart Card-based Identity Verification http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7849.pdf
Serving Those Who Serve Our Country 4
• There is an implied HSPD-12 requirement for single PIV Card use for both unprivileged and privileged network logon accounts and potentially multiples of one or both types of accounts for a given user
• FIPS 201-2 does not require explicit user action for an activated PIV Card to perform PIV Authentication private key operations
• Once a PIV card is activated the PIV Authentication Key may be used without further user input. There exist a vulnerability, that once activated a PIV Card that is mapped to multiple accounts may be exploited without user knowledge for privilege elevation
PIV Authentication
Serving Those Who Serve Our Country 5
• NISTIR 7863 (Draft) Cardholder Authentication for the PIV Digital Signature Key (DSK) clarifies the requirement for “explicit user action” for DSK private key operations
• A similar approach is needed for the PIV Authentication private key operations to identify possible architectures and minimum security objectives and controls that constitute explicit user action required to change user elevate privilege or account context
• The principal minimum security objective is to enforce a mandatory explicit user action prior to elevating privilege or activating a new user account context
Explicit User Action for Privileged Network Logon
Serving Those Who Serve Our Country 6
• Hardware Appliance
• PIV Authentication To In-line Appliance As Proxy To Elevated Privilege Or Protected User Accounts
• Alternate Token
• Contradicts Standing Single Issued PIV Card Principal
• Integrity Contingent On Following PIV Issuance Processes
• Subject Name Mapped Windows Smartcard Logon
• Limited Cross-Platform Support For Username Hint Entry
Possible Architectures
Serving Those Who Serve Our Country 7
• FY15 CIO Annual FISMA Metrics v1.1 • http://www.dhs.gov/sites/default/files/publications/FY15%20CIO%20Annual%20FISMA%20Metrics%
20v1%201.pdf
• FAQ HSPD-12 • http://www.idmanagement.gov/homeland-security-presidential-directive-12/faqs
• Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 • http://www.microsoft.com/en-us/download/details.aspx?id=36036
References
Serving Those Who Serve Our Country 8
• Eliminates Dependencies on UPN Domain Mapping and NT_AUTH Policies for Smartcard Issuing CAs and Eliminates UPN Hijacking Risk at Smartcard Logon
• One Smartcard to Many Domain Account Mapping
• Default username hint is determined by UPN
• Example: separate routine and elevated privilege accounts
• Many Smartcards to One Account Mapping
• Must Provide Username Hint at Smartcard Logon
• Example: Multiple Operators for NOC display systems
Subject Name Mapped Windows Smartcard Logon
Serving Those Who Serve Our Country 9
• When UPN mapping is disabled the “altSecurityIdentities” user account must specify one of the five available mapping options for smartcard logon to function.
• Username Hints do not need to be turned on for every system in the domain. Only the systems where users need to select multiple accounts for smartcard logon.
• Windows 2003 and below will only support one-to-one user to smartcard mapping.
• All User Accounts in the Domain Must Specify the “altSecurityIdentities” Attribute – Implies Automation for Replication and Synchronization of “altSecurityIdentities” and UPN From Issuance and Registration Systems to AD
Subject Name Mapped Windows Smartcard logon
Serving Those Who Serve Our Country 10
• Disabling the UPN mapping enables certificate mapping in Microsoft Windows Active Directory.
• User Principal Name (UPN) mapping is a special case of one-to-one mapping used in Active Directory. In Windows Server® 2008 R2 and later, it is possible to turn off UPN mapping on a domain and use other explicit mapping by disabling the Subject Alternative Name (SAN) through the Registry Editor.
• This setting is typically used when the deployed client certificate contains a SAN extension with a value you wish to ignore in favor of an explicit mapping.
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
• Change the value of the DWORD UseSubjectAltName to 00000000.
• The value of UseSubjectAltName must be set on all KDCs (Domain Controllers) for the domain.
Subject Name Mapped Windows Smartcard logon
Serving Those Who Serve Our Country 11
• Subject and Issuer fields
• altSecurityIdentities: X509:<I> C=US,O=U.S. Government, OU=Agency, OU=Certification Authorities, OU=Agency Issuing CA<S>CN=iamauser
• Subject DN (Requires NT_AUTH config)
• altSecurityIdentities: X509:<S>CN=iamauser
• Subject Key Identifier
• altSecurityIdentities: X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
• Issuer, and Serial Number
• altSecurityIdentities: X509:<I> C=US, O=U.S. Government, OU=Agency, OU=Certification Authorities, OU=Agency Issuing CA <SR>32000000000003bde810
• RFC822 name (Requires NT_AUTH config)
• altSecurityIdentities: X509:<RFC822>[email protected]
• Caveat – DNs compared as string, not as X.500 for multivalued names
“altSecurityIdentities” User Attribute Certificate Mapping Options
Serving Those Who Serve Our Country 12
• How to disable the Subject Alternative Name for UPN mapping:
http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx
• Windows Vista Smartcard Infrastructure:
https://msdn.microsoft.com/en-us/library/bb905527.aspx
• Map a user to a certificate via all the methods available in the altSecurityIdentities attribute:
http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx
• Mapping one smartcard certificate to multiple accounts:
http://blogs.technet.com/b/askds/archive/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts.aspx
• Smartcard Authentication Changes:
http://technet.microsoft.com/en-us/library/cc721959(WS.10).aspx
Useful Links
Serving Those Who Serve Our Country 13
• Authentication mechanism assurance is an added capability in Windows Server 2008 R2 AD DS that you can use when the domain functional level is set to Windows Server 2008 R2. When it is enabled, authentication mechanism assurance adds an administrator-designated global group membership to a user’s Kerberos token when the user’s credentials are authenticated during logon using a certificate-based logon method
• Authentication Mechanism Assurance (AMA) for AD DS in Windows Server 2008 R2
• https://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx
• Power Shell Script for Common Federal/DoD Certificate Policies simplifies implementation as compared to TechNet Step-by-Step Guide.
Authentication Mechanism Assurance
Serving Those Who Serve Our Country 14
AMA Example Logon Groups
Serving Those Who Serve Our Country 15
• The Windows Server® 2008 R2 patch to correct the KDC not setting the certificate issuance policy when the KDC validates the smartcard certificate is now available via the following link.
• http://support.microsoft.com/kb/2771254
• Windows Server® 2012 and after -- no patch required
• Enable AMA Priority above Most Recently Issued Superior Certificate Heuristic with the following
• Windows Registry Editor Version 5.00
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc]
• "ChainWithIssuancePolicyOIDs"=dword:00000001
Authentication Mechanism Assurance