Serving Those Who Serve Our Country 1

Prepared by: Tim Baldridge

Date: 06.10.2015

Enabling PIV Cards for Windows

Serving Those Who Serve Our Country 2

• Unprivileged vs Privilege Network Logon

• Explicit User Action for Privileged Network Logon

• Subject Name Mapped Windows Smartcard logon

• Authentication Mechanism Assurance

Briefing Goals

Serving Those Who Serve Our Country 3

• Unprivileged

• FICAM Roadmap and Implementation Guidance, V2.0 Chapter 9, 11

• OMB M-11-11

• NIST SP 800-53 r4, IA-2 (2)

• Privileged

• FICAM Roadmap and Implementation Guidance, V2.0, Chapter 9, 11

• OMB M-11-11

• NIST SP 800-53 r4, IA-2 (1)

Unprivileged vs Privileged Network Logon

Technically Required To Log Onto The Network With A Two-factor PIV Card

NISTIR 7849 A methodology for Developing Authentication Assurance level Taxonomy for Smart Card-based Identity Verification http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7849.pdf

Serving Those Who Serve Our Country 4

• There is an implied HSPD-12 requirement for single PIV Card use for both unprivileged and privileged network logon accounts and potentially multiples of one or both types of accounts for a given user

• FIPS 201-2 does not require explicit user action for an activated PIV Card to perform PIV Authentication private key operations

• Once a PIV card is activated the PIV Authentication Key may be used without further user input. There exist a vulnerability, that once activated a PIV Card that is mapped to multiple accounts may be exploited without user knowledge for privilege elevation

PIV Authentication

Serving Those Who Serve Our Country 5

• NISTIR 7863 (Draft) Cardholder Authentication for the PIV Digital Signature Key (DSK) clarifies the requirement for “explicit user action” for DSK private key operations

• A similar approach is needed for the PIV Authentication private key operations to identify possible architectures and minimum security objectives and controls that constitute explicit user action required to change user elevate privilege or account context

• The principal minimum security objective is to enforce a mandatory explicit user action prior to elevating privilege or activating a new user account context

Explicit User Action for Privileged Network Logon

Serving Those Who Serve Our Country 6

• Hardware Appliance

• PIV Authentication To In-line Appliance As Proxy To Elevated Privilege Or Protected User Accounts

• Alternate Token

• Contradicts Standing Single Issued PIV Card Principal

• Integrity Contingent On Following PIV Issuance Processes

• Subject Name Mapped Windows Smartcard Logon

• Limited Cross-Platform Support For Username Hint Entry

Possible Architectures

Serving Those Who Serve Our Country 7

• FY15 CIO Annual FISMA Metrics v1.1 • http://www.dhs.gov/sites/default/files/publications/FY15%20CIO%20Annual%20FISMA%20Metrics%

20v1%201.pdf

• FAQ HSPD-12 • http://www.idmanagement.gov/homeland-security-presidential-directive-12/faqs

• Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 • http://www.microsoft.com/en-us/download/details.aspx?id=36036

References

Serving Those Who Serve Our Country 8

• Eliminates Dependencies on UPN Domain Mapping and NT_AUTH Policies for Smartcard Issuing CAs and Eliminates UPN Hijacking Risk at Smartcard Logon

• One Smartcard to Many Domain Account Mapping

• Default username hint is determined by UPN

• Example: separate routine and elevated privilege accounts

• Many Smartcards to One Account Mapping

• Must Provide Username Hint at Smartcard Logon

• Example: Multiple Operators for NOC display systems

Subject Name Mapped Windows Smartcard Logon

Serving Those Who Serve Our Country 9

• When UPN mapping is disabled the “altSecurityIdentities” user account must specify one of the five available mapping options for smartcard logon to function.

• Username Hints do not need to be turned on for every system in the domain. Only the systems where users need to select multiple accounts for smartcard logon.

• Windows 2003 and below will only support one-to-one user to smartcard mapping.

• All User Accounts in the Domain Must Specify the “altSecurityIdentities” Attribute – Implies Automation for Replication and Synchronization of “altSecurityIdentities” and UPN From Issuance and Registration Systems to AD

Subject Name Mapped Windows Smartcard logon

Serving Those Who Serve Our Country 10

• Disabling the UPN mapping enables certificate mapping in Microsoft Windows Active Directory.

• User Principal Name (UPN) mapping is a special case of one-to-one mapping used in Active Directory. In Windows Server® 2008 R2 and later, it is possible to turn off UPN mapping on a domain and use other explicit mapping by disabling the Subject Alternative Name (SAN) through the Registry Editor.

• This setting is typically used when the deployed client certificate contains a SAN extension with a value you wish to ignore in favor of an explicit mapping.

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.

• Change the value of the DWORD UseSubjectAltName to 00000000.

• The value of UseSubjectAltName must be set on all KDCs (Domain Controllers) for the domain.

Subject Name Mapped Windows Smartcard logon

Serving Those Who Serve Our Country 11

• Subject and Issuer fields

• altSecurityIdentities: X509:<I> C=US,O=U.S. Government, OU=Agency, OU=Certification Authorities, OU=Agency Issuing CA<S>CN=iamauser

• Subject DN (Requires NT_AUTH config)

• altSecurityIdentities: X509:<S>CN=iamauser

• Subject Key Identifier

• altSecurityIdentities: X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41

• Issuer, and Serial Number

• altSecurityIdentities: X509:<I> C=US, O=U.S. Government, OU=Agency, OU=Certification Authorities, OU=Agency Issuing CA <SR>32000000000003bde810

• RFC822 name (Requires NT_AUTH config)

• altSecurityIdentities: X509:<RFC822>iamauser@agency.gov

• Caveat – DNs compared as string, not as X.500 for multivalued names

“altSecurityIdentities” User Attribute Certificate Mapping Options

Serving Those Who Serve Our Country 12

• How to disable the Subject Alternative Name for UPN mapping:

http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx

• Windows Vista Smartcard Infrastructure:

https://msdn.microsoft.com/en-us/library/bb905527.aspx

• Map a user to a certificate via all the methods available in the altSecurityIdentities attribute:

http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx

• Mapping one smartcard certificate to multiple accounts:

http://blogs.technet.com/b/askds/archive/2009/08/10/mapping-one-smartcard-certificate-to-multiple-accounts.aspx

• Smartcard Authentication Changes:

http://technet.microsoft.com/en-us/library/cc721959(WS.10).aspx

Useful Links

Serving Those Who Serve Our Country 13

• Authentication mechanism assurance is an added capability in Windows Server 2008 R2 AD DS that you can use when the domain functional level is set to Windows Server 2008 R2. When it is enabled, authentication mechanism assurance adds an administrator-designated global group membership to a user’s Kerberos token when the user’s credentials are authenticated during logon using a certificate-based logon method

• Authentication Mechanism Assurance (AMA) for AD DS in Windows Server 2008 R2

• https://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx

• Power Shell Script for Common Federal/DoD Certificate Policies simplifies implementation as compared to TechNet Step-by-Step Guide.

Authentication Mechanism Assurance

Serving Those Who Serve Our Country 14

AMA Example Logon Groups

Serving Those Who Serve Our Country 15

• The Windows Server® 2008 R2 patch to correct the KDC not setting the certificate issuance policy when the KDC validates the smartcard certificate is now available via the following link.

• http://support.microsoft.com/kb/2771254

• Windows Server® 2012 and after -- no patch required

• Enable AMA Priority above Most Recently Issued Superior Certificate Heuristic with the following

• Windows Registry Editor Version 5.00

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc]

• "ChainWithIssuancePolicyOIDs"=dword:00000001

Authentication Mechanism Assurance

Serving Those Who Serve Our Country 16

Questions?

tim.w.baldridge.civ@mail.mil