Prevent logon without certificate
Art Vandeley
Posted: Wed Jan 26, 2005 9:05 pm    Post subject: Prevent logon without certificate

Hi there,
We're messing about with certificate services on a test windows 2003 server
at the moment. We have it installed and apparently working. Other PCs are
able to log onto the CA and request a certificate.
What we don't know though, is how to stop a PC without a certificate from
logging on to the domain. I presume it's a group policy but I can't find it
anywhere.

Cheers.
Mark Gamache
Posted: Wed Jan 26, 2005 10:55 pm    Post subject: Re: Prevent logon without certificate

There is no direct setting for this, but you can use other technologies for
this such as port based authentication (802.1X) or requiring IPSec using a
policy that uses certs for the auth type. You should also require users to
use smartcards to logon. This would use a cert on the smart card, however
the machine account would have already logged in. IPSec and 802.1X both can
prevent the computer account from gaining access, however, IPSec can be pretty
complex if you are new to it.

Mark Gamache
CSS

"Art Vandeley" <idozaf@gmail.com> wrote in message
news:35ppp5F4pakqqU1@individual.net...
Quote:
Hi there,
We're messing about with certificate services on a test windows 2003
server at the moment. We have it installed and apparently working. Other
PCs are able to log onto the CA and request a certificate.
What we don't know though, is how to stop a PC without a certificate from
logging on to the domain. I presume it's a group policy but I can't find
it anywhere.

Cheers.
Miha Pihler [MVP]
Posted: Wed Jan 26, 2005 11:49 pm    Post subject: Re: Prevent logon without certificate

Hi,

There are a few things to watch out for. You can't really use IPSec between
client and DC if you use Kerberos as the authentication protocol (you could use
IPSec if you used certificate-based authentication or a pass phrase -- which
should not be used in a production environment). The last thing I heard on using
IPSec between clients and DCs is that it is not supported by PSS.
One of the problems with IPSec, Kerberos, domain controllers and clients is
that clients must first be able to talk to the DC before they can establish
IPSec, and they cannot establish IPSec if you set the domain controller to "Secure
Server - (Require Security)"...

802.1x also has its limitations and can be bypassed, but physical security
and quite some knowledge is required...

My main question is, why would a certificate be a requirement (I can see some
advantages, but I would like to see if Art has a good reason for this or
there is a better solution -- e.g. Smart Card for users)? Who can add computers
to the domain? By default "Authenticated Users" can add 10 computers to the domain,
but if you change the policy only domain administrators (or another group of
users) will be able to add computers to the domain...

--
Mike
Microsoft MVP - Windows Security

"Mark Gamache" <gsdf> wrote in message
news:u4GTZf8AFHA.1524@TK2MSFTNGP09.phx.gbl...
Quote:
There is no direct setting for this, but you can use other technologies
for this such as port based authentication (802.1X) or requiring IPSec
using a policy that uses certs for the auth type. You should also require
users to use smartcards to logon. This would use a cert on the smart
card, however the machine account would have already logged in. IPSec and
802.1X both can prevent the computer account from gaining access, however,
IPSec can be pretty complex if you are new to it.

Mark Gamache
CSS

"Art Vandeley" <idozaf@gmail.com> wrote in message
news:35ppp5F4pakqqU1@individual.net...
Hi there,
We're messing about with certificate services on a test windows 2003
server at the moment. We have it installed and apparently working. Other
PCs are able to log onto the CA and request a certificate.
What we don't know though, is how to stop a PC without a certificate from
logging on to the domain. I presume it's a group policy but I can't find
it anywhere.

Cheers.


Back to top
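Mike's question about who may add computers to the domain can be answered, and the default tightened, from PowerShell. The following is an added example, not part of Mike's reply; it assumes the ActiveDirectory module (RSAT) on a domain-joined administrative workstation and only reads the domain object unless `$Enforce` is set to `$true`.

```powershell
# Added example: inspect and optionally tighten the domain-wide machine account
# quota that lets Authenticated Users join computers (10 by default) to the domain.
# Assumes the ActiveDirectory module and rights to read/modify the domain object.
Import-Module ActiveDirectory

$Enforce = $false   # set to $true to actually change the quota

$domain       = Get-ADDomain
$domainObject = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota        = [int]$domainObject.'ms-DS-MachineAccountQuota'

"Domain: $($domain.DNSRoot)"
"ms-DS-MachineAccountQuota: $quota"

if ($quota -gt 0) {
    "Any authenticated user can join up to $quota computers without delegated rights."
    if ($Enforce) {
        # With the quota at 0, joins need 'Create Computer objects' delegated on an OU
        # (or membership of Domain Admins / Account Operators).
        Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        "Quota set to 0."
    }
} else {
    "Quota is already 0; joins require explicitly delegated rights."
}

# Note: the 'Add workstations to domain' user right (SeMachineAccountPrivilege in the
# Default Domain Controllers Policy) is the second half of this control and is not
# read by this script; review it separately in the Group Policy editor.
```

Setting the quota to 0 does not touch computers that are already joined; it only stops unprivileged accounts from creating new computer objects, which is the "change the policy" step Mike refers to.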
Steven L Umbach
Posted: Thu Jan 27, 2005 2:04 am    Post subject: Re: Prevent logon without certificate

You can not on a normal network. Keep in mind that a computer may not need
to logon to the domain anyhow to access domain resources. A windows 98
laptop for example could access network shares if the user knows a domain
logon/password. Ipsec with a require policy can prevent such access to non
domain computers or any computer without a proper computer certificate if
certificate authentication is used for the ipsec. Implementing ipsec is not
a trivial process and must not be done without thorough planning and
testing, as if improperly done it can bring down the whole domain. A VPN
server configured to accept only l2tp connections could be able to exclude
access through that VPN server to any computer without a computer
certificate. VPN servers can be used to isolate sensitive networks within
the lan. -- Steve

"Art Vandeley" <idozaf@gmail.com> wrote in message
news:35ppp5F4pakqqU1@individual.net...
Quote:
Hi there,
We're messing about with certificate services on a test windows 2003
server at the moment. We have it installed and apparently working. Other
PCs are able to log onto the CA and request a certificate.
What we don't know though, is how to stop a PC without a certificate from
logging on to the domain. I presume it's a group policy but I can't find
it anywhere.

Cheers.
Art Vandelay
Posted: Thu Jan 27, 2005 2:36 am    Post subject: Re: Prevent logon without certificate

Quote:
My main question is, why would a certificate be a requirement (I can see
some advantages, but I would like to see if Art has a good reason for this or
there is a better solution -- e.g. Smart Card for users)? Who can add
computers to the domain? By default "Authenticated Users" can add 10 computers
to the domain, but if you change the policy only domain administrators (or
another group of users) will be able to add computers to the domain...

Hi, thanks for your reply. Maybe knowing what we want to achieve is the way
forward as it looks like certificates are not what I thought :-)

We can get access to our server at the office from remote sites if we enable
"remote desktop" and forward port 3389 through our firewall. We haven't
actually done that yet, as we are, of course, worried about the security
implications. We thought that if we enabled certificate services on our
network and allowed only computers that had a certificate to log on, then
that extra level of security would be enough. Our staff could then connect
to the server remotely only using their laptops which would be certificated.

Am I way off line thinking like this?

Thanks guys.
Mark Gamache
Posted: Thu Jan 27, 2005 3:10 am    Post subject: Re: Prevent logon without certificate

Ahhhh... That makes more sense. What you want to do is create an IPSec
policy specifically for TS. The article below does just that.

http://support.microsoft.com/default.aspx?scid=kb;en-us;q315055&sd=tech

Mark Gamache
CSS

"Art Vandelay" <idozaf@gmail.com> wrote in message
news:35qdanF4q1j2qU1@individual.net...
Quote:

Hi, thanks for your reply. Maybe knowing what we want to achieve is the
way forward as it looks like certificates are not what I thought :-)

We can get access to our server at the office from remote sites if we
enable "remote desktop" and forward port 3389 through our firewall. We
haven't actually done that yet, as we are, of course, worried about the
security implications. We thought that if we enabled certificate services
on our network and allowed only computers that had a certificate to log
on, then that extra level of security would be enough. Our staff could
then connect to the server remotely only using their laptops which would
be certificated.

Am I way off line thinking like this?

Thanks guys.
Mark Gamache
Posted: Thu Jan 27, 2005 3:12 am    Post subject: Re: Prevent logon without certificate
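The KB article Mark links describes the Windows 2003 procedure through the IPSec policy snap-in. As an added example (not from the thread or the article), the same control on a current Windows Server RDP host using the NetSecurity cmdlets: inbound RDP is accepted only inside IPsec that was authenticated with a machine certificate chaining to the organisation's CA. The CA subject below is a placeholder, and the script assumes Windows Server 2012 or later with each permitted laptop already holding a machine certificate from that CA.

```powershell
# Added example (not from the thread or KB 315055): require IPsec, authenticated by a
# machine certificate from the organisation's CA, for inbound RDP (TCP/3389).
# Assumes Windows Server 2012+ (NetSecurity module) and that each permitted laptop
# holds a machine certificate issued under the root CA named below.
$CaRootSubject = 'CN=Example Root CA, DC=example, DC=local'   # placeholder: your root CA subject

# Phase 1 (main mode) authentication: computer certificate, accepted only if it
# chains to $CaRootSubject. A cert from any other CA does not authenticate.
$certAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaRootSubject -AuthorityType Root
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'RDP: machine cert from corp CA' -Proposal $certAuth

# For contrast, the weak setting the thread warns against (pre-shared key). Not created here.
# $pskAuth = New-NetIPsecAuthProposal -Machine -PreSharedKey 'changeme'

# Connection security rule: traffic to local port 3389 must arrive inside IPsec;
# a peer that cannot present an acceptable certificate is dropped before RDP sees it.
New-NetIPsecRule -DisplayName 'RDP requires IPsec (machine certificate)' `
    -Description 'Inbound Remote Desktop must be authenticated with a corp CA machine certificate' `
    -Protocol TCP -LocalPort 3389 -RemotePort Any `
    -InboundSecurity Require -OutboundSecurity None `
    -Phase1AuthSet $phase1.Name | Out-Null

# Belt and braces: make the built-in Remote Desktop firewall rules accept only
# IPsec-authenticated connections, so a later edit to the connection security
# rule cannot silently reopen plain RDP.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Authentication Required

# Verify what was applied.
Get-NetIPsecRule -DisplayName 'RDP requires IPsec (machine certificate)' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallSecurityFilter |
    Select-Object Authentication, Encryption
```

Run this from the server console or another out-of-band path rather than over an RDP session, since the rule drops your own unauthenticated connection the moment it applies. Use `-AuthorityType Intermediate` if the certificates are issued by a subordinate CA and you want to pin to that CA rather than the root. This protects the RDP listener exposed through the firewall, which is Art's stated goal; it does not address ordinary domain logon from a remote site, which Steve's reply covers with an L2TP VPN.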

Mike, can you tell me a bit about how 802.1X can be bypassed?

Thanks

Mark G.

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:%23r$hb88AFHA.1296@TK2MSFTNGP10.phx.gbl...
Quote:
Hi,

There are a few things to watch out for. You can't really use IPSec between
client and DC if you use Kerberos as the authentication protocol (you could
use IPSec if you used certificate-based authentication or a pass phrase --
which should not be used in a production environment). The last thing I heard on
using IPSec between clients and DCs is that it is not supported by PSS.
One of the problems with IPSec, Kerberos, domain controllers and clients is
that clients must first be able to talk to the DC before they can establish
IPSec, and they cannot establish IPSec if you set the domain controller to
"Secure Server - (Require Security)"...

802.1x also has its limitations and can be bypassed, but physical
security and quite some knowledge is required...

My main question is, why would a certificate be a requirement (I can see
some advantages, but I would like to see if Art has a good reason for this
or there is a better solution -- e.g. Smart Card for users)? Who can add
computers to the domain? By default "Authenticated Users" can add 10 computers
to the domain, but if you change the policy only domain administrators (or
another group of users) will be able to add computers to the domain...

--
Mike
Microsoft MVP - Windows Security

"Mark Gamache" <gsdf> wrote in message
news:u4GTZf8AFHA.1524@TK2MSFTNGP09.phx.gbl...
There is no direct setting for this, but you can use other technologies
for this such as port based authentication (802.1X) or requiring IPSec
using a policy that uses certs for the auth type. You should also
require users to use smartcards to logon. This would use a cert on the
smart card, however the machine account would have already logged in.
IPSec and 802.1X both can prevent the computer account from gaining
access, however, IPSec can pretty complex if you are new to it.

Mark Gamache
CSS

"Art Vandeley" <idozaf@gmail.com> wrote in message
news:35ppp5F4pakqqU1@individual.net...
Hi there,
We're messing about with certificate services on a test windows 2003
server at the moment. We have it installed and apparently working. Other
PCs are able to log onto the CA and request a certificate.
What we don't know though, is how to stop a PC without a certificate
from logging on to the domain. I presume it's a group policy but I can't
find it anywhere.

Cheers.




Back to top
Art Vandelay
Guest





Posted: Thu Jan 27, 2005 3:18 am    Post subject: Re: Prevent logon without certificate Reply with quote

Thanks very much for that, Mark, I will run through that tomorrow.

Clearly, I have no idea why certificates are used then. What are the most
common 'real world' uses of certificates then?
Steven L Umbach
Posted: Thu Jan 27, 2005 3:42 am    Post subject: Re: Prevent logon without certificate

That [ipsec transport] would be good advice within the lan but for remote
access using a VPN server with a L2TP connection and then accessing Remote
Desktop through the tunnel would work well. --- Steve


"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:%23Igbyt%23AFHA.3596@TK2MSFTNGP12.phx.gbl...
Quote:
Ahhhh... That makes more sense. What you want to do is create an IPSec
policy specifically for TS. The article below does just that.

http://support.microsoft.com/default.aspx?scid=kb;en-us;q315055&sd=tech

Mark Gamache
CSS

"Art Vandelay" <idozaf@gmail.com> wrote in message
news:35qdanF4q1j2qU1@individual.net...

My main question is, why would certificate be a requirement (I can see
some
advantages, but I would like to see if Art has a good reason for this or
is there a better solution -- e.g. Smart Card for users)? Who can add
computers to domain? By default "Authenticated Users can add 10
computers to domain, but if you change the policy only domain
administrators (or another group of users) will be able to add computers
to domain...

Hi, thanks for your reply. Maybe knowing what we want to achieve is the
way forward as it looks like certificates are not what I thought :-)

We can get access to our server at the office from remote sites if we
enable "remote desktop" and forward port 3389 through our firewall. We
haven't actually done that yet, as we are, of course, worried about the
security implications. We thought that if we enabled certificate services
on our network and allowed only computers that had a certificate to log
on, then that extra level of security would be enough. Our staff could
then connect to the server remotely only using their laptops which would
be certificated.

Am I way off line thinking like this?

Thanks guys.


Back to top
Mark Gamache
Guest





Posted: Thu Jan 27, 2005 3:47 am    Post subject: Re: Prevent logon without certificate Reply with quote

Certificates are specifically used in order to exchange information securely
without pre-arranging secret keys between systems. In the past, to
communicate securely the sender and recipient had to have pre-arranged a key
and found a secure way to communicate it. This was a catch-22, you can't
securely deliver the key until you've arranged for a secure way to securely
deliver a key. Certificates reference a public key. The public key has a
corresponding key called the private key. There is no way to derive one key
from the other. If you encrypt data using one key, only the other key can
decrypt the data. A single member of the pair can not encrypt then decrypt
a piece of data. By keeping your private key secure, and advertising your
public key to the world (usually in a certificate), anyone can encrypt data
for you that can only be opened with the private key that you possess. This
allows for a secure exchange without ever having to have exchanged any
private data.

There are a lot of uses for certificates. They are a stronger form of
authentication than a username and password, assuming the private key is
properly secured. The MS white paper below is good and to the point.

http://www.microsoft.com/windows2000/docs/cryptPKI.doc


Cheers,

Mark
CSS

"Art Vandelay" <idozaf@gmail.com> wrote in message
news:35qfpmF4quq8oU1@individual.net...
Quote:
Thanks very much for that, Mark, I will run through that tomorrow.

Clearly, I have no idea why certificates are used then. What are the most
common real 'world uses' of certificates then?
Miha Pihler [MVP]
Posted: Thu Jan 27, 2005 3:56 am    Post subject: Re: Prevent logon without certificate
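Mark's description of the key pair can be watched in action with the .NET RSA classes that PowerShell exposes. This is an added example, not code from Mark's post: the keys are generated in memory purely for illustration, the "encrypt with one key, decrypt with the other" property is shown as encryption to the public key, and the reverse direction (private key signs, public key verifies) is what the "stronger than a password" claim rests on.

```powershell
# Added example (not from Mark's post): the key-pair behaviour he describes, shown with
# .NET RSA from PowerShell. Keys are generated here for illustration and never leave memory.
$alice   = [System.Security.Cryptography.RSA]::Create(2048)        # Alice's private + public key pair
$padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# What Alice publishes (in practice inside a certificate): the public half only.
$alicePublic = [System.Security.Cryptography.RSA]::Create()
$alicePublic.ImportParameters($alice.ExportParameters($false))     # $false = without the private key

$message = [System.Text.Encoding]::UTF8.GetBytes('no shared secret was arranged in advance')

# Anyone holding the public key can encrypt for Alice...
$ciphertext = $alicePublic.Encrypt($message, $padding)

# ...but the public key on its own cannot undo that encryption.
try {
    $null = $alicePublic.Decrypt($ciphertext, $padding)
    'UNEXPECTED: public key decrypted the data'
} catch {
    'Public key cannot decrypt: ' + $_.Exception.Message
}

# Only the holder of the private key recovers the plaintext.
$recovered = [System.Text.Encoding]::UTF8.GetString($alice.Decrypt($ciphertext, $padding))
"Private key recovered: $recovered"

# Reverse direction: the private key signs, anyone with the public key verifies.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$sigPad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signature = $alice.SignData($message, $hashAlg, $sigPad)
"Signature verifies with public key: $($alicePublic.VerifyData($message, $signature, $hashAlg, $sigPad))"

# Flip one bit of the message and the same signature no longer verifies.
$tampered = [byte[]]$message.Clone()
$tampered[0] = $tampered[0] -bxor 1
"Tampered message verifies: $($alicePublic.VerifyData($tampered, $signature, $hashAlg, $sigPad))"
```

The first verification prints `True` and the tampered one `False`; the attempted decryption with the public-only object throws, which is the point Mark makes about a single member of the pair not being able to both encrypt and decrypt. A smart card logon is this signing step with the private key locked inside the card, which is why the private key's protection is the whole strength of the scheme.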

Hi Mark,

http://blogs.msdn.com/steve_lamb/archive/2004/11/20/267076.aspx

To add to the blog, TCP will work if the legitimate computer on the network has
a personal firewall enabled.

--
Mike
Microsoft MVP - Windows Security

"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:OROe7u%23AFHA.2880@TK2MSFTNGP14.phx.gbl...
Quote:
Mike, can you tell me a bit about how 802.1X can be bypassed?

Thanks

Mark G.

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:%23r$hb88AFHA.1296@TK2MSFTNGP10.phx.gbl...
Hi,

There are few things to watch out for. You can't really use IPSec between
client and DC if you use Kerberos as authentication protocol (you could
use IPSec if you used Certificates based authentication or pass phrase --
which should not be used in production environment). Last thing I heard
on using IPSec between clients and DCs is that it is not supported by
PSS.
One of the problem with IPSec, Kerberos, domain controllers and clients
is that clients must first be able to talk to the DC before it can
establish IPSec and it can not establish IPSec if you set domain
controller to "Secure Server - (Require Security)"...

802.1x also has it's limitations and can be bypassed, but physical
security and quite some knowledge is required...

My main question is, why would certificate be a requirement (I can see
some advantages, but I would like to see if Art has a good reason for
this or is there a better solution -- e.g. Smart Card for users)? Who can
add computers to domain? By default "Authenticated Users can add 10
computers to domain, but if you change the policy only domain
administrators (or another group of users) will be able to add computers
to domain...

--
Mike
Microsoft MVP - Windows Security

"Mark Gamache" <gsdf> wrote in message
news:u4GTZf8AFHA.1524@TK2MSFTNGP09.phx.gbl...
There is no direct setting for this, but you can use other technologies
for this such as port based authentication (802.1X) or requiring IPSec
using a policy that uses certs for the auth type. You should also
require users to use smartcards to logon. This would use a cert on the
smart card, however the machine account would have already logged in.
IPSec and 802.1X both can prevent the computer account from gaining
access, however, IPSec can pretty complex if you are new to it.

Mark Gamache
CSS

"Art Vandeley" <idozaf@gmail.com> wrote in message
news:35ppp5F4pakqqU1@individual.net...
Hi there,
We're messing about with certificate services on a test windows 2003
server at the moment. We have it installed and apparently working.
Other PCs are able to log onto the CA and request a certificate.
What we don't know though, is how to stop a PC without a certificate
from logging on to the domain. I presume it's a group policy but I
can't find it anywhere.

Cheers.






Back to top
Art Vandeley
Guest





Posted: Thu Jan 27, 2005 3:03 pm    Post subject: Re: Prevent logon without certificate Reply with quote

"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:%23Igbyt%23AFHA.3596@TK2MSFTNGP12.phx.gbl...
Quote:
Ahhhh... That makes more sense. What you want to do is create an IPSec
policy specifically for TS. The article below does just that.

http://support.microsoft.com/default.aspx?scid=kb;en-us;q315055&sd=tech

Mark Gamache

So, that will allow us to make a RDC to the server. How about if we want to
log onto the domain normally from a remote site. What kind of setup should
we be using then?
 