Protect Yourself From Malicious PKI Administrator – Role Separation In PKI

Let’s start with some theoretical background about public key role separation. An important step in designing and implementing our public infrastructure is that reminding the groups or users who will manage it, and here, I would like to point out that we should always use active directory groups when we are talking about security managing certification authorities that are a member of active directory, because it is much easier from the management perspective. This design step determines the security of your public infrastructure, so please don’t treat it lightly.

Availability of Role Separation

Role separation is available on Windows certification authorities since Windows 2003. Right now, we have Windows 2016. This year, Microsoft will release Windows 2019, but still, when I do some projects and audits in companies, I see that many companies are failing to use this functionality, and actually role separation is the only way to protect ourselves from a malicious public infrastructure administrator. Even if you completely tasked your employees, please bear in mind that their accounts can be hacked, and if a single person can do everything on your certification authority, it’s not the best option from the security perspective.

Looking for some helpful tools?

How Does Role Separation Work in Windows?

Windows approach to role separation is implementation of common criteria standard. Common criteria have four levels, starting from level one that offers the weakest protections, up to level four that gives us the strongest protection. Today we won’t focus too much on the differences.

Common criteria role separation requires that public infrastructure management must be configured so that no single person has full control, and this is the most important for you to remember. No single person has the full power of managing your certification authorities.

So, let’s dig into Windows implementation of common criteria. Today, we’ll implement four distinct roles as described in common criteria level four. Those roles are CA Administrator, Certificate Manager, Backup Operator, and Auditor.

Microsoft offers even more options for separating management task by defining permissions based on certificate template, but this is a topic for another Hacks Weekly. So let’s briefly discuss what are the responsibilities assigned to each of the roles?

Certification Authority Administrator Responsibilities

The first and the most privileged role is, obviously, Certification Authority Administrator. He can configure extension which means that he can define URLs for both CRL distribution points, which we refer as CDP and authority information access. CA Administrator can also configure policy and exit modules. Policy and exit modules for those who are not so familiar with certification authorities determine the action as CA takes during certificate issuance. For example, we can configure our certification authority server to make all certificate request, with a status of pending instead of issuing them automatically to the users if there’s a server.

Enroll permission. Then, certification authority administrator can define certificate manager restrictions, which means that he can assign permissions for each certificate manager to manage a specific combination of certificate templates and global groups. And the same applies to enrollment agents and certificate managers. So certification administrator can say members of this group will become certificate managers. Also, certificate administrator is responsible for defining key recovery agents, so the people who are responsible for archival and recovery of the private keys at certification authority database.

Obviously, when it comes to security, CA Admin can also define other certification authority administrators. One of the other crucial responsibilities for this role is to configure CRL schedules and also publish it, and it applies to both base CRLs and Delta CRLs. Obviously, CA Admin has the permissions to recall CA configuration and restart the service.

Certificate Manager Responsibilities

The next role we’ll be implementing today is Certificate Manager. The responsibilities of this role are pretty straightforward as the name implies. He can issue or deny pending certificate requests, revoke issued certificates, for instance, will revoke a certificate that was issued when the private key is compromised, or maybe an employee leaves the company. Also, certificate manager determines key recovery agent and he can also extract archived private keys from certification authority database. However, it doesn’t mean that certificate manager can perform a key recover. No. After the extraction of an archived private key, only that designed key recovery agent can actually recover this key. And here, we can go even further, but it’s not for today.

Some organizations decide to limit certification manager to manage only certain certificate templates. So for instance, we define a template for our web servers, and we assign the WebCert Managers active directory group for managing this template. We also defined a second certificate template based on user certificate template called EFS, and we created a group, EFS Cert Managers, which is responsible for managing certificates based on that template.

Auditor Responsibilities

The next role is Auditor role. This is a very simple role. This person or group of person are responsible for auditing certification authority operations. Here, this is a small trick to assign auditor role, we are using group policy object instead of tools designed for managing certification authorities. And you have to remember one thing when we are talking about auditor role, there is no way we can actually restrict CA Auditor from doing all events in Windows Security Log, so please keep that in mind.

Backup Operator Responsibilities

The last role is Backup Operator. Backup Operators can perform certification authority database backups. Obviously, certification authority configuration backups, those are stored in Windows registry and backup of the private and public keeper of the certification authority.

The Importance of Role Separation Enforcement

And now, this is a crucial point from the security perspective, role separation enforcement.

PKI administrator

We should always have this enabled to ensure that our infrastructure is protected. With role enforcement, we prevent the situation when CA Administrator can assign himself another role.

When he tries to do it, we’ll see a catastrophic failure on our CA server and he will be locked. The configuration of role separation is pretty straightforward, we use certutil to enable it, and then we just restart certification authority, and everything should work without any issue. When we need to disable role enforcement, again, we’re using certutil. With, this time, delreg to remove it. Please bear in mind that local administrator can always delete this registry key, which means that you should remember that a person who is a CA Admin shouldn’t be a member of local admins groups.

The Limitations of Role Separation Enforcement

Okay, when we are speaking about role separation enforcement, we have to know its limitation. Actually, there is only one limitation, easy to memorize. During the certification authority certificate renewal process, we must disable role separation. Why? Because in that situation, a single user must have the following properties. He must be a member of Enterprise Admins if we are talking, obviously, about Enterprise certification authority integrated with an active directory. He must be a member of local administrators, and he must have managed CA permission on certification authority server.

Live Demonstration Time!

Okay, and with that done, let’s begin with some demo. Okay, how we can implement it? I’ve got an offline group and online enterprise issuing CA configured with my active directory. Standard setup, nothing was modified so far.

Creating Users

So first, I need to create some users. Let me just execute this command, so I can get credentials of the main administrator, I will enter remote powers session. Obviously, where I could just log in to the main controller, but this should be good enough. And first, we create CA Admin user. I’ve created the whole organization of unit structure before.

Then, after we are done with CA Admin, I will create Certificate Manager. Bam, CA Auditor, and CA Backup. I will just show you my structure. Public Infrastructure groups, so far none. Servers, one. Certification authority server and users that I’ve just created. Cool.

Creating Groups

Now, let’s create a group. As I told you before, it’s very important to assign permissions to the group instead of active directory users, it’s better to practice when it comes to managing. So my group would be CA Admins group, done. Certificate Managers, Certificate Auditors, and Certification Authority Backup Operators.

Now I will just add my users to my newly created groups. I will just show you the entries out on the mind controller. Users, groups, as you can see, all users are in a proper group. Cool.

But that is not enough, as I told you, we have to use, also, group policy, and group policies required for specifying auditing, and also rides for backup operators and auditor. So, let’s create a new GPO Public Infrastructure config. Okay, let’s edit it, and computer configuration policies, Windows settings, security settings, and it will start from advanced audit policy configuration. Let me just enlarge it a little bit so it’s easier for you to see. Auditing policies and we’re after object access. As you can see, we’ve got special object audit specification services. Configure the settings, and we’ll be auditing both success and failure.

User Right Assignments

Okay. Now, user right assignments. So, local policies, user assignment, and we’ll start with backup operators. We need to give them backup files and directories. I make too many typos so let me just search, let’s see, backup operators, perfect. Okay, and apply, and also restore files and directories. It’s required for backup operators. Backup Operators. Apply. Okay.

PKI Administrator

For auditor, we have to define, manage auditing and security log. Perfect. Policies, defined. Let’s go back. Here, exit remote session, refresh GPO. It will take a while. Okay, all set.

So now, let’s play with security tab and properties of our certification authority.

By default, local administrators will have permission, domain admins and enterprise admins. Okay, so, let’s quickly review them, authenticated users can request certificates. Please bear in mind that authenticated user means both users and computers that successfully authenticated against active directory database. Domain not means, by default, have issuant manage certificates and manage CA, the same goes for enterprise admins and local administrators.

As we discussed, not the most secure option. So, let’s change it. Let’s start from CA Admins.

Manage CA. We can apply the settings at cert, and typos. Let’s use search, cert managers, we have permission, issue and manage certificates. Perfect. So, let’s remove enterprise admins, administrators, and domain admins and let’s apply the settings. Okay, just to prove that everything is defined correctly, I will restart the service, should be fine. So, give me my tools. Yep, as you can see, everything is cool. Still up and running, and access is denied. Why? Access is denied, let me just show you with PowerShell, who am I? I’m a domain administrator. I just removed domain admins from manage CA, so I cannot manage CA anymore. Okay? As you can see, I even cannot preview, so, so far, so good. However, it’s not enough for me.

Enforcing Role Separation

So let’s enforce role separation. Okay, and let’s, again, restart role separation, restart certification authority. Perfect. And right now, I will put on my certification authority tools as CA Admin.

PKI Administrator

Okay. What can I do? I can, obviously, start and stop service. But, as you can see, I’m certification authority administrator, I cannot backup or restore a CA. What else? I can publish both base and delta CRLs. It will take a second to load the GUI. Come on. Okay, let’s try it. CRL, no issue. Can I revoke a certificate? No. I can’t. Okay? So, those are the basic restrictions. What else can I do? I can publish a certificate template on the certification authority. This takes a second to load, as you can see I’ve got two templates published, but I can publish another one, for instance, let it be basic EFS. Okay, this one works just fine.

If I go to properties of my certification authority, as you can see, I cannot define auditing. However, I can define recovery agents. I can reconfigure the extensions, both CRL. Distribution points and authority information access and I also have access to the security tab, but we’ll discuss this a little bit later.

Reviewing Certificate Manager Capabilities

Okay, so, let’s review what certificate manager can do. Let’s start the tools best. Certificate manager, this will take a second, yep, we are good to go. So, can I publish delta? No, I can’t. However, let’s try backup CA. No, I can’t. I also cannot start and stop the service. This is only for either local administrator or CA Admin. However, I should be able to revoke a certificate. Let’s try that. Cool. Certification, the certificate was revoked as you can see, no groups so far. So this is a pretty neat option. Do I have access to properties? Let’s check that.

I have. But as you can see, the majority of options are greyed-out for me. Security, I can review, nice, but I cannot modify anything. The same goes for auditing. By default, auditing is disabled, I’ve already enabled it. Okay. So, pretty straightforward.

Reviewing CA Auditor Capabilities

Now, we’ll review what can be done if I’m logged in as CA Auditor. Actually, CA Auditor has almost no permissions on certification authorities, so I cannot publish delta. Obviously, I cannot revoke the certificate. However, I can set up auditing. Let’s say that I will disable the stacks, why not? And click okay. And I also cannot restart anything. So, let’s close this one. I will restart the service as domain admin because I’m local admin also, so this is allowed, nice. Service restarted. So, as CA auditor, I should be able to review Windows security log and dig into events related to certification authorities.

So, let’s go to security tab, and as you can see here in the source, we’ve got certification services.

PKI Administrator

Okay, so, restart, permission change, and so on. But all separation enabled everything. I want to review as an auditor is defined here, just please remember before this works, you have to configure GPO correctly, refresh GPO on your certification authority server, and we are good to go.

Reviewing CA Backup Capabilities

The last role I would like to discuss today is CA Backup. This role is designed to perform backups and restores of the certification authority. So, as you can see, I’m not able to do much, but I can backup CA. And let’s try to do it just to prove that everything is fine. I will create, let’s say, this PC Backup. I will just clear the folder. I’ve got some older backups here, so let me clear it. Backup, and finish. Okay? And as you can see, I’ve got the database back.

Okay, so far so good. We’ve created really secure certification authority server, with roles correctly separated just to prove it. As a backup operator, you cannot revoke certificates, you cannot publish, and obviously, you cannot modify the properties of the certification authority. But what would this critical failure that could happen when we have a malicious admin? So, let me just quickly prove it.

Testing a Malicious Administrator Situation

Let’s say that my user, CA Admin, is a malicious administrator. So, let me start those as CA Admin, open properties in the security tab, select CA Admins group, and assign additional permission, issue and manage certificates. Apply. I’ve got role separation. Role separation says that no single user should be able to hold multiple roles, but I’ve just picked up light, and it worked. What is going on? Everything is correct. Actually, role separation kicks-in when you try to use the permission, not when you grant the permission. So let me demonstrate it. Click okay, issue certificates, and let me try to …

Okay, this is a glitch in the GUI, I will open the tools again as CA Admin. This happens. Issue certificates, and let me try to revoke the certificate. And we see a catastrophic failure.

PKI Administrator

The operation is denied because the user has multiple roles assigned. Okay? And CA server is obviously configured with role separation enabled. Okay. Let’s say that I would like to correct myself and modify the security tab again. We’ll wait a second for this to come. Issuant manage, CA, I took this privilege from CA Admins, and as you can see, this operation is denied. So, basically, malicious admin just logged himself out. Okay? And right now, someone would detect this, and we would take actions against this person. Obviously, if CA Admin would be, a single certification administrator would have to disable role separation by deleting the key. For that, you need to be a local admin. Restart the service. Restart the tools and we can correct the server. If it was done solely by mistake, properties, security tab, and we should be good to go.

Let me take this permission, and everything works. So, thank you very much for today, and I hope you’ll watch my new webcast soon.

Be prepared for any malicious move. Take training on advanced attacks against Active Directory and stay secure.

Advanced Active Directory Attacks