Active Directory Domains mitigation plan for vulnerability in TPM

Applies to: Windows Server 2016 Datacenter, Windows Server 2016 Essentials, Windows Server 2016 Standard

Summary

A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength.

To learn more about the vulnerability, go to ADV170012.

More Information

Overview

The following sections will help you identify and remedy problems in Active Directory (AD) domains and domain controllers that are affected by the vulnerability that is described in Microsoft Security Advisory ADV170012.

This mitigation process focuses on the following Active Directory public key scenario:

  • Domain-joined computer credential keys

For information about revoking and issuing new KDC certificates, see Mitigation Plan for Active Directory Certificate Services-based scenarios.

Determining domain-joined computer credential key risk workflow

Do you have Windows Server 2016 (or later) domain controllers?

Credential keys were introduced with Windows Server 2016 domain controllers. Such domain controllers add the well-known SID KEY_TRUST_IDENTITY (S-1-18-4) to the ticket when a credential key is used to authenticate. Earlier domain controllers don't support credential keys: AD on those versions has no credential key objects, and down-level domain controllers can't authenticate principals by using credential keys.

Previously, the altSecurityIdentities (frequently referred to as altSecID) attribute could be used to provide similar behavior. Provisioning altSecID is not supported natively by Windows, so a third-party solution is needed to provide this behavior. If the key that is provisioned is vulnerable, the corresponding altSecID would have to be updated in AD.

Are any domains Windows Server 2016 (or later) DFL?

Windows Server 2016 domain controllers support Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension [RFC 8070], although not by default. When Support for PKInit Freshness Extension is enabled on domain controllers in Windows Server 2016 DFL or later domains, the domain controllers add the well-known SID FRESH_PUBLIC_KEY_IDENTITY (S-1-18-3) when the extension is successfully used. For more information, see Kerberos client and KDC support for RFC 8070 PKInit Freshness Extension.

Patching computers

Servicing Windows 10 computers with the October 2017 security updates removes the existing TPM credential key. Afterwards, Windows provisions only Credential Guard-protected keys, to ensure Pass-the-Ticket protection for domain-joined device keys. Because many customers add Credential Guard well after domain-joining their computers, this change guarantees that on devices that have Credential Guard enabled, any TGTs issued by using the credential key are protected by Credential Guard.

Temporary domain protection

Until Microsoft has released the domain controller servicing fix and you have rolled it out, attackers can use the bad credential keys in AD to authenticate as that domain-joined device. The level of severity depends on the device that is targeted. For example, you may decide to prioritize protecting your domain controller computer accounts ahead of some other kinds of computer accounts.

You can protect computer accounts from this vulnerability by setting an unusable credential key on the computer object in Active Directory. This causes authentication by using the credential key to fail for the computer. The computer then uses password authentication instead of the credential key.

Note: Make sure that the Group Policy to force device authentication by using a certificate isn't configured. For more information, see "Configuring device to only use public key" in Domain-joined Device Public Key Authentication.

First, download the Windows PowerShell Module for Active Directory computer credential keys.

Next, use the following examples to disable the computer credential key on your computer accounts in Active Directory.

Example: Disable the credential key on a single computer account

In this example, we set an unusable credential key on a single computer object in Active Directory:

Import-Module .\ADComputerKeys.psm1;
Set-DRComputerKey -SamAccountName "MyComputer$" -Domain "contoso.com" -ReplaceWithUnusableKey;

Example: Disable the credential key on multiple computer accounts

In this example, we set an unusable credential key on multiple computer objects in Active Directory. To do this, we combine this module with the ActiveDirectory PowerShell module.

For example, target all the computers in the fictional Shipping Department organizational unit.

Import-Module .\ADComputerKeys.psm1;
Import-Module ActiveDirectory;
$computers = Get-ADComputer -SearchBase "OU=Shipping Department,DC=contoso,DC=com" -LDAPFilter "(CN=*)" -Server "contoso.com";
foreach($comp in $computers)
{
    Set-DRComputerKey -SamAccountName $comp.SamAccountName -Domain "contoso.com" -ReplaceWithUnusableKey;
}
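The text above recommends prioritizing domain controller computer accounts over other computer accounts. The following script is an added example, not part of the original article or of the ADComputerKeys module: it applies the unusable key to domain controller computer accounts first, then to the remaining computers in an OU, and records the outcome per account so the same list can be reused later with -RemoveKey. It assumes ADComputerKeys.psm1 is in the current directory and that Set-DRComputerKey accepts only the parameters shown in the article; the domain name, OU and log path are sample values.

```powershell
# Added example (not from the article or the ADComputerKeys module): prioritized
# rollout of the temporary protection, domain controllers first, with a result log.
param(
    [string]$Domain   = "contoso.com",                                  # sample value
    [string]$TargetOU = "OU=Shipping Department,DC=contoso,DC=com",     # sample value
    [string]$LogPath  = ".\ADComputerKeys-unusable.csv"                 # sample value
)

# Make non-terminating cmdlet errors catchable by try/catch below.
$ErrorActionPreference = "Stop"

Import-Module .\ADComputerKeys.psm1
Import-Module ActiveDirectory

# Priority 1: domain controller computer accounts. Get-ADDomainController exposes
# ComputerObjectDN, which we resolve to the computer object to get SamAccountName.
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Server $Domain }

# Priority 2: every other computer in the target OU, skipping DCs handled above.
$others = Get-ADComputer -SearchBase $TargetOU -LDAPFilter "(CN=*)" -Server $Domain |
          Where-Object { $dcs.SamAccountName -notcontains $_.SamAccountName }

$results = foreach ($comp in @($dcs) + @($others)) {
    $status = "Unusable key set"
    try {
        # Same call as the article's example; only the target list differs.
        Set-DRComputerKey -SamAccountName $comp.SamAccountName -Domain $Domain -ReplaceWithUnusableKey
    } catch {
        # One failure must not abort the rollout; record it and continue.
        $status = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SamAccountName     = $comp.SamAccountName
        DistinguishedName  = $comp.DistinguishedName
        IsDomainController = ($dcs.SamAccountName -contains $comp.SamAccountName)
        Status             = $status
        Timestamp          = (Get-Date).ToString("o")
    }
}

# Persist the per-account outcome; the FAILED rows are the ones to retry by hand.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Where-Object { $_.Status -like "FAILED*" } | Format-Table -AutoSize
```

After the domain controllers are serviced, the same CSV gives the list of accounts to pass to Set-DRComputerKey -RemoveKey.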

Removing temporary domain protection

After the DCs are serviced, you can remove the unusable key from all computer objects in Active Directory. Doing this will allow the computer accounts to generate a new credential key that they can use instead of password authentication.

First, download the Windows PowerShell Module for Active Directory computer credential keys.

Next, follow this example to remove the credential key from computer objects:

Example: Remove the credential key from multiple computer accounts

In this example, we remove the credential key from multiple computer objects in Active Directory. To do this, we combine this module with the ActiveDirectory PowerShell module.

For example, target all the computers in the fictional Shipping Department organizational unit.

Import-Module .\ADComputerKeys.psm1;
Import-Module ActiveDirectory;
$computers = Get-ADComputer -SearchBase "OU=Shipping Department,DC=contoso,DC=com" -LDAPFilter "(CN=*)" -Server "contoso.com";
foreach($comp in $computers)
{
    Set-DRComputerKey -SamAccountName $comp.SamAccountName -Domain "contoso.com" -RemoveKey;
}