Mitigation Plan for Active Directory Certificate Services-based scenarios

Applies to: Windows 10, version 1703; Windows Server 2016 Datacenter; Windows Server 2016 Essentials; and more

Summary


A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. RSA keys that are generated by the affected TPM firmware are weaker than their key length implies; that is, the vulnerability weakens key strength.

To learn more about this vulnerability, go to ADV170012.

More Information


Overview

The following sections will help you to identify, mitigate, and remediate Active Directory Certificate Services (AD CS)-issued certificates and certificate requests that are affected by the vulnerability that is identified in Microsoft Security Advisory ADV170012.

The mitigation process focuses on identifying the issued certificates that are affected by the vulnerability and on revoking them.

Are the X.509 certificates that are issued inside your enterprise based on a template that specifies the TPM KSP (the Microsoft Platform Crypto Provider)?

If your enterprise uses the TPM KSP, the private keys of these certificates were generated by the TPM, and it is likely that the scenarios in which these certificates are used are susceptible to the vulnerability identified in the security advisory.


Mitigation

  1. Until an appropriate firmware update is available for your device, update certificate templates that are set to use the TPM KSP so that they use a software-based KSP. This prevents the issuance of any further certificates whose keys are generated by a vulnerable TPM. For more information, see Firmware update later in this article.
  2. For certificates or requests that already exist:
     
    1. Use the enclosed script to list all the issued certificates that could be vulnerable. 
       
      1. Revoke these certificates by passing the list of serial numbers that you obtained in the previous step.
      2. Enforce enrollment of new certificates based on the template configuration that now specifies the software KSP.
      3. Rerun all the scenarios by using the new certificates wherever you can.
    2. Use the enclosed script to list all the pending certificate requests that could be vulnerable:
       
      1. Deny all these certificate requests.
    3. Use the enclosed script to list all the expired certificates. Make sure that these are not encryption certificates whose keys are still needed to decrypt data. Are any of the expired certificates encryption certificates?
       
      1. If yes, make sure that the data is decrypted and then re-encrypted by using a new key that is based on a certificate created with the software KSP.
      2. If no, you can safely ignore the certificates.
    4. Make sure that a process exists that prevents these revoked certificates from being accidentally unrevoked by an administrator. In AD CS, only a certificate that was revoked with the reason Certificate Hold can be unrevoked, so revoking with a definitive reason such as Key Compromise also prevents unrevocation.
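The following PowerShell script is an added example of the triage procedure above (find templates that name the TPM KSP, list the issued and pending entries in the CA database that use them, revoke the unexpired ones, deny the pending ones, and set the expired ones aside for the encryption check). It is not the article's enclosed script and not Microsoft code. It assumes the ActiveDirectory module is installed, that certutil.exe can reach the issuing CA (use -Config "host\CAName" from another machine), that you hold certificate-manager rights on that CA, and that certutil prints its English "Row N:" layout; the regular expressions over that output are assumptions. Because it matches on the template's pKIDefaultCSPs attribute, an enrollment that chose the TPM KSP without the template listing it is not found; that is why the article relies on its own script.

```powershell
# Added example, not the article's "enclosed script" and not Microsoft code.
# Nothing is revoked or denied unless -Apply is given; review the report first.
$TpmKsp = 'Microsoft Platform Crypto Provider'   # the TPM-backed KSP

function Get-TpmKspTemplate {
    # Templates live in the Configuration partition; pKIDefaultCSPs holds
    # entries such as "1,Microsoft Platform Crypto Provider".
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties pKIDefaultCSPs, 'msPKI-Cert-Template-OID' |
        Where-Object { @($_.pKIDefaultCSPs) -match [regex]::Escape($TpmKsp) } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Oid = $_.'msPKI-Cert-Template-OID' } }
}

function Get-CaDbRow {
    # Parses "certutil -view" output. Disposition 20 = issued, 9 = pending.
    param([Parameter(Mandatory)][string]$Restrict, [string]$Config)
    $cuArgs = @()
    if ($Config) { $cuArgs += '-config', $Config }
    $cuArgs += '-view', '-restrict', $Restrict, '-out', 'RequestID,SerialNumber,CertificateTemplate,NotAfter'
    $text = (& certutil.exe @cuArgs) -join "`n"
    foreach ($row in ($text -split '(?m)^Row \d+:' | Select-Object -Skip 1)) {
        $id = [regex]::Match($row, 'Request ID:\s*0x([0-9a-fA-F]+)').Groups[1].Value
        if (-not $id) { continue }
        $d = [datetime]::MinValue
        $notAfter = [regex]::Match($row, 'Expiration Date:\s*(.+)').Groups[1].Value.Trim()
        [pscustomobject]@{
            RequestId = [Convert]::ToInt32($id, 16)
            Serial    = [regex]::Match($row, 'Serial Number:\s*"?([0-9a-fA-F]+)').Groups[1].Value
            Template  = [regex]::Match($row, 'Certificate Template:\s*(.+)').Groups[1].Value.Trim()
            NotAfter  = $notAfter
            Expired   = ([datetime]::TryParse($notAfter, [ref]$d) -and $d -lt (Get-Date))
        }
    }
}

function Invoke-Adv170012Triage {
    param([string]$Config, [switch]$Apply)
    $cfg = if ($Config) { @('-config', $Config) } else { @() }
    $templates = @(Get-TpmKspTemplate)
    if (-not $templates) { Write-Warning 'No template names the TPM KSP.'; return }
    # The template column may show the OID, the name, or both; accept either.
    $usesTpm = { param($row) $templates | Where-Object {
        $row.Template -like "*$($_.Oid)*" -or $row.Template -like "*$($_.Name)*" } }

    $issued  = @(Get-CaDbRow -Restrict 'Disposition=20' -Config $Config | Where-Object { & $usesTpm $_ })
    $pending = @(Get-CaDbRow -Restrict 'Disposition=9'  -Config $Config | Where-Object { & $usesTpm $_ })

    foreach ($c in ($issued | Where-Object { -not $_.Expired })) {
        # Reason 1 = CRL_REASON_KEY_COMPROMISE: the key must be presumed weak.
        # This reason is permanent; only Certificate Hold can be unrevoked.
        if ($Apply) { & certutil.exe @cfg -revoke $c.Serial 1 | Out-Null }
        else { "Would revoke serial $($c.Serial) (request $($c.RequestId), $($c.Template))" }
    }
    foreach ($r in $pending) {
        if ($Apply) { & certutil.exe @cfg -deny $r.RequestId | Out-Null }
        else { "Would deny pending request $($r.RequestId) ($($r.Template))" }
    }
    if ($Apply) { & certutil.exe @cfg -crl | Out-Null }   # publish a fresh CRL right away

    [pscustomobject]@{
        Templates      = ($templates.Name -join ',')
        Revoked        = @($issued | Where-Object { -not $_.Expired }).Count
        Denied         = $pending.Count
        ExpiredToCheck = @($issued | Where-Object Expired)   # step 3: encryption certs?
    }
}

# Dry run first; add -Apply only after reviewing the printed list.
Invoke-Adv170012Triage
```

Run the dry run, compare the serial numbers against the output of the article's script, and only then run with -Apply. The expired entries are returned rather than revoked because revoking an expired certificate does not help and the article's step 3 needs them inspected for encryption use instead.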


Make sure that new KDC certificates meet current best practices

Risk: Certificates that are based on the legacy Domain Controller and Domain Controller Authentication templates do not carry the KDC Authentication EKU, and many other servers may meet the weaker verification criteria that those templates imply. This can introduce well-known rogue KDC attack vectors.


Remediation

All domain controllers should be issued certificates that have the KDC Authentication EKU (id-pkinit-KPKdc), as specified in [RFC 4556] Section 3.2.4. For AD CS, use the Kerberos Authentication template, and configure it to supersede any other KDC certificates that were issued.

For more information, [RFC 4556] Appendix C explains the history of the various KDC certificate templates in Windows.

When all domain controllers have RFC-compliant KDC certificates, Windows clients can protect themselves by enabling strict KDC validation in Windows Kerberos (the "Require strict KDC validation" Group Policy setting).

Note: When strict KDC validation is enabled, the newer Kerberos public key features are required by default.
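The following PowerShell script is an added example, not part of the article, for checking the remediation above on a domain controller. It lists the certificates in the machine's personal store, reports which template each came from, and flags whether any of them carries the KDC Authentication EKU (id-pkinit-KPKdc, 1.3.6.1.5.2.3.5) that RFC 4556 requires; a DC with no such certificate will break clients once strict KDC validation is enforced. The template and EKU object identifiers are the standard Microsoft and PKINIT values; nothing else is assumed.

```powershell
# Added example, not from the article. Run on each domain controller.
function Test-KdcCertificate {
    $kdcEku = '1.3.6.1.5.2.3.5'                                  # id-pkinit-KPKdc
    $tplOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 template name / v2 template info
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $tpl  = ($_.Extensions | Where-Object { $_.Oid.Value -in $tplOids } |
                 ForEach-Object { $_.Format($false) }) -join '; '
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Template   = $tpl
            HasKdcEku  = ($ekus -contains $kdcEku)
            Ekus       = ($ekus -join ',')
        }
    }
}

$certs = @(Test-KdcCertificate)
if (-not ($certs | Where-Object HasKdcEku)) {
    Write-Warning ("$env:COMPUTERNAME has no certificate with the KDC Authentication EKU; " +
                   'enroll from the Kerberos Authentication template before enabling strict KDC validation.')
}
$certs | Format-Table Subject, Template, HasKdcEku, NotAfter -AutoSize
```

A DC that shows a Kerberos Authentication certificate with HasKdcEku set to True and only legacy Domain Controller certificates without it is in the state the remediation describes: the superseded certificates can be removed once the new one is in use.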


Make sure that revoked certificates fail the respective scenario

AD CS is used for various scenarios in an organization. It might be used for Wi-Fi, VPN, KDC, System Center Configuration Manager, and so on.

Identify all the scenarios in your organization. Make sure that these scenarios fail if they present the revoked certificates, or that you have replaced all the revoked certificates with valid software-based certificates and that the scenarios succeed.

If you use OCSP or CRLs, clients refresh their cached copies only when the copies expire. Therefore, you typically want to flush the cached CRLs on all computers. If your OCSP responder relies on CRLs, make sure that it obtains the latest CRL immediately.

To make sure that the caches are deleted, run the following commands on all affected computers:

certutil -urlcache * delete

certutil -setreg chain\ChainCacheResyncFiletime @now
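The following PowerShell script is an added example, not part of the article, of checking that a revoked certificate is actually rejected after the caches are flushed. It runs the two commands above and then asks the Windows chain engine for a fresh revocation decision on each exported certificate. It assumes the revoked certificates were exported as .cer files into C:\Temp\RevokedCerts (an assumed path) and that the computer can reach the CA's CRL distribution points or OCSP responder.

```powershell
# Added example, not from the article.
function Clear-RevocationCache {
    # The article's two commands: drop cached CRLs/OCSP responses, then force a chain-cache resync.
    & certutil.exe -urlcache '*' delete | Out-Null
    & certutil.exe -setreg 'chain\ChainCacheResyncFiletime' '@now' | Out-Null
}

function Test-CertificateRevocation {
    param([Parameter(Mandatory)][string]$Path)   # DER or Base64 .cer file
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode = 'Online'       # fetch revocation data, do not settle for cache
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
        $builds = $chain.Build($cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        [pscustomobject]@{
            Subject    = $cert.Subject
            Serial     = $cert.SerialNumber
            Revoked    = ($status -contains 'Revoked')
            # Soft-fail case: the check did not complete, so a relying party may still accept the certificate.
            Unverified = ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation')
            ChainOk    = $builds
            Status     = ($status -join ',')
        }
    }
    finally { $chain.Dispose() }
}

$Folder = 'C:\Temp\RevokedCerts'   # assumed location of the exported .cer files
Clear-RevocationCache
Get-ChildItem -Path $Folder -Filter *.cer |
    ForEach-Object { Test-CertificateRevocation -Path $_.FullName } |
    Format-Table Subject, Serial, Revoked, Unverified, Status -AutoSize
```

Revoked should be True for every certificate you revoked. A row with Unverified set to True means the client could not obtain current revocation data; until that is fixed, a scenario that soft-fails on revocation checking may still accept the certificate, which is the condition this section warns about.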


Firmware update

Install the update that is released by the OEM to fix the vulnerability in the TPM. After the system is updated, you can update the certificate templates to use the TPM-based KSP again. Note that the firmware update does not strengthen keys that the TPM generated before the update; those keys must still be replaced by following the steps earlier in this article.