Restricting which Certificate is allowed to authenticate a VPN connection

mpoulson — Wed, 19 Jan 2005 21:35:00 GMT

So I had a requirement on a VPN server I was setting up not long ago. This requirement was that only a "smartcard logon" cert would be permitted for EAP access into my VPN server. The normal setup information

(http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_RRAS-Ch1_70.asp) tells you how to setup RRAS to allow authentication via CERT but it does not tell you how to limit which certs are allowed to be used to make that connection.

What is the issue?

Well for example lets say you work for a company that uses 802.1x and a "Client authentication" cert for wireless access. A valid employee would have a client auth cert on their workstation.

Now for security reasons you don't want that user to be able to use that same cert (the client Auth cert for wireless) to connect to the VPN servers. So how do you do it? By default when RRAS is setup to do smart card or certificate authentication it will allow any valid (issued by the correct CA) to connect.

What we want to do is limit it so only a Smart card Logon Cert will work. The key here is the OID for the smart card logon Cert (which is 1.3.6.1.4.1.311.20.2.2)

So follow the directions on setting up your VPN server for "Smart card or Certificate Authentication"

(http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ras_sc_logon.asp).

For a little better control of who I let into my VPN servers I also created a Security Group Called "Smart Card VPN Users". The users that I have issued a smart card to are members of this Group.

So after the users are created, the group is created and the smart cards are issued do the following:
Open your RAS manager and goto Remote Access Policies
Create a new Policy called "Smart Card VPN Access" (I did not run the wizard but instead did a custom policy)
Add a condition where windows-group = "Smart Card VPN Users"
Add a condition where Authentication Type = "EAP"
Nas-Port-Type should also be "Virtual (VPN)"

Now Click "Edit Profile"
Select the Authentication Tab
Unselect MS-CHAP v2 and MS-CHAP (at this point we only want EAP authentication)

Follow the steps in the http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ras_sc_logon.asp doc to set up EAP in general
Now Click the Advanced Tab

Click Add to add a New attribute
Select "Allowed-Certificate-OID"
Enter the value of the OID that you want to permit into the value; In this case we want to only permit Smart Card Logon Certs which has an OID of 1.3.6.1.4.1.311.20.2.2.

Now test your connection. With the smart card cert it should allow you to connect. But if you use a Client Auth Cert it should fail.

Please let me know if this works for does not work out for you! :) And enjoy

Securing a TS connection with Smart Cards

mpoulson — Sun, 12 Dec 2004 00:23:00 GMT

Well today is going to be a busy day here at the Microsoft Enterprise Engineering Center. At about 11:30 I am going to have lunch some of the RedvsBlue people (http://www.redvsblue.com). Then I have the job of setting up and testing a remote access solution for a customer. Note that the steps below are technical and you should know a little something about Active Directory and PKI before you start.

The problem: How do you provide a customer secure remote access into a scenario?

Solution: Smart cards and Terminal Services on Windows Server 2003! Smart cards keep the Private PKI key stored on the card, and cannot be removed from the card. It requires two-factor authentication. Something you have (the smart card) and something you know (the PIN).

How: First we set up a DC (or 2). Then install cert services on box (domain member). Then install Terminal Services on to another box (aka the Jump box).

We are using the Microsoft Base CSP (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_certs_how.asp) on some Amtel Smart cards.

I create user accounts in the Domain for each person that will need remote access. Each Account has a Very LONG and Very RANDOM password. This is because the user will never use a password. They will not be able to use their smart card. Once the users are created make sure that you go in the properties of each user and under the Account tab select the following options: User Cannot change password, Password never expires and Smart Card is required for interactive logon.

Now create a separate Admin account. This will be the account that I use to manage the TS (terminal Services) jump box and issue the smart cards. Make sure it has a secure password.

To issue a smart card the issuing user account must have an Enrollment Agent Cert. To get this cert you must first enable it on the CA. (Open the CA MMC snapin -> select Certificate Templates -> Right-click on Certificate Templates -> Select New -> Select Certificate Template to issue. In the list select Enrollment Agent.

Repeat the steps above to also add the Smart Card Logon Cert. This is the cert that we will put on each Smart Card.

After you have enabled that cert (Enrollment Agent) you must now request it with the user account that will be issuing the Smart Cards. So for my solution that is the separate admin account. I will use runas.exe /u:<domainName>\<adminUser> "mmc certmgr.msc". This will allow me to open the MMC without logging in as that user.

To request the new cert select personal -> right-click on personal -> select all tasks -> select Request new Cert... Once the Wizard opens select Next to start it -> Select Enrollment Agent -> Select Next -> Enter a Name (like SC enrollment Cert) -> Select Next -> then Select Finish to issue the cert.

Now we will need to make sure we have our smart card reader installed on the machine that has our enrollment Cert and http access to the CA. With all of the above done you can now open a web browser to http://<CA Machine Name>/certsrv/certsces.asp (note: that you might have to add this site to your trusted sites to get the Active X control to load).

From this browser window we can select the type of Cert we want to put on the Smart Card. We are going to use Smart Card Logon Cert. You will need to select the Microsoft Base Smart Card Crypto Provider as your CSP. The Administrator Signing Certificate is the Enrollment Cert that we requested earlier. At this point you can select any user in the domain to issue a smart card for.

One thing to note is that when you have a smart card for user account it does not matter if the user changes their password. The smart card will allow the user to be authenticated without a password. So make sure that you keep accounts that have the Enrollment Agent Cert secure.

In the future I will also write about how to use the AD to further secure the Solution.

Thanks for reading my first Full Blog Entry J

Mike Poulson

Mike Poulson's Thoughts on lots of stuff : Smart Cards

Restricting which Certificate is allowed to authenticate a VPN connection

Securing a TS connection with Smart Cards