microsoft.public.inetserver.iis.security: Flaws IIS6 with AD (2003) Cert Mapping
Flaws IIS6 with AD (2003) Cert Mapping
Source: http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2003−10/0011.html
From: Craig Humphrey (Craig.Humphrey_at_nospam.chapmantripp.com) Date: 09/30/03
Date: Tue, 30 Sep 2003 14:49:48 −0700
Hi People, anyone come across this: Test Setup: Win2003 AD server, with CA [including CA web interface] Win2003 Web Server CA set up to automatically issue certs to users (via public CA web interface). [Not ideal, but this has been done for business reasons, a manual step is included later to associate a cert with an AD account.] IIS6 setup to use AD Certificate mapping. [We're NOT using IIS cert mapping, see References below.] Two client certs, issued from same CA (above) with the same "subject" (user details), but at different times. One certificate (public key) is mapped (AD | Advanced | Name Mappings | X.509...). The other isn't. Security Flaw: Both certs can be used to authenticate for the same user! This is nice, since if a cert expires and is renewed, AD doesn't have to be updated. But it's also very bad. Historically, we set up a public facing CA web server and let users issue their own certs. We would then manually or automatically map the certs in IIS (using IIS cert mapping, not ADs). IIS would use the public key to achieve the mapping when a user presented their cert to a website. But when you use IIS − AD Cert mapping, it only uses the Flaws IIS6 with AD (2003) Cert Mapping 1
�microsoft.public.inetserver.iis.security: Flaws IIS6 with AD (2003) Cert Mapping subject line and issuer from the cert (as it's most restrictive setting), rather than the public key itself! Admittedly, that's what the tickbox option states, but wouldn't it be more secure to use the public key itself (or one of it's unique properties?). So now it seems that the CA's web interface must be heavily restricted, since if two different people submit the same user details, even if only one cert is mapped (manually or automatically) in AD, they both are able to authenticate (via Cert) as the same user! Even if you set up the CA to require a manual validation step (by an Administrator), the onus is on the validator to check that a cert with the same credentials has never been issued before, or that the person requesting the new (duplicate) cert, has legitimate reasons for doing so. We issue 1000's of certs each year, if IIS − AD Cert mapping used the public key for mapping, then this level of responsibility could be diminished. It can't be that hard, after all, IIS Cert Mapping already does it. Or is this the prime reason why IIS Cert Mapping doesn't scale well (see ref below)? Cert Mapping Bug: If "Use Subject for alternate security identity" is turned off on the Add Certificate box, when setting up a cert mapping in AD, then instead of any cert from the same root CA being auth'ed, none are. Cert Mapping Bug (or security configuration setting somewhere?) The "Use Issuer for alternate security identity" is greyed out on the Add Certificate box, when setting up a cert mapping in AD. Not that you'd ever want to use this, talk about a security hole! References: AD 2003 Cert mapping http://www.microsoft.com/technet/treeview/default.asp? url=/technet/prodtechnol/windowsserver2003/proddocs/standar d/dsadmin_CertmapAD.asp [Note: procedure I followed to set up IIS AD Cert mappings] IIS Cert mapping "doesn't scale" http://support.microsoft.com/?id=216906 [Note: just some of the reasons why I want to us IIS AD Cert mapping] IIS5 & Win2k preSp4 cert mapping problem http://support.microsoft.com/default.aspx?scid=kb;en− us;324377 Flaws IIS6 with AD (2003) Cert Mapping 2
�microsoft.public.inetserver.iis.security: Flaws IIS6 with AD (2003) Cert Mapping [Note: what are the odds of Win2003 having some of the same problems as preSP4 Win2k?] Soon'ish Craig
Flaws IIS6 with AD (2003) Cert Mapping
3
�