In trying to learn about Internal PKI in order to enhance network security, I (like others) became intrigued with the notion of an offline Root CA.
On the other hand, two mechanisms exist to push Root certificates out to domain members that I know of (DSPublish and GPO: Trusted Root Certification Authorities), and a third mechanism exists, via script, to wipe Root certificates off domain machines via GPO.
It occurs to me that if one had possession of the Root CA and its password, somehow, bogus certificates could be created to gain access to a network.
It also occurs to me that a rogue domain administrator could either plant his/her own bogus Root certificate in all systems via the domain push mechanisms, or even grant themselves sufficient permissions to access the CA machine and issue bogus certificates.
I'm still trying to grasp the bigger picture here and at this point, my question is really, who has the "keys" to the network: the individuals that control the root certificate; or any domain administrator smart enough to elevate themselves to an Enterprise Admin and take over control of PKI?
It may come down ultimately to trusting domain admins, but can PKI offer any protection or warning from rogue admins, hacked in or otherwise?
I don't expect a quick answer on this. If anyone could contribute theoretical situations or relate their own experience, I believe it would be helpful.
To begin with, I suspect that there might not ultimately be any real value of owning a secure Root CA in practice, especially since an attack could wipe the original Root Certificate off all domain machines via GPO and replace it with a new one.
Secondly, there may be something to be said for using multiple domains/forests or non-domain-member machines and users in order to protect against a rogue administrator in one domain.
Would adding the complexity of a Root CA help at all? Would it make intrusion more difficult overall or actually simplify it? Would it help in cleanup afterwards? Would it reduce the time it takes to detect a rogue operation?
What about remote access - how protected are machines that connect remotely via VPN, even with NPS (Network Policy Server) in place, from an attack from inside the host network?
Can any of this be improved upon by using a public certificate?
Thanks in advance for any contributions.
Bob.
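One concrete way to get the "warning" the question asks about is to audit, on each domain member, which root CAs are trusted and through which of the push mechanisms named above each one arrived, then compare that against a list of roots you actually approved. The script below is an added example, not code from the original post. It assumes it is run elevated on a Windows domain member, and the `$ApprovedThumbprints` list is a constructed placeholder that you would replace with the SHA-1 thumbprints of your own root(s) and any public roots you choose to accept.

```powershell
# Added example: audit the machine's Trusted Root store and attribute each root to
# the channel that delivered it (local install, Group Policy, or AD publishing).
# Assumption: run elevated on a Windows domain member.

# Constructed placeholder list. Replace with the SHA-1 thumbprints of the roots you approve.
$ApprovedThumbprints = @(
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'   # placeholder: your internal offline root CA
)

# Registry locations that feed the Local Machine "Trusted Root" logical store.
# Policy-deployed roots (GPO) and AD-published roots (certutil -dspublish, pulled down
# by autoenrollment) land in separate physical stores from manually installed ones.
$RootSources = @{
    'Local (manual / installer)' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'Group Policy'               = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'AD published (DSPublish)'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}

function Get-RootCertOrigins {
    # Returns a hashtable: thumbprint -> list of source names the cert was found under.
    $origins = @{}
    foreach ($sourceName in $RootSources.Keys) {
        $path = $RootSources[$sourceName]
        if (-not (Test-Path $path)) { continue }
        foreach ($key in Get-ChildItem $path) {
            $tp = $key.PSChildName.ToUpper()   # subkey name is the SHA-1 thumbprint
            if (-not $origins.ContainsKey($tp)) { $origins[$tp] = @() }
            $origins[$tp] += $sourceName
        }
    }
    return $origins
}

function Get-TrustedRootAudit {
    param([string[]]$Approved)
    $origins = Get-RootCertOrigins
    # Cert:\LocalMachine\Root is the merged logical store the OS actually trusts.
    Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
        $tp = $_.Thumbprint.ToUpper()
        [pscustomobject]@{
            Thumbprint = $tp
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Source     = if ($origins.ContainsKey($tp)) { $origins[$tp] -join '; ' } else { 'unknown' }
            Approved   = [bool]($Approved -contains $tp)
        }
    }
}

$audit = Get-TrustedRootAudit -Approved $ApprovedThumbprints

# 1. Roots that arrived via the domain push mechanisms but were never approved:
#    this is the "rogue admin plants a bogus root" case from the post.
$pushedUnapproved = $audit | Where-Object {
    -not $_.Approved -and ($_.Source -match 'Group Policy|AD published')
}
if ($pushedUnapproved) {
    Write-Warning 'Unapproved root CA(s) delivered by GPO or AD publishing:'
    $pushedUnapproved | Format-Table Thumbprint, Subject, Source, NotAfter -AutoSize
}

# 2. Approved roots that are no longer present: the "wipe the real root via GPO" case.
foreach ($tp in $ApprovedThumbprints) {
    if ($audit.Thumbprint -notcontains $tp) {
        Write-Warning "Approved root $tp is missing from the Trusted Root store."
    }
}

# 3. Full inventory for the record (feed this to your SIEM or a scheduled task).
$audit | Sort-Object Source, Subject | Format-Table Thumbprint, Subject, Source, Approved -AutoSize
```

Run it from a scheduled task or as a GPO startup script and ship the output centrally; a root appearing under the Group Policy or AD published source that is not on your approved list, or an approved root vanishing, is exactly the event the question wants to be warned about. It does not stop a Domain Admin from pushing a root (nothing on the domain member can), but it shortens the time between the push and someone noticing, which is the detection question raised above.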