From 1b50b54df076ecc04a43420e1d24985eafeecc9d Mon Sep 17 00:00:00 2001 From: John Tobin Date: Mon, 10 Apr 2017 15:39:04 -0700 Subject: [PATCH] Move duplicate content --- windows/keep-secure/additional-mitigations.md | 477 ++++++++++++++ .../credential-guard-protection-limits.md | 596 ------------------ 2 files changed, 477 insertions(+), 596 deletions(-) diff --git a/windows/keep-secure/additional-mitigations.md b/windows/keep-secure/additional-mitigations.md index ba119db5fa..706bdef10b 100644 --- a/windows/keep-secure/additional-mitigations.md +++ b/windows/keep-secure/additional-mitigations.md @@ -128,6 +128,483 @@ To make tracking authentication failures due to authentication policies easier, To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). +### Appendix: Scripts + +Here is a list of scripts mentioned in this topic. + +#### Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$Identity, +$LinkedToGroup +) +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. +help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. +help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity +write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. +  +#### Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) +####################################### +## Strings definitions ## +####################################### +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". +IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. +ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} +# import-localizeddata ErrorMsg +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. +import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +if ( !($IssuancePolicyName) ) { +display-Help +break +} +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} +####################################### +## Find the container of the group ## +####################################### +if ($groupOU -eq $null) { +# default to the Users container +$groupContainer = $domain.UsersContainer +} +else { +$searchBase = [string]$domain.DistinguishedName +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +if ($groupContainer.count -gt 1) { +$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase +write-host $tmp -ForegroundColor Red +break; +} +elseif ($groupContainer -eq $null) { +$tmp = $ErrorMsg.confirmOUcreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName +if ($?){ +$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU +write-host $tmp -ForegroundColor Green +} +else{ +$tmp = $ErrorMsg.OUCreationError -f $groupOU +write-host $tmp -ForeGroundColor Red +break; +} +$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name +write-host $tmp -ForegroundColor Green +} +} +####################################### +## Find the group ## +####################################### +if (($groupName -ne $null) -and ($groupName -ne "")){ +##$searchBase = [String]$groupContainer.DistinguishedName +$searchBase = $groupContainer +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +if ($group -ne $null -and $group.gettype().isarray) { +$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($group -eq $null) { +$tmp = $ErrorMsg.confirmGroupCreation +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) { +$tmp = $ErrorMsg.UnlinkSuccess +write-host $tmp -ForeGroundColor Green +}else{ +$tmp = $ErrorMsg.UnlinkError +write-host $tmp -ForeGroundColor Red +} +} +else { +$tmp = $ErrorMsg.UnlinkExit +write-host $tmp +break +} +} +else { +$tmp = $ErrorMsg.IPNotLinked +write-host $tmp -ForeGroundColor Yellow +} +break; +} +####################################### +## Verify that the group is ## +## Universal, Security, and ## +## has no members ## +####################################### +if ($group.GroupScope -ne "Universal") { +$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +if ($group.GroupCategory -ne "Security") { +$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +break; +} +$members = Get-ADGroupMember -Identity $group +if ($members -ne $null) { +$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName +write-host $tmp -ForeGroundColor Red +foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} +break; +} +####################################### +## We have verified everything. We ## +## can create the link from the ## +## Issuance Policy to the group. ## +####################################### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName +write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Replace $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. + ## See also **Deep Dive into Credential Guard: Related videos** diff --git a/windows/keep-secure/credential-guard-protection-limits.md b/windows/keep-secure/credential-guard-protection-limits.md index d76a71f4d1..f159c931c3 100644 --- a/windows/keep-secure/credential-guard-protection-limits.md +++ b/windows/keep-secure/credential-guard-protection-limits.md @@ -34,602 +34,6 @@ Some ways to store credentials are not protected by Credential Guard, including: - Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. -## Additional mitigations - -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. - -### Restricting domain users to specific domain-joined devices - -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. - -#### Kerberos armoring - -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. - -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - -- Users need to be in domains that are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. - -#### Protecting domain-joined device secrets - -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. - -Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain functional level or higher. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. - -##### Deploying domain-joined device certificates - -To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. - -For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. - -**Creating a new certificate template** - -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: - - Name: Kerberos Client Auth - - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. - -Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. - -**Enrolling devices in a certificate** - -Run the following command: -``` syntax -CertReq -EnrollCredGuardCert MachineAuthentication -``` - -> [!NOTE] -> You must restart the device after enrolling the machine authentication certificate. -  -##### How a certificate issuance policy can be used for access control - -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. - -**To see the issuance policies available** - -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\get-IssuancePolicy.ps1 –LinkedToGroup:All - ``` - -**To link an issuance policy to a universal security group** - -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" - ``` - -#### Restricting user sign on - -So we now have completed the following: - -- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies. - -Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher domain. - -**Creating an authentication policy restricting users to the specific universal security group** - -1. Open Active Directory Administrative Center. -2. Click **Authentication**, click **New**, and then click **Authentication Policy**. -3. In the **Display name** box, enter a name for this authentication policy. -4. Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. -6. Under the **User Sign On** heading, click the **Edit** button. -7. Click **Add a condition**. -8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -10. Click **OK** to close the **Edit Access Control Conditions** box. -11. Click **OK** to create the authentication policy. -12. Close Active Directory Administrative Center. - -> [!NOTE] -> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. - -##### Discovering authentication failures due to authentication policies - -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. - -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). - -### Appendix: Scripts - -Here is a list of scripts mentioned in this topic. - -#### Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. - $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. - $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. -  -#### Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? -OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. -ExitNoLinkReplacement = Exiting without setting the new link. -'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq $null) { -# default to the Users container -$groupContainer = $domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) { -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - ## See also **Deep Dive into Credential Guard: Related videos**