Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows AD client machine certificate authentication?

  • 1.  Windows AD client machine certificate authentication?

    Posted Oct 10, 2014 04:15 PM

    I've inherited a wireless network (WPA-TKIP) that has an Active Directory setup with NPS configured. The machines that are a part of the domain have the CA cert pushed to them via GPO, as well as the wireless network, so they connect automatically using their AD credentials and already accept the internal CA signed server cert.


    Unfortunately with this setup anyone can bring in any wireless device and log in to the network assuming they have valid AD credentials. Non-corporate devices won't have the internal CA trusted, but it's bypassed by just accepting the cert.


    What I've been tasked to do is REQUIRE the machine cert (AFAIK) to be signed by the internal CA for successful authentication to the wireless network. My colleague who asked me to research if this is possible thinks we can't do this because we only have Windows 2008 R2 Standard (running at Windows 2003 level, if that matters); we can't issue machine certs without Windows 2008 Server Enterprise. We can't upgrade at the moment to 2012 because we still have some Windows 2003 servers lurking.


    So the questions I have unanswered are:


    1) Is it possible to set up client machine certificate authentication with Windows 2008 R2 Standard?

    2) Are there security holes with this plan? Do we still need authentication of AD credentials in addition to authenticating the client certificate to prevent outside devices from connecting?


    Thanks




  • 2.  RE: Windows AD client machine certificate authentication?

    EMPLOYEE
    Posted Oct 10, 2014 05:54 PM

    1) Yes. In your connection request policy, remove the Protected EAP option leaving only the "Smartcard or other certificate" option.


    2) If you're only allowing certificate based authentication from corporate assets, there's nothing else you need to do. From a security standpoint, you should configure the 802.1X settings via Group Policy so end users can't change them.



  • 3.  RE: Windows AD client machine certificate authentication?

    Posted Oct 10, 2014 08:27 PM
    Doesn't the server need to verify that the client cert is signed by the internal CA? Maybe I'm not grasping the idea of the machine cert. I'm not really a Windows Admin. AD isn't my strong suit.


  • 4.  RE: Windows AD client machine certificate authentication?

    EMPLOYEE
    Posted Oct 10, 2014 08:28 PM

    Yes, you would need to issue machine certificates from your ADCS. This can happen automagically via Group Policy.
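    Added example (not from this thread or from the poster): once machine certificates are being issued from ADCS as described in replies 2 and 4, this PowerShell check, run on a domain-joined client, lists the machine-store certificates that could actually be used for EAP-TLS and warns if none chains to the internal CA. The issuer name is a placeholder to replace with your CA's subject.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a
# domain-joined Windows client to see whether autoenrollment delivered a
# machine certificate usable for EAP-TLS ("Smartcard or other certificate").
$internalCaName = 'CN=EXAMPLE-ISSUING-CA'   # placeholder: your internal CA's CN
$clientAuthOid  = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU

# Only certs with a private key and still within validity can authenticate.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

$report = foreach ($c in $certs) {
    $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject        = $c.Subject
        Issuer         = $c.Issuer
        NotAfter       = $c.NotAfter
        ClientAuthEku  = ($ekus -contains $clientAuthOid)
        FromInternalCA = ($c.Issuer -like "*$internalCaName*")
        Thumbprint     = $c.Thumbprint
    }
}

$report | Format-Table -AutoSize

# A cert must have the Client Authentication EKU and come from the internal CA
# for the NPS "Smartcard or other certificate" policy to accept it.
$usable = $report | Where-Object { $_.ClientAuthEku -and $_.FromInternalCA }
if (-not $usable) {
    Write-Warning 'No EAP-TLS machine certificate from the internal CA found.'
    Write-Warning 'Check the Computer autoenrollment GPO, then run: certutil -pulse'
}
```

If the table shows a certificate but the wireless profile still offers PEAP, the client will keep using user credentials; the 802.1X profile pushed by GPO must also select the certificate EAP method.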



  • 5.  RE: Windows AD client machine certificate authentication?

    Posted Oct 15, 2014 01:54 PM

    Can this be done without an Enterprise CA though?



  • 6.  RE: Windows AD client machine certificate authentication?

    EMPLOYEE
    Posted Oct 15, 2014 01:55 PM

    Yes, but it would be a manual, painful process.



  • 7.  RE: Windows AD client machine certificate authentication?

    Posted Oct 15, 2014 01:56 PM

    Is there a login script that someone has made to automate this? We just don't have Windows Server 2008 Enterprise and I doubt we'll get it soon.




  • 8.  RE: Windows AD client machine certificate authentication?

    EMPLOYEE
    Posted Oct 15, 2014 02:13 PM

    Not that I know of. Maybe someone else has some ideas.



  • 9.  RE: Windows AD client machine certificate authentication?

    Posted Oct 15, 2014 05:04 PM

    A coworker is telling me we can't build an Enterprise CA since we just have Windows Server 2008 R2 Standard. I'm not finding confirmation of that fact. Can anyone confirm?


    Thanks



  • 10.  RE: Windows AD client machine certificate authentication?



  • 11.  RE: Windows AD client machine certificate authentication?

    EMPLOYEE
    Posted Oct 11, 2014 10:56 PM


  • 12.  RE: Windows AD client machine certificate authentication?

    Posted Oct 15, 2014 01:54 PM

    All I see is a blank post, cjoseph.