
I've been fiddling with the Windows firewall configuration of some computers within a VMWare based LAN (no domain). To aid in my testing and debugging, I created a small, self-hosted console application that will answer HTTP requests, an "answering machine" if you will, so that I can easily check connectivity between computers on a specific port.

I immediately got it all running fine using "Preshared keys" for First authentication (Connection Security Rules / Authentication / Advanced / Customize), but when attempting to switch to "Computer certificate from this certification authority", everything stops working.

I've tried the following:

  • Created my own CA and configured the firewall to use it on all computers.
  • Configured the firewall to use a Verisign CA on all computers.
  • Created additional "allow all" inbound and outbound rules for the firewall.
  • Called the "answering machine" from both the host computer and another virtual machine.
  • Tried with and without requiring authentication for outbound traffic.
  • Tried specifying the port, etcetera.

My feeling is that I'm somehow fundamentally backwards in this, so I have two questions:

  • Is the certificate solution not possible with computers not connected to a domain (with enrollment etcetera)?
  • If it should be possible, what am I missing?
Oskar Lindberg
  • Possibly a dumb question, but do the hosts have the means to access the CRL of the CA? If they can't access the CRL, then the certificates may fail validation. – D.H. Aug 10 '17 at 12:05
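As an added example (not code from the question or the answers), this is the scripted, workgroup-only equivalent of the GUI path "Connection Security Rules / Authentication / Advanced / Customize", followed by the checks that usually explain why a certificate rule stays silent: a missing machine certificate, an unreachable CRL (the point raised in the comment above), or no main-mode SA. The CA subject, the test port and the temp path are assumed values; every peer needs the root in LocalMachine\Root and its own certificate with private key in LocalMachine\My.

```powershell
# Run in an elevated PowerShell on each peer (NetSecurity and PKI modules).
# Assumed/constructed values: the CA subject, the test port and the temp path.
$CaSubject = 'CN=Lab Root CA'   # constructed: the exact subject of your CA
$TestPort  = 8080               # constructed: the "answering machine" port

# 1. First authentication: a computer certificate chaining to $CaSubject.
$proposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $CaSubject -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Lab CA machine cert' `
    -Proposal $proposal

# 2. Connection security rule: inbound traffic to the test port must be
#    authenticated; outbound asks for authentication but may fall back.
New-NetIPsecRule -DisplayName 'Require cert auth to answering machine' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort $TestPort `
    -Phase1AuthSet $authSet.Name

# 3a. Is there a machine certificate with a private key issued by the CA?
#     Without one, IKE/AuthIP has nothing to offer and the rule never matches.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -eq $CaSubject }
if (-not $machineCerts) {
    Write-Warning "No machine certificate issued by $CaSubject with a private key."
}

# 3b. Does the chain build, including CRL retrieval? certutil fetches the
#     CDP URL from the certificate; a fetch error or timeout here means this
#     peer cannot reach the CRL and validation of the peers' certs can fail.
foreach ($c in $machineCerts) {
    $path = Join-Path $env:TEMP "$($c.Thumbprint).cer"   # constructed temp path
    Export-Certificate -Cert $c -FilePath $path | Out-Null
    certutil.exe -verify -urlfetch $path | Select-String 'Revocation|CRL|ERROR'
}

# 3c. After a request to the answering machine, an established main-mode SA
#     shows the certificate exchange succeeded; an empty list means the
#     negotiation failed before any traffic was allowed through.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

Step 3 is what to run on both ends before changing the rule again; the first check that fails is the one to fix.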

2 Answers


I perused the Microsoft TechNet article here: http://technet.microsoft.com/en-us/library/deploy_ipsec(v=ws.10).aspx (googled "windows firewall certificate authentication") and a little bit lower it says that it doesn't cover: Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. For this information, see Active Directory Certificate Services (ADCS)(http://go.microsoft.com/fwlink/?linkid=110820).

That leads us to the AD TechNet article on the subject: http://technet.microsoft.com/en-US/library/cc770357.aspx

It looks like you will need a domain to implement ADCS to authenticate with certificates. (The TechNet sources I found were all for Windows Server 2008.) Active Directory is a whole boatload of fun (some sarcasm, some not!), and it looks like you will have to go that route to configure the advanced security options in the Windows Firewall (at least for CAs).

Desthro

I understand that you're testing and exploring a feature, but I suspect what you're looking at may not be the solution you're after. What problem are you trying to solve?

The MSFT firewall allows for secure networking and (from the MSCS consulting perspective) has evolved over the years from the following concepts:

  • Kerberos
  • IPSec VPN + Windows Firewall
  • Using IPSec as a way to separate "authorized" computers from unauthorized. (primitive NAP)
  • DirectAccess

A PKI is needed for most if not all of those features. ADCS is a valid choice, and can work well as a single server CA, or scaled out into an N tier solution as needed.

Authentication with HTTP using certificates is orthogonal to all those solutions, and has a set of browser side issues if humans will be using it (see this also). If you're looking for modern client authentication that also protects from certain cookie attacks, you should look at Fido.

If you're writing an app that authenticates using a certificate, you may be interested in the ADCS web enrollment WSDL. Note that the network device enrollment service is not intended to be internet facing and there is guidance against using it in certain situations.

makerofthings7
  • Imagine, if you will, a LAN of computers with tightly hardened OS configurations, without superfluous features like domains - just a network of cloned clients. I would like to make it so that these clients will not accept communications from an arbitrary computer jacked into the same LAN. – Oskar Lindberg Jan 07 '15 at 12:18
  • @OskarLindberg - unless everything is SSLF, you're better off with a domain - https://technet.microsoft.com/en-us/network/bb545651.aspx – user2320464 Jul 20 '15 at 23:38
  • A domain is not possible due to environment specifications. Kerberos is out (i.e. there is no such or similar authentication concept between nodes in the network, which are arbitrary). There are other network components (hardware) that inspect and filter network data and restrict traffic. Physical access to the network is also restricted. The extra protection is not required, but I thought it would have been nice if native certificate authentication were possible. (Pre-shared keys are not practically valid for several reasons.) – Oskar Lindberg Aug 01 '15 at 09:47