Let's start the conversation

Computer security can be a scary thing. If you just have a quick question, feel free to drop Dan a line.

Send
jwsecure_blog_imagery_mbkandsn

StrongNet Cloud Setup

Posted On June 20, 2016 By Dan In Cloud Computing, StrongNet, Walkthrough /  

This walkthrough demonstrates the deployment and configuration of StrongNet. For this walkthrough, I’m using Active Directory in a public cloud virtual network. The desired outcome is that sensitive enterprise data are accessible only to servers that are compliant with security policy. The following diagram shows the architecture of the resulting environment.
sn1

In the above diagram:

  1. The Server, at the top, is assumed to be any Windows workload running on premise or in the cloud. The walkthrough below discusses the installation of the StrongNet Secure Endpoint software. Once installed, Secure Endpoint gathers security-related device measurements from the host and sends them over SSL/TLS to the StrongNet Remote Attestation Service (AS). Installation of the AS is also discussed below.
  2. The Server requests a certificate. This is driven by the Secure Endpoint and/or the built-in Windows auto-enrollment client. The certificate template is configured on the CA to be available only to “healthy” computers.
  3. In order to verify that the certificate requester is healthy, the CA queries the AS
  4. If the Server has demonstrated to the AS that it is compliant with security policy, the CA issues the requested certificate
  5. The certificate may then be used for any PKI-capable authentication/authorization scenario
  6. As a result, only computers that don’t pose a data loss risk are granted access to sensitive data

The next steps describe how to setup the above.

  1. Start with an environment that includes an Active Directory Domain Services (AD DS) Domain Controller (DC) and an Enterprise Certificate Authority (CA).
  2. The environment also requires an IIS web server to host the StrongNet Attestation Service (AS). The web server must have ASP.NET 4.6 installed. In this demo, the web server is joined to the above AD domain and has a server certificate issued by the CA (this is an optional step – the AS works fine without AD). Configure the web server to use the server certificate by default for listening for HTTPS traffic on port 443 (which should be open in your local and cloud firewalls, as appropriate). Since this web server will only be hosting one app in my demo environment, I configured this HTTPS binding on the Default Web Site:

    sn2

  3. On the web server, run the StrongNet Attestation Service installation package:
    sn3
  4. Specify the SQL connection information for the attestation database. For convenience when setting up public demos, I almost always use SQL Azure for this type of thing. (However, if you’re not using SQL Azure, I recommend enforcing Windows Integrated Authentication for all SQL Server authentication.)
    sn4
  5. You’ll only see this screen if you’re not using Windows Integrated Authentication to connect to SQL:
    sn5
  6. Finally, press the Install button:
    sn6
  7. Confirm that the AS installation procedure completes successful, as shown in the following dialog. (If an installation error occurs, it’s usually because of a failure to authenticate to SQL. Check the StrongNet-JWSecure application event log to know for sure.)
    sn7
  8. Configure the remaining site-specific settings of the AS. Launch an elevated PowerShell window and import the StrongNet PowerShell Cmdlet. Then point the AS at the certificate that you want to use for TPM key management. (This particular demo doesn’t include the use of TPMs, but I configure the AS server certificate anyway in anticipation of future use.)

    PS C:\Program Files\JWSecure\StrongNet\AttestationService\BhtMvc\bin> Import-Module .\StrongNetCmdlet.dll
    PS C:\Program Files\JWSecure\StrongNet\AttestationService\BhtMvc\bin> $mcert = gci Cert:\LocalMachine\My\954BA263D634D4A6E91D2D4E1880C0923ADE15E7
    PS C:\Program Files\JWSecure\StrongNet\AttestationService\BhtMvc\bin> Set-StrongNetKeyArchivalCertificate -KeyArchivalCertificate $mcert

  9. Now that the AS configuration is complete, login to your Enterprise CA. Open the Certification Authority management console. Right-click on Certificate Templates and select Manage.
  10. In Certificate Templates Console, right-click on the Computer template and select Duplicate.
  11. For the duplicated template properties, set the Compatibility tab as follows:
    sn8
  12. In the General tab, give the template a name:
    sn9
  13. Update the Cryptography tab to use CNG (i.e., rather than legacy CAPI):
    sn10
  14. In the Extensions tab, select Issuance Policies and click Edit:
    sn11
  15. In the Add Issuance Policy window, click New:
    sn12
  16. Give the new Issuance Policy OID a name:
    sn13
  17. Click OK twice to dismiss the dialogs. Check the Make this extension critical box and click OK:
    sn14
  18. Back in the Extensions tab again, select Application Policies and click Edit:
    sn15
  19. In the Edit Application Policies Extension dialog, click Add:
    sn16
  20. In the Add Application Policy dialog, click New:
    sn17
  21. In the New Application Policy dialog, give it a name and then press the OK button, as shown in the following screen. Then click OK three more times to complete the creation of the new certificate template.
    sn18
  22. After the new template has been created, return to the Certification Authority management window, right-click on Certificate Templates, select New, and select Certificate to issue. Select the template you just created and then click OK:
    sn19
  23. Configure a cloud virtual machine to be protected by StrongNet policies. Start by logging into a domain-joined member server as a local administrator. Launch the StrongNet Secure Endpoint package installer:
    sn20
    sn21
  24. Either via GPO, PowerShell, or manually in the registry, change the existing HKLM \SOFTWARE\JWSecure\StrongNetClient, MachineTemplate value to the name of the certificate template you created above. Then change the existing ServiceUri value to the URI of the Attestation Service, installed previously.
  25. Confirm, via the presence of the circular green key icon in the system desktop tray area (see the cropped image below), that the StrongNet Secure Endpoint is running and that the host computer is compliant with security policy. In this demo, my public cloud VM is running a pre-release version of Windows Server 2016 in Windows Azure.
    sn22
  26. Confirm via the StrongNet Dashboard that the device is registered. As the following dashboard screenshot indicates, the demo host is indeed registered as compliant. (However, since the computer in question is not equipped with a TPM security chip, the expected red X is visible in the Attested column.)
    sn23

Now the cloud virtual machine is protected by StrongNet. The VM will only have access to a certificate from the template created above when the computer is compliant with security policy. Thus, you know that if the computer if capable of authenticating to other resources using that certificate, that the computer is trustworthy. Likewise, if the computer falls out of compliance and isn’t trustworthy, it won’t be able to access other critical resources.

In the next posts, I’ll demonstrate various enforcement scenarios, including high-assurance/low-overhead protection for big data, hybrid cloud, and DevOps.

Related posts:

  1. One more detail on using an Enterprise CA with NAP
  2. Accelerating enterprise cloud adoption, safely
  3. Security as a Business Enabler: StrongNet Secure Admin
  4. Cloud Computing: The First Trip to the Cloud
StrongNet Datacenter Walkthrough
Techniques for High-Assurance Data Protection

Leave a Reply

Dan Griffin’s Books:

The Four Pillars of Endpoint Security
(CreateSpace – June, 2013)
Cloud Security and Control
(CreateSpace – May, 2014)

CONTACT INFO

JW Secure, Inc.
1752 NW Market St.
Suite 227
Seattle, WA 98107-5224
 
sales@jwsecure.com  
Copyright 2017 JW Secure, Inc. All rights reserved. Site design by Page 3 Design.