This walkthrough demonstrates the deployment and configuration of StrongNet. For this walkthrough, I’m using Active Directory in a public cloud virtual network. The desired outcome is that sensitive enterprise data are accessible only to servers that are compliant with security policy. The following diagram shows the architecture of the resulting environment.
In the above diagram:
- The Server, at the top, is assumed to be any Windows workload running on premise or in the cloud. The walkthrough below discusses the installation of the StrongNet Secure Endpoint software. Once installed, Secure Endpoint gathers security-related device measurements from the host and sends them over SSL/TLS to the StrongNet Remote Attestation Service (AS). Installation of the AS is also discussed below.
- The Server requests a certificate. This is driven by the Secure Endpoint and/or the built-in Windows auto-enrollment client. The certificate template is configured on the CA to be available only to “healthy” computers.
- In order to verify that the certificate requester is healthy, the CA queries the AS.
- If the Server has demonstrated to the AS that it is compliant with security policy, the CA issues the requested certificate.
- The certificate may then be used for any PKI-capable authentication/authorization scenario.
- As a result, only computers that don’t pose a data loss risk are granted access to sensitive data.
The next steps describe how to set up the above.
- Start with an environment that includes an Active Directory Domain Services (AD DS) Domain Controller (DC) and an Enterprise Certificate Authority (CA).
- The environment also requires an IIS web server to host the StrongNet Attestation Service (AS). The web server must have ASP.NET 4.6 installed. In this demo, the web server is joined to the above AD domain and has a server certificate issued by the CA (this is an optional step – the AS works fine without AD). Configure the web server to use the server certificate by default for listening for HTTPS traffic on port 443 (which should be open in your local and cloud firewalls, as appropriate). Since this web server will only be hosting one app in my demo environment, I configured this HTTPS binding on the Default Web Site:
- On the web server, run the StrongNet Attestation Service installation package:
- Specify the SQL connection information for the attestation database. For convenience when setting up public demos, I almost always use SQL Azure for this type of thing. (However, if you’re not using SQL Azure, I recommend enforcing Windows Integrated Authentication for all SQL Server authentication.)
- You’ll only see this screen if you’re not using Windows Integrated Authentication to connect to SQL:
- Finally, press the Install button:
- Confirm that the AS installation procedure completes successfully, as shown in the following dialog. (If an installation error occurs, it’s usually because of a failure to authenticate to SQL. Check the StrongNet-JWSecure application event log to know for sure.)
- Configure the remaining site-specific settings of the AS. Launch an elevated PowerShell window and import the StrongNet PowerShell cmdlet. Then point the AS at the certificate that you want to use for TPM key management. (This particular demo doesn’t include the use of TPMs, but I configure the AS server certificate anyway in anticipation of future use.)

```powershell
# Run from an elevated PowerShell window in the AS install directory
PS C:\Program Files\JWSecure\StrongNet\AttestationService\BhtMvc\bin> Import-Module .\StrongNetCmdlet.dll
# Select the server certificate (by thumbprint) from the machine store
PS C:\Program Files\JWSecure\StrongNet\AttestationService\BhtMvc\bin> $mcert = gci Cert:\LocalMachine\My\954BA263D634D4A6E91D2D4E1880C0923ADE15E7
# Register it with the AS as the key archival certificate
PS C:\Program Files\JWSecure\StrongNet\AttestationService\BhtMvc\bin> Set-StrongNetKeyArchivalCertificate -KeyArchivalCertificate $mcert
```

- Now that the AS configuration is complete, log in to your Enterprise CA. Open the Certification Authority management console. Right-click on Certificate Templates and select Manage.
- In Certificate Templates Console, right-click on the Computer template and select Duplicate.
- For the duplicated template properties, set the Compatibility tab as follows:
- In the General tab, give the template a name:
- Update the Cryptography tab to use CNG (i.e., rather than legacy CAPI):
- In the Extensions tab, select Issuance Policies and click Edit:
- In the Add Issuance Policy window, click New:
- Give the new Issuance Policy OID a name:
- Click OK twice to dismiss the dialogs. Check the Make this extension critical box and click OK:
- Back in the Extensions tab again, select Application Policies and click Edit:
- In the Edit Application Policies Extension dialog, click Add:
- In the Add Application Policy dialog, click New:
- In the New Application Policy dialog, give it a name and then press the OK button, as shown in the following screen. Then click OK three more times to complete the creation of the new certificate template.
- After the new template has been created, return to the Certification Authority management window, right-click on Certificate Templates, select New, and select Certificate to issue. Select the template you just created and then click OK:
- Configure a cloud virtual machine to be protected by StrongNet policies. Start by logging into a domain-joined member server as a local administrator. Launch the StrongNet Secure Endpoint package installer:
- Either via GPO, PowerShell, or manually in the registry, change the existing HKLM\SOFTWARE\JWSecure\StrongNetClient, MachineTemplate value to the name of the certificate template you created above. Then change the existing ServiceUri value to the URI of the Attestation Service, installed previously.
- Confirm, via the presence of the circular green key icon in the system desktop tray area (see the cropped image below), that the StrongNet Secure Endpoint is running and that the host computer is compliant with security policy. In this demo, my public cloud VM is running a pre-release version of Windows Server 2016 in Windows Azure.
- Confirm via the StrongNet Dashboard that the device is registered. As the following dashboard screenshot indicates, the demo host is indeed registered as compliant. (However, since the computer in question is not equipped with a TPM security chip, the expected red X is visible in the Attested column.)
Now the cloud virtual machine is protected by StrongNet. The VM will only have access to a certificate from the template created above while the computer is compliant with security policy. Thus, if the computer is capable of authenticating to other resources using that certificate, you know that the computer is trustworthy. Likewise, if the computer falls out of compliance and isn’t trustworthy, it won’t be able to access other critical resources.
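The following PowerShell is an added example, not code from the original post or from StrongNet. It performs the Secure Endpoint registry step above and then checks whether the host currently holds a machine certificate issued from the health-gated template, which is the trustworthiness signal this paragraph describes. The template name, the Attestation Service URI, and the use of certutil to pulse auto-enrollment are my assumptions; replace the first two with your own values.

```powershell
# Added example (not from the original post). Sets the two Secure Endpoint registry
# values and then looks for a machine certificate issued from the health-gated template.
$clientKey    = 'HKLM:\SOFTWARE\JWSecure\StrongNetClient'
$templateName = 'StrongNetHealthyComputer'   # assumed: name typed in the template's General tab
$serviceUri   = 'https://as.example.com/'    # assumed: URL of the Attestation Service (IIS, port 443)

# The installer already creates the key and both values; only overwrite them here.
Set-ItemProperty -Path $clientKey -Name 'MachineTemplate' -Value $templateName
Set-ItemProperty -Path $clientKey -Name 'ServiceUri'      -Value $serviceUri
Get-ItemProperty -Path $clientKey | Select-Object MachineTemplate, ServiceUri

# Trigger the built-in auto-enrollment client now instead of waiting for its next timer run
# (run from an elevated prompt so the machine context is pulsed).
certutil.exe -pulse | Out-Null

function Get-TemplateCertificate {
    param([string]$Template)
    # Both the v1 (1.3.6.1.4.1.311.20.2) and v2+ (1.3.6.1.4.1.311.21.7) template extensions
    # render the template name in their formatted text when the name resolves in AD.
    # The duplicated CNG template produces the v2+ extension.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.Extensions | Where-Object {
            $templateOids -contains $_.Oid.Value -and
            $_.Format($false) -match [regex]::Escape($Template)
        }
    } | Select-Object -First 1
}

$cert = Get-TemplateCertificate -Template $templateName
if ($null -eq $cert) {
    Write-Warning "No certificate from template '$templateName' is present; the host is not (yet) attested as compliant."
} else {
    # The issuance-policy extension was marked critical in the template, so a relying party
    # that does not understand it must reject the certificate rather than silently ignore it.
    $policy = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        IssuancePolicy   = if ($policy) { $policy.Format($false) } else { '(none)' }
        PolicyIsCritical = [bool]($policy -and $policy.Critical)
    }
}
```

Rerunning the check after the host falls out of compliance should stop returning a fresh certificate once the current one expires, because the CA will refuse renewal while the AS reports the device as non-compliant.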
In the next posts, I’ll demonstrate various enforcement scenarios, including high-assurance/low-overhead protection for big data, hybrid cloud, and DevOps.