Windows 10: What if I remove the write permissions for authenticated users for client CMG certificate?

Hello Guys,Ad CS vulnerabilities.IntuneClientCertificate -> ESC1:"Domain Users" can enroll with the CA and specify the "Subject Alternative Name". Therefore, a user can request a client authenticate certificate, specifying a DA as the SAN, and have a certificate to impersonate the DA using the certificate for authentication.ClientCMGCert -> ESC4:"Authenticated Users" have full write permission over this certificate, and therefore, can modify ClientCMGCert to become vulnerable to ESC1 as above.To Fix this can I go ahead and Edit the authenticated USers' permissions I..e., can I revoke the

:)

 

Radius server + WLC and Client Certificate Authentication

Hello people,

We have an issue with our radius server.

I will explain what is our goal and what configuration we have so far:

Our goal is to authenticate clients in the domain using WLC and Client Certificate Authentication.

Each client in our domain has a unique personal certificate.

The idea is when an employee opens his PC automatically connects to the specified by the GPO recommended network by using the certificate and not the username and password.



Currently, we configured the WLC Cisco controller to receive the client certificate, authenticate it and provide the IP address(of course if the policies are validated).

Afterward that the WLC controller has to send the request to the radius server. The radius should check if the certificate is valid (not expired) and not included in the revocation list.

Here our issue came. It seems that the radius cannot access the revocation list and cannot check if the certificate is revoked.

We validated that by disabling the revocation list check in the Radius server registry settings.

If we set it to ignore the revocation list check, the authentication succeeds, and the client is authenticated successfully.

The thing is that this way we lower the security of the connection significantly and we would like to make sure the certificate is validated against the revocation list.

At the same time, there are no issues in the connection between the RADIUS server and the server where the revocation list is stored/published.



Could you please let me know if there is any specific configuration that should be made in order for the radius to be able to check the status of the authenticated certificate in the revocation list?

Is there any configuration guide that we have to follow in order to implement the necessary configuration in the most proper way?

 

Removing folder permissions from 'Authenticated Users' and/or 'SYSTEM'

Hi,

I am using Windows 10 Professional. While logged in as myself (account name 'PWK' and member of the 'Administrators' group), I created a folder at the root of my hard drive called C:\MySecureFolder

I would like to secure this folder as much as I possibly can so that only the following permissions will exist:

• Members of a Group called 'Artists' can read files from this folder but can do nothing else
  
• Members of a Group called 'ArtManagers' can copy files to this folder and can read files, but can do nothing else.
  
• Members of the 'Administrators' have full control (can read, write, modify, delete, etc)
  
• Aside from the groups mentioned above, no one else will have permission to do anything in or with this folder
  

When I created this folder, I found that by default, the following Groups and Users had been assigned permissions:

• Authenticated Users
  
• SYSTEM
  
• Administrators
  
• Users
  

It was obvious to me that I wanted permissions to remain for the 'Administrators' Group and that I wanted to remove permissions for the 'Users' group, but I was not sure what the ramifications would be if I were to remove permissions from 'Authenticated Users' and 'SYSTEM'.

I anyone here can advise me whether I can safely do this, or if removing permissions from either of these groups would be a bad idea, I would greatly appreciate it.

Thanks in advance,
Paul

 

Web Client Authentication via SSL Certificate

Nope, that did not work.

I even tried removing the CA certificate and just leaving the client certificate. It still fails on the user authentication.

I'm going to try going thru the CA-Int-Client route... last ditch effort now.

If this doesn't work then Win Mobile is useless to me...