
Greetings,

We’ve been excited about enabling the prelogon tunnel feature for NPA for some time now, but have been hesitant to do so without properly securing access by machines via the certificate method outlined in the following article: https://docs.netskope.com/en/windows-autopilot-with-private-access-prelogon/

Per this article’s “Generate and Distribute Machine Certificates” section, “This section covers an optional but highly recommended set of steps required for machine certificates generation, signing, distribution and enforcement, which improves security and reduces risks associated with unauthorized access over a prelogon tunnel.”

It strikes me that the best practice for prelogon enablement would be coupled with Netskope verifying machine certificates as part of its device classification; I went through the steps of setting up the certificate template in our environment, in addition to configuring the Intune Certificate Connector. However, not long after a third-party assessment/penetration test of our environment, our vendor discovered the following details related to this certificate template:

“In our findings, the certificate template is vulnerable to escalation. It allows client authentication, doesn’t have any restrictions, and allows alternative subject names to be set. It currently allows Domain Computers to enroll. By default, domain users can create up to 10 machine accounts on the domain, which is what your team caught with the test account’s notifications. Once I created that account, I could then enroll in the certificate template setting a Domain Admin as the alternative subject name, and I then was able to authenticate as that administrator.”

Thankfully this was only a test, and while I can’t 100% say for certain that the template’s setup wasn’t without error from the documentation, if that’s not the case and the documentation is accurate, I worry about configuring this in our environment. 

Has anyone successfully configured this or any other machine certificate validation? And, are we certain that the template doesn’t allow for this behavior to assume/authenticate as a domain administrator?
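The finding quoted above is a known AD CS template weakness: a template that lets the requester supply the subject or SAN, carries an authentication EKU, needs no approval, and is enrollable by a broad group. The PowerShell below is an added example, not code from this thread or from the Netskope documentation, for auditing your own templates for that combination from the defender's side. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition; the `$BroadPrincipals` list and the way it treats an empty EKU list as "any purpose" are assumptions you should adjust to your environment. It also reports the domain's machine account quota, since that is what let the tester create the account they enrolled with.

```powershell
# Added example: audit AD CS certificate templates for the ESC-style combination
# described by the assessor (requester-supplied subject/SAN + auth EKU + no approval
# + broad enrollment) and report whether each risky template is actually published.
Import-Module ActiveDirectory

# Documented AD CS flag bits and EKU OIDs
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies Subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: "CA certificate manager approval"
$AuthEKUs = @('1.3.6.1.5.5.7.3.2',         # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',    # Smart Card Logon
              '2.5.29.37.0')               # Any Purpose
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# Assumption: principals that effectively mean "any domain member"; add your own broad groups here
$BroadPrincipals = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

function Get-BroadEnrollers {
    # Returns the broad principals that hold Enroll (or full control) on a template's ACL
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $hits = foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''     # strip the DOMAIN\ prefix
        if ($name -notin $BroadPrincipals) { continue }
        $rights   = $ace.ActiveDirectoryRights
        $isEnroll = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                    ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty)
        $isFull   = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if ($isEnroll -or $isFull) { $name }
    }
    @($hits | Sort-Object -Unique)
}

function Get-PublishedTemplateNames {
    # A template is only reachable through a CA that lists it in certificateTemplates
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique
}

function Find-RiskyTemplate {
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props      = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                  'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
    $published  = @(Get-PublishedTemplateNames)

    Get-ADObject -SearchBase $searchBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
      ForEach-Object {
        $ekus = @($_.pKIExtendedKeyUsage)
        [pscustomobject]@{
            Template        = $_.Name
            Published       = $_.Name -in $published
            SuppliesSubject = ([int]$_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
            # Assumption: an empty EKU list is treated as usable for authentication (any purpose)
            AuthEKU         = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $AuthEKUs })
            ManagerApproval = ([int]$_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
            RequiredSigs    = [int]$_.'msPKI-RA-Signature'
            BroadEnrollers  = (Get-BroadEnrollers $_.nTSecurityDescriptor) -join ', '
        }
      } | Where-Object {
        $_.SuppliesSubject -and $_.AuthEKU -and -not $_.ManagerApproval -and
        $_.RequiredSigs -eq 0 -and $_.BroadEnrollers
      }
}

function Get-MachineAccountQuota {
    # Default is 10: any domain user may join that many computer objects to the domain
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Find-RiskyTemplate | Format-Table -AutoSize
"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
```

Any template the script lists and that is also published is the situation the assessor described. For a prelogon device certificate the usual fixes are to clear the "supply in the request" option so the subject is built from Active Directory, restrict Enroll to the specific device group rather than Domain Computers, and, if you keep a requester-supplied subject for some other reason, require CA manager approval; lowering the machine account quota closes the account-creation step the tester used.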


Hello @extra_ranch

A few observations and notes.

1. Prelogon is separate from the device classification certificate check to decouple the requirements, as they are distinct. Prelogon access may be provided as part of Intune Autopilot before full device and user certificates are issued, so it may be possible that the same CA is used for both, but this varies by environment. Additionally, Prelogon only supports device certificates, while device classification supports both user and device certificates.
2. As for the broader concern, this template is provided as a sample, but I will ask some internal resources to review, as I don’t believe this is the case and the exact settings are dependent on your environment.


Hi Sam,


Thank you for your response. While it’d be great to ultimately use Autopilot in tandem with certificates (we are definitely Autopilot fans), my primary goal is to ensure Prelogon for workstations (prior to activation/use) is verifying that an issued certificate is present on the workstations by a known/trusted CA; ideally this would validate against a known revocation list if any machine were to go “rogue”.

 

I appreciate you looking into the template/resources related to the certificate generation; I’ll keep my eyes peeled!


Hello @extra_ranch

Apologies for the delay. Prelogon does support CRL based validation for certificate validity. Once enabled in the Client Configuration, the CRL check will query your provided CRL (specified in the signing CA certificate you provide) when the certificate check is performed as prelogon connections are established.

The CRL you provide must be accessible from the Netskope management plane IP addresses specified in the support portal.  

As for the template itself, it was provided from a specific environment where the cert may be used for multiple purposes. You likely do not need the SAN in that template, as our Prelogon check is checking that the cert is signed properly and the revocation status (if enabled, see above).

I do also want to stress one other thing.  If your organization already issues device certificates then creating a new template is not actually necessary.  You can use the existing infrastructure and validate against your existing signing CA. 
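Because the CRL check described above runs against the distribution point named in the signing CA certificate, it is worth confirming that certificate actually advertises an HTTP CDP and that the CRL there is current before enabling the check. The PowerShell below is an added example, not code from this thread or from Netskope: it reads the CRL distribution point URLs out of an exported CA certificate, fetches each one, and reports the HTTP status and the CRL's Next Update. The `C:\temp\signing-ca.cer` path is a placeholder, and the Next Update line is parsed from `certutil -dump` output, so the date parsing is locale dependent. Reachability from your workstation is necessary but not sufficient; the check itself is performed from the Netskope management plane addresses listed in the support portal.

```powershell
# Added example: verify the CRL distribution points in a signing CA certificate are
# reachable over HTTP and that the published CRL has not passed its Next Update.
function Get-CrlDistributionPoint {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text containing "URL=http://..." entries
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    $tmp = Join-Path $env:TEMP 'fetched.crl'
    try {
        $resp = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing -TimeoutSec 15
        # certutil -dump prints ThisUpdate/NextUpdate for a CRL; a past NextUpdate means clients
        # treat the CRL as stale and revocation checking fails
        $dump = certutil -dump $tmp | Out-String
        $next = if ($dump -match 'Next\s*Update:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
        $stale = 'unknown'
        try { $stale = [datetime]::Parse($next) -lt (Get-Date) } catch { }   # locale dependent
        [pscustomobject]@{
            Url        = $Url
            Status     = $resp.StatusCode
            Bytes      = (Get-Item $tmp).Length
            NextUpdate = $next
            Stale      = $stale
        }
    } catch {
        [pscustomobject]@{ Url = $Url; Status = "ERROR: $($_.Exception.Message)"; Bytes = 0; NextUpdate = 'n/a'; Stale = 'n/a' }
    }
}

# Placeholder path: export the CA certificate you upload to Netskope and point this at it
$cdps = @(Get-CrlDistributionPoint -CertPath 'C:\temp\signing-ca.cer')
if (-not $cdps) { Write-Warning 'CA certificate carries no CRL distribution point; CRL checking cannot work' }
$cdps | Where-Object { $_ -like 'http*' } | ForEach-Object { Test-CrlEndpoint -Url $_ } | Format-Table -AutoSize
```

LDAP CDP entries are filtered out deliberately, since an Internet-side check can only use the HTTP URL; if the only CDP is LDAP, the CA needs an HTTP distribution point published before the prelogon CRL check can succeed.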
