Greetings,
We’ve been excited about enabling the prelogon tunnel feature for NPA for some time now, but have been hesitant to do so without properly securing access by machines via the certificate method outlined in the following article: https://docs.netskope.com/en/windows-autopilot-with-private-access-prelogon/
Per this article’s “Generate and Distribute Machine Certificates” section, “This section covers an optional but highly recommended set of steps required for machine certificates generation, signing, distribution and enforcement, which improves security and reduces risks associated with unauthorized access over a prelogon tunnel.”
It strikes me that the best practice for prelogon enablement would be coupled with Netskope verifying machine certificates as part of its device classification; I went through the steps of setting up the certificate template in our environment, in addition to configuring the Intune Certificate Connector. However, not long after a third-party assessment/penetration test of our environment, our vendor discovered the following details related to this certificate template:
“In our findings, the certificate template is vulnerable to escalation. It allows client authentication, doesn’t have any restrictions, and allows alternative subject names to be set. It currently allows Domain Computers to enroll. By default, domain users can create up to 10 machine accounts on the domain, which is what your team caught with the test account’s notifications. Once I created that account, I could then enroll in the certificate template setting a Domain Admin as the alternative subject name, and I was then able to authenticate as that administrator.”
Thankfully this was only a test, and while I can’t say with 100% certainty that the template was set up from the documentation without error, if it was and the documentation is accurate, I worry about configuring this in our environment.
Has anyone successfully configured this or any other machine certificate validation? And, are we certain that the template doesn’t allow for this behavior to assume/authenticate as a domain administrator?
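For anyone wanting to check their own template before (or after) following the Netskope article, the script below is an added example written for this thread; it is not from the original post, from the assessment, or from Netskope’s documentation. It reads the template objects from the Configuration partition and reports the exact combination the pentester described: the enrollee may supply the subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), the EKU permits authentication, no manager approval or authorized signature is required, and enrollment is granted to a broad group such as Domain Computers. It also prints ms-DS-MachineAccountQuota, which is the setting that let a plain domain user create the test machine account. The `$TemplateName` parameter and the list of “broad” principals are my own assumptions; it needs the RSAT ActiveDirectory module and read access to the Configuration NC.

```powershell
# Added example for this thread (not from the original post, the assessment, or Netskope docs).
# Audits AD CS certificate templates for the escalation path described above and reports
# ms-DS-MachineAccountQuota. $TemplateName is an assumed parameter; omit it to audit all templates.
param([string]$TemplateName = '*')

Import-Module ActiveDirectory

# EKUs that allow a certificate to be used for authentication (an empty EKU list also counts).
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$broadPrincipals = 'Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone'   # assumed list

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
    -Properties cn, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                pKIExtendedKeyUsage, nTSecurityDescriptor

foreach ($t in $templates) {
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ -ne $null })

    $enrolleeSuppliesSubject = ($nameFlag -band 0x1) -ne 0        # "Supply in the request"
    $managerApproval         = ($enrollFlag -band 0x2) -ne 0      # CT_FLAG_PEND_ALL_REQUESTS
    $signaturesRequired      = ([int]$t.'msPKI-RA-Signature') -gt 0
    $allowsAuth              = [bool](($ekus.Count -eq 0) -or ($ekus | Where-Object { $authEkus -contains $_ }))

    # Principals that can enroll: Allow ACEs carrying the Enrollment/AutoEnrollment extended right
    # (or all extended rights, ObjectType = empty GUID), or GenericAll on the template.
    $enrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasExtRight = (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                       ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq $autoEnrollRight -or $ace.ObjectType -eq [guid]::Empty)
        $hasFull     = (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)
        if ($hasExtRight -or $hasFull) { $ace.IdentityReference.Value }
    }
    $broadEnrollers = $enrollers | Where-Object {
        $p = $_
        $broadPrincipals | Where-Object { $p -like "*\$_" -or $p -eq $_ }
    }

    [pscustomobject]@{
        Template                = $t.cn
        EnrolleeSuppliesSubject = $enrolleeSuppliesSubject
        AuthEKU                 = $allowsAuth
        ManagerApproval         = $managerApproval
        SignaturesRequired      = $signaturesRequired
        BroadEnrollers          = (@($broadEnrollers) -join ', ')
        # All conditions together are the path the assessment used: enroll as a machine account,
        # put a Domain Admin UPN in the SAN, authenticate as that account.
        Escalatable             = $enrolleeSuppliesSubject -and $allowsAuth -and
                                  -not $managerApproval -and -not $signaturesRequired -and
                                  [bool]$broadEnrollers
    }
}

# Any value above 0 lets every domain user create computer accounts, so "Domain Computers"
# effectively includes every user until this is set to 0.
$domain = Get-ADDomain
Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object @{ n = 'Domain'; e = { $domain.DNSRoot } },
                  @{ n = 'MachineAccountQuota'; e = { $_.'ms-DS-MachineAccountQuota' } }
```

Run it as `.\Audit-PrelogonTemplate.ps1 -TemplateName 'NetskopePrelogon'` (substitute whatever name you gave the template). A row with `Escalatable = True` reproduces the assessment’s finding on paper; the conditions that flip it to False are the ones a template for machine-only authentication should have anyway, namely building the subject from AD information instead of the request, requiring manager approval or an authorized signature, and granting enrollment to a dedicated group of Autopilot devices rather than all Domain Computers, together with a MachineAccountQuota of 0.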