HOW TO - Use Yubikey To Secure Your Domain Network

Captions
[Music] Oh yeah, I hope that you're hearing me. This is the future, all about cyber security, talking about the hackers. I'm just trying to warn you, from the one and only legend, the Cyber Informer. Hey yeah yeah, this is the Cyber Reformer, this is the Cyber Reformer. Let's go.

It's time for the Cyber Security Business Connect and Protect Central Coast how-to video. I am Michael Trimblet, the Cyber Informer, @cyber_informer on Twitter. Today we'll be continuing the YubiKey series. In this video we'll be setting up the YubiKey to secure your login to your business network. If your network is running a domain, in other words running a Windows server, you are likely configured as a domain. I will show you how to configure your Windows server and workstations to securely log in with a YubiKey. Get your propeller hats ready, this is very technical. Let's go.

For details on what a YubiKey is, go back and watch the Q&A video "How do I use multi-factor authentication without a phone? Introducing YubiKey". As we've already covered what a YubiKey is in that video, we'll move on. Windows and Mac use the Personal Identity Verification, or PIV, card standard for smart card verification to log into the Windows operating systems. PIV uses security certificates to prove your identity. The way certificates determine your identity is out of scope for these videos, but take my word for it: it is mathematically secure and computationally infeasible to try and guess keys. This is why they are the preferred method of identification validation. The US federal government uses PIV for accessing federally controlled facilities and information systems. As we'll be logging into a Windows domain, we will see how certificates are configured on the server and workstation. The YubiKey PIV is secure storage for the user certificate.

Warning: this is not for the faint-hearted. This requires configuration of servers and workstations. It requires renewal of certificates after the expiration time, which, if not planned for, could cause downtime for the entire organization. This configuration requires a specific set of YubiKeys; this demonstration will use a YubiKey 5 series key. We need to make sure both your servers and workstations support YubiKeys. The rule of thumb is you must be running Windows Server 2012 R2 or above as your server and Windows 8 or above on your workstation. Installation of the YubiKey Minidriver is required on all computers the key will be used on. If used in a Remote Desktop environment, the minidriver must be installed on both the source (or the client) and the destination (or the server).

There are plenty of gotchas in this configuration. As mentioned in the warning slide earlier, certificates expire. By default the root certificate expires at five years; by default the user certificates expire at one year; by default user certificates auto-renew six weeks prior to expiration. Computers which the YubiKey is used on must be on the network to renew the certificate. In other words, if you have a laptop that is used in the office and taken home, and the renewal prompt appears at home, the certificate can't be updated on the YubiKey unless it is connected to a VPN or on the network at the office. Non-renewal of certificates will mean that the user will be locked out, and probably the biggest gotcha is a non-renewal of the root certificate, which will mean the entire organization will be locked out once it expires. It's very important to diarise these expiration dates to make sure reminders are set to ensure a smooth transition at time of expiry. I'm not sure about you, but in five years I won't remember the key is about to expire. Management of this is important.

Remote Desktop requires a special configuration of the minidriver on the server. Remote Desktop connections must not be enabled for Network Level Authentication or the connection will fail. There is a technical reason behind this involving Kerberos tickets, but this is way out of scope for this video. Just know that this needs to be unticked if you want to use Remote Desktop Connection to that workstation or server. Using YubiKey to administer Hyper-V servers can only be done with Generation 2 servers. Enhanced Session Mode must be enabled on the guest server to pass through USB. When connecting to a server, set local resources to pass through smart cards.

We're going to configure a server and workstation from scratch to support YubiKey login. This is hard. Whilst this video shows you how to easily configure servers, support of such systems may go above the heads of some IT professionals who are not experienced with digital certificates. This can get complex, and if you're not familiar with digital certificates or Active Directory, it's best to call in the IT professionals. This demonstration is rated five propeller hats out of five.

Let's set up YubiKey on a domain network, in other words on a network with a server. First things first, we need to install the Certificate Services role on either your domain controller or a member server. We do that through the Server Manager dashboard. Add the Active Directory Certificate Services role, then hit Next a few times. Make sure Certification Authority is ticked and click Next, and now hit Install. Wait for it to install. Sometimes you need to restart the server, sometimes you don't, so be prepared: you might have to restart. This can take a few minutes to install. Once it's done, hit "Configure Active Directory Certificate Services on the destination server". We give it the login credentials, which is usually just the administrator account, where we'll hit Next. Make sure we tick the box Certification Authority and click Next. We're going to make sure it's an Enterprise CA. Next, we want to select Root CA and click Next. New private key is fine, so we'll click Next. We can accept the defaults here; we'll click Next. We can keep the default name, so we'll just click Next. Keep the validity period of 5 years, which is fine; we'll click Next. The default location for logs is fine as well. Next, and then click on Configure.

By default Windows does not recognize the security key format that we've just created. We need to update Group Policy to allow us to use elliptic curve cryptography certificates. To do this, open up Group Policy Editor, and we're going to create a new GPO just for the YubiKey. Right click on the domain and select "Create a GPO in this domain". I'll give it the name YubiKey. Then we'll edit the new Group Policy Object: right click on it and select Edit. Now we need to update the Group Policy to allow for elliptic curve certificates. Under Computer Configuration go to Policies, Administrative Templates, Windows Components, Smart Card. Now enable the group policy "Allow ECC certificates to be used for logon and authentication" and click OK. We could either wait for Group Policy to update or we could force a Group Policy update. Let's force a Group Policy update: go into PowerShell and use the command gpupdate /force. Group Policy updates, so we're good to go on the server. We can check to make sure that this Group Policy has updated by using the rsop.msc command. This gives you the Resultant Set of Policy screen. We can now confirm from this screen that that policy is enabled. This will show all of the policies that are enabled for this user or computer. All we have to do is find the policy that we're interested in. This one's going to be under Computer Configuration, Administrative Templates, Windows Components and Smart Card. We can see there that the setting is enabled and it's under the GPO name YubiKey, which is exactly where we put it. We'll close out of some of these screens.

Back to the Group Policy, now there is one more section I want to show you. Under Windows Settings, Security Settings, Local Policies and Security Options, we can set a group policy to determine how your computer responds to the YubiKey being unplugged. Scroll down and find the group policy "Interactive logon: Smart card removal behavior". Double click on it and we can then define this policy. By default there is no action, but if we remove the key we can set it to either lock the workstation, force a log off, or disconnect if it is a Remote Desktop session. It is up to the business management to determine which one they would prefer. I'll just define it as No Action. I'll Apply and OK.

Now we need to create a certificate template. This certificate template will be used by each user to populate your YubiKey with an authentication certificate. Go to the Run command and type in certtmpl.msc and hit OK. This brings up the Certificate Templates console. Scroll down and right click on Smartcard Logon; select Duplicate Template. There are quite a number of changes that we need to make to this template to make it work. First things first, we need to look at the Compatibility tab. Certification Authority and Certificate Recipient we need to make sure are at the same levels as what your server and your workstations are. So if you have a 2016 or 2019 server, you choose Server 2016 in the Certification Authority section. Now we need to know the minimum operating system that you have on your network. If you have a Windows 7 machine but everything else is Windows 10, we still need to select Windows 7. If everything is Windows 10, we select Windows 10, which is what we'll do in this demonstration. Click OK to the screen that pops up. Click on the General tab. In there we'll type in the name of the template; in this case we're going to call it YubiKey. We can see the validity period of one year and renewal period of six weeks; they're both okay to stay as they are. Now we need to tick the box next to "Publish certificate in Active Directory" and also "Do not automatically re-enroll if a duplicate certificate exists in Active Directory", and click the Apply button. Click on the Request Handling tab. Keep the purpose as Signature and Encryption. Tick the box "Include symmetric algorithms allowed by the subject". Tick the box for "Automatic renewal of smart card certificates, use the existing key if a new key cannot be created". Change the radio button to "Prompt the user during enrollment" and click Apply. Go to the Cryptography tab. Update the provider category to Key Storage Provider. Change the algorithm name to ECDH_P384. Minimum key size can stay the same. Hit the radio button "Requests must use one of the following providers" and put a tick next to Microsoft Smart Card Key Storage Provider, with a request hash of SHA256, and hit the Apply button. Now in the Security tab we add in the user or group that this certificate is going to apply to. In this case it's going to be all users in the network, or Domain Users. We'll add in Domain Users, Check Names to make sure it's spelt correctly, and then click OK. Click on Domain Users, and now we need to set the permissions for these users. We need to make sure we have Read in the Allow column ticked. We need to also tick Enroll and Autoenroll. Once this is done we can click Apply and OK, and now we have successfully set up the template that we're going to use with the YubiKey.

We're not done on the server yet. There are a couple of additional settings that we need to change. Right click on the Start button and go to the Run command, type in certsrv.msc and press Enter. We need to add the certificate template to the Certification Authority. To do that we go to Certificate Templates under the server name, right click in a white space and select New, Certificate Template to Issue. Scroll down to the YubiKey, select it and click OK. We can see now it's added to the top of the Certificate Templates section. This can take up to eight hours to populate throughout your network, depending on how complex your network is; on most networks it will update instantly.

Now we need to update four more group policies. Go to the Run command and type in gpmc.msc to open up Group Policy Management. Under the domain we should see our YubiKey group policy. Right click on this and select Edit. In Computer Configuration go to Policies, Windows Settings, Security Settings, Public Key Policies and click on that. Click on Public Key Policies. Right click on "Certificate Services Client - Auto-Enrollment" and click on Properties. Change the configuration model to Enabled. Tick the boxes next to "Renew expired certificates" and "Update certificates that use certificate templates". Click OK. Now right click on "Certificate Services Client - Certificate Enrollment Policy" and click Properties. Change configuration model to Enabled and then click OK. Now we must update the same policies under User Configuration. Under User Configuration go to Policies, Windows Settings, Security Settings and click on Public Key Policies. Right click on "Certificate Services Client - Certificate Enrollment Policy" and click on Properties. Change configuration model to Enabled and click OK. Right click on "Certificate Services Client - Auto-Enrollment" and then click on Properties. Change configuration model to Enabled and put the ticks in the boxes that we did last time, next to "Renew expired certificates" and "Update certificates that use certificate templates", and click OK to save it. Now Group Policy has been updated, we need to do a Group Policy update. To do this, right click on the Start button, go to PowerShell (Admin), type in the command gpupdate /force and press Enter.

Once Group Policy is updated, we now can go to the workstation to update the YubiKey. On the Windows 11 workstation you may get an icon down by the time that looks like a certificate. If you click onto that it should launch the enrollment wizard. If the certificate is not there, we need to run the command manually. Open up Windows Terminal or Command Prompt and type in the command certreq -enroll YubiKey. This will now launch a wizard that will allow us to put a certificate on our YubiKey using the YubiKey template that we created earlier. On the wizard screen click Next and then click Enroll. We now have the YubiKey plugged in. It will ask us for the PIN of the YubiKey, which we will type in. It will now enroll our certificate on the YubiKey. We can now click Finish. The current user can now log into the Windows domain using that YubiKey. I'll sign out so we can see how it works. On the login screen click on Sign-in options and click on the smart card. We can see that it's read our login details from the smart card. We enter our PIN and now we log in, no need to enter a password. Note that we don't have to use YubiKeys to log in for all users, only those that have been enrolled. So if I go back to log in with another user, like the admin of the network, which is loyality, we can pop the loyality password in and it will log us in.

Now that we've tested the YubiKey login, we need to now enforce the login of the YubiKey for that user. To do that we need to be back on the server. In Server Manager we go to Active Directory Users and Computers. We select the user by double clicking on it, go to the Account tab, and in the Account Options section put a tick next to "Smart card is required for interactive logon" and then click OK. Back on the workstation, if we try entering in the cyberinformer's password we will get denied. It tells us we must use Windows Hello or a smart card to sign in. We'll plug in the smart card and then click on the smart card button. Now we can enter the PIN and it will log us in. That is everything to do with the setup of the YubiKey.

But let's have a look at what's actually on the YubiKey. So if we go into the Start button and type in YubiKey Manager, click on YubiKey Manager and that will open up the YubiKey Manager screen. When we insert the key we can then see the YubiKey that we have inserted. Go to Applications and down to PIV. This screen allows us to configure our PINs. Under PIN management we can change the PIN and change the management key. We can see the certificates loaded. When we go in there we can see the security server CA, cyberinformer; that's the certificate on the key, that's what allows us to log into Windows. We can see that there's other slots for different types of certificates, and we can also reset the PIV, so we can reset everything back to factory defaults if we want. And finally, under Interfaces we can see it has USB and NFC. We can turn on and off the different types of authentication based on the type of connection, USB or NFC. In this case we're just going to leave them all on; we don't want to deny anything. And that concludes our walkthrough of the YubiKey on domain networks.

Let's exit the propeller hat zone and wrap up the video. What did we learn? This can be hard. Once configured, it offers bulletproof security to domain networks. YubiKey brings enterprise grade security to your small-medium business. Certificate management needs to be considered and planned for during implementation. For admins it is complex, but for end users secure login couldn't be easier. Thank you for joining me for a look at configuring YubiKey on a domain network. Multi-factor authentication on domain networks can be complex and expensive; in comparison to these expensive systems, YubiKey makes the infrastructure cheap and simple by using Certificate Services already available in Windows. Don't let the complexities of certificate management deter you from using it. It is a brilliant solution to securing your Windows domain login. Don't forget you can contact me via email, Instagram, Facebook or Twitter. Also check out the podcast at loyolait.com/podcast. Until next time, stay safe online. This is the Cyber Reformer, this is the Cyber Reformer. Heck, are you going down? [Music]
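The walkthrough's biggest operational risks are the ones it calls gotchas: the root CA certificate expiring at five years, user certificates expiring at one year with a six-week renewal window, the ECC logon GPO not applying, Network Level Authentication left on for Remote Desktop, and not knowing which accounts have "Smart card is required for interactive logon" set. The following PowerShell audit script is an added example written for this page; it is not code from the video or from Loyal I.T. Solutions. It assumes it is run in an elevated PowerShell on a domain-joined Windows host that has received the YubiKey GPO, that the ActiveDirectory RSAT module may or may not be installed (the user check is skipped if it is absent), and that the registry locations are the ones the policy templates write to (EnumerateECCCerts, ScRemoveOption and UserAuthentication, as I know them from the policy definitions; verify against rsop.msc on your own domain). The 42-day warning threshold is chosen to match the template's six-week renewal period.

```powershell
# Added example, not from the video or from Loyal I.T. Solutions.
# Audits the expiry and policy gotchas from the YubiKey domain walkthrough.
# Assumptions: elevated PowerShell on a domain-joined host; ActiveDirectory
# module optional; registry paths per the policy templates (verify locally).

param(
    [int]$WarnDays = 42   # six weeks, matching the template's renewal period
)

function Get-ExpiringCertificates {
    param(
        [int]$Days = 42,
        [string[]]$Stores = @('Cert:\LocalMachine\Root',   # enterprise root CA copy
                              'Cert:\LocalMachine\CA',
                              'Cert:\CurrentUser\My')      # local copy of the enrolled user cert
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter -le $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    DaysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                    # Self-issued certificate = root CA: its expiry is the
                    # "entire organization locked out" case from the video.
                    IsRootCA   = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

function Get-SmartCardPolicyState {
    # "Allow ECC certificates to be used for logon and authentication"
    $eccKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    $ecc = (Get-ItemProperty -Path $eccKey -Name EnumerateECCCerts -ErrorAction SilentlyContinue).EnumerateECCCerts

    # "Interactive logon: Smart card removal behavior"
    # 0 = No Action, 1 = Lock Workstation, 2 = Force Logoff, 3 = Disconnect if RDP session
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $remove = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    $removalNames = @{ '0' = 'No Action'; '1' = 'Lock Workstation'; '2' = 'Force Logoff'; '3' = 'Disconnect if RDP session' }
    $removalText = 'Not configured'
    if ($null -ne $remove) { $removalText = $removalNames["$remove"] }

    # RDP listener: UserAuthentication 1 = NLA required, which the video says
    # must be off for smart card logon over Remote Desktop.
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    [pscustomobject]@{
        EccLogonEnabled = ($ecc -eq 1)
        RemovalBehavior = $removalText
        RdpNlaRequired  = ($nla -eq 1)
    }
}

function Get-SmartCardRequiredUsers {
    # Accounts with "Smart card is required for interactive logon" ticked
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return @() }
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, Enabled
}

# --- report ---
"== Certificates expiring within $WarnDays days =="
$expiring = Get-ExpiringCertificates -Days $WarnDays
if ($expiring) { $expiring | Sort-Object NotAfter | Format-Table Store, Subject, DaysLeft, IsRootCA -AutoSize }
else           { "none" }

"== Smart card policy state on this host =="
Get-SmartCardPolicyState | Format-List

"== Users required to use a smart card =="
$users = Get-SmartCardRequiredUsers
if ($users) { $users | Format-Table -AutoSize } else { "none found (or ActiveDirectory module not installed)" }
```

Run it from the domain controller (or CA server) to catch the root certificate, and from a workstation to confirm the GPO landed and to see the user's enrolled certificate. A scheduled task that runs it monthly and mails the output is a practical substitute for the diary reminder the video recommends: the IsRootCA column is the one that must never show a small DaysLeft value.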
Info
Channel: Loyal I.T. Solutions
Views: 33,100
Id: KsGcSCqs4Ps
Length: 19min 46sec (1186 seconds)
Published: Sun Jan 30 2022