HTTP Strict Transport Security (HSTS) is a feature commonly used by websites to protect against protocol downgrade attacks, where an attacker forces the use of insecure HTTP instead of HTTPS. If successful, the attacker can intercept unencrypted communication between the client and the web server. This is undesirable for obvious reasons. As such, web server administrators implement an HTTP response header named Strict-Transport-Security with some additional settings that instruct the user agent, in this case, a web browser, to only use secure HTTPS when communicating with the web server. Attempts to use HTTP will not work.
VPN and SSTP
As security is always a top concern when building an Always On VPN infrastructure, careful attention must be paid to VPN protocol configuration to ensure optimal security. Secure Socket Tunneling Protocol (SSTP) is a popular VPN protocol for Always On VPN user tunnel connections. SSTP uses Transport Layer Security (TLS) for encryption, so administrators are encouraged to implement recommended security configurations, such as disabling insecure protocols like TLS 1.0 and TLS 1.1 and optimizing TLS cipher suites as described here.
SSTP with HSTS
It would seem that enabling HSTS on a Windows RRAS VPN server would be ideal for improving SSTP security. However, that’s not the case. HSTS prevents protocol downgrade attacks from HTTPS to HTTP, but SSTP already uses HTTPS exclusively, making the use of HSTS irrelevant. If an attacker attempted a protocol downgrade attack on an SSTP VPN connection, it would fail because the service does not support HTTP between the client and the VPN gateway. Additionally, even if it were possible to configure RRAS to send an HSTS response header, it would be ignored by the client because the user agent is not a web browser.
Microsoft introduced important changes affecting certificate-based authentication on Windows domain controllers as part of the May 10, 2022 update KB5014754 that may affect Always On VPN deployments. The update addresses privilege escalation vulnerabilities when a domain controller is processing a certificate-based authentication request. The recommendation from Microsoft is that the update be applied to all Windows domain controllers and Active Directory Certificate Services (AD CS) servers as soon as possible.
After applying the update to certification authority (CA) servers, a non-critical extension with Object Identifier (OID) 1.3.6.1.4.1.311.25.2 is added to all issued certificates with the user or device security identifier (SID) included. Domain controllers with the update installed will use this information to validate the certificate used for authentication and ensure that it matches the information in Active Directory.
Domain Controllers
The update operates in Compatibility Mode, by default, when applied to domain controllers. Windows monitors authentication requests and records audit events for certificates presented for authentication under the following conditions.
No strong mapping (event ID 39) – The certificate has not been mapped explicitly to a domain account, and the certificate did not include the new SID extension.
Certificate predates account (event ID 40) – A certificate was issued before the user existed in Active Directory, and no explicit mapping could be found.
User’s SID does not match certificate (event ID 41) – A certificate contains the new SID extension, but it does not match the SID of the corresponding user account.
Certificate Mapping
Administrators can map certificates explicitly to accounts in Active Directory, but this results in a significant administrative burden in most environments. A better option is to reissue user and device authentication certificates after applying the KB5014754 update to all issuing CA servers.
Reenroll Certificates
Administrators should reissue user and device authentication certificates after applying the KB5014754 update. Open the Certificate Templates management console (certtmpl.msc), identify the user or device authentication certificate template, then right-click on the template and choose Reenroll All Certificate Holders.
Enforcement Mode
After applying update KB5014754, administrators should monitor domain controller event logs for event IDs 39, 40, and 41. Once all certificates have been updated, and none of these events have been recorded for 30 days, administrators can switch to Full Enforcement Mode by enabling it in the registry on all domain controllers.
Updated 12/8/2022: Microsoft has pushed back the original enforcement date of May 9, 2023, to November 14, 2023 “or later”. Stay tuned!
Updated 11/29/2022: Microsoft now states that the full enforcmenet mode date is now February 11, 2025 “or later”. Once again, stay tuned!
Known Issues
There have been some reports of authentication issues after installing the KB5014754 update. Early indications are that device authentication certificates missing a Subject Alternative Name (SAN) entry are to blame. Administrators are encouraged to update their device certificates to include the SAN entry. Optionally, but not recommended, administrators can place the update in disabled mode by editing the registry.
Note: An out-of-band update for these authentication issues is now available. See the reference links at the top of this article for more information.
Caveat
It’s important to understand that this new OID is added only to online templates. Online templates are those that build the subject information from Active Directory. Unfortunately, this new OID is NOT applied to offline templates (templates where the subject name is supplied in the request), such as those used for delivering certificates with Microsoft Endpoint Manager/Intune using PKCS or SCEP. It is impossible to move to enforcement mode when issuing user or device authentication certificates with Microsoft Endpoint Manager or Intune today. Microsoft is aware of this limitation and is working to address this issue as we speak. I expect a fix to be available sometime before the May 2023 deadline when Microsoft permanently switches on enforcement mode.
Windows Server Routing and Remote Access Service (RRAS) is popular for Always On VPN deployments because it supports the Secure Socket Tunneling Protocol (SSTP). The SSTP VPN protocol is recommended for use with the Always On VPN user tunnel because it is firewall friendly. Installing a TLS certificate on the VPN server is necessary to support SSTP VPN connections. Administrators should use a TLS certificate signed by a public certification authority (CA) for optimal reliability and performance.
Click here to view a video demonstration of the procedures outlined in this article.
Certificate Expiration
Of course, all certificates expire, and the TLS certificate used for SSTP is no exception. When using a public TLS certificate, the certificate lifetime is typically no more than one year, which means Always On VPN administrators will be renewing this certificate regularly.
Certificate Renewal
The process of “renewing” an SSTP TLS certificate is essentially the same as installing a new one, as it is best to create a new public/private key pair when renewing a certificate. The following outlines the steps required to generate a Certificate Signing Request (CSR), import the certificate, then assign the certificate to the SSTP listener on the VPN server.
Note: The guidance provided here assumes using an ECC certificate, which is best for optimal security and performance. More details here.
Certificate Request
Open the local computer certificate store (certlm.msc) on the VPN server and perform the following steps to generate a new CSR.
Expand Certificates – Local Computer > Personal.
Right-click the Certificates folder and choose All Tasks > Advanced Operations > Create Custom Request.
Click Next.
Highlight Proceed without enrollment policy.
Click Next.
Select (No template) CNG key from the Template drop-down list.
Select PKCS #10 in the Request format section.
Click Next.
Click on the down arrow next to Details.
Click on the Properties button.
Select the General tab.
Enter the public hostname for the certificate in the Friendly name field.
Select the Subject tab.
Select Common name from the Type drop-down list in the Subject name section.
Enter the public hostname for the certificate in the Value field.
Click Add.
In the Alternative name section, select DNS from the Type drop-down list.
Enter the public hostname for the certificate in the Value field.
Click Add.
Select the Extensions tab.
Expand the Extended Key Usage section.
Select Server Authentication from the Available options section.
Click Add.
Select the Private Key tab.
Expand the Cryptographic Service Provider section.
Uncheck the box next to RSA,Microsoft Software Key Storage Provider.
Check the box next to ECDSA_P256,Microsoft Software Key Storage Provider.
Expand the Key options section.
Check the box next to Make private key exportable.
Click Ok.
Click Next.
Enter a name for the file in the File Name field.
Select Base 64 in the File format section.
Click Finish.
Import Certificate
Once complete, submit the file created to a public CA for signing. When the CA returns the signed certificate, perform the following steps to import it to the local compute certificate store.
Right-click the Certificates folder and choose All Tasks > Import.
Click Next.
Enter the name of the certificate file returned by the public CA in the File name field.
Click Next.
Select Place all certificates in the following store and ensure that Personal is listed in the Certificate store field.
Click Next.
Click Finish.
Click Ok.
Assign Certificate
After importing the new TLS certificate in the local computer’s certificate store, open the Routing and Remote Access management console (rrasmgmt.msc) and perform the following steps to assign the TLS certificate to the SSTP listener.
Right-click the VPN server and choose Properties.
Select the Security tab.
Select the new TLS certificate from the Certificate drop-down list in the SSL Certificate Binding section. When replacing an existing certificate, you may see a certificate with the same name more than once. Click the View button and ensure the new certificate is selected.
Click Ok.
Click Yes to restart the RemoteAccess service.
Demonstration Video
A recorded video demonstration of this process can be found here. The video recording also includes guidance for making these changes on Windows Server Core servers.
