Vadims Podāns 21.03.2019 19:07 (GMT+2) 34 PKI & ADCS Whitepapers You Must Read

> Do you have a copy of the 2008 updated white paper titled “Microsoft IT Showcase: Deploying PKI inside Microsoft”?

Yes, I do, but only a 40-page .doc version, no slides unfortunately. Last update was in 2011. Though, it is not a whitepaper in my understanding and I didn't publish it here. And this document doesn't provide any information on custom Exit Module development.

DTK 21.03.2019 18:33 (GMT+2) 34 PKI & ADCS Whitepapers You Must Read

Vadims,

Thank you for aggregating and curating this great collection of PKI knowledge, some of which has become hard to find. The knowledge and the perspective of how our profession has evolved over the last two decades has been invaluable.

Do you have a copy of the 2008 updated white paper titled “Microsoft IT Showcase: Deploying PKI inside Microsoft”? Brian Komar’s seminal “PKI and Certificate Security” references it as illustrating how to build an exit module. Microsoft no longer seems to host this, and while the Wayback Machine on the Internet Archive has the page to download it, the .DOC and .PPT files are not archived there.

Thanks,

- DTK

Vadims Podāns 15.03.2019 18:53 (GMT+2) Retrieve CNG key container name and unique name

> Can you do the reverse?

With some degree of accuracy it is possible. The idea is the same: get the container name from the file, enumerate all certificates in the store and check whether a particular certificate contains key information that points to the specified file name. Though, I would go a bit different way: load the key in the provider and extract the public key. Again, enumerate the certificates in the store and check if there is a matching public key in a certificate. This is how "certutil -repairstore" works.

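The first approach described in the reply above (map a key file back to the certificate that references it), as an added PowerShell example that is not part of the original post or comments. It assumes Windows PowerShell 5.1 or later on .NET Framework 4.6+, where RSACertificateExtensions.GetRSAPrivateKey returns an RSACng object for CNG keys (whose CngKey.UniqueName is the key-file name under ...\Crypto\Keys\) and an RSACryptoServiceProvider for legacy CAPI keys (whose CspKeyContainerInfo.UniqueKeyContainerName is the file name under ...\Crypto\RSA\MachineKeys\). The function name and parameters are hypothetical.

```powershell
# Added example, not from the original post or its comments.
# Assumes: Windows PowerShell 5.1+, .NET Framework 4.6+ (RSACng available),
# and that the caller has read access to the certificate store being searched.
function Find-CertificateByKeyFile {
    [CmdletBinding()]
    param(
        # File name (or full path) of the key file taken from the Crypto\Keys or Crypto\RSA folders
        [Parameter(Mandatory)][string]$KeyFileName,
        # Store to search; LocalMachine\My is assumed for machine keys, CurrentUser\My for user keys
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Compare only the leaf file name; the unique name reported by the provider has no directory part.
    $target = [System.IO.Path]::GetFileName($KeyFileName)

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Certificates without an associated private key cannot point at any key file.
        if (-not $cert.HasPrivateKey) { continue }

        try {
            # Resolves the private key through whichever provider (CNG or CAPI) stores it.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            # Typical causes: key is not RSA, or the current account cannot open the key container.
            Write-Verbose "Skipping $($cert.Thumbprint): $($_.Exception.Message)"
            continue
        }
        if ($null -eq $rsa) { continue }

        $unique = $null
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG (Microsoft Software Key Storage Provider): UniqueName is the on-disk key file name.
            $unique = $rsa.Key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI provider: UniqueKeyContainerName is the file name under Crypto\RSA\...
            $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }

        if ($unique -and ([System.IO.Path]::GetFileName($unique) -ieq $target)) {
            # Emit the matching certificate object so the caller can inspect Subject, Thumbprint, etc.
            $cert
        }
    }
}

# Usage (constructed file name; replace with a real entry from the key folder):
# Find-CertificateByKeyFile -KeyFileName 'f686aace6942fb7f7ceb231212eef4a4_<guid>' |
#     Select-Object Subject, Thumbprint, NotAfter
```

This performs the "compare the file name" variant rather than the public-key comparison the reply prefers, because the unique name is available from the provider without parsing the key file. A certificate whose key lives in a third-party KSP (for example an HSM) will be skipped, since its UniqueName does not correspond to a file in the Crypto folders; a certificate whose private key is missing from the store is also skipped, and those are exactly the cases where "certutil -repairstore" is normally needed.
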
AndrePKI 15.03.2019 18:39 (GMT+2) Retrieve CNG key container name and unique name

Can you do the reverse? I.e., given a file name in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ or C:\Users\<name>\AppData\Roaming\Microsoft\Crypto\RSA\<SID>\, find which certificate is associated with this key (container) file? Or is it just a one-way thing?

Vadims Podāns 10.03.2019 23:05 (GMT+2) PowerShell 5.0 and Applocker. When security doesn’t mean security (part 2)

> Why do you want to screen .PS1 files yet have the interactive prompt fully open?

The idea behind this is that PS1 screening still helps to prevent automatic (mostly accidental) script execution. SRP is bypassable, AppLocker too. These are not security features and they won't get fixed. This means that PS constrained mode makes very little sense. Maybe against inexperienced users only.

> If the interactive prompt is open, your system is open.

If I have interactive access, nothing will keep me from executing arbitrary PS code. I won't even use the powershell.exe console. There are plenty of ways to execute arbitrary PS code without running the powershell.exe console, and these ways are not protected in any way.