Enable Schannel logging

To enable logging for Secure Channel (Schannel), use the following guide.

Add the following registry value (under the SCHANNEL key):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging (REG_DWORD)

Set one of the following values:

0x0000 Do not log
0x0001 Log error messages
0x0002 Log warnings
0x0004 Log informational and success events

When troubleshooting I like to set it to 0x0007 (0x0001 + 0x0002 + 0x0004) so that errors, warnings and informational events are all logged. Reboot your machine to start the logging process.

The data will end up in the “System” event log with the source name “Schannel”. Keep an eye out for event ID 36880, which indicates a successful handshake. It would look something like:

A SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol: TLS 1.2
CipherSuite: 0xc028
Exchange strength: 256

To translate the CipherSuite code into a cipher suite name, use the following site:
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/

In the example above this would translate to: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
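As an added example (not from the original post), the following PowerShell sets the EventLogging value to 0x7, reads back the 36880 events and translates the CipherSuite code with a small lookup table. The table is a subset of the IANA registry that I added; the provider name 'Schannel' and the message layout are taken from the event text above.

```powershell
# Added example: enable full Schannel logging (0x7) and decode event 36880.
# Run elevated; a reboot is still needed before new events show up.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannelKey -Name 'EventLogging' -Value 7 -Type DWord

# Subset of the IANA cipher-suite registry (added here; extend as needed).
$cipherSuites = @{
    0xC028 = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
    0xC027 = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    0xC030 = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    0xC02F = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    0x0035 = 'TLS_RSA_WITH_AES_256_CBC_SHA'
    0x002F = 'TLS_RSA_WITH_AES_128_CBC_SHA'
}

function ConvertFrom-SchannelHandshakeEvent {
    param([Parameter(Mandatory)] $Event)
    # Event 36880 text contains lines such as "Protocol: TLS 1.2" and "CipherSuite: 0xc028".
    $protocol = [regex]::Match($Event.Message, 'Protocol:\s*(.+)').Groups[1].Value.Trim()
    $suiteHex = [regex]::Match($Event.Message, 'CipherSuite:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    if (-not $suiteHex) { return $null }
    $suiteCode = [Convert]::ToInt32($suiteHex, 16)
    $name = $cipherSuites[$suiteCode]
    if (-not $name) { $name = 'unknown (0x{0:X4})' -f $suiteCode }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Protocol    = $protocol
        CipherSuite = $name
        # Flag parameters a defender would want to phase out: pre-TLS 1.2, CBC, or no forward secrecy.
        Legacy      = ($protocol -notmatch '1\.[23]') -or ($name -match '_CBC_|^TLS_RSA_')
    }
}

# Source "Schannel" in the System log, as described in the post.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SchannelHandshakeEvent -Event $_ } |
    Format-Table -AutoSize
```

The Legacy column is only a quick triage aid; what counts as acceptable depends on your own baseline.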

Reference

TLS/SSL Settings

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

TLS/SSL Security Considerations

https://technet.microsoft.com/en-us/library/dn786446(v=ws.11).aspx

Cipher Suites in TLS/SSL (Schannel SSP)

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Prioritizing Schannel Cipher Suites

https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

https://support.microsoft.com/en-gb/kb/245030

Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows

https://support.microsoft.com/en-gb/kb/3161639

IIS Crypto

https://www.nartac.com/Products/IISCrypto/

The Microsoft Root Certificate Program

A couple of days ago I had to deal with a situation where our vulnerability tool was complaining that the root certificate store hadn’t been updated for a while. After doing some research it turned out that the update service for the Microsoft Root Certificate Program was blocked. That in turn triggered me to dig into the more technical part of the Microsoft Root Certificate Program. In short, the Root Certificate Program makes the end user’s browsing experience a better one. When you visit an HTTPS-enabled website, Windows checks whether you trust the root authority that issued the certificate (or the intermediate CA, for that matter). If that root certificate is not in the “Trusted Root Certification Authorities” container, a list of known participants of the Root Certificate Program is consulted to see whether that root CA is listed. If it is, the certificate is automatically downloaded and stored in “Trusted Root Certification Authorities”.

Although it sounds like a good plan, it can be a bit confusing. In our case we work in a disconnected environment, i.e. one that cannot connect to Windows Update. In that case you can tell Windows to use an internal web or file server to host the certificate list. The process is exactly the same; it just uses a different repository. The confusing part was when I noticed that the location wasn’t reachable, yet the root certificates were installed regardless. What kind of magic was at play here? Turns out it isn’t magic after all. Back with the introduction of Windows Vista, a long time ago, Microsoft embedded the then-current list of root certificates in crypt32.dll. So if the automatic root certificate process can’t reach Windows Update or an internal web or file server, it extracts the certificate from crypt32.dll. It took a while before I figured that one out.

Quick steps to manage your internal certificate list

Use the following steps on your Server:

  • Create a local folder and share it.
  • Use: certutil -syncWithWU <path\folder>
    This downloads all the appropriate data from the Windows Update site, being:

    • authrootstl.cab, contains the certificate trust list (STL) of non-Microsoft root certificates
    • disallowedcertstl.cab, contains an STL of untrusted certificates
    • disallowedcert.sst, contains a serialized certificate store (SST) of untrusted certificates
    • Pinrulesstl.cab, contains an STL of certificate pinning rules (Windows 10 and higher)
    • Pinrulesstl.sst, contains a serialized certificate store (SST) for certificate pinning
    • *.crt, all individual root certificate files

Set the following registry value on your client/target so that it points to your share:

HKLM\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirURL=file://\\server\share (REG_SZ)

This setting is effective immediately.
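The server and client steps above as one script, added here as an example (not from the original post). The folder D:\AuthRoot, the share name AuthRoot and the server name SRV01 are assumed placeholders; the file names checked are the ones listed above.

```powershell
# Added example: mirror the Windows Update root data to a share and point a client at it.
# Assumed names: D:\AuthRoot (folder), AuthRoot (share), SRV01 (server). Run elevated.

# --- Server side: create and share the folder, then sync from Windows Update ---
$localPath = 'D:\AuthRoot'
New-Item -ItemType Directory -Path $localPath -Force | Out-Null
if (-not (Get-SmbShare -Name 'AuthRoot' -ErrorAction SilentlyContinue)) {
    # Clients only need to read the files, so grant read access only.
    New-SmbShare -Name 'AuthRoot' -Path $localPath -ReadAccess 'Everyone' | Out-Null
}
certutil.exe -syncWithWU $localPath
if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed with exit code $LASTEXITCODE" }

# Sanity check: the files described in the post should now be present.
$expected = 'authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst'
$missing = $expected | Where-Object { -not (Test-Path (Join-Path $localPath $_)) }
if ($missing) { Write-Warning ("Missing after sync: {0}" -f ($missing -join ', ')) }
$crtCount = (Get-ChildItem -Path $localPath -Filter '*.crt').Count
Write-Host "Synced $crtCount individual root certificate (.crt) files to $localPath"

# --- Client side: use the share instead of Windows Update (effective immediately) ---
$clientKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
New-Item -Path $clientKey -Force | Out-Null
Set-ItemProperty -Path $clientKey -Name 'RootDirURL' -Value 'file://\\SRV01\AuthRoot' -Type String

# Verify the value and that the client can actually reach the share it points to.
(Get-ItemProperty -Path $clientKey -Name 'RootDirURL').RootDirURL
if (-not (Test-Path '\\SRV01\AuthRoot\authrootstl.cab')) {
    Write-Warning 'Share not reachable from this client; Windows will fall back to crypt32.dll'
}
```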

Tips

Enable AutoUpdate of the trusted Certificate Trust List

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate=0 (REG_DWORD)

Setting this to 1 turns off the whole auto update mechanism, for both trusted and untrusted certificates.

Enable AutoUpdate of the untrusted Certificate Trust List (the default is to update both trusted and untrusted certificates)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate=1 (REG_DWORD)

Create a custom serialized certificate store

  • Certutil -generateSSTFromWU <path\file.sst>
  • start explorer.exe <path\file.sst>
  • Select the certificates that you want and export the file to a new sst.
  • Import the file in your group policy

Clean the local download cache (only applies to the Windows Update download)

Locate the “CryptnetUrlCache” folder and delete its content. It is usually in your user profile (“%userprofile%\AppData\LocalLow\Microsoft\CryptnetUrlCache”).

Enable CryptoAPI 2.0 Diagnostics

Enable the Capi2 event log (located in the “Applications and Services Logs”) to get crypto operations logging.

Start a cryptographic operation

To initiate a crypto operation and see the automatic root certificate update at work, browse to an HTTPS-enabled website or open one of the certificates from the download mentioned above. Removing the certificate from the store and starting a crypto operation again will reinitiate the process.

Dump the content of a Certificate Trust List

certutil.exe -dump <path\file.stl>
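The tips above chained into one diagnostic run, added here as an example (not from the original post): confirm the auto update policy values, enable the CAPI2 log, clear the cache, trigger a chain build and read back what CAPI2 recorded. The test URL and the keyword filter on the event text are my assumptions.

```powershell
# Added example: diagnose automatic root certificate updates end to end. Run elevated.

# 1. Make sure policy has not switched auto update off (values from the post).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'EnableDisallowedCertAutoUpdate' -Value 1 -Type DWord

# 2. Enable the CAPI2 Operational log (found under "Applications and Services Logs").
wevtutil.exe sl 'Microsoft-Windows-CAPI2/Operational' /e:true

# 3. Clear the cached downloads so the next lookup has to fetch again.
$cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Microsoft\CryptnetUrlCache'
if (Test-Path $cache) { Get-ChildItem -Path $cache -Recurse -File | Remove-Item -Force }

# 4. Trigger a cryptographic operation: an HTTPS request forces a certificate chain build.
$started = Get-Date
try {
    Invoke-WebRequest -Uri 'https://www.microsoft.com/' -UseBasicParsing | Out-Null  # assumed test URL
} catch {
    Write-Warning "Request failed: $_"
}

# 5. Read back the CAPI2 events written since the request. Filtering the message
#    text on the artefacts named in the post (assumed keywords) shows which
#    objects were fetched and from where.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; StartTime = $started } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'authroot|RootDirURL|\.cab|\.crt|\.crl|\.sst' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

If nothing shows up, check the CryptnetUrlCache folder: a fresh cab or crt there means the fetch happened but the filter missed it.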

Reference

An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

https://support.microsoft.com/en-us/help/2677070/an-automatic-updater-of-untrusted-certificates-is-available-for-windows-vista,-windows-server-2008,-windows-7,-and-windows-server-2008-r2

Configure Trusted Roots and Disallowed Certificates

https://technet.microsoft.com/en-us/library/dn265983%28v=ws.11%29.aspx

Root update download location

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab