A couple of questions regards code signing and popup warnings in IE

    Question

  • Hello

    Can someone please help me with the following questions, thanks in advance.

    We have an AD Domain (Windows 2003 R2 SP2) which has a Domain Controller running Microsoft Certificate Services 'Enterprise CA'.

    We have a WEB site on another Windows Server in the same domain. This WEB site on this Server has some code written by one of our internal software engineers.

    When a user on the network goes to the web page in question, the code is executed and a popup warning is then displayed stating “Publisher: Unknown”, do you want to trust this code.

    All the desktop computers in the company have a copy of our internal CA in the Trusted Root Certificate Authority store.

    So the engineer (Jo Blogs) requested a Code Signing certificate from the CA, and signed the code using this certificate. Now when the user goes to the WEB page they get a different message, “Publisher: Jo Blogs”, do you want to trust this code.

    Next, if we then take Jo’s code signing cert and install it into the “Trusted Publishers” store on the desktop computer, when the user goes to the WEB page there are no more popup warnings and the page works as expected.

    Here are my questions (thanks)

    1: As the code signing cert was issued by our internal CA and the Root certificate for the CA is in the Trusted Root Certificate Authority store on the desktop computers, I would have thought that IE on the desktop computer would say OK, this code was signed by a CA which I trust and therefore I trust the cert and will not need to pop up a warning message.

    2: As above we installed Jo Blogs' code signing cert in the “Trusted Publishers” store; my concern is someone with admin rights could export the cert, and then use it to sign more code, thereby pretending the code is from Jo Blogs when in fact it is not.

    I would point out that when Jo requested a code signing cert he did this by going to the certificate services web site on the CA, e.g. http://CA-Server/certsrv

    3: Rather than signing the code at all, can we add the WEB site URL or http://WEB-Server/* to Trusted Sites, or similar, within IE itself, meaning any code that requests execution, as long as it comes from an approved URL, does not prompt the user for approval?

    I would be very grateful if someone could answer/clarify the above points for me please.

    Thanks all in advance

    JoB333x1!


    Saturday, September 07, 2013 7:59 PM

Answers

  • 1) You can add your web site either to Trusted Sites or even to the Local Intranet zone (for internal users only).

    2) Technically it is possible. To avoid this, you should consider using smart cards to store code signing certificates. In addition, you should control your CA to verify each incoming request for the Code Signing certificate template and require manual approval.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    • Marked as answer by JoB333 Wednesday, September 11, 2013 6:26 AM
    Sunday, September 08, 2013 6:39 PM
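    Added example (not from this thread or its authors): a PowerShell script that audits which hosts the current user's IE profile has already placed in a security zone, and maps the internal site into the Local Intranet zone that the answer above recommends. It assumes the site is reached as http://WEB-Server (the single-label host name from the question); hostname, scheme and zone number are parameters.

```powershell
# Added example: audit and set per-user IE zone assignments via the ZoneMap
# registry keys. Assumed host name: WEB-Server (change $HostName as needed).
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# List every host already mapped to a zone, so over-broad entries (for example a
# whole external domain sitting in Trusted Sites) are visible before adding more.
function Get-ZoneAssignments {
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $key = $_
        $key.GetValueNames() | ForEach-Object {
            [pscustomobject]@{
                # Registry layout is Domains\<domain.tld>\<subdomain>, shown as stored
                Host   = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
                Scheme = $_                              # 'http', 'https' or '*'
                Zone   = $zoneNames[[int]$key.GetValue($_)]
            }
        }
    }
}

# Map one host to a zone for one scheme. Zone 1 (Local Intranet) is the
# narrower choice suggested for internal users; zone 2 is Trusted Sites.
function Set-ZoneAssignment {
    param([string]$HostName, [string]$Scheme = 'http', [int]$Zone = 1)
    $parts   = $HostName.Split('.')
    $keyPath = $zoneMap
    if ($parts.Count -gt 1) {
        # web.corp.example is stored as Domains\corp.example\web
        $keyPath = Join-Path $keyPath (($parts[-2], $parts[-1]) -join '.')
        if ($parts.Count -gt 2) {
            $keyPath = Join-Path $keyPath ($parts[0..($parts.Count - 3)] -join '.')
        }
    } else {
        $keyPath = Join-Path $keyPath $HostName   # single-label intranet name
    }
    New-Item -Path $keyPath -Force | Out-Null
    New-ItemProperty -Path $keyPath -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

Set-ZoneAssignment -HostName 'WEB-Server' -Scheme 'http' -Zone 1
Get-ZoneAssignments | Format-Table -AutoSize
```

    When zone assignments are delivered by Group Policy (the "Site to Zone Assignment List" setting), the policy list takes precedence over these per-user keys, so in a domain that is the place to make and audit the change.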
  • Thank you very much for taking the time to reply, I would be very grateful if you could please clarify the following points for me, thanks

    1:

    So what you are saying is, if the site is added to the Trusted Sites or even to the Local Intranet zone (for internal users only), then any unsigned code which needs to execute would not prompt the user for confirmation? And therefore there is no need to sign the code in the first instance and therefore add the code signing cert used to sign the code to the trusted publishers store?

    2:

    By placing a copy of the code signing cert in the trusted publishers store (e.g. the way I got around the popup warnings) is it possible that someone with admin rights (other than the original AD user who obtained the cert via http://CAServer/certsrv) could export the cert, then use it to sign code and thereby pretend to be the original user?

    Thank you

    JoB333x1!


    For the question about being able to export the certificate from the Trusted Publisher store and using it to improperly sign code, the answer is no. Only the certificate and the public key are published to that store. The private key is not, and that is what is used for signing. Having said that, a code signing certificate is a high value certificate for obvious reasons and as Vadims told you, you really should be issuing them so that the private key is protected by hardware, like a smart card. At the very least you should:

    1. Issue the certificate and then export it and the private key and store the resulting file on some kind of removable media which would then be locked up somewhere.
    2. Delete the certificate and private key from the machine on which the request was made.
    3. When code needs to be signed, retrieve the removable media, import the certificate, sign the code, then delete the certificate and private key from the computer where the code was signed.
    4. Return the removable media to the secure location.

    • Marked as answer by JoB333 Wednesday, September 11, 2013 6:25 AM
    Tuesday, September 10, 2013 6:10 PM
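    Added example (not from this thread or its authors): the four steps above carried out in PowerShell, followed by a check that the Trusted Publishers store indeed holds no private keys. It assumes PowerShell 3.0 or later with the PKI module (Import-PfxCertificate and Export-PfxCertificate), removable media mounted as E:\, a script to sign at C:\site\app.ps1, and a Code Signing template that allows private key export; the timestamp server URL is a placeholder to replace with your provider's.

```powershell
# Added example: offline-key handling for a code signing certificate.
# Assumed paths and placeholder values; adjust before use.
$pfxPath = 'E:\codesign\jo-blogs-codesign.pfx'      # removable media, locked away between uses
$target  = 'C:\site\app.ps1'                         # file to sign
$tsaUrl  = 'http://TIMESTAMP-SERVER-PLACEHOLDER'     # replace with a real timestamp service
$pfxPass = Read-Host 'PFX password' -AsSecureString

# Step 1: right after enrolment, export the certificate AND its private key
# to the removable media (requires the template to mark the key exportable).
$enrolled = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.HasPrivateKey } | Select-Object -First 1
Export-PfxCertificate -Cert $enrolled -FilePath $pfxPath -Password $pfxPass | Out-Null

# Step 2: remove certificate and key from the enrolment machine.
# -DeleteKey removes the key material, not just the certificate entry.
Remove-Item -Path "Cert:\CurrentUser\My\$($enrolled.Thumbprint)" -DeleteKey

# Step 3: at signing time, import, sign with a timestamp (so the signature
# stays valid after the certificate expires), verify, then remove again.
$signer = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass -CertStoreLocation Cert:\CurrentUser\My
$sig = Set-AuthenticodeSignature -FilePath $target -Certificate $signer -TimestampServer $tsaUrl
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }
Remove-Item -Path "Cert:\CurrentUser\My\$($signer.Thumbprint)" -DeleteKey

# Step 4 is physical (media back to the safe). What stays on this machine is
# the signed file; verify it and confirm no signing key was left behind.
$check = Get-AuthenticodeSignature -FilePath $target
"Status: $($check.Status); signer: $($check.SignerCertificate.Subject)"
$leftover = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.HasPrivateKey })
"Code signing private keys still present: $($leftover.Count)"

# Paul's point: the Trusted Publishers store carries certificates and public
# keys only, so HasPrivateKey is False for every entry found there.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Select-Object Subject, Thumbprint, HasPrivateKey
```

    For binaries or .cab packages rather than scripts, the same sign step is done with signtool.exe (sign /f <pfx> /p <password> /t <timestamp URL> <file>); the export, delete and verify steps are unchanged.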

All replies

  • Thank you very much for taking the time to reply, I would be very grateful if you could please clarify the following points for me, thanks

    1:

    So what you are saying is, if the site is added to the Trusted Sites or even to the Local Intranet zone (for internal users only), then any unsigned code which needs to execute would not prompt the user for confirmation? And therefore there is no need to sign the code in the first instance and therefore add the code signing cert used to sign the code to the trusted publishers store?

    2:

    By placing a copy of the code signing cert in the trusted publishers store (e.g. the way I got around the popup warnings) is it possible that someone with admin rights (other than the original AD user who obtained the cert via http://CAServer/certsrv) could export the cert, then use it to sign code and thereby pretend to be the original user?

    Thank you

    JoB333x1!


    Tuesday, September 10, 2013 7:00 AM
  • Thank you very much Paul and Vadims, I very much appreciate your advice on this.

    Jo

    Wednesday, September 11, 2013 6:25 AM
  • Thanks again, sorry, one last thing occurred to me, could you kindly clarify the following query.

    When the original user Jo Blogs signed in to Active Directory then went to http://CAServer/certsrv and got a code signing cert via the code signing cert template, he then exported it to a DER (binary) file, e.g. mycodesigningcert.cer.

    Now I understand this .cer file itself does not contain the private key, as that would need say a .pfx file. So I assume in this case the private key is the user's Kerberos ticket (or similar) when he authenticated to AD, so as long as he is logged in to AD as the same user as when he got the cert he can then sign code. Whereas anyone using the .cer file does not have the corresponding private key as they are not logged in to AD as him.

    Is my assumption above correct please? As this will help me better understand (in future I will do it the way you suggested), I just want to try and understand as much as I can.

    Thank you again

    Jo

    Wednesday, September 11, 2013 6:41 AM