SSL certificates autoinstall

  • Question

  • Hello all,
    I have a question for you guys: I wonder how I can prevent SSL certificate autoinstallation. What I've been noticing is that some certificates are being installed without consent or prompting, which I think is the default behavior. It's probably being installed in a silent mode or something, so I really need to implement something to make it prompt, just like in the Kaspersky firewall that intercepts certificates...
    Kinda need urgent help, and I know where they come from, as I commented in other topics...
    Thx in advance
    RR
    Tuesday, July 21, 2009 11:46 PM

All replies

  • Curious Kid,

    Can you give the issuer of one of those "auto installed" certificates?
    Then it is easier for us to determine where they are coming from.

    By default Microsoft automatically updates some very important root certificates.
    This could be a reason why the certificates are silently installed. More info at http://support.microsoft.com/kb/931125
    (you can turn these off by GPO or you can remove this feature via Add/Remove > Windows Components)

    Another way could be that your computer is a member of a domain,
    and your computer receives some certificates from your domain using auto-enrollment.

    Can you give me some more feedback on this issue?

    Kind Regards
    DFT
    IM me - TWiTTer: @DFTER
    • Proposed as answer by daft Wednesday, July 22, 2009 9:26 AM
    • Marked as answer by DÐØŠ_€vader Thursday, July 23, 2009 2:47 PM
    Wednesday, July 22, 2009 9:26 AM
  • Hi daft, thanks for replying,
    The issuer I don't remember, coz I put it into untrusted certs and deleted it and haven't looked at it yet, but what I can assume is they are Entrust certs (entrust.net) and the other is Equifax, which sounds to me like that one is one of the Netscape ones. So I use IE8 with GPO, which makes it much more secure IMO, and when you talked about autoenrollment I remember that I set it to "disabled" from GPO, so I guess I did the wrong thing. As my nickname says, I'm not an expert, I'm just someone who researches a lot to get more security for many reasons, as I mentioned in other topics, but what I can say is that I learned a lot with it and it feels good to know a bit more about security. OK, let's get back to where I was: how can I turn this feature off from add and remove, and is that a smart thing to do? Does it make it less secure or something? I know that Windows Update uses the GTE certificate, because I remember once, the first time I connected to the internet after setting up all the security stuff (GPO etc.), Windows wouldn't update. Then I went back to my GPO settings and found one thing I did that was blocking it from updating the GTE cert; the feature says "turn off automatic Windows Update certificates" or something like that... So that's my case, hope you can help me further. If that autoenrollment policy works as a solution, can you please tell me how? Like which check box should I turn on and off...
    Thanks in advance and will be looking forward to replies...
    Wednesday, July 22, 2009 1:54 PM
  • Hi Curious Kid,

    I have a little bit of trouble reading your answer (I am not a native English speaker :)).
    But if you are talking about root certificates like entrust.net and Equifax:
    these root certificates are members of the "Windows Root Certificate Program" (you can verify this here: http://download.microsoft.com/download/1/4/f/14f7067b-69d3-473a-ba5e-70d04aea5929/windows%20root%20certificate%20program%20members.pdf)

    and are updated automatically by your OS. So try to read the following article on TechNet. This excellent article tells how this feature works and also how you can stop your OS from installing these root certificates automatically.
    http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx

    Did this answer your question?

    Kind Regards
    DFT

    IM me - TWiTTer: @DFTER
    • Proposed as answer by daft Wednesday, July 22, 2009 2:33 PM
    • Marked as answer by Sean Zhu -Moderator Thursday, July 23, 2009 6:38 AM
    Wednesday, July 22, 2009 2:33 PM
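
The following PowerShell is an added example, not posted by anyone in the thread. It reads the policy value behind the "Turn off Automatic Root Certificates Update" setting and compares the machine's Trusted Root store with a saved baseline, so roots that appeared without a prompt can be reviewed by issuer. The function names and the baseline file name are assumptions.

```powershell
# Added example; function names and the baseline file name are assumptions.

function Get-RootAutoUpdatePolicy {
    # Value written by the "Turn off Automatic Root Certificates Update" policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $item = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.DisableRootAutoUpdate -eq 1) {
        'turned off by policy'
    } else {
        'on (default)'
    }
}

function Get-RootSnapshot {
    # One row per certificate in the machine-wide Trusted Root store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter
}

function Compare-RootSnapshot {
    param([object[]] $Baseline = @(), [object[]] $Current = @())
    # Index both sides by thumbprint, then report what differs.
    $known = @{}; foreach ($c in $Baseline) { $known[$c.Thumbprint] = $true }
    $seen  = @{}; foreach ($c in $Current)  { $seen[$c.Thumbprint]  = $true }
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { -not $known.ContainsKey($_.Thumbprint) })
        Removed = @($Baseline | Where-Object { -not $seen.ContainsKey($_.Thumbprint) })
    }
}

$baselinePath = '.\root-baseline.csv'   # assumed location; keep it somewhere write-protected
$current = @(Get-RootSnapshot)
"Automatic root update: $(Get-RootAutoUpdatePolicy)"

if (Test-Path -Path $baselinePath) {
    $diff = Compare-RootSnapshot -Baseline @(Import-Csv -Path $baselinePath) -Current $current
    "Roots added since baseline: $($diff.Added.Count)"
    $diff.Added | Format-List Thumbprint, Subject, Issuer, NotBefore
    "Roots removed since baseline: $($diff.Removed.Count)"
    $diff.Removed | Format-List Thumbprint, Subject
} else {
    # First run: record the current store as the reference point.
    $current | Export-Csv -Path $baselinePath -NoTypeInformation
    "Baseline with $($current.Count) roots written to $baselinePath"
}
```

The first run writes the baseline; later runs list every root whose thumbprint is not in it.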
  • Hi Daft, I'm back,
    Sorry about the bad English, it's not my first language, and sometimes certain phrases might make no sense due to the fact that I write them in a hurry and don't read them back to check if everything is okay, which is a bad thing; I have to discipline myself to change. So about the links you posted, I just took a quick peek at the second one and will look at them carefully later when I've rested a bit, but I can tell ya from now that the second one looks pretty hehehe, and all my questions should be answered by those links!!
    Really appreciate your big help and I'm going to post later on whether it worked for me!!!
    Thx a lot dude and cya soon!!
    Regards
    RR
    Wednesday, July 22, 2009 2:48 PM
  • Back again, and Daft, one thing I can tell you: that was the biggest collaboration I could ever have. Just learned new stuff and it seems to be working so far, and I also implemented certificates extended config and erased weird old ones, so added new hash thing (I think it's hash algorithm) working with NAP settings, so hope this makes sense LOL...
    Thx again for your big help and I will definitely look more in depth into certificates :D
    Regards,
    RR
    Wednesday, July 22, 2009 8:58 PM
  • Hehe, the pleasure was all mine. :)
    Can you do one thing and check my post as answer?

    Thx!
    DFT
    IM me - TWiTTer: @DFTER
    Wednesday, July 22, 2009 10:45 PM
  • Oh, just noticed now after you said it... so we have that button at the bottom (lol, lazy reader). But taking advantage of your kindness, I also have a small question for ya... would you mind?
    Every once in a while when I connect to Google or another web site, when I type ipconfig /displaydns in the command prompt to see the DNS cache records, it shows things like this:

     231.32.69.208.in-addr.arpa
     ----------------------------------------
     Record Name . . . . . : 231.32.69.208.in-addr.arpa
     Record Type . . . . . : 12
     Time To Live  . . . . : 85633
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     PTR Record  . . . . . : google.navigation.opendns.com


     Record Name . . . . . : 231.32.69.208.in-addr.arpa
     Record Type . . . . . : 12
     Time To Live  . . . . : 85633
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     PTR Record  . . . . . : google.navigation.opendns.com

    Only sometimes that happens, so I was wondering if that could be a MITM attack or something... You may also consider that I'm using OpenDNS as DNS servers, because if you read my older posts, I talked about attacks on my network, and the attackers have privileged info about my internet data every time I connect. People from my internet provider (admins) are also involved, but this is not the right time to talk about them (corruption kinda thing). In old times some people had a beef with me and some have a lot of money, so it's a long story. So getting back to where I was: I use OpenDNS servers and it works perfectly, as many experts advise using it to prevent many DNS attacks...
    So that's the question: could that be MIM or a spoof thingy?
    Thx in advance
    Okay, answered, and sorry about taking that long to do it... (English is limited and bad, I'm tired lol)
    Kind regards
    RR

    Wednesday, July 22, 2009 11:36 PM
  • Oh, by the way, the record type looks weird and the time to live doesn't correspond to my dnscache implementations and GPO...
    So I think something is really weird...
    Will be looking forward
    Cheers (changed my nickname btw, it's Curious Kat now)
    RR
    Thursday, July 23, 2009 12:41 AM
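
For the `ipconfig /displaydns` output quoted above, this added PowerShell example (not part of the thread) parses a cache entry, translates the numeric record type into its DNS name (12 is PTR), turns the `in-addr.arpa` name back into the IPv4 address it describes, and expresses the TTL in hours. The sample is constructed from the post's own output; the function names and English field labels are assumptions.

```powershell
# Constructed sample: one cache entry in the format shown in the post above.
$sample = @'
 231.32.69.208.in-addr.arpa
 ----------------------------------------
 Record Name . . . . . : 231.32.69.208.in-addr.arpa
 Record Type . . . . . : 12
 Time To Live  . . . . : 85633
 Data Length . . . . . : 4
 Section . . . . . . . : Answer
 PTR Record  . . . . . : google.navigation.opendns.com
'@

# Standard DNS type numbers for the record types a client cache usually holds.
$typeNames = @{ 1 = 'A'; 2 = 'NS'; 5 = 'CNAME'; 12 = 'PTR'; 15 = 'MX'; 16 = 'TXT'; 28 = 'AAAA' }

function ConvertFrom-DisplayDns {            # hypothetical helper name
    param([string[]] $Lines)
    $record = $null
    foreach ($line in $Lines) {
        # "Label . . . : value" lines only; headers and separators carry no colon.
        if ($line -notmatch '^\s*(?<key>[^.:]+?)[\s.]*:\s*(?<value>.+?)\s*$') { continue }
        $key, $value = $Matches['key'], $Matches['value']
        if ($key -eq 'Record Name') {
            if ($null -ne $record) { [pscustomobject]$record }   # emit previous entry
            $record = [ordered]@{ Name = $value }
        } elseif ($null -ne $record) {
            switch -Regex ($key) {
                '^Record Type$'  { $record.Type = [int]$value; $record.TypeName = $typeNames[[int]$value] }
                '^Time To Live$' { $record.TtlSeconds = [int]$value }
                ' Record$'       { $record.Data = $value }       # "PTR Record", "A (Host) Record" use other labels
            }
        }
    }
    if ($null -ne $record) { [pscustomobject]$record }
}

function ConvertFrom-ReverseName {           # hypothetical helper name
    param([string] $Name)
    # Reverse-lookup names list the IPv4 octets in reverse order.
    if ($Name -match '^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$') {
        '{0}.{1}.{2}.{3}' -f $Matches[4], $Matches[3], $Matches[2], $Matches[1]
    }
}

ConvertFrom-DisplayDns -Lines ($sample -split "`r?`n") |
    Select-Object TypeName, Data,
        @{ n = 'Address';  e = { ConvertFrom-ReverseName $_.Name } },
        @{ n = 'TtlHours'; e = { [math]::Round($_.TtlSeconds / 3600, 1) } }
```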
  • Yeah, I know you might be thinking I'm a paranoid man lol... Never mind, feel free to answer if you want; if you don't, that's OK too. Thx anyways :D

    Kind regards,
    RR
    Friday, July 24, 2009 1:06 AM