Welcome to ISAserver.org

L2TP Certificate Security

L2TP Certificate Security - 16.Aug.2006 12:37:39 PM   
sxlalan

 

Hi All

I've just been playing with setting up Client VPN access to an ISA 2006 server using L2TP (pretty much following Tom's excellent how-to for ISA 2004 http://www.isaserver.org/articles/2004vpnserver.html). I have an issue with certificate security, however. My aim is to only allow computers that I have issued (or authorized the issuing of) a certificate to to connect. What is to stop users simply exporting their certificates and installing them on other (unauthorized) machines? Is there a way to lock the certificate down to a specific piece of kit?

In my test of this I used my home PC (not a domain member) to connect to the CA web interface and request a key following Tom's instructions referenced above. This was issued and I could then VPN in over L2TP - great. I then exported this key and the root CA key and installed them on a second machine. The second machine could now also VPN straight in - not so great! How can I avoid this?

Cheers

Alan
Post #: 1
RE: L2TP Certificate Security - 16.Aug.2006 1:21:05 PM   
sxlalan

 

Looks like I need to be using Computer or IPSec Certificate templates rather than the Administrator template, as the private key can't be exported for these. Is that correct?

Cheers

Alan

(in reply to sxlalan)
Post #: 2
RE: L2TP Certificate Security - 16.Aug.2006 3:12:48 PM   
tshinder

 

Hi Alan,

Only administrators can export their machine account's private keys, so if your users aren't admins, you're safe.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/


(in reply to sxlalan)
Post #: 3
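
As an added example (not part of the original posts): a Windows PowerShell audit that lists the certificates in the local computer store and reports whether each private key is flagged exportable, the property that the certificate template choice discussed above controls. It assumes an elevated prompt on the VPN client; keys that are not held in a CSP, or that cannot be opened, are reported as unknown.

```powershell
# Added example: report which certificates in the local computer store
# have a private key that is flagged exportable.
# Assumption: run from an elevated Windows PowerShell prompt.

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_

        # Collect the enhanced key usages so IPsec / client-auth certificates stand out.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } })

        # CspKeyContainerInfo is only available for CSP-backed keys; other keys,
        # or keys the caller cannot open, are reported as 'unknown'.
        $exportable = 'unknown'
        try {
            $key = $cert.PrivateKey
            if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            $exportable = "unknown ($($_.Exception.Message))"
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            EKU        = $ekus -join ', '
            Exportable = $exportable
        }
    } |
    Select-Object Subject, Thumbprint, NotAfter, EKU, Exportable |
    Format-List
```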
