SSL Self-Signed Certificate Vulnerability Keeps Returning
When you connect to a machine via Remote Desktop, it has to generate a certificate to use in authenticating that connection. By default, these certificates are self-signed.
(I am baffled as to why these certificates were initially showing up in the Personal store rather than the Remote Desktop store.)
Anyway, this isn't exactly a false positive. Using unsigned certificates does potentially expose you to MitM attacks against your Remote Desktop connections. You will need to consider whether or not this is an acceptable level of risk.
KB2001849 describes how to install a properly signed certificate.
This article from Let's Encrypt describes how to generate and install a Let's Encrypt certificate. (NB: this was written for Windows Server; I am not sure whether or not it will also work on a Windows 10 client.)
Related videos on Youtube
25 : 01
04 : 52
08 : 57
13 : 24
01 : 47
Eric Gibson
Updated on September 18, 2022Comments
-
Eric Gibson almost 2 years
So, I've been dealing with a recurring problem with my workstations self-generating certificates. They're appearing in the "Personal" certificate store. Even after I manually delete them from the machines, they inevitably keep returning.
- We do not use self-signed certificates for anything. All our certs come from a verified CA.
- It's not the Splunk Heartbleed vulnerability.
This is a vulnerability that keeps popping up on our Nessus scans, and I'm trying to understand what causes the workstation to generate it's own certificate. Is there a particular event? Is there a way to stop it? I've been researching this to exhaustion, and I can't get a clear answer.
Have any of you ran into this problem?
-
Admin almost 6 yearsWhat OS is running on the workstations? What is your environment? A little more details would be helpful. -
Admin almost 6 yearsTo which Personal certificate store you refer to? The one for the User account, or the Computer account? You have to figure out what service is generating it and get rid of that service (if it's an unwanted one) or reconfigure it to disable the auto-generation.
-
Admin almost 6 yearsWe're running Windows 10 1607 workstations, and it's the Computer account certificates--not the user certs. As far as the service generating it, that's what I'm trying to figure out. The properties of the certificate don't appear to give any indication as to what exactly is causing the certificate to be generated.
-
Admin almost 6 yearsWhat are the properties of the certificates? I have several system generated certs in my PC, and the issuer is "MS-Organization-P2P-Access" and similar.
-
Admin almost 6 yearsAlso, what exactly is the Nessus scan saying is wrong? Nessus will report incorrect chains of trust, but if that's what you are trying to troubleshoot the issue is almost certainly not arising because self-signed certs appear on your workstations
-
Admin almost 6 yearsHere's the output from Nessus: "The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority: Subject: [computer name] | Issuer: [computer name]"
-
dortegaoh almost 6 yearsSuch certificates wouldn't show up as personal certificates.
-
Eric Gibson almost 6 yearsWell, I'm not sure if I think it's completely a false positive: I can literally SEE the certificate in the certificate store. For example, it's listed under the Personal certificate store for the workstation as the "Issued To" being the same value as "Issued By"...the workstation. It might not necessarily be something that could easily be exploited--granted--but I'd still like to understand what's causing it to be generated.
-
Eric Gibson almost 6 yearsI know it has SOMETHING to do with SSL. Which would suggest that it's related to some kind of HTTPS function or setting, I just can't figure out what...
