question


Security risks by setting "IgnoreNoRevocationCheck = 1" on windows 10 clients

According to the description below from [this article][1], as per my understanding, clients will be allowed to connect even when the client certificate does not have a CRL URL. But what would be the case when "IgnoreNoRevocationCheck" is set in the client registry (EAP 13 & 25) but not on NPS or RRAS? I am pre-assuming from the description below that if NPS cannot complete the revocation check it still allows the clients to connect. Please correct me if I am wrong in understanding the concept here.

> **IgnoreNoRevocationCheck**
> When set to 1, NPS allows EAP-TLS clients to connect even when NPS does not perform or cannot complete a revocation check of the certificate chain (excluding the root certificate) of the client. Typically, revocation checks fail because the certificate does not include CRL information.

On the other hand, what could be the security risks when we set the registry value below on the client computers?

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25 --> NoRootRevocationCheck --> 1
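As an added example (not from the original thread), the following PowerShell audit reads the two EAP registry keys named in the question (type 13 and type 25) and reports which revocation switches are set to 1 and what each one weakens. Beyond the two value names quoted above it also checks NoRevocationCheck and IgnoreRevocationOffline, which are Microsoft's other documented EAP revocation switches under the same keys.

```powershell
# Added audit example, not from the original thread. Run in an elevated PowerShell session.
# On a Windows client these switches govern how the EAP supplicant validates the
# authenticating server's (NPS) certificate chain; on NPS the same keys govern the
# check of the client certificate. A missing key or value means the default (0) applies.
$basePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'
$eapTypes = @{ 13 = 'EAP-TLS'; 25 = 'PEAP' }
$switches = @{
    NoRevocationCheck       = 'skips revocation checking entirely'
    IgnoreNoRevocationCheck = 'accepts a chain whose certificates carry no CRL information'
    IgnoreRevocationOffline = 'accepts a chain when the CRL cannot be retrieved'
    NoRootRevocationCheck   = 'skips revocation checking for the root certificate only'
}

function Get-EapRevocationOverrides {
    foreach ($type in ($eapTypes.Keys | Sort-Object)) {
        $keyPath = Join-Path $basePath $type
        # SilentlyContinue: the key does not exist until someone creates an override.
        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        foreach ($name in ($switches.Keys | Sort-Object)) {
            $value = if ($props) { $props.$name } else { $null }
            [pscustomobject]@{
                EapType = "$type ($($eapTypes[$type]))"
                Setting = $name
                Value   = if ($null -eq $value) { 'not set (default 0)' } else { $value }
                Effect  = if ($value -eq 1) { $switches[$name] } else { 'full revocation check' }
            }
        }
    }
}

# Print the full report, then warn about every override that weakens the check.
$report = Get-EapRevocationOverrides
$report | Format-Table -AutoSize
$weakened = $report | Where-Object { $_.Value -eq 1 }
if ($weakened) {
    $list = ($weakened | ForEach-Object { "$($_.EapType): $($_.Setting)" }) -join '; '
    Write-Warning "Revocation checking is weakened by: $list"
}
```

Run the same script on the NPS servers to compare, since the thread's configuration sets the override on clients only and the two sides check different certificates.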
windows-server

Hi, thanks for posting in our Q&A platform. This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience. If you have any updates during this process, please feel free to let me know.


Hi,

Thank you for your patience during my research.

Before we go further, could you please help to provide more details regarding your environment? I would like to confirm what kind of authentication you configured your NPS server for: VPN connection, 802.1X, or some other type of authentication?

Meanwhile, could you please help to provide the link to the article you have referred to, for our reference?

Best Regards,
Sunny


Authentication method used: Microsoft: Protected EAP (PEAP). This is the [article I am referring to][1].

Here is an overview of our environment:

8 - RRAS --> RADIUS authentication (2 NPS)
Clients - Windows 10 20H2

Devices are managed using Intune and client authentication (user certificate) from our PKI via NDES.

Below are the included/excluded steps during the implementation.

Due to a security recommendation, we skipped Step 7.1 (ignoring certificate revocation on RRAS and NPS).

We also skipped adding the XML below from Step 7.5, Procedure 3.

Added "IgnoreNoRevocationCheck" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 & 25" on our managed clients.

Steps 7.2 - 7.4 were implemented with no difference from the above article.

Result: it is working after following the above steps, but it would be much appreciated to know what the potential impact could be of ignoring the revocation check on the client end. (One known possibility would be that the clients would fail to do the CRL check.) What other security risks are involved?


Sorry, instead of replying I posted in the answer field, which means I am still waiting for your response.


0 Answers