Consider the following scenario:
- You are providing VPN access for a number of machines running Windows 10.
- The machines are configured and hardened according to company standards.
- You rely on machine certificates for authentication to the VPN gateway.
- You want to prevent users (or someone impersonating a legitimate user) from extracting the certificate (and private key) from their machines and transferring it to another machine.
- Some of your users need to have a level of permissions sufficient to extract a flat-file certificate/key pair from the machine.
What are good practices to prevent extraction of machine credentials? Approaches that come to mind:
- Use the TPM for key storage. Questions hereâdoes Windows support using the TPM as a key store? How much would it take to transfer the TPM hardware itself to a different machine?
- Use a USB token for key storage. Question hereâtokens are designed to be pluggable; is there an effective way of preventing it from being used on another machine?