Good practices for protecting a machine certificate against extraction

Consider the following scenario:

  • You are providing VPN access for a number of machines running Windows 10.
  • The machines are configured and hardened according to company standards.
  • You rely on machine certificates for authentication to the VPN gateway.
  • You want to prevent users (or someone impersonating a legitimate user) from extracting the certificate (and private key) from their machines and transferring it to another machine.
  • Some of your users need to have a level of permissions sufficient to extract a flat-file certificate/key pair from the machine.

What are good practices to prevent extraction of machine credentials? Approaches that come to mind:

  • Use the TPM for key storage. Questions here—does Windows support using the TPM as a key store? How much would it take to transfer the TPM hardware itself to a different machine?
  • Use a USB token for key storage. Question here—tokens are designed to be pluggable; is there an effective way of preventing it from being used on another machine?
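An added check, not part of the original question, for the TPM approach raised above: Windows 10 exposes the TPM to certificate keys through the "Microsoft Platform Crypto Provider" key storage provider, and this PowerShell script (assuming Windows PowerShell 5.1 on .NET Framework 4.6 or later, run as administrator) lists each machine certificate's provider and exportability so that keys which are not TPM-backed, or are marked exportable, stand out.

```powershell
# Added example (not from the original question): audit Cert:\LocalMachine\My and
# report, for each certificate with a private key, which provider holds the key and
# whether the key is marked exportable. Keys under the Microsoft Platform Crypto
# Provider are TPM-backed and cannot be exported as a flat file; keys reported as
# Exportable = True are the ones a user could copy to another machine.
# Assumes Windows PowerShell 5.1 (.NET Framework 4.6+), run as administrator.

$TpmProvider = 'Microsoft Platform Crypto Provider'

function Get-MachineKeyProtection {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $provider   = $null
        $exportable = $null
        try {
            # Handles RSA keys held by CNG key storage providers (RSACng) or legacy CSPs
            # (RSACryptoServiceProvider); non-RSA keys are reported but not inspected.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $provider = 'non-RSA key (not inspected)'
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider   = $rsa.Key.Provider.Provider
                # ExportPolicy is a flags enum; None means the key cannot leave the provider.
                $exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Typically an access-denied on the private key when not running elevated.
            $provider = "unreadable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            TpmBacked  = ($provider -eq $TpmProvider)
            Exportable = $exportable
        }
    }
}

# Flag anything that is not TPM-backed or that is marked exportable.
Get-MachineKeyProtection |
    Where-Object { -not $_.TpmBacked -or $_.Exportable } |
    Format-Table Subject, Provider, TpmBacked, Exportable -AutoSize
```

An empty result means every RSA machine key in the store is held by the TPM provider and marked non-exportable; the script only reads key metadata and never touches key material.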
