
About QID 90934 - Microsoft Improperly Issued Digital Certificates Spoofing Vulnerability

Question asked by Leong Wai Yoong on Dec 28, 2015

Good morning,


I have read through the community about this QID, but I was not sure about the following solution to be done on the client side:

As we know, this QID will be automatically protected by Microsoft Windows Update; however, our client side has restricted internet access, and they have been using the Altiris patching tool all the while due to company policy. If what Microsoft said is correct (see the blue font below):


If you cannot avoid installing this update on disconnected systems, you can disable the network retrieval of the trusted and untrusted CTLs. To do this, you disable automatic root updates by using Group Policy settings. To disable automatic root updates by using policy settings, follow these steps:

  1. Create a Group Policy or change an existing Group Policy in the Local Group Policy Editor.
  2. In the Local Group Policy Editor, double-click Policies under the Computer Configuration node.
  3. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
  4. In the details pane, double-click Certificate Path Validation Settings.
  5. Click the Network Retrieval tab, select Define these policy settings, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
  6. Click OK, and then close the Local Group Policy Editor.

After you make this change, automatic root updates are disabled on those systems to which the policy is applied. We recommend that the policy be applied only to those systems that do not have Internet access or that are prevented from accessing Windows Update because of firewall rules.


If automatic root updates are disabled, Administrators must manually manage root certificates that are trusted by Windows. Trusted root certificates can be distributed to computers that are running Windows by using Group Policy.


After disabling the automatic root updates, will this still be flagged in the Qualys scan? If so, is there another workaround by which we can replace these certificates? Currently the vulnerability result states that the following certificates are missing:


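For the practical side of the question on a disconnected host, here is an added PowerShell check (not from the post, Qualys or Microsoft) that re-reads the registry locations a QID 90934 result lists and the policy value written by the step 5 checkbox. The value name DisableRootAutoUpdate is my assumption from Microsoft's documentation of that setting, and the sample lines are constructed from the result format quoted above.

```powershell
# Added example: re-check QID 90934 findings and the root auto-update policy.
# Run in an elevated PowerShell on the scanned host.

# Constructed sample input in the format Qualys reports; the thumbprint is one of
# those listed in the scan result above.
$ScanResultLines = @(
    'HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8b2e65a5da17fcccbcde7ef87b0c0ed5d0701f9f is missing',
    'HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\8b2e65a5da17fcccbcde7ef87b0c0ed5d0701f9f is missing',
    'HKLM\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate DisallowedCertEncodedCtl is missing.'
)

function Test-Qid90934Finding {
    # Parses "<key> is missing" and "<key> <valuename> is missing." lines and checks
    # each against the live registry, so the result can be compared with a rescan.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(HKLM\\\S+?)(?:\s+(\S+))?\s+is missing\.?$') {
            $key   = $Matches[1] -replace '^HKLM\\', 'HKLM:\'   # registry provider path form
            $value = $Matches[2]                                 # $null when no value name
            if ($value) {
                # A named value under the key (the encoded disallowed CTL blob).
                $item    = Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue
                $present = $null -ne $item
            } else {
                # A per-certificate subkey in the Disallowed store, named by SHA-1 thumbprint.
                $present = Test-Path -Path $key
            }
            [pscustomobject]@{ Key = $key; Value = $value; Present = $present }
        }
    }
}

function Get-RootAutoUpdatePolicy {
    # Assumption: clearing the "Automatically update certificates ..." box (step 5)
    # sets DisableRootAutoUpdate = 1 under this policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $p = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($p -and $p.DisableRootAutoUpdate -eq 1) { 'disabled by policy' } else { 'enabled (default)' }
}

"Automatic root update: $(Get-RootAutoUpdatePolicy)"
$results = @(Test-Qid90934Finding -Lines $ScanResultLines)
$results | Format-Table -AutoSize
$stillMissing = @($results | Where-Object { -not $_.Present })
"Entries still missing: $($stillMissing.Count) of $($results.Count)"
```

Disabling the policy only stops the network retrieval; the entries stay missing until the disallowed certificates and CTL are delivered another way (the post quotes Microsoft's note that certificates can be distributed through Group Policy), so rerun this check after that deployment rather than assuming the scan result will clear.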