We would like to start using over-the-air enrolment to automatically issue certificates to devices to use for WiFi authentication etc. via SCEP (or NDES, which is the Microsoft implementation of SCEP).
However, we’ve come across this vulnerability note that states that when a device requests a certificate using a legitimate password supplied by MDM, it’s possible to obtain a certificate representing a totally different user (perhaps one with a higher level of access, such as a network administrator), or to obtain a different type of certificate than what was intended.
To mitigate this vulnerability, Microsoft introduced the use of a Policy Module with the NDES function in Win 2012 R2. When a policy module is installed and a request comes into NDES, NDES essentially hands off the request to the module to provide additional authentication to ensure the request is proper. Because the policy module needs to integrate with other systems, it’s not supplied by Microsoft but is either provided by the 3rd-party solution provider or written by the end user.
I’ve had a look around the documentation supplied by Heat and there is very little detail on how SCEP works in conjunction with LANrev. From what I can gather, the above vulnerability would also apply to LANrev – could anyone confirm if this is the case? If it is, does anyone know if there are plans by LANrev to support Policy Modules with NDES?
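An added illustration of the check the post describes (example code, not NDES, LANrev or Microsoft code): the policy-module step is modelled as a plain Python class rather than the COM interface NDES actually calls, and it binds each one-time challenge password to the device, subject and template the MDM intended, so a valid password alone cannot yield a certificate for a different identity or of a different type. The names `PolicyModule`, `issue_challenge`, `verify_request` and `password_only_check` are assumed for illustration.

```python
"""Model of the extra validation an NDES policy module adds to a SCEP request."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    device_id: str
    expected_subject: str   # subject the MDM enrolled this device for
    template: str           # certificate template the MDM intended
    expires_at: float
    used: bool = False


class PolicyModule:
    """Hypothetical policy module: a store of challenges bound to an identity."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.challenges = {}

    def issue_challenge(self, device_id, expected_subject, template, now=None):
        """MDM side: mint a one-time password tied to one device/subject/template."""
        now = time.time() if now is None else now
        pw = secrets.token_hex(16)
        self.challenges[pw] = Challenge(device_id, expected_subject, template, now + self.ttl)
        return pw

    def password_only_check(self, challenge_pw):
        """The weak check the note warns about: any known, unused password passes,
        regardless of what subject or template the CSR actually asks for."""
        c = self.challenges.get(challenge_pw)
        return c is not None and not c.used

    def verify_request(self, challenge_pw, csr_subject, requested_template, now=None):
        """Hardened check run when NDES hands the request to the module.
        Returns (allowed, reason); the challenge is consumed only on success."""
        now = time.time() if now is None else now
        c = self.challenges.get(challenge_pw)
        if c is None:
            return False, "unknown challenge"
        if c.used:
            return False, "challenge already used"
        if now > c.expires_at:
            return False, "challenge expired"
        if csr_subject != c.expected_subject:
            return False, "subject does not match enrolment"
        if requested_template != c.template:
            return False, "template mismatch"
        c.used = True
        return True, "ok"
```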