Score:3

Windows Server Reaches out to Windows Update during TLS negotiation

mx flag

We deploy hardened Windows Server 2022 servers in AWS. These servers reach out to RDS servers using a TLS encrypted channel. During the TLS negotiation, the Windows server is reaching out to Windows Update, presumably to get a current list of trusted root authorities (we found this by watching network traffic with Wireshark - it was very repeatable). These servers do not have any access to the public internet, so the download times out. The connection to the database times out before the Windows Update download times out, so the database access fails.

In the old days (say Windows Server 2012 era), there was a registry setting that you could use to control how certificates were verified. I think you could specify 1-5 and it would behave differently depending on how you would pick that. I don't think that had to do with the trusted root update as much as whether it reached out to download a CRL.

My question is "Does anyone know how to stop Windows from downloading a list of trusted roots during the TLS handshake and force trust of the server certificate presented by RDS?" Or some other way to make this connection happen without public Internet access.

Score:2
cn flag

All Windows hosts, server and desktop, will attempt to update root certificates. There is a setting to prevent that specific communication.

https://woshub.com/updating-trusted-root-certificates-in-windows-10/#h2_2

Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication.

The Turn off Automatic Root Certificates Update option in this section allows you to disable automatic updating of root certificates through the Windows Update sites. By default, this policy is not configured and Windows always tries to automatically renew root certificates.


You can also use certutil to download the updated list of trusted root certificates, and store those locally in a path specified by Group Policy.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#registry-settings-modified

Registry values:

HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate

A value of 1 disables the Windows AutoUpdate of the trusted CTL.

HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot!EnableDisallowedCertAutoUpdate

A value of 1 enables the Windows AutoUpdate of the untrusted CTL.

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate!RootDirUrl

Configures the shared location (the HTTP or the FILE path).

Probably worth mentioning that this does not cover CRL/AIA access.
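The registry values above, applied and read back from an elevated PowerShell prompt. This is an added example, not Greg Askew's code: the key paths and value names are the ones from the answer, while the `\\fileserver\ctl` share is a placeholder, assumed to have been populated beforehand with `certutil -syncWithWU \\fileserver\ctl` on a host that can reach Windows Update. Either disable the fetch outright (the poster's case) or leave auto update on and point `RootDirUrl` at the offline copy; setting `DisableRootAutoUpdate` to 1 makes `RootDirUrl` irrelevant.

```powershell
# Added example: apply and audit the AuthRoot policy values from the answer above.
# Run elevated. The share in $OfflineCtl is an assumption (placeholder).
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$AutoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$OfflineCtl    = 'file://\\fileserver\ctl'   # assumption: share filled by certutil -syncWithWU

function Set-RootAutoUpdatePolicy {
    param(
        [bool]$DisableRootAutoUpdate = $true,           # 1 = never download the trusted CTL
        [bool]$EnableDisallowedCertAutoUpdate = $false,  # 1 = still download the untrusted CTL
        [string]$RootDirUrl                              # HTTP or FILE location of an offline copy
    )
    # -Force creates missing parent keys and is a no-op when the key already exists.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate `
        -Value ([int]$DisableRootAutoUpdate) -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name EnableDisallowedCertAutoUpdate `
        -Value ([int]$EnableDisallowedCertAutoUpdate) -Type DWord

    if ($RootDirUrl) {
        New-Item -Path $AutoUpdateKey -Force | Out-Null
        Set-ItemProperty -Path $AutoUpdateKey -Name RootDirUrl -Value $RootDirUrl -Type String
    }
}

function Get-RootAutoUpdatePolicy {
    # A missing key or value shows as empty, which is the "not configured" state.
    $policy = Get-ItemProperty -Path $PolicyKey     -ErrorAction SilentlyContinue
    $auto   = Get-ItemProperty -Path $AutoUpdateKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableRootAutoUpdate          = $policy.DisableRootAutoUpdate
        EnableDisallowedCertAutoUpdate = $policy.EnableDisallowedCertAutoUpdate
        RootDirUrl                     = $auto.RootDirUrl
    }
}

# Either stop the Windows Update fetch entirely (what the question needs) ...
Set-RootAutoUpdatePolicy -DisableRootAutoUpdate $true
# ... or keep auto update on but serve the CTL from the offline share instead:
# Set-RootAutoUpdatePolicy -DisableRootAutoUpdate $false -RootDirUrl $OfflineCtl
Get-RootAutoUpdatePolicy | Format-List
```

The audit function is the part worth keeping around: after a Group Policy refresh it shows whether the policy actually landed on a given server, without re-running the packet capture.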

Score:0
mx flag

Greg Askew's answer provided the clues to the solution. Here is the answer in PowerShell code:

# Create the policy key (-Force: no error if it already exists) and disable the root auto update
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot -Force | Out-Null
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot -Name DisableRootAutoUpdate -Value 1 -Type DWord

I tested this on two servers and it resolved the issue on both.
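Turning off the root auto update only stops the download; the RDS server certificate still has to chain to a root the server already trusts. Amazon's RDS CA is Amazon's own CA rather than one distributed through the Windows root program, so its bundle has to be imported locally. The following is an added example, not the answerer's code: it assumes the RDS CA bundle (PEM) was copied to the server out of band (the path is a placeholder), imports any roots and intermediates that are missing from the machine stores, and then builds each chain with revocation checking off so the check itself makes no network requests. As the answer above notes, the `DisableRootAutoUpdate` setting does not cover CRL/AIA access, so the revocation setting used here is for the test only.

```powershell
# Added example: import the RDS CA bundle into the machine stores and verify the chains offline.
# Run elevated. $BundlePath is an assumption (placeholder).
$BundlePath = 'C:\certs\rds-ca-bundle.pem'

function Import-CaBundleOffline {
    param([Parameter(Mandatory)][string]$Path)

    $pem    = Get-Content -Path $Path -Raw
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) { throw "No PEM certificates found in $Path" }

    $rootStore = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $caStore   = [System.Security.Cryptography.X509Certificates.X509Store]::new('CA',   'LocalMachine')
    $rootStore.Open('ReadWrite'); $caStore.Open('ReadWrite')
    $imported = @()
    try {
        foreach ($m in $blocks) {
            $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            # Self-issued certificates are roots; everything else goes to the intermediate (CA) store.
            $store = if ($cert.Subject -eq $cert.Issuer) { $rootStore } else { $caStore }
            if (-not $store.Certificates.Contains($cert)) {
                $store.Add($cert)
                Write-Host ("Imported {0} into LocalMachine\{1}" -f $cert.Subject, $store.Name)
            }
            $imported += $cert
        }
    } finally { $rootStore.Close(); $caStore.Close() }
    return $imported
}

function Test-ChainOffline {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test only: no CRL/OCSP fetch from an isolated host
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Valid   = $ok
        Root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$certs = Import-CaBundleOffline -Path $BundlePath
$certs | ForEach-Object { Test-ChainOffline -Certificate $_ } | Format-Table -AutoSize
```

A `Valid` of `False` with `UntrustedRoot` in `Status` means the bundle's root is still not in `LocalMachine\Root` (for example because the import ran without elevation); `PartialChain` means an intermediate the bundle does not include is missing, which is the case that would otherwise trigger an AIA download.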
