
How does certificate pinning work within Windows Server?

Certificate pinning allows admins to verify a legitimate certificate once and receive warnings if it changes.

Have you ever been on a forum where a certain thread or set of threads that represent common questions or topics gets "pinned" or "stickied" to the top of the first page of the forum? Well, using a free add-on to Windows, you can do the same sort of thing with security certificates. Let's talk more about certificate pinning.

One of the most common attacks on security infrastructure is the man-in-the-middle attack, in which an attacker impersonates a system you trust in order to convince you that it is safe to hand over your username, password or other credentials. The attacker sits in the middle of the conversation between you and your destination, intercepting your traffic and answering it in a way that makes you believe you are communicating with the legitimate system. These days, man-in-the-middle attacks are often carried out with fake certificates that keep your browser from raising a warning that the site you are visiting is not what it claims to be. Such bogus certificates can be produced by falsifying certain information in them, by exploiting vulnerabilities in otherwise legitimate certification authorities, or by planting a rogue root certificate on your system (for instance, by convincing you to install it through other sorts of malware) so that the bogus site certificate is automatically trusted by your machine.

With certificate pinning, you verify a legitimate certificate once and then tell Windows, via the Enhanced Mitigation Experience Toolkit (EMET) utility, version 4.0 or later, that this is the certificate you want to rely on. You pin it. If Windows or your browser later detects that the certificate has changed, you will be warned. Specifically, the pin associates a given security certificate with the certificate authority that issued it, so if a bogus certificate for that site gets issued, you will get a warning.
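As an added illustration (not part of the original article and not EMET's own code), the following Python models the check a pinning rule of this kind performs: the root CA behind a host's certificate is recorded once, a later chain for that host that ends in a different root produces a warning, and a routine leaf renewal under the same CA does not. The certificate records and key bytes are constructed stand-ins, not real certificates.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields a pin check needs."""
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo in a real certificate; constructed bytes here

def spki_pin(cert: Cert) -> str:
    """Pin value: SHA-256 over the certificate's public key info, hex-encoded."""
    return hashlib.sha256(cert.spki).hexdigest()

def root_of(chain: list) -> Cert:
    """Chains are leaf-first; the last element must be the self-signed root."""
    root = chain[-1]
    if root.subject != root.issuer:
        raise ValueError("chain does not end in a self-signed root certificate")
    return root

class PinStore:
    """Maps a hostname to the pin of the root CA the admin verified once (EMET's model)."""
    def __init__(self) -> None:
        self._pins: dict = {}
    def pin(self, hostname: str, chain: list) -> None:
        self._pins[hostname] = spki_pin(root_of(chain))
    def check(self, hostname: str, chain: list) -> tuple:
        """Return (ok, message): unpinned hosts pass; a root that differs from the pin warns."""
        expected = self._pins.get(hostname)
        if expected is None:
            return True, f"{hostname}: no pin recorded"
        actual = spki_pin(root_of(chain))
        if actual != expected:
            return False, f"{hostname}: WARNING issuing root changed ({expected[:8]}.. -> {actual[:8]}..)"
        return True, f"{hostname}: issuing root matches pin"

# Constructed sample certs (not real keys): the legitimate root, a rogue root the victim was
# tricked into trusting, two routine leaf renewals, and a bogus leaf for the same site.
TRUSTED_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"constructed-root-key-1")
ROGUE_ROOT = Cert("CN=Other Root CA", "CN=Other Root CA", b"constructed-root-key-2")
LEAF_2013 = Cert("CN=login.example.com", "CN=Example Root CA", b"constructed-leaf-key-2013")
LEAF_2014 = Cert("CN=login.example.com", "CN=Example Root CA", b"constructed-leaf-key-2014")
BOGUS_LEAF = Cert("CN=login.example.com", "CN=Other Root CA", b"constructed-attacker-key")

def demo() -> list:
    # Pin once, then check a renewal under the same CA and a bogus cert chained to another CA.
    store = PinStore()
    store.pin("login.example.com", [LEAF_2013, TRUSTED_ROOT])
    chains = [[LEAF_2013, TRUSTED_ROOT], [LEAF_2014, TRUSTED_ROOT], [BOGUS_LEAF, ROGUE_ROOT]]
    return [store.check("login.example.com", chain)[0] for chain in chains]  # [True, True, False]
```

Note that the bogus chain is rejected even though its rogue root is installed as trusted on the machine, which is exactly the case ordinary certificate validation alone would accept.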

How often does this happen? Well, certification authorities are less robust and secure than you might have thought. Comodo Group, one of the largest suppliers of SSL certificates to websites across the Internet, was compromised in March 2011. And back in 2001, Verisign issued two fraudulent certificates to individuals who falsely claimed to be affiliated with Microsoft.
