How to Check for Misconfiguration of Active Directory Certificate Services

I read with interest an article about the ‘blind spot’ in corporate network security, Active Directory Certificate Services (AD CS).

SpecterOps, a security company, developed an audit toolkit called PSPKIAudit, written in PowerShell, and introduced two attack tools, Certify and ForgeCert, at the Black Hat USA 2021 conference in early August. The attack tools were to be released later, but I wanted to quickly determine whether a domain is vulnerable to attacks that lead to account or domain takeover.

Steps to find misconfiguration of AD CS

I followed these steps:

1. Install the Remote Server Administration Tools (RSAT) features for Certificate Services and Active Directory with the following command from an elevated PowerShell prompt:

Get-WindowsCapability -Online -Name "Rsat.*" | where Name -match "CertificateServices|ActiveDirectory" | Add-WindowsCapability -Online

2. Download PSPKIAudit, unzip it into a PSPKIAudit folder, then unblock the extracted files with the following commands:

cd PSPKIAudit
Get-ChildItem -Recurse | Unblock-File

3. Import PSPKIAudit with the following command.

Import-Module .\PSPKIAudit.psm1

The import prints a warning:

WARNING: The names of some imported commands from the module 'PSPKIAudit' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

The warning is harmless. To see which functions it refers to, import the module again with the -Verbose parameter:

PS C:\PSPKIAudit> Import-Module .\PSPKIAudit.psm1 -Verbose

Type Get-Verb to see the list of approved verbs; the verbose output lists the imported commands whose verbs are not on that list.

4. Review the state of your organization's AD CS by running the following command (optionally exporting the result to a .csv file):

Invoke-PKIAudit [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z]

This command audits the existing AD CS environment: it enumerates the Certificate Authorities (CAs) and their certificate template settings and flags known misconfigurations. The -CAComputerName and -CAName parameters are optional; with no parameters, Invoke-PKIAudit audits every CA it finds and you simply review the output it produces.
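As an added example that is not part of the article or of PSPKIAudit, the following PowerShell performs the core of the ESC1 check that Invoke-PKIAudit automates, reading the templates and enrollment services directly from the Configuration partition with ADSI, so a finding can be confirmed without the module. It assumes a domain-joined Windows host and a domain user (Authenticated Users can read the Configuration naming context by default); the list of "low-privileged" principals is an assumption to adapt to your forest, and the flag values and OIDs are Microsoft's documented constants.

```powershell
# Added example (not code from the article or from PSPKIAudit): read-only ESC1 check via ADSI.
# Assumptions: domain-joined host, domain user; $LowPrivSids is a starting point, not a complete list.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: "Supply in request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: CA certificate manager approval
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$AuthEkus = @{                                     # EKUs that let a certificate authenticate to AD
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.4'        = 'PKINIT Client Authentication'
    '2.5.29.37.0'            = 'Any Purpose'
}
$LowPrivSids = @('S-1-1-0', 'S-1-5-11')            # Everyone, Authenticated Users (assumption: extend as needed)

function Get-PkiContainer([string]$Cn) {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=$Cn,CN=Public Key Services,CN=Services,$configNc"
}

function Get-PkiObjects([string]$ContainerCn, [string]$ObjectClass) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((Get-PkiContainer $ContainerCn), "(objectClass=$ObjectClass)")
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) { $r.GetDirectoryEntry() }
}

# Template name -> CAs that publish it. A template no CA publishes cannot be enrolled yet.
function Get-PublishedTemplateMap {
    $map = @{}
    foreach ($ca in Get-PkiObjects 'Enrollment Services' 'pKIEnrollmentService') {
        $published = @(@($ca.Properties['certificateTemplates'].Value) | Where-Object { $_ })
        foreach ($tpl in $published) {
            if (-not $map.ContainsKey($tpl)) { $map[$tpl] = @() }
            $map[$tpl] += $ca.Properties['cn'].Value
        }
    }
    $map
}

# Low-privileged principals holding an Allow ACE that grants Enroll (or all extended rights / full control)
function Get-LowPrivEnrollers($Template) {
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $all = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $rule.IdentityReference.Value
        # Domain Users (RID 513) and Domain Computers (RID 515) are low-privileged in every domain
        if (-not (($LowPrivSids -contains $sid) -or ($sid -match '-(513|515)$'))) { continue }
        $rights = [int]$rule.ActiveDirectoryRights
        $grantsEnroll = (($rights -band $all) -eq $all) -or
                        ((($rights -band $ext) -ne 0) -and
                         ($rule.ObjectType -eq $EnrollRightGuid -or $rule.ObjectType -eq [Guid]::Empty))
        if ($grantsEnroll) { $sid }
    }
}

function Test-Esc1Template($Template, [hashtable]$PublishedMap) {
    $name       = $Template.Properties['cn'].Value
    $nameFlags  = [int]$Template.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrollFlag = [int]$Template.Properties['msPKI-Enrollment-Flag'].Value
    $raSigs     = [int]$Template.Properties['msPKI-RA-Signature'].Value
    $ekus       = @(@($Template.Properties['pKIExtendedKeyUsage'].Value) | Where-Object { $_ })
    # A template with no EKU places no restriction on usage, so it is usable for logon as well
    $authEkus   = if ($ekus.Count -eq 0) { @('(no EKU restriction)') }
                  else { @($ekus | Where-Object { $AuthEkus.ContainsKey($_) } | ForEach-Object { $AuthEkus[$_] }) }
    $enrollers  = @(Get-LowPrivEnrollers $Template)
    $supplies   = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $approval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    [PSCustomObject]@{
        Template                = $name
        PublishedOn             = if ($PublishedMap.ContainsKey($name)) { $PublishedMap[$name] } else { @() }
        EnrolleeSuppliesSubject = $supplies
        AuthEkus                = $authEkus
        ManagerApproval         = $approval
        AuthorizedSignatures    = $raSigs
        LowPrivEnrollers        = $enrollers
        # ESC1: a low-privileged requester names an arbitrary principal in the CSR and gets a logon certificate
        Esc1                    = $supplies -and $authEkus.Count -gt 0 -and -not $approval -and
                                  $raSigs -eq 0 -and $enrollers.Count -gt 0
    }
}

function Find-Esc1Template {
    $published = Get-PublishedTemplateMap
    Get-PkiObjects 'Certificate Templates' 'pKICertificateTemplate' |
        ForEach-Object { Test-Esc1Template $_ $published } |
        Where-Object { $_.Esc1 }
}

Find-Esc1Template | Format-List
```

A template that appears here with a non-empty PublishedOn is exploitable right now; one with an empty PublishedOn becomes exploitable the moment someone publishes it on a CA, so fix both. The check covers only the five conditions of ESC1 (the same ones the remediation steps later in this article address); PSPKIAudit additionally checks the other template, CA and ACL misconfigurations in the SpecterOps ESC series.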

How to Remove Unnecessary Certificate Authority Values

The output also shows stale entries for CAs that are no longer on the network. In my case, I found two servers that were no longer on the network but were still registered as certificate services in Active Directory. They serve no role, and their entries should be removed.

The audit also reported potentially vulnerable templates on the CA of one server that is still on the network. Fortunately, in my case there were no issues with the main domain certificate template, but there were problems with other templates used by special-purpose servers. Two of these templates were flagged as ESC1: a misconfigured template that lets a low-privileged requester supply an arbitrary subject name (SAN) in the request while the issued certificate is valid for domain authentication. The fix is as follows.

ⓒ Susan Bradley

1. In the Certificate Templates console (certtmpl.msc), right-click the appropriate certificate template.

2. Select ‘Properties’.

3. On the 'Subject Name' tab, uncheck 'Supply in request'. This removes the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag from the template, so the CA no longer honours a subject or SAN supplied in the CSR. Unless this template genuinely needs requester-supplied names, this is the best fix.


4. On the 'Extensions' tab, edit 'Application Policies' and remove the 'Client Authentication' and 'Smart Card Logon' EKUs (and any other EKU that permits logon). Certificates issued from the template can then no longer be used for domain authentication.

5. In ‘Issuance Requirements’, enable ‘CA Certificate Manager Approval’. This puts requests to this template into a ‘Pending Requests’ queue that must be manually approved by the certificate manager.

6. If any automation depends on this template and you enable CA certificate manager approval, that automation and scripting may break, because every request now waits in the queue for a human. Consider this impact before enabling it.

7. Alternatively, on the 'Issuance Requirements' tab set 'This number of authorized signatures' to 1, so that a CSR must be co-signed with an enrollment agent certificate before the CA will issue from this template. Also open the 'Security' tab and remove the enroll rights of low-privileged groups, so that they cannot enroll in the template at all. Again, check for any automation or scripting that relies on this template before changing it.
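The template changes from steps 3, 4, 5 and 7 can also be applied without certtmpl.msc, which helps when there are many templates to fix or when the change must be reviewed before it is made. The following PowerShell is an added example, not code from the article or from any vendor: it edits one template's attributes in the Configuration partition through ADSI with -WhatIf and -Confirm support, refuses to strip the last EKU (a template with no EKU is valid for every purpose, including logon, which is worse than what you started with), and bumps the template's minor revision as the GUI does so that CAs and autoenrollment clients refresh their cached copy. It assumes an account allowed to modify templates (Enterprise Admins by default) and a schema version 2 template for the signature step; the template name in the usage call is a placeholder, and the Security-tab change from step 7 (removing enroll rights) is left to the GUI.

```powershell
# Added example (not code from the article): template hardening for steps 3, 4, 5 and 7 via ADSI.
# Assumptions: caller may modify templates; template name at the bottom is a placeholder.
function Repair-Esc1Template {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Name,     # template cn (not its display name)
        [switch] $RequireManagerApproval,           # step 5: "CA certificate manager approval"
        [switch] $RequireAuthorizedSignature        # step 7: one enrollment agent signature
    )
    $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1       # msPKI-Certificate-Name-Flag
    $CT_FLAG_PEND_ALL_REQUESTS         = 0x2       # msPKI-Enrollment-Flag
    $AuthEkuOids = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'
    $CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'

    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { throw "Template '$Name' not found" }
    $t = [ADSI]$path
    $changes = @()

    # Step 3: uncheck "Supply in request" (clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    $nameFlags = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    if ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
        $t.Put('msPKI-Certificate-Name-Flag', ($nameFlags -band (-bnot $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)))
        $changes += 'clear ENROLLEE_SUPPLIES_SUBJECT'
    }

    # Step 4: drop the authentication EKUs from the legacy EKU list and from the v2+ application policies.
    # Refuse to remove the last one: a template with no EKU is valid for every purpose, logon included.
    foreach ($attr in 'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy') {
        $current = @(@($t.Properties[$attr].Value) | Where-Object { $_ })
        $keep    = @($current | Where-Object { $AuthEkuOids -notcontains $_ })
        if ($keep.Count -eq $current.Count) { continue }
        if ($keep.Count -eq 0) {
            throw "Removing the authentication EKUs from $attr would leave no EKU; add a non-authentication EKU (e.g. Server Authentication) first"
        }
        $t.Put($attr, [string[]]$keep)
        $changes += "$attr := $($keep -join ',')"
    }

    # Step 5: send every request to the Pending Requests queue
    $enrollFlags = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    if ($RequireManagerApproval -and -not ($enrollFlags -band $CT_FLAG_PEND_ALL_REQUESTS)) {
        $t.Put('msPKI-Enrollment-Flag', ($enrollFlags -bor $CT_FLAG_PEND_ALL_REQUESTS))
        $changes += 'require CA certificate manager approval'
    }

    # Step 7: require one signature from a Certificate Request Agent certificate on the CSR.
    # Assumption: schema version 2 template, where msPKI-RA-Application-Policies holds the bare OID;
    # v3+ templates encode that attribute differently, so they are left to certtmpl.msc here.
    if ($RequireAuthorizedSignature -and [int]$t.Properties['msPKI-RA-Signature'].Value -lt 1) {
        if ([int]$t.Properties['msPKI-Template-Schema-Version'].Value -gt 2) {
            Write-Warning "'$Name' is a v3+ template; set the authorized signature requirement in certtmpl.msc"
        } else {
            $t.Put('msPKI-RA-Signature', 1)
            $t.Put('msPKI-RA-Application-Policies', $CertRequestAgentOid)
            $changes += 'require 1 enrollment agent signature'
        }
    }

    if ($changes.Count -eq 0) { Write-Verbose "'$Name': nothing to change"; return }
    # Bump the minor revision as certtmpl.msc does, so CAs and autoenrollment clients refresh the template
    $t.Put('msPKI-Template-Minor-Revision', [int]$t.Properties['msPKI-Template-Minor-Revision'].Value + 1)

    if ($PSCmdlet.ShouldProcess($Name, ($changes -join '; '))) { $t.SetInfo() }
    else { $t.RefreshCache() }   # nothing was written; discard the cached edits
    $changes
}

# Preview first, then apply without -WhatIf (template name is a placeholder):
Repair-Esc1Template -Name 'WebServerCustom' -RequireManagerApproval -WhatIf
```

Run it with -WhatIf first and read the list of changes it would commit; only then run it for real. After the change, re-audit the template (with Invoke-PKIAudit or the ESC1 check above) to confirm that the flag is gone and the authentication EKUs no longer appear, and remember that certificates already issued from the template stay valid until they expire or are revoked.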

Certificates are an important part of the network infrastructure: a CA issues certificates that clients can use to authenticate, and clients can request them. Start by treating the certification authority server as belonging to the same category as a domain controller, with restrictions on who can access the server and which accounts they use to log in. If a certificate was used maliciously in a breach, it is not enough to wipe and rebuild the workstation; every certificate issued to that user must be traced in AD CS and revoked.

If it is determined that the CA server has been compromised, the certification authority itself, including its signing key, must also be treated as compromised. Follow Microsoft's guidance to rebuild the CA and revoke all suspicious certificates.

The key is to review your Active Directory Certificate Services infrastructure and take the time to verify that it has been deployed using the currently recommended security guidelines.

Source: ITWorld Korea by
