This morning we provided details to our existing support and co-management customers on a recent Microsoft advisory covering certain Microsoft ADCS configurations. The attack is an NTLM relay that abuses the ADCS web-based enrollment components. Full details can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV210003.
In environments where NTLM authentication is still enabled in Active Directory and the ADCS Web Enrollment portal (/certsrv) or ADCS CES/CEP (Certificate Enrollment Web Services) is in use, an attacker can coerce a domain controller into authenticating with NTLM to a host the attacker controls, relay that authentication to the enrollment web endpoint, and obtain a certificate issued for the domain controller's machine account. That certificate lets the attacker authenticate as the domain controller and elevate to Domain Admins or Enterprise Admins. This is essentially an NTLM relay attack; the web enrollment endpoints are the relay target, and the domain controller is the coerced victim.
This can be mitigated by following the recommendations in https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429. These options include:
- Disabling NTLM for Active Directory. This is the most thorough option but potentially a large undertaking, because of known and unknown application compatibility issues; audit NTLM usage before enforcing it.
- Disabling NTLM on the servers running ADCS (incoming NTLM traffic denied at the server level), which protects the CA and enrollment servers without touching the rest of the domain.
- Disabling NTLM for the ADCS Web Enrollment and CES/CEP IIS applications, leaving only Negotiate (Kerberos) as the Windows authentication provider. Note that Negotiate can still fall back to NTLM, so pair this with one of the other options.
- Enabling Extended Protection for Authentication (EPA) on the ADCS Web Enrollment and CES/CEP applications, together with Require SSL, since EPA binds the authentication to the TLS channel and only works over HTTPS.
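The following PowerShell is an added example, not code from the original advisory or from KB5005413. It audits each ADCS IIS application for the three web-tier settings listed above (NTLM provider removed, Require SSL, EPA set to Require) and applies them with -Apply; -DenyIncomingNtlm additionally sets the server-level "Restrict NTLM: Incoming NTLM traffic = Deny all" value. It assumes the applications live under "Default Web Site" and that the CES/CEP application names are the defaults for a CA named CONTOSO-CA01-CA; both are placeholders to adjust for your environment. Run it elevated on the ADCS server.

```powershell
# Added example (not from the original advisory or KB5005413): audit and harden the ADCS
# web enrollment and CES/CEP IIS applications per KB5005413. Placeholders: site name and
# the CES/CEP application names (derived from the CA name) are assumptions for this example.
param(
    [string]$Site = 'Default Web Site',
    [string[]]$Apps = @('CertSrv', 'ADPolicyProvider_CEP_Kerberos', 'CONTOSO-CA01-CA_CES_Kerberos'),
    [switch]$Apply,             # without this the script only reports
    [switch]$DenyIncomingNtlm   # also apply the server-wide incoming NTLM deny policy
)
Import-Module WebAdministration

$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'
$Access  = 'system.webServer/security/access'
$AppHost = 'MACHINE/WEBROOT/APPHOST'

foreach ($App in $Apps) {
    $Location = "$Site/$App"
    if (-not (Test-Path "IIS:\Sites\$Site\$App")) {
        Write-Warning "$Location not found, skipping"
        continue
    }

    # Read the current state of the three settings for this application.
    $providers = @(Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$WinAuth/providers/add" |
                   ForEach-Object { $_.value })
    $epa = (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $WinAuth `
                -Name extendedProtection.tokenChecking).Value
    $sslFlags = @(((Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Access `
                -Name sslFlags).Value) -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })

    $ntlmOffered = $providers -contains 'NTLM'
    $requireSsl  = $sslFlags -contains 'Ssl'
    $ok = (-not $ntlmOffered) -and $requireSsl -and ($epa -eq 'Require')
    '{0,-45} providers={1,-18} sslFlags={2,-22} EPA={3,-8} {4}' -f $Location, ($providers -join ','),
        ($sslFlags -join ','), $epa, $(if ($ok) { 'OK' } else { 'NEEDS FIX' })

    if (-not $Apply) { continue }

    # 1. Remove the NTLM provider so only Negotiate is offered. Negotiate can still fall back
    #    to NTLM, so this alone is not sufficient; EPA below and/or the server-wide deny cover that.
    if ($ntlmOffered) {
        Remove-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$WinAuth/providers" `
            -Name '.' -AtElement @{ value = 'NTLM' }
    }

    # 2. Require SSL (keeping any existing flags such as SslNegotiateCert). EPA binds the
    #    authentication to the TLS channel, so it only protects HTTPS requests.
    if (-not $requireSsl) {
        $newFlags = (@('Ssl') + $sslFlags) -join ','
        Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Access -Name sslFlags -Value $newFlags
    }

    # 3. Require Extended Protection; relayed authentication lacks the channel binding and is rejected.
    if ($epa -ne 'Require') {
        Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $WinAuth `
            -Name extendedProtection.tokenChecking -Value 'Require'
    }
}

if ($Apply -and $DenyIncomingNtlm) {
    # Registry equivalent of the policy "Network security: Restrict NTLM: Incoming NTLM traffic"
    # set to "Deny all accounts" (value 2). Anything still authenticating to this server with NTLM
    # will break, so verify clients first; audit mode (value 1) logs without blocking.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
}

if ($Apply) { iisreset }
```

Run it once without -Apply to see which applications still offer NTLM or lack Require SSL and EPA, fix the placeholder names in $Apps for any CES/CEP instance the report flags as missing, then rerun with -Apply. After the change, a browser or certreq client that reaches /certsrv over plain HTTP will be refused, which is the intended effect of Require SSL.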
While we have not yet seen this attack vector exploited, we suspect it will be, given the ease of elevation. Additionally, when transitioning from NTLM to Kerberos authentication, give careful consideration to the URL used to reach the web enrollment website. If you are using a name other than the server's hostname, such as a CNAME alias like https://certs/certsrv or https://certs.contoso.com/certsrv, an HTTP/ SPN for each alias must be registered on the account the site's application pool runs as (the server's computer account for the built-in pool identities, or the service account if a domain user is used). Without the SPN, Kerberos cannot issue a ticket for that name and authentication will fail or, where still permitted, silently fall back to NTLM. NTLM did not require this step.
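The following PowerShell is an added example, not from the original post. It works out which account must hold the HTTP/ SPNs for the web enrollment application, warns about the kernel-mode authentication setting that matters when the pool runs as a domain user, and checks or registers one SPN per alias. The site name, application name, and the two aliases are placeholders assumed for this example; run it elevated on a host with the WebAdministration and ActiveDirectory modules, as an account allowed to write servicePrincipalName on the target account.

```powershell
# Added example (not from the original post): determine the SPN owner for the ADCS web
# enrollment application and check/register HTTP/<alias> SPNs for CNAME aliases.
# Placeholders assumed here: site, application, and the alias names.
param(
    [string[]]$Aliases = @('certs', 'certs.contoso.com'),
    [string]$Site = 'Default Web Site',
    [string]$App  = 'CertSrv',
    [switch]$Register   # without this the script only reports
)
Import-Module WebAdministration, ActiveDirectory

# 1. Kerberos service tickets for the site are decrypted with the key of the account that
#    terminates the authentication, so find the application pool identity first.
$poolName = (Get-WebApplication -Site $Site -Name $App).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = $pool.processModel.identityType
if ($identity -eq 'SpecificUser') {
    $account = $pool.processModel.userName        # e.g. CONTOSO\svc-certsrv
} else {
    $account = "$env:COMPUTERNAME`$"              # ApplicationPoolIdentity, NetworkService, LocalSystem
}
"Application pool '$poolName' runs as $identity; SPNs belong on $account"

# 2. With a domain user as pool identity, IIS kernel-mode authentication (on by default) still
#    uses the machine account's key unless useAppPoolCredentials is enabled. Flag the mismatch,
#    since it makes Kerberos fail for the alias even when the SPN is correct.
if ($identity -eq 'SpecificUser') {
    $useAppPoolCreds = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$App" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name useAppPoolCredentials).Value
    if (-not $useAppPoolCreds) {
        Write-Warning "Pool runs as $account but useAppPoolCredentials is false; set it or put the SPNs on the computer account"
    }
}

# 3. For each name users type into the browser, check whether any object already owns the
#    SPN (a duplicate on another account breaks Kerberos) and register it if requested.
foreach ($alias in $Aliases) {
    $spn   = "HTTP/$alias"
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner) {
        "$spn is registered on $($owner.DistinguishedName)"
        continue
    }
    if ($Register) {
        # setspn -S checks the forest for an existing duplicate before adding the SPN.
        & setspn.exe -S $spn $account
    } else {
        "MISSING: $spn (rerun with -Register to add it to $account)"
    }
}
```

After registering, test from a client by browsing to the alias and confirming a Kerberos ticket for HTTP/&lt;alias&gt; with klist, and check the ADCS server's Security log for 4624 events with authentication package Kerberos rather than NTLM. If an SPN turns up on a different object than expected, resolve that duplicate before adding another, since duplicate SPNs cause the KDC to refuse the ticket.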
We will be releasing a script shortly to assist in the discovery of your AD and server configuration to indicate which systems and environments are impacted. If you would like to receive notification of that availability, please do let us know.