
Mis-Configuration Best Practice Checks for Certificate Templates

Best Practices to prevent Malicious Users from exploiting ADCS certificates to take full control of Active Directory Forests


Why do these checks matter?

Watch the video to see a malicious actor take full control* of the AD forest, and how PKI Spotlight catches the misconfiguration.

*FULL CONTROL = They can do anything they want. Run as domain admins, set up backdoors, intercept communication, sign whatever they want.

What exactly is being checked for?

Template set for Supply in Request, but no CA Manager Approval required

The implication of this setting is that, without a required approval step, anyone who can enroll from a template that lets the enrollee supply the certificate subject can impersonate any arbitrary identity. Although there are valid uses for enrollee-supplied subjects, such as issuing certificates on behalf of another person or system, not having an explicit approval workflow in place can lead to abuse and exploits. It can also result in companies failing audits.

Template subject not automatic and DSPublish is enabled

With a template such as this, any authenticated AD user (even a non-privileged one) who has enroll permissions can supply their own subject name in a certificate and have it published to their AD account. This can have serious security implications such as MiTM attacks and privilege escalation (any user can find and use the identity of an AD administrator). The attack is more dangerous because it makes it difficult to distinguish normal behavior from malicious activity, and it can make it easy for attackers to sustain access without being discovered.
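The two checks above can be expressed directly as tests on template flag bits. The following is an added, offline example (not PKI Spotlight's own code) that evaluates the documented bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag over constructed template records. In a real audit the records would be read from the Certificate Templates container in the AD configuration partition; the template names, enrollers and finding codes here are assumptions made for illustration.

```python
"""Offline audit of AD CS certificate template flag bits (added example, not vendor code)."""
from dataclasses import dataclass, field

# Documented bit values (MS-CRTD). msPKI-Certificate-Name-Flag:
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
# msPKI-Enrollment-Flag:
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval"
CT_FLAG_PUBLISH_TO_DS = 0x00000008               # "Publish certificate in Active Directory" (DSPublish)

# Principals that make "who can enroll" effectively "any authenticated user" (assumed list)
BROAD_ENROLLERS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int                                # msPKI-Certificate-Name-Flag
    enrollment_flag: int                          # msPKI-Enrollment-Flag
    enrollers: set = field(default_factory=set)   # principals granted Enroll (constructed)


def audit_template(tpl):
    """Return finding codes for the two checks described on this page."""
    findings = []
    supplies_subject = bool(tpl.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(tpl.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
    publishes_to_ds = bool(tpl.enrollment_flag & CT_FLAG_PUBLISH_TO_DS)

    # Check 1: enrollee supplies the subject, but no CA manager approval is required
    if supplies_subject and not needs_approval:
        findings.append("SUPPLY_IN_REQUEST_NO_APPROVAL")
    # Check 2: subject is not built automatically from AD, and the cert is published to DS
    if supplies_subject and publishes_to_ds:
        findings.append("SUPPLY_IN_REQUEST_DSPUBLISH")
    # Either finding is worse when low-privileged groups can enroll
    if findings and tpl.enrollers & BROAD_ENROLLERS:
        findings.append("BROAD_ENROLL_PERMISSIONS")
    return findings


def harden(tpl):
    """Copy of the template with CA manager approval required (the control the page calls for)."""
    return Template(tpl.name, tpl.name_flag,
                    tpl.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS, set(tpl.enrollers))


def audit_all(templates):
    """Map template name -> findings, for every template in the list."""
    return {t.name: audit_template(t) for t in templates}


# Constructed sample templates (not taken from any real forest)
VULNERABLE = Template("ContosoWebServer",
                      name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                      enrollment_flag=CT_FLAG_PUBLISH_TO_DS,
                      enrollers={"Domain Users"})
APPROVED = Template("ContosoEnrollmentAgent",
                    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                    enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
                    enrollers={"PKI Request Agents"})
AUTO_SUBJECT = Template("ContosoUser",
                        name_flag=0,                        # subject built from AD
                        enrollment_flag=CT_FLAG_PUBLISH_TO_DS,
                        enrollers={"Domain Users"})

if __name__ == "__main__":
    for name, findings in audit_all([VULNERABLE, APPROVED, AUTO_SUBJECT]).items():
        print(f"{name}: {findings or 'OK'}")
    print("after harden:", audit_template(harden(VULNERABLE)))
```

Note that harden() only adds the approval requirement, so the DSPublish finding on the sample template remains until the subject is switched back to being built from Active Directory or enrollment is restricted to a narrow group.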
