Mis-Configuration Best Practice Checks for Certificate Templates
Best Practices to prevent Malicious Users from exploiting ADCS certificates to take full control of Active Directory Forests
Why do these checks matter?
Watch the video and see a malicious actor take full control* of the AD forest, and how PKI Spotlight catches the misconfiguration.
*FULL CONTROL = They can do anything they want. Run as domain admins, set up backdoors, intercept communication, sign whatever they want.
What exactly is being checked for?
Template set for Supply in Request, but no CA Manager Approval required
The implication of this setting is that without requiring approval, anyone who has access to enroll certificates from a template that allows the enrollee to supply the certificate subject can impersonate any arbitrary identity. Although there are valid uses for enrollee-supplied subjects such as issuing certificates on behalf of another person or system, not having an explicit approval workflow in place can lead to abuse and exploits. This can also result in companies failing audits.
Template subject not automatic and DSPublish is enabled
With a template such as this, any authenticated AD user (even a non-privileged one) with enroll permissions can supply their own subject name in a certificate and have it published to their AD account. This can have serious security implications such as man-in-the-middle (MitM) attacks and privilege escalation (any user can find and use the identity of an AD administrator). This attack is more dangerous because it makes it difficult to distinguish normal behavior from malicious activity. It can also make it easy for attackers to sustain attacks without being discovered.
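Both checks described above can be evaluated directly from a template's LDAP attributes in the configuration partition. The following PowerShell is an added example written for this page; it is not PKI Spotlight code. It assumes the flag values documented in MS-CRTD (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag; CT_FLAG_PEND_ALL_REQUESTS, which is what "CA Manager Approval" sets, and CT_FLAG_PUBLISH_TO_DS in msPKI-Enrollment-Flag). The function names Test-TemplateFlags and Get-TemplateFindings and the sample template records are constructed for the example; the live query at the end requires the ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not PKI Spotlight's own code): evaluate the two template checks
# from the page using the template's LDAP attributes.
# Flag bits per MS-CRTD:
#   msPKI-Certificate-Name-Flag : CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  ("Supply in the request")
#   msPKI-Enrollment-Flag       : CT_FLAG_PEND_ALL_REQUESTS         = 0x2  ("CA certificate manager approval")
#   msPKI-Enrollment-Flag       : CT_FLAG_PUBLISH_TO_DS             = 0x8  ("Publish certificate in Active Directory")
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002
$CT_FLAG_PUBLISH_TO_DS             = 0x00000008

function Test-TemplateFlags {
    # Hypothetical helper: returns one finding record per template.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $NameFlag,        # msPKI-Certificate-Name-Flag
        [Parameter(Mandatory)] [int]    $EnrollmentFlag   # msPKI-Enrollment-Flag
    )
    $suppliesSubject = ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ($EnrollmentFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $publishesToDS   = ($EnrollmentFlag -band $CT_FLAG_PUBLISH_TO_DS) -ne 0

    [pscustomobject]@{
        Template                       = $Name
        # Check 1: enrollee supplies the subject and no CA manager approval is required
        SupplyInRequestWithoutApproval = ($suppliesSubject -and -not $needsApproval)
        # Check 2: enrollee supplies the subject and the certificate is published to the user's AD object
        SupplyInRequestWithDSPublish   = ($suppliesSubject -and $publishesToDS)
    }
}

function Get-TemplateFindings {
    # Hypothetical helper: live query of every template in the forest (needs the ActiveDirectory module).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag' |
      ForEach-Object {
        Test-TemplateFlags -Name $_.Name `
            -NameFlag ([int]$_.'msPKI-Certificate-Name-Flag') `
            -EnrollmentFlag ([int]$_.'msPKI-Enrollment-Flag')
      } |
      Where-Object { $_.SupplyInRequestWithoutApproval -or $_.SupplyInRequestWithDSPublish }
}

# Constructed sample records (not taken from any real forest) so the checks can be run offline.
$samples = @(
    @{ Name = 'Auto-Subject';     NameFlag = 0x40000000; EnrollmentFlag = 0x00000020 }  # subject built from AD; autoenroll
    @{ Name = 'Supplied-NoApprv'; NameFlag = 0x00000001; EnrollmentFlag = 0x00000000 }  # flagged by check 1
    @{ Name = 'Supplied-Approvd'; NameFlag = 0x00000001; EnrollmentFlag = 0x00000002 }  # approval required: not flagged
    @{ Name = 'Supplied-DSPub';   NameFlag = 0x00000001; EnrollmentFlag = 0x00000008 }  # flagged by both checks
)
$samples |
  ForEach-Object { Test-TemplateFlags -Name $_.Name -NameFlag $_.NameFlag -EnrollmentFlag $_.EnrollmentFlag } |
  Format-Table -AutoSize
```

Run as-is to see the four constructed samples classified; call Get-TemplateFindings on a domain-joined host to list only the templates that trip either check. Note that a template can be flagged by check 2 even when manager approval is enabled, because the DSPublish check is about where the issued certificate ends up, not about who approved it.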
Connect With Us for Certainty in Security
If you’re ready to learn more about our essential solutions for your essential PKI, reach out today. Book time with one of our specialists to discuss your needs and how we can meet and exceed your business requirements.
CONTACT US
Email: hello@pkisolutions.com
Phone: +1 (971) 231-5523
Corporate Headquarters
5331 S. Macadam Ave, Suite 330
Portland, Oregon 97239