Written by: Matthew Burns
Per Microsoft, Active Directory Certificate Services (AD CS) is, “a Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.” In practice, the AD CS server acts as a certificate authority (CA) that issues certificates to objects in an Active Directory domain, and those certificates are then used for identification and authentication in the domain. Certificates created by the AD CS server are based on certificate templates that are stored on the server, and these templates define how a certificate can be used.
In 2021 SpecterOps published a whitepaper examining the abuse of AD CS. In this whitepaper, the authors discuss eight different vulnerabilities that could affect an AD CS server if it is misconfigured. These vulnerabilities range in impact, but each misconfiguration can be abused to obtain a certificate from a vulnerable AD CS server and achieve one of the following:
- User credential theft
- Persistence in the network
- Escalation of privileges
- Domain compromise
We have used several of the AD CS abuse techniques during our own internal network penetration tests to escalate our privileges to domain administrators from no domain credentials.
How can this be fixed?
So now that you know some of the potential attacks that a misconfigured AD CS could lead to, you are probably asking yourself, “How do I find and fix these issues?” While Microsoft has acknowledged the security issues with a misconfigured AD CS server, they have said the issues do not warrant the release of a security update. Because of this, the authors of the whitepaper stress that it is important for system administrators to familiarize themselves with the multiple misconfigurations that could affect an AD CS server.
Finding the problems
It may seem daunting to find every misconfiguration if you have many certificate templates. Fortunately, a number of tools can help identify misconfigurations in an Active Directory domain. Certify, created by SpecterOps, can be used to find misconfigurations on an AD CS server. All that is needed is to run the command below from a domain-joined host:
Once the command above is run, Certify will connect to the AD CS server and enumerate its configuration and how its templates are configured. Certify will then provide a report with the results of all AD CS misconfigurations found. The issues can then be remediated by following the specific advice in the SpecterOps whitepaper.
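As an added example that is not part of the original post and is not Certify's own code, the PowerShell below shows what a template audit like the one Certify performs looks like when done by hand: it reads every certificate template from the Configuration partition and flags templates where the enrollee may supply the subject name, the certificate can be used for authentication, and no manager approval or authorized signature stands in the way. It assumes the ActiveDirectory RSAT module is installed and that the msPKI flag values and EKU OIDs in the comments are correct per Microsoft's schema documentation; it does not inspect who holds Enroll rights, which must be reviewed separately.

```powershell
# Added audit example (not the original post's code, not Certify): list AD CS certificate
# templates and flag the combination of settings that lets a low-privileged enrollee
# request an authentication certificate for an arbitrary subject.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit values from Microsoft's msPKI-* attribute definitions (assumed from the schema docs).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required

# Extended Key Usage OIDs that allow a certificate to authenticate to the domain.
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

$props = 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage'
Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        # Drop a null attribute so an absent EKU list becomes an empty array, not @($null).
        $ekus       = @($_.pKIExtendedKeyUsage | Where-Object { $_ })
        $supplies   = ($_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $signatures = [int]$_.'msPKI-RA-Signature'
        # An empty EKU list means "all purposes", so treat it as authentication-capable as well.
        $authCapable = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)

        [PSCustomObject]@{
            Template                = $_.Name
            EnrolleeSuppliesSubject = $supplies
            AuthenticationEKU       = $authCapable
            ManagerApproval         = $approval
            SignaturesRequired      = $signatures
            # True when every dangerous condition holds; review the template's Enroll ACL next.
            Review                  = $supplies -and $authCapable -and (-not $approval) -and ($signatures -eq 0)
        }
    } | Sort-Object -Property Review -Descending | Format-Table -AutoSize
```

A template marked Review is only exploitable if a low-privileged principal also holds Enroll rights on it, so pair this output with a check of each template's security descriptor before changing anything.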