Recently discovered Microsoft Windows AD CS configuration errors could give attackers account and domain control. Here's how to audit AD CS for vulnerable configurations. Credit: Thinkstock / Microsoft I read with interest about Active Directory Certificate Services (AD CS) misconfigurations and the risks they present to my network. Security firm SpecterOps have developed an audit toolkit, written in PowerShell and dubbed PSPKIAudit, and will release two offensive tools, Certify and ForgeCert, in early August during the upcoming Black Hat USA 2021 conference. However, I wanted to get a head start to see if my domain was vulnerable to attacks that could result in account or domain takeover.Steps to find AD CS misconfigurationsI followed these steps:With an elevated PowerShell prompt, install the Remote Server Administration Tools Certificate Services and Active Directory features with the command: Get-WindowsCapability -Online -Name "Rsat.*" | where Name -match "CertificateServices|ActiveDIrectory" | Add-WindowsDownload PSPKIAudit and extract it to the folder PSPKIAudit with the commands: cd PSPKIAudit Get-ChildItem -Recurse | Unblock-FileImport PSPKIAudit with the command: Import-Module .PSPKIAudit.psm1 You may need to add the -Verbose parameter as you might receive this message: “WARNING: The names of some imported commands from the module ‘PSPKIAudit’ include unapproved verbs that might make them less discoverable.” To find the commands with unapproved verbs, run the Import-Module command again with the -Verbose parameter. PS C:PSPKIAudit> Import-Module .PSPKIAudit.psm1 -Verbose For a list of approved verbs, type “Get-Verb”. You will then be alerted to verbs that are less discoverable.Run this command or export it to a .csv file to review your organization: Invoke-PKIAudit [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] It performs auditing checks for your existing AD CS environment, including enumerating various certificate authority (CA) and certificate template settings. Or you can merely type in Invoke-PKIAudit and review the output provided.How to remove unneeded certificate authority valuesThe output will also inform you if you have any leftover CA values that are no longer in your network. In my case, it flagged two servers that used to be in my Active Directory that provided certificate services in the network that were no longer in the network. These should be removed from the network as they no longer serve any purpose. It then flagged that a CA for a server on my network has a potentially vulnerable template. The good news in my case was that the main domain certificate had no issues. Rather other certificate templates for specialty servers had the issues. Two of these templates were ESC1 – Misconfigured Certificate Templates: Susan BradleyTo fix this:Right-click the affected certificate template in the Certificate Templates Console (certtmpl.msc)Select “Properties”.Remove the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag via “Subject Name” by unchecking “Supply in Request”. This prevents arbitrary SAN specification in the CSR. Unless alternate names are needed for this template, this is probably the best fix. Susan BradleyRemove the “Client Authentication” or “Smart Card Logon” EKUS via “Extensions” -> “Application Policies”. This prevents domain authentication with this template. Susan BradleyEnable “CA Certificate Manager Approval” in “Issuance Requirements”. This puts requests for this template in the “Pending Requests” queue that must be manually approved by a certificate manager. Susan BradleyIf any automation is connected with this template and you enable CA certificate manager approval, you may impact the automation and scripting in your network. Review the impact accordingly.Enable “Authorized Signatures” in “Issuance Requirements”, which forces CSRs to be co-signed by an enrollment agent certificate. This removes the ability for low-privileged users from enrolling in this template via “Security” and removing the appropriate enroll privilege. Again, review for automation or scripting that is reliant on this certificate that may impact your network operations.Certificates are a key part of a network infrastructure. With a CA, you can provide authentication and clients can request these certificates. Start by treating certificate authority servers in the same category as domain controllers. They should be limited as to who accesses them and what accounts they use to log in. If a certificate has been used maliciously in a breach, not only do you need to wipe the workstation and rebuild it but trace back all certificates issued to the user and revoke them in AD CS. If you feel your CA server has been compromised, consider your certificate authority compromised as well. It’s recommended to follow Microsoft’s guidance to rebuild and revoke all suspect certificates.Bottom line, review your Active Directory Certificate Services infrastructure and take the time to review if your existing infrastructure has been deployed using the current recommended security guidance. Related content news Iranian hackers harvest credentials through advanced social engineering campaigns Mandiant observed several malicious campaigns with threat actors impersonating journalists and harvesting the victim’s cloud environment credentials. By Shweta Sharma May 02, 2024 4 mins Hacker Groups Social Engineering news Dropbox Sign hack exposed user data, raises security concerns for e-sign industry The names and email addresses of those customers were also exposed who had never created an account with Dropbox Sign but had “received or signed a document through Dropbox Sign.” By Gyana Swain May 02, 2024 5 mins Data Breach news UnitedHealth hack may impact a third of US citizens: CEO testimony Despite paying a $22 million ransom in Bitcoin to regain access to encrypted files, the company cannot confirm whether copies of the data were made or published online. By Prasanth Aby Thomas May 02, 2024 4 mins Data Breach Ransomware Hacking news Most interesting products to see at RSAC 2024 Tools, platforms, and services that the CSO team recommends 2024 RSA Conference attendees check out. By CSO Staff May 02, 2024 6 mins RSA Conference Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe