Great article! I’d like to share a few notes to summarize my point of view:
• Only groups should appear in applied ACL/ACE entries, no direct user or machine accounts.
• "Supply in Request" should always be combined with "Manager Approval". Otherwise, at least restrict it to the specific machine or user groups that truly need it, and remove "Authenticated Users" or "Domain Users".
• The "Modify" permission should never be granted to non-privileged groups.
• "Enroll" permissions combined with "Subject Type = User" and "Client Authentication" should be closely monitored.
• If you have multiple Certification Authorities (CAs), split roles and templates, for example, one CA for machines, one for users, and maybe a dedicated one for critical servers. Avoid duplicating identical templates across all CAs, as this makes management harder.
• Finally, audit and perform forensic checks, especially on SAN fields for service accounts or privileged accounts (adminCount=1). Some certificates are sometimes issued to standard users without any alert; this often goes unnoticed by SOCs.
The PSPKI-Audit tool can really help with this analysis.
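As an added illustration (not part of the comment above, and not code from PSPKI-Audit or any other tool), the following Python checker applies the template-hygiene rules listed in the comment to certificate-template attributes. The LDAP attribute names and flag bits are the real ones for pKICertificateTemplate objects (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage); the ACL representation, the `subject_type` field, the privileged-group list and the two sample templates are constructed for the example, so in a real audit they would come from the Configuration partition instead.

```python
# Added example, not from the comment above: a small checker that applies the
# commenter's template-hygiene rules to AD CS certificate-template attributes.
# Real LDAP attribute names and flag values are used for the template object;
# the ACL representation, "subject_type" field and sample templates are
# constructed for illustration (a real audit reads them from AD, e.g. via PSPKI).

# msPKI-Certificate-Name-Flag bit: "Supply in the request"
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: "CA certificate manager approval"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# Extended key usage OID for Client Authentication
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"

# Broad groups the comment says to remove from enrollment on such templates.
BROAD_GROUPS = {"Authenticated Users", "Domain Users", "Domain Computers"}
# Groups treated as privileged for the "Modify" rule (site-specific assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "PKI-Admins"}


def audit_template(tpl):
    """Return a list of (rule, detail) findings for one template dict."""
    findings = []
    acl = tpl.get("acl", [])
    name_flags = tpl.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = tpl.get("msPKI-Enrollment-Flag", 0)
    supply_in_request = bool(name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(enroll_flags & CT_FLAG_PEND_ALL_REQUESTS)
    signatures = tpl.get("msPKI-RA-Signature", 0)
    client_auth = CLIENT_AUTH_EKU in tpl.get("pKIExtendedKeyUsage", [])

    enrollers = {a["principal"] for a in acl if "Enroll" in a["rights"]}
    modifiers = {a["principal"] for a in acl if "Modify" in a["rights"]}

    # Rule 1: only groups in the ACL, never direct user or machine accounts.
    for ace in acl:
        if ace["kind"] != "group":
            findings.append(("direct-principal", f"{ace['kind']} {ace['principal']}"))

    # Rule 2: "Supply in Request" must be paired with manager approval
    # (a required authorized signature also gates issuance, so it is accepted).
    if supply_in_request and not manager_approval and signatures == 0:
        findings.append(("supply-in-request-unapproved", "no approval or signature gate"))
        for group in sorted(enrollers & BROAD_GROUPS):
            findings.append(("broad-enroll", group))

    # Rule 3: "Modify" must never go to non-privileged groups.
    for principal in sorted(modifiers - PRIVILEGED_GROUPS):
        findings.append(("modify-non-privileged", principal))

    # Rule 4: Enroll + Subject Type = User + Client Authentication is worth monitoring.
    if client_auth and tpl.get("subject_type") == "User" and enrollers:
        findings.append(("client-auth-user-template", ", ".join(sorted(enrollers))))

    return findings


def audit_all(templates):
    """Audit a {name: template} mapping; returns only templates with findings."""
    report = {}
    for name, tpl in templates.items():
        found = audit_template(tpl)
        if found:
            report[name] = found
    return report


# Constructed sample templates (names, groups and accounts are fictional).
SAMPLE_TEMPLATES = {
    "WebServer-Approved": {
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication
        "subject_type": "Computer",
        "acl": [
            {"principal": "PKI-WebServers", "kind": "group", "rights": {"Enroll"}},
            {"principal": "PKI-Admins", "kind": "group", "rights": {"Modify", "Enroll"}},
        ],
    },
    "User-SupplyInRequest": {
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU],
        "subject_type": "User",
        "acl": [
            {"principal": "Domain Users", "kind": "group", "rights": {"Enroll"}},
            {"principal": "HelpDesk", "kind": "group", "rights": {"Modify"}},
            {"principal": "svc-deploy", "kind": "user", "rights": {"Enroll"}},
        ],
    },
}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_TEMPLATES).items():
        print(name)
        for rule, detail in found:
            print(f"  [{rule}] {detail}")
```

Run as-is, the first template produces no findings because "Supply in the request" is gated by manager approval and only groups hold rights, while the second is reported on every rule in the comment. Swapping the constructed `acl` entries for the real template ACLs (for example from PSPKI's `Get-CertificateTemplateAcl` output) turns this into a repeatable check to run after each template change.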