At CRSP we help customers to recover from different types of cyber security incidents. This means that we help more or less with wherever help is needed (from hardening AD and AAD, to restoring Exchange). However, there are some things which are crucial to not getting re-compromised and therefore we don't let our customers come online without: Securing and hardening Active Directory and all kinds of Azure resources.
During the last 1.5 years some papers and articles drew attention to risky misconfiguration of Active Directory Certificate Services (ADCS) and its potential for Active Directory (and Azure) dominance. Therefore, an essential part of our Compromise Recovery engagements deals with introducing unpopular measures like using PAWs (Privileged Access Workstations) or stopping unverified enrollment of certificates allowing custom subjects. The latter involves reviewing certificate template configuration and security settings in Active Directory. Please note that certificate templates are not the only aspect of securing ADCS, but the one we want to focus on in this article.
In short, certificate templates in Active Directory define which information an acceptable certificate request must include, how the request and the subject and/or Subject Alternative Names (SANs) are verified, and which accounts are allowed to request a certificate.
ITU-T X.509 recommendations define the role of a Registration Authority (RA) to complete the task of "identification and authentication of the subject of a public-key certificate to be issued by that certification authority".
ADCS preferably delegates the RA tasks to Active Directory but also provides an interface for so-called "custom Policy Modules", which allow to introduce an individual ruleset for certificate request verification, like block- or whitelists of subjects, comparison of subjects with DNS etc. Custom Policy Modules are available from third-party vendors, published on GitHub and of course you can create your own. Finally, you can verify subject and SANs in certificate requests manually.
Whatever you decide for, you MUST ensure that subject and SANs of every certificate request are verified properly before being issued.
Find an example of a combination of settings which allows domain dominance as soon as a single computer gets compromised in your forest below (assuming that a custom Policy Module is not in place):
Subject Name - Supply in the request |
Issuance Requirements – None |
Certificate templates with the "Supply in the request" radio button enabled are typically called "offline templates", because subject and SAN(s) cannot be verified against Active Directory | |
|
|
Permissions to Enroll this type of certificate | CA Certificate published to NTAuth Store in Active Directory |
|
Note: The screenshot above was taken on a computer with the ADCS RSAT tools installed: Press Start > Run > type pkiview.msc With Enterprise PKI highlighted > select Action from the top menu and choose Manage AD Containers…
|
With the above configuration of a certificate template and the CA published to the NTAuth Store in Active Directory, an attacker could simply request and enroll a certificate with a Domain Admin's or some VIP's User Principal Name as a SAN and immediately use the certificate to logon to Active Directory in the security context of this account.
The NTAuth store is an object in the Services partition of AD. CA certificates which are trustworthy for AD authentication are published to the NTAuth object and from there replicated to the Enterprise certificate store on all members of the AD Forest.
Smart card authentication or Windows Hello for Business (Key Trust or Certificate Trust) only work with the issuing CA certificate published to NTAuth. |
During Compromise Recovery, we typically don't have time to evaluate and acquire custom Certificate Policy modules from third-party vendors. As a quick and cheap alternative we enforce manual verification of pending certificate requests. Customers complained - with good reason – ADCS do not provide a handy tool to complete this task. As described above, it is crucial to precisely verify subject and SANs of certificate request submitted for an offline template. Find more details about certificate template security settings at https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/d....
This problem is now solved because my colleague Andreas Luy published a beautiful little tool on GitHub: GitHub - Bulgwei/CertMangement: Little Front End for ADCS to submit/retrieve/Issue and deny certific...
Some notes on the tool:
And finally, the "killer feature": The one-stop option to fully review certificate requests and finally issue or deny it:
One-stop verification of subject and SAN(s) of pending certificate requests:
We hope you enjoy the tool, and it makes your process of submitting and verifying certificate requests easier!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.