Forum Discussion
CertEnroll folder permission needs a change
Currently, we are using Windows Server 2019 for Certificate Services and as of now, this folder's permissions are set to "Everyone" as read-only. We wanted to change this permission to the "authenticated users". if would change this permission to "authenticated users" will this change breaks anything?
- The short answer is, "it depends".
If you're running the default configuration for the certificate authority then you will probably find your CRL distribution point is also nested under CertEnroll, and there's no good reason to restrict access to CRLs to authenticated clients, as that manifests in other - sometimes hard to identify - issues for non domain-joined machines needing to perform CRL checks.
Also, you have to consider that Enrolment Web Services (as distinct from Web Enrolment services) does not accept anonymous requests in any case, as per the first article below (under the "Authentication Method Considerations" heading). This means you wouldn't deliver any/many benefits even if you affected the change.
If you're looking to tighten up security on this service, have a read of the second and third links below, as this is more relevant.
https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
Cheers,
Lain
