Active Directory certificate services
Eric Maurer
Introduction to AD CS - from a security point of view.
The goal of this post is to provide a brief introduction to this complex, and frankly sometimes rather dry, but very important topic. We’ll cover some basic functionalities, what certificates look like and how they can be (ab)used.
AD CS can either be deployed as a standalone certificate authority (CA) or as a Enterprise CA. Standalone CAs do not have features like Certificate Templates and AutoEnrollment which makes them more likely to be used as Root and Policy CAs and they only issue certificates to other CAs. Enterprise CAs have features like certificate templates and autoenrollment which is, most of the time, crucial for enterprise environments. So, what are these features and how do they work?
Certificate Templates
can be seen as blueprints with predefined settings for certificates. The settings define things like What is the Certificate used for, Who can request a certificate, How long is the certificate valid and so on. Depending on the usage of a certificate the settings in these Blueprints can be adjusted.AutoEnrollment
allows clients (Users and Computers) to automatically request and receive certificates in an Active Directory domain based on predefined certificate templates.As mentioned, a Certificate has various fields with information on how and what the certificate will be used for. Let’s take a closer look at some of those Fields and the expected Values:
Serial Number
Identifier for a Certificate assigned by the Certificate AuthorityIssuer
Specifies who issued the certificate, normally a CAValid from
and Valid to
Specifies the date from which the certificate is valid until the certificate expires.Subject
Owner of the CertificateEnhanced Key Usages
also known as Extended Key Usages (EKUs) – Object identifiers (OIDs) describe what the certificate can be used for.The information which is included in the certificate binds an identity – the subject – to the key pair.
EKUs and OIDs relate to each other, basically an OID is a string of decimal numbers that uniquely identifies an object. For now, the EKUs that permit authentication to AD are interesting and we’re focusing on those:
EKU Value | OID |
---|---|
Client Authentication | 1.3.6.1.5.5.7.3.2 |
Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 |
Any Purpose | 2.5.29.37.0 |
More Information about OIDs in PKI can be found in this PKI Solutions Post.
After installing the AD CS role as an Enterprise CA, an administrator must first create and define certificate templates that are then published by Enterprise CA and made available to users and computers for enrollment. Without going into too much detail, a client can request a certificate only if it is allowed on the Enterprise CA as well as on the certificate template itself. More technical information about how these permissions are set can be found in the Whitepaper in the Chapter Certificate Enrollment.
If the permissions are granted and a client is allowed to request a certificate it can be done in different ways depending on the AD CS environment:
As an example: A User needs to manually request a new Certificate on his windows machine. The first step is to open the GUI, this can be done by typing certmgr.msc
(certlm.msc
for computer certificates) into the search pane in Windows. Open the Personal folder, right-click the Certificates folder and choose All Tasks, Request a new Certificate.
Now another wizard opens and all the published certificate templates, which the user is allowed to enroll in, are shown and can be enrolled. By default windows will then request the certificate using MS-WCCE.
The offensive techniques are divided into four different categories, based on the different attack technique identifiers from the whitepaper, Theft, Persistence, Escalation and Domain Persistence. The following table helps understand the differences between the Categories:
Technique | Description |
---|---|
Theft | Stealing, extracting, and exporting already issued machine or user certificates and private keys. This is done using Window’s Crypto APIs, DPAPI and PKINIT |
Persistence | Account persistence via authentication certificates for a user and/or computer |
Escalation | Domain escalation via vulnerable/misconfigured AD CS components. This includes misconfigured Certificate Templates, AD Objects and Certificate Enrollment options |
Domain Persistence | Possibility to achieve Domain Persistence via certificate forgery from either stolen CA private Keys, malicious Certificates, or misconfigurations |
To understand what kind of techniques these categories contain we will have a look at one of the Escalation possibilities if AD CS is misconfigured.
As mentioned in the Certificate Enrollment Chapter, several HTTP-based certificate enrollment interfaces are available, if they are installed. These HTTP interfaces are generally vulnerable against NTLM relay attacks. An attacker on a compromised machine could manipulate the Net-NTLMv2 authentication and impersonate any inbound-NTLM-authenticating AD Account, to gain access to certificate requests or perform other operations on behalf of the user. This could lead to security issues such as unauthorized access and the issuance of unauthorized certificates.
Let’s walk through a possible Attack where AD CS is vulnerable to ESC8:
Now, if the offensive Techniques are known it is a bit easier to protect against them. Will Schroeder and Lee Christensen already numbered and categorized these defensive techniques into preventative and detective measures. The Tool PSPKIAudit can be used to enumerate any misconfigured templates. After identifying any misconfigurations, it is highly recommended to dive deeper into the Defensive Techniques and follow the Defensive Guidance section to manage them accordingly. We won’t go into the different controls and how they are mapped to the offensive techniques, since thats well written in the whitepaper, but i quickly want to adress the preventative measure against the ESC8 vulnerability.
The most effective method to prevent the ESC8 vulnerability is to not enable the AD CS HTTP Endpoints in the first place. To enumerate which Endpoints are enabled and remove them, connect to the server, which is running the AD CS Role, open the Server Manager app and use the Remove Roles and Features Wizard.
If the Endpoints are necessary and it is not possible to remove them, these defensive measures against ESC8 could be considered.
Active Directory Certificate Services can become complex very quickly, it is not the easiest to implement and secure in most environments. All the different possibilities for how it can be configured, extended, and adapted for different Use-Cases make it hard to lock it down from a security point of view. The different certificate abuse techniques allow attackers to go from Credential Theft to domain persistence up to Domain Escalation rather fast. The mentioned tools Certify (AD CS Enumeration) and PSPKIAudit (Auditing AD CS) are great to enumerate any weaknesses in the infrastructure which can then be addressed. If not already happening, it is recommended to continously audit the AD CS environment and the certificate templates. To summarize: Not only the domain controllers need to be protected but also the CA servers, treat them like a Tier 0 System
Our experts will get in contact with you!
Eric Maurer
Our experts will get in contact with you!