Active Directory Certificate Services a big security blindspot

As the core of Windows enterprise networks, Active Directory, the service that handles user and computer authentication and authorization, has been well studied and probed by security researchers for decades. Its public key infrastructure (PKI) component, however, has not received the same level of scrutiny and, according to a team of researchers, deployments are rife with serious configuration mistakes that can lead to account and domain-level privilege escalation and compromise.

“AD CS [Active Directory Certificate Services] is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more,” researchers Will Schroeder and Lee Christensen from security firm SpecterOps said in a new report. “While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous.”

How AD CS works

AD CS is used to set up a private enterprise certificate authority (CA), which is then used to issue certificates that tie a user or machine identity or account to a public-private key pair, allowing that key pair to be used for different operations, such as file encryption, signing files or documents and authentication. AD CS administrators define certificate templates that serve as blueprints for how certificates are issued, to whom, for what operations, for how long and with what cryptographic settings.

In other words, as with HTTPS, a certificate signed by the CA is proof that the AD infrastructure will trust a particular public-private key pair. So, to obtain a certificate from AD CS, an authenticated user or computer generates a key pair and sends the public key, along with various desired settings, to the CA as part of a certificate signing request (CSR). The CSR indicates the user identity in the form of a domain account in the subject field, the template to be used to generate the certificate, and the type of actions for which the certificate is desired, which is defined in a field called pKIExtendedKeyUsage (EKU).

After performing a variety of checks, including whether the user is allowed to request a certificate and under which conditions, the AD CS server returns the certificate signed by the enterprise CA. Even at first glance, it is clear that the checks and validations performed by the server are critical. Otherwise, an attacker who gains code execution with the privileges of a local account, by exploiting some vulnerability or through malware, can simply request a certificate that allows authentication instead of dumping LSASS memory to extract account credentials, a common attack technique that defenders know well. Even worse, a certificate remains valid even if the account password is later changed because an account compromise is detected or suspected. This means authentication certificates can offer attackers much better persistence than credential theft.

Abusing AD CS misconfigurations

While this type of abuse of AD CS can be obvious to defenders, more subtle attacks stem from various certificate template configuration options or combinations of options and are quite common based on SpecterOps’ findings. “Since beginning this research, we have analyzed many networks for these AD CS misconfigurations,” Schroeder and Christensen said in a newly released white paper. “In nearly every network so far, AD privilege escalation has been possible using this technique, and low-privileged users (e.g., members of the “Domain Users” group) have almost always had the ability to immediately compromise the Active Directory forest.”
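The two risks described above (a low-privileged account obtaining a certificate it can log on with, and template settings that let the requester choose the subject name) can be checked for by auditing the template attributes that AD CS stores in the directory. The following is an added example written for this article, not code from SpecterOps or Microsoft; the attribute names and flag bits are the real ones on pKICertificateTemplate objects, while the template records are constructed to model typical values rather than read from a live domain.

```python
# Real LDAP attribute names and flag bits of pKICertificateTemplate objects.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag

# EKU OIDs that let a certificate be used to log on to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment rights granted to these groups mean every domain account can enroll.
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed sample records, shaped like an LDAP query of the template container.
TEMPLATES = [
    {"cn": "User", "enroll": {"Domain Users"}, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-Certificate-Name-Flag": 0xA6000000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    {"cn": "VPNAccess", "enroll": {"Domain Users"}, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "CodeSigning", "enroll": {"Domain Users"}, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"]},
    {"cn": "AdminOnly", "enroll": {"Domain Admins"}, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-Certificate-Name-Flag": 0x1, "pKIExtendedKeyUsage": []},
]

def allows_authentication(ekus):
    """An empty EKU list means the certificate is valid for any purpose."""
    return not ekus or bool(AUTH_EKUS.intersection(ekus))

def audit_template(t):
    """Classify one template: None, 'persistence' or 'impersonation'."""
    if not LOW_PRIV_GROUPS.intersection(t["enroll"]):
        return None  # only privileged principals can enroll
    if not allows_authentication(t["pKIExtendedKeyUsage"]):
        return None  # the issued certificate cannot be used to log on
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return None  # a certificate manager must approve each request
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return "impersonation"  # subject is not tied to the enrolling account
    return "persistence"  # any domain account can mint a logon certificate for itself

def audit(templates):
    """Map template name to its finding, omitting templates with none."""
    return {t["cn"]: r for t in templates if (r := audit_template(t))}
```

Run `audit(TEMPLATES)` to see that the default-style User template is flagged only for persistence, while VPNAccess is flagged for impersonation because the requester controls the subject.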

Copyright © 2021 IDG Communications, Inc.