As the core of Windows enterprise networks, Active Directory, the service that handles user and computer authentication and authorization, has been well studied and probed by security researchers for decades. Its public key infrastructure (PKI) component, however, has not received the same level of scrutiny and, according to a team of researchers, deployments are rife with serious configuration mistakes that can lead to account and domain-level privilege escalation and compromise.

“AD CS [Active Directory Certificate Services] is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more,” researchers Will Schroeder and Lee Christensen from security firm SpecterOps said in a new report. “While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous.”

How AD CS works

AD CS is used to set up a private enterprise certificate authority (CA), which is then used to issue certificates that tie a user or machine identity or account to a public-private key pair, allowing that key pair to be used for different operations, such as file encryption, signing files or documents and authentication. AD CS administrators define certificate templates that serve as blueprints to how certificates are issued, to whom, for what operations, for how long and what cryptographic settings they have.

In other words, like in HTTPS, a certificate that is signed by the CA is proof that the AD infrastructure will trust a particular public-private key pair. So, to obtain a certificate from AD CS, an authenticated user or computer, generate a key pair and send the public key along with various desired settings to the CA as part of a certificate signing request (CSR). The CSR will indicate the user identity in the form of a domain account in the subject field, the template to be used to generate the certificate, and the type of actions for which the certificate is desired, which is defined in a field…