One default configuration deemed problematic failed meet Microsoft’s ‘bar for a security update’

Common misconfigurations in Active Directory Certificate Services can allow attackers to steal credentials, escalate privileges, and achieve domain persistence, security researchers have found.

“In our experience, almost every Active Directory installation we’ve looked at over the last decade has had some kind of misconfiguration issue,” said Lee Christensen and Will Schroeder, Technical Architects at SpecterOps.

The researchers have detailed their findings in a comprehensive white paper (PDF) and a blog post, and will present them at this year’s Black Hat USA security conference.

Flexibility-complexity trade-off

Active Directory Certificate Service (AD CS) is a key component of Microsoft’s public key infrastructure (PKI). It works in concert with other AD services, including Domain Services and Certificate Authority, to manage certificates used in functions such as encryption, message signing, and authentication.

Active Directory has been designed to scale to the needs of organizations of various sizes, from single-office, single-domain start-ups with a few developers to large, multinational corporations with dozens of domains, regional offices, and hundreds of thousands of employees. This flexibility has made AD the directory service of choice for the vast majority of Fortune 1000 companies and government agencies.

However, AD’s flexibility comes with the trade-off of complexity. There are so many configurations and moving parts it is easy to get things wrong and create security holes.

Credential theft, domain persistence, and beyond

In their white paper, Schroeder and Christensen lay out several ways misconfigurations in AD CS can be abused for malicious purposes in three areas:

  • Credential theft by maliciously enrolling users and computers in certificates, and stealing existing certificates. According to the researchers, the credential theft scheme survives password changes and can bypass smart card authentication
  • Privilege escalation methods that allow attackers to become any user in the domain
  • Domain persistence attacks that allow attackers to log on as any Active Directory user

“These areas of research are not new, and no new vulnerability has been discovered, but no one has looked at all these AD CS issues holistically,” the researchers said. “Also, no one has covered offensive weaponization of these attacks, nor how to detect or defend against these issues.”


Catch up on the latest Microsoft security news and analysis


Given AD’s overarching control over the resources of organizations, abusing these vulnerabilities would allow attackers to access Exchange mailboxes, persist in compromised networks for years, distribute malware through companywide update policies, or compromise sensitive data, the researchers warned.

“We’re especially concerned about the potential impact to government and other organizations that heavily rely on certificates for user authentication (e.g., smart cards),” they said.

Is it a vulnerability?

There’s a bit of controversy over whether this is a problem that must be addressed by IT admins or Microsoft.

“There is nothing inherently insecure about AD CS,” the researchers said. “These misconfigurations are most likely the results of system administrators and IT enabling certain settings for other valid reasons without understanding the security implications of what they are doing.”

The researchers did, however, flag one of the default configurations as a serious security issue. They reported it to the Microsoft Security Response Center, but were told: “We determined your finding is valid but does not meet our bar for a security update release.” Microsoft further said the issue of concern has been detailed and addressed in a post on the MSRC blog.

“Based on our extensive experience assessing AD environments, we believe this is very bad. If you find you are vulnerable to this, consider contacting your nearest Microsoft representative and question them as to why this insecure default configuration is allowed,” the researchers wrote in their blog post.

The Daily Swig reached out to Microsoft for comments, but a spokesperson said the company has nothing further to add beyond what it said in the blog post.

The researchers have released PSPKIAudit, a free tool to audit AD CS for vulnerable configurations. Their white paper also contains instructions and guidelines for finding and fixing vulnerable AD CS configurations.


YOU MIGHT ALSO LIKE GitLab fixes serious SSRF flaw that exposed orgs’ internal servers