Microsoft AD Vulnerability: Temper Your Certificate Templates

June 29, 2021 | Guest Blogger: Bob Covello

Black Hat USA 2021 is taking place from July 31st through August 5th this year. As always, it promises to be filled with interesting and educational content. One presentation that is generating early attention focuses on a set of overlooked weaknesses in the way Microsoft's Active Directory Certificate Services (AD CS) is commonly deployed.

This talk is significant because the researchers, Will Schroeder and Lee Christensen, plan to release two tools that exploit the weaknesses they uncovered. Schroeder and Christensen are not merely trying to be thorns in every sysadmin's side: they have also developed an auditing tool that reveals whether your AD CS deployment is vulnerable.

Let's take a high-level look at what they discovered, what it means to you if you use AD Certificate Services, and one simple way to avoid the problem. The researchers have also released their full technical report for public consumption.

What was discovered

Schroeder and Christensen found that the certificate templates offered by AD CS can be misconfigured in ways that let an ordinary domain user obtain a certificate for a privileged account. A hasty change by an unwary Active Directory administrator is enough: an attacker who can enroll in such a template requests a certificate that names a Domain Administrator as its subject, and then authenticates to the domain with that certificate. The result is full Domain Administrator permissions for any domain user.

This revelation should be shocking, as it means that an attacker no longer needs to compromise an administrative account to gain full domain control. They only need access to any account on the domain, including a low-privileged user account with no special rights. Think about how easy that is to accomplish.

Why would anyone use the Certificate Services offered in Active Directory? As with all things, if a feature is deceptively easy to implement and is already part of a pre-packaged product such as Microsoft's Active Directory, the gravitational pull towards using it is overwhelming. The real question is, why would anyone alter a template and place it in a vulnerable state? One reason is the sheer reach of Active Directory.

Bigger Than Anticipated

The AD system can be used to administer a small network all the way up to a global enterprise. In some cases, setting up and configuring such a robust system can be challenging if not handled by an experienced, trained professional. To get a system functioning smoothly, a sysadmin may loosen a template in a way that looks harmless: allowing the requester to supply the subject name so that one template can serve many systems, or granting enrollment rights to Domain Users or Authenticated Users to stop a flood of help-desk tickets. When such a template also permits client authentication and does not require manager approval, that alone is enough to create the vulnerability. As Schroeder and Christensen point out, a certificate obtained this way stays valid until it expires, so the attacker keeps access to the account even if the affected user changes the account password.
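The following PowerShell is an added example, not code from the original post and not the researchers' own auditing tool. It reads the certificate templates published in the Configuration naming context (readable by any authenticated user) and reports those that combine the three conditions described above: the requester may supply the subject name, the template can be used for client authentication, and a broad group such as Domain Users or Authenticated Users has Enroll rights with no manager approval or authorized signature required. It assumes the RSAT ActiveDirectory module is installed and that the machine is domain-joined; the attribute names and flag values are the documented AD CS schema values, and the function and variable names are this example's own.

```powershell
# Added example: flag certificate templates that an ordinary domain user can
# enroll in while supplying an arbitrary subject name for an authentication EKU.
# Not the researchers' tool; a simplified check of the conditions the post describes.
Import-Module ActiveDirectory

# Documented AD CS schema flag values (MS-CRTD).
$ENROLLEE_SUPPLIES_SUBJECT = 0x1    # bit in msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2    # bit in msPKI-Enrollment-Flag: "CA certificate manager approval"

# EKUs that allow a certificate to be used to authenticate to the domain.
# An empty EKU list means "any purpose" and is treated the same way.
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-af6d-00c04f79dc55'

# Principals that effectively mean "everyone in the domain".
$domainSid   = (Get-ADDomain).DomainSID.Value
$LowPrivSids = @(
    'S-1-1-0',            # Everyone
    'S-1-5-11',           # Authenticated Users
    "$domainSid-513",     # Domain Users
    "$domainSid-515"      # Domain Computers
)

# Returns the name of a low-privileged principal that can enroll, or $null.
function Get-LowPrivEnroller {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $null
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable SID: ignore for this check
        if ($sid -notin $LowPrivSids) { continue }

        $rights   = $ace.ActiveDirectoryRights
        $isEnroll = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                    ($ace.ObjectType -in @($EnrollGuid, $AutoEnrollGuid, [guid]::Empty))
        $isFull   = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if ($isEnroll -or $isFull) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Find-DangerousTemplate {
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
             'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

    Get-ADObject -SearchBase $templatesDn -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        $t = $_
        $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -ne 0
        $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0
        $ekus    = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
        $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $_ -in $AuthEkus })
        $enroller = Get-LowPrivEnroller -Acl $t.nTSecurityDescriptor

        if ($suppliesSubject -and $authEku -and -not $needsApproval -and -not $needsSignature -and $enroller) {
            [pscustomobject]@{
                Template     = $t.Name
                EnrollableBy = $enroller
                EKUs         = if ($ekus.Count) { $ekus -join ', ' } else { '(none = any purpose)' }
            }
        }
    }
}

Find-DangerousTemplate | Format-Table -AutoSize
```

A template reported here is only exploitable if it is also published on an enterprise CA (the CA object's certificateTemplates attribute lists them), so check that before raising an alarm. The simplest fixes are to clear the "Supply in the request" option (the ENROLLEE_SUPPLIES_SUBJECT bit), to require CA certificate manager approval, or to restrict Enroll rights to the specific group that needs the template; after fixing, re-run the script to confirm the template no longer appears.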

Why Else Does This Matter

Schroeder and Christensen are not malicious hackers. Anyone who reads the report will see that they are serious, learned, and responsible researchers, seeking to improve security, not to harm anyone. Their report is well-organized, thorough, and highly technical. Why are they making this public? They are doing so because, like all responsible researchers, they realize that if they discovered this, so can someone else.

They also alerted Microsoft to their discovery, and Microsoft's response was essentially that this is not a problem it intends to correct, because the vulnerable state is not the default but the result of a misconfiguration. Microsoft has responded in similar fashion before, for example when a researcher found a multi-factor authentication bypass in Exchange Web Services.

Avoiding the Ghost in The Machine

Schroeder and Christensen’s upcoming presentation is sure to be a fascinating revelation of what can truly go wrong when something as powerful as Microsoft’s Active Directory is not administered or managed correctly.

One way for an organization to avoid such a problem is to use a Public Key Infrastructure (PKI) platform that helps you avoid costly and dangerous misconfigurations rather than leaving every template setting to hand-editing.

Many modern organizations need the security and trust of a private PKI, but lack the expertise, the architectural know-how, or the money to build their own iron-clad infrastructure. Venafi's Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed in any way you need, in conjunction with multiple Certificate Authorities, and with the options you need for security and traceability.

Let Venafi help you to solidify your Certificate Service implementation.


About the author

Guest Blogger: Bob Covello

Bob Covello is a 20-year technology veteran and InfoSec analyst with a passion for security topics.
