ADCS Hardening

AD Without Eternal Admin Rights

In network security, structure beats improvisation: clear paths, fewer privileges, and explicit trust boundaries.

For ADCS Hardening, privilege cleanup and trust hygiene deliver the greatest reduction in impact.

This limits not only the chance of incidents, but especially the scope and duration when something goes wrong.

Immediate measures (15 minutes)

• Start with MFA, least privilege, and tiering for admin accounts.
• Enforce segmentation and explicit firewall rules on critical paths.
• Embed logging, detection, and recovery testing as a structural operation.

Why this matters

The core of ADCS Hardening is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

Defense

Template hardening

The most important measure is checking every certificate template:

# Audit all templates for known vulnerabilities
.\Certify.exe find /vulnerable

# Or from Linux
certipy find -u admin@domain.local -p 'Password!' -dc-ip 10.0.0.1 -vulnerable

For each template, check:

1. Is ENROLLEE_SUPPLIES_SUBJECT needed? In 95% of cases, no. Disable it.
2. Who has enrollment rights? Restrict to specific groups, not Authenticated Users or Domain Users.
3. Is Manager Approval enabled? For sensitive templates, every request should be manually approved.
4. Is the EKU restricted? No Any Purpose. Only the specific key usages that are needed.

CA hardening

# Check if ESC6 flag is active
certutil -config "dc01.domain.local\domain-CA" -getreg "policy\EditFlags"

# Remove the ESC6 flag if active
certutil -config "dc01.domain.local\domain-CA" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

# Restart the CA service
net stop certsvc && net start certsvc

Configure Enrollment Agent Restrictions to limit which templates and target accounts Enrollment Agents may use.

Monitoring

Certificate enrollment events are a goldmine for detection, if you enable them:

Specifically monitor for: - Certificate requests with a SAN that differs from the requester - Use of templates that are normally not used - Enrollment Agent certificate requests - Changes to template configuration

Remediation checklist

A practical checklist for securing your ADCS environment:

[ ] Run Certify.exe find /vulnerable or certipy find -vulnerable
[ ] Document all found vulnerable templates
[ ] Per template:
    [ ] Is ENROLLEE_SUPPLIES_SUBJECT needed? If not, disable
    [ ] Are enrollment rights restricted to the right groups?
    [ ] Is Manager Approval enabled for sensitive templates?
    [ ] Is the EKU restricted to what is needed?
    [ ] Is msPKI-RA-Signature > 0 where needed?
[ ] CA level:
    [ ] Is EDITF_ATTRIBUTESUBJECTALTNAME2 disabled?
    [ ] Are Enrollment Agent Restrictions configured?
    [ ] Does the CA Web Enrollment have HTTPS + EPA?
    [ ] Is the CA key stored in an HSM?
[ ] Monitoring:
    [ ] Are Event IDs 4886-4889 enabled?
    [ ] Is there alerting on certificates with deviating SAN?
    [ ] Is there alerting on unusual template requests?
[ ] Organizational:
    [ ] Has an owner been designated for the PKI infrastructure?
    [ ] Are templates periodically reviewed?
    [ ] Is there a procedure for revoking certificates?

PKI best practices summarized

1. Audit your templates -- regularly, not once. Templates get copied, modified, forgotten.
2. Minimal rights -- enrollment only for those who need it.
3. Manager Approval -- for templates that issue identities.
4. No EDITF_ATTRIBUTESUBJECTALTNAME2 -- unless you have a very good reason, and "it was easier that way" is not a good reason.
5. Separate CA roles -- the CA administrator should not be the same person as the domain admin.
6. CRL/OCSP -- ensure that revocation actually works and is verified.
7. HSM -- store the CA private key in a Hardware Security Module, not on the server's hard drive.
8. Tier model -- the CA belongs in Tier 0, just like domain controllers. Treat it accordingly.
9. No Web Enrollment without EPA -- if you offer Certificate Enrollment Web Services, use HTTPS and enable Extended Protection for Authentication.
10. Documentation -- document every template: who created it, why it exists, who may enroll, and when it was last reviewed.

Practical validation of ADCS hardening

Validate ADCS hardening exclusively in an authorized test environment with defensive controls: template audits, permission checks, issuance restrictions, and logging verification.

The true madness

Let's pause and consider what we're seeing here. Active Directory Certificate Services is a fundamental component of the identity infrastructure of virtually every large organization in the world. It was designed to manage trust. And it is so complex, so poorly documented, and so easy to misconfigure that a single checkbox in a template wizard -- a checkbox that is checked by default in certain template types -- is sufficient to promote an attacker from helpdesk employee to domain admin.

Nobody understands PKI. That's not a joke -- it's an observation. I've asked system administrators, security officers, even people who manage the CA. "How do your certificate templates work?" is answered with a look that ranges from mild panic to existential crisis. They set it up. It works. Don't. Touch. It.

And that is precisely the problem. PKI is the foundation on which authentication, encryption, and trust are built. But because nobody understands it, nobody checks it. Because nobody checks it, it doesn't get patched. And because it doesn't get patched, it remains vulnerable for years. The "Certified Pre-Owned" paper described vulnerabilities that had existed since the introduction of ADCS. Not months. Years. Sometimes decades.

It's like a country that doesn't understand its constitution but still trusts it. Everyone assumes that someone else is keeping an eye on it. But nobody does. And one day someone comes along who actually reads the constitution, and discovers that there's a clause in it that says: "Whoever reads this gets to have the country."

In the next chapter, we cover persistence -- the art of staying, even when the defenders think they've kicked you out. Because the only thing worse than a burglar in your house is a burglar who never leaves.