
Hello everyone, I am Jake Hildreth. I am here to talk to you about Active Directory Certificate Services and why it is probably vulnerable in your network. I am a recovering systems administrator. What does that mean? Two months after I started working for Trimarc I thought to myself, maybe I should stand up an Exchange server at my house. So that's the kind of guy I am. I've been in the business for about 20 years. I started out in tier one support for a cable modem provider, so this is the Windows ME era; if you need to do an ipconfig release and ipconfig renew, I'm your dude. Then I moved on to a security-focused
consultancy, but back in 2003, 2004 that meant: do you have a firewall? Do you have antivirus? You're probably good. Since then I moved on to being a network administrator for a small municipality, and that meant I was responsible for anything with a wire, a chip, a screen, gobbledygook on that screen; I had to know it. That is really where I cut my teeth in Active Directory. When I joined, no one was really administering the Active Directory, and I kind of took it upon myself to figure it out. About a year ago I saw a tweet from one Sean Metcalf about, you know, if you're in ops and you
want to move into security, get at me. And I did, and a couple months later I was hired by Trimarc. So now I am an Active Directory security subject matter expert, and I perform AD assessments on all sizes of companies. The smallest one I've personally done has been about a thousand users; the largest one I've done is currently a hundred thousand users. So I've seen a lot. Most importantly though, I am a husband and a father, and that's pretty much what really defines me as a person.

So what are we going to talk about today? First off, we're going to do a very high level overview of PKI, I mean super high level, because we don't have a
week to talk about it, and I don't know that anyone really cares that much about it. Then we're going to delve into what makes Microsoft's implementation of public key infrastructure, also known as Active Directory Certificate Services, special, we'll just say. Then we're going to delve into three of the most common misconfigurations that I've seen. We started assessing ADCS about six months ago; in that time I've seen ten different environments, approximately, and we'll see what we've come across. Then three of the most dangerous misconfigurations that I've also encountered, and then we are going to talk about exactly how to remediate those issues and bring them into
compliance so you don't need to worry anymore about your ADCS. Then we'll just review it all, and I'll be announcing a tool at that point.

Before we go any further I just want to talk about prior research that's been performed. Last year the SpecterOps guys, Will and Lee, released a, I think it's 140 page, document talking about ADCS and all the holes involved, and a little bit on how to prevent or defend against things, but really not so much. So that's kind of what our focus is going to be here today: how can you fix the holes that exist in your ADCS environment quickly and easily.
We will primarily be talking about domain escalation, but we will also touch a little bit on persistence.
So what is a PKI? It's generally used to confirm the authenticity and identity of the entity that you are speaking to. Contrary to popular belief, it's not required for encryption, though it can be used as part of an encryption process. The way that I like to explain this is: when you visit a website with an expired certificate and they say, do you trust the certificate? Yes I do. Your connection is still encrypted, but you don't really know who you're talking to on the other side. So a PKI generally involves a mix of hardware, software, policies, procedures, templates, which we'll touch on a little bit later, and each of those has its own sets of
configuration issues that interact in really weird ways sometimes. Just like anything in security, it's the interactions really that cause the issues here. A bare minimum PKI is going to require only three things: a certificate authority that's trusted by everybody, and then two parties that want to talk to each other but do not trust each other. So this is what it looks like here. Benny wants to talk to Mellon, Mellon wants to talk to Benny. Mellon asks Benny, who are you? And Benny says, I'm Benny, here's my certificate that proves who I am, it's signed by the CA that you trust. And Mellon says, okay, I can trust you. But
who are Benny and Mellon? Because don't we normally talk about Alice and Bob in these? This is Benny. If I had to describe a cat as a red team cat, this is the red team cat. I mean, this dude is always getting into places he's not supposed to be, testing my authority, et cetera, et cetera. This is Mellon, and Mellon is, he's a user, we'll just say that.

So what makes ADCS so unique? Free, super easy to set up. I mean next, next, next, next, finish, we're secure, we're moving on, we never need to do anything. Why are we even here, Jake? What's going on? Well, there is no security guidance during the deployment of ADCS. They don't explain
what you're doing at all. And once you actually get it deployed it's not really any better. The user interface is pretty terrible; a lot of the configuration options are hidden and not shown in the UI. If you make changes that are insecure, you may see a warning about it, you may not. And most importantly, Microsoft provides you a bunch of templates, and those are secure by default. If you use the template as designed, especially if you upgrade the compatibility levels to the latest possible, they're secure, I'm happy with them. But you can make an insecure modification with no real effort.
So speaking of, what is a template? A template is just a group of configurations that defines who can request a certificate, who needs to approve that certificate, what the certificate can be used for. So those are used to make your administration of Certificate Services much more efficient and repeatable, the things we like to see. Unfortunately ADCS, it says it right in the name, relies on Active Directory, and we all know that Active Directory is pretty easy to secure, right? Right. And no one ever misconfigures it or maliciously modifies it. Nope, never. And all of the configuration for ADCS lives in AD. Most importantly though, certificates are not revoked when a user's
password is changed. A user is compromised, you go in, you change their password, you think everything's happy. If an attacker still has the certificate for that user that was compromised, they can continue to log in as that user until that certificate expires. Worst, it's everywhere. I mean, every environment that I have assessed since working with Trimarc has had some bit of ADCS that lives in their environment, and that's just a side effect of being free and easy to set up. So I totally understand why, but this is kind of what you expect. This graphic explains what you would expect to see from ADCS:
a completely separate environment. Certificate Services lives one place, Active Directory lives another. But in reality it looks much more like this, and that's really the problem here. Once you are able to use a certificate to get into an Active Directory environment, you then have earned the rights of that user and can continue: you've got a foothold, you can do your lateral movement if possible, you could do your escalations where possible. For example, let's go back to Benny and Mellon here. Benny compromises Mellon's account by phishing, or it's probably tuna fishing actually, and then steals that password. Mellon's IT staff recognizes that
the account has been compromised and resets the password. Like I said, Benny can continue to log in as Mellon until that certificate expires. This is particularly bad when the user that gets compromised is something like a former domain administrator or a former PKI administrator, and I'll dig into that a little bit in one of my most common misconfigurations. So just before we move on though: PKI is hard to secure. AD is hard, just hard. And then combining them, we're still discovering new ways to attack this.

So let's dig into the most common things that I've seen in the wild. Number one: insufficient auditing. I don't know why Microsoft chooses this,
but ADCS auditing is not enabled by default. There are so many different packages they do this with, and I just don't understand it. And if you have multiple CAs in your environment, this setting must be enabled individually on each CA. So what that means in reality is you've got seven CAs and six of them have auditing enabled; that seventh one is the one that attackers are going to hit, and they will be able to see quite easily that auditing is not available. But thankfully we can easily enable it via command line and script it. Another unfortunate thing is, depending on your usage of ADCS in your environment, it can be really noisy. I mean,
there are tons and tons and tons of events created. If you're only using it to, say, authenticate your DAs or something, no big deal, but if you're creating machine certificates and user certificates and VPN certificates, you're gonna have a tough time. So I'm not going to dig into event IDs that you're going to want to track in this talk, but we've got a few. That being said, like I said, I've not seen this configured in any environment at all, so if it's not configured in your environment please do not be ashamed, no judgment. Luckily it's pretty easy to re-enable it. You can just go into
the Certification Services MMC and enable auditing. Unfortunately there's a little more to it. Speaking of the scripted version, this is the scripted version, super easy: you just gotta enable the auditing and restart the service, no big deal. But then you also need to enable Certification Services auditing in Group Policy. This is one of the sub-policies, or more specific policies, also called advanced auditing, that were released in Server 2008. This should be applied, I'd probably say, with a GPO at your domain root, or at the OU that holds all of your certificate authority hosts. And last but not least, you need to enforce advanced auditing. So
in my role as an AD security assessor I've seen multiple organizations that set up all their advanced auditing properly and then do not enforce the advanced auditing. If you do not enforce the advanced auditing, those advanced auditing settings do not apply. So if you're doing your advanced auditing properly, this step is not necessarily necessary, but if you are doing it or not, go ahead and get this going.

Number two: single tier architecture. What does that mean? So in a public key infrastructure you can have a root CA that is the root of all of your trusts in your entire environment, and in a default configuration that's all you have. You've got your one
root CA. It assigns some certificates to all your various entities in your network and that's it. Unfortunately this is not secure. This should not be used for production by Microsoft's guidance, but they don't mention that when you're doing your next, next, next, finish at all. You have to dig into separate documentation in order to figure out that this is not production, and there is no implication, again, when you step through your next, next, finish installation, there is no implication of what you are actually doing. Thankfully the only places that I've found this have been smaller environments that do not have a dedicated security staff. I think once you bring in that first security guy
they say, nah, we're doing two tiers minimum. This is what it looks like. I mean, you've got your one certificate authority, it's handing out your certificates, but when your CA host is compromised you're going to have to go around and touch every single device that has that CA as a trusted root for your environment, and unless you have like three machines in your network, that's going to be a pain. So let's remediate that. Let's actually take a step back first: do you really need AD-integrated PKI? Are you using it in that fashion? The few single tiers that I saw had an ADCS environment stood up, but
they weren't using it. It was just sitting there with gaping holes in it. So really consider that. If you do decide, at least build a two-tier PKI: we've got a root CA, we've got one or multiple CAs that actually issue certificates. Two tiers is probably fine for most people, but if you've got an especially highly distributed environment it's kind of difficult to do it with just two tiers, so three tiers might make more sense. That root CA should be completely disconnected from AD, which means it is built in standalone mode: not domain joined, does not communicate with AD, lives offline, generally doesn't even have a network card installed, et cetera.
The only time that you would bring that online is to create new intermediate CAs or to update the revocation list that the root CA is publishing, and then of course updating the OS occasionally, but since it's offline and powered down you could do that at a much slower pace than normal. And when possible, please use an HSM or a TPM or a vTPM to protect those keys; that makes them much more difficult to grab. And then your subordinate CAs are the ones that actually issue certificates to your users and your computers. Those will be in enterprise mode, those will be Active Directory integrated.
To go ahead and build a two-tier CA, I've done this, I followed PeteNet's guidance start to finish. It's great. I might make some configuration changes now to it, but for playing with, for starting your first two-tier PKI, it's perfect. And just so we can see what this looks like: we've got our root CA and our other CAs. Now that first CA gets popped, it is compromised. Instead of having to go through and touch all of your computers, you can bring the root CA online and revoke the certificate that is assigned to the compromised CA. The other CA will pick up and do some work on behalf of the
compromised one, and you don't have to go around to every single computer and touch them all. And I'm lazy, so that sounds better to me.

Now we're going to get into things that are a little more Active Directory centric, I would say, and this non-standard ownership is fairly common. When I say fairly common, I mean I've seen it in every environment that we've tested. When an AD object is created, the creator becomes the owner, and that's important because an owner of an AD object can set any permissions on that object that they want, regardless of how the access control list is set. So that means even if they say, you know,
Authenticated Users, deny write, whatever, if I own that object, own that template, I can modify it exactly to how I want it to be. So again, when I get compromised, guess what, you can go and find all of my templates that I created and modify them to your specifications, up to and including allowing yourself to request a certificate on behalf of your domain admin or your domain controller. The few places that I have seen this have been probably mid-size organizations that have implemented account tiering and never went back to clean up all of the objects that were created before their account tiering went into place. For example,
in my lab, jhildreth1234 was formerly a domain administrator, creates some templates, gets them pushed out, and then a few years later Jake Hildreth admin is created, and jhildreth1234 still maintains control of this particular object. So jhildreth1234 clicks on a phishing email about Mario Kart being released, and now the attacker owns that specific object. So, pretty easy to fix fortunately. We just need to reset your ownership to known safe owners: Domain Admins, Enterprise Admins, the domain Administrators group. If you've created some specific PKI admin groups for your environment, those are all perfect owners. What we prefer is definitely Enterprise Admins, and that is mainly
because Enterprise Admins should be kept empty unless you're actually using it. So, y'all are keeping your Enterprise Admins empty, correct? I do not believe you. So luckily, again, pretty easy to find. We look through and find, we define what we want as our safe owners, and you can modify this to yourself. Oh, I am including all of these snippets on my GitHub, which I will link to again later. I'll probably get this posted on the Trimarc hub, got the approval from the boss, where you could go and grab all of these snippets to find and remediate your own environment. So we just look through, we define who your safe owners are, and find
all the objects in the Public Key Services container that do not match that. In my lab I had six. If I have a small number like six, I'm probably just going to go through and remediate those by hand, that shouldn't take too long. But if you're over that, that's probably my limit, I've got some code here to go through and reset all the ones with bad owners, reset all of those to Domain Admins. Pretty simple. So that wraps up the common misconfigurations. Just as a review, that's no auditing, a single tier configuration, and non-standard ownership of those objects.

Now we get to move into the fun stuff, and by fun stuff I mean things that will
take like two steps at worst, one step, to compromise your domain. First one, kind of related to the last one: overly permissive ACLs. The problem with this one, or why I deem it more dangerous, is because typically, instead of it being a single user that is assigned these dangerous ACLs, it's more assigned to groups, which then obviously opens up the attack surface. Low privileged users should have no write access on anything in the Public Key Services container, and really the Everyone group shouldn't be able to do anything in that container, and we'll go ahead and say, you know, Anonymous, and yes, too, because yeah. The few times that I have found this
it is related to a template that was created for testing and just never got cleaned up later. It's got a name like Copy of Web Server Test, or User Authentication Dev, or something like that, so obviously not in use, you probably can just delete that one. So this is what it looks like, fairly simple here. I'm going to give you an example of how this would be attacked. First off, an attacker compromises the admin's daily driver account, and then they go ahead and enumerate that container that I showed you, the PKS container, and they find a template created years ago. Basically the template says, if I
request a certificate using this template I get it back in my name, but because your attacker has write access to that template they can go ahead and modify that and say, I want to request a certificate in the name of someone else. So I'm going to go ahead and request it as a domain admin, and like we discussed earlier, once you've got that domain admin cert, you've got domain admin until the certificate expires. Thankfully, again, pretty easy to find. We go through, we define who the safe users of these templates are, we define what some dangerous rights are that unsafe users, yeah, that's the word I want, unsafe users should not have, and then
we just kind of work through the entire container and find all the templates that match that configuration. In my lab I only had a couple. Unfortunately the code that I've given you as written will spit out things like, you know, that your CA has rights over templates; your CA should have rights. So you're going to want to go through this and just kind of manually clean up whatever is found in that code. And what that basically does is just takes and unchecks that write option for the unsafe users.

Now we get into the really fun stuff, and by really fun I mean one step. This is
one step. Like we discussed earlier, templates contain basically a set of configurations that define who can request a certificate, what it can be used for, who the certificate is for, and is approval required for the certificate to actually be created. Those last two are important because in many, many instances these certificates are created where just a standard user can request a certificate on behalf of any other entity in the environment without any approval, up to and including domain admin and domain controller. And I have found this exact specification in eight of the ten environments that I've assessed,
so it's out there, and it's just low hanging fruit at this point. This is what it would look like if you were to actually dig into how the template is configured: Domain Users can enroll, the template is used for client authentication, the requester can supply in the request an alternative name for the certificate, and no one is required to approve that certificate. Earlier I was talking about bad user interface and bad guidance from Microsoft, and this is one of the more frustrating warnings. If you set these four configurations, this is the warning you're gonna get. Read that last sentence: combining these certificate options may create a
security risk and is not recommended. I don't know if they could soften that any more. I mean, this is a security risk and should not be completed, is how I would rewrite that. So how is this attacked? It's pretty similar to the last one here. User gets phished, attacker scans the PKS container. SpecterOps actually released a tool shortly after their talk last year called Certify that will do all this automated for you. There are a lot of built-in utilities, dsquery and then Get-ADObject etc., that you can use without having to download and compile Certify on the box, but it will scan through and find all of the vulnerable
templates for you. So once they find one that's vulnerable like this, what do you do? Request DA, of course. And if this one sounds familiar to y'all, Mandiant actually posted on Thursday about our good buddies APT29 putting this one into use, so it's for real now. Thankfully it's really easy to find, a little complex to fix depending on your specific situation, but still really easy to find. What we're doing here, we're just saying I'm looking for certificates that are used for client authentication, that can set an alternative name, and that do not require approval. Again, in my lab, three,
no big deal, go through and modify them as needed. The options that I like for remediating this: number one, you could just go ahead and remove the ability for the enrollee to request a different name on their certificate. Unfortunately there are some valid use cases where one entity will need to request on behalf of another entity. This is what it does: it changes "supply in the request" to "build from Active Directory information", so that way you cannot request an additional name. So the one that I prefer for remediation would be requiring manager approval. What this does is an entity can request a
certificate on behalf of someone else, but when they do, someone will need to actually go into the Certification Services MMC and actually say, yes, I approve the certificate to be created. It's just a nice little stopgap to prevent anything from being privilege escalated without any knowledge. All that does is check the box that says CA certificate manager approval. There are some other ways that you can resolve these: the number of authorized signatures, changing who can enroll in the certificate to make it a tighter group, et cetera, but these two solutions are pretty good.

So now we move on to the last
misconfiguration. So imagine we took misconfiguration number two and just assigned it to all the templates, just said, all the templates, you can assign your own name, it's fine. Well, let me introduce you to the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. This one, basically regardless of how the template is configured, you are able to assign an alternative name to the template. Manager approval will still take place, so if you've got manager approval on your certificates, cool. Unfortunately manager approval really impacts a lot of workflows and things like computer certificates and user certificates that are used for day-to-day use.
So, like I said, previous issue, much worse. And much like the auditing, it's configured on every single CA separately. So again, you've got seven CAs, six of them are configured properly, that seventh one is not. A quick scan through the network can find which ones are not configured properly, and all of an attacker's work can be targeted at that misconfigured CA and you would never know. Thankfully this is pretty rare. I've seen it in two environments, and the two that I saw it in were both environments where they were in the middle of moving from one PKI to another PKI, so thankfully not a huge deal. In both cases the solution was,
okay, we're just going to speed up our decommissioning of these old CAs. This is what it looks like. It's a mess, I can't read that still. So how would you attack this? Much like the rest: phish the user. If we just eliminate this part we'd probably be good. And then there's no real scanning required by the attacker; it's just request a certificate with an alternative name, get yourself DA, simple as that. Unfortunately there are certain environments and software packages that require this to be set. They're very rare anymore, but if you have this specific flag set on all of your CAs,
disabling it is probably going to break stuff, so by all means test. If it's only set on a subset, so you've got your six that have it properly set and then your seventh has the flag set, you're probably going to be fine to just disable that flag and move on. But again, test, can't say that enough. You may have some weird configuration that I am not aware of, and that's totally fine. Super easy to find this if it's set: run certutil, which is kind of the Swiss Army knife of old school certificate administration. If you run the specific command it'll tell you exactly all the flags that are
set, and with a description. Unfortunately it doesn't really explain a lot of what those flags do, but if you see this specific flag, be vigilant and go ahead and move on to unsetting it. So you just need to unset that flag. Again, because this is just a simple single command, super easy to script, you just need to find all your CAs and unset the flag, not a huge deal.

So that is pretty much it. We're gonna do a little wrap up here. Active Directory Certificate Services is incredibly easy to set up, and I'm not gonna lie, it's very useful. I mean, if you need to do VPN authentication
or machine authentication or smart cards, there's just a lot of things that it can be used for. But it is so easy to screw up right now, and with Microsoft letting Active Directory kind of die on the vine, I don't foresee any changes in user interface to help, I don't foresee any changes in making it harder to screw up your own configurations. So instead let's just focus on remediating things. Like I said earlier: do you really need Certificate Services? Are you only using one or two certificates in your entire environment? If so, outsource those; there are plenty of third-party PKIs that you can implement that will serve that
purpose for you. But if you're going to move to a two or three tier PKI, if you already have ADCS, you're using it, you know that you need it, etc., get your auditing enabled immediately. Probably less than five minutes per CA to track down and fix. Then we're going to go ahead and move on to those two that I mentioned at the end, those most dangerous ones. They should be pretty easy to fix, and once you do that you're going to be a hell of a lot better off than you were prior. Then we're going to go ahead and fix up your access controls and your
ownership. Once that's done you're probably good. I say probably because who knows. And this one, most importantly: you need to protect your CA hosts. Every environment that I've seen, the CA hosts are just living in some generic servers OU, and they've got some people that have permissions over them that shouldn't, and that sort of thing. These are just as powerful as your domain controllers; protect them like such. Limit the logons to just Domain Admins or your PKI admins, move them into a top level OU, which limits the amount of inheritance issues that you may run across, make sure that the GPOs that you assign
to that specific OU are completely separate from your domain controllers, are completely separate from your domain root, just CA specific, we'll say that. And treat your PKI admins like tier zero as well. I would go far enough to say that your PKI admins should be a completely separate set of users. Just like you've got your tiering for your domain admins and your regular users, you should have PKI admins separate from domain admin, separate from regular user accounts. So I know it seems like a lot of work to kind of bring everything correct, and I often have this feeling. Thankfully I'm already working on putting a tool
together called Locksmith that will go through your environment, find these well-known misconfigurations, and then either provide you a report where you can remediate them on your own, or provide you the code so you can fix it specifically for your environment, or just fix it, just easy button, boom, we'll do that. And if you would like to help out with coding Locksmith, by all means go visit my GitHub. The code snippets that I showed you will all be available there so you can start auditing your own environment. Locksmith currently has a README markdown file, so there's a little work to go on there.
And then feel free to email me. I love to talk AD security, and I'd love to assess your AD if you really want me to. Probably the best way to get hold of me honestly is Twitter, so there I am, dot dot horse. It's very weird, but a little bit of infosec fun. I'd love to connect with you on LinkedIn as well, but I probably won't get to it for a few days. And last of all, I just want to say thanks to Will Schroeder and Lee Christensen and the rest of the PKI wizards that have provided the shoulders for me to stand on. I wouldn't know any of this stuff
without them. Another thanks to Sean Metcalf and Brandon Colley, who reviewed all of my slides and made sure that my presentation flowed correctly, and the rest of the Trimarc team, we've got Tyler and Daryl over there [Laughter], and actually everybody in Trimarc is super supportive and everybody helped me out with my dress rehearsal. And then of course my wife for listening to me, and my daughter, because she actually helped me come up with the explanation with Bella, or Mellon, and Benny. So many thanks to her. And resources, if you want to dig in a little deeper: I highly recommend reading Certified Pre-Owned. It is dense, but it will
change your Certificate Services world. I don't know, that's all we've got. Any questions? [Applause]
Say that again, I didn't hear the beginning of it.
Okay.
I haven't dug into that at all, I must admit. Anybody else? No? Okay, I'm out. [Applause]
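The talk describes five checks that the speaker scripted but whose snippets are not reproduced on this page: non-standard ownership and overly permissive ACLs on objects in the Public Key Services container, templates that let a low-privilege enrollee supply the subject for a logon-capable certificate without approval, the per-CA audit filter, and the per-CA EDITF_ATTRIBUTESUBJECTALTNAME2 flag. The PowerShell below is an added, read-only example written for this page; it is not one of the speaker's GitHub snippets and not Locksmith code. It assumes the RSAT ActiveDirectory module, a domain-joined host with read access to the Configuration partition, certutil reachability to each enterprise CA, and a dedicated "PKI Admins" group (an assumed name; change it for your forest). It reports findings and, for the per-CA checks, prints the certutil remediation the talk describes rather than applying it.

```powershell
# Added example (not one of the speaker's snippets and not Locksmith code):
# a read-only PowerShell sweep for the misconfigurations covered in the talk.
# Assumptions: RSAT ActiveDirectory module, a domain-joined host with read access
# to the Configuration partition, certutil reachability to each enterprise CA,
# and a dedicated "PKI Admins" group (an assumed name; change it for your forest).
Import-Module ActiveDirectory

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$pksDN   = "CN=Public Key Services,CN=Services,$cfgNC"
$netbios = (Get-ADDomain).NetBIOSName

# Owners treated as safe: Enterprise Admins (preferred), Domain Admins,
# the domain's Administrators group, or the assumed PKI admin group.
$safeOwners = @("$netbios\Enterprise Admins", "$netbios\Domain Admins",
                'BUILTIN\Administrators', "$netbios\PKI Admins")

# Low-privilege principals that should hold no write rights in the container.
$unsafePrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                      'NT AUTHORITY\ANONYMOUS LOGON', "$netbios\Domain Users",
                      "$netbios\Domain Computers")
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Certificate-Enrollment extended right, and EKU OIDs that allow logon.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$logonEkus  = @('1.3.6.1.5.5.7.3.2',      # Client Authentication
                '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
                '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
                '2.5.29.37.0')            # Any Purpose

$findings = New-Object System.Collections.Generic.List[string]

# --- Non-standard ownership and overly permissive ACLs on every PKS object ----
$objects = Get-ADObject -SearchBase $pksDN -SearchScope Subtree -Filter * -Properties nTSecurityDescriptor
foreach ($obj in $objects) {
    $sd = $obj.nTSecurityDescriptor
    if ($safeOwners -notcontains $sd.Owner) {
        $findings.Add("[OWNER] $($obj.DistinguishedName) is owned by $($sd.Owner)")
    }
    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $unsafePrincipals -contains $ace.IdentityReference.Value -and
            $ace.ActiveDirectoryRights -match $writeRights) {
            $findings.Add("[ACL] $($obj.DistinguishedName): $($ace.IdentityReference) has $($ace.ActiveDirectoryRights)")
        }
    }
}

# --- Templates where a low-privilege enrollee names the subject for logon, unapproved ---
$tplProps  = @('msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
               'pKIExtendedKeyUsage', 'nTSecurityDescriptor')
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pksDN" `
             -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $tplProps
foreach ($t in $templates) {
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0        # CT_FLAG_PEND_ALL_REQUESTS
    $signatures      = [int]$t.'msPKI-RA-Signature'                         # authorized signatures required
    $ekus            = @($t.pKIExtendedKeyUsage)                            # empty EKU list means any purpose
    $logonCapable    = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $logonEkus -contains $_ })
    # Enroll right (or all extended rights, or GenericAll) granted to an unsafe principal?
    $lowPrivEnroll = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $unsafePrincipals -contains $_.IdentityReference.Value -and
        ($_.ActiveDirectoryRights -match 'GenericAll' -or
         ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
          ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)))
    }
    if ($suppliesSubject -and -not $managerApproval -and $signatures -eq 0 -and $logonCapable -and $lowPrivEnroll) {
        $findings.Add("[TEMPLATE] $($t.Name): enrollee supplies subject, logon EKU, no approval, low-privilege enroll")
    }
}

# --- Per-CA checks: audit filter and the EDITF_ATTRIBUTESUBJECTALTNAME2 flag --
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pksDN" `
       -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName
foreach ($ca in $cas) {
    $config   = "$($ca.dNSHostName)\$($ca.Name)"
    $auditOut = (certutil -config $config -getreg CA\AuditFilter 2>&1) -join "`n"
    $audit    = if ($auditOut -match 'AuditFilter REG_DWORD = \S+ \((\d+)\)') { [int]$Matches[1] } else { 0 }
    if ($audit -ne 127) {
        $findings.Add("[AUDIT] ${config}: AuditFilter=$audit, expected 127 (certutil -config `"$config`" -setreg CA\AuditFilter 127; restart CertSvc)")
    }
    $flagsOut = (certutil -config $config -getreg policy\EditFlags 2>&1) -join "`n"
    if ($flagsOut -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
        $findings.Add("[EDITFLAG] ${config}: EDITF_ATTRIBUTESUBJECTALTNAME2 set (certutil -config `"$config`" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; restart CertSvc)")
    }
}

$findings
```

Run it from an account that can read the Configuration partition; an [AUDIT] line showing 0 for a CA you cannot reach means certutil failed, not that auditing is off, so check that CA by hand. Ownership is reset the way the talk describes, by taking the object's ACL from the AD: drive, calling SetOwner with the chosen group, and writing it back with Set-Acl; the Group Policy side of auditing (the Certification Services subcategory and enforcing advanced audit policy) is not something this script can see and still has to be verified in your GPOs.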