Active Directory Certificate Services (AD CS) is one of the most powerful — and most overlooked — components in a Windows enterprise. It underpins smartcard authentication, LDAPS, VPN auth, device identity, and more. Unfortunately, because of its power, threat actors often use it as part of their privilege escalation process. Protecting AD CS quickly becomes a priority: it is one of the areas that sysadmins most often set up once and then forget.
When AD CS is properly secured, it strengthens identity security.
When it’s misconfigured, it can allow full domain compromise — often without touching a password.
If you’re securing Active Directory but ignoring AD CS, you’re leaving a Tier 0 system exposed.
Why AD CS Is So Dangerous When Misconfigured
SpecterOps’ research in Certified Pre-Owned fundamentally changed how we view enterprise PKI. The takeaway was simple but alarming:
Misconfigured certificate templates can allow low-privileged users to escalate to Domain Admin — legitimately.
Attackers don’t “hack” PKI.
They abuse it.
Common misconfigurations include:
- Certificate templates allowing Client Authentication
- “Supply in request” enabled (allowing arbitrary SAN values)
- Overly broad enrollment permissions
- Templates that allow enrollment agent functionality
- Weak ACLs on templates or the CA itself
In many environments, these conditions already exist.
Tools like Certify (SpecterOps) and Certipy (widely used in red/blue team engagements) make it trivial to enumerate vulnerable templates and demonstrate exploitability.
If a standard domain user can request a certificate that authenticates as a Domain Admin, you don’t have a password problem — you have a PKI problem.
Treat AD CS as Tier 0
If your CA can issue authentication certificates, it is a Tier 0 asset. Full stop.
Hardening starts with architecture:
- Offline Root CA (non-domain joined, powered on only when needed)
- Enterprise subordinate CA for domain issuance
- Restricted administrative access (separate admin accounts)
- No casual RDP access
- No shared admin credentials
Compromise of the CA private key equals permanent trust compromise.
Lock Down Certificate Templates
Most AD CS privilege escalation paths originate at the template level.
Review every template and answer:
- Who can enroll?
- Does it allow Client Authentication?
- Is “Supply in request” enabled?
- Does it require manager approval?
- Can the requester specify Subject Alternative Name (SAN)?
If users can request a certificate with arbitrary SAN values and that template supports authentication — that’s a direct escalation path.
Remove enrollment permissions from Authenticated Users unless absolutely required.
Use security groups for controlled issuance.
Enable Proper Auditing
By default, many environments don’t properly monitor certificate activity.
Enable auditing for:
- Certificate requests (Event ID 4886)
- Certificate issuance (Event ID 4887)
- Template changes
- CA configuration changes
A simple detection strategy:
Alert when:
- The requester differs from the certificate subject
- High-value accounts request certificates
- Unusual authentication templates are used
Black Hills InfoSec outlines strong detection strategies around correlating request and issuance events. This is low-effort, high-value telemetry.
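As an added illustration of the correlation described above (not code from the original post or from Black Hills InfoSec), this Python sketch pairs 4886 and 4887 records by RequestId and raises the three alerts listed in this section; the event records, the high-value watchlist and the template allowlist are constructed assumptions.

```python
import re

# Constructed sample records shaped like Security events 4886 (request received) and
# 4887 (request approved, certificate issued). Real data comes from the CA's Security log.
SAMPLE_EVENTS = [
    {"id": 4886, "request_id": 101, "requester": "CORP\\jsmith",
     "attributes": "CertificateTemplate:User"},
    {"id": 4887, "request_id": 101, "requester": "CORP\\jsmith",
     "attributes": "CertificateTemplate:User", "subject": "CN=jsmith,OU=Staff,DC=corp,DC=local"},
    {"id": 4886, "request_id": 102, "requester": "CORP\\jsmith",
     "attributes": "CertificateTemplate:VPN-Users\nSAN:upn=administrator@corp.local"},
    {"id": 4887, "request_id": 102, "requester": "CORP\\jsmith",
     "attributes": "CertificateTemplate:VPN-Users\nSAN:upn=administrator@corp.local",
     "subject": "CN=administrator"},
    {"id": 4886, "request_id": 103, "requester": "CORP\\da-admin",
     "attributes": "CertificateTemplate:LegacyWebServer"},  # no 4887 yet: still pending
]
HIGH_VALUE_ACCOUNTS = {"corp\\da-admin", "corp\\administrator"}  # assumed watchlist
EXPECTED_TEMPLATES = {"user", "machine", "vpn-users"}  # assumed allowlist of auth templates


def bare_name(principal: str) -> str:
    """'CORP\\jsmith', 'jsmith@corp.local' and 'CN=jsmith,OU=...' all reduce to 'jsmith'."""
    cn = re.search(r"CN=([^,]+)", principal, re.I)
    principal = cn.group(1) if cn else principal
    return principal.split("\\")[-1].split("@")[0].strip().lower()


def review_requests(events):
    """Pair 4886/4887 records by RequestId and return [(request_id, reason), ...]."""
    by_request = {}
    for ev in events:
        by_request.setdefault(ev["request_id"], {})[ev["id"]] = ev
    findings = []
    for rid, pair in sorted(by_request.items()):
        req = pair.get(4886) or pair[4887]
        attrs = req.get("attributes", "")
        template = next(iter(re.findall(r"CertificateTemplate:(\S+)", attrs)), "")
        if req["requester"].lower() in HIGH_VALUE_ACCOUNTS:
            findings.append((rid, f"high-value account {req['requester']} requested a certificate"))
        if template and template.lower() not in EXPECTED_TEMPLATES:
            findings.append((rid, f"unexpected template {template}"))
        issued = pair.get(4887)
        if issued:  # only an issued certificate carries a Subject to compare against
            me = bare_name(issued["requester"])
            names = {bare_name(issued.get("subject", ""))}
            names |= {bare_name(v) for v in re.findall(r"(?:upn|email)=(\S+)", attrs, re.I)}
            others = sorted(n for n in names if n and n != me)
            if others:
                findings.append((rid, f"issued identity '{', '.join(others)}' differs from requester '{me}'"))
    return findings
```

Request 102 is the case the section warns about: a standard user's request was issued with an administrator identity in both the Subject and the supplied SAN.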
Validate Your Environment with Certify and Certipy
You don’t need to guess whether you’re vulnerable. Numerous tools exist to help ensure you’re protecting Active Directory Certificate Services.
Use Certify and Certipy. Run them from a low-privileged domain account in a controlled assessment to enumerate:
- Vulnerable templates
- ESC attack paths (ESC1–ESC13)
- Misconfigured enrollment rights
- Dangerous EKU combinations
If these tools return exploitable paths, attackers can find them too.
I recommend incorporating AD CS assessment into:
- Annual security reviews
- Pre-audit hardening
- Purple team exercises
- M&A due diligence
Treat it like BloodHound for PKI.
Remove What You Don’t Use
Reduce attack surface:
- Disable Web Enrollment if unused
- Remove deprecated templates
- Remove old subordinate CAs
- Clean up unused certificate authorities from AD
- Protect CA private keys (HSM preferred)
The less exposed, the better.
Final Thoughts on Protecting Active Directory Certificate Services
Active Directory security conversations often focus on passwords, LAPS, or privileged groups.
But AD CS can silently undermine all of that.
A misconfigured template can bypass MFA.
It can bypass password policies.
It can provide persistent access long after credentials are rotated.
If you secure Active Directory, secure AD CS.
Treat your PKI like the identity infrastructure it is — because attackers already do.
