Over the past few months, we’ve noticed a concerning pattern at CERTAINITY:
In almost 75% of our internal Active Directory penetration tests, we were able to exploit weaknesses in Active Directory Certificate Services (ADCS) and ultimately compromise the entire domain.
The alarming part? Most of these vulnerabilities are well known. Some have had documented mitigations available for more than five years, yet they continue to appear regularly in modern enterprise environments.
What is ADCS?
Active Directory Certificate Services (ADCS) is Microsoft’s Public Key Infrastructure (PKI) solution for managing digital certificates.
These certificates establish trust between users, computers, and services. They enable secure authentication, encrypted communication (such as HTTPS and email encryption), and digital signatures.
In short, ADCS forms the foundation of trust within a Windows Active Directory environment.
Why Misconfigured ADCS Is So Dangerous
If ADCS is improperly configured, attackers may be able to:
- Issue their own certificates
- Impersonate privileged users, including domain administrators
- Intercept or manipulate encrypted communications
- Ultimately gain full control over the Active Directory environment
This is exactly what we observed during our recent assessments—in three out of four organizations.
Common Misconfigurations We Encounter
- Insecure Certificate Templates
→ Standard users are allowed to request certificates while specifying arbitrary identities.
This enables attacks such as ESC1, where an attacker requests a certificate for a privileged account, including a Domain Administrator.
- Insecure Web Enrollment Services
→ Certificate requests are processed through web enrollment portals that are often not protected by HTTPS.
This exposes them to NTLM relay attacks (ESC8).
Excessive Permissions
→ Service accounts or administrators frequently have unnecessary permissions on the Certification Authority, increasing the attack surface.Insufficient Monitoring
→ Certificate requests and certificate issuance are often not monitored.
As a result, malicious certificate abuse frequently goes completely undetected.
A Typical Attack Chain
- The attacker exploits an insecure certificate template or vulnerable web enrollment service.
- They request a certificate on behalf of a privileged user.
- They authenticate to the Domain Controller using the issued certificate.
- Result: Complete compromise of the Active Directory domain.
How to Protect Your ADCS Environment
Review Your Configuration
→ Remove obsolete or unused certificate templates.
→ Grant Enroll permissions only to clearly defined security groups.
→ Enforce HTTPS for Web Enrollment Services.Harden Your PKI
→ Separate Root and Issuing CAs (e.g. an Offline Root CA architecture).
→ Apply the principle of least privilege to administrative permissions.
→ Prefer modern authentication mechanisms such as Kerberos over NTLM wherever possible.Enable Monitoring
→ Enable auditing for certificate requests and certificate issuance.
→ Configure alerts for suspicious enrollment activity.
→ Continuously monitor certificate events using your SIEM platform.Test Regularly
→ Conduct regular Active Directory and ADCS penetration tests.
→ Have your ADCS configuration reviewed by experienced external specialists.
→ Always assess ADCS within the broader Active Directory context, including NTLM, Kerberos, relay attacks, and privilege escalation paths.
Conclusion
ADCS is often overlooked—but it is one of the most security-critical components in an Active Directory environment.
If misconfigured, it can provide attackers with everything they need to compromise your entire enterprise network.
Our recommendation is simple: Regularly assess your ADCS environment or include ADCS as part of a comprehensive Active Directory penetration test.
Across Austria, we continue to encounter organizations that believe their Active Directory environment is secure—until an assessment proves otherwise.
If you’d like to strengthen the security of your Active Directory and PKI environment, our experts are here to help.
