Changing security on an AD CS template


Mike Leone

Dec 19, 2025, 4:00:27 PM
to NTSysAdmin
So we had a pentest done, and we got dinged for a couple things in our AD CS environment.

The template "PHAUserCertificateTemplate" is vulnerable to ESC4 by any member of the "Domain Users" group.

- So I opened up certserv, and went to "Manage template". And in the security of the above referenced template, it did have "Domain Users" with WRITE access. So I unchecked that. That should be all I need, right? I don't have to duplicate the template and create a new one, with a slightly different name?

It also has "Authenticated Users" with the same rights as Domain Users (Read, Enroll, Autoenroll), so I'm not sure I need to have Domain Users there at all. Can I remove Domain Users, in this scenario, since I already have Authenticated Users with those rights?

We also got dinged for

The CA “DCTRCERT002” appears to be vulnerable to ESC8.

This seems to be an NTLM relay attack, if I'm reading it correctly? So I would need to turn off NTLM completely? I'm not sure if that would break anything. Is there anything else I can do to alleviate this? I'm reading

network defenders can disable NTLM authentication using GPOs or configuring the associated IIS applications to only accept Kerberos authentication. If organizations cannot remove the endpoints or outright disable NTLM authentication, they should only allow HTTPS traffic and configure the IIS applications to Extended Protection for Authentication.

My web enrollment isn't working (I dunno why, I've just been working around it), so I dunno if I can change the IIS settings on it ...

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
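As an added example (not code from this thread, nor from any tool it names), a read-only PowerShell audit for the two findings in the post above: it lists templates where broad groups such as Domain Users or Authenticated Users hold write-type rights (the ESC4 condition), and reads the CertSrv web enrollment application's IIS settings for the two ESC8 mitigations quoted (HTTPS only and Extended Protection for Authentication). It assumes the RSAT ActiveDirectory module, that the second check runs on the CA itself with the WebAdministration module, and the default "Default Web Site\CertSrv" site and application names.

```powershell
# Added audit example (not from the thread or any tool it names): part 1 lists
# templates where broad groups hold write-type rights (ESC4), part 2 reads the
# CertSrv IIS settings for the ESC8 mitigations (HTTPS only, EPA). Assumes RSAT
# ActiveDirectory; part 2 assumes the CA host, WebAdministration, default names.
Import-Module ActiveDirectory

# Rights that let a principal rewrite a template's settings or its ACL.
$WriteRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'
# Broad principals that should hold only Read/Enroll/Autoenroll on a template.
$BroadGroups = 'Domain Users', 'Authenticated Users', 'Domain Computers', 'Everyone', 'Users'

function Find-TemplateWriteAccess {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' |
      ForEach-Object {
        $tpl = $_
        (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
          Where-Object {
            $ace   = $_
            $who   = ($ace.IdentityReference.Value -split '\\')[-1]   # drop the DOMAIN\ prefix
            $right = $ace.ActiveDirectoryRights.ToString()
            $ace.AccessControlType -eq 'Allow' -and $BroadGroups -contains $who -and
              ($WriteRights | Where-Object { $right -match $_ })
          } |
          ForEach-Object {
            [pscustomobject]@{
              Template  = $tpl.Name
              Principal = $_.IdentityReference.Value
              Rights    = $_.ActiveDirectoryRights   # WriteProperty on one attribute still merits review
            }
          }
      }
}

function Test-CertSrvRelayHardening {
    param([string]$Site = 'Default Web Site')   # assumed site name
    Import-Module WebAdministration
    $app = "IIS:\Sites\$Site\CertSrv"
    $ssl = [string](Get-WebConfiguration -PSPath $app -Filter 'system.webServer/security/access').sslFlags
    $epa = [string](Get-WebConfiguration -PSPath $app `
             -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection').tokenChecking
    [pscustomobject]@{
        RequireSsl         = ($ssl -match 'Ssl')   # 'None' means plain HTTP is still accepted
        ExtendedProtection = $epa                  # expect 'Require'; 'None' or 'Allow' leaves relay open
        Hardened           = ($ssl -match 'Ssl') -and ($epa -eq 'Require')
    }
}

Find-TemplateWriteAccess | Format-Table -AutoSize; Test-CertSrvRelayHardening
```

Any row from the first function is a template whose settings a broad group can rewrite, which is what the ESC4 finding describes; disabling NTLM itself is a GPO setting and is not read here.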

Kurt Buff

Dec 19, 2025, 4:12:55 PM
to ntsys...@googlegroups.com


Mike Leone

Dec 22, 2025, 9:32:55 AM
to ntsys...@googlegroups.com
On Fri, Dec 19, 2025 at 4:12 PM Kurt Buff <kurt...@gmail.com> wrote:

Thanks, but my boss doesn't like us downloading software from the internet, especially for security scans.

Thanks. I have a hard time understanding all this, seems like a large data dump of concepts, and not a lot of "Check this setting, turn that off" etc.

Michael B. Smith

Dec 22, 2025, 10:10:21 AM
to ntsys...@googlegroups.com

Jake Hildreth is a Microsoft MVP and works for Semperis as a Principal Security Consultant, one of the premier Windows security partners in the entire ecosystem.

If you want to cut off your nose to spite your face, well go for it!

Locksmith gives you exactly what you are asking for “check this, turn this on, turn that off”.

Mike Leone

Dec 22, 2025, 10:20:06 AM
to ntsys...@googlegroups.com
On Mon, Dec 22, 2025 at 10:10 AM Michael B. Smith <mic...@smithcons.com> wrote:

Jake Hildreth is a Microsoft MVP and works for Semperis as a Principal Security Consultant, one of the premier Windows security partners in the entire ecosystem.

If you want to cut off your nose to spite your face, well go for it!


It's not me, that's what he says. I trust the word of you guys. I'll see if I can download it anyway ...

Locksmith gives you exactly what you are asking for “check this, turn this on, turn that off”.


I asked my computer security guy (yes, we actually have one now) if he could download it, but he says he still has 3 days left on a Nessus trial, and doesn't want to mix software. Especially since the pentest that flagged the vulnerability was using Nessus, he says.