Microsoft’s Active Directory is at the core of the Windows enterprise networks system. This system takes care of authenticating and authorizing individual users and computers seeking to access a network system. As such a key part of the network, there have been plenty of reports on the security and potential gaps in the security of this service.
Microsoft’s Active Directory Certificate Services platform, however, has not had the same amount of analysis and study, leaving it rife with potentially serious security weaknesses. Microsoft’s Active Directory Certificate Services is Microsoft’s PKI implementation, which provides digital security features for organizations.
In this article, we will take a look at what Microsoft Active Directory Certificate Services do and how they work. Then we will investigate the security vulnerabilities and weak spots presented by these services. And finally, we will explore how to mitigate these cybersecurity risk factors.
How Do Active Directory Certificate Services Work?
Active Directory Certificate Services, or AD CS, provide services that allow users to customize their Public Key Infrastructure certificates. Public Key Infrastructure, or PKI, can be used for a variety of digital security purposes, including encryption, digital signatures, emails, user authentication, electronic documents, and messaging. AD CS provides the services for organizations to create and manage their specific PKI certificates.
Active Directory Certificate Services support several applications. These applications include Internet Protocol Security, or IPSec, Encrypting File Systems, or EFS, Virtual Private Networks, or VPNs, secure wireless networks, Network Access Protection, or NAP, and smart card logins, among other applications.
Active Directory can be integrated with CRM (customer relationship management) apps and systems, making it a popular choice for merchants. Small businesses often look for a CRM that comes with critical features such as ticketing systems, AI-powered automation, encryption, security, and advanced app integration. Since Active Directory can easily be integrated, it is a popular choice for providing directory and security structures for CRM apps.
Installing AD CS can be a costly endeavor, as it requires not only pricey overheads on the hardware itself, but also installation, deployment, and ongoing maintenance by an expert team.
Here’s how Active Directory Certificate Services work. First, they are used to establish a private enterprise CA (Certificate Authority). Then the CA is used to produce certificates that link a specific account, user, or machine identity to a particular public-private key pair. That key pair can then be used for distinct functions and operations. These actions can include signing documents, encrypting files, and authentication, among others.
Administrators of the AD CS servers create templates for these certificates. The templates act as outlines for future users, detailed maps that guide how to issue certificates, who to issue them for, what operations they can certify, how long these certifications will last, and which encryption settings they will contain.
The AD CS systems are similar to HTTPS in that the certificate authority provides validation that the Active Directory system can accept any specific public-private key pair. An authenticated computer or user must acquire a certificate from AD CS, create a public-private key pair, and send that key pair to the Certificate Authority, alongside any settings preferences and specifications.
All of these steps form part of the certificate signing request or CSR. The identity of the authenticated user or computer submitting the request is listed as a domain account. The CSR includes this user identity domain account, the specific template being used for the requested certificate, and a list of the kind of actions that the certificate will be used for.
Cybersecurity Weaknesses in Microsoft’s Active Directory Certificate Services
A recent report released by cybersecurity analysts has revealed that Microsoft AD CS often includes configuration mistakes that can have deeply damaging consequences. The high frequency of configuration mistakes means that AD CS servers are becoming a frequent target of hackers seeking access to private accounts and hidden domains.
Cross-site scripting attacks or XSS attacks can occur in the Active Directory Certificate Services when Web Enrollment fails to fully sanitize specific user inputs, so that input is stored in a secure database without passing through sufficient testing. Beyond XSS and cross-site scripting attacks, this unsanitized input can directly cause SQL injection attacks. In this type of cyberattack, a bad actor can directly interfere with any queries applications make to their databases, injecting instability and insecurity into data-driven applications.
According to recent studies, 60% of customers today prefer using their phones to communicate with small businesses. If that business uses an AD CS with a security weakness, then receiving user input via a customer smartphone is liable to be cracked open to expose that customer’s sensitive data.
So how serious are the security risks?
While AD CS is not automatically installed in every Active Directory server, it is used widely across enterprise and industrial environments. This means there are huge amounts of potential damage caused by security breaches as a direct result of misconfigured certificate services in the AD CS systems.
In a persistent 2021 attack, for example, a hacker group using a technique known as “FoggyWeb” mounted sustained attacks on Active Directory servers that had been compromised. They used this continuous access to steal data, receive code from within the servers, and implement these malicious codes, causing damage and mayhem.
How to Mitigate Active Directory Certificate Services Weaknesses
Microsoft’s security team has published a number of specific methods to mitigate Active Directory Certificate Services weaknesses from within the system servers. Microsoft recommends first and foremost disabling HTTP and enabling EPA on all Active Directory Certificate Services servers. Microsoft then suggests enabling Require SSL and disabling NTLM authentication wherever that is a feasible option. Disabling NTLM authentication on the Windows domain controller can do a lot of damage control.
Users should also block connections created by the directory certificate that connect with arbitrary hosts and services. A well-functioning directory certificate will only begin to connect with certifiable recipients, such as other directory certificates, or hosts that have been pre-authorized as vital for that specific communication. Any outbound connections must be limited to hosts and services at tier 0 if the domain uses tiering.
In addition to bolstering security from within the AD CS servers, organizations can implement several external security patches to boost overall security. Organizations can use Auto Enrollment Gateway, or AEG, to provide additional layers of security at every endpoint in the network. AEG can fill security gaps and add extra levels of user and computer authentication, to account for any possible cybersecurity oversights and weak points in the AD CS system.
While Microsoft’s Active Directory Certificate Services can provide useful features, such as encryption, digital signatures, file storage, messaging, email, and authentication, the servers have exhibited frequent misconfigurations. These misconfigurations present critical gaps in cybersecurity that will need to be addressed by developers.
In the meantime, users can mitigate the effects of these inherent cybersecurity weaknesses by disabling HTTP and enabling EPA, as well as blocking directory certificate connections to arbitrary hosts. In addition, users can use Auto Enrollment Gateway to provide extra layers of robust security, shoring up security gaps and providing stronger end-to-end encryption and authentication.