Security researchers and technical architects from SpecterOps have found that almost every Active Directory installation they have looked at over the last decade has had some kind of misconfiguration issue. And misconfigurations can lead to security issues, such as privilege escalation methods.
The researchers have written a paper (pdf) about Active Directory Certificate Services (AD CS) to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system. They will also present this material at BlackHat USA 2021.
Active Directory Certificate Service
Countless organizations around the world use Windows Server as the base for their IT infrastructure. Many of them also use Public Key Infrastructure (PKI) for their authentication needs. For example, PKI is used for certificate based authentication, securing web servers (SSL), and in digital signatures for documents.
Active Directory Certificate Services (AD CS) is the server-functionality that allows you to set up PKI so it can provide the public keys, digital certificates, and digital signatures for your organization. All these things can be obtained in other ways, but the big advantage for large organizations is that AD CS can do this on a large scale. This is mainly because the Active Directory Domain Service, that has all the relevant information about each member of the domain, is linked to the AD CS and allows it to use that information.
Abusing AD CS
In their paper, the researchers lay out three areas where misconfigurations in AD CS can be abused for malicious purposes:
- Credential theft that can survive password changes and can bypass smart card authentication.
- Privilege escalation methods that allow attackers to act as any user in the domain, including their privileges.
- Domain persistence attacks that allow attackers to log on as any Active Directory user, so they can use their privileges at any time.
As you can see the researchers have really focused on user authentication and how to perform certificate-based authentication.
The paper provides a lot of details and many scenarios to achieve one or more of the above malicious purposes, which can really help a cybercriminal to infiltrate an organization’s network and provide the means for lateral movement once inside the network. It is beyond the scope of this post to go into those details, but I can recommend to read the paper to those interested in the gritty details (142 pages).
The researchers are the first to admit that while there is nothing inherently insecure about AD CS, it is hard to configure in a secure way. Many misconfigurations can be explained by system administrators and IT staff enabling settings for valid reasons, but without a complete understanding of the security implications that come with changing that setting.
An example form the paper:
“There is a GPO (Group Policy Object) setting titled “Allow certificates with no extended key usage certificate attribute” whose documentation makes it sound like you need to flip this switch to allow certificate authentication with the All Purpose EKU (Extended Key Usage), Client Authentication EKU, or no EKU in modern environments. However, this is a client side setting only. An older description for this GPO that states that it affects which smart card-based certificates will show up on a logon screen, which matches the behavior we’ve seen.”
Anyone that has ever worked with Windows GPOs will recognize how hard it sometimes is to work out what the effect of changing a setting will be. Let alone how it will influence security in conjunction with other settings.
The researchers have decided to hold off on presenting any tools that can be used for offensive purposes until their presentation at BlackHat.
“We believe that the issues described in the paper are severe and widespread enough to warrant a delay in the offensive tool release.”
This gives those that are vulnerable some time to fix their issues and security providers to implement protection based on the IOCs/Yara rules that the researchers have published for their tools Certify and ForgeCert.
In response to this paper Microsoft has issued a blog post that details how recent Extended Protection for Authentication related updates can help safeguard authentication credentials on the Windows platform. This includes actions to change a default configuration that was flagged by the researchers as a serious security issue. Microsoft has indicated it has no plans to change this default configuration as part of an update, so system adminsitrators and IT staff are advised to do this themselves.
If you are curious about the security of your own AD CS settings, the researchers have released a tool called PSPKIAudit that performs an audit of AD CS for vulnerable configurations. Their paper also contains instructions and guidelines for finding and fixing vulnerable AD CS configurations.