ADCS (I): concepts
AD CS: Key Concepts
This entry outlines the fundamental concepts behind Active Directory Certificate Services (AD CS) and its critical role in Windows security. Understanding these concepts is essential for securing certificate-based authentication and managing the domain’s trust infrastructure.
1. AD CS as an Internal PKI
AD CS implements an internal Public Key Infrastructure (PKI) to issue, validate, and manage digital certificates for users, computers, and services within a Windows domain. Because certificates issued by AD CS are trusted across the entire domain, any compromise in AD CS can have widespread repercussions.
2. Integration with Active Directory
AD CS is tightly integrated with Active Directory. Certificate templates, enrollment permissions, and attributes (like UPN and SID) are managed via AD, directly linking certificate issuance to domain account privileges.
3. Chain of Trust and CA Roles
AD CS typically operates within a hierarchical model—a Root CA (often kept offline for security) and one or more subordinate CAs that issue certificates for everyday operations. Control over a subordinate CA can allow an attacker to issue certificates trusted by the entire domain.
4. Certificate Templates and Extended Key Usages (EKUs)
Certificate templates define the structure, validity, and allowed usages of certificates through settings such as Extended Key Usages (EKUs). Overly permissive templates or misconfigured EKUs can lead to unauthorized certificate issuance for impersonation or privilege escalation.
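As an added example (not code from the original entry), the following PowerShell audit reads every certificate template from the Configuration partition and reports the combination the paragraph above warns about: the requester may supply the subject name, the template carries an authentication-capable EKU (or no EKU restriction at all), and issuance needs neither manager approval nor an authorized signature. It assumes the ActiveDirectory RSAT module and a domain-joined session; the flag values come from the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag attribute definitions, and the EKU OIDs are the standard Client Authentication, PKINIT Client Authentication, Smart Card Logon and Any Purpose identifiers.

```powershell
# Added example, not part of the original entry: audit AD CS certificate
# templates for subject-supplied-by-requester + authentication EKU with no
# approval gate. Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Bit values taken from the msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag
# attribute definitions.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses the subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # "CA certificate manager approval"

# EKU OIDs that make an issued certificate usable to authenticate a principal.
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateContainer `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'displayName','msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag',
                'msPKI-RA-Signature','pKIExtendedKeyUsage'

foreach ($t in $templates) {
    # [int]$null evaluates to 0, so unset attributes are treated as "no flags".
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $raSigs     = [int]$t.'msPKI-RA-Signature'      # authorized signatures required
    $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

    $subjectFromRequester = ($nameFlag   -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval      = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    # An empty EKU list means the template is not restricted to any purpose.
    $authCapable = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })

    if ($subjectFromRequester -and $authCapable -and -not $managerApproval -and $raSigs -eq 0) {
        [pscustomobject]@{
            Template             = $t.displayName
            SubjectFromRequester = $subjectFromRequester
            ManagerApproval      = $managerApproval
            AuthorizedSignatures = $raSigs
            EKUs                 = if ($ekus.Count) { $ekus -join ', ' } else { '<none: any purpose>' }
        }
    }
}
```

Every template the script lists should either have the "Supply in the request" option removed, gain manager approval or a required signature, or have its authentication EKUs dropped. The script deliberately reports on template settings only; the enrollment ACL on each listed template (which principals hold the Enroll and Autoenroll rights) must be reviewed separately, since a permissive template only matters if low-privileged principals can enroll in it.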
5. Identity and Certificate-based Authentication
Certificates in Windows serve as alternative credentials to traditional usernames and passwords. If an attacker obtains a certificate impersonating a privileged account, they can authenticate as that account without knowing the password.
6. Autoenrollment and Automation
Autoenrollment enables devices and users to automatically enroll and renew certificates, streamlining certificate management. However, if misconfigured (e.g., overly broad permissions), it can lead to the widespread issuance of certificates that facilitate attacks.
7. Persistence and Lack of Visibility
Certificates often have long lifetimes and are not rotated as frequently as passwords. Additionally, certificate revocation processes may not be rigorously monitored, allowing compromised certificates to remain active.
8. An Overlooked Role
AD CS is typically configured during initial deployment and then seldom revisited. This neglect can allow outdated or insecure configurations to persist, increasing risk.
9. Interoperability with Other Services
AD CS underpins several services such as VPNs, S/MIME, Smart Card Logon, and Windows Hello for Business. Misconfigurations in AD CS can have cascading effects on the security of these integrated systems.
10. Difference Between “Having the Hash” and “Having the Certificate”
Unlike traditional attacks that rely on stealing password hashes, obtaining a valid certificate allows an attacker to impersonate a privileged account without needing its password, effectively bypassing conventional defenses.
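Sections 5 and 10 both describe the same defensive gap: a logon with a certificate looks, to most controls, like any other Kerberos logon. As an added example (not code from the original entry), the following PowerShell pulls event 4768 (TGT requested) from a domain controller's Security log and keeps only the requests whose pre-authentication type is 16 (PA-PK-AS-REQ, i.e. PKINIT), which is how certificate-based Kerberos logons appear on the DC. It assumes "Audit Kerberos Authentication Service" is enabled and that the session can read the Security log on the target DC; the field names (PreAuthType, CertIssuerName, CertSerialNumber, CertThumbprint) are those of the 4768 event data.

```powershell
# Added example, not part of the original entry: list Kerberos TGT requests
# that were pre-authenticated with a certificate (PKINIT) so that
# certificate-based logons can be baselined and unexpected ones investigated.
# Assumes Kerberos Authentication Service auditing is on and the caller can
# read the Security log of the domain controller named in -ComputerName.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768                             # A Kerberos authentication ticket (TGT) was requested
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # PreAuthType 16 = PA-PK-AS-REQ: the client proved possession of a
        # certificate's private key rather than a password-derived key.
        if ($d['PreAuthType'] -eq '16') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                ClientIP   = $d['IpAddress']
                Status     = $d['Status']          # 0x0 = ticket issued
                CertIssuer = $d['CertIssuerName']
                CertSerial = $d['CertSerialNumber']
                Thumbprint = $d['CertThumbprint']
            }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it periodically and compare the output with the set of accounts that are expected to use smart cards or Windows Hello for Business; a privileged account that suddenly logs on with a certificate from an issuer or template it never used before is the signal this section is about, and the serial number in the event is what you need to locate the certificate in the CA database and revoke it.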