Threat Hunting Team · Ananta Security Labs

Misconfiguration of Active Directory Certificate Services (ESC8) - A Critical Vulnerability

ESC8 is a critical vulnerability in Active Directory Certificate Services - ADCS - that can lead to a complete compromise of the domain. Here's how to protect against it.

Active Directory Certificate Services (ADCS) are a key component in many Windows infrastructures. However, improper configuration can introduce critical vulnerabilities, such as ESC8, which can allow an attacker to escalate privileges to Domain Administrator rights.

Understanding ESC8 and its Exploitation

ESC8 primarily relies on ADCS Web Enrollment. If this feature is enabled, clients can request certificates through an HTTP interface, and two further weaknesses turn that endpoint into an attack path:

  • Unsigned LDAP: without LDAP signing, attackers can tamper with authentication traffic and carry out NTLM relay attacks.
  • Coercion of the Domain Controller: an attacker can use coercion techniques to make a DC authenticate to a host they control, so that the DC's NTLM authentication can be relayed to the enrollment endpoint.

Once the vulnerability is exploited, the attacker can obtain a legitimate authentication certificate, use it to impersonate a privileged user, and, in the worst case, take full control of the domain.

How to Protect Against It?

There are several approaches to block this attack, and they do not all need to be applied at once. Some may have side effects, such as disabling NTLM.

🔹 Disable HTTP-based web enrollment

  • Access Server Manager on the AD CS server.
  • Disable Certificate Enrollment Web Service and Certificate Authority Web Enrollment.
  • Ensure that IIS services related to ADCS only accept secure HTTPS connections.

🔹 Disable NTLM if Possible

  • Apply Group Policies to restrict or block NTLM on critical systems.
  • Configure IIS to accept only Kerberos as the authentication method.

⚠️ Warning: Disabling NTLM across the entire domain may cause issues with certain applications. A testing phase is essential before global deployment.

🔹 Enable LDAP signing

  • Force the use of signed LDAP to prevent NTLM relay attacks.
  • Modify domain controller security policies to require LDAP server signing.

See Microsoft’s article here for advanced recommendations.

🔹 Enable Extended Protection for Authentication (EPA)

  • In IIS Manager, access the advanced Windows authentication settings.
  • Enable Extended Protection for Authentication (EPA) to block identity spoofing attempts via NTLM.
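As an added example (not code from the post or from Ananta Security Labs), the following PowerShell audit checks each mitigation above from the defender's side and reports which ones are in place. It assumes the WebAdministration and ServerManager modules are available on the host and that web enrollment lives at the default `Default Web Site/CertSrv` path; the DC-side checks only mean something when the script runs on a domain controller.

```powershell
# Added example: audit the ESC8 mitigations described above on an AD CS / IIS host.
# Assumes WebAdministration + ServerManager modules and the default CertSrv path.
Import-Module WebAdministration -ErrorAction Stop
Import-Module ServerManager -ErrorAction Stop

function Test-Esc8Mitigations {
    param([string]$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv')  # assumption: default vdir

    $findings = [ordered]@{}

    # 1. Web enrollment role services: if neither is installed, the HTTP endpoint does not exist.
    $webEnroll = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc
    $findings['WebEnrollmentInstalled'] = [bool]($webEnroll | Where-Object Installed)

    if (Test-Path $CertSrvPath) {
        $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

        # 2. Transport: sslFlags must include 'Ssl' so plain HTTP (relay-friendly) is refused.
        $access = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $CertSrvPath
        $findings['RequiresHttps'] = ("$($access.sslFlags)" -match 'Ssl')

        # 3. Providers: an 'NTLM' provider means relayed NTLM authentication is still accepted.
        $providers = (Get-WebConfiguration -Filter "$winAuth/providers/add" -PSPath $CertSrvPath).value
        $findings['NtlmProviderEnabled'] = (@($providers) -contains 'NTLM')

        # 4. EPA: tokenChecking 'Require' binds the NTLM exchange to the TLS channel.
        $epa = Get-WebConfiguration -Filter "$winAuth/extendedProtection" -PSPath $CertSrvPath
        $findings['EpaRequired'] = ("$($epa.tokenChecking)" -eq 'Require')
    }

    # 5. LDAP signing on the DC: LDAPServerIntegrity = 2 corresponds to "Require signing".
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ldap = Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    $findings['LdapSigningRequired'] = ($ldap.LDAPServerIntegrity -eq 2)

    # 6. NTLM restriction policy ("Restrict NTLM: Outgoing NTLM traffic"): 2 = deny all.
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
    $findings['OutboundNtlmDenied'] = ($ntlm.RestrictSendingNTLMTraffic -eq 2)

    [pscustomobject]$findings
}

Test-Esc8Mitigations | Format-List
```

A host where WebEnrollmentInstalled is true while RequiresHttps or EpaRequired is false and NtlmProviderEnabled is true still exposes the ESC8 path; run it on the CA server and on a DC separately, since the IIS checks and the registry checks live on different machines.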

A Real but Manageable Threat

ESC8 is not the most critical vulnerability, but it is an exploitable link in many Active Directory attack scenarios. By adopting best practices and properly configuring ADCS, it is possible to effectively block this threat while minimizing the impact on the environment.
