Active Directory Certificate Services: Pitfalls and Modern Alternatives

Active Directory Certificate Services (AD CS) remains one of the most misconfigured and exploited components in Windows Server environments. Research into AD CS attack paths has revealed that default template configurations frequently provide domain escalation paths, making proper hardening and consideration of modern alternatives urgent priorities.

Common AD CS Misconfigurations and Attacks

The ESC1 through ESC13 attack techniques documented by SpecterOps demonstrate how certificate template misconfigurations enable unprivileged users to request certificates that impersonate domain administrators. Overly permissive enrollment rights, combined with templates that allow subject alternative name specification, create trivial privilege escalation paths.

Hardening AD CS requires auditing all certificate templates for dangerous combinations: client authentication EKU with enrollee-supplied subject, overly broad enrollment permissions, and manager approval disabled on sensitive templates. Tools like Certify and Certipy automate the identification of exploitable configurations across the AD CS infrastructure.
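The audit described above, reduced to its core check, as an added example (not code from the page, Certify or Certipy): the template records here are constructed, and in a live domain the same msPKI-* attributes would be read over LDAP from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,... together with each template's enrollment ACEs.

```python
from dataclasses import dataclass

# Flag bits and OIDs as defined for the msPKI-* template attributes (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose enrollment rights make a template reachable by any domain account.
BROAD_ENROLLERS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

@dataclass
class Template:
    name: str
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ra_signatures: int    # msPKI-RA-Signature (authorized signatures required)
    ekus: list            # pKIExtendedKeyUsage OIDs; an empty list means unrestricted
    enrollers: list       # principals granted the Certificate-Enrollment right

def template_findings(t: Template) -> list:
    """Return the ESC1 preconditions that this template satisfies."""
    findings = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject")
    if not t.ekus or AUTH_EKUS & set(t.ekus):
        findings.append("EKU permits authentication")
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS):
        findings.append("manager approval disabled")
    if t.ra_signatures == 0:
        findings.append("no authorized signature required")
    if BROAD_ENROLLERS & set(t.enrollers):
        findings.append("broad enrollment rights")
    return findings

def is_esc1_candidate(t: Template) -> bool:
    """All five conditions together form the ESC1 pattern; a subset is a weaker finding."""
    return len(template_findings(t)) == 5

# Constructed sample records with hypothetical template names, not from a real domain.
SAMPLE_TEMPLATES = [
    Template("LegacyVPNUser", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    Template("ApprovedWebServer", 0x1, 0x2, 0, ["1.3.6.1.5.5.7.3.1"], ["Web Admins"]),
    Template("StandardUser", 0x0, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
]

def audit(templates: list) -> dict:
    """Map each template name to the list of dangerous settings it carries."""
    return {t.name: template_findings(t) for t in templates}
```

Only the first record trips all five checks; the other two show how enabling manager approval or removing the enrollee-supplied subject breaks the chain even when the remaining settings stay permissive.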

Modern alternatives like EJBCA, step-ca, and Vault PKI provide certificate lifecycle management with stronger security defaults, API-driven workflows, and integration with modern DevOps tooling. For organizations that must retain AD CS, implementing the Windows LAPS-style tiered access model and certificate template restrictions significantly reduces the attack surface.