aka: how to stop trusting blindly and lock down ur Microsoft ca before it ruins ur life
What’s the big deal, why care about some “ca”?
So CA is a spicy topic. most people don’t even think about their certificate authority. it’s just “one of those servers in the corner” that Bob from IT set up years ago, and nobody touches it cuz “if it works, don’t break it”, right? well… that’s exactly the mindset attackers love. while everyone’s busy patching edge devices, tightening MFA and building zero trust policies, the ca just chills in the background: wide open, over-trusted, and able to issue digital golden tickets. let’s break this down. the ca is the piece that says “yep, this cert is real”. it signs the certificates that authenticate people, devices, apps, VPNs, websites, email, basically everything. if someone compromises ur ca they don’t need to steal passwords or crack encryption. they mint their own “official” certs and boom, game over. it’s like forging a passport, but worse: this passport comes with admin access. scariest part? it all looks legit. no antivirus will scream, no EDR will panic, it’s your own ca saying “yeah, looks good”. and companies regularly find out during an audit that attackers were in their systems for months, all because of one misconfigured cert template or an old ca nobody maintained. so yeah, caring about ur ca is like caring about the brakes on ur car. they sit there quietly, but if they fail? it’s over.
microsoft agrees, btw: what’s a ca and why it matters
What goes wrong with ca setups and why it’s kinda terrifying
ok this part… buckle tf up ))
most ca setups start innocently. someone installs active directory certificate services (ad cs) during a domain build, goes “eh, we’ll just use it for smartcards and maybe a vpn thing”, and forgets about it. here’s what stays in place when that “default install” is never revisited:
- any authenticated user in the domain can request certs, because the stock “User” and “Machine” templates ship with enroll rights for Domain Users / Domain Computers
- some templates let the requester supply their own subject name (the ENROLLEE_SUPPLIES_SUBJECT flag), so they can ask for a cert that says domain\admin 👀, and if that template also has a client authentication eku, they can log on with it
- the enterprise ca has to be domain-joined, so any privilege escalation in ad (or just write access to the ca’s objects in the configuration partition) is a path to the ca too
- nobody logs which certs get issued or revoked, because ca auditing is off by default
- the ca runs on a server that also does file sharing, or even worse, its web enrollment pages are reachable from the internet 😱
also, nobody ever rotates the ca certs or checks crl configs. the crl distribution points usually point at internal http or ldap urls, so revocation checking silently fails (or just gets skipped) for anything outside the corporate LAN. lol. and don’t get me started on enterprise subordinate cas: every one of them is trusted exactly as much as the root, so one sloppy sub ca with bad templates taints the whole chain.
the templates alone are a minefield. wanna see a horror story? turn on ca auditing and see who’s been requesting certs at 2am. fun times )) a lot of this is in the microsoft docs, if u wanna feel bad: ca hardening overview
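the “who’s requesting certs at 2am” check, as an added example (this is mine, not from the original post): a powershell snippet that pulls the last month of request / issuance audit events off the ca and flags the ones that deserve a look. it assumes ca auditing is already on (AuditFilter plus the “Certification Services” audit subcategory; without that the security log has no 4886/4887 at all), that u run it on the ca or with -ComputerName pointing at it and rights to read its security log, and the 07:00 to 19:00 business window is just a placeholder.

```powershell
# added example, not from the original post. reads the CA's request/issuance
# audit events and flags the suspicious ones.
# assumptions: CA auditing is enabled, the caller can read the CA's Security
# log, and "business hours" are 07:00-19:00 local time.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30,
    [int]$BusinessStart = 7,    # flag anything issued outside this local-time window
    [int]$BusinessEnd = 19
)

# 4886 = Certificate Services received a certificate request
# 4887 = Certificate Services approved a certificate request and issued a certificate
$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4886, 4887
    StartTime = (Get-Date).AddDays(-$Days)
}

function ConvertFrom-CaEvent {
    # flatten the event's <Data Name="..."> fields (RequestId, Requester, Attributes,
    # and on 4887 also Subject) into one object
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Id         = $Event.Id
        RequestId  = $data['RequestId']
        Requester  = $data['Requester']
        Attributes = $data['Attributes']
        Subject    = $data['Subject']
    }
}

$report = foreach ($e in $events) {
    $r = ConvertFrom-CaEvent $e
    $flags = @()

    # a SAN passed as a request attribute is what EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6) abuse looks like
    if ($r.Attributes -match '\bsan:') { $flags += 'SAN-in-attributes' }

    # an issued cert whose subject does not even mention the requesting account
    if ($r.Id -eq 4887 -and $r.Subject -and $r.Requester) {
        $sam = (($r.Requester -split '\\')[-1]) -replace '\$$', ''   # DOMAIN\host$ -> host
        if ($r.Subject -notmatch [regex]::Escape($sam)) { $flags += 'subject<>requester' }
    }

    if ($r.Time.Hour -lt $BusinessStart -or $r.Time.Hour -ge $BusinessEnd) { $flags += 'off-hours' }

    if ($flags.Count -gt 0) {
        $r | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join ',') -PassThru
    }
}

$report | Sort-Object Time | Format-Table Time, Id, RequestId, Requester, Flags, Subject -AutoSize
```

expect noise from autoenrollment and service accounts, so tune the window and add a requester allowlist before wiring it to ur siem. the subject<>requester check is deliberately loose (a substring match) so a machine cert for HOST$ with a dns name in the subject doesn’t fire; the SAN-in-attributes one should basically never fire on a healthy ca.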
Attacker tricks: petitpotam, esc, and why it gets worse
now for the part where nightmares are born ))
petitpotam is this wild coercion trick that uses windows’ efs rpc interface (MS-EFSRPC) to make a machine, usually a domain controller, authenticate to a box the attacker controls. the attacker doesn’t crack anything; they relay that ntlm authentication to a service that accepts it, like the ca’s web enrollment pages (http://ca/certsrv), and enroll a cert for the dc’s machine account. with that cert they log on via kerberos pkinit as the dc and dcsync the whole domain. no password needed. just trust and timing. then u’ve got esc. not a new marvel villain, it’s the numbering specterops used in the “certified pre-owned” paper for escalation paths in ad cs, and the list keeps growing. the classics:
- esc1: a template that lets the requester supply the subject name, has a client authentication eku, needs no manager approval and is enrollable by low-priv users. ask for a cert with a san of administrator@ur-domain and u are domain admin.
- esc4: u have write access to a template, so u turn it into esc1 yourself, enroll, and put it back.
- esc6: the ca has EDITF_ATTRIBUTESUBJECTALTNAME2 set, so a san can be added to a request for ANY template, even ones that don’t allow subject input.
- esc7: u hold ManageCA or ManageCertificates on the ca itself, so u approve ur own pending requests, flip ca flags, whatever u want.
- esc8: the web enrollment endpoints take ntlm over http, which is exactly where the petitpotam relay above lands.
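as an added example (mine, not from the post), here’s a quick sweep for the esc1 to esc4 template conditions above. it talks to ad through plain System.DirectoryServices so it runs from any domain-joined box without rsat, and it only needs read access to the configuration partition, which every authenticated user has by default. the flag bits, eku oids and the Enroll right guid are the real schema values; everything else (the “low-priv” sid list, the output shape) is my choice. real tooling like certify or certipy does this more thoroughly; treat a hit here as “go look”, not as proof.

```powershell
# added example, not from the original post: ESC1-ESC4 style template sweep.
# assumption: the caller can read the Configuration naming context (default).
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pki      = "CN=Public Key Services,CN=Services,$configNc"

$ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag: requester picks the subject
$PEND_ALL_REQUESTS         = 0x2     # msPKI-Enrollment-Flag: manager approval required
$ENROLL_RIGHT      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right
$REQUEST_AGENT_EKU = '1.3.6.1.4.1.311.20.2.1'
$AUTH_EKUS = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

function Test-LowPrivSid([string]$Sid) {
    # Everyone, Authenticated Users, Domain Users (513), Domain Computers (515)
    ($Sid -in 'S-1-1-0', 'S-1-5-11') -or ($Sid -match '-51[35]$')
}
function Get-Prop($Result, [string]$Name) {
    # first value of a search-result attribute, or $null when the attribute is absent
    $v = $Result.Properties[$Name]
    if ($v -and $v.Count -gt 0) { $v[0] } else { $null }
}

# which templates are actually published on an enterprise CA (unpublished = not enrollable)
$published = @{}
$caSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Enrollment Services,$pki", '(objectClass=pKIEnrollmentService)')
foreach ($ca in $caSearch.FindAll()) {
    foreach ($t in $ca.Properties['certificatetemplates']) {
        $published[[string]$t] += "$(Get-Prop $ca 'name') "
    }
}

$tplSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Certificate Templates,$pki", '(objectClass=pKICertificateTemplate)')

$results = foreach ($t in $tplSearch.FindAll()) {
    $name     = [string](Get-Prop $t 'name')
    $nameFlag = [int](Get-Prop $t 'mspki-certificate-name-flag')
    $enrFlag  = [int](Get-Prop $t 'mspki-enrollment-flag')
    $sigs     = [int](Get-Prop $t 'mspki-ra-signature')       # authorized signatures required
    $ekus     = @($t.Properties['pkiextendedkeyusage'] | ForEach-Object { [string]$_ })

    # walk the template DACL looking for low-priv principals with enroll or write rights
    $lowPrivEnroll = $false; $lowPrivWrite = $false
    $acl = $t.GetDirectoryEntry().ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow' -or -not (Test-LowPrivSid $ace.IdentityReference.Value)) { continue }
        $rights = $ace.ActiveDirectoryRights
        $allObj = $ace.ObjectType -eq [guid]::Empty     # ACE not scoped to one property/right
        if ($rights.HasFlag($R::GenericAll) -or
            ($rights.HasFlag($R::ExtendedRight) -and ($allObj -or $ace.ObjectType -eq $ENROLL_RIGHT))) {
            $lowPrivEnroll = $true
        }
        if ($rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or
            $rights.HasFlag($R::WriteOwner) -or ($rights.HasFlag($R::WriteProperty) -and $allObj)) {
            $lowPrivWrite = $true
        }
    }

    $findings = @()
    $managerApproval = ($enrFlag -band $PEND_ALL_REQUESTS) -ne 0
    if ($lowPrivEnroll -and -not $managerApproval -and $sigs -eq 0) {
        $authEku = @($ekus | Where-Object { $_ -in $AUTH_EKUS }).Count -gt 0
        if (($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -and $authEku) { $findings += 'ESC1' }
        if ($ekus.Count -eq 0 -or $ekus -contains '2.5.29.37.0')        { $findings += 'ESC2' }
        if ($ekus -contains $REQUEST_AGENT_EKU)                          { $findings += 'ESC3' }
    }
    if ($lowPrivWrite) { $findings += 'ESC4' }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Template    = $name
            PublishedOn = $(if ($published[$name]) { $published[$name].Trim() } else { '(not published)' })
            Findings    = $findings -join ','
        }
    }
}
$results | Format-Table -AutoSize
```

a template that shows up with ESC1 but “(not published)” is a ticking bomb rather than a live hole: nothing can enroll it today, but anyone with ManageCA on a ca can publish it. esc6, esc7 and esc8 live on the ca object and the web server, not on templates, so they are out of scope for this sweep.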
and these aren’t theoretical. red teams do this all the time. ransomware groups too. they get in, abuse cert services, and stay hidden for weeks. sometimes months. some groups even create their own subordinate ca. like “hi, I work here now” but in cryptographic terms. and when they do that, they:
- issue smartcard certs to fake users
- authenticate to adfs and bypass mfa
- spoof vpn gateways
- make legitimate-looking tls certs for phishing
- even fake code-signing certs to sneak in malware
here’s where microsoft breaks this down:
petitpotam and ntlm relay
enterprise ca attack vectors (esc)
Fixing the mess: how to lock ca down without breaking stuff
first rule: treat ca like a vault. not like a printer server from 2007.
step one: if at all possible, make ur root ca an offline standalone ca. no domain, no network, nothing. u power it up only to sign a subordinate ca cert or to publish a fresh crl (the crl has a lifetime, so put that on a calendar or revocation checks start failing). everything else lives on the enterprise (issuing) ca in the domain, and that one needs love too:
- firewall it hard and remove every role and share that isn’t certificate services. if u don’t need web enrollment, uninstall it. if u do, require https, require extended protection (epa) and drop ntlm on it, so the petitpotam relay has nothing to land on
- make sure EDITF_ATTRIBUTESUBJECTALTNAME2 is NOT set on the ca (certutil -getreg policy\EditFlags shows it if it is)
- cut template permissions like ur trimming weeds. remove “authenticated users” and “domain users” enroll rights, use tight security groups, and clear the ENROLLEE_SUPPLIES_SUBJECT flag on anything with a client authentication, smart card logon or any-purpose eku. if a template really needs requester-supplied names, turn on manager approval for it
- get rid of old templates nobody uses, and unpublish them from the ca (an unpublished template can’t be enrolled)
- rename the ones u keep with “_SECURE” or something, so u don’t confuse them
- turn on ca auditing (certutil -setreg CA\AuditFilter 127 plus the “Certification Services” audit subcategory) and ship the security log to ur siem or at least a central collector. 4886 is “request received”, 4887 is “cert issued”, 4898/4899/4900 are template loads and changes. alert on smartcard logon or client authentication certs for accounts that never had one, and on requests whose attributes carry a san
- pls enable role separation (certutil -setreg CA\RoleSeparationEnabled 1). one person shouldn’t both manage the ca and approve certs, even if it’s just u doing both )) heads up: an account that holds both roles gets locked out of both once this is on, so set up the separate groups first
- keep the ca private key in an hsm, or at least a tpm. if someone gets ur key, it’s game over and no amount of template cleanup brings it back; the only fix is a new ca
- finally, keep up with patches. the ca server is like a domino stack, one missed patch can open five different bugs, and the fixes for the relay and certificate-mapping issues above only help once they’re installed and their enforcement actually switched on
all of that’s here too:
ca lockdown guide from ms
how to build an offline ca
how to manage templates securely
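the enterprise-ca half of that list as one script, added here as an example (mine, not from the post or from microsoft). run it ON the issuing ca, elevated, as a ca administrator. nothing changes unless -Apply is given; without it every step is just printed. it assumes a single enterprise ca on the box, that the WebAdministration module is there if web enrollment is installed (the iis commands are the ones iis manager’s “generate script” feature produces), and that the templates u pass in -TemplatesToTrim are ones u already decided should not be open to Authenticated Users. the offline root is a design decision, not something a script can do for u.

```powershell
# added example, not from the original post. enterprise CA lockdown steps.
# assumptions: run elevated on the issuing CA as a CA admin; -Apply to change things.
param(
    [string[]]$TemplatesToTrim = @(),   # templates to strip the Authenticated Users enroll ACE from
    [switch]$Apply                      # without this every step is only printed
)

function Invoke-Step([string]$What, [scriptblock]$Action) {
    if ($Apply) { Write-Host "[apply] $What"; & $Action } else { Write-Host "[plan]  $What" }
}

# 1. EDITF_ATTRIBUTESUBJECTALTNAME2 lets any requester bolt a SAN onto any template (ESC6).
#    certutil only prints the flag name when the bit is set.
if (certutil -getreg policy\EditFlags | Select-String -Quiet 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Invoke-Step 'clear EDITF_ATTRIBUTESUBJECTALTNAME2' {
        certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
    }
}

# 2. audit every CA operation (127 = all audit categories) and enable the Windows
#    subcategory that actually writes 4886/4887/4898/4899 to the Security log
Invoke-Step 'enable CA AuditFilter=127 and "Certification Services" auditing' {
    certutil -setreg CA\AuditFilter 127 | Out-Null
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
}

# 3. role separation: CA admin and certificate manager must be different accounts.
#    WARNING: an account holding BOTH roles is locked out of both once this is on.
Invoke-Step 'enable role separation' {
    certutil -setreg CA\RoleSeparationEnabled 1 | Out-Null
}

# 4. web enrollment, if present: HTTPS only, Extended Protection required, no NTLM provider.
#    this is what removes the PetitPotam / ESC8 relay target.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    if (Test-Path 'IIS:\Sites\Default Web Site\CertSrv') {
        $loc = 'Default Web Site/CertSrv'
        Invoke-Step 'harden /CertSrv: require SSL, EPA=Require, remove NTLM provider' {
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
                -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name tokenChecking -Value 'Require'
            Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' `
                -Name '.' -AtElement @{ value = 'NTLM' }
        }
    }
}

# 5. template ACL trim: drop explicit Allow ACEs that give Authenticated Users (S-1-5-11) the Enroll right
$configNc      = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$ENROLL_RIGHT  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($name in $TemplatesToTrim) {
    $tpl = [ADSI]"LDAP://CN=$name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $rules = $tpl.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-11' -and $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
            ($_.ObjectType -eq $ENROLL_RIGHT -or $_.ObjectType -eq [guid]::Empty)
        }
    foreach ($rule in $rules) {
        Invoke-Step "remove Authenticated Users enroll ACE from template '$name'" {
            [void]$tpl.ObjectSecurity.RemoveAccessRuleSpecific($rule)
            $tpl.CommitChanges()
        }
    }
}

# certutil -setreg changes only take effect after the service restarts
Invoke-Step 'restart certsvc' { Restart-Service -Name CertSvc }
```

run it once without -Apply and read the plan. the epa step only helps if the site already has an https binding, and the template step needs an Enroll right for whichever group should replace Authenticated Users added separately; the script deliberately only removes, it never grants.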
Final thoughts: be paranoid. your infra needs it
ok real talk. nobody wants to rebuild their PKI from scratch. it sucks, it’s complicated. but doing nothing is what really hurts. review ur ca setup. look at the templates. see who can enroll. search the event logs. challenge every default. does it slow u down? yeah, a bit. is it annoying? sure. is it better than waking up to a ransomware note signed with ur own certs? uh… yeah :)))) so if u haven’t looked at ur ca in 6+ months, this is the sign. do it. now.
Additional thanks for asking me to write this article, it was really fun for me. more ppl should talk about it. not flashy like AI, but way more real for anyone managing windows infra.
Alex