Security - Uwe Gradenegger

Attack on the Active Directory via Microsoft Intune - and how it can be contained with TameMyCerts

Dirk-jan Mollema recently presented an attack that can be used to obtain a certificate for highly privileged accounts via Intune. This can then be used to compromise the entire Active Directory environment.

The attack is similar in its basic features to what I have already described in the article "From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It" and in the article "Attack vector on Active Directory directory service via smartcard logon mechanism" (generally also known as ESC1).

What is new, however, is to utilize the Mobile Device Management (MDM) system - in this case Microsoft Intune - accordingly.

What is not new, however, is what can be done with the TameMyCerts Policy Module for Active Directory Certificate Services to drastically reduce the attack surface.

Automatically add the Security Identifier (SID) certificate extension to certificates requested via Mobile Device Management (MDM) - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

After several postponements, Microsoft finally decided that the Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754) should now finally come into force.

Domain controllers will therefore automatically switch to full enforcement mode on February 25, 2025, unless configured otherwise. As of September 2025, it has been announced that deviating settings will no longer apply and there will therefore no longer be an alternative to full enforcement.

The consequence of this is that logins via PKInit can only be used for a login if they have the new Security Identifier (SID) certificate extension introduced with the patch.

What at first sounds as if this is not a major problem may well become one when you consider that fewer and fewer certificate-based use cases are using classic autoenrollment these days.

How the TameMyCerts Policy Module for the Active Directory Certificate Services can help with this problem is explained in more detail in the following article.

Prevent unprivileged accounts from reading the configuration of the certification authority

During penetration tests and also for attackers searching the network for potential targets, insights into the configuration of the certification authority are highly interesting.

In addition to possible misconfigurations, attackers can obtain information about the policy module used on the certification authority.

Smartcard login fails with error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

Assume the following scenario:

The company would like to use smartcard logon.
The domain controllers are with certificates that can be used for smartcard logon equipped.
The users are equipped with certificates that can be used for smartcard logon.
The login to the domain via smartcard fails with the following error message:

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

New ESC15 vulnerability discovered in Active Directory Certificate Services - easy-to-implement countermeasures

The purposes for which a digital certificate may be used are controlled via the "Key Usage" and "Extended Key Usage" certificate extensions. In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Justin Bollinger from TrustedSec has found outthat there are offline certificate requests against Schema version 1 certificate templates is possible (similar to the Security identifier extension), any Application Policies in the certificate request, which are transferred unchanged to the issued certificate and can then be used for an attack on the overall Active Directory structure. The attack was christened ESC15.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can prevent attacks against the ESC1 attack vector

Attacks on Microsoft certification authorities can be aimed at exploiting authorizations on certificate templates. In many cases, certificate templates must be configured to grant the applicant the right to apply for any identities. This can lead to the attacker taking over the identities of Active Directory accounts and subsequently to the elevation of rights. Attacks of this type are known in the security scene as "ESC1" is labeled.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can detect and prevent attacks against the ESC6 and ESC7 attack vectors

With the supposedly good intention of making it possible to issue such certificate requirements with a SAN, guess unfortunately much at many Instructions to set the flag on the certification authority EDITF_ATTRIBUTESUBJECTALTNAME2 to activate.

If this flag is activated, a very large attack surface is offered, as any applicant can now instruct the certification authority to issue certificates with any content. This type of attack is known in the security scene as ESC6 and ESC7 known.

How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can help secure scenarios with Microsoft Intune and other Mobile Device Management (MDM) systems

Companies use Mobile Device Management (MDM) Products for managing, configuring and updating mobile devices such as smartphones, tablet computers or desktop systems via the Internet (over-the-air, OTA).

Common mobile device management products are:

Microsoft Intune
VMware Workspace One (previously known under the brand name AirWatch)
Ivanti MobileIron UEM
Jamf Pro
Baramundi Enterprise Mobility Management
BlackBerry Enterprise Mobility Suite
Sophos Mobile Control
SOTI MobiControl
Samsung Knox
IBM MaaS360

Signing certificates bypassing the certification authority - solely using built-in tools

In the article "Signing certificates bypassing the certification authority"I described how an attacker with administrative rights on the certification authority can generate a logon certificate for administrative accounts of the domain by bypassing the certification authority software, i.e. by directly using the private key of the certification authority.

In the previous article I described the PSCertificateEnrollment Powershell Module is used to demonstrate the procedure. Microsoft supplies with certreq and certutil However, perfectly suitable pentesting tools are already included with the operating system ex works.

A policy module to tame them all: Introducing the TameMyCerts Policy Module for the Microsoft Certification Authority.

As a Certification Authority operator, you are (among other things) responsible for the identification of the enrollees and the confirmation of the requested identities. The fact that this task is carried out conscientiously and without error is the central pillar of the trust placed in the certification authority. Well-known companies are already failed in this task, even had to file for insolvency as a result of misrepresentations and / or were taken over by the big players in the market sensitive punished.

In many cases, we as (Microsoft) PKI operators in companies (regardless of the associated quality) are able to delegate our task of uniquely identifying an applicant to the Active Directory. In many cases, however, we unfortunately also have to instruct our certification authority(ies) to simply issue everything that is requested.

Enabling Basic Authentication for the Network Device Enrollment Service (NDES)

If the Network Device Enrollment Service (NDES) is reinstalled (Preferably without Enterprise Administrator permissions), only the Windows-integrated authentication for the administration web page is activated at first. With this (via NT LAN Manager, NTLM) protocol, authentication via user name and password is also possible. However, not all client applications support this.

Likewise, a company might be willing to, Disable NTLM where possible and enforce Kerberos for login. Enforcing Kerberos removes the ability to log in to the Network Device Registration Service administration page via username and password (since this is done with NTLM credentials). However, Basic Authentication can be retrofitted to provide an option here again.

One way out of this dilemma can be Basic Authentication, the setup of which will be explained below.

Disabling NTLM and enforcing Kerberos at the Network Device Enrollment Service (NDES) administration web page.

Many companies pursue the strategy of (largely) disabling the NT LAN Manager (NTLM) authentication protocol in their networks.

This is also possible for the administration web page of the network device registration service (NDES). How exactly this is implemented and how this may change the application behavior is explained below.

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to patch a vulnerability in the Active Directory in which the certificate-based enrollment (commonly known as PKINIT or also Smartcard Logon) to close.

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

Basics: Name Constraints

Name restrictions are a part of the X.509 standard and in the RFC 5280 described. They are a tool that can be used within the qualified subordination can be used to control the validity range of a certification authority certificate in a fine-grained manner.

Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.

What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.