Attack on the Active Directory via Microsoft Intune - and how it can be contained with TameMyCerts

Dirk-jan Mollema recently presented an attack that can be used to obtain a certificate for highly privileged accounts via Intune. This can then be used to compromise the entire Active Directory environment.

The attack is similar in its basic features to what I have already described in the article "From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It" and in the article "Attack vector on Active Directory directory service via smartcard logon mechanism" (generally also known as ESC1).

What is new, however, is the use of a Mobile Device Management (MDM) system - in this case Microsoft Intune - as the enrollment path for such a certificate.

What is not new is what the TameMyCerts Policy Module for Active Directory Certificate Services can do to drastically reduce this attack surface.


How many Subject Alternative Names (SAN) do the Active Directory Certificate Services support?

Like any software, Microsoft Active Directory Certificate Services are subject to certain limits imposed by their design.

One limit that is not so obvious is how many Subject Alternative Names (SANs) can be included in a certificate issued by the Microsoft certification authority.

The IETF RFC 5280 describes the structure for Subject Alternative Names as follows:

SubjectAltName ::= GeneralNames

Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM (MS-WCCE)

Assume the following scenario:

  • A certificate template is configured for automatic certificate request (autoenrollment).
  • The certificate template is published on a certification authority (Enterprise Certification Authority) integrated into Active Directory.
  • However, the users or computers configured for automatic certificate enrollment do not request certificates as intended.

The following is a troubleshooting guide.


Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol

The following describes the process that runs in the background when certificates are requested manually or automatically, with the goal of achieving the highest possible degree of automation.
