From the Field: Real-World Findings from Security Assessments
Over 60% of the infrastructures I've assessed do not follow best practices for Active Directory Certificate Services (AD CS).
And that's a big deal.
In many of these environments, AD CS is a ticking time bomb: a single misconfiguration can lead to the compromise of the entire domain.
Common Misstep: Single-Tier Hierarchy
Many organizations still run AD CS with a single CA that acts as both the Root and Issuing CA, often installed on a Domain Controller. That's a dangerous setup.
Best practice:
Use a two-tier hierarchy:
🔹 Offline Standalone Root CA
🔹 Online Enterprise Issuing CA
This setup dramatically reduces your risk and provides better recovery and separation of duties.
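As an added example (not part of the original post), the read-only PowerShell audit below lists every Enterprise CA published in the forest and flags the two missteps described above: a self-signed CA certificate (the issuing CA is its own root, i.e. single-tier) and a CA host that is a Domain Controller. It assumes the RSAT ActiveDirectory module and a domain account with read access to the Configuration partition.

```powershell
# Added audit script (not from the original post). Lists each Enterprise CA published
# in the forest and flags the two missteps discussed above. Read-only; assumes the
# RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configDN = (Get-ADRootDSE).configurationNamingContext
$esPath   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configDN"

# FQDNs of every Domain Controller in the forest, lower-cased for comparison
$dcHosts = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    ForEach-Object { $_.HostName.ToLower() }

# Every Enterprise CA registers a pKIEnrollmentService object here; an offline
# standalone root never appears in this container, which is exactly what we want.
$cas = Get-ADObject -SearchBase $esPath -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties displayName, dNSHostName, cACertificate

$report = foreach ($ca in $cas) {
    # cACertificate holds the CA's own certificate(s) as DER-encoded byte arrays
    $der  = [byte[]]$ca.cACertificate[0]
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)

    [pscustomobject]@{
        CA         = $ca.displayName
        Host       = $ca.dNSHostName
        # Subject equal to Issuer means the issuing CA is its own root: single-tier
        SingleTier = ($cert.Subject -eq $cert.Issuer)
        HostedOnDC = ($dcHosts -contains $ca.dNSHostName.ToLower())
        NotAfter   = $cert.NotAfter
    }
}

$report | Format-Table -AutoSize
$flagged = @($report | Where-Object { $_.SingleTier -or $_.HostedOnDC })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) CA(s) need attention (see SingleTier / HostedOnDC columns)."
}
```

A CA that shows SingleTier or HostedOnDC as True is a candidate for migration to the offline-root / online-issuing layout described above.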
Security needs vary by use case
If you're only issuing one internal web cert, fine. But if you're using AD CS for:
🔸 Smart card logon
🔸 Authentication across services
🔸 802.1X
🔸 VPNs
🔸 S/MIME
🔸 Application identities
… then you're in deep water if your CA is compromised or misconfigured.
Additional best practices to implement:
🔹 Use a Hardware Security Module (HSM) to protect your CA's private keys
🔹 Implement Role-Based Access Control for CA management (CA Admins, Certificate Managers, etc.)
🔹 Deploy your issuing CA on Server Core to reduce attack surface
🔹 Watch out for ESC misconfigurations
How's your AD CS setup looking?
