How to check for Active Directory Certificate Services misconfigurations

Recently discovered Microsoft Windows AD CS configuration errors could give attackers account and domain control. Here's how to audit AD CS for vulnerable configurations.


I read with interest about Active Directory Certificate Services (AD CS) misconfigurations and the risks they present to my network. Security firm SpecterOps has developed an audit toolkit, written in PowerShell and dubbed PSPKIAudit, and will release two offensive tools, Certify and ForgeCert, in early August during the upcoming Black Hat USA 2021 conference. However, I wanted to get a head start to see if my domain was vulnerable to attacks that could result in account or domain takeover.

Steps to find AD CS misconfigurations

I followed these steps:

  1. With an elevated PowerShell prompt, install the Remote Server Administration Tools (RSAT) Certificate Services and Active Directory features with the command (the original article's line was cut off after `Add-Windows`; the cmdlet that completes the pipeline is `Add-WindowsCapability`):
    Get-WindowsCapability -Online -Name "Rsat.*" | where Name -match "CertificateServices|ActiveDirectory" | Add-WindowsCapability -Online
  2. Download PSPKIAudit, extract it to a folder named PSPKIAudit, then remove the "downloaded from the internet" block on the extracted files with the commands:
    cd PSPKIAudit
    Get-ChildItem -Recurse | Unblock-File
  3. Import PSPKIAudit with the command:
    Import-Module .\PSPKIAudit.psm1
    You may need to add the -Verbose parameter, because you might receive this message: “WARNING: The names of some imported commands from the module 'PSPKIAudit' include unapproved verbs that might make them less discoverable.” To find the commands with unapproved verbs, run the Import-Module command again with the -Verbose parameter:
    PS C:\PSPKIAudit> Import-Module .\PSPKIAudit.psm1 -Verbose
    For a list of approved verbs, type “Get-Verb”. The verbose output then tells you which imported commands use verbs that are not on that list.
  4. Run this command or export it to a .csv file to review your organization:
    Invoke-PKIAudit [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] 
    It performs auditing checks for your existing AD CS environment, including enumerating various certificate authority (CA) and certificate template settings. Or you can merely type in Invoke-PKIAudit and review the output provided.
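The four steps above, as one added PowerShell script (example code written for this page, not part of the article or the PSPKIAudit project). It assumes the toolkit is already extracted to the placeholder path `C:\PSPKIAudit`, takes an optional CA computer name, and saves the audit output as a timestamped CSV for review.

```powershell
# Added example, not from the article or the PSPKIAudit project.
# Assumes the toolkit has been extracted to $ToolkitPath (constructed placeholder).
param(
    [string]$ToolkitPath = 'C:\PSPKIAudit',
    [string]$CAComputerName,                  # optional, e.g. CA.DOMAIN.COM as in step 4
    [string]$OutDir = "$env:USERPROFILE\Desktop"
)

# Step 1: make sure the RSAT Certificate Services / Active Directory components are present.
$rsat = Get-WindowsCapability -Online -Name 'Rsat.*' |
    Where-Object Name -match 'CertificateServices|ActiveDirectory'
$missing = $rsat | Where-Object State -ne 'Installed'
if ($missing) {
    $missing | Add-WindowsCapability -Online | Out-Null
}

# Step 2: clear the "downloaded from the internet" mark so the scripts load.
Get-ChildItem -Path $ToolkitPath -Recurse | Unblock-File

# Step 3: import the module and list the commands whose verbs are not in Get-Verb,
# which is what the WARNING quoted in the article refers to.
Import-Module (Join-Path $ToolkitPath 'PSPKIAudit.psm1') -Force
$approved = (Get-Verb).Verb
Get-Command -Module PSPKIAudit |
    Where-Object { $_.Verb -and ($_.Verb -notin $approved) } |
    ForEach-Object { Write-Host "Unapproved verb: $($_.Name)" }

# Step 4: run the audit (against one CA if a name was given) and keep a CSV for review.
$auditArgs = @{}
if ($CAComputerName) { $auditArgs['CAComputerName'] = $CAComputerName }
$results = Invoke-PKIAudit @auditArgs

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$csv = Join-Path $OutDir "PKIAudit-$stamp.csv"
$results | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Audit written to $csv"
```

Run it from an elevated prompt, since steps 1 and 4 need administrative rights on the host and read access to the CA.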

How to remove unneeded certificate authority values

