Access Control in AD CS Attacks
Overview
Access control is a key concept in Active Directory Certificate Services (AD CS) security. It is involved in several attack vectors that can compromise an AD CS infrastructure.
Related Attacks
ESC3 takes advantage of misconfigured Enrollment Agent restrictions, allowing an attacker with Enrollment Agent privileges to request certificates for accounts they shouldn't have access to, potentially leading to privilege escalation.
Mitigation Strategies
To mitigate attacks related to access control, consider the following strategies:
- Implement and regularly review Enrollment Agent restrictions
- Limit the scope of accounts that Enrollment Agents can request certificates for
- Implement strong authentication and auditing for Enrollment Agent activities
- Regularly review and rotate Enrollment Agent certificates
- Monitor for suspicious certificate enrollment patterns
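The review and monitoring steps above can be combined into one check over issued-certificate records. This is an added example, not code from the original page: the record fields, account names, template names and the `AGENT_POLICY` structure are assumptions, to be mapped onto whatever your CA's issuance export and Enrollment Agent restrictions actually contain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issuance:
    request_id: int
    requester: str  # account that submitted the request
    subject: str    # account named in the issued certificate
    template: str

# Hypothetical restriction policy: approved agent -> templates and accounts in scope.
AGENT_POLICY = {
    r"corp\svc-badge": {
        "templates": {"SmartcardUser"},
        "subjects": {r"corp\alice", r"corp\bob"},
    },
}

# Constructed sample records, not real CA output.
SAMPLE = [
    Issuance(101, r"CORP\svc-badge", r"CORP\alice", "SmartcardUser"),
    Issuance(102, r"CORP\svc-badge", r"CORP\Administrator", "SmartcardUser"),
    Issuance(103, r"CORP\carol", r"CORP\carol", "User"),
    Issuance(104, r"CORP\dave", r"CORP\bob", "SmartcardUser"),
    Issuance(105, r"CORP\svc-badge", r"CORP\bob", "User"),
]

def review(records, policy=AGENT_POLICY):
    """Return (request_id, reason) for on-behalf-of issuances outside policy."""
    findings = []
    for rec in records:
        requester, subject = rec.requester.lower(), rec.subject.lower()
        if requester == subject:
            continue  # self-enrollment, not an on-behalf-of request
        rule = policy.get(requester)
        if rule is None:
            reason = "requester-not-approved-agent"
        elif rec.template not in rule["templates"]:
            reason = "template-out-of-scope"
        elif subject not in rule["subjects"]:
            reason = "subject-out-of-scope"
        else:
            continue
        findings.append((rec.request_id, reason))
    return findings

if __name__ == "__main__":
    for request_id, reason in review(SAMPLE):
        print(request_id, reason)
```

Any finding means a certificate was issued on behalf of another account outside the documented agent scope, which is the condition the ESC3 description above depends on.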