Enrollment Agent in AD CS Attacks

Overview

An enrollment agent is a principal that holds a certificate allowing it to request certificates on behalf of other users. It is a key concept in Active Directory Certificate Services (AD CS) security because it is involved in several attack vectors that can compromise an AD CS infrastructure.

Related Attacks

ESC2 abuses misconfigured Enrollment Agent templates, allowing an attacker to request certificates on behalf of other users, which can lead to privilege escalation and unauthorized access.

ESC3 takes advantage of misconfigured Enrollment Agent restrictions: an attacker who already holds Enrollment Agent privileges can request certificates for accounts they should not have access to, which can lead to privilege escalation.

Mitigation Strategies

To mitigate attacks related to enrollment agents, consider the following strategies:

  • Review and restrict access to Enrollment Agent templates, and limit which accounts can act as an Enrollment Agent
  • Implement Enrollment Agent restrictions that limit which accounts an agent can request certificates for, and review them regularly
  • Require strong authentication for Enrollment Agent accounts and audit their activity
  • Monitor and audit certificate requests, especially those made on behalf of other users, and watch for suspicious enrollment patterns
  • Apply proper certificate lifecycle management, including regular review and rotation of Enrollment Agent certificates
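As an added defender-side example (not part of the original page), the following PowerShell script audits the first mitigation: it enumerates certificate templates that can issue an Enrollment Agent certificate and lists which principals may enroll in them. The function name is my own, and it assumes a domain-joined host with read access to the Configuration partition.

```powershell
# Added audit example (not from the original page). Lists AD CS templates whose
# EKU permits acting as an Enrollment Agent, with the principals allowed to
# enroll in them. Assumes a domain-joined host with read access to the
# Configuration naming context; the function name is the editor's own.
function Get-EnrollmentAgentTemplateRights {
    $craEku         = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent EKU
    $anyPurposeEku  = '2.5.29.37.0'             # Any Purpose EKU also allows agent use
    $enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
    $autoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment right
    $rights         = [System.DirectoryServices.ActiveDirectoryRights]
    $ekuAttrs       = @('pkiextendedkeyusage', 'mspki-certificate-application-policy')

    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter = '(objectClass=pKICertificateTemplate)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]](@('cn') + $ekuAttrs))

    foreach ($result in $searcher.FindAll()) {
        # Collect every EKU from both EKU attributes (either may be absent)
        $ekus = @($ekuAttrs | ForEach-Object { $result.Properties[$_] } |
                  ForEach-Object { "$_" } | Where-Object { $_ } | Select-Object -Unique)
        # No EKU at all, Any Purpose, or Certificate Request Agent can all yield an agent certificate
        $agentCapable = ($ekus.Count -eq 0) -or ($ekus -contains $craEku) -or ($ekus -contains $anyPurposeEku)
        if (-not $agentCapable) { continue }

        $acl = $result.GetDirectoryEntry().ObjectSecurity.GetAccessRules(
                   $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $acl) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Enroll/AutoEnroll extended right (an empty ObjectType grants all extended rights)
            $isEnroll  = (($ace.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
                         ($ace.ObjectType -in $enrollGuid, $autoEnrollGuid, [Guid]::Empty)
            $isFullCtl = ($ace.ActiveDirectoryRights -band $rights::GenericAll) -ne 0
            if (-not ($isEnroll -or $isFullCtl)) { continue }
            # Resolve the SID to a name where possible; orphaned SIDs are reported as-is
            $principal = $ace.IdentityReference
            try { $principal = $principal.Translate([System.Security.Principal.NTAccount]) } catch {}
            [pscustomobject]@{
                Template  = [string]$result.Properties['cn'][0]
                Ekus      = if ($ekus.Count) { $ekus -join ',' } else { '<none>' }
                Principal = $principal.Value
                Right     = if ($isFullCtl) { 'GenericAll' } else { 'Enroll' }
            }
        }
    }
}

Get-EnrollmentAgentTemplateRights | Sort-Object Template, Principal | Format-Table -AutoSize
```

Any template listed here with broad groups such as Domain Users as Principal is a candidate for the first two mitigations above; CA-side Enrollment Agent restrictions are a separate check on the CA itself and are not covered by this script.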