Security - Page 7 - Uwe Gradenegger

Active Directory forest compromised by EDITF_ATTRIBUTESUBJECTALTNAME2 flag

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommends that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag should be set on the certification authority - supposedly to be able to issue Subject Alternative Name (SAN) extension certificates for manually submitted certificate requests.

Unfortunately, this approach is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory forest.

Overview of the different generations of domain controller certificates

Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.

Domain controller
Domain Controller Authentication
Kerberos Authentication

Below is a description of each template and a recommendation for configuring domain controller certificate templates.

Why Active Directory integrated certificate authorities are members of the "Pre-Windows 2000 Compatible Access" security group

As part of security hardening efforts against the Active Directory directory service, the question of why Active Directory integrated certificate authorities (Enterprise Certification Authority) are members of the Pre-Windows 2000 Compatible Access security group comes up frequently.

Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019).

If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the blacklists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes the setup with authentication via public keys (Public Key Authentication) instead of passwords as an example

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
The certificate request fails with the following error message:

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Required Windows security permissions for the Network Device Enrollment Service (NDES)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on NDES components.