CTD-000150

Active Directory Certificate Services Risks

Critical
Active Directory, Active Directory Certificate Services
Credential Access, Persistence, Privilege Escalation
v4
Updated 06/22/2026
Signature Identity
Threat ID: CTD-000150
Version: 4
Indicator Type: IOE
Threat Description

Misconfigured permissions on Windows authentication certificate templates can let an attacker request certificates for accounts they do not control, up to and including members of Domain Admins. The weakness arises when a template grants enrollment rights to an overly broad group while also allowing the requester to supply the subject name (the “Supply in request” option addressed under Hardening), so an unprivileged user can request a certificate that names a high-value account.

Once a certificate is obtained for a privileged account, the attacker can authenticate via Kerberos or NTLM without ever knowing the account’s password and without triggering MFA or password-based alerts. The certificate remains valid until it expires or is manually revoked, providing durable access independent of credential rotation.

This misconfiguration is particularly dangerous because:

  • Any user in a broad group such as Authenticated Users or Domain Users can exploit it
  • Authentication succeeds silently through legitimate certificate-based Kerberos flows
  • Resetting a compromised account’s password does not invalidate already-issued certificates

MITRE ATT&CK: Attack Tactics

Credential Access, Persistence, Privilege Escalation

D3FEND: Defend Tactics

Certificate-Based Authentication, Credential Hardening

Remediation

Immediate response:

  • Open the Certificate Templates console (certtmpl.msc) and review the Security tab on every authentication template
  • Remove Enroll and Autoenroll permissions from broad groups such as Authenticated Users or Domain Users
  • Restrict enrollment rights to only the specific administrative or service accounts that require them

Hardening:

  • Disable the “Supply in request” subject name option on all authentication templates unless strictly required
  • Enable Manager Approval or Authorized Signatures on sensitive templates to introduce a human review step
  • Deploy Cayosoft Guardian to continuously monitor ADCS template permissions and alert immediately on any permission changes
  • Conduct periodic audits to ensure no unintended groups retain enrollment access after delegation changes
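
The review described in the steps above can be scripted so it is repeatable. The following read-only audit is an added example, not Cayosoft's or Microsoft's code; it assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and the well-known GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights. It lists authentication templates on which a broad group holds Enroll, Autoenroll or full control, together with the “Supply in request”, Manager Approval and Authorized Signatures settings the Hardening section asks you to check.

```powershell
# Added audit example (not the vendor's code). Read-only: nothing is modified.
Import-Module ActiveDirectory

$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$AutoenrollGuid = [guid]'a05b8cc2-17bc-00de-b9ca-0027c7de7e73'  # Certificate-AutoEnrollment right
$AuthEkus = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
              '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
              '2.5.29.37.0')             # Any Purpose
$BroadPrincipal = 'Authenticated Users|Everyone|Domain Users|Domain Computers'

$configNC  = (Get-ADRootDSE).configurationNamingContext
$base      = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage'

foreach ($t in $templates) {
    # An empty EKU list means "any purpose", which includes client authentication.
    $ekus = @($t.'pKIExtendedKeyUsage' | Where-Object { $_ })
    $isAuthTemplate = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    if (-not $isAuthTemplate) { continue }

    $supplyInRequest = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0        # CT_FLAG_PEND_ALL_REQUESTS
    $signaturesReq   = [int]$t.'msPKI-RA-Signature'                         # Authorized Signatures required

    # Allow ACEs that give a broad group Enroll, Autoenroll (or every extended right) or full control
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $broadEnroll = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $BroadPrincipal -and
        ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
          ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -in @($EnrollGuid, $AutoenrollGuid, [guid]::Empty)) ) )
    })
    if ($broadEnroll.Count -eq 0) { continue }

    [pscustomobject]@{
        Template           = $t.Name
        BroadEnrollers     = (@($broadEnroll.IdentityReference.Value) | Sort-Object -Unique) -join '; '
        SupplyInRequest    = $supplyInRequest
        ManagerApproval    = $managerApproval
        SignaturesRequired = $signaturesReq
        # Highest risk: broad enrollment, requester-supplied subject, and no human review step
        Critical           = ($supplyInRequest -and -not $managerApproval -and $signaturesReq -eq 0)
    }
}
```

Rows flagged Critical are the ones to fix first with the Immediate response steps; any other row still warrants removing the broad group's enrollment rights.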
Microsoft Sentinel

Use this deep-link in your Sentinel alert rules to route directly to this threat page from an active incident.
cayosoft.com/threat-directory/CTD-000150/
Classification
Systems
Active Directory, Active Directory Certificate Services
Themes
Certificate Services Misconfiguration
Attack Tactics
Credential Access, Persistence, Privilege Escalation
Defend Tactics
Certificate-Based Authentication, Credential Hardening
Indicator Types
IOE
Related Threats
CTD-000139
Kerberos Constrained Delegation: krbtgt Risks
Critical
CTD-000122
Active Directory Schema Update Permission Risks
Critical