
© Securetron Inc. All rights reserved.


Microsoft Active Directory Certificate Services (ADCS) Vulnerabilities: A Comprehensive Security Analysis


Introduction

Active Directory Certificate Services (ADCS) is a Windows Server role that enables organizations to build and manage public key infrastructure (PKI) for issuing and managing digital certificates used in secure communication and authentication protocols. While ADCS provides essential cryptographic services for enterprise environments, it has become one of the most frequently exploited attack surfaces in Active Directory deployments. As of August 2025, security researchers have identified 16 unique privilege escalation techniques (ESC1–ESC16) that leverage ADCS misconfigurations.

These vulnerabilities are not theoretical; they are active attack paths that threat actors routinely use to escalate from a standard domain user to full domain compromise, impersonating high-value accounts including Domain Admins. This article provides a detailed examination of ADCS security risks, with particular focus on configuration vulnerabilities and specific recommendations to avoid deploying Web Enrollment Service and Network Device Enrollment Service (NDES), while presenting modern alternatives for PKI management.


The ADCS Attack Surface: Understanding the Risk

ADCS vulnerabilities stem primarily from misconfigurations rather than inherent software flaws. Certificate templates, enrollment permissions, and service configurations that are left at default settings create attack pathways that can be exploited with publicly available tools such as Certipy.

The attack surface is extensive:

  • Certificate Templates: ADCS ships with 32 default templates, many with overly broad permissions that allow any authenticated user to enroll. Templates permitting requesters to specify the certificate’s subject name create the conditions for ESC1, the most commonly exploited ADCS vulnerability.

  • Enrollment Services: HTTP-based enrollment endpoints expose organizations to NTLM relay attacks.

  • PKI Object Permissions: Overly permissive access controls on PKI-related domain objects can allow attackers to compromise the entire PKI infrastructure.
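The ESC1 pattern described in the first bullet can be checked directly against the Configuration partition. The PowerShell script below is an added example, not code from the article or from Securetron's products: it lists templates that are published on a CA, let the enrollee supply the subject name, carry a client-authentication EKU (or no EKU at all), require neither manager approval nor an authorized signature, and grant enrollment to broad groups. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition; the flag bits, EKU OIDs and extended-right GUIDs are the published schema constants.

```powershell
# Added example, not code from the article or from Securetron's products.
# Flags certificate templates matching the ESC1 pattern: enrollee supplies the
# subject, client-authentication EKU (or no EKU), no manager approval, no
# authorized signatures, enrollment granted to broad groups, and published on a CA.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Schema constants (bitmasks, OIDs and extended-right GUIDs from the template schema).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # bit in msPKI-Enrollment-Flag (manager approval)
$ClientAuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$EnrollRightGuids = @(
    '0e10c968-78fb-11d2-90d4-00c04f79dc55',  # Certificate-Enrollment
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
)
# Principals whose enrollment rights make a template reachable by any domain user.
$BroadPrincipalPattern = 'Authenticated Users|Domain Users|Everyone'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Templates actually published on an enrollment service (CA); unpublished ones cannot be requested.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage','nTSecurityDescriptor'

$findings = foreach ($t in $templates) {
    if ($published -notcontains $t.Name) { continue }

    $enrolleeSuppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval         = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $signaturesRequired      = [int]$t.'msPKI-RA-Signature' -gt 0

    # No EKU at all means the certificate is valid for any purpose, including client authentication.
    $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $clientAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $ClientAuthEkus -contains $_ }).Count -gt 0)

    # Enrollment is granted by GenericAll, or by the Certificate-Enrollment /
    # Certificate-AutoEnrollment extended rights (an empty ObjectType means all extended rights).
    $broadEnrollers = @($t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $BroadPrincipalPattern -and
        (
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ((($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq [guid]::Empty -or $EnrollRightGuids -contains $_.ObjectType.ToString()))
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    if ($enrolleeSuppliesSubject -and $clientAuth -and -not $managerApproval -and
        -not $signaturesRequired -and $broadEnrollers.Count -gt 0) {
        [pscustomobject]@{
            Template       = $t.Name
            BroadEnrollers = $broadEnrollers -join '; '
            Fix            = 'Clear "Supply in the request", require manager approval, or restrict enrollment'
        }
    }
}

$findings | Format-Table -AutoSize
```

A hit is not automatically exploitable (enrollment granted through a nested group, or a CA-side policy module, changes the picture), but every row is exactly one of the three changes in the Fix column away from no longer matching the pattern, which is the remediation a template owner should make.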

The consequences are severe: misconfigurations can lead to elevation to administrator privileges from a standard account, as well as persistence using the “Golden Certificate” technique. Recent research has also demonstrated how these on-premises misconfigurations can lead to full compromise of cloud-based infrastructure in hybrid implementations.


Web Enrollment Service: A Critical Risk Not Worth Taking

What Is Web Enrollment?

Web Enrollment is an optional ADCS service that provides an interactive web interface (typically at /certsrv) allowing users and computers to request certificates via HTTP. While intended to simplify certificate requests for users in separate forests or those without direct domain access, this service introduces severe vulnerabilities that make it a significant security liability.

The ESC8 Vulnerability

The primary risk associated with Web Enrollment is ESC8, an NTLM relay attack against ADCS HTTP endpoints. When Web Enrollment is deployed using default configurations, it becomes vulnerable for two critical reasons:

  1. NTLM over HTTP has no relay protection: HTTP does not support NTLM session signing, so an authentication exchange can be intercepted and relayed to the enrollment endpoint, which accepts it without further verification.

  2. Default certificate templates enable domain controller impersonation: The Machine and DomainController templates allow attackers who coerce authentication from any machine to obtain authentication certificates for that machine.

Exploitation in Practice

An attacker can exploit Web Enrollment through the following attack chain:

  1. Coercion: Using tools like Coercer or PetitPotam, an attacker coerces a domain controller to authenticate via NTLM.

  2. Relay: The authentication attempt is relayed to the ADCS web enrollment service using tools like ntlmrelayx.

  3. Certificate Request: The attacker requests a certificate from the Domain Controller certificate template.

  4. Domain Compromise: The resulting certificate can be used to perform a replication attack (DCSync) against the domain, enabling full domain takeover.

What makes this attack particularly dangerous is that it requires no malware, no zero-day exploits, and can be executed with a standard domain user account. The PetitPotam vulnerability allows any domain user to coerce authentication from any active computer account, including domain controllers.

Why Disabling NTLM Is Not Sufficient

While it is technically possible to disable NTLM specifically for the web enrollment site, this approach addresses only one facet of the problem. Web Enrollment remains an unnecessary attack surface that introduces risk without providing capabilities that cannot be obtained through more secure alternatives. The recommendation is clear: do not deploy Web Enrollment Service unless there is an absolute, business-critical requirement that cannot be met through other means.


Network Device Enrollment Service (NDES): A High-Risk Component

Understanding NDES

NDES is Microsoft’s implementation of the Simple Certificate Enrollment Protocol (SCEP), designed to issue certificates to network devices such as routers, firewalls, and mobile phones that cannot authenticate via Active Directory. NDES acts as a bridge between non-domain-joined devices and the Microsoft Certification Authority.

Security Risks of NDES

NDES introduces several significant security risks:

1. Subject Alternative Name (SAN) Abuse

NDES certificate templates typically require the client to supply a Subject Alternative Name (SAN) and are almost always configured with client authentication Extended Key Usage (EKU). This combination allows any user who can obtain an NDES password to request a certificate for any user they wish to impersonate and authenticate as that user through PKINIT or SChannel.

2. Privilege Escalation Pathways

By default, NDES generates time-limited one-time passwords (OTPs) valid for 60 minutes, with only five unused passwords available per hour. However, administrators can modify these settings through the system registry to:

  • Increase password cache size

  • Set static passwords instead of random OTPs

  • Disable the NDES password entirely

If NDES passwords are disabled, the service introduces an easily exploitable path from no access to full forest compromise.
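The registry settings the list refers to can be audited in a few lines of PowerShell. The script below is an added example, not code from the article or from Securetron's products: on the NDES host it reads the documented MSCEP values, substitutes the shipped default when a value has never been set, and flags the three weakening changes listed above. The key paths and value names are the documented NDES settings; the risk wording in the Status column is this example's own.

```powershell
# Added example, not code from the article or from Securetron's products.
# Reads the documented NDES (MSCEP) password settings on the local NDES server,
# substitutes the built-in default when a value has never been set, and flags the
# weakening changes listed above. Run as an administrator on the NDES host.
$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-MscepDword {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing value means NDES is using its built-in default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

if (-not (Test-Path $base)) {
    Write-Output 'MSCEP key not present: NDES does not appear to be installed on this host.'
    return
}

# Each entry: registry key holding the value, shipped default, and the test that marks it weak.
$checks = @(
    @{ Name = 'EnforcePassword';   Path = "$base\EnforcePassword";   Default = 1
       Weak = { param($v) $v -eq 0 };  Risk = 'OTP challenge disabled; any client reaching the SCEP endpoint can enrol' }
    @{ Name = 'UseSinglePassword'; Path = "$base\UseSinglePassword"; Default = 0
       Weak = { param($v) $v -ne 0 };  Risk = 'Static password instead of one-time passwords' }
    @{ Name = 'PasswordMax';       Path = $base;                     Default = 5
       Weak = { param($v) $v -gt 5 };  Risk = 'Password cache larger than the default of 5 unused OTPs' }
    @{ Name = 'PasswordValidity';  Path = $base;                     Default = 60
       Weak = { param($v) $v -gt 60 }; Risk = 'OTP lifetime longer than the default of 60 minutes' }
)

$report = foreach ($c in $checks) {
    $value  = Get-MscepDword -Path $c.Path -Name $c.Name -Default $c.Default
    $isWeak = & $c.Weak $value
    $status = if ($isWeak) { "WEAK: $($c.Risk)" } else { 'OK' }
    [pscustomobject]@{
        Setting = $c.Name
        Value   = $value
        Default = $c.Default
        Status  = $status
    }
}
$report | Format-Table -AutoSize
```

Because the defaults are applied when a value is absent, a clean install reports four OK rows; any WEAK row is a deliberate change someone made and should be traceable to a documented reason or reverted.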

3. NTLM Relay Vulnerability

NDES servers hosted over HTTPS without Channel Binding are also vulnerable to ESC8-style NTLM relay attacks.
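Whether an ADCS HTTP endpoint is relayable comes down to two IIS settings on the application: is TLS required, and is Extended Protection (channel binding) set to Require. The PowerShell below is an added example, not code from the article or from Securetron's products. For the Web Enrollment site discussed under ESC8 and the NDES applications mentioned here, it reports whether the role service is installed at all (the article's preferred state is that it is not) and, where it is, whether both settings are enforced. It assumes a Windows Server host with the ServerManager and WebAdministration modules and the default application paths under "Default Web Site".

```powershell
# Added example, not code from the article or from Securetron's products.
# For each ADCS HTTP endpoint, reports whether the role service is installed and,
# if so, whether IIS enforces the two settings that stop NTLM relay against it:
# TLS required (sslFlags contains Ssl) and Extended Protection set to Require.
# Assumes Windows Server with the ServerManager and WebAdministration modules and
# the default application paths under "Default Web Site".
Import-Module ServerManager
Import-Module WebAdministration

$endpoints = @(
    @{ Feature = 'ADCS-Web-Enrollment';    App = 'CertSrv';             Purpose = 'Web Enrollment (ESC8)' }
    @{ Feature = 'ADCS-Device-Enrollment'; App = 'CertSrv/mscep';       Purpose = 'NDES SCEP endpoint' }
    @{ Feature = 'ADCS-Device-Enrollment'; App = 'CertSrv/mscep_admin'; Purpose = 'NDES password page' }
)

function Get-IisAttribute([string]$PSPath, [string]$Filter, [string]$Name) {
    # Get-WebConfigurationProperty wraps most attributes in a ConfigurationAttribute; unwrap .Value when present.
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

function Test-SslRequired([string]$SslFlags) {
    # sslFlags is normally returned as flag names ("Ssl, SslNegotiateCert"); some hosts return
    # the numeric form, where Ssl is bit 8. SslNegotiateCert on its own does not require TLS.
    if ($SslFlags -match '^\d+$') { return (([int]$SslFlags -band 8) -ne 0) }
    return ($SslFlags -match '\bSsl\b')
}

$report = foreach ($e in $endpoints) {
    $row = [ordered]@{ Endpoint = $e.Purpose; Installed = $false; SslRequired = $null; EPA = $null; Verdict = '' }
    if (-not (Get-WindowsFeature -Name $e.Feature).Installed) {
        $row.Verdict = 'Not installed (preferred state)'
        [pscustomobject]$row; continue
    }
    $row.Installed = $true
    $path = "IIS:\Sites\Default Web Site\$($e.App)"
    if (-not (Test-Path $path)) {
        $row.Verdict = "Role installed but $($e.App) not found under Default Web Site"
        [pscustomobject]$row; continue
    }
    $ssl = Get-IisAttribute -PSPath $path -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $epa = Get-IisAttribute -PSPath $path `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' -Name 'tokenChecking'
    $row.SslRequired = Test-SslRequired $ssl
    $row.EPA = $epa
    $verdict = if ($row.SslRequired -and $epa -eq 'Require') {
        'Hardened; still remove the role unless strictly required'
    } else {
        'RELAYABLE: require SSL and set Extended Protection to Require, or remove the role'
    }
    $row.Verdict = $verdict
    [pscustomobject]$row
}
$report | Format-Table -AutoSize
```

Both settings matter together: Extended Protection binds the NTLM exchange to the TLS channel, so with sslFlags still permitting plain HTTP a relayed authentication can simply arrive over the unprotected listener. The script treats "Allow" as insufficient for the same reason, since a relayed client that omits the channel binding is still accepted.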

4. Authentication Bypass

The fundamental challenge with NDES is that it issues certificates to devices without network accounts. This creates inherent tension between usability and security, making it difficult to ensure that certificates are not issued to malicious actors.

Microsoft’s Acknowledgment of Risk

Microsoft itself acknowledges these security risks and recommends using a policy module with NDES to address them through additional authentication. However, even with a policy module, NDES remains a complex service to secure properly. As Microsoft notes, “the crucial point for securely operating NDES is as with most security solutions that you are not done when enrolling certificates works as expected”.

The recommendation is to avoid deploying NDES unless absolutely necessary and to implement comprehensive security controls if deployment is unavoidable.


The Root Cause: ADCS Configuration Complexity

The vulnerabilities described above reflect a broader reality: ADCS is notoriously difficult to configure securely. The sheer number of configuration options, certificate templates, and interdependent components creates ample opportunity for misconfiguration.

Key configuration risks include:

  • Overly permissive enrollment permissions on certificate templates

  • Certificate templates that allow requesters to specify subject names (ESC1)

  • HTTP-based enrollment endpoints without proper protection (ESC8)

  • Weak cryptographic settings on certificates and CAs

  • Inadequate access controls on PKI-related domain objects (ESC5)

  • Schema version 1 templates that allow requesters to specify application policies (CVE-2024-49019)

These misconfigurations are not edge cases; rather, they are common findings in penetration tests and security assessments.


Modern Alternatives: Securing PKI with Securetron Solutions

Given the inherent risks and complexity of managing ADCS natively, organizations should consider modern alternatives that provide robust PKI management without the security pitfalls of traditional ADCS deployments.

PKI Trust Cloud (SaaS)

PKI Trust Cloud is a comprehensive Software-as-a-Service PKI management solution that eliminates the need to maintain on-premises ADCS infrastructure. Key features include:

  • Crypto Agility and Post-Quantum Readiness: Future-proof your PKI against emerging cryptographic threats

  • Phishing-Resistant MFA: Strengthen authentication security

  • 47-Day TLS Automation: Automated certificate lifecycle management

  • Advanced Certificate Discovery: Complete visibility into your certificate inventory

  • Smart Notification Service: Proactive alerts for certificate expirations

PKI Trust Cloud provides enterprise-grade PKI capabilities without the operational overhead and security risks associated with on-premises ADCS deployments.

PKI Trust Manager (On-Premises)

For organizations that require on-premises PKI management, PKI Trust Manager offers advanced capabilities that complement and enhance ADCS deployments:

  • Intelligent Certificate Lifecycle Management: Tracks every certificate issued by the CA

  • Automated Certificate Creation and Renewal: Reduces manual errors and operational overhead

  • Multi-Platform Integration: Bridges on-premises PKI with cloud environments such as Azure Key Vault

  • Policy Enforcement: Enforces enterprise policies across hybrid environments

  • API-Driven Automation: Supports SCEP, EST, ACME, and RESTful APIs for automated certificate lifecycle management

PKI Trust Manager transforms complex PKI management from a manual, error-prone task into a streamlined, automated security practice.

PKI Trust Auditor: Continuous Security Assessment

Perhaps most critically, PKI Trust Auditor provides comprehensive security auditing capabilities for ADCS infrastructure:

  • Automated CA Discovery: Automatically discovers all Certificate Authorities in your Active Directory environment

  • Comprehensive Auditing: Performs connectivity, configuration, cryptographic, template, and operational audits

  • 28+ Controls Across Multi-Tier PKI Environments: Thorough assessment of your entire PKI deployment

  • Multi-Format Reporting: Generates JSON, CSV, web-based, and console reports

  • Executive Reporting: Detailed findings, supporting evidence, risk explanations, and actionable remediation recommendations

  • SIEM Integration: Ingest JSON or CSV output directly to SIEM platforms for continuous monitoring and real-time alerting

PKI Trust Auditor is available as a free, community-driven tool, making it accessible for organizations of all sizes to assess and improve the security posture of their ADCS deployment. With its output fed into a SIEM, the tool moves from a point-in-time scanner to a continuous monitoring solution, enabling real-time alerting and long-term trend analysis of an organization’s PKI security posture.

The ongoing development and free availability of PKI Trust Auditor demonstrates Securetron’s foundational commitment to proactive security, empowering defenders to identify and eliminate critical ADCS vulnerabilities before they can be weaponized by adversaries.


Recommended Actions

Based on the analysis above, organizations should take the following actions:

1. Audit Your Existing PKI Environment Immediately

Deploy PKI Trust Auditor to conduct a comprehensive security assessment of your ADCS infrastructure. The tool will identify:

  • Misconfigured certificate templates

  • Vulnerable enrollment services

  • Cryptographic weaknesses

  • Operational risks

  • Compliance gaps

2. Remove Web Enrollment Service

If Web Enrollment is currently deployed, disable it immediately unless there is an absolute business requirement. The ESC8 vulnerability makes this service a critical security risk.

3. Evaluate and Remove NDES

Assess whether NDES is truly necessary. If it is, implement robust security controls including:

  • Mandatory policy module with additional authentication

  • Channel Binding enforcement over HTTPS

  • Strict OTP management policies

  • Regular security reviews

However, the preferred recommendation is to avoid NDES deployment entirely.

4. Implement Modern PKI Management

Replace or supplement native ADCS management with modern solutions:

  • For cloud-first organizations: Deploy PKI Trust Cloud (SaaS) for comprehensive PKI management without on-premises infrastructure

  • For hybrid or on-premises requirements: Implement PKI Trust Manager to automate and secure certificate lifecycle management

5. Establish Continuous Monitoring

Use PKI Trust Auditor for ongoing security assessments. Configure it to output JSON or CSV data to your SIEM platform for real-time alerting and trend analysis.


Next Steps

The security of your Active Directory Certificate Services infrastructure is too important to leave to chance. ADCS misconfigurations represent one of the most critical and frequently exploited attack surfaces in enterprise environments today. The question is not if your ADCS deployment has vulnerabilities, but how many and how severe they are.

Take action today:

  1. Download PKI Trust Auditor (free community tool) and run a comprehensive audit of your ADCS environment

  2. Identify and remediate Web Enrollment, NDES, and other high-risk configurations

  3. Evaluate Securetron PKI Trust Cloud (SaaS) or PKI Trust Manager (on-premises) for modern, secure PKI management

  4. Establish continuous monitoring to maintain security posture over time

Don’t wait for a penetration test or, worse, an actual breach to reveal the vulnerabilities in your PKI infrastructure. Proactive security assessment and remediation are essential to staying ahead of adversaries who actively hunt for ADCS misconfigurations.

Contact us to learn more about PKI Trust Cloud, PKI Trust Manager, and to download the free PKI Trust Auditor today.


Conclusion

Microsoft Active Directory Certificate Services provides essential PKI capabilities but introduces significant security risks when deployed with default configurations. Web Enrollment Service and Network Device Enrollment Service are particularly dangerous components that should be avoided unless absolutely necessary, and even then, only with comprehensive security controls.

Modern alternatives such as Securetron’s PKI Trust Cloud (SaaS) and PKI Trust Manager (on-premises) provide robust certificate management capabilities without the security pitfalls of traditional ADCS deployments. Combined with PKI Trust Auditor for continuous security assessment, organizations can maintain a strong PKI security posture while reducing operational overhead and risk.

The time to secure your PKI infrastructure is now. Adversaries are not waiting; neither should you.