Mitigating Common Active Directory Certificate Services Attacks For Healthcare Organizations

Author: Fabian Crespo

Introduction

Active Directory Certificate Services (AD CS) is a critical component of the security infrastructure in many healthcare organizations. It provides a robust framework for managing authentication and encryption via digital certificates. The sensitive nature of healthcare data, which includes patient records and confidential medical information, makes it imperative for these organizations to implement stringent security measures around their certificate services.

ESC 1 – Misconfigured Certificate Template

Description

The ESC1 vulnerability allows attackers to exploit weak configurations in AD CS, potentially gaining unauthorized elevated privileges within an organization’s network. The ability of users to have an ENROLLEE_SUPPLIES_SUBJECT allows the certificate requestor to provide an alternate Subject Alternative Name (SAN). As a result, if the template allows client authentication and any user to request the certificate, then a malicious actor can authenticate on behalf of another user. As a result, a malicious actor could authenticate on behalf of a Domain Administrator and compromise the domain. With Domain Administrator privileges, malicious actors might be able to access unauthorized patient data and deploy ransomware.

Preventative Measures

  • Disable ENROLLEE_SUPPLIED_SUBJECT to prevent alternative SAN requests.
  • Ensure non-privileged users can request certificates.
  • Enable auditing and logging for AD CS and review logs regularly to detect potential threats.
  • Ensure the latest security updates and patches are applied to your AD CS server and critical systems.

ESC 8 – NTLM Relay To AD CS Web Enrollment Pages

Description

AD CS supports HTTP-based enrollment through the use of dedicated certificate servers. These HTTP-based certificate enrollments are susceptible to NTLM relay attacks. An attacker might be able to elevate privileges by obtaining an authentication certificate on behalf of a Domain Controller (DC). Since Domain Controllers have DC Synchronization capabilities, they would be able to replicate and obtain the credentials of all domain users, including Domain Administrators. As a result, a malicious actor might be able to utilize this vulnerability to elevate privileges within the domain. After elevating privileges, they might be able to access, modify, and deny patient data stored within all domain workstations. Additionally, malicious actors could deploy ransomware via Group Policy with Domain Administrator privileges.

Preventative Measures

  • Refer to Microsoft’s KB5005413 for mitigation guidance
  • Remote Procedure Call (RPC) filters may also be implemented to block remote access to the interface UUIDs necessary for this exploit.
  • Restrict Outbound New Technology LAN Manager (NTLM) Authentication.
  • Disable AD CS Web Enrollment.

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Perspective on the Proposed Health Infrastructure Security and Accountability Act

Perspective on the Proposed Health Infrastructure Security and Accountability Act

The Health Infrastructure Security and Accountability Act (HISAA) introduced in the U.S. Senate on September 26 is another good step forward in addressing key factors contributing to the healthcare sector’s deficiency in establishing and maintaining adequate cybersecurity controls and risk management programs. While there are many in the sector that are already implementing recognized standards, having mandated standards would help to make sure everyone is playing by the same rules.

Connect
With Us