AD Certificate Services: A Massive Chunk of Windows Security Functionality Finally Gets the Security Research It Deserves

For decades the security community – myself included – has largely neglected the Public Key Infrastructure (PKI) built into the Windows/Active Directory environment, namely Active Directory Certificate Services (AD CS).

Certificates and PKI are a natural outgrowth of the amazing, world-changing work on asymmetric cryptography done by Diffie, Hellman and Merkle and by Rivest, Shamir and Adleman (RSA) while I was wrestling with long division in the South Carolina public school system. (That is a fascinating story told by Wired’s Steven Levy in his book Crypto.) In this webinar, I will quickly explain how asymmetric cryptography uses 2 keys – one arbitrarily designated the public key, the other the private key – and:

  1. Why Anne can freely share her public key with anyone
  2. How Anne’s public key allows Bob to send Anne a message only she can decrypt
  3. How the public key allows Bob to verify messages Anne sends really came from her

But that’s just the beginning, because how does Bob know a public key really is Anne’s and not an impostor’s? I’ll show you how that is where certificates come in, how certificates have to be issued by a certificate authority (CA) that everyone trusts, and how at the end of the day it all goes back to the supremo (i.e. root) CA’s public/private key pair. And how all anyone really needs at the beginning is the top CA’s public key, and how it all comes crashing down if the CA’s private key is stolen.
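The Anne/Bob/CA story above, acted out in code. This is an added illustration, not material from the webinar or its author: a deliberately tiny textbook RSA (toy-sized keys, no padding) so that the three claims about public keys, the CA’s signature over Anne’s key, and the collapse when the CA’s private key is stolen can each be checked as a boolean. Every function and name here (generate_keypair, issue_certificate, verify_certificate, the "Anne" subject) is the example’s own; real systems use 2048-bit or larger keys, OAEP/PSS padding and a vetted library.

```python
"""Added illustration (not from the webinar or its author): a tiny textbook RSA
used to act out the Anne/Bob/CA story.  Toy key sizes keep the arithmetic
readable; never use hand-rolled RSA like this for anything real."""
import hashlib
import math
import random

def is_probable_prime(n, rng, rounds=25):
    """Miller-Rabin test; adequate for generating demo-sized primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True

def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(candidate, rng):
            return candidate

def generate_keypair(bits=256, seed=None):
    """Return (public, private) as ((e, n), (d, n)); seed makes the demo repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)  # d = e^-1 mod phi (Python 3.8+)

def encrypt(public, message):
    """Anyone holding the public key can encrypt; only the private key undoes it."""
    e, n = public
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "toy demo: message must be non-empty and shorter than the modulus"
    return pow(m, e, n)

def decrypt(private, ciphertext):
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest_as_int(message, n):
    # Hash first, then sign the hash; reduced mod n only because the toy modulus is tiny.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    d, n = private
    return pow(_digest_as_int(message, n), d, n)

def verify(public, message, signature):
    e, n = public
    return pow(signature, e, n) == _digest_as_int(message, n)

def _to_be_signed(subject, public):
    """The part of a toy certificate the CA signs: a name bound to a public key."""
    e, n = public
    return f"{subject}|{e}|{n}".encode()

def issue_certificate(ca_private, subject, subject_public):
    return {"subject": subject, "public": subject_public,
            "signature": sign(ca_private, _to_be_signed(subject, subject_public))}

def verify_certificate(cert, ca_public):
    """Bob needs nothing but the root CA's public key to check whose key this is."""
    return verify(ca_public, _to_be_signed(cert["subject"], cert["public"]), cert["signature"])

def run_demo(seed=2024):
    """Check each claim from the text and return it as a named boolean."""
    ca_pub, ca_priv = generate_keypair(seed=seed)
    anne_pub, anne_priv = generate_keypair(seed=seed + 1)
    impostor_pub, impostor_priv = generate_keypair(seed=seed + 2)
    secret, note = b"meet at noon", b"invoice 42"  # constructed sample messages
    results = {}
    # 1 & 2: Anne publishes her public key; Bob encrypts to it and only Anne can read it.
    ct = encrypt(anne_pub, secret)
    results["anne_decrypts"] = decrypt(anne_priv, ct) == secret
    results["impostor_cannot_decrypt"] = decrypt(impostor_priv, ct) != secret
    # 3: Bob checks Anne's signature with her public key; any change to the message breaks it.
    sig = sign(anne_priv, note)
    results["signature_ok"] = verify(anne_pub, note, sig)
    results["tampered_rejected"] = not verify(anne_pub, note + b"0", sig)
    # Certificates: the trusted CA binds the name "Anne" to her key.
    anne_cert = issue_certificate(ca_priv, "Anne", anne_pub)
    results["anne_cert_ok"] = verify_certificate(anne_cert, ca_pub)
    # Swapping in an impostor's key invalidates the CA's signature.
    results["forged_rejected"] = not verify_certificate(dict(anne_cert, public=impostor_pub), ca_pub)
    # If the CA's private key is stolen, a bogus "Anne" certificate verifies perfectly.
    stolen = issue_certificate(ca_priv, "Anne", impostor_pub)
    results["stolen_ca_key_forgery_accepted"] = verify_certificate(stolen, ca_pub)
    return results

if __name__ == "__main__":
    for claim, holds in run_demo().items():
        print(f"{claim:35} {holds}")
```

The last result is the point of the whole chain: with the CA key compromised, nothing on Bob’s side distinguishes the genuine certificate from the forged one, which is why protecting the CA’s private key (and, in AD CS, the CA and its templates) matters more than any single user certificate.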

We all participate every day in the Internet’s PKI when we browse websites protected by a web server certificate. Laptop and phone OSes automatically trust the major commercial CAs and ship with those CAs’ root public keys hardcoded. That’s what I call the public PKI of the Internet. AD Certificate Services is an internal version of that for using certificates inside an organization, which I call a private PKI. But AD CS is more than a certificate authority – it’s a full-fledged automated PKI that integrates deeply with Active Directory and the Windows base operating system to automate the complicated and otherwise laborious process of certificate enrollment, which requires authentication, authorization, key generation, etc.

Unlike the “modern” MS cloud environment that is in a perpetual state of “pardon our dust” remodeling, and like Active Directory itself, AD Certificate Services was actually designed, and it makes the onerous burden of running a PKI amazingly simple. But as with all security technologies, there are vulnerabilities. Oddly, as widely deployed as AD Certificate Services is, it hadn’t gotten much attention from security researchers over all this time. But in the last few years that has changed.

In this real training for free event, I will introduce you to the foundational elements of PKI and then show you how AD CS leverages existing computer and user accounts in AD, Kerberos and group policy to automate certificate enrollment.

My guest is security researcher Darryl Baker from Netwrix who specializes in identity security, adversary emulation, and detection strategy across Active Directory, Entra ID, and hybrid identity ecosystems. After my intro to PKI and AD CS, Darryl will take over and show you 3 vulnerabilities in AD CS involving certificate templates.

Certificate templates are one of the key objects in AD CS. They are basically profiles defining common properties associated with different types of certificates needed in an environment. For instance, if you want only corporate-managed devices to join Wi-Fi or use VPN, you can use AD CS autoenrollment to issue machine certificates and enforce EAP-TLS via NPS/RADIUS—so network access is granted based on certificate trust instead of passwords.

Darryl will focus on 3 vulnerabilities involving certificate templates:

  1. Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
  2. Domain escalation via No Issuance Requirements + Enrollable Any Purpose EKU or no EKU
  3. Domain escalation via No Issuance Requirements + Certificate Request Agent EKU + no enrollment agent restrictions
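The three conditions above are the template misconfigurations the SpecterOps "Certified Pre-Owned" research named ESC1, ESC2 and ESC3, and each of them is visible in the template object’s attributes before anyone abuses it. As an added example (not the webinar’s, the speakers’ or Netwrix’s code), the audit below evaluates exported template attributes against those conditions from a defender’s side. The attribute names (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage), the flag bits and the EKU OIDs are the real ones from the template objects under CN=Certificate Templates,CN=Public Key Services in the Configuration partition; the "enroll" list standing in for the template’s Enroll permissions, the LOW_PRIV_PRINCIPALS set, the ca_restricts_enrollment_agents switch and the sample templates are constructed for the demo.

```python
"""Added example (not the webinar's or Netwrix's code): evaluate exported AD CS
certificate-template attributes against the three template conditions in the
list above.  Attribute names, flag bits and OIDs are the real ones; the
template records below are constructed."""

# msPKI-Certificate-Name-Flag bit: the requester supplies the subject/SAN instead of AD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: "CA certificate manager approval" (an issuance requirement).
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# pKIExtendedKeyUsage OIDs that matter for the three conditions.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT_AUTH, EKU_SMART_CARD_LOGON, EKU_ANY_PURPOSE}

# Demo assumption: a template is "enrollable" by ordinary domain members when one of
# these principals holds the Enroll right.  A real audit reads the template's security
# descriptor and resolves SIDs and nested group membership instead of matching names.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

FINDINGS = {
    "1": ("enrollee supplies subject on an authentication-capable template",
          "clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or require manager approval; restrict Enroll"),
    "2": ("Any Purpose EKU or no EKU at all",
          "replace with the specific EKUs the template exists for; restrict Enroll"),
    "3": ("Certificate Request Agent EKU with no enrollment agent restrictions on the CA",
          "configure enrollment agent restrictions on the CA; restrict Enroll"),
}

def no_issuance_requirements(tpl):
    """Neither manager approval nor authorized signatures stand between request and issuance."""
    manager_approval = tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
    return not manager_approval and tpl["msPKI-RA-Signature"] == 0

def low_priv_enrollable(tpl):
    return bool(LOW_PRIV_PRINCIPALS & set(tpl["enroll"]))

def audit_template(tpl, ca_restricts_enrollment_agents=False):
    """Return the finding codes ("1", "2", "3") that apply to one template record."""
    if not (no_issuance_requirements(tpl) and low_priv_enrollable(tpl)):
        return []  # all three conditions require no issuance requirements + low-priv enroll
    ekus = set(tpl["pKIExtendedKeyUsage"])
    supplies_subject = tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    codes = []
    if supplies_subject and ekus & AUTH_EKUS:
        codes.append("1")
    if not ekus or EKU_ANY_PURPOSE in ekus:
        codes.append("2")
    if EKU_CERT_REQUEST_AGENT in ekus and not ca_restricts_enrollment_agents:
        codes.append("3")
    return codes

def audit_all(templates, ca_restricts_enrollment_agents=False):
    return {t["cn"]: audit_template(t, ca_restricts_enrollment_agents) for t in templates}

def _tpl(cn, name_flag=0, enroll_flag=0, ra_sig=0, ekus=(), enroll=()):
    """Build one constructed template record shaped like an attribute export."""
    return {"cn": cn, "msPKI-Certificate-Name-Flag": name_flag, "msPKI-Enrollment-Flag": enroll_flag,
            "msPKI-RA-Signature": ra_sig, "pKIExtendedKeyUsage": list(ekus), "enroll": list(enroll)}

# Constructed sample export; none of these templates come from a real environment.
SAMPLE_TEMPLATES = [
    _tpl("VPN-User-Legacy", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
         ekus=[EKU_CLIENT_AUTH], enroll=["Domain Users"]),
    _tpl("Lab-AnyPurpose", ekus=[EKU_ANY_PURPOSE], enroll=["Domain Computers"]),
    _tpl("EnrollmentAgent", ekus=[EKU_CERT_REQUEST_AGENT], enroll=["Authenticated Users"]),
    # Same as VPN-User-Legacy but with manager approval: the issuance requirement closes it.
    _tpl("VPN-User-Hardened", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
         enroll_flag=CT_FLAG_PEND_ALL_REQUESTS, ekus=[EKU_CLIENT_AUTH], enroll=["Domain Users"]),
    # Supplies subject, but only Domain Admins can enroll: not low-priv enrollable.
    _tpl("Admin-SupplySubject", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
         ekus=[EKU_CLIENT_AUTH], enroll=["Domain Admins"]),
]

if __name__ == "__main__":
    for cn, codes in audit_all(SAMPLE_TEMPLATES).items():
        for code in codes:
            what, fix = FINDINGS[code]
            print(f"{cn}: condition {code}: {what} -> {fix}")
        if not codes:
            print(f"{cn}: no finding")
```

The two hardened samples show the two independent levers defenders have: either add an issuance requirement (manager approval or an authorized signature) or take the Enroll right away from broad groups; either one alone removes the template from all three findings.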

Please join us for this in-depth real training for free event.

CAN'T MAKE THE LIVE EVENT? REGISTER ANYWAY TO GET THE RECORDED VERSION.

Title: AD Certificate Services: A Massive Chunk of Windows Security Functionality Finally Gets the Security Research It Deserves
Date: Tuesday, February 24, 2026 12:00 - 1:30 PM ET

This is real training.

Space is limited.
Reserve your Webinar seat now at:
https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=3791

Need CPE credit for this live webinar or any other live webinar you've attended in the past? Just visit www.UltimateWindowsSecurity.com, click on the Webinars section, and then the link for CPE credit transcript. If your email address has changed due to a job change or any other reason, click here to update it.

Thanks as always for reading and best wishes on security,
Randy Franklin Smith

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2026 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.

9450 SW Gemini Drive #53822, Beaverton, OR 97008

Note: We do our best to provide quality information and expert commentary but use all information at your own risk.