Top 10 misconfigurations: NSA checklist for CISOs flags Active Directory Certificate Services

"In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far"

Something for Red Teams and Blue Teams.

A new advisory from signals intelligence and cybersecurity experts at the National Security Agency (NSA) highlights the top 10 most common cybersecurity misconfigurations in large organisations – including regular exposure of insecure Active Directory Certificate Services. 

It comes as the NSA’s Cybersecurity Director Rob Joyce warned that “if your infrastructure can’t survive a user clicking a link, you are doomed.

“I’m the director of cybersecurity at NSA and you can definitely craft an email link I will click,” he added on X – writing as generative AI models make it far easier for non-native speakers to craft convincing phishing emails and as such campaigns remain highly effective for threat actors.

The list is a useful guidebook to those seeking to secure IT estates and is no doubt based in part on the NSA’s extensive experience of breaching services, as well as support defending CNI. To The Stack, it is also a crisp reminder that strict organisational discipline is critical for cyber hygiene.

1. Default configurations and service permissions

Too many network devices with user access via apps or web portals still hide default credentials for built-in administrative accounts. (Cisco, we’re looking at you, you, you. Others are also regularly guilty.) The problem extends to printers and scanners that have hard-coded default credentials on them but are set up with privileged domain accounts loaded so that users can scan and send documents to a shared drive.

What should I do, in brief?

NSA says: Modify the default configuration of applications and appliances before deployment in a production environment. Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA's Security Technical Implementation Guides (STIGs) and configuration guides).

Active Directory Certificate Services

More specifically on default permissions risks, NSA says it regularly sees issues with the configuration of Active Directory Certificate Services (ADCS), a Microsoft feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of AD environments.

“Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges,” it warns, pointing to ADCS servers running with web-enrollment enabled, ADCS templates where low-privileged users have enrollment rights, and other associated issues, along with external guidance on a handful of known escalation paths.

What should I do, in brief?

Ensure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure. Disable NTLM on all ADCS servers. Disable SAN for UPN Mapping. If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy.
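
For the auditing step, the check below is an added example (not from the NSA advisory or this article) that reviews certificate templates for the issue flagged above: low-privileged enrollment rights, escalated to critical when the requester can also choose the subject/SAN on an authentication-capable template with no approval gate. The attribute names and flag bits are Active Directory's own; the `enroll_principals` field, the `LOW_PRIV` set and the sample templates are assumptions constructed for illustration, standing in for an LDAP export with enrollment ACLs already resolved to names.

```python
# Added audit sketch: flags certificate templates that low-privileged users can
# enroll in. Records are CONSTRUCTED samples shaped like exported template objects.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag: CA manager approval
# EKU OIDs that make a certificate usable for authentication to AD.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: principals this organisation treats as low-privileged.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def audit_template(t):
    """Return findings for one template record (empty list means nothing to review)."""
    enrollers = sorted(LOW_PRIV & set(t.get("enroll_principals", [])))  # hypothetical field
    if not enrollers:
        return []  # only privileged principals hold enrollment rights
    findings = ["REVIEW: low-privileged enrollment rights: " + ", ".join(enrollers)]
    ekus = t.get("pKIExtendedKeyUsage", [])
    allows_auth = not ekus or any(e in AUTH_EKUS for e in ekus)  # no EKU = any purpose
    supplies_subject = bool(t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS)
    needs_signature = t.get("msPKI-RA-Signature", 0) > 0  # authorised signatures required
    if allows_auth and supplies_subject and not (needs_approval or needs_signature):
        findings.append("CRITICAL: requester sets subject/SAN on an "
                        "authentication-capable template with no approval gate")
    return findings

def audit(templates):
    """Map template name to findings, keeping only templates that have any."""
    return {t["cn"]: f for t in templates if (f := audit_template(t))}

SAMPLE_TEMPLATES = [  # constructed, not taken from any real environment
    {"cn": "LegacyVPNUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users", "Domain Admins"]},
    {"cn": "InternalWebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll_principals": ["Domain Admins"]},
    {"cn": "UserWithApproval", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Authenticated Users"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(name, *findings, sep="\n  ")
```

A template that only raises the REVIEW line may be legitimate (standard user templates often allow broad enrollment); the CRITICAL line is the combination to fix first, by removing the supply-in-request setting, narrowing enrollment rights or requiring approval.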