| 1 | +--- |
| 2 | +# Required metadata |
| 3 | +# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main |
| 4 | +# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main |
| 5 | + |
| 6 | +title: 'Security Assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)' |
| 7 | +description: 'This recommendation directly addresses the recently published CVE-2024-49019, which highlights security risks associated with vulnerable AD CS configurations. ' |
| 8 | +author: LiorShapiraa # GitHub alias |
| 9 | +ms.author: liorshapira |
| 10 | +ms.service: microsoft-defender-for-identity |
| 11 | +ms.topic: article |
| 12 | +ms.date: 12/04/2024 |
| 13 | +--- |
| 14 | + |
| 15 | +# Security assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) |
| 16 | + |
| 17 | +This article describes Microsoft Defender for Identity's Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) security posture assessment report. |
| 18 | + |
| 19 | +## Why is it important to review the Certificate templates? |
| 20 | + |
| 21 | +This recommendation directly addresses the recently published [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019)__,__ which highlights security risks associated with vulnerable AD CS configurations. This security posture assessment lists all vulnerable certificate templates found in customer environments due to unpatched AD CS servers. |
| 22 | + |
| 23 | +Certificate templates that are vulnerable to [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019) allow an attacker to issue a certificate with arbitrary Application Policies and Subject Alternative Name. The certificate can be used to escalate privileges, possibly resulting with full domain compromise. |
| 24 | + |
| 25 | +These certificate templates expose organizations to significant risks, as they enable attackers to issue certificates with arbitrary Application Policies and Subject Alternative Names (SANs). Such certificates can be exploited to escalate privileges and potentially compromise the entire domain. In particular, these vulnerabilities allow non-privileged users to issue certificates that can authenticate as high-privileged accounts, posing a severe security threat. |
| 26 | + |
| 27 | +## Prerequisites |
| 28 | + |
| 29 | +This assessment is available only to customers who installed a sensor on an AD CS server. For more information, see [New sensor type for Active Directory Certificate Services (AD CS)](/defender-for-identity/whats-new). |
| 30 | + |
| 31 | +## **How do I use this security assessment to improve my organizational security posture?** |
| 32 | + |
| 33 | +1. Review the recommended action at [Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)](https://security.microsoft.com/securescore?viewid=actions). |
| 34 | + |
| 35 | +2. **Identify the vulnerable certificate templates:** |
| 36 | + - Remove enrollment permission for unprivileged users. |
| 37 | + - Disable the **“Supply in the request”** option. |
| 38 | + |
| 39 | +3. Identify the AD CS servers which are vulnerable to CVE-2024-49019 and apply the relevant patch. |
| 40 | + |
| 41 | + For example: |
| 42 | + |
| 43 | + :::image type="content" source="media/prevent-certificate-enrollment-esc15/image.png" alt-text="Screenshot of servers." lightbox="media/prevent-certificate-enrollment-esc15/image.png"::: |
| 44 | + |
| 45 | +## Next steps |
| 46 | + |
| 47 | +- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) |
| 48 | + |
| 49 | +- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity) |
| 50 | + |
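Review bot: Step 2 is mislabeled: its bold lead reads "**Identify the vulnerable certificate templates:**", but the two sub-bullets ("Remove enrollment permission for unprivileged users." and "Disable the **"Supply in the request"** option.") are remediation actions, not identification steps, so the reader is never told where the affected templates are listed; rename the lead to something like "Remediate the vulnerable certificate templates:" or add a sentence that the templates appear in the exposed-entities view of the recommendation. In the same file, the paragraph on line 25 restates the paragraph on line 23 almost verbatim (arbitrary Application Policies plus SAN, leading to privilege escalation and domain compromise), so one of the two should be dropped or merged; "possibly resulting with full domain compromise" on line 23 should read "resulting in"; the stray `__,__` after the CVE link on line 21 renders as a bold comma and should be a plain comma; and the heading on line 31 is wrapped in `**...**` while the other headings are plain, so the bold markup should be removed for consistency with the rest of the Defender for Identity assessment articles.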