AD CS escalation paths: are your certificate templates too permissive?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Active Directory Certificate Services misconfigurations can let attackers forge identities and escalate to Domain Admin through abused certificate templates, including SAN abuse, Certificate Request Agent misuse, and overly permissive templates, according to Netwrix. The governance gap is not certificate technology itself, but identity trust encoded into templates and account integration that defenders often under-review.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: What breaks when AD CS certificate templates are too permissive?

A: Permissive templates let an attacker turn certificate enrolment into identity escalation.

Q: Why do certificate-based identity paths create escalation risk in Active Directory?

A: Certificate-based identity paths are powerful because they can satisfy authentication without exposing a password.

Practitioner guidance

  • Inventory certificate templates with privileged authentication paths: Identify every template that can authenticate to Active Directory, map who can enrol, and flag any template that can influence subject, SAN, or delegate-on-behalf request behaviour.
  • Remove requester control over identity assertions: Block user-supplied subject and SAN values wherever they are not strictly required, and tighten approval paths for templates that can issue certificates usable for authentication.
  • Review Certificate Request Agent delegation and enrollment rights: Limit request-against-another-identity capability to named administrative workflows, then recertify those rights on a fixed schedule.

What to expect at the briefing

Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:

  • Step-by-step walkthrough of the three AD CS escalation techniques demonstrated by Darryl Baker.
  • Defender-focused indicators to look for in misconfigured certificate templates and request paths.
  • Mitigation examples for limiting subject, SAN, and request-agent abuse in Active Directory.
  • Webinar context from identity security research across Active Directory, Entra ID, and hybrid environments.

👉 Register for Netwrix's webinar on AD CS escalation paths and domain compromise →
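One way to carry out the inventory and review steps in the practitioner guidance above, as an added example that is not from the NHIMG post or from Netwrix: a PowerShell audit that enumerates the certificate templates stored in the AD configuration partition and flags the three conditions the guidance describes (requester-supplied subject/SAN on an authentication-capable template with no approval gate, templates with no EKU restriction, and templates that issue Certificate Request Agent certificates), listing the principals that hold enrol rights on each flagged template. It assumes the ActiveDirectory PowerShell module and a domain-joined account with read access to the configuration partition.

```powershell
# Added audit example (not from the NHIMG post or Netwrix). Assumes the ActiveDirectory
# module is installed and the caller can read the Configuration naming context.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Documented flag bits and OIDs
$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies subject/SAN
$PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$authEkus        = '1.3.6.1.5.5.7.3.2','1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.2.3.4','2.5.29.37.0'
$requestAgentEku = '1.3.6.1.4.1.311.20.2.1'                        # Certificate Request Agent
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$props = 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature',
         'pKIExtendedKeyUsage','nTSecurityDescriptor'

Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t        = $_
    $ekus     = @($t.pKIExtendedKeyUsage)
    $findings = @()

    # An empty EKU list or Any Purpose also satisfies AD authentication, so treat both as auth-capable
    $allowsAuth    = ($ekus.Count -eq 0) -or ((@($ekus | Where-Object { $authEkus -contains $_ })).Count -gt 0)
    $requesterName = ([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval = ([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -ne 0
    $raSignatures  = [int]$t.'msPKI-RA-Signature'   # authorised signatures required on the request

    if ($allowsAuth -and $requesterName -and -not $needsApproval -and $raSignatures -eq 0) {
        $findings += 'Requester supplies subject/SAN on an authentication-capable template with no approval gate'
    }
    if ($allowsAuth -and ($ekus.Count -eq 0 -or $ekus -contains '2.5.29.37.0')) {
        $findings += 'No EKU restriction or Any Purpose EKU: usable for authentication regardless of intent'
    }
    if ($ekus -contains $requestAgentEku) {
        $findings += 'Issues Certificate Request Agent certificates (enrol on behalf of another identity)'
    }
    if (-not $findings) { return }

    # Principals granted the Enroll extended right (or GenericAll, which implies it)
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                         ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                           ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty) ) ) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{ Template = $t.Name; Findings = ($findings -join '; '); Enrollers = ($enrollers -join ', ') }
} | Format-Table -AutoSize -Wrap
```

Templates that appear with a broad enroller set (for example Domain Users or Authenticated Users) are the ones to recertify first; the fix is on the template (clear the supply-subject flag, restrict EKUs, require approval or a request-agent signature), not on the CA.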

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 6194
 

Certificate template governance is an identity control, not a PKI side issue. AD CS templates decide who can request, what can be requested, and how identity is asserted when the certificate is used. That means a misconfigured template is not just a misrouted request path, it is a privilege decision embedded inside authentication plumbing. Practitioners should treat template review as part of identity governance, not a separate infrastructure exercise.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which leaves privilege review blind spots that certificate abuse can exploit.

A question worth separating out:

Q: Who should be accountable when certificate abuse leads to domain compromise?

A: Accountability should sit with the teams that govern identity trust, template policy, and privileged enrolment, not only with Windows administrators. AD CS compromise is an identity governance failure because it converts a certificate decision into domain-level authority.

👉 Read our full editorial: Active Directory Certificate Services misconfigurations and domain escalation risk
