AD CS Hardening Playbook
A 15‑point hardening guide for Active Directory Certificate Services maps defenses against certificate‑template abuse labeled ESC1–ESC16 and ties recommendations to CISA and NIST controls. The guide provides commands, checklists and mappings aimed at reducing template‑based privilege escalations. (encryptionconsulting.com)
Active Directory Certificate Services is the system that issues digital ID cards inside many Windows networks, and a new hardening guide says one bad template can let a low-level user become an administrator in minutes. (encryptionconsulting.com)

The guide, published April 14, 2026 by Encryption Consulting, lays out 15 hardening steps for certificate templates and maps them to abuse paths tracked as ESC1 through ESC16. SpecterOps introduced the ESC naming in its 2021 “Certified Pre-Owned” research, which documented how certificate misconfigurations can lead to domain escalation and long-term persistence. (encryptionconsulting.com) (specterops.io)

Certificate templates are the prefilled forms a certification authority uses to decide who can get a certificate, what that certificate can do, and whether the requester can choose the identity written into it. Microsoft says templates define settings such as certificate usage, subject name, and issuance requirements, and those settings are stored in Active Directory for enterprise certification authorities. (learn.microsoft.com)

That matters because a certificate in Active Directory can work like a password substitute for logon, smart cards, Transport Layer Security, or code signing. Microsoft’s Defender for Identity team has called Active Directory Certificate Services a tier-0 asset, meaning a compromise can be as damaging as taking over a domain controller. (learn.microsoft.com) (techcommunity.microsoft.com)

The playbook focuses on template settings because several of the best-known abuse paths start there. Encryption Consulting says defenders should remove “Supply in the request” where possible, strip client authentication from templates that do not need it, require manager approval for high-risk enrollment, and tighten enrollment permissions to the smallest possible groups. (encryptionconsulting.com)

Those recommendations line up with Microsoft’s own guidance on template administration and broader public key infrastructure design. Microsoft says certificate templates should be managed by domain administrators, and Microsoft’s 2025 hardening guidance says the most common enterprise design is a two-tier public key infrastructure with an offline root certification authority and one or two issuing certification authorities. (learn.microsoft.com) (techcommunity.microsoft.com)

The guide also ties template fixes to outside control frameworks instead of treating them as one-off tweaks. Encryption Consulting maps its steps to Cybersecurity and Infrastructure Security Agency and National Institute of Standards and Technology controls, while NIST Special Publication 1800-16 documents formal certificate management practices and Microsoft’s 2025 guidance cites NIST support for keeping a root certification authority offline. (encryptionconsulting.com) (nvlpubs.nist.gov) (techcommunity.microsoft.com)

Government defenders have been warning about the same area. A joint Cybersecurity and Infrastructure Security Agency and National Security Agency advisory in 2023 listed insecure Active Directory Certificate Services configurations among the top 10 cybersecurity misconfigurations and said templates are used to build certificates for servers and other entities on a network. (cisa.gov)

Attack tooling has kept pace with the research. The Certipy project’s documentation says there were 16 distinct escalation techniques identified by 2025, and it explains how attackers and defenders can enumerate vulnerable certificate services settings across ESC1 through ESC16. (github.com)

The practical message in the new playbook is narrow and old-fashioned: audit every published template, cut permissions, add approval gates, and treat certificate authorities like crown-jewel systems. In networks that still rely on Active Directory Certificate Services for internal identity, that is the difference between a certificate acting like a badge and acting like a skeleton key. (encryptionconsulting.com) (techcommunity.microsoft.com)
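The four template fixes the playbook lists (remove “Supply in the request”, strip client-authentication EKUs, require manager approval, narrow enrollment permissions) each break one of the conditions an ESC1-style escalation needs, and the closing advice is to audit every published template. The PowerShell below is an added example, not code from the Encryption Consulting guide or from Microsoft, that reads the template objects out of the AD configuration partition and reports which published templates still have all of those conditions at once. It assumes the RSAT ActiveDirectory module and read access to the configuration naming context; the flag bits and extended-right GUIDs are the documented MS-CRTD and MS-ADTS values, while the list of “broad” enrollment principals (Everyone, Authenticated Users, Domain Users, Domain Computers) and the exact ESC1 combination are the author’s assumptions modelled on the SpecterOps criteria. The remediation step at the end runs with -WhatIf so nothing changes until you remove it.

```powershell
# Added example (not from the Encryption Consulting guide): audit AD CS templates for the
# ESC1-style combination the playbook targets, then optionally add a manager-approval gate.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Flag bits and right GUIDs as documented in MS-CRTD / MS-ADTS.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: "CA certificate manager approval"
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AuthEkus = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
              '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
              '2.5.29.37.0')              # Any Purpose
# Assumption: these principals make enrollment effectively open to any domain account.
$BroadSids = @('S-1-1-0', 'S-1-5-11')     # Everyone, Authenticated Users
$BroadRids = @('513', '515')              # Domain Users, Domain Computers (domain-relative RIDs)

# Names of templates actually published on at least one enterprise CA.
$published = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

function Test-BroadPrincipal([System.Security.Principal.IdentityReference]$id) {
    try { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { return $false }
    if ($BroadSids -contains $sid) { return $true }
    return $sid.StartsWith('S-1-5-21-') -and ($BroadRids -contains ($sid -split '-')[-1])
}

function Get-BroadEnrollers($sd) {
    # Enrollment is granted by the Enroll/AutoEnroll extended right, by an unscoped
    # ExtendedRight ACE (ObjectType = empty GUID), or by GenericAll on the template.
    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $isEnroll = ($r -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                    (($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                     ($ace.ObjectType -in @($EnrollRight, $AutoEnrollRight, [guid]::Empty)))
        if ($isEnroll -and (Test-BroadPrincipal $ace.IdentityReference)) { $ace.IdentityReference.Value }
    }
}

$findings = foreach ($t in Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor) {

    $suppliesSubject = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    $needsApproval   = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
    $needsSignature  = ([int]$t.'msPKI-RA-Signature') -gt 0      # authorized signatures required
    $ekus            = @($t.pKIExtendedKeyUsage)
    # An empty EKU list means "valid for any purpose", which includes logon.
    $authEku         = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    $enrollers       = @(Get-BroadEnrollers $t.nTSecurityDescriptor)

    [pscustomobject]@{
        Template        = $t.Name
        DN              = $t.DistinguishedName
        Published       = ($published -contains $t.Name)
        SuppliesSubject = $suppliesSubject
        AuthEku         = $authEku
        ManagerApproval = $needsApproval
        SignatureReq    = $needsSignature
        BroadEnrollers  = ($enrollers -join ', ')
        # All five conditions must hold together; each of the guide's four fixes removes one.
        ESC1            = ($suppliesSubject -and $authEku -and -not $needsApproval -and
                           -not $needsSignature -and $enrollers.Count -gt 0)
    }
}

$findings | Sort-Object ESC1, Published -Descending |
    Format-Table Template, Published, SuppliesSubject, AuthEku, ManagerApproval, SignatureReq, BroadEnrollers, ESC1 -AutoSize

# Remediation: add the manager-approval gate to every published template that is still ESC1-exposed.
# This is the least disruptive of the four fixes (enrollment keeps working, requests are pended).
# Remove -WhatIf to apply; needs rights to modify the template object.
foreach ($f in ($findings | Where-Object { $_.ESC1 -and $_.Published })) {
    $cur = (Get-ADObject -Identity $f.DN -Properties msPKI-Enrollment-Flag).'msPKI-Enrollment-Flag'
    Set-ADObject -Identity $f.DN -Replace @{ 'msPKI-Enrollment-Flag' = ($cur -bor $CT_FLAG_PEND_ALL_REQUESTS) } -WhatIf
}
```

Two caveats when reading the output. Templates that are not published are reported but not escalatable on their own, so the Published column is the first thing to look at. And a template can be safe by this check yet still be abusable through the other ESC paths (for example write access on the template object, or dangerous settings on the CA itself), which is why the playbook and the Certipy documentation cover ESC1 through ESC16 rather than this one pattern.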