AD Tiering – Design and Conception of CAs and Templates

[mstraessner]

This project enables me to further develop PKIs in the area of security and to make vulnerabilities in existing environments visible.

Several years ago, I configured enrollment for duplicated certificate templates based on group permissions. With increasing security requirements and the introduction of AD Tiering, Locksmith now frequently reports ESC1, ESC4, ESC5, and ESC7.

So far, I haven’t found a clear answer regarding the correct implementation of AD Tiering – particularly with respect to permissions for Public Key Services, computer objects, and rights within the Certification Authority. It also remains unclear whether, and why, the use of AD security groups in certificate templates for enrollment is considered a bad practice or critical. My goal is to process and remediate the Locksmith output in a consistent and transparent way.

Open questions:

What does a correct AD Tiering configuration look like with regard to ESC5 and ESC7?

Why should AD security groups not be used for enrollment in certificate templates?