Score:3

Do I need Active Directory Certificate Services

us flag

I have an AD setup that apparently has a vulnerability related to the Certificate Services feature. Thinking back through the MS Server courses I've sat, I don't remember anything on it, so I dug about online and I'm leaning towards "no".

I do not generate certs in-house for anything - workstations are allowed to self-sign, and my parent org has steps to follow for generating cert requests locally on our servers to be passed up the chain to a third-party CA. This seems to be the primary function of ADCS, and I don't appear to use it.

Users do not use PKI, only username and password, and it seems as if ADCS has something to do with authenticating CAs associated with smart card tokens. I might be mistaken, and it has nothing to do with this.

So is it safe to just remove ADCS? I believe it's just installed by default if you promote something to a Domain Controller (or at least add the role), but I can't think of any time I've interacted with it.

The DCs run Server 2012 and 2019 (with the former on the chopping block sometime in the near future, to be replaced by a Server 2019 one).

br flag
Have a look at the ADCS Management Console and see if it's issued any certificates lately?
us flag
If you have no actual use case I'm not sure why it was installed to begin with. It's not installed by default as you state. But internal CAs are also used for email signing certs, SCCM certs, workstation and server signing certs for things like SMB signing, etc. and other things. So you'll need to determine if there are reasons to keep it around. So far it sounds like the answer is no...but only you can say for sure.
us flag
Thanks for the responses. Had an opportunity to check the server itself (only had access to the scan results earlier). It doesn't appear as if Cert Services is actually installed, making this finding (PetitPotam) somewhat perplexing. Especially as the Microsoft fix revolves around changes in IIS, which is not installed on the Domain Controller at all.
cn flag
When using Cert Services you can optionally have a web-site hosted on IIS to handle certificate enrolment via a web interface, but you don't have to. As far as I understand, PetitPotam is a problem in the web interface with default settings; if you don't have that, you should be fine.
us flag
Peter, thanks for the response - this does seem to be an erroneous finding, then. Unfortunately the plugin's output does not give much guidance - only that there's a vulnerability because the scanner sent a request and got a certain response it didn't like.
Score:1
de flag

It is safe to remove Active Directory Certificate Services. If you don't use it for any certifications, you can remove it. We removed it in our company recently when we changed our Domain Controllers and DHCP server, and everything is working just fine.
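The comments above ask two things that are worth checking with a script rather than by memory: is AD CS actually installed or registered anywhere in the domain, and has it issued anything lately. The script below is an added example, not code from the thread or from Microsoft. It assumes Windows PowerShell 5.1 (what Server 2012/2019 ship with) on a domain-joined host with the RSAT ActiveDirectory module, that any enterprise CA registered itself in the Configuration partition the usual way (a pKIEnrollmentService object), that web enrollment, if present, sits at the default /certsrv virtual directory, and that the account running it can read the CA database for the certutil step. It also probes the /certsrv endpoint for NTLM over plain HTTP, which is the combination a PetitPotam-style NTLM relay needs; a CA that is not installed, or whose web endpoint is absent, will simply show nothing there.

```powershell
# Added triage script (not from the thread): does this domain run AD CS at all,
# is the web enrollment endpoint exposed over HTTP with NTLM, and has the CA
# issued anything recently? Assumes Windows PowerShell 5.1 + RSAT on a
# domain-joined host. All container paths and the /certsrv URL are the
# AD CS defaults; adjust if your environment differs.

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Local role check. ADCS-Cert-Authority is the CA itself; the ADCS-Web-*/
#    ADCS-Enroll-* features are the IIS-hosted enrollment front ends.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name 'ADCS-*' |
        Select-Object Name, DisplayName, Installed |
        Format-Table -AutoSize
}

# 2. Domain-wide check. Every enterprise CA registers a pKIEnrollmentService
#    object here, so this finds a CA on a member server, not just on this DC.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = Get-ADObject -SearchBase $enrollBase -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -Properties dNSHostName, cACertificate

if (-not $cas) {
    Write-Host "No enterprise CA is registered in AD ($enrollBase is empty)."
}

foreach ($ca in $cas) {
    # certutil "config string" is HOST\CA-common-name
    $config = "$($ca.dNSHostName)\$($ca.Name)"
    Write-Host "`nEnterprise CA: $config"

    # 3. Web enrollment probe. A 401 carrying "WWW-Authenticate: NTLM" over
    #    plain HTTP is what an NTLM relay from a coerced DC would be pointed at.
    $url = "http://$($ca.dNSHostName)/certsrv/"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -Method Head -ErrorAction Stop
        Write-Host "  $url answered $($resp.StatusCode) without authentication"
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($r) {
            $auth = $r.Headers['WWW-Authenticate']
            Write-Host "  $url answered $([int]$r.StatusCode); WWW-Authenticate: $auth"
            if ($auth -match 'NTLM') {
                Write-Host "  -> NTLM offered over plain HTTP: relay target. Require HTTPS with EPA, or disable NTLM on this site."
            }
        } else {
            Write-Host "  $url not reachable: $($_.Exception.Message)"
        }
    }

    # 4. Usage check. Disposition 20 = issued certificate in the CA database.
    #    Needs read access to the CA database (CA admin / auditor rights).
    $issued = certutil -config $config -view -restrict 'Disposition=20' `
                -out 'RequestID,RequesterName,NotBefore' csv 2>$null
    if ($LASTEXITCODE -eq 0) {
        $rows = @($issued | ConvertFrom-Csv)
        Write-Host "  Issued certificates in CA database: $($rows.Count)"
        $rows | Select-Object -Last 5 | Format-Table -AutoSize
    } else {
        Write-Host "  Could not query the CA database (insufficient rights or CA unreachable)."
    }
}
```

If step 1 shows nothing installed and step 2 finds no pKIEnrollmentService object, there is no AD CS in the domain to remove, and a scanner finding that only checks whether the DC answers a particular RPC request is reporting the coercion half of PetitPotam without any relay target to pair it with. If step 2 does find a CA, the NTLM result from step 3 and the issued-certificate count from step 4 together answer the question the answer above leaves to you: whether anyone still depends on it.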
