
CertEnroll Directory Permission for AD CA Servers

We have an audit finding where the CertEnroll directory has Everyone permissions. Can this be further restricted to, say, Authenticated Users? Do computers need access to this directory?


Description: The remote has one or more Windows shares that can be accessed through the network with the given credentials.

Depending on the share rights, it may allow an attacker to read/write confidential data.

Solution: To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.

Risk Factor: High
CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 7.5 (CVSS2#E:H/RL:U/RC:ND)

Plugin Output: The following shares can be accessed as nfagent :

- CertEnroll - (readable)
  + Content of this share :
    ..

Everyone group has access to this folder.

Depending on what you're using the CA for, you should be able to restrict it to read-only for Authenticated Users and Domain Computers,
unless you are providing certs to non-domain entities.
You can adjust the permissions so that everyone only has read access.
They should not need write access to this folder.

IIRC, this is the default configuration anyway.
Check the share permissions in Computer Management.
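The check the two answers above describe, as an added PowerShell example that is not part of the thread: it reads the CertEnroll share ACL and the NTFS ACL of the folder behind it, flags any write-type right held by broad groups (Everyone, Authenticated Users, Users, INTERACTIVE), and with -Restrict replaces the Everyone share entry with Read for Authenticated Users and Domain Computers. Assumed, not from the thread: the share still has its default name CertEnroll, $env:USERDOMAIN is the NetBIOS name of the CA's domain, and the script runs elevated on the CA itself.

```powershell
<#
  Added example (not from the thread). Audits the CertEnroll share on an
  AD CS server and optionally tightens its share-level ACL.
  Assumptions: default share name "CertEnroll", $env:USERDOMAIN is the
  NetBIOS domain of the CA, and the script runs elevated on the CA.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ShareName = 'CertEnroll',
    [switch]$Restrict
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
Write-Host "Share '$ShareName' is backed by $($share.Path)"

# --- 1. Share-level permissions -------------------------------------------
$shareAcl = Get-SmbShareAccess -Name $ShareName
Write-Host "`nShare permissions:"
$shareAcl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host

# Anything granted beyond Read at the share layer is what a scanner reports
# as a writable share.
$shareWrite = $shareAcl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read'
}

# --- 2. NTFS permissions on the underlying folder --------------------------
# Share and NTFS permissions are ANDed: a read-only share does not help if
# the folder itself grants write rights to a broad group.
$ntfsAcl   = Get-Acl -Path $share.Path
$broad     = @('Everyone', 'NT AUTHORITY\Authenticated Users',
               'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')
$writeBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

$ntfsWrite = $ntfsAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band $writeBits) -ne 0
}

Write-Host "`nNTFS ACEs on $($share.Path):"
$ntfsAcl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize |
    Out-Host

# --- 3. Verdict -----------------------------------------------------------
if (-not $shareWrite -and -not $ntfsWrite) {
    Write-Host "`nOK: CertEnroll is read-only for broad groups at both the share and NTFS layers."
} else {
    foreach ($ace in $shareWrite) {
        Write-Warning "Share grants $($ace.AccessRight) to $($ace.AccountName)"
    }
    foreach ($ace in $ntfsWrite) {
        Write-Warning "NTFS grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
    }
}

# --- 4. Optional hardening of the share ACL --------------------------------
# Grant the read-only principals first, then drop Everyone, so there is no
# window in which nobody can read the CRL over SMB.
if ($Restrict -and $PSCmdlet.ShouldProcess($ShareName, 'replace Everyone with read-only domain principals')) {
    $readers = @('NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Computers")
    Grant-SmbShareAccess  -Name $ShareName -AccountName $readers  -AccessRight Read -Force | Out-Null
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    Write-Host "`nShare permissions after change:"
    Get-SmbShareAccess -Name $ShareName |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host
}
```

Run it once without -Restrict to see whether the finding is a real Everyone-write or just the scan account's own elevated rights: the NTFS check reports only the broad groups, not whatever the scanner's credential could do. Two things to keep in mind before running with -Restrict: computer accounts authenticate as themselves, so Domain Computers is already covered by Authenticated Users and is listed only because that is what the thread suggests; and the CA service writes new CRLs to the local folder through NTFS, while HTTP clients fetch them through the IIS virtual directory, so neither path goes through the SMB share and neither is affected by making the share read-only. Only a CDP/AIA entry that publishes to this share over UNC from another machine would need write access.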

I'd like to point out the following:
The remote has one or more Windows shares that can be accessed through the network with the given credentials

I'm guessing this scan was run with an account that had Domain Admin privileges?
In which case this statement is absolutely true, since a Domain Admin would also be a local admin on the server.

Our company just passed PCI audits last week, and we just pointed out that the scan user had elevated permissions due to the "given credentials", that ordinary users couldn't write to this location, and that read access is needed to see the CRL.