• Status: Solved

CertEnroll Directory Permission for AD CA Servers

We have an audit finding where the CertEnroll directory has Everyone permissions. Can this be further restricted to, say, Authenticated Users? Do computers need access to this directory?


Description
The remote has one or more Windows shares that can be accessed through the network with the given credentials.

Depending on the share rights, it may allow an attacker to read/write confidential data.

Solution
To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.

Risk Factor: High
CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 7.5 (CVSS2#E:H/RL:U/RC:ND)

Plugin Output
The following shares can be accessed as nfagent :

- CertEnroll - (readable)
  + Content of this share :
    ..

Everyone group has access to this folder.
2 Solutions
James Haywood commented:
Depending on what you're using the CA for, you should be able to restrict to read only for Authenticated Users and Domain Computers,
unless you are providing certs to non-domain entities.
Leon Fester, Senior Solutions Architect, commented:
You can adjust the permissions so that everyone only has read access.
They should not need write access to this folder.

IIRC, this is the default configuration anyways.
Check the share permissions in Computer Manager.

I'd like to point out the following:
The remote has one or more Windows shares that can be accessed through the network with the given credentials

I'm guessing this scan was run with an account that had Domain Admin privileges?
In which case this statement is absolutely true, since a Domain Admin would also be a local admin on the server.

Our company just passed PCI audits last week, and we just pointed out that the scan user had elevated permissions due to the "given credentials", that ordinary users couldn't write to this location, and that read access is needed to see the CRL.
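The two answers above boil down to one check: Everyone (or any broad principal) should hold no more than Read on the CertEnroll share at both the share and NTFS level, because clients still need Read to fetch the CRL, and the finding is only a real problem if the scan account's write access reflects what ordinary users get. The script below is an added example for this thread, not code from the original posters or from Microsoft. It assumes the share is named CertEnroll (the AD CS default), that the SmbShare cmdlets (Windows Server 2012 and later) are available, that it is run elevated on the CA, and that "Domain Computers" resolves under the current user's domain ($env:USERDOMAIN). Without -Fix it only reports; with -Fix it replaces the Everyone share entry with Read for Authenticated Users and Domain Computers, as James suggested. NTFS entries are reported for manual review rather than rewritten.

```powershell
# Added example (not from the original thread): audit, and optionally tighten,
# share-level permissions on an AD CS CertEnroll share, and report NTFS entries
# that grant Everyone more than Read. Assumed share name: CertEnroll (default).
[CmdletBinding()]
param(
    [string]$ShareName = 'CertEnroll',
    # Principals that receive Read on the share when -Fix is used (assumption:
    # "Domain Computers" lives in the current user's domain).
    [string[]]$ReadPrincipals = @('NT AUTHORITY\Authenticated Users',
                                  "$env:USERDOMAIN\Domain Computers"),
    [switch]$Fix   # without -Fix the script is report-only
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
Write-Host "Share '$ShareName' -> $($share.Path)"

# ---- Share-level permissions ------------------------------------------------
$shareAcl = Get-SmbShareAccess -Name $ShareName
Write-Host "`nShare permissions:"
$shareAcl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-String | Write-Host

# Everyone with anything beyond Read (Change or Full) is what the scanner flagged.
$broadShare = $shareAcl | Where-Object {
    $_.AccountName -like '*Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -ne 'Read'
}
if ($broadShare) {
    Write-Warning "Everyone holds $($broadShare.AccessRight -join ', ') on the share (more than Read)."
} else {
    Write-Host "Share level: Everyone has no more than Read."
}

# ---- NTFS permissions on the underlying folder -------------------------------
# Effective access is the more restrictive of share and NTFS, so both matter.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$ntfsAcl   = Get-Acl -Path $share.Path
$broadNtfs = $ntfsAcl.Access | Where-Object {
    $_.IdentityReference.Value -like '*Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
}
Write-Host "`nNTFS entries for review:"
$ntfsAcl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize | Out-String | Write-Host
if ($broadNtfs) {
    Write-Warning "NTFS: Everyone has write-class rights on $($share.Path); adjust the folder ACL manually."
} else {
    Write-Host "NTFS level: Everyone has no write-class rights."
}

# ---- Optional remediation of the share ACL -----------------------------------
if ($Fix) {
    # Drop the Everyone entry entirely and grant Read to the chosen principals,
    # which keeps CRL/AIA downloads working for domain members.
    $everyone = $shareAcl | Where-Object { $_.AccountName -like '*Everyone' }
    if ($everyone) {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $everyone.AccountName -Force | Out-Null
        Write-Host "Revoked share access for $($everyone.AccountName)."
    }
    foreach ($p in $ReadPrincipals) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $p -AccessRight Read -Force | Out-Null
        Write-Host "Granted Read on '$ShareName' to $p."
    }
    Write-Host "`nResulting share permissions:"
    Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize | Out-String | Write-Host
}
```

Run it once without -Fix first and compare the share and NTFS tables against what the scanner reported; if the only write-capable entries belong to Administrators or SYSTEM, the finding is the scan account's privilege rather than the share's exposure, which is the argument Leon used with his auditors. Only use -Fix if the CA serves domain members exclusively, since removing Everyone breaks CRL retrieval for non-domain clients that reach the share over SMB.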
btan, Exec Consultant, commented:
Question has a verified solution.
