CertEnroll Directory Permission for AD CA Servers

Posted on 2012-08-15
Last Modified: 2012-08-16
We have an audit finding where the CertEnroll directory has Everyone permissions. Can this be further restricted to, say, Authenticated Users? Do computers need access to this directory?


Description
The remote has one or more Windows shares that can be accessed through the network with the given credentials.

Depending on the share rights, it may allow an attacker to read/write confidential data.

Solution
To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.

Risk Factor: High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score
7.5 (CVSS2#E:H/RL:U/RC:ND)
Plugin Output
The following shares can be accessed as nfagent :

- CertEnroll - (readable)
  + Content of this share :
    ..

The Everyone group has access to this folder.
Question by:BrianRB

    Expert Comment

    by:James Haywood
    Depending on what you're using the CA for, you should be able to restrict it to read-only for Authenticated Users and Domain Computers,
    unless you are providing certs to non-domain entities.

    Accepted Solution

    You can adjust the permissions so that everyone only has read access.
    They should not need write access to this folder.

    IIRC, this is the default configuration anyways.
    Check the share permissions in Computer Manager

    I'd like to point out the following:
    The remote has one or more Windows shares that can be accessed through the network with the given credentials

    I'm guessing this scan was run with an account that had Domain Admin privileges?
    In which case this statement is absolutely true, since a Domain Admin would also be a local admin on the server.

    Our company just passed PCI audits last week, and we just pointed out that the scan user had elevated permissions due to the "given credentials", that ordinary users couldn't write to this location, and that read access is needed to see the CRL.
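A way to check both the share-level and NTFS permissions the accepted solution refers to, as an added example that is not from the thread: it assumes the default CertEnroll share name and folder path of an AD CS server, and the SmbShare cmdlets that ship with Windows Server 2012 and later.

```powershell
# Added example (not from the thread): audit the CertEnroll share and folder ACLs
# and flag broad principals that hold more than read access.
# Assumptions: default share name 'CertEnroll' and default AD CS folder path.
$ShareName = 'CertEnroll'
$Path      = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Principals expected to have read-only access so clients can still fetch the CRL/AIA.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
function Test-Broad([string]$Name) {
    return ($BroadPrincipals -contains $Name) -or ($Name -like '*\Domain Computers')
}

$findings = @()

# 1. Share-level permissions (what the scanner reported on).
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ((Test-Broad $ace.AccountName) -and $ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read') {
        $findings += "Share: $($ace.AccountName) has $($ace.AccessRight) (expected Read)"
    }
}

# 2. NTFS permissions on the underlying folder.
# Any allow right outside ReadAndExecute|Synchronize lets the principal modify content.
$readOnlyMask = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                      [System.Security.AccessControl.FileSystemRights]::Synchronize)
foreach ($ace in (Get-Acl -Path $Path).Access) {
    $id = $ace.IdentityReference.Value
    if (-not (Test-Broad $id) -or $ace.AccessControlType -ne 'Allow') { continue }
    $extra = [int]$ace.FileSystemRights -band (-bnot $readOnlyMask)
    if ($extra -ne 0) {
        $findings += "NTFS: $id has $($ace.FileSystemRights) on $Path (expected read-only)"
    }
}

if ($findings.Count -eq 0) {
    "OK: broad principals have read-only access to $ShareName; CRL/AIA retrieval still works."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it locally on the CA as an administrator; a clean result documents for the auditor that the Everyone entry is read-only rather than writable.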
