🛡️ Mitigation for CVE-2024-49019 CVE-2024-49019 is a vulnerability related to certificate enrollment in Active Directory Certificate Services (AD CS), which can allow unauthorized users to enroll certificates using weak or overly permissive templates. 🔧 Mitigation Steps 1. Remove 'Authenticated Users' from Enrollment Permissions Open Certificate Templates Console (certtmpl.msc). + Locate the affected certificate template(s). + Right-click the template → Properties → Security tab. + Uncheck or remove the Enroll permission for Authenticated Users. + This prevents domain users from automatically enrolling certificates using vulnerable templates. 2. Restrict Certificate Enrollment to Specific Security Groups In the same Security tab of the certificate template: + Add only trusted security groups (e.g., Enrollment Admins, IT Department, Administrators,Domain Admins, Domain Enterprise etc.,). + Grant them Read and Enroll (and optionally Autoenroll) as required. + This ensures only designated users or systems can enroll certificates. + Add Authenticated Users Then In the Permission Tab and Deny their right to request Certificate. 3. Limit 'Enroll On Behalf Of' Rights (Enrollment Agent Restrictions) Open Certification Authority Console (certsrv.msc). + Right-click the CA → Properties → Policy Module → Properties. + Under Enrollment Agents, limit which templates and users/groups can use these permissions. + Audit all Enrollment Agent templates and permissions. + This stops unauthorized enrollment using agent certificates. 4. Revoke Existing Certificates Review all certificates issued using vulnerable templates. + In Certification Authority Console: + Go to Issued Certificates. + Identify certificates issued to unintended users. + Right-click → All Tasks → Revoke Certificate. + Choose reason: Cease of Operation or Privilege Withdrawn. - Optionally, publish CRL to propagate revocation. ✅ Best Practices + Regularly audit certificate templates and permissions. + Use separate templates for high-privilege certificates with tightly controlled permissions. + Monitor certificate issuance logs. Implement role-based access control for template management.