Skillplan AD Checklist
2026-05-20 16:34
AD
Security Checklist
de
en
fr
it
System Online
← Back to sections
Mitigation Controls · Section 3 of 17
Mitigating an AD CS Compromise
Assessment Progress
0
/ 95 items
0%
Fulfillment so far
0
/ 0 controls
0%
Explain this attack
Remove the 'Enrollee Supplies Subject' flag.
Not Fulfilled
Fulfilled
Accepted
Restrict standard user object permissions on certificate templates.
Not Fulfilled
Fulfilled
Accepted
Remove vulnerable AD CS CA configurations.
Not Fulfilled
Fulfilled
Accepted
Require CA Certificate Manager approval for certificate templates that allow the SAN to be supplied.
Not Fulfilled
Fulfilled
Accepted
Remove EKUs that enable user authentication.
Not Fulfilled
Fulfilled
Accepted
Limit access to AD CS CA servers to only privileged users that require access.
Not Fulfilled
Fulfilled
Accepted
Restrict privileged access pathways to AD CS CA servers to jump servers and secure admin workstations.
Not Fulfilled
Fulfilled
Accepted
Only use AD CS CA servers for AD CS and do not install any non-security-related services or applications.
Not Fulfilled
Fulfilled
Accepted
Encrypt and securely store backups of AD CS CA servers and limit access to only Backup Administrators.
Not Fulfilled
Fulfilled
Accepted
Centrally log and analyse AD CS CA server logs in a timely manner to identify malicious activity.
Not Fulfilled
Fulfilled
Accepted
Save and Continue →
