Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)

Published 2025-04-07 at https://pariswells.com/blog/research/prevent-users-to-request-a-certificate-valid-for-arbitrary-users-based-on-the-certificate-template-esc1 (category: research)

We use RADIUS and NPS for authentication, and the following Defender for Identity alert showed up:

Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)

The suggested resolutions were:

Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
1. Disable the "Supply in the request" configuration.
2. Remove EKUs enabling user authentication (e.g. Client Authentication).
3. Remove overly permissive enrollment permissions, which allow any user to enroll a certificate based on that certificate template.
4. Enable the "CA certificate manager approval" requirement.

We changed the setting shown below:

[Figure: screenshot of the certificate template settings that were changed, https://pariswells.com/blog/wp-content/uploads/2025/04/image-16.png]

2) We can't do this; it is needed for Wi-Fi auth.

3) Can't do this; users need to enroll.

4) Can't do this; we don't want manual approval.