Active Directory Certificate Service (AD CS)
- Updated on 01 Oct 2024
Active Directory Certificate Services (AD CS) is a Windows Server feature that allows you to build and manage PKI certificates used in software security systems.
Types of Assets Fetched
This adapter fetches the following types of assets:
- Certificates
Parameters
Authentication - Select Authentication method, either NTLM (default) or Kerberos. If you select Kerberos, the following optional fields for authentication may be configured:
- Kerberos AES Key (optional) - A cryptographic key, either 128 or 256 bits in length, used to secure communication by encrypting and decrypting messages exchanged between the client and the server.
- Kerberos Host (KDC) (optional) - The Kerberos Key Distribution Center (KDC) that will be used to authenticate. If this parameter is not specified, the domain will be used.
ADCS Server (required) - The hostname of the domain controller with the ADCS service.
User Name and Password (required) - The credentials for a user account that has the Required Permissions to execute PowerShell code which queries the ADCS server for information on the systems managed by that server.
Custom Share Name (optional) - If you do not have local Admin access, specify the name of a share to use instead of 'ADMIN$' for SMB operations. For more information, see Creating a Custom Share.
Custom Files Directory (optional) - Specify the name of a file directory to use instead of 'axonius'.
Custom Working Directory (optional) - If file sharing is restricted in the domain, specify the physical path of the share specified in Custom Share Name.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
APIs
Axonius uses the Certutil module.
Required Ports
Axonius must be able to communicate with the host supplied in ADCS Server via the following ports:
- 135 (RPC)
- 445 (SMB)
- A dynamically assigned DCOM port in the range 1024-65535, unless WMI is configured to use a fixed port (see Setting up a fixed port for WMI below)
Setting up a fixed port for WMI
The Active Directory Certificate Services (AD CS) adapter uses WMI, so you need to set up a fixed port for WMI to work through the firewall.
WMI runs as part of a shared service host with ports assigned through DCOM by default. However, you can set up the WMI service to run as the only process in a separate host and specify a fixed port. For more details, see Microsoft Documentation - Setting Up a Fixed Port for WMI.
To set up a fixed port for WMI:
- At the command prompt, type:
winmgmt -standalonehost
- Stop the WMI service by typing:
net stop "Windows Management Instrumentation"
or:
net stop winmgmt
- Restart the WMI service again in a new service host by typing:
net start "Windows Management Instrumentation"
or:
net start winmgmt
- Establish a new port number for the WMI service by typing (e.g. the following example will establish port TCP 24158):
netsh advfirewall firewall add rule name="WMIFixedPort" dir=in action=allow protocol=TCP localport=24158
If you are running an old Windows Server version, you might need to run the deprecated command version instead:
netsh firewall add portopening TCP 24158 WMIFixedPort
To undo any changes you make to WMI, type:
winmgmt /sharedhost
Then stop and start the winmgmt service again.
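The fixed-port procedure above as one script with the verification you want before pointing the adapter at the server. This is an added example, not from the Axonius documentation; it assumes an elevated Windows PowerShell session on the AD CS server with Windows Firewall in use, and the rule name WMIFixedPort and port 24158 are the values from the text.

```powershell
# Added example (not Axonius code). Applies the fixed-port steps and checks the
# result. Assumes an elevated Windows PowerShell session on the AD CS server.
param([int]$Port = 24158, [string]$RuleName = 'WMIFixedPort', [switch]$Undo)

if ($Undo) {
    # Revert: back to the shared service host, restart, drop the firewall rule.
    & winmgmt -sharedhost
    Restart-Service -Name winmgmt -Force
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return
}

# Move the WMI service into its own service host.
& winmgmt -standalonehost
if ($LASTEXITCODE -ne 0) { throw "winmgmt -standalonehost failed with code $LASTEXITCODE" }

# Stop and start the service so it comes up in the new host (dependents restart too).
Restart-Service -Name winmgmt -Force

# Open the fixed port inbound (same effect as the netsh advfirewall command above).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port | Out-Null
}

# Verify: service running, rule enabled, and the rule really covers the port.
$svc    = Get-Service -Name winmgmt
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    WmiService   = $svc.Status
    RuleEnabled  = $rule.Enabled
    RuleProtocol = $filter.Protocol
    RulePort     = $filter.LocalPort
}
```

Run with -Undo to reverse the change, which does the same as the winmgmt /sharedhost step above plus removing the firewall rule.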
Creating a Custom Share
You can create a custom share and directory instead of ADMIN$\axonius. A custom share that is properly configured enables you to fetch data without requiring full local admin permissions.
To create a custom share:
- Create a local user, such as 'axonius-usr'.
- Add the user to the following groups:
  - Distributed COM Users
  - Remote Management Users
- Create a directory for Axonius to use to store temporary files and to serve as a working directory, for example: C:\axonius. The name of this directory may be used later in the adapter configuration for AD CS in Axonius.
- Grant the local user the following permissions on the custom directory, its subdirectories, and files:
  - Read
  - Write
  - Modify
  - Execute (or Full Control)
- Share the directory that you created by using Sharing or Advanced Sharing. Verify that the local user has full permissions for this share. Specify a descriptive name for the shared directory, preferably a name which ends with a dollar sign, such as: AxoniusShare$. The name of this share will be used later in the adapter configuration for AD CS in Axonius.
- Open WMI Management (wmimgmt.msc). Under Security, select the Root namespace (minimal: root/cimv2).
- Click Security. Add the local user.
- Click Advanced.
- From the Applies to dropdown, select This namespace and subnamespaces.
- Under the Allow column for the local user, select the Execute Methods, Enable Account, and Remote Enable options, and then click OK.
- In Axonius, verify that the Custom Share Name and Custom Files Directory parameters are configured. The adapter will attempt to create the specified directory under the share.
- If the above step fails, some sharing options are not enabled on the server. In such a case, add the full path to the share under Custom Working Directory.
Note: When using Custom Working Directory, this directory must be identical across all Active Directory Certificate Services (AD CS) adapter connections, and needs to be specified in all adapter connections, even if using a local admin. Only use this option as a last resort.
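The custom-share procedure above as a script, so the same least-privilege setup can be reproduced on every AD CS server and reviewed before use. This is an added example, not Axonius code; it assumes an elevated Windows PowerShell 5.1 session on the AD CS server, and the user, directory and share names are the examples from the text, exposed as parameters. The WMI namespace step sets the same three rights the wmimgmt.msc steps set by hand, using the documented WBEM access-mask values.

```powershell
# Added example (not Axonius code). Assumes elevated Windows PowerShell 5.1 on
# the AD CS server; names below are the examples from the documentation.
param(
    [string]$UserName  = 'axonius-usr',
    [string]$Directory = 'C:\axonius',
    [string]$ShareName = 'AxoniusShare$',
    [string]$Namespace = 'root'          # minimal alternative: root/cimv2
)
$pw = Read-Host -AsSecureString "Password for $UserName"

# Local user in the two groups the adapter needs; not a member of Administrators.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $pw | Out-Null
}
foreach ($g in 'Distributed COM Users', 'Remote Management Users') {
    Add-LocalGroupMember -Group $g -Member $UserName -ErrorAction SilentlyContinue
}

# Working directory; Modify = read/write/execute/delete, inherited to children.
New-Item -ItemType Directory -Path $Directory -Force | Out-Null
$acl  = Get-Acl -Path $Directory
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $UserName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule); Set-Acl -Path $Directory -AclObject $acl

# Hidden share ($ suffix) granting full access to this local user only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Directory -FullAccess $UserName | Out-Null
}

# WMI namespace security: Enable Account (0x1), Execute Methods (0x2), Remote
# Enable (0x20); ContainerInherit = "This namespace and subnamespaces".
$mask = 0x1 -bor 0x2 -bor 0x20
$sid  = ([System.Security.Principal.NTAccount]$UserName).Translate(
    [System.Security.Principal.SecurityIdentifier])
$sec  = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sec.GetSD().SD, 0)
$ace  = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::ContainerInherit,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed, $mask, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$bytes = [byte[]]::new($sd.BinaryLength)
$sd.GetBinaryForm($bytes, 0)
if ($sec.SetSD($bytes).ReturnValue -ne 0) { throw "SetSD failed on namespace $Namespace" }

# Check what the adapter relies on: the share exists and the user's ACE is present.
Get-SmbShare -Name $ShareName | Select-Object Name, Path
(Get-Acl -Path $Directory).Access | Where-Object IdentityReference -like "*\$UserName"
```

After running it, enter AxoniusShare$ as Custom Share Name and the directory name as Custom Files Directory in the adapter connection, exactly as the steps above describe.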
Required Permissions
The value supplied in User Name and Password must be able to execute PowerShell code which queries the ADCS server for information on the systems managed by that server. The configured user must have permission to run the following PowerShell commands:
- (Get-Service -Name CertSvc).Status
- certutil -view csv
The value supplied in User Name and Password must have the following permissions in order to fetch assets:
- Local admin permissions (unless a properly configured custom share is used; see Creating a Custom Share).
- Access RPC on the ADCS server.
- Execute PowerShell on the ADCS server and access the IPC$ share on the ADCS server.
- Read and Write access to the ADMIN$ share on the ADCS server. Alternatively, create an 'axonius' folder inside the \\localhost\ADMIN$\ directory and ensure the Axonius account has Full Permissions to read and write to this newly created folder.
Supported From Version
Supported from Axonius version 6.1