ADCS response starts by identifying issued certificates, vulnerable templates, modified templates, exposed CA keys, and relayable enrollment endpoints. Certificates must be treated as live credentials until expired or revoked.
Inventory CAs and templates
certutil -config "dc01.ootw.local\OOTW-CA" -catemplates
certutil -config "dc01.ootw.local\OOTW-CA" -getconfig
Find vulnerable templates
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -text -output adcs_review
Disable vulnerable template publication
certutil -config "dc01.ootw.local\OOTW-CA" -setcatemplates -ESC1
Revoke a certificate
$Serial = "SERIAL_NUMBER"
certutil -config "dc01.ootw.local\OOTW-CA" -revoke $Serial
certutil -config "dc01.ootw.local\OOTW-CA" -crl
Remove ESC1-style risk
Disable Enrollee Supplies Subject for authentication templates.
Require manager approval where subject supply is required.
Require authorized signatures for sensitive templates.
Remove broad enrollment rights from Domain Users and Authenticated Users.
Remove Any Purpose and unnecessary authentication EKUs.
Remove ESC4-style risk
Restrict template ownership to PKI administrators.
Remove WriteDacl, WriteOwner, GenericAll, GenericWrite, and WriteProperty from non-PKI administrators.
Review template changes in the Configuration naming context.
Restore known-good template JSON or GPO-backed documentation.
Reduce ESC8 risk
Disable ADCS web enrollment if not required.
Require HTTPS.
Enforce Extended Protection for Authentication.
Disable NTLM where possible.
Require LDAP signing and channel binding.
Reduce coercion exposure such as Print Spooler on servers where not needed.
Golden Certificate response
Treat CA private key compromise as a PKI root compromise.
Revoke forged certificates if serials are known.
Rotate or rebuild the CA where required.
Publish fresh CRLs.
Remove compromised CA certificate trust from NTAuth if retiring the CA.
Hunt for certificate authentication after the suspected compromise window.
Useful event IDs
4886 Certificate Services received a certificate request
4887 Certificate Services approved a certificate request and issued a certificate
4888 Certificate Services denied a certificate request
4890 Certificate Services certificate manager settings changed
4898 Certificate template loaded
4899 Certificate Services template updated
4900 Certificate Services template security updated
4768 TGT requested, including certificate-based Kerberos authentication
4769 Service ticket requested after certificate authentication
5136 Directory object modified, useful for template and PKI object changes
Review issued certificates
certutil -config "dc01.ootw.local\OOTW-CA" -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,CertificateTemplate,SerialNumber,NotBefore,NotAfter"
Hardening baseline
Separate PKI administration from domain administration.
Limit enrollment to specific groups.
Use short certificate validity periods for authentication templates.
Remove unused templates from issuing CAs.
Require approval for templates that allow request-supplied subjects.
Monitor template ACLs and CA configuration changes.
Protect CA private keys with HSM-backed or equivalent controls where possible.