The answer is simply no, since CDP/AIA use unauthenticated access. There is no NTLM when you download CDP/AIA items from IIS, so they are not subject to this vulnerability and no changes are required in these extensions.
Must PetitPotam NTLM relay mitigation include changing your CA server's CDP & AIA extensions?
We are looking to mitigate the PetitPotam vulnerability on our internal 2-tier Active Directory CA hierarchy. There is a very clear MS document here...
The very first instruction says "We recommend enabling EPA and disabling HTTP on AD CS servers."
However... there are no additional instructions on editing the CDP / AIA extensions in the subordinate CA server config.
My question is - what happens to already issued certificates without HTTPS in their certificate configuration and surely we need to add HTTPS extensions to the Subordinate CA configuration?
I'm worried that simply following this document will have a detrimental effect on my PKI infrastructure?
Any advice, explanations would be most gratefully welcomed!
Regards,
durrie
Limitless Technology, 2021-10-14T18:58:01.947+00:00
Hello @durrie
Basically all your HTTP certificates would stop working as you enable EPA, require SSL and disable HTTP over ADCS. This is the "modern" safety rule for your environment, not only for PetitPotam, but for many other attacks. It has been many years since most issuing instances moved to the SSL protocol and HTTPS; however, it is true that some signing is still done on HTTP, mostly for backwards compatibility and historical purposes.
Hope this helps with your query,
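As an added defender-side check (example script written for this thread, not code from Microsoft's guidance or from either answer), the audit below separates the two things discussed above: the CA's CDP/AIA publication URLs, which clients fetch anonymously and can stay http://, and the IIS enrollment endpoints that offer Windows authentication, which are the ones that need EPA required and plain HTTP disabled. It assumes it runs elevated on the issuing CA with the WebAdministration module available, that the AD CS web roles sit under the IIS site named 'Default Web Site', and that IIS reports enum attributes such as tokenChecking and sslFlags by name.

```powershell
# Added audit script (not from this thread or from Microsoft's guidance).
# Assumptions: elevated session on the issuing CA, WebAdministration module
# present, AD CS web roles hosted under the IIS site 'Default Web Site'.
Import-Module WebAdministration

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # active CA instance
$caKey  = Join-Path $cfg $caName

# 1. CDP/AIA publication URLs. CRLs and CA certs are fetched anonymously, so
#    http:// entries here are not NTLM relay targets and need no change.
$map = [ordered]@{ CDP = 'CRLPublicationURLs'; AIA = 'CACertPublicationURLs' }
foreach ($pair in $map.GetEnumerator()) {
    $entries = (Get-ItemProperty -Path $caKey -Name $pair.Value).($pair.Value)
    foreach ($entry in $entries) {
        $url  = ($entry -split ':', 2)[1]      # strip the numeric publish-flags prefix
        $note = if ($url -like 'http://*') { 'anonymous fetch, no NTLM: leave as is' } else { '' }
        '{0,-4} {1}  {2}' -f $pair.Key, $url, $note
    }
}

# 2. IIS paths that accept Windows (NTLM) authentication. These are the
#    endpoints where EPA must be 'Require' and SSL must be required.
function Get-IisAttr([string]$Location, [string]$Filter, [string]$Name) {
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $Filter -Name $Name).Value
}

$site  = 'Default Web Site'
$paths = @(Get-WebApplication -Site $site) + @(Get-WebVirtualDirectory -Site $site) |
         ForEach-Object { $_.Path } | Where-Object { $_ -ne '/' } | Sort-Object -Unique
foreach ($path in $paths) {
    $loc     = "$site$path"
    $winAuth = Get-IisAttr $loc 'system.webServer/security/authentication/windowsAuthentication' 'enabled'
    if (-not $winAuth) { continue }        # no NTLM offered here, nothing to relay to
    $epa = Get-IisAttr $loc 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
    $ssl = Get-IisAttr $loc 'system.webServer/security/access' 'sslFlags'
    # IIS reports these enum attributes by name ('Require', 'Ssl, ...'); assumed here.
    $epaOk   = ("$epa" -eq 'Require')
    $sslOk   = ("$ssl" -match 'Ssl')
    $verdict = if ($epaOk -and $sslOk) { 'OK' } else { 'FIX: set EPA=Require and require SSL' }
    '{0,-45} EPA={1,-8} sslFlags={2,-20} {3}' -f $loc, $epa, $ssl, $verdict
}
```

Running it before and after applying the EPA and HTTPS changes shows that the CDP/AIA section is unaffected by the mitigation, which is the point the accepted answer makes.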