Security assessment: Edit vulnerable Certificate Authority setting (ESC6) (Preview)

This article describes Microsoft Defender for Identity's Vulnerable Certificate Authority setting report.

What are vulnerable Certificate Authority settings?

Each certificate is associated with an entity through its subject field. However, a certificate also includes a Subject Alternative Name (SAN) field, which allows the certificate to be valid for multiple entities.

The SAN field is commonly used for web services hosted on the same server, supporting the use of a single HTTPS certificate instead of separate certificates for each service. When the specific certificate is also valid for authentication, by containing an appropriate EKU, such as Client Authentication, it can be used to authenticate several different accounts.

Unprivileged users that can specify the users in the SAN settings can lead to immediate compromise, and post a great risk to your organization.

If the AD CS editflags > EDITF_ATTRIBUTESUBJECTALTNAME2 flag is turned on, each user can specify the SAN settings for their certificate request. This, in turn affects all certificate templates, whether they have the Supply in the request option turned on or not.

If there's a template where the EDITF_ATTRIBUTESUBJECTALTNAME2 setting is turned on, and the template is valid for authentication, an attacker can enroll a certificate that can impersonate any arbitrary account.


This assessment is available only to customers who installed a sensor on an AD CS server. For more information, see New sensor type for Active Directory Certificate Services (AD CS).

How do I use this security assessment to improve my organizational security posture?

  1. Review the recommended action at for editing vulnerable Certificate Authority settings. For example:

    Screenshot of the Edit vulnerable Certificate Authority setting (ESC6) recommendation.

  2. Research why the EDITF_ATTRIBUTESUBJECTALTNAME2 setting is turned on.

  3. Turn off the setting by running:

    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
  4. Restart the service by running:

    net stop certsvc & net start certsvc

Make sure to test your settings in a controlled environment before turning them on in production.


While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes of your implementing the recommendations, the status may still take time until it's marked as Completed.

The reports show the affected entities from the last 30 days. After that time, entities no longer affected will be removed from the exposed entities list.

Next steps