A new advisory from signals intelligence and cybersecurity experts at the National Security Agency (NSA) highlights the top 10 most common cybersecurity misconfigurations in large organisations – including regular exposure of insecure Active Directory Certificate Services.
It comes as the NSA’s Cybersecurity Director Rob Joyce warned that “if your infrastructure can’t survive a user clicking a link, you are doomed.
"I’m the director of cybersecurity at NSA and you can definitely craft an email link I will click” he added on X – writing as generative AI models make it far easier for non-native speakers to craft convincing phishing emails and as such campaigns remain highly effective for threat actors.
The list is a useful guidebook to those seeking to secure IT estates and is no doubt based in part on the NSA’s extensive experience of breaching services, as well as support defending CNI. To The Stack, it is also a crisp reminder that strict organisational discipline is critical for cyber hygiene.
1. Default configurations and service permissions
Too many network devices with user access via apps or web portals still hide default credentials for built-in administrative accounts. (Cisco, we’re looking at you, you, you. (Others are also regularly guilty.) The problem extends to printers and scanners with hard coded default credentials on them – but are set up with privileged domain accounts loaded so that users can scan and send documents to a shared drive).
What should I do, in brief?
NSA says: Modify the default configuration of applications and appliances before deployment in a production environment . Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA's Security Technical Implementation Guides (STIGs) and configuration guides)
Active Directory Certificate Services
More specifically on default permissions risks, NSA says it regularly says issues with configuration of Active Directory Certificate Services (ADCS); a Microsoft feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of AD environments.
“ Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges” it warns, pointing to ADCS servers running with web-enrollment enabled; ADCS templates where low-privileged users have enrollment rights and other associated issues – with external guidance on a handful of known escalation paths here, here and here.
What should I do, in brief?
Ensure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure. Disable NTLM on all ADCS servers. Disable SAN for UPN Mapping. If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy.
