Microsoft Updates ADCS: CRL Partitioning, NTLM Relay Hardening, and Database Expansion

Microsoft has announced significant updates to Active Directory Certificate Services (ADCS), including:
– CRL Partitioning: a large Certificate Revocation List is split into several smaller CRLs, each covering a subset of the issued certificates, so the CA signs and clients download less data per CRL.
– Hardening Against NTLM Relay Attacks (PetitPotam): the coerced-authentication path that relays a domain controller's NTLM credentials to the CA's HTTP enrollment endpoints (ESC8) is now addressed by the default configuration instead of by optional post-install hardening.
– Expanded Database Row Size: the CA database can now store the larger requests, certificates and keys that post-quantum cryptography (PQC) algorithms will produce.

These updates apply to Windows Server 2019, 2022 and 2025.

You Should Know:

1. Enabling CRL Partitioning

CRL partitioning reduces CRL size and the CA's signing and publishing load. The configuration step as given by the source:

certutil -setreg CA\CRLPartitionFlags 1 
net stop certsvc && net start certsvc 

Caveats: certutil -setreg writes whatever value name it is given and does not complain about an unknown one, so confirm the exact value name against Microsoft's CRL partitioning documentation for your build before relying on it. The && chaining is cmd.exe syntax; PowerShell 5.1 does not accept it, so run the two commands separately there or use Restart-Service.
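The following PowerShell script is an added example, not code from the original post or from Microsoft. It forces a CRL publish and summarises every CRL file in the CA's CertEnroll directory, which is the check to run after any change to CRL settings: the output shows whether the CA signed new CRLs, how many entries each holds, whether an Issuing Distribution Point extension is present (a partitioned CRL carries one), and when each expires. The CertEnroll path, certutil.exe being on the PATH and its English-language output format are assumptions.

```powershell
# Added example (not from the original post). Publish a CRL and summarise every
# CRL file the CA wrote. Assumptions: default CertEnroll path, certutil.exe on
# the PATH, English-language certutil output (the regexes below depend on it).

$CertEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Publish-CaCrl {
    # Sign and publish a new base CRL now (and a delta CRL if deltas are enabled).
    & certutil.exe -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }
}

function Get-CrlSummary {
    param([Parameter(Mandatory)][string]$Path)
    $dump = (& certutil.exe -dump $Path 2>&1) -join "`n"

    # Return the first capture group of $Pattern, or $null if the dump lacks it.
    $grab = {
        param([string]$Pattern)
        if ($dump -match $Pattern) { $Matches[1].Trim() } else { $null }
    }

    $next = & $grab '(?m)^\s*NextUpdate:\s*(.+)$'
    $expired = $null
    if ($next) {
        try { $expired = [datetime]::Parse($next) -lt (Get-Date) } catch { $expired = $null }
    }

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        ThisUpdate = & $grab '(?m)^\s*ThisUpdate:\s*(.+)$'
        NextUpdate = $next
        Entries    = [int](& $grab '(?m)^\s*CRL Entries:\s*(\d+)')
        CrlNumber  = & $grab '(?m)^\s*CRL Number=(\S+)'
        SizeKB     = [math]::Round((Get-Item $Path).Length / 1KB, 1)
        # A partitioned CRL carries an Issuing Distribution Point extension (OID 2.5.29.28).
        HasIDP     = [bool]($dump -match '2\.5\.29\.28')
        Expired    = $expired
    }
}

Publish-CaCrl
Get-ChildItem -Path $CertEnroll -Filter '*.crl' |
    ForEach-Object { Get-CrlSummary -Path $_.FullName } |
    Sort-Object File |
    Format-Table -AutoSize

# Read back what the CA actually has configured for CRL handling.
& certutil.exe -getreg 'CA\CRLFlags'
```

Run it on the CA as an administrator. An Expired value of True on a file that clients still fetch, or a CrlNumber that did not advance after the publish, points at a publishing problem rather than at the partitioning setting.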

2. Mitigating NTLM Relay Attacks (PetitPotam Fix)

PetitPotam (CVE-2021-36942) coerces a domain controller into authenticating over MS-EFSRPC; an attacker relays that NTLM authentication to the CA's HTTP enrollment endpoints (Web Enrollment or CES) and obtains a certificate for the DC account (ESC8). The fix therefore lives on the ADCS web endpoints, as described in KB5005413: require TLS, set Extended Protection for Authentication (EPA) to Required on the CertSrv, CES and CEP applications, and remove NTLM from the Windows-authentication providers where clients can use Kerberos. Endpoints that are not used should be uninstalled, and NTLM should be disabled more broadly where possible.

The registry value below is often quoted alongside this fix, but it is the Zerologon (CVE-2020-1472) enforcement setting for the Netlogon secure channel. It belongs on every domain controller, and it does not stop NTLM relay to ADCS:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "FullSecureChannelProtection" -Value 1 -Type DWORD 
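What the PetitPotam fix actually changes on the CA's web server, as an added example written for this page (not the original post's code and not Microsoft's script): it requires TLS and sets Extended Protection for Authentication to Required on the CertSrv application and on any CES/CEP applications, then reads the settings back. The site name, the name pattern used to find the CES/CEP applications, and the use of the WebAdministration module are assumptions; run it elevated on the server that hosts the enrollment endpoints.

```powershell
# Added example (not from the original post). Require TLS and EPA=Require on the
# ADCS web endpoints so an NTLM token relayed from another connection is
# rejected (ESC8 / PetitPotam mitigation as described in KB5005413).
# Assumptions: endpoints live under 'Default Web Site'; CES/CEP application
# names match the pattern below; the WebAdministration module is available.

Import-Module WebAdministration

$Site = 'Default Web Site'

# CertSrv (Web Enrollment) plus every CES/CEP application found under the site.
$Apps = @('CertSrv') + @(Get-WebApplication -Site $Site |
    Where-Object { $_.Path -match '_CES_|_CEP_|ADPolicyProvider' } |
    ForEach-Object { $_.Path.TrimStart('/') })

# Get-WebConfigurationProperty returns either a plain value or a ConfigurationAttribute.
function ConvertTo-PlainValue($v) {
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Set-AdcsEndpointHardening {
    param([Parameter(Mandatory)][string]$Location)
    $common = @{ PSPath = 'IIS:\'; Location = $Location }
    # TLS first: EPA's channel binding has nothing to bind to over plain HTTP.
    Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
        -Name 'sslFlags' -Value 'Ssl'
    # EPA = Require: the Windows-auth token must carry this connection's TLS
    # channel binding, which a token relayed from another connection cannot.
    Set-WebConfigurationProperty @common `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'extendedProtection.tokenChecking' -Value 'Require'
}

function Get-AdcsEndpointHardening {
    param([Parameter(Mandatory)][string]$Location)
    $common = @{ PSPath = 'IIS:\'; Location = $Location }
    $ssl = ConvertTo-PlainValue (Get-WebConfigurationProperty @common `
        -Filter 'system.webServer/security/access' -Name 'sslFlags')
    $epa = ConvertTo-PlainValue (Get-WebConfigurationProperty @common `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'extendedProtection.tokenChecking')
    [pscustomobject]@{
        Location = $Location
        SslFlags = "$ssl"
        EPA      = "$epa"
        Hardened = ("$ssl" -match 'Ssl') -and ("$epa" -eq 'Require')
    }
}

foreach ($app in $Apps) { Set-AdcsEndpointHardening -Location "$Site/$app" }
$Apps | ForEach-Object { Get-AdcsEndpointHardening -Location "$Site/$_" } | Format-Table -AutoSize
```

CES additionally carries its own EPA setting in the application's web.config (the WCF extendedProtectionPolicy element); KB5005413 covers that step, and the option of dropping NTLM from the Windows-authentication providers once all enrolling clients can use Kerberos. A Hardened column that reads False for any endpoint after the script ran means the IIS configuration was overridden at a lower level and should be inspected in IIS Manager.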

3. Expanding ADCS Database for Larger Keys

The source gives the following manual command to update the database schema:

certutil -upgradedbschema 

Caveat: -upgradedbschema is not among the verbs certutil documents (certutil -? lists them), so confirm that your build accepts it before scripting it. Back up the CA database (certutil -backupdb, or the Back up CA wizard in the CA console) before execution, and keep a copy of the backup off the CA host.

4. Verifying Updates

Check installed hotfixes and match the KB numbers against the hotfix digest referenced below:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object HotFixID, Description, InstalledOn 
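As an added example for the backup and verification steps above (not the original post's code): take a CA database backup, export the CA registry configuration, and snapshot the database schema and hotfix list before the update, then diff the schema afterwards to confirm the row-size change landed. The backup root path is an assumption; certutil -backupdb requires an empty target directory, and backing up the CA key is left to the CA console's Back up CA wizard.

```powershell
# Added example (not from the original post). Pre-update safety net for the CA
# database: full DB backup, registry config export, schema + hotfix snapshot,
# and a diff of the schema after the update. Assumptions: the D:\CA-Backup
# root is writable and certutil.exe is on the PATH.

$BackupRoot = 'D:\CA-Backup'

function Backup-CaState {
    param([Parameter(Mandatory)][string]$Root)
    # certutil -backupdb refuses a non-empty target, so every run gets a fresh folder.
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir | Out-Null

    # Certificate database and its log files. The CA key is not included here;
    # use the CA console's Back up CA wizard for that.
    & certutil.exe -backupdb $dir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed (exit code $LASTEXITCODE)" }

    # The CA configuration lives under this key; reg import restores it.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $dir 'certsvc-config.reg') /y | Out-Null

    # Schema snapshot: one line per database column with its type and max length.
    & certutil.exe -schema | Set-Content -Path (Join-Path $dir 'schema.txt')

    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn |
        Export-Csv -Path (Join-Path $dir 'hotfixes.csv') -NoTypeInformation

    return $dir
}

function Compare-CaSchema {
    # Lines present only in the newer snapshot are 'added', only in the older one
    # 'removed'; a widened column shows up as one removed line plus one added line.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    Compare-Object -ReferenceObject (Get-Content $Before) -DifferenceObject (Get-Content $After) |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
                Line   = $_.InputObject
            }
        }
}

# Usage: snapshot before the update, apply the update and restart the CA, snapshot
# again, then diff the two schema dumps.
$before = Backup-CaState -Root $BackupRoot
# ... install the update / apply the schema change / restart certsvc ...
$after  = Backup-CaState -Root $BackupRoot
Compare-CaSchema -Before (Join-Path $before 'schema.txt') -After (Join-Path $after 'schema.txt') |
    Format-Table -AutoSize
```

An empty diff after the update means the schema did not change on this CA, which is worth knowing before assuming larger keys will fit; a diff that touches only the column lengths is the expected shape of the row-size expansion.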

Additional Hardening Steps

  • Reduce the attack surface of the CA's enrollment interfaces. The HTTP endpoints (Web Enrollment, CES, CEP) are IIS role services and are removed by uninstalling the role service, not by a CA registry flag. The flag name printed in the source, IF_NONETWORKAUTOENROLLMENT, is not a defined InterfaceFlags value; the defined hardening flag for the RPC/DCOM enrollment interface rejects requests that are not packet-encrypted, which closes the ESC11 RPC relay path (restart the CA service afterwards):
    certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST 
    
  • Enable strong CA auditing. The auditpol subcategory only opens the Security log to CA events; the CA also has to be told which events to emit (the CA\AuditFilter registry value, 127 for all categories), and the CA service must be restarted for that value to take effect:
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable 
    
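An added example (not from the original post) that shows both halves of CA auditing together and what comes out of it: the CA's own AuditFilter, the Windows audit subcategory, a service restart, and a query that turns the resulting Security-log events into one row per request. The event IDs used (4886 request received, 4887 issued, 4888 denied, 4889 set to pending) are the CA's standard audit events; the message parsing assumes English event text and the script assumes it runs elevated on the CA.

```powershell
# Added example (not from the original post). Enable CA auditing end to end,
# then report recent request outcomes from the Security log.
# Assumptions: run elevated on the CA; English event message text.

function Enable-CaAuditing {
    # CA\AuditFilter selects which CA events are emitted; 127 sets all seven bits
    # (start/stop, backup/restore, issue/deny, revoke/CRL, CA settings, CA security, key archival).
    & certutil.exe -setreg 'CA\AuditFilter' 127 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed (exit code $LASTEXITCODE)" }
    # Without this subcategory the CA's audit events never reach the Security log.
    & auditpol.exe /set '/subcategory:Certification Services' /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit code $LASTEXITCODE)" }
    # AuditFilter is read when the service starts.
    Restart-Service -Name CertSvc
}

function Get-CaRequestEvents {
    param([int]$Hours = 24, [int]$Max = 50)
    $outcome = @{ 4886 = 'received'; 4887 = 'issued'; 4888 = 'denied'; 4889 = 'pending' }
    $filter  = @{ LogName = 'Security'; Id = @(4886, 4887, 4888, 4889); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull a named field ("Requester:", "Request ID:") out of the message body.
            $msg = $_.Message
            $field = { param($name) if ($msg -match "(?m)^\s*$name\s*(.+?)\s*$") { $Matches[1] } else { $null } }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Outcome   = $outcome[$_.Id]
                RequestId = & $field 'Request ID:'
                Requester = & $field 'Requester:'
            }
        }
}

Enable-CaAuditing
# A burst of denials from one requester, or issuance outside change windows, is
# what this table is for; the 4888 rows are the ones to read first.
Get-CaRequestEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Nothing will appear until a request hits the CA after the restart; submit a test request from a domain member to confirm a 4886/4887 pair lands before relying on this in detection.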

What Undercode Say

Microsoft’s ADCS updates address long-standing PKI challenges. CRL partitioning improves scalability, while NTLM relay hardening closes a critical attack vector. The database expansion hints at future PQC readiness.

Key Commands Recap:

 # Linux equivalent checks (hybrid environments). AD does not expose the Configuration partition to anonymous binds, so bind as a domain user. 
ldapsearch -x -LLL -H ldap://<DC_IP> -D "<user>@<domain>" -W -b "CN=Configuration,DC=domain,DC=com" "(objectClass=certificationAuthority)" 
openssl crl -inform DER -in <CRL_FILE> -noout -text 

For Windows Admins:

 # Monitor CA events. The CA's request, issuance and denial events (IDs 4886-4889) land in the Security log once auditing is enabled; the CertificateServicesClient-Lifecycle log records the local machine's own certificate lifecycle (autoenrollment, renewal), not CA activity. 
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4886,4887,4888,4889} -MaxEvents 10 
Get-WinEvent -LogName "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" -MaxEvents 10 

Prediction

Post-quantum cryptographic support will soon necessitate further ADCS schema changes. Expect more registry-based tuning flags for hybrid key storage.

Expected Output:

  • Updated CRL distribution points and freshly published CRL files in CertEnroll.
  • TLS and EPA enforced on the ADCS web endpoints.
  • Expanded CA database schema, visible as changed column lengths in the schema dump (certutil -schema > schema.txt).

Reference:

Microsoft ADCS Updates
PKI Solutions Hotfix Digest

Reported By: Thepkiguy Beyond – Hackers Feeds