Configuration Changes in Active Directory Certificate Services
Ensure a specific security flag is not configured in Microsoft AD CS to maintain system integrity.
Plain language
This control is about making sure a specific technical setting (a security flag) is not used in your company's certificate services. If this setting is wrongly enabled, it could allow attackers easier access to fake digital credentials, similar to ID badges, which might let them impersonate your systems or users. By ensuring this setting is turned off, you maintain your organisation's integrity and protect against identity-based attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The EDITF_ATTRIBUTESUBJECTALTNAME2 flag is removed from Microsoft AD CS CA configurations.
Why it matters
If EDITF_ATTRIBUTESUBJECTALTNAME2 remains enabled on an AD CS CA, any requester who can enrol can supply an arbitrary Subject Alternative Name in the request attributes, so attackers can obtain certificates with spoofed SANs, enabling impersonation of users or services and man-in-the-middle (MITM) attacks.
Operational notes
Audit each AD CS CA for EDITF_ATTRIBUTESUBJECTALTNAME2 and remove/disable it; document the change and re-check after CA updates or template changes.
Implementation tips
- The IT team should verify the configuration settings of your organisation’s Active Directory Certificate Services. They should access the server where these services are installed and check the server's specific settings to ensure the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is not enabled.
- A security officer should cross-reference the server settings with official guidance from the Australian Cyber Security Centre (ACSC). They can find the appropriate documentation on the ACSC website and ensure that your configurations match the recommended best practices.
- Educate relevant staff about the importance of configuring digital certificates correctly. The IT manager should hold a training session explaining what the EDITF_ATTRIBUTESUBJECTALTNAME2 flag does and why removing it is crucial for maintaining digital security.
- The IT team should set up a policy for regular reviews of the certificate services configuration. This can be done by scheduling monthly checks in the IT team's calendar to ensure the flag remains disabled and no unauthorised changes have been made.
- Appoint a compliance officer to maintain a log of all configuration checks undertaken. This log should include the date, who performed the check, and confirmation that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag was not enabled, ensuring accountability and enabling an easy review of procedures over time.
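The audit step in the operational notes and the first implementation tip can be scripted. The following PowerShell is an added example (not part of this control page): it reads each local CA's EditFlags registry value under the default Microsoft policy module path, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (0x00040000) is set, and can clear it with certutil when run with `-Remediate`. It assumes an elevated session on the CA server and the default policy module name.

```powershell
# Added example, not from the control page or from Microsoft.
# Assumes: run elevated on the CA server; default policy module
# 'CertificateAuthority_MicrosoftDefault.Policy' is in use.
param([switch]$Remediate)

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # documented flag bit value
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSanFlagStatus {
    # One object per CA subkey under the CertSvc configuration key.
    foreach ($ca in Get-ChildItem -Path $base -ErrorAction Stop) {
        $policyKey = Join-Path $ca.PSPath 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
        $editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags -ErrorAction Stop).EditFlags
        [pscustomobject]@{
            CA         = $ca.PSChildName
            EditFlags  = ('0x{0:X8}' -f $editFlags)
            SanFlagSet = (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
            Compliant  = (($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -eq 0)
        }
    }
}

$results = Get-CaSanFlagStatus
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object { $_.SanFlagSet }) {
    Write-Warning "CA '$($r.CA)': EDITF_ATTRIBUTESUBJECTALTNAME2 is set (ISM-1944 not met)."
    if ($Remediate) {
        # certutil clears a single bit with the '-FLAGNAME' syntax; the CA
        # service must be restarted for the policy module to reload it.
        certutil -config ".\$($r.CA)" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
        Restart-Service -Name certsvc
    }
}

# Non-zero exit code lets a scheduled compliance check flag a failure.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Save the console output (or `$results | Export-Csv`) with the date and operator name as the evidence entry the compliance log asks for.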
Audit / evidence tips
- Ask for the Active Directory Certificate Services configuration documentation: request the recent server configuration report.
  Good: the report shows that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is not enabled.
- Ask to see the log of configuration reviews: request the compliance log that records all configuration reviews.
  Good: the log includes dated entries showing who checked the settings and notes that the flag is correctly disabled.
- Ask for staff training records: request documentation of training sessions about certificate management.
  Good: records show recent, relevant sessions with IT staff attending, discussing the importance of flag settings.
- Ask for a policy document on configuration management: request the internal policy that defines how and when configuration settings are reviewed.
  Good: a clear policy exists, specifying regular review schedules and responsible staff members.
- Ask for evidence of ACSC compliance checks: request records showing comparisons made against Australian Cyber Security Centre guidelines.
  Good: documentation shows detailed comparisons and notes actions taken to comply with recommendations.
Cross-framework mappings
How ISM-1944 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Mapping | Notes |
|---|---|---|
| Annex A 8.32 | Partially meets | ISM-1944 mandates a specific secure configuration outcome for AD CS CAs: the EDITF_ATTRIBUTESUBJECTALTNAME2 flag must be removed to reduc... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.