All tests for Microsoft PKI Assessment are automated with SmartProfiler for PKI Assessment.
Detailed reporting includes information about each Test and Step-By-Step Recommendations to fix the issues.
Checks that every recommended test for Microsoft CA Servers is configured correctly on each Microsoft CA Server.
SecID for Microsoft PKI Assessment supports multiple CA Servers. The tool connects to all CA Servers and provides a summary of components that are not configured correctly.
The Microsoft PKI (Public Key Infrastructure) Assessment Benchmark is a comprehensive set of security best practices and configuration guidelines designed to help administrators secure Private and Internal Certificate Authority (CA) servers. These benchmarks are especially critical in enterprise environments where internal PKI plays a foundational role in authentication, encryption, and digital trust.
The SmartProfiler tool supports the Microsoft PKI Assessment Benchmark by automating the evaluation of configuration settings across multiple CA servers, helping organizations ensure that their PKI environments adhere to industry best practices and compliance standards.
These benchmarks are aligned with guidance from trusted organizations such as the Center for Internet Security (CIS) and Microsoft, ensuring that CA servers are hardened against potential vulnerabilities and operational risks.
Validates secure installation and configuration of CA roles (Enterprise or Standalone, Root or Subordinate).
Checks for unnecessary roles, features, or services enabled on the CA server.
Verifies CA settings such as validity periods, CRL (Certificate Revocation List) distribution points, and AIA (Authority Information Access) locations.
Assesses adherence to least privilege principles for CA administrators, certificate managers, and auditors.
Checks for unauthorized users in privileged CA groups (e.g., Cert Publishers, Enterprise Admins).
Validates access permissions on CA-related file paths, registry keys, and templates.
Ensures that CA auditing is enabled and configured to track key events (e.g., certificate issuance, revocation, CA startup/shutdown).
Verifies integration with centralized logging platforms (e.g., SIEM solutions).
Confirms event logs are protected from tampering and stored securely.
Checks for insecure or overly permissive certificate templates.
Validates that auto-enrollment is configured securely.
Reviews issuance and enrollment permissions to prevent misuse.
Verifies that the CA uses strong cryptographic algorithms (e.g., SHA-256 or higher).
Assesses key length, CSP/KSP usage, and key protection mechanisms.
Confirms that Root CA private keys are stored securely (e.g., HSM usage or offline protection for Root CAs).
Validates configuration of CRLs and OCSP to ensure reliable certificate revocation checking.
Confirms CRLs are published at proper intervals and accessible from all relying parties.
Ensures OCSP responders are secured and functioning correctly (if used).
Ensures the CA server is fully patched with the latest Windows Updates.
Validates that the server OS follows hardened configuration baselines.
Checks that unnecessary ports, services, and protocols are disabled.
Verifies regular and secure backup of CA configuration, certificates, and keys.
Checks for tested and documented disaster recovery procedures for CA hierarchy.
The Center for Internet Security is a nonprofit organization focused on identifying, developing, and promoting best practices in cybersecurity. Its benchmarks and controls are developed through a global, consensus-driven process involving IT professionals from government, industry, and academia. SmartProfiler aligns with CIS standards and Microsoft security recommendations to provide robust assessments for Microsoft PKI, Microsoft 365, and Azure environments.
SmartProfiler for Microsoft PKI Assessment requires connectivity to the CA Servers and the ability to execute PowerShell commands remotely.
SmartProfiler requires a Domain Admin account to connect to the remote CA Servers and execute PowerShell scripts that check the status of each test.
SmartProfiler utilizes POSH Modules for CA Server to perform assessment for multiple CA Servers.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for CA Server Assessment is simple to use and runs in four steps.
It depends on the number of resources in the Tenant. It typically takes 1 hour to perform a Windows 10/11 Intune CIS Assessment for a Tenant having 30 GPOs.
SmartProfiler for Azure CIS Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft Azure Tenants. You can add unlimited Azure Tenants in the tool. However, each Azure Tenant requires a license before the assessment can be done.
Here is the list of tests included with SmartProfiler for Microsoft PKI Assessment:
| Category | CISWB | DynamicPack |
| --- | --- | --- |
| PKI Infrastructure | SP v1.0 | Identify all Certificate Authorities-Root and Subordinate |
| PKI Infrastructure | SP v1.0 | Verify CA hierarchy Standalone-Enterprise |
| PKI Infrastructure | SP v1.0 | Check if Root CA is offline and properly secured |
| PKI Infrastructure | SP v1.0 | Validate certificate chain and trust path |
| PKI Infrastructure | SP v1.0 | Review CA certificate validity periods and renewal settings |
| CA Configuration | SP v1.0 | Verify cryptographic algorithms used SHA-256-RSA 2048 |
| CA Configuration | SP v1.0 | Check ACLs on CA servers and private key containers |
| CA Configuration | SP v1.0 | Confirm role separation for CA administration |
| CA Configuration | SP v1.0 | Review patching and hardening status of CA servers |
| CA Configuration | SP v1.0 | Check if CA is publishing CRLs correctly and on schedule |
| CA Configuration | SP v1.0 | Validate CA database retention settings and size |
| CA Configuration | SP v1.0 | Verify if CA is using Hardware Security Module-HSM-for private key storage |
| CA Configuration | SP v1.0 | Detect any duplicate or expired CA certificates in the store |
| CA Configuration | SP v1.0 | Check for unnecessary or outdated certificate templates still published |
| CA Permissions | SP v1.0 | Identify users or groups with Manage CA or Manage Certificates permissions |
| CA Permissions | SP v1.0 | Detect Domain Users or Authenticated Users with dangerous CA level access |
| CA Permissions | SP v1.0 | Check for excessive DCOM or RPC permissions on the CA server |
| CA Permissions | SP v1.0 | Enumerate users-groups with Enroll and Autoenroll rights across all templates |
| Certificate Templates | SP v1.0 | Review published certificate templates |
| Certificate Templates | SP v1.0 | Verify strong key lengths and template purposes |
| Certificate Templates | SP v1.0 | Check for Subject Name supply by requestor |
| Certificate Templates | SP v1.0 | Identify templates with excessive enrollment rights |
| Certificate Templates | SP v1.0 | Identify templates allowing manager approval or SubjectAltName injection |
| Certificate Templates | SP v1.0 | Detect templates with enrollment agent permissions assigned broadly |
| Certificate Templates | SP v1.0 | Check for templates configured to allow SmartcardLogon without proper restrictions |
| Certificate Templates | SP v1.0 | Verify issuance policies on templates for sensitive certificates-Code Signing |
| Certificate Templates | SP v1.0 | Identify templates vulnerable to ESC1-ESC8 attack paths |
| Certificate Templates | SP v1.0 | Detect templates allowing SAN-Subject Alternative Name-injection |
| Certificate Templates | SP v1.0 | Find templates with Enrollment Agent permissions assigned to non-admins |
| Enrollment | SP v1.0 | Validate autoenrollment Group Policy settings |
| Enrollment | SP v1.0 | Ensure authorized users/devices can autoenroll |
| Enrollment | SP v1.0 | Check cleanup of expired and revoked certificates |
| Enrollment | SP v1.0 | List all autoenrollment-enabled certificate templates assigned via GPO |
| Enrollment | SP v1.0 | Check for devices receiving unintended templates through misconfigured GPOs |
| Enrollment | SP v1.0 | Detect clients failing to autoenroll and analyze enrollment event logs |
| CRL & Revocation | SP v1.0 | Verify CRL and Delta CRL publication and availability |
| CRL & Revocation | SP v1.0 | Validate CDP and AIA URL configurations |
| CRL & Revocation | SP v1.0 | Confirm OCSP responder configuration and health |
| CRL & Revocation | SP v1.0 | Validate CRL files are signed and time-stamped correctly |
| CRL & Revocation | SP v1.0 | Ensure offline Root CA CRLs are manually updated and published before expiry |
| CRL & Revocation | SP v1.0 | Check if CDP/AIA URLs are accessible externally-misconfiguration risk |
| CRL & Revocation | SP v1.0 | Check if CRL Distribution Points-CDPs-are publicly exposed or misconfigured |
| CRL & Revocation | SP v1.0 | Verify that CRLs are published on schedule and not expired |
| CRL & Revocation | SP v1.0 | Ensure AIA locations do not expose unnecessary metadata or CA certificates |
| CRL & Revocation | SP v1.0 | Detect gaps in OCSP responder availability and health |
| Audit & Monitoring | SP v1.0 | Ensure CA auditing is enabled for critical events |
| Audit & Monitoring | SP v1.0 | Verify secure storage of CA audit logs |
| Audit & Monitoring | SP v1.0 | Check integration with SIEM or log monitoring tools |
| Audit & Monitoring | SP v1.0 | Confirm object access auditing is enabled for certsrv.exe and private keys |
| Audit & Monitoring | SP v1.0 | Check if failed certificate requests are logged and retained |
| Audit & Monitoring | SP v1.0 | Verify if role separation is enforced through registry settings |
| Audit & Monitoring | SP v1.0 | Parse event logs for unauthorized or abnormal certificate requests |
| Audit & Monitoring | SP v1.0 | Check for absence of alerting/monitoring on CA access or certificate misuse |
| Audit & Monitoring | SP v1.0 | Validate integration with SIEM for real-time visibility of PKI operations |
| Service Accounts | SP v1.0 | Review CA service account permissions |
| Service Accounts | SP v1.0 | Ensure no unnecessary domain or enterprise privileges |
| Service Accounts | SP v1.0 | Confirm no interactive logon rights for service accounts |
| Service Accounts | SP v1.0 | Check if CA service account is using a gMSA-Group Managed Service Account |
| Service Accounts | SP v1.0 | Identify services or scripts using CA private key via permissioned access |
| Service Accounts | SP v1.0 | Ensure DCOM and RPC permissions for CA services are tightly scoped |
| Service Account Security | SP v1.0 | Confirm CA service account is not a member of Domain Admins or Enterprise Admins |
| Service Account Security | SP v1.0 | Validate CA private key access is limited to SYSTEM and CA service account |
| Service Account Security | SP v1.0 | Identify interactive logon rights assigned to CA service account |
| Key Protection | SP v1.0 | Verify if CA uses Hardware Security Module-HSM-or software-based key storage |
| Key Protection | SP v1.0 | Detect CAs using exportable private keys-security risk |
| Key Protection | SP v1.0 | Check for unprotected or legacy private keys in the machine certificate store |
| Certificate Usage | SP v1.0 | Identify certificates issued to users-Computers and Services |
| Certificate Usage | SP v1.0 | Detect certificates with elevated privileges |
| Certificate Usage | SP v1.0 | Assess exposure to known ADCS abuse paths-ESC1-ESC8 |
| Certificate Usage | SP v1.0 | Detect certificates issued with overly broad EKUs-All Purposes |
| Certificate Usage | SP v1.0 | Identify certificates used by Tier 0 infrastructure-DCs-ADFS-VPN and validate settings |
| Certificate Usage | SP v1.0 | Search for user-issued certificates allowing client authentication without constraints |
| Certificate Usage | SP v1.0 | Find duplicate certificates issued to the same object-users-computers |
| Certificate Usage | SP v1.0 | Find certificates issued with "Client Authentication" EKU for high-privilege users |
| Certificate Usage | SP v1.0 | Detect code signing or SmartcardLogon certificates issued from weak or unvalidated templates |
| Certificate Usage | SP v1.0 | Identify certificates used for authentication with excessively long validity periods |
| Certificate Usage | SP v1.0 | List certificates used by Tier 0 assets-DCs-ADFS and check compliance |
| Compliance | SP v1.0 | Map PKI setup against CIS/NIST/ANSSI standards |
| Compliance | SP v1.0 | Document deviations and remediation steps |
| Compliance | SP v1.0 | Verify alignment with Microsoft’s ADCS Hardening Guidelines |
| Compliance | SP v1.0 | Compare PKI design with ANSSI’s Root CA isolation and trust path best practices |
| Compliance | SP v1.0 | Assess certificate issuance limits and constraints-max validity period |
| Compliance | SP v1.0 | Map all issued certificates to 802.1x-S-MIME-VPN and other use cases |
| Compliance & Standards | SP v1.0 | Assess PKI environment against Microsoft ADCS security baseline |
| Compliance & Standards | SP v1.0 | Map template configuration against CIS Benchmark recommendations |
| Compliance & Standards | SP v1.0 | Validate issuance practices against NIST SP 800-57 and NIST SP 800-53 |
| Compliance & Standards | SP v1.0 | Review root and issuing CA segregation as per ANSSI recommendations |
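The template checks listed above (subject name supplied by the requestor, manager approval, client-authentication EKUs, ESC1 exposure) can be reproduced with a read-only query against the Configuration partition. The following PowerShell is an added example, not SmartProfiler's own code; it assumes the ActiveDirectory RSAT module is installed and the account has read access to the template container.

```powershell
# Added example, not SmartProfiler code. Lists certificate templates whose settings
# satisfy the template-side preconditions of the ESC1 misconfiguration so a defender
# can review them. Enrollment ACLs (who may enroll) are the remaining precondition
# and must be reviewed separately.
Import-Module ActiveDirectory

$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag and OID values as defined for AD CS templates (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag: CA manager approval
$AuthCapableOids = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)

$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage'

$findings = foreach ($t in $templates) {
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'   # $null casts to 0
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $raSigs     = [int]$t.'msPKI-RA-Signature'            # required authorized signatures
    $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

    $requestorSuppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noManagerApproval        = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0
    $noAuthorizedSignature    = $raSigs -eq 0
    # An empty EKU list means the certificate is valid for every purpose, authentication included
    $authCapable = ($ekus.Count -eq 0) -or
                   (@($ekus | Where-Object { $AuthCapableOids -contains $_ }).Count -gt 0)

    if ($requestorSuppliesSubject -and $noManagerApproval -and $noAuthorizedSignature -and $authCapable) {
        [pscustomobject]@{
            Template                 = $t.Name
            EKUs                     = if ($ekus.Count) { $ekus -join ', ' } else { '<none: any purpose>' }
            RequestorSuppliesSubject = $true
            ManagerApproval          = $false
        }
    }
}

$findings | Sort-Object Template | Format-Table -AutoSize
```

A template that appears in this output is only a finding if low-privileged principals also hold Enroll on it; the remediation is to clear the "supply in request" option, require manager approval, or restrict the enrollment ACL.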
Instead of manually checking the status of each PKI test on Microsoft CA Servers, which could take a significant amount of time, SmartProfiler Assessment automates all the tests so that the assessment is completed in a matter of hours.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really give you insights about your Active Directory environment and make sure every risk is mitigated.