# ESC2

A template is vulnerable to ESC2 when it allows the requested certificate to be used for any purpose (which is also what makes the ESC3 exploitation path work against it).

A certificate template with the following configuration is vulnerable to ESC2:

* The Enterprise CA grants low-privileged users enrollment rights.
* Manager approval is disabled.
* No authorized signatures are required.
* An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.
* The certificate template defines the *Any Purpose EKU* or no EKU.
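As an added example (not code from the original page), the check below evaluates the LDAP attributes of a `pKICertificateTemplate` object against the four conditions above; the `low_priv_enroll` field is an assumed, pre-computed input standing in for the CA and template ACL analysis, and the sample templates are constructed for the demonstration.

```python
# Added example: flag certificate templates that meet the ESC2 conditions.
ANY_PURPOSE_EKU = "2.5.29.37.0"          # "Any Purpose" EKU OID
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"    # ordinary EKU, used only in the sample data
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # msPKI-Enrollment-Flag bit: manager approval


def esc2_conditions(template: dict) -> dict:
    """Map each ESC2 condition to whether this template satisfies it."""
    ekus = template.get("pKIExtendedKeyUsage") or []
    flags = template.get("msPKI-Enrollment-Flag", 0)
    return {
        "any_purpose_or_no_eku": len(ekus) == 0 or ANY_PURPOSE_EKU in ekus,
        "no_manager_approval": not (flags & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        # Assumed input: True when both the Enterprise CA and the template's
        # security descriptor grant Enroll to a low-privileged principal.
        "low_priv_enrollment": bool(template.get("low_priv_enroll", False)),
    }


def is_esc2(template: dict) -> bool:
    return all(esc2_conditions(template).values())


def esc2_templates(templates: list) -> list:
    """Names of templates for which every ESC2 condition holds."""
    return [t["name"] for t in templates if is_esc2(t)]


# Constructed sample records shaped like pKICertificateTemplate attributes.
SAMPLE_TEMPLATES = [
    {"name": "AnyPurposeTmpl", "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0, "low_priv_enroll": True},
    {"name": "NoEKUTmpl", "pKIExtendedKeyUsage": [],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0, "low_priv_enroll": True},
    {"name": "ApprovalTmpl", "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU],
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
     "low_priv_enroll": True},
    {"name": "SignatureTmpl", "pKIExtendedKeyUsage": [ANY_PURPOSE_EKU],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 1, "low_priv_enroll": True},
    {"name": "UserTmpl", "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU],
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0, "low_priv_enroll": True},
]

if __name__ == "__main__":
    for name in esc2_templates(SAMPLE_TEMPLATES):
        print(f"ESC2: {name}")
```

Enabling manager approval or requiring an authorized signature on a template is enough to clear the finding, as `ApprovalTmpl` and `SignatureTmpl` show.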

{% hint style="success" %}
Go check out the [ESC3](https://stuff.weelee.zip/network/on-prem-active-directory/ad-cs/esc3) page for exploitation steps :)
{% endhint %}
