Orin Thomas

Exploiting Active Directory misconfigurations is a popular path for attackers. According to Microsoft, 95 million AD accounts are targeted every day. Attackers use Active Directory security vulnerabilities to gain privileged access and move through the compromised systems, harvesting valuable assets, installing malware, or planting ransomware, among other tactics.

Protect your organization by addressing these common AD misconfigurations ASAP.

1. Non-default principals with DCSync rights

The DCSync functionally impersonates a domain controller (DC) and requests password data from a targeted DC using Directory Replication Services Remote Protocol.

Detecting the problem

  • Look for accounts that are delegated the following rights:
    • Replicating Directory Changes (DS-Replication-Get-Changes)
    • Replicating Directory Changes All (DS-Replication-Get-Changes-All)
    • Replicating Directory Changes in Filtered Set (DS-Replication-Get-Changes)
  • Determine whether DCSync is being used to host other domain controllers.
  • Determine whether any accounts that aren’t members of Domains Admins or Domain Controllers have these rights.

Remediation

For an in-depth discussion of this issue and how to address it, see this AD Security 101 post.

2. Permission changes on the AdminSDHolder object

AdminSDHolder provides template permissions for protected accounts and groups. Unlike most objects in the Active Directory domain, the AdminSDHolder is owned by the Domain Admins group. By default, Enterprise Admins, Domain Admins, and the Administrators groups can make changes to any domain’s AdminSDHolder object. In addition, members of Administrators or Enterprise Admins can take ownership of the object. The template permissions of AdminSDHolder are also persistent, which means they’re reapplied every 60 minutes.

Detection

To find Active Directory misconfigurations of this type, look for unusual user accounts assigned permissions on AdminSDHolder access control lists. Typically, you’ll discover this by removing an unknown permission holder, such as “harry_the_frog,” only to see that same holder pop up 60 minutes later. That should be a trigger to remind you of the persistence of AdminSDHolder.

Remediation

  • Use ADSIEdit to connect to the default naming context and locate the AdminSDHolder container.
  • Select Properties.
  • In Advanced Security, click Restore Defaults.
  • Force replication by using repadmin/syncall.

3. Reversible passwords in Group Policy Objects

The Store Password Using Reversible Encryption policy setting provides support for applications that use protocols that require the user’s password for authentication. This is a problem because reversible encryption is, well, reversible. That means that an attacker who breaks this encryption can compromise the account.

Detection

Review your group policies and determine whether or not Store Passcode Using Reversible Encryption is enabled.

Remediation

Remediation is fairly straightforward: You just disable it. However, before you do so, you must figure out what the action will break. Remediation has likely been turned on because some applications require it. Application compatibility is unpaid tech debt that affects everyone. Unless the application can be rewritten, you might be forced to mitigate the security problems that the application might cause.

4. Anonymous access to Active Directory

Anonymous access means that unauthenticated users can read and access data. This access is disabled by default but might be required in certain legitimate instances. With this access, an unauthorized user can anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks.

Detection

  • Using ADSIEdit, check the following list for dSHeuristics set as 0000002:
    • CN=Directory Service
    • CN=Windows NT
    • CN=Services
    • CN=Configuration
    • DC=<my domain>
  • Determine whether anonymous access is enabled (assigned to “NT Authority/Anonymous” on the domain or container using Active Directory Users and Computers (ADUC).

Remediation

  • Change the attribute value from 0000002 to 1 or 0.
  • Remove anonymous access to the domain or the container.

5. Zerologon vulnerabilities

The Zerologon vulnerability is an exploit in the Active Directory netlogon protocol (MS-NRPC) that allows access to servers that use NTLM. This attack makes it possible for an attacker to impersonate any computer in the system, including the root DC. The vulnerability also enables the disabling of security features in the netlogon authentication process. Used by a competent attacker, it can also generate a Golden Ticket, which enables an attacker to gain control of the KRBTGT account.

Detection

Detection can be difficult because the Kerberos tokens look legitimate. The TGT tickets are valid and signed by KRBTGT.

Remediation

NTLM authentication is functional in the shipping product and on by default. Disabling NTLM authentication can break applications. Determine which applications use this old protocol and remediate them. Then disable NTLM and start using Kerberos in your Active Directory domain.

6. Non-expiring service account passwords

Service accounts are configured with passwords that never expire. Service accounts with standard, unchanging passwords are more easily compromised. There are better password-management options available today to enable access without introducing this level of risk.

Detection

Search for accounts with non-expiring passwords so that you can identify and address them.

Remediation

Implement the practice of switching your services accounts to group managed service accounts. You don’t need to know the password; the system will manage it for you, and your security will be better for the change.

7. Non-domain admin access to domain controllers

Users who aren’t domain admins can remotely sign into a DC through RDP or PowerShell. Attackers can remotely sign in to a DC by using PowerShell or remote desktop services.

Detection

Check the User Rights Assignment in the configuration settings.

Remediation

Microsoft recommends the following steps to address Active Directory misconfigurations of this type:

  • Go to the GPO section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  • Find the policy Allow Log On Through Remote Desktop Services.
  • After the server is promoted to the domain controller, only the Administrators group (Domain Admins) should remain in this local policy.

Protect yourself from Active Directory misconfigurations

One final note: If there’s a reason you’ve modified a default setting, document those changes. Doing so will help you if you need to roll back to default settings and reinstate valid permissions. Documenting modifications can also help others (including the next admin) understand why modifications were made and assess whether they are still required.

Most of us inherit Active Directory implementations that have been around for a while. Spending time shoring up these common Active Directory misconfigurations—and implementing a solid documentation process—can go a long way toward protecting your Active Directory from attack. So can running an assessment to find commonly exploited vulnerabilities. Downloading and running our free Purple Knight AD security assessment tool can give you a clearer view of these and other issues to put on your to-do list.