Common Active Directory Pitfalls That Could Ruin Your Day
By Noah Heckman
Active Directory is a critical part of many of our Windows networks. As the basis of trust, it makes an enchanting target for an adversary. However, on the blue team, we sometimes lose sight of it, since it “just works” in the background. Compiled below are a few common insecure configurations that you should make sure don’t exist in your environment.
Control Paths: Who are your admins, really?
An extremely common issue I have found in Active Directory instances is that the administrator groups indirectly contain more high-privilege accounts than the organization thinks are there. As an example, say an organization has proper account segmentation for its IT staff: one account for day-to-day email and general business, one support account for basic admin tasks such as resetting passwords and making new low-privilege accounts, and one domain administrator (DA) account that is used for making new high-privilege accounts and other domain-level tasks. Now, say that you allow all helpdesk accounts to reset all passwords. At first, this makes sense, until you factor in that “all passwords” also includes your DA accounts. If a user can reset the password of a DA account, they effectively are a DA themselves. These control paths can be seen using tools like BloodHound (https://github.com/BloodHoundAD). Despite what many will say, BloodHound is an incredibly useful tool to assist blue teamers in finding vulnerable control paths.
Pre-Windows 2000 Compatible Access: I doubt your computers are really that old, but…
The Pre-Windows 2000 Compatible Access group allows its members to use legacy RPC calls that could be abused by an adversary. In Windows Server 2003 Active Directory, the Everyone and Anonymous groups are members of the Pre-Windows 2000 Compatible Access group by default. Having the Anonymous, Authenticated Users, and Everyone groups as members of this group effectively allows any user to read all AD users and groups across the domain. So, if any user account were compromised, or if someone were to run malicious software, the entire domain could easily be enumerated. Exploitation and enumeration of this legacy group has been seen in connection with the critical Windows print spooler vulnerability, PrintNightmare. Likewise, placing computer accounts in this group allows the use of legacy RPC calls on those member systems, which, at a minimum, increases their attack surface. As a systems admin, any devices, users, or groups in the Pre-Windows 2000 Compatible Access group should be regarded as less secure, and mitigations should be put in place to protect them.
Free Admins! Authenticated Users Can Add Devices to the Domain
By default, the Default Domain Controllers Policy GPO allows the Authenticated Users group to add up to 10 computers to the domain.
The security concern here is, of course, that an attacker could compromise a low-privilege account and then add a device to the domain that the attacker fully controls. This removes the need to perform privilege escalation on a compromised system, or even the need to compromise a system at all if credentials are acquired out of band. Additionally, such devices may help an attacker remain undetected by providing bases of operations that look like regular domain systems while containing none of the usual endpoint protection controls that might raise alerts. This could also provide an avenue for attacks like the one we saw with CVE-2021-42278. Luckily, the fix is easy. First, restrict the above GPO so that only IT staff are allowed to add devices to the domain. Next, set ms-DS-MachineAccountQuota to 0 instead of the default value of 10.
To do this, open Active Directory Users and Computers and enable Advanced Features. Then, pull up the Properties pane for the domain and set ms-DS-MachineAccountQuota to 0, as shown above.
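The same two checks can be scripted so they run on a schedule rather than once by hand. The following is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that the well-known SIDs for Everyone (S-1-1-0), Anonymous Logon (S-1-5-7) and Authenticated Users (S-1-5-11) appear as foreignSecurityPrincipal members of the group, and it uses a hypothetical -Fix switch to actually set the quota to 0 (the GPO user-right change is still done in GPMC and is not covered here).

```powershell
# Added example (not from the original article): audit the machine account quota
# and the Pre-Windows 2000 Compatible Access membership discussed above.
# Requires the RSAT ActiveDirectory module. The -Fix switch is an assumption of
# this script; it sets ms-DS-MachineAccountQuota to 0 and needs rights to modify
# the domain object, so run without it first to see what it reports.
param([switch]$Fix)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. ms-DS-MachineAccountQuota: default is 10; 0 means only delegated staff can join computers.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota (each authenticated user may join $quota computers)"
    if ($Fix) {
        Set-ADDomain -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = '0'}
        Write-Host "ms-DS-MachineAccountQuota set to 0"
    }
} else {
    Write-Host "ms-DS-MachineAccountQuota is 0: OK"
}

# 2. Pre-Windows 2000 Compatible Access: well-known identities that should not be members.
# AD stores them as foreignSecurityPrincipal objects whose CN is the SID itself.
$riskySids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}
$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
foreach ($memberDN in $group.member) {
    # First RDN of the member DN, e.g. "CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=..." -> "S-1-1-0"
    $cn = ($memberDN -split ',')[0] -replace '^CN=', ''
    if ($riskySids.ContainsKey($cn)) {
        Write-Warning "Pre-Windows 2000 Compatible Access contains $($riskySids[$cn]) ($cn)"
        continue
    }
    # Any other member (user, group or computer) gets the legacy RPC access; report it for review.
    $obj = Get-ADObject -Identity $memberDN -Properties objectClass
    Write-Warning "Pre-Windows 2000 Compatible Access contains $($obj.objectClass) '$($obj.Name)'"
}
if (-not $group.member) { Write-Host "Pre-Windows 2000 Compatible Access is empty: OK" }
```

Membership removals from the Pre-Windows 2000 group are deliberately left to the admin, since legacy applications that still need it should be identified before the access is pulled.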
In summary, BloodHound is your friend — even on the blue team — and you should run it on a regular basis to validate your control paths and group memberships. Tools such as Ping Castle are also free to run in your environment and find items such as the ability for users to add workstations. Ultimately, it is infinitely easier to correct these issues now, rather than after an incident.
Behind-the-Zines
Noah Heckman currently holds the record for the most chainsaws used during a BHIS webcast.