Improving your Active Directory security posture: AdminSDHolder to the rescue

Abstract

This paper covers a key aspect of Active Directory (AD) security, which is often overlooked: the wealth of default read permissions that Microsoft has granted to any user and computer in the directory. The concept of an AD forest being a security boundary must now not only be understood as a protective feature; if you do not have an account in an AD forest, you cannot access any of its AD objects and connected resources. Instead, the security boundary must also be understood as the scope of reach for an intruder to access and assess the security of AD objects once they gain a foothold into an organisation’s network. Removing certain default read permissions in AD is a low-risk operation that pays off by making it much more difficult for intruders to perform reconnaissance that helps them in planning their next steps to domain dominance. Understanding the mechanism of the built-in logic that Microsoft has added to AD to protect the most privileged accounts in the directory (eg members of the domain admins group) is key to realising both the benefits and weaknesses of this mechanism. This paper discusses how this protection mechanism works behind the scenes and how it can be adjusted to remove risky default read permissions to make AD safer. Many AD infrastructures were implemented many years ago and operated by different teams of administrators over time, so most AD implementations today have incurred a solid ‘misconfiguration debt’. This paper covers one aspect of that debt: specifically, how to fix the permissions on objects that had once been added to a privileged group but are no longer a part of that group. Essentially, locking down the visibility of objects and general read permissions in AD is vital to reducing the AD attack surface and thus increasing its security posture.