Category Archives: Active Directory

Too much permissions on the domain root

This is an interesting question that I would like to share my view of here.

The question: What are the security implications of someone being able to modify permissions protecting the domain root object?

Let’s start with some basics:

  • All Objects in AD are securable
  • Securable Objects has a Security Descriptor (SD)
  • The SDs contains Owner SID, Group SID, DACL, SACL (known as ACLs) and the header with control flags
  • The ACLs contain ACEs
  • ACEs contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited

This topic focuses on the Write_DAC or Modify Permissions. If a Security Principal (User, Sec group, Computer) has the Write_DAC he is allowed to modify the Security Descriptor guarding the object.

So what are the implications of someone having the permission to modify the SD on the Domain Root? Continue reading

Expire Passwords On Smart Card Only Accounts

I was browsing thru the new schema updates in Windows Server TP 4 and found an interesting new attribute: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts

Sch83.ldf:

dn: CN=ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
CN: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
attributeID: 1.2.840.113556.1.4.2344
attributeSyntax: 2.5.5.8
adminDisplayName: ms-DS-Expire-Passwords-On-Smart-Card-Only-Accounts
adminDescription: This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.
oMSyntax: 1
lDAPDisplayName: msDS-ExpirePasswordsOnSmartCardOnlyAccounts
isSingleValued: TRUE
systemOnly: FALSE
schemaIDGUID:: SKsXNCTfsU+AsA/LNn4l4w==
systemFlags: 16
searchFlags: 0
instanceType: 4

Well, this sound interesting if you read the adminDescription:

This attribute controls whether the passwords on smart-card-only accounts expire in accordance with the password policy.

No much more info when I tried to search the internet.

If we search for the attribute we can find it being used at the root of DNC corp.secid.se Continue reading