Tag Archives: Delegate

What is required to delete Domain Admin accounts?

What is required to delete admin accounts that are members of a protected group like Domain Admins or Enterprise Admins?

The most common answer is whoever has the Delete right on the user object. But when it comes to ACLs in Active Directory it's not always that easy. ACLs are a powerful and complex part of Active Directory.
If we read the Microsoft documentation on how the system evaluates whether a Security Principal is allowed or denied access: Discretionary Access Control Lists (DACLs) and Access Control Entries (ACEs)

When access is requested to an Active Directory object, the Local Security Authority (LSA) compares the access token of the account that is requesting access to the object to the DACL. The security subsystem checks the object’s DACL, looking for ACEs that apply to the user and group SIDs referenced in the user’s access token. The security subsystem then steps through the DACL until it finds any ACEs that allow or deny access to the user or to one of the user’s groups. The subsystem does this by first examining ACEs that have been explicitly assigned to the object and then examining ones that have been inherited by the object. The following illustration shows the important parts of an access token and a DACL when a request is evaluated.

If an explicit deny is found, access is denied. Explicit deny ACEs are always applied, even if conflicting allow ACEs exist. Explicit allow ACEs are examined, as are inherited deny and allow ACEs. The ACEs that apply to the user are accumulated. Inherited deny ACEs overrule inherited allow ACEs but are overruled themselves by explicit allow permissions. If none of the user SIDs or group SIDs in the access token match the DACL, the user is denied access implicitly.

Now to the fun part: when talking about deletion you must consider a little more than just this logic to determine the effective permissions that let a user delete a Domain Admin user.
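The evaluation order quoted above, reduced to a small simulation in Python, as an added example that is not part of the original post. The SIDs, the DACLs and the helper names (Ace, access_check, scenarios) are constructed for the example; the right values are the standard DELETE, READ_CONTROL and WRITE_DAC bits.

```python
from dataclasses import dataclass

# Standard-right bits used in the scenarios (the real ADS_RIGHT_* values).
# Only their distinctness matters for the walk below.
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000


@dataclass(frozen=True)
class Ace:
    """One access control entry, reduced to what the evaluation order needs."""
    allow: bool              # True: access-allowed ACE, False: access-denied ACE
    sid: str                 # trustee the ACE applies to
    mask: int                # access rights bit mask
    inherited: bool = False  # True when the ACE was inherited from a parent container


def canonical_order(dacl):
    """Order ACEs the way the access check walks them:
    explicit deny, explicit allow, inherited deny, inherited allow.
    sorted() is stable, so ACEs of the same class keep their DACL order."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(token_sids, dacl, requested):
    """Return True if every bit in `requested` is granted to a token holding
    the SIDs in `token_sids`, following the rules quoted in the post:
    a matching deny ACE that covers a still-outstanding bit ends the walk with
    a denial; matching allow ACEs accumulate until nothing is outstanding;
    running out of ACEs with bits still outstanding is an implicit deny."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue  # ACE is for someone else; skip it
        if not ace.allow:
            if ace.mask & remaining:
                return False  # deny wins for any bit not yet granted
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True  # everything requested has been granted
    return False  # implicit deny: nothing, or not enough, matched


# Constructed SIDs: a helpdesk group in a made-up domain, plus Everyone.
HELPDESK = "S-1-5-21-1000-2000-3000-1105"
HELPDESK_TOKEN = {HELPDESK, "S-1-1-0"}


def scenarios():
    """DACLs on a user object that exercise the precedence rules; returns name -> decision."""
    return {
        # explicit allow beats an inherited deny (the OU said no, the object said yes)
        "explicit_allow_vs_inherited_deny": access_check(
            HELPDESK_TOKEN,
            [Ace(False, HELPDESK, DELETE, inherited=True), Ace(True, HELPDESK, DELETE)],
            DELETE),
        # explicit deny beats an explicit allow regardless of DACL order
        "explicit_deny_vs_explicit_allow": access_check(
            HELPDESK_TOKEN,
            [Ace(True, HELPDESK, DELETE), Ace(False, HELPDESK, DELETE)],
            DELETE),
        # a deny for an unrelated right does not block the requested one
        "deny_on_other_right": access_check(
            HELPDESK_TOKEN,
            [Ace(False, HELPDESK, WRITE_DAC), Ace(True, HELPDESK, DELETE)],
            DELETE),
        # nothing in the token matches (only Domain Admins, RID 512, is granted): implicit deny
        "no_matching_ace": access_check(
            HELPDESK_TOKEN,
            [Ace(True, "S-1-5-21-1000-2000-3000-512", DELETE)],
            DELETE),
        # partial grant: READ_CONTROL allowed, DELETE never granted
        "partial_grant": access_check(
            HELPDESK_TOKEN,
            [Ace(True, HELPDESK, READ_CONTROL)],
            DELETE | READ_CONTROL),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The sort reproduces the canonical ACE order that the Active Directory tools maintain when they write a DACL. A DACL written out of canonical order (for instance through raw LDAP) is walked by Windows in stored order, which is one reason the effective permission is not always what the ACE list suggests.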

Password reset smart card only accounts – Why should I care?

One interesting thing about smart card authentication is that you can still use a username and password even if the smart card is required. There have been many examples and articles showing that you can still use Pass the Hash, since the NT hash is still in use.

This is just another twist on it focusing on the clear text password.

Support for smart cards has existed in Windows for a long time; it was implemented in MS-KILE as a Kerberos extension in Windows 2000 and is called PKINIT. The purpose was to get rid of passwords and offer strong two-factor authentication (not to mitigate Pass the Hash, Pass the Ticket and so on).

Having fun with RDGW, SDI and MFA creating “where am I now admins”

This is part two of my RDP series on how to protect the communication, minimize the credentials exposure and how to use it in different delegation models.
This time we will have a look at an interesting delegation model using RDGW and RDP Restricted Admin mode.

I want a user to be a dynamic or temporary member of an admin group. I don't have JIT or JEA implemented, so what can I do with the built-in tools in the OS platform?
With RDPRA we have the possibility to be a special admin depending on which server we jump to. It can look something like this:

In this example, we will grant a user Domain Admin rights temporarily, and in other cases he will just be a regular user.

In part one I wrote about RDPRA and how it flips the user's identity to the identity of the server he logs on to. If a user RDPs to a server with Restricted Admin mode, he will, through that machine, connect to other resources in that context. If we make that server a member of Domain Admins, the user becomes a Domain Admin just by landing on that machine, and it happens automatically purely through RDP.

So, we start with stealing the setup from part one and add the server to the Domain Admins group. Now when my user Tony connects to the server he is effectively a Domain Admin.
Sure, we need to step up our game on logging and correlation of event logs to get a clear picture of who did what. This isn't about auditing, so I will save that for some other time.

ADPREP Bug in Windows Server 2016

When I upgraded a domain to Windows Server 2016 DCs I noticed a bug in the adprep program that I have reproduced in my lab and wanted to share it here.

In Active Directory 2016 two new groups are introduced:

  • Key Admins
  • Enterprise Key Admins

If you create a new domain with Windows Server 2016 the groups will be created and given Read and Write access to the ms-DS-Key-Credential-Link attribute on all child objects from the domain root.

There isn't much public documentation about this attribute, and that isn't what this blog post is about.
But it seems to have something to do with Windows Hello for Business providing key-based or certificate-based authentication. That is still not fully implemented in Active Directory; it's on the roadmap for a future release. You can read more about it here: Manage identity verification using Windows Hello for Business

I have also noticed the ADFS 4.0 installation wizard tries to add the service account as member of the Enterprise Key Admins group. You can read about it here: Upgrading the ADFS farm behavior level

When I upgraded a domain and ran adprep.exe to prepare the domain for Windows Server 2016 DCs, I noticed two new SIDs representing the two new groups after running adprep.exe /domainprep.

Recover LAPS passwords from deleted objects and delegate recovery admins

I got a question about LAPS and deleted Computer objects.
What happens if a computer is disjoined from the domain or if the object is deleted; how do we recover the LAPS password?
And for how long can we recover the LAPS password (if we don't count the backups you should have)?

Computer is disjoined:

If you configure the client to join another domain or a workgroup, the Computer object isn't deleted from the Active Directory database. At most the computer account is disabled. No problem retrieving the password there.

Computer Object is deleted in the Active Directory database:

Where the adminCount doesn’t count and the SD isn’t what you thought.

This is a short follow-up on my earlier blog entry on the AdminSDHolder.
As stated earlier, the AdminSDHolder process, which runs as a background task on the Domain Controller acting as PDC Emulator, sets the Security Descriptor of the protected admin groups.

The thing I wanted to revisit is when the adminCount attribute and the Security Descriptor aren't set on objects.

Who is object owner in your domain?

Object Owner, who is that in your Active Directory environment?
When delegating admin access in Active Directory there are a few things to consider, and one of them is the owner.

When an object is created, it will have an owner set in the Security Descriptor guarding that object. The object owner is set depending on who creates it.

Delegate DHCP Admins in the domain

This is a simple guide to delegating DHCP Admins in the domain.
This guide is built on a Windows Server 2012 R2 environment.

If you have a lot of DHCP servers and want to delegate their administration in your domain it's quite easy, and a good thing to do if you don't want to grant people Domain Admin access unnecessarily. But there are a few differences you need to know about, depending on how and where you install the DHCP Server role.

Let's start with the most common way, installing the DHCP Server role service, which is an easy task.

Too much permissions on the domain root

This is an interesting question that I would like to share my view of here.

The question: What are the security implications of someone being able to modify permissions protecting the domain root object?

Let’s start with some basics:

  • All objects in AD are securable
  • Securable objects have a Security Descriptor (SD)
  • The SD contains the owner SID, the group SID, the DACL and the SACL (known as ACLs), and a header with control flags
  • The ACLs contain ACEs
  • An ACE contains a set of access rights and a security identifier (SID) that identifies the trustee for whom the rights are allowed, denied, or audited

This topic focuses on WRITE_DAC, or Modify Permissions. If a Security Principal (user, security group, computer) has WRITE_DAC, it is allowed to modify the Security Descriptor guarding the object.
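To make the WRITE_DAC point concrete, and to tie in the object-owner point from the post above, here is an added example in Python (not from the original post) that takes the SDDL form of an object's security descriptor and lists every trustee that can rewrite it: the owner, because an owner implicitly holds READ_CONTROL and WRITE_DAC, and every allow ACE carrying WD, WO or GA. The SDDL string, the SIDs and the function names are constructed for the example; the two-letter right codes and the bit values are the standard SDDL ones.

```python
import re

# SDDL two-letter right codes that let a trustee rewrite the security
# descriptor. GENERIC_WRITE (GW) is deliberately absent: in Active Directory
# it maps to READ_CONTROL, WRITE_PROP and SELF_WRITE, not to WRITE_DAC.
CONTROL_CODES = {"WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL"}
# The same rights as bits, for ACEs whose rights field is written in hex.
CONTROL_BITS = {0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL"}
ALLOW_TYPES = {"A", "OA"}  # access-allowed and object-access-allowed ACE types


def split_sections(sddl):
    """Split an SDDL string into its O:, G:, D: and S: parts.
    Section letters are only recognised outside ACE parentheses, so nothing
    inside an ACE (SIDs, GUIDs, flags) can be mistaken for a section marker."""
    sections, current, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            current = ch
            sections[current] = ""
            i += 2
            continue
        if current is not None:
            sections[current] += ch
        i += 1
    return sections


def parse_aces(dacl_text):
    """Yield (ace_type, flags, rights, sid) for each ACE in a D: section.
    ACE string format: (type;flags;rights;object_guid;inherit_object_guid;sid)."""
    for body in re.findall(r"\(([^)]*)\)", dacl_text):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip rather than guess
        ace_type, flags, rights, _obj, _inh_obj, sid = fields[:6]
        yield ace_type, flags, rights, sid


def control_rights(rights_field):
    """Return the names from CONTROL_* present in a rights field,
    whether it is written as two-letter codes or as a hex mask."""
    if rights_field.lower().startswith("0x"):
        mask = int(rights_field, 16)
        return {name for bit, name in CONTROL_BITS.items() if mask & bit}
    codes = [rights_field[i:i + 2] for i in range(0, len(rights_field), 2)]
    return {CONTROL_CODES[c] for c in codes if c in CONTROL_CODES}


def control_holders(sddl):
    """Map each trustee that can rewrite the SD to the reasons why.
    Only allow ACEs are counted; deny ACEs and the OWNER RIGHTS SID are
    not modelled, so treat the output as a list of candidates to review."""
    sections = split_sections(sddl)
    holders = {}
    owner = sections.get("O")
    if owner:
        holders.setdefault(owner, set()).add("OWNER")
    for ace_type, _flags, rights, sid in parse_aces(sections.get("D", "")):
        if ace_type not in ALLOW_TYPES:
            continue
        names = control_rights(rights)
        if names:
            holders.setdefault(sid, set()).update(names)
    return {sid: sorted(names) for sid, names in holders.items()}


# Constructed sample: a domain root whose owner is a plain user account, plus a
# mix of explicit, inherited, allow and deny ACEs in a made-up domain.
SAMPLE_SDDL = (
    "O:S-1-5-21-1000-2000-3000-1105"
    "G:DA"
    "D:PAI"
    "(A;;GA;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)"
    "(A;;WD;;;S-1-5-21-1000-2000-3000-1120)"
    "(D;;WDWO;;;S-1-5-21-1000-2000-3000-1130)"
    "(A;;RPLCLORC;;;AU)"
    "(A;CIID;RPWP;;;S-1-5-21-1000-2000-3000-1140)"
    "(A;;0x000c0000;;;S-1-5-21-1000-2000-3000-1150)"
)

if __name__ == "__main__":
    for sid, reasons in control_holders(SAMPLE_SDDL).items():
        print(f"{sid}: {', '.join(reasons)}")
```

With the ActiveDirectory PowerShell module loaded, the SDDL for the domain root comes from `(Get-Acl "AD:\DC=contoso,DC=com").Sddl`, where `DC=contoso,DC=com` is a placeholder for your own domain. The output is a review list: the owner line is usually the surprise, because an owner who was never granted an explicit ACE can still rewrite the DACL.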

So what are the implications of someone having the permission to modify the SD on the Domain Root?