Domain Computer rename failed with access denied


Issue:

IT helpdesk staff and desktop admins are not able to rename a computer that is already a member of the domain. Similarly, they are unable to reset users' passwords remotely.

Environment:

Windows Server 2016 Domain Controllers hardened with the STIG/CIS benchmark

Reference:

The SAMRPC protocol makes it possible for a low-privileged or non-privileged user to query a machine on the network for information. In general, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group membership from the local SAM and from Active Directory. An attacker can use this information as a starting point to compromise a domain or network.

To mitigate this risk, configure the 'Network access: Restrict clients allowed to make remote calls to SAM' security policy setting to force the Security Accounts Manager (SAM) to perform an access check against remote calls.

By default, the security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (Built-in) Administrators group remote access to SAM on member servers, and allows Everyone access on domain controllers.
The CIS Benchmark also recommends allowing only Administrators, and only on member servers.

The problem starts when the Domain Controllers are also configured with the same security policy setting: accounts that are not members of the DC's Administrators group are then denied the remote SAM calls that the helpdesk operations above depend on.

Solution:

This security policy setting can be configured to allow the required low-privileged (non-administrator) accounts or groups, either through Group Policy or through the registry setting on each DC.

Security Consideration:

The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans.

The following example illustrates how an attacker might exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can squat on the machine, waiting for the high-privileged user to log on, and then steal or impersonate those credentials.

Countermeasure:

You can mitigate this vulnerability by enabling the 'Network access: Restrict clients allowed to make remote calls to SAM' security policy setting and configuring its SDDL to grant access only to those accounts that are explicitly allowed.
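The following PowerShell is an added example, not part of the original post, that implements the solution described above: it keeps the hardened default descriptor and appends one read-control ACE for a delegated helpdesk group instead of reopening remote SAM access to Everyone. The group name PENLAB\Helpdesk-Admins and the decision to write the registry directly (rather than the GPO setting) are assumptions.

```powershell
# Added example (not from the original post). Assumptions: run elevated on each DC, and
# 'PENLAB\Helpdesk-Admins' is a placeholder for the group delegated to rename computers
# and reset passwords. The same SDDL can instead be entered in the GPO setting
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# Security Options > 'Network access: Restrict clients allowed to make remote calls to SAM'.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSAM'          # REG_SZ value the policy setting writes
$helpdesk  = 'PENLAB\Helpdesk-Admins'     # placeholder group

# Resolve the group to a SID so the descriptor does not depend on the display name.
$account = New-Object System.Security.Principal.NTAccount($helpdesk)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Microsoft's documented default for Windows 10 1607+/Server 2016 member servers:
# only BA (Builtin\Administrators) is granted RC (READ_CONTROL).
$defaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'
# Append a single explicit ACE for the helpdesk group with the same RC right and nothing more.
$newSddl     = "$defaultSddl(A;;RC;;;$sid)"

# Parse the descriptor before writing it: a malformed SDDL throws here instead of
# being stored and silently ignored by LSA. The output shows exactly who is granted access.
(ConvertFrom-SddlString -Sddl $newSddl).DiscretionaryAcl

$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current) { Write-Host "Current ${valueName}: $current" }
else          { Write-Host "${valueName} not set: the built-in default for this role applies" }

if ($current -ne $newSddl) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value $newSddl -Type String
    Write-Host "Applied: $newSddl"
}
```

If the value is already managed by a GPO applied to the DCs, change it in that GPO instead; a direct registry edit is overwritten at the next policy refresh.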

Active Directory Security: Leverage AdminSDHolder for persistent backdoor in AD


Each domain in Active Directory contains an AdminSDHolder object, which resides in the System container of the domain. The Distinguished Name (DN) of this object is "CN=AdminSDHolder,CN=System,DC=PENLAB,DC=LOCAL". Active Directory Domain Services uses this object, the protected groups and the SDPROP process to secure privileged users and groups from unintentional modification. The AdminSDHolder object has a specific Access Control List (ACL) that is used to control the permissions of security principals that are members of the built-in privileged Active Directory groups. Each time the SDPROP process runs on the domain controller holding the PDC Emulator operations master role, it compares the ACL on all security principals (users, groups, and computers) that belong to protected groups against the ACL of the AdminSDHolder object.

Protected Objects

The groups listed below and their members are protected by the AdminSDHolder object. Look for the AdminCount attribute in Active Directory with its value set to 1. The AdminCount value is never set back to 0, even after the account is removed from the protected groups. This is by design, as per Microsoft.
• Account Operators
• Administrators
• Administrator
• Backup Operators
• Domain Admins
• Domain Controllers
• Enterprise Admins
• Schema Admins
• Krbtgt
• Print Operators
• Read-only Domain Controllers
• Server Operators
• Replicators

Default AdminSDHolder object ACL

• Authenticated Users: Read
• SYSTEM: Full Control
• Administrators: Modify
• Domain Admins: Modify
• Enterprise Admins: Modify

The SDPROP process runs every 60 minutes and resets the ACL of each protected object to match the AdminSDHolder object if it has been modified. The process can also be triggered manually.

AdminSDHolder object

An attacker who can modify the ACL of the AdminSDHolder object can use it to grant the ability to modify the privileged groups in Active Directory, turning a key security component into a persistent way of exploiting Active Directory. Even if a system administrator or Active Directory administrator corrects the ACL on the protected group or user, SDPROP will change the security ACL back to match the AdminSDHolder object.

1. Open the AdminSDHolder object and check the default permissions.
2. Add the domain account penlab\pentest1 to the AdminSDHolder object permissions and grant it Full Control.
3. Verify that the user pentest1 is a member of the Domain Users group only.
4. Run SDPROP manually, or just wait for the next cycle of the process.
5. Open the Domain Admins group properties and see that penlab\pentest1 has been added to the security permissions with Full Control.
6. Log on with the penlab\pentest1 account to a member server or workstation and open the Active Directory snap-in. Since this user now has full access to the object, add the pentest1 account to Domain Admins or Enterprise Admins.
(Screenshot: Add pentest1 account to Domain Admins group)
7. Now penlab\pentest1 has become a Domain Admin.
8. The penlab\pentest1 user account is now able to manipulate not only the highly privileged groups but also all the privileged user accounts: enable, disable, delete, create, and much more.

Detection and Control

It is therefore important to monitor the ACL configured on the AdminSDHolder object. Keep the default ACL unless there is an absolute requirement to add a group or user. Monitor the users and groups with the AdminCount attribute set to 1 to identify the accounts whose ACLs are managed by SDPROP.
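As an added example (not from the original post), the following PowerShell implements the two monitoring points above: it diffs the AdminSDHolder DACL against a saved known-good baseline, so an extra Full Control ACE like the one in the walkthrough shows up as an added entry, and it lists every AdminCount=1 principal with its direct protected-group membership. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder baseline path.

```powershell
# Added example, not code from the original post. Assumptions: RSAT ActiveDirectory module
# installed, the caller can read the domain, and $baselineFile is a placeholder path.
Import-Module ActiveDirectory

$baselineFile = 'C:\Audit\AdminSDHolder-baseline.txt'   # placeholder: store it somewhere admins cannot quietly edit
$holderDn     = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"

# One canonical line per ACE so the DACL can be diffed: trustee|rights|allow/deny|inherited
$currentAces = (Get-Acl -Path "AD:\$holderDn").Access |
    ForEach-Object { "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.AccessControlType)|$($_.IsInherited)" } |
    Sort-Object -Unique

if (-not (Test-Path -Path $baselineFile)) {
    # First run: record the current DACL as the known-good baseline. Do this only after
    # checking it by hand against the default (Authenticated Users, SYSTEM, Administrators,
    # Domain Admins, Enterprise Admins) so an already-planted ACE is not baselined in.
    $currentAces | Set-Content -Path $baselineFile
    Write-Host "Baseline saved to $baselineFile"
}
else {
    $diff = Compare-Object -ReferenceObject (Get-Content -Path $baselineFile) -DifferenceObject $currentAces
    if ($diff) {
        # '=>' marks ACEs present now but absent from the baseline (e.g. Full Control for an
        # ordinary user such as pentest1); '<=' marks ACEs that were removed.
        Write-Warning "AdminSDHolder DACL differs from baseline:"
        $diff | Format-Table SideIndicator, InputObject -AutoSize
    }
    else {
        Write-Host "AdminSDHolder DACL matches baseline."
    }
}

# Principals SDPROP has stamped with adminCount=1. Because the attribute is never reset,
# an account listed here with no protected-group membership is stale and should be reviewed.
$protected = 'Administrators|Account Operators|Backup Operators|Print Operators|Server Operators|' +
             'Replicator|Domain Admins|Domain Controllers|Read-only Domain Controllers|' +
             'Enterprise Admins|Schema Admins'
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
    Select-Object Name, ObjectClass,
        @{ Name = 'ProtectedGroups'; Expression = {
            # Direct membership only; nested membership needs Get-ADGroupMember -Recursive per group.
            ($_.memberOf | Where-Object { $_ -match "^CN=($protected)," } |
                ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } } |
    Format-Table -AutoSize
```

Run it on a schedule shorter than the 60-minute SDPROP cycle so a modified AdminSDHolder ACL is noticed before it is propagated to the protected objects.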