| Vulnerability Template | Vulnerability | Risk | What to find |
|---|---|---|---|
| Account password last changed |
Name: Built-in Guest account is enabled Default scope: N/A |
The built-in Guest account enables access to Active Directory without requiring a password and should be disabled. Remediation: To resolve vulnerability, disable the built-in Guest account (if it has been renamed, the account whose SID is S-1-5-domain-501). |
Built-in Guest accounts that are enabled |
| Vulnerability Template | Vulnerability | Risk | What to find |
|---|---|---|---|
| Built-in Guest account status |
Name: Built-in Guest account is enabled Default scope: N/A |
The built-in Guest account enables access to Active Directory without requiring a password and should be disabled. Remediation: To resolve vulnerability, disable the built-in Guest account (if it has been renamed, the account whose SID is S-1-5-domain-501). |
Built-in Guest accounts that are enabled |
| Anonymous access to Active Directory status |
Name: Anonymous access to Active Directory is enabled Default scope: N/A |
Anonymous access allows accounts to perform reconnaissance against Active Directory by binding to Active Directory over RPC (including over Name Service Provider Interface (NSPI)) without authenticating. Anonymous access to Active Directory is enabled using the Remediation: Set the 7th character (fLDAPBlockAnonOps bit) of the dsHeuristics attribute to 0 to ensure that anonymous access is blocked. The dsHeuristics attribute is located on the Directory Service object in CN=WindowNT,CN=Services,CN=Configuration,
|
The dsHeuristics attribute on the Directory Service object indicates Anonymous access to Active Directory is enabled |
| Vulnerability Template | Vulnerability | Risk | What to find |
|---|---|---|---|
| Account Trusted for Delegation attribute status |
Name: User accounts with unconstrained delegation Default scope: All users |
The Kerberos TGT ticket can be captured when unconstrained delegation is enabled and then used to elevate the adversary's privileges to any service the TGT ticket has access to. Remediation: To resolve vulnerability, remove the TRUSTED_FOR_DELEGATION flag in userAccountControl attribute. This can be performed in the account's Delegation tab - Account options. Make sure “Trust this user for delegation to any service (Kerberos only)” is not selected. If a Kerberos delegation is required, use one that is constrained. |
Accounts in scope that have Trusted for Delegation enabled |
|
Name: Computer accounts with unconstrained delegation Default scope: All computers except domain controllers |
The Kerberos TGT ticket can be captured when unconstrained delegation is enabled and then used to elevate the adversary's privileges to any service the TGT ticket has access to. Remediation: Remove unconstrained delegation on the computer object from the computer’s Properties - Delegation tab by ensuring “Trust this computer for delegation to any service (Kerberos only)” is not selected. If required, constrained delegation can be used by selecting the "Trust this computer for delegation to specified services only" option. |
Accounts in scope that have Trusted for Delegation enabled | |
| Users Password Not Required attribute status |
Name: User accounts do not require a password Default scope: All users |
An adversary can easily compromise a user account that does not require a password and find an attack path from that account to escalate their privileges. Remediation: To resolve vulnerability, in the account’s Attribute Editor tab, select userAccountControl and remove the PASSWD_NOTREQD value. |
User accounts in scope that have “Password not required” enabled |
| Domain Add computers to domain value |
Name: Non-privileged users can create computer accounts Default scope: N/A |
Without hardening, non-privileged users have the ability to create computer accounts in the domain. Improperly configured computer accounts are exposed to Kerberos authentication attacks. Only administrators should be able to add new computer accounts. Remediation: In Active Directory Users and Computers Attribute Editor tab for the domain object, change the value of the ms-DS-MachineAccountQuota attribute (which is 10 by default) to a value of 0. This will prevent non-privileged users from being able to register new computer accounts within the domain. |
Domain has the “ms-DS-MachineAccountQuota” attribute set to more than 0 NOTE: The operator and quota attribute value are editable. |
| Account "Use any authentication protocol" status |
Name: Accounts that allow Kerberos protocol transition delegation Default scope: All users and computers |
A service configured to allow Kerberos protocol transition will allow a delegated service to use any available authentication protocol. This can result in reduced authentication security and increase the chance of services being compromised by an adversary. Remediation: In the account Properties -Delegation tab, ensure configured delegation is not set to “Use any authentication protocol.” |
Accounts in scope which have “Use any authentication protocol” enabled in delegation |
| Domain Unexpire Password permission delegation |
Name: Non-privileged accounts with Unexpire password permission delegation Default scope: All except Tier Zero users and groups |
If the “Unexpire password” permission is delegated an adversary could use it to restore the password of a privileged principal. Remediation: Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence. |
Domain has “Unexpire password” set to Allow for any accounts in scope |
| Domain Migrate SID history permission delegation |
Name: Non-privileged accounts with Migrate SID history permission delegation Default scope: All except Tier Zero users and groups delegation Default scope: All except Tier Zero users and groups |
If the “Migrate SID history” permission is delegated an adversary can use it to elevate their privileges by adding a privileged account to their sIDHistory attribute and obscuring the exploit. Remediation: Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence. |
Domain has “Migrate SID history” set to Allow for any accounts in scope |
| Domain Reanimate tombstones permission delegation |
Name: Non-privileged accounts with Reanimate tombstones permission delegation Default scope: All except Tier Zero users and groups |
If the “Reanimate tombstones” control access right is delegated an adversary could use it to restore and take control of a privileged object. Remediation: Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence. |
Domain has “Reanimate tombstones” set to Allow for any accounts in scope |
| Vulnerability Template | Vulnerability | Risk | What to find |
|---|---|---|---|
| Foreign Security Principals privileged group membership status |
Name: Foreign Security Principals are members of a privileged group Default scope: N/A
|
A Foreign Security Principal (FSP) is an object created by the system to represent a security principal in a trusted external forest. They can also represent special identities, such as Authenticated Users, Anonymous Logon, and Enterprise Domain Controllers. The FSP for a special identity is created when the special identity is added to a group. Foreign security principals can be added to privileged groups in the local domain but because they do not have the adminCount attribute, their origin can be difficult to audit. Thus adversaries can abuse this relationship to proceed without being detected. Remediation: Investigate Foreign Security Principals that are members of the protected groups and remove the membership if appropriate.
|
Foreign Security Principals in scope that are members of a privileged group |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー Cookie Preference Center
