Chat now with support
Chat with Support

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

Discovery for Defense Evasion Vulnerabilities

Vulnerability Template Vulnerability Risk What to find
Built-in Administrator account last used

Name:

Built-in Administrator account that has been used

Default scope:

N/A

The Built-in Administrator should never be used because it cannot be tied back to an individual. Any use of the account likely indicates it has been compromised.

Remediation:

To resolve vulnerability, make sure that the Built-in Administrator account (if it has been renamed, the account whose SID is S-1-5-21-domain-500) has not been used within the last 30 days.

Built-in Administrator account was last used less than 30 days ago

NOTE: The number of days is editable.

Members of protected groups adminCount attribute value

Name:

User accounts in protected groups that are not protected by AdminSDHolder (SDProp)

Default scope:

All users

Microsoft uses the adminCount attribute to indicate an object has had its ACL modified by the system to be more secure as it was a member of one of the administrative groups. Accounts that are members of the protected groups whose adminCount attribute is not set to 1 could be evidence of an adversary who has breached the directory and trying to remain undetected. Protected groups include:

  • Account Operators (S-1-5-32-548)
  • Administrators (S-1-5-32-544)
  • Backup Operators (S-1-5-32-551)
  • Cert Publishers (S-1-5-domain-517)
  • Domain Admins (S-1-5-domain-512)
  • Domain Controllers (S-1-5-domain-516)
  • Enterprise Admins (S-1-5-root_domain-519)
  • Read-only Domain Controllers (only since Windows Server 2008) (S-1-5-domain-521)
  • Replicator (S-1-5-32-552)
  • Schema Admins (S-1-5-root_domain-518)
  • Server Operators (S-1-5-32-549)

Remediation:

Investigate accounts that are members of the protected groups whose adminCount attribute is not set to 1 to determine why the attribute is not set by Active Directory.

User objects in scope that are members of protected groups and have adminCount attribute set to 0 or not set.
Account Primary Group ID permissions

Name:

User accounts without readable Primary Group ID

Default scope:

All users

Inability to read the Primary Group ID can indicate that read permissions have been removed by an adversary trying to cover their tracks as they elevate their permissions in an environment.

Remediation:

To resolve vulnerability, review the User object and remove any Deny Read permissions which would prevent the Primary Group ID from being read.

Accounts in scope that have Deny Read set for the “Primary Group ID” attribute

Name:

Computer accounts without readable Primary Group ID

Default scope:

All computers

Inability to read the Primary Group ID can indicate that read permissions have been removed by an adversary trying to cover their tracks as they elevate their permissions in an environment.

Remediation:

To resolve vulnerability, review the computer object and remove any Deny read permissions which would prevent the Primary Group ID attribute from being read.

Active Directory Operator group AdminSDHolder protection status

Name:

Active Directory Operator groups that are not protected by AdminSDHolder

Default scope:

N/A

 

The AdminSDHolder object maintains a template of permissions that are automatically applied to Tier Zero groups to ensure their security. A change to the AdminSDHolder behavior could indicate that an adversary has compromised the directory and is covering their tracks. The dwAdminSDExMask bit in the dsHeuristics attribute of CN=DirectorService,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com, can be configured so that the following Active Directory Operator groups (and their nested members) are no longer protected:

  • Account Operators

  • Server Operators

  • Print Operators

  • Backup Operators.

Remediation:

Set the 16th character (dwAdminSDExMask
bit) of the dsHeuristics attribute to 0 to ensure that no Operator groups are excluded from AdminSDHolder protection. The dsHeuristics attribute is located on the Directory Service object in CN=Window NT,CN=Services,
CN=Configuration,DC=domain,DC=com.

The dsHeuristics attribute on the Directory Service object indicates some Operator groups are excluded from AdminSDHolder protection

Discovery for Discovery Vulnerabilities

Vulnerability Template Vulnerability Risk What to find
Account password last changed

Name:

Tier Zero user accounts whose passwords have not changed recently

Default Scope:

Tier Zero users

Administrator accounts with passwords that are not cycled regularly are more susceptible to brute force password cracking attempts. If a password manager or multi-factor authentication is not used, passwords should be updated a minimum of every 90 days.

Remediation:

To resolve vulnerability, update the administrator password and enforce a password policy to ensure the administrator account password is updated regularly.

Accounts in scope that have not updated their password within last 180 days

Discovery for Initial Access Vulnerabilities

Vulnerability Template Vulnerability Risk What to find
Built-in Guest account status

Name:

Built-in Guest account is enabled

Default scope:

N/A

The built-in Guest account enables access to Active Directory without requiring a password and should be disabled.

Remediation:

To resolve vulnerability, disable the built-in Guest account (if it has been renamed, the account whose SID is S-1-5-domain-501).

Built-in Guest accounts that are enabled
Anonymous access to Active Directory status

Name:

Anonymous access to Active Directory is enabled

Default scope:

N/A

Anonymous access allows accounts to perform reconnaissance against Active Directory by binding to Active Directory over RPC (including over Name Service Provider Interface (NSPI)) without authenticating. Anonymous access to Active Directory is enabled using the
fLDAPBlockAnonOps bit in the dsHeuristics attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,
DC=domain,DC=com.

Remediation:

Set the 7th character (fLDAPBlockAnonOps bit) of the dsHeuristics attribute to 0 to ensure that anonymous access is blocked. The dsHeuristics attribute is located on the Directory Service object in CN=WindowNT,CN=Services,CN=Configuration,
DC=domain,DC=com.

 

The dsHeuristics attribute on the Directory Service object indicates Anonymous access to Active Directory is enabled

Discovery for Lateral Movement Vulnerabilities

Vulnerability Template Vulnerability Risk What to find
Account Trusted for Delegation attribute status

Name:

User accounts with unconstrained delegation

Default scope: All users

The Kerberos TGT ticket can be captured when unconstrained delegation is enabled and then used to elevate the adversary's privileges to any service the TGT ticket has access to.

Remediation:

To resolve vulnerability, remove the TRUSTED_FOR_DELEGATION flag in userAccountControl attribute. This can be performed in the account's Delegation tab - Account options. Make sure “Trust this user for delegation to any service (Kerberos only)” is not selected. If a Kerberos delegation is required, use one that is constrained.

Accounts in scope that have Trusted for Delegation enabled

Name:

Computer accounts with unconstrained delegation

Default scope:

All computers except domain controllers

The Kerberos TGT ticket can be captured when unconstrained delegation is enabled and then used to elevate the adversary's privileges to any service the TGT ticket has access to.

Remediation:

Remove unconstrained delegation on the computer object from the computer’s Properties - Delegation tab by ensuring “Trust this computer for delegation to any service (Kerberos only)” is not selected. If required, constrained delegation can be used by selecting the "Trust this computer for delegation to specified services only" option.

Accounts in scope that have Trusted for Delegation enabled
Users Password Not Required attribute status

Name:

User accounts do not require a password

Default scope:

All users

An adversary can easily compromise a user account that does not require a password and find an attack path from that account to escalate their privileges.

Remediation:

To resolve vulnerability, in the account’s Attribute Editor tab, select userAccountControl and remove the PASSWD_NOTREQD value.

User accounts in scope that have “Password not required” enabled
Domain Add computers to domain value

Name:

All domain users can create computer accounts

Default scope:

N/A

Without hardening, all domain users have the ability to create computer accounts in the domain. Improperly configured computer accounts are exposed to Kerberos authentication attacks. Only administrators should be able to add new computer accounts.

Remediation:

In Active Directory Users and Computers Attribute Editor tab for the domain object, change the value of the ms-DS-MachineAccountQuota attribute (which is 10 by default) to a value of 0. This will prevent non-administrative users from being able to register new computer accounts within the domain.

Domain has the “ms-DS-MachineAccountQuota” attribute set to more than 0

NOTE: The operator and quota attribute value are editable.

Account "Use any authentication protocol" status

Name:

Accounts that allow Kerberos protocol transition delegation

Default scope:

All users and computers

A service configured to allow Kerberos protocol transition will allow a delegated service to use any available authentication protocol. This can result in reduced authentication security and increase the chance of services being compromised by an adversary.

Remediation:

In the account Properties -Delegation tab, ensure configured delegation is not set to “Use any authentication protocol.”

Accounts in scope which have “Use any authentication protocol” enabled in delegation
Domain Unexpire Password permission delegation

Name:

Non-Tier Zero accounts with Unexpire password permission delegation

Default scope: All except Tier Zero users and groups

If the “Unexpire password” permission is delegated an adversary could use it to restore the password of a Tier Zero principal.

 

This vulnerability will not generate a Finding in Security Guardian.

 

Remediation:

Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence.

Domain has “Unexpire password” set to Allow for any accounts in scope
Domain Migrate SID history permission delegation

Name:

Non-Tier Zero accounts with Migrate SID history permission

delegation

Default scope:

All except Tier Zero users and groups

delegation

Default scope:

All except Tier Zero users and groups

If the “Migrate SID history” permission is delegated an adversary can use it to elevate their privileges by adding a Tier Zero account to their sIDHistory attribute and obscuring the exploit.

Remediation:

Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence.

Domain has “Migrate SID history” set to Allow for any accounts in scope
Domain Reanimate tombstones permission delegation

Name:

Non-Tier Zero accounts with Reanimate tombstones permission delegation

Default scope:

All except Tier Zero users and groups

If the “Reanimate tombstones” control access right is delegated an adversary could use it to restore and take control of a Tier Zero object.

Remediation:

Except for the Domain Admins group, these delegations should be removed unless there is a compelling reason for their existence.

Domain has “Reanimate tombstones” set to Allow for any accounts in scope
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating