Why talk about the group "Authenticated Users"?
If you ask the question "What AD account is most likely to be compromised during an intrusion?", It is likely that the most popular answer is "a Domain Admins account". It goes without saying that an account of the group "Domain Admins" is targeted primarily because it offers the key to the castle Active Directory and thealmost total control of your infrastructure.
But as in any good offer to buy any self-respecting castle, it may be necessary to visit and inspect the place before officially taking possession.
I fear that many AD administrators are not aware of this fact, but that's exactly what the group "Authenticated Users" offers its customers ... an access rights to visit all objects of an AD Domain. (As the forest if they target a Global Catalog)
As its name suggests, the group "Authenticated Users" contains by default ALL authenticated users of a domain. This includes the accounts of network services, generic accounts "autologon" in meeting rooms, consultants, partners connecting from VPN access, the Test account with a compromised password "Qwerty123" ... anyway you get the idea ;)
So logic dictates that all users authenticated to the domain have access to all objects in AD read only with the exception of some protected attributes such as passwords. Please note that in the following cases, this read-only access is also available to anonymous users (unauthenticated):
- Windows 2000 AD
- Windows 2003 AD (ugrade from AD Windows 2000)
- Windows 2003 AD with Windows 2000 AD compatibility mode
"Active Directory Domain Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location."
Now that you have a better idea of the type of information available in an AD, you are entitled to ask how to prevent this too permissive access . Currently, there is no real solution, only very limited suggestions to control information:
- Avoid excessively detailed descriptions and comments during the creation of user accounts and computers.
- Mark attributes as "confidential" by editing the AD schema(http://support.microsoft.com/kb/922836)
End of theory ... time for example!
Let say a user of your domain is compromised following an attack by social engineering "Signed Java Applet" (ok you may say perhaps that therefore the scenario does not apply to you because all your users are sensitized to this type of attack and never click "yes" when a Java popup appears ... if it does ... good for you;)
The attacker has access to the client desktop in the context of a single authenticated user (a member of the Authenticated Users group). Before going on with a great Nmap scan to find servers and make the a lot of noise on the network, it may request the list of workstations / servers using a ldap query ... no noise on the network and a lot of information.
dsquery * -filter (objectclass=computer) -attr cn description operatingsystem operatingsystemservicepack operatingsystemversion
Wow! A simple ldap query for a list of all servers / workstations in the field including their description and a specific version of their operating system. Our attacker now has enough relevant information to plan further attacks in order to extend its control over your environment.
If you want to test and you're not an LDAP-fu master, you can use ADexplorer from the suite of tools Microsoft Sysinternals. This is an easy to use and powerfull LDAP client that fits in a single executable without installation. (Handy on a restricted workstation without installation permission)
Here's how to connect AD with ADexplorer :
- Download ADexplorer (http://live.sysinternals.com/ADExplorer.exe)
- Be sure to be authenticated to your domain (for institutional use non-admin)
- run ADexplorer.exe
- Click OK without entering a value in the dialog box "Connect to active directory"
- The connection is made to AD with your current user
You should now see the entire tree of your AD. Your ticket was valid! You can now start visiting your castle as you walk through the ldap tree. When you select an object in the left section, you can see all the available attributes and their values in the right section.
I let you get familiar with the concept until the next paper where there will be less theory and more AD Enumeration Kung Fu.