Solved

Active Directory Read Access on Groups and Default Permissions

Posted on 2016-10-16
Last Modified: 2016-11-04
It seems that all AD authenticated users by default are able to list the members of all groups, including Domain Admins and Enterprise Admins groups. Is there a reason for this?

If I disable the read access from some of the groups, i.e. so that users will not be able to find out the Domain Administrators accounts, will this cause any problems?

Also, are there any other default read permissions that are suggested to be disabled for security purposes?

Thanks,
Question by:Harrris
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41845864
That is why we have passwords. Knowing a username is useless without a password, with a good lockout policy.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41845934
Harrris, it's difficult to find a realistic scenario where an attacker would have an advantage carrying out his attack if he knew the names of (for example) a certain domain administrator account.

So I'll ask you to draw a scenario where making the group members unlistable for domain members would help.
0
 
LVL 40

Accepted Solution

by:
Adam Brown earned 250 total points (awarded by participants)
ID: 41846055
You *can* prevent read access for all users, but you won't gain much advantage by doing so. You may also inhibit some useful functions as well. For instance, users need to be able to read group objects to add them to ACLs. It's probably not something that will happen often, but on the off chance that someone needs to grant file permissions to their files, if they don't have read access they won't be able to find the groups they need to grant access. There are a bunch of other potential uses as well. Like finding out who to talk to if you need help.

Also, blocking users from enumerating group members as a way to keep them from learning usernames is a useless security tactic. Most organizations have standardized username conventions like first initial last name (bbrown for bobby brown), so if you know someone's name you know their username. Want to know the usernames required for domain admin access? Go to the IT department and ask everyone what their name is.

Knowing which user accounts are privileged is potentially useful to an attacker, but most organizations fail to disable the default administrator account in the domain, which means that's a moot point as well. Even if the default administrator is renamed to something other than administrator, the GUID stays the same, so it's easy to get access to that account with a minimum of effort.

Realistically, being able to read group memberships, or any AD attribute, for that matter, isn't really a security issue. It, by itself, doesn't allow someone to increase the level of access they have in the environment.
0
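An added example, not part of the original thread or any poster's code: a read-only PowerShell audit that lists which principals hold read rights on the groups named in the question, so the effect of changing the defaults can be reviewed before any ACL is touched. It assumes the RSAT ActiveDirectory module and a domain-joined session; AdminSDHolder is included because the ACLs of protected groups such as Domain Admins are periodically re-stamped from it.

```powershell
# Added example: read-only audit of who can read privileged group objects.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$read     = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$domainDN = (Get-ADDomain).DistinguishedName

# Objects to inspect: the two groups from the question, plus AdminSDHolder.
# Protected groups receive their ACL from AdminSDHolder, so a change made
# directly on Domain Admins is overwritten the next time that process runs.
$targets = @("CN=AdminSDHolder,CN=System,$domainDN")
foreach ($name in 'Domain Admins', 'Enterprise Admins') {
    # Enterprise Admins exists only in the forest root domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if ($group) { $targets += $group.DistinguishedName }
    else        { Write-Warning "$name not found in this domain" }
}

$report = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $read)   # GenericRead/GenericAll also match
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object      = $dn
                Principal   = $_.IdentityReference
                Rights      = $_.ActiveDirectoryRights
                Inherited   = $_.IsInherited
                # An all-zero GUID means the ACE covers every property;
                # any other value scopes it to one attribute or property set.
                ObjectType  = $_.ObjectType
            }
        }
}

# Broad principals first: these are the defaults the question asks about.
$report |
    Sort-Object Object, Principal |
    Format-Table -AutoSize -Wrap
```

The script only reads security descriptors; it makes no changes to the directory.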
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41873670
Security by obscurity is not realistic, and what the OP wants will break more things without adding any security.
0
