Active Directory Read Access on Groups and Default Permissions

Posted on 2016-10-16
Medium Priority
Last Modified: 2016-11-04
It seems that all AD authenticated users by default are able to list the members of all groups, including Domain Admins and Enterprise Admins groups. Is there a reason for this?

If I disable the read access from some of the groups, i.e. so that users will not be able to find out the Domain Administrators accounts, this will cause any problems?

Also, are there any other default read permissions that it's suggested to be disabled, for security purposes?

Question by:Harrris
  • 2
LVL 85

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points (awarded by participants)
ID: 41845864
That is why we have passwords knowing a username is useless without a password with a good lockout policy
LVL 59

Expert Comment

ID: 41845934
Harrris, it's difficult to find a realistic scenario, where an attacker would have an advantage carrying out his attack, if he knew the names of (for example) a certain domain administrator account.

So I'll ask you to draw a scenario where making the group members unlistable for domain members would help.
LVL 44

Accepted Solution

Adam Brown earned 1000 total points (awarded by participants)
ID: 41846055
You *can* prevent read access for all users, but you won't gain much advantage by doing so. You may also inhibit some useful functions as well. For instance, users need to be able to read group objects to add them to ACLs. It's probably not something that will happen often, but in the off chance that someone needs to grant file permissions to their files, if they don't have read access they won't be able to find the groups they need to grant access. There are a bunch of other potential uses as well. Like finding out who to talk to if you need help.

Also, blocking users from enumerating group members as a way to keep them from learning usernames is a useless security tactic. Most organizations have standardized username conventions like first initial last name (bbrown for bobby brown), so if you know someone's name you know their username. Want to know the usernames required for domain admin access? Go to the IT department and ask everyone what their name is.

Knowing which user accounts are privileged is potentially useful to an attacker, but most organizations fail to disable the default administrator account in the domain, which means that's a moot point as well. Even if the default administrator is renamed to something other than administrator, the GUID stays the same, so it's easy to get access to that account with a minimum of effort.

Realistically, being able to read group memberships, or any AD attribute, for that matter, isn't really a security issue. It, by itself, doesn't allow someone to increase the level of access they have in the environment.
LVL 85

Expert Comment

by:David Johnson, CD, MVP
ID: 41873670
Security by obscurity is not a realistic and what the OP wants will break more things without adding any security

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

A discussion about Penetration Testing and the Tools used to help achieve this important task.
In computing, Vulnerability assessment and penetration testing are used to assess systems in light of the organization's security posture, but they have different purposes.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

588 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question