Solved

Active Directory Read Access on Groups and Default Permissions

Posted on 2016-10-16
4
30 Views
Last Modified: 2016-11-04
It seems that all AD authenticated users by default are able to list the members of all groups, including Domain Admins and Enterprise Admins groups. Is there a reason for this?

If I disable the read access from some of the groups, i.e. so that users will not be able to find out the Domain Administrators accounts, this will cause any problems?

Also, are there any other default read permissions that it's suggested to be disabled, for security purposes?

Thanks,
0
Comment
Question by:Harrris
  • 2
4 Comments
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41845864
That is why we have passwords knowing a username is useless without a password with a good lockout policy
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41845934
Harrris, it's difficult to find a realistic scenario, where an attacker would have an advantage carrying out his attack, if he knew the names of (for example) a certain domain administrator account.

So I'll ask you to draw a scenario where making the group members unlistable for domain members would help.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 250 total points (awarded by participants)
ID: 41846055
You *can* prevent read access for all users, but you won't gain much advantage by doing so. You may also inhibit some useful functions as well. For instance, users need to be able to read group objects to add them to ACLs. It's probably not something that will happen often, but in the off chance that someone needs to grant file permissions to their files, if they don't have read access they won't be able to find the groups they need to grant access. There are a bunch of other potential uses as well. Like finding out who to talk to if you need help.

Also, blocking users from enumerating group members as a way to keep them from learning usernames is a useless security tactic. Most organizations have standardized username conventions like first initial last name (bbrown for bobby brown), so if you know someone's name you know their username. Want to know the usernames required for domain admin access? Go to the IT department and ask everyone what their name is.

Knowing which user accounts are privileged is potentially useful to an attacker, but most organizations fail to disable the default administrator account in the domain, which means that's a moot point as well. Even if the default administrator is renamed to something other than administrator, the GUID stays the same, so it's easy to get access to that account with a minimum of effort.

Realistically, being able to read group memberships, or any AD attribute, for that matter, isn't really a security issue. It, by itself, doesn't allow someone to increase the level of access they have in the environment.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41873670
Security by obscurity is not a realistic and what the OP wants will break more things without adding any security
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now