Solved

Active Directory Read Access on Groups and Default Permissions

Posted on 2016-10-16
4
32 Views
Last Modified: 2016-11-04
It seems that all AD authenticated users by default are able to list the members of all groups, including Domain Admins and Enterprise Admins groups. Is there a reason for this?

If I disable the read access from some of the groups, i.e. so that users will not be able to find out the Domain Administrators accounts, this will cause any problems?

Also, are there any other default read permissions that it's suggested to be disabled, for security purposes?

Thanks,
0
Comment
Question by:Harrris
  • 2
4 Comments
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41845864
That is why we have passwords knowing a username is useless without a password with a good lockout policy
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41845934
Harrris, it's difficult to find a realistic scenario, where an attacker would have an advantage carrying out his attack, if he knew the names of (for example) a certain domain administrator account.

So I'll ask you to draw a scenario where making the group members unlistable for domain members would help.
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 250 total points (awarded by participants)
ID: 41846055
You *can* prevent read access for all users, but you won't gain much advantage by doing so. You may also inhibit some useful functions as well. For instance, users need to be able to read group objects to add them to ACLs. It's probably not something that will happen often, but in the off chance that someone needs to grant file permissions to their files, if they don't have read access they won't be able to find the groups they need to grant access. There are a bunch of other potential uses as well. Like finding out who to talk to if you need help.

Also, blocking users from enumerating group members as a way to keep them from learning usernames is a useless security tactic. Most organizations have standardized username conventions like first initial last name (bbrown for bobby brown), so if you know someone's name you know their username. Want to know the usernames required for domain admin access? Go to the IT department and ask everyone what their name is.

Knowing which user accounts are privileged is potentially useful to an attacker, but most organizations fail to disable the default administrator account in the domain, which means that's a moot point as well. Even if the default administrator is renamed to something other than administrator, the GUID stays the same, so it's easy to get access to that account with a minimum of effort.

Realistically, being able to read group memberships, or any AD attribute, for that matter, isn't really a security issue. It, by itself, doesn't allow someone to increase the level of access they have in the environment.
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 41873670
Security by obscurity is not a realistic and what the OP wants will break more things without adding any security
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question