?
Solved

Active Directory Read Access on Groups and Default Permissions

Posted on 2016-10-16
4
Medium Priority
?
38 Views
Last Modified: 2016-11-04
It seems that all AD authenticated users by default are able to list the members of all groups, including Domain Admins and Enterprise Admins groups. Is there a reason for this?

If I disable the read access from some of the groups, i.e. so that users will not be able to find out the Domain Administrators accounts, this will cause any problems?

Also, are there any other default read permissions that it's suggested to be disabled, for security purposes?

Thanks,
0
Comment
Question by:Harrris
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points (awarded by participants)
ID: 41845864
That is why we have passwords knowing a username is useless without a password with a good lockout policy
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41845934
Harrris, it's difficult to find a realistic scenario, where an attacker would have an advantage carrying out his attack, if he knew the names of (for example) a certain domain administrator account.

So I'll ask you to draw a scenario where making the group members unlistable for domain members would help.
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1000 total points (awarded by participants)
ID: 41846055
You *can* prevent read access for all users, but you won't gain much advantage by doing so. You may also inhibit some useful functions as well. For instance, users need to be able to read group objects to add them to ACLs. It's probably not something that will happen often, but in the off chance that someone needs to grant file permissions to their files, if they don't have read access they won't be able to find the groups they need to grant access. There are a bunch of other potential uses as well. Like finding out who to talk to if you need help.

Also, blocking users from enumerating group members as a way to keep them from learning usernames is a useless security tactic. Most organizations have standardized username conventions like first initial last name (bbrown for bobby brown), so if you know someone's name you know their username. Want to know the usernames required for domain admin access? Go to the IT department and ask everyone what their name is.

Knowing which user accounts are privileged is potentially useful to an attacker, but most organizations fail to disable the default administrator account in the domain, which means that's a moot point as well. Even if the default administrator is renamed to something other than administrator, the GUID stays the same, so it's easy to get access to that account with a minimum of effort.

Realistically, being able to read group memberships, or any AD attribute, for that matter, isn't really a security issue. It, by itself, doesn't allow someone to increase the level of access they have in the environment.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41873670
Security by obscurity is not a realistic and what the OP wants will break more things without adding any security
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question