Overview#
Active Directory RISK Related Searches shows some rather simple LDAP SearchRequests which probably reveal some risk issues that might be of concern.Many of these use the Microsoft Active Directory LDAP_MATCHING_RULE_BIT_AND ((1.2.840.113556.1.4.803)) control and evaluate the UserAccountControl for various User-Account-Control Attribute Values.
Risk: PASSWD_NOTREQD (32)#
PASSWD_NOTREQD implies the user could have no password and anyone could authenticate as the entry and set their own password.
searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORELdapwiki was advised that this includes values with userAccountControl=2080 which are INTERDOMAIN_TRUST_ACCOUNT which you should not mess with these passwords. They do not have passwords but use non-password authentications.
Risk: DONT_EXPIRE_PASSWORD (65536)#
The DONT_EXPIRE_PASSWORD is a FLAG that overrides the Password Policy assigned to the user.searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: Users with accounts that do not expire" (accountExpires)#
Weird but this is different from DONT_EXPIRE_PASSWORD. This addresses accounts that never expire vs passwords. Read about accountExpires to learn why.
searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: Users with accounts that do not expire #
searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE
Risk: NOT require Kerberos Pre-Authentication #
searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: Sensitive and not trusted#
These are entries which have been assigned a "Sensitive Privilege" but are not "Trusted" for delegation. This has been observed during some attacks where an Attacker obtains the privilege but not is "Trusted"searchBase="DC=EXAMPLE,DC=COM" filer="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
Risk: NO Password Change since 2018#
Often you will find some of entries have NEVER performed a logon by evaluating the pwdLastSet attribute.searchBase="DC=EXAMPLE,DC=COM" filer="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
