Active Directory RISK Related Searches

Overview#

Active Directory RISK Related Searches lists some rather simple LDAP SearchRequests that can reveal risk issues that might be of concern.

Many of these use the Microsoft Active Directory LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matching rule to evaluate the UserAccountControl attribute for various User-Account-Control Attribute Values.

Risk: PASSWD_NOTREQD (32)#

PASSWD_NOTREQD implies the user could have no password, so anyone could authenticate as the entry and set their own password.

searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Ldapwiki was advised that this search also returns entries with userAccountControl=2080, which are INTERDOMAIN_TRUST_ACCOUNT entries; you should not mess with the passwords on these. They do not have passwords but use non-password authentication.

Risk: DONT_EXPIRE_PASSWORD (65536)#

DONT_EXPIRE_PASSWORD is a flag that overrides the Password Policy assigned to the user.

searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: Users with accounts that do not expire (accountExpires)#

This looks similar to DONT_EXPIRE_PASSWORD but is different: it addresses accounts that never expire, not passwords that never expire. Read about accountExpires to learn why.

searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: NOT require Kerberos Pre-Authentication#

searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: Sensitive and not trusted#

These are entries which have been assigned a "Sensitive Privilege" but are not "Trusted" for delegation. This has been observed during some attacks where an Attacker obtains the privilege but is not "Trusted".

searchBase="DC=EXAMPLE,DC=COM" filter="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"

Risk: NO Password Change since 2018#

By evaluating the pwdLastSet attribute, you will often find that some of the entries have NEVER performed a logon.

searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"
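
The following is an added example, not part of the original Ldapwiki page. It applies the same bit tests and attribute comparisons as the searches above to entries already retrieved, converts the pwdLastSet cutoff to a date, and builds a PASSWD_NOTREQD filter that leaves out INTERDOMAIN_TRUST_ACCOUNT entries. The function names, the labels ACCOUNT_NEVER_EXPIRES and PWD_NOT_CHANGED_SINCE_CUTOFF, and the sample entries are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BIT_AND = "1.2.840.113556.1.4.803"          # LDAP_MATCHING_RULE_BIT_AND
NEVER_EXPIRES = {0, 9223372036854775807}     # both accountExpires values searched above
UAC = {                                      # userAccountControl bits used on this page
    "PASSWD_NOTREQD": 32,
    "INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "DONT_EXPIRE_PASSWORD": 65536,
    "NOT_DELEGATED": 1048576,
    "DONT_REQ_PREAUTH": 4194304,
}

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def passwd_notreqd_filter():
    """PASSWD_NOTREQD search that leaves out interdomain trust accounts (2048)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND}:=32)"
            f"(!(userAccountControl:{BIT_AND}:=2048)))")

def risks(entry, pwd_cutoff):
    """Risk labels for one entry, using the same bit tests as the searches."""
    uac = entry["userAccountControl"]
    is_trust = bool(uac & UAC["INTERDOMAIN_TRUST_ACCOUNT"])
    found = [name for name, bit in UAC.items()
             if uac & bit and name != "INTERDOMAIN_TRUST_ACCOUNT"
             and not (name == "PASSWD_NOTREQD" and is_trust)]
    if entry["accountExpires"] in NEVER_EXPIRES:
        found.append("ACCOUNT_NEVER_EXPIRES")
    if entry["pwdLastSet"] <= pwd_cutoff:
        found.append("PWD_NOT_CHANGED_SINCE_CUTOFF")
    return found

# Constructed sample entries (not real directory data).
SAMPLES = {
    "alice":  {"userAccountControl": 544, "accountExpires": 9223372036854775807, "pwdLastSet": 132000000000000000},
    "TRUST$": {"userAccountControl": 2080, "accountExpires": 0, "pwdLastSet": 132000000000000000},
    "svc":    {"userAccountControl": 4260352, "accountExpires": 133000000000000000, "pwdLastSet": 131000000000000000},
}

if __name__ == "__main__":
    cutoff = 131707986436733938              # value from the page's pwdLastSet search
    print(filetime_to_datetime(cutoff).isoformat(), passwd_notreqd_filter())
    for name, entry in SAMPLES.items():
        print(name, risks(entry, cutoff))
```

Directory libraries often return these attributes as strings, so convert them with `int()` before passing entries to `risks`.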
