!!! Overview
[{$pagename}] shows some rather simple [LDAP] [SearchRequests] that reveal [risk] issues which might be of concern.


Many of these use the [Microsoft Active Directory] [LDAP_MATCHING_RULE_BIT_AND] ([1.2.840.113556.1.4.803]) matching rule to evaluate the [UserAccountControl] attribute for various [User-Account-Control Attribute Values].

!! [Risk]: [PASSWD_NOTREQD] (32)

[PASSWD_NOTREQD] implies the account could have no password at all, in which case anyone could authenticate as the entry and set their own password.
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" "userAccountControl" "EmployeeStatus" "employeeType" "pwdLastSet" "sAMAccountName" "objectClass"}}}

[{$applicationname}] was advised that this search also returns entries with [userAccountControl]=2080 (2048 + 32), which are [INTERDOMAIN_TRUST_ACCOUNT] entries; do not mess with these passwords. They do not have passwords but use non-password authentication. Here is a search that excludes those accounts and restricts the results to entries whose [pwdLastSet] is 0:
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2048))(pwdLastSet=0))" "sAMAccountName" "userAccountControl" "employeeStatus" "employeeType" "pwdLastSet" "lastLogonTimestamp" "createTimeStamp" "objectClass"}}}

!! [Risk]: [DONT_EXPIRE_PASSWORD] (65536)
The [DONT_EXPIRE_PASSWORD] FLAG overrides the [Password Policy] assigned to the user.

{{{searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}

!! [Risk]: Users with accounts that do not expire ([accountExpires])

Oddly, this is different from [DONT_EXPIRE_PASSWORD]: it addresses accounts that never expire rather than passwords. Read about [accountExpires] to learn why.

{{{searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(|(accountExpires=0)(accountExpires=9223372036854775807)))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}

!! [Risk]: Does NOT require [Kerberos Pre-Authentication] (4194304)

{{{searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}

!! [Risk]: Sensitive and not trusted
These are entries which have been assigned a "Sensitive Privilege" but are not "Trusted" for delegation. This has been observed during some attacks, where an attacker obtains the privilege but is not "Trusted".

{{{searchBase="DC=EXAMPLE,DC=COM" filter="(userAccountControl:1.2.840.113556.1.4.803:=1048576)" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}

!! [Risk]: NO [Password Change] since 2018
Often you will find that some entries have NEVER performed a logon; evaluate the [pwdLastSet] attribute to spot them.

{{{searchBase="DC=EXAMPLE,DC=COM" filter="(&(objectCategory=person)(objectClass=user)(pwdLastSet<=131707986436733938))" scope="SUBTREE" timeLimit="0" countLimit="1000" aliasesDereferencingMethod="ALWAYS" referralsHandlingMethod="IGNORE"}}}

And a slightly more specific search, using (sAMAccountType=805306368) together with [lastLogonTimestamp]:
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(sAMAccountType=805306368)(lastLogonTimestamp<=131592420610000000))" "userAccountControl" "employeeType" "lastLogonTimestamp" "objectClass"}}}
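The searches above mix two things a practitioner usually ends up scripting: the bitwise [userAccountControl] filters (including the 2080 trust-account case from the [PASSWD_NOTREQD] search) and the large [pwdLastSet] / [lastLogonTimestamp] thresholds, which are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC). The following Python helpers are an added example, not part of this page or of any tool it mentions; the flag names are taken from Microsoft's userAccountControl documentation, and the filter builders reproduce the filter syntax used on this page. They also show that this page's threshold 131707986436733938 corresponds to 2018-05-14.

```python
# Added example: triage helpers for the AD audit searches on this page (not the page's own code).
from datetime import datetime, timezone, timedelta

# userAccountControl bits discussed on this page (names per Microsoft's UAC documentation).
UAC_FLAGS = {
    32:      "PASSWD_NOTREQD",
    2048:    "INTERDOMAIN_TRUST_ACCOUNT",
    65536:   "DONT_EXPIRE_PASSWORD",
    1048576: "NOT_DELEGATED",       # "account is sensitive and cannot be delegated"
    2097152: "USE_DES_KEY_ONLY",
    4194304: "DONT_REQ_PREAUTH",
}
BIT_AND = "1.2.840.113556.1.4.803"           # LDAP_MATCHING_RULE_BIT_AND
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value (client-side triage)."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def is_trust_account(value):
    """Inter-domain trust accounts legitimately carry PASSWD_NOTREQD; leave them alone."""
    return bool(value & 2048)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, for building pwdLastSet / lastLogonTimestamp thresholds."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def uac_filter(bit, exclude_bits=()):
    """Bitwise-AND userAccountControl filter in the form used throughout this page."""
    f = f"(userAccountControl:{BIT_AND}:={bit})"
    for b in exclude_bits:
        f += f"(!(userAccountControl:{BIT_AND}:={b}))"
    return f"(&(objectCategory=person)(objectClass=user){f})"

def stale_password_filter(cutoff):
    """Users whose pwdLastSet is at or before the given datetime."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(pwdLastSet<={datetime_to_filetime(cutoff)}))")

if __name__ == "__main__":
    print(decode_uac(2080))                                 # PASSWD_NOTREQD + INTERDOMAIN_TRUST_ACCOUNT
    print(filetime_to_datetime(131707986436733938).date())  # 2018-05-14, this page's threshold
    print(uac_filter(32, exclude_bits=(2048,)))
    print(stale_password_filter(datetime(2018, 1, 1, tzinfo=timezone.utc)))
```

Run the filter builders to generate the filter string for `ldapsearch`, and feed the returned `userAccountControl` values through `decode_uac` to separate real user hits from trust accounts.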

!! [Risk]: [foreignSecurityPrincipal]
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 10000 "(objectClass=foreignSecurityPrincipal)" "memberOf" "sAMAccountName" "sAMAccountType" "objectClass"}}}

!! [Risk]: [USE_DES_KEY_ONLY] (2097152)
{{{ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 100000 "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))" "userAccountControl" "employeeType" "createTimeStamp" "objectClass"}}}


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]