Impact of Privileged User Compromise
The compromise of a single Active Directory privileged user account or group could instantly result in a massive breach.
It is a well-known and witnessed fact that the compromise of a single Active Directory unrestricted privileged user account could instantly jeopardize the security of all organizational IT assets and result in a massive cyber security breach.
However, the impact of compromise of an Active Directory user that possesses restricted privileged access is not as well-known and well-understood yet, and consequently many such privileged accounts remain undetected and vulnerable.
Impact of Compromise of a Privileged User who has Unrestricted Access in Active Directory
If someone could compromise an account that has unrestricted privileged access in Active Directory, he/she could instantly obtain command and control over the organization's entire IT infrastructure, systems, resources and data.
This would be tantamount to a system-wide breach, and potentially put the entire organization at risk of compromise.
Impact of Compromise of a User who can Manage Privileged User Accounts and Groups
If someone could compromise the account of a user that has sufficient effective permissions so as to be able to manage an organization's unrestricted privileged user accounts and groups in Active Directory, he/she too could instantly obtain command and control over the organization's entire IT infrastructure, systems, resources and data.
This too would be tantamount to a system-wide breach, and potentially put the entire organization at risk of compromise.
An Ocean of Delegated Privileged Access
A widely held belief is that the only privileged users in Active Directory are the domain user accounts that are members of default privileged groups such as Domain Admins.
However, at most organizations today there exists an ocean of privileged access within Active Directory that has been delegated and that is likely not yet on their radar.
As a result, at most organizations, there remain a large number of privileged user accounts in Active Directory that have not yet been identified and designated as privileged.
Consequently, all such accounts remain outside the umbrella of enhanced Privileged Access Management protection, and thus remain inadequately protected and vulnerable.
Organizations worldwide are advised and encouraged to gain a deeper understanding of privileged access in Active Directory as well as the impact of compromise of all privileged accounts.
Top-10 Privilege Delegations + Impact of Compromise
The following are the Top-10 administrative delegations frequently made in most Active Directory deployments today -
Modify the permissions on the AdminSDHolder object
Reset privileged or other domain user account's password
Change privileged or other domain group's membership
Modify permissions protecting an Organizational Unit (OU)
Link a Group Policy Object (GPO) to an OU
Disable the "Smart card is required for interactive logon" option on a user account
Create a domain user account
Delete a domain security group
Modify userAccountControl attribute on computer accounts
Modify keywords attribute on Service Connection Points
The impact of compromise of domain user accounts that possess such delegated privileged access is presented below.
Impact of Compromise of a Privileged User that Could Modify Permissions on AdminSDHolder
If a perpetrator could compromise an account that has sufficient effective permissions to modify permissions on, or the ownership of the AdminSDHolder object, he/she could gain control over all default privileged accounts and groups in Active Directory.
This too would be tantamount to a system-wide breach, and potentially put the entire organization at risk of compromise.
For example, if someone were to add a single security permission to the ACL of the AdminSDHolder object, such as "Allow Authenticated Users Full Control", literally every single domain user account and domain-joined computer would instantly become a Domain Admin equivalent privileged user.
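An added defender-side check, not code from the original page: it lists every trustee on AdminSDHolder that holds rights allowing the object's ACL or owner to be changed, and flags those outside an expected set. It assumes the RSAT ActiveDirectory module is available, that the account running it can read the object's security descriptor, and that the expected-trustee list (an assumption here) is adjusted to the organization's own baseline.

```powershell
# Added example: audit who can alter the ACL or ownership of AdminSDHolder.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Rights that allow changing the ACL, taking ownership, or that imply full control.
$dangerousRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor `
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor `
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Assumed baseline of trustees expected to hold such rights; anything else is reviewed.
$expected = @(
    "BUILTIN\Administrators",
    "NT AUTHORITY\SYSTEM",
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"   # adjust for child domains
)

# The AD: PSDrive exposes directory objects to Get-Acl.
$acl = Get-Acl -Path "AD:\$adminSdHolderDn"
Write-Host "AdminSDHolder owner: $($acl.Owner)"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band $dangerousRights) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($expected -contains $who) { continue }
    [pscustomobject]@{
        Trustee   = $who
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Unexpected trustees able to modify the AdminSDHolder ACL or owner:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected trustees with WriteDacl/WriteOwner/GenericAll on AdminSDHolder."
}
```

An unexpected owner reported on the first line is as significant as an unexpected ACE, since the owner can rewrite the ACL regardless of its contents.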
Impact of Compromise of a Privileged User that Could Reset a Domain User Account's Password
If someone could compromise an account that has sufficient effective permissions to reset the password of a domain user account, he/she could instantly log in as that account and access all IT resources that account has access to.
If someone could reset the password of even a single Active Directory privileged user's account, that too would be tantamount to a system-wide breach, and potentially put the entire organization at risk of compromise.
For example, if someone were to reset the password of an organization's CEO, CFO, CIO, CISO or the account of any Active Directory privileged user, he/she could instantly log in as that individual and do whatever he/she desires.
Impact of Compromise of a Privileged User that Could Change an AD Group's Membership
If someone could compromise an account that has sufficient effective permissions to change a domain security group's membership, he/she could add his/her/any account to that group and obtain access to all IT resources to which that group has access.
For example, if someone could change the membership of a group called Confidential/Restricted Level-3 Access, he/she could instantly obtain access to all (potentially thousands of) IT resources (files, folders, databases, Intranet sites, applications, etc.) in the network to which that group is granted access.
Impact of Compromise of a Privileged User that Could Modify Permissions Protecting an OU
If someone could compromise an account that has sufficient effective permissions to modify the permissions protecting an OU, he/she could use inheritance of permissions to gain privileged access on all domain accounts, computers, groups etc. in that OU.
For example, if someone could modify the security permissions protecting a top-level OU called Corp, he/she could instantly gain full administrative control over all (potentially thousands of) domain user accounts, computer accounts, security groups, printers, service connection points etc. that reside in that OU, and subsequently use that gained access to easily further gain unrestricted access to thousands of IT resources in the network.
Impact of Compromise of a Privileged User that Could Link a Group Policy to an OU
If someone could compromise an account that has sufficient effective permissions to link a GPO to an OU, he/she could link a malicious GPO to compromise, or gain privileged access on, all computers whose domain computer accounts reside in that OU.
For example, if someone could link a single malicious GPO to an OU in which a large number of the organization's computer accounts reside, such as an OU named Computers, he/she could instantly gain privileged access over all those computers, as well as subsequently use that gained access to easily further gain unrestricted access to all IT resources on those computers.
Impact of Compromise of a Privileged User that Could Disable the Use of SmartCards
If someone could compromise an account that has sufficient effective permissions to disable the use of smart cards on domain user accounts, he/she could downgrade those accounts' security to being solely password based, thus disabling two-factor authentication and significantly weakening security, and, if he/she could also reset their passwords, instantly log in to those accounts.
For example, if someone could disable the use of smart cards on a single privileged or executive user's account, he/she could then downgrade security on that account to being password based, and use this to more easily attempt to compromise that account through various credential-theft attack vectors, such as password guessing, brute-forcing, Pass-the-Hash (PtH) etc. If he/she could also reset the account's password, then he/she could take over that account within a matter of seconds without having to do anything else.
Impact of Compromise of a Privileged User that Could Create Domain User Accounts
If someone could compromise an account that has sufficient effective permissions to create domain user accounts in Active Directory, he/she could create an alternate account to engage in malicious activity that could likely not be traced back to the perpetrator.
For example, if an intruder or a malicious insider could create a domain user account, he/she would create an Active Directory account that would seem like a legitimate user account, and then (mis-)use it to easily engage in any desired nefarious activities, as well as automatically obtain access to all IT resources to which Authenticated Users have access.
Impact of Compromise of a Privileged User that Could Delete a Domain Security Group
If someone could compromise an account that has sufficient effective permissions to delete an existing domain security group, he/she could cause all members of that group to no longer have access to all IT resources to which that group is granted access.
For example, if someone could delete a domain security group such as All Employees, he/she would cause all members of that group to no longer be able to access any (and possibly thousands of) IT resources to which that group has access.
Impact of Compromise of a Privileged User that Could Modify userAccountControl Attribute on Computer Accounts
If someone could compromise an account that has sufficient effective permissions to modify the userAccountControl attribute on a computer account, he/she could set the Trusted for Unconstrained Delegation bit on that domain computer account, which could then enable this individual to use Kerberos delegation to impersonate a user and elevate privilege.
For example, if an intruder or a malicious insider could set this bit on the domain computer account of a computer that he/she has control over, then if he/she could lure a privileged user to access a service running on that computer, he/she could impersonate that privileged user to elevate privilege and gain domain-wide privileged access, potentially resulting in a massive breach.
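An added detection check, not code from the original page: it queries Active Directory for computer accounts whose userAccountControl carries the TRUSTED_FOR_DELEGATION bit (unconstrained delegation) and reports those that are not domain controllers, which legitimately carry it. It assumes the RSAT ActiveDirectory module; the bit values are the standard userAccountControl flags.

```powershell
# Added example: find non-DC computer accounts trusted for unconstrained delegation.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION = 0x80000   # UF_TRUSTED_FOR_DELEGATION: unconstrained delegation
$SERVER_TRUST_ACCOUNT   = 0x2000    # UF_SERVER_TRUST_ACCOUNT: set on domain controller accounts

# Matching rule 1.2.840.113556.1.4.803 performs a bitwise AND against the attribute,
# so the filter matches only objects with the delegation bit set.
$filter = "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)"

$computers = Get-ADComputer -LDAPFilter $filter `
    -Properties userAccountControl, operatingSystem, whenChanged

$report = foreach ($c in $computers) {
    $uac = [int]$c.userAccountControl
    [pscustomobject]@{
        Name               = $c.Name
        IsDomainController = (($uac -band $SERVER_TRUST_ACCOUNT) -ne 0)
        OperatingSystem    = $c.operatingSystem
        LastChanged        = $c.whenChanged   # recent change on a non-DC deserves a closer look
    }
}

# Domain controllers are expected; any other host with this bit is a finding to review.
$unexpected = $report | Where-Object { -not $_.IsDomainController }
if ($unexpected) {
    Write-Warning "Non-DC computer accounts trusted for unconstrained delegation:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "No non-DC computer accounts with unconstrained delegation found."
}
```

Pairing this periodic query with Directory Service Changes auditing (event ID 5136 on userAccountControl modifications of computer objects) catches a newly set bit between runs.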
Impact of Compromise of a Privileged User that Could Modify Keywords Attribute on SCPs
If someone could compromise an account that has sufficient effective permissions to modify the keywords attribute on a service connection point (SCP), he/she could launch a denial-of-service attack on the service that relies on that SCP.
For example, if an intruder or a malicious insider could change the keywords of the service connection point used to join the Active Directory to Microsoft Azure, then he/she could instantly cause an organization-wide denial of service attack wherein access to Microsoft Azure would be disrupted for all organizational users.
The Importance of Correctly Identifying Privileged Access in Active Directory
As illustrated above, the compromise of a single user account that even has restricted privileged access in Active Directory could equally result in a cyber security breach.
Whereas members of default Active Directory privileged groups are easy to identify, accounts that possess delegated privileged access in Active Directory are not.
To correctly identify accounts that possess delegated privileged access in Active Directory, organizations need to accurately identify effective permissions on Active Directory objects.
Organizations worldwide are thus advised and encouraged to gain a deeper understanding of both unrestricted and delegated privileged access, and effective permissions in Active Directory.