We have an All Systems Secure initiative going on in our company, and as a part of it we have been looking at the security of our Active Directory and any known threats and risks to our Active Directory.
In doing some basic research, I came across a few sites that talked about Privilege Escalation in Active Directory, but I'm not sure I understood what this means or entails. I mean I generally understand what escalation of privilege entails but what does it have to do with our Active Directory per se?
If someone could provide a brief explanation of what privilege escalation in Active Directory means, and how we could protect our Active Directory from it, it would greatly benefit our organization and I am sure others as well.
Shalom. Privilege Escalation in Active Directory is the process by which an attacker systematically escalates their privilege in Active Directory from that of a lesser privileged account to a more privileged account. It is one of the easiest ways in which an attacker, especially an insider, could instantly compromise an Active Directory.
Here's an example - let's say a hacker wanted to compromise a Domain Admin account.
Here's how the hacker could use privilege escalation in Active Directory to start with a regular user account and ultimately compromise the Domain Admin's account -
1. Obtain a list of all Domain Admin accounts by enumerating the nested group membership of the Domain Admins security group.
2. Select any one (or more) of these Domain Admin accounts as the target of the attack. Let's assume the Domain Admin selected is John Doe.
3. Find out exactly who can reset the password of John Doe's user account. Let's assume that the hacker found that 27 people can do so, and one of them is Jane Doe.
4. Find out exactly who can reset the password of Jane Doe's user account. Let's assume that the hacker found that 34 people can do so, and one of them is Jim Doe.
5. Find out exactly who can reset the password of Jim Doe's user account. Let's assume that the hacker found that 8 people can do so, and one of them is Jack Doe.
6. Now all the hacker needs to do is compromise Jack Doe's account, then log in as Jack and reset Jim's password, then log in as Jim and reset Jane's password, then log in as Jane and reset John's password, thus becoming Domain Admin.
This whole thing can be done in just a few minutes, and once done, the hacker has just escalated his privilege from an ordinary user to a Domain Admin. He/she could then lock out all other Domain Admins and take full control of the Active Directory.
In order to protect Active Directory from such privilege escalation attacks, it is always best to ensure that you know precisely who can reset whose passwords at all times in your Active Directory.
By the way, if you need to find out how many admins can reset your account's password today, the only tool I have found to do so is one called Gold Finger Mini.
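The reset-password chain the answer walks through (Jack → Jim → Jane → John → Domain Admins) is a path-finding problem over two relations: group membership and "who holds the Reset Password right on whose user object". The script below is an added example, not code from the original post or from Gold Finger. It models those two relations in Python and finds the shortest chain from a low-privilege account to any (nested) member of Domain Admins, and then turns the same search around into the defender's check the answer recommends: every non-admin account that has some chain to Domain Admins. All directory data in it is constructed for illustration; in a real assessment the same two relations would be collected from the domain's ACLs (for instance with Get-Acl on the AD: drive, or a BloodHound-style collector). Account and group names are hypothetical.

```python
"""Model of the password-reset privilege escalation chain from the answer.

Added example with CONSTRUCTED directory data; not a query against a live
domain and not the original post's code. Two relations are modelled:
  * group -> direct members (users or nested groups), and
  * user  -> trustees holding the "Reset Password" right on that user object.
"""
from collections import deque

# Constructed: group -> direct members. Nested groups are expanded (step 1).
GROUP_MEMBERS = {
    "Domain Admins": {"john.doe", "Tier0-Ops"},
    "Tier0-Ops": {"alice.admin"},
    "Helpdesk": {"jane.doe"},
    "Helpdesk-Leads": {"jim.doe"},
}

# Constructed ACL facts: target user -> principals (users or groups) that hold
# the Reset Password extended right on the target's user object. A right held
# by a group applies to every nested member of that group.
RESET_PASSWORD_RIGHTS = {
    "john.doe": {"Helpdesk"},          # jane.doe reaches John via Helpdesk
    "jane.doe": {"Helpdesk-Leads"},    # jim.doe reaches Jane via Helpdesk-Leads
    "jim.doe": {"jack.doe"},           # jack.doe holds the right directly
    "alice.admin": {"Tier0-Ops"},      # only Tier0-Ops (i.e. Alice herself)
}


def expand_members(group, group_members=GROUP_MEMBERS):
    """All users in `group`, following nested group membership (step 1)."""
    users, stack, seen = set(), [group], set()
    while stack:
        g = stack.pop()
        if g in seen:                      # guards against membership cycles
            continue
        seen.add(g)
        for m in group_members.get(g, ()):
            if m in group_members:         # nested group: keep expanding
                stack.append(m)
            else:
                users.add(m)
    return users


def users_who_can_reset(target, rights=RESET_PASSWORD_RIGHTS,
                        group_members=GROUP_MEMBERS):
    """Users able to reset `target`'s password, with group trustees expanded
    to their members (steps 3 to 5). The target itself is excluded."""
    users = set()
    for trustee in rights.get(target, ()):
        if trustee in group_members:
            users |= expand_members(trustee, group_members)
        else:
            users.add(trustee)
    users.discard(target)
    return users


def reset_graph(rights=RESET_PASSWORD_RIGHTS, group_members=GROUP_MEMBERS):
    """Directed edges attacker -> victim: attacker can reset victim's password."""
    graph = {}
    for target in rights:
        for attacker in users_who_can_reset(target, rights, group_members):
            graph.setdefault(attacker, set()).add(target)
    return graph


def escalation_path(start, admin_group="Domain Admins",
                    rights=RESET_PASSWORD_RIGHTS, group_members=GROUP_MEMBERS):
    """Shortest chain of password resets from `start` to a member of
    `admin_group` (breadth-first search). Returns the accounts taken over in
    order, [start] if start is already an admin, or None if no chain exists."""
    admins = expand_members(admin_group, group_members)
    graph = reset_graph(rights, group_members)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in admins:
            return path
        for victim in graph.get(path[-1], ()):
            if victim not in seen:
                seen.add(victim)
                queue.append(path + [victim])
    return None


def accounts_that_can_reach(admin_group="Domain Admins",
                            rights=RESET_PASSWORD_RIGHTS,
                            group_members=GROUP_MEMBERS):
    """Defender's view: every non-admin user with some reset chain to
    `admin_group`. Any account in this set is effectively a Domain Admin."""
    admins = expand_members(admin_group, group_members)
    graph = reset_graph(rights, group_members)
    candidates = set(graph) | {v for vs in graph.values() for v in vs}
    return {u for u in candidates - admins
            if escalation_path(u, admin_group, rights, group_members)}


if __name__ == "__main__":
    print("Chain from jack.doe:", " -> ".join(escalation_path("jack.doe")))
    print("Accounts with a chain to Domain Admins:",
          sorted(accounts_that_can_reach()))
```

Two points a practitioner would add when feeding this real data: in Active Directory the "Reset Password" right is the User-Force-Change-Password extended right on the user object, but GenericAll on the object, or WriteDacl/WriteOwner on it (which let the holder grant themselves that right), give the same effective power and should be folded into the same relation; and because rights are usually granted to groups rather than individuals, the nested-group expansion above is what turns "27 trustees on the ACL" into the actual list of people who can perform the reset.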