
LDAP Read Control for Domain Security

2025-01-17 update. Source: SLTechnology News&Howtos > Servers


Shulou (Shulou.com) 06/03 report


Luis

Active Directory (AD) is designed to be open by default: any domain user can read information about other users.

Microsoft recommends creating a separate domain administration account and delegating control, but there are more convenient ways.

0x01 Risk

Have you ever used AD Explorer and dsquery?

When the Red Team (hereinafter referred to as RT) has successfully broken through an external-facing server and entered the intranet, its main goal shifts from the external breakthrough to lateral movement inside the intranet.

If the intranet has a domain and RT obtains an ordinary domain account on the compromised server, RT can use the dsquery command and AD Explorer to obtain sensitive information such as the complete list of servers, the list of users and the organizational structure of the domain.

Figure 1 AD Explorer

Figure 2 dsquery computer

Figure 3 dsquery user

Figure 1, Figure 2 and Figure 3 respectively show the computer and user information in the domain obtained through AD Explorer and dsquery with an ordinary domain account.

Domain administrators sometimes ask why it matters if this information leaks. With it, RT effectively holds a complete map of the domain: it is easy to see which administrators and which business systems deserve attention. This sensitive information greatly improves the efficiency of RT's attack and can be called the "treasure map" of penetration testing.

0x02 How to Defend

In the default configuration of a domain, every domain user has read access to the LDAP service. This default is a serious weakness in domain security, and most domain administrators are unaware of it, while reading the directory this way is one of RT's favourite techniques.

So how do we defend against this kind of in-domain information gathering?

In practice, most users in the domain do not need LDAP read permission. The secure configuration is to deny the read and list permissions to ordinary users on the relevant AD objects.

0x03 Specific settings

Take Windows Server 2012 R2 as an example to explain the steps of security configuration in detail.

1. Ctrl+R, type dsa.msc and run it (this opens Active Directory Users and Computers).

2. Click View and select Advanced Features.

3. Add a user group, for example DisableLDAPGroup.

4. Right-click the user OU in the domain (the Personnel OU in this example) and select Properties.

   Note: Do not apply the Deny at the domain root, because Group Policy must still be delivered to users and computers. If read access is denied at the root, user and computer names can no longer be resolved and Group Policy delivery fails.

5. Select Security and click Advanced.

6. In the pop-up window, click Add.

7. In the pop-up window, click Select a principal, enter DisableLDAPGroup in the dialog that appears, and click OK.

8. Scroll to the bottom and select Clear all, then scroll back to the top, select List contents and Read all properties in the Permissions area, and select Deny in the Type area.

9. Click the OK button on all dialog boxes.

10. Add all users who do not need LDAP read permission to the DisableLDAPGroup group.
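The same configuration can be applied from the command line. The script below is an added example, not code from the original article, and uses the ActiveDirectory PowerShell module to perform steps 3 to 10: it creates the group, adds a Deny ACE for the two rights the GUI calls "List contents" (ListChildren) and "Read all properties" (ReadProperty) on the user OU, and then adds every user in that OU to the group except a documented list of exemptions. The group name follows the article; the OU distinguished names and the exempt account name are placeholders that have to be replaced with real values.

```powershell
# Added example (not from the original article): apply the Deny that the GUI
# steps configure, using the ActiveDirectory module. Run as a domain admin.
Import-Module ActiveDirectory

$GroupName   = 'DisableLDAPGroup'                    # group name used in the article
$GroupPath   = 'OU=Groups,DC=example,DC=local'       # placeholder: where the group is created
$TargetOuDn  = 'OU=Personnel,DC=example,DC=local'    # placeholder: the user OU from step 4 (never the domain root)
$ExemptUsers = @('svc-ldap-reader')                  # placeholder: dedicated accounts that still need LDAP reads

# Step 3: create the security group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $GroupPath -PassThru
}
$groupSid = $group.SID   # Get-ADGroup/New-ADGroup already return a SecurityIdentifier

# Steps 5-9: Deny ListChildren ("List contents") and ReadProperty ("Read all
# properties") for the group, on the OU and all of its descendant objects.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor `
           [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$deny    = [System.Security.AccessControl.AccessControlType]::Deny
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                  -ArgumentList $groupSid, $rights, $deny, $inherit

$acl = Get-Acl -Path "AD:\$TargetOuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOuDn" -AclObject $acl
Write-Host "Deny ListChildren+ReadProperty for $GroupName applied to $TargetOuDn"

# Step 10: every user in the OU except the documented exemptions joins the group.
$members = @(Get-ADUser -Filter * -SearchBase $TargetOuDn |
             Where-Object { $ExemptUsers -notcontains $_.SamAccountName })
if ($members.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $members
}
Write-Host "$($members.Count) users added to $GroupName; exempt: $($ExemptUsers -join ', ')"
```

Keeping the exemptions in an explicit list makes the business accounts from section 0x04 visible in the configuration rather than scattered through group membership, and re-running the script after new users are created in the OU picks them up automatically.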

After completing the steps above, we use dsquery and AD Explorer again to try to read the information.

As you can see, the LDAP read operation was successfully blocked!
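The manual check with dsquery and AD Explorer can be scripted so it is repeatable. The script below is an added example, not code from the original article: it first confirms that the Deny ACE for DisableLDAPGroup exists on the OU with both rights, then runs the same enumeration an ordinary account would run, using the credentials of a group member, and reports whether it was blocked. The OU distinguished name is a placeholder; the test account is prompted for interactively.

```powershell
# Added example (not from the original article): verify the Deny ACE and test
# the effect with a restricted account.
Import-Module ActiveDirectory

$GroupName  = 'DisableLDAPGroup'
$TargetOuDn = 'OU=Personnel,DC=example,DC=local'   # placeholder: OU from the configuration steps
$TestCred   = Get-Credential -Message "Enter an account that is a member of $GroupName"

# 1. Confirm the Deny ACE is present on the OU for the group, with both rights.
$groupSid     = (Get-ADGroup -Identity $GroupName).SID
$listChildren = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$acl = Get-Acl -Path "AD:\$TargetOuDn"
$denyAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid -and
    (($_.ActiveDirectoryRights -band $listChildren) -ne 0) -and
    (($_.ActiveDirectoryRights -band $readProperty) -ne 0)
}
if ($denyAce) {
    Write-Host "ACE present: Deny ListChildren+ReadProperty for $GroupName on $TargetOuDn"
} else {
    Write-Warning "No matching Deny ACE found on $TargetOuDn"
}

# 2. Run the enumeration with the restricted account. A denied reader usually
#    gets an empty result rather than an error (LDAP hides objects the caller
#    may not list), so both outcomes count as blocked.
try {
    $seen = @(Get-ADUser -Filter * -SearchBase $TargetOuDn -Credential $TestCred -ErrorAction Stop)
    if ($seen.Count -eq 0) {
        Write-Host "Blocked: $($TestCred.UserName) sees 0 objects under $TargetOuDn"
    } else {
        Write-Warning "NOT blocked: $($TestCred.UserName) can read $($seen.Count) objects under $TargetOuDn"
    }
} catch {
    Write-Host "Blocked: read failed with '$($_.Exception.Message)'"
}
```

Run the second part from a member server rather than the domain controller itself, so the test reflects what an ordinary domain-joined host sees; the first part only needs an account that can read the OU's security descriptor.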

0x04 Impact on Business

Many administrators ask: this prevents RT from reading LDAP information illegitimately, but does it affect the business?

Testing shows that denying LDAP read permission has no impact on normal logon or on LDAP authentication of computers in the domain.

For users without LDAP read permission, an error occurs when they try to select domain users, computers or groups. The workaround is to perform such operations with a privileged user. Since ordinary users rarely need this, the impact is acceptable.

If a business system needs to read domain information via LDAP, create a dedicated account for it and keep that account out of DisableLDAPGroup.
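The two exceptions this section describes are worth reviewing regularly. The script below is an added example, not code from the original article: it lists (a) the users in the OU who are not in DisableLDAPGroup and therefore keep LDAP read, which should be only the dedicated business accounts, and (b) privileged users who ended up in the group, since an explicit Deny also applies to administrators and would break the "use a privileged user" workaround. The OU distinguished name is a placeholder; the privileged group names are the standard built-in ones.

```powershell
# Added example (not from the original article): audit the exceptions to the
# LDAP read restriction.
Import-Module ActiveDirectory

$GroupName  = 'DisableLDAPGroup'
$TargetOuDn = 'OU=Personnel,DC=example,DC=local'   # placeholder: the restricted user OU
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')

# Resolve the group membership once (nested groups included), keyed by SID.
$members    = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                Where-Object { $_.objectClass -eq 'user' })
$memberSids = @($members | ForEach-Object { $_.SID.Value })

# (a) Users in the OU who are NOT in the group still have LDAP read. Each one
#     should correspond to a documented business need (see the Description).
$exempt = @(Get-ADUser -Filter * -SearchBase $TargetOuDn -Properties Description |
            Where-Object { $memberSids -notcontains $_.SID.Value })
Write-Host "Users in $TargetOuDn that keep LDAP read ($($exempt.Count)):"
$exempt | Select-Object SamAccountName, Description | Format-Table -AutoSize

# (b) Privileged accounts inside the Deny group would lose read access too,
#     because a Deny ACE takes precedence over their Allow ACEs.
$privSids = @()
foreach ($g in $PrivGroups) {
    $privSids += @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' } |
                   ForEach-Object { $_.SID.Value })
}
$conflicts = @($members | Where-Object { $privSids -contains $_.SID.Value })
if ($conflicts.Count -gt 0) {
    Write-Warning "Privileged accounts inside ${GroupName}: $($conflicts.SamAccountName -join ', ')"
} else {
    Write-Host "No privileged account is a member of $GroupName"
}
```

Report (a) is the list to compare against the change records for dedicated LDAP accounts; anything on it without a documented need belongs in the group. Report (b) should be empty.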

0x05 Summary

The problem of arbitrary users being able to read LDAP is often overlooked by administrators, but it is a favourite of Red Teams. Denying LDAP read permission to ordinary users effectively prevents the disclosure of information in the domain and improves the security of AD.
