In today’s short post, part 2 of How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT admins, IT managers, IT consultants as well as IT and Cyber Security auditors can easily audit Active Directory to identify all domain-joined computers in an Active Directory domain whose domain computer accounts are “Trusted for Unconstrained Delegation.”
Computers “Trusted for Unconstrained Delegation”
Computers whose domain computer accounts are “Trusted for Unconstrained Delegation” could pose a security risk as they could be misused to engage in Active Directory Privilege Escalation.
In particular, if a computer’s domain-computer account in Active Directory is configured to be “Trusted for Unconstrained Delegation”, then anyone with admin access to that computer can launch a service (running as System* on that computer) designed to obtain a Kerberos ticket to any resource on behalf of any* client that can be lured into accessing that service. This gives the perpetrator the opportunity to impersonate ordinary, privileged and executive users (e.g. CEO, CFO, CIO etc.) and obtain unauthorized access to files, folders, computers, servers, internal sites, SharePoint portals, databases, line-of-business applications, HR systems etc., as well as to engage in Active Directory Privilege Escalation.
By way of example, suppose a rogue insider has admin access on a computer whose domain-computer account is marked as “Trusted for Unconstrained Delegation”. He/she could launch a service on that computer and then lure an Active Directory privileged user into connecting to it. That service could then request and obtain a Kerberos ticket to any resource of choice, including Domain Controllers, in the security context of the client, which in this case is an Active Directory privileged user. In doing so, the perpetrator could instantly elevate privilege to that of an Active Directory privileged user, thereby easily and instantly obtaining complete command and control over the entire Active Directory forest.
*Note: In the interest of simplicity, the description provided above is highly simplified. It may further be noted that alternatives such as constrained Kerberos delegation could be used to mitigate risk.
Ideally, only Domain Controllers should have the “Trusted for Unconstrained Delegation” bit set on their domain computer accounts. Unfortunately, due to various reasons such as legacy requirements, misconfiguration, scripting errors, or malicious changes, there could be other computers in an Active Directory forest that have this sensitive Kerberos setting enabled.
Thus, all organizations operating on Active Directory should consider frequently performing an Active Directory audit to identify domain computer accounts “Trusted for Unconstrained Delegation”.
How to Audit Computer Accounts Trusted for Unconstrained Delegation
Here’s a quick video that shows how anyone can instantly audit Active Directory to identify all domain computer accounts that are “Trusted for Unconstrained Delegation”:
As seen above, one does not need to know Active Directory or have admin access to perform this simple audit. All you need is a domain-user account to perform this audit, and it takes seconds.
Thus, to make this easy, our Active Directory Security Audit Tool has a dedicated report to help IT personnel audit all domain computer accounts that are “Trusted for Unconstrained Delegation.”
This tool can be downloaded, installed and run all in under 2 minutes, without requiring any admin privileges.
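For readers who want to run the same check themselves, here is an added PowerShell example (not the tool described in this post, and not the author’s code) that queries the domain for computer accounts with the TRUSTED_FOR_DELEGATION flag set and separates domain controllers, where the flag is expected, from everything else. It assumes the RSAT ActiveDirectory module is installed and that the session runs as an ordinary domain user with read access to the directory.

```powershell
# Added example: audit computer accounts trusted for unconstrained delegation.
# Assumes the RSAT ActiveDirectory module; no admin rights are needed for the query.
Import-Module ActiveDirectory

# Well-known userAccountControl flags
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288: "Trusted for Unconstrained Delegation"
$SERVER_TRUST_ACCOUNT   = 0x2000    # 8192: set on domain controller computer accounts

# LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) lets the DC
# evaluate the flag server-side instead of pulling every computer object.
$filter = "(&(objectCategory=computer)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"

$computers = Get-ADComputer -LDAPFilter $filter `
    -Properties userAccountControl, operatingSystem, whenChanged

$findings = foreach ($c in $computers) {
    $isDC = (($c.userAccountControl -band $SERVER_TRUST_ACCOUNT) -ne 0)
    if ($isDC) {
        $verdict = 'Expected: domain controller'
    } else {
        $verdict = 'REVIEW: non-DC trusted for unconstrained delegation'
    }
    [pscustomobject]@{
        Name               = $c.Name
        DistinguishedName  = $c.DistinguishedName
        OperatingSystem    = $c.operatingSystem
        LastChanged        = $c.whenChanged      # when the object was last modified
        IsDomainController = $isDC
        Verdict            = $verdict
    }
}

# Show everything, DCs first, then write only the accounts that need review to CSV.
$findings | Sort-Object IsDomainController, Name | Format-Table -AutoSize
$findings | Where-Object { -not $_.IsDomainController } |
    Export-Csv -NoTypeInformation -Path .\unconstrained-delegation-review.csv

"Total with flag: $($findings.Count); needing review: " +
    "$(($findings | Where-Object { -not $_.IsDomainController }).Count)"
```

Any non-DC account in the CSV is a finding to explain or remediate (for example by moving the service to constrained delegation, as the note above mentions). Re-running the query on a schedule and diffing the CSV against the previous run surfaces newly flagged accounts, which is what an audit of this setting is ultimately for.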
For Advanced Users
Advanced users know that anyone who has sufficient delegated administrative access in Active Directory to modify this setting on domain computer accounts could easily enable it on various computers, and potentially give themselves the opportunity to enact an Active Directory Privilege Escalation attack as described above. Thus, ideally, organizations should also frequently audit their Active Directory to determine exactly who can change the “Trusted for Unconstrained Delegation” setting on all their domain computer accounts.
This is an advanced Active Directory audit that requires the ability to perform accurate Active Directory effective permissions analysis on all domain computer accounts in an Active Directory domain. The accurate determination of Active Directory effective permissions is a very difficult, expertise-reliant, time-consuming and error-prone process. Unfortunately, even PowerShell isn’t that powerful.
Our advanced Active Directory Effective Permissions Audit Tool and Active Directory Administrative Access and Delegation Audit Tool uniquely automate the accurate determination of effective permissions/access, both on a per-object basis and across all domain computer accounts in an Active Directory domain, at the touch of a button. This gives advanced users and all security-conscious organizations the ability to audit and uncover exactly who can change/modify this sensitive setting on all domain-joined computers in an Active Directory domain.
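As an added, deliberately limited example (again not the author’s tool), the following PowerShell enumerates the explicit access-control entries on each computer account that could allow writing userAccountControl. It is a first-pass inventory, not the effective-permissions analysis the text calls for: it does not expand group nesting, resolve deny-versus-allow precedence, or account for inheritance rules, so it can both over- and under-report. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and read access to the objects’ security descriptors.

```powershell
# Added example: list explicit ACEs that could permit changing userAccountControl.
# NOT an effective-permissions calculation (no group expansion, deny precedence,
# or inheritance evaluation); treat the output as leads to investigate.
Import-Module ActiveDirectory

# Well-known schema GUIDs (fixed across all forests):
$uacAttribute = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # userAccountControl attribute
$acctRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set, contains userAccountControl
$allProperties = [guid]'00000000-0000-0000-0000-000000000000' # empty ObjectType = every attribute

# Rights that subsume writing any attribute (or let the holder grant it to themselves)
$broadRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

function Get-UacWriteAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString().Split(',') | ForEach-Object { $_.Trim() }
        $hasBroad = @($rights | Where-Object { $broadRights -contains $_ }).Count -gt 0
        $writesUac = ($rights -contains 'WriteProperty') -and
                     ($ace.ObjectType -in @($uacAttribute, $acctRestrict, $allProperties))
        if ($hasBroad -or $writesUac) {
            [pscustomobject]@{
                Computer  = $DistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Walk every computer account in the domain; narrow with -SearchBase for large domains.
$results = Get-ADComputer -Filter * |
    ForEach-Object { Get-UacWriteAces -DistinguishedName $_.DistinguishedName }

# Summarize by trustee so the review starts with the most widely entitled principals.
$results | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object @{n='Trustee';e={$_.Name}}, @{n='ComputersAffected';e={$_.Count}} |
    Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path .\uac-write-aces.csv
```

One caveat worth keeping in mind when reading the output: a domain controller only accepts a change to the TRUSTED_FOR_DELEGATION bit from a caller who also holds the “Enable computer and user accounts to be trusted for delegation” user right (SeEnableDelegationPrivilege) on the DC, so the write-permission inventory above should be read together with who is granted that right in Domain Controller policy.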
To conclude this post, basic users may want to begin by identifying all domain computer accounts that are “Trusted for Unconstrained Delegation” and advanced users may additionally want to further identify exactly who can change this setting on each and every one of their domain-joined computers. Considering that there could be thousands of domain-joined computers in an Active Directory domain, and a delegated administrator need only change this setting on any ONE domain-joined computer to be in a position to launch an Active Directory privilege escalation attack, hopefully advanced users will see why making this determination is so important to organizational cyber security.
PS: You may also find our 100+ slide-deck on Active Directory Security very useful and insightful.