Active Directory Data Privacy Issue
I did penetration testing using PowerView and used it to retrieve user information from Active Directory (hereinafter referred to as AD). At that time, I focused on collecting information about membership in security groups, and then used this information to navigate the network. In any case, AD contains confidential data about employees, some of them really should not be accessible to everyone in the organization. In fact, on Windows file systems, there is an equivalent Everyone problem, which can also be used by both internal and external attackers.
But before we talk about privacy issues and how to fix them, let's take a look at the data stored in AD.
Active Directory is Corporate Facebook
But in this case, you have already made friends with everyone! You may not find out about your colleagues ’favorite movies, books, and restaurants, but AD contains sensitive contacts
data and other fields that can be used by hackers and even insiders without special technical skills.
System administrators, of course, are familiar with the screenshot below. This is the Active Directory Users and Computers (ADUC) interface, where they install and edit user information and assign users to the appropriate groups.
AD contains fields with the name of the employee, address and phone number, so it looks like a telephone directory. But there is much more! Other tabs also have an email address and web address, an immediate supervisor and notes.
Does everyone in the organization need to see this information, especially in the OSINT era, when every new part makes finding additional information even easier?
Of course not! The problem is exacerbated when data from senior management is available to all employees.
PowerView for everyone
This is where PowerView comes into play. It provides a very convenient PowerShell interface for the underlying (and confusing) Win32 functions that access AD. In short:
this makes getting AD fields as easy as entering a very short cmdlet.
Let's take an example of collecting information about an employee of Cruella Deville, who is one of the leaders of the company. To do this, use the PowerView get-NetUser cmdlet:
Installing PowerView is not a serious issue – see for yourself on the github page. And more importantly, you do not need elevated privileges to run many PowerView commands, such as get-NetUser. Thus, a motivated, but not very technically savvy employee can start poking around in AD without much effort.
From the screenshot above, it can be seen that the insider can quickly learn a lot about Cruella. Did you also notice that the “info” field displays information about personal habits and the user's password?
This is not a theoretical probability. From dialogs with other pentesters, I learned that they scan AD to search for passwords in an unencrypted form, and often these attempts, unfortunately, are successful. They know that companies are careless about information in AD, and usually they don’t know about the next topic – permissions in AD.
Active Directory has its own ACLs
The AD Users and Computers interface allows you to set permissions for AD objects. There are ACLs in AD, and administrators can assign or deny access through them. You need to click “Advanced” in the ADUC View menu, and then when you open the user, you will see the “Security” tab in which you set the ACL.
In my Cruella script, I did not want all Authenticated Users to be able to see her personal information, so I denied them read access:
And now a regular user will see this if they try Get-NetUser in PowerView:
I managed to hide obviously useful information from prying eyes. To keep it accessible to relevant users, I created another ACL to allow VIP members (Cruella and other senior colleagues) to access this sensitive data. In other words, I implemented AD permissions based on the role model, which made sensitive data inaccessible to most employees, including insiders.
However, you can make group membership invisible to users by setting the appropriate ACL for the group object in AD. This will help in terms of privacy and security.
In my series of epic pentests, I showed how you can navigate the system by exploring group membership using PowerViews Get-NetGroupMember. In my scenario, I restricted read access to membership in a particular group. You see the result of the command before and after the changes:
I managed to hide the membership of Cruella and Monty Burns in the VIP group, which complicated the exploration of infrastructure by hackers and insiders.
This post was intended to motivate you to study the fields more closely.
AD and related permissions. AD is a great resource, but think about how you would
wanted to share confidential information and personal data, especially
when it comes to the first persons of your organization.