Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, June 20, 2014

Active Directory Account Password Security 101 for Regulatory Compliance Auditors - The Difference Between Change Password and Reset Password


I hope this finds you well. Today, I just wanted to take a few minutes to shed light on a matter that impacts virtually every publicly-held organization in the United States, and possibly most organizations across the world.

A few weeks ago, yet another globally prominent multi-$B publicly held U.S organization licensed Gold Finger 007.

Given Gold Finger 007’s numerous capabilities (Active Directory Delegation Audit, Active Directory Effective Permissions Analysis, Active Directory Permissions Analysis, Domain-wide Kerberos Token Size Computation etc.), we always like to learn about what our customers are using Gold Finger for.

So when we asked them what they intended to use Gold Finger for, they informed us that they wish to use it to “audit who can change whose passwords in Active Directory, because their SOX Compliance auditors required them to furnish this information.”

That was a bit surprising. We figured they meant to say “who can reset whose passwords” so we asked them again whether the auditors required them to furnish a report of “who can change whose passwords”, or “who can reset whose passwords.

They confirmed that the auditors wanted to know “who can change whose passwords”.

That to us was a bit worrying.

Here’s why –

The Difference between Change Password and Reset Password

Folks, the difference between “who can change passwords” and “who can reset passwords” is paramount to understand for organizational security, yet it remains largely misunderstood, and thus is worth shedding light on -

Active Directory Password Changes

Every domain user account in Active Directory is protected by a password, and it is the knowledge of this password that allows the account holder to authenticate him/herself, and in effect stake claim to the identity represented by that domain user account.

When a user’s account is initially set up, he/she is provided with a temporary password (ideally via secure means), and then asked to immediately change that password to a new value, i.e. one that only he/she has knowledge of.

Only the account’s holder is supposed to know the account’s password. No one else is supposed to know his/her password, because anyone who knows the account’s password can authenticate to the system as that user by using that password.

Now, for security reasons, most organizations require users to change their passwords on a periodic basis, so as to protect passwords from password guessing attacks, and as such the system provides a facility to let users change their passwords.

A user can change his/her password by invoking the Security Authentication Sequence (“Alt-Ctrl-Del”), then selecting the “Change Password” option. The user is then required to enter BOTH the new password AND the current password.

(Note: The Windows Change Password dialog refers to the current password as the old password.)

If the current password entered is valid, the system accepts the password change request, and proceeds to change the user’s password to the new value. If the current password entered is not valid, the system denies the password change request.

Now, it is very important to NOTE that in order to change the password, the user is REQUIRED to enter the current password i.e. WITHOUT demonstrating knowledge of the current password, he/she CANNOT change the password.

In other words, if one assumes that ONLY the user knows the password to his/her account, then one can infer that NO ONE ELSE can change the user’s password, because NO ONE ELSE knows the user’s current password.

In summary, there is NO need to audit who can change whose passwords because (in 99.9999% of cases), ONLY the user account holder knows the current password of the account, and without knowing the current user’s password, no one can change the user’s password.

Consequently, in my humble opinion, regulatory compliance auditors should not be asking organizations to audit “who can change whose passwords” only because there is no material benefit in doing so.

Active Directory Password Resets

NOW, in case you find yourself asking – “But wait, what about the situation wherein a user forgets his/her password, then calls Help Desk for assistance, as a result of which a Help Desk Operator resets the user’s password, and grants the user a temporary password with which he/she can then login, and immediately after logging in, change his/her password to a value only known to the user.”

The answer is that, the Help Desk Operator, did NOT CHANGE the user’s password, but in fact RESET the user’s password to a new temporary password, then provided this temporary password to the user (hopefully via a secure channel) AND (hopefully) instructed him/her to immediately change his/her password to a value only known to the user.

You see, in order to account for situations wherein a user forgets his/her password, and is thus unable to login, the system provides a facility by which authorized administrative personnel can reset the password of a user’s account.

This password reset facility can also be used to take control of a domain user account in situations wherein IT needs to take over the user's account, such as those involving employee termination, security incidents etc.

It may be noted that resetting a user’s password does NOT require demonstrating knowledge of the user’s existing/current password. Instead, it only requires that the individuals performing the password reset have the “User Force Change Password” extended right granted on the domain user account. Anyone who has this right granted on a domain user account can instantly reset the domain user account’s password.

(Strictly speaking, in order to change a user’s password, the user too requires the “User Change Password” extended right on his/her own account, which by default is granted to “Everyone” and “Everyone” implicitly includes the user him/herself. By the way, just because the right is granted to “Everyone” does not mean that everyone (/anyone) can change the user’s password; only those individuals who can demonstrate knowledge of the current password can change the user’s account’s password.)

(BTW, the Rights GUID for User-Force-Change-Password is 00299570-246d-11d0-a768-00aa006e0529 and the Rights GUID for User-Change-Password is ab721a53-1e2f-11d0-9819-00aa0040529b.)

Now, by default many Active Directory administrative groups, including Domain Admins, Enterprise Admins, Built-in Admins, Account Operators and other are granted the “User Force Change Password” (also known as “Reset Password”) extended right on all domain user accounts, and thus many administrative personnel are by default, already have the ability to reset the passwords of most domain user accounts. In addition, many organizations develop and implement custom delegation models resulting in an even larger number of individuals being able to reset the passwords of most of their domain user accounts.

It is imperative to understand that ANYONE who has the “User Force Change Password” (i.e. “Reset Password”) extended right effectively granted on a domain user account can instantly reset that account’s password and login as him/her.

Of course, once someone can reset a domain user account’s password, he/she can instantly login as him/her, obtain access to everything that user has access to, read and send email, access, tamper, copy or divulge everything that user has access to.

As a result, it is paramount to know AT ALL TIMES, exactly who can reset whose passwords in Active Directory.

Consequently, instead of asking organizations to audit “who can change whose passwords” regulatory compliance auditors should be asking them to audit “who can reset whose passwords”, since the ability to reset someone’s password instantly lets the perpetrator logon as the target user, and access everything the user has access to.

It is also possible for a malicious individual to reset a user’s password, then logon as the user, engage in unauthorized access, then logoff, and when the actual user account attempts to login the next time around, after a few unsuccessful attempts to logon using the old password, the user would unsuspectingly call Help Desk, and in most cases, a Help Desk operator will simply reset the password again, without suspecting that someone may have reset the user’s password and logged on.

You can imagine the consequences of someone being able to reset the password of an administrative account or an executive account – depending on the (mal-)intent and expertise of the perpetrator, the consequences could potentially be disastrous.

So, if I may, I’d like to humbly request compliance auditors to understand this vital difference, and perhaps the next time around, ask for a report of “who can reset user account passwords”, not “who can change user account passwords”.

Finally, when requesting this information, it is imperative to ensure that the audit report being furnished is based NOT on simply permissions analysis, but on effective permissions analysis, because only effective permissions reveal who can truly reset whose passwords.

This Impacts 85% of Organizations Worldwide

As you may know, today Active Directory is the bedrock of cyber security at over 85% of organizations worldwide.

Our global intelligence indicates that in most of these organizations, no one has any idea as to exactly who can reset whose passwords, even those of high-value targets i.e. Executive and Administrative Accounts.

This is unfortunately a highly concerning and alarming situation.

For instance, a while back, an employee of a multi-$B international company requested a trial of, and ran Gold Finger Mini in their environment here in the United States. In about 2 minutes, he was able to find out that over 700 individuals in the world had sufficient effective rights to be able to reset the password of that organization’s CEO’s domain user account. What was shocking to us is that neither the CEO, nor most of these 700+ individuals knew that that they had sufficient rights to be able to reset the CEO's password.

Incidentally, this organization had outsourced the management of their Active Directory deployment to another multi-$B international company, and imagine my surprise when we learnt that there were some very prominent individuals on that 700+ user list, some of whom I know personally (; most are in Europe and others in Asia.)

For security reasons, both these companies shall remain nameless. (You know who you are.)

Wrapping it Up

A few weeks ago we informed our customer about this subtle yet important difference, and I am pleased to let you know that today they are performing an audit of "who can reset whose passwords" instead.

In summary, it is very important to know (at all times) exactly who can reset whose passwords. At a minimum, all organizations should know at least who can reset the passwords of all their Administrative/Privileged Accounts and their Executive Accounts (CEO, CIO, CFO and CISO) because it is the ability to reset passwords that is at the heart of the world's top cyber security risk today.

Well, my 10 minutes are up. (More next time.)

Best wishes,

1 comment: