Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, February 14, 2017

AdminSDHolder (and another $100 Billion Question for Microsoft)

Dear Microsoft,

On May 22, we start our 30-day advanced Active Directory Security School for you. To help you prep, I thought I'd ask you another $ 100 Billion question, which is at the root (pun intended) of organizational cyber security worldwide - AdminSDHolder.


If you're Microsoft, or one of millions of Windows/Active Directory admins or cyber security pros worldwide, you know that at the heart, root & foundation of administrative/privileged access in Active Directory lies one Active Directory object - AdminSDHolder.

In the interest of brevity, I'll skip the details and provide a very brief background here. In essence, all default Active Directory accounts and groups that are considered to be administrative in nature by Active Directory are protected with a special protected locked-down access control list (ACL), which is the access control list of the AdminSDHolder object -


It logically follows that anyone who can modify the permissions specified in the AdminSDHolder object's ACL can easily control and impact the security afforded to all default Active Directory administrative accounts and groups, such as Domain Admins, Enterprise Admins, Administrators, Backup Operators, etc., as well as the default Administrator account, and all such accounts.

In other words, anyone (e.g. a rogue or coerced insider, an intruder, APT etc. ) who could modify the permissions specified in the AdminSDHolder object's ACL could instantly obtain complete administrative control over the entire Active Directory forest!

A $ Billion Question -

So a $ Billion question begs itself, and all organizations operating on Active Directory must ideally have an exact answer today -

Q: "In our Active Directory domain(s), exactly who can modify the permissions specified in the AdminSDHolder object's ACL?"

(If you're thinking "That's easy; just perform a permissions audit using dsacls, PowerShell etc.", think again. Its not that simple.)

A $100 Billion Question for Microsoft

In light of the above, the security of an entire Active Directory deployment also boils down to this:
Anyone who can modify the permissions specified in the AdminSDHolder object's ACL  could easily compromise all default Active Directory administrative domain user accounts and groups, & by extension all of Active Directory.

So, to my esteemed former colleagues at Microsoft, I have a very simple question for Microsoft -
"Precisely what does Microsoft recommend that customers do to accurately make this paramount determination in their foundational Active Directory deployments?"  i.e. how do they accurately determine exactly who can modify security permissions specified in the AdminSDHolder object's ACL?"
To be clear, in Active Directory environments that have been around for years now, and in which a non-trivial amount of access provisioning/changes have been done in Active Directory, including wherein changes have been made to the default AdminSDHolder ACL (for instance as illustrated in the visual above), how do they accurately determine exactly who can modify security permissions specified in the AdminSDHolder object's ACL?

In case you're wondering why this is a proverbial $100 Billion question, if you were to add up the market cap of all organizations worldwide that operate on Active Directory, it would handily exceed $10 Trillion. Now, considering the potentially colossal impact of compromise resulting from a cyber security incident involving a perpetrator having modified AdminSDHolder to gain complete command and control over an organization's foundational Active Directory, you should be able to see why this is a $100B Q.

We, i.e. your customers and I, look forward to an answer. Your customers look forward to it because they have a right and an urgent need to know how to do so. I look forward to it because I'd like to see how well Microsoft still understands AD security.

Please allow me to give you a hint - here.  (To help organizations worldwide, I'll answer the question right here in a few days.)


PS: One more hint. The answer is a term mentioned 20+ times in this 2-pager and 0 times in Microsoft's official 100-pager.

PS2: My apologies for asking this publicly. It is 2017 after all, not 2007 (, which is when you should've already addressed this.)

PS3: Interestingly, due to a complete lack of guidance from Microsoft on advanced stuff, when it comes to AdminSDHolder, today most organizations are still just trying to figure out basic stuff, such as how to find & cleanup orphaned AdminSDHolder objects i.e. accounts that still have admincount=1 even though they may no longer be a member of any default admin groups.

PS4: February 22, 2017 updated - Microsoft, the answer is here.

No comments:

Post a Comment