Relying on built-in groups is a common practice in organizations running Microsoft’s Active Directory. One of these groups, Account Operators, is commonly used for basic user administration. As an organization grows, the danger of using this group grows with it. If the use of Account Operators continues without review and governance, security gaps are added to the organization.
Upon completion of Active Directory Gap Analyses, I’ve noticed businesses often use Account Operators as the easy way to delegate the management of users and groups. When there is a need for a non-technical person to manage groups, that person often gets added to this group. Once added to the group, he or she has access to manage users and groups across the domain.
I’m going to demonstrate a few scenarios where attackers exploit permissions once they gain control of an account that’s a member of this group.
The Account Operators group has extensive permissions across the domain. The group has every right described in my other post, “Who needs an administrator account?”. It also has access to all of the users, groups, and permissions outlined here (schema post).
I’ll journey through a few of the permissions listed in the previous articles. I’ll demonstrate just how quick and simple it is for an attacker to jump through the directory once they control this group. It’s important to note that attackers aren’t always after full Domain Administrative control; sometimes they are only after information on servers or workstations.
This is the typical lateral movement scenario Microsoft describes. The attacker’s steps consist of:
I.e. full local admin access to all machines on the domain
Sean Metcalf has a fantastic presentation on GPO exploitation. The video starts at 30:15, right where the Account Operators and GPO permissions are listed.
These five scenarios demonstrate why Microsoft’s recommendation for Account Operators is to “Leave it empty.” My script, Github Account Operators Cleanup, which empties the Account Operators group, and the full guide will be available shortly.
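The following PowerShell is an added example of the defensive side of that recommendation; it is not the author’s Github Account Operators Cleanup script. It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership, and that the caller can read the Security log on a domain controller (the name `DC01` in the usage lines is a placeholder). It reports every direct and nested member of Account Operators (found by its fixed well-known SID `S-1-5-32-548`), lists recent membership changes from Security events 4732 (“member added to a security-enabled local group”) and 4733 (“member removed”), and removes direct members only after a `ShouldProcess` confirmation.

```powershell
# Added example, not the author's cleanup script.
# Assumes: RSAT ActiveDirectory module; rights to read AD group membership;
# rights to read the Security log on the domain controller you query.
Import-Module ActiveDirectory

# BUILTIN\Account Operators always has this well-known SID, so the audit
# does not depend on the group's display name or language.
$AccountOperatorsSid = 'S-1-5-32-548'

function Get-AccountOperatorsAudit {
    # Lists every direct and nested member, so a user hidden behind a
    # nested group still appears in the report.
    [CmdletBinding()]
    param()

    Get-ADGroupMember -Identity $AccountOperatorsSid -Recursive |
        ForEach-Object {
            $member  = $_
            $enabled = $null
            if ($member.objectClass -eq 'user') {
                $enabled = (Get-ADUser -Identity $member.distinguishedName -Properties Enabled).Enabled
            }
            [pscustomobject]@{
                Name              = $member.SamAccountName
                ObjectClass       = $member.objectClass
                Enabled           = $enabled
                DistinguishedName = $member.distinguishedName
            }
        }
}

function Get-AccountOperatorsMembershipChanges {
    # Pulls add (4732) and remove (4733) events for security-enabled local
    # groups from one domain controller's Security log and keeps only the
    # ones whose target group is Account Operators.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Days = 30
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4732, 4733
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of
            # relying on the positional order of the Properties array.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetSid'] -eq $AccountOperatorsSid) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Action = if ($_.Id -eq 4732) { 'Added' } else { 'Removed' }
                    Member = $data['MemberName']
                    ByUser = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
}

function Clear-AccountOperators {
    # Removes all direct members. Because ConfirmImpact is High, each
    # removal prompts unless the caller passes -Confirm:$false; -WhatIf
    # previews the removals without changing anything.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    foreach ($m in Get-ADGroupMember -Identity $AccountOperatorsSid) {
        if ($PSCmdlet.ShouldProcess($m.SamAccountName, 'Remove from Account Operators')) {
            Remove-ADGroupMember -Identity $AccountOperatorsSid -Members $m -Confirm:$false
        }
    }
}

# Usage (DC01 is a placeholder domain controller name):
# Get-AccountOperatorsAudit | Format-Table
# Get-AccountOperatorsMembershipChanges -DomainController 'DC01' -Days 90
# Clear-AccountOperators -WhatIf   # preview first, then rerun without -WhatIf
```

Group membership changes are logged only on the domain controller that processed the change, so run the change query against every writable domain controller (or pull from a central log collector) rather than a single one. Review the audit output before clearing the group: any account that genuinely needs to manage users or groups should be moved to a scoped, delegated OU permission instead of being left in Account Operators.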