Improving your Active Directory security posture: AdminSDHolder to the rescue

Guido Grillenmeier
Affiliation: Semperis, USA

Cyber Security: A Peer-Reviewed Journal, 2023, vol. 6, issue 3, 242-260

Abstract: This paper covers a key aspect of Active Directory (AD) security that is often overlooked: the wealth of default read permissions that Microsoft has granted to every user and computer in the directory. The concept of an AD forest being a security boundary must now be understood not only as a protective feature (if you do not have an account in an AD forest, you cannot access any of its AD objects and connected resources), but also as the scope of reach an intruder has to access and assess the security of AD objects once they gain a foothold in an organisation's network. Removing certain default read permissions in AD is a low-risk operation that pays off by making it much more difficult for intruders to perform the reconnaissance that helps them plan their next steps towards domain dominance. Understanding the built-in logic that Microsoft has added to AD to protect the most privileged accounts in the directory (e.g. members of the Domain Admins group) is key to realising both the benefits and the weaknesses of this mechanism. This paper discusses how this protection mechanism works behind the scenes and how it can be adjusted to remove risky default read permissions and make AD safer. Many AD infrastructures were implemented years ago and have been operated by different teams of administrators over time, so most AD implementations today carry a solid 'misconfiguration debt'. This paper covers one aspect of that debt: specifically, how to fix the permissions on objects that were once added to a privileged group but are no longer members of that group. Essentially, locking down the visibility of objects and general read permissions in AD is vital to reducing the AD attack surface and thus improving its security posture.

Keywords: identity security; default security; Active Directory (AD); privileged objects; AdminSDHolder; SDPROP; MITRE ATT&CK: reconnaissance; MITRE D3FEND: harden
JEL-codes: M15
Date: 2023

Downloads: (external link)
https://hstalks.com/article/7536/download/ (application/pdf)
https://hstalks.com/article/7536/ (text/html)
Requires a paid subscription for full access.


Persistent link: https://EconPapers.repec.org/RePEc:aza:csj000:y:2023:v:6:i:3:p:242-260

Publisher: Henry Stewart Publications
Handle: RePEc:aza:csj000:y:2023:v:6:i:3:p:242-260