This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. In this post, we focus on Group Policy Objects (GPOs) and their permissions.
Group Policy provides the ability to change application settings, security settings, install and run code, and more! As such it’s a powerful tool for the administrator as well as the attacker/adversary.
When a Group Policy is created, the creator often becomes the owner. As with other objects in Active Directory, the owner has the ability to change permissions on the GPO. This can cause issues with enforcing the tiering rules for an AD environment since a GPO may be created by a Server Admin and then linked to the Domain Controllers container. This would allow the creator of this GPO to retain owner rights and be able to change permissions on it. Compromise of the account that’s the owner could lead to full Active Directory compromise.
In this example, Alanna Baker created the DC Auditing Policy and it was linked to the Domain Controllers container, but she retained the Owner right on the GPO. Alanna is able to change permissions on the GPO and if this user account were compromised, AD could be compromised.

In this example, Terry Owens (admin) has modify rights to a group policy that applies computer settings and it was later linked to the domain root. Compromise of this account would result in compromise of the entire domain due to this configuration.

All Group Policies that are linked to the Domain root and the Domain Controllers container should be created for, and linked only to, these locations. This means that GPOs that apply to the Domain root should apply only to the domain, and all GPOs linked to the Domain Controllers container should apply only to that container. There should not be GPOs cross-linked to an OU as well as to one or both of these locations.
Group Policy permissions and owner rights should be regularly reviewed to ensure they are appropriate. Sensitive locations like the Domain root and the Domain Controllers container should receive additional scrutiny, including any Administrative (Tier 0) OUs as well.
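One way to run the review described above, as an added PowerShell example that is not part of the original post: it assumes the RSAT GroupPolicy and ActiveDirectory modules, a domain-joined session, and that the Tier 0 owner/editor list is adjusted to your environment's groups.

```powershell
# Added example: audit GPOs linked to the domain root and the Domain Controllers
# OU for (1) non-Tier 0 owners, (2) non-Tier 0 trustees with edit/modify rights,
# and (3) cross-links to other OUs. Assumes the GroupPolicy and ActiveDirectory
# RSAT modules; the $tier0 list is an assumption to adjust per environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOU   = $domain.DomainControllersContainer        # e.g. OU=Domain Controllers,DC=corp,DC=example
$tier0  = @("$($domain.NetBIOSName)\Domain Admins",  # assumed acceptable owners/editors
            "$($domain.NetBIOSName)\Enterprise Admins",
            "NT AUTHORITY\SYSTEM")
$editPerms = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
$protectedTargets = @($domain.DistinguishedName, $dcOU)

foreach ($target in $protectedTargets) {
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        # 1. The owner can rewrite the ACL, so it should be a Tier 0 group,
        #    never the individual account that created the GPO.
        if ($tier0 -notcontains $gpo.Owner) {
            Write-Warning "[$($gpo.DisplayName)] owner is '$($gpo.Owner)' (linked at $target)"
        }

        # 2. Anyone with edit/modify-security rights effectively controls the
        #    linked target (domain or DCs); flag non-Tier 0 trustees.
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $editPerms -contains $_.Permission -and -not $_.Denied -and
                $tier0 -notcontains "$($_.Trustee.Domain)\$($_.Trustee.Name)"
            } |
            ForEach-Object {
                Write-Warning "[$($gpo.DisplayName)] $($_.Trustee.Domain)\$($_.Trustee.Name) has $($_.Permission)"
            }

        # 3. A GPO linked to a protected location should not also be linked to
        #    any other OU; gPLink holds the GPO GUID for every linked container.
        Get-ADObject -LDAPFilter "(gPLink=*{$($gpo.Id)}*)" -Properties gPLink |
            Where-Object { $_.DistinguishedName -notin $protectedTargets } |
            ForEach-Object {
                Write-Warning "[$($gpo.DisplayName)] is cross-linked to $($_.DistinguishedName)"
            }
    }
}
```

Any warning printed is a finding to triage: fix the owner with the GPO's Delegation tab (or Set-Acl on the policy object), remove the excess permission, or split the GPO so the protected location has its own copy.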