Unconstrained delegation in Active Directory leaves security holes

As is often the case with Active Directory, some of the worst security breaches are caused by misconfigurations that leave doors open for attackers. One common setting that cybercriminals like to exploit is unconstrained delegation.

What is unconstrained delegation, and why is it a security risk? Delegation allows a computer to store a user’s Kerberos authentication tickets and then use those tickets to impersonate the user and act on that user’s behalf. Unconstrained delegation is a configuration setting that many multi-tier web applications need in order to function. But the setting has security implications, because a computer that stores tickets for a group of users is an obvious target for attackers. If attackers can recover these tickets, they can act with the identity and privileges of these users.

If this setting is so risky, why do administrators configure servers with unconstrained delegation? Probably because in early versions of AD this was the only form of delegation supported, and it is also the easiest to configure, requiring only one checkbox. If setting up unconstrained delegation makes the app work, that’s fine, right? There is, in fact, a great reason to revisit this setting: removing unconstrained delegation eliminates a weak link in a trusted authentication chain that could cause significant damage if abused.

Roots of unconstrained delegation

The roots of this potential security risk go back 20 years. Microsoft introduced unconstrained Kerberos delegation in Windows Server 2000 to allow services to access other services on behalf of an authenticated user, so that the user does not have to re-authenticate. For example, if a user has authenticated against a web server, that web server can impersonate the user and access back-end databases without the user having to re-enter their credentials. When unconstrained delegation is enabled on an account, that account can impersonate the user to any service in the same domain.

While this feature made life easier for users (and administrators), it also presented an obvious risk. If a server with unconstrained delegation enabled were under the control of malicious actors, they could abuse that trust to gain widespread access throughout the environment. Microsoft sought to mitigate this risk by introducing constrained delegation in Windows Server 2003, which allowed domain administrators to restrict the services that a particular server could access.

With the release of Windows Server 2012, Microsoft gave service administrators the power to decide whether front-end services can access core resources. Prior to this change, only domain admins could control delegation, leaving service admins no easy way to know which front-end services could access the resources they owned and, therefore, what potential attack paths might be open. Known as Resource-Based Constrained Delegation (RBCD), this approach to delegation is the most difficult to abuse.

In comparison, unconstrained delegation is the least secure. When attackers can abuse an insecure Kerberos delegation, they can mask all kinds of malicious activity by impersonating a legitimate user. A malicious actor with access to a web server with this configuration could steal the user’s Ticket Granting Ticket (TGT), which is stored in the server’s memory, and use it to impersonate that user and take advantage of the user’s access privileges. This reality makes unconstrained delegation an ideal mechanism for moving laterally in the environment. A TGT owned by a domain administrator, for example, could give the attacker access to any service of their choice, or potentially access to the KRBTGT account and the ability to launch a Golden Ticket attack.

An attacker can use the Get-ADComputer cmdlet from the Active Directory PowerShell module to find computers on which this setting is enabled, and then go to work. They can use Mimikatz, for example, to extract all tickets from system memory. The negative implications of this are clear.

Improve AD Security by Disabling Unconstrained Delegation

The good news is that you can close the security hole created by unconstrained delegation by simply disabling this setting. For unconstrained delegation to take effect, domain administrators must enable it for accounts by checking “Trust this computer for delegation to any service (Kerberos only)” under the Delegation tab in the Active Directory Users and Computers (ADUC) management console.

Given the high stakes involved in enabling this setting, organizations can improve their level of security by identifying all servers on which unconstrained delegation is enabled, disabling the setting, and replacing it with constrained delegation for the servers that need it. Administrator accounts should be set to “The account is sensitive and cannot be delegated” and elevated privilege accounts should be placed in the Protected Users security group. Administrators can find forests with inbound trusts that allow TGT delegation and all security principals that allow unconstrained delegation using PowerShell scripts. You can also detect unconstrained delegation by examining Windows events. When a Kerberos ticket is issued, an Active Directory domain controller logs security events that contain information about the target domain. You can examine these events to determine whether unconstrained delegation is being used across inbound trusts. Or you can download and run Purple Knight, a free security assessment tool designed by Semperis AD experts that scans your AD environment for over 80 security metrics, including unconstrained delegation.
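
The inventory step described above can be scripted as a read-only audit. The following is an added example, not code from the original post or from Semperis. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain in which the Protected Users group exists, and it uses adminCount=1 as an approximation of "elevated privilege accounts":

```powershell
# Added example: read-only audit of delegation exposure in the current domain.
Import-Module ActiveDirectory

# userAccountControl bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION, the flag set by
# "Trust this computer for delegation to any service (Kerberos only)".
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$trusted = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

# Writable domain controllers (primaryGroupID 516) carry the flag by design,
# so they are excluded from the findings.
$notDc = '(!(primaryGroupID=516))'

# 1. Every principal (computer, user or managed service account) that is
#    trusted for unconstrained delegation.
$unconstrained = Get-ADObject -LDAPFilter "(&$trusted$notDc)" `
    -Properties sAMAccountName, servicePrincipalName |
    Select-Object sAMAccountName, ObjectClass, DistinguishedName, servicePrincipalName

# 2. Privileged accounts whose tickets can still be delegated: enabled, not marked
#    "Account is sensitive and cannot be delegated", and not in Protected Users.
#    Assumption: adminCount=1 approximates "privileged"; it can include stale
#    accounts that have since left the protected groups.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName)

$delegableAdmins = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties AccountNotDelegated |
    Where-Object {
        $_.Enabled -and
        -not $_.AccountNotDelegated -and
        $_.DistinguishedName -notin $protected
    } |
    Select-Object SamAccountName, DistinguishedName

'--- Principals trusted for unconstrained delegation (DCs excluded) ---'
$unconstrained | Format-Table -AutoSize

'--- Privileged accounts that can still be delegated ---'
$delegableAdmins | Format-Table -AutoSize

# Dry run of the fix for one reviewed account (remove -WhatIf to apply):
# Set-ADAccountControl -Identity '<reviewed-account>' -TrustedForDelegation $false -WhatIf
```

Review each finding with the application owner before clearing the flag, since the affected service has to be moved to constrained delegation or RBCD first.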

Disabling unconstrained delegation can cause compatibility issues for some applications that rely on this feature, which means you will need to reconfigure those applications to use constrained delegation or RBCD. As always, businesses should remember that AD security is about more than fixing vulnerabilities in code. Preventing attacks also means taking steps to reduce the attack surface and proactively prevent problems before they occur.

The post Unconstrained delegation in Active Directory leaves security holes appeared first on Semperis.

*** This is a Syndicated Security Bloggers Network blog by Semperis written by Gil Kirkpatrick. Read the original post on: https://www.semperis.com/blog/active-directory-unconstrained-delegation-security-risks/

