
Computer Accounts and Trusts, if I were a hacker...

Thursday, September 16, 2010 in Active Directory (Views: 4684)
I had an interesting discussion regarding the safety and security of computer accounts the other day and it led me to want to say a few things to the mass population...

If I were a hacker, would I want to come in over an unsecured or a secured connection? Time's up. I would want the secured connection, because arriving with a trust relationship grants me far more access than authenticating as "Anonymous".

We are speaking here of domain-joined workstations; for the purpose of this blog, workgroup-based machines can cease to exist.

Computer accounts are highly secure for several reasons. First, they don't have passwords that an administrator can change or know. Second, unbeknownst to anyone, their passwords change automatically every 30 days.

It is a good practice to use computer accounts where it makes sense, I know SMS and SCCM are notorious for using them, which is really a good thing. Let me give you a good use of the computer account...

• The SMS Site Server connects to a potential client through the admin$ share. To do this, the account it connects with needs Administrator rights on the client. You can provide that in one of two ways: via the client installation account, or via the SMS Site Server computer account.
• The client installation account is a user account, and probably one with significant permissions, since it needs Administrator rights on every workstation or server it installs the client on (oftentimes this account is a member of Domain Admins). This can be bad, especially if an IT person can simply change its password and then access any machine that accepts this credential.
• The site server computer account's password can't be changed by a person, and the account can install the client. Done, and secure.

We'll make this a 2-for-1 blog: how do you add the Site Server computer account to the local Administrators group specifically? You can't do it directly via Group Policy, since computer accounts can't be added through Preferences or Restricted Groups. You can, however, either do it in a computer startup script, or put the computer account into an Active Directory group and add that group through Group Policy.
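As an added example (not a script from the original post), here is the startup-script route: a PowerShell computer startup script that grants exactly one site server's computer account membership in the local Administrators group. The domain name CONTOSO and the host name SMSSITE01 are placeholders, not values from the post; a computer account is referenced as DOMAIN\HOSTNAME$ with the trailing dollar sign. It uses net.exe rather than the newer Add-LocalGroupMember cmdlet so the same logic runs on the PowerShell 2.0 hosts of the post's era (on clients without PowerShell startup-script support, the single net localgroup line works unchanged as a batch startup script).

```powershell
# Added example, not code from the original post: computer startup script that grants
# ONE site server's computer account local Administrators membership on this host.
# Assumed placeholder values: domain NetBIOS name CONTOSO, site server host SMSSITE01.
$Domain     = 'CONTOSO'      # assumption: replace with your domain's NetBIOS name
$SiteServer = 'SMSSITE01'    # assumption: replace with the site server's host name
$Principal  = "$Domain\$SiteServer`$"   # computer accounts are DOMAIN\HOSTNAME$
$LogFile    = Join-Path $env:SystemRoot 'Temp\AddSiteServerAdmin.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# Startup scripts run at every boot, so check membership first and only add when missing.
# net localgroup prints each member name on its own line, so match the whole line.
$current = net localgroup Administrators 2>&1
if ($current -match ('^' + [regex]::Escape($Principal) + '\s*$')) {
    Write-Log "$Principal is already a member of Administrators; nothing to do."
    exit 0
}

# Grant membership to the single computer account, not to an all-servers group.
$null = net localgroup Administrators $Principal /add 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Log "Added $Principal to local Administrators."
    exit 0
}
else {
    Write-Log "Failed to add $Principal to local Administrators (net.exe exit code $LASTEXITCODE)."
    exit 1
}
```

Assign the script under Computer Configuration > Windows Settings > Scripts > Startup in the GPO that applies to the clients; because it runs as Local System at boot, it needs no stored credential of its own, and the log file in %SystemRoot%\Temp lets you confirm on any client that the grant happened and nothing else was added.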

Let's look at this the other way. You have a multi-site SMS hierarchy and, to simplify things, an AD group containing ALL of your servers. Each of these servers has a policy that adds this group to its local Administrators group. Not so secure. Why?

You have a rogue admin at a child site with Administrator privileges on their Site Server. They can log in as SYSTEM (it's easy, just use psexec with the -s cmd.exe command line), and then they hold Local System rights, which means they act as that server's computer account. Since that computer account is in the all-servers group, they can connect to any other server in the hierarchy and do whatever they like. It gets better. If you just "carpet bombed" the built-in Administrators group from the Central Site to have full control over SMS, this user can hijack those permissions for themselves and do some ugly things.

So, safe and secure, but keep in mind whom you give your Administrator permissions to. Just some food for thought.
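The all-servers-group problem above is easy to spot on a host once you look. As an added example (not code from the original post), the following PowerShell audit enumerates the local Administrators group through the WinNT ADSI provider and flags any domain group it finds, since every account in such a group, for instance every server in an all-servers group, is a local administrator on the host being audited. It assumes nothing beyond the WinNT provider, which is present on the Windows versions an SMS/SCCM environment of the time would run; the function name Get-LocalAdminMembers is my own.

```powershell
# Added example, not code from the original post: audit the local Administrators group
# and flag domain groups, because a group holding every server makes any member
# server's Local System an administrator on all the others.
function Get-LocalAdminMembers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects, so read their properties via reflection.
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)

        # Local principals carry this computer's name inside their ADsPath;
        # anything else was granted from the domain.
        $scope = 'Domain'
        if ($path -match ('/' + [regex]::Escape($env:COMPUTERNAME) + '/')) { $scope = 'Local' }

        # Classify: domain groups are the risky case; names ending in '$' are computer accounts.
        $kind = 'User'
        if ($class -eq 'Group')        { $kind = 'Group' }
        elseif ($name.EndsWith('$'))   { $kind = 'ComputerAccount' }

        New-Object PSObject -Property @{ Name = $name; Kind = $kind; Scope = $scope; Path = $path }
    }
}

$members = @(Get-LocalAdminMembers)
$members | Format-Table Name, Kind, Scope -AutoSize

# A domain group here means its membership, not this host's policy, defines who is admin.
$domainGroups = @($members | Where-Object { $_.Kind -eq 'Group' -and $_.Scope -eq 'Domain' })
foreach ($g in $domainGroups) {
    Write-Warning ("Domain group '{0}' is a local administrator on {1}; every account in it has full control of this host. Review its membership." -f $g.Name, $env:COMPUTERNAME)
}
if ($domainGroups.Count -eq 0) { "No domain groups found in local Administrators on $env:COMPUTERNAME." }
```

A domain group in the output is not automatically wrong, but it is the place to look: if the group contains every server's computer account, replace it with a per-host grant of the single site server account (as in the startup-script approach), or split the group per site so a compromise at a child site cannot reach the rest of the hierarchy.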

