Users Allowed to Join Computers to the Domain

By default, any privileged or unprivileged user can add a computer to the domain, creating a new computer account in the Active Directory. If this computer holds sensitive information, it could become a security risk, and the user who added it may still hold privileges on it, creating backdoors. This feature can also simplify exploitation of vulnerabilities (CVE-2021-42278 / CVE-2021-42287). It's recommended to disable this feature and verify existing computers added using this feature.
The sAMAccountName impersonation Indicator of Attack can detect attacks but does not replace fixing the issue.

To ensure security, it is advisable to verify that only authorized administrators can add computers to the Active Directory domain. Additionally, some existing computers may have been added to the domain through unauthorized means. In such cases, it may be necessary to reinstall those computers and apply the organization's Windows master file. Although this can be a costly undertaking, it is important to consider the potential risks posed by these computers, which may lack proper security hardening or contain hidden backdoors that could leave the domain vulnerable to attack.

Name: Users Allowed to Join Computers to the Domain

Codename: C-USERS-CAN-JOIN-COMPUTERS

Severity: Medium