AD Starter Scan - Primary Group ID integrity

Nessus Plugin ID 150487 (severity: high)

Synopsis

A potential backdoor using the Primary Group ID attribute has been found on a user account.

Description

Groups are the standard way of providing access to resources in an environment, so group membership should be treated with the utmost care. A lesser-known Active Directory feature can be used for the same purpose: the Primary Group ID. This mechanism was created to support legacy UNIX applications, where group membership is not stored in the same way as in Windows. When access rights to a resource are checked, being a member of a group and having the Primary Group ID set to that group are exactly the same from an Active Directory perspective. Not all third-party tools and software take this case into account.

Using the Primary Group ID mechanism is considered a bad practice and a security risk.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

From a security perspective, because of the hidden backdoor mechanism that it provides, the Primary Group ID value of the accounts of the domain should be reset to their default value:

- for every user account of the domain, the PGID should be set to 513, whatever the functional type of the account (normal or privileged user, service account, VIP user, etc.)
- the Guest account is a specific user account that should have a PGID of 514
- for every computer account of the domain, the PGID should be set to 515, whatever the functional type of the computer (desktop or server), except for domain controllers
- for every domain controller of the domain, the PGID should be set depending on the type of domain controller that is expected:
  - for standard read-write domain controllers, the PGID should be set to 516
  - for read-only domain controllers, the PGID should be set to 521
  - for enterprise read-only domain controllers, the PGID should be set to 498
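As an added example (not part of this plugin or its NASL code), the following Python audits a set of exported account records against the default values listed above and also shows why a memberOf-only membership check misses the primary group. The simplified record layout, the use of the userAccountControl bits to tell DCs and RODCs apart, and accepting either RODC RID for a read-only domain controller are assumptions of this example.

```python
# Well-known RIDs of the default groups; the expected PGIDs follow the Solution above.
DOMAIN_ADMINS, DOMAIN_USERS, DOMAIN_GUESTS = 512, 513, 514
DOMAIN_COMPUTERS, DOMAIN_CONTROLLERS, RODC, ENTERPRISE_RODC = 515, 516, 521, 498
RID_NAMES = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
             515: "Domain Computers", 516: "Domain Controllers",
             521: "Read-only Domain Controllers",
             498: "Enterprise Read-only Domain Controllers"}

# userAccountControl bits that distinguish DCs and RODCs from other computer objects.
UF_SERVER_TRUST_ACCOUNT = 0x2000         # writable domain controller
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000  # read-only domain controller

def expected_pgids(acct):
    """PGID values acceptable for an account, per the plugin's Solution."""
    if acct["objectClass"] == "computer":
        uac = acct["userAccountControl"]
        if uac & UF_PARTIAL_SECRETS_ACCOUNT:
            return {RODC, ENTERPRISE_RODC}  # assumption: either RODC group is acceptable
        if uac & UF_SERVER_TRUST_ACCOUNT:
            return {DOMAIN_CONTROLLERS}
        return {DOMAIN_COMPUTERS}
    if acct["sAMAccountName"].lower() == "guest":
        return {DOMAIN_GUESTS}
    return {DOMAIN_USERS}

def group_name(rid):
    return RID_NAMES.get(rid, f"RID {rid}")

def effective_groups(acct):
    """memberOf never lists the primary group, so it must be added explicitly."""
    return set(acct["memberOf"]) | {group_name(acct["primaryGroupID"])}

def find_pgid_deviations(accounts):
    """Return (sAMAccountName, actual PGID, group name) for every non-default PGID."""
    return [(a["sAMAccountName"], a["primaryGroupID"], group_name(a["primaryGroupID"]))
            for a in accounts if a["primaryGroupID"] not in expected_pgids(a)]

# Constructed sample export (not real data): svc-backup's PGID points at Domain Admins.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "objectClass": "user", "userAccountControl": 0x200,
     "memberOf": ["Helpdesk"], "primaryGroupID": DOMAIN_USERS},
    {"sAMAccountName": "svc-backup", "objectClass": "user", "userAccountControl": 0x200,
     "memberOf": ["Backup Operators"], "primaryGroupID": DOMAIN_ADMINS},
    {"sAMAccountName": "Guest", "objectClass": "user", "userAccountControl": 0x202,
     "memberOf": [], "primaryGroupID": DOMAIN_GUESTS},
    {"sAMAccountName": "RODC01$", "objectClass": "computer", "memberOf": [],
     "userAccountControl": 0x1000 | UF_PARTIAL_SECRETS_ACCOUNT, "primaryGroupID": RODC},
    {"sAMAccountName": "DC01$", "objectClass": "computer", "memberOf": [],
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT, "primaryGroupID": DOMAIN_CONTROLLERS},
]
```

Running `find_pgid_deviations(SAMPLE_ACCOUNTS)` reports only svc-backup, whose effective membership includes Domain Admins even though memberOf shows only Backup Operators.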

See Also

https://technet.microsoft.com/fr-fr/library/dd378789%28v=ws.10%29.aspx

http://www.nessus.org/u?dae9d9c5

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: High

ID: 150487

File Name: adsi_pgid.nbin

Version: 1.11

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 9/20/2021

Dependencies: adsi_enum.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

CVSS v2

Risk Factor: High

Base Score: 7.1

Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_users_and_groups/available, adsi_enum_computer_objects/available