AD Starter Scan - Primary Group ID integrity

high Nessus Plugin ID 150487

Synopsis

A potential backdoor using the Primary Group ID attribute has been found on a user account.

Description

Groups are the standard way of providing access to resources in an environment. Therefore group membership should be treated with utmost care. A less known Active Directory feature can be used for the same purpose: Primary Group ID. This is a mechanism that was created to support legacy UNIX applications, where group membership is not stored in the same way as in Windows. When checking the access rights to a resource, being a member of a group or having a Primary Group ID set for this group is exactly the same from an Active Directory perspective. Not all third party tools and software consider this use-case.

Using the Primary Group ID mechanism is considered a bad practice and a security risk.

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

From a security perspective, because of the hidden backdoor mechanism that it provides, the Primary Group ID value of the accounts of the domain should be reset to their default value:

- for every user account of the domain, the PGID should be set to 513, whatever the functional type of the account (normal or privileged user, service account, VIP user, etc.)
- the Guest account is a specific user account that should have a PGID of 514
- for every computer account of the domain, the PGID should be set to 515, whatever the functional type of the computer (desktop or server), except for domain controllers
- for every domain controller of the domain, the PGID should be set depending on the type of domain controller that is expected:
-- for standard read-write domain controllers, the PGID should be set to 516
-- for read-only domain controllers, the PGID should be set to 521
-- for enterprise read-only domain controllers, the PGID should be set to 498

See Also

http://www.nessus.org/u?748f1454

http://www.nessus.org/u?dae9d9c5

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: High

ID: 150487

File Name: adsi_pgid.nbin

Version: 1.111

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 11/22/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: High

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: ldap_enum_person/available, ldap_enum_computer/available, ldap_enum_domaindns/available