Identity Management

Active Directory: LDIF, An Extraction to Rule Them All

Extracting data from a Microsoft Active Directory (Microsoft’s LDAP directory for Windows), enables a multitude of controls that are easily automated, and helps establish a primary defense for access governance across your Windows systems.

The objective of this article is to introduce you to the “LDAP Data Interchange Format” (LDIF) extraction from an AD and the series of available controls based on ANSSI recommendations.

1 – LDIF Extraction: Which Format for Which Data?

LDIF is a standardized format designed to facilitate the exchange of data from an LDAP directory. It not only represents directory data but also enables actions on a directory (adding, modifying, deleting data). The LDIF extraction is a text file (with the extension .ldif or .ldf) and can be read or edited using a simple text editor.

2 – How to Obtain LDIF Extraction from an Active Directory

Microsoft has provided a dedicated AD extraction tool. Its full name is “Lightweight Directory Access Protocol Data Interchange Format Directory Exchange,” and commonly known as LDIFDE. It’s a command-line tool used for importing or exporting LDIF files. This tool is available on Windows servers when the “Active Directory Domain Services” (AD DS) or “Active Directory Lightweight Directory Services” (AD LDS) server roles are installed on the machine.

3 – What to Do with My Extraction?

Now that we have a proper LDIF extraction of our AD, we should focus on the Controls! WALLIX offers you 23 unique controls which may be performed on your extraction to identify anomalies in your identity and access governance, and to avoid vulnerabilities in your IT system.

Control 1: A Significant Number of Privileged Group Members

Privileged Groups are administrative and operational groups that have ALL rights and privileges on the domain, or are able to assign them. The following groups are included:

Account Operators
Administrators
Backup Operators
Domain Admins
Enterprise Admins
Print Operators
Schema Admins
Server Operators

Assigning these Groups should be avoided, or only done if all permissions are genuinely necessary. It’s generally preferable to use Custom Groups and apply the principle of ”Least Privilege” access.

Control 2: Inconsistent Domain Controllers

A domain controller is a server that authenticates a user to the domain and validates their network access. It’s important that its User Account Control (UAC) attributes are correctly set. Therefore, it’s necessary to check if the domain controller has the attributes SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION and no others. Additional attributes can apply to “Read Only Domain Controllers” (RODC).

Control 3: Privileged Accounts without Kerberos Pre-Authentication

Kerberos is an authentication protocol that enables strong authentication using secret keys. Privileged accounts (accounts with all or the potential to have all rights on the domain) should not have the “DONT_REQUIRE_PREAUTH” attribute.

Control 4: Privileged Accounts with SPN

The ServicePrincipalName (SPN) attribute is set by default on machine accounts. This attribute should NEVER be set on a privileged account because a “brute force” attack could retrieve the password of the privileged account through the ticket issued by Kerberos.

Control 5: Privileged Accounts with Passwords that Never Expire

The countless risks associated with this anomaly don’t need listing. The “DONT_EXPIRE” attribute should never be set on a privileged account. Compromising the entire domain could be made easy (e.g., by a former employee).

Control 6: Privileged Accounts with Unchanged Passwords for a Certain Period

To mitigate the risks associated with password theft, it’s crucial to have frequent password rotations. This applies to all users but is even more critical for privileged accounts.

Control 7: Domain Controllers with Unchanged Computer Account Passwords for Over 45 Days

By default, password rotation occurs every 30 days. If this cannot be achieved, it’s important to promptly investigate the cause.

Control 8: Inactive Domain Controllers

A domain controller typically connects every 30 days to change its password. Absence of authentication can result from desynchronization. In such cases, the domain controller needs to be reinstalled or removed.

Control 9: Accounts with a primaryGroupId Less Than 1,000

This attribute associates a user with a group implicitly. Some interfaces do not display this relationship in the list of group members. Therefore, it’s important to leave the default value: 513 for a user, 514 for a guest, and 515 for a computer.

Control 10: Accounts Members of the DnsAdmins Group

It’s recommended NOT to use the DnsAdmins group. This group allows code execution through the DNS service, typically hosted on the domain controller.

Control 11: High Number of Unused Active Accounts

A dormant account is one that hasn’t logged into the domain for a certain period. It could be an account rarely used (or whose owner is on leave) or an obsolete account (associated with a former employee). Efficient categorization of dormant accounts is important to disable obsolete accounts, reducing both the attack surface and the workload during rights reviews.

Control 12: Unconstrained Delegation of Authentication

The “TRUSTED_FOR_DELGATION” property should only be present in domain controllers. If another account has this attribute, it could authenticate to a Kerberos service with the identity of another account that has authenticated to the first account.

Control 13: Accounts Without Kerberos Pre-Authentication

The “DONT_REQUIRE_PREAUTH” attribute should NOTbe present in an account.

Control 14: User Accounts with Weak Kerberos Encryption

Kerberos can use the DES encryption algorithm to issue tickets. However, this algorithm is considered obsolete, so the “USE_DES_KEY_ONLY” attribute should be removed from accounts in the AD.

Control 15: Accounts with Passwords that Never Expire

A second control on password expiration, but this time the criterion applies to all users in the AD, not just privileged accounts.

Control 16: Incorrect Version of Active Directory

In certain versions of Active Directory, the Key Admins and Enterprise Key Admins groups have overly permissive Access Control Entries (ACE). The Windows Server 1709 versions fix this issue, so it’s important to update. Check the “ActiveDirectoryUpdate” value in the LDIF file. If the version is 15, it’s recommended to perform the update.

Control 17: The “Pre-Windows 2000 Compatible Access” Group Contains “Anonymous”

This group should only contain “Authenticated Users” (S-1-5-11) and not “Anonymous” (S-1-5-7). Otherwise, anonymous enumeration of certain elements is possible from the domain controller.

Control 18: krbtgt Account Password Unchanged for Over a Year

Compromising the “krbtgt” account would allow an attacker to forge Kerberos tickets and authenticate with Administrative rights across the entire domain.

Control 19: Account with Modified primaryGroupID

Earlier, we recommended prohibiting primaryGroupIDs less than 1,000 (excluding the default value). Now we advise against modifying this property, which implies implicit group membership. Explicit declaration via the “MemberOf” property is preferred.

Control 20: Accounts or Groups Members of “Pre-Windows 2000 Compatible Access”

Same explanations as Control 17, but this time, we broaden the control scope to prevent Anonymous from being a member of this group through an intermediary.

Control 21: Privileged Accounts Not Members of the “Protected Users” Group

The “Protected Users” group establishes barriers for member users:

Forcing Kerberos authentication
Reducing the lifetime of Kerberos tickets
Enforcing strong encryption algorithm usage (e.g., AES)
Disabling password caching on workstations
Prohibiting any form of delegation

Control 22: Accounts with Reversible Password Storage

If the “ENCRYPTED_TEXT_PASSWORD_ALLOWED” attribute is set on an account, the password for that account can be retrieved in plain text.

Control 23: Accounts or Groups with SID History

The sIDHistory attribute must be empty for all users and groups in the domain. If it’s populated, it generates logs that clutter event logs and can be exploited by an attacker to gain unauthorized rights to resources.

Conclusion

We’ve listed a few important controls that can be easily reviewed to get an overview of your Active Directory’s compliance with ANSSI best practices. These controls may be automated using PowerShell scripts. Once the controls are in place, anomalies need to be reported on a timely basis so they can be swiftly remediated. WALLIX offers a “One Shot” approach to conduct a review for a quick overview of initial actions, or to integrate these controls into a broader identity and access governance policy which covers the entire IT system. This can all be viewed from a web interface for precise and clear reports.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Active Directory: LDIF, An Extraction to Rule Them All

Industry 4.0: The importance of securing a connected future

Active Directory: Knowing the TRUE Last Login Date

Related

Related Resource

Products

Solutions

Resources

About