Authorization / Active Directory - Primary Group ID integrity

Infrastructure

Description

Groups are the standard way of providing access to resources in an environment, so group membership should be treated with the utmost care. A lesser-known Active Directory feature can be used for the same purpose: the Primary Group ID. This mechanism was created to support legacy UNIX applications, where group membership is not stored in the same way as in Windows. When access rights to a resource are checked, being a member of a group and having a Primary Group ID set to that group are exactly the same from an Active Directory perspective. Not all third-party tools and software consider this use-case.

Risk

Using the Primary Group ID mechanism to grant access is considered a bad practice and a security risk: the membership it grants is not visible where regular group members are listed, so tools and reviews that only look at explicit membership can miss it, and an unexpected PGID amounts to a hidden group membership.

Solution

Because of the hidden backdoor mechanism it provides, the Primary Group ID value of every account in the domain should be reset to its default value:

  • for every user account of the domain, the PGID should be set to 513, whatever the functional type of the account (normal or privileged user, service account, VIP user, etc.)
  • the Guest account is a specific user account that should have a PGID of 514
  • for every computer account of the domain, the PGID should be set to 515, whatever the functional type of the computer (desktop or server), except for domain controllers
  • for every domain controller of the domain, the PGID should be set depending on the type of domain controller that is expected:
    -- for standard read-write domain controllers, the PGID should be set to 516
    -- for read-only domain controllers, the PGID should be set to 521
    -- for enterprise read-only domain controllers, the PGID should be set to 498
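The audit below, added here as an example and not part of the original page or of any vendor tooling, applies the expected values above to every user and computer account of the current domain with the RSAT ActiveDirectory module. The function name and the `-Fix` switch are assumptions; the built-in Guest account is recognised by its RID (501) rather than its name, domain controllers are identified through Get-ADDomainController, and because the page does not say how to tell an enterprise read-only domain controller apart, a read-only domain controller is accepted with either 521 or 498 and is never rewritten automatically.

```powershell
# Added audit example (not from the original page). Requires the ActiveDirectory
# RSAT module and read access to the domain; -Fix additionally needs write access.
Import-Module ActiveDirectory

function Get-PrimaryGroupIdDeviation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Report only by default; -Fix resets deviations (combine with -WhatIf to preview).
        [switch]$Fix
    )

    # Expected RIDs from the page: Domain Users 513, Domain Guests 514,
    # Domain Computers 515, Domain Controllers 516, RODCs 521, Enterprise RODCs 498.
    $rodcExpected = @(521, 498)

    # Map DC computer DNs to their IsReadOnly flag so DCs are not held to the
    # 515 rule that applies to member computers.
    $dcs = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcs[$dc.ComputerObjectDN] = [bool]$dc.IsReadOnly
    }

    $findings = @()

    foreach ($u in Get-ADUser -Filter * -Properties primaryGroupID) {
        # The built-in Guest account keeps RID 501 even if it has been renamed.
        $expected = if ($u.SID.Value -match '-501$') { 514 } else { 513 }
        if ($u.primaryGroupID -ne $expected) {
            $findings += [pscustomobject]@{
                Object = $u.DistinguishedName; Type = 'User'
                Current = $u.primaryGroupID; Expected = $expected
            }
        }
    }

    foreach ($c in Get-ADComputer -Filter * -Properties primaryGroupID) {
        $dn = $c.DistinguishedName
        if ($dcs.ContainsKey($dn)) {
            if ($dcs[$dn]) { $expected = '521 or 498'; $ok = $rodcExpected -contains $c.primaryGroupID } else { $expected = 516; $ok = $c.primaryGroupID -eq 516 }
        } else {
            $expected = 515; $ok = $c.primaryGroupID -eq 515
        }
        if (-not $ok) {
            $findings += [pscustomobject]@{
                Object = $dn; Type = 'Computer'
                Current = $c.primaryGroupID; Expected = $expected
            }
        }
    }

    if ($Fix) {
        # Only single-valued expectations are corrected; RODC findings ('521 or 498')
        # are left for manual review. Resetting primaryGroupID requires the account
        # to already be a member of the target default group, which is normally the case.
        foreach ($f in $findings | Where-Object { $_.Expected -is [int] }) {
            Set-ADObject -Identity $f.Object -Replace @{ primaryGroupID = $f.Expected }
        }
    }

    $findings
}

# Report deviations; preview a remediation with: Get-PrimaryGroupIdDeviation -Fix -WhatIf
Get-PrimaryGroupIdDeviation | Format-Table -AutoSize
```

Run the report first and investigate every deviation before resetting anything: the account that carries an unexpected PGID effectively holds the corresponding group membership, and the reset removes that access.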
