Identity Management / Admin Accounts which Do Not Have the Flag "This Account Is Sensitive and Cannot Be Delegated"
Admin accounts which do not have the flag "this account is sensitive and cannot be delegated" is an IT vulnerability that falls within the category of Identity Management. This vulnerability occurs in Infrastructure when an administrator account is created without the sensitive flag, allowing a service that is trusted for Kerberos delegation to impersonate the account and use it to gain access to sensitive information or manipulate system settings. This vulnerability has been assigned CWE-264: Permissions, Privileges and Access Controls, and is described in detail in the OWASP Testing Guide.
This vulnerability can be particularly dangerous, as it allows an attacker who controls a delegating service to act as the administrator, gaining access to sensitive information and manipulating system settings. If a malicious user were to gain access to an administrator account in this way, they could cause significant damage to the system, such as deleting important files or changing security settings. It is therefore important to ensure that all administrator accounts, existing ones as well as newly created ones, carry the sensitive flag.
To prevent this vulnerability, administrators should ensure that all admin accounts are created with the sensitive flag. This is done by setting the NOT_DELEGATED bit (0x100000) in the account's userAccountControl attribute, which corresponds to the checkbox "Account is sensitive and cannot be delegated" on the Account tab in Active Directory Users and Computers. With this bit set, a service will not be issued delegated Kerberos tickets on behalf of the account, so it cannot use the account to reach other systems or manipulate their settings.
The following code example shows how to set the flag for an admin account using the ActiveDirectory PowerShell module:
# Mark the account as sensitive; -AccountNotDelegated maps to the NOT_DELEGATED userAccountControl bit
Set-ADUser -Identity adminAccount -AccountNotDelegated $true
This command sets the NOT_DELEGATED bit in the specified admin account's userAccountControl attribute, which is the same as ticking "this account is sensitive and cannot be delegated" in the account properties.
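Setting the flag one account at a time does not tell you which privileged accounts are still missing it. The script below is an added example, not code from the original page: it audits enabled accounts protected by AdminSDHolder (adminCount = 1, assumed here as the definition of "admin account"), reports those without the NOT_DELEGATED bit, and remediates them only when the assumed -Remediate switch is given, honouring -WhatIf. It requires the ActiveDirectory RSAT module.

```powershell
# Added example: audit privileged AD accounts for the NOT_DELEGATED flag and
# optionally set it. Assumption: "admin account" = enabled user with adminCount=1.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # assumed switch: apply the fix instead of only reporting
)

Import-Module ActiveDirectory

# userAccountControl bit for "This account is sensitive and cannot be delegated"
$NOT_DELEGATED = 0x100000   # decimal 1048576

# Enabled filter also excludes the (disabled) krbtgt account, which has adminCount=1
$privileged = Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $true' `
    -Properties userAccountControl

$findings = foreach ($u in $privileged) {
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        DistinguishedName   = $u.DistinguishedName
        # bitwise test against the raw attribute, independent of the cmdlet's derived property
        AccountNotDelegated = (($u.userAccountControl -band $NOT_DELEGATED) -ne 0)
    }
}

$missing = @($findings | Where-Object { -not $_.AccountNotDelegated })

$findings | Sort-Object AccountNotDelegated, SamAccountName | Format-Table -AutoSize
Write-Host ("{0} of {1} privileged accounts lack the NOT_DELEGATED flag" -f $missing.Count, @($findings).Count)

if ($Remediate) {
    foreach ($f in $missing) {
        # ShouldProcess makes -WhatIf / -Confirm work for each change
        if ($PSCmdlet.ShouldProcess($f.SamAccountName, 'Set AccountNotDelegated = $true')) {
            Set-ADUser -Identity $f.DistinguishedName -AccountNotDelegated $true
        }
    }
}
```

Run it without -Remediate first to review the list, then with -Remediate -WhatIf to preview the changes before applying them.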