Authorization / Lack of Admin Users in 'Protected Users' Group
Description
This finding describes a security weakness in which administrative user accounts are not members of the 'Protected Users' group in a system or network environment. The 'Protected Users' group is designed to harden user authentication and reduce the risk of credential-based attacks. When admin users are not part of this group, the system is exposed to security threats that exploit weaknesses in the authentication process.
Risk
The presence of this vulnerability exposes the system to several risks:
- Credential-based Attacks: Without the added protection provided by the 'Protected Users' group, admin users' credentials become more susceptible to attacks such as Pass-the-Hash and Pass-the-Ticket, where attackers attempt to compromise accounts by obtaining and reusing their credentials.
- Password Guessing and Brute Force Attacks: Admin accounts not included in the 'Protected Users' group are more vulnerable to password guessing and brute force attacks, as the enhanced security mechanisms of the group, such as restricting Kerberos ticket lifetimes, are not applied to them.
- Elevation of Privileges: If an attacker gains access to a non-protected admin account, they may exploit other vulnerabilities to escalate their privileges within the system, potentially gaining control over critical resources and sensitive data.
Solution
To mitigate the risks associated with the vulnerability, the following steps are recommended:
- Inclusion in 'Protected Users' Group: Ensure that all administrative user accounts are added to the 'Protected Users' group. This can be done through group policy settings in Windows environments or similar mechanisms in other systems.
- Password Policies: Enforce strong password policies for admin accounts, making them less susceptible to brute force attacks.
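One way to check the first recommendation in an Active Directory domain, as an added example that is not part of the original advisory: list admin accounts missing from 'Protected Users' and preview the membership change. It assumes the ActiveDirectory PowerShell module is installed, and the list of groups treated as administrative and the function name `Get-UnprotectedAdmin` are choices made for this example.

```powershell
# Added example: audit admin accounts missing from 'Protected Users'.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: these built-in groups define "administrative" accounts here.
$AdminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-UnprotectedAdmin {
    param([string[]]$Groups = $AdminGroups)

    # SIDs of every direct or nested member of 'Protected Users'.
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.SID.Value] = $true }

    $seen = @{}
    foreach ($group in $Groups) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root domain.
            Write-Warning "Skipping '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') { continue }   # skip computers and managed service accounts
            $sid = $m.SID.Value
            if ($protected.ContainsKey($sid) -or $seen.ContainsKey($sid)) { continue }
            $seen[$sid] = $true
            $u = Get-ADUser -Identity $sid -Properties ServicePrincipalName
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                HasSPN         = ($u.ServicePrincipalName.Count -gt 0)  # likely a service account
                FoundVia       = $group
            }
        }
    }
}

$gaps = @(Get-UnprotectedAdmin)
$gaps | Format-Table -AutoSize

# Preview the fix for enabled accounts without an SPN; remove -WhatIf to apply.
$gaps | Where-Object { $_.Enabled -and -not $_.HasSPN } | ForEach-Object {
    Add-ADGroupMember -Identity 'Protected Users' -Members $_.SamAccountName -WhatIf
}
```

Members of 'Protected Users' can no longer authenticate with NTLM or be delegated, so review the `-WhatIf` output and test with one account before applying the change to all of them.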