Gone in 60 Seconds

Gone in 60 Seconds
The permissions assigned by many organizations through the Active Directories Delegation wizard and/or the computer account creation processes are more permissive then they should be. As a result, just about anyone can delete every computer account in an Active directory domain.
In Active Directory computers have accounts just like users. So as computers in your environment are deployed, or wiped and reloaded as a result of viruses, employee turnover, etc, technicians in the field need to have “Add computer account to the Domain” permissions or you need to give a few people permissions to stage the computer accounts. When you create a new computer object in AD (a staged account) you have the chance to define who can add that computer to your domain. (IMAGE1)

Picture of Add Computer Account Dialog w/ default permissions
You can see that by default Windows wants you to give “Domain Admins” permission to add the computer to the domain. Indeed, limiting this permission to Domain Admins is a pretty good idea as you will see in a minute. Limiting the permission to “Domain Admins” would be great from a security standpoint, but in most environments Domain Admin are pretty busy people are generally are not available to add every computer to the network. So organizations will change this privilege to a larger group such as “Authenticated Users” or “Everyone” as new staged computer object are created. Worse yet, in a some large environment even staging computer accounts may seem like a burden. In those organizations they often delegate the ability to add computers to the domain to a larger user base using the Active Directory Delegation Wizard or through group policy. As a matter of fact, this technet article from Microsoft walks users through giving all “Authenticated Users” the ability to add workstations to the domain. The end result is in many organizations the ability to “Add Computer Accounts to the Domain” are extended to a pretty large group of people. Often, everyone can add computers to the domain.
So is that bad? I have spoken with a few systems administrators who asked the question “Why not let everyone add their computer to the domain? You want everyone in your domain right? If someone wants to volunteer for password complexity requirements, screen savers time outs, etc why not let them?” Hmmm…. That sounds tempting. Why NOT let everyone add computers to the domain? Is this a case where the principle of least required access is wrong? No. In my opinion, there are very good reasons to limit who can add computer objects to your domain and this is just one of them.
Here is the problem, if you give Authenticated Users the ability to add a computer account they get the following permissions:
Allow DOMAINAuthenticated Users SPECIAL ACCESS
DELETE
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
DELETE TREE
LIST OBJECT
CONTROL ACCESS
As you can see, among the permissions that are assigned is the ability to DELETE that object. If these are the permissions assigned to all the computer objects in your domain then any authenticated user on your network could drop to a command prompt and delete ALL the computers in your domain with one simple command.
Any disgruntled authenticated user with a command prompt or piece of malware with a temper can execute “dsquery computer -limit 0 | dsrm” and you have a really really bad day on your hands. In one fell swoop every computer account in the domain is deleted.
Could all your computer object be deleted that easily? Chances are good that they could be. To know for sure, go through some of your computer objects and see what permissions are assigned to the objects. Who has the ability to delete your computer objects? This command will show you the permissions on your computer objects:
for /F “tokens=” %i in (‘dsquery computer -limit 0’) do dsacls %i | more
Need to fix it? dsacls.exe lets you set the permissions on your computer objects as well. So drop to a command prompt and figure out what the dsacls syntax is to set the appropriate permissions for your environment. Here is a reference on dsacls.
First figure out what permissions to set on one computer object doing something like this:
dsacls “CN=COMPNAME,OU=SomeOU,DC=DOMAINNAME,DC=com”

 /D “everyone”:”SDDT;;”
Once you have the permissions setup for one object, run dsacls against all computer objects in the domain like this:
for /F “tokens=” %i in (‘dsquery computer -limit 0’) do dsacls %i /D “everyone”:”SDDT;;”
Be sure to address both “Authenticated Users” and “Everyone”. Keep in mind that you need to schedule these commands to be run on a regular interval to address new computer objects that are constantly being created. Of course the best solution is to limit who can join a computer to your domain when the computer account is created.
Here is some sample output from dsacls. In the example below “Domainbadaccess” is what you do NOT want “everyone” or “authenticated users” to have. The rest of the permissions are the defaults and do not put your computer objects at risk.
dsacls “CN=TEST Computer Account,OU=OUNAME,DC=DOMAINNAME,DC=com”

Allow DOMAINDomain Admins FULL CONTROL
Allow BUILTINAccount Operators FULL CONTROL
Allow NT AUTHORITYSYSTEM FULL CONTROL
Allow DOMAINbadaccess SPECIAL ACCESS
DELETE
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
DELETE TREE
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITYAuthenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITYSELF SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
Allow Domainadmingroup FULL CONTROL