Trimarc Whitepaper: Owner or Pwnd?

Updated: Jun 26, 2023


"Owner or Pwned?" is an in-depth journey into the intricacies of ownership in Active Directory (AD). Yes, I had to look up how to spell intricacies. Trimarc's own Jim Sykora smashes a year's worth of research into 54 short pages, complete with code snips, screenshots, examples and, of course, Kenny Loggins references. This whitepaper touches on all aspects of AD ownership: Organizational Units (OUs), Computers, Groups, Users, AD Certificate Services (ADCS), Group Policy Objects (GPOs), and even Active Directory Integrated DNS (ADI DNS).

Jim identifies reactive approaches to fix what's already vulnerable as well as proactive options to reconfigure AD to be more secure in the future. These fundamental shifts in design strategy remove the necessity for monthly or quarterly scripts to scan and remediate misconfigurations that persist as a default as new computers, users, and other objects are provisioned into AD.

This paper drops plenty of best practices along the way but reads more like a journey. Jim walks through his thought process from start to finish, showcasing the difference between doing it your way and doing it the right way.

He concludes by investigating several recent patches and published research that highlight the necessity for understanding ownership. Failure to do so, as Kenny Loggins puts it, is a "highway to the danger zone".

- Brandon Colley, Identity Security Consultant at Trimarc Security


The default behavior in Active Directory allows the Owner of an AD Object to fully control that Object. Do you know who owns objects in your AD Forest? Do you know which AD Object Owners could compromise your AD Forest? Do you know who could own your AD Objects and who could Pwn your AD?
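A quick way to start answering those questions is to enumerate who owns the object classes the whitepaper covers. The script below is an added example, not code from the whitepaper or from Trimarc; it assumes the ActiveDirectory RSAT module, a domain-joined session, and that the three groups listed in `$expectedOwners` are the owners you consider acceptable (adjust that list for your environment). It reads the owner from each object's security descriptor and reports owners that fall outside that list.

```powershell
# Added example (not from the whitepaper): audit the Owner of OUs, computers,
# groups, users and GPOs and flag owners outside an expected set.
# Assumes the ActiveDirectory module is installed and the session can query the domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Assumption: these are the owners you expect by default; tune to your environment.
$expectedOwners = @(
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins",
    "BUILTIN\Administrators"
)

# objectCategory is single-valued, so these filters do not overlap
# (a plain objectClass=user filter would also match computer objects).
$categories = [ordered]@{
    OU       = '(objectCategory=organizationalUnit)'
    Computer = '(objectCategory=computer)'
    Group    = '(objectCategory=group)'
    User     = '(&(objectCategory=person)(objectClass=user))'
    GPO      = '(objectCategory=groupPolicyContainer)'
}

$results = foreach ($kind in $categories.Keys) {
    Get-ADObject -LDAPFilter $categories[$kind] `
                 -SearchBase $domain.DistinguishedName `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        # Owner is an IdentityReference; stringify it for a reliable comparison.
        $owner = [string]$_.nTSecurityDescriptor.Owner
        [pscustomobject]@{
            Kind              = $kind
            DistinguishedName = $_.DistinguishedName
            Owner             = $owner
            Unexpected        = ($owner -notin $expectedOwners)
        }
    }
}

# Summary: how many objects each owner holds, largest first.
$results | Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Detail: every object whose owner is outside the expected set.
$results | Where-Object Unexpected |
    Sort-Object Kind, Owner |
    Format-Table Kind, Owner, DistinguishedName -AutoSize
```

The summary table is the fast answer to "who owns objects in your AD Forest?"; the detail table is the remediation worklist. Since an owner can grant themselves any right on the object, a user or unprivileged group appearing in the Owner column of an OU, GPO or privileged group is the case to investigate first.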

Find out by downloading the whitepaper below:

