🔒Secure Bits💡
Do you know which members you have in your Active Directory group “Pre-Windows 2000 Compatible Access”?
Well, you should know, because it does a lot:
“A backward compatibility group which allows read access on all users and groups in the domain”
This can be dangerous because it may eventually lead to data leakage. How dangerous it is depends on the membership of this group, which varies between Active Directory domains and usually comes down to how old your AD is.
If your AD is older, the group could include Everyone and Anonymous Logon. This is definitely a security issue, because anyone with an Anonymous Logon identity can read all attributes of your user and group objects.
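The first step is simply knowing who is in the group. The following PowerShell script is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the group object. It reads the raw `member` attribute rather than calling `Get-ADGroupMember`, because Everyone and Anonymous Logon are foreign security principals that `Get-ADGroupMember` does not always resolve, and it flags the well-known SIDs the post talks about.

```powershell
# Added example (not part of the original post): audit the membership of
# "Pre-Windows 2000 Compatible Access" and flag the principals that matter.
# Assumes the RSAT ActiveDirectory module and read access to the group object.
Import-Module ActiveDirectory

$groupName = 'Pre-Windows 2000 Compatible Access'

# Well-known SIDs: fixed values defined by Windows, identical in every domain.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# Read the raw member attribute instead of using Get-ADGroupMember: the
# well-known principals live under CN=ForeignSecurityPrincipals and
# Get-ADGroupMember can fail to resolve them.
$group = Get-ADGroup -Identity $groupName -Properties member

if (-not $group.member) {
    "Group '$groupName' is empty - only the explicit ACLs on objects apply."
    return
}

foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass
    $sid = $obj.objectSid.Value

    $label = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $obj.Name }

    # Defender's view of each membership, matching the post's reasoning
    $risk = switch ($sid) {
        'S-1-1-0'  { 'HIGH   - unauthenticated read of all users and groups' }
        'S-1-5-7'  { 'HIGH   - anonymous read of all users and groups' }
        'S-1-5-11' { 'MEDIUM - every domain account reads most attributes' }
        default    { 'REVIEW - explicit member, check why it is here' }
    }

    '{0,-25} {1,-28} {2}' -f $label, $obj.objectClass, $risk
}
```

Run it as-is from a domain-joined machine; any line marked HIGH corresponds to the "older AD" situation described above, and MEDIUM is the default state on newer domains.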
A newer AD includes only Authenticated Users in the group. That is basically the recommended state, but… Do you remember the post where I mentioned the honeypot user and reconnaissance using BloodHound? Here our topics intersect, because if you dig further into this group you will find that, with the default membership of “Pre-Windows 2000 Compatible Access”, an authenticated user has access to circa 363 attributes, BUT if you completely empty this group it is only 108 attributes.
From the perspective of reconnaissance this is a huge difference, because an attacker is unable to collect all the required information. For example, an attacker would miss the User-Account-Control attributes (lockout, disabled, password not required, …).
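To see that difference in your own domain rather than trusting the counts above, you can measure how many attributes an ordinary domain account can actually read on a user object, once before and once after changing the group membership. The script below is an added example, not from the original post. It assumes the RSAT ActiveDirectory module, that `$LowPrivCred` is an ordinary domain user with no delegated rights, and that the target account `jdoe` is a constructed placeholder name; the attribute counts you get are specific to your environment.

```powershell
# Added example (not from the original post): count the attributes a given
# low-privileged domain account can read on a user object. Run it before and
# after changing the membership of "Pre-Windows 2000 Compatible Access" and
# compare the two lists.
# Assumptions: RSAT ActiveDirectory module is installed; $LowPrivCred is an
# ordinary domain user with no extra rights; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-ReadableAttributes {
    param(
        [Parameter(Mandatory)] [string]$TargetUser,        # sAMAccountName to inspect
        [Parameter(Mandatory)] [pscredential]$LowPrivCred  # account to measure with
    )
    # Query as the low-privileged account. Attributes its ACL denies are simply
    # returned without a value, so only populated attributes are counted.
    $user = Get-ADUser -Identity $TargetUser -Properties * -Credential $LowPrivCred
    $user.PropertyNames | Where-Object { $null -ne $user.$_ } | Sort-Object
}

$LowPrivCred = Get-Credential -Message 'Ordinary domain user (no admin rights)'
$readable    = Get-ReadableAttributes -TargetUser 'jdoe' -LowPrivCred $LowPrivCred

'Attributes readable on jdoe: {0}' -f $readable.Count

# The post singles out userAccountControl (lockout, disabled, password-not-
# required flags) as one of the attributes that disappears when the group is
# emptied, so report it explicitly.
if ('userAccountControl' -in $readable) { 'userAccountControl: readable' }
else { 'userAccountControl: NOT readable to this account' }

# Persist the list so two runs can be diffed with Compare-Object.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$readable | Set-Content -Path ".\readable-attrs-$stamp.txt"
```

After the second run, `Compare-Object (Get-Content .\before.txt) (Get-Content .\after.txt)` lists exactly which attributes stopped being visible to the low-privileged account, which is the list an attacker's reconnaissance would now be missing.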
It is definitely good to be aware of this group and its behaviour; definitely consider removing all members except Authenticated Users. If you are brave enough, you can also experiment with removing Authenticated Users (in a testing environment, of course).
The table is there just to show the scale. If you want the table with all the attribute differences, I will send it to you; just write me a comment please.
