Secure Bits
Do you know what the AdminCount 1 attribute means? 2/2
In a previous post, I explained what AdminSDHolder is, but it is also important to know what it protects and how.
We already know that the AdminSDHolder process runs every 60 minutes (it can also be triggered manually) and sets ACLs on protected accounts and groups. By default, the following are protected:
- Account Operators
- Administrator
- Administrators
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Enterprise Key Admins
- Key Admins
- Krbtgt
- Print Operators
- Read-only Domain Controllers
- Replicator
- Schema Admins
- Server Operators
They all have three things in common:
1) They have the attribute AdminCount set to 1.
2) They have inheritance of permissions disabled.
3) They carry the same ACL, copied from AdminSDHolder.
This is also what happens to your own account if you add it to one of these groups, for example Domain Admins.
Two very important things to mention:
⚠️ If you remove your account from any protected group mentioned above after the AdminSDHolder process has already run, nothing is reverted. The account keeps its disabled inheritance and its AdminCount value of 1. There is a reason for this, and if you wish to keep using the account afterward, you should revert these settings manually, or better, delete the account and create a new one.
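The following PowerShell is an added example, not code from the original post. It lists every object with AdminCount set to 1 together with its inheritance state, marks the ones that are no longer a protected group or a member of one (the leftovers the post describes), and offers a -WhatIf-capable function to revert them manually. It assumes the ActiveDirectory RSAT module, a domain-joined session with read rights on the directory, and write rights on the affected objects for the repair step; the function and variable names are this example's own.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# RSAT module, a domain-joined session with read rights on the directory, and
# (for Repair-OrphanedAdminCount) write rights on the affected objects.
Import-Module ActiveDirectory

# The protected groups named in the post; Administrator and krbtgt are handled by RID below.
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Enterprise Key Admins', 'Key Admins',
    'Print Operators', 'Read-only Domain Controllers', 'Replicator', 'Schema Admins',
    'Server Operators'
)

function Get-ProtectedDnSet {
    # Returns the DNs of every protected group, their recursive members, and the
    # two protected built-in accounts (RID 500 = Administrator, RID 502 = krbtgt).
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) {
            # Enterprise Admins, Schema Admins and Enterprise Key Admins exist only in the forest root.
            Write-Warning "Group '$name' not found in this domain; skipping"
            continue
        }
        [void]$set.Add($group.DistinguishedName)
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$set.Add($_.DistinguishedName) }
    }
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($rid in 500, 502) {
        [void]$set.Add((Get-ADUser -Identity "$domainSid-$rid").DistinguishedName)
    }
    return ,$set   # leading comma keeps the set from being unrolled into the pipeline
}

function Get-AdminCountReport {
    # One row per object with adminCount=1: whether inheritance is still disabled
    # and whether the object is (still) a protected group or a member of one.
    $protected = Get-ProtectedDnSet
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties objectClass | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Name                = $_.Name
            ObjectClass         = $_.ObjectClass
            DistinguishedName   = $_.DistinguishedName
            InheritanceDisabled = $acl.AreAccessRulesProtected
            StillProtected      = $protected.Contains($_.DistinguishedName)
        }
    }
}

function Repair-OrphanedAdminCount {
    # Reverts what SDProp never undoes on accounts that left every protected group:
    # clears adminCount and re-enables inheritance. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-AdminCountReport | Where-Object { -not $_.StillProtected } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
            Set-ADObject -Identity $_.DistinguishedName -Clear adminCount
            $path = "AD:\$($_.DistinguishedName)"
            $acl  = Get-Acl -Path $path
            # $false = inherit from the parent again; $true = keep the explicit ACEs that were
            # copied from AdminSDHolder so nothing is dropped silently (review them as a separate step).
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage:
Get-AdminCountReport | Format-Table -AutoSize
# Repair-OrphanedAdminCount -WhatIf
```

Run the report first; an account with StillProtected = False but InheritanceDisabled = True is exactly the leftover the post warns about. The repair deliberately keeps the explicit ACEs when it re-enables inheritance, because discarding them blindly could also remove permissions that were legitimately set on the object; the post's recommendation to delete and recreate the account remains the cleanest option.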
⚠️ Whenever the AdminSDHolder process has to reset the ACL on a protected account or group, it generates Event ID 4780, which is very useful for monitoring your environment for malicious activity. However, this event is not reliable:
“For some reason, this event doesn’t generate on some OS versions.”
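As an added example (not from the original post), the PowerShell below shows both sides of the monitoring point made above: an event-based check that pulls Event ID 4780 from the Security log, and a state-based check that compares the DACL of every AdminCount=1 object against AdminSDHolder's own DACL, which keeps working on OS versions where the event is never written. It assumes the ActiveDirectory module and read access to the Security log of the PDC emulator (the DC that runs SDProp and therefore logs 4780); the function names are this example's own.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and permission to read the Security log of the PDC emulator, which is
# the DC that runs SDProp and therefore the one that writes Event ID 4780.
Import-Module ActiveDirectory

function Get-AdminSdHolderResetEvents {
    # Event-based check: 4780 = "The ACL was set on accounts which are members of administrators groups".
    param(
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4780; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields from the event XML rather than relying on property order.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Target      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Subject     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            }
        }
}

function Compare-ProtectedDacls {
    # State-based check that does not depend on the event firing: SDProp stamps a copy of
    # AdminSDHolder's DACL on protected objects, so an adminCount=1 object whose DACL differs
    # is either waiting for the next SDProp run or has been modified, and deserves a look.
    $domain    = Get-ADDomain
    $holderDn  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $reference = (Get-Acl -Path "AD:\$holderDn").GetSecurityDescriptorSddlForm('Access')
    Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $dacl = (Get-Acl -Path "AD:\$($_.DistinguishedName)").GetSecurityDescriptorSddlForm('Access')
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            MatchesHolder     = ($dacl -eq $reference)
        }
    }
}

# Usage:
Get-AdminSdHolderResetEvents -Hours 168 | Format-Table -AutoSize
Compare-ProtectedDacls | Where-Object { -not $_.MatchesHolder } | Format-Table -AutoSize
```

Treat the two checks as complementary: a 4780 event tells you that something changed an ACL SDProp had to put back, while a DACL mismatch found by the state-based check shows the same condition even on a domain controller that never logs the event. Scheduling the comparison at an interval shorter than SDProp's 60 minutes catches a modified ACL before it is silently overwritten.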
Follow us for more insights and free courses.
