Disabling Machine Account Creation

Since Windows 2000, Microsoft has enabled the ability for all users to create up to 10 machine accounts by default. This is a “feature” implemented by Microsoft that inadvertently introduces potential vulnerabilities within an Active Directory environment. Secure deployment should ensure that Machine Account creation is limited to specific users or groups; Lucid Security strongly recommends making this quick change to bolster your Active Directory environment’s security. This article demonstrates how to set the MachineAccountQuota to 0 instead of the default 10.

Dangers of User Machine Account Creation

First off, let me briefly highlight why having a MAQ of anything over “0” for users is a bad idea. First, once an attacker has valid user credentials, a machine account is trivial to add. This opens up attack paths for a threat actor that often lead to domain compromise. These include:

• Resource Based Constrained Delegation Attacks.
• Possibility of elevating computer account to domain admin via relaying attacks.
• Active Directory Certificate Services (AD CS) attacks.
• Additional persistence for an attacker should a user or administrator change existing user credentials.

How to Disable User Machine Account Creation

First, this is what it looks like from an attacker viewing the Machine Account Quota (MAQ) remotely from an attacker controlled device:

Second, this is what it looks like for an attacker creating a machine account:

Log into your domain controller and perform the following:

1. Press Windows Key + R and type adsiedit.msc
2. Right click on the “DC=” drop down menu and select Properties
3. Scroll down until you see ‘ms-DS-MachineAccountQuota’ and select it and then click Edit
4. Modify the value to “0” and hit OK
5. Apply

Assuming you’ve done everything correctly, this is what it will look like when a user checks the MAQ:

Lastly, when attempting to create a computer account, an attacker will be met with an error stating the relayed user machine quota is exceeded, or they do not have sufficient privileges:

Final Thoughts

Restricting the ability for users to create machine accounts is an important step in hardening an Active Directory environment and is often overlooked by IT administrators as it is an default value set by default by Microsoft. Lucid Security recommends having annual or bi-annual penetration testing to uncover settings such as this.

Contact us today at [email protected] or fill out our Contact Us form to speak with a qualified expert to determine the best solution for you!

A common theme amongst clients when conducting penetration tests is a large attack surface. Generally, the biggest risk is amongst externally exposed assets. However, this can be related to internal penetration tests and web application penetration tests. This blog post will briefly examine the biggest risks associated with a large attack surface.

Unknown Assets

It is not uncommon for companies to have unknown assets exposed to their networks. Historically, Lucid Security has encountered client’s who have acquired other companies. As such, they assume control of the assets that the acquired company. This can lead to client’s having exposed assets that they are unaware of, or not inventoried. If this is the case, these assets may go unpatched/updated leading to further security vulnerabilities.

Test Content

It is important for organizations to continue to grow and evolve. Because of that, IT administrators may test out new software and services. While this is a great idea, unfortunately this test content may find itself exposed externally to the Internet. By testing out software and exposing it to the Internet, typical hardening procedures may have not been made.

Excessive Logging Solutions Exposed

Oftentimes for development reasons, logging software is included in dev/staging environments. However, organizations may forget to exclude them from their applications or external perimeter. This can lead to information disclosures such as database information or internal server architecture.

Conclusion

Between an everchanging security climate and regular development procedures, it is possible for organizations to expose more information/assets than necessary. For this reason, Lucid Security recommends conducting annual penetration testing and at a minimum quarterly external vulnerability assessments to stay on top of issues.

How Lucid Security Can Help

Lucid Security often conducts penetration testing and vulnerability assessments. Our services are catered to assist in identifying issues and help provide expert remediation advice. Contact us today to get started!

This process, involving the simulated attack on a network to identify vulnerabilities, is critical for maintaining the integrity and confidentiality of an organization’s data. However, there’s a crucial aspect often neglected during these tests: application security testing.