This issue is all about A-MembershipEveryone.
The changelog says that there was a change to this rule, and after updating to version 3.1.0.0 our domain got a four-digit number of new points from this rule - yikes.
Let's try to understand what is happening here.
The description says: "In order to correct the issue, you should edit the GPO and change the local group assignation."
Ok, let's head into the GPO and investigate Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups. But uh oh, there are no groups specified at all.
After some searching I found this site where it is stated: "This rule checks also the membership set in Computer Configuration / Preferences / Control Panel Settings / Local Users and Groups." Aha! Now we are on the right path and found the entries which are also found by PingCastle.
First issue: Why not write this text?
The next thing that stood out was that not all GPOs found by PingCastle are actually linked.
Second issue: Maybe only mention linked GPOs or at least add a flag accordingly.
Final and biggest issue:
Now that we know where to look, let's see what we have. The source code indicates it is looking for AuthenticatedUsers, Everyone, Users, Anonymous, DomainUsers or DomainComputers.
Ok. Our GPOs have some entries where AD groups are added to S-1-5-32-544, but none of these groups are among the previously mentioned ones. Only very special groups are added to S-1-5-32-544. However, there is only one entry where S-1-5-domain-513 (DomainUsers) is added, but it is added to S-1-5-32-547 (Power Users) and not to e.g. S-1-5-32-544. It seems that this is the only entry that is responsible for all other entries being complained about by PingCastle.
Third issue: None of the groups AuthenticatedUsers, Everyone, Users, Anonymous, DomainUsers or DomainComputers are added to a local group with admin rights, only to Power Users (whether this is a security risk can be discussed elsewhere). But instead of only the one entry where DomainUsers are added, all other entries are also flagged (with the indication DomainUsers).
To Summarize:
Please check the description
Please check the possibility to flag unlinked GPOs (and maybe don't count them to the score)
Please check the examination of the GPOs to eliminate false positives
We fixed an issue in our code.
The check was case sensitive, while some implementations did not use the classic Microsoft case.
See in the next version if the bug is fixed.
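As an added illustration of the check discussed in this issue and in the reply above (example code, not PingCastle's own), the following parses a GPP "Local Users and Groups" Groups.xml, reports only the individual Member entries that add one of the named broad principals to a privileged local group, and matches SIDs and names case-insensitively. The Groups.xml sample, the CONTOSO names and SIDs, and the choice to treat only S-1-5-32-544 (Administrators) as admin rights are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Broad principals the rule names; SIDs are the well-known constants, names are a case-insensitive fallback.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "AuthenticatedUsers",
              "S-1-5-7": "Anonymous", "S-1-5-32-545": "Users"}
BROAD_RIDS = {"513": "DomainUsers", "515": "DomainComputers"}  # S-1-5-21-<domain>-RID
BROAD_NAMES = {"everyone": "Everyone", "authenticated users": "AuthenticatedUsers",
               "anonymous logon": "Anonymous", "users": "Users",
               "domain users": "DomainUsers", "domain computers": "DomainComputers"}
ADMIN_GROUPS = {"S-1-5-32-544"}  # assumption: only built-in Administrators counts as admin rights

def classify_member(sid, name):
    """Return the broad-principal label for one <Member>, or None if it is a specific group."""
    sid = (sid or "").upper()
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m and m.group(1) in BROAD_RIDS:
        return BROAD_RIDS[m.group(1)]
    short = (name or "").split("\\")[-1].strip().lower()  # drop DOMAIN\ prefix, ignore case
    return BROAD_NAMES.get(short)

def find_broad_members(groups_xml, target_groups=ADMIN_GROUPS):
    """List (target_group_sid, member_name, label) for each offending Member entry only."""
    hits = []
    for props in ET.fromstring(groups_xml).iter("Properties"):
        target = (props.get("groupSid") or "").upper()
        if target not in target_groups:
            continue  # e.g. Power Users is not counted unless passed in target_groups
        for member in props.iter("Member"):
            if (member.get("action") or "").upper() != "ADD":
                continue
            label = classify_member(member.get("sid"), member.get("name"))
            if label:
                hits.append((target, member.get("name"), label))
    return hits

# Constructed Groups.xml: a specific group into Administrators, Domain Users into Power Users
# (lower case), and Authenticated Users into Administrators by name only (no sid attribute).
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
 <Group name="Administrators (built-in)"><Properties action="U" groupSid="S-1-5-32-544"><Members>
  <Member name="CONTOSO\\Tier1-WksAdmins" action="ADD" sid="S-1-5-21-11-22-33-1105"/></Members></Properties></Group>
 <Group name="Power Users (built-in)"><Properties action="U" groupSid="S-1-5-32-547"><Members>
  <Member name="contoso\\domain users" action="ADD" sid="S-1-5-21-11-22-33-513"/></Members></Properties></Group>
 <Group name="Administrators (built-in)"><Properties action="U" groupSid="s-1-5-32-544"><Members>
  <Member name="NT AUTHORITY\\authenticated users" action="ADD"/></Members></Properties></Group>
</Groups>"""

if __name__ == "__main__":
    print(find_broad_members(SAMPLE_GROUPS_XML))
```

Only the third Member entry is reported for Administrators; the Domain Users membership appears only when S-1-5-32-547 is included in target_groups.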