An access control gap in Microsoft's Active Directory (AD) service may allow users within Windows environments to access domains beyond those for which they are authenticated, all while IT admins are none the wiser.
AD, Microsoft's catchall identity management service for authenticating computers, printers, users, or really anything participating in an IT environment, is built into most Windows domain-type networks. Tens of thousands of organizations use the service, including 90% of Global Fortune 1000 companies, according to Frost & Sullivan.
Network administrators use AD to manage authentication across a domain, ensuring that intended users — only intended users — can access the resources they're allotted — only those they're allotted.
In a report published March 14, however, Charlie Clark, security researcher at Semperis, detailed how a user can escape the guardrails within AD, and access domains for which they were not explicitly granted permission.
"It massively increases the attack surface for an attacker," he explains, "and obviously, the larger the attack surface, the more likely it is that an attacker can find an exploitable bug."
MSFT AD's "Transitive Trust" Problem
According to the transitive property of mathematics, if a = b and b = c, then a = c.
In AD, if domain A connects to domain B, and domain B connects to domain C, domains A and C may or may not be able to access one another, depending on whether they share a "transitive trust." As stated in Microsoft's documentation, "transitivity determines whether a trust can be extended outside of the two domains with which it was formed."
Two domains belonging to two different organizations might bear an "external trust" — a form of trust that's set up manually in AD, which is nontransitive. However, herein lies the issue that Clark found: that external trust can be used by one company to access sister domains within the same group (what Microsoft calls a "forest") as the second, for which no official external trust has been established, Clark says.
"If what we thought about non-transitive trusts were true," Clark explains, an authenticated user from one domain would "only be able to target the specific domain they've got a trust with. They wouldn't be able to move around the forest to other domains."
Instead, "any account within the trusted domain will be able to authenticate against any domain within the entire forest in which the trusting domain resides," he wrote in his analysis.
A malicious user who figures out how to burrow around a forest at will can access resources, reach accounts, and find data they otherwise should not.
"It allows an attacker to have a much larger attack surface from any low-privileged account on a trusted domain," Clark reasons, because "if you manage to take over a single domain within a forest, it's very easy to take over the whole forest."
Clark first reported his findings to Microsoft on May 4, 2022. On Sept. 29, Microsoft wrote in an email that "we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering." With that, the company closed the case.
“We provide many mechanisms for limiting resource access when using external trusts in a forest trust environment," a Microsoft spokesperson explained. "For example, by applying an authentication policy to resources at any granularity to allow or deny authentication based on any security descriptor. Customers can also set a deny-by-default posture which only allows those users to authenticate to accounts where the user has the allowed-to-authenticate right. We are continuously researching ways to improve security for future releases. More information is available in our authentication policy documentation.”
Why Trust Matters
Clark worked as a systems administrator for over 15 years, and a pen tester for six. "Every medium to large business or infrastructure that I've worked with has had external trusts," he claims. By that logic, most of AD's clients are likely at risk right now, he alleges, if additional protections haven't been put in place.
Microsoft's recommendations aside, to protect against this form of access control abuse, Clark recommends that admins remove all external trusts. If this is not possible, then monitoring which users are accessing what is the next best thing.
The most important thing, in the end, is awareness. Otherwise, admins may fall prey to a false sense of security. They "can see that a trusted domain is a higher risk. So they may apply greater security to that domain," Clark explains, but "they might not apply the same level of security to the rest of the domains within the forest," despite the similar risk.
"I think the main thing is to make system admins aware that this is possible," Clark concludes. By knowing this, "they can harden the rest of the domain sufficiently."