Security Focus: Reporting on Interesting UserAccountControl Values

  • Article

I've talked about various UserAccountControl values in previous AD security focused posts. Recently, there's been UserAccountControl values concerning 'Unconstrained Delegation' and Protocol Transition. Prior to that, we've had 'Account is sensitive and cannot be delegated''SCRIL' and also accounts configured for 'DES encryption'.

This time out, I'll show you how to generate some basic reports, using the AD PowerShell module, on some other interesting UserAccountControl values.

These are the values:

PASSWD_NOTREQD - an account can be configured to have a null value for a password. With this set anyone could login with the account and access authorised resources.

PASSWD_CANT_CHANGE - the user cannot change the account password. Worth flagging for its rarity.

ENCRYPTED_TEXT_PWD_ALLOWED - the password is stored with reversible encryption. The password hash can be converted to plain text.

DONT_EXPIRE_PASSWORD - the password never expires, leaving the account susceptible to brute force attacks.

DONT_REQ_PREAUTH - the account doesn't require Kerberos pre-authentication. Opens up the possibility of offline brute-forcing of encrypted TGT.

 

This is the PowerShell:

#Create a hash table of UserAccountControl properties to be tested
$UacProperties = [Ordered]@{

PASSWD_NOTREQD = 0x0020
PASSWD_CANT_CHANGE = 0x0040
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

}

#Loop through each domain in the forest
(Get-ADForest).Domains | ForEach-Object {

    $Domain = Get-ADDomain -Server $_

    #Loop through the hash table keys
$UacProperties.Keys | ForEach-Object {

    #Perform query against current UAC property
$UacValue = $UacProperties.Item($_)
$Findings = Get-ADObject -Filter {UserAccountControl -band $UacValue} -Server $Domain.DNSRoot -ErrorAction SilentlyContinue

#If $Findings is populated, export to CSV
if ($Findings) {

            $Findings | Export-Csv -Path ".\$(($Domain.Name).ToUpper())_$($_).csv"

    }

    }

}

 

What happens when we run that? Well, we loop through each domain in the forest and end up with a report for each UserAccountControl value from each domain. Each report contains details of the accounts that have that specific value set. If no accounts were found, there isn't a report for that value in that domain.

Consider adding other UserAccountControl values to the ordered hash table to generate different reports.