Security Focus: Check the AdminSDHolder ACL - Part 1

In Active Directory, AdminSDHolder is an object in the System container of each domain partition. Its security descriptor is stamped hourly on every AD object marked with AdminCount -eq 1. This 'fix up' is performed by a process called SDProp, which runs on the PDC emulator. The security descriptor / ACL can be thought of as a template and is a means of protecting highly privileged users and groups.

However, changing the ACL can produce unwanted behaviour; for example, an attacker who can modify it gains a way to persist in Active Directory, because any rights added to the template are re-applied to every protected object on the next SDProp run.

This post shows how to dump the ACL so that it can be checked and compared against an earlier export.

#Requires the ActiveDirectory module (RSAT); run as an account that can read the System container
Import-Module ActiveDirectory

#Loop through each domain in the forest
(Get-ADForest).Domains | ForEach-Object {

    #Get System Container path
    $Domain = Get-ADDomain -Identity $_

    #Connect a PS Drive rooted at the domain's System container
    $Drive = New-PSDrive -Name $Domain.Name -PSProvider ActiveDirectory -Root $Domain.SystemsContainer -Server $_

    #Export AdminSDHolder ACL
    if ($Drive) {

        $Acl = (Get-Acl "$($Drive.Name):CN=AdminSDHolder").Access

        if ($Acl) {
            #Full ACL (every ACE) as XML, and the unique trustees as CSV
            $Acl | Export-Clixml -Path ".\$(($Domain.Name).ToUpper())_ADMINSDHOLDER_ACL_FULL.xml"
            $Acl | Select-Object -Property IdentityReference -Unique | Export-Csv -Path ".\$(($Domain.Name).ToUpper())_ADMINSDHOLDER_ACL_GROUPS.csv"
        }

        #Remove PS Drive
        Remove-PSDrive -Name $Domain.Name
    }
}


Some bits to note:

  • We use a tried and trusted means to loop through each domain in the forest
  • Once the path for the domain's system container is found, we create a PSDrive to the container using the ActiveDirectory PSProvider
  • With the drive established, good ol' Get-Acl is used to dump the AdminSDHolder access list
  • This access list is then used to produce two domain-specific reports: an XML report containing the full ACL, and a CSV report listing the unique identities (the groups and accounts granted rights) for easy tracking and checking
  • Finally, we remove the PSDrive for the current domain and then move onto the next
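As an added example (not part of the original post), the following PowerShell diffs two of the full XML reports produced by the script above with Compare-Object, so that any ACE added to or removed from AdminSDHolder since the baseline stands out, and lists the objects SDProp will stamp with that ACL. The function names, the example file names and the Server value are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Compares two full reports
# written by the export script (Export-Clixml of the AdminSDHolder ACL) and
# reports every ACE that was added or removed between them. File names used
# below are assumptions; use whichever *_ADMINSDHOLDER_ACL_FULL.xml you exported.

function Get-AceKey {
    # Build one string per ACE from the fields that decide what a trustee can do.
    # Deserialised ACEs (Import-Clixml) expose these as strings, so -f is safe.
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        $Fields = @($Ace.IdentityReference, $Ace.AccessControlType, $Ace.ActiveDirectoryRights,
                    $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType)
        '{0} | {1} | {2} | ObjectType={3} | InheritedObjectType={4} | {5}' -f $Fields
    }
}

function Compare-AdminSDHolderAcl {
    param(
        [Parameter(Mandatory)] [string] $BaselinePath,  # older export, known good
        [Parameter(Mandatory)] [string] $CurrentPath    # newer export
    )

    # @() guards Compare-Object against an empty report, which it otherwise rejects
    $BaselineKeys = @(Import-Clixml -Path $BaselinePath | Get-AceKey)
    $CurrentKeys  = @(Import-Clixml -Path $CurrentPath  | Get-AceKey)

    # No output means the ACL is unchanged; '=>' is only in the current report, '<=' only in the baseline
    Compare-Object -ReferenceObject $BaselineKeys -DifferenceObject $CurrentKeys |
        ForEach-Object {
            [PSCustomObject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Ace    = $_.InputObject
            }
        }
}

function Get-ProtectedObject {
    # Lists the objects SDProp stamps with the AdminSDHolder ACL, i.e. the blast
    # radius of any change found above. Accounts removed from a protected group
    # keep adminCount=1 until it is cleared by hand, so expect some orphans.
    param([Parameter(Mandatory)] [string] $Server)
    Get-ADObject -Server $Server -LDAPFilter '(adminCount=1)' -Properties adminCount, objectClass |
        Select-Object -Property DistinguishedName, ObjectClass
}

# Usage (placeholder file names from a previous and a current run of the export script):
# Compare-AdminSDHolderAcl -BaselinePath .\CONTOSO_ADMINSDHOLDER_ACL_FULL_baseline.xml -CurrentPath .\CONTOSO_ADMINSDHOLDER_ACL_FULL.xml | Format-Table -AutoSize
# Get-ProtectedObject -Server contoso.com
```

Run the export script first in both the baseline and the current state, then compare the two XML files for one domain at a time; the CSV of unique identities is handy for a quick eyeball, but the full report is what catches a new right granted to an identity that was already present.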


Sample Full Report Section

[screenshot of the full XML report]

Sample Groups Report

[screenshot of the groups CSV report]

Compare-Object

In a couple of weeks' time I'll show you how to compare the reports.