
Enterprise Attack Surface Widening Access Control Gap in Microsoft Active Directory

Microsoft disputes that the behaviour is a security flaw in AD; the researcher maintains that it undermines an assumption administrators rely on.


An access-control gap in Microsoft's Active Directory (AD), one that many IT administrators may not know about, can let users in Windows environments authenticate to domains beyond the single domain that explicitly trusts them.

Most Windows domain networks are built on AD, Microsoft's general-purpose identity service for authenticating computers, printers, users and nearly anything else that participates in an IT environment. According to Frost & Sullivan, tens of thousands of businesses use the service, including 90% of the Global Fortune 1000.

By using AD to manage authentication across a domain, network administrators can ensure that only authorised users reach the resources assigned to them.

Nevertheless, in research released on March 14, Charlie Clark, a security researcher at Semperis, described how a user can get around AD's trust boundaries and authenticate to domains they were never explicitly granted access to. Doing so, he says, greatly enlarges an attacker's "attack surface", and the larger the attack surface, the more likely an attacker is to find an exploitable weakness.

The transitive property in mathematics states that if a = b and b = c, then a = c. In AD, if domain A trusts domain B and domain B trusts domain C, whether A and C can reach each other depends on whether the trusts involved are transitive. According to Microsoft's documentation, "transitivity controls whether a trust can be extended outside of the two domains with which it was built."

An external trust, a manually created and non-transitive kind of AD trust, is commonly set up between two domains that belong to two different organisations. The problem, according to Clark, is that accounts from the trusted organisation can use that external trust to authenticate to the sibling domains that share a forest (Microsoft's term for a group of domains) with the trusting domain, even though no external trust was ever created with those domains.

If what was believed about non-transitive trusts were accurate, Clark says, "an authorised user from one domain would only be able to target the precise domain they've established a trust with. They wouldn't be able to go to other domains outside of the forest."

In contrast, he wrote in his research, "every account within the trusted domain will be able to authenticate against any domain throughout the whole forest in which the trusting domain resides."

A malicious user who can move around a forest at will can reach accounts and data that they were never meant to find.

Because compromising one domain inside a forest is comparatively easy, Clark says, the behaviour "allows an attacker to have a significantly bigger attack surface from any low-privileged user on a trusted domain."

Clark reported his initial findings to Microsoft on May 4, 2022. In an email on September 29, Microsoft replied: "According to our assessment, this submission does not constitute a security issue for servicing. This research doesn't seem to point out any flaws in Microsoft products or services that could allow an attacker to compromise their integrity, accessibility, or confidentiality." The company then closed the case.

Trust: Why it matters 

Clark spent more than 15 years as a systems administrator and six years as a pen tester, and every medium-sized to large infrastructure or business he has worked with has had external trusts, he says. Without extra safeguards in place, he adds, most organisations running AD are probably exposed right now.

In addition to Microsoft's own guidance, Clark advises administrators to remove all external trusts to guard against this kind of access-control misuse. Where that is not feasible, the next best thing is to keep track of which users from the trusted side are accessing what, and in which domains.
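The following PowerShell script is an added example, not part of the article or of Semperis' research. It does the two things the advice above calls for: it inventories every external trust in the current forest and lists the sibling domains that accounts from the trusted side can reach implicitly, and it pulls successful-logon events (ID 4624) from a set of servers to show which trusted-domain accounts are actually authenticating where. It assumes the ActiveDirectory RSAT module, a domain-joined host with rights to read trust objects and remote Security logs, and illustrative names such as the `PARTNER` NetBIOS domain and the DC hostnames in the usage lines, which are hypothetical.

```powershell
# Added example, not from the article or Semperis. Requires the ActiveDirectory
# RSAT module; run from a domain-joined host with rights to read trust objects.
# Domain names, the 'PARTNER' NetBIOS name and DC hostnames below are assumptions.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ExternalTrustExposure {
    # Walks every domain in the forest, finds external (non-forest, non-intra-forest)
    # trusts where that domain trusts another organisation's domain, and reports
    # which other forest domains are reachable for accounts on the trusted side,
    # per the behaviour described in the research.
    [CmdletBinding()]
    param()

    $forest        = Get-ADForest
    $forestDomains = @($forest.Domains)
    $results       = @()

    foreach ($domain in $forestDomains) {
        $trusts = Get-ADTrust -Filter * -Server $domain -ErrorAction SilentlyContinue
        foreach ($t in $trusts) {
            # Forest trusts set ForestTransitive; trusts between domains of this
            # forest set IntraForest. Everything else is an external (or realm) trust.
            $isExternal = (-not $t.ForestTransitive) -and (-not $t.IntraForest)
            # From $domain's point of view, Outbound means $domain trusts Target,
            # so accounts in Target can authenticate here; BiDirectional includes that.
            $weTrustThem = "$($t.Direction)" -in @('Outbound', 'BiDirectional')
            if ($isExternal -and $weTrustThem) {
                $results += [pscustomobject]@{
                    TrustingDomain      = $domain
                    TrustedDomain       = $t.Target
                    Direction           = "$($t.Direction)"
                    Transitive          = -not $t.DisallowTransivity
                    SIDFilteringOn      = [bool]$t.SIDFilteringQuarantined
                    # Domains that never created a trust with TrustedDomain but,
                    # per the research, are still reachable from its accounts.
                    ImplicitlyReachable = (($forestDomains | Where-Object { $_ -ne $domain }) -join ', ')
                }
            }
        }
    }
    return $results
}

function Get-TrustedDomainLogons {
    # Reads successful logons (event 4624) from the given servers and keeps those
    # where the account's domain is the external trusted domain. A hit on a server
    # in a forest domain that has no trust of its own with that domain is exactly
    # the cross-domain access the article describes.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $TrustedNetbios,     # e.g. 'PARTNER' (assumed)
        [Parameter(Mandatory)] [string[]] $ComputerName,       # DCs or member servers to query
        [datetime] $Since = (Get-Date).AddDays(-1)
    )

    foreach ($computer in $ComputerName) {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $Since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Pull the EventData fields out of the event XML by name.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetDomainName'] -eq $TrustedNetbios) {
                [pscustomobject]@{
                    Server    = $computer
                    Time      = $e.TimeCreated
                    Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType = $data['LogonType']
                    SourceIP  = $data['IpAddress']
                }
            }
        }
    }
}

# Usage (hypothetical names):
# Get-ExternalTrustExposure | Format-Table -AutoSize
# Get-TrustedDomainLogons -TrustedNetbios 'PARTNER' `
#     -ComputerName 'dc1.child.corp.example', 'dc1.corp.example' | Format-Table -AutoSize
```

The `SIDFilteringOn` column is reported for context only: SID filtering strips foreign SIDs (such as SID history) carried across the trust, it does not change which domains the trusted side's accounts can authenticate to, so a trust with SID filtering enabled still shows up as exposing the whole forest here. Run the logon query against servers in the forest domains that have no trust of their own with the partner; any result there is the behaviour Clark describes.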

Awareness is ultimately the most important factor; without it, a false sense of security can lead administrators into mistakes. Admins can see that the risk is higher for the trusting domain, Clark says, so they may apply extra security to that domain while leaving the other domains in the forest at a lower level, even though the exposure is identical.

"I think the main thing is to make system admins aware that this is possible," Clark concluded. By knowing this, "they can harden the rest of the domain sufficiently."