
ESC5 flags "Domain Admins" as security risk #225

Open
shaunm001 opened this issue Jan 15, 2025 · 11 comments
Labels
enhancement New feature or request

Comments

@shaunm001

Hey guys, our CA computer object in Active Directory was flagged for "Domain Admins" having ownership rights. However, I noticed in the issue description it states only "AD Admins" should own CA host objects. I guess I'm not clear on what the difference is between Domain Admins and AD Admins? Also it appears the suggested fix is to change ownership to "Enterprise Admins", which was a little confusing too since in my mind Enterprise Admins are also a type of AD Admin.


@shaunm001 shaunm001 added the enhancement New feature or request label Jan 15, 2025
@jakehildreth
Owner

You are correct! That language should be updated, and will be soon. Thanks!

@jakehildreth
Owner

Actually, after thinking about this for 3 more seconds, I realize that Domain Admins owning the computer object is fine.

The things that should be owned by Enterprise Admins are the objects in the CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=root container.

This will be a slightly longer fix. Expect it... sometime?

@shaunm001
Author

Ha, sounds good, appreciate the feedback and the great tool!

@jakehildreth
Owner

Thank you, friend! Have a wonderful day!

@jakehildreth jakehildreth reopened this Jan 15, 2025
@shaunm001
Author

I guess along those same lines, we're receiving a similar message about built-in Administrator account having ownership of certificate templates, with the suggested fix being to change owner to Enterprise Admins...but Administrator is a member of Enterprise Admins so it seems this fix would not really change anything?


@jakehildreth
Owner

Oh, we're moving right into religious debates, are we? lol

Honestly, with the RID-500 account, it's likely not that big of a deal to have an individual user owning an object. But with any other user, I am concerned about a situation where an individual AD Admin owns a PKS object and has its AD Admin rights later revoked. That ownership would be maintained.

So, that's why I recommend group ownership instead of individual user ownership.

Does that make sense? I'm writing off the cuff here.

@shaunm001
Author

Haha...yes, group ownership versus individual ownership makes total sense.

@SamErde
Collaborator

SamErde commented Jan 15, 2025

You caught me between tasks and with Mermaid on my mind. Am I doing it right? 😄 (EDIT)

graph TD
    A[Invoke-Locksmith] --> B{Is the computer object owner a group or an individual account?}
    B -- Group --> C{Is it the built-in 'Administrators', 'Domain Administrators', or 'Enterprise Administrators' group?}
    C -- Yes --> D[OK 🐴]
    C -- No --> E[Not OK 🐐]
    B -- Individual Account --> G{Is the individual account RID-500?}
    G -- Yes --> H[OK 🐴]
    G -- No --> I[Not OK 🐐]

@jakehildreth
Owner

Close! The object type should determine whether any AD Admin should own it or JUST Enterprise Admins. Computer = any AD Admin, PKS object = Enterprise Admins or gtfo
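The ownership rule of thumb the two comments above converge on (any AD Admin group for the CA host computer object, Enterprise Admins only for objects under Public Key Services, individual owners flagged unless RID-500), as an added PowerShell example that is not Locksmith's own code. It assumes the RSAT ActiveDirectory module and the well-known RIDs 512 (Domain Admins), 519 (Enterprise Admins) and 500 (built-in Administrator), plus S-1-5-32-544 (Administrators); the RID checks match those groups from any domain in the forest.

```powershell
# Added example, not Locksmith code: classify an AD object's owner using the
# rule discussed in this issue. Owner is passed as a SID string, e.g. 'S-1-5-21-...-519'.
function Test-OwnerRisk {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $OwnerSid
    )
    $domainSid = '^S-1-5-21-\d+-\d+-\d+-'                  # any domain SID prefix in the forest
    $isPks    = $DistinguishedName -match 'CN=Public Key Services,CN=Services,CN=Configuration,'
    $isEA     = $OwnerSid -match ($domainSid + '519$')      # Enterprise Admins
    $isDA     = $OwnerSid -match ($domainSid + '512$')      # Domain Admins
    $isBA     = $OwnerSid -eq 'S-1-5-32-544'                # built-in Administrators
    $isRid500 = $OwnerSid -match ($domainSid + '500$')      # built-in Administrator account

    $result = [ordered]@{ DN = $DistinguishedName; Owner = $OwnerSid }
    if ($isPks) {
        # Objects under Public Key Services: Enterprise Admins only
        $result.Status = if ($isEA) { 'OK' } else { 'Not OK' }
        $result.Reason = 'PKS objects should be owned by Enterprise Admins'
    } elseif ($isEA -or $isDA -or $isBA) {
        # Any other object (e.g. the CA host computer): any AD Admin group is fine
        $result.Status = 'OK'; $result.Reason = 'Owned by an AD Admin group'
    } elseif ($isRid500) {
        # RID-500 is an individual account, but one whose admin rights are not revoked in practice
        $result.Status = 'OK'; $result.Reason = 'Owned by the built-in Administrator (RID-500)'
    } else {
        # Individual ownership survives later removal from admin groups
        $result.Status = 'Not OK'; $result.Reason = 'Individual or non-admin owner'
    }
    [pscustomobject]$result
}

# Walk the forest's Public Key Services container and report each object's owner.
Import-Module ActiveDirectory
$pksContainer = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $pksContainer -LDAPFilter '(objectClass=*)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sid = $_.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        Test-OwnerRisk -DistinguishedName $_.DistinguishedName -OwnerSid $sid
    } | Format-Table Status, Reason, DN -AutoSize
```

Point the same function at the CA host's computer object (Get-ADComputer with -Properties nTSecurityDescriptor) to apply the more permissive branch.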

@SamErde
Collaborator

SamErde commented Jan 15, 2025

Ah, yes--I was thinking in line with the discussion and didn't fully branch out into that distinction. It was really just an excuse to play with Mermaid and check my understanding.

@jakehildreth
Owner

❤️ You're wonderful, sturdy!
