Security Focus: Get Mail Enabled Admin Users
Browsing the internet with an admin account is a very, very bad thing to do. Using an admin account to send / receive email is also a very, very bad thing. Why? Well, you expose the credentials to a high risk of being stolen and used to compromise your enterprise.
Want to do some checks against Active Directory to see if you have any privileged accounts, i.e. those that are a member of one of the protected groups, that might be mail enabled? Good. Read on...
Here's a means of generating a list for further investigation.
Get-ADUser -Filter {(adminCount -eq 1) -and (mail -like "*")} -Properties adminCount,mail
Have Exchange? Try this.
Get-ADUser -Filter {(adminCount -eq 1) -and (msExchWhenMailboxCreated -like "*")} -Properties adminCount,msExchWhenMailboxCreated
Instant Messaging also poses a significant risk. Here's how to check for SIP enabled admin users.
Get-ADUser -Filter {(adminCount -eq 1) -and (msRTCSIP-PrimaryUserAddress -like "*")} -Properties adminCount,msRTCSIP-PrimaryUserAddress
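The three checks above can be folded into one report with a row per account. This is an added example, not code from the original post; the `$checks` labels and the report column names are my own, and it assumes the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
Import-Module ActiveDirectory

# Attribute -> label for the finding (the three checks from the post).
$checks = [ordered]@{
    'mail'                        = 'MailAddress'
    'msExchWhenMailboxCreated'    = 'ExchangeMailbox'
    'msRTCSIP-PrimaryUserAddress' = 'SipEnabled'
}

$found = @{}   # DistinguishedName -> report row

foreach ($attr in $checks.Keys) {
    try {
        # Same test as the post's filters, written as an LDAP filter:
        # adminCount is 1 and the attribute has any value.
        $users = Get-ADUser -LDAPFilter "(&(adminCount=1)($attr=*))" `
                            -Properties $attr -ErrorAction Stop
    }
    catch {
        # Get-ADUser raises an error when asked for a property the schema
        # does not define (e.g. no Exchange or Skype schema extension).
        Write-Warning "Skipping ${attr}: $($_.Exception.Message)"
        continue
    }

    foreach ($u in $users) {
        $dn = $u.DistinguishedName
        if (-not $found.ContainsKey($dn)) {
            $found[$dn] = [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Enabled           = $u.Enabled
                Findings          = @()
                DistinguishedName = $dn
            }
        }
        $found[$dn].Findings += $checks[$attr]
    }
}

# One row per privileged account, listing every communication channel found.
$found.Values |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'Findings'; Expression = { $_.Findings -join ',' } },
        DistinguishedName
```

Note that adminCount stays at 1 after an account is removed from a protected group, so confirm current group membership for each row before acting on it.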
Found an issue? Look into securing privileged access...
Comments
- Anonymous
March 03, 2017
Thanks, great tip