Security Focus: Check the AdminSDHolder ACL - Part 1
In Active Directory, AdminSDHolder is an object in the System container of each domain partition (CN=AdminSDHolder,CN=System,DC=...). Its security descriptor is a template: every 60 minutes by default, a process called SDProp, which runs on the PDC emulator (PDCe) of the domain, copies that descriptor onto every protected object (the members of protected groups such as Domain Admins, Enterprise Admins, Administrators and Account Operators), disables inheritance on them and sets adminCount to 1 as a marker. Any change made directly to the ACL of one of those accounts is therefore overwritten within the hour; the template on AdminSDHolder is what protects the high-privileged users and groups. Note that the marker is a side effect, not the trigger: an account that leaves a protected group keeps adminCount=1 but is no longer re-stamped by SDProp.
That propagation cuts both ways. A change to the AdminSDHolder ACL is not a change to one object: an ACE that grants an attacker-controlled principal rights such as GenericAll, WriteDacl or the right to reset passwords is re-applied to every protected account at the next SDProp run, and removing it from the accounts themselves does nothing. This makes AdminSDHolder a well-known persistence location, so its ACL needs to be checked against a known-good baseline.
This post shows how to dump the ACL of AdminSDHolder in every domain of the forest so that it can be checked and compared against an earlier export.
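To make the SDProp behaviour described above visible, the following added example (not code from the original post) compares the DACL of every adminCount=1 object in the current domain with the AdminSDHolder DACL. It assumes the ActiveDirectory RSAT module and a domain-joined session that can read the System container; the function names are the example's own.

```powershell
# Added example, not from the original post: show what SDProp does by comparing the explicit
# ACEs on every adminCount=1 object with the explicit ACEs on AdminSDHolder.
# Assumes the ActiveDirectory RSAT module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-AceKey {
    # One comparable string per ACE. Inherited entries are skipped because SDProp disables
    # inheritance on protected objects, so only explicit entries are meaningful to compare.
    param([Parameter(Mandatory)][object[]]$Access)
    $Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object -Unique
}

function Get-ProtectedObjectDrift {
    # Ask a DC of the domain (not a GC) so the full security descriptor is returned.
    param([string]$Server = (Get-ADDomain).DNSRoot)
    $Domain   = Get-ADDomain -Server $Server
    $Template = Get-ADObject -Identity "CN=AdminSDHolder,$($Domain.SystemsContainer)" `
                             -Server $Server -Properties nTSecurityDescriptor
    $TemplateKeys = @(Get-AceKey -Access $Template.nTSecurityDescriptor.Access)

    Get-ADObject -LDAPFilter '(adminCount=1)' -Server $Server -Properties nTSecurityDescriptor |
        ForEach-Object {
            $Sd   = $_.nTSecurityDescriptor
            $Diff = Compare-Object -ReferenceObject $TemplateKeys -DifferenceObject @(Get-AceKey -Access $Sd.Access)
            [pscustomobject]@{
                Object             = $_.DistinguishedName
                InheritanceBlocked = $Sd.AreAccessRulesProtected   # SDProp sets this on every protected object
                ExtraAces          = @($Diff | Where-Object SideIndicator -eq '=>').Count
                MissingAces        = @($Diff | Where-Object SideIndicator -eq '<=').Count
            }
        }
}

# Anything listed here has diverged from the template: either it was modified since the last
# SDProp run (within the hour), or it is an orphan that left a protected group and is no longer
# stamped. Both are worth a look; the orphans should lose adminCount=1 and regain inheritance.
Get-ProtectedObjectDrift |
    Where-Object { -not $_.InheritanceBlocked -or $_.ExtraAces -or $_.MissingAces } |
    Format-Table -AutoSize
```

On a healthy domain the filtered output is empty, because SDProp has made every protected object's explicit DACL identical to the template. Run it right after changing AdminSDHolder and you will see every protected object listed until the next SDProp cycle, which is a good way to convince yourself that the propagation really happens.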
# Requires the ActiveDirectory RSAT module; run as an account that can read the System container of every domain
Import-Module ActiveDirectory

# Loop through each domain in the forest
(Get-ADForest).Domains | ForEach-Object {
    # Get the domain object, which carries the System container path
    $Domain = Get-ADDomain -Identity $_

    # Connect a PS Drive rooted at the System container, talking to a DC of this domain
    $Drive = New-PSDrive -Name $Domain.Name -PSProvider ActiveDirectory -Root $Domain.SystemsContainer -Server $_ -ErrorAction SilentlyContinue
    if ($Drive) {
        try {
            # Export AdminSDHolder ACL (.Access holds the DACL entries only; owner and SACL are not included)
            $Acl = (Get-Acl "$($Drive.Name):CN=AdminSDHolder").Access
            if ($Acl) {
                # Full ACL with every ACE property, for later comparison
                $Acl | Export-Clixml -Path ".\$(($Domain.Name).ToUpper())_ADMINSDHOLDER_ACL_FULL.xml"
                # Unique trustees only, for a quick eyeball check
                $Acl | Select-Object -Property IdentityReference -Unique | Export-Csv -Path ".\$(($Domain.Name).ToUpper())_ADMINSDHOLDER_ACL_GROUPS.csv" -NoTypeInformation
            }
        }
        finally {
            # Remove PS Drive even if Get-Acl failed, so the next iteration starts clean
            Remove-PSDrive -Name $Domain.Name
        }
    }
    else {
        Write-Warning "Could not connect to the System container of $_"
    }
}
Some bits to note:
- (Get-ADForest).Domains is the tried and trusted way to loop through each domain in the forest; each iteration talks to a DC of that domain (-Server), which matters because AdminSDHolder is a per-domain object
- Once the path for the domain's System container is found, we create a PSDrive to the container using the ActiveDirectory PSProvider
- With the drive established, good ol' Get-Acl is used to dump the AdminSDHolder access list. Its .Access property holds only the DACL entries, so the object's owner is not part of the report and should be checked separately
- This access list is then used to produce two domain-specific reports: an XML report containing the full ACL (Export-Clixml keeps every ACE property, so a later comparison can cover rights, object type GUIDs and inheritance flags rather than trustees alone) and a CSV report listing the unique trustees for easy tracking and checking. Those trustees are not only groups: SYSTEM, SELF, Authenticated Users and Everyone are present by default
- Finally, we remove the PSDrive for the current domain and then move on to the next
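Dumping the ACL is only useful if someone reads it, so here is an added example (not code from the original post) that audits the AdminSDHolder DACL for the kind of entries an attacker would plant. It works on the live ACL and on ACEs re-imported from the XML report above with Import-Clixml. It assumes the ActiveDirectory RSAT module, a domain-joined session, and that the $Expected allow-list at the bottom (an illustrative starting point, not a complete list of the default trustees) is replaced with the one agreed for your forest.

```powershell
# Added example, not code from the original post: audit the AdminSDHolder DACL for entries that
# could serve as a persistence mechanism. Assumes the ActiveDirectory RSAT module and a
# domain-joined session; $Expected below is an illustrative allow-list to replace with your own.
Import-Module ActiveDirectory

# Rights that let the trustee take over the object and, through SDProp, every protected account.
$TakeoverRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
# Extended right User-Force-Change-Password: reset a password without knowing the current one.
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-AdminSDHolderAce {
    # Reads the live DACL of AdminSDHolder for one domain, asking a DC of that domain (not a GC).
    param([Parameter(Mandatory)][string]$DomainName)
    $Domain = Get-ADDomain -Identity $DomainName
    $Holder = Get-ADObject -Identity "CN=AdminSDHolder,$($Domain.SystemsContainer)" `
                           -Server $DomainName -Properties nTSecurityDescriptor
    $Holder.nTSecurityDescriptor.Access
}

function Test-AdminSDHolderAce {
    # Reports Allow ACEs that grant takeover rights, unscoped write/extended rights, password
    # resets, or that belong to a principal not on the allow-list. Properties are read as strings
    # so the same code handles live ACEs and ACEs deserialised from the XML report.
    param(
        [Parameter(Mandatory)][object[]]$Access,
        [Parameter(Mandatory)][string[]]$ExpectedPrincipals
    )
    foreach ($Ace in $Access) {
        if ("$($Ace.AccessControlType)" -ne 'Allow') { continue }   # Deny ACEs cannot grant persistence
        $Principal  = "$($Ace.IdentityReference)"
        $Rights     = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $ObjectType = [guid]"$($Ace.ObjectType)"                     # Empty GUID = applies to everything
        $Reasons = @()
        if ($Rights | Where-Object { $TakeoverRights -contains $_ }) { $Reasons += 'takeover right' }
        # WriteProperty or ExtendedRight limited to one attribute or one right (non-empty GUID) is
        # normal, e.g. SELF on a few attributes; the same right with an empty GUID is not.
        if (($Rights -contains 'WriteProperty' -or $Rights -contains 'ExtendedRight') -and $ObjectType -eq [guid]::Empty) {
            $Reasons += 'write/extended right not limited to one attribute or right'
        }
        if ($Rights -contains 'ExtendedRight' -and $ObjectType -eq $ForceChangePassword) { $Reasons += 'force password change' }
        if ($ExpectedPrincipals -notcontains $Principal) { $Reasons += 'principal not on allow-list' }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Principal  = $Principal
                Rights     = "$($Ace.ActiveDirectoryRights)"
                ObjectType = $ObjectType
                Reason     = $Reasons -join '; '
            }
        }
    }
}

# Usage for the current domain (loop over (Get-ADForest).Domains to cover the whole forest).
$Domain = Get-ADDomain
$Forest = Get-ADDomain -Identity (Get-ADForest).RootDomain
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SELF', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$($Domain.NetBIOSName)\Domain Admins", "$($Forest.NetBIOSName)\Enterprise Admins"
)   # illustrative starting point; Enterprise Admins is prefixed with the forest root's NetBIOS name
Test-AdminSDHolderAce -Access (Get-AdminSDHolderAce -DomainName $Domain.DNSRoot) -ExpectedPrincipals $Expected |
    Format-Table -AutoSize
```

SYSTEM, Administrators, Domain Admins and Enterprise Admins will always be listed with 'takeover right', which is by design and is exactly what you want to confirm has not widened; any other principal in the output, and any row mentioning the allow-list or an unscoped right, is a finding to explain. To run the same check against an older export, replace the Get-AdminSDHolderAce call with Import-Clixml on the _FULL.xml file.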
Sample full report section (screenshot not reproduced here)
Sample groups report (screenshot not reproduced here)
Compare-Object
In a couple of weeks' time I'll show you how to compare the reports.