-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a check for GMSA accounts and exclude them of specific rules #180
Comments
In general it is not a false positive, because the GMSA has both identified risk rules. P-Delegated is fine and does not need to be changed as far as i know. P-ProtectedUsers increases security in many ways, the most important for you is that it doesn't allow to save the password for services/tasks. So even if you know what you are doing it is a risk that needs to be discovered. The system you are using this account on, needs to be protected because as the credentials on it could be misused in several cases. No change to either rule makes sense in my opinion. |
Hello,
I didn't know that, I will try this on my lab.
True, my point is about the recommandation, not the rule itself. If this is a gmsa, the recommendation is not valid and it should not recommand something that doesn't not apply to a gmsa. At least a note should be written regarding if this is a gmsa account. |
So @An-dir I double check on the "delegation" thing and I still think it's a false positive to report a gmsa in an admin group as not secure. Default value for a gmsa is You can test this by checking the userAccountControl of a gmsa => default = 0x1000 So from my understanding, if a gmsa cannot be delegated by default, why reporting it as vulnerable ? |
Hi, |
I've just tested using beta version: 3.1.5.0 Beta The problem is fixed on my side with this version 🥳 |
When checking for rules in "Privileged Accounts", two rules are triggered if a gmsa account is found to be in an "admin group" (like DnsAdmin for example).
Nevertheless, gmsa accounts cannot be put in the Protected Users group and they cannot be set as "this account is sensitive and cannot be delegated" (it doesn't exist on gmsa)
Therefore gmsa accounts considered as "admin" should be excluded of these two rules as it is just impossible to use the solution provided by pingcastle for gmsa accounts.
The text was updated successfully, but these errors were encountered: