Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a check for GMSA accounts and exclude them of specific rules #180

Closed
mpgn opened this issue May 16, 2023 · 5 comments
Closed

Add a check for GMSA accounts and exclude them of specific rules #180

mpgn opened this issue May 16, 2023 · 5 comments

Comments

@mpgn
Copy link

mpgn commented May 16, 2023

When checking for rules in "Privileged Accounts", two rules are triggered if a gmsa account is found to be in an "admin group" (like DnsAdmin for example).

  • Check if all privileged accounts are in the special group Protected Users. - Rule ID: P-ProtectedUsers
  • At least one Administrator Account can be delegated - Rule ID: P-Delegated

Nevertheless, gmsa accounts cannot be put in the Protected Users group and they cannot be set as "this account is sensitive and cannot be delegated" (it doesn't exist on gmsa)

Therefore gmsa accounts considered as "admin" should be excluded of these two rules as it is just impossible to use the solution provided by pingcastle for gmsa accounts.

@An-dir
Copy link

An-dir commented Aug 2, 2023

In general it is not a false positive, because the GMSA has both identified risk rules.

P-Delegated is fine and does not need to be changed as far as i know.
You can set the delegation option on a GMSA. Here is a description: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/configure-kerberos-delegation-group-managed-service-accounts

P-ProtectedUsers increases security in many ways, the most important for you is that it doesn't allow to save the password for services/tasks. So even if you know what you are doing it is a risk that needs to be discovered. The system you are using this account on, needs to be protected because as the credentials on it could be misused in several cases.

No change to either rule makes sense in my opinion.

@mpgn
Copy link
Author

mpgn commented Aug 4, 2023

Hello,

P-Delegated is fine and does not need to be changed as far as i know.
You can set the delegation option on a GMSA. Here is a description: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/configure-kerberos-delegation-group-managed-service-accounts

I didn't know that, I will try this on my lab.

P-ProtectedUsers increases security in many ways, the most important for you is that it doesn't allow to save the password for services/tasks. So even if you know what you are doing it is a risk that needs to be discovered. The system you are using this account on, needs to be protected because as the credentials on it could be misused in several cases.

True, my point is about the recommandation, not the rule itself. If this is a gmsa, the recommendation is not valid and it should not recommand something that doesn't not apply to a gmsa. At least a note should be written regarding if this is a gmsa account.

@mpgn
Copy link
Author

mpgn commented Aug 7, 2023

So @An-dir I double check on the "delegation" thing and I still think it's a false positive to report a gmsa in an admin group as not secure.
By default, a gmsa is not delegated to anything and unless the value is set to TRUSTED_TO_AUTH_FOR_DELEGATION or TRUSTED_FOR_DELEGATION or msDS-AllowedToDelegateTo is not empty there is not delegation possible.

Default value for a gmsa is -TrustedForDelegation $false, -TrustedToAuthForDelegation $false and msDS-AllowedToDelegateTo is empty

You can test this by checking the userAccountControl of a gmsa => default = 0x1000
Run the command -TrustedForDelegation $false -TrustedToAuthForDelegation $false and the uAC will be the same value.

So from my understanding, if a gmsa cannot be delegated by default, why reporting it as vulnerable ?

@spotet
Copy link

spotet commented Aug 10, 2023

Hi,
We tested this very promising solution for us, but the score is not representative for the same problem announced here by @mpgn, a gMSA cannot be TrustedForDelegation. We would like to take this solution commercially for the image of our company from the customer point of view. This anomaly would not allow us to present a score reflecting the efforts made by the use of gMSA.

@mpgn
Copy link
Author

mpgn commented Jan 24, 2024

I've just tested using beta version: 3.1.5.0 Beta

The problem is fixed on my side with this version 🥳

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants