Active Directory Has a Privacy Problem

Attackers can manipulate Active Directory into giving up potentially sensitive data about users on your network.
Michael Buckbee
3 min read
Last updated October 14, 2022

Back when I was pen testing with the wonderful PowerView, I was using it to pull user information from Active Directory.  At the time I was more interested in gathering group membership and then using that info to hop around a network. Anyway, AD contains sensitive data about employees, some of which really should not be available to everyone in the organization. In fact, there is an equivalent to the “everyone” problem in Windows file systems for Active Directory that can also be exploited by insiders and outsiders alike.

But before we explain the privacy issues and ways to mitigate, let’s take a dive into the data found in AD.

Get the Free Pentesting Active
Directory Environments e-book

Active Directory is Facebook for the corporate world

But where you’ve friended everyone!  Maybe you’re not learning about your coworkers’ favorite  movies, books, and restaurants, but AD does contain sensitive contact data and other fields that can be exploited by hackers and even non-tech savvy insiders.

Sys admins are, of course, familiar with the screenshot below. It’s the Active Directory Users and Computers (ADUC) interface where they set up and edit user information and assign users to appropriate groups.

AD contains employee name, address and phone number fields

AD contains employee name, address and phone number fields, and so it is like a phone directory. But there’s so much more! In the other tabs, there’s also email and web addresses, employee direct reports, and descriptive notes.

Does everyone in the organization need to see this information, especially in the age of OSINT surveillance where every extra detail makes finding additional background even easier?

Of course, not!  The problem is magnified when your corporate executives are exposed this way.

PowerView for everyone

This is where PowerView comes into play. It provides a very cozy PowerShell interface to the underlying (and messy) Win32 functions that access AD. In short: it makes getting AD fields as easy as typing in a very short cmdlet.

Let’s take the example of dumping info on my favorite employee, Cruella Deville, who’s a C-level. It’s a matter of using PowerView’s get-NetUser cmldlet:

major challenge to install PowerView
Yikes! Too much AD information.

It is not a major challenge to install PowerView — check out its github page! And more importantly you don’t need elevated privileges to run many of  the PowerView commands, such as get-NetUser. So a motivated but not very technical employee can start poking around AD with little effort.

You can see from the above screenshot that an insider can quickly learn a lot about Cruella. If you noticed there’s revealing information in the Info field about personal habits and passwords, then give yourself an Inside Out Security blog CPE credit!

This is not a theoretical possibility. In chatting with pen testers, I’ve learned that they do in fact look at AD specifically for plaintext passwords, and often they are — unfortunately — successful. They know that companies are careless when it comes to AD information, and generally not aware of the next topic, AD permissions.

Active Directory has its own ACLs

Here’s the big “take-away” from this post: the AD Users and Computers interface does have a way to set permissions on AD objects. There are ACLs, and admins can assign or deny access.

If you’re playing along at home, you’ll need to click on “Advanced”  under  ADUC View menus, and then when you pop a user, you’ll see the Security tab, which is where you set the ACLs.

In my scenario with Cruella, I didn’t want everyone — Authenticated Users — to be able to see her private information, so I denied them read access :

tried PowerView’s Get-NetUser
There be ACLs in Active Directory under the Security tab.

And now an ordinary user would see this if they tried PowerView’s Get-NetUser:

obviously exploitable information from prying eyes
Personal contact information removed after tweaking the ACL.

I was able to remove the obviously exploitable information from prying eyes. To keep it within “the family”, I set up another ACL to allow members of the VIP group — Cruella and her other follow C-levels — to access this sensitive data. In other words, I implemented role-based AD permissions, thereby making it unavailable to most employees, including insiders who might become threats.

You’re asking, no doubt, can I set ACLs on AD fields on a group basis to save having to separately go into each member of the VIP group?

And the answer, as far as I can tell, is no! It needs to be done programmatically. Sigh.  If I find a good script used by admins (or create one), I’ll share in another post.

However, you can make group membership invisible to snoopy users by setting the ACL in an AD group object. That does help in terms of privacy and security.

In my now epic pen testing series, I showed how it was possible to jump around a system by exploring group memberships using PowerViews’ Get-NetGroupMember. In my scenario, I restricted read access to VIP group membership. You see before and after effect this change had:

Monty Burns membership in the VIP group
VIP membership is now concealed  from  general users (unless you’re a VIP).

I was able to hide Cruella and Monty Burns membership in the VIP group, making it harder for hackers and insiders to snoop around the system.

Let’s call it a day!

This post was meant to force you to look more closely at your AD fields and the permissions associated with them.  I hope this got you motivated. AD is a great resource, but think how you’d want to share sensitive contact and personal information, particularly from high-level executives and managers in critical areas.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

pen-testing-active-directory-environments,-part-iii: -chasing-power-users
Pen Testing Active Directory Environments, Part III:  Chasing Power Users
For those joining late, I’m currently pen testing the mythical Acme company, now made famous by a previous pen testing engagement (and immortalized in this free ebook). This time around...
pen-testing-active-directory-environments,-part-i:-introduction-to-crackmapexec-(and-powerview)
Pen Testing Active Directory Environments, Part I: Introduction to crackmapexec (and PowerView)
I was talking to a pen testing company recently at a data security conference to learn more about “day in the life” aspects of their trade. Their president told me...
binge-read-our-pen-testing-active-directory-series
Binge Read Our Pen Testing Active Directory Series
With winter storm Niko now on its extended road trip, it’s not too late, at least here in the East Coast, to make a few snow day plans. Sure you...
powerview-pen-testing
PowerView Pen Testing
Pen Testing Active Directory Environments, PowerView, and how to go on the offensive with AD, take a look at our guide!