Grant Allowed To Act

Description

The Source security principal is allowed to grant itself, or another principal, an Allowed To Act relation to the Target computer. This often leads to a total compromise of the Target computer through a Kerberos resource-based constrained delegation (RBCD) attack.

This is possible because the Source has the permission to edit the Target's "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute.

A malicious security principal that performs this operation creates an "Allowed To Act" attack relation against the Target computer.

Exploitation

Attackers who compromise the Source security principal edit the Target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, for example with PowerShell ("Set-ADComputer <target> -PrincipalsAllowedToDelegateToAccount ...").

Remediation

Several natively privileged security principals have this permission by default, namely Account Operators, Administrators, Domain Admins, Enterprise Admins and SYSTEM. These security principals are legitimate and do not require remediation.

Kerberos RBCD is designed so that a computer's administrators can give the right to delegate to that computer to anyone who needs it. This differs from the other modes of Kerberos delegation, which require Domain Admins-level permission. It lets lower-level administrators manage these security settings themselves, following the principle of administrative delegation. In this case, the relation is legitimate.

However, if the Source security principal is not a legitimate administrator of the Target computer, the relation is not legitimate and you must remove this permission.

To modify the security descriptor of the Target computer:

  1. In "Active Directory Users and Computers", right-click the Target computer, then open Properties > Security.

  2. Remove the permission granted to the Source security principal. Look for permissions such as "Write msDS-AllowedToActOnBehalfOfOtherIdentity", "Write all properties", "Write account restrictions" and "Full control".

Note: The Source security principal can inherit the permission from an object higher in the Active Directory tree.
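Added audit script, not part of the original page, for the remediation above: it lists the ACEs on a Target computer object that allow editing msDS-AllowedToActOnBehalfOfOtherIdentity (directly, through the account restrictions property set, or through broad rights such as Full control or Write all properties) and marks the principals the page names as legitimate defaults, including whether each ACE is inherited. It assumes the RSAT ActiveDirectory module and read access to the object's ACL; the function name and the computer name SRV01 are placeholders.

```powershell
# Added audit helper (not from the original page): which principals can write
# msDS-AllowedToActOnBehalfOfOtherIdentity on a Target computer object?
# Assumes the RSAT ActiveDirectory module and read access to the object's ACL.
Import-Module ActiveDirectory

function Get-AllowedToActWriters {
    param([Parameter(Mandatory)][string]$ComputerName)

    $rootDse = Get-ADRootDSE
    # Resolve the attribute's schemaIDGUID and the "account restrictions"
    # property-set GUID from this forest instead of hardcoding them.
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)' -Properties schemaIDGUID
    $attrGuid = [guid]$attr.schemaIDGUID
    $set = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=User-Account-Restrictions)' -Properties rightsGuid
    $setGuid = [guid]$set.rightsGuid

    # Principals the page lists as holding this permission by default.
    $defaults = @('Account Operators', 'Administrators', 'Domain Admins', 'Enterprise Admins', 'SYSTEM')
    $adr = [System.DirectoryServices.ActiveDirectoryRights]

    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        # "Full control", "Write all properties", or the ability to rewrite the DACL/owner
        $broad = $r.HasFlag($adr::GenericAll) -or $r.HasFlag($adr::WriteDacl) -or $r.HasFlag($adr::WriteOwner) -or
                 ($r.HasFlag($adr::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty)
        # "Write msDS-AllowedToActOnBehalfOfOtherIdentity" or "Write account restrictions"
        $targeted = $r.HasFlag($adr::WriteProperty) -and ($ace.ObjectType -in @($attrGuid, $setGuid))
        if (-not ($broad -or $targeted)) { continue }

        $principal = $ace.IdentityReference.Value
        [pscustomobject]@{
            Principal        = $principal
            Rights           = $r.ToString()
            Scope            = if ($targeted) { 'attribute/property set' } else { 'broad' }
            IsInherited      = $ace.IsInherited   # inherited ACEs must be fixed higher in the tree
            DefaultPrincipal = ($principal.Split('\')[-1] -in $defaults)
        }
    }
}

# Placeholder computer name: show only the non-default principals that can grant "Allowed To Act"
Get-AllowedToActWriters -ComputerName 'SRV01' | Where-Object { -not $_.DefaultPrincipal }
```

Any row with DefaultPrincipal false is a candidate for step 2 above; when IsInherited is true, the permission has to be removed from the parent object it is inherited from.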
