Owns

Description

The Source security principal is the declared owner of the Target object, most likely because it created it. Owners hold two implicit rights, "Read Control" and "Write DACL", that let them grant themselves or someone else additional rights on the object and ultimately compromise the Target object.

Exploitation

An attacker who compromises the Source security principal only needs to edit the Target object's security descriptor, which can be done with native Windows commands such as "dsacls", PowerShell cmdlets such as "Set-ACL", administration tools such as "Active Directory Users and Computers", or dedicated hacker tools such as PowerSploit.

Object creation carries a privilege escalation risk: a low-privileged user (for example, a standard helpdesk technician) creates an object and therefore owns it, and the object is later elevated to higher privileges (for example, administrator). The original owner is not changed by that elevation and can now compromise the newly privileged object to take advantage of its privileges.

Remediation

If the Source security principal is not a legitimate owner of the Target object, then you must change the owner.

To change the owner of the Target object:

  1. In "Active Directory Users and Computers", right-click the Target object and select Properties > Security > Advanced.

  2. On the Owner line at the top, click Change.

The default owners of the most sensitive Active Directory objects, which are safe choices for the Target object, are:

  • Objects in the Domain partition: "Administrators" or "Domain Admins"

  • Objects in the Configuration partition: "Enterprise Admins"

  • Objects in the Schema partition: "Schema Admins"
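The following PowerShell script is an added example, not part of the original page: it audits the three partitions for objects whose owner is not one of the default groups listed above, and wraps the GUI remediation steps (Properties > Security > Advanced > Owner > Change) in a function. It assumes the ActiveDirectory RSAT module is installed (it also provides the "AD:" drive used by Get-Acl and Set-Acl); the function names, the "EXAMPLE" domain and the sample distinguished name at the end are placeholders.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory RSAT
# module; the expected-owner lists follow the page's guidance. Run as an account
# that can read security descriptors; ownership changes need WriteOwner on the
# object or membership in a group holding SeRestorePrivilege (e.g. Domain Admins).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$rootDse    = Get-ADRootDSE
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Expected owners per partition (Owner strings come back as "DOMAIN\Name")
$ExpectedOwners = @{
    $domain.DistinguishedName           = @("BUILTIN\Administrators", "$($domain.NetBIOSName)\Domain Admins")
    $rootDse.configurationNamingContext = @("$($forestRoot.NetBIOSName)\Enterprise Admins")
    $rootDse.schemaNamingContext        = @("$($forestRoot.NetBIOSName)\Schema Admins")
}

function Get-UnexpectedOwner {
    # Lists objects under $SearchBase whose declared owner is not in $Allowed.
    # $LdapFilter narrows the scan, e.g. '(adminCount=1)' for protected accounts.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string[]]$Allowed,
        [string]$LdapFilter = '(objectClass=*)'
    )
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $LdapFilter |
        ForEach-Object {
            $owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
            if ($Allowed -notcontains $owner) {
                [pscustomobject]@{
                    DistinguishedName = $_.DistinguishedName
                    Owner             = $owner
                }
            }
        }
}

function Set-ObjectOwner {
    # Scripted equivalent of the GUI steps: set the owner field of the object's
    # security descriptor, leaving the DACL and SACL as they are.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$NewOwner   # e.g. "EXAMPLE\Domain Admins"
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.SetOwner([System.Security.Principal.NTAccount]$NewOwner)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Set owner to $NewOwner")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Audit: report every object in the three partitions with an unexpected owner
$findings = foreach ($partition in $ExpectedOwners.Keys) {
    Get-UnexpectedOwner -SearchBase $partition -Allowed $ExpectedOwners[$partition]
}
$findings | Sort-Object Owner | Format-Table -AutoSize

# Remediate one finding (placeholder DN); run with -WhatIf first to preview
# Set-ObjectOwner -DistinguishedName 'CN=Tier0Server,OU=Servers,DC=example,DC=com' `
#                 -NewOwner "$($domain.NetBIOSName)\Domain Admins"
```

A full `(objectClass=*)` walk of the Domain partition is expensive in a large directory; restrict it to the OUs that hold privileged accounts and servers, or start with `-LdapFilter '(adminCount=1)'`. Review each finding before resetting it: the audit reports a principal that may legitimately own the object (a delegated OU administrator, for instance), and the page's remediation applies only when the Source is not a legitimate owner.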

See also