Write Owner

Description

The Source security principal has permission to change the owner of the Target object, including making itself the owner. An owner implicitly holds the "Read Control" and "Write DACL" rights, which allow it to grant additional rights to itself or to another principal and ultimately compromise the Target object.

For more information, see the Owns relation.

Exploitation

Attackers who compromise the Source security principal can assign themselves as the owner of the Target using native Windows commands such as "dsacls /takeownership", PowerShell cmdlets such as "Set-ACL", administration tools such as "Active Directory Users and Computers", or dedicated hacker tools such as PowerSploit.

They can then edit the Target object's security descriptor using similar methods.

Remediation

If the Source security principal does not have legitimate permission to change the Target object's owner, then you must remove this permission.

To modify the Target object's security descriptor:

  1. In "Active Directory Users and Computers", right-click the object and select Properties > Security > Advanced.

  2. Remove the "Modify owner" permission for the Source security principal.

Note: An object can inherit this permission from an object higher in the Active Directory tree. An inherited entry cannot be removed on the Target itself; it must be removed on the object it is inherited from.
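The following PowerShell is an added example, not part of the original page: it performs the same check as steps 1 and 2 above programmatically, listing every DACL entry that grants "Modify owner" (WriteOwner) to a principal outside an expected list, flags entries that are inherited from a parent object, and removes the explicit ones only when asked to. It assumes the ActiveDirectory RSAT module, rights to read and write the Target's security descriptor, and placeholder values for the distinguished name and the expected principals.

```powershell
# Added example (not from the original page). Audit and, on request, remove
# WriteOwner ("Modify owner") ACEs on a Target object.
# Assumptions: ActiveDirectory RSAT module present; caller may read/write the DACL;
# the $Expected list and the distinguished name used at the bottom are placeholders.
Import-Module ActiveDirectory

# Placeholder list of principals that legitimately hold WriteOwner.
$script:DefaultExpected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\Domain Admins')

# Return the Allow ACEs in $Acl that carry the WriteOwner bit for an unexpected principal.
function Select-WriteOwnerAce {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [string[]] $Expected = $script:DefaultExpected
    )
    $writeOwner = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    foreach ($ace in $Acl.Access) {
        # GenericAll also contains the WriteOwner bit, so test the bit rather than equality.
        $grantsWriteOwner = ($ace.ActiveDirectoryRights -band $writeOwner) -eq $writeOwner
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWriteOwner -and
            ($Expected -notcontains $ace.IdentityReference.Value)) {
            $ace
        }
    }
}

# Report WriteOwner findings for one object (step 1 of the procedure, read-only).
function Get-WriteOwnerAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string[]] $Expected = $script:DefaultExpected
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in (Select-WriteOwnerAce -Acl $acl -Expected $Expected)) {
        [pscustomobject]@{
            Target    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited   # inherited entries must be fixed on the parent object
        }
    }
}

# Remove explicit WriteOwner ACEs (step 2). Without -Apply nothing is written back.
function Remove-WriteOwnerAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string[]] $Expected = $script:DefaultExpected,
        [switch] $Apply
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $changed = $false
    foreach ($ace in (Select-WriteOwnerAce -Acl $acl -Expected $Expected)) {
        $who = $ace.IdentityReference.Value
        if ($ace.IsInherited) {
            # Cannot be removed here; locate and fix the parent that defines it.
            Write-Warning "WriteOwner for $who on $DistinguishedName is inherited; remove it on the parent object."
            continue
        }
        Write-Output "Removing WriteOwner for $who on $DistinguishedName"
        if ($acl.RemoveAccessRule($ace)) { $changed = $true }
    }
    if ($changed -and $Apply) {
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
    } elseif ($changed) {
        Write-Output 'Dry run: re-run with -Apply to write the updated DACL.'
    }
}

# Usage with a placeholder Target distinguished name.
$targetDn = 'CN=Target,OU=Example,DC=example,DC=com'
Get-WriteOwnerAce -DistinguishedName $targetDn | Format-Table -AutoSize
Remove-WriteOwnerAce -DistinguishedName $targetDn          # report only
# Remove-WriteOwnerAce -DistinguishedName $targetDn -Apply # write the change
```

Run Get-WriteOwnerAce first and review the Inherited column: entries marked True correspond to the inheritance case in the note above and have to be removed on the parent object, since RemoveAccessRule leaves inherited entries in place. Remove-WriteOwnerAce is a dry run until -Apply is given, so the output can be reviewed before the DACL is changed.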

See also