Accessing Active Directory Information with LDP
Active Directory is the most popular network directory used by corporations throughout the world. This does not mean that there are no other popular network directories, but Microsoft's Active Directory (AD) runs most corporate networks. With this said, it is key to understand the security issues implications, whether you are aware of them or not. Every operating system has flaws and every operating system has vulnerabilities. Microsoft seems to be highest on the list, but that is just because it is everywhere, unlike other operating systems which have some market share, just not the volume that Microsoft does (IMHO). In this article, I am going to expose the issues related to LDAP and Active Directory, using a free Microsoft tool called LDP.exe. Anyone can download and run this tool from any Windows computer. At the end, I will give you some direction on how to protect yourself against this vulnerability.
Active Directory and LDAP
Active Directory is responsible for storing user, group, and computer accounts, as well as authenticating users and computers so network access can be granted. In order to update Active Directory objects (users, groups, computers, etc.) or query information about an existing object, you must use LDAP (lightweight directory access protocol). LDAP is an industry standard protocol and nearly all network directories now use LDAP.
Of course, like all of the other operating system vendors, Microsoft has made their implementation of LDAP proprietary in some areas. However, there is still enough similarity from the Microsoft version to other versions that they can cohabitate on the same network and even share information.
Active Directory Information
Active Directory is nothing but a database, which has many different bits of information stored within it. Information about users, groups, and computers are stored within the database, some of which can be very useful for someone who is trying to gather information about the organization and the network. I will not go into what people might use the information for, but here is a partial list of what type of information is stored in the database:
- Logon name
- Full name
- Last logon date
- Last password change date
- Password expiration
- Group name
- Group members
- Computer name
- Objects contained within
This is a tool that is developed and distributed by Microsoft. The tool is designed to access LDAP databases, as the name indicates. The tool was originally developed for Windows 2000, then updated for 2003, and still works on 2008. The tool does not need to run on a server, it can run on Windows XP or 7.
In order to use the tool, you must have an account in Active Directory. So, this is not a tool that can be used with anonymous access. To use the tool, three steps must be performed. First, the user must make a connection to a domain controller. This is done with the Connect menu option. Figure 1 shows how to make a connection to a domain controller.
Figure 1: Connecting to a domain controller.
Next, the user must authenticate to the domain controller, which is referred to using LDP as Bind. The users enter their own credentials to authenticate. Please note that the credentials used do not need to be administrative to perform this task. Figure 2 illustrates the Bind option and procedure.
Figure 2: Binding to Active Directory.
Finally, the user now needs to make the final configuration in LDP to view the Active Directory structure. Since Active Directory uses LDAP, you must input the information using LDAP syntax. The menu option used here is the View option. Since most users will want to view the entire structure, only the domain portion of the Active Directory name and contents needs to be entered. So, if your domain name is braincore.net, then the LDAP syntax would be dc=braincore,dc=net, which can be seen in Figure 3.
Figure 3: Viewing the Active Directory structure in LDP.
By clicking around in the view, the user can see all of the objects, organizational units, and properties of the objects.
Risk associated with this access
Of course, anyone can see the risk associated with this tool and the access it provides to Active Directory objects and information. A user can obtain membership details for all of the "Admin" groups in Active Directory, determine which accounts have non-expiring passwords, and much more. With this information, the user can then spawn an attack on the Active Directory database and other network resources using the information obtained from the Active Directory database using LDP.
Reducing the risk
A user can obtain the information due to the fact that all users that have an account in Active Directory have Read access to the domain level of Active Directory and below. This is done so that users can search for objects and properties within Active Directory. For example, Exchange integrates into Active Directory and Outlook is typically the front-end to the Exchange contents. When looking for someone to e-mail, a search is performed on the objects in Active Directory, which requires "read" access. If read access is altered, Outlook could easily throw an error, cause instability on the desktop, or any myriad of issues without the correct access. So, altering the default permissions which give users read access to Active Directory is not an option.
As an alternate option for users reading this article, I suggest that organizations should include tools like LDP in their IT security policy, and this should include similar tools that enumerate Active Directory properties. With users signing a policy that prohibits this activity outside of the normal duties, the corporation at least has some recourse if the user decides to attack the network or obtain information that is not useful to their job responsibilities.
If you want to take a more direct approach to solving this, you could create a whitelist/blacklist of acceptable/denied tools. This is a technical approach, but with the abyss of tools that can enumerate LDAP databases, you are bound to miss one or two tools. However, combining the written security policy along with a blacklist of denied applications would be a good combo!
LDP is a known and powerful tool. If a user has an Active Directory user account, LDP can be used to gather some amazing information. Knowing this access is available and knowing there is little that can be done to alter the permissions, it is important to know what options you have on how to mitigate this risk. Putting additional information in the written security policy and creating a blacklist of denied tools would be a good consideration to help reduce the risk associated with this access.