Rule S-ADRegistration wont trigger if the "ms-DS-MachineAccountQuota" is not set, but adding computers is possible.

Question

Rule S-ADRegistration wont trigger if the "ms-DS-MachineAccountQuota" is not set, but adding computers is possible.

dcaluzi opened this issue 9 months ago · 0 comments

If the ms-DS-MachineAccountQuota in the Active Directory is "not set" it is possible to add computers to the domain if the SeMachineAccountPrivilege is set to "Authenticated Users".

However the PingCastle rule S-ADRegistration will not detect the issue.

The following lab setup was used to confirm the behaviour:

PingCastle version 3.1.0.1
ms-DS-MachineAccountQuota: "not set"
SeMachineAccountPrivilege: Authenticated Users

PingCastle did not trigger the S-ADRegistration Rule, however adding a computer was possible (in this case using impacket):

$ impacket-addcomputer child.testlab.local/cclear:Welc0me2022! -dc-ip 10.0.1.100 -computer-name EVIL-COMPUTER$ -computer-pass password.123 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Successfully added machine account EVIL-COMPUTER$ with password password.123.

Computer created in AD:

It would be nice if PingCastle could also detect this special case to know if adding machine accounts as domain user is possible. Remediation will stay the same: set the ms-DS-MachineAccountQuota to 0.