Home / server / Questions / 565887
Accepted
the-wabbit
Asked: 2014-01-09 07:45:09 +0800 CST

Managed Service Account has "Everyone:Change password" ACE by default

  • 772

I have created a service account using the Add-ADComputerServiceAccount cmdlet and bound it to a computer account using Install-ADServiceAccount. When looking into the ACL of the created service account object, I noticed that the "Everyone" group has the "Change Password" permission assigned for this object, while "SELF" mysteriously has not:

ACL for the Managed Service Account object

This looks like a security problem and a denial-of-service attack vector. Why is this so? Does it have to stay this way?

active-directory

1 Answers

  1. Best Answer

    Take a look at the default security ACL on a normal user account. You'll notice that Everyone has Change Password on those as well. But everyone can't just go and change each others passwords.

    Remember that Change Password and Reset Password are two different permissions. Changing a password is something the user does for itself and requires providing the current password as part of the process. Resetting a password is something done administratively by another user and doesn't require the current password.

    Edit: Nope, I was wrong about the underlying reason. Microsoft Article KB242795 explains better the underlying reason for the permission.

    From the article:

    The Everyone group has Change Password permissions on all computer and user objects so that unauthenticated or "anonymous" users or computers are able to change their passwords when they expire without having to be authenticated first. If the anonymous user is denied the ability to change passwords, the user would be unable to change the password without logging on.

    • 5