Securing Active Directory: Forgotten Groups
Does anyone remember the Pre-Windows 2000 Compatible Access Group? I know, why are we discussing a group with the year 2000 in it? Because it is still related to security.
Long ago, Microsoft needed to give certain users and services the ability to access Active Directory anonymously. This access was of course not tracked, and the user/service could get a ton of info out of AD without being noticed. Unfortunately, the solution Microsoft came up with not only gave the user/service this access, but also anyone trying to access the resources—including non-domain users!
This was accomplished by adding the Everyone group to the Pre-Windows 2000 Compatible Access Group. Back in 2000, the Everyone group included the Anonymous user. With this simple group modification, the solution was engaged.
Obviously this is not something we want today, so what is our solution in 2020? Well, it is more complicated now given that there are additional settings to control “anonymous” within AD.
First, I suggest you look at your Pre-Windows 2000 Compatible Access Group and ensure that the Everyone group does not have membership. If it does, you might want to investigate whether you have a service that requires this level of access before you go and rip it out.
Second, you will need to verify if the Everyone group includes the Anonymous user. To do this, you can run secpol.msc on one of your domain controllers, which will result in a secpol.msc window appearing. Then drill down into the structure of the left panel to find the following location:
Security Settings – Local Policies – Security Options
There you will find an entry named “Network Access: Let Everyone permissions apply to anonymous users”, which can be seen in Figure 1.
The ideal configuration for this setting is “Disabled”. If Disabled, the Everyone group does not allow anonymous access.
So why be concerned about the Everyone group being located in the Pre-Windows 2000 Compatible Access Group? Two words: security layering. By removing the Everyone group, it takes two steps to allow the access, versus only the one toggle of the security setting exposed by secpol.msc.
Verifying your security at a deep level in addition to security layers will ensure a more secure AD.