srakaindiana.blogg.se

Powershell central password repository

Abusing gMSA Passwords to Gain Elevated Access

gMSA Recap

If you're not familiar with Group Managed Service Accounts (gMSA), you can review my last post, which gave a high-level overview of how they work. In case you need a quick recap, a gMSA is a special Active Directory object used for securely running automated tasks, services and applications.

The most important thing to note about these accounts, which plays into their increased security, is the automatically generated and rotating password that no human has to know to make use of the account. One other very important thing to note about gMSAs is that all of their information is stored in Active Directory, and the password itself is stored in an attribute. Some of these attributes include information around who can query the password, how frequently the password rotates, the current and previous key IDs used for generating the passwords, and, like I mentioned, the password itself. Here are the specific attributes and a short description:

msDS-ManagedPassword – a BLOB with the password for group-managed service accounts
msDS-ManagedPasswordID – the key ID used to generate the current gMSA password
msDS-ManagedPasswordPreviousID – the key ID used to generate the previous gMSA password
msDS-GroupMSAMembership – the list of objects that have permission to query the password for the gMSA
msDS-ManagedPasswordInterval – the interval (days) in which the password is rotated for the gMSA

Since the password information is stored in the msDS-ManagedPassword attribute, you'll definitely want to know who in your environment is able to query the password, which is set in the msDS-GroupMSAMembership attribute. It's a little more complicated than just that attribute though, as Active Directory permissions do come into play. If for whatever reason a user or object is configured to have permissions to query the password via the msDS-GroupMSAMembership attribute, they still need to have 'Read' permissions to the gMSA itself, specifically the msDS-ManagedPassword attribute. This means there are two avenues to securing this password:
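Added example (my own code, not from the original post): a PowerShell audit that lists, for each gMSA, the principals set in msDS-GroupMSAMembership and the principals whose ACEs on the object grant read of msDS-ManagedPassword, i.e. both avenues the text describes. It assumes the ActiveDirectory module (RSAT) is available and that it runs with rights to read the gMSA objects and their ACLs; the function name is mine.

```powershell
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    # Report, for one gMSA, both avenues that lead to its password:
    #  1. msDS-GroupMSAMembership (exposed as PrincipalsAllowedToRetrieveManagedPassword)
    #  2. ACEs on the object that grant read of msDS-ManagedPassword (or of all properties)
    param([Parameter(Mandatory)][string]$Identity)

    $gmsa = Get-ADServiceAccount -Identity $Identity -Properties `
        PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

    # Resolve the schema GUID of msDS-ManagedPassword from the schema instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrDef  = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msDS-ManagedPassword)'
    $pwdGuid  = [guid]$attrDef.schemaIDGUID

    # ReadProperty bit; GenericRead and GenericAll both include it.
    $readBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    # Allow ACEs that read this specific attribute or all attributes (empty ObjectType).
    # Limitation: ACEs scoped to a property set are not expanded here.
    $acl = Get-Acl -Path ("AD:\" + $gmsa.DistinguishedName)
    $aclReaders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $readBit) -ne 0 -and
        ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Name                 = $gmsa.Name
        RotationIntervalDays = $gmsa.'msDS-ManagedPasswordInterval'
        AllowedToRetrieve    = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
        AclReadersOfPassword = @($aclReaders)
    }
}

# Review every gMSA in the domain (standalone MSAs are a different object class and are skipped).
Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' |
    ForEach-Object { Get-GmsaPasswordReaders -Identity $_.DistinguishedName } |
    Format-List
```

Anything in AllowedToRetrieve that is not the intended host or host group, and any AclReadersOfPassword entry beyond the default administrative principals, is worth reviewing against the ownership record for that account.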