Univention Bugzilla – Bug 56805
Samba can't prevent net group "domain admins" /domain or Get-wmiobject win32_useraccount from Windows
Last modified: 2024-04-18 10:48:04 CEST
UCS: 5.0-5 errata852
Installed: samba4=4.16

If a customer wants to secure or harden their system so that domain users are not allowed to list the existing domain admins and/or the existing domain users, this can be done on a Microsoft AD by setting up security groups and a deny read permission. The following commands are the ones that should then be blocked:

    net group "domain admins" /domain
    Get-wmiobject win32_useraccount

More information about the project (external link): https://www.adamcouch.co.uk/disable-domain-user-enumeration/

One idea was to implement it in UCS as follows:

    # Create the group whose members will be denied the read permission
    udm groups/group create --position "cn=groups,$(ucr get ldap/base)" --set name="Disable Domain Read"

    # Wait for the S4 connector to replicate the group into Samba and assign it a SID
    groupsid=""
    while [ -z "$groupsid" ]; do
        sleep 1
        groupsid=$(univention-s4search "cn=Disable Domain Read" objectsid | sed -n 's/^objectSid: //p')
    done

    # For group "Domain Admins":
    # deny permission "Read Property" for attribute "member" (attribute schema GUID: bf9679c0-0de6-11d0-a285-00aa003049e2)
    # to all members of the group we just created, which has the SID $groupsid
    samba-tool dsacl set --objectdn="CN=Domain Admins,CN=Groups,$(ucr get samba4/ldap/base)" --sddl="(OD;;RP;bf9679c0-0de6-11d0-a285-00aa003049e2;;$groupsid)"

Unfortunately, this did not have the desired effect, because Samba evaluates the request as the SYSTEM user instead of as the user executing the command, so the deny ACE is never applied to that user. Therefore, there is a vulnerability on the Samba side that can be exploited in guided pentests or by external third parties.
Samba-Bug https://bugzilla.samba.org/show_bug.cgi?id=15519
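As an added verification helper (not part of the bug report or of UCS), the following script checks whether the deny ACE from the procedure above actually hides "Domain Admins" membership from a restricted test user: it compares what that user sees over LDAP (where the ACE is evaluated against the bound user) with what the SAMR/RPC path behind `net group ... /domain` returns. The DC hostname, the test user (as a UPN), its password and the base DN are assumed parameters.

```shell
#!/bin/sh
# Added verification helper (not from the bug report). Assumed inputs: DC
# hostname, a member of "Disable Domain Read" given as user@REALM, its
# password, and the Samba base DN. Requires ldapsearch and Samba's net tool.

MEMBER_GUID="bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of attribute "member"

# Build the object-specific deny ACE: deny (OD) "Read Property" (RP) on the
# member attribute GUID for the trustee SID given as $1.
build_deny_ace() {
    printf '(OD;;RP;%s;;%s)' "$MEMBER_GUID" "$1"
}

# Succeed if a security descriptor in SDDL form (e.g. the output of
# `samba-tool dsacl get`) already contains the deny ACE for SID $2.
sddl_has_deny_ace() {
    case "$1" in
        *"$(build_deny_ace "$2")"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the members each path reveals to the restricted user. A hardened
# setup shows 0 on both paths; the behaviour described in the report is
# 0 over LDAP but a non-empty list over the SAMR/RPC path.
compare_paths() {
    dc="$1"; user="$2"; pass="$3"; base="$4"
    ldap_n=$(ldapsearch -LLL -x -H "ldap://$dc" -D "$user" -w "$pass" \
        -b "CN=Domain Admins,CN=Groups,$base" member | grep -c '^member:')
    rpc_n=$(net rpc group members "Domain Admins" -S "$dc" -U "$user%$pass" | grep -c .)
    echo "ldap_members=$ldap_n rpc_members=$rpc_n"
    if [ "$ldap_n" -eq 0 ] && [ "$rpc_n" -gt 0 ]; then
        echo "deny ACE is honoured over LDAP but bypassed by the SAMR path"
        return 1
    fi
    return 0
}

# Usage: sh check_enum.sh DC_HOST user@REALM 'password' 'DC=example,DC=com'
if [ "$#" -ge 4 ]; then
    compare_paths "$1" "$2" "$3" "$4"
fi
```

Run it before and after `samba-tool dsacl set`; a non-zero exit with the mismatch message is the signal that the ACE does not cover the RPC path.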