cn at brain-biotech.de
2021-Jan-26 06:55 UTC
[Samba] Resetting the krbtgt account password
Hello you all,

I was thinking about disaster recovery when this question came up. If your AD were compromised by an attacker who made himself a golden ticket, would changing the password of the krbtgt account lock him out?

I am looking at this:

https://dev.tranquil.it/samba/en/samba_advanced_methods/samba_reset_krbtgt.html

So I think this will help lock out any attacker who has a "normal" user ticket. But will this also be true for a golden ticket?

Regards

Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: Local Court (AG) Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman of the Board), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
On Tue, 2021-01-26 at 07:55 +0100, cn--- via samba wrote:
> Hello you all,
> I was thinking about disaster recovery when this question came up. If
> your AD were compromised by an attacker who made himself a golden
> ticket, would changing the password of the krbtgt account lock him out?
>
> I am looking at this:
>
> https://dev.tranquil.it/samba/en/samba_advanced_methods/samba_reset_krbtgt.html
>
> So I think this will help lock out any attacker who has a "normal" user
> ticket. But will this also be true for a golden ticket?

Yes, this is how to invalidate a golden ticket.

However, there are lots of other privileged accounts and keys in AD, like every AD DC, administrator, and any user with access to replicate passwords or reset passwords (e.g. via changing ACLs).

I would love for someone to write or fund a tool to list the comprehensive set of accounts that are privileged, so this can be audited regularly.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
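As an added illustration (not from this thread and not Samba code), a toy model of why the krbtgt reset works and why the usual guidance is to reset it twice: a DC still honours tickets issued under the previous krbtgt password, so a forgery made with the old key survives the first reset and is only rejected after the second. HMAC stands in for Kerberos ticket encryption, and the realm name and the two-key history are assumptions of the model.

```python
import hashlib, hmac, json, os
from collections import deque


def make_tgt(krbtgt_key, principal):
    """Toy TGT: a body plus a tag keyed with the krbtgt secret. Anyone holding
    that key can mint one for any principal; that is what a golden ticket is."""
    body = json.dumps({"cname": principal, "realm": "EXAMPLE.LOCAL"}).encode()
    return body, hmac.new(krbtgt_key, body, hashlib.sha256).digest()


class ToyKdc:
    """Minimal KDC that keeps the current krbtgt key and the previous one,
    mirroring a DC honouring tickets issued under the prior krbtgt password."""

    def __init__(self):
        self.keys = deque([os.urandom(32)], maxlen=2)  # newest first

    @property
    def current_key(self):
        return self.keys[0]

    def reset_krbtgt(self):
        # New key becomes current; with maxlen=2 the older of the two is dropped.
        self.keys.appendleft(os.urandom(32))

    def issue_tgt(self, principal):
        return make_tgt(self.current_key, principal)

    def validate_tgt(self, tgt):
        body, tag = tgt
        return any(hmac.compare_digest(hmac.new(k, body, hashlib.sha256).digest(), tag)
                   for k in self.keys)


def resets_needed_to_invalidate_golden_ticket():
    """Count krbtgt resets until a ticket minted with a stolen key is rejected."""
    kdc = ToyKdc()
    golden = make_tgt(kdc.current_key, "Administrator")  # attacker's copy of the key
    resets = 0
    while kdc.validate_tgt(golden):
        kdc.reset_krbtgt()
        resets += 1
    return resets  # 2: one reset leaves the old key accepted


def legitimate_tgt_survives_one_reset():
    """Why the previous key is kept: a TGT issued just before a reset still works."""
    kdc = ToyKdc()
    tgt = kdc.issue_tgt("alice")
    kdc.reset_krbtgt()
    return kdc.validate_tgt(tgt)  # True
```

The same retention that keeps legitimate users logged in across a reset is what keeps a golden ticket alive until the second reset, which is why the two resets should be separated by at least the domain's maximum ticket lifetime rather than run back to back.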