More details on "P-OperatorsEmpty"

In the HTML report the “Technical Explanation” is: “Operator groups (Account Operators, Server Operators, ...) can take indirect control of the domain”

Does the “…” mean the rule includes more? No, it does not:

So I was trying to name the “other groups” also called “…” (found them here) and find the different rules:

  • “S-1-5-32-548” - Account Operators - P-OperatorsEmpty / P-RODCNeverReveal / P-DsHeuristicsAdminSDExMask
  • “S-1-5-32-549” - Server Operators - P-OperatorsEmpty / P-RODCNeverReveal / P-DsHeuristicsAdminSDExMask
  • “S-1-5-32-550” - Print Operators - P-DsHeuristicsAdminSDExMask
  • “S-1-5-32-551” - Backup Operators - P-RODCNeverReveal
  • “S-1-5-32-569” - “Certificate Operators” - ?none?

Let's have a look at “Certificate Operators”:
The “Certificate Operators” group is named “DOMAIN_ALIAS_RID_CRYPTO_OPERATORS” or “cryptography operators” or “Cryptographic Operators” (also here) by Microsoft and, according to the PingCastle source code, has the same “CompromiseGraphDataObjectRisk.Medium” as the group “Backup Operators”.

Microsoft describes this group:

Members of this group are authorized to perform cryptographic operations. This security group configures Windows Firewall for IPsec in Common Criteria mode. This group can’t be renamed, deleted, or removed.

Source: Active Directory Security Groups | Microsoft Learn
…and:

Default Container, Group Scope and Type: Built-in container, Domain-local security group
Description and Default User Rights: Members are authorized to perform cryptographic operations.
Direct user rights: None
Inherited user rights:

  • Access this computer from the network
  • Add workstations to domain
  • Bypass traverse checking
  • Increase a process working set

Source: Active Directory Privileged Accounts and Groups Guide | Microsoft Learn

Did you notice? “Certificate Operators” should be called “Cryptographic Operators”, not “Certificate Operators”.

So the situation in PingCastle is:

  1. “Account Operators” and “Server Operators” are validated if in use (Member > 0)
  2. “Account Operators”, “Server Operators” and “Backup Operators” should not replicate to RODCs
  3. “Account Operators”, “Server Operators”, “Print Operators” and “Backup Operators” should be protected by SDPROP/AdminSDHolder
  4. “Print Operators”, “Backup Operators” and “Certificate Operators” can be used (Member > 0) although they are medium/high/medium “ObjectRisk”
  5. “Certificate Operators” is wrongly named, is rated medium critical, but has no rule reporting it

So, anyone else confused?
What I do with that current situation:

  • I have notes for myself when using PingCastle
  • I check other operators groups as well and ask customers if they know what they are doing :smiley:
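To check the five groups from the list above in your own domain, here is an added PowerShell example (not PingCastle code) that enumerates each Operator group by its well-known SID and reports the three things the rules look at: member count, AdminSDHolder protection (adminCount) and RODC replication denial. It assumes the RSAT ActiveDirectory module, a domain-joined session, and that the forest has the well-known “Denied RODC Password Replication Group”.

```powershell
# Added example, not part of PingCastle: inventory the built-in Operator groups
# by well-known SID so the P-OperatorsEmpty / P-RODCNeverReveal /
# P-DsHeuristicsAdminSDExMask findings can be cross-checked by hand.
# Assumes: RSAT ActiveDirectory module, domain-joined session,
#          the "Denied RODC Password Replication Group" exists (assumption).
Import-Module ActiveDirectory

$operatorGroups = @(
    @{ Sid = 'S-1-5-32-548'; Name = 'Account Operators' }
    @{ Sid = 'S-1-5-32-549'; Name = 'Server Operators' }
    @{ Sid = 'S-1-5-32-550'; Name = 'Print Operators' }
    @{ Sid = 'S-1-5-32-551'; Name = 'Backup Operators' }
    @{ Sid = 'S-1-5-32-569'; Name = 'Cryptographic Operators' }  # "Certificate Operators" in the report
)

# Groups listed here are denied password replication to RODCs
$deniedRodc = @(Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' |
    Select-Object -ExpandProperty DistinguishedName)

foreach ($g in $operatorGroups) {
    # Get-ADGroup accepts the SID string as -Identity, so names/localisation do not matter
    $group   = Get-ADGroup -Identity $g.Sid -Properties adminCount
    # -Recursive expands nested groups, which is what "in use (Member > 0)" should count
    $members = @(Get-ADGroupMember -Identity $g.Sid -Recursive)

    [pscustomobject]@{
        Group          = $g.Name
        Sid            = $g.Sid
        MemberCount    = $members.Count                       # P-OperatorsEmpty looks at > 0
        SdPropProtected = ($group.adminCount -eq 1)            # stamped by AdminSDHolder/SDPROP
        DeniedRodc     = ($deniedRodc -contains $group.DistinguishedName)  # P-RODCNeverReveal
        Members        = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}
```

Pipe the output to Format-Table to compare it line by line with the PingCastle report; any group with MemberCount greater than 0 that PingCastle does not flag is one of the cases discussed in this thread.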

Hey Andreas,
This is indeed confusing!

I think the following improvements may make this much more understandable:

  1. Clearer risk text for P-OperatorsEmpty
  2. Rename Certificate Operators in the code to Cryptographic Operators to avoid further confusion and set risk to low. Alternatively, remove it.
    a. I believe the risk this group presents is the local group for computers and member servers, not the domain group which will apply to Domain Controllers as you require login rights for this to work effectively as the domain group is not nested in local groups.

What do you think the best solution is here? I think my vote would be to remove Cryptographic Operators from specific reporting in PingCastle at this stage.

This would leave it at:

  1. P-OperatorsEmpty - Account Operators and Server Operators
  2. RODC Replication - Account Operators, Server Operators and Backup Operators denied RODC Replication
  3. AdminSDHolder - Members of Account Operators, Server Operators, Print Operators and Backup Operators should be protected by SDPROP.
  4. Risky - Members of Print Operators and Backup Operators marked as risky in control paths.

Cheers,
Joe

Thank you Joe.
Text cleanup, rename, priority change are the essentials and I agree with that.
About the details of how the RiskID “P-OperatorsEmpty” should look, I am unsure, even more so the more I think about it.

  • It needs to be descriptive.
  • It could describe the Account/Server/Print/Backup/Cryptographic Operators and their known risk level, indicating why Print/Backup/Cryptographic Operators are not validated within that risk
  • It should point to Control Paths Analysis > Admin Groups
  • Backup Operators get relevant access/data to compromise a domain, so these should be reduced to a minimum. Maybe report them if you have more than a limit (1 for example) within a P-OperatorsRisky rule, as Print Operators could be reported as well.

As “Cryptographic Operators” was within the reports in the past, I initially thought about keeping them in the Admin groups > Groups and in Control Paths Analysis > Admin Groups, but as for now I can’t name a real risk with it.

Regarding the priority, it could be low. What about the other priority that the Certificate Publishers have?

A possible P-OperatorsRisky would be more like having to validate whether the users are worth having that permission.

I agree with the following, but as I wrote before, I am unsure if there should be done more.