How to remediate – Active Directory – Enumerate Directory Trusts

1. Introduction

The finding "Active Directory – Enumerate Directory Trusts" reports that a list of the domain's trust relationships can be retrieved via ADSI. An attacker with local access can use this to map the network's trust relationships, which aids further reconnaissance and privilege escalation. Systems running Active Directory are usually affected. A successful exploit compromises confidentiality by revealing the internal network structure.

2. Technical Explanation

The vulnerability occurs because ADSI allows enumeration of trusts without sufficient access controls. An attacker with local access can query Active Directory to obtain a detailed list of trusts in the network. There is no known CVE associated with this specific enumeration, but similar information disclosure issues exist (e.g., CVE-2017-0143). For example, an attacker could use PowerShell to enumerate all trusts within a domain. Affected platforms are Windows systems running Active Directory Domain Services.

  • Root cause: Insufficient access control on ADSI queries for trust information.
  • Exploit mechanism: An attacker uses ADSI to query Active Directory and retrieve trust details. Example payload using PowerShell: Get-ADTrust.
  • Scope: Windows systems running Active Directory Domain Services.

3. Detection and Assessment

Confirm whether a system is vulnerable by checking the ability to enumerate trusts. A quick check involves attempting to list trusts with standard tools. Thorough assessment requires reviewing ADSI permissions.

  • Quick checks: Run Get-ADTrust in PowerShell. If it returns trust information, the system is likely vulnerable.
  • Scanning: Nessus plugin ID 10386 can identify this issue as an example only.
  • Logs and evidence: Security event logs may show ADSI queries for trust information (Event ID 4725). Look for events related to querying the trusts container in Active Directory.
Get-ADTrust
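As an added audit script (not part of the original article), the following PowerShell lists which principals hold read-type rights on the trusts container and how many trusts the current account can actually see. It assumes the ActiveDirectory RSAT module is installed and that the container path from this article is replaced with your own; the `Get-TrustReadAccess` and `Get-VisibleTrustCount` function names and the list of broad principals are this example's own choices.

```powershell
# Added example: audit read access to the trusts container (not from the original page).
# Assumes the ActiveDirectory module (RSAT) and an account allowed to read the DACL.
Import-Module ActiveDirectory

function Get-TrustReadAccess {
    param(
        # Container path taken from this article; it is a placeholder, adjust to your domain.
        [string]$Path = "AD:\CN=Trusts,DC=yourdomain,DC=com",
        # Broad principals whose read access widens enumeration to every logged-on user.
        [string[]]$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                       'Everyone', 'Domain Users')
    )
    # Rights that let a trustee read or list the container's contents.
    $readRights = 'GenericAll|GenericRead|ReadProperty|ListChildren|ListObject'
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $readRights) { continue }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited      # inherited ACEs must be fixed on the parent
            Broad     = [bool]($BroadPrincipals | Where-Object { $who -like "*$_" })
        }
    }
}

# The article's quick check, made measurable: how many trusts does this account see?
function Get-VisibleTrustCount {
    @(Get-ADTrust -Filter *).Count
}

Get-TrustReadAccess | Where-Object Broad | Format-Table -AutoSize
"Trusts visible to $env:USERNAME: $(Get-VisibleTrustCount)"
```

Any row with Broad set to True is an ACE worth reviewing under section 4; rows marked Inherited cannot be removed on the container itself.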

4. Solution / Remediation Steps

Fix the issue by restricting access to ADSI queries for trust information. This involves configuring appropriate permissions on the trusts container.

4.1 Preparation

  • Dependencies: Requires domain administrator privileges.
  • Roll back plan: Restore from backup if necessary.
  • Change window: Coordinate with security team and obtain approval for permission changes.

4.2 Implementation

  1. Step 1: Open Active Directory Users and Computers (ADUC).
  2. Step 2: Navigate to the Trusts container within your domain.
  3. Step 3: Right-click the Trusts container and select “Properties”.
  4. Step 4: Go to the Security tab.
  5. Step 5: Edit permissions for the Users or Groups that should not have access to enumerate trusts, removing read permissions.
  6. Step 6: Apply changes and verify.

4.3 Config or Code Example

Before

Users group has Read permissions on Trusts container

After

Users group does not have Read permissions on Trusts container. Only Domain Admins and authorized accounts have access.

4.4 Security Practices Relevant to This Vulnerability

  • Practice 1: Least privilege. Limit read access to trust information to the accounts that need it, so that a compromised local account learns as little as possible about the network's trust relationships.

4.5 Automation (Optional)

# Example PowerShell script to remove read permissions from the Trusts container for a specific group (uses the ActiveDirectory module's AD: drive; the domain path is a placeholder):
Import-Module ActiveDirectory; $GroupName = "Users"; $Path = "AD:\CN=Trusts,DC=yourdomain,DC=com"
$acl = Get-Acl -Path $Path                                      # current DACL of the container
$stale = $acl.Access | Where-Object { $_.IdentityReference -like "*\$GroupName" -and $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and $_.ActiveDirectoryRights -match 'Read|ListChildren|GenericAll' }
$stale | ForEach-Object { [void]$acl.RemoveAccessRule($_) }    # explicit ACEs only; inherited ones must be changed on the parent
Set-Acl -Path $Path -AclObject $acl                             # write the modified DACL back

5. Verification / Validation

Confirm the fix worked by attempting to enumerate trusts with a non-administrator account. Verify that access is denied.

  • Post-fix check: Run Get-ADTrust as a standard user. Expected output should be an “Access Denied” error.
  • Re-test: Re-run the earlier detection (Get-ADTrust) with a non-administrator account to confirm access is denied.
  • Smoke test: Verify that domain administrators can still manage trusts as expected.
  • Monitoring: Monitor security event logs for failed ADSI queries related to trust enumeration.
Get-ADTrust # Expected output: Access Denied
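The post-fix check, re-test and smoke test above can be run as one script. This is an added example (not from the original article) that assumes the ActiveDirectory module and a PSCredential for a non-administrator test account; `Test-TrustEnumeration` and its parameters are this example's own names.

```powershell
# Added example: verify that a standard user can no longer enumerate trusts while an
# administrator still can. Assumes the ActiveDirectory module and a non-admin test account.
Import-Module ActiveDirectory

function Test-TrustEnumeration {
    param(
        [Parameter(Mandatory)][pscredential]$StandardUser,
        [string]$Server = $env:USERDNSDOMAIN    # assumption: test against the current domain
    )
    # Enumerate as the low-privileged account. LDAP normally hides objects the caller
    # cannot read instead of raising an error, so an empty result also counts as denied.
    $denied = $false
    $seen = 0
    try {
        $seen = @(Get-ADTrust -Filter * -Server $Server -Credential $StandardUser).Count
        if ($seen -eq 0) { $denied = $true }
    } catch {
        $denied = $true                         # e.g. an access-denied / authorization error
    }
    # Smoke test: the current (administrative) session must still see the trusts.
    $adminSees = @(Get-ADTrust -Filter * -Server $Server).Count
    # A domain with no trusts at all makes the test inconclusive, so treat that as FAIL.
    $result = if ($denied -and $adminSees -gt 0) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        StandardUserDenied = $denied
        StandardUserSaw    = $seen
        AdminSaw           = $adminSees
        Result             = $result
    }
}

# Usage: prompt for the test account, then run the check from an administrative session.
Test-TrustEnumeration -StandardUser (Get-Credential -Message 'Non-admin test account')
```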

6. Preventive Measures and Monitoring

  • Baselines: Update security baselines or policies to enforce least privilege access controls on Active Directory objects.
  • Pipelines: Implement regular audits of Active Directory permissions to identify and correct overly permissive settings.
  • Asset and patch process: Maintain a current inventory of Active Directory systems and apply security patches promptly.

7. Risks, Side Effects, and Roll Back

  • Roll back: Restore permissions on the Trusts container from backup if necessary, or manually re-add read permissions for authorized accounts.

8. References and Resources

Updated on December 27, 2025