pingcastle icon indicating copy to clipboard operation
pingcastle copied to clipboard
verified publisher icon vletoux

A-Guest Rule Bug?

Open PR3R00T opened this issue 3 years ago • 7 comments

Running the latest version of Ping Castle in a lab presents the rule A-Guest:

Rule ID: A-Guest

Description: The purpose is to ensure that the guest account of the domain is not enabled

Technical explanation: The GUEST account is a special account whose SID is S-1-5-domain-501. It is used as a non nominative account to allow anyone to connect to the Active Directory. Unless there is a justification about its activation, this represents a security issue because anybody can use this account to connect to any computer without any trace.

Advised solution: You have to find the GUEST account and disable it.

Points: 15 points if present

However Looking at the lab AD the Guest account is disabled and it is the only user in the domain guest group. image

Tried enabling and disabling again, still reports. Any ideas?

PR3R00T avatar Feb 17 '22 13:02 PR3R00T

can you show a screenshot of the guest user account with the following attributes ? objectSID and userAccountControl

Thanks

vletoux avatar Feb 19 '22 09:02 vletoux

Hey @vletoux please see below: image image image

Apologies for the userAccountControl, Couldn't find a powershell command for it.

PR3R00T avatar Feb 21 '22 09:02 PR3R00T

This is very strange because the code associated to the check shouldn't be trigger here: https://github.com/vletoux/pingcastle/blob/master/Healthcheck/HealthcheckAnalyzer.cs#L460-L466

Are you running the code in a different account that could explain why is not seeing the same properties ?

vletoux avatar Feb 21 '22 11:02 vletoux

Hey @vletoux So running PingCastle 2.10.1.0 as a created account with domain admins group privileges. interactive mode - healthcheck -default Domain (my case AC.LOCAL) through CMD. ... And I've just seen a difference, so when I run the same exe (copied from the created account's desktop) and run while logged in as the default Administrator account I do not get the guest account in the report. Below is the groups of the created account used to run the script originally. image

PR3R00T avatar Feb 21 '22 11:02 PR3R00T

I think you have a permission issue that shows different results based on the user you are running You’d better run adexplorer with these different identities to find the root cause

vletoux avatar Feb 21 '22 14:02 vletoux

Hi, I've got the same issue on this rule : the account (S-1-5-21-***-501) is disabled : userAccountControl = 546 NORMAL_ACCOUNT+PASSWD_NOTREQD+ACCOUNTDISABLE , but the rule triggers... ? Regards

Nioubi24 avatar Mar 08 '22 13:03 Nioubi24

This is because the permission hide the useraccountcontrol attribute (set it to zero, then zero = ACCOUNT DISABLED)

vletoux avatar Mar 08 '22 13:03 vletoux