You are able to configure a password replication policy for the RODC that specifies user accounts the RODC is allowed to cache. If the user logging on is included in the PRP, the RODC caches that user’s credentials, so the next time authentication is requested, the RODC can perform the task locally. As users who are included in the PRP log on, the RODC builds its cache of credentials so that it can perform authentication locally for those users.

What is an RODC?

Control of this one account provides full control over accounts and groups in the domain. With this information, we can determine which RODCs have account passwords stored on them. The next step is identifying ways to gain access to an RODC that has interesting account passwords stored on it. RODCs are a useful tool to complement your IT infrastructure and help secure it as well.


While the password stored on the RODC may not be the current one, this is still a risk. Normally, the user or computer needs to authenticate to the RODC before its password is cached. An administrator can also pre-populate account passwords on an RODC if those accounts are allowed to be cached. RODCs are typically deployed either to cache no accounts at all, or configured to allow caching of most accounts, often by adding Authenticated Users or Domain Users to the allowed list of the password replication policy.


Whatever content exists on your main writable DC is replicated to the RODC. The difference is that you cannot change, create or delete anything while logged on to an RODC. Writable domain controllers maintain a list of all credentials cached on each individual RODC. When you delete the account of a stolen or compromised RODC from Active Directory, you are given the option to reset the passwords of all user accounts that were cached on that RODC. The RODC replicates changes to Active Directory from DCs in the main site. Replication is one-way; no changes on the RODC are replicated to any other domain controller.

The RODC can be configured to cache user and computer passwords to enable local authentication of those accounts. Administration of the RODC is easily delegated to local staff for on-site RODC management without making them Active Directory admins. This configuration typically results in most domain accounts having their passwords stored on the RODC.

Scenarios for an RODC

First, determine what group manages the RODC by enumerating the RODC's managedBy attribute. Also added is the RODC Admins group used in this lab environment to administer the RODCs. Think twice about placing an RODC in the same site as a writable DC. RODCs are meant to be used where there are security and/or other concerns. If a writable DC is in the site, it makes more sense to place another writable DC there instead of an RODC.

A Read-Only Domain Controller is typically placed in situations and scenarios where a standard writable domain controller cannot be placed. The AD data can be filtered so that sensitive items such as passwords, credentials, and other security-sensitive information are not cached on that server. This provides a safety mechanism if the RODC is stolen or compromised.

Or, depending on how the Domain Controllers are configured, it is possible to pull AD credential password hashes using Mimikatz DCSync. In this scenario, we want to gain admin access to an Admin server, but do not have direct access to it. We realize that an RODC has cached the password for this server, so we get onto the RODC and dump the AD database to obtain the admin server's computer account password hash. In this lab environment, the Admin computer is called “ADSEC12ADMIN1”. Enumerating the msDS-RevealedUsers attribute on the RODC computer object in Active Directory, we can view the list of accounts with passwords stored on the RODC.

When the RODC receives an authentication request, it forwards it to a writable DC (RWDC). The RODC then requests a copy of the credential so that it can service the request itself in the future. If the password replication policy allows credential caching, the credential details are cached and the RODC can service subsequent logon requests locally. RODCs need access to the credentials of users and computers to authenticate them locally. Every RODC should have a specific list of principals that it is designated to authenticate and is therefore allowed to retrieve credentials for.

  • Also, for the same reason, I will only refer to the point where you declare the folder and not specifically to the process of promoting the server to a Domain Controller.
  • This was tested successfully in limited lab testing on Windows Server 2008 R2 and 2012 R2 Domain Controllers.
  • In order for a user to authenticate from a computer in a site with an RODC to that RODC, both the user and the computer passwords need to be cached on the RODC.
  • It only replicates from a writable Domain Controller; nothing replicates back.
  • Every Active Directory domain has a domain Kerberos service account called KRBTGT which is used to sign all Kerberos tickets and encrypt all Kerberos authentication tickets.

The new RODC will use this key to encrypt and sign the TGTs that it generates. The key is assigned a random key version number and stored in a new AD account named KRBTGT_XXXXX, where XXXXX is the key version number. The key version number is also stored in the msDS-SecondaryKrbTgtNumber attribute of the new KRBTGT account. If a DC is not placed in the branch office, all authentication and service ticket activity is directed to the main site over the WAN link.

Since RODC attributes contain some useful information and all Authenticated Users have read access to these attributes by default, we can query these attributes and use this information to craft an attack. This post covers several attack techniques that can be performed against Read-Only Domain Controllers and chains them together in interesting ways based on real-world configurations. Federation is a much better solution and greatly reduces risk of compromise related to authentication of internal users to external systems. Federation enables internal users to be authenticated to external systems without exposing the internal Active Directory to the DMZ or systems on the internet.

You can control it so that only required information is cached, such as credentials for the users in a specific office. RODCs were originally designed to provide authentication and directory services in situations where the system could not be fully trusted. This normally means not allowing account passwords to be cached, or configuring a subset of domain user and computer accounts that are allowed to have their passwords cached on the RODC. This is configured by creating a group, adding the appropriate accounts to the group, and setting the Password Replication Policy on the RODC to enable password caching for that group.

After this, the RODC requests the user's password from the writable DC. If allowed by the RODC's Password Replication Policy, the writable DC replicates the user's password to the RODC. Once the user's password is cached on the RODC, the RODC handles the authentication request itself. Administrator Role Separation: administration of an RODC can be delegated to a domain user account without providing “keys to the kingdom” access or significantly decreasing the security posture of Active Directory. The Read-Only Domain Controller is a type of domain controller introduced in Windows Server 2008.


RODCs are typically administered by an “RODC admins” group which is usually not protected to a high level. Often the RODC admin group contains server administrators and potentially regular user accounts. The accounts in the RODC admin group are often allowed to be cached on the RODC so that administration still works if a writable DC cannot be contacted to authenticate them. Local AD database storage: writable DCs host a full copy of the Active Directory database including security principal credentials.
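The following audit is an added example (not code from the original post or from any tool it mentions) that ties together the managedBy check, the Password Replication Policy, and the list of accounts already revealed to each RODC described above. It assumes the RSAT ActiveDirectory module and an ordinary domain account, which by default can read these attributes; it flags the two conditions the text calls out as risky, a broad Allowed list and RODC admins whose own passwords are cached on the box they administer.

```powershell
# Added example: audit every RODC's PRP, cached (revealed) accounts and managedBy.
# Assumes the RSAT ActiveDirectory module and default read rights in the domain.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$domainUsersSid = "$($domain.DomainSID.Value)-513"   # RID 513 = Domain Users
$authUsersSid   = 'S-1-5-11'                          # well-known Authenticated Users
$broadSids      = @($domainUsersSid, $authUsersSid)

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    Write-Host "== $($rodc.HostName) =="

    # Allowed list of the PRP: principals this RODC may cache. Authenticated Users
    # or Domain Users here means almost any account can end up stored on the RODC.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed
    $broad   = $allowed | Where-Object { $broadSids -contains $_.SID.Value }
    if ($broad) {
        Write-Warning "PRP allows broad caching: $(($broad | ForEach-Object Name) -join ', ')"
    }

    # Accounts whose secrets are already on the RODC (this is what the
    # msDS-RevealedUsers attribute on the RODC computer object records).
    $revealed     = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts)
    $revealedSids = @($revealed | ForEach-Object { $_.SID.Value })
    Write-Host "Cached accounts: $($revealed.Count)"
    $revealed | Where-Object { $_.ObjectClass -eq 'computer' } |
        ForEach-Object { Write-Host "  cached computer account: $($_.SamAccountName)" }

    # managedBy grants local admin on the RODC; an admin whose password is cached
    # on the same RODC can be recovered from it by whoever controls the box.
    $computer = Get-ADComputer -Identity $rodc.Name -Properties managedBy
    if ($computer.managedBy) {
        $mgr = Get-ADObject -Identity $computer.managedBy
        Write-Host "managedBy: $($mgr.Name) ($($mgr.ObjectClass))"
        if ($mgr.ObjectClass -eq 'group') {
            $cachedAdmins = Get-ADGroupMember -Identity $mgr.DistinguishedName -Recursive |
                Where-Object { $revealedSids -contains $_.SID.Value }
            if ($cachedAdmins) {
                Write-Warning "RODC admins with cached passwords: $(($cachedAdmins | ForEach-Object SamAccountName) -join ', ')"
            }
        }
    }
}
```

Remediation for a flagged RODC is the action the text describes: tighten the Allowed list to a dedicated site group and keep the RODC admins group out of it, then reset any credential already revealed.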


The RODC exists so that a stolen Domain Controller no longer means a compromised domain. There are several ways to protect Read-Only Domain Controllers against attacks, most of which involve restricting RODC access more tightly. Once the Silver Tickets are generated and passed into memory, we can view these tickets with klist. It is important to note that we cannot DCSync from an RODC, since RODCs do not replicate data outward.

At the Edge of Tier Zero: The Curious Case of the RODC

A DC maintains a copy of all attributes of all objects in its domain, including secrets such as information related to user passwords. If a DC is accessed or stolen, it becomes possible for a determined expert to identify valid user names and passwords, at which point the entire domain is compromised. At a minimum, you must reset the passwords of every user account in the domain. Because the security of servers at branch offices is often less than ideal, a branch office DC poses a considerable security risk.


Once we gain admin access to an RODC, either by compromising an RODC admin account, a GPO that applies to it, or a system that manages it, dumping the local Windows Security Accounts Manager database is a good first step. Yes, Domain Controllers do have a local Administrator account: the Directory Services Restore Mode (DSRM) account. Using Mimikatz, we can get the DSRM account password for the RODC. So, by gaining access to the RODC, we now have full control of accounts and groups as well as admin rights to all servers in the Servers OU. When a user attempts to authenticate to an RODC, the RODC checks whether it has the user's password cached. If it does not already have the password, the RODC forwards the authentication request to an upstream writable DC, which replies with the authentication data.

When talking to them about physical security and the RODC, they start to imagine all the ways someone could possibly come after their servers, and because sysadmins also tend to be movie buffs, things start to get a little crazy. First, keep in mind that RODCs do not provide greater protection against network-based attacks. An RODC only provides more security should someone gain physical access to the server, usually through theft. For servers locked in secure racks in a cool, monitored server room, this should not be an issue. An RODC is best suited to sites or locations where you cannot afford, or do not want, an AD expert on hand to manage or modify the directory.

tobias carmon diaz
