Managed Service Accounts for the Protected Users Group

[mf-digital]

I noticed that the P-ProtectedUsers finding does respect, that if a user is a gMSA (group Managed Service Account), then those users are not being recommend for moving them into the "Protected Users" group (#180). During my research I could not find a valid reason on why only gMSA are being taken into consideration, but not MSA in general.

If nothing speaks against, I would recommend exempting MSAs from the recommendations to move them to the Protected Users group.

[JoeDibley]

Hi there,
Whilst it makes sense for gMSAs to be excluded due to their automated password management and rotation there is an edge case where with standard MSAs it is possible to manually set an insecure password on them using the command New-ADServiceAccount -RestrictToSingleComputer -AccountPassword (ConvertTo-SecureString -String "PASSW0rd!" -AsPlainText -Force )

With this in mind I propose we do the following:

• Leave MSAs to be included in P-ProtectedUsers
• Update the logic for the gMSA exlusions to exclude only when the following is true:
  • msds-ManagedPasswordInterval is less than 45 days
  • PasswordLastSet (pwdLastSet) is less than 45 days
• Extend the above updated gMSA logic to also include the new dMSA (Delegated Managed Service Accounts)

Let me know what you think!

[mf-digital]

Joe,

that sounds good. However Microsoft strictly advises against moving MSAs into the Protected Users group here: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#how-the-protected-users-group-works which I cannot fully comprehend on why they actually would not recommend it (probably to not force anyone out of NTLM or headaches while mitigating NTLM connections).

However I am not sure if this edge case is sufficient to not move the MSAs to the Protected Users Group or if the overall benefit of moving them is bigger than actually respecting the edge case. BUT that being said, you're the Product Manager and I leave the decision to you obv :)

[JoeDibley]

Thanks for the information and link. I think the Microsoft advice is based off strictly that it makes no difference for the local protections but I am sure the domain restrictions still apply (no delegation, RC4, ticket lifetimes etc).

However, based off the provided information I believe we should apply the same logic to MSAs that I mentioned above for gMSA and dMSA so all are treated the same. This should avoid confusion and then only highlight inactive accounts and accounts with an extended msds-ManagedPasswordInterval.

With this change in logic I think an update to the text of the rule is also in order to make it clearer when any type of MSA is detected.

Do you think that sounds like a plan?