| Administrative Task | Security Risk * |
|---|---|
| 1. Create a domain user account | Instantly obtain access to all organizational IT assets to which Authenticated Users, Domain Users and Everyone have access.<br>Engage in malicious activities (e.g. launching a DoS attack, cracking passwords, etc.) that are hard to trace back to the individual. |
| 2. Delete a domain user account | Prevent an individual from being able to perform their business functions until IT personnel effectively reinstate their account.<br>Require IT personnel to completely re-provision all access grants that were originally provisioned for the individual in the organization. |
| 3. Reset a user account's password | Completely take over the user's identity by simply logging in as the user and accessing every IT asset to which the user has access.<br>Engage in illegal or unauthorized malicious activities and implicate the individual whose password was reset in them. |
| 4. Enable a disabled domain user account | Enable the individual to whom the disabled account belongs to instantly log in and engage in computing activities.<br>Reset the account's password after enabling it, so as to be able to use it to engage in (malicious) computing activities. |
| 5. Unlock a locked domain user account | Significantly weaken the protection afforded to the account, by being able to repeatedly attempt to crack its password, even though it is configured to lock after a specific number of failed attempts. |
SECURITY GROUP MANAGEMENT

| Administrative Task | Security Risk * |
|---|---|
| 1. Create a domain security group | Attempt to breach security by creating a security group with a misleading name, which unsuspecting users may then use to provision access to confidential resources; the group's creator can then easily obtain that access by adding his/her account to the group. |
| 2. Delete a domain security group | Jeopardize security by making all organizational IT assets protected by the group instantly vulnerable to security compromise.<br>Deny organizational users access to all IT assets to which access had been provisioned through this security group. |
| 3. Modify a domain security group's membership | Grant unauthorized users access to all organizational IT assets protected by the group, in effect compromising their security.<br>Deny organizational users access to all IT assets to which access had been provisioned through this security group. |
| 4. Modify the scope of a domain security group | Jeopardize security by making certain organizational IT assets protected by the group vulnerable to security compromise.<br>Deny organizational users access to certain IT assets to which access had been provisioned through this security group. |
| 5. Modify the type of a domain security group | Jeopardize security by making all organizational IT assets protected by the group instantly vulnerable to security compromise.<br>Deny organizational users access to all IT assets to which access had been provisioned through this security group. |
ORGANIZATIONAL UNIT MANAGEMENT

| Administrative Task | Security Risk * |
|---|---|
| 1. Create an organizational unit (OU) | Instantly acquire the ability to create domain user accounts, security groups, OUs, SCPs and other Active Directory objects, which can be instantly used for engaging in malicious activities. |
| 2. Delete an organizational unit (OU) | Prevent all individuals whose user accounts were in the OU from being able to perform their business functions until IT personnel have effectively reinstated their accounts.<br>Require IT personnel to completely re-provision all access grants that were originally provisioned for all individuals in the organization.<br>Jeopardize security by making all organizational IT assets protected by all security groups that were in the OU instantly vulnerable to security compromise.<br>Deny users access to all IT assets to which access had been provisioned through security groups that resided in the OU.<br>Significantly jeopardize the security of all computers whose accounts reside in the OU, in effect weakening their security, and prevent the users to whom these computers belong from logging on. |
| 3. Change the list of GPOs linked to an OU | Potentially jeopardize (circumvent, render ineffective, or weaken) the security of all computers whose accounts reside in the OU, and by extension jeopardize all IT assets stored on these computers. |
| 4. Disable GPOs linked to an OU | Potentially jeopardize (circumvent, render ineffective, or weaken) the security of all computers whose accounts reside in the OU, and by extension jeopardize all IT assets stored on these computers. |
| 5. Change the precedence of GPOs linked to an OU | Potentially jeopardize (circumvent, render ineffective, or weaken) the security of all computers whose accounts reside in the OU, and by extension jeopardize all IT assets stored on these computers. |
SERVICE CONNECTION POINT MANAGEMENT

| Administrative Task | Security Risk * |
|---|---|
| 1. Create a service connection point (SCP) | Launch a denial-of-service attack against a specific service that uses SCPs, by creating an SCP that specifies the same keywords as that service, with the effect of redirecting the service's clients away from the actual service instance. |
| 2. Delete an SCP | Launch a denial-of-service attack against a specific service using the SCP, as clients of the service will no longer be able to locate the specific instance of the service pointed to by the deleted SCP. |
| 3. Change an SCP's keywords | Launch a denial-of-service attack against a specific service using the SCP, as clients of the service will no longer match this SCP because its keywords have changed, and thus will not be able to locate the specific instance of the service pointed to by the SCP. |
| 4. Change an SCP's service DNS name | Launch a denial-of-service attack against a specific service using the SCP, as clients of the service will no longer be able to contact the host that hosts the specific instance of the service pointed to by this SCP, because its Service-DNS-Name has changed. |
| 5. Change an SCP's security permissions | Launch a denial-of-service attack against a specific service using the SCP, by being able to change any or all of its attributes and/or to delete the SCP itself, so that clients are unable to locate the specific instance of the service pointed to by this SCP. |
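Every task in the four tables above leaves a trace in the Security log of the domain controller that performed it, which is what makes these risks auditable. The following is an added example, not part of the original tables: it maps the standard Windows Security event IDs for user, group and directory-object changes onto the task rows above, and flags the enable-then-reset sequence described under user-account task 4. The event records are constructed stand-ins for what a log collector would forward; the simplified field names (`EventID`, `Subject`, `Target`, `ObjectClass`, `Attribute`) are this example's own and do not reproduce the real event schema.

```python
"""Detection logic for the administrative tasks catalogued above.

Added example, not part of the original tables. Classifies Windows Security
audit events from a domain controller by the task rows above and flags the
enable-then-reset sequence called out under user-account row 4. The event
records below are constructed stand-ins; the flat field names are this
example's own simplification of the real event schema (assumption).
"""
from collections import defaultdict

# Standard Security-log event IDs for the user and group tasks in the tables.
USER_GROUP_EVENTS = {
    4720: ("User account", "create a domain user account"),
    4726: ("User account", "delete a domain user account"),
    4724: ("User account", "reset a user account's password"),
    4722: ("User account", "enable a disabled domain user account"),
    4767: ("User account", "unlock a locked domain user account"),
    4727: ("Security group", "create a domain security group"),
    4754: ("Security group", "create a domain security group"),
    4730: ("Security group", "delete a domain security group"),
    4758: ("Security group", "delete a domain security group"),
    4728: ("Security group", "modify a domain security group's membership"),
    4729: ("Security group", "modify a domain security group's membership"),
    4756: ("Security group", "modify a domain security group's membership"),
    4757: ("Security group", "modify a domain security group's membership"),
    4764: ("Security group", "modify the type or scope of a domain security group"),
}

# Directory Service Changes events cover OUs and SCPs; the object class and,
# for modifications, the attribute name tell the table rows apart.
DS_CHANGE_EVENTS = {5137: "create", 5136: "modify", 5141: "delete"}


def classify(event):
    """Return (section, task) for an event matching a table row, else None."""
    eid = event["EventID"]
    if eid in USER_GROUP_EVENTS:
        return USER_GROUP_EVENTS[eid]
    action = DS_CHANGE_EVENTS.get(eid)
    if action is None:
        return None
    cls = event.get("ObjectClass", "")
    attr = event.get("Attribute", "")
    if cls == "organizationalUnit":
        if action == "modify" and attr == "gPLink":
            # Link list, link order (precedence) and the link-disabled flag
            # are all stored in the OU's gPLink attribute.
            return ("Organizational unit",
                    "change GPOs linked to an OU (list, precedence or enabled state)")
        return ("Organizational unit", f"{action} an organizational unit (OU)")
    if cls == "serviceConnectionPoint":
        if action == "modify":
            by_attr = {"keywords": "change an SCP's keywords",
                       "serviceDNSName": "change an SCP's service DNS name",
                       "nTSecurityDescriptor": "change an SCP's security permissions"}
            return ("Service connection point", by_attr.get(attr, "modify an SCP"))
        return ("Service connection point", f"{action} a service connection point (SCP)")
    return None


def triage(events):
    """Classify events and flag enable-then-reset on one target by one subject.

    Returns (alerts, sequences): alerts is a list of
    (subject, target, section, task); sequences lists (subject, target) pairs
    where a 4722 (enable) was later followed by a 4724 (password reset).
    Events are assumed to arrive in chronological order.
    """
    alerts = []
    enabled_by = defaultdict(set)   # target -> subjects who enabled it
    sequences = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        subject, target = ev["Subject"], ev["Target"]
        alerts.append((subject, target, *hit))
        if ev["EventID"] == 4722:
            enabled_by[target].add(subject)
        elif ev["EventID"] == 4724 and subject in enabled_by[target]:
            sequences.append((subject, target))
    return alerts, sequences


# Constructed sample events (not captured from any real system).
SAMPLE_EVENTS = [
    {"EventID": 4722, "Subject": "CORP\\helpdesk1", "Target": "CORP\\jdoe"},
    {"EventID": 4724, "Subject": "CORP\\helpdesk1", "Target": "CORP\\jdoe"},
    {"EventID": 4728, "Subject": "CORP\\helpdesk1", "Target": "CORP\\Finance-Share-RW"},
    {"EventID": 5136, "Subject": "CORP\\gpoadmin",
     "Target": "OU=Workstations,DC=corp,DC=example",
     "ObjectClass": "organizationalUnit", "Attribute": "gPLink"},
    {"EventID": 5136, "Subject": "CORP\\svcadmin",
     "Target": "CN=ExampleSvc,CN=Servers,DC=corp,DC=example",
     "ObjectClass": "serviceConnectionPoint", "Attribute": "keywords"},
    {"EventID": 4624, "Subject": "CORP\\jdoe", "Target": "WS01"},  # logon, ignored
]

if __name__ == "__main__":
    found, chained = triage(SAMPLE_EVENTS)
    for a in found:
        print("%-16s %-45s %s: %s" % a)
    print("enable-then-reset sequences:", chained)
```

The 5136/5137/5141 events are only emitted when a SACL on the container audits the relevant changes, so the OU and SCP rows are invisible to this classifier unless Directory Service Changes auditing is enabled; the user and group IDs come from Account Management auditing instead.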