Active Directory: the hidden information behind the "User Account Control"

The term “User Account Control” can refer to two mechanisms that are well known to Windows users. The first was introduced with Windows Vista and allows programs to be run with restricted rights by default.

The second is an attribute of accounts (users or computers) in Active Directory. In this article, we will discuss this mechanism.

The "User Account Control" attribute (userAccountControl in the directory) is an integer between 2 and 134 167 290. Its decimal (base 10) representation carries no meaning by itself; the value must be read in binary (base 2), as an unsigned 32-bit (4-byte) number. Each bit of this number is a "flag" for one of the UAC features:

  • If the bit is 1, the associated property is enabled for the account the UAC value belongs to.
  • If the bit is 0, the property is disabled.

bit 32 (most significant)  0000 0000 0000 0000 0000 0000 0000 0000  bit 1 (least significant)

The following table lists the UAC features, the bit associated with each, and the behaviour when that bit is set [1].

| Bit number | Decimal value | Property | Description |
|---|---|---|---|
| 1 | 1 | SCRIPT | The logon script will be run. |
| 2 | 2 | ACCOUNTDISABLE | The user account is disabled. |
| 3 | 4 | Reserved | Must be 0. |
| 4 | 8 | HOMEDIR_REQUIRED | The home folder is required. |
| 5 | 16 | LOCKOUT | The account is locked. |
| 6 | 32 | PASSWD_NOTREQD | No password is required. |
| 7 | 64 | PASSWD_CANT_CHANGE | The user cannot change the password. |
| 8 | 128 | ENCRYPTED_TEXT_PWD_ALLOWED | The user can send an encrypted password. |
| 9 | 256 | TEMP_DUPLICATE_ACCOUNT | It is an account for users whose primary account is in another domain. |
| 10 | 512 | NORMAL_ACCOUNT | It is a default account type. |
| 11 | 1 024 | Reserved | Must be 0. |
| 12 | 2 048 | INTERDOMAIN_TRUST_ACCOUNT | It is a permit to trust an account for a system domain that trusts other domains. |
| 13 | 4 096 | WORKSTATION_TRUST_ACCOUNT | It is a computer account for a computer that is running Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows 2000 Professional or Windows 2000 Server. |
| 14 | 8 192 | SERVER_TRUST_ACCOUNT | It is a computer account for a domain controller that is a member of this domain. |
| 15 | 16 384 | Reserved | Must be 0. |
| 16 | 32 768 | Reserved | Must be 0. |
| 17 | 65 536 | DONT_EXPIRE_PASSWORD | The password should never expire. |
| 18 | 131 072 | MNS_LOGON_ACCOUNT | It is an MNS logon account. |
| 19 | 262 144 | SMARTCARD_REQUIRED | The user must log on with a smart card. |
| 20 | 524 288 | TRUSTED_FOR_DELEGATION | The service account under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
| 21 | 1 048 576 | NOT_DELEGATED | The security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| 22 | 2 097 152 | USE_DES_KEY_ONLY | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
| 23 | 4 194 304 | DONT_REQ_PREAUTH | This account does not require Kerberos pre-authentication for logging on. |
| 24 | 8 388 608 | PASSWORD_EXPIRED | The user's password has expired. |
| 25 | 16 777 216 | TRUSTED_TO_AUTH_FOR_DELEGATION | The account is enabled for delegation. |
| 26 | 33 554 432 | Reserved | Must be 0. |
| 27 | 67 108 864 | PARTIAL_SECRETS_ACCOUNT | The account is a read-only domain controller (RODC). |
| 28 | 134 217 728 | Reserved | Must be 0. |
| 29 | 268 435 456 | Reserved | Must be 0. |
| 30 | 536 870 912 | Reserved | Must be 0. |
| 31 | 1 073 741 824 | Reserved | Must be 0. |
| 32 | 2 147 483 648 | Reserved | Must be 0. |

Example:

Consider the UAC value 514. Since 514 = 512 + 2, bits 10 (NORMAL_ACCOUNT) and 2 (ACCOUNTDISABLE) are set and every other bit is 0.

The UAC therefore tells us that this is a normal account, in a disabled state.

Some common values:

  • User account: 512 (NORMAL_ACCOUNT)
  • Domain controller: 532 480 (TRUSTED_FOR_DELEGATION + SERVER_TRUST_ACCOUNT, i.e. 524 288 + 8 192)
  • Server: 4 096 (WORKSTATION_TRUST_ACCOUNT)

Now that we have explained the mechanics of User Account Control values, let us look at some best practices [2].

  • A domain controller account must contain SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION.
  • A read-only domain controller account must contain PARTIAL_SECRETS_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION and WORKSTATION_TRUST_ACCOUNT.
  • Accounts must enforce Kerberos pre-authentication, and therefore must not contain DONT_REQ_PREAUTH.
  • Accounts should not have passwords that never expire, so DONT_EXPIRE_PASSWORD should not be set.
  • No account other than a domain controller should contain TRUSTED_FOR_DELEGATION unless the authentication delegation is constrained.
  • The USE_DES_KEY_ONLY flag is obsolete and should not be set.
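The following Python script is an added example (it is not code from the original article, and not an official tool): it decodes a userAccountControl value into the flag names of the table above, applies it to the worked values (514, 532 480 and 4 096), and then checks a small, constructed extract of accounts against the best-practice rules just listed. The `role` field of each record ("dc", "rodc" or "other") and the sample account names are assumptions for this example; in a real audit the role would be derived from other directory attributes (object class, group membership), and whether a delegation is constrained would be read from the account's delegation settings rather than from the UAC value alone.

```python
"""Decode the Active Directory userAccountControl attribute and audit accounts
against the hardening rules listed in the article.

Added example, not from the original page. The flag names and bit values are the
documented userAccountControl flags; the account records below are constructed.
"""

# Flag name -> bit value. Bits marked "Reserved" in the article are omitted:
# they must be 0, and decode_uac() rejects values that set them.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
KNOWN_MASK = sum(UAC_FLAGS.values())  # every non-reserved bit


def decode_uac(value):
    """Return the sorted list of flag names set in a userAccountControl value.

    Raises ValueError if the value is not an unsigned 32-bit integer or if a
    reserved bit (one that must be 0) is set."""
    if not 0 <= value < 2 ** 32:
        raise ValueError("userAccountControl is an unsigned 32-bit integer")
    if value & ~KNOWN_MASK:
        raise ValueError(f"reserved bit set in {value:#010x}")
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def encode_uac(*names):
    """Build a userAccountControl value from flag names (inverse of decode_uac)."""
    return sum(UAC_FLAGS[name] for name in names)


def audit_account(account):
    """Check one account record against the article's best-practice rules.

    account: dict with 'name', 'uac' (int) and 'role' in {"dc", "rodc", "other"}
    (hypothetical input shape for this example). Returns a list of findings;
    an empty list means the account is compliant with the listed rules."""
    flags = set(decode_uac(account["uac"]))
    findings = []

    if account["role"] == "dc":
        for required in ("SERVER_TRUST_ACCOUNT", "TRUSTED_FOR_DELEGATION"):
            if required not in flags:
                findings.append(f"domain controller missing {required}")
    elif account["role"] == "rodc":
        for required in ("PARTIAL_SECRETS_ACCOUNT",
                         "TRUSTED_TO_AUTH_FOR_DELEGATION",
                         "WORKSTATION_TRUST_ACCOUNT"):
            if required not in flags:
                findings.append(f"read-only domain controller missing {required}")
    elif "TRUSTED_FOR_DELEGATION" in flags:
        # TRUSTED_FOR_DELEGATION on a non-DC is unconstrained delegation
        findings.append("non-DC account trusted for unconstrained delegation")

    if "DONT_REQ_PREAUTH" in flags:
        findings.append("Kerberos pre-authentication not required")
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("password never expires")
    if "USE_DES_KEY_ONLY" in flags:
        findings.append("obsolete DES-only Kerberos keys")
    return findings


# Constructed sample extract (not real accounts): a compliant DC, the article's
# disabled user (514), and a legacy service account with three weak settings.
SAMPLE_ACCOUNTS = [
    {"name": "DC01$", "role": "dc", "uac": 532480},
    {"name": "alice", "role": "other", "uac": 514},
    {"name": "svc_legacy", "role": "other",
     "uac": encode_uac("NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWORD",
                       "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY")},
]


def audit_all(accounts):
    """Map each account name to its list of findings."""
    return {acct["name"]: audit_account(acct) for acct in accounts}


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["name"], acct["uac"], decode_uac(acct["uac"]))
        for finding in audit_account(acct):
            print("  finding:", finding)
```

Running the script prints, for each sample account, the decoded flag list followed by any findings: `DC01$` and `alice` produce none, while `svc_legacy` is reported three times. Rejecting reserved bits in `decode_uac()` is deliberate: a value such as 4 is not a valid UAC, and silently ignoring it would hide a corrupted or hand-edited attribute.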

To conclude, the meaning of an account's UAC attribute matters more than its numeric value. That is why IAG (identity and access governance) solutions prefer to translate it into several "enabled/disabled" fields, such as "Password never expires: Enabled". The UAC is a source of raw information comparable to what other systems expose (e.g. the "REVOKED" flag in RACF), but it shows its full strength only once it is broken down and translated, so that identity and access governance becomes simple and readable for end users.

Sources:

[1] Microsoft documentation on the userAccountControl attribute, https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties (accessed 26/03/2021)

[2] ANSSI, Active Directory control points, https://www.cert.ssi.gouv.fr/uploads/guide-ad.html (accessed 26/03/2021)
