August 5, 2022

Careful Not to Set Up an Internal Attacker


It’s Monday morning. You, the directory administrator, receive from HR the stack of paperwork for this week’s new employees. You proceed to create the 12 new users, checking that each first name, last name and logon name is correct, and you set the same initial password for all of them: NewHire01. Then you fill in the details for each account: home drive, telephone number and department.

You finish the task and move on with your day. You have done this every week for the past 10 years and think nothing of the setup you have just handed to the disgruntled employee sitting in the engineering department.
Do you see the glaring error in how those 12 accounts were set up?

  • By default, every authenticated domain user can read most of Active Directory, including every user object and its attributes; no special rights are needed to list the accounts created this week.
  • Any user can attempt to log on as any other account; nothing stops them from typing a colleague’s logon name and a guessed password.
  • Attributes such as lastLogonTimestamp (not populated until the first logon) and logonCount reveal which of those accounts have never been used, and whenCreated tells you which ones are this week’s new hires.
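The reconnaissance those three facts allow, as an added example that is not part of the original article: an LDAP query that any authenticated domain user can run from a domain-joined Windows machine with the built-in `[adsisearcher]` accelerator (no RSAT or ActiveDirectory module required, which is the point). It lists enabled accounts that have never logged on, limited to recently created ones. It is equally useful as a defender’s audit of how many unused accounts are sitting with a guessable initial password. The hypothetical corp.example domain in the usage comment is an assumption.

```powershell
# Added example, not from the original article. Lists enabled user accounts that have
# never logged on. Runs as any authenticated domain user on a domain-joined machine
# through the built-in [adsisearcher] (System.DirectoryServices.DirectorySearcher).

function Get-FirstValue($props, $name) {
    # DirectorySearcher returns each attribute as a value collection; absent
    # attributes yield an empty collection, so guard before indexing.
    if ($props[$name].Count -gt 0) { $props[$name][0] } else { $null }
}

function Find-NeverLoggedOnUser {
    param(
        # Only report accounts created within the last N days (this week's new hires).
        [int]$CreatedWithinDays = 30
    )

    # LDAP filter:
    #   person/user objects,
    #   not disabled (userAccountControl bit 0x2, tested with the bitwise-AND rule),
    #   lastLogonTimestamp absent: it is only written after the first logon.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
                  '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                  '(!(lastLogonTimestamp=*)))'

    $searcher = [adsisearcher]$ldapFilter
    $searcher.PageSize = 1000   # page the results so large domains are not cut off at 1000
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'whenCreated', 'pwdLastSet', 'department', 'logonCount'))

    $cutoff = (Get-Date).AddDays(-$CreatedWithinDays)

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # attribute names are lower-cased in this collection
        $created = [datetime](Get-FirstValue $p 'whencreated')
        if ($created -lt $cutoff) { continue }

        [pscustomobject]@{
            SamAccountName = [string](Get-FirstValue $p 'samaccountname')
            Department     = [string](Get-FirstValue $p 'department')
            Created        = $created
            # pwdLastSet = 0 means "must change password at next logon" is pending
            # (or no password was ever set); any other value is a FILETIME timestamp.
            MustChangePwd  = ([int64](Get-FirstValue $p 'pwdlastset') -eq 0)
            # logonCount is kept per domain controller and is not replicated;
            # 0 here only proves the account never logged on via the DC that answered.
            LogonCount     = [int](Get-FirstValue $p 'logoncount')
        }
    }
}

# Usage against a hypothetical corp.example domain (run as an ordinary domain user):
#   Find-NeverLoggedOnUser -CreatedWithinDays 7 | Sort-Object Created -Descending | Format-Table
```

Two caveats when reading the output: lastLogonTimestamp is a replicated attribute and so works from any domain controller, but logonCount is not, so treat it as a hint rather than proof. And an account that shows MustChangePwd = True with a shared initial password is the worst case of all: the first person to log on, legitimate or not, gets to choose the new password.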

How is this possible?
Any domain user who knows the convention (the logon-name format and the shared password NewHire01) can log on as a newly created account before its real owner ever does. Once logged on, they have whatever access that account’s group memberships grant: the shares, mailbox and applications of a department they were never meant to reach, and the activity is recorded under the new hire’s name rather than their own.
Every newly created account needs its own random password, so that nobody except the account creator and the new employee knows it. Pair it with the “User must change password at next logon” flag: the first logon with the random password forces the user to choose their own, so the initial password is effectively valid for a single use. The flag on its own does not fix the problem; with a shared password such as NewHire01, whoever logs on first simply sets the new password and locks the real new hire out. Deliver the random initial password out of band, not in the same email as the username.
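A provisioning script that does what the paragraph above describes, as an added example that is not part of the original article: each new hire gets a unique initial password drawn from the operating system’s CSPRNG, the account is created with the change-at-next-logon flag set, and a check function confirms the flag actually took effect. It needs the ActiveDirectory module (RSAT) and rights to create users in the target OU. The OU path, UPN suffix, file-server share and CSV column names are assumptions for the example.

```powershell
# Added example, not from the original article. Creates each new hire with its own
# cryptographically random initial password and the "User must change password at
# next logon" flag, instead of a shared password such as NewHire01.
# Requires the ActiveDirectory module (RSAT) and rights to create users in $OUPath.
# The OU, UPN suffix, home share and CSV columns are assumptions for the example.
Import-Module ActiveDirectory

function New-InitialPassword {
    param([int]$Length = 20)
    # Printable alphabet without look-alike glyphs (I, O, l, 0, 1). Bytes come from
    # the OS CSPRNG; rejecting bytes at or above the largest multiple of the alphabet
    # size keeps every character equally likely (no modulo bias).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $chars    = New-Object char[] $Length
    try {
        $i = 0
        while ($i -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]
                $i++
            }
        }
    } finally { $rng.Dispose() }
    -join $chars
}

function New-HardenedADUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Department,
        [string]$OfficePhone,
        [string]$OUPath    = 'OU=Staff,DC=corp,DC=example',   # assumption
        [string]$UpnSuffix = 'corp.example',                  # assumption
        [string]$HomeShare = '\\fs01\home'                    # assumption
    )
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    $params = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$UpnSuffix"
        Department            = $Department
        HomeDrive             = 'H:'
        HomeDirectory         = "$HomeShare\$SamAccountName"
        Path                  = $OUPath
        AccountPassword       = $secure
        ChangePasswordAtLogon = $true   # sets pwdLastSet = 0: first logon must pick a new password
        Enabled               = $true
    }
    if ($OfficePhone) { $params['OfficePhone'] = $OfficePhone }
    New-ADUser @params

    # Hand the one-time password back exactly once, for out-of-band delivery to the
    # new hire. Never write it to a log, a ticket, or the same email as the username.
    [pscustomobject]@{ SamAccountName = $SamAccountName; InitialPassword = $plain }
}

function Test-FirstLogonChangeRequired {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # PasswordLastSet reads as $null while pwdLastSet is 0, i.e. while the forced
    # change is still pending. The flag is ineffective if the password never expires,
    # so the check covers both.
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires
    ($null -eq $u.PasswordLastSet) -and (-not $u.PasswordNeverExpires)
}

# Bulk onboarding from the week's sheet. Assumed CSV columns:
# GivenName,Surname,SamAccountName,Department,OfficePhone
#   Import-Csv .\newhires.csv | ForEach-Object {
#       New-HardenedADUser -GivenName $_.GivenName -Surname $_.Surname `
#           -SamAccountName $_.SamAccountName -Department $_.Department -OfficePhone $_.OfficePhone
#   }
#   Test-FirstLogonChangeRequired -SamAccountName jsmith   # expect True before the first logon
```

The password generator deliberately avoids `Get-Random`, which is seeded for convenience rather than secrecy; 20 characters from an alphabet of this size gives well over 100 bits of entropy, far more than is needed for a credential that is only valid until the first logon. `New-ADUser` will refuse `-ChangePasswordAtLogon $true` together with `-PasswordNeverExpires $true`, but an account whose password expiry is later switched off by someone else loses the forced change, which is why the check function looks at both attributes.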
