Security Misconfiguration
Users and Computers Can Create and Delegate Computer Accounts

Security Misconfiguration

Issue

Default Active Directory deployments permit valid domain user and computer accounts to create up to ten (10) computer accounts in the domain. This default is configured in the MS-DS-Machine-Account-Quota attribute in the domain.

Recommended Remediation

The following outlines the recommended steps that the systems and network administrators should take in order to secure the environment.

Administrators can determine the attribute value via ADSI. To view the Attribute via ADSI and modify it, use the following steps:

• • Open the Server Manager with a privileged account, click the Tools menu, and select ADSI Edit

• • In the ADSI Edit window, select Action, Connect To, and enter the appropriate information for the domain. In most cases, the default settings are valid for this task. Click OK once verified.

• • Click the drop down for the new naming context, right click the directory beginning with DC=, and select Properties 
    • In the Properties window, scroll down to ms-DS-MachineAccountQuota, and observe the value. Reduce the value to zero, or whichever value your organization has deemed appropriate. 
    • Utilizing a non-domain joined computer for testing, attempt to join the computer to the Active Directory environment. When configured correctly, an error should occur stating that the computer cannot join the domain. 

The process can also be replicated utilizing PowerShell. Utilize the following command to query the ms-DS-MachineAccountQuota value:

• • Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-ds-machineaccountquota

Utilize the following PowerShell command to set the value to zero (0), and check the value afterwards. Ensure that the domain name reflects the current domain

• • Set-ADDomain -Identity <domain> -Replace @{“ms-ds-machineaccountquota”=”0”}