Configuration Naming Context Replication
The Configuration Naming Context (NC) serves as the repository for forest-wide configuration data in Active Directory, necessitating its replication across the entire AD forest. The Distinguished Name (DN) for this context is CN=Configuration,DC=domain,DC=com
, wherein DC=domain,DC=com
denotes the DN of the forest root domain.
The Configuration NC is the primary repository for configuration information for a forest and is replicated to every domain controller in the forest. Additionally, every writable domain controller in the forest holds a writable copy of the Configuration NC.
To access the NC, follow these steps:
Open the Active Directory Services Interfaces (ADSI) Edit tool
adsiedit.msc
Click on
Action
in the menu barSelect
Connect to...
from the dropdown menuIn the
Connection Settings
window, underSelect a well-known Naming Context
, chooseConfiguration
Click
OK
to connectOnce connected, you will have access to the
Configuration Naming Context
, where you can view and manage configuration settings for Active Directory
Any modifications made to an object within Configuration at the forest root level will be replicated downwards
to all domains within the forest and vice-versa: if an object within Configuration undergoes a change in a child domain, that alteration will propagate upwards
to the forest root.
NC Replication Abuse
Configuration Naming Context (NC) replication abuse refers to a offensive tactic wherein attackers exploit the replication
mechanism of the Configuration Naming Context
in Active Directory to propagate unauthorized changes or configurations across the domain infrastructure.
To retrieve the Access Control List (ACL)
rights associated with the DN for the NC we can use the Get-Acl
cmdlet from a high-integrity shell.
Let's take a look at some dummy output
User | Rights on Configuration Naming Context (NC) |
| Full Control |
| Read all, List all, Write all, All Extended rights |
| Full Control |
We can see that NT AUTHORITY\SYSTEM
has GenericAll
over the NC.
On a child domain's DC, a SYSTEM
account has the authority to make modifications to the Configuration Naming Context within the forest by querying its local replica; any alterations initiated in this context will propagate back to the parent domain.
To abuse these privileges we can:
Last updated