search
GitHubTwitterExegolTools

RODC

Read-Only Domain Controller

hashtag
Theory

The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case.

(By Elad Shamir on specterops.ioarrow-up-right)

RODC holds a read-only filtered copy of the Active Directory database with all the sensitives attributes deleted, like the LAPS passwords (this refers to RODC Filtered Attribute Setarrow-up-right (FAS)), and cache only specific credentials.

hashtag
RODC Management

As any Active Directory object, an RODC has an attribute named managedBy. Any user or group specified in the attribute has local administrative rights on the RODC. From an attacker point of view, this means that compromising an account listed in the managedBy attribute leads to an RODC admin access. And with sufficient rights to modify this attribute, an attacker can promote himself to RODC admin.

hashtag
Authentication with an RODC

To authenticate a principal locally, the RODC must be allowed to retrieve his credentials. Only users, groups and computers that are in the msDS-RevealOnDemandGrouparrow-up-right and not in msDS-NeverRevealGrouparrow-up-right may have their credentials cachedarrow-up-right on the RODC to be used for future local authentication (in this case, their principal name IDs are added to its msDS-Revealed-Listarrow-up-right attribute). The attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup define the Password Replication Policyarrow-up-right of the RODC.

The default PRP (Password Replication Policy) specifies that no account passwords can be cached on any RODC, and certain accounts are explicitly denied from being cached on any RODC. (Microsoftarrow-up-right)

In case the RODC has cached the principal's credentials and thus, is able to authenticate it locally, it will issue a TGT. To do so, the RODC holds a derived version of the krbtgt key named krbtgt_XXXXX(where XXXXX is its random version number) and uses it to sign and encrypt the generated TGT. This krbtgt account's version number can also be found in its msDS-SecondaryKrbTgtNumber attribute.

circle-info

The RODC computer account has reset rights on the account krbtgt_XXXXX's password.

When the RODC generates the TGT, it indicates in the kvno field the version number of the key used to generate the ticket. With this TGT, it is possible to request a Service Ticket (ST) against the RODC or any accessible standard writable Domain Controller (provided that the principal is listed in msDS-RevealOnDemandGroup and not listed in msDS-NeverRevealGroup).

RODC authentication flow
RODC service access flow

hashtag
Practice

Several attacks can be performed on RODCs:

hashtag
Resources

LogoAt the Edge of Tier Zero: The Curious Case of the RODC - SpecterOpsSpecterOpschevron-right
Attacking Read-Only Domain Controllers (RODCs) to Own Active DirectoryActive Directory & Azure AD/Entra ID Securitychevron-right
LogoResource HubSecureAuthchevron-right
LogoAppendix A: Read-Only Domain Controller (RODC) Technical Reference TopicsMicrosoftLearnchevron-right
LogoRODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODCMicrosoftLearnchevron-right
PreviousPre-Windows 2000 computersNextPersistence

Last updated

Was this helpful?