An important but little-known function of Active Directory is the Directory Service Recovery Mode (DSRM). Unfortunately, only a few administrators are familiar with this critical function. In this background article I try to shed some light on it.
What is the Directory Service Recovery Mode (DSRM)?
Directory Service Recovery Mode (DSRM; Microsoft's official name is Directory Services Restore Mode) is a special start-up option for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). DSRM is used to fix problems that prevent the normal operating mode from working. In DSRM, administrators can access the AD DS or AD LDS database directly to perform maintenance tasks or to troubleshoot errors that affect normal operation.
In simple terms, DSRM is an emergency recovery function that lets administrators access and repair the Active Directory database when it is corrupted or otherwise not working properly.
This is how the Directory Service Recovery Mode works:
- To enter DSRM, the domain controller has to be booted into this mode. This is done either by pressing F8 during start-up and choosing "Directory Services Repair Mode" from the advanced boot options, or by setting it beforehand in the boot configuration with "bcdedit /set safeboot dsrepair" (and "bcdedit /deletevalue safeboot" afterwards to return to a normal start-up).
- When a server is promoted to a domain controller, the administrator is prompted to set a DSRM password. This is the password of the domain controller's local Administrator account, which is stored in the local SAM, not in Active Directory. It is the only account that can log on in DSRM (as ".\Administrator"), and it is independent of the domain Administrator account and of the domain password policy.
- In DSRM, the Active Directory database can be accessed while it is offline. This allows the administrator to perform maintenance tasks or fix problems that prevent the database from functioning normally.
- Administrators can restore the database from a system state backup (authoritatively or non-authoritatively) or roll it back to an earlier state. They can also check the consistency of the database and repair it with tools such as "ntdsutil.exe".
It is important to note that the server in DSRM does not provide the full functionality of Active Directory. For example, the server in DSRM cannot provide logon services to other computers on the network. For this reason, the DSRM should only be used to perform maintenance tasks or troubleshooting, and the server should be returned to normal operating mode as soon as possible afterwards.
What are the risks of Directory Service Recovery Mode (DSRM)?
Unauthorised access to Directory Service Recovery Mode (DSRM) can pose a serious security risk. DSRM provides access to the core of the Active Directory database, so unauthorised access to this function gives attackers extensive control. Some specific risks are:
- Data manipulation: An attacker with access to DSRM can manipulate data in the Active Directory database. They could change account information, alter group memberships and privileges and even create new accounts, effectively making themselves a super administrator on your network.
- Data theft: Since DSRM provides full access to the database file NTDS.dit, intruders can extract sensitive information: user names, e-mail addresses, Kerberos keys and the password hashes of all domain accounts, including the krbtgt account.
- Denial of Service (DoS): An attacker could use DSRM to intentionally corrupt the Active Directory database and thereby disrupt normal operations. This could result in significant downtime and require time-consuming recovery or repair.
- Persistence mechanisms: An attacker could also use DSRM to establish persistence on your network, i.e. make changes that allow them to come back even after the original intrusion has been discovered and supposedly fixed. A well-documented example is the registry value DsrmAdminLogonBehavior under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: set to 2, it allows the DSRM administrator to log on to the domain controller during normal operation, so a known DSRM password becomes a backdoor that survives every domain password reset, because the account lives in the local SAM and not in the domain.
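The two things a practitioner wants to check on every domain controller after reading this list are the DsrmAdminLogonBehavior value and whether anyone has set the DSRM password recently. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory module, WinRM access to the domain controllers, and that "Audit User Account Management" is enabled (otherwise event 4794 is never written). The function name Get-DsrmExposure is my own.

```powershell
# Added example: audit all DCs for DSRM-related backdoor indicators.
# Assumptions: ActiveDirectory module, WinRM to the DCs, an account that may read
# HKLM and the Security log on each DC.
Import-Module ActiveDirectory

function Get-DsrmExposure {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # 0 or absent : DSRM administrator can log on only in DSRM (default)
        # 1           : also while the AD DS service is stopped
        # 2           : always, including normal operation -> backdoor indicator
        $behavior = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior `
                        -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
        if ($null -eq $behavior) { $behavior = 0 }

        # Event 4794: "An attempt was made to set the Directory Services Restore Mode
        # administrator password" - written by both ntdsutil variants (reset and sync).
        $resets = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } `
                        -MaxEvents 20 -ErrorAction SilentlyContinue)
        $last = if ($resets.Count -gt 0) { $resets[0].TimeCreated } else { $null }

        [pscustomobject]@{
            DomainController       = $env:COMPUTERNAME
            DsrmAdminLogonBehavior = $behavior
            Suspicious             = ($behavior -ne 0)
            LastDsrmPasswordSet    = $last
            RecentResetEvents      = $resets.Count
        }
    } | Select-Object DomainController, DsrmAdminLogonBehavior, Suspicious,
                      LastDsrmPasswordSet, RecentResetEvents
}

Get-DsrmExposure | Format-Table -AutoSize
```

A DsrmAdminLogonBehavior of 1 or 2 on any DC, or a 4794 event that does not match a documented password change, is worth an incident ticket: nobody needs either during normal operation.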
What is the reality of Directory Service Recovery Mode (DSRM)?
In practice, it almost always looks like this:
- When the DSRM password is needed, either nobody knows it or everybody does (including employees who left the company years ago).
- If there is documentation of the domain controller installation, the DSRM password is written down in it in plain text, and it is the same on every domain controller.
- Nobody is aware of the risk of this function, and the password is not changed when IT employees who know it leave the company.
From the perspective of IT security / basic IT protection
From the perspective of German IT-Grundschutz (as of February 2023 – so far only available in German – I translated the quotes into English for better understanding), the DSRM affects the following building blocks / measures directly or indirectly, for example:
- ORP.2.A2 Regulated procedure on departure of staff (B) – "In addition, all documents, keys and equipment, as well as identity cards and access authorisations that departing staff received in the course of their duties MUST be withdrawn." Source: ORP.2 Personnel (bund.de), page 3 – The DSRM password is a key to your AD. It must therefore be changed when someone who knows it leaves.
- ORP.4.A2 Establishment, modification and revocation of authorisations (B) – "In the event of personnel changes, user identifications and authorisations that are no longer required SHALL be removed." Source: ORP.4 Identity and authorisation management (bund.de), page 3 – The DSRM password is not an individual authorisation but a master key for emergencies: it cannot be removed per person, only changed.
- ORP.4.A8 Regulation of password use (B)
- As DSRM is the mode in which the directory is restored from backup, CON.3 Data backup concept (bund.de) must also be observed.
- OPS.1.1.1 General IT operations – "If internal or external operations personnel leave and the relevant processes are inadequately executed, such persons may continue to use the privileged rights. Similarly, shared accounts can have the effect of continuing to provide access to operationally relevant information and resources, e.g. when the field of work changes." Source: OPS.1.1.1 General IT operations (bund.de), page 4 – Unfortunately, for technical reasons, the DSRM account is exactly such a shared account: there is one local Administrator per domain controller, and everyone who knows its password can use it.
- OPS.1.1.2 Proper IT administration – "Privileged access rights, logons and physical access can also be misused if the processes are inadequate when internal or external administrators leave and, as a result, departed persons can continue to access IT components." Source: OPS.1.1.2 Proper IT administration (bund.de), page 3
- Given the importance of the DSRM, it must also be taken into account in the module OPS.1.1.7 System Management (bund.de).
This list is not exhaustive, but is intended to give an impression of the importance of the DSRM mode. I only found these in the first five building block groups (roughly one third of the catalogue). But the following building blocks should also be considered particularly intensively:
How should one handle the DSRM passwords now?
- Change it regularly, and at the latest when an employee who knows it leaves the company.
- Use a separate, randomly generated password for each DC: long, but one that can still be typed by hand at the console, because in an emergency there is no copy & paste.
- Store it securely (e.g. in a password vault) with logging of every access.
How to change it?
Either with the command "ntdsutil" (ntdsutil "set dsrm password" "reset password on server null" q q, where "null" stands for the local DC and the new password is entered twice at the prompt) or with this PowerShell script that also directly suggests a password: Scipts/ActiveDirectory/Reset-DSRM.ps1 at master – InfrastructureHeroes/Scipts (github.com).
Alternatively, the new Windows LAPS (Local Administrator Password Solution) can rotate the DSRM password automatically and store it protected in the AD. More about this in the article "Domain Controller and the Directory Service Recovery Mode with Windows LAPS".
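The interactive "reset password on server" prompt is awkward to automate. As an added example (my own code, not the Reset-DSRM.ps1 script linked above), the following PowerShell uses the other ntdsutil variant, "sync from domain account", which copies the password hash of a domain user into the DSRM administrator of the local DC without a prompt. It assumes it runs elevated on the DC, that the ActiveDirectory module is present, and that a dedicated helper user exists for this purpose (the name svc-dsrmsync is a placeholder); the success message it matches is the one ntdsutil prints for a successful sync.

```powershell
# Added example: rotate the DSRM password of the local DC without an interactive prompt.
# Assumptions: run elevated on the DC, ActiveDirectory module available, a dedicated
# helper account (placeholder name svc-dsrmsync) that is kept disabled between rotations.
param(
    [string]$HelperAccount = 'svc-dsrmsync',
    [int]$Length = 20
)
Import-Module ActiveDirectory

function New-DsrmPassword {
    param([int]$Length = 20)
    # Only unambiguous characters (no 0/O, 1/l/I): the password has to be typed by hand
    # at the console in an emergency. Upper, lower and digits still give three complexity
    # classes, so the helper account's reset passes a default domain password policy.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)     # rejection sampling: no modulo bias
    $buf   = [byte[]]::new(1)
    $sb    = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

$password = New-DsrmPassword -Length $Length
$secure   = ConvertTo-SecureString -String $password -AsPlainText -Force

# 1. Put the new password on the helper account. ntdsutil copies this account's hash,
#    so the helper must hold exactly the value that becomes the DSRM password.
#    The account is enabled only for the duration of the sync (conservative choice).
Set-ADAccountPassword -Identity $HelperAccount -Reset -NewPassword $secure
Enable-ADAccount -Identity $HelperAccount

try {
    # 2. Sync the DSRM administrator of *this* DC from the helper account. Every
    #    argument is one ntdsutil command; nothing is read from the console.
    $output = & ntdsutil.exe "set dsrm password" `
                             "sync from domain account $HelperAccount" quit quit 2>&1
    if (($output -join "`n") -notmatch 'synchronized successfully') {
        throw "ntdsutil did not report success:`n$($output -join "`n")"
    }
}
finally {
    # 3. The helper must never remain usable with the DSRM password, otherwise the
    #    DSRM secret also exists as a domain logon: scramble it and disable it again.
    $scramble = ConvertTo-SecureString (New-DsrmPassword -Length 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity $HelperAccount -Reset -NewPassword $scramble
    Disable-ADAccount -Identity $HelperAccount
}

# 4. Hand the result to the operator for the password vault; do not write it to disk.
[pscustomobject]@{
    DomainController = $env:COMPUTERNAME
    DsrmPassword     = $password
    ChangedAt        = Get-Date
}
```

The sync only changes the DSRM password of the DC the script runs on, so it has to be run (e.g. via Invoke-Command) on every domain controller, each time with a fresh password. Both steps leave an audit trail you can reconcile with the vault entry: event 4724 for the helper account's password reset and event 4794 on the DC for the DSRM password change.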
This article is a translation of the Infrastrukturhelden.de article. Links may refer to other Infrastrukturhelden.de articles, these may also be available in English language.
It may also be that I still use screenshots of German systems. However, where it is possible for me with little effort, I insert screenshots of English systems.