Friday, September 9, 2022

Basics of Active Directory Permissions: Replicating Directory Changes All

One of the most powerful permissions you can grant a principal in Active Directory is "Replicating Directory Changes All" (the DS-Replication-Get-Changes-All extended right). It is worth understanding for two reasons: it explains how Active Directory keeps its Domain Controllers in sync, and it is the permission behind a common attack known as DCSync, so knowing who holds it is the first step in preventing and detecting that attack.

Before we talk about this permission, a good place to start is how Active Directory handles high availability and redundancy. Active Directory does not rely on failover clustering, as Hyper-V does, or on log shipping, as SQL Server does. Instead, every Domain Controller holds a full, writable copy of the directory database and serves it to whoever needs it (this is called multi-master replication).

When you deploy at least two Domain Controllers for an Active Directory domain, you get redundancy and high availability for that domain by default. For this to work, the controllers must stay in sync, and Active Directory does that through "replication".

What is replication? Essentially, any change made on one Domain Controller is also applied to every other Domain Controller in that domain. There are two types of replication.

  1. Intrasite Replication
  2. Intersite Replication
Intrasite Replication:
  • Within an Active Directory site, replication is pull-based. After being notified that a partner has changes, a Domain Controller asks that partner for the changes it has not yet received and applies them locally.
  • This is configured automatically by default.
  • This is for Domain Controllers in the same site.
  • This is focused on making sure changes are distributed rapidly: it is triggered by change notification rather than by a schedule.
Intersite Replication:
  • Between Active Directory sites, replication is schedule-based and runs between bridgehead servers, one per site.
  • At each scheduled interval, the bridgehead Domain Controller for a site asks the bridgehead in the other site for the changes it has not yet seen.
  • This is for Domain Controllers in different sites.
So, the "Replicating Directory Changes All" permission lets a principal request changes from a Domain Controller the way a replication partner would: it can pull directory objects, including secret attributes such as password hashes, that a Domain Controller would otherwise hand only to another Domain Controller.

This is the elevated form of "Replicating Directory Changes" (DS-Replication-Get-Changes), which only permits pulling non-secret attributes; with the base right alone you get a very limited view and no credentials. In practice a DCSync attack needs both rights on the domain naming context, so an audit should look for both.

If a principal holds "Replicating Directory Changes All", it can pull Active Directory objects such as user accounts, and a user object carries the account's NTLM password hash. An adversary who obtains that hash does not need the plaintext password: a Pass-the-Hash attack authenticates with the hash directly. The attacker can repeat the request as often as they like, for any account in the domain, without ever touching the machine the victim logs on from. The damage is worse still when the right has been granted to an account that is not otherwise an administrator, because compromising that low-profile account is enough to dump every credential in the domain.

This is why you must be very specific and careful about who is granted these permissions. Grant them only on a need-to-have basis, and audit periodically who actually holds them, because the right can also arrive indirectly through "Full Control" (GenericAll) or "All extended rights" on the domain object.
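The following PowerShell script is an added example, not code from the original post, showing how to audit who holds the two replication rights on the domain naming context. It reads the domain object's ACL with the ActiveDirectory (RSAT) module and flags any principal that is not in an expected baseline. The three extended-right GUIDs are the fixed schema values for these rights; the baseline list of expected principals is an assumption you should adjust for your environment (for example, an Azure AD Connect service account legitimately needs these rights).

```powershell
# Added example: enumerate principals holding DCSync-relevant replication rights
# on the domain naming context. Requires the ActiveDirectory module (RSAT) and
# read access to the domain object's security descriptor.
Import-Module ActiveDirectory

# Fixed schema GUIDs for the replication extended rights (not assumptions).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# ASSUMED baseline: principals expected to hold these rights in a default domain.
# Compared on the name after the backslash, so domain/authority prefixes do not matter.
$Expected = @(
    'Administrators',
    'SYSTEM',
    'Domain Controllers',
    'Enterprise Domain Controllers',
    'Enterprise Read-only Domain Controllers'
)

$DomainDN = (Get-ADDomain).DistinguishedName
$Acl      = Get-Acl -Path "AD:\$DomainDN"

$Findings = foreach ($ace in $Acl.Access) {
    # Only Allow ACEs grant anything; Deny ACEs are irrelevant to this audit.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $granted = @()
    if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
        # Full Control implies every extended right, including replication.
        $granted += 'GenericAll (implies all replication rights)'
    }
    elseif ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        $guid = $ace.ObjectType.ToString()
        if ($guid -eq '00000000-0000-0000-0000-000000000000') {
            # Empty ObjectType means "all extended rights", which also covers replication.
            $granted += 'All extended rights (includes replication rights)'
        }
        elseif ($ReplRights.ContainsKey($guid)) {
            $granted += $ReplRights[$guid]
        }
    }
    if (-not $granted) { continue }

    $name = $ace.IdentityReference.Value.Split('\')[-1]
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value
        Right      = ($granted -join ', ')
        Inherited  = $ace.IsInherited
        Unexpected = -not ($Expected -contains $name)
    }
}

# Unexpected holders sort to the top; anything flagged here deserves a ticket.
$Findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it from a domain-joined workstation as an account that can read the domain object's ACL. A principal listed with Unexpected = True and DS-Replication-Get-Changes plus DS-Replication-Get-Changes-All (or GenericAll) can perform DCSync against this domain right now; remove the grant or justify and document it.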
