{"id":41976,"date":"2021-07-26T20:31:11","date_gmt":"2021-07-26T20:31:11","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/"},"modified":"2021-07-26T20:31:11","modified_gmt":"2021-07-26T20:31:11","slug":"you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/","title":{"rendered":"You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick"},"content":{"rendered":"<p>Microsoft completed a vulnerability hat-trick this month as yet another security weakness was uncovered in its operating systems. And this one doesn&#8217;t even need authentication to work its magic.<\/p>\n<p>The security shortcoming can be exploited using the wonderfully named <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/github.com\/topotam\/PetitPotam\">PetitPotam<\/a> technique. It involves abusing Redmond&#8217;s <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-efsr\/08796ba8-01c8-4872-9221-1000ec2eff31\">MS-EFSRPC<\/a> (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network.<\/p>\n<p>Specifically, security researcher Gilles Lionel found it was possible to use MS-EFSRPC to force a device, including Windows domain controllers, to authenticate with a remote attacker-controlled NTLM relay. 
The <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/blog.truesec.com\/2021\/07\/25\/mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-adv210003-kb5005413-petitpotam\/\">end result<\/a> is an authentication certificate that grants the attacker domain-controller-level access to services, allowing them to commandeer the entire domain.<\/p>\n<p>&#8220;PetitPotam takes advantage of servers,&#8221; <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429\">said Microsoft<\/a>, &#8220;where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.&#8221;<\/p>\n<p>Lionel published a proof-of-concept exploit, available from the above link, and Microsoft responded by burying the bad news in an <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/ADV210003\">advisory<\/a> released on Friday. 
The Windows giant described PetitPotam as &#8220;a classic NTLM relay attack,&#8221; and noted that such attacks have a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/security-updates\/SecurityAdvisories\/2009\/974926\">long, long history<\/a>.<\/p>\n<p>Which does make us wonder: why does the problem linger on?<\/p>\n<p>Microsoft&#8217;s preferred <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/support.microsoft.com\/en-gb\/topic\/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429\">mitigation<\/a> is for administrators to simply disable NTLM authentication, although doing so could break any number of services and applications that depend on it. A variety of alternatives are also on offer, &#8220;listed in order of more secure to less secure.&#8221;<\/p>\n<p>Great.<\/p>\n<p>The advisory makes grim reading for sysadmins pondering how to plug this latest WONTFIX issue. 
PetitPotam makes use of the Certificate Authority Web Enrollment service or Certificate Enrollment Web Service (depending on system) and, according to Lionel&#8217;s PoC, uses the MS-EFSRPC EfsRpcOpenFileRaw function &#8220;to coerce Windows hosts to authenticate to other machines.&#8221;<\/p>\n<p>CERT\/CC analyst Will Dormann summarized the attack:<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" readability=\"7.9706744868035\">\n<p lang=\"en\" dir=\"ltr\">nth time is the charm! Not sure what was up the first times, but this is a DEFAULT install\/config of the Certification Authority WEb Enrollment (ADCS-Web-Enrollment) on a machine other than the DC.<br \/>\n<br \/>Lowly domain-joined user to golden ticket.<br \/>\n<br \/>No credentials required, even. <a href=\"https:\/\/t.co\/EHxq17oT4p\">pic.twitter.com\/EHxq17oT4p<\/a><\/p>\n<p>\u2014 Will Dormann (@wdormann) <a href=\"https:\/\/twitter.com\/wdormann\/status\/1418576755389083662?ref_src=twsrc%5Etfw\">July 23, 2021<\/a><\/p><\/blockquote>\n<p>Windows Server 2008 and up are affected, according to Microsoft&#8217;s advisory, and, other than suggesting customers take NTLM mitigations, a fix for MS-EFSRPC does not appear to be incoming. 
We asked Microsoft and will update if it tells us anything more than to look at the advisory again.<\/p>\n<p>&#8220;Microsoft are no[t] fixing this,&#8221; <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1418990195169497099\">tweeted<\/a> IT security guru Kevin Beaumont, &#8220;so you have an out-of-the-box no-auth to Domain Admin path on default config Active Directory environments now, attackers.&#8221;<\/p>\n<p>We&#8217;ll leave the final word to Mimikatz creator Benjamin Delpy and await Microsoft&#8217;s move&#8230; \u00ae<\/p>\n<blockquote class=\"twitter-tweet\" readability=\"8.8713910761155\">\n<p lang=\"en\" dir=\"ltr\">Hey <a href=\"https:\/\/twitter.com\/msftsecurity?ref_src=twsrc%5Etfw\">@msftsecurity<\/a>&#8230; focusing on NTLM Relay &amp; AD CS default configuration is interesting, but could you fix [MS-EFSR] first?\n<\/p>\n<p>You (maybe?) know PetitPotam is primary about abusing [MS-EFSR] remote calls *without authentication*\n<\/p>\n<p>&gt; <a href=\"https:\/\/t.co\/hTE2JgBmPi\">https:\/\/t.co\/hTE2JgBmPi<\/a><br \/>\n<br \/>&gt; <a href=\"https:\/\/t.co\/doK77F9cz2\">https:\/\/t.co\/doK77F9cz2<\/a> <a href=\"https:\/\/t.co\/gsoweKbsrd\">https:\/\/t.co\/gsoweKbsrd<\/a> <a href=\"https:\/\/t.co\/Y26TYEvJow\">pic.twitter.com\/Y26TYEvJow<\/a><\/p>\n<p>\u2014 \ud83e\udd5d Benjamin Delpy (@gentilkiwi) <a href=\"https:\/\/twitter.com\/gentilkiwi\/status\/1419585218227363856?ref_src=twsrc%5Etfw\">July 26, 2021<\/a><\/p><\/blockquote>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2021\/07\/26\/petitpotam_microsoft_windows\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft offers some mitigations for thwarting PetitPotam attacks Microsoft completed a vulnerability hat-trick this month as yet another security weakness was uncovered in its operating systems. 
And this one doesn&#8217;t even need authentication to work its magic.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-41976","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head_json":{"title":"You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/","og_locale":"en_US","og_type":"article","og_title":"You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-07-26T20:31:11+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YP9MzuGwc3vLdwxxjUxzlAAAAFY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX 
trick","datePublished":"2021-07-26T20:31:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/"},"wordCount":540,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YP9MzuGwc3vLdwxxjUxzlAAAAFY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/","url":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/","name":"You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YP9MzuGwc3vLdwxxjUxzlAAAAFY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2021-07-26T20:31:11+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2YP9MzuGwc3vLdwxxjUxzlAAAAFY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&
amp;c=2YP9MzuGwc3vLdwxxjUxzlAAAAFY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/you-too-can-be-a-windows-domain-controller-and-do-whatever-you-like-with-this-one-weird-wontfix-trick\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41976"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41976\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}