Hardening Requirement: Renew KDS Root Keys and gMSA Secrets

Target Scope

  • Applicable Systems: Domain Controllers, Group Managed Service Accounts (gMSAs)
  • Operating Systems: Windows Server 2016, Windows Server 2019, Windows Server 2022

Implementation Details

  • Priority: High
  • GPO Path / Registry Location: No GPO setting exists. KDS root keys are msKds-ProvRootKey objects in the forest Configuration partition: CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=[ForestRoot]

Rationale

Group Managed Service Accounts (gMSAs) give services on domain-joined hosts a password that no administrator ever handles: a random 120-character password, rotated by default every 30 days (msDS-ManagedPasswordInterval). The password is not stored on the account object; it is derived on demand by the Key Distribution Service (KDS) on a Domain Controller and handed only to the principals listed in PrincipalsAllowedToRetrieveManagedPassword.

The derivation is deterministic. The KDS combines a KDS root key (stored in the forest Configuration partition) with values kept on the gMSA object itself: msDS-ManagedPasswordId, which names the root key the account was created under and the current derivation indices, and the account's SID. Anyone holding the root key and those attributes can run the same derivation.

If an attacker obtains a copy of the Active Directory database (NTDS.dit exfiltration, a DC backup or VM snapshot, or replication rights over the Configuration partition), they hold every KDS root key in the forest. With a root key and the attributes of a gMSA object, the attacker can recompute that account's current and all future passwords offline, without ever contacting a Domain Controller again: an invisible, persistent backdoor into every service that runs under a gMSA (the technique known as Golden gMSA). The stolen key never expires; only renewing the root key and re-keying the accounts ends the exposure.

Therefore:

  1. Interrupts Attacker Persistence: A new KDS root key, combined with re-creating every gMSA so that it derives from that key, makes the stolen root key useless: passwords computed from it no longer match any account. Adding the key alone is not enough, because an existing gMSA keeps deriving from the root key recorded in its msDS-ManagedPasswordId.
  2. Restores Service Isolation: After remediation a gMSA password can again be obtained only from a Domain Controller, by the principals listed in PrincipalsAllowedToRetrieveManagedPassword, and can no longer be recomputed offline from an old copy of the database.

Legacy Impact & Compatibility

  • Replication Sync Delay: Add-KdsRootKey sets the new key's EffectiveTime to 10 hours after creation by default, so that every Domain Controller has replicated the key before any DC is asked to derive a gMSA password from it; a DC that has not yet received the key cannot serve the password. The -EffectiveImmediately switch does not remove this wait. Backdating the key with -EffectiveTime ((Get-Date).AddHours(-10)) does, and is acceptable during remediation only after AD replication has been verified healthy (repadmin /replsummary, or Test-KdsRootKey against each DC).
  • Service Downtime: A re-created gMSA has a new SID. Every host that uses it must run Install-ADServiceAccount again, the services configured with the account must be restarted so that they log on with the new password, and any right or ACL granted to the old SID ("Log on as a service", share and file permissions, SQL logins) has to be re-granted. Plan a maintenance window per host.

Implementation Steps

Option A: Active Directory PowerShell Configuration (Remediation / Non-GPO)

Because KDS keys and gMSAs do not have standard GPO management interfaces, the creation of root keys and service account password rotation must be executed via PowerShell.

1. Generate a New KDS Root Key

Open an elevated PowerShell console on a writable Domain Controller (the PDC Emulator is the conventional choice, but any DC works: the key is written to the Configuration partition and replicated forest-wide). Membership in Domain Admins or Enterprise Admins is required. Then run:

Download Script: New-KdsKey.ps1

# New-KdsKey.ps1
# Description: Generates a new KDS Root Key in the forest Configuration partition.
# Requires: Domain Admins or Enterprise Admins; run on a Domain Controller.

Import-Module Kds

Write-Host "Creating new KDS Root Key..." -ForegroundColor Cyan

# Without parameters the key's EffectiveTime is now + 10 hours so that every DC can
# replicate it first. Backdating EffectiveTime makes the key usable at once; do this
# only after confirming replication is healthy (e.g. repadmin /replsummary).
$NewKey = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) -ErrorAction Stop

if ($null -ne $NewKey) {
    Write-Host "[+] New KDS Root Key created successfully. Key ID: $NewKey" -ForegroundColor Green

    # Confirm the key is readable and well-formed on this DC before re-keying any gMSA
    if (Test-KdsRootKey -KeyId $NewKey) {
        Write-Host "[+] Key $NewKey validated on $env:COMPUTERNAME." -ForegroundColor Green
    } else {
        Write-Host "[-] Key $NewKey failed validation; check replication before continuing." -ForegroundColor Red
    }
}

2. Re-create gMSAs Under the New Root Key

A gMSA has no settable password, so there is nothing for Reset-ADServiceAccountPassword to reset: that cmdlet applies to standalone MSAs. Each gMSA records, in msDS-ManagedPasswordId, the root key it was created under and keeps deriving from that key at every rotation, so adding a new root key on its own leaves the existing accounts computable with the stolen one. To bind a gMSA to the new key it must be deleted and created again. It then receives a new SID, so rights granted to the old SID ("Log on as a service", file ACLs, SQL logins) have to be re-applied and the account re-installed on its hosts.

Once the new root key is effective and replicated, re-create each gMSA:

Download Script: Recreate-gMSAs.ps1

# Recreate-gMSAs.ps1
# Description: Re-creates every gMSA so that it derives its password from the newest effective KDS root key.
# WARNING: destructive. Each account receives a new SID; re-install it on its hosts and restart the services afterwards.

Import-Module ActiveDirectory

Write-Host "Locating all gMSAs in the domain..." -ForegroundColor Cyan

$gMSAs = Get-ADServiceAccount -Filter "ObjectClass -eq 'msDS-GroupManagedServiceAccount'" -Properties DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval, KerberosEncryptionType, MemberOf, Description

if (-not $gMSAs) {
    Write-Host "[-] No Group Managed Service Accounts found." -ForegroundColor Yellow
    return
}

foreach ($Acct in $gMSAs) {
    Write-Host "[*] Re-creating gMSA: $($Acct.Name)..." -ForegroundColor White

    # Accounts created with -RestrictToOutboundAuthenticationOnly have no DNSHostName; handle those by hand.
    if (-not $Acct.DNSHostName) { Write-Warning "$($Acct.Name) has no DNSHostName (outbound-only gMSA); re-create it manually."; continue }

    # Capture everything needed to rebuild the account before it is deleted.
    # Path is the parent container, obtained by stripping the leading RDN from the DN.
    $Params = @{
        Name                                       = $Acct.Name
        DNSHostName                                = $Acct.DNSHostName
        Path                                       = ($Acct.DistinguishedName -replace '^CN=[^,]+,', '')
        PrincipalsAllowedToRetrieveManagedPassword = @($Acct.PrincipalsAllowedToRetrieveManagedPassword)
        ErrorAction                                = 'Stop'
    }
    if ($Acct.ServicePrincipalNames)          { $Params.ServicePrincipalNames = @($Acct.ServicePrincipalNames) }
    if ($Acct.'msDS-ManagedPasswordInterval') { $Params.ManagedPasswordIntervalInDays = $Acct.'msDS-ManagedPasswordInterval' }
    if ($Acct.KerberosEncryptionType)         { $Params.KerberosEncryptionType = $Acct.KerberosEncryptionType }
    if ($Acct.Description)                    { $Params.Description = $Acct.Description }

    Remove-ADServiceAccount -Identity $Acct.DistinguishedName -Confirm:$false -ErrorAction Stop
    New-ADServiceAccount @Params   # the new object is bound to the newest effective root key

    # Group memberships are not restored by New-ADServiceAccount
    foreach ($Group in $Acct.MemberOf) {
        Add-ADGroupMember -Identity $Group -Members $Acct.SamAccountName -ErrorAction Stop
    }

    Write-Host "[+] $($Acct.Name) re-created (new SID: $((Get-ADServiceAccount -Identity $Acct.SamAccountName).SID))." -ForegroundColor Green
}
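The host-side half of the procedure, as an added example that is not part of the original guide: after a gMSA has been re-created on the DC side, each member server has to refresh its cached copy of the account, prove it can still retrieve the managed password, and restart the services that log on with it. The domain name CORP, the gMSA name svc-web and the script name are assumptions for illustration.

```powershell
# Reinstall-GmsaOnHost.ps1 (added example, not part of the original guide)
# Description: re-cache a re-created gMSA on this member server, verify password
# retrieval, and restart every service that runs as the account.
# Run elevated on the member server; RSAT-AD-PowerShell must be installed.

Import-Module ActiveDirectory

$Domain   = 'CORP'      # assumption: NetBIOS domain name
$GmsaName = 'svc-web'   # assumption: gMSA name without the trailing $

# The host still caches the deleted account (old SID). Drop it and install the new one.
Uninstall-ADServiceAccount -Identity $GmsaName -ErrorAction SilentlyContinue
Install-ADServiceAccount   -Identity $GmsaName -ErrorAction Stop

# Test-ADServiceAccount returns $false when this host is not listed in
# PrincipalsAllowedToRetrieveManagedPassword or cannot reach a DC that holds the new root key.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Host cannot retrieve the managed password for $GmsaName; check PrincipalsAllowedToRetrieveManagedPassword and replication."
}
Write-Host "[+] $GmsaName installed and password retrieval verified on $env:COMPUTERNAME." -ForegroundColor Green

# Services store the logon account as DOMAIN\name$ in StartName
$Account  = "$Domain\$GmsaName`$"
$Services = @(Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq $Account })

if ($Services.Count -eq 0) {
    Write-Host "[-] No service on this host runs as $Account." -ForegroundColor Yellow
}

foreach ($Svc in $Services) {
    Write-Host "[*] Restarting $($Svc.Name) (runs as $Account)..." -ForegroundColor White
    try {
        Restart-Service -Name $Svc.Name -Force -ErrorAction Stop
        Write-Host "[+] $($Svc.Name) is $((Get-Service -Name $Svc.Name).Status)." -ForegroundColor Green
    } catch {
        # Error 1069 (logon failure) here usually means "Log on as a service" is still
        # granted to the old SID: re-grant it to the new account and restart again.
        Write-Host "[-] $($Svc.Name) failed to restart: $($_.Exception.Message)" -ForegroundColor Red
    }
}
```

The restart loop deliberately does not touch the service's configured account: the service control manager stores the account by name and resolves it to the new SID at logon, so only privileges and ACLs bound to the old SID need attention.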

Option B: PowerShell Auditing Status

Use this PowerShell script to audit the KDS root keys present in the forest and to list the gMSAs with their rotation interval and the principals allowed to retrieve their password.

Download Script: Get-KdsAndGmsaAudit.ps1

# Get-KdsAndGmsaAudit.ps1
# Description: Audits active KDS root keys and checks gMSA accounts.

Import-Module ActiveDirectory
Import-Module Kds

Write-Host "--- Auditing KDS Root Keys ---" -ForegroundColor Cyan

$KdsKeys = Get-KdsRootKey -ErrorAction SilentlyContinue

if ($KdsKeys) {
    foreach ($Key in $KdsKeys) {
        Write-Host "[+] KDS Key ID:     $($Key.KeyId)" -ForegroundColor Green
        Write-Host "    - Created:       $($Key.CreationTime)" -ForegroundColor White
        Write-Host "    - Effective:     $($Key.EffectiveTime)" -ForegroundColor White
    }
} else {
    Write-Host "[-] No KDS Root Keys found in the forest." -ForegroundColor Red
}

Write-Host "--- Auditing gMSA Accounts ---" -ForegroundColor Cyan

$Accounts = Get-ADServiceAccount -Filter "ObjectClass -eq 'msDS-GroupManagedServiceAccount'" -Properties msDS-ManagedPasswordInterval, PrincipalsAllowedToRetrieveManagedPassword

if ($Accounts) {
    foreach ($Acct in $Accounts) {
        # msDS-ManagedPasswordInterval may be unset when the account uses the 30-day default
        $Interval = if ($Acct.'msDS-ManagedPasswordInterval') { $Acct.'msDS-ManagedPasswordInterval' } else { '30 (default)' }
        Write-Host "[*] gMSA: $($Acct.Name)" -ForegroundColor White
        Write-Host "    - Rotation Interval: $Interval days" -ForegroundColor Gray
        Write-Host "    - Allowed to retrieve password: $($Acct.PrincipalsAllowedToRetrieveManagedPassword -join ', ')" -ForegroundColor Gray
    }
} else {
    Write-Host "[-] No service accounts found." -ForegroundColor Yellow
}
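The audit above lists keys and accounts but does not tell you whether remediation actually moved every account off the compromised key. The following added example (not part of the original guide) reads each gMSA's msDS-ManagedPasswordId, extracts the root-key GUID the account derives from and compares it with the newest effective root key. The function and script names are made up here; the blob layout (six 32-bit fields followed by the 16-byte RootKeyIdentifier at offset 24) is the MSDS-MANAGEDPASSWORDID structure as publicly documented for the Golden gMSA technique, and should be confirmed against Get-KdsRootKey output before the report is trusted.

```powershell
# Get-GmsaRootKeyReport.ps1 (added example, not part of the original guide)
# Description: shows which KDS root key each gMSA derives its password from and
# flags accounts still bound to an older key than the newest effective one.

Import-Module ActiveDirectory
Import-Module Kds

function Get-GmsaRootKeyId {
    param([byte[]]$ManagedPasswordId)
    # MSDS-MANAGEDPASSWORDID: Version, Reserved, IsPublicKey, L0, L1, L2 (six DWORDs),
    # then the 16-byte RootKeyIdentifier GUID at offset 24 (assumed layout, see lead-in).
    if (-not $ManagedPasswordId -or $ManagedPasswordId.Length -lt 40) { return $null }
    return [guid]::new([byte[]]$ManagedPasswordId[24..39])
}

function Get-GmsaRootKeyReport {
    $Now = Get-Date
    # A newly created gMSA binds to the most recent root key whose EffectiveTime has passed.
    $Newest = Get-KdsRootKey -ErrorAction Stop |
              Where-Object { $_.EffectiveTime -le $Now } |
              Sort-Object EffectiveTime -Descending |
              Select-Object -First 1
    if (-not $Newest) { throw "No effective KDS root key found in the forest." }

    Get-ADServiceAccount -Filter "ObjectClass -eq 'msDS-GroupManagedServiceAccount'" `
        -Properties msDS-ManagedPasswordId, whenCreated |
    ForEach-Object {
        $KeyId = Get-GmsaRootKeyId -ManagedPasswordId $_.'msDS-ManagedPasswordId'
        [pscustomobject]@{
            Name        = $_.Name
            Created     = $_.whenCreated
            RootKeyId   = $KeyId
            NewestKeyId = $Newest.KeyId
            OnNewestKey = ($null -ne $KeyId -and $KeyId -eq $Newest.KeyId)
        }
    }
}

$Report = @(Get-GmsaRootKeyReport)
$Report | Format-Table Name, Created, RootKeyId, OnNewestKey -AutoSize

$Stale = @($Report | Where-Object { -not $_.OnNewestKey })
if ($Stale.Count -gt 0) {
    Write-Host "[-] $($Stale.Count) gMSA(s) still derive from an older root key and must be re-created:" -ForegroundColor Red
    $Stale | ForEach-Object { Write-Host "    $($_.Name)" -ForegroundColor Red }
} else {
    Write-Host "[+] Every gMSA is bound to the newest effective KDS root key." -ForegroundColor Green
}
```

Run it once before remediation to see how many accounts reference the old key, and again afterwards: an empty "stale" list is the evidence that the stolen root key no longer derives any live password.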

Sources & Compliance References

  • ANSSI Remediation of Active Directory Tier 0 Guide: Section 4.d (Page 27)
  • ANSSI AD Hardening Guide: Section 4.14 (Managed Service Accounts)
  • Microsoft Security Guidance: Group Managed Service Accounts (gMSAs) and KDS Root Key Management
