{"id":10856,"date":"2025-05-27T04:00:46","date_gmt":"2025-05-27T04:00:46","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/exploring-the-rights-extension-gap-in-active-directory-insights-into-windows-server-2025\/"},"modified":"2025-05-27T04:00:46","modified_gmt":"2025-05-27T04:00:46","slug":"exploring-the-rights-extension-gap-in-active-directory-insights-into-windows-server-2025","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/exploring-the-rights-extension-gap-in-active-directory-insights-into-windows-server-2025\/","title":{"rendered":"Exploring the Rights Extension Gap in Active Directory: Insights into Windows Server 2025"},"content":{"rendered":"<p>Akamai has issued a warning regarding a significant security vulnerability in Windows Server 2025&#8217;s Active Directory functionality, potentially allowing users to gain increased permissions. This issue has been dubbed \u201cBadSuccessor\u201d and is noted in a recent <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.akamai.com\/blog\/security-research\/abusing-dmsa-for-privilege-escalation-in-active-directory\">blog post<\/a> by Akamai.<\/p>\n<p>The vulnerability stems from a feature called \u201cdelegated Managed Service Account\u201d (dMSA), introduced with Windows Server 2025. The default configuration of this feature is susceptible, and Akamai describes the exploitation method as straightforward.<\/p>\n<h3>Key Points of the Vulnerability<\/h3>\n<p>The analysis indicates substantial risk, with most organizations utilizing Active Directory impacted; specifically, 91% of environments examined by Akamai had non-domain admin user accounts capable of executing the attack. Microsoft is aware of the issue and is planning to rectify it, although a patch has yet to be released.<\/p>\n<p>Due to the introduction of dMSAs, attackers may be able to take over any principal in a domain with these accounts if they possess the necessary permissions in one of the domain&#8217;s organizational units (OUs). Remarkably, it is not mandatory for dMSAs to be actively utilized in the domain; the mere presence of a Windows Server 2025 machine on a network is sufficient for exploitation.<\/p>\n<h3>Proposed Countermeasures<\/h3>\n<p>To mitigate this threat, Akamai recommends identifying all principals such as users, groups, and computers authorized to create dMSAs, and limiting this permission to trusted administrators only. Akamai has also provided a PowerShell script that identifies non-standard principals authorized to create dMSAs, yielding a list of the corresponding OUs.<\/p>\n<p>As of now, the timeline for when Microsoft will issue a fix for this vulnerability remains uncertain.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Akamai has issued a warning regarding a significant security vulnerability in Windows Server 2025&#8217;s Active Directory functionality, potentially allowing users to gain increased permissions. This issue has been dubbed \u201cBadSuccessor\u201d and is noted in a recent blog post by Akamai. The vulnerability stems from a feature called \u201cdelegated Managed Service Account\u201d (dMSA), introduced with Windows [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":10857,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-10856","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10856","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=10856"}],"version-history":[{"count":0,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10856\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/10857"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=10856"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=10856"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=10856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}