Table of Contents
- Is Your Active Directory Safe from the Dangerous Golden dMSA Attack?
- Key Points About dMSA
- How Can dMSA Be Dangerous?
- What Makes the Golden dMSA Attack Possible
- Steps in the Golden dMSA Attack
- Why Is the Golden dMSA Issue Worrying?
- Attacker stays hidden
- Wide-ranging control
- Detection is tough
- Official risk is “moderate”
- How Can Companies Defend Against Golden dMSA Attacks?
- Steps to Minimize the Risk
- About the GoldenDMSA Tool
- Short Summary List
- Important Reminder
Is Your Active Directory Safe from the Dangerous Golden dMSA Attack?
Windows Server 2025 introduces delegated Managed Service Accounts (dMSA), a new kind of Active Directory account meant to make service credentials simpler and safer to manage. A dMSA lets a company migrate an old, unmanaged service account to a managed one: during the migration the dMSA is linked to the old account and inherits its permissions, so dependent services keep working without interruption.
Key Points About dMSA
- dMSA replaces old service accounts: the migration is designed to be transparent, so critical systems stay online.
- Password handling is automatic: nobody types the password; Active Directory generates it and rotates it on a schedule.
- Only specific computers can use each dMSA: the account is bound to the machines authorized to use it, which limits where a sensitive service can run.
- Goal is improved safety: automatically generated, rotating passwords remove the static, shared credentials that are so easily leaked or stolen.
How Can dMSA Be Dangerous?
Researchers at Semperis found a design weakness in how managed account passwords are produced on Windows Server 2025. Because gMSAs and dMSAs derive their passwords from the same forest-wide secret, an attacker who obtains that secret can compute the password of any such account and use it to spread through the company. The technique is called “Golden dMSA.”
What Makes the Golden dMSA Attack Possible
Insecure password design
A gMSA or dMSA password is not stored anywhere; Active Directory derives it from the KDS root key and a password identifier. The only parts of that identifier that vary over time take just 1,024 possible values, so a holder of the root key has at most 1,024 candidates per account to try.
Easy password guessing
Because the candidates are computed rather than guessed, the length and randomness of the password itself do not matter; working through 1,024 candidates takes seconds on an ordinary machine. Passwords meant to protect sensitive services become weak in practice.
Attackers need access first
This is not a remote exploit. To run it, someone must already hold top-level privilege: SYSTEM on a domain controller, or membership in Domain Admins or Enterprise Admins. That privilege is used to read the KDS root key, the forest-wide secret from which every managed account password is derived.
Steps in the Golden dMSA Attack
- Get the KDS root key: the key sits in the Configuration partition and is readable only by top-level admins and by SYSTEM on a domain controller. Once an attacker has it, everything that follows is offline computation.
- Find all target accounts: the attacker enumerates every gMSA and dMSA in the forest, for example with an LDAP query on their object classes.
- Derive the passwords: for each account, the attacker uses the time-based pattern to generate the 1,024 possible password identifiers, computes the password for each, and keeps the one that authenticates.
- Control service accounts: with valid passwords the attacker can request Kerberos tickets as those accounts and move through the network. Because the credentials are genuine, the logons look like ordinary service activity.
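The “time-based pattern” behind the 1,024 figure in the two sections above is the interval ID that the Group Key Distribution Service derives from the clock. The following PowerShell is an added illustration, not code from the article or from the GoldenDMSA tool: it converts a timestamp into the (L0, L1, L2) identifiers using the 10-hour KDS interval and the 32-wide L1/L2 counters specified in MS-GKDI, and enumerates the candidate identifier space for one L0 period. It derives no key material and touches no directory; it only shows how little of the password identifier actually varies.

```powershell
# Added example: how KDS maps a timestamp to the (L0, L1, L2) interval ID.
# Constants taken from MS-GKDI (GetIntervalID): one KDS interval is 10 hours,
# and the L1 and L2 counters each run 0..31 before rolling into the next level.
$KdsIntervalTicks = [TimeSpan]::FromHours(10).Ticks   # 100-ns units, same as FILETIME

function Get-KdsIntervalId {
    param([Parameter(Mandatory)][DateTime]$Time)
    # FILETIME is 100-ns ticks since 1601-01-01 UTC, the clock KDS works with.
    $ft = $Time.ToUniversalTime().ToFileTimeUtc()
    [pscustomobject]@{
        TimeUtc = $Time.ToUniversalTime()
        L0      = [int64][math]::Floor($ft / ($KdsIntervalTicks * 32 * 32))
        L1      = [int64][math]::Floor($ft / ($KdsIntervalTicks * 32)) % 32
        L2      = [int64][math]::Floor($ft / $KdsIntervalTicks) % 32
    }
}

function Get-KdsCandidateIds {
    # Every interval ID an account's password can carry inside one L0 period:
    # 32 L1 values x 32 L2 values. This is the entire "brute force" the article
    # describes; nothing about the password bytes themselves is guessed.
    param([Parameter(Mandatory)][int64]$L0)
    foreach ($l1 in 0..31) {
        foreach ($l2 in 0..31) {
            [pscustomobject]@{ L0 = $L0; L1 = $l1; L2 = $l2 }
        }
    }
}

# Show how slowly each counter moves: L2 changes every 10 h, L1 every 320 h,
# L0 every 10240 h (about 427 days), so L0 is effectively a known constant.
$now = Get-Date
Get-KdsIntervalId -Time $now
Get-KdsIntervalId -Time $now.AddHours(10)
Get-KdsIntervalId -Time $now.AddDays(30)

$space = @(Get-KdsCandidateIds -L0 (Get-KdsIntervalId -Time $now).L0)
"Candidate interval IDs in the current L0 period: $($space.Count)"
```

Run it on any machine with PowerShell; no domain membership is needed. The candidate count is always 32 × 32, which is why holding the root key reduces the problem to a short loop rather than a password-cracking job.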
Why Is the Golden dMSA Issue Worrying?
Attacker stays hidden
The foothold is durable. The KDS root key is never rotated automatically, and resetting a managed account's password does not help, because the new password is derived from the same key. Normal security tooling sees only successful logons by legitimate service accounts.
Wide-ranging control
A single break can give attackers access to many parts of a company’s systems, across different servers and resources.
Detection is tough
By default, Windows does not log reads of the KDS root key object. Recording them requires enabling Directory Service Access auditing and placing a SACL on the root key objects, after which each read produces Security event 4662.
Official risk is “moderate”
Microsoft rated the issue as moderate because an attacker needs top-level privilege to start; its position is that once the root key is compromised, deriving the passwords is expected behavior. The entry bar is high, but once it is crossed the damage is forest-wide and long-lived.
How Can Companies Defend Against Golden dMSA Attacks?
Steps to Minimize the Risk
- Restrict top admin access: the KDS root key is readable only by Domain Admins, Enterprise Admins, and SYSTEM on a domain controller, so membership in those groups and the security of every domain controller is what protects it. Keep those groups minimal and review them regularly.
- Monitor dMSA creation and changes: enable Directory Service Changes auditing and alert on Security event 5137 for objects of class msDS-DelegatedManagedServiceAccount, especially when created by accounts that do not normally create service accounts or outside change windows.
- Audit changes to important attributes: alert on event 5136 modifications to msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState, the attributes that link a dMSA to the account it supersedes.
- Review permissions across Active Directory: confirm that only the users, computers, and groups that genuinely need it can create dMSAs or modify those attributes on existing ones.
- Simulate attacks with the GoldenDMSA tool: use the free tool to confirm which accounts would be exposed and to exercise your detections before an attacker does.
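The steps above can be put into practice on a domain controller with the following PowerShell. It is an added example, not code from the article or from the GoldenDMSA project, and it assumes the ActiveDirectory and KDS modules are present and that the session holds SeSecurityPrivilege (needed to read and write SACLs). It inventories the root keys and managed accounts, turns on the audit subcategories that produce events 4662, 5136 and 5137, places a read SACL on every root key object, and then reviews the last week of events.

```powershell
# Added example (not the article's or the GoldenDMSA tool's code). Run on a
# domain controller as an account holding SeSecurityPrivilege.
Import-Module ActiveDirectory
Import-Module KDS

# 1. Inventory the KDS root keys. Each one can derive every gMSA/dMSA password
#    in the forest, so there should be very few and each creation date should be explainable.
Get-KdsRootKey | Select-Object KeyId, CreationTime, EffectiveTime

# 2. Inventory every gMSA and dMSA with the migration attributes the article names.
$msaFilter = '(|(objectClass=msDS-GroupManagedServiceAccount)(objectClass=msDS-DelegatedManagedServiceAccount))'
$msaProps  = 'whenCreated', 'msDS-DelegatedMSAState', 'msDS-ManagedAccountPrecededByLink'
Get-ADObject -LDAPFilter $msaFilter -Properties $msaProps |
    Select-Object Name, ObjectClass, whenCreated, msDS-DelegatedMSAState, msDS-ManagedAccountPrecededByLink

# 3. Enable the audit subcategories behind 4662 (object access) and 5136/5137
#    (attribute modified / object created). Without these nothing is logged.
auditpol /set /subcategory:"Directory Service Access" /success:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 4. Put a SACL on each root key object so every successful read of its
#    attributes is recorded as event 4662 with the reader's identity.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$rootKeyDN = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$readRule  = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty',
    [System.Security.AccessControl.AuditFlags]'Success')

Get-ADObject -SearchBase $rootKeyDN -LDAPFilter '(objectClass=msKds-ProvRootKey)' | ForEach-Object {
    $path = "AD:\$($_.DistinguishedName)"
    $acl  = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($readRule)
    Set-Acl -Path $path -AclObject $acl
}

# Helper: pull a named EventData field out of a Security event record.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-7)

# 5a. Who read a root key in the last 7 days (4662 on an object under Master Root Keys).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ObjectName') -like '*CN=Master Root Keys,*' } |
    Select-Object TimeCreated,
        @{ n = 'Reader'; e = { Get-EventField $_ 'SubjectUserName' } },
        @{ n = 'Object'; e = { Get-EventField $_ 'ObjectName' } }

# 5b. Which dMSAs were created (5137) and who touched the migration attributes (5136).
#     These two events also need a SACL on the OUs that hold service accounts; that is
#     not configured here and is assumed to exist.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5137; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ObjectClass') -eq 'msDS-DelegatedManagedServiceAccount' } |
    Select-Object TimeCreated,
        @{ n = 'Creator'; e = { Get-EventField $_ 'SubjectUserName' } },
        @{ n = 'DN';      e = { Get-EventField $_ 'ObjectDN' } }

$watched = 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $watched -contains (Get-EventField $_ 'AttributeLDAPDisplayName') } |
    Select-Object TimeCreated,
        @{ n = 'Modifier';  e = { Get-EventField $_ 'SubjectUserName' } },
        @{ n = 'Attribute'; e = { Get-EventField $_ 'AttributeLDAPDisplayName' } },
        @{ n = 'DN';        e = { Get-EventField $_ 'ObjectDN' } }
```

The SACL in step 4 audits every principal, including the domain controllers themselves, so expect routine 4662 noise from SYSTEM on DCs; the signal to alert on is a human or non-DC account reading a root key. Steps 1 and 2 are also a quick way to confirm how many accounts would be exposed if a root key were taken.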
About the GoldenDMSA Tool
GoldenDMSA is a free, open-source tool released by the researchers to help test, understand, and detect issues tied to the Golden dMSA flaw. The tool can:
- Enumerate the KDS root keys and every gMSA and dMSA in the forest.
- Derive candidate passwords using the 1,024-value pattern, to show which accounts are at risk.
- Help IT teams simulate the attack for training and response planning.
Short Summary List
- dMSA makes managing service accounts easier and more secure, but a design flaw in how managed passwords are derived undermines that.
- Attackers who obtain the KDS root key can compute any gMSA or dMSA password with little effort.
- Detection and prevention require extra steps, like advanced logging and tightly controlled admin accounts.
- The risk exists mainly if an attacker gets very high-level admin access, but successful attacks can last a long time and be hard to notice.
- The GoldenDMSA tool helps companies defend by showing weaknesses before attackers do.
Important Reminder
Keep your Windows Server and Active Directory fully patched. Stay updated on new security releases from Microsoft. Review your admin permissions and audit logs regularly. Use the GoldenDMSA tool as part of your security checks to avoid unhappy surprises.