# Access Request System

Repository: https://github.com/Lu-Fi/ARS (Visual Basic .NET, Apache-2.0 license; topics: active-directory, ad, authentication, group, group-membership, ldap, security, time-bound)

First I would like to explain some of my motivations for the development, as well as my views regarding secure administration in Active Directory environments.

---

In my opinion there are only two really useful ways to increase security in Active Directory domains.

1. All administrative operations are performed exclusively from secure systems (PAWs). This includes not only administrative activities on domain controllers but all administrative activities, divided by tiers.

   As an example: Tier 0 = domain controllers, Tier 1 = member systems, Tier 2 = clients.

   Such an approach is unfortunately very difficult to implement and can be very expensive depending on the environment.

2. The range and duration of administrative privileges is limited to what is strictly necessary. Privileges are requested for a certain duration and expire afterwards.

---

Because of the costs and benefits, I looked more closely at the second option and what is available for it. I noticed that Microsoft has already implemented a way to assign group memberships time-bound in Server 2016. A special LDAP extension is used to specify the number of seconds a membership exists: the LDAP_SERVER_LINK_TTL extended control (OID = 1.2.840.113556.1.4.2309).

Unfortunately, assigning such memberships is currently only possible with PowerShell, which makes the whole thing a bit uncomfortable.

This is where my tool comes in. It provides a web interface with which it is possible to request and remove time-bound group memberships. In addition, it can be configured that the administrative accounts managed in the application are disabled and their password reset automatically, e.g. after the last group membership expires. These accounts are reactivated when a new membership is requested, and a new password can then be retrieved.

Of course, not just anyone can request any group membership. The application is built around the model that each administrator has at least one Office account and one or more administrative accounts.

The web application is used with the Office account. To improve security, the login requires both an Active Directory login and an Azure login for the Office account (this is also how MFA can be implemented).

Within the application, the Office account is then assigned the administrative accounts which the user is allowed to manage. The assignment of the accounts takes place either in the application or via an extension attribute in Active Directory.

The administrative accounts are then either assigned to so-called "request groups", which define (via the managedBy attribute) which group memberships may be requested, or a direct assignment is made within the application (SQL database).

The administrative process then looks as follows:

1. The Office user logs on to the application (incl. MFA).
2. He chooses an administrative account in the web interface and requests a group membership for x hours.
3. [Optional] A new password is requested.
4. The administrative activities are executed.
5. [Optional] The time span is extended.
6. After the time period expires, Active Directory removes the group memberships by itself and the Kerberos tokens become invalid.
7. [Optional] The application disables the administrative account and sets a random password.

I have been able to analyze attacks in the past, and the procedure is almost always the same. First, threat actors try to compromise an account via social engineering, fake company websites, mail, etc. It does not matter which rights this account has. Next, the environment is analyzed. Such an analysis quickly reveals possible configuration errors on systems as well as attack vectors on services and applications. If an attack target is not already found here (e.g. the user has local administration rights on his system or on a server and can thus compromise the local SAM), the account is misused to compromise other systems via mails and documents, if necessary.

Actually, at this point you can already assume that once one or two administrative rights have been obtained in a tier, the complete tier is more or less lost.

---

![screen_1](https://user-images.githubusercontent.com/1177251/150324132-6d614dbb-0759-4995-97ee-fd7adbb1fc1a.png)
![screen_2](https://user-images.githubusercontent.com/1177251/150324137-461cc29b-b9bf-4859-b256-8d17a2ccd4f5.png)
![screen_3](https://user-images.githubusercontent.com/1177251/150324139-d9572ce4-4ac5-4762-8272-5c90ab98f8b1.png)
![screen_4](https://user-images.githubusercontent.com/1177251/150324143-545afd3b-8fa4-4894-930f-fd0643120d57.png)


# Autostart with IIS

c:\windows\system32\inetsrv\config\applicationHost.config

    <applicationPools>
        <!-- AlwaysRunning keeps the worker process up so the expiry handling does not wait for the first request -->
        <add name="ARS" autoStart="true" managedRuntimeVersion="v4.0" startMode="AlwaysRunning">
            <!-- DOMAIN\USER is a placeholder for the service account; fill in its password at deployment -->
            <processModel identityType="SpecificUser" userName="DOMAIN\USER" password="" loadUserProfile="false" idleTimeout="00:00:00" maxProcesses="0" />
            <recycling>
                <!-- no idle timeout and no periodic restart, so the pool is never recycled on a schedule -->
                <periodicRestart time="00:00:00">
                    <schedule>
                        <clear />
                    </schedule>
                </periodicRestart>
            </recycling>
        </add>
    </applicationPools>

    <sites>
        <site name="ARS" id="2" serverAutoStart="true">
            <!-- preloadEnabled requires the IIS Application Initialization module (see link below) -->
            <application path="/" applicationPool="ARS" preloadEnabled="true">
                <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\ARS" />
            </application>
            <bindings>
                <binding protocol="https" bindingInformation="*:443:ars.domain.net" sslFlags="0" />
            </bindings>
        </site>
    </sites>

    <location path="ARS">
        <system.webServer>
            <security>
                <authentication>
                    <!-- Kerberos only: NTLM is removed from the provider list -->
                    <windowsAuthentication enabled="true" useKernelMode="false">
                        <extendedProtection tokenChecking="None" />
                        <providers>
                            <clear />
                            <add value="Negotiate:Kerberos" />
                        </providers>
                    </windowsAuthentication>
                    <anonymousAuthentication enabled="false" />
                </authentication>
                <!-- HTTPS is mandatory for the application -->
                <access sslFlags="Ssl" />
            </security>
        </system.webServer>
    </location>

The `startMode="AlwaysRunning"` and `preloadEnabled="true"` settings rely on the IIS Application Initialization feature:

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization


# SQL Schema
(Create an empty database called "**Ars**" first.)

    USE [Ars]
    GO

    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    -- direct assignments made within the application: Office user (uSID) -> administrative account (aSID)
    CREATE TABLE [dbo].[ars_assignments](
      [aID] [uniqueidentifier] NOT NULL,
      [uSID] [varchar](256) NOT NULL,
      [aSID] [varchar](256) NOT NULL,
      [flag] [int] NOT NULL
    ) ON [PRIMARY]
    GO

    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    -- audit trail of requests and their outcome
    CREATE TABLE [dbo].[ars_audit](
      [aSID] [varchar](256) NOT NULL,
      [aName] [varchar](256) NOT NULL,
      [uSource] [varchar](128) NULL,
      [uName] [varchar](256) NOT NULL,
      [action] [varchar](256) NOT NULL,
      [result] [int] NOT NULL,
      [ts] [datetime] NULL
    ) ON [PRIMARY]
    GO

    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    -- last password set timestamp per managed account
    CREATE TABLE [dbo].[ars_user](
      [uSID] [varchar](256) NOT NULL,
      [pwdLastSet] [bigint] NULL
    ) ON [PRIMARY]
    GO

    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE TABLE [dbo].[ars_users](
      [uSID] [varchar](256) NOT NULL,
      [flag] [int] NOT NULL
    ) ON [PRIMARY]
    GO
    ALTER TABLE [dbo].[ars_assignments] ADD CONSTRAINT [DF_ars_assignments_aID] DEFAULT (newid()) FOR [aID]
    GO
    ALTER TABLE [dbo].[ars_users] ADD CONSTRAINT [DF_ars_users_flag] DEFAULT ((0)) FOR [flag]
    GO