Delegated Managed Service Accounts (dMSAs), introduced in Windows Server 2025, represent Microsoft’s latest innovation in secure service account management.
While designed to enhance security by preventing traditional credential theft attacks like Kerberoasting, security researchers have uncovered potential abuse vectors that could allow attackers to establish persistent access in Active Directory environments.
dMSAs were created to solve long-standing problems with traditional service accounts. Unlike standard accounts that require manual password management, dMSAs provide automatic credential management and link authentication directly to machine identities.
According to Microsoft documentation, “dMSA is a more secure and manageable approach to service account management compared to traditional service accounts”.
The technology allows administrators to migrate from conventional service accounts while disabling the original account’s password authentication, redirecting all requests through the Local Security Authority (LSA) using the new dMSA mechanism.
This feature was specifically designed to eliminate credential theft risks.
The Persistence Vector
According to Matan Bahar, despite enhanced security controls, dMSAs can potentially be abused by attackers who have temporarily gained elevated privileges. The attack targets the Access Control Lists (ACLs) of the dMSA objects themselves.
The key vulnerability lies in the “Managed Service Accounts” container and its permission inheritance structure.
An attacker with domain administrator access, even temporarily, can modify ACLs to maintain access to dMSA accounts after their privileged access is revoked.
The attack begins by gaining “GenericAll” permissions on the Managed Service Accounts container:
While having “GenericAll” permissions on the container doesn’t automatically grant access to child objects, attackers can force inheritance down to all dMSA objects:
These commands establish persistent control over all existing and future dMSA objects. The attacker can then:
- Change ownership of dMSA objects.
- Create new dMSA accounts under their control.
- Modify the PrincipalsAllowedToRetrieveManagedPassword property to include their compromised accounts.
Mitigation
Organizations deploying Windows Server 2025 should implement these protections:
- Closely monitor modifications to the “Managed Service Accounts” container ACLs.
- Enable the Group Policy setting “Computer Configuration\Administrative Templates\System\Kerberos\Enable Delegated Managed Service Account logons” only on authorized systems.
- Monitor for Event ID 4662, which indicates “Write” access to dMSA objects.
- Implement least privilege access to Active Directory administrative groups.
- Regularly audit ACL changes on critical containers using tools like PingCastle or BloodHound.
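The following PowerShell script is an added example for the audit and monitoring items above; it is not code from the article or from the researcher it cites. It checks the “Managed Service Accounts” container and each dMSA beneath it for the conditions the article describes (control rights such as GenericAll, WriteDacl or WriteOwner held by principals outside a baseline list, ACEs whose inheritance scope propagates to child objects, and the current PrincipalsAllowedToRetrieveManagedPassword membership), and it lists recent changes to the nTSecurityDescriptor attribute on those objects from Security event 5136. It assumes the ActiveDirectory module is available, that the script runs with read access to the domain partition, that “Directory Service Changes” auditing is enabled so 5136 is logged, and that dMSAs use the objectClass name msDS-DelegatedManagedServiceAccount; the baseline principal list is a placeholder to tune per environment.

```powershell
# Added example (not the article's own code): audit dMSA-related ACLs and
# recent security-descriptor changes. Assumes the ActiveDirectory module,
# Directory Service Changes auditing (event 5136), and the objectClass name
# msDS-DelegatedManagedServiceAccount for dMSA objects.
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$ContainerDn = "CN=Managed Service Accounts,$($Domain.DistinguishedName)"

# Principals normally expected to hold control rights here. This is an
# assumed starting baseline; adjust it to match your environment.
$Baseline = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($Domain.NetBIOSName)\Domain Admins",
    "$($Domain.NetBIOSName)\Enterprise Admins"
)
# Rights that let a principal take over the object or rewrite its ACL.
$ControlRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

function Get-SuspiciousAces {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who    = $ace.IdentityReference.Value
        $rights = $ace.ActiveDirectoryRights.ToString()
        if ($Baseline -contains $who)          { continue }
        if ($rights -notmatch $ControlRights)  { continue }
        [pscustomobject]@{
            Object      = $Dn
            Principal   = $who
            Rights      = $rights
            # 'All' or 'Descendents' means the ACE flows down to child dMSAs
            Inheritance = $ace.InheritanceType.ToString()
            Inherited   = $ace.IsInherited
        }
    }
}

function Get-DmsaAclExposure {
    $findings = @()
    # A non-baseline owner can rewrite the DACL regardless of ACEs.
    $owner = (Get-Acl -Path "AD:\$ContainerDn").Owner
    if ($Baseline -notcontains $owner) {
        $findings += [pscustomobject]@{ Object = $ContainerDn; Principal = $owner;
                                        Rights = 'OWNER'; Inheritance = 'n/a'; Inherited = $false }
    }
    $findings += Get-SuspiciousAces -Dn $ContainerDn

    $dmsas = Get-ADObject -SearchBase $ContainerDn `
                          -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)'
    foreach ($d in $dmsas) {
        $findings += Get-SuspiciousAces -Dn $d.DistinguishedName
        # List who may retrieve the managed password so the set can be reviewed.
        $svc = Get-ADServiceAccount -Identity $d.DistinguishedName `
                                    -Properties PrincipalsAllowedToRetrieveManagedPassword
        foreach ($p in $svc.PrincipalsAllowedToRetrieveManagedPassword) {
            $findings += [pscustomobject]@{ Object = $d.DistinguishedName; Principal = $p;
                                            Rights = 'RetrieveManagedPassword (review)';
                                            Inheritance = 'n/a'; Inherited = $false }
        }
    }
    $findings
}

function Get-DmsaAclChangeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Parse the event XML by field name rather than relying on positional indexes.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { continue }
        if ($data['ObjectDN'] -notlike "*$ContainerDn")                  { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Subject  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN = $data['ObjectDN']
            Class    = $data['ObjectClass']
        }
    }
}

Get-DmsaAclExposure     | Format-Table -AutoSize
Get-DmsaAclChangeEvents | Format-Table -AutoSize
```

Run it periodically from a management host and diff the output against the previous run; a new principal with GenericAll on the container, an ACE whose Inheritance column reads “All” or “Descendents”, or an unexpected entry in the RetrieveManagedPassword list is the kind of change the article’s persistence scenario would produce. Event 5136 only appears when a SACL for directory service changes is configured, so confirm that auditing is in place before relying on the second function.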
While dMSAs significantly improve service account security over traditional accounts, organizations must remain vigilant about potential abuse vectors.
According to the report, the security improvements offered by dMSAs still outweigh the risks, particularly when proper monitoring and access controls are implemented.
As Microsoft continues to develop Windows Server 2025, additional security controls around dMSA management will likely emerge to address these newly discovered persistence techniques.