And the admin password was right in the Active Directory description field
# Incident Report: Unauthorized Administrative Access via AD Metadata Exposure
## Executive Summary
A 17-year-old student at a UK secondary school discovered that the institution’s entire network was compromised due to severe credential mismanagement. By simply viewing the Active Directory (AD) description field for the Domain Administrator account, the student obtained cleartext credentials, granting him "God mode" access to student data, staff emails, and server controls. No malicious action was taken, but the incident highlights a catastrophic failure in basic identity and access management (IAM).
## Incident Details
- **Discovery Date:** Circa 2024–2026 (Published June 25, 2026)
- **Incident Date:** During the student's enrollment (Sixth Form)
- **Affected Organization:** Unnamed UK School
- **Sector:** Education
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** During school term
- **Vector:** Unauthorized Internal Reconnaissance
- **Details:** The student connected a personal laptop to the school’s Active Directory domain. He found that the environment allowed standard users to view domain controller tools and policy maps without administrative authentication.
### Lateral Movement
- **Technique:** Credential Harvesting from Metadata
- **Details:** The student navigated to the Domain Administrator account properties. The password was explicitly written in the "Description" metadata field.
### Data Exfiltration/Impact
- **Potential Scope:** The student gained access to student/staff records, Remote Desktop (RDP) access to all servers, LanSchool classroom management software, and the Google Workspace environment (including all user mailboxes).
- **Actual Impact:** Minimal; the student exercised restraint and did not modify or exfiltrate data.
### Detection & Response
- **Detection:** The "incident" was never detected by the school’s IT department.
- **Response Actions:** None taken by the organization; the vulnerability was disclosed to the media years later by the student after graduation.
## Attack Methodology
- **Initial Access:** Connection of a personal device to the internal AD domain.
- **Persistence:** Not required (credentials remained valid throughout the student's tenure).
- **Privilege Escalation:** Exploitation of cleartext passwords stored in AD attributes (Description field).
- **Defense Evasion:** None (The school had zero monitoring/auditing for AD attribute lookups).
- **Credential Access:** Cleartext passwords found in AD: "horse fence ditch," "bd," and "bigbaddog."
- **Discovery:** AD Schema and Object browsing using standard domain tools.
- **Lateral Movement:** RDP access and Google Workspace synchronization.
- **Collection:** Potential access to sensitive leadership documents and keystroke histories.
- **Exfiltration:** N/A (Student chose not to exfiltrate).
- **Impact:** Total loss of Confidentiality, Integrity, and Availability (Potential).
## Impact Assessment
- **Financial:** Low (No ransom or recovery costs incurred due to student's restraint).
- **Data Breach:** Critical Risk; full access to PII of minors and staff.
- **Operational:** Potential for total network wipeout or grade manipulation.
- **Reputational:** High risk if the vulnerability remains unpatched and is discovered by a malicious actor.
## Indicators of Compromise
- **Network indicators:** N/A (Standard internal traffic).
- **File indicators:** N/A.
- **Behavioral indicators:** Unusual AD object enumeration from a student-owned device; RDP login attempts from non-IT workstations using the Domain Admin account.
## Response Actions
- **Containment:** None documented.
- **Eradication:** None documented.
- **Recovery:** None documented (Vulnerabilities may still be active).
## Lessons Learned
- **Metadata is Not Secure:** Descriptions, comments, and notes fields in IT management tools are frequently used by negligent admins to store "seed" passwords, which are visible to all authenticated users.
- **Lack of Least Privilege:** Standard users (students) should not have the permissions required to view the administrative structure or object attributes of the Domain Admin accounts.
- **Single Point of Failure:** Syncing AD with Google Workspace without MFA or tiered administrative accounts allows a single credential leak to compromise the entire cloud productivity suite.
## Recommendations
- **Credential Hygiene:** Immediately audit all AD account attributes (Description, Info, etc.) for sensitive data and passwords.
- **Hardening Active Directory:** Implement "Least Privilege" for AD object visibility; prevent standard users from enumerating administrative groups or viewing sensitive attributes.
- **Multi-Factor Authentication (MFA):** Mandate MFA for all administrative logins, especially for RDP and cloud-synced services like Google Workspace.
- **Audit Logging:** Enable and monitor AD event logs (specifically Event IDs 4662 and 4661) to track who is accessing sensitive account objects. These Directory Service Access events are only generated when the "Audit Directory Service Access" subcategory is enabled on the domain controllers and a system access control list (SACL) is set on the objects of interest; enabling the audit policy alone, without the SACL, logs nothing.
- **Separation of Duties:** Ensure IT administrative accounts are distinct from standard user accounts and are not used for daily tasks.
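The credential-hygiene audit above, as an added example that is not part of the original report or the school's tooling. It is a PowerShell script that scans the free-text AD user attributes readable by every authenticated user (`description`, `info`, `comment`) for credential-like content, and additionally flags any non-empty free-text on privileged accounts (`adminCount=1`) for manual review, because passphrase-style secrets such as the ones in this incident evade regex matching. The live query assumes the RSAT `ActiveDirectory` module on a domain-joined host with ordinary read access; the matching function itself runs offline on constructed sample objects.

```powershell
# Added example (not from the original report): audit AD free-text attributes
# for stored passwords. Assumes the RSAT ActiveDirectory module for the live
# query; Find-SuspiciousAttributeValues is pure string matching and can be
# exercised offline on the constructed sample objects at the bottom.

# Attributes inspected: all are readable by Authenticated Users by default.
$AttributesToCheck = @('description', 'info', 'comment')

# Heuristics for credential-like content. Tuned for low false negatives;
# treat matches as leads for human review, not as proof.
$Patterns = @(
    '(?i)\b(pass(word|wd|phrase)?|pwd|pw|creds?|login)\b\s*[:=]?\s*\S+',
    '(?i)\b(temp|initial|default|reset)\s+(pass|pw)',
    '\S*[A-Za-z]+\S*\d+\S*[!@#$%^&*]'   # mixed-class token, e.g. Summer2024!
)

function Find-SuspiciousAttributeValues {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $InputObject,
        [string[]] $Attributes = $AttributesToCheck,
        [string[]] $Regexes    = $Patterns
    )
    process {
        # adminCount=1 marks accounts protected by AdminSDHolder (privileged).
        $privileged = [bool]$InputObject.adminCount
        foreach ($attr in $Attributes) {
            $value = $InputObject.$attr
            if ([string]::IsNullOrWhiteSpace($value)) { continue }

            $hit = $null
            foreach ($rx in $Regexes) {
                if ($value -match $rx) { $hit = $rx; break }
            }
            # Regexes miss passphrases ("horse fence ditch"), so any free text
            # on a privileged account is surfaced for manual review.
            if (-not $hit -and $privileged) { $hit = '(privileged account: manual review)' }
            if (-not $hit) { continue }

            [pscustomobject]@{
                SamAccountName = $InputObject.SamAccountName
                Privileged     = $privileged
                Attribute      = $attr
                # Mask the value so the audit report does not itself become
                # another cleartext copy of the secret; length is preserved.
                Value          = ($value -replace '\S', '*')
                Reason         = $hit
            }
        }
    }
}

# Constructed sample objects (not real accounts) showing the output shape
# without touching a domain. Expected: two findings for svc-backup and
# da-admin, none for jdoe.
$Sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; description = 'pw: Winter2024!';     info = $null; comment = $null; adminCount = $null },
    [pscustomobject]@{ SamAccountName = 'da-admin';   description = 'horse fence ditch';   info = $null; comment = $null; adminCount = 1 },
    [pscustomobject]@{ SamAccountName = 'jdoe';       description = 'Year 12 student';     info = $null; comment = $null; adminCount = $null }
)
$Sample | Find-SuspiciousAttributeValues | Format-Table -AutoSize

# Live audit against the domain (uncomment on a host with RSAT installed):
# Get-ADUser -Filter * -Properties description, info, comment, adminCount |
#     Find-SuspiciousAttributeValues |
#     Export-Csv -NoTypeInformation -Path .\ad-attribute-audit.csv
```

Run it as an ordinary domain user first: if the live query returns findings, that is precisely the exposure the report describes, since the same read permission is what let the student see the Domain Administrator's description. Extend `$AttributesToCheck` with any custom schema attributes the organisation uses for notes, and rerun after cleanup to confirm the fields are empty rather than merely rotated.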