Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Monday, June 9, 2014

The Active Directory Permissions and Effective Permissions Analysis Challenge - Solved

Folks,

I hope this finds you doing well. Today, I was planning on sharing technical and contextual insights on arguably the most important technical subject in Active Directory Security – Active Directory Effective Permissions.
 

However, due to lack of time (and one other reason), I’ll focus on the technicals today. (I'll provide the context in a few weeks.)

The intention of sharing this today is to save 1000s of IT professionals 1000s of hours of painful, laborious and error-prone work, because based on our assessment of what’s out there, most folks are unfortunately still operating in the proverbial Stone Age.
 


The Stone Age of Active Directory Access Analysis

In case you’re wondering what I mean by “most folks are unfortunately still operating in the proverbial stone age”, let me explain.

You see, having written the book on this vital subject almost 10 years ago, and then, having not just solved this problem for Microsoft’s ecosystem (more on that below), but having made it as easy as touching a button, I find it amazing that most of the world is still trying to re-invent the wheel, chipping away at a colossal rock (i.e. a mighty challenge) with little stones, and in the process not only wasting valuable time and effort, but also not getting what they actually need to know i.e. effective permissions.

It’s been 10+ years since Microsoft released the whitepaper - Best Practices for Delegating Active Directory Administration.

(I happen to know so because I wrote that whitepaper.)
 
If you’re working on Active Directory delegations/permissions, chances are you’ve read it. If you haven’t read that paper yet, I highly recommend reading at least the first 2 chapters. If you’ve read it, you know how Active Directory’s security model works.

More importantly, if you've read it, you also know that if you need to find out who all effectively have a specific type of access on a specific Active Directory object, you need to find out who has what effective permissions on that object, NOT who has what permissions on that object.

Unfortunately, it appears that the subtle yet profound difference between permissions and effective permissions in Active Directory remains largely unknown, and as a result, every day, in 1000s of organizations, IT personnel proceed to determine who has what permissions, when in fact what they really should be attempting to determine is who has what effective permissions.

The only thing more alarming is that to do so, they primarily seem to be relying on half-baked / amateur tools / scripts that not only cannot determine effective permissions, but in fact may not even always deliver reliable permissions insight. I say so because I doubt any of them have even been professionally and rigorously tested, let alone having been designed by proficient experts, and as you know, the only thing more dangerous/reckless than not having essential security insight, is acting upon unreliable insight.

Furthermore they’re most likely relying on incorrect/insufficient technical advice as well, such as this on Microsoft Technet.

Here’s the short of it –
 
Trying to manually determine effective permissions based on manual permissions analysis in Active Directory is a very difficult, time-consuming and highly error-prone process because it involves very precisely taking into account all relevant factors that influence effective permissions, as illustrated here.
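The gap between permissions and effective permissions described above, as an added example (not from the original post and not how any Paramount Defenses product works): a simplified Python model of one right on one object, with constructed names, ACEs and group memberships. It assumes the standard canonical ACE order (explicit before inherited, deny before allow within each) and leaves out object-type ACEs, property sets and inheritance flags, which a real analysis must also handle.

```python
# Simplified model: one right, one object. All names and ACEs are constructed.
ALLOW, DENY = "allow", "deny"

# Constructed ACL on a user object: (type, trustee, right, inherited)
ACL = [
    (ALLOW, "Helpdesk",    "Reset Password", True),
    (DENY,  "Contractors", "Reset Password", True),
    (ALLOW, "alice",       "Reset Password", False),
    (DENY,  "Interns",     "Reset Password", False),
]

# Constructed direct memberships (member -> groups); groups can nest.
MEMBER_OF = {
    "alice": ["Contractors"],
    "bob":   ["Tier1"],
    "carol": ["Tier1", "Interns"],
    "dave":  ["Helpdesk", "Contractors"],
    "Tier1": ["Helpdesk"],
}
USERS = ["alice", "bob", "carol", "dave", "erin"]

def token(principal):
    """Principal plus every group reached through nested membership."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, []))
    return seen

def canonical(acl):
    """Explicit ACEs before inherited; within each, deny before allow."""
    return sorted(acl, key=lambda a: (a[3], a[0] != DENY))

def has_effective(user, right, acl):
    ids = token(user)
    for kind, trustee, ace_right, _ in canonical(acl):
        if ace_right == right and trustee in ids:
            return kind == ALLOW   # first matching ACE decides
    return False                   # no matching ACE: implicit deny

def who_has_permission(right, acl):
    """Naive view: trustees named on allow ACEs, as an ACL listing shows."""
    return {t for k, t, r, _ in acl if k == ALLOW and r == right}

def who_has_effective(right, acl, users):
    """Inverse query: every user whose evaluated access includes the right."""
    return {u for u in users if has_effective(u, right, acl)}
```

On this sample data the permission listing names `Helpdesk` and `alice`, while the effective set is `alice` and `bob`: `bob` appears on no ACE but inherits the grant through nested groups, and `dave` and `carol` are Helpdesk members whose access is removed by deny ACEs.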



Microsoft’s Effective Permissions Tab

To help determine effective permissions on Active Directory objects, Microsoft has devoted an entire tab for Active Directory Effective Permissions in the Advanced Security Settings / ACL Editor dialog of the Active Directory Users and Computers tool.
 
 
Unfortunately, 3 issues render it practically unusable –  

  1. It is self-admittedly inaccurate – http://support.microsoft.com/kb/933071
  2. It is realistically unusable because it will at best display a long list of check-boxes corresponding to the various permissions a specific user or group has, so if you’re trying to figure out who all have a given permission, and let's say you have 50,000 users in your Active Directory, you’ll have to manually enter the identity of each one of those 50,000 users to try and figure out the identities of everyone who has the specific access you’re trying to determine (e.g. Write Property access to the userAccountControl attribute.) That's not very user-friendly now, is it?
  3. The third issue I prefer not to shed light on yet.

I suspect that it is because of it being practically unusable that IT personnel worldwide have to end up resorting to writing scripts and/or using amateur tools to perform Active Directory permissions analysis.
 

The Aha! Moment

Finally, over 10 years later, IT personnel are starting to understand that this is actually a very difficult problem to solve, and in fact, here’s one of the first few public acknowledgments of this fact that we have seen, this one from a former Microsoft employee - http://blog.cassidiancybersecurity.com/post/2014/03/The-Active-Directory-Permissions-Analysis-Challenge.
 
The author of the blog begins the post with the statement -

"Analyzing permissions in Active Directory is a quite difficult task for Active Directory administrators."

 
He continues, and I quote -
 
"First, because the Active Directory delegation capabilities are extremely powerful and could lead to highly complex hierarchy which is then hard to check."


"Second, because the built-in tools are limited: The permissions are displayed in the properties of each object, the effective permissions for a user on an object can be calculated but the usage is limited in large environment and provide approximated and sometimes inaccurate results (See Microsoft KB 933071). Other alternatives will also be describe in this post."


I commend him for taking the time to speak to the challenge. The challenge of trying to accurately determine effective access granted in Active Directory deployments is indeed one of the most difficult challenges in the field of Windows Security today.

Incidentally, he is a member of our global community of Active Directory Security Professionals, which today is comprised of 2000+ members from 100+ countries. I have to admit though that I am a bit surprised that he didn't mention that the problem's already been solved, because based on our records, he tried our Gold Finger solution on October 28, 2013, requesting a license for use in the bj8.fr domain.

Anyway, I wanted to save him and 1000s of other folks, 1000s of precious hours of their lives by letting them know that our patented technology has already solved this problem for the world, and made it as easy as touching a button. (See below.)



The Digital Age of Active Directory Access Analysis
 
Folks, we live in the digital age, and today, so many complex problems are being solved by automation, and this problem too is ideally one that is best solved by automation, because of the complexity involved and because of the analysis involved being highly error-prone.


 

However, before one can attempt to automate a solution to solve such a problem, one needs to understand it VERY well.
 
Over the last 14 years, I've personally spent 1000s of hours on this subject. In addition, our team at Paramount Defenses has collectively logged 20,000+ hours on solving the effective access audit challenge in Active Directory.

Based on our experience, I can tell you that this is a very difficult problem to solve especially when you’re trying to solve it on a domain full of objects. Trying to build an automated solution that can solve this problem in virtually any Active Directory environment is exponentially difficult.
 
(This is perhaps the reason that the Centrifys and Dells of the world, or for that matter the Hewlett Packards and Ciscos of the world, may not even have attempted to build a solution that can help organizations fulfil this fundamental cyber security need.)

At Paramount Defenses, we have invested over half a decade of innovative research and development to solve this one single problem for the world, and today we have made it as easy as touching a button -


 
 
Take a look -  
 
1. Let's say you wanted to find out who effectively has the Reset Password Extended Right (i.e. effective permissions) granted on Larry Page's (an IT admin) account. Point, click, done in about 8 seconds - 
Gold Finger 006 - Active Directory Effective Permissions Tool
 

2. Now, let's say you wanted to find out who all can effectively reset the passwords of all 50,000 domain user accounts in your Active Directory domain. Point, click, done in minutes -
Gold Finger 007 - Active Directory Access/Delegation Audit Tool

 
3. Having fully automated the difficult and the (almost) impossible, automating the easy stuff is well, easy, so let's say you wanted to find out who has Write-Property permissions to modify the Account Restrictions Property Set, based both on an exact grant as well as on a blanket permissions grant (i.e. blanket Read Property) in a sub-tree rooted on the domain root, but only 6 levels deep, and you wished to apply an LDAP filter to focus it on specific objects, well, Point, click, done -
Gold Finger 005 - Active Directory Permissions Analyzer
 
4. Speaking of much easier stuff, let's say you wanted to analyze the ACL on the Americas OU in detail. That's too easy - 
Gold Finger 004 - Active Directory Permissions (ACL) Viewer
 

I could go on, but I think you'll get the drift. (BTW, bigger snapshots here.)
 
In essence, from advanced Active Directory ACL Analysis to fully-customizable, comprehensive Active Directory Permissions Analysis, and from Accurate, True Active Directory Effective Permissions Analysis to fully-automated domain-wide Active Directory Effective Delegated Access Analysis (i.e. Delegation Audit), our innovative patented technology has already made everything related to Active Directory permissions and effective permissions analysis as easy as touching a button.



The Active Directory Permissions and Effective Permissions Analysis Challenge - Solved

Folks, our innovative globally trusted, patented access assessment technology has already solved the great Active Directory permissions and effective permissions analysis challenge for the world, so organizations and IT personnel worldwide can focus their energies on quickly locking down access in their Active Directory, rather than spending 1000s of hours trying to find out who actually has what access in Active Directory.




(In case you don't know why quickly locking down access in Active Directory is paramount today, you may want to read this.)
 
There is no longer a need for IT personnel to waste their precious time by trying to use half-baked/amateur tools to manually try and solve a mountain of a problem, when they can just touch a button, have a sip of coffee and be done with it in minutes.
 
So, perhaps the next time you're enjoying a cup of coffee at work, you could solve one of the biggest challenges for your organization while doing so - http://www.paramountdefenses.com/goldfinger.html.
 
Best wishes,
Sanjay
 
PS: As for the contextual insight, it will have to wait (just) a bit.
