I hope this finds you doing well. Today, I was planning on sharing technical and contextual insights on arguably the most important technical subject in Active Directory Security – Active Directory Effective Permissions.
However, due to lack of time (and one other reason), I’ll focus on the technicals today. (I'll provide the context in a few weeks.)
The intention of sharing this today is to save 1000s of IT professionals 1000s of hours of painful, laborious and error-prone work, because based on our assessment of what’s out there, most folks are unfortunately still operating in the proverbial Stone Age.
The Stone Age of Active Directory Access Analysis
In case you’re wondering what I mean by “most folks are unfortunately still operating in the proverbial stone age”, let me explain.
You see, having written the book on this vital subject almost 10 years ago, and then, having not just solved this problem for Microsoft’s ecosystem (more on that below), but having made it as easy as touching a button, I find it amazing that most of the world is still trying to re-invent the wheel, chipping away at a colossal rock (i.e. a mighty challenge) with little stones, and in the process not only wasting valuable time and effort, but also not getting what they actually need to know, i.e. effective permissions.
It’s been 10+ years since Microsoft released the whitepaper - Best Practices for Delegating Active Directory Administration.
(I happen to know so because I wrote that whitepaper.)
If you’re working on Active Directory delegations/permissions, chances are you’ve read it. If you haven’t read that paper yet, I highly recommend reading at least the first 2 chapters. If you’ve read it, you know how Active Directory’s security model works.
More importantly, if you've read it, you also know that if you need to find out who all effectively have a specific type of access on a specific Active Directory object, you need to find out who has what effective permissions on that object, NOT who has what permissions on that object.
Unfortunately, it appears that the subtle yet profound difference between permissions and effective permissions in Active Directory remains largely unknown, and as a result, every day, in 1000s of organizations, IT personnel proceed to determine who has what permissions, when in fact what they really should be attempting to determine is who has what effective permissions.
The only thing more alarming is that to do so, they primarily seem to be relying on half-baked / amateur tools / scripts that not only cannot determine effective permissions, but in fact may not even always deliver reliable permissions insight. I say so because I doubt any of them have even been professionally and rigorously tested, let alone having been designed by proficient experts, and as you know, the only thing more dangerous/reckless than not having essential security insight is acting upon unreliable insight.
Furthermore, they’re most likely relying on incorrect/insufficient technical advice as well, such as this on Microsoft Technet.
Here’s the short of it –
Trying to manually determine effective permissions based on manual permissions analysis in Active Directory is a very difficult, time-consuming and highly error-prone process, because it involves very precisely taking into account all relevant factors that influence effective permissions, as illustrated here.
Microsoft’s Effective Permissions Tab
To help determine effective permissions on Active Directory objects, Microsoft has devoted an entire tab for Active Directory Effective Permissions in the Advanced Security Settings / ACL Editor dialog of the Active Directory Users and Computers tool. Unfortunately, that tab has three problems:
- It is self-admittedly inaccurate – http://support.microsoft.com/kb/933071
- It is realistically unusable because it will at best display a long list of check-boxes corresponding to the various permissions a specific user or group has, so if you’re trying to figure out who all have a given permission, and let's say you have 50,000 users in your Active Directory, you’ll have to manually enter the identity of each one of those 50,000 users to try and figure out the identities of everyone who has the specific access you’re trying to determine (e.g. Write Property access to the userAccountControl attribute.) That's not very user-friendly now, is it?
- The third issue I prefer not to shed light on yet.
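To make the permissions vs. effective permissions distinction concrete, here is an added example (a constructed toy model, not code from the original post, from Gold Finger or from any Microsoft API). It evaluates a small ACL the way Windows orders ACEs (explicit before inherited, Deny before Allow), expands nested group membership, and contrasts the trustees a plain permissions report lists with the users who effectively hold the Reset Password right. All names, groups and ACEs are constructed sample data.

```python
# Constructed toy model of Windows DACL evaluation, added for illustration only
# (not Gold Finger, not a Microsoft API). Simplifications: one right per ACE,
# names instead of SIDs, no well-known SIDs (e.g. Authenticated Users) in the token.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str              # "Allow" or "Deny"
    trustee: str           # user or group the ACE names
    right: str             # e.g. "ResetPassword", "WriteProperty:userAccountControl"
    inherited: bool = False

def expand_groups(principal, members):
    """Transitive closure of group membership, nested groups included."""
    seen, todo = set(), [principal]
    while todo:
        p = todo.pop()
        for group, mems in members.items():
            if p in mems and group not in seen:
                seen.add(group); todo.append(group)
    return seen

def canonical(acl):
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "Deny"))

def has_effective_right(user, right, acl, members):
    token = {user} | expand_groups(user, members)
    for ace in canonical(acl):
        if ace.right == right and ace.trustee in token:
            return ace.kind == "Allow"   # the first matching ACE decides
    return False

def who_effectively_has(right, acl, members, users):
    # The effective-permissions question: every user who can exercise `right`.
    return sorted(u for u in users if has_effective_right(u, right, acl, members))

def listed_in_acl(right, acl):
    # What a plain permissions report shows: trustees on Allow ACEs for `right`.
    return sorted({a.trustee for a in acl if a.right == right and a.kind == "Allow"})

# Constructed sample: one user object's ACL plus the domain's group nesting.
GROUPS = {"Help Desk": {"alice", "Tier-1"}, "Tier-1": {"bob"}, "Contractors": {"carol"}}
ACL = [
    Ace("Allow", "Help Desk", "ResetPassword", inherited=True),  # inherited from the OU
    Ace("Deny", "Contractors", "ResetPassword"),                 # explicit Deny
    Ace("Allow", "carol", "ResetPassword"),                      # explicit Allow, loses to the Deny
    Ace("Allow", "dave", "ResetPassword", inherited=True),
]
USERS = ["alice", "bob", "carol", "dave", "erin"]
```

On this data, carol is named on an Allow ACE yet has no effective right, while bob, who appears nowhere in the ACL, does; a per-user check like the Effective Permissions tab would have to be repeated for every user to discover that, which is exactly the loop `who_effectively_has` performs.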
The Aha! Moment
Finally, over 10 years later, IT personnel are starting to understand that this is actually a very difficult problem to solve, and in fact, here’s one of the first few public acknowledgments of this fact that we have seen, this one from a former Microsoft employee - http://blog.cassidiancybersecurity.com/post/2014/03/The-Active-Directory-Permissions-Analysis-Challenge.
The author of the blog begins the post with the statement -
"Analyzing permissions in Active Directory is a quite difficult task for Active Directory administrators."
I commend him for taking the time to speak to the challenge. The challenge of trying to accurately determine effective access granted in Active Directory deployments is indeed one of the most difficult challenges in the field of Windows Security today.
Incidentally, he is a member of our global community of Active Directory Security Professionals, which today is comprised of 2000+ members from 100+ countries. I have to admit though that I am a bit surprised that he didn't mention that the problem's already been solved, because based on our records, he tried our Gold Finger solution on October 28, 2013, requesting a license for use in the bj8.fr domain.
Anyway, I wanted to save him and 1000s of other folks, 1000s of precious hours of their lives by letting them know that our patented technology has already solved this problem for the world, and made it as easy as touching a button. (See below.)
The Digital Age of Active Directory Access Analysis
However, before one can attempt to automate a solution to solve such a problem, one needs to understand it VERY well.
Over the last 14 years, I've personally spent 1000s of hours on this subject. In addition, our team at Paramount Defenses has collectively logged 20,000+ hours on solving the effective access audit challenge in Active Directory.
Based on our experience, I can tell you that this is a very difficult problem to solve especially when you’re
trying to solve it on a domain full of objects. Trying to build an automated solution that can solve this problem in virtually any Active Directory environment is exponentially difficult.
(This is perhaps the reason that the Centrifys and Dells of the world, or for that matter the Hewlett Packards and Ciscos of the world, may not even have attempted to build a solution that can help organizations fulfil this fundamental cyber security need.)
At Paramount Defenses, we have invested over half a decade of innovative research and development to solve this one single problem for the world, and today we have made it as easy as touching a button -
Take a look -
1. Let's say you wanted to find out who effectively has the Reset Password Extended Right (i.e. effective permissions) granted on Larry Page's (an IT admin) account. Point, click, done in about 8 seconds -
Gold Finger 006 - Active Directory Effective Permissions Tool |
2. Now, let's say you wanted to find out who all can effectively reset the passwords of all 50,000 domain user accounts in your Active Directory domain. Point, click, done in minutes -
Gold Finger 007 - Active Directory Access/Delegation Audit Tool |
3. Having fully automated the difficult and the (almost) impossible, automating the easy stuff is, well, easy, so let's say you wanted to find out who has Write-Property permissions to modify the Account Restrictions Property Set, based both on an exact grant as well as on a blanket permissions grant (i.e. blanket Read Property) in a sub-tree rooted on the domain root, but only 6 levels deep, and you wished to apply an LDAP filter to focus it on specific objects, well, point, click, done -
Gold Finger 005 - Active Directory Permissions Analyzer |
4. Speaking of much easier stuff, let's say you wanted to analyze the ACL on the Americas OU in detail. That's too easy -
Gold Finger 004 - Active Directory Permissions (ACL) Viewer |
I could go on, but I think you'll get the drift. (BTW, bigger snapshots here.)
In essence, from advanced Active Directory ACL Analysis to fully-customizable, comprehensive Active Directory Permissions Analysis, and from Accurate, True Active Directory Effective Permissions Analysis to fully-automated domain-wide Active Directory Effective Delegated Access Analysis (i.e. Delegation Audit), our innovative patented technology has already made everything related to Active Directory permissions and effective permissions analysis as easy as touching a button.
The Active Directory Permissions and Effective Permissions Analysis Challenge - Solved
Folks, our innovative globally trusted, patented access assessment technology has already solved the great Active Directory permissions and effective permissions analysis challenge for the world, so organizations and IT personnel worldwide can focus their energies on quickly locking down access in their Active Directory, rather than spending 1000s of hours trying to find out who actually has what access in Active Directory.
(In case you don't know why quickly locking down access in Active Directory is paramount today, you may want to read this.)
There is no longer a need for IT personnel to waste their precious time by trying to use half-baked/amateur tools to manually try and solve a mountain of a problem, when they can just touch a button, have a sip of coffee and be done with it in minutes.
So, perhaps the next time you're enjoying a cup of coffee at work, you could solve one of the biggest challenges for your organization while doing so - http://www.paramountdefenses.com/goldfinger.html.
Best wishes,
Sanjay
PS: As for the contextual insight, it will have to wait (just) a bit.