Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Wednesday, August 3, 2016

How to Easily Dump/Export Active Directory Security Permissions/ACLs

Folks,

Today, I'd like to take a small break from some important technical stuff and cover something very simple: the easiest way in the world to dump/export Active Directory security permissions/ACLs, because this is elemental.

But first a very quick overview of Active Directory security permissions and ACLs might be helpful.

If you want to get straight to the details, you can skip to section 3 below.




1. A Quick Overview of Active Directory Security Permissions and ACLs

As you may know, every object in Active Directory is protected by an access control list (ACL), which is composed of zero or more access control entries (ACEs), each of which allows or denies a specific set of security permissions (of which there are many in Active Directory) to a specific security principal (a user, group or well-known security principal).

Active Directory Security Permissions specified in an Active Directory Access Control List (ACL)


Together, the security permissions specified in an Active Directory object's ACL serve to protect that object, and specify who is allowed or denied which security permissions on that object (which of course includes all its attributes).

Since even a quick overview of the various permissions in Active Directory could take a few paragraphs, here's a pointer to a very quick overview of the Active Directory Security Model and Active Directory security permissions, which as you may know, include over a dozen generic permissions, dozens of extended rights and several validated writes. Alternatively, you can refer to Appendices C, D and E of Microsoft's official whitepaper on administrative delegation, which I wrote back in 2003.

In essence, Active Directory ACLs and the security permissions specified within them control access to the entirety of Active Directory content, and thus lie at the very foundation of cyber security in a Microsoft Windows Server based IT infrastructure.




2. The Need to be able to Dump/Export Active Directory Security Permissions/ACLs

IT personnel responsible for administering Active Directory deployments, delegating and maintaining administrative authority in Active Directory, provisioning secure access for applications and other stakeholders to Active Directory content, auditing Active Directory security etc. often have a need to be able to dump/export Active Directory Security permissions/ACLs.

In fact, here are 5 specific use-cases -
1. Perform security analysis to identify who is specified what access across an Active Directory domain
2. Identify the list of all security principals that have any sort of access granted in an Active Directory domain
3. Determine which security permissions are granted to whom, and where, in Active Directory
4. Obtain a detailed, fully-sortable view of all security permissions/ACLs in an Active Directory partition. 
5. Export/dump an Active Directory object's ACL for detailed offline-analysis, comparison, audit and archival.

Today these needs are elemental to the foundational cyber security of virtually every Active Directory deployment in the world.





3. The World's Easiest Way to Dump/Export Active Directory Security Permissions/ACLs

Today the easiest, fastest and most reliable way to dump/export Active Directory security permissions/ACLs in Active Directory is via this specialized Active Directory ACL Viewer and Exporter tool - 
Gold Finger Active Directory ACL Viewer and Exporter


Click, Done. If you can click a button, you can export Active Directory security permissions/ACLs in seconds. It's that simple.


Active Directory Security Permissions/ACL Dump


Here's some sample output (the complete CSV file can be downloaded from here) -
Active Directory ACL Dump
 
The Active Directory security permissions/ACL dumps generated by the tool can be sorted by virtually every relevant field: object type, object name, distinguished name, permission type (Allow/Deny), security principal, each of the 13 individual generic Active Directory permissions (RC LC LO WO WD SD DT CC DC CR SW RP WP), attribute/class, inheritance, applies to, and the inheritance flags CI (Container Inherit), ID (Inherited), IO (Inherit-Only) and NP (No Propagate). This makes it easy to perform rich and efficient ACL/security analysis.
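To make the ACL/ACE structure from section 1 and the field list above concrete, here is an added example (not Gold Finger's code or output) that flattens a security descriptor in SDDL string form into sortable rows. It assumes the descriptor has already been retrieved as SDDL; the sample string and its placeholder GUID are constructed, and the column names are borrowed from the field list, with the mapping of SDDL fields onto them being an assumption.

```python
import csv, io, re

# Access-mask bits for the 13 permission abbreviations listed above.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
COLUMNS = "RC LC LO WO WD SD DT CC DC CR SW RP WP".split()
ACE_TYPES = {"A": "Allow", "OA": "Allow", "D": "Deny", "OD": "Deny"}

# Constructed sample SDDL for one object; the GUID is a placeholder.
SAMPLE = ("O:DAG:DAD:PAI"
          "(A;;RPWPCCDCLCSWRCWDWO;;;DA)"
          "(OA;CIIO;RPWP;00000000-0000-0000-0000-000000000001;;AO)"
          "(D;;DTSD;;;WD)"
          "(A;CIID;0x20094;;;AU)")

def parse_dacl(sddl):
    """Return (protected, rows): one row per allow/deny ACE in the DACL."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return False, []
    protected = "P" in m.group(1)  # P flag: inheritance from the parent is blocked
    rows = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, obj, inh_obj, trustee = (ace.split(";") + [""] * 6)[:6]
        if ace_type not in ACE_TYPES:
            continue  # audit and conditional ACE types are out of scope here
        if rights.lower().startswith("0x"):  # rights may be a hex access mask
            held = {k for k, bit in RIGHTS.items() if int(rights, 16) & bit}
        else:                                 # or a run of two-letter codes
            held = set(re.findall("..", rights))
        row = {"Type": ACE_TYPES[ace_type], "Principal": trustee,
               "Attribute/Class": obj, "Applies To": inh_obj,
               "Flags": " ".join(re.findall("..", flags)), "Raw Rights": rights}
        row.update({c: "X" if c in held else "" for c in COLUMNS})
        rows.append(row)
    return protected, rows

def to_csv(rows, sort_by="Principal"):
    """Render rows as CSV text, sorted by any column name."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    w.writeheader()
    w.writerows(sorted(rows, key=lambda r: r[sort_by]))
    return out.getvalue()

if __name__ == "__main__":
    is_protected, aces = parse_dacl(SAMPLE)
    print("protected:", is_protected, to_csv(aces), sep="\n")
```

The `protected` value corresponds to the "protected ACL" case mentioned elsewhere on this page: a DACL that does not inherit ACEs from its parent.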

In fact, with this dedicated tool, if you can click a button, you can instantly -
1. Obtain a highly-detailed, fully-sortable view of the access control list (ACL) of any Active Directory object.
2. Analyze an Active Directory object ACL by being able to sort it by any field (e.g. Type, Security Principal etc.) 
3. Sort an Active Directory object's ACL by any of the 13 generic permission types (e.g. Create Child, Delete etc.)
4. Export/dump an Active Directory object's ACL for detailed offline-analysis, comparison, audit and archival.
5. Export/dump the ACLs of any, some or all Active Directory objects in any Active Directory partition.

Right below, I've shared 7 real-world examples, complete with their ACL dump output so you can see the data for yourself.





4. Seven Real-World Examples of Active Directory Security Permissions/ACL Dump

Here are 7 real-world examples of Active Directory ACL dumps, with actual outputs, that you can perform with this tool -

 
1. Dump the security permissions/ACLs of all objects in the domain: output
2. Dump all protected ACLs in the domain: output
3. Dump the security permissions/ACLs of all privileged users and groups in the domain: output
4. Dump the security permissions/ACLs of all users in the domain whose title contains the word Cloud: output
5. Dump the ACLs of all objects in the domain that are owned by the Builtin Administrators group: output
6. Dump the ACLs of all organizational units that are immediate children of the Corp organizational unit: output
7. Dump the ACLs of all organizational units that are up to 2 levels deep in the Corp organizational unit: output

To view the actual ACL dumps for each of the examples above, simply click on the associated output links above.




5. Seven Design Goals

Here are 7 design goals we had when developing our dedicated Active Directory Security Permissions/ACL Dump Tool -

1. Ease of Use - Ability to dump Active Directory permissions/ACLs at the touch of a button.
2. Complete Flexibility - Ability to use LDAP filters to customize scope of objects whose ACLs are to be dumped.
3. Scope and Depth Control - Ability to specify the scope and depth of objects whose ACLs are to be dumped.
4. Easily Analyzable and Sortable Results - The results retrieved should be rich and easy to analyze and sort.
5. Zero Dependencies - The tool should not require any configuration changes or special permissions.
6. Easy installation - The tool should be installable on any domain-joined machine in under 2 minutes.
7. Advanced Features - It should be able to perform special retrievals, such as -
a. Export/dump all ACLs marked protected
b. Export/dump the ACLs of all objects that are owned by a specific user/group
c. Export/dump the ACLs of all objects with a specific Primary Group

Its specialized features embody these goals and make it substantially more capable than other tools (e.g. dsacls, acldiag, etc.)

In addition, because all of our tools are professionally built to the highest standards of security, reliability and trustworthiness, organizations do not need to worry about the accuracy, integrity or security risks associated with amateur/custom-built scripts.



Summary

Today, our Gold Finger Active Directory Security Permissions/ACL Viewer and Export Tool is used on 6 continents worldwide, by so many of the world's top business and government organizations, perhaps because it's the easiest, most reliable and trustworthy way to dump Active Directory ACLs.

To learn more + to get a free trial, visit - http://www.paramountdefenses.com/active-directory-acl-permissions-viewer.html

Of course, because we know first-hand that there's a lot more to Active Directory Security Audit than performing Active Directory ACL dumps, we also offer the world's most capable Active Directory Permissions Analyzer and the world's only accurate Active Directory Effective Permissions Tool, Active Directory Effective Access Audit Tool and the world's only Active Directory Administrative Access and Delegation Audit Tool.

In essence, we offer the world's most comprehensive suite of Active Directory security, access and effective access audit tools, all available in a single user-interface, with zero dependencies, two-minute installation and Windows-integrated security.

More information on our Gold Finger Suite is online at - http://www.paramountdefenses.com/goldfinger.html

Best wishes,
Sanjay
