Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Thursday, January 5, 2017

The World's Best Active Directory ACL / Security Permissions Audit Tool


Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 5th.

Active Directory ACL / Security Permissions Audit - A Basic Need

Today virtually every organization that operates on Microsoft's Active Directory has a basic and essential need to be able to easily view, analyze and audit Active Directory ACLs (Access Control Lists) because Active Directory permissions ultimately protect virtually all of the organization's IT resources. A few examples of such basic Active Directory ACL audit needs include -

  1. What security permissions/rights does a specific user/group have in a specific Active Directory object's ACL?
  2. Who has a specific Active Directory security permission allowed in the ACL of a specific Active Directory object?
  3. Which ACEs (access control entries) grant a specific Active Directory security permission to various security principals?
  4. Which ACEs explicitly deny a specific Active Directory security permission in an object's ACL?
  5. Which ACEs explicitly grant a specific Active Directory security permission to a specific user or group in an object's ACL?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.
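The ACE-level questions listed above can be answered mechanically from an object's security descriptor. The following is an added example, not code from this blog or from Gold Finger: it parses the DACL from an SDDL string and filters ACEs by permission, allow/deny, trustee and explicit/inherited. The sample SDDL, the SIDs and the function names `parse_dacl` and `find_aces` are constructed for illustration; property-set GUIDs and group membership are not expanded, so the output is "who has what permissions", not effective permissions.

```python
import re

# Constructed SDDL for a hypothetical group object (not taken from a real domain).
MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the member attribute
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)"           # explicit allow, Domain Admins
    f"(OA;;WP;{MEMBER};;S-1-5-21-1-2-3-1105)"  # explicit allow, WP on member only
    f"(OD;;WP;{MEMBER};;S-1-5-21-1-2-3-1106)"  # explicit deny, WP on member only
    "(A;CIID;RPLCRC;;;AU)"                     # inherited allow, Authenticated Users
    "S:AI(AU;SA;WP;;;WD)"                      # SACL audit ACE, not part of the DACL
)

RIGHTS = {"CC": "Create Child", "DC": "Delete Child", "LC": "List Contents",
          "SW": "Self Write", "RP": "Read Property", "WP": "Write Property",
          "DT": "Delete Tree", "LO": "List Object", "CR": "Extended Right",
          "SD": "Delete", "RC": "Read Control", "WD": "Write DACL",
          "WO": "Write Owner"}
KINDS = {"A": "allow", "OA": "allow", "D": "deny", "OD": "deny"}
ACE_RE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")

def parse_dacl(sddl):
    """Return the DACL's Protected flag and its ACEs as dictionaries."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return {"protected": False, "aces": []}
    aces = []
    for typ, flags, rights, obj, _inherit_obj, trustee in ACE_RE.findall(m.group(2)):
        # Rights are two-letter codes, or a raw hex mask that is kept as-is.
        codes = [rights] if rights.startswith("0x") else re.findall(r"[A-Z]{2}", rights)
        aces.append({"kind": KINDS.get(typ, "other"),
                     "inherited": "ID" in re.findall(r"[A-Z]{2}", flags),
                     "rights": [RIGHTS.get(c, c) for c in codes],
                     "object": obj.lower(), "trustee": trustee})
    return {"protected": "P" in m.group(1), "aces": aces}

def find_aces(dacl, right, kind="allow", trustee=None, obj=None, explicit_only=False):
    """ACEs of `kind` carrying `right`; an ACE with no object GUID covers every attribute."""
    return [a for a in dacl["aces"]
            if a["kind"] == kind and right in a["rights"]
            and (trustee is None or a["trustee"] == trustee)
            and (obj is None or a["object"] in ("", obj.lower()))
            and not (explicit_only and a["inherited"])]
```

For example, `find_aces(parse_dacl(SAMPLE_SDDL), "Write Property", obj=MEMBER)` lists the ACEs that allow writing the member attribute, and passing `kind="deny"` lists the explicit denies.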

To fulfill their ACL analysis needs, IT admins worldwide use numerous means, such as writing in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP etc., or relying on 3rd party audit tools, many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) Active Directory ACL analysis, viewing and dump tool that can help easily & trustworthily fulfill all Active Directory ACL/permissions audit needs.

So we built possibly the world's best (most advanced) Active Directory ACL Viewer and Exporter that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their basic Active Directory ACL/permissions audit needs.

Gold Finger Active Directory ACL / Security Permissions Audit and Dump Tool

The Gold Finger Active Directory ACL Viewer and Exporter is the world's most advanced and trustworthy Active Directory ACL/Permissions Audit Tool -

Gold Finger Active Directory ACL Audit Tool, Viewer and Exporter
If you can touch a button, you can now easily, comprehensively and above all, trustworthily view, analyze, audit as well as instantly export/dump Active Directory ACLs and security permissions/rights, both on a per-object and a domain-wide basis.

Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Complete View – Obtain a complete, fully sortable view of the ACL (both DACL & SACL) of any Active Directory object.
  2. Detailed View – Obtain a detailed view wherein each ACL field is expanded into individually sortable columns.
  3. ACL Exports – Export the complete ACL of an Active Directory object for analysis, comparison, archival and audit.
  4. Tree-wide ACL Exports – Export/dump the ACLs of all Active Directory objects in any Active Directory tree (e.g. OU).
  5. Advanced ACL Export Options – Export only those ACLs that are marked Protected or owned by a specific user/group.

Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Rich Analysis - IT personnel can easily analyze every aspect of the ACL, including sorting the ACL by individual Active Directory security permissions (e.g. Write Property, Extended Right etc.), inheritance fields etc.
  4. Instant Export - IT personnel can easily export/dump the ACLs of any, some or all Active Directory objects. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.

Example Reports

Here are 10 real-world examples of the kinds of Active Directory ACL/permissions audits you can perform with Gold Finger -

  1. Alphabetically sort the ACL on the AdminSDHolder object to list all security principals for whom access is specified.
  2. Identify all permissions in the ACL of the Administrators group object that grant Write Property - Member permissions.
  3. Export/dump the ACL on the Enterprise Admins group object to furnish it as evidence for a regulatory compliance report.
  4. Identify every permission in the ACL on the Corporate OU object that grants a user or group Create Child permissions.
  5. Enumerate the list of all security permissions in the ACL of the Help Desk Operators object that are Explicit in nature.
  6. Instantly dump/export the security permissions/ACLs of all objects contained in any Active Directory domain/partition.
  7. Easily dump/export the security permissions/ACLs protecting all executive (e.g. all C*O) and privileged user accounts.
  8. Instantly dump/export Active Directory security permissions/ACLs protecting all Organizational Units in a domain.
  9. Obtain a snapshot of all Active Directory permissions/ACLs protecting the Configuration, Schema and domain partitions.
  10. Dump/export Active Directory security permissions/ACLs to a file to furnish evidence for a compliance/security audit.

Trusted Worldwide

Today, our Gold Finger Active Directory ACL Viewer and Exporter is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill all their basic Active Directory ACL/security permissions/rights analysis and audit needs.

Best wishes,

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.
