Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Monday, January 9, 2017

The World's Only Accurate Active Directory Effective Permissions Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 7th.

Active Directory Effective Permissions Audits - A Mission-Critical Need

Today every organization that operates on Microsoft's Active Directory has a mission-critical cyber security need to be able to accurately audit effective permissions in their foundational Active Directory deployments, to protect the entirety of their organizational IT resources. A few examples of such essential Active Directory effective permissions audits include -


  1. Who has sufficient effective permissions to be able to replicate secrets from Active Directory? (Implications & details.)
  2. Who has sufficient effective permissions to be able to control every Active Directory administrative account?
  3. Who has sufficient effective permissions to be able to control every Active Directory administrative group?
  4. Who has sufficient effective permissions to be able to manage all executive accounts (i.e. those of the CEO, CIO etc.)?
  5. Who has sufficient effective permissions to be able to manage all vital Active Directory domain user accounts, domain computer accounts, domain security groups, Organizational Units, etc. (and there could be 1000s of such objects)?

If you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters; the difference is colossal and could very well be the difference between security and compromise.
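The gap between listed permissions and effective permissions can be seen in a small model. This is an added example, not code from the post or from Gold Finger. It covers only the factors the post names (precedence order, group membership expansion, allow/deny conflict resolution), and assumes one right per ACE with no object-type or inherit-only handling. All principal names, the `WriteMember` right label and the ACL are constructed.

```python
from collections import namedtuple

# kind is "allow" or "deny"; inherited=False means the ACE is set explicitly on the object.
Ace = namedtuple("Ace", "kind trustee right inherited")

# Constructed sample data (hypothetical names), not from any real directory.
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Contractors", "Helpdesk"},
    "carol": {"Tier2"},
    "Tier2": {"Helpdesk"},          # nested group
    "dave": {"Contractors"},
}
ACL = [
    Ace("allow", "Helpdesk", "WriteMember", True),
    Ace("deny", "Contractors", "WriteMember", True),
    Ace("allow", "dave", "WriteMember", False),
]

def expand(principal, member_of):
    """Return the principal plus every group it belongs to, directly or nested."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(member_of.get(p, ()))
    return seen

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def effective(principal, right, acl, member_of):
    """For a single right, the first matching ACE in canonical order decides."""
    sids = expand(principal, member_of)
    for ace in canonical(acl):
        if ace.right == right and ace.trustee in sids:
            return ace.kind == "allow"
    return False  # no matching ACE means no access

def naive_listing(right, acl):
    """'Who has what permissions': the trustees named on allow ACEs, nothing more."""
    return {a.trustee for a in acl if a.kind == "allow" and a.right == right}

def audit(right, users, acl, member_of):
    """'Who has what effective permissions': the users who can actually exercise the right."""
    return {u for u in users if effective(u, right, acl, member_of)}
```

The listing names only `Helpdesk` and `dave`. The effective result adds `carol` through a nested group, drops `bob` because an inherited deny precedes the inherited allow, and keeps `dave` because an explicit allow precedes an inherited deny.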

Most organizations do not even seem to know that they need to be able to determine effective permissions in Active Directory, and do so accurately, to maintain a sound cyber security posture. At those that do know, IT personnel struggle to fulfill this mission-critical need - they try writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP, the Effective Permissions Tab, etc., or relying on this free 3rd party audit tool which is dangerously inaccurate.

To begin with, the expertise required to write a script that can accurately determine effective permissions in Active Directory is so rare that most IT personnel may not even know where to begin. That said, many may still proceed to write and use substantially inaccurate scripts to do so.

Further, assuming they could write an accurate script to do so, here are 4 issues/challenges that they will most likely run into -
  1. In-house scripts are prone to human error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. The Microsoft Effective Permissions Tab is not only self-admittedly inaccurate, it is woefully inadequate.
  4. All free 3rd party tools that claim to do Active Directory effective permissions are substantially inaccurate.

It is unequivocally clear to us that what organizations need is an accurate, reliable (tamper-proof) and above all a trustworthy Active Directory Effective Permissions Audit Tool that could help IT personnel worldwide easily & trustworthily fulfill this need.

So we built the world's best and only accurate Active Directory Effective Permissions Calculator / Audit Tool so it could help all IT admins, analysts, auditors and others easily and trustworthily fulfill their Active Directory effective permissions audit needs.



Gold Finger Active Directory Effective Permissions Calculator / Audit Tool

The Gold Finger Effective Permissions Calculator is the world's only accurate Active Directory Effective Permissions Audit Tool:



If you can touch a button, you can now (for the first time ever) accurately and easily fulfill all your Active Directory effective permissions audit and compliance reporting needs. Click, done. It quite simply is as simple and as remarkable as that.


Capability Overview

Here's a quick overview of the tool's top 10 features/capabilities -
  1. Accurate Analysis – Accurately determine effective permissions on any Active Directory object, taking all factors (e.g. precedence orders, membership expansions, conflict resolution etc.) that influence effective access into account.
  2. Real-Time Analysis – Instantly view & verify resulting change in effective permissions as soon as a permission changes.
  3. Full Automation – Instantly determine effective permissions and effective access at the touch of a single button.
  4. Full Coverage – Determine effective permissions on any Active Directory object in any Active Directory partition.
  5. Intuitive Interface – Easily view all effective permissions, all users who have them, and their underlying permissions.
  6. Permission-Centric Analysis – Instantly enumerate all users who are granted a specific effective permission / admin task.
  7. Source Identification – Find out exactly which underlying permission is granting a user a specific effective permission.
  8. Effective Access Insight – Find out both who has what effective permissions and who has what effective access.
  9. Analysis Exports – Export effective permissions for offline analysis, sharing, audit report submission and archival.
  10. DC Specific Analysis and Alternate Credential Use – Target any Domain Controller, and use alternate credentials.


Design Goals

Here are the 6 main design goals we set and met for Gold Finger -
  1. Accuracy - Accuracy is everything, and Gold Finger is the world's only accurate effective permissions calculator.
  2. Complete Picture - It calculates and shows the complete set of effective permissions entitled on an Active Directory object, and it also shows the identities of all security principals for whom a specific effective permission is entitled.
  3. Source-Identification - It pinpoints the underlying security permission that entitles a user to a specific effective permission.
  4. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.
  5. Ease of use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  6. Trustworthiness - When it comes to security, Gold Finger also sets the bar and gold standard for trustworthiness.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory effective permissions audits you can perform with Gold Finger -


  1. Find out exactly who has Extended Right - Get Replication Changes All effective permissions granted on domain root.
  2. Find out exactly who has what effective permissions (e.g. Blanket Write-Property) granted on the Domain Admins group.
  3. Determine exactly who has Write-Property - Member effective permissions on the Domain Admins security group.
  4. Find out exactly who has Write Property - userAccountControl effective permissions on a DC's computer account.
  5. Determine exactly who has Delete or Delete Tree effective permissions on the Corp OU containing 1000s of objects.
  6. Find out exactly who has Extended Right - Reset Password effective permissions on the CEO's domain user account.
  7. Determine exactly who has Extended Right - Send As effective permissions on the CFO's domain user account.
  8. Find out exactly who has Modify Permissions effective permissions on the domain root object or on AdminSDHolder.
  9. Determine exactly who has Extended Right - Apply Group Policy effective permissions on the Domain Controllers OU.
  10. Determine exactly how John Doe has Write-Property - Member effective permissions on the Domain Admins group.




Trusted Worldwide

Today, our Gold Finger Active Directory Effective Permissions Calculator is used worldwide by the world's top organizations to easily fulfill the mission-critical cyber security need of being able to accurately audit Active Directory effective permissions.

Best wishes,
Sanjay
