Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, January 6, 2017

The World's Best Active Directory Permissions Analyzer


Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 6th.

Active Directory Permissions Audits - An Essential Need

It goes without saying that today virtually every organization that operates on Microsoft's Active Directory has an essential need to be able to audit Active Directory security permissions, because Active Directory security permissions ultimately protect the entirety of the organization's IT resources. A few examples of such essential Active Directory permissions audits include -

  1. Who has what security permissions/rights in Active Directory, which ones and where?
  2. Who has what security permissions/rights on a specific Active Directory object and how?
  3. What security permissions/rights does a specific user or security group have in Active Directory?
  4. Where does a specific user or group have any kind of modify permissions/rights in Active Directory?
  5. Who has what security permissions/rights on critical Active Directory objects such as the domain root object etc.?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.

To fulfill these essential needs, IT admins worldwide use various means, such as writing advanced in-house LDAP/PowerShell scripts, using free Microsoft tools like dsacls, acldiag, LDP etc., or relying on some 3rd party audit tools, many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) permissions audit tool that can help all these IT personnel easily & trustworthily fulfill their essential Active Directory security permissions audit needs.

So we built possibly the world's best (most capable) Active Directory Permissions Analyzer that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their essential Active Directory security permissions audit needs.

Gold Finger Active Directory Permissions Analyzer

The Gold Finger Permissions Analyzer is the world's most capable and trustworthy Active Directory Permissions Audit Tool -


If you can touch a button, you can now easily, comprehensively and above all, trustworthily fulfill all your Active Directory security permissions/rights audit and compliance reporting needs. Active Directory permissions audits could not be simpler.

Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Rapid Analysis and Enterprise Scalability – Analyze entire Active Directory domains within a matter of minutes.
  2. Rich Analysis Criteria – Find permissions based on grant type (allow/deny), inheritance (explicit/inherited), permission type (e.g. Write Property), security principal (any user, security group or well-known security principal) and scope.
  3. Group Membership Inclusion – Automatically include the impact of group memberships when analyzing permissions.
  4. Real-time Schema Availability – Specify any class, attribute or extended right defined in your organization's AD Schema.
  5. Complete Flexibility – Customize analysis scope via use of custom LDAP filters, e.g. (&(objectClass=user)(title=C*O)) to cover only users whose title starts with C and ends with O (CEO, CFO, CIO etc.).

Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Customization - Every report can be completely customized using LDAP filters as well as scope and depth control.
  4. Complete Flexibility - IT personnel can search for any kind of Active Directory security permission, including specific permissions and extended rights, as well as permissions granted anywhere to a specific user/group etc. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.

Example Reports

Here are 10 real-world examples of the kinds of Active Directory security permissions audits you can perform with Gold Finger -

  1. Identify all security principals that have any kind of modify permissions granted anywhere in the Corp domain.
  2. Identify all security groups that have All Extended Rights granted anywhere in the Corp domain.
  3. Identify all users that have the Reset Password Extended right granted on any domain accounts in the Executives OU.
  4. Identify all security principals that have Delete permissions granted on any organizational unit (OU) in the Corp domain.
  5. Find out if the Temporary Contractors group is granted any security permissions anywhere in the Corp domain.
  6. Find out which security permissions, if any, are granted to John Doe anywhere in the Production OU.
  7. Find out which users are explicitly granted the Create Child - User permission anywhere in the Headquarters OU.
  8. Find out who has Deny permission granted anywhere in the Corp domain, and whether they are Explicit or Inherited.
  9. Determine whether John Doe has Write Property - Member permissions on any administrative group in the Corp domain.
  10. Determine who has Send As permissions granted on the CEO's mail-enabled domain user account.
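For readers who want to see what the in-house PowerShell scripts mentioned earlier actually involve, here is an added example written for this page; it is not Gold Finger code and not the author's. It implements the audit criteria listed above (grant type, explicit vs. inherited, a specific right, a scope plus LDAP filter, and nested group membership for a given user) and is run at the end for reports 3 and 9 from the list. The RSAT ActiveDirectory module, the domain corp.local, the Executives and Admins OUs and the user jdoe are all assumptions. Note what it does and does not do: it lists ACEs, i.e. the "who has what permissions" view, and does not compute effective permissions (Deny precedence, owner rights, inheritance cut-offs), which is exactly the gap the author flags above.

```powershell
# Added example, not Gold Finger code: an in-house PowerShell ACL audit of the
# kind the post describes. Needs the RSAT ActiveDirectory module and a domain
# account that can read the ACLs in scope. DNs and account names are assumptions.
Import-Module ActiveDirectory

# Schema GUIDs (verify against your own forest: the rightsGuid values under the
# Extended-Rights container and schemaIDGUID values in the Schema partition).
$Guid = @{
    ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right "Reset Password"
    Member        = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute "member"
    Membership    = [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'   # property set that contains "member"
}
$ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Does an ACE grant the named right? A naive "ObjectType equals the GUID" check
# misses the broad cases: GenericAll or ExtendedRight with an empty ObjectType
# covers every extended right, and WriteProperty on the Membership property set
# (or with an empty ObjectType) covers the member attribute.
function Test-AceGrantsRight([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [string]$Right) {
    $any = $Ace.ObjectType -eq [guid]::Empty
    switch ($Right) {
        'ResetPassword'     { (($Ace.ActiveDirectoryRights -band $ExtRight) -ne 0)  -and ($any -or $Ace.ObjectType -eq $Guid.ResetPassword) }
        'AllExtendedRights' { (($Ace.ActiveDirectoryRights -band $ExtRight) -ne 0)  -and $any }
        'WriteMember'       { (($Ace.ActiveDirectoryRights -band $WriteProp) -ne 0) -and ($any -or $Ace.ObjectType -in @($Guid.Member, $Guid.Membership)) }
        default             { $true }
    }
}

# SIDs an ACE can name to reach a given user: the user itself, every group that
# transitively contains it (LDAP_MATCHING_RULE_IN_CHAIN), and the well-known
# principals every domain user is a member of.
function Get-PrincipalSidSet([string]$SamAccountName) {
    $user = Get-ADUser -Identity $SamAccountName
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($user.SID.Value)
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { [void]$sids.Add($_.SID.Value) }
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Everyone, Authenticated Users, Domain Users (RID 513)
    foreach ($s in 'S-1-1-0', 'S-1-5-11', "$domainSid-513") { [void]$sids.Add($s) }
    return $sids
}

function Get-AdPermissionReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,         # scope: a domain or OU DN
        [string]$LdapFilter = '(objectClass=*)',           # which objects inside the scope
        [ValidateSet('ResetPassword','AllExtendedRights','WriteMember')][string]$Right,
        [ValidateSet('Allow','Deny')][string]$AccessType,  # grant type
        [switch]$ExplicitOnly,                             # drop inherited ACEs
        [string]$ForUser                                   # sAMAccountName: keep only ACEs that reach this user
    )
    $sidSet = if ($ForUser) { Get-PrincipalSidSet $ForUser }
    foreach ($obj in Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($AccessType -and $ace.AccessControlType.ToString() -ne $AccessType) { continue }
            if ($ExplicitOnly -and $ace.IsInherited) { continue }
            if ($Right -and -not (Test-AceGrantsRight $ace $Right)) { continue }
            if ($sidSet) {
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # unresolvable (e.g. orphaned) SID cannot be our user
                if (-not $sidSet.Contains($sid)) { continue }
            }
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType      # Allow / Deny
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited            # explicit vs. inherited
            }
        }
    }
}

# Report 3: who can reset passwords on user accounts in the (assumed) Executives OU.
Get-AdPermissionReport -SearchBase 'OU=Executives,DC=corp,DC=local' -LdapFilter '(objectClass=user)' `
    -Right ResetPassword -AccessType Allow | Format-Table Principal, Object, Inherited -AutoSize

# Report 9: ACEs that let jdoe, directly or through nested groups, write "member"
# on groups in the (assumed) Admins OU. Deny ACEs are listed too; read them first.
Get-AdPermissionReport -SearchBase 'OU=Admins,DC=corp,DC=local' -LdapFilter '(objectClass=group)' `
    -Right WriteMember -ForUser 'jdoe' | Format-Table Principal, Object, Type, Inherited -AutoSize
```

The three GUIDs are the well-known ones from the default schema, but a forest can define its own extended rights and attributes, so resolve them from the Configuration and Schema partitions of the forest you are auditing rather than trusting a hard-coded table. The script also illustrates the maintenance and trust problem the post raises: it only stays correct as long as someone keeps the GUID table, the property-set handling and the group expansion in step with the directory, and nothing here stops it from being edited.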

Trusted Worldwide

Today, our Gold Finger Active Directory Permissions Analyzer is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill the entirety of their essential Active Directory security permissions/rights audit needs.

Best wishes,

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.
