Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Saturday, August 5, 2017

How to Correctly Audit Who can Create User Accounts in Active Directory


Earlier this week, I had posed a most simple question to the respectable $ 550 Billion Microsoft Corporation regarding possibly the most elemental and fundamental aspect of cyber security and identity management, and that question was -

Exactly how do/should organizations find out exactly who can create domain user accounts in their Active Directory? (and ideally also, where they can do so & how)

Now, of course, Microsoft's likely not going to respond (for obvious reasons), and because this is so important to organizational cyber security, I'll provide the answer today. Ideally Microsoft should have educated organizations about this 10 years ago!

I'll not only answer the question, I'll show you how to easily answer this question.

First, A Scenario to Visualize

To help visualize this problem, let us begin by considering a single Active Directory domain of a fictional organization. As is the case with most organizations, and as displayed above, this fictional organization has a fairly elaborate organizational unit (OU) tree hierarchy/structure, the design of which was dictated by a combination of their group policy and permissions inheritance requirements. In essence, assume that it is more than 6 levels deep, and includes 60+ organizational units (OUs).

Next, Just Enough Technical Background

Like everything else in Active Directory, even (domain) user accounts are objects, and thus the administrative task of creating a user account in Active Directory corresponds to an LDAP operation targeted at the parent object and involving the creation of an object of class User, and this LDAP operation is gated by a specific Active Directory security permission: Create Child - User.

In practice, the presence of either one of the following permission combinations on a candidate parent object in Active Directory would influence a user's ability to create user objects in Active Directory, the premise being that Create All Child Objects obviously includes Create Child - User and similarly that Full Control obviously includes Create All Child Objects -
  1. Create Child - User
  2. Create All Child Objects
  3. Full Control

Oh, and speaking of candidate parent objects in Active Directory, while most people likely just assume that you can create user objects under organizational units, strictly and technically speaking, it is the Active Directory Schema that defines and governs (via an attribute in Schema Class definitions) the specific types of objects that may be created under specific types of objects.

Oh, and Debunking a Myth - Finding out Who has What Permissions in Active Directory is NOT the Answer

Most IT personnel and vendors in the Active Directory space are familiar with the above technical background, and if you ask them this simple question "How to find out who can create domain user accounts in Active Directory?", you'll likely get one of the 2 most common answers, depending on whom you ask -
  1. If you ask the vendors, their answer will likely be - "Sure, this is simple. All you have to do is perform a permissions audit in your Active Directory to find out who has the above specified permissions in your Active Directory, and that's it, you're done! Oh, and our amazing "Active Directory Permissions Audit Tools" can help you get the job done in no time!"

  2. If you ask most IT personnel, their answer will likely be - "Sure, this is simple. All we need to do is perform an Active Directory permissions audit to find out who has the above specified permissions in our Active Directory, and that's it, we're done! Oh, and tools like PowerShell Get-Acl, AclScanner, dsacls, acldiag, Bloodhound, etc. let us do this easily!"

Guess what?! Unfortunately, both these answers are wrong.

In fact, they're not just wrong, they're dangerously wrong. Simply finding out "Who has what permissions in Active Directory" aka performing an "Active Directory permissions Audit", is not the answer and it is NOT going to give you accurate results, and the last time I checked, when it comes to cyber security, accuracy is paramount. Of course, if you don't care about accuracy, ... .

By the way, if you want to know why these answers are so wrong, you will absolutely want to read this.

To accurately answer this and all such questions related to "Who can do what in Active Directory", what organizations need to do is find out "Who has what effective permissions in Active Directory," / "Who has what effective access in Active Directory."

Active Directory Effective Permissions

One of the most important measures organizations worldwide can take today is understand the one paramount aspect of cyber security that impacts the security of just about everything in their IT infrastructures - Active Directory Effective Permissions.

I am not going to explain what Active Directory Effective Permissions are in this post, as I have already explained it thoroughly in that post pointed to by the link above, but you will definitely want to read that before proceeding any further in this blog post.

In order to find out who can create domain user accounts under a specific Active Directory object, such as an Organizational Unit (OU), all that we need to do is find out "who has sufficient effective Create Child - User permissions" granted on that OU.

Now, The Answer to This Trillion Dollar Question

With the above background and concepts in mind, we are now in a position to answer this simple cyber security question.

Theoretically, here is what it takes to answer this question -
  1. The first step is to identify all objects in Active Directory under which the Schema permits the creation of objects of class User. This step is needed because as noted above, we need to determine "who has what effective permissions" on all objects under which objects of class User can be created, so in order to be able to do so, we will first need to identify each one of these objects. It is these objects on which we will need to determine effective permissions.

  2. The next step would be to accurately determine effective permissions on each one of the Active Directory objects identified in step 1 above, to identify all users who have sufficient effective Create Child - User permissions on them.

  3. The final step, which is the simplest one, merely involves aggregating the individual results of step 2, as performed on each one of the objects identified in step 1, to ultimately arrive at the complete list of all individuals who can create domain user accounts in an Active Directory domain.  
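Here is a script, added here and not the post's or Paramount Defenses' code, that carries out step 1 exactly as the Schema dictates (walking the user class and its superclasses for permitted parents), gathers the raw step 2 inputs on every candidate object, and aggregates them as in step 3. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access, and the function name is hypothetical; it deliberately stops short of resolving the collected ACEs into effective permissions (group expansion, Deny precedence, Owner rights), which is precisely the work the post says a plain permissions audit never does.

```powershell
# Added example (not the post's code, nor Paramount Defenses'). Assumes the RSAT
# ActiveDirectory module on a domain-joined host with read access to the domain
# and Schema partitions. Function name is hypothetical; run as a script.
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# Step 1: the Schema decides which classes may parent a "user" object. The
# allowed parents are the union of possSuperiors/systemPossSuperiors over the
# class and its superclass chain (user -> organizationalPerson -> person -> top).
function Get-UserParentClasses {
    $name = 'user'; $parents = @()
    while ($name) {
        $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
                   -Properties possSuperiors, systemPossSuperiors, subClassOf
        $parents += @($cls.possSuperiors) + @($cls.systemPossSuperiors)
        $name = if ($cls.subClassOf -eq $name) { $null } else { $cls.subClassOf }  # top is its own superclass
    }
    $parents | Where-Object { $_ } | Sort-Object -Unique
}
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                                -Properties schemaIDGUID).schemaIDGUID
$classFilter = '(|' + ((Get-UserParentClasses | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'
$candidates  = Get-ADObject -LDAPFilter $classFilter -SearchBase $rootDse.defaultNamingContext -SearchScope Subtree

# Step 2 (inputs only): on each candidate, keep the ACEs that bear on creating a
# user object: Create Child - User, Create All Child Objects, or Full Control.
# These are raw grants/denies, NOT effective permissions: group membership is
# not expanded, and Deny precedence and Owner rights are not evaluated here.
$aces = foreach ($obj in $candidates) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # An inherit-only ACE applies to descendants, never to this object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($ADRights::CreateChild)) { continue }
        $how = if ($ace.ActiveDirectoryRights.HasFlag($ADRights::GenericAll)) { 'Full Control' }
               elseif ($ace.ObjectType -eq $userGuid)     { 'Create Child - User' }
               elseif ($ace.ObjectType -eq [guid]::Empty) { 'Create All Child Objects' }
               else { $null }   # CreateChild restricted to some other class (e.g. computer)
        if ($how) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Type = $ace.AccessControlType
                               Where = $obj.DistinguishedName; How = $how; Inherited = $ace.IsInherited }
        }
    }
}

# Step 3: aggregate per identity. Deny entries are listed separately so that a
# reviewer sees what must be subtracted before any "who can" claim is made.
$allow = $aces | Where-Object Type -eq 'Allow' | Group-Object Identity | ForEach-Object {
    [pscustomobject]@{ Identity = $_.Name
                       Where    = @($_.Group.Where | Sort-Object -Unique)
                       How      = @($_.Group.How   | Sort-Object -Unique) } }
$allow | Format-Table -AutoSize -Wrap
$aces  | Where-Object Type -eq 'Deny' | Format-Table Identity, Where, How -AutoSize
```

The "Where" and "How" columns correspond to the post's notion of where and how an identity could create users; an identity that is a group still has to be expanded to its members before any name in the output can be read as a person who can actually do so.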

So you see, there is a WORLD of a difference between what the world thinks the answer is, and what the answer actually is!

Keep reading...

A Herculean Challenge

Now, while the answer to this simple question seems simple, in reality, it represents a herculean challenge for the world today.

Here's why -
  1. To begin with, the actual technical process involved in accurately determining effective permissions in Active Directory is very complicated, expertise-reliant, time-consuming and error-prone. In fact, even just the expertise required to know how to correctly do this alone is extremely rare, and hardly anyone in the world could engage in this process repeatedly without making mistakes, and unfortunately, in cyber security, there is no room for mistakes. Thus, even if organizations were to attempt to try and do this manually, most organizations likely won't even have the expertise to do this correctly.

  2. Secondly, the capability (i.e. tooling) required to be able to accurately determine effective permissions in Active Directory is virtually non-existent (barring one tool.) In fact, not a single vendor in the Active Directory space or any cyber security company (barring one) in the world has ever built a tool that could accurately determine effective permissions in Active Directory. The only tooling available in the world is Microsoft's Effective Permissions Tab, which unfortunately is not only inaccurate, it is substantially inadequate, and here's why. Oh, and this little excuse of a tool is dangerously inaccurate.

  3. Finally, there could easily be hundreds if not thousands of objects in an organization's Active Directory domain under which the Schema permits the creation of objects of class User. Consequently, at many organizations, answering this question would require accurately determining effective permissions on hundreds, if not thousands, of objects, and doing that manually could take months, if not years, let alone the fact that the data would be obsolete within days anyway, considering that the state of permissions in Active Directory does change every so often.

In light of the above, how are organizations supposed to be able to answer what is such an elemental cyber security question?!

Where is Microsoft?

In light of the above, if you agree that this is an important question for organizations to be able to answer today (and if not, I could share with you many more such questions, all of which involve a similar process to answer), then, given everything I have shared above, is it not worth asking how, if in any way, Microsoft may be helping organizations answer this question?

Unfortunately, let alone helping organizations answer this question, for more than a decade now, Microsoft has not even shed light on what it takes to answer this question. Most recently, and in all likelihood, in response to this, when it finally provided some guidance on the subject, again it completely missed out on educating the world on how to correctly answer this question!

That's how much Microsoft seems to care about cyber security. Yet, it would love for the world to embrace its Cloud offering!

What is the World To Do?

I'm told last year almost $ 80 Billion was spent worldwide on Cyber Security. As you all know, over 85% of all organizations worldwide are operating on Active Directory, and yet, not a single one of these organizations likely has an accurate answer for such a simple, elemental and fundamental cyber security question!

What is the world supposed to do? How are thousands of organizations worldwide supposed to be able to answer this most basic, elemental and fundamental of all cyber security questions, and what's the point when, even after spending millions of dollars on cyber security, an organization can't even accurately answer "Who can create user accounts in Active Directory?"

A while back, we had a prominent 3-letter acronym government agency reach out to us. They had well over 10,000 OUs in their Active Directory domain, and (perhaps because someone had been able to create and misuse a domain user account,) they wanted to know if we could help them identify exactly who can create domain user accounts in their Active Directory.

We are Paramount Defenses

Please allow me to show you how thousands of organizations worldwide can instantly and accurately find out exactly who can create domain user accounts in their Active Directory, where, and how, at the touch of ONE button -

Gold Finger Administrative Access And Delegation Audit Tool

The Administrative/Privileged Access and Delegation Audit Tool, a part of our Gold Finger Active Directory Audit Tool Suite, can instantly and accurately determine effective permissions/access across an entire Active Directory domain, whether it has 100 objects or 100,000+ objects, and reveal in plain English exactly who can create domain user accounts in Active Directory.

In fact, not only can it audit (identify and reveal) exactly who can create domain user accounts in Active Directory, it can accurately and automatically audit exactly who can enact over 100 administrative tasks in an Active Directory domain, no matter its size.

With Gold Finger, here's what it takes to answer this simple, elemental and fundamental cyber security question -
  1. Launch Gold Finger
  2. Select Report #1 - "Who can create Domain User Accounts"
  3. Set the Scope to be the entire domain. (By default, it is already pre-set for you.)
  4. Press the Gold Finger button. 
That's it!

Within minutes, Gold Finger will automatically identify all such objects under which domain user account creations are permitted (by your unique Schema), then perform the herculean task of accurately determining effective permissions/access on each one of them, whether it be on 10 OUs or on 10,000+ OUs and containers, to correctly figure out and reveal the identities of everyone who can actually create domain user accounts in your Active Directory, as well as where (i.e. under which OUs) they can do so, and how they can do so (i.e. which permissions in the underlying ACLs entitle them to do so.)   [Sample output - CSV, PDF.]

(The BIG advantage of knowing the HOW is that if there are users who can create domain user accounts but who should NOT ideally be authorized to do so, organizations can at once tweak the appropriate permissions/groups to revoke their access.)

So you see, all that IT admins need to do is click a button and sip their favorite beverage while it almost magically does it ALL.

A Note To My Friends at Microsoft: Gentlemen, I want you to think about this for a moment - imagine being able to automatically and accurately determine effective permissions on hundreds of thousands of objects in Active Directory in a single shot, and not just that, also figure out what administrative tasks they end up entitling and then present the results in terms of administrative tasks, so that IT personnel worldwide can easily comprehend them and act upon them. Imagine that!
In light of this, travel as far as needed, from Silicon Valley (the hot-bed of venture capital funded companies) to Israel (the hot-bed of cyber security companies these days) and across the whole world, and if you can find me even ONE company that can do anything even remotely close to this, let me know.

This tool is our flagship tool. It embodies our unique, patented effective-access assessment technology, and is the culmination of over half a decade of innovative, focused and disciplined research and development. Simply put, it is simultaneously both the Rolls Royce and the Lamborghini of Active Directory Audit Tools.


Microsoft Active Directory is the very foundation of cyber security at over 85% of all organizations worldwide today. At these organizations, the need to know exactly who can do what, where and how, in Active Directory domains is paramount to cyber security, because the entirety of all building blocks of cyber security, from domain user accounts to domain computer accounts and from domain security groups to group policies are all stored, managed and protected in Active Directory.

There is only one correct way to find out who can actually do what in Active Directory, and that involves accurately determining effective permissions in Active Directory. In other words, it is not "who has what permissions in Active Directory" that matters, but in fact "who has what effective permissions in Active Directory" that matters.

Unfortunately, the process involved in accurately determining effective permissions in Active Directory is extremely complicated.

Yet, to be able to answer so many vital cyber security questions, such as "Who can create domain user accounts in Active Directory", not only do organizations absolutely need to be able to determine effective permissions in Active Directory, but in fact, depending on the size of their Active Directory domains, may also need to determine effective permissions on possibly hundreds if not thousands of Active Directory objects, and do so often since Active Directory permissions do often change.

Sadly, Microsoft does not seem to have done much to help the world in this vital regard. In fact, they apparently even forgot to educate the thousands of organizations that operate on Active Directory regarding the importance of Active Directory effective permissions. Further, while there are almost a thousand cyber security companies in the world today, not a single one of them has a solution that can help organizations accurately find out the answer to even such basic and elemental cyber security questions as "Who can create domain user accounts in Active Directory?"

Fortunately, organizations worldwide that DO care about knowing the answer to not just this vital question, but also many other similar, equally important questions that impact their foundational cyber security, now do have an option and can now do so.

That'll do it for today, Day-12.

Best wishes,

PS: To anyone who wishes to see just how inaccurate virtually all Active Directory permissions audit tools out there, including PowerShell Get-Acl, AclScanner, dsacls, acldiag, Bloodhound, etc., are, all you need to do is compare their results to those of Gold Finger. The simple fact is that none of those tools can accurately determine effective permissions, which is all that matters.

PS2: In case you're wondering why this was a Trillion $ question, please read this.
