Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, September 15, 2017

How to Audit Who Can Change/Control/Delete a Service Connection Point in Active Directory?

Dear Microsoft,

Today is Day-18 of our Active Directory Security School for you. Today, I'll answer the question I had asked you on Day-17, and in doing so, along with you, we will also help thousands of organizations worldwide find out how to correctly audit who can change, control or delete Service Connection Points in their Active Directory deployments.

First, A Quick Recap

If you have yet to read the previous post, which can be found here, you may want to do so to get sufficient context for this post.

In the previous post, we had talked about what a Service Connection Point is, and how numerous Active Directory-integrated applications, both those developed in-house as well as 3rd-party applications, use and rely on them to deliver their functionality.

A Service Connection Point in Active Directory

In short, we had seen how various mission-critical applications that provide everything from email to two-factor authentication and from Linux/UNIX integration with Active Directory to auditing and privileged user account management, use and rely on Service Connection Points in Active Directory for their proper functioning. (A list of a few such apps is provided below.)

We had also covered the impact of someone being able to make an unauthorized modification to one or more attributes of the Service Connection Points of these mission-critical cyber security enabling Active Directory integrated-applications.

An Intruder Changing the Keywords Attribute on a Service Connection Point in Active Directory

To be precise, we had concluded that in the event that an intruder or a malicious insider could do so, he/she could potentially disrupt these applications from delivering their functionality, the impact of which could range from an instant denial-of-service attack on these critical Active Directory-integrated applications to leaving millions of IT resources vulnerable to compromise.

Next, A Few Such Apps

To appreciate the real-world security implications of an unauthorized change made to the Service Connection Points of such applications, perhaps it may help to identify even just a few prominent such applications that are today extensively deployed worldwide and depend on, and thus could be impacted by the unauthorized modification of Service Connection Points.

Here are 10 such prominent applications that may likely be deployed at 1000s of organizations worldwide today -

  1. BeyondTrust PowerBroker for Windows - BeyondTrust's PowerBroker Identity Services (PBIS) centralizes authentication for Unix, Linux and Mac environments by extending Active Directory's Kerberos authentication and single sign-on capabilities to these platforms. As documented here, to store information about a group or a user, PBIS creates a serviceConnectionPoint object (in Active Directory) and stores information in its keywords attribute. 

  2. Centrify Server Suite - Centrify's Server Suite, beyond its core capability of integrating UNIX and Linux accounts into Microsoft Active Directory, supports privilege management capabilities, integrated cross-platform auditing, dynamic server isolation, and single sign-on to on-premises applications. One of the major strengths of the Centrify Server Suite, is that all UNIX identity and authorization data is stored as Active Directory objects. As documented here, it extensively creates and uses serviceConnectionPoint objects in Active Directory to represent computer profiles, UNIX group profiles and UNIX user profiles.

  3. Citrix XenApp and XenDesktop - Citrix's XenApp and XenDesktop application virtualization solutions optimize productivity with universal access to virtual applications, desktops and data from any device. As documented here, delivery controllers, the server-side component responsible for managing user access brokering and optimizing connections, are represented by serviceConnectionPoint objects in Site OUs in Active Directory. Each time a Controller starts, it validates the contents of its Service Connection Point. In addition, Windows Desktop Virtual Delivery Agents (VDAs) use OU-based controller discovery which relies on these service connection point objects.

  4. IBM DB2 - IBM's DB2 for Linux, UNIX and Windows is a next generation data platform for transactional and analytical operations that provides continuous availability of data to keep transactional workflows and analytics operating at maximum efficiency. As documented here, DB2 database servers are published in the Active Directory as ibm_db2Node objects, which is a subclass of the serviceConnectionPoint object class. Each such object contains protocol configuration information to allow client applications to connect to the DB2 database server. When connecting to a remote database, a DB2 client queries the Active Directory though the LDAP interface for these objects.

  5. Microsoft Exchange - Microsoft's Exchange Server is a messaging platform that provides email, scheduling and tools for customer collaboration and messaging service applications. As documented here, Exchange stores the configuration of Exchange Servers as well as information about user mailboxes in Active Directory. Its Autodiscover feature, that enables client applications and users to configure themselves with minimal input, uses Active Directory service connection points to store and retrieve a list of Autodiscover URLs for the forest in which Exchange is installed. When you install Exchange 2016, you need to update the SCP object to point to the Exchange 2016 server. This is necessary because Exchange 2016 servers provide additional Autodiscover information to clients to improve the discovery process.

  6. Microsoft Active Directory Rights Management Server - Microsoft's Active Directory Rights Management Server delivers Active Directory Rights Management Services (AD RMS), information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized user, both online and offline, inside and outside of a firewall. As documented here, AD RMS publish Service Connection Points in Active Directory to hold the web address of the AD RMS certification cluster. AD RMS-enabled applications then use these Service Connection Points to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services.

  7. One Identity / Quest Privileged Password Manager - One Identity / Quest Software's Privileged Password Manager helps automate, control and secure the process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is a critical component of One Identity privileged account management solutions. As documented here, Privileged Password Manager publishes and relies upon Service Connection Points in Active Directory. In particular it modifies the serviceBindingInformation, displayName and keywords attributes of its Service Connection Points to store, amongst other pieces of information, your registered company name, Server URLs etc.   

  8. Quest Active Roles Server - Quest's Active Roles Server is a proxy solution designed to help organizations enhance account administration, directory management and security in Active Directory deployments. As documented here, as Active Roles performs operations on behalf of delegated users, the Active Directory service account requires adequate permissions. Quest recommends making Active Roles a member of Domain Admins. If organizational policies restrict its Domain Admin membership, then at a minimum, amongst a plethora of other permissions, since its service account must be able to publish itself in Active Directory, it will also require permissions to create serviceConnectionPoint objects.

  9. Quest Change Auditor - Quest's Change Auditor is an auditing solution that helps organizations track/audit changes to Active Directory, and thus helps ensure security, compliance and control of Active Directory content. As documented here, Change Auditor publishes Service Connection Points in Active Directory so that Change Auditor clients, agents and other third-party applications can automatically locate the Change Auditor coordinator. When clients or agents start up, they search Active Directory for these Service Connection Points to retrieve connection information for the Change Auditor coordinator such as hostname, listening port, and other authentication information.

  10. Quest InTrust - Quest's Intrust enables organizations to collect, store, search and analyze IT data from numerous data sources, devices and security information and event management (SIEM) solutions in one place. As documented here, Quest Intrust creates the following service connection point in Active Directory - <MyDomainName>/System/Quest In Trust/InTrustServer{<InTrustServerGUID>}.

Note - It must also be mentioned that the manner in which most of these applications have been integrated with Active Directory is consistent with Microsoft's recommendations, and in fact by integrating with Active Directory, these applications get to leverage its various capabilities, strengths and uses, and that is a good thing.

Speaking of which, of the applications above, perhaps the one that is most well-integrated with Active Directory, and thus one that uses and relies upon Service Connection Points most extensively may be Centrify Server Suite.

Oh, and the Azure AD Connect feature of Microsoft Azure also uses/relies on Service Connection Points in Active Directory.
( Specifically, as documented here, if you have an on-premises Active Directory environment and you want to join your domain-joined devices to Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. During their registration process, these domain-joined devices query the Active Directory for a Service Connection Point to discover Azure AD tenant information. Specifically they search for the object "cn=62a0ff2e-97b9-4513-943f-0d221bd30080,cn=Device Registration Configuration,cn=Services,cn=Configuration,dc=<forest-root-domain>" as it is this object's Keywords attribute that contains the organization's Azure AD tenant information. )

As you'll likely agree, many of these applications play a vital role in ensuring cyber security at many organizations worldwide.

If you understand the role that these applications play in providing and ensuring security at organizations worldwide, then you know that the unauthorized modification of the attributes of their Service Connection Points could substantially impact security.

The Question

In light of the above, I had posed the following few most simple and elemental questions, and asked you how organizations worldwide could answer these questions  -

Question: Who can change the various attributes/properties of a Service Connection Point in  Active Directory ?

In fact, in addition, it also begs the following questions -
  1. Who can modify the ACL/permissions protecting a Service Connection Point? 
  2. Who can modify the owner of a Service Connection Point?
  3. Who can delete a Service Connection Point?
     That's because if you can do either one of the above, you can have the same effect on the service.

Finally, The Answer

It is imperative that every organization that has any application that relies on the use of Service Connection Points in Active Directory know the exact answers to these questions at all times, and now let me show you how to correctly answer them.

First, lets rule out the incorrect answer, which is how most organizations worldwide may be trying to answer these questions today, and that incorrect answer is - "Find out who has what permissions on a Service Connection Point in Active Directory."


Even though this is the incorrect answer, most organizations may not know this, so they continue to use tools like dsacls, acldiag, PowerShell scripts etc. or any one of numerous 3rd-party Active Directory Permissions Audit Tools to do so.

Now, the correct answer, which is how every organization worldwide should be attempting to answer these questions today, and that correct answer is - "Find out who has what effective permissions on a Service Connection Point in Active Directory."

The Effective Permissions Tab is Inaccurate

As we can all see above, effective permissions are so important that Microsoft's native tooling has an entire tab for them!

Now, before you assume that the Effective Permissions Tab is sufficient/adequate to answer these questions and stop reading this further, let me share with the three (3) reasons as to why it is substantially inadequate and thus almost useless -

  1. First and foremost, it is not 100% accurate because it does not take all the factors that influence the accurate determination of effective permissions in Active Directory into account.

  2. Secondly, it can at best determine (an approximation of, and thus inaccurate) effective permissions one user at a time. So if you have 10,000 users in your organization, you will have to manually enter each user's name individually i.e. one by one, one at a time; now I don't know about you, but if I had to do this, I would probably find another job. 

  3. Finally, even though it can at best determine (an approximation of, and thus inaccurate) effective permissions one user at a time, it (also) CANNOT show you exactly which permission in the object's ACL is granting a specific effective permission, so if you're trying to find out HOW a user has a specific effective permission, you can't do so using this tool.  

Unfortunately, the same is true of dsacls, acldiag, LDP, PowerShell scripts and virtually every other 3rd-party Active Directory ACL/Permissions Analysis/Audit Tool out there, so there's really no easy way to answer these simple questions. Oh, and this free tool is so dangerously inaccurate that if it were an X-ray machine at an airport, I'd advise you to stay away from the airport.

Before we continue further, let me say this again. I cannot stress this enough - if you don't know what effective permissions in Active Directory are and why they're paramount to your security, you'll want to read this - Active Directory Effective Permissions.

So, now that we know that theoretically the correct answer is - "Find out who has what effective permissions on a Service Connection Point in Active Directory", is there an easy way to determine effective permissions on Active Directory objects?

Yes, (thankfully) there is one way...

Here's how so many of the world's top business and government organizations easily and accurately answer these questions -

The Gold Finger Active Directory Effective Permissions Audit Tool

The snapshot above is of the Gold Finger Active Directory Effective Permissions Audit Tool.

This tool quite simply is the world's only accurate and adequate effective permissions calculator for Active Directory.

Not only can this tool accurately determine effective permissions on any object in Active Directory, to use this tool, all you have to do is point the tool at whatever object you want to determine effective permissions on, and then click ONE button. That's it!

As seen in the snapshot above, we used this tool to perform an effective permissions audit on a service connection point called RMS Service in Active Directory, and the audit results show us every single security permission-combination that is effectively allowed on this service connection point object, as well as exactly who each effective permission is granted to, and how so.

So, for example, to find out who can change a Service Connection Point's keywords, all you have to do is use the What drop-down to select Write-Property - Keywords effective permissions and the tool will display the complete list of all individuals who can do so. Similarly you can find out exactly who can change each attribute/property, as well as its ownership and permissions.

Now, wouldn't it be nice if someone could make it even simpler such that all these technical details (i.e. effective permissions, attributes, mappings etc.) could be abstracted enough that we could just find all this out in English. Well, guess what? Done! -

The Gold Finger Active Directory Effective Access Audit Tool

The snapshot above is of the Gold Finger Active Directory Effective Access Audit Tool, which is the world's only tool that can accurately and adequately determine effective access in Active Directory environments.

As seen in the snapshot above, we used this tool to perform an effective access audit on a service connection point called RMS Service in Active Directory, and the audit results show us every single administrative task that can be enacted on this object by virtue of the effective permissions allowed on this service connection point object, as well as exactly who can enact each one of these administrative tasks, and of course, how so. In other words, you can now find out exactly who can do what, in English!

(Finally, if you have numerous Service Connection Points in Active Directory, this tool can audit all of them at a button's touch.)

In this manner, every organization worldwide that needs to know exactly who can change, control or delete Service Connection Points in their Active Directory can now accurately and instantly find out so 365-24-7, in seconds, and at the touch of a button.

So, Microsoft, you see, today this is how organizations worldwide can answer these simple yet vital cyber security questions.

In contrast, let alone providing your customers i.e. organizations worldwide, a solution, in 17 years, you haven't even told them that what they actually need to do is not to audit "who has what permissions" but to audit "who has what effective permissions"!

Need one say more?


PS: It took half a decade of laser-focused execution to make something this difficult, this easy for the world. You're welcome.

No comments:

Post a Comment