Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.



Tuesday, June 19, 2018

Some Interesting Figures from an Active Directory ACL Dump of Security Permissions from a default Windows Server 2016 Active Directory Domain

Folks,

I had only 2 minutes to blog today, so within the 2 minutes I had, I thought I'd generate, put together and share some interesting figures about the default Active Directory security permissions in a Windows Server 2016 based Active Directory domain.

It took a mere 3 seconds to do a domain-wide ACL dump of a Windows Server 2016 based Active Directory domain -

Active Directory Domain-wide ACL Dump

Domain-wide ACL Dump Download URL

You can download the entire actual domain-wide ACL dump from here.

Some Interesting Figures

Here are some interesting figures that took a minute to put together -
  • Total number of object classes instantiated in domain partition: 40
  • Total number of Active Directory objects in the domain: 242
  • Total number of Active Directory ACLs (duh, obviously!): 242
  • Total number of Active Directory security permissions (aka ACEs): 6677
  • Total number of explicit Active Directory security permissions: 1323
  • Total number of inherited Active Directory security permissions: 5354
  • Total number of inherit-only Active Directory security permissions: 3746
  • Total number of unique security principals for whom permissions are specified: 27
  • Total number of objects whose ACLs were marked "Protected": 20

  • Total number of Allow security permissions: 6677
  • Total number of Deny security permissions: 0
  • Total number of security permissions specified for Domain Admins: 246
  • Total number of security permissions specified for Enterprise Admins: 230
  • Total number of security permissions specified for Administrators: 231
  • Total number of security permissions in the ACL of the AdminSDHolder object: 24
  • Total number of security permissions in the ACL of the domain root objects: 53
  • Total number of specific extended rights specified in these security permissions: 19
  • Total number of attribute-specific write-property security permissions: 15

The exact security permissions can be viewed in the downloadable ACL dump (link provided above).



Unique Security Principals

Here's the list of the 27 unique security principals for whom security permissions are granted in the domain -
  1. Pre-Windows 2000 Compatible Access
  2. Cloneable Domain Controllers
  3. Enterprise Read-only Domain Controllers
  4. Domain Controllers
  5. Key Admins
  6. Enterprise Key Admins
  7. Creator Owner
  8. Self
  9. Enterprise Domain Controllers
  10. Administrators
  11. Incoming Forest Trust Builders
  12. Authenticated Users
  13. Domain Admins
  14. Enterprise Admins
  15. Everyone
  16. System
  17. Account Operators
  18. Print Operators
  19. Group Policy Creator Owners
  20. RAS and IAS Servers
  21. Domain Computers
  22. Network Service
  23. Cert Publishers
  24. Windows Authorization Access Group
  25. Terminal Server License Servers
  26. DnsAdmins
  27. DC1 (<domain computer account>)

The exact permissions granted to each one of these security principals can be viewed in the ACL dump (link provided above).



Instantiated Object Classes

Here's the list of the 40 object classes, instances of which exist in the domain -

  1. Domain-DNS
  2. Container
  3. Organizational-Unit
  4. Lost-And-Found
  5. Infrastructure-Update
  6. ms-DS-Quota-Container
  7. Rpc-Container
  8. File-Link-Tracking
  9. Link-Track-Volume-Table
  10. Link-Track-Object-Move-Table
  11. Domain-Policy
  12. Class-Store
  13. Group-Policy-Container
  14. NTFRS-Settings
  15. Dfs-Configuration
  16. Ipsec-Policy
  17. Ipsec-ISAKMP-Policy
  18. Ipsec-NFA
  19. Ipsec-Negotiation-Policy
  20. Ipsec-Filter
  21. ms-DS-Password-Settings-Container
  22. ms-Imaging-PSPs
  23. TPM-InformationObjectsContainer
  24. User
  25. Builtin-Domain
  26. Group
  27. Foreign-Security-Principal
  28. Sam-Server
  29. Computer
  30. RID-Manager
  31. RID-Set
  32. ms-DFSR-GlobalSettings
  33. ms-DFSR-ReplicationGroup
  34. ms-DFSR-Content
  35. ms-DFSR-ContentSet
  36. ms-DFSR-Topology
  37. ms-DFSR-Member
  38. ms-DFSR-LocalSettings
  39. ms-DFSR-Subscriber
  40. ms-DFSR-Subscription

Each instance of these object classes, along with its complete ACL, can also be viewed in the ACL dump (link provided above).



Permission-Specific Breakdown

Finally, here's a breakdown of the number of security permissions of each Active Directory permission type -
  • Number of security permissions (ACEs) granting Read Control (RC): 1977
  • Number of security permissions (ACEs) granting List Child (LC): 2171
  • Number of security permissions (ACEs) granting List Object (LO): 1968
  • Number of security permissions (ACEs) granting Read Property (RP): 5704
  • Number of security permissions (ACEs) granting Write Property (WP): 2072
  • Number of security permissions (ACEs) granting Create Child (CC): 1001
  • Number of security permissions (ACEs) granting Delete Child (DC): 779
  • Number of security permissions (ACEs) granting Standard Delete (SD): 803
  • Number of security permissions (ACEs) granting Delete Tree (DT): 586
  • Number of security permissions (ACEs) granting Extended Right (CR): 1299
  • Number of security permissions (ACEs) granting Validated Write (SW): 1389
  • Number of security permissions (ACEs) granting Modify Permissions (WD): 978
  • Number of security permissions (ACEs) granting Modify Owner (WO): 978

Finally, the exact ACEs that specify each one of these permissions can also be viewed in the ACL dump (link provided above).



Detailed Security Permissions Analysis

Time permitting, you can analyze the entire ACL dump to perform detailed Active Directory security permissions analysis. Since the tooling splits the permissions field up into individual columns for permissions, it makes it very easy to analyze these ACLs.

For instance, you can easily find out exactly what security permissions are granted to a specific user or group, or find out exactly which users or groups are granted a specific Active Directory permission. You can also easily identify all inherit-only security permissions, as well as all Allow permissions, Deny permissions, Explicit permissions, Inherited permissions etc. I could go on with many more interesting facts/figures, but I'll stop here because my 2 minutes are up :-).

BTW, this is super easy and what we consider child's play (which is also why I didn't want to give this more than 2 minutes of my time). Since it took just 3 seconds to dump these ACLs, I was happy to give it 2 minutes. Oh, and we use our own tooling.

Alright then, my 2 minutes are up, so back to work.

Thanks,
Sanjay

Thursday, January 5, 2017

The World's Best Active Directory ACL / Security Permissions Audit Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 5th.

Active Directory ACL / Security Permissions Audit - A Basic Need

Today virtually every organization that operates on Microsoft's Active Directory has a basic and essential need to be able to easily view, analyze and audit Active Directory ACLs (Access Control Lists) because Active Directory permissions ultimately protect virtually all of the organization's IT resources. A few examples of such basic Active Directory ACL audit needs include -


  1. What security permissions/rights does a specific user/group have in a specific Active Directory object's ACL?
  2. Who has a specific Active Directory security permission allowed in the ACL of a specific Active Directory object?
  3. Which ACEs (access control entries) grant a specific Active Directory security permission to various security principals?
  4. Which ACEs explicitly deny a specific Active Directory security permission in an object's ACL?
  5. Which ACEs explicitly grant a specific Active Directory security permission to a specific user or group in an object's ACL?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.

To fulfill their ACL analysis needs, IT admins worldwide use numerous means, such as writing in-house LDAP/ PowerShell scripts, using free MS tools like dsacls, acldiag, LDP etc., or relying on some 3rd party audit tools many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) Active Directory ACL analysis, viewing and dump tool that can help easily & trustworthily fulfill all Active Directory ACL/permissions audit needs.

So we built possibly the world's best (most advanced) Active Directory ACL Viewer and Exporter that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their basic Active Directory ACL/permissions audit needs.



Gold Finger Active Directory ACL / Security Permissions Audit and Dump Tool

The Gold Finger Active Directory ACL Viewer and Exporter is the world's most advanced and trustworthy Active Directory ACL/Permissions Audit Tool -

Gold Finger Active Directory ACL Audit Tool, Viewer and Exporter
If you can touch a button, you can now easily, comprehensively and above all, trustworthily view, analyze, audit as well as instantly export/dump Active Directory ACLs and security permissions/rights, both on a per-object and a domain-wide basis.


Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Complete View – Obtain a complete, fully sortable view of the ACL (both DACL & SACL) of any Active Directory object.
  2. Detailed View – Obtain a detailed view wherein each ACL field is expanded into individually sortable columns.
  3. ACL Exports – Export the complete ACL of an Active Directory object for analysis, comparison, archival and audit.
  4. Tree-wide ACL Exports – Export/dump the ACLs of all Active Directory objects in any Active Directory tree (e.g. OU).
  5. Advanced ACL Export Options – Export only those ACLs that are marked Protected or owned by a specific user/group.


Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Rich Analysis - IT personnel can easily analyze every aspect of the ACL, including sorting the ACL by individual Active Directory security permissions (e.g. Write Property, Extended Right etc.), inheritance fields etc.
  4. Instant Export - IT personnel can easily export/dump the ACLs of any, some or all Active Directory objects. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory ACL/permissions audits you can perform with Gold Finger -

  1. Alphabetically sort the ACL on the AdminSDHolder object to list all security principals for whom access is specified.
  2. Identify all permissions in the ACL of the Administrators group object that grant Write Property - Member permissions.
  3. Export/dump the ACL on the Enterprise Admins group object to furnish it as evidence for a regulatory compliance report.
  4. Identify every permission in the ACL on the Corporate OU object that grants a user or group Create Child permissions.
  5. Enumerate the list of all security permissions in the ACL of the Help Desk Operators object that are Explicit in nature.
  6. Instantly dump/export the security permissions/ACLs of all objects contained in any Active Directory domain/partition.
  7. Easily dump/export the security permissions/ACLs protecting all executive (e.g. all C*O) and privileged user accounts.
  8. Instantly dump/export Active Directory security permissions/ACLs protecting all Organizational Units in a domain.
  9. Obtain a snapshot of all Active Directory permissions/ACLs protecting the Configuration, Schema and domain partitions.
  10. Dump/export Active Directory security permissions/ACLs to a file to furnish evidence for a compliance/security audit.



Trusted Worldwide

Today, our Gold Finger Active Directory ACL Viewer and Exporter is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill all their basic Active Directory ACL/security permissions/rights analysis and audit needs.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.

Wednesday, August 3, 2016

How to Easily Dump/Export Active Directory Security Permissions/ACLs

Folks,

Today, I'd like to take a small break from some important technical stuff and cover some very simple stuff, which is to share with you the easiest way in the world to dump/export Active Directory security permissions/ACLs, because this is elemental.

But first a very quick overview of Active Directory security permissions and ACLs might be helpful.

If you want to get straight to the details, you can skip to section 3 below.




1. A Quick Overview of Active Directory Security Permissions and ACLs

As you may know, every object in Active Directory is protected by an access control list (ACL), which is comprised of zero or more access control entries (ACEs), each one of which allows or denies a specific set of security permissions (of which there are many in Active Directory) to a specific security principal (a user, group or well-known security principal).

Active Directory Security Permissions specified in an Active Directory Access Control List (ACL)


Together, the security permissions specified in an Active Directory object's ACL serve to protect that Active Directory object, and specify who is allowed or denied what security permissions on that object (which of course includes all its attributes).

Since even a quick overview of the various permissions in Active Directory could take a few paragraphs, here's a pointer to a very quick overview of the Active Directory Security Model and Active Directory security permissions, which as you may know, include over a dozen generic permissions, dozens of extended rights and several validated writes. Alternatively, you can refer to Appendices C, D and E of Microsoft's official whitepaper on administrative delegation, which I wrote back in 2003.

In essence, Active Directory ACLs and the security permissions specified within them control access to the entirety of Active Directory content, and thus lie at the very foundation of cyber security in a Microsoft Windows Server based IT infrastructure.




2. The Need to be able to Dump/Export Active Directory Security Permissions/ACLs

IT personnel responsible for administering Active Directory deployments, delegating and maintaining administrative authority in Active Directory, provisioning secure access for applications and other stakeholders to Active Directory content, auditing Active Directory security etc. often have a need to be able to dump/export Active Directory Security permissions/ACLs.

In fact, here are 5 specific use-cases -
1. Perform security analysis to identify who is specified what access across an Active Directory domain
2. Identify the list of all security principals that have any sort of access granted in an Active Directory domain
3. Determine what security permissions are granted to whom, where and which ones in Active Directory
4. Obtain a detailed, fully-sortable view of all security permissions/ACLs in an Active Directory partition. 
5. Export/dump an Active Directory object's ACL for detailed offline-analysis, comparison, audit and archival.

Today these needs are elemental to the foundational cyber security of virtually every Active Directory deployment in the world.





3. The World's Easiest Way to Dump/Export Active Directory Security Permissions/ACLs

Today the easiest, fastest and most reliable way to dump/export Active Directory security permissions/ACLs in Active Directory is via this specialized Active Directory ACL Viewer and Exporter tool - 
Gold Finger Active Directory ACL Viewer and Exporter


Click, Done. If you can click a button, you can export Active Directory security permissions/ACLs in seconds. It's that simple.


Active Directory Security Permissions/ACL Dump


Here's some sample output (you can click the image below to enlarge it, and download the complete CSV file from here) -
Active Directory ACL Dump
 
The Active Directory security permissions/ACL dumps generated by the tool are very easily sortable by virtually every relevant field, including object type, object name, distinguished name, permission type (Allow/Deny), security principal, each of the 13 individual generic Active Directory permissions (RC LC LO WO WD SD DT CC DC CR SW RP WP), attribute/class, inheritance, applies to and inheritance flags (CI (Container Inherit), ID (Inherited), IO (Inherit-Only) and NP (No Propagate)), making it very easy to sort the data by any field, and easily perform rich and efficient ACL/security analysis.

In fact, with this dedicated tool, if you can click a button, you can instantly -
1. Obtain a highly-detailed, fully-sortable view of the access control list (ACL) of any Active Directory object.
2. Analyze an Active Directory object ACL by being able to sort it by any field (e.g. Type, Security Principal etc.) 
3. Sort an Active Directory object's ACL by any of the 13 generic permission types (e.g. Create Child, Delete etc.)
4. Export/dump an Active Directory object's ACL for detailed offline-analysis, comparison, audit and archival.
5. Export/dump the ACLs of any, some or all Active Directory objects in any Active Directory partition.

Right below, I've shared 7 real-world examples, complete with their ACL dump output so you can see the data for yourself.





4. Seven Real-World Examples of Active Directory Security Permissions/ACL Dump

Here are 7 real-world examples of Active Directory ACL dumps, with actual outputs, that you can perform with this tool -

 
1. Dump the security permissions/ACLs of all objects in the domain: output
2. Dump all protected ACLs in the domain: output
3. Dump the security permissions/ACLs of all privileged users and groups in the domain: output
4. Dump the security permissions/ACLs of all users in the domain whose title contains the word Cloud: output
5. Dump the ACLs of all objects in the domain that are owned by the Builtin Administrators group: output
6. Dump the ACLs of all organizational units that are immediate children of the Corp organizational unit: output
7. Dump the ACLs of all organizational units that are up to 2 levels deep in the Corp organizational unit: output

To view the actual ACL dumps for each of the examples above, simply click on the associated output links above.
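The per-ACE column layout described in section 3 and the scoped dumps in the examples above, as an added PowerShell example rather than the Gold Finger tool's own code: it assumes the RSAT ActiveDirectory module on a domain-joined machine, and $SearchBase, $LdapFilter and $Scope are placeholders for the scope you want to audit.

```powershell
# Added example (not Gold Finger's code): one row per ACE for every object in scope,
# with the 13 generic permissions and the CI/ID/IO/NP inheritance flags as separate
# columns, so the dump can be sorted and counted the way the post describes.
# Assumes the RSAT ActiveDirectory module; the three scope variables are placeholders.
Import-Module ActiveDirectory

$SearchBase = (Get-ADDomain).DistinguishedName   # e.g. an OU DN for a narrower scope
$LdapFilter = '(objectClass=*)'                  # e.g. '(objectClass=organizationalUnit)'
$Scope      = 'Subtree'                          # Base | OneLevel (immediate children) | Subtree

# Short code -> System.DirectoryServices.ActiveDirectoryRights member
$GenericRights = [ordered]@{
    RC = 'ReadControl'; LC = 'ListChildren';  LO = 'ListObject';  WO = 'WriteOwner'
    WD = 'WriteDacl';   SD = 'Delete';        DT = 'DeleteTree';  CC = 'CreateChild'
    DC = 'DeleteChild'; CR = 'ExtendedRight'; SW = 'Self';        RP = 'ReadProperty'
    WP = 'WriteProperty'
}
$RightsType = [System.DirectoryServices.ActiveDirectoryRights]

$rows = @(foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $LdapFilter -SearchScope $Scope) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        $row = [ordered]@{
            ObjectClass = $obj.ObjectClass
            DN          = $obj.DistinguishedName
            Owner       = $acl.Owner
            Protected   = $acl.AreAccessRulesProtected    # inheritance blocked on this object
            Type        = $ace.AccessControlType          # Allow / Deny
            Principal   = $ace.IdentityReference.Value
            ObjectType  = $ace.ObjectType                 # attribute, property-set or extended-right GUID
            AppliesTo   = $ace.InheritedObjectType        # object class the ACE is scoped to
        }
        foreach ($code in $GenericRights.Keys) {
            $bit = [int][Enum]::Parse($RightsType, $GenericRights[$code])
            $row[$code] = (([int]$ace.ActiveDirectoryRights) -band $bit) -ne 0
        }
        $row.CI = $ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
        $row.ID = $ace.IsInherited
        $row.IO = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
        $row.NP = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)
        [pscustomobject]$row
    }
})

$rows | Export-Csv -Path .\ad-acl-dump.csv -NoTypeInformation

# Figures of the kind the post lists, computed from the expanded rows.
$noGuid = [guid]::Empty
[pscustomobject]@{
    Objects           = @($rows.DN | Sort-Object -Unique).Count
    ACEs              = $rows.Count
    Explicit          = @($rows | Where-Object { -not $_.ID }).Count
    Inherited         = @($rows | Where-Object { $_.ID }).Count
    InheritOnly       = @($rows | Where-Object { $_.IO }).Count
    Deny              = @($rows | Where-Object { $_.Type -eq 'Deny' }).Count
    Principals        = @($rows.Principal | Sort-Object -Unique).Count
    ProtectedObjects  = @($rows | Where-Object { $_.Protected } | Select-Object -Unique DN).Count
    ExtendedRights    = @($rows | Where-Object { $_.CR -and $_.ObjectType -ne $noGuid } |
                          Select-Object -Unique ObjectType).Count
    WritePropertyAttr = @($rows | Where-Object { $_.WP -and $_.ObjectType -ne $noGuid } |
                          Select-Object -Unique ObjectType).Count
}
```

A depth limit such as "up to 2 levels deep" is not a SearchScope option, so for that case run with Subtree and filter the returned DNs by their number of RDNs below the base.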




5. Seven Design Goals

Here are 7 design goals we had when developing our dedicated Active Directory Security Permissions/ACL Dump Tool -

1. Ease of Use - Ability to dump Active Directory permissions/ACLs at the touch of a button.
2. Complete Flexibility - Ability to use LDAP filters to customize scope of objects whose ACLs are to be dumped.
3. Scope and Depth Control - Ability to specify the scope and depth of objects whose ACLs are to be dumped.
4. Easily Analyzable and Sortable Results - The results retrieved should be rich and easy to analyze and sort.
5. Zero Dependencies - The tool should not require any configuration changes or special permissions.
6. Easy installation - The tool should be installable on any domain-joined machine in under 2 minutes.
7. Advanced Features - It should be able to perform special retrievals such as to be able to -
a. Export/dump all ACLs marked protected
b. Export/dump the ACLs of all objects that are owned by a specific user/group
c. Export/dump the ACLs of all objects with a specific Primary Group

Its specialized features embody these goals and make it substantially more capable than other tools (e.g. dsacls, acldiag, etc.)

In addition, because all of our tools are professionally built to the highest standards of security, reliability and trustworthiness, organizations do not need to worry about the accuracy, integrity or security risks associated with amateur/custom-built scripts.



Summary

Today, our Gold Finger Active Directory Security Permissions/ACL Viewer and Export Tool is used on 6 continents worldwide, by so many of the world's top business and government organizations, perhaps because it's the easiest, most reliable and trustworthy way to dump Active Directory ACLs.

To learn more + to get a free trial, visit - http://www.paramountdefenses.com/active-directory-acl-permissions-viewer.html

Of course, because we know first-hand that there's a lot more to Active Directory Security Audit than performing Active Directory ACL dumps, we also offer the world's most capable Active Directory Permissions Analyzer and the world's only accurate Active Directory Effective Permissions Tool, Active Directory Effective Access Audit Tool and the world's only Active Directory Administrative Access and Delegation Audit Tool.

In essence, we offer the world's most comprehensive suite of Active Directory security, access and effective access audit tools, all available in a single user-interface, with zero dependencies, two-minute installation and Windows-integrated security.

More information on our Gold Finger Suite is online at - http://www.paramountdefenses.com/goldfinger.html

Best wishes,
Sanjay