How to Audit Who Can Change Group Memberships in Active Directory

Dear Microsoft,

Hello. Today is Day-16 of our Active Directory Security School for you. Today, I will answer the question I had asked you on Day-15, and in doing so, we will learn about how to correctly audit who can change group memberships in Active Directory.



The Simple Trillion $ Question

Microsoft, in my previous post I had asked you a very simple Windows and Cyber Security 101 question, which was -

Who can modify the membership of a domain security group in Active Directory?

In case you're wondering why this might be an important question, as I've already explained, it is only so because today across 1000s of organizations worldwide, it is domain security groups that secure billions of organizational IT resources such as files, folders, email, data, SharePoint portals, Intranets, remote access etc. and thus they help protect trillions of dollars of wealth.


So, without further adieu, lets find out
what the answer is, shall we?! ...




First, the Incorrect Answer

Before I answer it, let me take a moment to share what the incorrect answer is, and the only reason I'm doing so is because in all likelihood, at 1000s of organizations worldwide today, this is exactly how IT personnel may be answering the question -

The Incorrect Answer

Find out / audit "who has Write-Property - Member (attribute) permissions on the security group."

Many will suggest that you can simply use tools like dsacls or acldiag, or simply write-up a PowerShell Script to do so, and most vendors will suggest using their Active Directory Permissions Audit tools. Sadly, and unbeknownst to them, they'd all be wrong!

In fact, they'd not just be wrong, they'd unfortunately be substantially wrong, and yet (and sadly,) this is exactly how most IT personnel at most organizations worldwide may be answering this question at their multi-billion dollar organizations today!

If you've been attending school diligently, then you know why this is not only the incorrect way to audit who can change group memberships in Active Directory, but also that if you use this approach to do so, you're going to end up with vastly inaccurate results, acting upon which could leave thousands of IT resources inadequately protected and thus vulnerable to compromise.

Here's why...





Now, the Correct Answer

If you've been attending school diligently, then by now you know that it is not "who has what permissions in Active Directory" that matters, but rather "who has what effective permissions in Active Directory" that matters. In fact, that is all that matters.

Thus, the correct answer is -

Find out / audit "who has Write-Property - Member (attribute) effective permissions on the security group."

Microsoft Effective Permissions Tab - Conceptually Correct Answer, But * Inaccurate and Inadequate

*Now, BEFORE you assume (and mistakenly and falsely so) that the Microsoft Effective Permissions Tab is sufficient to make this determination, please know that unfortunately not only is Microsoft's Effective Permissions Tab inaccurate, it is also substantially inadequate, as are all basic tools like dsacls, acldiag, PowerShell scripts etc. as explained in detail here and here.


I have already shared a substantial amount about Active Directory Effective Permissions, including why they are all that matters and why they are so difficult to accurately determine, which is also why the Effective Permissions Tab and virtually all other tools including dsacls, acldiag, PowerShell etc. just cannot be relied upon to accurately determine effective permissions.


To help organizational IT personnel worldwide understand this, let me share with you the only way that I know of, as former Microsoft Program Manager for Active Directory Security, to accurately audit effective permissions in Active Directory -

The snapshot above is that of the Gold Finger Active Directory Effective Permissions Calculator, which is the only tool that I know of that can correctly (i.e. accurately), automatically and adequately determine effective permissions in Active Directory.

As you can see above, we performed an Active Directory Effective Permissions Audit on a single domain security group called Executives, and we can see exactly who has Write Property - Member attribute effective permissions granted on this object.

I must mention that the only reason I have shared info about this tool here is to help everyone see exactly what it is they should be performing an audit of, and exactly what the output of such an audit looks like. You can download sample output from here.

I would encourage all organizations and IT personnel worldwide to compare the results of whatever method they might currently be using to make this vital determination on their domain security groups, with the results of a true effective permissions audit on their domain security groups. In all likelihood, in most cases the difference will be substantial, surprising and eye-opening.






Finally, Domain-Wide Assessment

Microsoft, there's an old saying that "Talk is Cheap." If I might add, "Actions are Not." If I were merely shedding light on this problem (as so many often do) without also doing something to help solve it, then I'd say the former saying would apply to me.

However, because I have the onus of representing the very best of not just Paramount Defenses, but also that of Microsoft (having been one of you), the onus of ensuring that I'm not just talking, is on me, so without further adieu, let me show you just how SIMPLE we have made the determination of such an important yet fundamental determination for the entire world.

If you can click a button, and I do literally mean just ONE button, you can now instantly, automatically and (most importantly) accurately find out exactly who can change the group membership of every single domain security group in an entire Active Directory domain, irrespective of whether it has 100 domain security groups or 100,000+ domain security groups -

Gold Finger - Active Directory Administrative (Privileged) Access and Delegation Audit Tool

Imagine that an organization has thousands of domain security groups. Within minutes, this tool can accurately determine effective permissions/access on each one of these thousands of domain security groups to determine and reveal exactly who can change their memberships, AND how they can do so. (In contrast, it would several thousands of hours to do this manually.)

Microsoft, this quite simply is the state-of-the-art when it comes to true effective access entitlement assessment in Windows based networks, and this is what can empower organizations worldwide to instantly identify (audit), lock down, and then verify (and of course subsequently audit on demand 365-24-7) that on every single domain security group in their Active Directory domain, only those individuals who should actually be able to change group memberships (and no one else) can do so.

If you wish to see the complete output of the above domain-wide effective access assessment, you can download it from here.

At so many of our customers worldwide, there are thousands of domain security groups in their Active Directory domains. Within minutes, they can instantly and accurately find out exactly who can change the membership of each one of their thousands of domain security groups, as well as find out exactly how these individuals are entitled to do so, and within just days, they have been able to completely lock down (and maintain secure) access on every single domain security group in their Active Directory.

To say that this is an eye-opening experience for them, would be to substantially understate its profound value and impact.

Note: Microsoft, as you can imagine, in the wrong hands, the same power could be used to obtain and potentially misuse extremely valuable cyber security intel (e.g. exactly who can change the membership of Domain Admins, Enterprise Admins, Built-in Admins, Executives, Employees, Contractors, Project X Confidential Access Group, Litigation Y Access Group, Next Innovative Product Z Group etc. etc.) This is why we do not indiscriminately license this tool. In fact, we only license it to organizations and only for use within their own environments.  

Something to Think About

Microsoft, in light of what I've just shared above, I'd like for you to give some serious thought to the following -

The need to know exactly who can change a domain security group in Active Directory is so basic, essential and fundamental to cyber security, yet even today, 17+ years after Active Directory was shipped, most organizations do not even seem to know how to do so correctly, let alone having the ability to do so correctly (, adequately, efficiently and on-demand.) Further, neither you, nor a single vendor (of which there are 1000s) in your global partner ecosystem have a single solution that can help the world fulfill this most basic, essential and fundamental cyber security need.

I can't help but wonder Why, and like I said, only one plausible explanation makes sense - this one (see "Here's Why" section.)





Summary

In summary, the primary objective of asking this simple question was to shed light on something that although may seem so very simple, is actually (not only) very important (but also very difficult to do correctly,) because it could possibly provide the easiest avenue for perpetrators to most easily compromise a substantially large number of organizational IT resources.


You see, in an Active Directory deployment, just about everything (i.e. all files, folders, email, SharePoint portals, applications, services, Intranet sites, remote access, Cloud access, Internet access, etc.) is ultimately protected by domain security groups.

Thus, if someone could change the membership of a domain security group in Active Directory, he/she could immediately obtain authorized access to every single organizational IT resource to which that domain security group is currently granted access.

This is why it is imperative to know exactly who can change the membership of all domain security groups in Active Directory.


The secondary objective was to help organizations worldwide understand that in order to correctly make this determination (i.e. to correctly find out who can change domain security groups in Active Directory), what they need to do is audit "who has what effective permissions" (i.e. this) and not "who has what permissions" on each single one of their domain security groups.

Finally, because "talk (alone) is cheap", I also wanted to share how easy we've made solving this problem for the entire world.


That's all for today.

Best wishes,
Sanjay


PS: Microsoft, I've some good news for you. Perhaps you may feel that I 've been a bit hard on you, but the good news is that Day-22 or so onwards, I'm going to show you and your customers just how rock-solid and trustworthy Active Directory is, how the world can easily attain and maintain least privileged access, and operate a bullet-proof Active Directory, so hang in there.

A Trillion $ Question to Microsoft regarding Domain Security Groups

Dear Microsoft,

Today is Day-15 of our Active Directory Security School for you. Since you may still be trying to grasp and comprehend the depth and complexity of what I shared with you on Day 14, I'll keep today's post/lesson really simple, short and to the point.



Domain Security Groups:  An All-Access Pass to 1000s of IT Resources

As you know, at the foundation of cyber security of most IT networks powered by Windows Server lies Active Directory.

As you may also know, in all such IT networks/infrastructures powered by Active Directory, one building block of cyber security in particular is extensively used to provision access to almost all IT resources in the network. Do you know which block it is?

Of course you do! In most IT networks powered by Active Directory, it is Domain Security Groups that are used to provision access to most organizational IT resources such as files, folders, SharePoint portals, Intranet sites etc. across the network!


In fact, in almost every Active Directory deployment in the world, today there exist 1000s of domain security groups within Active Directory that are used to provision secure access to almost the entirety of the organization's IT resources!

For anyone living on Mars, here are a few examples of such domain security groups -

1. Domain Admins - A small but all-powerful group of privileged user that possess system-wide administrative access.


2. All Employees - A large membership security group whose members include all organizational employees' accounts.


3. Contractors - A medium-sized security group whose members may include the accounts of all existing contractors.


4. Executives - A small security group whose members include all organizational executives' (e.g. C*Os) user accounts.


5. <Resource-specific> Group - One of thousands of domain security groups that may be used to provision access on various IT resources for various business purposes. For example, Legal Team, R&D Team, Product X Group, etc.

In fact, today Active Directory domain security groups are used to aggregate (group) organizational users for the purpose of facilitating secure access to just about everything in a Microsoft Windows Server based network powered by Active Directory.

And by just about everything, I do mean just about everything - computers, files, folders, documents, emails, SharePoint portals, intranet sites, line-of-business applications, data, databases, VPN, remote access, web access ... <the list goes on and on.>

Thus, it is after all Active Directory domain security groups that help secure the entirety of the organization's IT resources!


Further, often a domain security group in Active Directory gates access to either a large or a highly-sensitive set of IT resources.

It thus logically follows that possibly the easiest way to obtain access to a specific IT resource (or 1000s thereof) that is(/are) protected by an Active Directory domain security group might be to literally just be a member of that domain security group!






Which Begs A Question

If by virtue of being a member of the a specific domain security group, one could instantly and automatically get access to all IT resources protected by the domain security group, then one cannot help but ask the simplest of cyber security questions i.e. -

Who can change the membership of a domain security group in Active Directory?

After all, if someone could modify the membership of a specific domain security group, such as All Employees, or Executives, or Secret Project "X" Staff , Project "Stratosphere" Source-Code Access Group etc., he/she could instantly obtain access to literally everything (i.e. all IT resources) that specific domain security group currently has access to, across the entire network!





A Simple Example

Perhaps this is best understood with a simple example, so here's a very simple one.

Consider that its Friday evening, and that a multi-billion dollar organization is going to announce their quarterly earnings on Monday at the close of the market. Further consider that this sensitive and highly confidential information (i.e. their Earnings) resides in a simple Microsoft Excel file titled Q3 2017 P&L, the only copy of which resides on a highly-protected server that's both physically located in their ultra secure data-center, and to which (server) all suspicious network access is monitored -

Now, consider that an intruder (funded by a wealthy nefarious entity) has been able to breach their perimeter and compromise a domain-joined machine and further has been able to ascertain that this specific file contains the information this entity has an interest in acquiring prior to Monday afternoon, because if they could access this information, they could possibly make $100M.

The intruder may not be able to obtain physical access to the server on which it resides, and he/she may not want to attempt trying to breach the security of the server over the network since all suspicious network activity is being monitored, (and for all Mimikatz fans, sadly no Domain Admin either has or is going to logon to the one machine you've compromised and now 0wn), so might there be an easier way for him/her to obtain access to this file?

Consider this! He/she may not be able to access the contents of the file but he/she can view its ACL, and thus he/she can see (as shown in the snapshot above) that the domain security group Executives has Full Control over this file. So, if he/she could somehow become a member of this domain security group (or compromise the user account of an existing member of this domain security group), he/she will be able to instantly (and in fact as far as the "System" is concerned, legitimately) access the contents of this high-value confidential file without any suspicion being raised anywhere or a single alarm going off anywhere!

In effect, his/her challenge has now been reduced to finding out exactly who can change the membership of the Executives domain security group, because if he/she can compromise the account of any one such individual, he/she would literally be a minute away from being able to change the membership of that group, and thus consequently obtaining access to that file!

In other words, the entire focus of attack just shifted from a highly secured IT resource to a single Active Directory object!

(In the interest of brevity, I'm not going to into further detail, but for those skilled in the art, the rest should be obvious.)






So, Microsoft, What's the Answer?

Dear Microsoft, you are a $550 Billion company today and one of the most important and valuable organizations in the world.

(You can take that as a compliment from the CEO of the most important and valuable cyber security company in the world.)


As you'll hopefully agree, since domain security groups help protect trillions of dollars in wealth worldwide today, the discussion and example above lead us back to and prompt one of the most simple and fundamental questions in cyber security -

Question: Who can change the membership of a domain security group in  Active Directory ? ( and ideally that of each domain security group in each one of 1000s of Active Directory domains of business and govt. organizations worldwide? )

Microsoft, you have now had 17+ years to demonstrate your deep expertise and thought leadership to the World in the vital Active Directory Security, Windows Security and the Cyber Security spaces, and you've spent Billions on it, so I ask you -

"Do YOU think this (i.e. the one above) is an important question for organizations to know the answer to, 

  and if so, can YOU please (at least) tell them HOW they can/should answer this question?!"

Oh, and since you're Microsoft, I have just one more question for you
(i.e. an opportunity for you to earn a few bonus points ;-) ) -

"Can YOU help them answer this question?"

That's it for today. The answer tomorrow on Day 16.

Best,
Sanjay


PS: See, I told you that today's would be a much simpler question than the previous one i.e. this one. Besides, if you've been attending your school regularly, by now you know that this is a rhetorical question that I've already answered many times over!


PS2: Microsoft, I may be a bit hard on you, but please know that I care deeply for you, and that you enjoy my goodwill. By the way, if I'm hard on you, its only because I feel that you had 17 years to educate your customers about this / this, yet you didn't, and likely as a result 1000s of organizations worldwide are blissfully operating in the dark, minutes away from compromise :-(

How to Audit Who Can Delete an Organizational Unit in Active Directory?

Dear Microsoft,

Today is Day-14 of our Active Directory Security School for you. Today, I will answer the question I had asked on Day-13 by teaching you how organizations worldwide can correctly audit who can delete an Organizational Unit (OU) in Active Directory.


Microsoft, like my other posts, this one too likely impacts Trillions of $ worldwide, so you'll want to read it with utmost attention.

This post also demonstrates the extent to which your entire global organizational customer-base is operating in the dark today.

So let's proceed, shall we? By the way, if you haven't already done so,
before reading this post, you'll absolutely want to read this post.





Such A Simple Question

The simple question I had asked in my last post was -

     How do organizations find out "Who can Delete an Organizational Unit in Active Directory?"

Microsoft, you likely may not know the answer to this simple question,
so I'll help you and the world figure out how to do this correctly...





First, Let's Rule out the Incorrect Answer

Before I share the correct answer to this most simple of Active Directory questions, let me help the world rule out the incorrect answer, which incidentally may be how 99% of all organizations worldwide may have been answering this question thus far.

If you were to ask this simple question to most self-proclaimed Active Directory Security experts out there, or even to numerous highly-accomplished Active Directory experts and gurus, or to most vendors in the Active Directory solutions space that develop and sell "Active Directory Permissions Audit" solutions, or to thousands of folks who participate in tech forums such as Microsoft TechNet, here's the answer you're most likely to get -

"Oh, this is easy! Simply find out "who has what Standard Delete permissions on the OU", and that's it!"

Many will suggest that you can simply use tools like dsacls or acldiag, or simply write-up a PowerShell Script to do so, and the vendors will suggest using their Active Directory Permissions Audit tools. Sadly, and unbeknownst to them, they'd all be wrong!

acldiag on ou=corp,dc=root,dc=local

In fact, they're not just wrong, they're substantially and dangerously wrong, and yet (and sadly,) this is exactly how most IT personnel at most organizations worldwide may be answering this question at their multi-billion dollar organizations today!

Here's why...






Now, The Correct (And Not So Simple) Answer

This question may be simple, but the answer certainly is not. You see, to answer this question correctly, one needs to consider just what is involved in the deletion of an OU, and although its complicated, I'll do my best to explain it as succinctly as I can -



I. First, The Three Delete Permissions

To begin with, when it comes to deletion, there are three (3) Active Directory security permissions that influence deletions.

1. Standard Delete - The Standard Delete permission controls the ability of a security principal to delete the Active Directory object in whose DACL the permission resides.


2. Delete Child - The Delete Child permission controls the ability of a security principal to delete a child object directly underneath an object. If the ObjectType member of the ACE in which this permission is specified specifies a GUID of a specific Active Directory object class, the permission only controls the ability to delete child objects of the specified Active Directory class. If the ObjectType member of the ACE does not specify a GUID, then the permission controls the ability to delete child objects of any Active Directory class.


3. Delete Tree - The Delete Tree permission controls the ability of a security principal to delete an entire (sub-)tree of objects regardless of the permissions specified on the individual objects in the tree. The root of this tree is the object in whose DACL this permission resides.

II. Second, The Access Checks

When a security principal attempts to delete an Active Directory object, he/she must have one of the following access rights -

1. Standard Delete on the object itself, OR


2. Delete Child permissions (for that object type) on its parent object

By the way, this isn't some secret; this is straight from Microsoft MSDN right here.

Further, and additionally, if a security principal's deletion request involves the Delete Tree operation, then if the security principal has sufficient (i.e. effective) Delete Tree permissions on the object that is the target of that operation, then he/she will be able to delete the entire tree of objects regardless of the permissions granted on the child objects.





III. In Light of the Above, Consider This -

With the above theory in mind, now let us consider what it might take to delete a top-level Organizational Unit (OU) that may have thousands of Active Directory objects (such as domain user and computer accounts, security groups and OUs) within it.

In order to be able to successfully delete this top-level Organizational Unit -

1. If the user has sufficient Delete-Tree effective permissions on the OU AND he/she uses the Delete Subtree Control, he/she will be able to delete the entire OU irrespective of the permission specified on all the child objects in the OU.


2. If the user does not have sufficient Delete-Tree effective permissions on the OU, then he/she will only be able to delete the entire OU if he/she has sufficient access so as to be able to delete the entirety of all objects contained in the OU (including the OU object itself), and by that I mean that in order to be able to delete the entire OU, he/she will need to have ON EACH OBJECT in the OU (including on that OU object itself), either OF 1) Standard Delete effective permissions on the object, or 2) Delete-Child effective permissions on its parent object.

In short, as one can see, in order to be able to determine who can delete an OU in Active Directory, irrespective of whether or not it is a top-level OU, organizations will have to determine effective permissions on EVERY SINGLE OBJECT in that OU!

Thus, to correctly find out who can actually delete a top-level Organizational Unit (OU) that may contains thousands of Active Directory objects, IT personnel will need to accurately determine effective permissions on thousands of Active Directory objects!




IV. Oh, The Most Important Part

Now, the most important part here is not that IT personnel will have to audit access on not just one Active Directory object (i.e. the OU itself,) but on thousands of Active Directory objects; that of course is very important. The MOST IMPORTANT part here is that IT personnel will need to determine Active Directory Effective Permissions on thousands of Active Directory objects!

I cannot stress this enough - to make this determination, today, all that most organizations may be doing is trying to find out "who has what permissions on an Organizational Unit('s object)" WHEREAS what they need to be doing is trying to find out "who has what effective permissions on all the objects in that Organizational Unit( including that OU object itself)."

I'll say that again. Today most organizations are likely merely performing a useless "Active Directory Permissions Audit" on the OU object itself to try and find out who has Delete permissions on the OU. What they need to be doing is performing an "Active Directory Effective Permissions Audit" on not just the OU object itself, but on every single object in that OU, to find out who effectively has the effective permissions I have mentioned in point 3 above!

The difference is HUGE, and in fact, the difference between having accurate and inaccurate insight could mean the difference between preventing someone from being able to enact a MASSIVE denial-of-service attack or letting them successfully do so!

Microsoft, hopefully now you and thousands of organizations worldwide can see why it is not only completely useless to perform an "Active Directory Permissions Audit" but also that infantile tools like dsacls, acldiag, PowerShell, or any one of many Active Directory permissions audit tools from any one of numerous vendors out there cannot help make this determination accurately!

Side-note: For folks on Twitter, such as one who said this regarding this - "That's it? Make sure your delegation is tight and...no big deal" (here), well this is also what one might consider a delegation in Active Directory, and so trying to find out who can delete a top-level OU would fall under making sure your delegations are tight.  

Thus, I'd really like for this gentleman to not just talk the talk, but walk the walk, because there is a mountain of a difference between the two, and since he makes it sound so easy, perhaps he should show the world how to make sure this delegation is tight!  (Even if he tried for a 100 years, I doubt he'd likely be able to do it.)

Click, Done.

We just established above that trying to find out who can delete a top-level Organizational Unit could be a massive challenge, since it would require organizations to determine effective permissions/access on potentially thousands of objects in that OU.

Now, thanks to you Microsoft, thousands of organizations worldwide don't even seem to know what "effective permissions" are, so obviously for them to possess the ability to determine "effective permissions" correctly is to expect too much from them, in which case obviously, trying to do the above would be almost impossible for them!

So, wouldn't it be nice if someone could make this almost impossible problem a little easier to solve for the whole world?


I think it would. How easy you ask?   Well, how about as easy as touching
a single button?! (Wait, isn't this supposed to be almost impossible?) ...


Here you go (; isn't it amazing what half a decade of laser-focused innovative R&D can do?) ! - 

Gold Finger - Active Directory Effective Access Audit Tool

What you're seeing above is a snapshot of the world's only accurate Active Directory Effective Access Calculator, a tool that can instantly and of course accurately audit and reveal exactly who can delete entire organizational units in any Active Directory in the world, even one that contains thousands of Active Directory objects in it, within a matter of minutes, if not within seconds!

If you wish to see the complete output of this effective access assessment on the Corp OU, you can download it from here.

In fact, not only can it accurately audit and reveal who can delete OUs, it can accurately audit and reveal who can enact 100+ administrative tasks that can be enacted on Active Directory content, such as exactly who can create, delete and manage OUs, accounts, groups etc. anywhere in Active Directory + how they can do so, which is what we need to know to tighten delegations.

This powerful tool is unique in is ability to correctly audit who can delete an organizational unit in Active Directory, in light of the technical details I've shared above, and irrespective of whether the organizational unit contains 100 objects or 100,000 objects.





A Picture Speaks a 1000 Words

The substantial complexity in trying to audit who can delete an OU in Active Directory is perhaps best illustrated with pictures -

If you take a closer look at the Status message in the snapshot of the tool displayed above, you will see that it indicates that during the process of trying to find out who can delete this one single top-level Corp OU, the tool analyzed 11528 ACEs!

That's a bit intriguing, because all we requested was an effective access assessment on a single object i.e. a single top-level OU named Corp, yet the status message indicates that the tool had to analyze 11,528 access control entries (ACEs) to make this one single determination! There couldn't possibly be that many ACEs in the ACL of a single Active Directory object!

This definitely merits a closer look!

In the interest of time, I'll make this super simple for you...


First, in one second, using Gold Finger's Active Directory Security Audit Tool, we find that there are 263 objects in the Corp OU:

Next, in less than five seconds, using Gold Finger's powerful and comprehensive Active Directory Permissions Analyzer, we determine that there are indeed a total of 11494 access control entries (ACEs) on the 263 objects that exist in the Corp OU -

(In fact, an instant Corp OU-wide ACL dump performed with Gold Finger's Active Directory ACL Exporter tool confirms this.)


Now, some basic Kindergarten math i.e. subtracting 11494 from 11,528 leaves us with 34 ACEs.


Hmm, if we consider the Corp OU's parent object i.e. the domain root, and use the Gold Finger Active Directory ACL Viewer to view its ACL, we see that there are exactly 34 ACEs in the ACL of the Corp OU's parent object, i.e. the domain root object -

(By the way, in case you want to view the entire ACL as exported from this nifty tool, it can be downloaded from here.)


Thus, if in the process of determining effective access to find out exactly who can delete the Corp OU, Gold Finger analyzed 11,528 ACEs to make this assessment, it must have analyzed 11,494 ACEs that exist in the ACLs of the 263 objects in the Corp OU (including the Corp OU's ACL itself) as well as the 34 ACEs that exist in the ACL of its parent object, the domain root, since 11,494 + 34 = 11,528!

In other words, to find out who can delete a single top-level OU, one needed to determine effective permissions on not just every single object in the OU, but also on the parent of the OU object!

Here's why -

1. It needs to determine who has sufficient Delete-Tree effective permissions on the Corp OU object itself, because all users who have this effective permission on the OU will be able to delete the OU.


2. It needs to determine who has sufficient blanket Standard-Delete effective permissions on the Corp OU object itself AND either Standard-Delete effective permissions on every single object in the OU OR Delete-Child effective permissions on the parent of every such object , because all users who have this combination of effective permissions in this subtree will also be able to delete the OU.


3. It may optionally need to determine who has sufficient blanket* Delete-Child effective permissions on the Corp OU object itself, if this OU only had a single level of child objects in it, because then all users who have this effective permission on the OU will also be able to delete the OU.


4. Finally, it needs to determine who has sufficient Delete-Child effective permissions on the parent of the Corp OU object i.e. the domain root object, since that will also influence who can delete the Corp OU (assuming all such users also have sufficient access to be able to delete all objects in the Corp OU except the Corp OU object itself!)

Note - Strictly speaking, there is one other case to take into account (, and our unique tool can optionally take that into account) but I'm not going to mention it here.

So you see, in order to answer what is seemingly such a simple question, one needs to accurately determine effective permissions on every single object in the OU as well as on its parent object!

Now, in the simple example we saw above, there were only about 260 objects in that top-level OU. In the real world, at so many organizations, there are thousands of objects in a top-level OU. In fact, at many large organizations there could be well over 50,000 to a 100,000 objects in a top-level OU!

At most of these organizations, let alone possessing the ability to accurately determine effective permissions in Active Directory, thanks to the lack of any guidance whatsoever from Microsoft, IT personnel may not even know that to make this seemingly simple determination, they need to be able to determine effective permissions on thousands of objects!

Oh, and this is how much effort it takes to make this determination on one OU. What if an organization had 50 or a 100 OUs?! (One of our customers had 20,000 OUs in their Active Directory.) To do so, you'd have to proverbially scale Mount Everest!





[A Small Digression...

The Protect Object from Accidental Deletion Feature

This discussion wouldn't be complete without a quick mention of your feeble Protect Object from Accidental Deletion feature, which is (more of a hack than a feature) designed to accomplish exactly what it states i.e. prevent accidental deletions of OUs.

I imagine that so many organizations out there must think that if this feature is enabled on an Organizational Unit, then that Organizational Unit cannot be deleted, PERIOD. That is a misconception that should be clarified for everyone once and for all.

You see, when you activate this feature on an Organizational Unit, all that the System does is that it introduces two access control entries, one on the object on which it is activated, and one on its parent object, and these are the ones -

Deny  Everyone    Delete, Delete Subtree      (This one is in the ACL of the target object) 

Deny  Everyone    Delete All Child Objects   (This one is in the ACL of the parent object)

It is the presence of these two explicit deny permissions that protects the target object from being accidentally deleted.

Now, of course, anyone who could change the permissions on either the target object or on its parent object could effectively undo, modify or remove these permissions, leaving the object vulnerable to deletion, whether it be accidental or intentional.

But more importantly, it doesn't even take that much to intentionally circumvent this feature!

Specifically, anyone who has sufficient Delete-Tree effective permissions on the parent** object of the object that is protected from accidental deletion could effectively delete the entire subtree rooted at the parent object, and as a consequence, this object (and if happens to be the root of a subtree, such as a top-level OU, then that entire OU) too would end up getting deleted!

So, if you truly want to know exactly who can delete an Organizational Unit, even one that is protected from accidental deletion, you'll also want to find out who has sufficient Delete Tree effective permissions on its parent*** (and technically, all the way up!)

For instance, let us consider another example in which we take a look at the Cyber Security OU (whose properties are displayed in the snapshot above) which as one can see in the snapshot above, is protected from accidental deletion.

As seen below, when a user Michael Karp tries to delete this Cyber Security OU, he is (consequently) unable to do so -

However, if we analyze Active Directory Effective Permissions on the parent OU of the Cyber Security OU, which is the Corporate Security OU, we see that although Michael Karp may not be able to delete the Cyber Security OU, he does in fact have Delete Tree effective permissions on its parent object, Corporate Security OU -

(Incidentally, this tool shown above is the world's only accurate Active Directory Effective Permissions Audit Tool.)

To see the complete output of the effective permissions audit on the Corporate Security OU, you can download it from here.

So, Michael Karp launches LDP and tries to delete the parent OU, i.e. the Corporate Security OU using the Delete Tree control, and he is successfully able to do so, as a result of which the entire Cyber Security OU (which was protected from accidental deletion) is now also deleted -

In the LDP snapshot above, here's what the four numbers indicate -

1. Unsuccessful attempt to delete the Cyber Security OU (since its protected from accidental deletion)


2. Unsuccessful attempt to delete the Corporate Security OU (i.e. the parent OU) using various standard delete options


3. Successful deletion of the entire Corporate Security OU using the extended Delete Tree operation and control


4. Confirmation that the entire Corporate Security OU no longer exists i.e. no such object!

So you see, this little (hack of a) feature does exactly what it says, prevent an object from accidental deletion!


... End of Small Digression.]






Scaling Mount Everest

Now, just prior to the small digression above, we had started giving some thought to just how much effort it might take to make this determination in an Active Directory domain that had numerous OUs (e.g. 20+), and I had had left it by saying that to do so, one would have to proverbially scale Mount Everest!

Consider that you needed to find out exactly who can delete every single OU in an Active Directory domain that had 50 OUs.

How would you do so? Well, you would have to manually perform the above process on every single OU in the domain (, and by now I shouldn't have to tell you that not only is that almost impossible, if attempted it could take months to do!)  OR ...

What if someone could fully automate performing this Herculean feat for the world, so all you had to do was touch a button?!

Here you go (; its amazing what else half a decade of laser-focused innovative R&D can do) ! -

What you're seeing above is a snapshot of the world's only accurate and fully-automated Active Directory Administrative Access / Delegation Audit Tool, a tool that can instantly and of course accurately audit and reveal exactly not only who can delete every single entire organizational unit in any Active Directory in the world, even one that may contain thousands of Active Directory objects in it, within a matter of minutes, if not within seconds, but in fact can accurately audit and reveal exactly who can perform virtually the universe of all administrative tasks that may be possible in Active Directory.

If you wish to see the complete output of the domain-wide OU deletion effective access audit, you can download it from here.

For example, not only can it accurately audit and reveal exactly who can delete every single OU in an Active Directory, it can also accurately audit and reveal exactly who can create, delete and manage every single domain user account, domain computer account, domain security group, container, OU, service connection point, print-queue etc. in Active Directory.

As it pertains to object deletions, simply put, whether you have one OU in your Active Directory or whether you have 100s of OUs, this tool can instantly, automatically and above all, correctly determine exactly who can delete each one of these OUs.


(Of course, if it couldn't deliver such paramount cyber security insight at the touch of a button, it wouldn't be called Gold Finger, i.e. a tool that can deliver informational security gold at the touch of a single button (i.e. at the tip of a finger), thus the name.)

But, this isn't about promoting the tool so I'm not going to say any more about it. The only reason I mentioned it, is to prove that if one truly cares for the world and puts one's mind to it, even such an incredibly difficult technical challenge can be solved. In contrast, you (Microsoft) couldn't even educate the world about the importance of effective permissions over an entire decade :-(






This Impacts of Trillions of $ Worldwide

Microsoft, as you obviously know, literally the entire world is running on Active Directory today. In effect thousands of organizations, many of whose market capitalization is easily in the billions of dollars, operate on Active Directory.

Consequently, today foundational Active Directory deployments help secure and protect trillions of dollars of wealth worldwide.

Now, at these organizations, the entirety of their domain user accounts, computer accounts, security groups etc. all reside in their foundational Active Directory deployments, within organizational units of course!

At most of these organizations no one has any idea as to exactly who can delete not just all their OUs, but even their top-level OUs in their foundational Active Directory deployments, and thus most of them may be minutes away from an intruder or a malicious insider being able to launch a crippling denial-of-service attack in seconds, by simply deleting their top-level OU(s)!

Were such an attack to be launched on them internally, organizations that have up-to-date backups may experience an entire day of downtime, and organizations that do NOT have up-to-date backups could experience days (if not weeks) of downtime!

Now, I don't have to tell you how much one day of downtime could cost a multi-billion dollar organization that has thousands of employees. This would in effect be a massive organization-wide denial-of-Service attack most easily executed in ONE second!

Oh, and if you know of any company that could survive weeks of downtime in today's fiercely competitive world, let me know.

In essence, due to a complete global lack of ability to obtain accurate effective access insight into something as simple as who can delete an organizational unit in Active Directory, trillions of dollars of wealth across the world could be so easily impacted!





In Summary

Microsoft, in summary, here are the salient points I wanted to convey to you concerning this vital topic -

1. Active Directory is the foundation of cyber security at 1000s of organizations worldwide, and in the Active Directory deployments of these organizations, all their building blocks of cyber security are stored in Organizational Units.
   
   In the Active Directory of most organizations, an excessive number of individuals may have sufficient effective permissions/access to be able to delete these Organizational Units, yet no one knows exactly who they are.


2. Should someone be able to delete one of these Organizational Units, especially a top-level one, he/she would basically and most easily have inflicted a massive internal denial-of-service (DoS) attack on the entire organization within minutes, since no one (including of course all employees, contractors, senior executives including C*Os, as well as IT personnel) will be able to log-on or engage in their computing activities, until the Active Directory is restored using a backup.
   
   Organizations that have an up-to-date backup of their Active Directory may be able to recover within a day, but at organizations that do not have an up-to-date AD backup, it could take weeks to recover from such an attack. 


3. Organizations thus must know at all times exactly who can delete their Organizational Units. This is not just a "nice to know" thing; this is an integral part of cyber security and thus a responsibility the organization has to its stakeholders, predominantly its shareholders as well as its customers, partners, employees and others.


4. Sadly, thanks mostly to you Microsoft, IT personnel at most organizations worldwide don't even know how to correctly audit who can delete their OUs, so obviously they are far away from being able to identify and lockdown who could launch such a simple yet massive internal DoS attack that could cost them millions of dollars per occurrence.


5. Let alone possessing the ability to help these organizations figure this out, you haven't even educated them about how to correctly do so, which is concerning, given that you're going all out to woo the world to embrace your Cloud offering!
   
   I felt that it was important for organizations worldwide to know why it is so important for them to know exactly who can delete their Organizational Units, esp. top-level OUs, so, above I have now educated them about how they can do so.
   
   I just find it concerning that even though here we are in 2017, i.e. 17 years after Active Directory was shipped, and yet someone is having to explain such a basic and fundamental aspect of Active Directory and cyber security to the world!

Given what it is we do here at Paramount Defenses, my time is very valuable, and while we're doing our bit to help secure and defend organizations worldwide, you, the $550 B Microsoft, need to do your bit by educating your customers about this stuff!

We are here to help them, but we cannot educate them all about such basic cyber security stuff - that's your responsibility.

Best wishes,
Sanjay


PS: To Satya and team at Microsoft, you may want to ask your IT folks if they know exactly who can delete your own OUs. If they too need help figuring it out, feel free to give us a call, and time permitting, we'll be happy to consider helping them out.


Aug 30, 2017 Update - I penned this today to help organizations better understand the importance of what is shared above.

An ACE Up the Sleeve: Designing Active Directory ACL Backdoors

Folks,

Earlier today, two fine gentlemen gave a nice presentation titled An ACE Up the Sleeve: Designing Active Directory ACL Backdoors at the Black Hat Conference 2017.

Here's the abstract of their presentation -

"Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise. 

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability. 

This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy," and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described."

I didn't have to be there to know that this would be a well-received and fascinating presentation.  Nice work, gentlemen!



The World of Active Directory ACLs

I'd like to welcome them to the important world of Active Directory ACLs. Even though they may have recently discovered this fascinating world, they're still far ahead of thousands of organizations worldwide, which only goes to prove what I've said here.

Active Directory ACLs

Given how much time they may have spent on Active Directory ACLs (even in just the last few months), they'll likely get this.

Let me tell you that they are a 100% correct that within the ocean of Active Directory ACLs that exists in every Active Directory deployment worldwide, there are a million (pl)ACEs for a intruder/perpetrator/insider to hide within, oh, and for anyone who knows how to find them, there are also thousands of  exploitable Active Directory privilege escalation paths to find.

They may also have shown you how to design Active Directory DACL backdoors, including ways to evade current detections, assuming by current detections, they're referring to the use of existing tooling like dsacls, acldiag, PowerShell scripts, <fill in the blank with your favorite Active Directory ACL analyzer/permissions audit tool> to analyze Active Directory ACLs, you know the tools most IT personnel having been using for years at 1000s of organizations because Microsoft never educated them better.

Fortunately, and they may not know this, organizations that possess the right tooling can now easily identify and eliminate all such insecure (pl)ACEs leaving no place left to hide in Active Directory ACLs i.e. there'll be zero ways left to evade detection.

   Zero!      нуль, nul, صفر , 零,Null, μηδέν, ʻole, אֶפֶס , शून्य, ゼロ,제로, nihil, sero !

So, what is the right tooling ?  Well, I will be penning a post titled something along the lines of  No more (pl)ACEs To Hide : Identifying Active Directory ACL Backdoors and/or How to Thwart Persistence In Active Directory in a few days, so you'll just have to wait for it, but if you're curious, I'll give you a big hint; it has to do with this - Active Directory Effective Permissions.

Over all, these gentlemen are spot-on and 100% right, and I sincerely commend their efforts to help organizations become aware of the vulnerabilities that lie deep within the thousands of ACLs inside their foundational Active Directory deployments.  




How to Identify and Thwart Sneaky Persistence in Active Directory

[Nov 22, 2017 Update] - Here are two posts on how to identify and thwart sneaky persistence in Active Directory -

1. How to Easily Identify and Thwart Sneaky Persistence in Active Directory


2. How to Identify and Thwart "Real" Sneaky Persistence in Active Directory

Best wishes,
Sanjay



PS: A Helpful Reading List - For everyone who'd like to get into the fascinating world of Active Directory Security/ACLs -

Best Practices for Delegating Active Directory Administration (especially the Appendices, and the other guides + the free LDP tool.) Defending Active Directory Against Cyber Attacks (Microsoft) Defending Active Directory Against Cyber Attacks (Paramount Defenses) Advanced Active Directory Security School for Microsoft