Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Showing posts with label dsacls. Show all posts

Friday, September 15, 2017

How to Audit Who Can Change/Control/Delete a Service Connection Point in Active Directory?


Dear Microsoft,

Today is Day-18 of our Active Directory Security School for you. Today, I'll answer the question I had asked you on Day-17, and in doing so, along with you, we will also help thousands of organizations worldwide find out how to correctly audit who can change, control or delete Service Connection Points in their Active Directory deployments.



First, A Quick Recap

If you have yet to read the previous post, which can be found here, you may want to do so to get sufficient context for this post.

In the previous post, we had talked about what a Service Connection Point is, and how numerous Active Directory-integrated applications, both those developed in-house as well as 3rd-party applications, use and rely on them to deliver their functionality.


A Service Connection Point in Active Directory

In short, we had seen how various mission-critical applications that provide everything from email to two-factor authentication and from Linux/UNIX integration with Active Directory to auditing and privileged user account management, use and rely on Service Connection Points in Active Directory for their proper functioning. (A list of a few such apps is provided below.)


We had also covered the impact of someone being able to make an unauthorized modification to one or more attributes of the Service Connection Points of these mission-critical cyber security enabling Active Directory integrated-applications.


An Intruder Changing the Keywords Attribute on a Service Connection Point in Active Directory

To be precise, we had concluded that in the event that an intruder or a malicious insider could do so, he/she could potentially disrupt these applications from delivering their functionality, the impact of which could range from an instant denial-of-service attack on these critical Active Directory-integrated applications to leaving millions of IT resources vulnerable to compromise.




Next, A Few Such Apps

To appreciate the real-world security implications of an unauthorized change made to the Service Connection Points of such applications, it may help to identify even just a few prominent applications that are extensively deployed worldwide today, depend on Service Connection Points, and thus could be impacted by their unauthorized modification.



Here are 10 such prominent applications that may likely be deployed at 1000s of organizations worldwide today -

  1. BeyondTrust PowerBroker for Windows - BeyondTrust's PowerBroker Identity Services (PBIS) centralizes authentication for Unix, Linux and Mac environments by extending Active Directory's Kerberos authentication and single sign-on capabilities to these platforms. As documented here, to store information about a group or a user, PBIS creates a serviceConnectionPoint object (in Active Directory) and stores information in its keywords attribute. 

  2. Centrify Server Suite - Centrify's Server Suite, beyond its core capability of integrating UNIX and Linux accounts into Microsoft Active Directory, supports privilege management capabilities, integrated cross-platform auditing, dynamic server isolation, and single sign-on to on-premises applications. One of the major strengths of the Centrify Server Suite, is that all UNIX identity and authorization data is stored as Active Directory objects. As documented here, it extensively creates and uses serviceConnectionPoint objects in Active Directory to represent computer profiles, UNIX group profiles and UNIX user profiles.

  3. Citrix XenApp and XenDesktop - Citrix's XenApp and XenDesktop application virtualization solutions optimize productivity with universal access to virtual applications, desktops and data from any device. As documented here, delivery controllers, the server-side component responsible for managing user access brokering and optimizing connections, are represented by serviceConnectionPoint objects in Site OUs in Active Directory. Each time a Controller starts, it validates the contents of its Service Connection Point. In addition, Windows Desktop Virtual Delivery Agents (VDAs) use OU-based controller discovery which relies on these service connection point objects.

  4. IBM DB2 - IBM's DB2 for Linux, UNIX and Windows is a next generation data platform for transactional and analytical operations that provides continuous availability of data to keep transactional workflows and analytics operating at maximum efficiency. As documented here, DB2 database servers are published in the Active Directory as ibm_db2Node objects, a subclass of the serviceConnectionPoint object class. Each such object contains protocol configuration information to allow client applications to connect to the DB2 database server. When connecting to a remote database, a DB2 client queries the Active Directory through the LDAP interface for these objects.

  5. Microsoft Exchange - Microsoft's Exchange Server is a messaging platform that provides email, scheduling and tools for customer collaboration and messaging service applications. As documented here, Exchange stores the configuration of Exchange Servers as well as information about user mailboxes in Active Directory. Its Autodiscover feature, that enables client applications and users to configure themselves with minimal input, uses Active Directory service connection points to store and retrieve a list of Autodiscover URLs for the forest in which Exchange is installed. When you install Exchange 2016, you need to update the SCP object to point to the Exchange 2016 server. This is necessary because Exchange 2016 servers provide additional Autodiscover information to clients to improve the discovery process.

  6. Microsoft Active Directory Rights Management Server - Microsoft's Active Directory Rights Management Server delivers Active Directory Rights Management Services (AD RMS), information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of a firewall. As documented here, AD RMS publishes Service Connection Points in Active Directory to hold the web address of the AD RMS certification cluster. AD RMS-enabled applications then use these Service Connection Points to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services.

  7. One Identity / Quest Privileged Password Manager - One Identity / Quest Software's Privileged Password Manager helps automate, control and secure the process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is a critical component of One Identity privileged account management solutions. As documented here, Privileged Password Manager publishes and relies upon Service Connection Points in Active Directory. In particular it modifies the serviceBindingInformation, displayName and keywords attributes of its Service Connection Points to store, amongst other pieces of information, your registered company name, Server URLs etc.   

  8. Quest Active Roles Server - Quest's Active Roles Server is a proxy solution designed to help organizations enhance account administration, directory management and security in Active Directory deployments. As documented here, as Active Roles performs operations on behalf of delegated users, the Active Directory service account requires adequate permissions. Quest recommends making Active Roles a member of Domain Admins. If organizational policies restrict its Domain Admin membership, then at a minimum, amongst a plethora of other permissions, since its service account must be able to publish itself in Active Directory, it will also require permissions to create serviceConnectionPoint objects.

  9. Quest Change Auditor - Quest's Change Auditor is an auditing solution that helps organizations track/audit changes to Active Directory, and thus helps ensure security, compliance and control of Active Directory content. As documented here, Change Auditor publishes Service Connection Points in Active Directory so that Change Auditor clients, agents and other third-party applications can automatically locate the Change Auditor coordinator. When clients or agents start up, they search Active Directory for these Service Connection Points to retrieve connection information for the Change Auditor coordinator such as hostname, listening port, and other authentication information.

  10. Quest InTrust - Quest's InTrust enables organizations to collect, store, search and analyze IT data from numerous data sources, devices and security information and event management (SIEM) solutions in one place. As documented here, Quest InTrust creates the following service connection point in Active Directory - <MyDomainName>/System/Quest In Trust/InTrustServer{<InTrustServerGUID>}.

Note - It must also be mentioned that the manner in which most of these applications have been integrated with Active Directory is consistent with Microsoft's recommendations, and in fact by integrating with Active Directory, these applications get to leverage its various capabilities, strengths and uses, and that is a good thing.

Speaking of which, of the applications above, perhaps the one that is most well-integrated with Active Directory, and thus one that uses and relies upon Service Connection Points most extensively may be Centrify Server Suite.


Oh, and the Azure AD Connect feature of Microsoft Azure also uses/relies on Service Connection Points in Active Directory.
(Specifically, as documented here, if you have an on-premises Active Directory environment and you want to join your domain-joined devices to Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. During their registration process, these domain-joined devices query Active Directory for a Service Connection Point to discover Azure AD tenant information: they search for the object "cn=62a0ff2e-97b9-4513-943f-0d221bd30080,cn=Device Registration Configuration,cn=Services,cn=Configuration,dc=<forest-root-domain>", because it is this object's Keywords attribute that contains the organization's Azure AD tenant information.)


As you'll likely agree, many of these applications play a vital role in ensuring cyber security at many organizations worldwide.

If you understand the role that these applications play in providing and ensuring security at organizations worldwide, then you know that the unauthorized modification of the attributes of their Service Connection Points could substantially impact security.



The Question

In light of the above, I had posed the following simple and elemental questions, and asked you how organizations worldwide could answer them -

Question: Who can change the various attributes/properties of a Service Connection Point in Active Directory?

In fact, in addition, it also begs the following questions -
  1. Who can modify the ACL/permissions protecting a Service Connection Point? 
  2. Who can modify the owner of a Service Connection Point?
  3. Who can delete a Service Connection Point?
     That's because if you can do any one of the above, you can have the same effect on the service.





Finally, The Answer

It is imperative that every organization that has any application that relies on the use of Service Connection Points in Active Directory know the exact answers to these questions at all times, and now let me show you how to correctly answer them.


First, let's rule out the incorrect answer, which is how most organizations worldwide may be trying to answer these questions today, and that incorrect answer is - "Find out who has what permissions on a Service Connection Point in Active Directory."


acldiag

Even though this is the incorrect answer, most organizations may not know this, so they continue to use tools like dsacls, acldiag, PowerShell scripts etc. or any one of numerous 3rd-party Active Directory Permissions Audit Tools to do so.


Now, the correct answer, which is how every organization worldwide should be attempting to answer these questions today, and that correct answer is - "Find out who has what effective permissions on a Service Connection Point in Active Directory."


The Effective Permissions Tab is Inaccurate


As we can all see above, effective permissions are so important that Microsoft's native tooling has an entire tab for them!

Now, before you assume that the Effective Permissions Tab is sufficient/adequate to answer these questions and stop reading further, let me share with you the three (3) reasons why it is substantially inadequate and thus almost useless -

  1. First and foremost, it is not 100% accurate because it does not take all the factors that influence the accurate determination of effective permissions in Active Directory into account.

  2. Secondly, it can at best determine (an approximation of, and thus inaccurate) effective permissions one user at a time. So if you have 10,000 users in your organization, you will have to manually enter each user's name individually i.e. one by one, one at a time; now I don't know about you, but if I had to do this, I would probably find another job. 

  3. Finally, even though it can at best determine (an approximation of, and thus inaccurate) effective permissions one user at a time, it (also) CANNOT show you exactly which permission in the object's ACL is granting a specific effective permission, so if you're trying to find out HOW a user has a specific effective permission, you can't do so using this tool.  

Unfortunately, the same is true of dsacls, acldiag, LDP, PowerShell scripts and virtually every other 3rd-party Active Directory ACL/Permissions Analysis/Audit Tool out there, so there's really no easy way to answer these simple questions. Oh, and this free tool is so dangerously inaccurate that if it were an X-ray machine at an airport, I'd advise you to stay away from the airport.
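To make concrete what "effective" adds over a plain listing of who has what permissions, here is an added Python model of how a DACL is resolved: nested group expansion, the explicit-deny / explicit-allow / inherited-deny / inherited-allow precedence, attribute-scoped ACEs, the owner's implicit rights, and the source ACE behind each result (the "how so" the post asks for). It is constructed for this post, not Gold Finger's engine or any Microsoft API; the SCP, its ACL, the owner and every group membership are assumptions.

```python
"""Simplified model of how Active Directory turns a DACL into *effective* permissions.

Constructed for this post as an illustration; it is not Gold Finger's engine, not a
Microsoft API, and the object, ACL, group memberships and owner below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry on a directory object."""
    trustee: str                      # user or group the ACE applies to
    allow: bool                       # True = allow ACE, False = deny ACE
    right: str                        # e.g. "WriteProperty", "Delete", "WriteDacl"
    attribute: Optional[str] = None   # None = the ACE covers every attribute
    inherited: bool = False           # inherited from a parent (e.g. an OU)


def canonical_order(dacl):
    """Windows evaluates ACEs in canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow.  (bool sorts False before True.)"""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def expand_groups(principal, membership):
    """Transitive closure of group memberships, so nested groups are included."""
    token = {principal}
    pending = [principal]
    while pending:
        for group in membership.get(pending.pop(), ()):
            if group not in token:
                token.add(group)
                pending.append(group)
    return token


def effective(user, right, dacl, membership, attribute=None, owner=None):
    """Return (allowed, source): whether `user` effectively holds `right`
    (optionally scoped to one attribute) and which ACE decided it."""
    token = expand_groups(user, membership)
    # The owner of an object implicitly holds WriteDacl and ReadControl,
    # which is why 'who owns the SCP' matters as much as 'who has an ACE on it'.
    if owner in token and right in ("WriteDacl", "ReadControl"):
        return True, "implicit owner rights"
    for ace in canonical_order(dacl):
        if ace.trustee not in token or ace.right != right:
            continue
        if ace.attribute is not None and ace.attribute != attribute:
            continue
        # The first applicable ACE in canonical order decides: a deny here beats
        # any allow that comes later, even one a permissions listing shows.
        return ace.allow, ace
    return False, None


def who_can(right, dacl, membership, users, attribute=None, owner=None):
    """Permission-centric view: every user who effectively holds `right`,
    mapped to the ACE (or owner rule) that grants it."""
    result = {}
    for user in users:
        allowed, source = effective(user, right, dacl, membership, attribute, owner)
        if allowed:
            result[user] = source
    return result


# --- Constructed scenario: an SCP named "RMS Service" under an OU --------------
SCP_DACL = [
    Ace("Helpdesk", True, "WriteProperty", None, inherited=True),      # from the OU
    Ace("Domain Admins", True, "WriteProperty", None, inherited=True),
    Ace("Domain Admins", True, "Delete", None, inherited=True),
    Ace("Contractors", False, "WriteProperty", "keywords"),            # explicit deny
    Ace("RMS Admins", True, "WriteProperty", "keywords"),              # explicit allow
]
MEMBERSHIP = {                      # member -> groups it belongs to (assumed)
    "alice": ["RMS Admins"],
    "bob": ["Helpdesk"],
    "carol": ["Helpdesk", "Vendor Staff"],
    "Vendor Staff": ["Contractors"],   # nested group: carol is a Contractor too
    "dave": ["Domain Admins"],
}
USERS = ["alice", "bob", "carol", "dave", "svc-rms"]
OWNER = "svc-rms"


if __name__ == "__main__":
    for user, src in who_can("WriteProperty", SCP_DACL, MEMBERSHIP, USERS,
                             attribute="keywords", owner=OWNER).items():
        print(f"{user} can change keywords via {src}")
    # carol is in Helpdesk, which a permissions listing shows as able to write,
    # yet the explicit deny on Contractors wins for her.
    print("carol:", effective("carol", "WriteProperty", SCP_DACL, MEMBERSHIP, "keywords"))
```

Note that carol appears under Helpdesk in any "who has what permissions" report, but the explicit deny reached through the nested Contractors membership means she effectively cannot change the keywords; only the effective view, with its source ACE, shows that.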

Before we continue further, let me say this again. I cannot stress this enough - if you don't know what effective permissions in Active Directory are and why they're paramount to your security, you'll want to read this - Active Directory Effective Permissions.



So, now that we know that theoretically the correct answer is - "Find out who has what effective permissions on a Service Connection Point in Active Directory", is there an easy way to determine effective permissions on Active Directory objects?

Yes, (thankfully) there is one way...



Here's how so many of the world's top business and government organizations easily and accurately answer these questions -


The Gold Finger Active Directory Effective Permissions Audit Tool


The snapshot above is of the Gold Finger Active Directory Effective Permissions Audit Tool.

This tool quite simply is the world's only accurate and adequate effective permissions calculator for Active Directory.

This tool can accurately determine effective permissions on any object in Active Directory, and to use it, all you have to do is point it at whatever object you want to determine effective permissions on, and then click ONE button. That's it!

As seen in the snapshot above, we used this tool to perform an effective permissions audit on a service connection point called RMS Service in Active Directory, and the audit results show us every single security permission-combination that is effectively allowed on this service connection point object, as well as exactly who each effective permission is granted to, and how so.

So, for example, to find out who can change a Service Connection Point's keywords, all you have to do is use the What drop-down to select Write-Property - Keywords effective permissions and the tool will display the complete list of all individuals who can do so. Similarly you can find out exactly who can change each attribute/property, as well as its ownership and permissions.


Now, wouldn't it be nice if someone could make it even simpler such that all these technical details (i.e. effective permissions, attributes, mappings etc.) could be abstracted enough that we could just find all this out in English. Well, guess what? Done! -


The Gold Finger Active Directory Effective Access Audit Tool

The snapshot above is of the Gold Finger Active Directory Effective Access Audit Tool, which is the world's only tool that can accurately and adequately determine effective access in Active Directory environments.

As seen in the snapshot above, we used this tool to perform an effective access audit on a service connection point called RMS Service in Active Directory, and the audit results show us every single administrative task that can be enacted on this object by virtue of the effective permissions allowed on this service connection point object, as well as exactly who can enact each one of these administrative tasks, and of course, how so. In other words, you can now find out exactly who can do what, in English!

(Finally, if you have numerous Service Connection Points in Active Directory, this tool can audit all of them at a button's touch.)

In this manner, every organization worldwide that needs to know exactly who can change, control or delete Service Connection Points in their Active Directory can now accurately and instantly find out so 365-24-7, in seconds, and at the touch of a button.


So, Microsoft, you see, today this is how organizations worldwide can answer these simple yet vital cyber security questions.

In contrast, let alone providing your customers, i.e. organizations worldwide, a solution, in 17 years you haven't even told them that what they actually need to do is not to audit "who has what permissions" but to audit "who has what effective permissions"!

Need one say more?

Best,
Sanjay


PS: It took half a decade of laser-focused execution to make something this difficult, this easy for the world. You're welcome.

Monday, January 9, 2017

The World's Only Accurate Active Directory Effective Permissions Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 7th.

Active Directory Effective Permissions Audits - A Mission-Critical Need

Today every organization that operates on Microsoft's Active Directory has a mission-critical cyber security need to be able to accurately audit effective permissions in their foundational Active Directory deployments, to protect the entirety of their organizational IT resources. A few examples of such essential Active Directory effective permissions audits include -


  1. Who has sufficient effective permissions to be able to replicate secrets from Active Directory? (Implications & details.)
  2. Who has what sufficient effective permissions to be able to control every Active Directory administrative account?
  3. Who has sufficient effective permissions to be able to control every Active Directory administrative group?
  4. Who has sufficient effective permissions to be able to manage all executive accounts (i.e. those of the CEO, CIO etc.)?
  5. Who has sufficient effective permissions to be able to manage all vital Active Directory domain user accounts, domain computer accounts, domain security groups, Organizational Units, etc. (and there could be 1000s of such objects)?

If you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters; the difference is colossal and could very well be the difference between security and compromise.

Most organizations do not even seem to know that they need to be able to determine effective permissions in Active Directory, and do so accurately, to maintain a sound cyber security posture. At those organizations that do know, IT personnel struggle to fulfill this mission-critical need - they try writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP, the Effective Permissions Tab, etc., or relying on this free 3rd party audit tool which is dangerously inaccurate.

To begin with, the expertise required to write a script that can accurately determine effective permissions in Active Directory is so rare that most IT personnel may not even know where to begin. That said, many may still proceed to write and use substantially inaccurate scripts to do so.

Further, assuming they could write an accurate script to do so, here are 4 issues/challenges that they will most likely run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise
  3. The Microsoft Effective Permissions Tab is not only self-admittedly inaccurate, it is woefully inadequate.
  4. All free 3rd party tools that claim to do Active Directory effective permissions are substantially inaccurate.

It is unequivocally clear to us that what organizations need is an accurate, reliable (tamper-proof) and above all trustworthy Active Directory Effective Permissions Audit Tool that could help IT personnel worldwide easily & trustworthily fulfill this need.

So we built the world's best and only accurate Active Directory Effective Permissions Calculator / Audit Tool so it could help all IT admins, analysts, auditors and others easily and trustworthily fulfill their Active Directory effective permissions audit needs.



Gold Finger Active Directory Effective Permissions Calculator / Audit Tool

The Gold Finger Effective Permissions Calculator is the world's only accurate Active Directory Effective Permissions Audit Tool:

Gold Finger Active Directory Effective Permissions Calculator / Audit Tool


If you can touch a button, you can now (for the first time ever) accurately and easily fulfill all your Active Directory effective permissions audit and compliance reporting needs. Click, done. It quite simply is as simple and as remarkable as that.


Capability Overview

Here's a quick overview of the tool's top 10 features/capabilities -
  1. Accurate Analysis – Accurately determine effective permissions on any Active Directory object, taking all factors (e.g. precedence orders, memberships expansions, conflict resolution etc.) that influence effective access into account.
  2. Real-Time Analysis – Instantly view & verify resulting change in effective permissions as soon as a permission changes.
  3. Full Automation – Instantly determine effective permissions and effective access at the touch of a single button.
  4. Full Coverage – Determine effective permissions on any Active Directory object in any Active Directory partition.
  5. Intuitive Interface – Easily view all effective permissions, all users who have them, and their underlying permissions.
  6. Permission-Centric Analysis – Instantly enumerate all users who are granted a specific effective permission / admin task.
  7. Source Identification – Find out exactly which underlying permission is granting a user a specific effective permission.
  8. Effective Access Insight – Find out both, who has what effective permissions and who has what effective access.
  9. Analysis Exports – Export effective permissions for offline analysis, sharing, audit report submission and archival.
  10. DC Specific Analysis and Alternate Credential Use – Target any Domain Controller, and use alternate credentials.


Design Goals

Here are the 6 main design goals we set and met for Gold Finger -
  1. Accuracy - Accuracy is everything, and Gold Finger is the world's only accurate effective permissions calculator.
  2. Complete Picture - It calculates and shows the complete set of effective permissions entitled on an Active Directory object, and it also shows the identities of all security principals for whom a specific effective permission is entitled.
  3. Source-Identification - It pinpoints the underlying security permission that entitles a user to a specific effective permission.
  4. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.
  5. Ease of use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  6. Trustworthiness - When it comes to security, Gold Finger also sets the bar and gold standard for trustworthiness.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory effective permissions audits you can perform with Gold Finger -


  1. Find out exactly who has Extended Right - Get Replication Changes All effective permissions granted on domain root.
  2. Find out exactly who has what effective permissions (e.g. Blanket Write-Property) granted on the Domain Admins group.
  3. Determine exactly who has Write-Property - Member effective permissions on the Domain Admins security group.
  4. Find out exactly who has Write Property - userAccountControl effective permissions on a DC's computer account.
  5. Determine exactly who has Delete or Delete Tree effective permissions on the Corp OU containing 1000s of objects.
  6. Find out exactly who has Extended Right - Reset Password effective permissions on the CEO's domain user account.
  7. Determine exactly who has Extended Right - Send As effective permissions on the CFO's domain user account.
  8. Find out exactly who has Modify Permissions effective permissions on the domain root object or on AdminSDHolder.
  9. Determine exactly who has Extended Right - Apply Group Policy effective permissions on the Domain Controllers OU.
  10. Determine exactly how John Doe has Write-Property - Member effective permissions on the Domain Admins group.




Trusted Worldwide

Today, our Gold Finger Active Directory Effective Permissions Calculator is used worldwide by the world's top organizations to easily fulfill the mission-critical cyber security need of being able to accurately audit Active Directory effective permissions.

Best wishes,
Sanjay

Friday, January 6, 2017

The World's Best Active Directory Permissions Analyzer

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 6th.

Active Directory Permissions Audits - An Essential Need

It goes without saying that today virtually every organization that operates on Microsoft's Active Directory has an essential need to be able to audit Active Directory security permissions, because Active Directory security permissions ultimately protect the entirety of the organization's IT resources. A few examples of such essential Active Directory permissions audits include -


  1. Who has what security permissions/rights in Active Directory, which ones and where?
  2. Who has what security permissions/rights on a specific Active Directory object and how?
  3. What security permissions/rights does a specific user or security group have in Active Directory?
  4. Where does a specific user or group have any kind of modify permissions/rights in Active Directory?
  5. Who has what security permissions/rights on critical Active Directory objects such as the domain root object etc.?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.

To fulfill these essential needs, IT admins worldwide use various means, such as writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP etc., or relying on some 3rd party audit tools, many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) permissions audit tool that can help all these IT personnel easily & trustworthily fulfill their essential Active Directory security permissions audit needs.

So we built possibly the world's best (most capable) Active Directory Permissions Analyzer that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their essential Active Directory security permissions audit needs.



Gold Finger Active Directory Permissions Analyzer

The Gold Finger Permissions Analyzer is the world's most capable and trustworthy Active Directory Permissions Audit Tool -

Gold Finger Active Directory Permissions Analyzer

If you can touch a button, you can now easily, comprehensively and above all, trustworthily fulfill all your Active Directory security permissions/rights audit and compliance reporting needs. Active Directory permissions audits could not be simpler.


Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Rapid Analysis and Enterprise Scalability – Analyze entire Active Directory domains within a matter of minutes.
  2. Rich Analysis Criteria – Find permissions based on grant type (allow/deny), inheritance (explicit/inherited), permission type (e.g. Write Property), security principal (any user, security group or well-known security principal) and scope.
  3. Group Membership Inclusion – Automatically include the impact of group memberships when analyzing permissions.
  4. Real-time Schema Availability – Specify any class, attribute or extended right defined in your organization's AD Schema.
  5. Complete Flexibility – Customize analysis scope via use of custom LDAP filters (e.g. (&(objectClass=user)(title=C*O)).)



Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Customization - Every report can be completely customized using LDAP filters as well as scope and depth control.
  4. Complete Flexibility - IT personnel can search for any kind of Active Directory security permission, including specific permissions and extended rights, as well as permissions granted anywhere to a specific user/group etc. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory security permissions audits you can perform with Gold Finger -

  1. Identify all security principals that have any kind of modify permissions granted anywhere in the Corp domain.
  2. Identify all security groups that have All Extended Rights granted anywhere in the Corp domain.
  3. Identify all users that have the Reset Password Extended right granted on any domain accounts in the Executives OU.
  4. Identify all security principals that have Delete permissions granted on any organizational unit (OU) in the Corp domain.
  5. Find out if the Temporary Contractors group is granted any security permissions anywhere in the Corp domain.
  6. Find out which security permissions, if any, are granted to John Doe anywhere in the Production OU.
  7. Find out which users are explicitly granted the Create Child - User permission anywhere in the Headquarters OU.
  8. Find out who has Deny permission granted anywhere in the Corp domain, and whether they are Explicit or Inherited.
  9. Determine whether John Doe has Write Property - Member permissions on any administrative group in the Corp domain.
  10. Determine who has Send As permissions granted on the CEO's mail-enabled domain user account.
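Reports 3 and 9 above (who holds an extended right on accounts in an OU, with group memberships taken into account) can be approximated with the free ActiveDirectory PowerShell module. The following is an added example written for this page, not Gold Finger code; the domain corp.example.com, the Executives OU and the output file name are assumptions. It resolves the right's GUID from the Configuration partition rather than hard-coding it, and then expands any grantee that is a group to its nested members.

```powershell
# Added example (not Gold Finger code): list every security principal granted a given
# extended right (here "Reset Password") on any user account in an OU, then expand
# grants made to groups to their nested membership.
# Assumed names: domain corp.example.com, OU=Executives, ResetPassword-Executives.csv.
Import-Module ActiveDirectory

$SearchBase = 'OU=Executives,DC=corp,DC=example,DC=com'
$RightName  = 'Reset Password'     # displayName of the controlAccessRight object

# Extended rights are controlAccessRight objects under CN=Extended-Rights in the
# Configuration partition; their rightsGuid is what an ACE carries in ObjectType.
$ConfigNc = (Get-ADRootDSE).configurationNamingContext
$RightObj = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNc" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$RightName))" `
    -Properties rightsGuid | Select-Object -First 1
if (-not $RightObj) { throw "Extended right '$RightName' not found" }
$RightGuid = [guid]$RightObj.rightsGuid
$CR = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$Grants = foreach ($User in Get-ADUser -SearchBase $SearchBase -Filter *) {
    foreach ($Ace in (Get-Acl -Path "AD:\$($User.DistinguishedName)").Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        if (([int]($Ace.ActiveDirectoryRights -band $CR)) -eq 0) { continue }
        # An all-zero ObjectType means every extended right (a GenericAll / Full Control
        # ACE looks like this too), so it must be counted as well.
        if ($Ace.ObjectType -ne $RightGuid -and $Ace.ObjectType -ne [guid]::Empty) { continue }
        [pscustomobject]@{
            Account   = $User.SamAccountName
            Grantee   = $Ace.IdentityReference.Value
            Via       = if ($Ace.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $RightName }
            Inherited = $Ace.IsInherited
        }
    }
}

# Expand grantees that are groups. -Recursive flattens nesting; members from trusted
# domains (foreign security principals) are not expanded and need separate handling.
$Members = @{}
foreach ($Grantee in ($Grants | ForEach-Object Grantee | Sort-Object -Unique)) {
    $Sam   = $Grantee.Split('\')[-1]
    $Group = Get-ADGroup -Filter "sAMAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
    if ($Group) {
        $Members[$Grantee] = (Get-ADGroupMember -Identity $Group -Recursive |
            ForEach-Object SamAccountName | Sort-Object -Unique) -join ';'
    }
}

$Grants | Select-Object Account, Grantee, Via, Inherited,
    @{ n = 'ExpandedMembers'; e = { $Members[$_.Grantee] } } |
    Export-Csv -Path .\ResetPassword-Executives.csv -NoTypeInformation
```

Swapping `$RightName` for another displayName from CN=Extended-Rights (or replacing the ExtendedRight test with WriteProperty and the member attribute's schemaIDGUID) turns this into report 9. What it does not do is compute effective access: Deny ACEs, ACE ordering and the caller's own group memberships are not evaluated here, which is precisely the gap the post's other tools address.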




Trusted Worldwide

Today, our Gold Finger Active Directory Permissions Analyzer is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill the entirety of their essential Active Directory security permissions/rights audit needs.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.

Thursday, January 5, 2017

The World's Best Active Directory ACL / Security Permissions Audit Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 5th.

Active Directory ACL / Security Permissions Audit - A Basic Need

Today virtually every organization that operates on Microsoft's Active Directory has a basic and essential need to be able to easily view, analyze and audit Active Directory ACLs (Access Control Lists) because Active Directory permissions ultimately protect virtually all of the organization's IT resources. A few examples of such basic Active Directory ACL audit needs include -


  1. What security permissions/rights does a specific user/group have in a specific Active Directory object's ACL?
  2. Who has a specific Active Directory security permission allowed in the ACL of a specific Active Directory object?
  3. Which ACEs (access control entries) grant a specific Active Directory security permission to various security principals?
  4. Which ACEs explicitly deny a specific Active Directory security permission in an object's ACL?
  5. Which ACEs explicitly grant a specific Active Directory security permission to a specific user or group in an object's ACL?

Now, let me be the first to tell you that if you truly know Active Directory Security, you know that what matters is not "who has what permissions" but "who has what effective permissions", and the difference is colossal; it could be the difference between security and compromise. Effective permissions are the net result of every allow and deny ACE, explicit and inherited, evaluated against every group the principal belongs to, so reading ACEs off an ACL answers a much narrower question. But for now let's just play along and assume that auditing ACL contents is what organizations need to do.
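The five ACL questions listed above can be answered against a single object's DACL with the free tooling the post goes on to mention. Here is an added example written for this page (it is not part of the original post and not Gold Finger code) using the ActiveDirectory PowerShell module's AD: drive; the domain corp.example.com, the Domain Admins group as the target object and CORP\HelpDesk as the principal of interest are assumed names. As the post itself stresses, this reports ACEs as written, not effective access.

```powershell
# Added example (not from the original post, not Gold Finger code): answer the five
# basic ACL questions for one object using the ActiveDirectory module's AD: drive.
# Assumed names: domain corp.example.com, target = Domain Admins group,
# principal of interest = CORP\HelpDesk.
Import-Module ActiveDirectory

$Dn        = 'CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com'
$Principal = 'CORP\HelpDesk'
$Right     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Get-Acl on the AD: drive returns the object's ActiveDirectorySecurity; .Access is the
# DACL as ActiveDirectoryAccessRule objects, one per ACE, inherited ACEs included.
# "dsacls $Dn" prints the same DACL in text form.
$Aces = (Get-Acl -Path "AD:\$Dn").Access

# -band decomposes combined rights (GenericAll, GenericWrite, ...) into the bit asked for.
function Test-AceRight($Ace, $Bit) { ([int]($Ace.ActiveDirectoryRights -band $Bit)) -ne 0 }

# 1. What rights does the principal have in this ACL? An all-zero ObjectType means
#    "all properties / all extended rights"; otherwise it is the GUID of one attribute,
#    property set, extended right or class.
$Aces | Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited

# 2. Who is allowed the right (any ACE, explicit or inherited)?
$Aces | Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-AceRight $_ $Right) } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# 3. Which ACEs grant the right, to anyone?
$Aces | Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-AceRight $_ $Right) }

# 4. Which ACEs explicitly (not inherited) deny the right?
$Aces | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and (Test-AceRight $_ $Right) }

# 5. Which ACEs explicitly grant the right to the principal?
$Aces | Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                       $_.IdentityReference.Value -eq $Principal -and (Test-AceRight $_ $Right) }
```

Question 1 is the one most often mis-read: a Write Property ACE scoped by ObjectType to a single attribute (say, member) and one scoped to all attributes both show as WriteProperty, so the ObjectType column must be read alongside the rights column before drawing any conclusion.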

To fulfill their ACL analysis needs, IT admins worldwide use numerous means, such as writing in-house LDAP/PowerShell scripts, using free Microsoft tools like dsacls, acldiag, LDP etc., or relying on 3rd party audit tools, many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) Active Directory ACL analysis, viewing and dump tool that can help easily & trustworthily fulfill all Active Directory ACL/permissions audit needs.

So we built possibly the world's best (most advanced) Active Directory ACL Viewer and Exporter that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their basic Active Directory ACL/permissions audit needs.



Gold Finger Active Directory ACL / Security Permissions Audit and Dump Tool

The Gold Finger Active Directory ACL Viewer and Exporter is the world's most advanced and trustworthy Active Directory ACL/Permissions Audit Tool -

Gold Finger Active Directory ACL Audit Tool, Viewer and Exporter
If you can touch a button, you can now easily, comprehensively and above all, trustworthily view, analyze, audit as well as instantly export/dump Active Directory ACLs and security permissions/rights, both on a per-object and a domain-wide basis.


Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Complete View – Obtain a complete, fully sortable view of the ACL (both DACL & SACL) of any Active Directory object.
  2. Detailed View – Obtain a detailed view wherein each ACL field is expanded into individually sortable columns.
  3. ACL Exports – Export the complete ACL of an Active Directory object for analysis, comparison, archival and audit.
  4. Tree-wide ACL Exports – Export/dump the ACLs of all Active Directory objects in any Active Directory tree (e.g. OU).
  5. Advanced ACL Export Options – Export only those ACLs that are marked Protected or owned by a specific user/group.


Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Rich Analysis - IT personnel can easily analyze every aspect of the ACL, including sorting the ACL by individual Active Directory security permissions (e.g. Write Property, Extended Right etc.), inheritance fields etc.
  4. Instant Export - IT personnel can easily export/dump the ACLs of any, some or all Active Directory objects. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory ACL/permissions audits you can perform with Gold Finger -

  1. Alphabetically sort the ACL on the AdminSDHolder object to list all security principals for whom access is specified.
  2. Identify all permissions in the ACL of the Administrators group object that grant Write Property - Member permissions.
  3. Export/dump the ACL on the Enterprise Admins group object to furnish it as evidence for a regulatory compliance report.
  4. Identify every permission in the ACL on the Corporate OU object that grants a user or group Create Child permissions.
  5. Enumerate the list of all security permissions in the ACL of the Help Desk Operators object that are Explicit in nature.
  6. Instantly dump/export the security permissions/ACLs of all objects contained in any Active Directory domain/partition.
  7. Easily dump/export the security permissions/ACLs protecting all executive (e.g. all C*O) and privileged user accounts.
  8. Instantly dump/export Active Directory security permissions/ACLs protecting all Organizational Units in a domain.
  9. Obtain a snapshot of all Active Directory permissions/ACLs protecting the Configuration, Schema and domain partitions.
  10. Dump/export Active Directory security permissions/ACLs to a file to furnish evidence for a compliance/security audit.



Trusted Worldwide

Today, our Gold Finger Active Directory ACL Viewer and Exporter is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill all their basic Active Directory ACL/security permissions/rights analysis and audit needs.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.

Wednesday, August 3, 2016

How to Easily Dump/Export Active Directory Security Permissions/ACLs

Folks,

Today, I'd like to take a small break from some important technical stuff and cover some very simple stuff, which is to share with you the easiest way in the world to dump/export Active Directory security permissions/ACLs, because this is elemental.

But first a very quick overview of Active Directory security permissions and ACLs might be helpful.

If you want to get straight to the details, you can skip to section 3 below.




1. A Quick Overview of Active Directory Security Permissions and ACLs

As you may know, every object in Active Directory is protected by an access control list (ACL), which is comprised of zero or more access control entries (ACEs), each one of which allows or denies a specific set of security permissions (of which there are many in Active Directory) to a specific security principal (a user, group or well-known security principal).

Active Directory Security Permissions specified in an Active Directory Access Control List (ACL)


Together, the security permissions specified in an Active Directory object's ACL serve to protect that Active Directory object, and specify who is allowed or denied which security permissions on that object (which of course includes all its attributes).

Since even a quick overview of the various permissions in Active Directory could take a few paragraphs, here's a pointer to a very quick overview of the Active Directory Security Model and Active Directory security permissions, which as you may know, include over a dozen generic permissions, dozens of extended rights and several validated writes. Alternatively, you can refer to Appendices C, D and E of Microsoft's official whitepaper on administrative delegation, which I wrote back in 2003.

In essence, Active Directory ACLs and the security permissions specified within them control access to the entirety of Active Directory content, and thus lie at the very foundation of cyber security in a Microsoft Windows Server based IT infrastructure.




2. The Need to be able to Dump/Export Active Directory Security Permissions/ACLs

IT personnel responsible for administering Active Directory deployments, delegating and maintaining administrative authority in Active Directory, provisioning secure access for applications and other stakeholders to Active Directory content, auditing Active Directory security etc. often have a need to be able to dump/export Active Directory Security permissions/ACLs.

In fact, here are 5 specific use-cases -
1. Perform security analysis to identify who is specified what access across an Active Directory domain
2. Identify the list of all security principals that have any sort of access granted in an Active Directory domain
3. Determine what security permissions are granted to whom, where and which ones in Active Directory
4. Obtain a detailed, fully-sortable view of all security permissions/ACLs in an Active Directory partition. 
5. Export/dump an Active Directory object's ACL for detailed offline-analysis, comparison, audit and archival.

Today these needs are elemental to the foundational cyber security of virtually every Active Directory deployment in the world.





3. The World's Easiest Way to Dump/Export Active Directory Security Permissions/ACLs

Today the easiest, fastest and most reliable way to dump/export Active Directory security permissions/ACLs is via this specialized Active Directory ACL Viewer and Exporter tool - 
Gold Finger Active Directory ACL Viewer and Exporter


Click, Done. If you can click a button, you can export Active Directory security permissions/ACLs in seconds. It's that simple.


Active Directory Security Permissions/ACL Dump


Here's some sample output (you can click the image below to enlarge it, and download the complete CSV file from here) -
Active Directory ACL Dump
 
The Active Directory security permissions/ACL dumps generated by the tool are easily sortable by virtually every relevant field, including object type, object name, distinguished name, permission type (Allow/Deny), security principal, each of the 13 individual generic Active Directory permissions, attribute/class, inheritance, applies-to, and the inheritance flags. The permission columns use the SDDL abbreviations: RC (Read Control), LC (List Children), LO (List Object), WO (Write Owner), WD (Write DACL), SD (Delete), DT (Delete Tree), CC (Create Child), DC (Delete Child), CR (Control Access, i.e. extended rights), SW (Self/validated write), RP (Read Property) and WP (Write Property); the flag columns are CI (Container Inherit), ID (Inherited), IO (Inherit-Only) and NP (No Propagate). This makes it very easy to sort the data by any field and perform rich, efficient ACL/security analysis.

In fact, with this dedicated tool, if you can click a button, you can instantly -
1. Obtain a highly-detailed, fully-sortable view of the access control list (ACL) of any Active Directory object.
2. Analyze an Active Directory object ACL by being able to sort it by any field (e.g. Type, Security Principal etc.) 
3. Sort an Active Directory object's ACL by any of the 13 generic permission types (e.g. Create Child, Delete etc.)
4. Export/dump an Active Directory object's ACL for detailed offline-analysis, comparison, audit and archival.
5. Export/dump the ACLs of any, some or all Active Directory objects in any Active Directory partition.

Right below, I've shared 7 real-world examples, complete with their ACL dump output so you can see the data for yourself.





4. Seven Real-World Examples of Active Directory Security Permissions/ACL Dump

Here are 7 real-world examples of Active Directory ACL dumps, with actual outputs, that you can perform with this tool -

 
1. Dump the security permissions/ACLs of all objects in the domain: output
2. Dump all protected ACLs in the domain: output
3. Dump the security permissions/ACLs of all privileged users and groups in the domain: output
4. Dump the security permissions/ACLs of all users in the domain whose title contains the word Cloud: output
5. Dump the ACLs of all objects in the domain that are owned by the Builtin Administrators group: output
6. Dump the ACLs of all organizational units that are immediate children of the Corp organizational unit: output
7. Dump the ACLs of all organizational units that are up to 2 levels deep in the Corp organizational unit: output

To view the actual ACL dumps for each of the examples above, simply click on the associated output links above.




5. Seven Design Goals

Here are 7 design goals we had when developing our dedicated Active Directory Security Permissions/ACL Dump Tool -

1. Ease of Use - Ability to dump Active Directory permissions/ACLs at the touch of a button.
2. Complete Flexibility - Ability to use LDAP filters to customize scope of objects whose ACLs are to be dumped.
3. Scope and Depth Control - Ability to specify the scope and depth of objects whose ACLs are to be dumped.
4. Easily Analyzable and Sortable Results - The results retrieved should be rich and easy to analyze and sort.
5. Zero Dependencies - The tool should not require any configuration changes or special permissions.
6. Easy installation - The tool should be installable on any domain-joined machine in under 2 minutes.
7. Advanced Features - It should be able to perform special retrievals such as to be able to -
a. Export/dump all ACLs marked protected
b. Export/dump the ACLs of all objects that are owned by a specific user/group
c. Export/dump the ACLs of all objects with a specific Primary Group

Its specialized features embody these goals and make it substantially more capable than other tools (e.g. dsacls, acldiag, etc.)

In addition, because all of our tools are professionally built to the highest standards of security, reliability and trustworthiness, organizations do not need to worry about the accuracy, integrity or security risks associated with amateur/custom-built scripts.
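For comparison with the free tools named in section 5, here is an added example written for this page (not the Gold Finger tool's code) that produces the same kind of dump described in section 3 using only the ActiveDirectory PowerShell module: one CSV row per ACE, one column per generic permission in the SDDL abbreviations listed above, the CI/ID/IO/NP flags, the owner, the protected bit, and ObjectType/InheritedObjectType resolved to attribute, class and extended-right names. The domain corp.example.com, the Corp OU, the LDAP filter and the output file name are assumptions; the depth limit is applied client-side because LDAP itself only offers Base, OneLevel and Subtree scopes.

```powershell
# Added example (not the Gold Finger tool's code): dump the DACL of every object that
# matches an LDAP filter under a search base, up to a given depth, into a CSV with one
# column per generic permission (SDDL abbreviations), the CI/ID/IO/NP flags, owner and
# the "protected" (inheritance blocked) bit.
# Assumed names: domain corp.example.com, OU=Corp, Corp-ACL-Dump.csv.
Import-Module ActiveDirectory

$SearchBase = 'OU=Corp,DC=corp,DC=example,DC=com'
$LdapFilter = '(objectClass=organizationalUnit)'   # e.g. '(&(objectClass=user)(title=*Cloud*))'
$MaxDepth   = 2                                    # levels below $SearchBase to include (0 = base only)
$OutFile    = '.\Corp-ACL-Dump.csv'

$ADR    = [System.DirectoryServices.ActiveDirectoryRights]
$Rights = [ordered]@{
    RC = $ADR::ReadControl;   LC = $ADR::ListChildren; LO = $ADR::ListObject
    WO = $ADR::WriteOwner;    WD = $ADR::WriteDacl;    SD = $ADR::Delete
    DT = $ADR::DeleteTree;    CC = $ADR::CreateChild;  DC = $ADR::DeleteChild
    CR = $ADR::ExtendedRight; SW = $ADR::Self;         RP = $ADR::ReadProperty
    WP = $ADR::WriteProperty
}

# Resolve ObjectType / InheritedObjectType GUIDs to attribute, class, property-set and
# extended-right names from the Schema and Extended-Rights containers.
$RootDse  = Get-ADRootDSE
$GuidName = @{}
$GuidName[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $RootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidName[[guid]$_.rightsGuid] = $_.displayName }
function Resolve-Guid([guid]$g) { if ($GuidName.ContainsKey($g)) { $GuidName[$g] } else { $g.ToString() } }

# Depth = number of unescaped commas in the DN relative to the search base.
function Get-DnDepth([string]$Dn) { ([regex]::Matches($Dn, '(?<!\\),')).Count }
$BaseDepth = Get-DnDepth $SearchBase

$Objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $LdapFilter |
    Where-Object { (Get-DnDepth $_.DistinguishedName) - $BaseDepth -le $MaxDepth }

$Rows = foreach ($Obj in $Objects) {
    $Acl = Get-Acl -Path "AD:\$($Obj.DistinguishedName)"
    foreach ($Ace in $Acl.Access) {
        $Row = [ordered]@{
            ObjectClass = $Obj.ObjectClass
            Name        = $Obj.Name
            DN          = $Obj.DistinguishedName
            Owner       = $Acl.Owner
            Protected   = $Acl.AreAccessRulesProtected     # DACL inheritance blocked on this object
            Type        = $Ace.AccessControlType
            Principal   = $Ace.IdentityReference.Value
        }
        foreach ($Abbrev in $Rights.Keys) {
            $Row[$Abbrev] = ([int]($Ace.ActiveDirectoryRights -band $Rights[$Abbrev])) -ne 0
        }
        $Row['AttributeOrRight'] = Resolve-Guid $Ace.ObjectType           # what the ACE covers
        $Row['AppliesTo']        = Resolve-Guid $Ace.InheritedObjectType  # which child class it is inherited by
        $Row['CI'] = ([int]($Ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) -ne 0
        $Row['ID'] = $Ace.IsInherited
        $Row['IO'] = ([int]($Ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) -ne 0
        $Row['NP'] = ([int]($Ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)) -ne 0
        [pscustomobject]$Row
    }
}
$Rows | Export-Csv -Path $OutFile -NoTypeInformation
```

The seven dumps in section 4 map onto this script by changing `$LdapFilter`, `$MaxDepth` and a post-filter: `(objectClass=*)` with a large depth dumps the whole tree, `$Rows | Where-Object Protected` keeps only protected ACLs, `$Rows | Where-Object Owner -eq 'BUILTIN\Administrators'` keeps objects owned by the Builtin Administrators group, and `$MaxDepth = 1` or `2` gives examples 6 and 7. A Full Control ACE shows every one of the 13 permission columns as True, which is the quickest way to spot it in the output.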



Summary

Today, our Gold Finger Active Directory Security Permissions/ACL Viewer and Export Tool is used on 6 continents worldwide, by so many of the world's top business and government organizations, perhaps because it's the easiest, most reliable and trustworthy way to dump Active Directory ACLs.

To learn more + to get a free trial, visit - http://www.paramountdefenses.com/active-directory-acl-permissions-viewer.html

Of course, because we know first-hand that there's a lot more to Active Directory Security Audit than performing Active Directory ACL dumps, we also offer the world's most capable Active Directory Permissions Analyzer and the world's only accurate Active Directory Effective Permissions Tool, Active Directory Effective Access Audit Tool and the world's only Active Directory Administrative Access and Delegation Audit Tool.

In essence, we offer the world's most comprehensive suite of Active Directory security, access and effective access audit tools, all available in a single user-interface, with zero dependencies, two-minute installation and Windows-integrated security.

More information on our Gold Finger Suite is online at - http://www.paramountdefenses.com/goldfinger.html

Best wishes,
Sanjay