ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to audit security permissions in Active Directory


Member

Posts: 21
Date: Jun 1, 2011
How to audit security permissions in Active Directory


Hi. I would like to know what is the most efficient way to audit security permissions in our Active Directory deployment? We have about 2000 objects in our Active Directory, and I believe we may have close to 75-odd delegated admins.

In addition, over the past few years, we've granted many access rights to service accounts, and while it's been easy to grant these permissions with precision, it's not been that easy to try and find out who has what access in our Active Directory.

We're looking for an efficient and reliable way to audit permissions in Active Directory, and are all ears for good ideas.

Thank you very much.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 6
Date: Jun 16, 2011
How to audit security permissions in Active Directory


Geoffrey,

I think I understand what you're asking, but it is not entirely clear from your post as to which of the two you are interested in -

1. How to find out where a user/group has permissions in Active Directory?

OR

2. How to find out who is actually delegated what access in Active Directory?

These are two related things, but there is a VAST difference between the two.

In short, the first one is not that difficult at all, but the second one is very, very difficult, and in fact requires a lot of time, effort and expertise.

If you can let me know which one you were alluding to, I can share some more info. Having faced a similar challenge last year, I've actually spent quite some time on both, and after a lot of research and countless hours of trying to write scripts, have finally found one solution for both of the above.

Let me know and I'll be happy to share some more information.

Philippe.



__________________

I'd rather be Skiing!



Member

Posts: 21
Date: Jul 12, 2011
RE: How to audit security permissions in Active Directory


Hi Philippe,

Thanks for your help. Your question is rather interesting, because the answer is YES to both.

You see, we are trying to find out who is delegated what access in our Active Directory, and as far as I know, to do so, we need to find out who has what permissions in our Active Directory. (At least, that is OUR understanding of how to do so.)

In short, we need to know who can perform things like controlling the Domain Admins group membership, resetting user account passwords, deleting OUs etc.

I hope this helps and I hope that in light of this you can provide some guidance.

Thank you very much in advance.

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 6
Date: Jun 23, 2012
RE: How to audit security permissions in Active Directory


Hello Geoffrey,

Thank you for sharing some more details about what you were trying to do. Okay, so now it is much clearer as to what you are trying to accomplish.

You are correct that in order to find out who is delegated what access in Active Directory, you have to start by looking at the security permissions in Active Directory.

The key point here is that looking at the security permissions is just the starting point. Basically, first of all, if you are doing this manually, you have to do this one object at a time, because of all the things involved.

For example, you have to first obtain the list of all security permissions in the ACL of the Active Directory object (e.g. a domain user account) on which you are trying to determine delegations.

Then, you have to go permission by permission, see if it applies to the object, and whether or not it is an inherited or explicit permission. You then have to see whom it is granting rights to, and if it is a group, then you have to expand the membership of the entire group, including all nested group members. I would recommend writing it down on a piece of paper. 

Then you have to see what rights the permission is giving to the user/group, and in cases of Full Control rights, you have to consider all rights. In cases of Special Permissions, you have to list all the permissions.

Then, for each permission you have to make sure that there are no conflicting permissions such as an Explicit Deny permission which would overwrite an Inherited Allow permission, or an Explicit Allow permission which would overwrite an Inherited Deny permission, and so on.

Then you have to figure out all the combinations of all the rights for all the sets of users, and then you have to figure out what delegated tasks these rights map to. I'm pretty sure I am missing a few steps, but this was some of what we had to do initially.

This is all for one object. Then you have to repeat this process for each object on which you wish to determine who is delegated what access.

All in all, it takes about 30 minutes to an hour to determine who is delegated what access on a single object. So if you have only a few objects, you should be able to do this in a week's time. 

In our case, our country's laws required us to report on this for 1000s of accounts, so there was no way we could do this manually. We just didn't have the man-power or the resources to do this in an efficient way.

But, like I said, hopefully you only have a few objects to deal with, and so in a week or two, you should be able to do this and deliver your report.

I hope that my inputs helped you. If I can answer any more questions for you, let me know.

Philippe.



__________________

I'd rather be Skiing!
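
The manual procedure Philippe lays out above (enumerate the ACL, skip ACEs that do not apply to the object, expand nested group membership, treat Full Control as every right, let explicit Deny beat inherited Allow and explicit Allow beat inherited Deny, then map the surviving rights to delegated tasks) is what an effective-permissions calculator has to automate. The following Python model is an added example written for this thread; it is not code from any poster or from any product mentioned here. All principals, groups and ACEs are constructed, and the model is deliberately simplified: it ignores object-type GUIDs (property sets, extended rights), SIDs, owner rights and other details a real Active Directory access check considers, and it keeps only the ACE ordering and inheritance rules the post describes.

```python
"""Toy model of how a principal's effective rights are resolved from an AD DACL.
Constructed example: every principal, group and ACE below is invented."""
from dataclasses import dataclass

# Small subset of AD rights. ALL_RIGHTS stands in for Full Control, which must be
# treated as "every right" rather than as a single permission.
ALL_RIGHTS = frozenset({"ReadProperty", "WriteProperty", "WriteDacl", "WriteOwner",
                        "Delete", "ResetPassword", "CreateChild", "DeleteChild"})


@dataclass(frozen=True)
class Ace:
    trustee: str               # user or group the ACE names
    allow: bool                # True = Allow ACE, False = Deny ACE
    rights: frozenset          # rights covered by this ACE (ALL_RIGHTS for Full Control)
    inherited: bool            # True if inherited from a parent container (OU, domain)
    inherit_only: bool = False # applies only to child objects, not to this object


def expand_group(name, groups, seen=None):
    """Return every user reachable from `name` through nested group membership.
    A name that is not a group is treated as a user."""
    seen = set() if seen is None else seen
    if name in seen:           # guard against circular nesting
        return set()
    seen.add(name)
    if name not in groups:
        return {name}
    members = set()
    for member in groups[name]:
        members |= expand_group(member, groups, seen)
    return members


def applies_to(ace, principal, groups):
    """Does this ACE bind to `principal` on the object whose DACL we are reading?"""
    if ace.inherit_only:       # inherit-only ACEs exist for children, not this object
        return False
    return principal in expand_group(ace.trustee, groups)


def effective_rights(principal, dacl, groups):
    """Resolve rights in the order the AD access check walks a canonical DACL:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow. The first ACE
    that mentions a right decides it, so an explicit Deny beats an inherited Allow
    and an explicit Allow beats an inherited Deny."""
    ordered = sorted(dacl, key=lambda a: (a.inherited, a.allow))
    decided = {}
    for ace in ordered:
        if not applies_to(ace, principal, groups):
            continue
        for right in ace.rights:
            decided.setdefault(right, ace.allow)
    return frozenset(r for r, allowed in decided.items() if allowed)


def who_can(right, dacl, groups, principals):
    """Invert the question: which users effectively hold `right` on this object?"""
    return sorted(p for p in principals if right in effective_rights(p, dacl, groups))


# Delegated task -> right needed on the target object (simplified mapping).
TASKS = {
    "reset password": "ResetPassword",
    "modify group membership": "WriteProperty",
    "delete object": "Delete",
}

# Constructed directory: nested groups and the users they resolve to.
GROUPS = {
    "Helpdesk": {"alice", "bob"},
    "Tier1": {"Helpdesk", "carol"},
    "Domain Admins": {"dave"},
}
USERS = {"alice", "bob", "carol", "dave", "eve"}

# Constructed DACL of one target object, as a manual audit would list it.
DACL = [
    Ace("Domain Admins", True, ALL_RIGHTS, inherited=True),                      # Full Control from the domain
    Ace("Tier1", True, frozenset({"ResetPassword"}), inherited=True),            # inherited Allow via nested group
    Ace("Tier1", False, frozenset({"WriteProperty"}), inherited=True),           # inherited Deny
    Ace("bob", False, frozenset({"ResetPassword"}), inherited=False),            # explicit Deny overrides the inherited Allow
    Ace("carol", True, frozenset({"WriteProperty"}), inherited=False),           # explicit Allow overrides the inherited Deny
    Ace("Helpdesk", True, frozenset({"WriteProperty"}), inherited=False,
        inherit_only=True),                                                      # does not apply to this object
]


def delegation_report(dacl=DACL, groups=GROUPS, principals=USERS):
    """Map each delegated task to the users who can effectively perform it."""
    return {task: who_can(right, dacl, groups, principals) for task, right in TASKS.items()}


if __name__ == "__main__":
    for task, who in delegation_report().items():
        print(f"{task:25} {', '.join(who) or '(nobody)'}")
```

Running it shows the cases the post warns about: alice gets ResetPassword only through Helpdesk nested in Tier1, bob loses it despite the same membership because of his explicit Deny, carol keeps WriteProperty because her explicit Allow outranks the inherited Deny on Tier1, and the inherit-only Helpdesk ACE grants nothing on this object. Repeating the report for every object of interest is the step that does not scale by hand.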



Member

Posts: 21
Date: Jun 25, 2012
RE: How to audit security permissions in Active Directory


Hi Philippe,

That's exactly what I'm talking about - when we tried to do this, we encountered most of the challenges you've described below.

We too have a large number of objects in our Active Directory, and can't realistically do this manually, as it would be prohibitively time-consuming.

You seemed to indicate that you too had no way of doing this manually. So, if you don't mind me asking, did you find a way to do this in some sort of an automated fashion? If so, what process/methodology/tool are you using to audit effective security permissions/delegated access in Active Directory?

Thanks,

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 5
Date: Jun 29, 2012
RE: How to audit security permissions in Active Directory


Hello Mr. Geoffrey,

Have you tried AD Manager Plus from Manage Engine? It has many reports, and is quite cheap too, as it is made in India. I think it can help you do the needful.

-Krishna Raju.



__________________


Member

Posts: 21
Date: Jun 29, 2012
RE: How to audit security permissions in Active Directory


Hi Krishna,

Thanks for the pointer. We did look at AD Manager Plus. I'm sure it is a good tool, but I believe, unfortunately, it can only show who has what permissions. What we are looking for is effective permissions / effective delegated access, which it does not do.

Also, while it might be cheap, if it doesn't solve our problem, the cost is irrelevant. As such, price is a secondary factor for us, but thanks anyway.

Geoffrey. 



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 21
Date: Jun 29, 2012
RE: How to audit security permissions in Active Directory


Hi Philippe,

You seemed to indicate that you too had no way of doing this manually. So, if you don't mind me asking, did you find a way to do this in some sort of an automated fashion? If so, what process/methodology/tool are you using to audit effective security permissions/delegated access in Active Directory?

Thanks,

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 6
Date: Jul 18, 2012
How to audit security permissions in Active Directory


Hi Geoffrey,

Sure, happy to help.

We're using an automated solution called Gold Finger for AD to solve our Active Directory security permissions and effective permissions analysis needs.

We chanced upon it when googling "Active Directory Effective Permissions Tool".

Here in Switzerland, we liken it to a Swiss Army Knife for Active Directory Security, as it has so many AD security/access analysis/audit capabilities.

Here's a link to it - www.paramountdefenses.com/goldfinger

By the way, I'm sorry I could not reply sooner, as it being the Summer, I was out on summer vacation. Summer's just beautiful!

Hope this helps.

Philippe



__________________

I'd rather be Skiing!
