The world's most trusted forum on Active Directory Security
With a recent change in IT management, we've been asked to audit security and privileges across the board, including on all our file-servers as well as in the Active Directory.
We've got some in-house scripts that we've been able to do our file-server assessments with, but trying to write in-house scripts to get a sense of who has what rights in our Active Directory has been more challenging than we thought.
Basically, the Active Directory security model seems to be far more elaborate (complicated) than the simple 3-permission (Read, Write, Execute) file-system model, and we've been trying for some weeks to find some success in this regard. Unfortunately, it continues to be a challenge.
So I thought I'd ask you guys if you face a similar challenge in trying to analyze access in your Active Directory, and if so, how you address this challenge.
We're particularly interested in being able to efficiently obtain the insight we need into who has what permissions where and how in our Active Directory. We've got the change part covered with auditing, but the analysis part remains unaddressed.
I would like to get some ideas on how to address this need.
Thanks for your inputs.
Music is the soul of life! & IT Management Best-Practices
The need to know who has what access/rights in Active Directory is very important, and in fact arguably more important than the need to know who has what access to which files on file-servers.
I say so because, if a file is compromised, at most, the contents of the file are compromised, but if an Active Directory security group is compromised, all IT resources being protected by that file are put at risk of compromise.
You've also rightly mentioned that while the file-system security model is relatively simple with just 3 permissions, Read, Write and Execute to deal with, Active Directory's security model is far more complicated with over a dozen security permissions, many of which can further apply to specific Schema elements, so it is definitely much harder to assess.
In regards to what it is you're trying to accomplish, if you just need to enumerate basic security permissions, I believe there may be a few free tools out there to use, although I say that with hesitancy, because as a good Active Directory administrator knows, it is a cardinal sin to use a free tool in a production environment, especially when logging in using administrative credentials.
Also, while it is good to know who has what permissions in Active Directory, in itself, that knowledge is meaningless, because what one really needs to know is who has what effective permissions in Active Directory, because that is the stuff that determines who can actually do what.
For example, just because a user John Doe has some permission in some ACL of some object, it does not necessarily mean that he has the ability to perform the operation/task controlled by that permission.
Why? Because there could be several other permissions in the ACL of the same object that could conflict with, override or otherwise negate the access granted to that user by that one single permission.
This is a mistake many IT admins and even IT auditors often make, and when they do so, they end up with errant access data, which results in many continued security violations in their Active Directory.
In light of this, if you could let me know whether you're trying to determine who has what permissions in Active Directory, or whether you're trying to determine who has what effective permissions/access rights in Active Directory, I could accordingly advise as to a solution.
Good question though, because it applies to many of us.
We will NEVER forget.
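The point made in the reply above (an allow ACE for a user is not the same as effective access, because deny ACEs, evaluation order, inheritance and group membership all come into play) can be seen in a small model of how a DACL is evaluated. This is an added example, not code from the thread or from any tool mentioned in it; the SIDs are constructed, the access-mask bits are the real ADS_RIGHTS_ENUM values, and the evaluation is a deliberately simplified version of the Windows access check (no owner rights, generic-right mapping or NULL DACL handling).

```python
from dataclasses import dataclass
from typing import Optional

# Three Active Directory access-mask bits (ADS_RIGHTS_ENUM values).
WRITE_PROP = 0x20        # ADS_RIGHT_DS_WRITE_PROP: write a property
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS: an extended right
WRITE_DAC = 0x40000      # ADS_RIGHT_WRITE_DAC: change the object's DACL

@dataclass
class ACE:
    allow: bool
    trustee: str                        # SID of a user or group
    mask: int
    inherited: bool = False
    object_type: Optional[str] = None   # property/extended-right GUID; None = all

def canonical(dacl):
    """Evaluation order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def naive_holders(dacl, bit):
    """What a simple 'who has permission X' script reports: every trustee with an
    allow ACE carrying the bit, ignoring deny ACEs, ordering and group membership."""
    return sorted({a.trustee for a in dacl if a.allow and a.mask & bit})

def effective_mask(dacl, token, object_type=None):
    """Per-bit effective access for a token (user SID plus group SIDs), in the
    MAXIMUM_ALLOWED style: for each bit, the first matching ACE wins.
    Simplified model: no owner rights, generic-right mapping or NULL DACL."""
    granted = denied = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

# Constructed sample: the SIDs are made up; the GUID is the well-known
# rightsGuid of the "Reset Password" extended right.
JOHN, CONTRACTORS, HELPDESK = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1201", "S-1-5-21-1-2-3-1202"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
SAMPLE_DACL = [
    ACE(True, JOHN, WRITE_PROP | WRITE_DAC),                    # explicit allow
    ACE(False, CONTRACTORS, WRITE_PROP),                        # explicit deny
    ACE(True, HELPDESK, CONTROL_ACCESS, True, RESET_PASSWORD),  # inherited, one right only
]
JOHN_TOKEN = {JOHN, CONTRACTORS}   # John is a member of Contractors
```

A naive ACE listing reports John as holding Write Property on the object, while the evaluated result for his token is Write DAC only, because the deny on his group is evaluated first; the helpdesk ACE grants nothing unless the specific extended right it names is the one being checked.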
Thanks for such a helpful explanation - this has certainly helped me gain a better understanding of what I should be looking for.
As to your question Jack, YES, I believe what I need to and am trying to determine is who has what effective permissions/access rights in Active Directory.
If you know of a way to accomplish this, could you please advise?
Sure, happy to help. There are really two ways to accomplish this - a) try to determine effective permissions on AD objects yourself, OR b) use an automated tool to do this.
I do recommend trying option a) first because, if nothing else, it makes you learn a lot, and appreciate just how difficult this problem is. For example, I learnt that there are some SAM read-only attributes that the Effective Permissions Tab in ADU&C incorrectly shows as writeable.
Once you've had an opportunity to try option a) I think you'll automatically find yourself trying option b). The challenge there is that there are NO automated tools that can accurately determine effective permissions in Active Directory. Except ONE.
That ONE tool is called Gold Finger for Active Directory, and it's the only tool I've found thus far that can correctly determine effective permissions in Active Directory. There are many things you can do with that tool, but we were primarily interested in the effective permissions and effective delegated capabilities, and we're very happy with it.
I must say though that our consultants are NOT happy and it's understandable. They used to charge us $200/hour to help us analyze delegated access, and now we just do it ourselves.
Check it out, and I think you'll find that it's the right tool for what you're trying to accomplish.
Thank you for your recommendations. I just wanted to let you know that we did put in an earnest effort to do this manually and it was difficult indeed, as well as time-consuming of course.
We then tried the tool you recommended, and it dawned upon us as to just how much time and effort the right tool for the right job can save us. I should mention that had we not tried doing this manually, we would not have figured out how complicated it is, so thank you for the suggestion.
Of course, we did learn a lot when trying to do this manually, such as what inheritance of permissions is, what extended rights and validated writes are, what forward and back links are, etc., so I understand the innards of AD much better now.