IT security analysts and IT administrators frequently need to determine resultant access in their Active Directory. Accurately determining resultant access in Active Directory is absolutely essential for maintaining security and protecting Active Directory.

The process of determining who is delegated/provisioned what access in Active Directory is also referred to as Determining Resultant Access in Active Directory, and it is a very difficult problem.
Introduction
Organizations typically delegate administrative responsibilities for IT management in Active Directory by provisioning least-privileged access for delegated IT administrators. They also often provision access for service accounts to Active Directory content for use by various (e.g. HR) applications.
Active Directory offers an elaborate security model and tools to make fine-grained delegation of administration and provisioning of access in Active Directory very easy for IT administrators.
However, while Active Directory's elaborate security model makes it very easy to delegate access, it also makes it very difficult to determine who is delegated/provisioned what access in Active Directory.
A Very Difficult Problem
It is very difficult because Active Directory's security model involves many related factors, and to accurately determine who has what resultant access, all of them need to be taken into account.
For example, here are some such factors (not a complete list) –
- Standard and Special Permissions – There are over 12 standard permissions and over 60 special permissions (extended rights) for controlling access in Active Directory
- Allow and Deny Permissions – A user or group can be allowed permissions or denied permissions, and deny permissions, usually but not always, override allow permissions
- Explicit and Inherited Permissions – Permissions can either be set directly (explicitly) on specific Active Directory objects, or be inherited from parent objects; an inherited permission does not necessarily apply to every object beneath the parent on which it was set
- Direct and Indirect Permissions – A user could either have permissions specified directly, or could have permissions specified indirectly, based on direct/nested group memberships
- Effective and Ineffective Permissions – Not all permissions in an object's access control list (ACL) might be effective for the purpose of controlling access on the object, as they might only exist in the ACL to be inherited down to child objects of specific classes
For instance, a user could be granted a permission in one access control entry (ACE) but also be a deeply nested member of a security group that is denied the same permission in another ACE. Even then, either or both of the ACEs may or may not be effective on the object, one might be explicit and the other inherited, and one might allow access while the other denies it. None of this is readily apparent, nor easy to analyze correctly across all the ACEs protecting an object.
Manually determining resultant access in Active Directory requires IT administrators to take all factors into account exactly how Active Directory takes them into account in a real access check.
Taking all of these factors into account correctly to determine resultant access in Active Directory is not only very difficult but also a highly error-prone and time-consuming process.
The fact that in most Active Directory deployments, there usually exist a few thousand objects and 20+ ACEs in each Active Directory object ACL, only makes the problem substantially more difficult.
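To make the interplay of these factors concrete, here is an added example (not part of the original page, and not Microsoft's or Gold Finger's code) that models an Active Directory-style access check over a small constructed DACL: nested group expansion, allow versus deny ACEs, inherited versus explicit ACEs, and inherit-only ACEs that are present in the ACL but ineffective on the object itself. It assumes the ACL is in canonical order (explicit before inherited, deny before allow within each tier), which is why an explicit allow can beat an inherited deny; the principal and group names are constructed stand-ins for SIDs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    trustee: str                 # user or group name (a SID in real AD)
    allow: bool                  # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    rights: frozenset            # e.g. {"Reset-Password"}, {"Write:member"}
    inherited: bool = False      # inherited from a parent container
    inherit_only: bool = False   # present only to flow down to children

# Constructed group graph: principal -> groups it is a direct member of.
GROUPS = {"alice": {"Helpdesk"}, "Helpdesk": {"Tier2-Ops"}, "bob": set()}

def token_for(principal, groups=GROUPS):
    """Expand direct and nested group memberships into an access token."""
    token, stack = {principal}, [principal]
    while stack:
        for g in groups.get(stack.pop(), ()):
            if g not in token:
                token.add(g)
                stack.append(g)
    return token

def check_access(principal, acl, wanted, groups=GROUPS):
    """Model of the AD access check: walk the DACL in canonical order
    (explicit before inherited, deny before allow within each tier)."""
    token = token_for(principal, groups)
    remaining = set(wanted)
    for ace in acl:
        if ace.inherit_only or ace.trustee not in token:
            continue                       # ineffective here, or not for us
        overlap = remaining & ace.rights
        if not ace.allow and overlap:
            return False                   # matching deny on an ungranted right
        if ace.allow:
            remaining -= overlap
            if not remaining:
                return True                # every requested right granted
    return not remaining

# Constructed DACL on an OU, in canonical order. The inherited deny reaches
# alice only indirectly, through the nested Helpdesk -> Tier2-Ops membership.
OU_ACL = (
    ACE("alice", True, frozenset({"Reset-Password"})),
    ACE("Tier2-Ops", False, frozenset({"Reset-Password"}), inherited=True),
    ACE("Helpdesk", True, frozenset({"Write:member"}), inherited=True,
        inherit_only=True),
)
# Same ACEs, but with the deny set explicitly on the OU, so it sorts first.
OU_ACL_EXPLICIT_DENY = (
    ACE("Tier2-Ops", False, frozenset({"Reset-Password"})), OU_ACL[0], OU_ACL[2])
```

Running `check_access("alice", OU_ACL, {"Reset-Password"})` grants access despite the inherited deny, while the same request against `OU_ACL_EXPLICIT_DENY` is refused, and the inherit-only `Write:member` ACE grants alice nothing on the OU itself.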
A Microsoft-Endorsed Solution
There is a Microsoft-endorsed Active Directory security and resultant-access reporting tool called Gold Finger, from Paramount Defenses Inc, that can accurately assess resultant access in Active Directory.

Gold Finger is architected by a former Microsoft Active Directory Security Program Manager, the author of Microsoft's official whitepaper on Best Practices for Delegating Active Directory Administration.
Its resultant-access assessment capabilities can accurately assess resultant access in Active Directory and report and reveal who really has what access in Active Directory. It can accurately assess resultant access on single Active Directory objects, such as a user account or a security group, as well as on thousands of objects in a single assessment.
In addition, it can also show you exactly how someone is delegated a specific task.
For instance, here are some delegations that Gold Finger can instantly help you determine, by accurately assessing resultant access in your Active Directory –
- Who can create and delete domain user accounts, and exactly where?
- Who can create and delete domain security groups, and exactly where?
- Who can create and delete organizational units, and exactly where?
- Who can create and delete service connection points, and exactly where?
- Who can modify domain account security policies, and which ones?
- Who can reset domain user account passwords, and exactly whose?
- Who can unlock locked domain user accounts, and exactly which ones?
- Who can enable disabled domain user accounts, and exactly which ones?
- Who can change domain security group memberships, and exactly which ones?
- Who can change the domain security group scopes, and exactly which ones?
The following is a demo of the Microsoft-endorsed Gold Finger resultant-access assessment solution for Active Directory, which can instantly determine resultant-access in any Active Directory deployment –