Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security




Challenges in Assessing Delegated Access in Active Directory




One of the biggest challenges in Windows security is that of accurately determining delegated access in Active Directory.

Consequently, the accurate assessment of delegated access in Active Directory also remains a challenging task for IT admins.


This is a challenge for IT admins because in order to correctly (i.e. accurately) determine who is delegated what access in Active Directory, IT admins need to simulate a real Active Directory authorization check, and doing so requires deep technical expertise and significant time. The challenge, and its solution, are perhaps best illustrated with an appropriate example, below.



Example

Consider the ACL shown above, which serves to protect the user account of the CEO of a fictional business organization.


Can you accurately determine who is delegated what administrative tasks on the CEO's account? (It's not easy, is it?)


Here's why it's not easy –

  1. There are numerous permissions specified for numerous users, security groups and well-known security principals.
  2. Security groups may be nested to multiple levels, thus effectively specifying access for large numbers of individuals.
  3. There are over seventy different kinds of permissions and rights that could be granted or denied to security principals.
  4. Permissions granted to someone in one ACE may be denied to the same user or security group in another ACE.
  5. Permissions granted in an inherited ACE may be overridden by permissions specified in an explicit ACE.
  6. Permissions specified in an ACE may or may not control access depending on the characteristics of the ACE.
  7. A user could belong to multiple nested security groups, some of which may be allowed, and some denied, permissions.
  8. So on and so forth ...

Note: The Effective Permissions tab in the Active Directory Users & Computers snap-in does NOT provide accurate results, as it does not take into account vital access rules such as evaluating complicated nested group memberships, weighing conflicting permissions, and processing the Everyone group, to name a few.

In effect, in order to correctly (i.e. accurately) determine who is delegated what access in Active Directory, IT admins need to simulate a real Active Directory authorization check, and doing so requires deep technical expertise and significant time.

This is why accurately assessing who is delegated what administrative tasks in Active Directory is a challenge for IT admins.
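The rules listed above (transitive group expansion, the Everyone and Authenticated Users well-known principals, deny beating allow, and explicit ACEs beating inherited ones) are exactly what an authorization check has to simulate. The following is an added example, not code from this page or from Paramount Defenses, that models a small DACL and computes a user's effective rights under those rules. The ACL, the group nesting, the user names and the handful of rights are all constructed for illustration (the real schema has far more rights than the four modelled here), and the object-type handling is a deliberately simplified version of object-specific ACEs.

```python
"""Simulate an Active Directory DACL evaluation to compute effective rights.

Constructed example: the groups, users, rights and ACL below are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# A small subset of the rights that can appear in an AD ACE.
GENERIC_READ = "GenericRead"
WRITE_PROPERTY = "WriteProperty"
RESET_PASSWORD = "ResetPassword"   # extended right on user objects
WRITE_DACL = "WriteDacl"
ALL_RIGHTS: FrozenSet[str] = frozenset(
    {GENERIC_READ, WRITE_PROPERTY, RESET_PASSWORD, WRITE_DACL})

# Well-known principals that are implicitly in every user's token.
EVERYONE = "Everyone"
AUTHENTICATED_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Ace:
    trustee: str                     # user, group or well-known principal
    allow: bool                      # True = access-allowed, False = access-denied
    rights: FrozenSet[str]
    inherited: bool = False          # True if inherited from a parent OU
    object_type: Optional[str] = None  # None = applies to the whole object


def expand_groups(principal: str, members: Dict[str, Set[str]]) -> Set[str]:
    """Return every group `principal` belongs to directly or through nesting.

    `members` maps a group name to its direct members (users or groups).
    The visited set makes this safe against circular nesting.
    """
    found: Set[str] = set()
    frontier: List[str] = [principal]
    while frontier:
        current = frontier.pop()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def build_token(user: str, members: Dict[str, Set[str]]) -> Set[str]:
    """The set of SIDs an authorization check would find in the user's token."""
    return {user, EVERYONE, AUTHENTICATED_USERS} | expand_groups(user, members)


def canonical_order(acl: List[Ace]) -> List[Ace]:
    """Order ACEs as Windows expects them: explicit deny, explicit allow,
    inherited deny, inherited allow.  (Sorting is stable, so the relative
    order inside each class is preserved.)"""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(user: str, acl: List[Ace], members: Dict[str, Set[str]],
                     object_type: Optional[str] = None) -> Set[str]:
    """Walk the DACL in canonical order; the first matching ACE decides each right.

    An ACE matches when its trustee is in the token and it is either a
    whole-object ACE or one scoped to the requested object type.
    Rights no ACE mentions are implicitly denied.
    """
    token = build_token(user, members)
    granted: Set[str] = set()
    undecided: Set[str] = set(ALL_RIGHTS)
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        decided_now = ace.rights & undecided
        if ace.allow:
            granted |= decided_now
        undecided -= decided_now      # a deny simply leaves the right ungranted
    return granted


# Constructed directory: group -> direct members (two-level nesting).
GROUPS: Dict[str, Set[str]] = {
    "HelpDesk Tier1": {"alice"},
    "HelpDesk": {"HelpDesk Tier1"},
    "Domain Admins": {"bob"},
}

# Constructed DACL on the CEO's user object.
CEO_ACL: List[Ace] = [
    Ace("HelpDesk Tier1", allow=False, rights=frozenset({WRITE_DACL})),        # explicit deny
    Ace("HelpDesk", allow=True, rights=frozenset({RESET_PASSWORD, WRITE_DACL})),  # explicit allow
    Ace("HelpDesk", allow=False, rights=frozenset({RESET_PASSWORD}), inherited=True),  # inherited deny from the OU
    Ace(EVERYONE, allow=True, rights=frozenset({GENERIC_READ}), inherited=True),
    Ace("Domain Admins", allow=True, rights=ALL_RIGHTS, inherited=True),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "charlie"):
        print(who, sorted(effective_rights(who, CEO_ACL, GROUPS)))
```

Running it shows why the naive reading of the ACL misleads: alice never appears in the ACL by name, yet through HelpDesk Tier1 and HelpDesk she ends up with ResetPassword on the CEO's account (the explicit allow on HelpDesk outranks the inherited deny), while the explicit deny on her nested group strips WriteDacl even though HelpDesk is explicitly allowed it. charlie, who belongs to no group, still reads the object through Everyone.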


What if you could accurately assess, verify, audit & report access delegated in your Active Directory?

You can, with the Gold Finger from Paramount Defenses Inc. Download your free trial.

Copyright ActiveDirSec.Com 2008 – 2010. All Rights Reserved.