Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security
How to Demonstrate Compliance of Access Rights in Active Directory
Organizations can reliably demonstrate compliance of access rights in Active Directory by following a simple three-step process –


Step 1 – Identify the specific Active Directory objects that you need to include in your assessment to demonstrate compliance.

Step 2 – Decide which administrative tasks you wish to include when demonstrating compliance on these objects.

Step 3 – Proceed to accurately determine who can perform these tasks on these objects.

    NOTE: Compile your assessment in the form of a report that can be furnished to demonstrate compliance.



The process of determining delegated access on these objects can be performed manually or via an automated solution –


Option 1 – Demonstrate Compliance Manually
    (Approximate time needed per object – 30 minutes)


  1. Launch Active Directory Users and Computers

    (To do so, click on Start, then click on Run, then type "dsa.msc" in the box and finally press Enter)
  2. Click on the View option in the Menu bar and select the Advanced Features option.
  3. Navigate to the specific user account, group or OU on which you wish to demonstrate compliance.
  4. Right-click on the object and select Properties.
  5. Navigate to the Security Tab by clicking on it.
  6. Click the Advanced button to open the Advanced Security Settings pane.
  7. Take every entry in the Permission entries field into account, in the same way an actual access check in Active Directory does, to determine who is delegated which tasks on this object.

    The precise details are complicated, but the following pointers will help –

    1. A recommended starting point is to figure out if there are any Deny permissions specified.
    2. Then, look for any Allow permission entries that seem to conflict with Deny permissions.
    3. Meticulously intersect every set of effective conflicting permissions, keeping in mind that Explicit permissions override Inherited ones.
    4. Expand every group membership specified in every relevant ACE, as users could belong to multiple groups with conflicting permissions.
    5. Dynamically evaluate the membership of every well-known SID encountered in ACEs.
    6. Check Schema to determine if authorized objects creations are in fact permissible.
    7. In this manner, include every relevant detail so that you precisely simulate a real access check.
    Upon completion of this step, you will have demonstrated compliance.
  8. Click the OK button to return to the Security tab of the object's Properties pane.
  9. Click the OK button to return to the main Active Directory Users and Computers panel.
  10. Close the main Active Directory Users and Computers panel.
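To make the pointers in step 7 concrete, the following is an added example (not code from this page, and not part of Gold Finger) that models in Python the order in which a canonical DACL is evaluated: explicit Deny, explicit Allow, inherited Deny, inherited Allow, so that explicit entries override inherited ones and a Deny only matters for a right that has not already been granted. Nested group membership is expanded transitively and well-known identities are treated as matching every principal. All user, group and right names, and the OU's ACL, are constructed for the example; object-type (per-attribute or extended-right GUID) scoping and the Schema check from pointer 6 are deliberately left out of the model.

```python
"""Simplified model of an Active Directory DACL access check, used to answer
the compliance question "who can perform task X on object Y".

Added example, not from the original page. Assumptions: principals and groups
are plain strings rather than SIDs; the well-known identities below match
every principal; object-type GUID scoping and the Schema check are omitted.
"""
from dataclasses import dataclass

# Constructed sample directory: group -> direct members (users or nested groups)
GROUPS = {
    "Domain Users": {"alice", "bob"},
    "Helpdesk": {"bob", "erin", "Tier2"},   # Tier2 is nested inside Helpdesk
    "Tier2": {"carol"},
}
USERS = ["alice", "bob", "carol", "dave", "erin"]
# Assumption (pointer 5): these well-known identities apply to every principal
WELL_KNOWN = {"Everyone", "Authenticated Users"}


@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str          # "Allow" or "Deny"
    rights: frozenset  # constructed right labels, e.g. {"ResetPassword"}
    inherited: bool    # False = explicit ACE set directly on this object


def principal_token(principal: str) -> set:
    """Pointer 4: expand nested group membership to a fixed point, then add
    the well-known identities every principal carries."""
    token = {principal} | WELL_KNOWN
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token


def canonical_order(acl):
    """Pointers 1-3: canonical DACL order is explicit Deny, explicit Allow,
    inherited Deny, inherited Allow, so explicit entries override inherited
    ones and Deny entries are looked at before Allow entries at each level."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "Deny"))


def access_check(acl, principal: str, requested) -> bool:
    """Walk the DACL the way an access check does: fail at the first matching
    Deny that still covers an ungranted right, succeed once every requested
    right has been granted, fail if the list ends with rights still missing."""
    remaining = set(requested)
    token = principal_token(principal)
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if ace.kind == "Deny":
            if remaining & ace.rights:
                return False
        else:
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining  # nothing left to grant (only true if nothing was asked)


def who_can(acl, task_rights) -> list:
    """One line of the compliance report: every user able to perform the task."""
    return sorted(u for u in USERS if access_check(acl, u, task_rights))


# Constructed DACL on a sample OU, deliberately listed out of canonical order
OU_ACL = [
    Ace("Helpdesk", "Allow", frozenset({"ResetPassword"}), inherited=True),
    Ace("Domain Users", "Deny", frozenset({"WriteMembers"}), inherited=True),
    Ace("Authenticated Users", "Allow", frozenset({"Read"}), inherited=False),
    Ace("Tier2", "Allow", frozenset({"ResetPassword", "WriteMembers"}), inherited=False),
    Ace("bob", "Deny", frozenset({"ResetPassword"}), inherited=False),
]

if __name__ == "__main__":
    for task in ("ResetPassword", "WriteMembers", "Read"):
        print(f"{task}: {who_can(OU_ACL, {task})}")
```

Running it shows the three effects the pointers describe: bob is in Helpdesk but the explicit Deny on him wins over the inherited Allow; carol is only in Tier2, yet inherits Helpdesk's rights through nesting and keeps WriteMembers because Tier2's explicit Allow is evaluated before the inherited Deny on Domain Users; erin gets ResetPassword purely from the inherited Helpdesk entry.
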
Option 2 – Use an Automated Solution
    (Approximate time needed per object – 30 seconds)


  1. Launch Gold Finger.

    (To do so, click on Start, then click on Programs, then on Paramount Defenses, then on Gold Finger)
  2. Select the administrative tasks whose delegations you wish to demonstrate compliance of.
  3. Specify the scope of your assessment by entering the distinguished name of the target AD object/tree.
  4. Press Enter or click the Gold Finger button.
  5. The Results pane lists the identities of all individuals who can perform this task in the specified scope.
  6. Click on Print to print your compliance report.
What if you could instantly & accurately demonstrate compliance of access rights in Active Directory?

You can, with Gold Finger from Paramount Defenses, a valued Microsoft partner.

Copyright ActiveDirSec.Com 2008 – 2010. All Rights Reserved.