The Microsoft Windows family of operating systems provides the ability to secure a variety of system objects such as files, directories, registry keys and mutexes (commonly referred to as securable objects). Likewise, Windows provides the ability to protect objects in Active Directory, and these objects are also protected by security descriptors.
Security Descriptor Components
A security descriptor is a data structure that serves to protect a securable object. It holds the pertinent security information for that object, in particular who has what access to it.

In particular, a security descriptor consists of four components:
Owner
Group
DACL
SACL
The Owner and Group fields of a security descriptor hold the security identifiers (SIDs) of the object's owner and of its primary group, respectively.
The DACL (discretionary access control list) is a set of access control entries (ACEs) that together specify who has what access to the object. Each ACE allows or denies one or more specific permissions to a user or a group of users on the object.
The SACL (system access control list) is a set of ACEs that together specify which operations on the object should be audited. Each ACE names the types of access attempts by a specified user or group of users that cause the system to write a record to the security event log.
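As an added illustration of this structure (example code, not from the original article or any product it mentions), the following Python parses a security descriptor written in Windows' SDDL string form, splits it into the four components described above, and lists per trustee which rights each DACL ACE allows or denies. The sample descriptor string is constructed for the example; the SID aliases (BA, SY, WD, AU) and right tokens (FA, FR, WD, WO) are standard SDDL abbreviations.

```python
"""Added example: parse an SDDL (Security Descriptor Definition Language)
string into Owner, Group, DACL and SACL, and list rights per trustee."""
import re
from collections import defaultdict

# Constructed sample: owned by Builtin Administrators (BA), primary group Local
# System (SY), protected auto-inherited DACL, SACL auditing Everyone (WD).
SAMPLE_SDDL = "O:BAG:SYD:PAI(A;;FA;;;BA)(D;;WDWO;;;WD)(A;CI;FR;;;AU)S:(AU;SAFA;FA;;;WD)"
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "OA": "allow", "OD": "deny", "OU": "audit"}

def parse_ace(ace):
    # ACE string fields: type;flags;rights;object_guid;inherit_object_guid;trustee
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: " + ace)
    rights = fields[2]
    # Rights are a hex mask or a run of two-letter tokens (FA, FR, WD, RP, ...)
    tokens = [rights] if rights.startswith("0x") else re.findall(r"..", rights)
    return {"type": ACE_TYPES.get(fields[0], fields[0]), "flags": fields[1],
            "rights": tokens, "object": fields[3], "inherit_object": fields[4],
            "trustee": fields[5]}

def parse_sddl(sddl):
    # Top-level sections are O:, G:, D:, S:; a colon never occurs inside an ACE
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    sd = {"owner": sections.get("O"), "group": sections.get("G")}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        body = sections.get(key)
        if body is None:
            sd[name] = None  # ACL absent: nothing restricts (DACL) / nothing is audited (SACL)
            continue
        flags = body.split("(", 1)[0]  # ACL control flags such as P, AI, AR
        aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
        sd[name] = {"flags": flags, "aces": aces}
    return sd

def rights_by_trustee(sd):
    # "Who has what": allowed and denied right tokens per trustee (DACL only)
    out = defaultdict(lambda: {"allow": set(), "deny": set()})
    for ace in (sd["dacl"] or {"aces": []})["aces"]:
        if ace["type"] in ("allow", "deny"):
            out[ace["trustee"]][ace["type"]].update(ace["rights"])
    return dict(out)

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    for trustee, rights in rights_by_trustee(sd).items():
        print(trustee, sorted(rights["allow"]), sorted(rights["deny"]))
```

Note that an empty DACL (`D:` with no ACEs) is parsed as present with no entries, which on Windows means no access for anyone, while a missing DACL is returned as `None`; the two must not be confused when reporting.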
The Gold Finger Active Directory Reporting Tool from Paramount Defenses lets you instantly analyze Active Directory security descriptors and report who is granted what permissions. You can specify the exact permissions you are looking for and the OU/container/domain you wish to look for permissions in. You can also export all results to CSV files as well as evaluate complete nested group memberships.