Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security

Active Directory Security Descriptors

The Microsoft Windows family of operating systems can secure a variety of system objects, such as files, directories, registry keys and mutexes, which are commonly referred to as securable objects. In the same way, Windows can protect objects in Active Directory, and these objects are protected by security descriptors.


Security Descriptor Components

A security descriptor is a data structure that serves to protect these securable objects. It specifies pertinent security information, such as who has what access to the object.

In particular, a security descriptor consists of four components:

  1. Owner

  2. Group

  3. DACL

  4. SACL


The Owner and the Group fields of a security descriptor specify the Security Identifier (SID) of the owner of the object and the primary group of the object.

The DACL is a set of access control entries (ACEs) that together specify who has what access on this object. In particular, each ACE allows or denies one or more technical permissions to a user or a group of users on the object.

The SACL is a set of ACEs that together specify which operations on this object should be audited. In particular, each ACE specifies the types of access attempts by a specified user or a group of users that cause the system to generate a record in the security event log.
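
As an added illustration (not code from the original page or from any tool it mentions), the Python below parses the self-relative binary form in which Active Directory stores a descriptor in the nTSecurityDescriptor attribute, following the layout in Microsoft's MS-DTYP specification, and returns the four components described above. The sample descriptor, its SIDs and the `make_*` helper names are constructed for this example.

```python
import struct

ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT", 5: "ALLOW_OBJECT", 6: "DENY_OBJECT", 7: "AUDIT_OBJECT"}

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    count = buf[off + 1]  # SubAuthorityCount
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(map(str, ("S", buf[off], int.from_bytes(buf[off + 2:off + 8], "big"), *subs)))

def parse_acl(buf, off):
    """Decode the ACL at buf[off:] into (ACE type, access mask, trustee SID) tuples."""
    (ace_count,) = struct.unpack_from("<H", buf, off + 4)
    aces, pos = [], off + 8  # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid_off = pos + 8
        if ace_type in (5, 6, 7):  # object ACE: Flags word, then 0-2 GUIDs precede the SID
            sid_off += 4 + 16 * bin(buf[sid_off] & 3).count("1")
        aces.append((ACE_TYPES.get(ace_type, ace_type), mask, parse_sid(buf, sid_off)))
        pos += ace_size
    return aces

def parse_security_descriptor(buf):
    """Split a self-relative descriptor into Owner, Group, DACL and SACL (None = absent)."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "dacl": parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else None,  # SE_DACL_PRESENT
        "sacl": parse_acl(buf, o_sacl) if control & 0x0010 and o_sacl else None,  # SE_SACL_PRESENT
    }

# Helpers below only build a constructed sample descriptor (not taken from a real directory).
def make_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)
def make_ace(ace_type, flags, mask, sid):
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid
def make_acl(*aces):
    return struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
def build_sample():
    everyone, admins = make_sid(1, 0), make_sid(5, 32, 544)
    sacl = make_acl(make_ace(2, 0x40, 0x00040000, everyone))  # audit successful WRITE_DAC by Everyone
    dacl = make_acl(make_ace(0, 0, 0x000F01FF, admins), make_ace(1, 0, 0x00010000, everyone))
    parts = [admins, make_sid(5, 21, 1, 2, 3, 513), sacl, dacl]
    offsets = [20 + sum(map(len, parts[:i])) for i in range(4)]
    return struct.pack("<BBHIIII", 1, 0, 0x8014, *offsets) + b"".join(parts)
```

Calling `parse_security_descriptor(build_sample())` returns the owner, group, DACL and SACL as a dictionary. A `dacl` of `None` means the descriptor has no DACL, which grants everyone full access, whereas an empty list grants access to no one.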

The Gold Finger Active Directory Reporting Tool from Paramount Defenses lets you instantly analyze Active Directory security descriptors and report who is granted what permissions. You can specify the exact permissions you are looking for and the OU/container/domain you wish to look for permissions in. You can also export all results to CSV files as well as evaluate complete nested group memberships.


Copyright ActiveDirSec.Com 2008 – 2011. All Rights Reserved