ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How do we lockdown Authenticated Users access to our Active Directory content?
CF


Member

Posts: 8
Date: Jun 11, 2010
How do we lockdown Authenticated Users access to our Active Directory content?


Hello All,

 

I would like to know if any of you have tried and succeeded at locking down access for authenticated users to Active Directory content. One of our clients has a need to restrict read access to certain Organizational Units.

 

They have the standard Active Directory integrated applications (MS Exchange, SQL databases, IIS) etc. running and have a few in-house developed web applications that too rely on access to Active Directory content.

 

They would like to take away read access for all Authenticated Users except the users and delegated admins of those OUs, but are hesitant to try it because they're not sure of what all might get impacted (it being a production domain, it's hard to actually try it, and it's hard to reproduce the whole production environment in a test environment).

 

If you too have encountered this problem, it would be helpful to hear of how you may have accomplished such a thing, and if there were any things to look out for.

 

Thanks,
- CF



__________________

My little dot on the web - Auditing Security in the Active Directory

 



Member

Posts: 18
Date: Jun 15, 2011
RE: How do we lockdown Authenticated Users access to our Active Directory content?


Hi CF,

We actually tried this last year, and in fact spent a great deal of time trying to do this, and I have to say that this is unfortunately very difficult. By the way, we tried it because we had a situation where we had some insiders who were running permission-analysis tools in our environment to try and take over some accounts.

Anyway, it turns out that the reason it is so difficult is that so many components (apps, services, functions) of both native Microsoft products and applications as well as 3rd party apps rely on the presence of read access for Authenticated Users, that if you were to try to restrict it even minimally, so many things stop working.

For instance, Exchange is one application that got substantially impacted. In fact Exchange relies heavily on access to Active Directory. If I remember correctly, we also noticed some impact on RAS, VPNs, Terminal Services and Network Browsing.

I would highly recommend against trying to do this. If you do try it, please first try it in a production-like test environment and only then try it in production.

If I may ask, what is your motivation to lock down Authenticated Users access?

Nate



__________________
Today is the tomorrow we worried about yesterday
CF


Member

Posts: 8
Date: Jun 29, 2012
RE: How do we lockdown Authenticated Users access to our Active Directory content?


Hi Nathan,

I didn't know so much stuff could break if one locked down Read Access for Authenticated Users. Wow, it seems like just about everything integrated with Active Directory relies on the existence of Read Access granted to Authenticated Users.

Well, one of the motivations was that they didn't want everyone in their company to be able to look at all kinds of data in the Active Directory, especially group memberships and security permissions.

I believe the issue with group memberships was that certain people were in certain sensitive groups, such as those used to closely monitor employee access etc., but they didn't want everyone to know who was in these groups.

As for security permissions, I believe they have a heavily delegated Active Directory (i.e. lots of delegations done in their Active Directory) and they didn't want everyone to be able to view/analyze ACLs and try to find out who is delegated what access in their Active Directory, because they too didn't have an exact picture to begin with.

Anyway, I'll pass our input along, and hopefully they can find other ways to try and deal with these two issues.

Many thanks for sharing your experiences.

Kind Regards,

-CF



__________________

My little dot on the web - Auditing Security in the Active Directory

 



Member

Posts: 18
Date: Jul 20, 2012
RE: How do we lockdown Authenticated Users access to our Active Directory content?


Hi CF,

Sure, always happy to help. Yeah, this wasn't an easy one for us to deal with either.

If, as you're mentioning, they have a fair amount of delegations done in Active Directory, then, since you can't really lock down Authenticated Users' access to Active Directory content and permissions, I would just suggest that they get a very good grip on who is delegated what access in the Active Directory.

I say this because, with everyone having read access to Active Directory content, literally anyone with the right knowledge or tools could easily find holes in delegation grants and use them to quietly compromise security.

In my experience, we're starting to hear of instances of insiders using this little-known way to compromise security from the inside, and it's not a risk worth taking, given that an insider could gain elevated powers and do some damage in short order.

Just something to think about as you guys continue to figure out how to deal with this whole Authenticated Users read access issue.

Cheers,

Nate.



__________________
Today is the tomorrow we worried about yesterday
CF


Member

Posts: 8
Date: Jul 22, 2012
How do we lockdown Authenticated Users access to our Active Directory content?


Hi Nathan,

You make a very good point about anyone being able to find out who is delegated what access in Active Directory as a result of Authenticated Users being granted complete read access in Active Directory.

Since, as we've discussed, one can't really lock down the read access granted to Authenticated Users, I suppose the only option left is to at least lock down all delegated administrative access in Active Directory, so that even if anyone could view AD permissions, there would be no weaknesses that anyone could exploit.

We've been giving this some thought, and started looking at who might be delegated what access in our Active Directory, but we hit a road-block and frankly got a headache just looking at all the security permissions in AD.

Do you happen to know of any way that we could easily and quickly find out who is delegated what access in our Active Directory?

Thanks.

CF.

PS: Dang, it's Sunday night. Why are Mondays so depressing!



__________________

My little dot on the web - Auditing Security in the Active Directory

 



Member

Posts: 18
Date: Jul 23, 2012
RE: How do we lockdown Authenticated Users access to our Active Directory content?


CF,

Sure, the quickest and only way I know of to find out who is delegated what access in your Active Directory is to use the Gold Finger for AD security analysis tool.

We came across it on YouTube a few weeks back, checked it out, tried it and licensed it. BTW, here's the YouTube demo we came across - 

Note: In case the video above doesn't work, here's the direct link to the demo video - How to Find Out Who is Delegated What Administrative Access in Active Directory?

It's pretty slick.

Cheers.

Nate.

PS: Hey, Monday's almost over, so you're now 24 hours closer to enjoying that inviting Corona



__________________
Today is the tomorrow we worried about yesterday
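As an added example (not from the thread, and not code from the tool Nate mentions), the following PowerShell script uses the RSAT ActiveDirectory module to list the explicit, non-inherited ACEs on every OU so the delegations discussed above can be reviewed. The `$expected` principal list, the `$sensitive` rights pattern and the output file name are assumptions to adjust per domain.

```powershell
# Added example: report explicit (non-inherited) ACEs on every OU so that
# delegated rights can be reviewed. Assumes the RSAT ActiveDirectory module
# and ordinary read access to the domain, which Authenticated Users have by
# default (the point of the thread).
Import-Module ActiveDirectory

# Principals expected on every OU by default; anything else is a grant to review.
# Domain groups such as Domain Admins or Account Operators are deliberately not
# listed, so they appear in the report and the reviewer sees the full picture.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
              'NT AUTHORITY\Authenticated Users',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

# Rights that confer control over the OU or the objects beneath it (assumption:
# this is the subset worth scrutinising first; plain read rights are skipped).
$sensitive = 'GenericAll|WriteDacl|WriteOwner|WriteProperty|CreateChild|DeleteChild|ExtendedRight'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # The AD: PSDrive exposes each object's nTSecurityDescriptor via Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                              # explicit grants only
        if ($ace.AccessControlType -ne 'Allow') { continue }            # deny ACEs are not delegations
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights -notmatch $sensitive) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Principal   = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights.ToString()
            # ObjectType narrows the right to one attribute, class or extended right;
            # an empty GUID means the right applies to everything.
            ObjectType  = if ($ace.ObjectType -eq [guid]::Empty) { '(all)' } else { $ace.ObjectType.ToString() }
            Inheritance = $ace.InheritanceType.ToString()
        }
    }
}

$report | Sort-Object OU, Principal | Format-Table -AutoSize
# Keep a copy so successive runs can be diffed to catch new or changed grants.
$report | Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
```

Each row is one delegation to confirm against a change record; rows with Principal values nobody can account for are the "holes in delegation grants" Nate warns about.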