ActiveDirSec.Org

The world's most trusted forum on Active Directory Security

Member

Posts: 15
Date: Dec 3, 2010
WikiLeaks, Active Directory Domain Security Groups and Access Management in Windows


Hello All,

In the wake of all the chatter about WikiLeaks potentially leaking organizational secrets as well, our management has decided to perform a prioritized security review of the security of our assets.

We have a robust Active Directory based network, and we use our Active Directory based domain security groups extensively to provision access to resources on our servers, including SharePoints, shared files, databases and internal apps.

While thinking about how to proceed with our review, numerous questions were raised, including how to approach the assessment, what all to cover, what all to assess comprehensively, and how to distribute the assessment among the team. I came across this forum and thought it might be a good place to invite some input.

For instance, determining where all a security group is used, who its members are, what effective rights these groups have etc. all seem like valid things to cover. But without a systematic approach and the right tools we worry that this could take a very long time.

If you have performed such assessments, or have any thoughts or suggestions, it would be quite helpful and appreciated.

Thank you,
Joe



__________________
Don't mess with my Alienware!


Member

Posts: 16
Date: May 19, 2011
RE: WikiLeaks, Active Directory Domain Security Groups and Access Management in Windows


Hi Joe,

WikiLeaks wasn't exactly to do with Active Directory, but in general I agree that with so much focus on security, and with data breaches becoming a common affair these days, Active Directory is starting to get a lot of attention, since Microsoft (for good or bad) virtually ended up tying just about everything to do with security into it.

In general, here are some of the most logical and essential things to look at -

1. Audit your user accounts and look for accounts that may not be password-protected, that may have failed password attempts, may be stale or may have permissions in Active Directory.

2. Audit your groups and try to identify groups with large memberships, empty groups, any groups that do not have a manager specified, or groups that have permissions anywhere in Active Directory.

3. Audit your administrative delegations. This is often overlooked but is one of the riskiest areas in Active Directory because the AD is essentially a jungle of permissions and while it's easy to grant permissions, it's virtually impossible to find out who has what access.

Speaking of determining access in Active Directory, just remember that who has what permissions is NOT equal to who has what resultant set of permissions. There is a huge difference but sadly it is very easy to fall in the trap of making wrong inferences.

(BTW, if you're interested in this, simply google "Active Directory Resultant Access" and you should find loads of info on how to correctly determine delegated access.)

4. You should obviously also audit administrative groups and get a good sense of exactly who is a member of which group, also taking into account nested memberships.

5. Finally, you should audit your OUs, get a summary view of how many accounts, groups, computers etc. are in each OU, and who is delegated what access on which OU.

6. You should get a list of all your DCs, their physical locations, who manages them etc.

7. Look at all Trust relationships. Obtaining a list of trusts, their directions, transitivity, SID filtering status etc. is also quite helpful.

This is my list of the top few things to look at. While most are easy, the delegated/resultant-access part is the hardest, but it's also one of the most important.

Hope this helps.



__________________
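A first-pass inventory for points 1, 2, 4 and 7 of the list above, written as an added example for this thread (not code from either poster). It assumes the RSAT ActiveDirectory module is installed and run as a domain user with read access; the 100-member and 90-day thresholds are assumptions to adjust.

```powershell
# Added example: export the raw material for points 1, 2, 4 and 7 above to CSV,
# one file per finding set, so the review can be split across the team.
Import-Module ActiveDirectory

$LargeGroupThreshold = 100                      # assumption: flag groups above this size
$StaleCutoff         = (Get-Date).AddDays(-90)  # assumption: no logon in 90 days = stale

# 1. Enabled accounts that are not password-protected, or that look stale.
$noPasswordRequired = Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true' |
    Select-Object SamAccountName, DistinguishedName
$staleAccounts = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonTimestamp |
    Where-Object { $_.LastLogonTimestamp -and
                   [DateTime]::FromFileTime($_.LastLogonTimestamp) -lt $StaleCutoff } |
    Select-Object SamAccountName,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimestamp) } }

# 2. Groups that are empty, oversized, or have nobody recorded in managedBy.
$groups          = Get-ADGroup -Filter * -Properties member, managedBy
$emptyGroups     = $groups | Where-Object { $_.member.Count -eq 0 }
$largeGroups     = $groups | Where-Object { $_.member.Count -gt $LargeGroupThreshold }
$unmanagedGroups = $groups | Where-Object { -not $_.managedBy }

# 4. Effective membership of the built-in administrative groups, nesting resolved.
#    Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$adminMembership = foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

# 7. Trusts with direction, transitivity and SID filtering status.
$trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware

$report = @{
    NoPasswordRequired = $noPasswordRequired
    StaleAccounts      = $staleAccounts
    EmptyGroups        = $emptyGroups
    LargeGroups        = $largeGroups
    UnmanagedGroups    = $unmanagedGroups
    AdminMembership    = $adminMembership
    Trusts             = $trusts
}
foreach ($name in $report.Keys) {
    $report[$name] | Export-Csv -Path ".\AD-Audit-$name.csv" -NoTypeInformation
}
```

This covers only membership and account state; point 3 (who effectively holds which delegated permission on which object) is the resultant-access question the reply singles out as the hard part, and is not answered by these queries.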


Member

Posts: 15
Date: Jun 29, 2012
RE: WikiLeaks, Active Directory Domain Security Groups and Access Management in Windows


Hi Aaron,

Thanks for sharing your thoughts. We've been working on implementing some of the suggestions you've made below, and some of ours as well.

Most of the stuff we've been able to get a grip of, such as ensuring that there are no accounts with blank passwords etc., but some of the suggestions have been a little difficult to act upon.

For example, the suggestion about auditing our administrative delegations.

We're not quite sure how to do that. I mean we tried doing it, but we hit a wall because first we thought it was a matter of finding out who has what permissions in Active Directory, but then as you pointed out, I suppose it's a matter of figuring out who has what resultant access in Active Directory.

That's the part we've been struggling with. We've a fair amount of delegation in our Active Directory, and it's something that does change often, given the dynamic nature of business needs, so we're frankly not sure how to get this done.

If you don't mind me asking, how are you auditing administrative delegations in your Active Directory?

Thanks,

Joel.



__________________
Don't mess with my Alienware!


Member

Posts: 16
Date: Jul 21, 2012
WikiLeaks, Active Directory Domain Security Groups and Access Management in Windows


Hi Joel,

We're using a Microsoft recommended solution called Gold Finger Security Audit Tool to audit administrative delegations in our Active Directory.

It has helped us get the insight we need into security rights and delegations in our Active Directory, and we've used it extensively to clean up AD access grants.

Thanks,

Aaron.



__________________