ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to determine delegated access in Active Directory?


Member

Posts: 17
Date: May 31, 2011
How to determine delegated access in Active Directory?


Hi again. As I had mentioned, we were in the midst of a thorough review of our Active Directory, and are looking at everything, from DC security to auditing to delegated access in our Active Directory.

We natively delegate administration in Active Directory, and in fact have been doing so for a few years now. The problem is that in the last two/three years, we've had some administrative churn, and so have had to make a fairly non-trivial set of changes to delegated rights in our Active Directory.

The problem is that we now don't really know who is delegated what access, and that's a huge problem. For political reasons, it's a little difficult to discuss internally, because the notion is that everyone is trusted internally. All that's good, but then why delegate if everyone's supposed to have equal access? Anyways, I seem to be meandering here.

Getting back to the point, I'd like to know if there is a way to efficiently find out just who might be delegated what access in the Active Directory? We're not even sure where to actually start from, given how complicated it is, especially with inheritance and nested groups and so many different kinds of permissions, not all of which seem to apply half the time anyway.

As always, all helpful pointers and guidance are much appreciated. Thanks.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.
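The question above asks how to find out who has been delegated what access when inheritance and nested groups are in play. The following PowerShell script is an added example for that audit; it is not from the thread or from any tool mentioned in it. It uses only cmdlets from the RSAT ActiveDirectory module (assumed to be installed, with the caller able to read OU ACLs), walks the domain head and every OU, keeps the ACEs that were set explicitly on each object (inherited ones are reported once, where they originate), resolves the ObjectType GUIDs through the schema and Extended-Rights container so rights such as password resets show up by name, and expands each trustee group to its nested members. The output file name is an assumption. It lists explicit ACEs rather than computing effective permissions, so deny entries, blocked inheritance and rights granted through well-known or foreign principals still have to be read out of the report by hand.

```powershell
# Added example, not code from the thread: report explicitly delegated permissions on
# the domain head and every OU, expanding trustee groups to their nested members.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the ACLs.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$guidMap = @{}   # GUID string -> attribute, class or extended-right name

# Resolve ObjectType / InheritedObjectType GUIDs from the schema and the
# Extended-Rights container rather than hard-coding a table of them.
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).Guid] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).Guid] = $_.name }

function Resolve-Guid([guid]$g) {
    # The empty GUID means the ACE applies to all attributes / object types.
    if ($g -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($g.Guid)) { return $guidMap[$g.Guid] }
    return $g.Guid
}

$memberCache = @{}
function Expand-Trustee([string]$ntAccount) {
    # Return the sAMAccountNames of all nested members when the trustee is a domain
    # group, otherwise the trustee itself. Results are cached per trustee.
    if ($memberCache.ContainsKey($ntAccount)) { return $memberCache[$ntAccount] }
    $sam = $ntAccount.Split('\')[-1]
    $result = @($ntAccount)
    try {
        $group = Get-ADGroup -Identity $sam -ErrorAction Stop
        $result = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                    Select-Object -ExpandProperty SamAccountName)
        if ($result.Count -eq 0) { $result = @("$ntAccount (empty group)") }
    } catch {
        # Not a resolvable domain group (user, computer, well-known SID or foreign
        # security principal): report the trustee as-is.
    }
    $memberCache[$ntAccount] = $result
    return $result
}

function Get-DelegatedAccess {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $targets = @($SearchBase) +
        @(Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
          Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are reported once, on the object where they were set.
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{
                Object      = $dn
                Trustee     = $ace.IdentityReference.Value
                Members     = (Expand-Trustee $ace.IdentityReference.Value) -join ';'
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                AppliesTo   = Resolve-Guid $ace.ObjectType
                InheritedTo = Resolve-Guid $ace.InheritedObjectType
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Usage: write the report out for review (file name is an assumption).
Get-DelegatedAccess | Export-Csv -Path .\delegated-access.csv -NoTypeInformation
```

Reading the CSV, sort by Members and then by Rights: any account that appears against `All`/`GenericAll`, `WriteDacl`, `WriteOwner` or an extended right such as `User-Force-Change-Password` on an OU containing privileged accounts is the entry to reconcile against your delegation records first. Rights on individual users, groups or computers below an OU are not covered by this walk; extend `$targets` with `Get-ADObject` output if those objects carry their own explicit ACEs.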



Member

Posts: 18
Date: Jun 27, 2012
RE: How to determine delegated access in Active Directory?


Hi Will,

If you don't know exactly who is delegated what access in your Active Directory, I'm afraid you do have a serious problem at hand. 

Also, like you rightly said, although internally folks say that everyone's trusted, well the risk is not always actually from them, but in fact, can be from a single smart hacker, who has figured out who is delegated what access, and can then systematically work backwards from say a Domain Admin's account, and figure out who can reset whose passwords, to ultimately find an easy starting point in an attempt to escalate privilege and compromise the Active Directory.

Incidentally, the Chinese and the Russians are getting quite good at these and similar attack methodologies, so the real risk is from one disgruntled insider who can figure the maze out, then connect the dots to quickly take over the Active Directory.

It turns out that this is also a very difficult problem to solve, because of the complexity involved, so none of the traditional solutions like scripting, PowerShell, consultants etc. helps. I mean you'd have to write the equivalent of 50-100 scripts to try and figure this out, so it's basically not an option.

We dealt with this problem last year, and after extensive research, found just one solution that can solve this problem. We've been using it for over a year now, and it's helped us immensely in solving this problem.

Let me know if you need a pointer, and I'll be happy to point you to it.

Best wishes,

Nathan.



__________________
Today is the tomorrow we worried about yesterday


Member

Posts: 17
Date: Jul 20, 2012
RE: How to determine delegated access in Active Directory?


Hi Nathan,

Yes, please! If you can give me any pointers that could help us determine delegated access in our Active Directory, it would be so helpful! 

Have a good weekend!

Will



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Member

Posts: 18
Date: Feb 5, 2013
RE: How to determine delegated access in Active Directory?


Will,

Take a look at - http://www.paramountdefenses.com/goldfinger.html.

It's the only tool that we know of, based on our research, that can correctly and completely determine who is delegated what access in Active Directory. It also sheds light on the underlying permissions due to which someone is delegated access, and that's needed to lock down unauthorized access.

Good luck to you.

- Nate



__________________
Today is the tomorrow we worried about yesterday