ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: What rights are needed to view the SACL on an Active Directory object?


Member

Posts: 16
Date: Jun 1, 2011
What rights are needed to view the SACL on an Active Directory object?


I'd also like to know what rights are needed to be able to view the SACL on an Active Directory object, you know, the one that specifies what access should be audited on the object?

We would like to delegate audit management to our in-house compliance team, but have been struggling to determine what rights they need to be able to modify the audit settings on objects in Active Directory.

Does it need some user right, or some privilege, or membership in some built-in group? If anyone knows, I would appreciate you letting me know. Thank you in advance for your help.



__________________
Ray


Member

Posts: 17
Date: Jun 16, 2011
RE: What rights are needed to view the SACL on an Active Directory object?


Hi John,

Do you wish to know what rights are needed to view an object's SACL or to modify the object's SACL?

In order to modify an Active Directory object's SACL, you need to have the Manage Auditing and Security Log user right granted to you in the Domain Controllers Security Policy.

By default, this right is assigned to the BuiltIn Admins security group.

In general, you should NOT delegate the ability to modify SACLs, unless you are delegating it to a highly and equally trusted individual or group of individuals.

This is because anyone who has this right, can permanently or temporarily disable the auditing of specific events on specific objects, and use the opportunity to engage in malicious activity for which there won't be any audit events generated.

It is best to work in collaboration with your in-house compliance team, let them know which administrative tasks they would like audited, then configure the corresponding SACLs yourself, instead of giving them the ability to do so.

This is merely my 2c, but this is very critical stuff, and thus I would highly advise against delegating this ability to anyone.

Thanks, and good luck with your project.

Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.
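The requirement Ray describes can be checked from a shell. The following PowerShell is an added example, not code from the thread or from the forum: it tests whether the current token carries SeSecurityPrivilege (the privilege behind the "Manage auditing and security log" user right), reads the SACL of an OU, and lists who the local policy of the machine assigns the right to. The OU distinguished name is an assumption; the RSAT ActiveDirectory module must be present.

```powershell
# Added example, not from the original thread. Shows (1) whether the current
# token carries SeSecurityPrivilege, the privilege behind the "Manage auditing
# and security log" user right, (2) reading an AD object's SACL, which needs
# that privilege, and (3) which principals the local policy assigns the right to.
Import-Module ActiveDirectory

# Assumed OU for illustration; replace with a DN from your own forest.
$ouDn = 'OU=Servers,DC=corp,DC=example'

# (1) whoami lists every privilege present in the token, enabled or not.
#     Reading a SACL needs the ACCESS_SYSTEM_SECURITY access bit, which is
#     granted only to holders of SeSecurityPrivilege; a DACL ACE cannot grant it.
$hasPriv = [bool]((whoami /priv) -match '^SeSecurityPrivilege')
"SeSecurityPrivilege in token: $hasPriv"

# (2) -Audit asks for the SACL as well as the DACL. Callers without the
#     privilege do not get the audit entries back.
try {
    $acl = Get-Acl -Path "AD:\$ouDn" -Audit
}
catch {
    Write-Warning "Cannot read the SACL of $ouDn (is SeSecurityPrivilege held?): $($_.Exception.Message)"
    return
}

# Audit ACEs: who is audited, for which rights, on success and/or failure,
# and whether the entry is inherited from a parent container.
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
if ($rules.Count -eq 0) {
    "No audit ACEs returned for $ouDn; either none are set or the privilege is missing."
}
$rules |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags,
                  ObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# (3) On a domain controller the effective assignment comes from the Default
#     Domain Controllers Policy; secedit shows the result as SIDs
#     (S-1-5-32-544 is BUILTIN\Administrators, the default holder).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeSecurityPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg
```

Run it once as the intended compliance account and once as a member of BUILTIN\Administrators: the first run shows why a plain "Read" delegation on the OU is not enough to see audit settings, the second shows the entries that are actually there.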


Member

Posts: 16
Date: Jul 12, 2011
RE: What rights are needed to view the SACL on an Active Directory object?


Hi Ray,

Thanks very much for providing this information. I really appreciate you pointing out that we should not be delegating the ability to control what is audited, and now it makes complete sense as to why this must not be done.

We have since gone ahead and delegated all common administrative tasks in our Active Directory, as well as specified adequate auditing settings so as to be able to catch the occurrence of these tasks by our delegated admins.

I really appreciate your clear and detailed post.

Thanks,

John.



__________________
Ray


Member

Posts: 17
Date: Jul 15, 2011
RE: What rights are needed to view the SACL on an Active Directory object?


Hi John,

Nice work! By the way, don't forget to verify your delegations on a weekly basis.

This is very important because while auditing can certainly help you find out who did what, it is equally or more important to know who did what, because as they say, prevention is better than cure, and sometimes cure may not be possible.

For instance, if a smart hacker were to reset the password of an Enterprise / Domain Administrator, even though an event will get generated in the audit log, by the time you notice it and attempt to act upon it, the smart hacker, now logged in as Domain Admin, would already have disabled your account.

Just remember that weekly audits of who is delegated what access in your Active Directory are equally, if not more, important than auditing the delegated tasks.

Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.


Member

Posts: 16
Date: Jul 20, 2012
RE: What rights are needed to view the SACL on an Active Directory object?


Hi Ray,

We were able to delegate administrative tasks rather easily and precisely using the Delegation Wizard. However, I'm not sure how to verify these delegations on a weekly basis, or even once?

We can't really ask our admins to see if they can do only what they have been delegated and nothing else, and I don't know how else to verify the delegations we've made.

How does one verify delegations in Active Directory?

John.



__________________
Ray


Member

Posts: 17
Date: Feb 5, 2013
RE: What rights are needed to view the SACL on an Active Directory object?


Hi John,

That's a very good question. I wish I could tell you that there's an option to verify delegations in the Active Directory Delegation Wizard. Unfortunately I can't, because there isn't such an option.

Take a look at this write-up though (Option 1). Basically, one can either try to manually verify a delegation grant on an Active Directory object by determining effective delegated access, or one can use an automated solution such as this one to verify delegations in Active Directory.

I hope this helps. Let me know if you have any other questions in this regard. I've tried both the ways, and so should be able to answer any additional questions you may have.

Ray



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.
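The weekly check Ray recommends, and the manual route in his last reply, both come down to knowing which explicit grants exist on which containers and whether that set has changed. The PowerShell below is an added example, not code from the thread, the forum, or the write-up Ray links: it snapshots every explicit (non-inherited) DACL entry on the domain head and on every OU, resolves the ObjectType GUIDs to the extended right or attribute they name (the GUID in Ray's signature, for instance, resolves to "Reset Password"), and diffs the snapshot against the previous one so new or removed delegations stand out. The baseline path and the ignore list of well-known principals are assumptions to tune for your own forest.

```powershell
# Added example, not from the original thread: a repeatable delegation review.
# Snapshots explicit DACL entries on the domain head and all OUs, names the
# object types they apply to, and diffs against the previous snapshot.
Import-Module ActiveDirectory

$baseline = 'C:\AdAudit\ou-delegations.csv'                  # assumed location
$ignore   = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',      # assumed starting list
              'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

$rootDse   = Get-ADRootDSE
$guidCache = @{}

# Map an ACE's ObjectType GUID to the extended right (rightsGuid in the
# Extended-Rights container) or schema attribute (schemaIDGUID) it names.
function Resolve-AdGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }
    if ($guidCache.ContainsKey($g)) { return $guidCache[$g] }
    $name  = $null
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
                          -LDAPFilter "(rightsGuid=$g)" -Properties displayName
    if ($right) { $name = $right.displayName }
    else {
        # schemaIDGUID is stored as bytes, so the LDAP filter needs \xx escapes.
        $hex  = ($g.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
        $attr = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
                             -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName
        if ($attr) { $name = $attr.lDAPDisplayName }
    }
    if (-not $name) { $name = $g.ToString() }
    $guidCache[$g] = $name
    return $name
}

# Delegations are usually made on OUs, but the domain head is a common target too.
$targets = @((Get-ADDomain).DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

$current = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                       # explicit grants only
        if ($ignore -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Container   = $dn
            Identity    = $ace.IdentityReference.Value
            Type        = [string]$ace.AccessControlType
            Rights      = [string]$ace.ActiveDirectoryRights
            AppliesTo   = Resolve-AdGuid $ace.ObjectType
            InheritedTo = Resolve-AdGuid $ace.InheritedObjectType
            Inheritance = [string]$ace.InheritanceType
        }
    }
}

if (-not (Test-Path $baseline)) {
    $current | Export-Csv -Path $baseline -NoTypeInformation
    "Baseline written with $(@($current).Count) explicit ACEs; rerun next week to diff."
    return
}

$props   = 'Container','Identity','Type','Rights','AppliesTo','InheritedTo','Inheritance'
$changes = Compare-Object -ReferenceObject @(Import-Csv $baseline) `
                          -DifferenceObject @($current) -Property $props
foreach ($c in $changes) {
    $tag = if ($c.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    "$tag $($c.Identity): $($c.Type) $($c.Rights) on $($c.AppliesTo) [$($c.Container)]"
}
```

The first run writes the baseline, which should itself be reviewed line by line against what the Delegation Wizard was meant to grant; every later run prints only what changed. Note this reports granted ACEs, not effective access: a principal can also reach an object through group nesting or through an ACE on a parent, so a clean diff is a necessary check, not a sufficient one, which is the gap the automated solutions Ray mentions are meant to close.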