ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to audit administrative privileges in Active Directory?


Member

Posts: 10
Date: May 24, 2012
How to audit administrative privileges in Active Directory?


All,

As a part of a Secure IT initiative, we've been tasked with documenting administrative privileges in our Active Directory, which is comprised of three domains in a single forest.

Initially we thought this would be a simple matter of enumerating our admin group memberships, but then we realized that there's a fair amount of delegation done in our Active Directory, both to some internal teams, as well as to an external vendor, although that one is limited in scope to a few OUs.

We tried the Active Directory Administrative Center only to very soon realize that it is hopelessly deficient when it comes to providing any sort of insight into delegated access or administrative privileges in Active Directory.

We've been thinking of implementing some in-house scripts, but we don't really have the man-power or the detailed level of expertise I imagine it takes to figure this out.

So my question is how are you guys going about performing an audit of who has what administrative privilege in your Active Directory?

Another related question is how do you define administrative privileges in Active Directory? Is it just folks who have Full Control, or would it be folks who have varying levels of delegated access as well?

I look forward to your inputs and suggestions.

Sincere thanks in advance.

George 



__________________

"There is the finest line between data and evidence" - Dale Adams

Ray


Member

Posts: 17
Date: Jun 24, 2012
RE: How to audit administrative privileges in Active Directory?


Hi George,

You bring up a very important point. Identifying and documenting delegated rights in Active Directory is critical to organizational security, because all the building blocks of distributed security are managed in Active Directory.

I mean, if you think about what's involved in protecting all the IT resources, it boils down to three things - a) the user accounts used for authentication, b) the security groups used to grant access to IT resources and c) the security policies protecting all the workstations and servers.

Each of these three components is stored in Active Directory, and in fact their management is delegated in Active Directory. Should any one of these components be compromised, the security of all resources protected by them could be compromised. So it is very important to protect them all.

The most important aspect of protecting these components is to ensure that responsibilities for their management are only delegated to a small set of trustworthy delegated administrators. 

Active Directory makes it very easy to delegate access precisely, so with just a little bit of care, one can delegate access almost exactly. The only problem is that over time, when multiple admins end up delegating access, and if access is not delegated precisely, it is very easy to end up giving delegated access to more people than you wanted to, and this can result in a situation where you have more delegated admins than you intended to.

So, it is very important to audit administrative privileges in Active Directory. And yes, that includes not only individuals who have Domain Admin access, but all individuals who have any level of delegated access in Active Directory.

You are also right that it is not easy to audit administrative/delegated access in Active Directory. This is because there are way too many complicated factors involved that influence delegated access, making it very difficult to actually determine who is delegated what access.

As for us, we use an automated solution to audit delegated access in our Active Directory, and we audit access once a week on all vital accounts and groups, and once a fortnight on all accounts and groups.

I would highly recommend that you consider establishing a schedule to audit delegated access in your Active Directory environment as well.

Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.


Member

Posts: 10
Date: Jun 25, 2012
RE: How to audit administrative privileges in Active Directory?


Hi Ray,

Thanks for sharing your thoughts. We do understand the concept of delegation of administration in Active Directory, and in fact have an extensive amount of delegations in our environment.

I guess what I was trying to get some help on is how to go about performing an audit of who is delegated what access in the Active Directory?

Also, as to your suggestion of doing it on a schedule, and preferably weekly, well as of now, we don't even know how to do it correctly and efficiently once a year, so unless there's some sort of an automated way of doing so, the suggestion of doing it regularly is not very helpful.

You mentioned that you seem to have an automated solution to audit administrative delegations in Active Directory. If you don't mind me asking, what solution are you using to accomplish this?

George.



__________________

"There is the finest line between data and evidence" - Dale Adams



Newbie

Posts: 3
Date: Jun 29, 2012
RE: How to audit administrative privileges in Active Directory?


Hi George,

Have you given checkdsacls a shot? I believe it can dump AD ACLs, so that should give you a starting point. We looked at it, but since it was not supported, it was not an option for us. Anyway, just thought I'd mention it.

-Jesse



__________________


Member

Posts: 6
Date: Jun 29, 2012
RE: How to audit administrative privileges in Active Directory?


George,

Have you tried ActiveRoles Server from Quest Software? It is quite comprehensive and can help you with delegated access reporting.

Vladmir.



__________________

Long live Russia! Ministry of Defence of the Russian Federation



Member

Posts: 10
Date: Jun 29, 2012
How to audit administrative privileges in Active Directory?


Vladmir,

Thanks but we have no interest in deploying ActiveRoles Server from Quest Software.

We do not wish to install a proxy for AD management, especially when it needs agents deployed on DCs, and more so when it runs in Enterprise Admin context! That's just too much of a risk to take, given that it's built by a 3rd party, and not by Microsoft.

Furthermore, it's really expensive, and even if we were to install it, it would still leave us with the problem of trying to find out what effective access is provisioned on our domain computer accounts, many service connection points, vital info in the Configuration partition, and many service accounts that require direct permissions on Active Directory content.

Besides, the future of Quest Software is uncertain at this point, so it's hard for us to consider licensing other solutions from them, until their acquisition process is completed and there is some stability.

I appreciate the pointer though.

Thank you.

George.



__________________

"There is the finest line between data and evidence" - Dale Adams



Member

Posts: 10
Date: Jun 29, 2012
RE: How to audit administrative privileges in Active Directory?


Hi Jesse,

Thanks for the pointer. Unfortunately checkdsacls just exports ACLs, which is just the starting point in what we are looking to automate, which is to easily and reliably audit effective administrative privileges in Active Directory.

Also, the fact that it is free and unsupported makes it non-viable for most organizations.

But thanks for the pointer - appreciate it.

George.



__________________

"There is the finest line between data and evidence" - Dale Adams



Member

Posts: 10
Date: Jun 29, 2012
RE: How to audit administrative privileges in Active Directory?


Ray,

You mentioned that you seem to have an automated solution to audit administrative delegations in Active Directory. If you don't mind me asking, what solution are you using to accomplish this?

Thanks,

George.



__________________

"There is the finest line between data and evidence" - Dale Adams



Member

Posts: 5
Date: Jul 8, 2012
RE: How to audit administrative privileges in Active Directory?


Hello George,

Documenting administrative privileges is an essential component of any Active Directory Security Audit, and in fact no Active Directory Security Audit should be considered complete without it.

This is particularly important because of the increasing risk of advanced threats like Security Privilege Escalation in Active Directory, which any user in the environment can carry out with the right downloadable tools.

Fortunately we cover this in our Active Directory Security Audit Services, so if we can help, please feel free to look us up and let us know. My contact info is in my signature.

Thanks, and good luck,

Ryan



__________________

We help organizations with Active Directory Security Audit services.



Member

Posts: 10
Date: Jul 18, 2012
How to audit administrative privileges in Active Directory?


Hello Ryan,

Thank you for your suggestion. We'll be happy to look into it, although to be frank, we are more interested in an automated tool than in engaging consultants to solve the problem, as it is an ongoing need.

Basically, we believe that it would be more cost-effective to get a tool than to pay for consulting services which in our experience happen to easily exceed $100/$200 per hour in the Active Directory space.

With the on-going scope of the project, that could mean $20K/$30K for a one-time audit. We'd rather invest in a tool so we could audit our AD on a need basis without having to spend $20K each time we need to audit our AD.

Thanks anyway though. We'll keep it in mind if we don't find any automated tools to help us out.

Regards,

George.



__________________

"There is the finest line between data and evidence" - Dale Adams



Member

Posts: 10
Date: Jul 18, 2012
How to audit administrative privileges in Active Directory?


Ray,

You mentioned that you seem to have an automated solution to audit administrative delegations in Active Directory. What solution are you guys using?

Thanks,

George



__________________

"There is the finest line between data and evidence" - Dale Adams

Ray


Member

Posts: 17
Date: Jul 22, 2012
How to audit administrative privileges in Active Directory?


Hi George,

The only solution that we found during our research that can correctly audit administrative delegations in Active Directory is Gold Finger - www.paramountdefenses.com/goldfinger.html.

One of its capabilities is called Effective Active Directory Delegated Access Reports, and that lets us determine who is delegated what administrative tasks in our environment.

We came across many tools that claim to show you "Who can do what in Active Directory" but it turns out that is not the same as "Who is delegated what access in Active Directory." So my only suggestion would be to watch out for misleading claims from tool vendors.

The fact that Gold Finger was the only AD administrative privilege tool endorsed by Microsoft was reassuring and when we tried it, it worked exactly as claimed.

It has saved us a lot of effort and made it very easy to audit administrative privileges and delegations in our Active Directory. We use it on a daily basis to keep a good eye on our administrative delegations.

Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.


Member

Posts: 12
Date: Mar 6, 2013
RE: How to audit administrative privileges in Active Directory?


Hi George,

As Ray described, the only way to determine administrative privileges is to determine effective access rights in Active Directory, which is more commonly known as Active Directory Effective Permissions.

By the way, there's a write-up I came across on how to audit elevated access rights in Active Directory, and I thought I'd share it with you in case it is of help to you; it's over here.

Good luck.

Nicolas.



__________________
Bond: There’s a name to die for! (Die Another Day)
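To make concrete the point Ray made earlier in the thread and Nicolas restates above (that an admin-group listing or a raw ACL dump is not the same as knowing who is effectively delegated what), here is an added Python model of how a Windows DACL is evaluated. It is not code from this thread or from any product named in it: it expands nested group membership into a token, sorts ACEs into canonical order (explicit deny, explicit allow, inherited deny, inherited allow), lets the first matching ACE decide so that a deny reached first wins, and scopes object-type ACEs to a single extended right. The only real identifier is the Reset Password right GUID quoted in Ray's signature; the users, groups and the OU's ACL are constructed sample data, and the right names are a simplified subset of the ActiveDirectoryRights flags.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Extended-right GUID quoted in Ray's signature (User-Force-Change-Password,
# shown in the GUI as "Reset Password"). Everything else here is constructed.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"


@dataclass(frozen=True)
class Ace:
    trustee: str                        # user or group named in the ACE
    kind: str                           # "allow" or "deny"
    rights: FrozenSet[str]              # simplified right names, e.g. {"WriteDacl"}
    object_type: Optional[str] = None   # GUID the ACE is scoped to; None = whole object
    inherited: bool = False             # True if it flowed down from a parent container


# Administrative tasks to report on: (right name, object-type GUID or None).
ADMIN_TASKS = {
    "full control": ("GenericAll", None),
    "modify the DACL": ("WriteDacl", None),
    "take ownership": ("WriteOwner", None),
    "reset passwords": ("ExtendedRight", RESET_PASSWORD),
}


def token_groups(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group it belongs to, nested groups included."""
    token = {principal}
    frontier = [principal]
    while frontier:
        current = frontier.pop()
        for group, members in groups.items():
            if current in members and group not in token:
                token.add(group)
                frontier.append(group)
    return token


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def ace_covers(ace: Ace, right: str, object_type: Optional[str]) -> bool:
    """GenericAll covers every right; an unscoped ACE covers every object type."""
    right_match = right in ace.rights or "GenericAll" in ace.rights
    scope_match = ace.object_type is None or ace.object_type == object_type
    return right_match and scope_match


def has_effective_right(dacl: List[Ace], token: Set[str], right: str,
                        object_type: Optional[str] = None) -> bool:
    """The first ACE in canonical order that names something in the token and
    covers the requested right decides; no matching ACE means no access."""
    for ace in canonical_order(dacl):
        if ace.trustee in token and ace_covers(ace, right, object_type):
            return ace.kind == "allow"
    return False


def audit_effective_access(dacl: List[Ace], users: List[str],
                           groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Who can perform each admin task on the object protected by `dacl`."""
    report = {}
    for task, (right, object_type) in ADMIN_TASKS.items():
        report[task] = sorted(
            u for u in users
            if has_effective_right(dacl, token_groups(u, groups), right, object_type)
        )
    return report


def admin_group_view(users: List[str], groups: Dict[str, Set[str]],
                     admin_group: str = "Domain Admins") -> List[str]:
    """The naive audit George started with: transitive members of the admin group."""
    return sorted(u for u in users if admin_group in token_groups(u, groups))


# --- constructed sample directory data (not from any real environment) ---
GROUPS = {
    "Domain Admins": {"alice"},
    "Tier1-Helpdesk": {"bob", "Helpdesk-Contractors"},
    "Helpdesk-Contractors": {"vendor-ops"},
    "OU-Owners": {"carol"},
}
USERS = ["alice", "bob", "carol", "dave", "vendor-ops"]

# DACL of a hypothetical OU=Workstations, as an ACL dump would list it.
WORKSTATIONS_OU_DACL = [
    Ace("Domain Admins", "allow", frozenset({"GenericAll"}), inherited=True),
    Ace("Tier1-Helpdesk", "allow", frozenset({"ExtendedRight"}), RESET_PASSWORD),
    Ace("vendor-ops", "deny", frozenset({"ExtendedRight"}), RESET_PASSWORD),
    Ace("OU-Owners", "allow", frozenset({"WriteDacl"})),
    # a stale full-control grant that flowed down from a parent OU
    Ace("dave", "allow", frozenset({"GenericAll"}), inherited=True),
]

if __name__ == "__main__":
    print("Admin group members:", ", ".join(admin_group_view(USERS, GROUPS)))
    for task, who in audit_effective_access(WORKSTATIONS_OU_DACL, USERS, GROUPS).items():
        print(f"{task:>16}: {', '.join(who) or '-'}")
```

On this data the group view reports only alice, while the effective-access view also surfaces bob (delegated the one extended right), dave (an inherited full-control grant) and carol (WriteDacl, which is administrative in effect because its holder can rewrite the ACL), and shows vendor-ops blocked by an explicit deny despite inheriting the helpdesk allow through nested membership. A real audit would build the ACE list from the directory itself, but the resolution step is the same.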