ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: Why does the effective permissions tab in Active Directory not give accurate results?


Member

Posts: 21
Date: May 25, 2012
Why does the effective permissions tab in Active Directory not give accurate results?


Guys, 

I'm sure we've all had a need to use the Effective Permissions Tab in Active Directory to determine who has what effective access on an Active Directory object.

Yesterday, we were using it on a Domain Admin's account to see who can modify the useraccountcontrol attribute on his account, and were a bit surprised by the results.

While reviewing results, we noticed that it showed that many admins could modify the memberOf attribute on the account.

Now that sent an alarm ringing in our minds because memberOf is a back-link attribute and it is NOT modifiable, yet the Effective Permissions tab was reporting that it IS modifiable and by which users!

This is obviously not right, so it makes us wonder if we can rely on using the inbuilt Effective Permissions analyzer in Active Directory at all.

By golly, we've been using it for many years now, and I can't imagine how many miscalculations we may have made if this thing isn't accurate!

Before we concluded that it has accuracy issues, just thought I'd check in with you guys to know if you've chanced upon this as well.

Frankly, this is quite disconcerting. I mean, if this is not reliable, how are we to make any effective access determinations in our Active Directory?

Please let me know guys. This is kind of urgent for us.

Thanks!

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.

Ray


Member

Posts: 17
Date: Jun 24, 2012
RE: Why does the effective permissions tab in Active Directory not give accurate results?


Hi Geoffrey,

You bring up a very important point. It is a lesser-known fact that the Effective Permissions Tab in Active Directory is not accurate at all and thus cannot be relied upon for making access determinations.

In fact, Microsoft itself very subtly makes this fact known via KB articles, but I doubt most admins know about this, so most admins end up relying upon it on a daily basis to determine effective access, and end up with inaccurate data, and thus have a false sense of security.

Here are two KB articles that shed light on the inaccuracies in the Effective Permissions analyzer/calculator/tab in Active Directory

The "Effective Permissions" tab may report incorrect permissions in Windows Server 2003 - KB 933071

Access control lists may report incorrect information in Windows Server 2003 - KB 884049

There are other KB articles as well, but I don't handily have their #s.

I would recommend that you do NOT rely on the default Effective Permissions Tab in Active Directory to make ANY access decisions.

If you do so, you would be doing so at your own risk, and in doing so, you may be jeopardizing the security of your Active Directory and your organization.

It is really unfortunate that such an essential and vital security capability in Active Directory is inaccurate and cannot be relied upon.

Ray



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.


Member

Posts: 21
Date: Jun 26, 2012
RE: Why does the effective permissions tab in Active Directory not give accurate results?


Geoffrey,

Ray is right. The Effective Permissions tool that ships with Active Directory is not accurate and should not be relied upon to make any effective access determinations.

In fact, not only is it inaccurate, its user interface is also largely unusable, in the sense that it can only show you what effective permissions a user might have, but cannot show you who all have a specific effective permission in Active Directory.

So for example, if you had even a 1000-user Active Directory, and wished to find out how many people had Write Property to the User-Account-Control attribute on a user account, you would have to manually put in the names of each of the 1000 users to determine how many of them actually have this access effectively granted, and that too would not be accurate.

It's very unfortunate that such a critical capability in Active Directory is not reliable. If we cannot even find out who has what effective access in Active Directory, how are we supposed to protect it from compromise?

Sincerely,

Ishamel. 



__________________

There isn't a system that cannot be broken into.
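The two defects the thread describes, an analyzer that reports a back-link attribute such as memberOf as writable and a UI that can only answer "what can this user do" rather than "who can write this attribute", can both be illustrated with a small evaluator over a constructed DACL. The following is an added example written for this page; it is not code from the forum, from Microsoft or from any vendor mentioned here. It simplifies the real model: attribute names stand in for schemaIDGUID / property-set GUIDs, principal names stand in for SIDs, the group membership, property-set contents and ACEs are all constructed, and only the single right Write Property is evaluated (so the first matching ACE in canonical order decides). It does reflect two real rules: canonical DACL order is explicit deny, explicit allow, inherited deny, inherited allow; and memberOf is the back-link of member, maintained by the directory, so it is not writable whatever the ACL says.

```python
"""Toy effective "Write Property" evaluator for an AD-style DACL (constructed example)."""
from dataclasses import dataclass
from typing import Optional

WRITE_PROP = "WRITE_PROP"
GENERIC_WRITE = "GENERIC_WRITE"  # implies Write Property on every attribute of the object

# Back-link attributes (memberOf is the back-link of member) are computed by the
# directory and cannot be written directly. An analyzer that reports them as
# writable, as the built-in tab did in the post above, is wrong by construction.
BACK_LINK_ATTRIBUTES = {"memberOf"}

# An ACE scoped to a property set applies to every attribute in the set.
# Contents here are constructed for the example, not the schema's real definition.
PROPERTY_SETS = {"Personal-Information": {"streetAddress", "telephoneNumber"}}


@dataclass(frozen=True)
class Ace:
    allow: bool
    trustee: str                        # constructed name standing in for a SID
    rights: frozenset
    object_type: Optional[str] = None   # attribute / property-set name; None = whole object
    inherited: bool = False


def canonical_order(dacl):
    """Order in which a canonical DACL is evaluated:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def expand_token(principal, groups):
    """Transitive group closure of a principal, i.e. the identities in its token."""
    token = {principal, "Everyone"}
    stack = [principal]
    while stack:
        identity = stack.pop()
        for group, members in groups.items():
            if identity in members and group not in token:
                token.add(group)
                stack.append(group)
    return token


def ace_covers(ace, attribute):
    """Does this object-specific ACE apply to the attribute being written?"""
    if ace.object_type is None or ace.object_type == attribute:
        return True
    return attribute in PROPERTY_SETS.get(ace.object_type, set())


def effective_write(principal, attribute, dacl, groups):
    """Return (allowed, deciding_ace). The deciding ACE is what an admin needs
    in order to fix an unexpected grant; None means no ACE matched at all."""
    if attribute in BACK_LINK_ATTRIBUTES:
        return False, None              # never writable, regardless of the DACL
    token = expand_token(principal, groups)
    for ace in canonical_order(dacl):
        if ace.trustee not in token or not ace_covers(ace, attribute):
            continue
        if WRITE_PROP in ace.rights or GENERIC_WRITE in ace.rights:
            return ace.allow, ace       # first matching ACE decides for a single right
    return False, None


def who_can_write(attribute, dacl, groups, users):
    """The inverse query the built-in tab cannot answer: every user with effective write."""
    return sorted(u for u in users if effective_write(u, attribute, dacl, groups)[0])


# --- constructed sample data: a Domain Admin's user object and a small forest ---
USERS = ["alice", "bob", "carol", "dave"]
GROUPS = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"bob", "Tier2"},       # Tier2 is nested inside Helpdesk
    "Tier2": {"carol"},
}
DACL = [
    Ace(True, "Domain Admins", frozenset({GENERIC_WRITE})),
    Ace(True, "Helpdesk", frozenset({WRITE_PROP}), "userAccountControl"),
    Ace(False, "Tier2", frozenset({WRITE_PROP}), "userAccountControl"),   # explicit deny
    Ace(True, "bob", frozenset({WRITE_PROP}), "memberOf"),                # meaningless grant
    Ace(True, "Everyone", frozenset({WRITE_PROP}), "Personal-Information", inherited=True),
]

if __name__ == "__main__":
    for attr in ("userAccountControl", "memberOf", "telephoneNumber"):
        print(attr, "->", who_can_write(attr, DACL, GROUPS, USERS))
    print("carol on userAccountControl ->", effective_write("carol", "userAccountControl", DACL, GROUPS))
```

Running it shows carol denied on userAccountControl because the explicit deny on Tier2 is evaluated before the Helpdesk allow she inherits through nesting, bob's ACE on memberOf contributing nothing because the attribute is a back-link, and the inherited Everyone ACE on the property set reaching every user for telephoneNumber. A real assessment would read the object's DACL and the principal's token from the directory instead of the constructed tables, and would resolve GUIDs to attribute names through the schema.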



Veteran Member

Posts: 28
Date: Jun 29, 2012
Why does the effective permissions tab in Active Directory not give accurate results?


Ishamel,

All hope is not lost my friend, so I wouldn't despair so soon.

Although I completely agree that Microsoft should have ensured that such a critical capability in Active Directory is reliable, fortunately, one of their directory services partners has developed and offers a reliable Active Directory Effective Permissions analyzer.

So, while ideally Microsoft should have made this reliable, at least one of their partners has made it reliable, and that's the beauty of Microsoft's eco-system.

Interestingly, the vendor has a patent-pending on the capability, so I'm not sure how that will play out in the long run for Microsoft. I guess they'll just have to license the technology from their partner, as Microsoft does many a time.

Jack.


__________________

We will NEVER forget.

Ray


Member

Posts: 17
Date: Jul 8, 2012
RE: Why does the effective permissions tab in Active Directory not give accurate results?


Jack,

I wasn't aware of any solution, whether from Microsoft or any vendor, that can accurately determine Effective Permissions in Active Directory for us.

This is a critical capability for all Active Directory deployments, so if there is a solution for this, I would be very interested in knowing about it.

Can you please let me know which solution can accurately determine Effective Permissions in Active Directory?

Thank you.

Ray.



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.


Veteran Member

Posts: 28
Date: Aug 29, 2012
Why does the effective permissions tab in Active Directory not give accurate results?


Ray,

Certainly. It's the Gold Finger for AD: www.paramountdefenses.com/goldfinger

It's pretty slick, and can analyze Effective Permissions on any object in any partition. What we like most about it is the fashion in which the output is displayed: there's a drop-down that lists all the combinations of permissions that are provisioned on the object, and when you select one, it shows you the list of everyone who has that permission combination on the object.

I have to warn you though that it's almost addicting, because when you finally have the ability to view true effective permissions on objects, it's quite eye-opening to find that people you never thought would/should have access on an object actually have access!

Fortunately, it also shows you exactly which permission in the object's ACL is granting that access, so you can immediately lock it down. That has to be the #2 thing I like about it, i.e., it not only shows you that you have a problem, but it shows you how to fix it.

Jack.



__________________

We will NEVER forget.
