ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to audit access granted to a security group in Active Directory?


Member

Posts: 17
Date: Jun 1, 2012
How to audit access granted to a security group in Active Directory?


Hi Guys,

With Q2 2012 having just ended, we're working on our quarterly IT security audits. One of the audits we do involves documenting who has what access in our Active Directory domain. This one was just recently introduced (I'm told based on the occurrence of a rather nasty security incident this quarter.)

So we're tasked with obtaining and furnishing a list of everyone who has modify access in our Active Directory. We also need to show where these individuals have access (i.e. on which Active Directory objects) and specifically what access they have on these objects.

We started by looking at the Active Directory Administrative Center, and even looked at dsacls, but couldn't figure out how to do so.

We initially toyed with the idea of writing a script to do so, but upon some analysis, it became clear that this wasn't that easy to script up, so now we're trying to figure out how to fulfill this requirement.

This forum seemed like the right place to ask for suggestions, so if you have any, we're all ears. Our management insists on this report, and our efforts to push back aren't meeting with too much success.

Thanks in advance.

Will.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Member

Posts: 21
Date: Jun 26, 2012
RE: How to audit access granted to a security group in Active Directory?


Hi Will,

I think I might be able to suggest something useful, but before I do so, could you please elaborate on what you mean by modify access?

I ask because there are many modify permissions in Active Directory, such as Write Property, Modify Owner, Modify Permissions, etc.

In addition, permissions like Write Property can either be blanket, meaning they apply to all properties, or they can be property specific, meaning they only apply to a specific property of a specific property-set.

If you could let me know what you have in mind, I could possibly suggest something useful for you to try.

Sincerely,

Ishmael.



__________________

There isn't a system that cannot be broken into.
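The rights Ishmael enumerates (Write Property, Modify Permissions, Modify Owner, and the distinction between a blanket Write Property and one scoped to a single property or property set) all live in the ACEs on each directory object, so they can be listed without any third-party tool. The following PowerShell script is an added example, not code from this thread or from any product mentioned in it. It walks every object under a search base, keeps the Allow ACEs whose rights include WriteProperty, WriteDacl, WriteOwner, GenericWrite or GenericAll (the generic rights imply the specific ones), resolves the ObjectType GUID against the schema and the Extended-Rights container so property-specific grants are readable, and writes a CSV. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the directory; `$SearchBase` and `$OutFile` are placeholder parameters, not values from the thread.

```powershell
<#
  Added example (not from the thread or any tool it mentions).
  Reports every Allow ACE under $SearchBase that grants a modify-class right
  and shows whether the grant is blanket or property-specific.
  Assumes: RSAT ActiveDirectory module; read access to the directory.
  $SearchBase / $OutFile are placeholders you set yourself.
#>
param(
    [string]$SearchBase = '',                     # defaults to the domain root below
    [string]$OutFile    = '.\ad-modify-rights.csv'
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# Rights Ishmael lists, plus the generic rights that include them.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$modifyMask = $R::WriteProperty -bor $R::WriteDacl -bor $R::WriteOwner -bor
              $R::GenericWrite  -bor $R::GenericAll

# GUID -> name map: schema attributes/classes and extended rights / property sets.
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $g = [guid]$_.schemaIDGUID; $guidName[$g] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $g = [guid]$_.rightsGuid; $guidName[$g] = $_.displayName }

function Resolve-AceGuid([guid]$Guid, [string]$IfEmpty) {
    # An all-zero GUID means the ACE is not scoped to a property or class.
    if ($Guid -eq [guid]::Empty)       { return $IfEmpty }
    if ($guidName.ContainsKey($Guid))  { return $guidName[$Guid] }
    return $Guid.ToString()            # unknown GUID: keep it raw rather than guess
}

$rows = foreach ($obj in Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
                                      -LDAPFilter '(objectClass=*)') {
    try   { $acl = Get-Acl -LiteralPath "AD:\$($obj.DistinguishedName)" }
    catch { Write-Warning "Cannot read ACL of $($obj.DistinguishedName): $_"; continue }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow')              { continue }
        if (($ace.ActiveDirectoryRights -band $modifyMask) -eq 0) { continue }

        [pscustomobject]@{
            Object      = $obj.DistinguishedName
            ObjectClass = $obj.ObjectClass
            Trustee     = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights.ToString()
            # Blanket Write Property has an empty ObjectType; otherwise it names
            # the property, property set or extended right the grant is limited to.
            AppliesTo   = Resolve-AceGuid $ace.ObjectType '<all properties>'
            # Empty InheritedObjectType = applies to objects of any class.
            ClassScope  = Resolve-AceGuid $ace.InheritedObjectType '<any class>'
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

$rows | Sort-Object Trustee, Object | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "$(@($rows).Count) modify-class ACEs written to $OutFile"
```

Two caveats for reading the output as an audit artefact. First, the Trustee column is whatever principal the ACE names, which in a delegated domain is usually a group; to get to the "who" in Will's requirement, expand each group with `Get-ADGroupMember -Recursive`. Second, this is a listing of granted ACEs, not of effective permissions: it ignores Deny ACEs, object ownership and the interaction of nested groups, and it deliberately leaves out validated writes (the `Self` right), so it over-approximates in some places and under-approximates in others. It is still enough to show where and on which attributes modify-class rights exist, which is what dsacls alone does not summarise across the whole tree.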



Member

Posts: 17
Date: Jun 28, 2012
RE: How to audit access granted to a security group in Active Directory?


Hello Ishmael,

Thank you for your help. We are interested in finding out who all have any kind of Modify Permissions in our Active Directory, so I suppose that would mean all of the permissions you have listed below.

In light of this could you please suggest how we could fulfill our need?

Thank you very much.

Will.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Member

Posts: 10
Date: Jun 29, 2012
RE: How to audit access granted to a security group in Active Directory?


Hi Will,

Have you given dsacls from Microsoft a shot? I believe it can help view the ACL of an object, and I suppose that should be sufficient. Just a thought.

Andy.



__________________

Music is the soul of life! & IT Management Best-Practices



Member

Posts: 5
Date: Jul 8, 2012
How to audit access granted to a security group in Active Directory?


Hello Will,

Finding out what access is granted to a security group can be very important when trying to determine who is delegated what administrative privileges in Active Directory.

Determining effective delegated access rights is an essential component of any Active Directory Security Audit, and in fact no Active Directory Security Audit should be considered complete without it.

This is particularly important because of the increasing risk of advanced threats like Security Privilege Escalation in Active Directory, which any user in the environment can carry out with the right downloadable tools.

Fortunately we cover this in our Active Directory Security Audit Services, so if we can help, please feel free to look us up and let us know. My contact info is in my signature.

Thanks, and good luck,

Ryan



__________________

We help organizations with Active Directory Security Audit services.



Member

Posts: 17
Date: Jul 18, 2012
RE: How to audit access granted to a security group in Active Directory?


Andy, thanks but dsacls was not sufficient to make this determination.

Ryan, thanks for the suggestion - we may consider your org's services.

Ishmael, thank you for your help. We are interested in finding out who all have any kind of Modify Permissions in our Active Directory, so I suppose that would mean all of the permissions you have listed.  In light of this could you please suggest how we could fulfill our need?

Thank you all.

Will.



__________________

I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.



Member

Posts: 21
Date: Jul 22, 2012
RE: How to audit access granted to a security group in Active Directory?


Hi Will,

I would recommend using the Permissions Analyzer capability of the Microsoft-endorsed Gold Finger Active Directory Security Audit Tool.

It's got one of the most powerful permission analysis capabilities for Active Directory that we have seen in any tool, and it's very easy to use.

We chanced upon it on YouTube (I'll try to embed the demo below.)

In case the demo doesn't run, here's the link to it - How to Analyze Active Directory Permissions (Active Directory Permissions Analyzer)

What we liked best about it is the ease with which it can be installed and used - no admin privileges, no agent installation, no servers, no services, nothing required. It's a simple client-side tool that installed in 2 minutes.

Maybe it can help you with your goals as well.

Lehitra'ot

Ishmael.



__________________

There isn't a system that cannot be broken into.
