ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: Looking for a good Active Directory Security Permissions Analyzer / Analysis Tool


Newbie

Posts: 4
Date: Jan 3, 2013
Looking for a good Active Directory Security Permissions Analyzer / Analysis Tool
Permalink  
 


Hello Forum,

We are in the midst of an IT security audit and we have been asked to perform an audit of access rights provisioned in our organizational Active Directory deployment which is currently comprised of three Active Directory domains (including an almost empty forest root domain.)

I have been doing some reading on Active Directory Security and have come to the conclusion that due to the sheer size of an Active Directory deployment, while it is not realistically possible to completely lock-down an Active Directory, we can certainly do our best to identify certain permissions that should not generally be granted, and if we find any such permissions, that we should lock them down.

For example, we wish to ensure that no delegated administrators have Explicit Allow Modify Permissions granted on any of our OUs, because if they have these permissions, they could change the permissions on the OU and override those delegated to them by changing the permissions.

We are thus looking for a good Active Directory Security Permissions Analyzer / Analysis Tool that can help us find such permissions rather easily and quickly, so that we don't have to spend lots of time and effort trying to write, test and maintain our own scripts to do this.

If any of you have been in a similar situation, and have a recommendation, we would appreciate it, as it would help us save a lot of time, effort and resources, especially since we're short-staffed, and don't have the resources to test every possible tool out there before deciding on one.

Thank you in advance for any help you can provide.

Tom.



__________________

When everything's coming your way, you're in the wrong lane.



Member

Posts: 6
Date: Feb 12, 2013
RE: Looking for a good Active Directory Security Permissions Analyzer / Analysis Tool
Permalink  
 


Tom,

We had a very similar need a few months ago, and did some research to figure out how to fulfill this need back then, so I'm happy to share whatever I learnt with you.

Like you, we figured that the problem was almost unsolvable, given the ocean of permissions in our AD, so we too thought we'd catch the low-hanging fruit, and started looking for tools that could help us analyze Active Directory permissions.

We initially tried dsacls and accesschk from Microsoft, but given their usability (or lack thereof rather) we quickly gave up as we weren't willing to spend days look at command-line output.

We then came across two other tools, which are quite commonly used, but sadly are unreliable - I'm referring to LIZA and ADUCAdmin, which are both GUI based. The problem is that we found that they both make inaccurate claims as to a key capabilitiy, and that raised a red-flag for us.

(They both claim to be able to determine effective access in Active Directory, but if you look at their effective access outputs, they don't actually determine effective access! That was quite surprising because you expect tool developers to know such differences and details. It became a red-flag for us because if the developers didn't seem to know what effective access means in AD, we weren't sure as to how to trust anything else these tools claimed to do accurately.)

Anyway, we continued looking and accidentally chanced upon another tool called Gold Finger here and it has worked quite well for us. It is also a GUI based tool and has a few other analysis capabilities, including an AD permissions analyzer.

We have been using it for quite some time now so I can tell you based on my experience that you can use it to find out who has specific permissions in your Active Directory.

Apart from some of the tools I have mentioned above, I don't think there are many more tools that can help find out who has what permissions in Active Directory. I suppose one could use cmdlets or write scripts but I'm not much of a script guy, so I prefer GUIs to solve problems.

I hope I was able to help you. Good luck.

Benji.



__________________
Tower, this is Ghost Rider requesting a flyby!


Member

Posts: 9
Date: Mar 20, 2013
RE: Looking for a good Active Directory Security Permissions Analyzer / Analysis Tool
Permalink  
 


Hi Tom,

We were in a similar boat last year, and after much looking around and trying our hands with in-house scripting, we too started using this tool, and its been very helpful. We tried LIZA as well, but found it to be insufficient for our use. Also, since LIZA wasn't digitally signed, we couldn't get it past approval from the corp sec guys (which are such a pain to deal with.)

By the way, since you're primarily interested in permissions analysis, there's a decent write up on how to use it to find out who has what permissions in Active Directory, here, and the tool's pretty straight forward to use. 

Best wishes,

Matthew



__________________

Go Aussie!



Newbie

Posts: 4
Date: Apr 11, 2013
Looking for a good Active Directory Security Permissions Analyzer / Analysis Tool
Permalink  
 


Benjamin,

I'm sorry I couldn't respond sooner, mostly because we were busy researching our options to fulfill this need, and because I had two other projects handed to me recently (as though I didn't already have enough on my plate, but I'm sure you know who that is.)

Anyway, I just wanted to thank you for your input as it was helpful. We looked at 5 different tools including dsacls, ACLDiag, LIZA, ADUCAdmin and Gold Finger and we tried each one of them, and I have tried to share a quick summary of my findings below.

As I had mentioned, one of the key requirements for us to perform searches like - where does user Jane Doe have Explicit Allow Reset Password permissions in the OU Users and Computers.

This need was important and sort of urgent because we were trying to clean up our Active Directory permissions, because its been a mess for quite some time, and a new Director who was brought in to enhance security, ended up making cleaning up our AD one of his key projects.

Anyway, so with that background in mind, here's a quick summary of our findings -

We found that dsacls and ACLDiag were free and from Microsoft but were only sufficient for basic ACL analysis. It wasn't very convenient to perform permission and user specific searches, which was a key requirement for us, and the need to either copy results to a text file and then to a CSV file for analysis were just something we didn't have the patience or time for.

We looked as LIZA as well, and we although it was free and decently capable, because it was not digitally signed or supported, it was not really an option for us due to liability reasons. (If a product ain't verifiably unique, and it ain't supported, CorpSec doesn't allow its use .)

ADUCAdmin was both promising and disappointing. It was promising because it was decently capable of doing basic permissions analysis. We liked the fact that it was easy to install and use, and that it was decently fast. In the end it was disappointing though because one of its major claims (i.e. Effective Permissions) turned out to be not very true and unfortunately that made us question whether its developers really understood Windows/AD security innards well enough to build a tool to we can trust.

We took a look at Gold Finger, and of all the tools, it seemed to be the most capable and trustworthy one. Here's what we liked about it - a) it offered the flexibility we needed in being able to exactly specify our permissions analysis parameters, b) its GUI was intuitive to use, c) it had an export to CSV option and d) it had other capabilities (e.g. ACL viewer, dumper, effective permissions analyzer etc.) that we needed. What we didn't like about it very much was its price, but we figured that it was cheaper than hiring consultants ($$$) to do this for us, so we'll most likely go ahead with it.

So, in case it helps, here are the links to each of the products we evaluated -

1. dsacls - http://technet.microsoft.com/en-us/library/cc771151

2. ACL Diag - http://technet.microsoft.com/en-us/library/cc755388

3. LIZA - http://www.ldapexplorer.com/en/liza.htm

4. ADUCAdmin - http://www.aducadmin.com/

5. Gold Finger - http://www.paramountdefenses.com/goldfinger.html 

 

I thought I would share our findings, in case it helps others with a similar need. AD permissions aren't exactly fun to deal with, and its been a headache for most of us thusfar, so we're hoping we can get a good grip on them and get them locked down.

Thanks,

Tom



-- Edited by TomL on Thursday 11th of April 2013 05:48:56 PM

__________________

When everything's coming your way, you're in the wrong lane.

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me