July 15, 2013

How to View the ACL on the AdminSDHolder Object in Active Directory

In Active Directory domains, special protection is provided by default to all members of specific default administrative groups, to minimize the risk of security compromise.

Active Directory Administrative Accounts / Groups protected by AdminSDHolder

Specifically, all direct and indirect (nested) members of a set of specific default administrative groups, including Domain Admins, Enterprise Admins, Builtin Admins, Account Operators, Server Operators and others, are given special protection by the system to reduce the likelihood of someone obtaining unauthorized access to the user accounts of the members of these groups.

The "system" does this by applying a special security descriptor on a specially designated object called AdminSDHolder. This special object resides in the "System" container in Active Directory domains and can be identified by the distinguished name, cn=AdminSDHolder,cn=System,dc=<domain>.

The security descriptor applied on this object is "protected" meaning that it does not inherit any permissions from any parent object. Furthermore, the security permissions specified in this ACL are specially configured to provide optimal protection for all protected objects.

The system runs a special process called SDProp on domain controllers, and this process takes the security descriptor (SD) on this object and applies it to all user and computer accounts that effectively belong to one or more of the special protected administrative groups.

This is intended to ensure that even if the user account of a member of one of these administrative groups resides in an OU that is under the administrative control of a delegated administrator, that delegated administrator does not have any administrative access on that user account; if he/she did, it would essentially allow him/her to elevate their privilege and become a more powerful administrator.


How to View the ACL on the AdminSDHolder Object in Active Directory

Sometimes administrative personnel need to be able to view the ACL protecting the AdminSDHolder object. Most often this is done to analyze what access is granted on this object, so that one can in turn determine what access is granted on all administrative accounts in the domain.

One of the most commonly used ways to view the ACL on the AdminSDHolder object is to use a tool, such as dsacls, that can display the ACL of an Active Directory object.
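To make the mechanism described above concrete, here is an added PowerShell example (not from the original post and not Gold Finger code) that reads the AdminSDHolder security descriptor through the AD: drive of the ActiveDirectory module, confirms that it is protected from inheritance, lists its ACEs with the fields discussed in this post, and then lists the objects that SDProp has stamped with adminCount=1, i.e. the accounts that actually receive this ACL. It assumes a domain-joined session with RSAT installed; the domain DN is read from Get-ADDomain rather than hard-coded.

```powershell
# Added example (not from the original post): read the protected ACL on AdminSDHolder and
# list the accounts SDProp currently stamps with it. Requires the ActiveDirectory module
# (RSAT) and a domain-joined session; the domain DN is taken from the current domain.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$HolderDN = "CN=AdminSDHolder,CN=System,$DomainDN"

# 1. The security descriptor itself, via the AD: PSDrive the module provides.
$sd = Get-Acl -Path "AD:\$HolderDN"

# The post states the descriptor is protected (no inheritance from CN=System); verify it.
"AdminSDHolder DACL protected from inheritance: $($sd.AreAccessRulesProtected)"
"Owner: $($sd.Owner)"

# 2. One row per ACE, with the same fields the post discusses (type, principal, rights,
#    object type, inheritance). ObjectType / InheritedObjectType are schema or extended-right
#    GUIDs; an all-zero GUID means the ACE is not restricted to one property, class or right.
$sd.Access |
    Select-Object AccessControlType, IdentityReference, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Sort-Object AccessControlType, IdentityReference |
    Format-Table -AutoSize

# 3. The accounts that effectively carry this ACL: SDProp sets adminCount=1 on every object
#    it protects, so each ACE shown above is, in effect, an ACE on each of these objects.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, objectClass |
    Select-Object Name, objectClass, DistinguishedName |
    Sort-Object objectClass, Name |
    Format-Table -AutoSize

# Command-line equivalent for step 2, using the tool mentioned in the post:
#   dsacls "$HolderDN"
```

Two practical notes: the adminCount attribute is not cleared when an account later leaves the protected groups, so the third listing can include stale entries and should be compared against current group membership before each entry is treated as protected; and because the DACL is protected, any ACE you see on AdminSDHolder that you did not expect is an ACE on every protected account, which is exactly why this object's ACL deserves the review the post recommends.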

Using dsacls to view AdminSDHolder Permissions

Although dsacls can show the ACL of the object in a command-line format, sometimes it is helpful to be able to view the object's ACL in a GUI form, especially if a tool can help analyze the permissions in the object's ACL easily, such as by providing the ability to sort the object's ACL based on permission type.

The 004 edition of our Gold Finger Active Directory Audit Tool is one such Active Directory ACL Viewer/Exporter/Analyzer that can help easily analyze Active Directory ACLs. It can of course also be used to view the ACL of the AdminSDHolder object -

Active Directory ACL Viewer - Simple View


If you click the View Details button, Gold Finger automatically shows all the permissions in their own columns, so that you can then easily analyze the entire ACL by permission type -

Gold Finger 003 Edition - World's Most Capable Active Directory ACL Viewer/Export/Dump Tool

In fact, it can be used to view the ACL of any Active Directory object in any partition. It also makes it very easy to export the entire ACL to a CSV file. It can also show you all the inheritance flags, as well as let you sort the ACL by type, security principal, inheritance and other relevant fields.

It thus helps analyze and maintain Active Directory security in your Windows Server environment.


All IT personnel who are responsible for administering Active Directory environments must be familiar with the AdminSDHolder object and the security specified in its ACL, because it determines the security afforded to all administrative accounts and groups, and that in turn determines the security afforded to the entire Active Directory deployment.

For more information on Active Directory Security, including Top Risks, Mitigations, Guides, Checklists, Tools, Technicals and other resources, please visit - http://www.paramountdefenses.com/active-directory-security

April 15, 2013

How to View Active Directory ACLs

Active Directory is the foundation of security in Microsoft Windows Server based IT environments.

It stores and protects all vital IT resources such as user accounts, security groups, computer accounts, service connection points etc., which are stored in Active Directory containers and organizational units (OUs).

Active Directory Permissions in Active Directory Users and Computers Snap-In

Active Directory objects are protected by Active Directory security descriptors, which specify the object's owner and primary group, as well as a discretionary access control list (DACL) and a system access control list (SACL).

An Active Directory object's DACL contains numerous individual security permissions, also known as access control entries (ACEs), and each ACE specifies some access for some security principal, such as a user, a group or a well-known SID (security identifier). Together, all the ACEs in an object's ACL serve to protect the object, and together they determine the actual set of Active Directory effective permissions granted to a user on the object.

IT administrators and IT analysts often have a need to be able to view and analyze Active Directory ACLs.

How to View and Analyze Active Directory Permissions

This is needed, for example, to inspect the set of all permissions granted in an object's ACL and to perform Active Directory security analysis. It is also needed to identify advanced Active Directory Security Risks such as Active Directory Privilege Escalation, which can be exploited by insiders to obtain administrative access and take over the Active Directory.

Unfortunately, it is not always easy to analyze Active Directory ACLs because the default Active Directory management tools do not provide lucid and clear insight into Active Directory ACLs. There are tools like dsacls that can help obtain a command-line view, but these views too are hard to easily analyze.

An Active Directory ACL displayed in the Advanced Security Settings Tab


At Paramount Defenses, we have built the world's most capable Active Directory Security Analysis tool called Gold Finger for Active Directory, which amongst other capabilities, features the world's most capable Active Directory ACL Viewer -


Active Directory ACL Viewer

Our ACL Viewer not only displays the complete ACL of an Active Directory object with absolute clarity and completeness, it also offers an advanced view wherein it breaks down the various permissions specified in the access mask of each ACE in the ACL into individual columns, thus making it very easy to sort the entire ACL by a specific permission type, or by specific inheritance or other flags -


Active Directory ACL Viewer - Detailed View

The detailed view provides instantly actionable security information, which not only saves substantial time but can be easily acted upon to make security enhancements and lock down unauthorized access grants in Active Directory.


A Demo of our Active Directory ACL Viewer

Here is a demo of our Active Directory ACL Viewer, which shows both the simple view and the detailed view mentioned above -
Our Active Directory ACL Viewer can be used to view, analyze and export the ACL of any Active Directory object in any Active Directory partition. A related capability, the ACL Exporter can also be used to dump the ACLs of all objects in an Active Directory tree, and the Permissions Analyzer capability can be used to find out who has what permissions in Active Directory. In addition, its effective permissions capability can be used to determine effective permissions in Active Directory, which is the only way to correctly audit Active Directory permissions, and its effective delegated access reporting capability can be used to find out who is delegated what administrative tasks where in Active Directory.

For more information on Gold Finger's ACL Viewer capabilities, and to download a free trial, please visit our website, or Google "Gold Finger for Active Directory"

March 6, 2013

How to View Active Directory Permissions

Active Directory permissions store and protect Active Directory objects from unauthorized access, and enable IT administrators to precisely control who has access to what in Active Directory.

Active Directory permissions are specified in Active Directory ACLs and IT admins often have a need to be able to view, analyze and export Active Directory permissions, whether to analyze access grants, or to lock down Active Directory access or to control access to Active Directory content.

How to View Active Directory Permissions

The default way to view Active Directory permissions is via the Security tab, which can be accessed by right-clicking an object in the Active Directory Users and Computers snap-in or in the Active Directory Administrative Center console.

However, it can be a challenge to view and analyze Active Directory permissions using the Security Tab, because it unfortunately does not provide a complete and easily analyzable view of the ACL of the Active Directory object -

Active Directory Advanced Permissions

For example, the most common problem with it is that it is very difficult to find out exactly which security permissions are granted by which access control entries (ACEs) in the ACL, and that makes it very difficult to analyze Active Directory permissions, especially when you are trying to find out who is delegated what access on an Active Directory object, or when performing an Active Directory delegation audit.

This information can also be obtained using other Microsoft security tools such as dsacls, but even with dsacls it is not easy to get an easily sortable breakdown of all the permissions granted by each ACE in an Active Directory object's ACL. There are also some 3rd party tools like LIZA that provide an advanced view, but they do not provide a breakdown of all the individually possible permissions in an Active Directory object's ACL.

How to Easily View Active Directory Permissions

With our Gold Finger Microsoft Active Directory Audit Tool, IT administrators can now instantly view, analyze and export ACLs with unmatched ease and clarity, as well as obtain detailed views of the individual permissions granted in Active Directory ACLs -

Active Directory ACL / Permissions Viewer

The ability to view the ACL in its entirety makes it much easier to analyze ACLs and permissions, and the availability of the detailed view makes it very easy to identify which ACEs in the ACL end up granting a specific permission type, such as Extended Rights permissions, or Write Property permissions.

This information is also often needed when performing an Active Directory delegation audit, or when relying on an Active Directory Audit Checklist to perform an Active Directory Audit.

Armed with this information, IT admins can easily and instantly analyze Active Directory ACLs and make accurate and well-informed decisions based on clear and detailed insight into all aspects of access rights granted in an Active Directory object's ACL.

For more information on the Active Directory ACL Viewer capabilities of our Gold Finger audit tool for Active Directory, including a free 21-day trial, please visit - http://www.paramountdefenses.com/products/active-directory-audit-tool/capabilities/acl-viewer-and-exporter.html.

February 15, 2013

How to view Active Directory ACLs and Permissions

Active Directory stores and protects vital content such as user accounts, security groups, computer accounts, and service connection points. Content in the Active Directory is typically stored in OUs and containers, and all content is protected by Active Directory ACLs.

Each Active Directory ACL contains one or more ACEs, each of which grants or denies some Active Directory security permission for a user, an Active Directory security group or for a well-known SID such as Everyone, Authenticated Users etc.

Active Directory ACL

IT admins often need to be able to view Active Directory ACLs as well as export/dump Active Directory permissions so as to be able to analyze Active Directory security from time to time.

IT admins usually utilize tools like dsacls, dsrevoke, acldiag etc. to view AD ACLs, but these tools seldom provide the granularity that is needed to view and analyze AD ACLs completely.

The World's Best Active Directory Audit Tool

The Gold Finger Active Directory Audit Tool from Paramount Defenses is the world's best Active Directory security analysis tool. One of its capabilities includes an Active Directory ACL viewer -


Active Directory Audit Tool
 
Gold Finger's ACL Viewer is the world's most capable ACL viewer because, in addition to displaying the complete ACL, it can break down the permissions and the flags fields of an ACL into individual columns. This allows administrators to easily sort Active Directory ACLs by permission type and thus instantly audit Active Directory rights and identify all ACEs that grant a specific type of permission, whether directly, or as a combination of permissions.

In addition to an ACL viewer, Gold Finger also features other Active Directory security analysis and Active Directory Audit capabilities such as the ability to determine Active Directory effective permissions, and generate fully automated effective Active Directory delegated access reports.

When it comes to Active Directory Audit Tools, Gold Finger is most simply the world's most powerful and capable Active Directory audit tool. No other tool in the world comes even close.

For more information, and to download a free trial, please visit -
http://www.paramountdefenses.com/goldfinger.

December 10, 2012

How to View Active Directory Permissions Easily and Instantly

Folks,

In today's post, I will show you just how easy it is to view, analyze and export Active Directory security permissions / access rights/ ACLs with the world's best Active Directory ACL Viewer and ACL Exporter. IT admins often have a need to be able to view Active Directory permissions / ACLs and analyze them to find out who has what rights on an Active Directory object, or to find out who is delegated what rights on an Active Directory object.

Active Directory Security Permissions


How to View Active Directory Permissions Easily

The ACL Viewer capability of the Gold Finger Active Directory Audit Tool lets you instantly view, analyze and export the permissions granted on any Active Directory object at the touch of a button.


How to View Active Directory Permissions Easily


Here's how easy it is to view the security permissions in the ACL of an Active Directory object -
  1. Launch Gold Finger
  2. Select the ACL Viewer Capability
  3. Select the report - View the ACL of an Active Directory object
  4. Specify the DN of the Active Directory object in the scope field
  5. Press the Gold Finger button.

That's it.

Gold Finger instantly retrieves and displays the complete ACL of the Active Directory object, including all the fields listed below.

Active Directory Permissions Fields Displayed -
  1. Type - Allow / Deny
  2. Security Principal
  3. Permissions  
  4. Attribute/Class
  5. Inheritance
  6. Applies To

Detailed Security Permissions Analysis View

Gold Finger is also the world's only ACL Viewer that displays each of the thirteen unique Active Directory permissions in their own individual columns, thus letting you easily sort the entire ACL of the Active Directory object by permission type and thus find all ACEs that grant a specific kind of permission, such as Create-Child, or Extended-Right etc.

Active Directory Permissions Displayed in Individual Columns


List of Active Directory Security Permissions Displayed in Individual Columns

In fact, here is the list of the 13 different types of Active Directory security permissions that Gold Finger displays in individual columns for instant, reliable and effortless analysis -
  1. List Child (LC) permissions
  2. List Object (LO) permissions
  3. Read Control (RC) permissions
  4. Read Property (RP) permissions
  5. Write Property (WP) permissions
  6. Create Child (CC) permissions
  7. Delete Child (DC) permissions
  8. Standard Delete (SD) permissions
  9. Delete Tree (DT) permissions
  10. Write DACL (WD) permissions
  11. Write Owner (WO) permissions
  12. Extended Rights (CR) permissions
  13. Validated Write (SW) permissions

Gold Finger can be used to view Active Directory permissions easily and in fact can be used to view the ACL of any object in any Active Directory domain partition, as well as objects in the Schema partition and the Configuration partitions.

For instance, Gold Finger can be used to view the ACL of the root of the Configuration partition, or any Class-Schema or Attribute-Schema object in the Schema partition or any object in any domain partition, such as the System container, the AdminSDHolder object, the Users container, or any OU, user account, computer account, security group, service connection point etc. of your choice.

This information can be used to assess delegated rights in Active Directory, verify provisioned access in Active Directory, as well as help when you are trying to audit delegated access in Active Directory.

In this manner, Gold Finger can help you perform detailed Active Directory Security Analysis, and as well as easily sort and export the ACL of any Active Directory object in your environment.

For more information, and to download a free 21-day trial, please visit - http://www.paramountdefenses.com/goldfinger_capabilities_acl_viewer_and_exporter_for_active_directory.html

September 26, 2012

How to easily view, export and analyze the security permissions / access rights in an Active Directory (AD) Access Control List (ACL)


IT personnel often need to be able to view, export and analyze Active Directory ACLs to assess, audit, manage, control and lock down security permissions granted to various security principals on an Active Directory object, and to perform Active Directory Security Analysis.
Active Directory ACL Editor View - Advanced Security Settings

For instance, IT personnel often need to be able to identify -
  1. All ACEs that Deny permissions
  2. All ACEs that apply to a specific object type, such as to all User objects
  3. All ACEs that grant permissions for a specific security principal, such as Domain Admins
  4. All ACEs that are inherited but marked as Inherit-Only
  5. All ACEs that grant a specific type of permission, such as Extended Right permissions


Active Directory Users and Computers / Administrative Center are insufficient

The default means of viewing and analyzing Active Directory ACLs is via the Security Tab of either the Microsoft Active Directory Users and Computers snap-in or via the Administrative Center snap-in.


Active Directory Users and Computer Snap-In - ACL Editor | ACL Viewer

In either of these cases, the default views are not very user-friendly because they do not display the ACL as is, so one has to resort to using the Advanced button to view the underlying permissions in detail.

Even in the Advanced view, it is not very easy to view the entire ACL, and it is by no means possible to sort the ACL by the individual security permissions contained in a single access control entry (ACE).

The fact that many ACEs typically grant multiple permissions necessitates the ability to be able to easily view the individual permissions specified in an ACE and sort the ACL by individual permission types, but this is not possible using Microsoft's default UIs for ACL viewing.



dsacls.exe and 3rd party tools (e.g. LIZA) are also insufficient

The dsacls command-line utility is not of much help in this regard in that even though it can be used to dump an object's ACL to the console, it cannot render a view wherein individual permissions are displayed in individual columns for easy viewing and analysis. Some 3rd party tools (e.g. LIZA) offer some progress in that they are able to break down the permissions, but only by a few generic permission types. They fall short in that they cannot break down the entire ACL by each of the 13 permission types in Active Directory.


Gold Finger's ACL Viewer Capability Completely Breaks Down Individual Permissions in Active Directory ACLs

In that regard, the ACL Viewer capability of the Gold Finger Active Directory Security Audit Tool delivers the best view into Active Directory ACLs for quick and complete ACL analysis -


Gold Finger's Detailed Active Directory ACL Viewer

In particular, it not only displays each field of an Active Directory ACL in a separate column, it also has a Detailed view (activated by pressing Alt-D) that further breaks down the permission field into 13 individual columns, one for each of the 13 types of permissions available in Active Directory.

By offering this ability, it finally lets IT personnel easily analyze Active Directory ACLs by letting them sort the entire ACL by not only the basic ACE fields, but also sort the entire Active Directory ACL by individual permission types, such as Extended Rights, or Modify Permissions etc.

It thus empowers IT personnel to be able to, for the first time ever, obtain complete clarity and insight into the ACL of any Active Directory object in any directory partition, quickly and effortlessly.


Benefits

For instance, if an IT administrator wanted to identify all the ACEs in an object's ACL that grant Delete Tree permissions, Gold Finger makes accomplishing this objective as easy as touching a button.

In order to do so, the IT administrator would simply sort the ACL by the Delete Tree permission column, and by doing so be able to instantly identify all ACEs that grant this permission, either as an individual permission, or as a combination of permissions.
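As an added example (not Gold Finger code and not from the original posts), the following PowerShell decodes an ACE's access mask into the 13 permission types listed in the "How to View Active Directory Permissions Easily and Instantly" post above, using the dsacls abbreviations, and then answers the five questions this post opens with, plus the Delete Tree case just described, by filtering and sorting that detailed view. The ACL it works on is constructed sample data (the CONTOSO principals, object types and masks are assumptions); ConvertFrom-AdAccessRule shows how rows from a real (Get-Acl "AD:\<dn>").Access would be mapped into the same shape. It goes one step beyond the text by expanding the generic rights (GenericRead/Write/Execute/All) into the specific rights the directory service maps them to, which is what makes a permission granted "as a combination" appear in its own column.

```powershell
# Added example (not Gold Finger code): expand each ACE's access mask into the 13 Active
# Directory permission types (dsacls abbreviations) so an ACL can be sorted and filtered by
# permission type, including permissions granted through a generic right such as GenericAll.
# The ACEs below are constructed sample data; the CONTOSO principals are hypothetical.

# Specific rights, in ADS_RIGHTS_ENUM bit order, keyed by dsacls abbreviation.
$AdRightBits = [ordered]@{
    CC = 0x00001   # Create Child
    DC = 0x00002   # Delete Child
    LC = 0x00004   # List Children
    SW = 0x00008   # Validated Write (ADS_RIGHT_DS_SELF)
    RP = 0x00010   # Read Property
    WP = 0x00020   # Write Property
    DT = 0x00040   # Delete Tree
    LO = 0x00080   # List Object
    CR = 0x00100   # Extended Right (control access)
    SD = 0x10000   # Standard Delete
    RC = 0x20000   # Read Control
    WD = 0x40000   # Write DACL
    WO = 0x80000   # Write Owner
}
# Generic bits (decimal, because PowerShell parses 0x80000000 as a negative Int32) and the
# specific rights the directory service maps each one to.
$AdGenericMap = @(
    @{ Bit = 2147483648; Rights = 'RC','LC','RP','LO' }    # GENERIC_READ
    @{ Bit = 1073741824; Rights = 'RC','SW','WP' }         # GENERIC_WRITE
    @{ Bit = 536870912;  Rights = 'RC','LC' }              # GENERIC_EXECUTE
    @{ Bit = 268435456;  Rights = @($AdRightBits.Keys) }   # GENERIC_ALL
)

function ConvertTo-AdPermissionColumns {
    # One access mask -> ordered table of 13 booleans (the "detailed view" columns).
    param([Parameter(Mandatory)][long]$Mask)
    if ($Mask -lt 0) { $Mask += 4294967296 }   # Int32-wrapped enum values (e.g. GenericRead)
    $effective = $Mask
    foreach ($g in $AdGenericMap) {
        if ($Mask -band $g.Bit) { foreach ($r in $g.Rights) { $effective = $effective -bor $AdRightBits[$r] } }
    }
    $cols = [ordered]@{}
    foreach ($abbr in $AdRightBits.Keys) { $cols[$abbr] = [bool]($effective -band $AdRightBits[$abbr]) }
    return $cols
}

function Get-AdAclDetailedView {
    # Simplified ACE records (Type, Principal, Mask, ObjectType, Inheritance, InheritOnly)
    # -> one row per ACE with the 13 permission columns appended.
    param([Parameter(Mandatory)][object[]]$Ace)
    foreach ($a in $Ace) {
        $row = [ordered]@{ Type = $a.Type; Principal = $a.Principal; ObjectType = $a.ObjectType
                           Inheritance = $a.Inheritance; InheritOnly = $a.InheritOnly }
        $cols = ConvertTo-AdPermissionColumns -Mask $a.Mask
        foreach ($k in $cols.Keys) { $row[$k] = $cols[$k] }
        [pscustomobject]$row
    }
}

function ConvertFrom-AdAccessRule {
    # Maps a real System.DirectoryServices.ActiveDirectoryAccessRule, as returned by
    # (Get-Acl "AD:\$dn").Access, into the simplified record above. Not used by the sample data.
    param([Parameter(Mandatory, ValueFromPipeline)]$Rule)
    process {
        [pscustomobject]@{
            Type        = $Rule.AccessControlType.ToString()
            Principal   = $Rule.IdentityReference.Value
            Mask        = [long][int]$Rule.ActiveDirectoryRights
            ObjectType  = $Rule.ObjectType.ToString()        # property/class/right GUID, or all zeros
            Inheritance = $Rule.InheritanceType.ToString()
            InheritOnly = [bool]($Rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        }
    }
}

# Constructed sample ACL (983551 = 0xF01FF = GenericAll; 0x10040 = Delete + Delete Tree).
$SampleAces = @(
    [pscustomobject]@{ Type='Allow'; Principal='CONTOSO\Domain Admins'; Mask=983551;     ObjectType='(all)';                Inheritance='None';        InheritOnly=$false }
    [pscustomobject]@{ Type='Allow'; Principal='CONTOSO\HelpDesk';      Mask=0x20;       ObjectType='user (class)';         Inheritance='Descendents'; InheritOnly=$true  }
    [pscustomobject]@{ Type='Allow'; Principal='CONTOSO\OU-Admins';     Mask=0x10040;    ObjectType='(all)';                Inheritance='All';         InheritOnly=$false }
    [pscustomobject]@{ Type='Deny';  Principal='Everyone';              Mask=0x100;      ObjectType='User-Change-Password'; Inheritance='None';        InheritOnly=$false }
    [pscustomobject]@{ Type='Allow'; Principal='Authenticated Users';   Mask=2147483648; ObjectType='(all)';                Inheritance='None';        InheritOnly=$false }
)
$View     = Get-AdAclDetailedView -Ace $SampleAces
$PermCols = @($AdRightBits.Keys)

"--- ACEs that Deny"
$View | Where-Object { $_.Type -eq 'Deny' } | Format-Table Type, Principal, ObjectType -AutoSize
"--- ACEs that apply to user objects"
$View | Where-Object { $_.ObjectType -like 'user*' } | Format-Table Type, Principal, ObjectType -AutoSize
"--- ACEs for Domain Admins"
$View | Where-Object { $_.Principal -like '*Domain Admins' } | Format-Table (@('Type','Principal') + $PermCols) -AutoSize
"--- Inherit-only ACEs"
$View | Where-Object { $_.InheritOnly } | Format-Table Type, Principal, Inheritance, InheritOnly -AutoSize
"--- ACEs granting Delete Tree (directly, or through GenericAll)"
$View | Where-Object { $_.DT -and $_.Type -eq 'Allow' } | Format-Table Type, Principal, DT, SD, WD -AutoSize
"--- Whole ACL sorted by Extended Right, then Write Property"
$View | Sort-Object CR, WP -Descending | Format-Table (@('Type','Principal') + $PermCols) -AutoSize
```

In the Delete Tree query, both the OU-Admins ACE (explicit DT bit) and the Domain Admins ACE (GenericAll) are returned, which is the "as an individual permission, or as a combination of permissions" distinction the post draws; a tool that only lists the raw ActiveDirectoryRights value would show GenericAll and leave the reader to remember that it includes Delete Tree. The ObjectType column is kept as a display string here because resolving a real ACE's GUID to a schema or extended-right name needs a lookup in the schema and configuration partitions, which is left out of this example.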

Not only does Gold Finger provide complete clarity into the various ACEs and permissions in an Active Directory object's ACL, it also lets IT personnel instantly export that ACL to a CSV file. This makes it possible to document and archive the ACL of an object.

In addition, Gold Finger can also be used to target specific DCs, so in situations where replication issues might exist, it can help determine the differences between ACLs simply by obtaining and comparing two versions of the same Active Directory object's ACL from two different DCs.

Gold Finger's ACL Viewer is thus the most valuable and capable Active Directory ACL Viewer as well as the world's most capable Active Directory Permissions Analyzer.

For additional details, please visit - http://www.paramountdefenses.com/goldfinger

September 17, 2012

How to View and Analyze Active Directory (AD) Object ACLs Using Gold Finger

In this blog, as we begin coverage of how to view and analyze Active Directory security permissions, ACLs and SACLs, we will make extensive use of the Gold Finger Active Directory Security/ACL/SACL Viewer Tool. It would thus be helpful to have a basic understanding of how to use Gold Finger's automated Active Directory security permissions/ACL/SACL viewing and analysis capabilities.

How to View and Analyze Active Directory (AD) Object ACLs Using Gold Finger

The following is thus a brief demo that shows how to use Gold Finger to view and analyze Active Directory security permissions, ACLs and SACLs.
In addition to being able to view and analyze Active Directory security permissions/rights, ACLs and SACLs, Gold Finger can also generate Active Directory delegated access reports that show you who is delegated what access where and how.

Once you have gained familiarity with how to use Gold Finger to view and analyze Active Directory security rights/permissions, ACLs and SACLs, it will be much easier to follow various examples that we shall share as we cover this subject.


The WikiLeaks Security Incident and the latest Anonymous Cyber-Attacks on Israel all demonstrate the importance of cyber security and IT security today. When it comes to the security of the IT infrastructures of organizations, Active Directory is at the foundation of their security and thus is mission-critical to global security today. In fact, the Most Powerful and Expensive Weapon in the World is related to Active Directory security as well.