August 31, 2012

How to View and Analyze Active Directory ACLs and SACLs

Active Directory stores and protects critical IT resources, such as user and computer accounts, passwords, security groups and security policies, in the form of Active Directory objects.

Each Active Directory object is secured by means of a security descriptor, which consists of a discretionary access control list (DACL, usually just called "the ACL"), a system access control list (SACL), an Owner field and a Group field. The DACL controls who may access the object; the SACL controls which accesses are audited. Each ACL in turn contains one or more access control entries (ACEs), and each ACE allows or denies a set of permissions to one security principal (a user, computer, group or well-known principal).

To keep the directory secure, IT personnel need to be able to analyze Active Directory ACLs: to find out who is granted what access on individual Active Directory objects, and to lock that access down.

ACL Editor in Active Directory Users and Computers

The default way to view Active Directory ACLs is the ACL editor built into the Microsoft Active Directory Users and Computers tool (the Security tab of an object's properties, which appears once Advanced Features is enabled in the View menu):

Unfortunately, the view in the ACL editor is insufficient for any real Active Directory ACL analysis, because it does not expose the individual elements of the access control entries (ACEs) that make up the object's ACL, such as the raw access mask or the object-type GUID of an object-specific ACE.


DSACLS to Analyze Active Directory ACLs

The Microsoft command-line tool DSACLS provides more detail, which is somewhat useful for Active Directory ACL analysis, but it is still cumbersome: you need to export its output to do any useful analysis, and even then it does not break down the individual permissions contained in an ACE's access mask field, so you have to do that by hand, which is time-consuming and error-prone.


Scripts to Analyze Active Directory ACLs

It is also not easy to write scripts to analyze Active Directory ACLs, because a detailed analysis involves looking into the access mask of every ACE, interpreting the ACE type and inheritance flags, resolving SIDs to account names and object-type GUIDs to attribute or extended-right names, and so on. In addition, because a single ACE can carry several permissions, determining which ACEs grant which permissions can be complicated.

Performing all of these steps takes a long time and requires considerable effort and knowledge. As a result, analyzing Active Directory ACLs in detail is difficult for most IT personnel.
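The steps just listed are what has to be automated, whether by a tool or by a script. As an added example that is not part of the original post and is not the author's tool, the following PowerShell script performs them using nothing but System.DirectoryServices: it prints the Owner and Group fields of the security descriptor, splits each DACL ACE's access mask into its individual permissions, resolves SIDs (leaving orphaned SIDs visible rather than dropping them) and object-type GUIDs, and lists the SACL. The distinguished name OU=Admins,DC=corp,DC=example,DC=com is an assumed placeholder, and the Review column is a heuristic added here, not a verdict.

```powershell
# Added example (not code from the post or its author's tool). It uses only
# System.DirectoryServices via the [ADSI] accelerator, so it runs on any
# domain-joined Windows host without extra modules. The DN below is an
# assumption; pass the object you want to inspect as -ObjectDN.
param(
    [string]$ObjectDN = 'OU=Admins,DC=corp,DC=example,DC=com'   # assumed, replace
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

# Object-specific ACEs carry GUIDs in ObjectType / InheritedObjectType. Map
# GUID -> name from the Extended-Rights container (extended rights, property
# sets, validated writes) and from the schema (attributes, classes) so an ACE
# reads as "WriteProperty on member" rather than as a bare GUID.
$guidMap  = @{}
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize   = 1000
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
$searcher.Filter     = '(objectClass=controlAccessRight)'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('rightsGuid', 'displayName'))
foreach ($r in $searcher.FindAll()) {
    $g = [guid]$r.Properties['rightsguid'][0]
    $guidMap[$g] = '{0} (right)' -f $r.Properties['displayname'][0]
}
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
$searcher.Filter     = '(schemaIDGUID=*)'
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('schemaIDGUID', 'lDAPDisplayName'))
foreach ($r in $searcher.FindAll()) {
    # schemaIDGUID is stored as a 16-byte octet string, not as a GUID string
    $g = New-Object System.Guid -ArgumentList (, [byte[]]$r.Properties['schemaidguid'][0])
    $guidMap[$g] = [string]$r.Properties['ldapdisplayname'][0]
}

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty)     { return '(all)' }   # ACE applies to the whole object
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}
function Resolve-Sid([System.Security.Principal.IdentityReference]$id) {
    try   { $id.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$($id.Value) (unresolved)" }   # e.g. an orphaned ACE for a deleted account
}

# ActiveDirectoryRights is a [Flags] enum over the raw access mask. The Generic*
# members are composites (GenericAll = 0xF01FF), so test each single-bit member
# to list exactly which permissions one ACE grants.
$rightNames = [Enum]::GetValues([System.DirectoryServices.ActiveDirectoryRights]) |
    Where-Object { $_.ToString() -notlike 'Generic*' }
function Split-AccessMask([int]$mask) {
    $rightNames | Where-Object { ($mask -band [int]$_) -eq [int]$_ } | ForEach-Object { $_.ToString() }
}
# Rights that let the grantee change the object, its security descriptor or its
# attributes. An Allow ACE carrying any of them deserves review (heuristic only).
$takeoverRights = 'WriteDacl', 'WriteOwner', 'WriteProperty', 'Self', 'ExtendedRight',
                  'CreateChild', 'DeleteChild', 'Delete', 'DeleteTree'

$obj = [ADSI]"LDAP://$ObjectDN"
$sd  = $obj.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

# The Owner and Group fields of the security descriptor
$owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
$group = $sd.GetGroup([System.Security.Principal.SecurityIdentifier])
'Object: {0}' -f $ObjectDN
'Owner : {0}' -f (Resolve-Sid $owner)
'Group : {0}' -f (Resolve-Sid $group)

# DACL: one row per ACE, with the access mask split into individual permissions
$dacl = foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    $rights = @(Split-AccessMask ([int]$ace.ActiveDirectoryRights))
    [pscustomobject]@{
        Principal   = Resolve-Sid $ace.IdentityReference
        Type        = $ace.AccessControlType                       # Allow or Deny
        Mask        = ('0x{0:X}' -f [int]$ace.ActiveDirectoryRights)
        Rights      = $rights -join ','
        ObjectType  = Resolve-Guid $ace.ObjectType                 # attribute, class or right
        InheritFrom = Resolve-Guid $ace.InheritedObjectType        # child class the ACE applies to
        Inheritance = $ace.InheritanceType
        Inherited   = $ace.IsInherited
        Review      = ($ace.AccessControlType -eq 'Allow') -and
                      [bool]@($rights | Where-Object { $takeoverRights -contains $_ })
    }
}
$dacl | Sort-Object Review -Descending | Format-Table -AutoSize

# SACL: which accesses are audited. Empty unless the caller holds SeSecurityPrivilege.
foreach ($audit in $sd.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    '{0,-8} {1,-40} {2}' -f $audit.AuditFlags, (Resolve-Sid $audit.IdentityReference),
        ((Split-AccessMask ([int]$audit.ActiveDirectoryRights)) -join ',')
}
```

Run it from a PowerShell session on a domain-joined host as a user who can read the object's nTSecurityDescriptor. Rows with Review = True are Allow ACEs that let the principal change the object, its attributes or its security descriptor; Deny ACEs are never flagged. The Mask column is the raw access mask, so its value can be compared directly against what DSACLS or the ACL editor shows. The SACL section prints nothing unless the account holds SeSecurityPrivilege (the "Manage auditing and security log" user right).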


A Dedicated and Automated ACL Analysis Tool

In this post, we take a look at how to use a dedicated, automated Active Directory ACL viewer and analysis tool to analyze Active Directory ACLs easily and efficiently.

A dedicated ACL analysis tool makes it easy to analyze Active Directory ACLs and to look into every field of an object's ACL, including the individual permissions specified in every ACE.

With a dedicated Active Directory ACL analysis tool, IT personnel can instantly analyze the ACL of any Active Directory object in any partition, and use that information to identify security weaknesses such as excessive or unintended access, lock them down, and keep access to Active Directory content secure.

- Andrew