September 26, 2012

How to easily view, export and analyze the security permissions / access rights in an Active Directory (AD) Access Control List (ACL)


IT personnel often need to be able to view, export and analyze Active Directory ACLs to assess, audit, manage, control and lock down security permissions granted to various security principals on an Active Directory object, and to perform Active Directory Security Analysis.



Active Directory ACL Editor View - Advanced Security Settings

For instance, IT personnel often need to be able to identify -
  1. All ACEs that Deny permissions
  2. All ACEs that apply to a specific object type, such as to all User objects
  3. All ACEs that grant permissions for a specific security principal, such as Domain Admins
  4. All ACEs that are inherited but marked as Inherit-Only
  5. All ACEs that grant a specific type of permission, such as Extended Right permissions


Active Directory Users and Computers / Administrative Center are insufficient

The default means of viewing and analyzing Active Directory ACLs is via the Security Tab of either the Microsoft Active Directory Users and Computers snap-in or via the Administrative Center snap-in.


Active Directory Users and Computer Snap-In - ACL Editor | ACL Viewer

In either of these cases, the default views are not very user-friendly because they do not display the ACL as is, so one has to resort to using the Advanced button to view the underlying permissions in detail.

Even in the Advanced view, it is not easy to view the entire ACL, and it is not possible to sort the ACL by the individual security permissions contained in a single access control entry (ACE).

Because many ACEs grant multiple permissions, one needs to be able to easily view the individual permissions specified in an ACE and sort the ACL by individual permission types, but this is not possible using Microsoft's default UIs for ACL viewing.



dsacls.exe and 3rd party tools (e.g. LIZA) are also insufficient

The dsacls command-line utility is not of much help in this regard: even though it can be used to dump an object's ACL to the console, it cannot render a view wherein individual permissions are displayed in individual columns for easy viewing and analysis. Some 3rd party tools (e.g. LIZA) offer some progress in that they are able to break down the permissions, but only by a few generic permission types. They fall short in that they cannot break down the entire ACL by each of the 13 permission types in Active Directory.
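The five questions listed earlier, and the breakdown into 13 individual permission columns, can be worked through on the SDDL form of an object's security descriptor. The following Python sketch is an added example, not part of the original post or of any tool it names; the sample DACL, its SIDs and the function names are constructed for illustration, and generic rights are expanded using the directory-object generic mapping.

```python
import re

# SDDL code -> (access-mask bit, name) for the 13 AD permission types
RIGHTS = {
    "CC": (0x1, "CreateChild"), "DC": (0x2, "DeleteChild"), "LC": (0x4, "ListChildren"),
    "SW": (0x8, "Self"), "RP": (0x10, "ReadProperty"), "WP": (0x20, "WriteProperty"),
    "DT": (0x40, "DeleteTree"), "LO": (0x80, "ListObject"), "CR": (0x100, "ExtendedRight"),
    "SD": (0x10000, "Delete"), "RC": (0x20000, "ReadControl"),
    "WD": (0x40000, "WriteDacl"), "WO": (0x80000, "WriteOwner"),
}
# Generic rights expanded with the directory-object generic mapping
GENERIC = {"GA": 0xF01FF, "GR": 0x20094, "GW": 0x20028, "GX": 0x20004}
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class User
# Constructed sample DACL (SIDs and ACEs are made up for illustration)
SAMPLE = ("D:AI(A;;GA;;;DA)(OA;CIIO;RPWP;;" + USER_CLASS + ";S-1-5-21-1-2-3-1105)"
          "(D;;DTSD;;;WD)(A;CIID;CR;;;S-1-5-21-1-2-3-1106)(A;CIIOID;LCRPLO;;;AU)")

def rights_to_mask(text):
    """Convert an SDDL rights field (letter codes or a hex mask) to an int."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for code in re.findall("..", text):
        mask |= GENERIC[code] if code in GENERIC else RIGHTS[code][0]
    return mask

def parse_dacl(sddl):
    """One row per ACE (conditional ACEs not handled), a column per permission."""
    rows = []
    for body in re.findall(r"\(([^)]*)\)", sddl.split("S:", 1)[0]):
        ace_type, flags, rights, obj, inh_obj, trustee = body.split(";")[:6]
        mask = rights_to_mask(rights)
        row = {"deny": ace_type in ("D", "OD"), "trustee": trustee,
               "object_type": obj, "inherited_object_type": inh_obj,
               "flags": set(re.findall("..", flags))}
        row.update({name: bool(mask & bit) for bit, name in RIGHTS.values()})
        rows.append(row)
    return rows

def audit(sddl):
    """Indexes of the ACEs matching each of the five questions listed earlier."""
    aces = parse_dacl(sddl)
    pick = lambda test: [i for i, a in enumerate(aces) if test(a)]
    return {
        "deny": pick(lambda a: a["deny"]),
        "applies_to_user": pick(lambda a: a["inherited_object_type"] == USER_CLASS),
        "domain_admins": pick(lambda a: a["trustee"] == "DA"),
        "inherited_inherit_only": pick(lambda a: {"ID", "IO"} <= a["flags"]),
        "grants_extended_right": pick(lambda a: a["ExtendedRight"] and not a["deny"]),
    }
```

Each row returned by `parse_dacl` carries one boolean per permission type, so sorting or filtering on a single column such as `DeleteTree` is a one-line list operation, and the rows can be written out with the standard `csv` module.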


Gold Finger's ACL Viewer Capability Completely Breaks Down Individual Permissions in Active Directory ACLs

In that regard, the ACL Viewer capability of the Gold Finger Active Directory Security Audit Tool delivers the best view into Active Directory ACLs for quick and complete ACL analysis -


Gold Finger's Detailed Active Directory ACL Viewer

In particular, it not only displays each field of an Active Directory ACL in a separate column, it also has a Detailed view (activated by pressing Alt-D) that further breaks down the permission field into 13 individual columns, one for each of the 13 types of permissions available in Active Directory.

By offering this ability, it finally lets IT personnel easily analyze Active Directory ACLs by letting them sort the entire ACL by not only the basic ACE fields, but also sort the entire Active Directory ACL by individual permission types, such as Extended Rights, or Modify Permissions etc.

It thus empowers IT personnel to be able to, for the first time ever, obtain complete clarity and insight into the ACL of any Active Directory object in any directory partition, quickly and effortlessly.


Benefits

For instance, if an IT administrator wanted to identify all the ACEs in an object's ACL that grant Delete Tree permissions, Gold Finger makes accomplishing this objective as easy as touching a button.

In order to do so, the IT administrator would simply sort the ACL by the Delete Tree permission column, and by doing so be able to instantly identify all ACEs that grant this permission, either as an individual permission, or as a combination of permissions.

Not only does Gold Finger provide complete clarity into the various ACEs and permissions in an Active Directory object's ACL, it also lets IT personnel instantly export that ACL to a CSV file. This makes it possible to document and archive the ACL of an object.

In addition, Gold Finger can also be used to target specific DCs so in situations where replication issues might exist, it can help determine the differences between different ACLs simply by obtaining and comparing two versions of the same Active Directory object's ACL from two different DCs.

Gold Finger's ACL Viewer is thus the most valuable and capable Active Directory ACL Viewer as well as the world's most capable Active Directory Permissions Analyzer.

For additional details, please visit - http://www.paramountdefenses.com/goldfinger

September 17, 2012

How to View and Analyze Active Directory (AD) Object ACLs Using Gold Finger

In this blog, as we begin coverage of how to view and analyze Active Directory security permissions, ACLs and SACLs, we will make extensive use of the Gold Finger Active Directory Security/ACL/SACL Viewer Tool. It would thus be helpful to have a basic understanding of how to use Gold Finger's automated Active Directory security permissions/ACL/SACL viewing and analysis capabilities.


The following is thus a brief demo that shows how to use Gold Finger to view and analyze Active Directory security permissions, ACLs and SACLs.







In addition to being able to view and analyze Active Directory security permissions/rights, ACLs and SACLs, Gold Finger can also generate Active Directory delegated access reports that show you who is delegated what access where and how.

Once you have gained familiarity with how to use Gold Finger to view and analyze Active Directory security rights/permissions, ACLs and SACLs, it will be much easier to follow various examples that we shall share as we cover this subject.


The WikiLeaks Security Incident and the latest Anonymous Cyber-Attacks on Israel all demonstrate the importance of cyber security and IT security today. When it comes to the security of the IT infrastructures of organizations, Active Directory is at the foundation of their security and thus is mission-critical to global security today. In fact, the Most Powerful and Expensive Weapon in the World is related to Active Directory security as well.