April 15, 2013

How to View Active Directory ACLs

Active Directory is the foundation of security in Microsoft Windows Server based IT environments.

It stores and protects all vital IT resources such as user accounts, security groups, computer accounts and service connection points, which are stored in Active Directory containers and organizational units (OUs).

Active Directory Permissions in Active Directory Users and Computers Snap-In

Active Directory objects are protected by Active Directory security descriptors, which specify the object's owner and primary group, as well as a discretionary access control list (DACL) and a system access control list (SACL).

An Active Directory object's DACL contains numerous individual security permissions, also known as access control entries (ACEs). Each ACE specifies some access (allowed or denied) for some security principal, such as a user, a group or a well-known SID (security identifier). Together, all the ACEs in an object's DACL protect the object and determine the actual set of Active Directory effective permissions granted to a user on the object.

IT administrators and IT analysts often have a need to be able to view and analyze Active Directory ACLs.

How to View and Analyze Active Directory Permissions

This is needed, for example, to inspect the set of all permissions granted in an object's ACL and to perform Active Directory security analysis. It is also needed to identify advanced Active Directory Security Risks such as Active Directory Privilege Escalation, which can be exploited by insiders to obtain administrative access and take over the Active Directory.

Unfortunately, it is not always easy to analyze Active Directory ACLs, because the default Active Directory management tools do not provide lucid and clear insight into them. Command-line tools such as dsacls can help obtain a textual view of an ACL, but that output is also hard to analyze.

An Active Directory ACL displayed in the Advanced Security Settings Tab


At Paramount Defenses, we have built the world's most capable Active Directory Security Analysis tool, called Gold Finger for Active Directory, which, amongst other capabilities, features the world's most capable Active Directory ACL Viewer -


Active Directory ACL Viewer

Our ACL Viewer not only displays the complete ACL of an Active Directory object with absolute clarity and completeness, it also offers an advanced view that breaks down the various permissions encoded in each ACE's access mask into individual columns, thus making it very easy to sort the entire ACL by a specific permission type, or by inheritance or other flags -


Active Directory ACL Viewer - Detailed View

The detailed view provides instantly actionable security information, which not only saves substantial time but can be easily acted upon to make security enhancements and lock down unauthorized access grants in Active Directory.
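As an added illustration (not Gold Finger's code or any code from this post) of what such a "detailed view" does, the following parses the DACL portion of a security descriptor's SDDL text (obtainable, for example, from the Sddl property of Get-Acl on an AD: path), gives each ACE one boolean column per permission, and lets you filter the rows by a single right. The SDDL string, GUID and SIDs below are constructed placeholders.

```python
import re
# SDDL right code -> (Active Directory permission name, access-mask bit); the bits are the ADS_RIGHT_* values.
RIGHTS = [
    ("CC", "CreateChild", 0x1), ("DC", "DeleteChild", 0x2), ("LC", "ListChildren", 0x4),
    ("SW", "Self", 0x8), ("RP", "ReadProperty", 0x10), ("WP", "WriteProperty", 0x20),
    ("DT", "DeleteTree", 0x40), ("LO", "ListObject", 0x80), ("CR", "ExtendedRight", 0x100),
    ("SD", "Delete", 0x10000), ("RC", "ReadControl", 0x20000), ("WD", "WriteDacl", 0x40000),
    ("WO", "WriteOwner", 0x80000), ("GA", "GenericAll", 0x10000000), ("GX", "GenericExecute", 0x20000000),
    ("GW", "GenericWrite", 0x40000000), ("GR", "GenericRead", 0x80000000),
]
CODE_BIT = {code: bit for code, _, bit in RIGHTS}
ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Allow", "OD": "Deny"}

def rights_to_mask(field):
    """SDDL rights field (two-letter codes or a 0x hex mask) -> integer access mask."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= CODE_BIT[field[i:i + 2]]  # KeyError on an unknown right code
    return mask

def parse_dacl(sddl):
    """One row per DACL ACE with a boolean column per permission (other ACE types are skipped)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    rows = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = ace.split(";")
        if ace_type not in ACE_TYPES:
            continue
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # CI, OI, ID, IO, ...
        mask = rights_to_mask(rights)
        row = {"Trustee": trustee, "Type": ACE_TYPES[ace_type], "Mask": mask, "Inherited": "ID" in flag_set,
               "InheritOnly": "IO" in flag_set, "ObjectType": obj_guid or "(all)"}
        row.update({name: bool(mask & bit) for _, name, bit in RIGHTS})
        rows.append(row)
    return rows

def trustees_with(rows, right):
    """Trustees granted `right` by an Allow ACE on this object; a per-ACE view, not effective permissions."""
    return sorted({r["Trustee"] for r in rows
                   if r["Type"] == "Allow" and r[right] and not r["InheritOnly"]})

# Constructed sample SDDL (not taken from any real directory); the GUID and SIDs are placeholders.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"  # Domain Admins: full control
    "(A;CI;0x00020094;;;S-1-5-21-1111-2222-3333-1106)"  # hex access mask: read-only rights
    "(OA;CIID;WP;12345678-1234-1234-1234-123456789abc;;S-1-5-21-1111-2222-3333-1105)"
    "(D;;WDWO;;;WD)")  # Everyone: denied WriteDacl and WriteOwner
```

Because deny ACEs, group nesting and ownership are not evaluated, a per-ACE table like this shows who is granted what by which entry, not the effective permissions a user ends up with.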


A Demo of our Active Directory ACL Viewer

Here is a demo of our Active Directory ACL Viewer, which shows both the simple view and the detailed view mentioned above -




Our Active Directory ACL Viewer can be used to view, analyze and export the ACL of any Active Directory object in any Active Directory partition. A related capability, the ACL Exporter, can also be used to dump the ACLs of all objects in an Active Directory tree, and the Permissions Analyzer capability can be used to find out who has what permissions in Active Directory. In addition, its effective permissions capability can be used to determine effective permissions in Active Directory, which is the only way to correctly audit Active Directory permissions, and its effective delegated access reporting capability can be used to find out who is delegated which administrative tasks where in Active Directory.

For more information on Gold Finger's ACL Viewer capabilities, and to download a free trial, please visit our website, or Google "Gold Finger for Active Directory".
