
A Simple 10-Point Active Directory Security Learning Program


Active Directory Security is a vast subject, but with the right guidance, one can easily learn a lot quickly.

Here are 10 simple steps that can help you learn how to perform Active Directory Security Audits and Active Directory Security Analysis quickly –

  1. The very first step is to understand how Active Directory's security model works, as well as how security groups and security permissions protect Active Directory content.

  2. The next step is to install a test Active Directory deployment to perform tests and experiments.

  3. The third step is to get familiar with in-built admin tools like Active Directory Users & Computers.

  4. The next step is to put together a basic Active Directory security toolset comprised of –

  5. The fifth step is to create a small OU hierarchy, and some test accounts and security groups.

  6. The next step is to populate group memberships and delegate access in your OU hierarchy.

  7. The seventh step is to install the dsacls tool, the LDP tool and the Gold Finger tool, and learn how to use them to perform Active Directory Audits and Active Directory Security Analysis.

  8. The next step is to perform your first Active Directory Audit, which involves documenting the list of all accounts (and their states, such as active, inactive, expired, locked etc.), a list of all groups (and their memberships), a list of computer accounts (and their OSes), OUs, etc.

    The easiest way to do this is to launch the Gold Finger tool, select the Security Audit Reports capability, then select the audit reports you want, and click the Gold Finger button.

  9. The ninth step involves spending time and effort analyzing Active Directory ACLs and access rights. At this point, you should focus on being able to answer the following basic questions –

    • What is an Active Directory ACL, how do I view it, and what does it contain?

    • What is the difference between explicit permissions and inherited permissions?

    • What is the difference between allow permissions and deny permissions?

    • What are the 13 types of security permissions / access rights in Active Directory?

    • What are Property Sets, Extended Rights, and Validated writes?

    • What are nested group memberships, and how to enumerate a group's members?

    • What are true Active Directory Effective Permissions, and how to determine them?

    To do so, you should use Active Directory Users and Computers and the dsacls, LDP and Gold Finger tools to view, analyze and learn more about Active Directory ACLs and access rights.

    How much you learn will depend largely on the amount of time and effort invested in this step. At this point, you will have the foundation you need to perform Active Directory Access Audits.

  10. During the final step you will become intimately familiar with the innards of Active Directory security, and will know how to perform virtually any Active Directory access related audit.

    In this final step, you should focus on the concept of true effective permissions and determine how it relates to, and influences, who is effectively delegated which administrative tasks.

    This is an exploratory step, so you will have to take what you learnt thus far, and build upon it by doing some research on advanced topics like effective access and effective permissions.

    By the end of this step, you will know how to figure out answers to advanced questions like –

    • Who has what permissions on an Active Directory object?

    • Who has what effective permissions on an Active Directory object?

    • Who can perform which admin tasks by virtue of these effective permissions?

    • Who has effective permissions to perform a specific admin task (e.g. Create an account, Modify a group's membership etc.) in an OU, and/or in the entire domain?

    • What tasks can a given user perform on an individual object, or in an OU/domain?

    • Who can perform which admin tasks in the domain, in which OUs or on which objects can they perform them, and how are they able to perform them?

Once you have reached this level of familiarity with Active Directory security, you will have sufficient knowledge to be able to perform Active Directory Security and Access Audits.

Note – The guidance provided above is primarily to help learn more about how to perform Active Directory Security Analysis. It is not intended to, and does not cover how to learn more about topics like Domain Controller Security, Auditing and Secure Administrative Practices.
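The questions in steps 9 and 10 (explicit vs. inherited, allow vs. deny, nested groups, effective permissions) can be explored with a small model of how an ACL is evaluated. This is an added example, not code from the original page or from any tool it names; the users, groups and ACL are constructed, and the model is simplified: it ignores object-type ACEs (property sets, extended rights, validated writes) and owner rights.

```python
from dataclasses import dataclass

# Constructed sample data: every user, group and ACE below is hypothetical.
GROUP_MEMBERS = {
    "Helpdesk": {"alice", "carol", "Tier1"},   # Tier1 is nested in Helpdesk
    "Tier1": {"bob"},
    "Contractors": {"bob", "carol"},
}

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # user or group the ACE applies to
    rights: frozenset  # e.g. ReadProperty, WriteProperty, CreateChild
    inherited: bool    # False = explicit on the object itself

SAMPLE_ACL = [
    Ace("allow", "Helpdesk", frozenset({"ReadProperty", "WriteProperty"}), True),
    Ace("deny", "Contractors", frozenset({"WriteProperty"}), True),
    Ace("allow", "Tier1", frozenset({"WriteProperty", "CreateChild"}), False),
    Ace("deny", "bob", frozenset({"CreateChild"}), False),
]

def token_principals(user, groups=GROUP_MEMBERS):
    """The user plus every group reached through nested membership."""
    found, frontier = {user}, {user}
    while frontier:
        frontier = {g for g, m in groups.items() if m & frontier} - found
        found |= frontier
    return found

def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def effective_rights(user, acl, groups=GROUP_MEMBERS):
    """Walk the ACL in canonical order; the first ACE to decide a right wins."""
    principals = token_principals(user, groups)
    granted, denied = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny":
            denied |= ace.rights - granted   # already-granted rights stay granted
        else:
            granted |= ace.rights - denied   # already-denied rights stay denied
    return granted
```

With this sample ACL, bob keeps WriteProperty because the explicit allow for Tier1 is evaluated before the inherited deny for Contractors, while carol, who has no explicit allow, loses it.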
