In today’s short post, Part 3 of How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT administrators, IT managers, and IT and cyber security auditors can easily and instantly audit and enumerate the complete membership of any domain (Active Directory) security group, no matter how large or how deeply nested its membership might be.
Domain Security Groups / Active Directory Group Memberships
As you may know, ever since Active Directory was introduced back in 2000, virtually all security groups that are used to provision access to the entirety of an organization’s IT resources across the entire network (i.e. files and folders stored and shared on servers etc.), are all domain security groups that are stored and protected in Active Directory.
Perhaps the most familiar and well-known Active Directory security groups may be the default security groups that reside in every Active Directory domain, such as, but not limited to Enterprise Admins, Domain Admins, Schema Admins, Domain Users, Domain Computers and various other default Active Directory domain security groups.
However, in addition to these groups, in almost every Active Directory domain, depending on the organization’s size, there exist hundreds if not thousands of domain security groups, which are used to provide secure (authorized) access to thousands of organizational IT resources that are stored across the network on domain-joined computers (workstations and servers).
For instance, an organization might have an All Employees group to provision access to various files and folders, or to the company’s internal HR portal. Similarly, there might be an Executives group containing the domain user accounts of all of the company’s executives (CEO, CIO, CFO etc.). Likewise, there could be a group for a special project that numerous employees are collectively working on, say Project X, and a group called Project X could be used to grant read and write access to various resources across the network to its members only. In this manner, Active Directory domain security groups are used to protect thousands of IT resources across the network.
Group Nesting and Nested Group Memberships
Active Directory lets organizations nest Active Directory groups within other Active Directory groups, and many organizations often nest groups to make it easy to manage access.
For example, an organization may have a group called Full-Time Employees (FTEs), a group called Part-Time Employees (PTEs), and a group called All Employees. Now, instead of having to directly make all members of the FTE group and all members of the PTE group members of the All Employees group, the organization could just make the FTE and the PTE group members of the All Employees group, and in doing so would have easily accomplished the objective of making all employees members of the All Employees group.
In this manner, when used correctly, group nesting makes access easier to manage. However, a group A could be a member of another group B, which could in turn be a member of group C, and group C could be a member of group A, creating what is called a circular nested group membership. This makes enumerating the complete membership of group A, B or C difficult, because a naive expansion that does not remember which groups it has already expanded would loop forever. Incidentally, the process of identifying all the members of a group, including by expanding the memberships of any and all nested groups, is commonly called flattening a group membership.
Organizations often nest domain security groups, and domain security groups can often contain a fairly large number of domain user accounts, thus making it a little difficult to easily audit the complete flattened membership of an Active Directory domain security group. Incidentally, in addition to domain user accounts, domain computer accounts and domain service accounts can also be members of domain security groups, and domain security group memberships can span trust relationships.
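As an added example (not code from the original post or from the vendor's tool), the flattening described above, carried out over a constructed, in-memory membership map. The group names, account names and the `SAMPLE_MEMBERS` structure are assumptions for illustration; in a real domain the same edges come from each group's `member` attribute. The sample deliberately contains both a circular nesting (Project X is a member of All Employees, which reaches Project X again through FTEs) and a diamond (Contractors is reachable by two routes), so the code shows that a cycle is reported while a diamond is not:

```python
"""Flatten an Active Directory group membership while tolerating circular nesting.

Added example; this is not code from the original post or from the vendor's tool.
The membership map below is constructed for illustration. In a real domain the
same data comes from each group's `member` attribute; accounts whose membership
comes only from primaryGroupID (e.g. Domain Users) are not modelled here.
"""

# Constructed sample: group name -> direct members. Every key is a group; any
# member that is not a key is treated as an account (user, computer or service).
SAMPLE_MEMBERS = {
    "All Employees": ["FTEs", "PTEs", "svc-hrportal"],
    "FTEs": ["alice", "bob", "Project X"],
    "PTEs": ["carol", "Contractors"],
    "Project X": ["dave", "Contractors", "All Employees"],  # closes a cycle
    "Contractors": ["grace"],                               # reached twice (diamond), not a cycle
    "Executives": ["erin", "frank"],
}
SAMPLE_GROUPS = set(SAMPLE_MEMBERS)


def flatten_group(name, members, groups):
    """Return (accounts, nested_groups, cycles) reachable from group `name`.

    Depth-first expansion. `path` holds the groups currently being expanded, so
    a member that is already on the path is a back edge (circular nesting) and is
    recorded instead of followed. `done` holds fully expanded groups, so a group
    reached by two different routes is expanded once and is NOT reported as a cycle.
    """
    if name not in groups:
        raise ValueError(f"{name!r} is not a group")
    accounts, nested, cycles, done = set(), set(), [], set()

    def expand(group, path):
        for member in members.get(group, []):
            if member not in groups:
                accounts.add(member)
            elif member in path:
                cycles.append((group, member))
            elif member not in done:
                nested.add(member)
                expand(member, path | {member})
        done.add(group)

    expand(name, {name})
    return accounts, nested, cycles


def groups_for_account(account, members, groups):
    """Every group whose flattened membership contains `account` (direct or nested)."""
    return sorted(g for g in groups if account in flatten_group(g, members, groups)[0])


if __name__ == "__main__":
    for group in sorted(SAMPLE_GROUPS):
        accounts, nested, cycles = flatten_group(group, SAMPLE_MEMBERS, SAMPLE_GROUPS)
        print(f"{group}: {len(accounts)} accounts via {len(nested)} nested groups; "
              f"cycles: {cycles or 'none'}")
    print("grace belongs to:", groups_for_account("grace", SAMPLE_MEMBERS, SAMPLE_GROUPS))
```

Note what the cycle does to the second report: because Project X, FTEs and All Employees form a ring, every account in any of them is a member of all three, so `groups_for_account("alice")` lists all three even though alice is a direct member of FTEs only. Against a live domain, the server can do the same expansion for you: an LDAP filter using the matching rule in chain, `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, returns every object whose chain of memberOf links reaches the group, and the directory service handles circular nesting itself.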
How to Easily Audit Active Directory Security Groups
For various reasons, such as to manage access, to provision access, to verify provisioned access, to troubleshoot access-denied issues, to demonstrate regulatory compliance etc., organizational IT personnel often have a need to be able to audit Active Directory domain security groups.
To accomplish this, some IT personnel manually determine the membership of an Active Directory domain security group, for example by viewing and analyzing the group’s membership in Active Directory Users and Computers (ADUC), while others write PowerShell scripts to do the same. The challenge with PowerShell scripts is that their accuracy depends on the expertise of whoever wrote them, and if someone were to accidentally change them, they could deliver inaccurate results. Thus, it is best to rely on a dedicated tool that is tamper-proof and developed by experts who understand all the intricacies involved.
With that in mind, at Paramount Defenses, based on many customer requests, we built what we believe is the world’s simplest and yet most capable Active Directory Group Membership Audit Tool, one that can enumerate the complete membership of any domain security group, no matter how deeply it may be nested, whether it contains circular memberships, whether it includes dynamic groups whose memberships need to be evaluated in real time, or whether you wish to audit the list of all domain security groups to which a user’s domain account belongs.
Here’s a very quick and simple demo of our Group Membership Audit Tool, which today is used worldwide by so many organizations to audit Active Directory group memberships –
If you can click a button, you can now audit the complete, nested membership of any and every domain security group in Active Directory, whether it be a domain local group, a global group, a universal group or a well-known group, as well as the complete list of all domain security groups to which a user’s domain-user account belongs.
We believe that enumerating and auditing Active Directory domain security group memberships does not get any easier than this – all you have to do is click a button. You can also export the group membership results to a CSV file as well as generate a customized professional-grade PDF report, complete with a custom title, logo, header, description, footer, password-protection etc.
In short, this tool enables and empowers everyone to be able to easily, instantly and professionally enumerate domain security groups in Active Directory, on-demand, at the touch of a button.
Lastly, the tool was built not only with security in mind, and is thus designed to set the bar for trustworthiness, but also with ease of use and deployment in mind: it can be downloaded, installed and run in under 2 minutes, without requiring any administrative privilege. For more info, please check out its page – Active Directory Group Membership Audit Tool.
For Advanced Users
Advanced Users will appreciate that while it may be important to be able to audit the complete membership of any specific Active Directory domain security group, it is equally (if perhaps not more) important to be able to accurately audit exactly who can change the membership of every such group in Active Directory, because anyone who could change the membership of any group, could instantly obtain access to everything that group has access to.
For example, consider the Domain Admins security group. Whilst most organizations may audit the membership of the Domain Admins security group, and do so frequently, hardly any organizations also audit exactly who can change the membership of the Domain Admins group, even though anyone who could do so is equally as powerful as are the Domain Admins.
In fact, auditing who can change an Active Directory domain security group’s membership is a very difficult task, because the only way to correctly make this determination is to accurately determine effective permissions/access on that domain security group’s object in Active Directory, and it is very difficult to accurately determine/calculate effective permissions in Active Directory.
Those who don’t know enough about Active Directory may errantly assume that they could simply write a PowerShell script to accurately determine effective permissions in Active Directory, but those who know Active Directory security well will tell you that it’s very difficult to write any kind of PowerShell that can accurately determine effective permissions in any Active Directory domain/forest. As a result, it remains extremely difficult for organizations to fulfill this paramount need.
Fortunately, our advanced tooling, i.e. our Active Directory Effective Permissions Calculator, uniquely empowers organizations worldwide to easily find out exactly who can change the membership of any domain security group in their Active Directory. It was architected by a former Microsoft Program Manager for Active Directory Security and is endorsed by Microsoft.
Got thousands of groups? No problem. Our unique and unrivaled Active Directory Administrative Access and Delegation Audit Tool can automatically determine effective permissions/access on thousands of Active Directory security groups in an entire domain, at the touch of a single button, to reveal within minutes exactly who can change which domain security group, and how, so that organizations can, for the first time ever, actually know exactly who can change which domain security group, and how.
We believe that all organizations that operate on Active Directory must know at all times not only who the members of all their domain security groups are, but equally and perhaps more importantly, also exactly who can change the membership of every single one of their domain security groups, and together our basic and advanced tooling empowers organizations worldwide to be able to accomplish both these objectives, with equal ease.
Should you wish to learn more about the unique and innovative features of our basic and advanced Active Directory audit tools, here’s a good starting point – Gold Finger.
In today’s short post, part 2 of How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT admins, IT managers, IT consultants as well as IT and Cyber Security auditors can easily audit Active Directory to identify all domain-joined computers in an Active Directory domain whose domain computer accounts are “Trusted for Unconstrained Delegation.”
Computers “Trusted for Unconstrained Delegation”
Computers whose domain computer accounts are “Trusted for Unconstrained Delegation” could pose a security risk as they could be misused to engage in Active Directory Privilege Escalation.
Trusted for Unconstrained Delegation
In particular, if a computer’s domain-computer account in Active Directory was configured to be “Trusted for Unconstrained Delegation”, then anyone with admin access to that computer could launch a service (running as System* on that computer) that could be designed to obtain a Kerberos ticket to any resource on behalf of any* client that could be lured to access that service, and this could be used to compromise security by providing the perpetrator the opportunity to impersonate ordinary, privileged and executive users (e.g. CEO, CFO, CIO etc.) to obtain unauthorized access to files, folders, computers, servers, internal sites, SharePoint portals, databases, line-of-business applications, HR systems etc., as well as to engage in Active Directory Privilege Escalation.
By way of example, if a rogue insider had admin access on a computer whose domain-computer account was marked as “Trusted for Unconstrained Delegation”, then he/she could launch a service on that computer such that, if he/she could then lure an Active Directory privileged user to connect to that service, he/she could have that service request and obtain a Kerberos ticket to any resource of choice, including to Domain Controllers, in the security context of the client, which in this case would be an Active Directory privileged user. In doing so, the perpetrator could instantly elevate privilege to that of an Active Directory privileged user, thereby easily and instantly obtaining complete command and control over the entire Active Directory forest.
*Note: In the interest of simplicity, the description provided above is highly simplified. It may further be noted that alternatives such as constrained Kerberos delegation could be used to mitigate risk.
Ideally, only Domain Controllers should have the “Trusted for Unconstrained Delegation” bit set on their domain computer accounts. Unfortunately though, due to various reasons, such as legacy requirements, misconfiguration, scripting errors, or malicious changes, there could be other computers in an Active Directory forest that have this sensitive Kerberos setting enabled.
Thus, all organizations operating on Active Directory should consider frequently performing an Active Directory audit to identify domain computer accounts “Trusted for Unconstrained Delegation”.
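As an added example (not code from the original post or from the vendor's tool), the audit described above expressed as a check over computer account records. The records are constructed; in a real domain they would come from an LDAP query for the attributes named in each record, and the `UNCONSTRAINED_FILTER` string is the filter such a query would use. The `userAccountControl` bit values, the matching-rule OID and the primary group RIDs are the documented Active Directory values; everything else (names, the `corp.example` SPN) is assumed for illustration. The example goes slightly beyond the post in also recognising constrained delegation, so that the report shows which computers are the ones the post is concerned about and which are merely delegating to a named service:

```python
"""Classify domain computer accounts by their Kerberos delegation setting.

Added example; not code from the original post or from the vendor's tool.
The records below are constructed. In a real domain they would be read from
each computer object's userAccountControl, primaryGroupID and
msDS-AllowedToDelegateTo attributes.
"""

# userAccountControl bits (documented Active Directory values)
TRUSTED_FOR_DELEGATION = 0x80000            # "Trusted for Unconstrained Delegation"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # set on writable domain controller accounts
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary member servers and workstations

# primaryGroupID values of domain controller accounts
DOMAIN_CONTROLLERS_RID = 516
READ_ONLY_DCS_RID = 521

# LDAP bitwise-AND matching rule: returns every computer with the bit set.
UNCONSTRAINED_FILTER = (
    "(&(objectCategory=computer)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={TRUSTED_FOR_DELEGATION}))"
)

# Constructed sample records (hostnames and SPN are placeholders).
SAMPLE_COMPUTERS = [
    {"name": "DC01", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": DOMAIN_CONTROLLERS_RID, "msDS-AllowedToDelegateTo": []},
    {"name": "FS01", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 515, "msDS-AllowedToDelegateTo": []},          # the finding
    {"name": "WEB01", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "primaryGroupID": 515, "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},
    {"name": "WS01", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "primaryGroupID": 515, "msDS-AllowedToDelegateTo": []},
]


def delegation_type(record):
    """'unconstrained', 'constrained', 'constrained (protocol transition)' or 'none'."""
    uac = record["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if record.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"


def is_domain_controller(record):
    """DCs are expected to carry the unconstrained bit; everything else is a finding."""
    if record["userAccountControl"] & SERVER_TRUST_ACCOUNT:
        return True
    return record.get("primaryGroupID") in (DOMAIN_CONTROLLERS_RID, READ_ONLY_DCS_RID)


def audit_unconstrained(records):
    """Names of non-DC computer accounts that are trusted for unconstrained delegation."""
    return sorted(
        r["name"] for r in records
        if delegation_type(r) == "unconstrained" and not is_domain_controller(r)
    )


if __name__ == "__main__":
    print("LDAP filter:", UNCONSTRAINED_FILTER)
    for r in SAMPLE_COMPUTERS:
        role = "DC" if is_domain_controller(r) else "member"
        print(f"{r['name']:6} {role:6} {delegation_type(r)}")
    print("Non-DC accounts trusted for unconstrained delegation:", audit_unconstrained(SAMPLE_COMPUTERS))
```

The filter alone is what a one-line audit looks like; the `is_domain_controller` exclusion is what turns the raw list into the finding the post is after, since writable DCs legitimately carry the bit. Constrained delegation entries (`msDS-AllowedToDelegateTo`) are reported separately so they are not mistaken for the unconstrained case, but they still name the exact services a computer may impersonate users to and are worth reviewing on their own.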
How to Audit Computer Accounts Trusted for Unconstrained Delegation
Here’s a quick video that shows how anyone can instantly audit Active Directory to identify all domain computer accounts that are “Trusted for Unconstrained Delegation” –
As seen above, one does not need to know Active Directory or have admin access to perform this simple audit. All you need is a domain-user account to perform this audit, and it takes seconds.
Thus, to make this easy, our Active Directory Security Audit Tool has a dedicated report to help IT personnel audit all domain computer accounts that are “Trusted for Unconstrained Delegation.”
This tool can be downloaded, installed and run all in under 2 minutes, without requiring any admin privileges.
For Advanced Users
Advanced users know that anyone who has sufficient delegated administrative access in Active Directory to be able to modify this setting on various domain computer accounts in Active Directory, could easily enable this setting on various computers, and potentially provide themselves the opportunity to enact an Active Directory Privilege Escalation attack as described above. Thus, ideally organizations should also frequently audit their Active Directory to determine exactly who can change the “Trusted for Unconstrained Delegation” setting on all their domain computer accounts.
This is an advanced Active Directory audit that requires the ability to perform accurate Active Directory effective permissions analysis on all domain computer accounts in an Active Directory domain. The accurate determination of Active Directory effective permissions is a very difficult, expertise-reliant, time-consuming and error-prone process. Unfortunately, even PowerShell isn’t that powerful.
Our advanced Active Directory Effective Permissions Audit Tool and Active Directory Administrative Access and Delegation Audit Tool uniquely automate the ability to accurately determine effective permissions/access, both on a per-object basis, as well as on all domain computer accounts in an Active Directory domain at the touch of a button, thus providing advanced users and all security conscious organizations the unique ability to be able to audit and uncover exactly who can change/modify this sensitive setting on all domain-joined computers in an Active Directory domain.
To conclude this post, basic users may want to begin by identifying all domain computer accounts that are “Trusted for Unconstrained Delegation” and advanced users may additionally want to further identify exactly who can change this setting on each and every one of their domain-joined computers. Considering that there could be thousands of domain-joined computers in an Active Directory domain, and a delegated administrator need only change this setting on any ONE domain-joined computer to be in a position to launch an Active Directory privilege escalation attack, hopefully advanced users will see why making this determination is so important to organizational cyber security.
In today’s short post, which is part 1 of our posts on How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT administrators, IT managers, IT consultants as well as IT and Cyber Security auditors worldwide can easily perform a basic Active Directory audit using the free version of our unique, trustworthy, professional-grade Active Directory Audit Tool.
Basic Active Directory Audit vs Advanced Active Directory Audit
A Basic Active Directory Audit is one that includes an audit of all basic aspects of Active Directory security, such as obtaining an overview and details of Active Directory content, including basic details about Active Directory domain user accounts (e.g. how many in total, as well as their state e.g. active accounts, inactive accounts, stale accounts, expired accounts, etc.), domain computer accounts (e.g. how many in total, security settings, operating system/role e.g. domain controllers, workstations, servers, trusted for unconstrained delegation etc.), domain security groups (type, empty etc.), Organizational Units (OUs), GPOs, service connection points etc.
In contrast, an Advanced Active Directory Audit, a topic that we will cover in days to come, covers advanced Active Directory Security topics, such as accurately identifying all privileged users in Active Directory, correctly identifying who can run Mimikatz DCSync against an Active Directory domain, accurately identifying who has what administrative access (both delegated and unrestricted) domain-wide in Active Directory, correctly auditing all administrative delegations in Active Directory, accurately identifying effective permissions/access on all sensitive Active Directory objects etc.
For example, a basic Active Directory audit may include a list of all domain user accounts as well as their account states, whereas an advanced Active Directory audit would additionally accurately identify exactly who can manage these domain user accounts (e.g. who can reset their passwords, delete them, change access control on them, etc.). Similarly, while a basic Active Directory audit may involve identifying privileged users in Active Directory based on the value of the admincount attribute on domain user accounts (which is not the right way to do so), an advanced Active Directory audit would involve identifying privileged users in Active Directory based on an accurate domain-wide determination of who can actually enact what privileged tasks in Active Directory (which is the right way to do so).
Today everyone can instantly perform a basic Active Directory audit for free with our free tool. Additionally, with our paid tools everyone can also instantly perform advanced Active Directory audits.
How to Easily Perform an Active Directory Audit
Here’s a quick video that shows just how easy it is to perform Active Directory Audits with our basic free Active Directory Audit Tool –
In addition to being able to perform domain-wide audits, with our tooling IT personnel can also target specific OUs, use custom LDAP filters, as well as control the scope and the depth of an audit.
Sample Active Directory Audit Reports
Here are just a few of over 100 helpful fully customizable (via LDAP filters) Active Directory audit reports that IT personnel can instantly generate using our free Active Directory Audit Tool –
List of all domain user accounts in an Active Directory domain, including all active, inactive (stale), expired, new and unused Active Directory domain user accounts
List of all administrative user accounts in an Active Directory domain (based on admincount attribute)
List of all domain user accounts that have logged in the last 24 hours, 1 week, 1 month, 3 months, 1 year (based on True Last Logon reporting)
List of all domain user accounts that have not logged in the last 24 hours, 1 week, 1 month, 3 months, 1 year (based on True Last Logon reporting)
List of all domain user accounts that are currently disabled and/or locked
List of all domain user accounts that have failed a logon attempt in the last 24 hours
List of all domain user accounts that do not have an expiration date
List of all domain user accounts that do not require passwords to logon
List of all domain user accounts that require Smartcards for interactive logon
List of all domain computer accounts (including their type, operating system, manager etc.)
List of all domain controllers in an Active Directory domain
List of all domain computer accounts that are trusted for unconstrained delegation
List of all stale domain computer accounts (based on True Last Logon reporting)
List of all domain computer accounts that are members of default privileged/administrative security groups (based on admincount)
List of all domain security groups, including their type i.e. builtin, domain-local and universal
List of all organizational units in an Active Directory domain (and optionally, also their contents)
List of all service connection points in an Active Directory domain, including their keywords, vendor and other information
List of all containers, GPOs, print-queues, contacts, mailboxes etc. in an Active Directory domain
List of all sites, subnets, trust relationships, Schema classes and attributes in an Active Directory forest etc.
A custom list based on specific parameters that can be customized using custom LDAP filter of your choice
Each one of these reports can be instantly generated using our free tool. Our free basic Active Directory Audit Tool includes 100 built-in, fully customizable (via LDAP filters) Active Directory audit reports. It does not require any administrative access or any knowledge of Active Directory to use. It can be downloaded and installed on any domain-joined machine in under 2 minutes.
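As an added example (not code from the original post or from the vendor's tool), the account-state classification behind several of the user reports listed above, run over constructed user records. It shows the attributes each report actually reads: the `userAccountControl` bits for disabled, password-not-required, password-never-expires and smartcard-required accounts; `accountExpires` (a Windows FILETIME, where 0 or the maximum value means "never"); and `lastLogonTimestamp` for staleness. The bit values and the FILETIME epoch are the documented Windows values; the account names, the fixed audit date `NOW` and the 90-day threshold are assumptions. The staleness check adds the caveat behind "True Last Logon" reporting: `lastLogonTimestamp` is the replicated attribute but is only refreshed when it is more than about 14 days old, so it can understate the real last logon by up to 14 days, and the check widens the threshold by that much to avoid false positives.

```python
"""Classify domain user accounts by state, as a basic AD audit report would.

Added example; not code from the original post or from the vendor's tool.
Records are constructed; in a real domain they come from each user object's
userAccountControl, accountExpires, lastLogonTimestamp and lockoutTime.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented Active Directory values)
ACCOUNTDISABLE = 0x2
PASSWD_NOTREQD = 0x20
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

FILETIME_EPOCH_OFFSET = 11644473600          # seconds from 1601-01-01 to 1970-01-01
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}      # both encodings of "no expiration date"
LASTLOGONTIMESTAMP_LAG_DAYS = 14             # default msDS-LogonTimeSyncInterval

NOW = datetime(2018, 7, 4, tzinfo=timezone.utc)   # assumed audit date, fixed for the example


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return datetime.fromtimestamp(ft / 10_000_000 - FILETIME_EPOCH_OFFSET, tz=timezone.utc)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, whole seconds only (integer arithmetic, no float loss)."""
    return (int(dt.timestamp()) + FILETIME_EPOCH_OFFSET) * 10_000_000


# Constructed sample records.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "accountExpires": 0x7FFFFFFFFFFFFFFF, "lockoutTime": 0,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "accountExpires": datetime_to_filetime(NOW - timedelta(days=10)), "lockoutTime": 0,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=120))},
    {"sAMAccountName": "svc-legacy", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "accountExpires": 0, "lockoutTime": 0, "lastLogonTimestamp": 0},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | SMARTCARD_REQUIRED,
     "accountExpires": datetime_to_filetime(NOW + timedelta(days=30)),
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2)),
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=95))},  # inside the lag window
]


def account_findings(record, now=NOW, stale_days=90):
    """Return the list of report categories this account falls into."""
    uac = record["userAccountControl"]
    findings = []
    if uac & ACCOUNTDISABLE:
        findings.append("disabled")
    if uac & PASSWD_NOTREQD:
        findings.append("password not required")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("password never expires")
    if uac & SMARTCARD_REQUIRED:
        findings.append("smartcard required")
    # lockoutTime is not cleared when the lockout duration elapses, so a non-zero
    # value means a lockout was recorded, not necessarily that it is still in force.
    if record.get("lockoutTime", 0):
        findings.append("lockout recorded")
    expires = record["accountExpires"]
    if expires in NEVER_EXPIRES:
        findings.append("no expiration date")
    elif filetime_to_datetime(expires) < now:
        findings.append("expired")
    ts = record.get("lastLogonTimestamp", 0)
    if ts == 0:
        findings.append("never logged on")
    elif now - filetime_to_datetime(ts) > timedelta(days=stale_days + LASTLOGONTIMESTAMP_LAG_DAYS):
        findings.append("stale")
    return findings


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f"{user['sAMAccountName']:12} {', '.join(account_findings(user)) or 'no findings'}")
```

The `carol` record is the instructive one: her `lastLogonTimestamp` is 95 days old, which is past a plain 90-day threshold, but because the attribute may lag the true last logon by up to 14 days she is not reported stale. A report that wants exact last logon (the "True Last Logon" the post refers to) has to read the non-replicated `lastLogon` attribute from every domain controller and take the maximum, which this offline example cannot do.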
Tool Download Point + Additional Info
You can download our free Active Directory audit tool from here. For more info on advanced Active Directory audits, you can download our 100+ slide-deck on Active Directory Security.
In days to come, we will cover how to perform specific basic as well as advanced Active Directory audits.
Hello. I hope this finds you doing well. Relative to 2017, I know we’ve been quiet for a bit, because, behind the scenes, we’ve been very busy helping protect foundational cyber security worldwide.
It’s 2018, i.e. 18 years since Microsoft shipped Active Directory, yet most organizations worldwide don’t even have the means to adequately protect their foundational Active Directory deployments.
We know so, because over the last few years, we’ve had thousands of organizations from 160+ countries worldwide knock at our doors, unsolicited, so we know just how much (/little) they know.
What’s most concerning is that they don’t even seem to know that they cannot adequately secure even a single object in their Active Directory without possessing a paramount security capability.
This alarming situation can be attributed to two main reasons – at organizations worldwide, executive management seems to have no idea about the colossal impact an Active Directory security breach could have on their organization (and middle-tier IT management too seems to be clueless), and their IT personnel don’t even seem to know certain cardinal basics of Active Directory security.
That’s about to change, because in weeks to come, we’re going to directly inform thousands of CEOs worldwide about the serious cyber security risks their organizations remain exposed to today.
Finally, since most IT and cyber security personnel worldwide still seem to have much to learn, starting July 04 2018, we’re going to conduct a helpful Back to the Basics campaign on this blog.
In short, it’s time to help educate and safeguard Microsoft’s global ecosystem, because, as explained here, today corporate, national and global security all depend on Active Directory Security.
This is the least we can do, because, as I shared last week …
Starting July 04, 2018, we’re going to start educating organizations worldwide, and safeguard the foundational cyber security of thousands of business and government organizations worldwide.
As you may know, lately Active Directory Security seems to have been getting a lot of attention from traditional network security / hacking / cyber security folks (both on the good and the not-so-good side), many of whom may actually be new to the subject of Active Directory Security, and most of whom seem to be primarily interested in identifying privileged users in Active Directory.
As you may also know, there are primarily two categories of admins that possess privileged access in Active Directory – those that are members of the default Active Directory administrative groups (e.g. Domain Admins) and thus have complete and unrestricted access, and those for whom varying levels of privileged access may have been delegated/provisioned in Active Directory.
Now, while identifying privileged users that may be members of the default administrative groups is straightforward, identifying exactly who is actually delegated what administrative privileges in Active Directory is not straightforward, and thus at many organizations, IT personnel often end up not taking delegated admins into account when identifying privileged users in Active Directory.
As a result, in many Active Directory deployments there are many accounts that may not be members of the default administrative groups, yet possess varying levels of privileged access in Active Directory, and in many cases, these accounts may have sufficient privileges so as to be able to either directly or indirectly control various unrestricted privileged accounts in Active Directory.
For instance, consider the domain user account of an individual named John Doe, who may not be a member of any default admin group in Active Directory, but for whom there may exist a security permission in the access control list (ACL) of the AdminSDHolder object that effectively grants him the Reset Password extended right and/or the Write-Property Member security permission. Even though John Doe isn’t a member of any default AD administrative group, he is for all practical purposes a Domain Admin since he has sufficient effective access so as to be able to reset every Domain Admin equivalent account’s password as well as sufficient effective access so as to be able to change the membership of every default administrative group in Active Directory!
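As an added example (not code from the original post or from the vendor's tooling), a scan of a constructed AdminSDHolder ACL for exactly the two permissions the John Doe scenario above relies on: the Reset Password extended right and Write-Property on the `member` attribute, plus the Write-DAC and Write-Owner rights that would let a principal grant itself either. The rights GUIDs and access-mask bits are the documented Active Directory values; the trustee names, the placeholder GUIDs for unrelated rights, and the `EXPECTED_TRUSTEES` set are assumptions. This is a plain allow-ACE scan over the object's own DACL, not an effective-permissions calculation: it does not expand group membership of trustees, does not apply deny ACEs or ACE ordering, and ignores the object owner, which is precisely the gap the post says makes effective permissions hard to compute.

```python
"""Scan an AdminSDHolder DACL for ACEs that confer Domain Admin-equivalent power.

Added example; not code from the original post or from the vendor's tooling.
The ACEs below are constructed. A real audit would read the nTSecurityDescriptor
of CN=AdminSDHolder,CN=System,<domain DN>. SDProp periodically stamps this ACL
onto every protected account and group, which is why a single ACE here applies
to all of them.
"""

# Rights GUIDs (documented values from the schema and extended-rights container)
RESET_PASSWORD_RIGHT = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"      # schemaIDGUID of `member`
# Placeholders standing in for unrelated rights/attributes in the sample ACL
OTHER_RIGHT_PLACEHOLDER = "00000000-0000-0000-0000-000000000001"
OTHER_ATTR_PLACEHOLDER = "00000000-0000-0000-0000-000000000002"

# Access mask bits (ADS_RIGHT_* values)
DS_READ_PROP = 0x10
DS_WRITE_PROP = 0x20
DS_LIST = 0x4
DS_CONTROL_ACCESS = 0x100
READ_CONTROL = 0x20000
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000
GENERIC_ALL = 0x10000000

# Capability -> (mask bit, object type GUID the ACE must carry, or None for whole-object)
DANGEROUS = {
    "reset any protected account's password": (DS_CONTROL_ACCESS, RESET_PASSWORD_RIGHT),
    "change membership of every protected group": (DS_WRITE_PROP, MEMBER_ATTRIBUTE),
    "rewrite the ACL itself": (WRITE_DAC, None),
    "take ownership": (WRITE_OWNER, None),
}

# Constructed sample DACL. `object_type` None means the ACE applies to the whole object.
SAMPLE_ACES = [
    {"trustee": "CORP\\Domain Admins", "type": "allow", "mask": GENERIC_ALL, "object_type": None},
    {"trustee": "BUILTIN\\Administrators", "type": "allow", "mask": GENERIC_ALL, "object_type": None},
    {"trustee": "NT AUTHORITY\\Authenticated Users", "type": "allow",
     "mask": READ_CONTROL | DS_LIST | DS_READ_PROP, "object_type": None},
    {"trustee": "CORP\\Cert Publishers", "type": "allow", "mask": DS_WRITE_PROP,
     "object_type": OTHER_ATTR_PLACEHOLDER},                      # harmless attribute write
    {"trustee": "CORP\\helpdesk-l2", "type": "allow", "mask": DS_CONTROL_ACCESS,
     "object_type": OTHER_RIGHT_PLACEHOLDER},                     # some other extended right
    {"trustee": "CORP\\jdoe", "type": "allow", "mask": DS_CONTROL_ACCESS,
     "object_type": RESET_PASSWORD_RIGHT},                        # the post's John Doe
    {"trustee": "CORP\\jdoe", "type": "allow", "mask": DS_WRITE_PROP,
     "object_type": MEMBER_ATTRIBUTE},
    {"trustee": "CORP\\svc-backup", "type": "allow", "mask": WRITE_DAC, "object_type": None},
]
EXPECTED_TRUSTEES = {"CORP\\Domain Admins", "BUILTIN\\Administrators"}  # assumed baseline


def ace_grants(ace, right_bit, object_guid):
    """True if an allow ACE grants `right_bit` on the whole object or on `object_guid`."""
    if ace["type"] != "allow":
        return False
    if ace["mask"] & GENERIC_ALL:
        return True
    if not ace["mask"] & right_bit:
        return False
    return ace.get("object_type") in (None, object_guid)


def find_shadow_admins(aces, expected_trustees):
    """trustee -> sorted capabilities, for every trustee outside the expected baseline."""
    findings = {}
    for ace in aces:
        if ace["trustee"] in expected_trustees:
            continue
        for label, (bit, guid) in DANGEROUS.items():
            if ace_grants(ace, bit, guid):
                findings.setdefault(ace["trustee"], set()).add(label)
    return {trustee: sorted(caps) for trustee, caps in findings.items()}


if __name__ == "__main__":
    for trustee, caps in find_shadow_admins(SAMPLE_ACES, EXPECTED_TRUSTEES).items():
        print(f"{trustee}: can {'; '.join(caps)}")
```

Two things the output makes concrete: the helpdesk and Cert Publishers entries have the same mask bits as the dangerous ones and are only distinguishable by their object-type GUID, which is why "who has Write-Property?" is the wrong question and "Write-Property on which attribute?" is the right one; and `svc-backup` holds no password or membership right at all, yet Write-DAC on AdminSDHolder lets it add either, so an audit that only looks for the two direct rights would miss it.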
It is such accounts that those who may be new to the subject have been referring to as Stealthy Admins in Active Directory, even though those who know Active Directory well know that these are merely delegated admin accounts and/or admin accounts for whom access may have been provisioned, and thus strictly speaking, there’s nothing stealthy about them. Nonetheless, to those who may be new to the subject, they may appear to be stealthy as they’re not members of the default administrative groups, which in a way perhaps makes such accounts hard to identify.
In that presentation, a whitepaper on which can now be downloaded from here, its authors have presented what may seem like a ground-breaking revelation to those uninitiated to the subject.
Earlier this month, I shared how organizations can easily identify and thwart sneaky persistence in Active Directory based on “hiding” objects in Active Directory within just minutes. I had also said that while amateurs rely on this technique, proficient perpetrators rely on using what I called “real” sneaky persistence in Active Directory, a way to hide that’s 100 times harder to detect.
“Real” sneaky persistence in Active Directory is a technique via which a proficient perpetrator could plant backdoors inside Active Directory access control lists (ACLs) that would be extremely difficult to identify with the naked eye (or even with basic Active Directory permissions analysis tooling) yet allow the perpetrator to gain unrestricted privileged access in Active Directory at will. Simply put, it involves exploiting the sophistication of Active Directory’s powerful security model and the sheer complexity of the ocean of Active Directory security permissions that exist in the thousands of Active Directory ACLs that exist in every Active Directory domain to hide in plain sight wherein none of it is obvious, yet all of it leads to the “Keys to the Kingdom.”
Earlier this week, I also shared how organizations can identify and thwart “real” sneaky persistence in Active Directory with equal ease. Indeed, “real” sneaky persistence is very powerful, effective and dangerous, and likely a clear and present danger, but fortunately today every organization that wishes to identify and mitigate the risk posed by “real” sneaky persistence can today do so.