Today, I would like to cover a paramount cyber security topic, one that is at the very heart, root and foundation of organizational cyber security worldwide – Active Directory Effective Permissions.
Before I share its technical and other salient aspects, I should mention that not a single organization in the world that today operates on Microsoft Active Directory can be adequately secured without possessing this paramount cyber security capability, simply because nothing (i.e. not a single object) in Active Directory can be secured without possessing this fundamental capability
In other words, from Microsoft to the entirety of the Fortune 1000, and from the White House to the entirety of all government organizations worldwide, every organization requires this capability.
That said, let me share with you what Active Directory Effective Permissions
are and why they are paramount to cyber security today…
Active Directory Effective Permissions
Most simply put, Active Directory Effective Permissions are the security permissions that are effectively granted to various individuals in an organization on various objects in their Active Directory.
They keyword here is effective(ly) so let’s take a minute to comprehend it.
As you may know, in every IT infrastructure powered by Microsoft Windows Server platform, literally every building block of organizational cyber security, from the entirety of all organizational user accounts and privileged user accounts, to the computer accounts of the entirety of the organization’s computers, to the entirety of domain security groups used to facilitate secure access to all IT resources across the network, as well as the entirety of all group policies that are used to manage all organizational computers as well as their security, is an object in Active Directory.
Since each one of these objects, i.e. user accounts, computer accounts, security groups and policies etc. also need to be managed, Active Directory lets organizations precisely delegate/provision varying levels of access on these objects so as to enable organizational IT personnel and other involved stakeholders to be able to manage, modify and secure these Active Directory objects.
To do so, Active Directory protects each such object with a security descriptor that contains, amongst other parts, an access control list ACL, which is simply a collection of zero or more access control entries (ACEs), each one of which exists to Allow or Deny a specific type of access i.e. security permissions, to a specific security principal i.e. a user, security group, well-known SID etc.
Now, speaking of security permissions, Active Directory’s security model offers a rich set to choose from. There are almost a dozen generic security permissions (Read Control, List Child, List Object, Write Owner, Write DACL, Standard Delete, Delete Tree, Create Child, Delete Child, Read Properties, Write Properties), over five dozen specialized security permissions known as Extended Rights that control specific actions as well as several Validated Writes, so many security permissions could be specified for a specific security principal.
A highly simplified description of how it all comes into play is that when a specific security principal (such as a user, a computer or a service account) attempts (i.e. requests access) to perform a specific operation (that is controlled by one of the above mentioned Active Directory security permisisons) on a specific Active Directory object, the system subjects the request to an access check, which involves considering the security principal’s identity and its security affiliations (i.e. its security group memberships), then analyzing the target Active Directory object’s security descriptor (i.e. the various security permissions specified in the ACEs that comprise its ACL) to determine whether or not the requested access is effectively allowed. If it is, access is allowed, else, it is denied.
In short, simply put, if a security principal has the effective access (i.e. effective permissions) that it is requesting on an Active Directory object, then the access will be granted, else it will be denied.
To tie this to a real-world example, if an intruder attempts to reset the password of a Domain Admin, if he/she has sufficient effective permissions to do so on the object, the request will be allowed. Similarly, as you may know, if an intruder attempts to replicate secrets from Active Directory, if he/she has sufficient effective permissions to do so on the domain root, the request will be allowed. Likewise, if an intruder attempts to modify the permissions on AdminSDHolder in Active Directory, if he/she has sufficient effective permissions to do so on the object, the request will be allowed.
(As you probably know, if an intruder could successfully enact either of the above, it’d be Game Over right then and there, and strictly speaking, the entire organization would be compromised.)
To make a long story short, every technical operation that can be performed on an Active Directory object (i.e. in business parlance, every administrative task that a user can enact on an IT asset stored in Active Directory) is based on a user having sufficient effective permissions to do so. If the user has the sufficient effective permissions, he/she will success, else he/she will fail.
The (trillion $) keyword here is effective permissions, which is best understood with an illustrative example.
An Illustrative Example
This esoteric yet paramount technical concept is best understood with an illustrative example, so let’s consider the ACL protecting the CEO’s domain user account –
As you can see, its complicated. There are many security permissions specified in the ACEs that comprise the ACL. Some security permissions are allowed, while others are denied, and some are specified explicitly while others have been inherited from the object’s parent. Further some apply to the object while others exist only to be inherited down by child objects. Finally, some are simple and specific such as Reset Password, while others are a combination of multiple permissions (displayed as Special) and then there are those that grant all permissions (displayed as Full Control.)
Given the complicated set of security permissions in an Active Directory object’s ACL, how does one determine what permissions a user is actually (i.e. effectively) entitled to on it, considering –
- There are numerous permissions specified for numerous users, security groups and well-known security principals
- Security groups may be nested to multiple levels, thus effectively specifying access for large numbers of individuals
- There are over eighty different kinds of permissions and rights that could be granted or denied to security principals
- Permissions granted to a user in one ACE may be denied to the same user or security group in another ACE
- Permissions granted in an inherited ACE may be overridden by permissions specified in an explicit ACE
- Permissions specified in an ACE may or may not control access depending on the characteristics of the ACE
- A user could belong to multiple nested security groups, some of which may be allowed, and some denied, permissions
- Etc. Etc …
For instance, a user John could be a member of many groups including say, A1 and D1. Now group A1 may be a member of group A2 which may be a member of group A3 which may be allowed Reset Password in an ACE in the ACL above, while group D1 may be may be a member of group D2 which may be a member of group D3 (which could also be a member of D2 i.e. a circular group membership, and) which may be denied Special (i.e. multiple) permissions in another ACE in the ACL above. Further there may be a permission denying Domain Users some access, and allowing Authenticated Users some access; both of these permissions will also influence John’s resulting (effective) access.
In light of these specific permissions, as well as other ones in the object’s ACL, whether or not John can actually reset the CEO’s password would be determined by the collective impact of all the security permissions in the object’s ACL, considering their characteristics (Allow, Deny, Explicit, Inherited, Applicable, N/A etc.) in light of all factors that influence resulting access in Active Directory.
In essence, simply put, Active Directory Effective Permissions are the resulting/resultant set of permissions (RSOP) that a user is entitled to on an Active Directory object, considering all the security permissions that exist in that object’s ACL, including permissions that may or may not directly specify access for the user, and in light of all factors that influence resulting access in Active Directory.
Thus, as one can see, in order to accurately determine the effective permissions granted to one or more users on this Active Directory object, one would have to methodically take into account every aspect and rule of Active Directory’s sophisticated security model, to make this determination, and of course do so with 100% precision, each and every time, one needed to determine this.
In other words, the accurate determination of effective permissions on Active Directory is by no means, easy. It is also certainly neither the same as nor as easy as performing a simple Active Directory Permissions Audit, or for that matter attempting to write a simple (or even a very complicated) PowerShell script to do so. In fact, it is an order of magnitude more difficult to do so.
The Importance of Active Directory Effective Permissions
The ability to be able to accurately, efficiently and adequately determine effective permissions in Active Directory, i.e. on Active Directory objects is paramount to organizational cyber security today.
It is paramount because neither Active Directory itself, nor any of its content can be adequately secured without possessing the ability to assess who what effective permissions in Active Directory.
Consider this – What is the only way to answer each one of the following questions –
- Exactly how many privileged users are there in an organization’s Active Directory?
- Exactly how many privileged security groups are there in an organization’s Active Directory?
- Exactly who can reset the password of a privileged user to elevate privilege in an organization’s Active Directory?
- Exactly who can modify the group membership of a privileged security group to elevate privilege in an organization’s Active Directory?
- Exactly who can create, delete and manage user accounts, computer accounts, security groups, organizational units etc. in an organization’s Active Directory?
- Exactly who can instantly replicate secrets from Active Directory, and thus compromise the credentials of all accounts by using a tool such as Mimikatz DCSync?
- Exactly who manage the domain user accounts of the organization’s executives (Chairman of the Board, CEO, CFO, CIO, CISO etc.) in an organization’s Active Directory?
- If Smartcard authentication or other similar defense-in-depth measures (i.e. band-aids) are in use, exactly who can instantly disable their use in the organization’s Active Directory?
The answer: Active Directory Effective Permissions.
Each one of the questions posed above are paramount to organizational cyber security today, and the only way to answer them is to determine effective permissions/access in Active Directory.
(Those who truly understand Windows Security know that not a leaf moves in Microsoft’s ecosystem without the Active Directory being involved. In a typical day, the Active Directory is involved hundreds of thousands if not millions of times that organizational employees go about doing their work, and in each case, Active Directory effective permissions influence the involved access.)
The Active Directory Effective Permissions Tab
The importance of effective permissions to Windows Security is best evidenced by the fact that of the four tabs in Microsoft’s native Active Directory management tooling, the first three being Permissions, Auditing, and Owner(ship), the fourth tab is for Effective Permissions. Thus, effective permissions are at least as important as are Permissions, Auditing and Owner(ship) –
Active Directory Effective Permissions Tab
Sadly, as important as effective permissions are, Microsoft’s Effective Permissions Tab for Active Directory is not only not 100% accurate, it is substantially inadequate (; been so for a decade now.)
Here’s why –
- It is not always 100% accurate, since it self-admittedly does not take all relevant factors into account
- Most importantly, it can only determine (an approximation of) effective permissions (granted to) ONE user at a time
- Finally, it cannot identify the underlying permissions in the object’s ACL that entitle a specific user to a specific effective permission
Although the inability to be 100% accurate in itself renders it unreliable and virtually useless (because when you’re trying to secure the very foundation of security, accuracy is paramount), the fact that it can only determine (an approximation of) effective permissions one (specifiable) user at a time also makes it almost practically unusable, because then the only way to definitively determine who has what effective permissions on a specific Active Directory is to enter the identities of all of the organization’s users ONE by ONE, to discover all those who do have effective permissions granted on the object, and to rule out all those who don’t have any effective permissions on the object. Such a laborious process could easily take days, if not weeks, per object, each time.
Finally, assuming that an organization is able to use it to accurately determine effective permissions in Active Directory and identify all individuals that currently possess effective permissions on an object, including those who are not supposed to be in possession of the same, the Effective Permissions Tab provides no indication whatsoever as to which underlying security permissions in the object’s ACL end up entitling these unauthorized users to these effective permissions. In other words, the HOW component is missing, and that is what makes it substantially inadequate.
For the sake of completeness, let me also mention that virtually all of Microsoft’s tooling that offers any ability to do any type of effective permissions analysis, such as dsacls, acldiag etc. all have the same deficiencies. In addition, most of the technical guidance and scripts provided/available on Microsoft TechNet are substantially inaccurate, as is this dangerously inaccurate free tooling.
Amazingly, today there are 100s if not 1000s of cyber security / enterprise security companies in the world, yet not one of them has a solution to audit effective permissions in Active Directory.
We are Paramount Defenses, and as its CEO, it is my privilege to share with you the world’s only accurate and adequate Active Directory Effective Permissions Calculator –
At the touch of a single button, it can instantly and accurately determine and reveal –
- The complete set of effective permissions currently entitled on a given Active Directory object
- For each entitled effective permission, the complete list of all users who currently possess that effective permission on that Active Directory object
- For each such user that is entitled to a specific effective permission, the underlying permissions that entitle the user to this effective permission on that Active Directory object
In essence, Gold Finger can instantly deliver the mission-critical intel that organizations absolutely need to adequately secure and defend their foundational Active Directory deployments.
Of course, it follows that if you can touch a button, you can now also instantly answer each one of the questions posed above in your organization’s foundational Active Directory deployment.
The need to be able to accurately determine effective permissions in Active Directory is mission-critical to cyber security and is thus paramount to organizational security today.
No Active Directory deployment in the world can be adequately secured or defended without possessing the capability to accurately determine effective permission in Active Directory.
Every single organization in the world that operates on Microsoft Active Directory thus requires this essential cyber security capability to secure their foundational Active Directory deployments.
There are 100s if not 1000s of cyber security companies in the world today, yet not a single one of them has a solution that can fulfill this paramount cyber security need for organizations worldwide.
We are Paramount Defenses, and we can.
We care deeply about cyber security, and behind our ability to be able to uniquely help secure and defend organizations worldwide lies legendary vision, expertise and (a decade of) execution.
PS: Hopefully I’ve been able to substantiate this claim (and I didn’t even need to talk about this or this to do so.)
PS2: July 25, 2017 update – here’s a more in-depth description of Active Directory Effective Permissions (; you likely won’t want to miss it.)