An Illustration that depicts why assessing the resultant-set-of-permissions in Active Directory is so difficult.


Do you really know precisely who has what access to which IT resources in your Active Directory?


Consider the following Active Directory access control list (ACL) protecting the CEO's user account –




Can you accurately determine who is delegated what administrative tasks on the CEO's account?

     (It's not easy, is it?)



Here's why

In order to accurately determine resultant access in Active Directory, you have to take numerous factors into account when analyzing an Active Directory access control list (ACL), such as, but not limited to –




1. Numerous Users and Groups

There are permissions specified for numerous users, security groups and well-known security principals




2. Transitive Memberships

Security groups may be deeply nested, in effect specifying access for numerous individuals




3. Over 70 Kinds of Permissions and Rights

There are over 70 different kinds of permissions and rights that could be specified for security principals




4. Conflicting Permissions

A user or a security group may be granted permissions in one ACE but denied the very same permissions in another ACE




5. Precedence Orders

Explicit permissions will override inherited permissions




6. Ineffective Permissions

Permissions specified in an ACE may or may not control access depending on the nature of the ACE




7. Nested Group Conflicts

A user or group could belong to multiple nested security groups, some of which may be allowed, and some denied, the same set of permissions


8. So on and so forth

Similarly, there are other factors involved in accurately determining resultant access in Active Directory.



In order to accurately assess access in Active Directory, you have to take into account every factor involved in a real Active Directory security (authorization) check, exactly as a real access check does.
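The following added example (not from the original page, and not Gold Finger's code) is a simplified model of how factors 2, 4, 5, 6 and 7 combine when resultant access is computed on a single object. The group names, users, permission names and the ACL are constructed for illustration, and an inherit-only ACE is used as one assumed instance of an ACE that does not control access to the object it sits on.

```python
from dataclasses import dataclass

# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {"Helpdesk": {"Tier1", "alice"}, "Tier1": {"bob"}, "Contractors": {"bob"}}

@dataclass(frozen=True)
class Ace:
    allow: bool                 # True = allow ACE, False = deny ACE
    trustee: str                # user or group the ACE names
    rights: frozenset           # simplified permission names (assumption)
    inherited: bool = False     # came from a parent container
    inherit_only: bool = False  # applies to child objects only, not this one

def principals_of(user):
    """The user plus every group reached through transitive membership."""
    found, changed = {user}, True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def effective_rights(user, acl, wanted):
    """Walk the ACL in canonical order; the first ACE to decide a right wins."""
    who = principals_of(user)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    ordered = sorted(acl, key=lambda a: (a.inherited, a.allow))
    granted, denied = set(), set()
    for ace in ordered:
        if ace.inherit_only or ace.trustee not in who:
            continue  # ineffective here: wrong scope or trustee not matched
        undecided = (ace.rights & wanted) - granted - denied
        (granted if ace.allow else denied).update(undecided)
    return granted

WANTED = frozenset({"Reset Password", "Write", "Delete"})
# Constructed ACL for a hypothetical CEO account; the model sorts it canonically.
CEO_ACL = [
    Ace(True, "Helpdesk", frozenset({"Reset Password", "Write"}), inherited=True),
    Ace(False, "Contractors", frozenset({"Reset Password"}), inherited=True),
    Ace(True, "alice", frozenset({"Write"})),
    Ace(False, "Helpdesk", frozenset({"Write"}), inherited=True),
    Ace(True, "Tier1", frozenset({"Delete"}), inherit_only=True),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(effective_rights(user, CEO_ACL, WANTED)))
```

In this model alice keeps Write because her explicit allow is evaluated before the inherited deny on Helpdesk, while bob, who reaches Helpdesk only through Tier1 and is also in Contractors, ends up with nothing.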


Gold Finger is the only solution in the world that simulates real Active Directory security checks to accurately assess and report who actually is provisioned what access on an Active Directory object.

Copyright Paramount Defenses Inc. 2006 – 2010. All Rights Reserved.