How to Accurately Determine Resultant (i.e. Effective / Delegated) Access in Active Directory
Active Directory is the foundation of IT security management and the focal point of delegation of administration and access provisioning in Microsoft Windows Server based IT infrastructures.

Organizations typically delegate administrative responsibilities for IT management in Active Directory by provisioning least-privileged access for delegated IT administrators. They also often provision access for service accounts to Active Directory content for use by various (e.g. HR) applications.
Active Directory offers an elaborate security model and tools to make fine-grained delegation of administration and provisioning of access in Active Directory very easy for IT administrators.
However, while Active Directory's elaborate security model makes it very easy to delegate access, it also makes it very difficult to determine who is delegated/provisioned what access in Active Directory.
The process of determining who is delegated/provisioned what access in Active Directory is also referred to as Determining Resultant Access in Active Directory, and it is a very difficult problem.
A Very Difficult Problem
It is very difficult because there are many related factors involved in Active Directory's security model and to accurately determine who has what resultant access, they all need to be taken into account.

For example, here are some such factors (not a complete list) –
- Standard and Special Permissions – There are over 12 standard permissions and over 60 special permissions (extended rights) for controlling access in Active Directory
- Allow and Deny Permissions – A user or group can be allowed permissions or denied permissions, and deny permissions, usually but not always, override allow permissions
- Explicit and Inherited Permissions – Permissions can either be set directly (explicitly) on specific Active Directory objects, or be inherited from parent objects, but inherited permissions do not always apply to the object on which they appear
- Direct and Indirect Permissions – A user could either have permissions specified directly, or could have permissions specified indirectly, based on direct/nested group memberships
- Effective and Ineffective Permissions – Not all permissions in an object's access control list (ACL) might be effective for the purpose of controlling access on the object, as they might only exist in the ACL to be inherited down to child objects of specific classes
For instance, a user could be granted a permission in an access control entry (ACE) but also be a deeply nested member of a security group that is denied the same permission in another ACE. Even then, either or both of the ACEs may or may not be effective on the object, one might be explicit and the other inherited, and one might allow access while the other denies it. This is neither readily apparent nor easy to analyze correctly across all ACEs protecting an object.
For a concrete example that clearly illustrates why it is so difficult, please click here.
Manually determining resultant access in Active Directory requires IT administrators to take all factors into account exactly how Active Directory takes them into account in a real access check.
Taking all of these factors into account correctly to determine resultant access in Active Directory is not only very difficult and challenging but also a highly error-prone and time-consuming process.
The fact that in most Active Directory deployments, there usually exist a few thousand objects and 20+ ACEs in each Active Directory object ACL, only makes the problem substantially more difficult.
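To make the factors above concrete, the following is an added example (not code from the original page or from the Gold Finger product) that models how a Windows access check walks a canonical DACL: explicit deny, then explicit allow, then inherited deny, then inherited allow, skipping inherit-only ACEs and object-specific ACEs for a different right, with the principal's token expanded through nested groups. The rights bits, the group names, the `Reset-Password` label standing in for an extended right's GUID, and all ACEs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Access-mask bits (constructed subset; real AD uses ADS_RIGHTS_ENUM values).
CREATE_CHILD   = 0x001
DELETE_CHILD   = 0x002
READ_PROP      = 0x010
WRITE_PROP     = 0x020
CONTROL_ACCESS = 0x100   # extended rights such as "Reset Password", scoped by object_type


@dataclass
class Ace:
    trustee: str                       # user or group the ACE applies to
    allow: bool                        # True = allow ACE, False = deny ACE
    mask: int                          # access-mask bits
    inherited: bool = False            # came from a parent object (INHERITED_ACE)
    inherit_only: bool = False         # exists only to flow to children (INHERIT_ONLY_ACE)
    object_type: Optional[str] = None  # extended right / attribute the ACE is scoped to


def expand_groups(principal: str, membership: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of group memberships: the 'indirect permissions' factor."""
    token = {principal}
    stack = [principal]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Explicit deny, explicit allow, inherited deny, inherited allow.
    This ordering is why an inherited deny does NOT override an explicit allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def resultant_access(principal: str, membership: Dict[str, List[str]], dacl: List[Ace],
                     requested: int, object_type: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the DACL the way an access check does and report (granted, reason)."""
    token = expand_groups(principal, membership)
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.inherit_only:
            continue   # ineffective on this object; only matters to child objects
        if ace.trustee not in token:
            continue   # neither the user nor any of their (nested) groups
        if ace.object_type is not None and ace.object_type != object_type:
            continue   # object-specific ACE for some other right or attribute
        kind = ("inherited" if ace.inherited else "explicit") + (" allow" if ace.allow else " deny")
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"granted; last contributing ACE: {kind} for {ace.trustee}"
        elif ace.mask & remaining:
            return False, f"denied by {kind} for {ace.trustee}"
    return False, "no ACE grants all requested rights (implicit deny)"


# Constructed sample: alice -> Contractors -> Restricted-Staff (nested membership).
MEMBERSHIP = {"alice": ["Contractors"], "Contractors": ["Restricted-Staff"]}
RESET_PASSWORD = "Reset-Password"   # constructed label standing in for the extended right's GUID


def evaluate_scenarios() -> Dict[str, bool]:
    """Each scenario is one of the traps described in the text; value is whether alice gets access."""
    explicit_allow = Ace("alice", True, CONTROL_ACCESS, object_type=RESET_PASSWORD)
    inherited_deny = Ace("Restricted-Staff", False, CONTROL_ACCESS, inherited=True, object_type=RESET_PASSWORD)
    explicit_deny = Ace("Restricted-Staff", False, CONTROL_ACCESS, object_type=RESET_PASSWORD)
    inherited_allow = Ace("Contractors", True, CONTROL_ACCESS, inherited=True, object_type=RESET_PASSWORD)
    inherit_only_allow = Ace("alice", True, CONTROL_ACCESS, inherit_only=True, object_type=RESET_PASSWORD)
    other_right_deny = Ace("Restricted-Staff", False, CONTROL_ACCESS, object_type="Some-Other-Right")

    def check(dacl: List[Ace]) -> bool:
        return resultant_access("alice", MEMBERSHIP, dacl, CONTROL_ACCESS, RESET_PASSWORD)[0]

    return {
        "explicit allow beats inherited nested-group deny": check([inherited_deny, explicit_allow]),
        "explicit nested-group deny beats explicit allow": check([explicit_allow, explicit_deny]),
        "inherited deny beats inherited allow": check([inherited_allow, inherited_deny]),
        "inherit-only ACE is not effective on this object": check([inherit_only_allow]),
        "deny scoped to a different extended right does not apply": check([other_right_deny, explicit_allow]),
    }


if __name__ == "__main__":
    for scenario, granted in evaluate_scenarios().items():
        print(f"{scenario}: {'GRANTED' if granted else 'DENIED'}")
```

The same ACEs produce opposite answers depending only on whether the deny is explicit or inherited, whether the allow is inherit-only, and whether the deny's object type matches the right being checked; a tool that merely lists ACEs where a trustee appears cannot distinguish these cases. The model deliberately omits ownership, the SYSTEM_SECURITY right, and property-set semantics, each of which a real access check also has to handle.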
SECURITY WARNING –
While many Active Directory reporting solutions claim to determine and report who has what access in Active Directory, in fact these solutions merely display an object's ACL, or where a user or group might have direct/nested permissions, which in itself does NOT accurately reflect who has what access at all. Organizations that rely on such data to control and lock down access to vital IT resources stored in Active Directory may in fact be highly unprotected and vulnerable to compromise. Click HERE for details.
A Unique Solution
Gold Finger - World's only accurate Active Directory Resultant Access Reporting Solution.
Gold Finger is the world's only accurate resultant-access assessment solution for Active Directory. It completely automates the accurate assessment of resultant/effective/delegated access in Active Directory, making a very difficult, time-consuming and error-prone task as easy as touching a button.

It is designed by a former Microsoft Program Manager for Active Directory Security, endorsed by Microsoft, and deployed at over 4000 organizations in over 70 countries worldwide.
It can instantly determine resultant-access in Active Directory, whether on a single object, or an entire organizational unit or domain, and reveal, exactly who can do what, where and how so.
For instance, it can instantly determine and reveal exactly –
- Who can create domain user accounts and misuse them to compromise assets?
- Who can delete domain user accounts to disrupt access to organizational assets?
- Who can reset user account passwords to easily engage in corporate identity theft?
- Who can enable disabled domain user accounts to potentially misuse them?
- Who can unlock locked domain user accounts to keep guessing passwords?
- Who can create domain security groups and mislead users into using them?
- Who can delete domain security groups to deny access to all protected assets?
- Who can modify domain security groups to obtain access to all protected assets?
- Who can convert security groups into non-security groups leaving assets vulnerable?
- Who can delete entire organizational units to critically disrupt security and access?
Not only can Gold Finger accurately and instantly determine and reveal exactly Who can do What across an entire Active Directory, it can also reveal exactly Where and How they can do so.
No other solution in the world can do so, let alone do it at the touch of a button.