
How to Correctly Assess Privileged Access in Active Directory

The vast majority of all privileged access resides in Active Directory (AD) and there's only one correct way to assess privileged access in Active Directory.

At 85% of all organizations worldwide, the most powerful privileged access as well as the vast majority of all powerful privileged access lie within millions of security permissions inside foundational Active Directory deployments worldwide.

There is only one way to correctly identify privileged access in Active Directory, and that involves performing a domain-wide privileged access assessment based on the accurate determination of Active Directory Effective Permissions.


Active Directory - The Heart of Privileged Access

From Domain Admins to hundreds of delegated administrators, today, at 85% of all organizations worldwide, the vast majority of all powerful privileged access resides in Active Directory.

In fact, the entirety of all organizational domain user accounts, computer accounts, passwords, security groups and policies reside within Active Directory, all protected by an ocean of privileged access inside Active Directory.

Further, a single change made in Active Directory can be used to gain privileged access on all domain-joined computers.

Thus, in a Microsoft Windows network, an organization's foundational Active Directory is the heart of privileged access.

Consequently, to be able to accurately assess privileged access, organizations need to understand what constitutes a privileged user in Active Directory, and know how to correctly identify privileged users in their Active Directory.


The Need to Correctly Identify Privileged Users in Active Directory

Today organizations worldwide need to be able to correctly identify privileged users in Active Directory, driven by -

  1. Privileged Access Management (PAM) - The very first step in PAM involves Privileged Account Discovery, and the majority of all privileged accounts reside in Active Directory.

  2. Active Directory Security Assessment and Hardening - The accurate identification and adequate protection of all privileged users in Active Directory is paramount for AD security, which is paramount for organizational security.

  3. Governance, Risk and Compliance (GRC) - Today more than ever, corporate governance, risk management and regulatory compliance necessitate that organizations accurately identify and protect their "privileged users."


Active Directory is the heart of privileged access in Windows networks, and is thus the focal point of these vital needs.


What Constitutes a Privileged User in AD

The vast majority of privileged access resides in Active Directory, so a clear understanding of what constitutes privileged access in Active Directory is paramount.

Any user who has either of the following two levels of privileged access in Active Directory constitutes a privileged user in AD -

  1. Unrestricted (Domain Admin Level) Privileged Access - This is the highest level of access in the privileged access hierarchy, and it constitutes unrestricted domain-wide privileged access, usually obtained via membership in one or more default AD administrative groups.

  2. Delegated Privileged Access - This is the second highest level of access in the privileged access hierarchy, and it constitutes restricted domain-wide, OU-wide or per-object privileged access, usually obtained by administrative delegation or business need driven access provisioning.


It is imperative to understand that users with delegated privileged access could also possess as much privilege as Domain Admin equivalent privileged users, which is why it is equally important to accurately identify them.


How to Correctly Identify Privileged Users in AD

In order to correctly identify privileged users in Active Directory, organizations need to identify both privileged users that possess unrestricted access and those that possess delegated access.

  • The process of correctly identifying all users that possess unrestricted (Domain Admin equivalent) privileged access in AD is relatively simple, as outlined below.

  • The process of correctly identifying all users that possess delegated privileged access in AD is a bit more involved, as also outlined below.


In each case, because accuracy is paramount, organizations will need to engage in the process of accurately determining effective permissions on Active Directory objects.


How to Identify Unrestricted Access Privileged Users in Active Directory

To identify users that possess unrestricted privileged access in Active Directory, enact the following four steps -

  1. Begin by identifying all default Active Directory privileged groups, a complete list of which can be found here.

  2. Next, enumerate the complete membership of each one of these default Active Directory privileged groups.

  3. Then, identify all users who can enact any of the ten Domain-Admin equivalent administrative tasks listed below.

  4. Finally, identify all domain accounts that can a) modify the membership of each group identified in Step 1, b) reset the password of each group member identified in Step 2, c) reset the password of each user identified in Step 3, and d) modify the permissions on, or change the ownership of, each one of these AD privileged user accounts and groups.
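The following is an added example, not code from the page or its vendor, that carries out Steps 1, 2 and 4 of the procedure above with the RSAT ActiveDirectory module. It assumes it is run in the forest root domain (so that Enterprise Admins and Schema Admins resolve), uses a representative rather than complete list of default privileged groups, and relies on the well-known schema GUIDs of the `member` attribute and the User-Force-Change-Password extended right. Step 3 (the ten Domain Admin equivalent tasks) needs per-task checks on other objects and is not covered here.

```powershell
# Added example: Steps 1, 2 and 4 of identifying unrestricted privileged access.
# Assumptions: forest root domain, RSAT ActiveDirectory module, representative group list.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Step 1: default privileged groups, addressed by well-known SID so the script is locale-independent
$groupSids = @(
    "$domainSid-512",  # Domain Admins
    "$domainSid-519",  # Enterprise Admins (forest root domain only)
    "$domainSid-518",  # Schema Admins (forest root domain only)
    'S-1-5-32-544',    # Administrators
    'S-1-5-32-548',    # Account Operators
    'S-1-5-32-549',    # Server Operators
    'S-1-5-32-551',    # Backup Operators
    'S-1-5-32-550'     # Print Operators
)
$groups = foreach ($sid in $groupSids) { Get-ADGroup -Identity $sid }

# Step 2: transitive membership; -Recursive flattens nested groups and returns users/computers
$members = foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{ Group = $g.Name; Member = $_.SamAccountName; DN = $_.DistinguishedName; Class = $_.objectClass }
    }
}
$members | Sort-Object Member, Group | Format-Table -AutoSize

# Step 4: who can take over each privileged group or account through its ACL
$ad          = [System.DirectoryServices.ActiveDirectoryRights]
$memberGuid  = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the 'member' attribute
$resetPwGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password extended right
$any         = [guid]::Empty                                  # ACE without an object type applies to everything

function Get-TakeoverAces {
    param([string]$DN, [string]$Class)
    $acl = Get-Acl -Path "AD:\$DN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs are carried for child objects and do not apply to this object itself
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $r = $ace.ActiveDirectoryRights; $t = $ace.ObjectType
        $why = $null
        if     ($r.HasFlag($ad::GenericAll)) { $why = 'GenericAll' }
        elseif ($r.HasFlag($ad::WriteDacl))  { $why = 'WriteDacl' }    # Step 4d: can rewrite the ACL
        elseif ($r.HasFlag($ad::WriteOwner)) { $why = 'WriteOwner' }   # Step 4d: can take ownership
        elseif ($Class -eq 'group' -and $r.HasFlag($ad::WriteProperty) -and $t -in $any, $memberGuid)  { $why = 'WriteProperty:member' }      # Step 4a
        elseif ($Class -ne 'group' -and $r.HasFlag($ad::ExtendedRight) -and $t -in $any, $resetPwGuid) { $why = 'ExtendedRight:ResetPassword' } # Step 4b/4c
        if ($why) {
            [pscustomobject]@{ Object = $DN; Trustee = $ace.IdentityReference.Value; Right = $why; Inherited = $ace.IsInherited }
        }
    }
}

$targets = @($groups  | ForEach-Object { [pscustomobject]@{ DN = $_.DistinguishedName; Class = 'group' } }) +
           @($members | ForEach-Object { [pscustomobject]@{ DN = $_.DN; Class = $_.Class } })
$targets | Sort-Object DN -Unique |
    ForEach-Object { Get-TakeoverAces -DN $_.DN -Class $_.Class } |
    Sort-Object Trustee, Object | Format-Table -AutoSize
```

The output lists Allow entries only: it does not resolve Deny entries, nested membership of the trustees it prints, or ownership, so default trustees such as Domain Admins and SYSTEM will appear and every other trustee is a lead to follow up with an effective-permission calculation, which is the point the rest of the page makes.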

Domain Admin Equivalent Tasks

Anyone who can perform the following AD management tasks must be considered to possess Domain Admin equivalent privilege -

  1. Promote a machine to a domain controller (DC) or manage DCs.
  2. Create or manage an inbound forest or external trust relationship.
  3. Replicate secrets from the domain or manage the domain root object.
  4. Manage the Schema or Configuration partitions, including their contents.
  5. Modify the Default Domain Controllers Policy or the Default Domain Policy.
  6. Manage the default Users container, Built-in container and System container.
  7. Manage the Domain Controllers OU, as well as any Domain Controller's domain computer account.
  8. Link a GPO to the domain root, the Domain Controllers OU, or any site or OU that contains a large number of computer accounts.
  9. Manage all top-level OUs, as well as any OUs containing a large number of user accounts, computer accounts or security groups.
  10. Manage any default administrative accounts and groups, and/or any users or groups that have been delegated privileged access.

        * Manage includes the ability to modify the security permissions on the AD object, as well as the ability to change its ownership.

Finally, any user who can modify the local Administrators group on a large number of domain-joined computers must also be considered privileged, as, ideally, should any computer whose domain computer account is trusted for unconstrained delegation.


How to Identify Users with Delegated Privileged Access in Active Directory

To identify users that possess delegated (restricted) privileged access in Active Directory, one needs to perform a domain-wide delegation / privileged access assessment that can accurately identify -

  1. All users who can create domain user accounts, computer accounts, security groups and OUs in the domain.

  2. All users who can manage domain user accounts, computer accounts, security groups and OUs across the domain, i.e., all users who can reset user account passwords, enable disabled accounts, change group memberships, delegate access on OUs, link GPOs to OUs, etc.

  3. All users who can delete domain user accounts, computer accounts, security groups and OUs in the domain.

When performing a privileged access assessment to identify users with delegated access, to obtain accurate results, it is vital to ensure that you correctly evaluate effective permissions on every Active Directory object in the domain.
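The following is an added example, not code from the page or its vendor, of the domain-wide scan described in the three points above. It walks every OU, container and the domain root, keeps only the explicit Allow ACEs (inherited ones originate at a parent that the scan also visits), and reports trustees that can create or delete users, computers, groups or OUs, reset passwords, edit group membership, link GPOs, or rewrite a container's ACL or owner. Schema GUIDs are resolved from the forest's own schema rather than hard-coded. It assumes the RSAT ActiveDirectory module and that the domain is the forest root (for the Enterprise Admins SID in the exclusion list).

```powershell
# Added example: domain-wide scan for delegated privileged access on containers and OUs.
# Assumptions: RSAT ActiveDirectory module; run in the forest root domain.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Resolve a schema class/attribute GUID, or an extended right GUID, from this forest's schema
function Get-SchemaGuid {
    param([string]$Name, [switch]$ExtendedRight)
    if ($ExtendedRight) {
        $o = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
             -LDAPFilter "(&(objectClass=controlAccessRight)(name=$Name))" -Properties rightsGuid
        return [guid]$o.rightsGuid
    }
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}

$classes = @{}
foreach ($cls in 'user', 'computer', 'group', 'organizationalUnit') { $classes[$cls] = Get-SchemaGuid $cls }
$memberGuid = Get-SchemaGuid 'member'
$gpLinkGuid = Get-SchemaGuid 'gPLink'
$resetPw    = Get-SchemaGuid 'User-Force-Change-Password' -ExtendedRight
$any        = [guid]::Empty
$ad         = [System.DirectoryServices.ActiveDirectoryRights]

# Trustees that hold broad rights by default; any other trustee with these rights is delegated access
$expected = @("$domainSid-512", "$domainSid-519", 'S-1-5-32-544', 'S-1-5-18', 'S-1-5-9')  # DA, EA, Administrators, SYSTEM, Enterprise DCs

$containers = Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))'

$findings = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    # explicit ACEs only: includeExplicit=$true, includeInherited=$false, identities as SIDs
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $sid -in $expected) { continue }
        $r = $ace.ActiveDirectoryRights; $t = $ace.ObjectType
        $hits = @()
        if     ($r.HasFlag($ad::GenericAll))                                     { $hits += 'FullControl' }
        elseif ($r.HasFlag($ad::WriteDacl) -or $r.HasFlag($ad::WriteOwner))      { $hits += 'ModifyAclOrOwner' }
        foreach ($cls in $classes.Keys) {
            if ($t -in $any, $classes[$cls]) {
                if ($r.HasFlag($ad::CreateChild)) { $hits += "Create:$cls" }   # point 1
                if ($r.HasFlag($ad::DeleteChild)) { $hits += "Delete:$cls" }   # point 3
            }
        }
        if ($r.HasFlag($ad::ExtendedRight) -and $t -in $any, $resetPw)    { $hits += 'ResetPassword' }          # point 2
        if ($r.HasFlag($ad::WriteProperty) -and $t -in $any, $memberGuid) { $hits += 'ChangeGroupMembership' }  # point 2
        if ($r.HasFlag($ad::WriteProperty) -and $t -in $any, $gpLinkGuid) { $hits += 'LinkGPO' }                # point 2
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        foreach ($h in $hits) {
            [pscustomobject]@{
                Container = $c.DistinguishedName; Trustee = $name; Right = $h
                AppliesToClass = $ace.InheritedObjectType   # Empty GUID = all child classes
                Inheritance = $ace.InheritanceType
            }
        }
    }
}
$findings | Sort-Object Trustee, Container | Format-Table -AutoSize
```

Two caveats follow from the page's own argument: the scan shows which ACEs exist, not which permissions are effective (Deny entries, nested groups and ownership are not resolved), and rights granted directly on individual user, group or computer objects rather than on their containers are not visited here, so per-object effective-permission checks are still needed for the accounts and groups that matter most.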


How to Assess Privileged Access on an AD object

Organizations often need to be able to identify exactly who has what privileged access on a specific Active Directory object, such as on a high-value domain user account, security group etc.

For example, one may need to determine (assess/identify) exactly who can -

  1. Modify the ACL protecting the AdminSDHolder object.

  2. Replicate secrets (everyone's passwords) from the domain.

  3. Reset the CEO's or CFO's domain user account password.

  4. Change the Domain Admins group's membership.

  5. Modify a service's service connection point's keywords.


To identify all users that possess any level of privileged access on any specific Active Directory object, one must calculate the complete set of Active Directory effective permissions granted on that object.


Effective Permissions - The Keys to Privileged Access

From AdminSDHolder to Domain Admins, and from the default Administrator account to the CEO's domain user account, literally everything in Active Directory is an AD object.

Every AD object is protected by an access control list (ACL) that specifies who has what permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Thus, what provides accurate insight into privileged access is not a determination of who has what permissions in Active Directory, but a determination of who has what effective permissions in Active Directory.

Consequently, to correctly assess privileged access in Active Directory, including to determine who can enact each of the Domain Admin Equivalent Tasks listed above, organizations need to calculate effective permissions in Active Directory.
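The following is an added example, not code from the page or its vendor, of a simplified effective-permission check for one principal on one AD object, covering both the per-object questions listed under "How to Assess Privileged Access on an AD object" and the effective-permission argument just made. It expands the principal's transitive group membership from the `tokenGroups` attribute, adds the implicit Everyone and Authenticated Users SIDs, walks the DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and lets the first ACE that matches both the trustee and the object type decide, with the owner's implicit ReadControl and WriteDacl applied first. It assumes the RSAT ActiveDirectory module, a placeholder account name `jdoe`, and the well-known GUID of the `member` attribute; it deliberately does not expand property sets, the "Owner Rights" SID or the SELF SID, and assumes generic access bits have already been mapped to specific rights.

```powershell
# Added example: simplified effective-permission evaluation for one principal on one object.
# Assumptions: RSAT ActiveDirectory module; 'jdoe' is a placeholder account; property sets,
# Owner Rights (S-1-3-4) and SELF (S-1-5-10) are not modelled.
Import-Module ActiveDirectory

# All SIDs a principal carries in its token: its own SID, every transitive group, plus the
# implicit well-known identities that never appear in tokenGroups
function Get-PrincipalSids {
    param([string]$PrincipalDN)
    $de = [adsi]"LDAP://$PrincipalDN"
    $de.RefreshCache(@('tokenGroups'))   # constructed attribute; must be requested explicitly
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$sids.Add((New-Object System.Security.Principal.SecurityIdentifier($de.Properties['objectSid'][0], 0)).Value)
    foreach ($b in $de.Properties['tokenGroups']) {
        [void]$sids.Add((New-Object System.Security.Principal.SecurityIdentifier($b, 0)).Value)
    }
    [void]$sids.Add('S-1-1-0')    # Everyone
    [void]$sids.Add('S-1-5-11')   # Authenticated Users
    return $sids
}

# Does the principal effectively hold $Right (optionally on a specific attribute, extended right
# or child class GUID) on the target object?
function Test-AdEffectiveRight {
    param(
        [string]$TargetDN,
        [System.Collections.Generic.HashSet[string]]$PrincipalSids,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty   # Empty = the right on the object as a whole
    )
    $acl = Get-Acl -Path "AD:\$TargetDN"

    # The owner is granted ReadControl and WriteDacl before the DACL is consulted at all
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($PrincipalSids.Contains($owner) -and $Right -in 'ReadControl', 'WriteDacl') { return $true }

    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Canonical evaluation order; Where-Object keeps the DACL's own order within each bucket
    $ordered = @(
        $rules | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Deny'  }
        $rules | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }
        $rules | Where-Object {      $_.IsInherited -and $_.AccessControlType -eq 'Deny'  }
        $rules | Where-Object {      $_.IsInherited -and $_.AccessControlType -eq 'Allow' }
    )
    foreach ($ace in $ordered) {
        if (-not $PrincipalSids.Contains($ace.IdentityReference.Value)) { continue }
        # Inherit-only ACEs exist for propagation to children and do not protect this object
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($Right)) { continue }
        # An object-specific ACE only applies when its ObjectType matches the one being asked about
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }
        return ($ace.AccessControlType -eq 'Allow')   # first matching ACE decides: Deny wins if it comes first
    }
    return $false   # no matching ACE: access is implicitly denied
}

# Usage: two of the questions posed on the page, asked for one placeholder principal
$domain     = Get-ADDomain
$user       = Get-ADUser -Identity 'jdoe'                                  # placeholder account
$sids       = Get-PrincipalSids -PrincipalDN $user.DistinguishedName
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'                 # 'member' attribute (well-known)
$daDN       = (Get-ADGroup -Identity "$($domain.DomainSID.Value)-512").DistinguishedName

[pscustomobject]@{
    Principal                    = $user.SamAccountName
    CanModifyAdminSDHolderAcl    = Test-AdEffectiveRight -TargetDN "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" -PrincipalSids $sids -Right WriteDacl
    CanChangeDomainAdminsMembers = Test-AdEffectiveRight -TargetDN $daDN -PrincipalSids $sids -Right WriteProperty -ObjectType $memberGuid
}
```

Answering "who can do X on this object" for the whole domain means running this check for every principal, which is why a domain-wide assessment must resolve group membership and ACE order for each trustee rather than reading ACLs once; the simplifications listed above are exactly the places where a quick audit script and a correct effective-permission calculation diverge.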


Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University
