Monday, June 29, 2020

Day 4 - Active Directory Security Permissions, Tooling AND a Challenge


Hello. I hope this finds you doing well. This post is Day-4 of Active Directory Security for Cyber Security Experts.

TODAY, we'll begin by 1) re-visiting a simple fact, 2) putting your arsenal together and 3) YOUR first challenge.

Active Directory Security Permissions - The Keys to Every Door in the Kingdom

If you're into IT or cyber security, then you likely already know this ONE simple technical fact which is worth reiterating -

  1. 85% of all organizations worldwide operate on Microsoft Active Directory - From Microsoft to Amazon, and from the White House to the entire U.S. Government, every relevant organization in the world operates on Active Directory.

  2. 100% of everything in Active Directory is an AD object protected by an ACL - From the Domain Admins group to the domain root object, to every employee's (e.g. CEO, CISO etc.) account and computer, to every security group (e.g. All Employees, Executives etc.) used to lockdown access to every IT asset in the organization (i.e. all files, folders, Exchange mailboxes, databases, apps, portals etc.), literally everything is an object in Active Directory.

  3. It is the complete set of Active Directory security permissions that exist in the ACL (access control list) of every Active Directory object that collectively govern exactly who can do what on that Active Directory object.

If you connect the above three dots, you'll arrive at the conclusion that at the end of the day, it is Active Directory security permissions that ultimately protect and govern the security of virtually every IT asset in every organization worldwide.

In short, not just the "Keys to the Kingdom", the "Keys to Every Door in the Kingdom" lie in AD Security Permissions.

Three Technical Pointers

Given the paramount importance that Active Directory Security permissions play in organizational cyber security today, in order to gain proficiency in Active Directory Security, one must know Active Directory Security permissions well.

So, here are a few technical pointers that I recommend we all go through to learn more about them -
  1. Active Directory Security Permissions (here), How Access Checks work (here) & Order of ACEs in a DACL (here)

  2. Best Practices for Delegating Administration in AD, Appendix C: Active Directory Security Permissions (See * below)

  3. Best Practices for Delegating Administration in AD, Chapter 2: How Delegation Works in Active Directory (See * below)

  • * Note: The content referenced in 2 and 3 above was part of a 400-page whitepaper I had written while I was at Microsoft, titled "Best Practices for Delegating Administration in Active Directory". For reasons best known to Microsoft, it was removed from its TechNet site. Fortunately, you can still access it if you know where to find it. The only place it is available is as a part of "Windows Server 2003 Retired Content", a massive 150 MB PDF file which you can still download from here. To locate this content in that download, install Adobe PDF Reader (needed to open a PDF that large), open the PDF and search for my name in it (Page: 8186.)

Please take a few moments to review and learn from these simple yet vital technical pointers. I apologize that there is no good content online from Microsoft to share with you - not sure why Microsoft has pulled so much important content. :-(

Finally, if you have more time and truly want to gain a deep understanding of how access control, access checks, access assessment etc. all work in Active Directory, you can review this authoritative patent on the subject, which today is cited by Microsoft, Palantir, CyberArk, Quest, Amazon, Vmware, IBM and other notable companies.

Active Directory Permissions Analysis Tooling

Over the next thirty days, I am going to be issuing ten challenges, each one motivated by the desire to teach you something specific and valuable, and each one involving and requiring you to analyze permissions in Active Directory.

So, please feel free to put together your own arsenal of tools so you can accept these ten simple, educative challenges.

Further, to help you put this together, here's a list of just about every tool that I know of that can help organizations analyze Active Directory Security Permissions today, listed in alphabetical order by name of the tool to ensure objectivity -
  1. Acldiag (Microsoft)
  2. Aclight (CyberArk)
  3. Active Directory ACL Analyzer (Paramount Defenses)
  4. Active Directory ACL Exporter (Paramount Defenses)
  5. Active Directory Effective Permissions Calculator (Paramount Defenses)
  6. Active Directory Effective Access Auditor (Paramount Defenses)
  7. Active Directory Permissions Analyzer (Paramount Defenses)
  8. Active Directory Permissions Reporting Tool (ManageEngine)
  9. Active Directory Privileged Access Auditor (Paramount Defenses)
  10. AD ACL Scanner (Robin Granberg ?)
  11. AD Permissions Reporter (CJWDev)
  12. BeyondTrust Auditor (BeyondTrust)
  13. BloodHound (SpecterOps)
  14. Dsacls (Microsoft)
  15. Effective Permissions Reporting Tool (Netwrix)
  16. Enterprise Reporter for Active Directory (Quest)
  17. Hyena (Systemtools)
  18. LepideAuditor (Lepide)
  19. Permissions Analyzer for Active Directory (SolarWinds)
  20. PowerShell for Active Directory (Microsoft)
  21. Stealthaudit Active Directory Permissions Analyzer (Stealthbits)
  • Note: The mere mention of any 3rd party tool above is not and should not be considered an endorsement.

The only tools that you cannot currently (i.e. yet) have in your arsenal are those developed by Paramount Defenses.

You're welcome to use any other tools to fulfill the various challenges I'll be sharing soon. If your organization currently uses a particular tool, I recommend using it to see if it can help you get the answers to these upcoming challenges.

Your First Challenge

Your first challenge is a very simple challenge, and I expect each one of you to be able to easily fulfill this challenge.

Using any tool(s) of your choice that are in your Active Directory security arsenal, please analyze the security permissions in the Active Directory Security Lab VM that I have shared, and simply answer the following three simple questions -

  1. Exactly how many security permissions (ACEs) are there domain-wide in the corp.local domain?

  2. Exactly how many members does the Domain Admins security group have? 

  3. Exactly how many security permissions in the ACL protecting the Domain Admins security group directly or indirectly impact "Write Property - Member" permissions?

  • These are really simple warm-up questions. Your answer can be as simple as: 1) 100,000, 2) 5, 3) 4

The answer to question 1 helps determine how large the attack surface is. The answer to question 2 is (sadly) the (mere) extent to which many organizations go to audit privileged access in Active Directory, and the answer to question 3 begins to scratch the surface when trying to determine who actually has what privileged access in an Active Directory.
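The three questions above, worked with the Microsoft ActiveDirectory PowerShell module as an added example that is not the post's own code. It assumes a session against the lab's corp.local domain, the function names are my own, and the only constant it relies on is the well-known schemaIDGUID of the "member" attribute.

```powershell
# Added example (not from the post). Assumes the ActiveDirectory module and a
# domain-joined session against corp.local; function names are hypothetical.
Import-Module ActiveDirectory

# Q1: count every ACE in every object's DACL, domain-wide.
function Get-DomainAceCount {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $total = 0
    Get-ADObject -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object { $total += $_.nTSecurityDescriptor.Access.Count }
    return $total
}

# Q2: direct members (which may include groups) versus accounts reached by expanding nesting.
function Get-GroupMemberCounts {
    param([string]$Group = 'Domain Admins')
    $direct   = @(Get-ADGroupMember -Identity $Group).Count
    $expanded = @(Get-ADGroupMember -Identity $Group -Recursive |
                  Select-Object -ExpandProperty DistinguishedName -Unique).Count
    [pscustomobject]@{ Direct = $direct; Expanded = $expanded }
}

# Q3: ACEs on the group that directly or indirectly allow (or deny) writing "member".
function Get-MemberWriteAces {
    param([string]$GroupDn = "CN=Domain Admins,CN=Users,$((Get-ADDomain).DistinguishedName)")
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "member"
    $indirect   = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
    $acl = (Get-ADObject -Identity $GroupDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs sit in this DACL for propagation to children and do not apply here.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        $rights   = $ace.ActiveDirectoryRights
        $onMember = $ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $memberGuid  # empty GUID = all properties
        $reason   = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and $onMember) {
            $reason = 'Direct: WriteProperty on member (or on all properties)'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Self) -and $ace.ObjectType -eq $memberGuid) {
            $reason = 'Direct: validated write, add/remove self as member'
        } elseif (($rights -band $indirect) -ne 0) {
            $reason = "Indirect: $($rights -band $indirect)"   # can rewrite the DACL or the whole object
        }
        if ($reason) {
            [pscustomobject]@{ Identity = $ace.IdentityReference; Type = $ace.AccessControlType
                               Inherited = $ace.IsInherited; Reason = $reason }
        }
    }
}

Get-DomainAceCount                                  # answer to Q1
Get-GroupMemberCounts                               # answer to Q2 (both counts)
Get-MemberWriteAces | Format-Table -AutoSize        # the ACEs behind Q3
@(Get-MemberWriteAces).Count                        # answer to Q3
```

Deny ACEs are reported alongside Allow ACEs because both shape the resulting access; a WriteProperty ACE scoped to a property set rather than to "member" itself is not matched here and would need the set resolved against the schema.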

You can answer these three simple questions below in a comment, or answer them in my LinkedIn post for today's lesson.

The Importance of Exactness

In Active Directory Security, exactness is very important. In fact, it is paramount because it only takes ONE compromised, malicious or coerced Active Directory privileged user to completely own, compromise and destroy the entire organization.

Here's proof - did you know that almost all major recent cyber security breaches, including JP Morgan, Target, Sony Hack, Snowden, the OPM Breach, Anthem, Avast, the United Nations and others all involved the compromise and misuse of just ONE Active Directory privileged user account.

Perhaps the best way to think of it is this - ask yourself if you would board a flight if I told you that the Metal Detector at the airport was not entirely accurate; you know, one that could do the job with about 75% accuracy (leaving a 25% chance that an explosive device or a firearm could make it past the security checkpoint and on to the plane you're going to be on.)

I know I wouldn't. Would you? (If you care, don't accept approximate answers; demand and expect exact answers.)

That's All for Today

Today's simple challenge is intended to lay the foundation for the next ten challenges, and the level of difficulty will only increase with each challenge, so I encourage everyone to accept and embrace this and all following challenges.

By the way, I decided to start simple because there are many folks who are tuned in, and for some of them even simple ACL analysis may be a first-time experience. So, to experts who may find these early challenges too simple, please wait for the next challenge; no matter how advanced you are in Active Directory Security, you will have a worthy challenge :-)

That's it for today. I'll post Day-5 on July 04, and in it, I'll share the answers, including how I make these determinations, AND I'll share your next challenge, which clearly and directly impacts every organization's foundational cyber security today.

I look forward to your answers - answering these 3 questions shouldn't take more than 10 minutes.

Best wishes,



  2. Looks like my prior comment didn't show up. Just as well, I refined my answers. I added a few OUs, computers, users, and GPOs on my VM so my ACL & ACE #s will be a bit higher. Regardless, the method of finding them is the same.

    1. Exactly how many security permissions (ACEs) are there domain-wide in the corp.local domain?

    PS AD:\> (Get-Acl (Get-ADObject -Filter *)).Access.Count

    2. Exactly how many members does the Domain Admins security group have?

    Directly under Domain Admins:
    PS AD:\> (Get-ADGroupMember -Identity "Domain Admins").Count

    Domain Admins & nested groups/users:
    PS AD:\> (Get-ADGroupMember -Identity "Domain Admins" -Recursive).Count

    3. Exactly how many security permissions in the ACL protecting the Domain Admins security group directly or indirectly impact "Write Property - Member" permissions?

    PS AD:\> ((Get-ACL 'cn=domain admins,cn=users,dc=corp,dc=local').Access | Where {$_.ActiveDirectoryRights -like "*WriteProperty*"}).Count
    In case it’s a trick question again, include other rights that indirectly impact “WriteProperty”:
    PS AD:\> ((Get-ACL 'cn=domain admins,cn=users,dc=corp,dc=local').Access | Where {($_.ActiveDirectoryRights -like "*WriteProperty*") -or ($_.ActiveDirectoryRights -like "*GenericAll*") -or ($_.ActiveDirectoryRights -like "*WriteDACL*") -or ($_.ActiveDirectoryRights -like "*WriteOwner*") -or ($_.ActiveDirectoryRights -like "*GenericWrite*") -or ($_.ActiveDirectoryRights -like "*Self*")}).Count



© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
