Bucaro TecHelp

How to Audit Security Permissions and Access Rights in Active Directory

Active Directory is the foundation of security and IT management in Windows Server-based IT infrastructures. It stores and protects all the building blocks of security, including the user accounts used for authentication, the security groups used for authorization to all resources stored on all servers, and the auditing of all identity and access management tasks. In addition, it is the focal point of administrative delegation in Windows-based environments.

As a result, a substantial amount of access provisioning is done in Active Directory to fulfill business requirements such as the following:

1. Delegation of administrative duties to fulfill IT management needs and gain cost efficiencies

2. Provisioning of access to group owners and managers for project specific group management

3. Provisioning of access to line-of-business and other service accounts of AD integrated services

4. Provisioning of access for in-house or vendor supplied AD integrated applications

5. Provisioning of access for security/other services that assist in identity/access management

In most AD environments, access provisioning has been an ongoing activity for years. As a result, most deployments now contain literally thousands of permissions granting varying levels of access to numerous individuals, groups and service accounts.

The Need to Audit Active Directory Permissions

Auditing Active Directory (AD) permissions is an important and very common need for organizations. It is common because, in every organization, various stakeholders need to know things like:

1. Who has what access in AD?
2. Who has what access on specific objects in AD?
3. Who can perform what operations on specific AD OUs?
4. Who is delegated what administrative tasks, where in AD, and how?

The need to have answers to these questions is driven by various aspects of IT and security management such as:

1. IT audits driven by internal needs and/or regulatory compliance needs
2. Security risk assessment and mitigation activities aimed at managing risk
3. Security vulnerability assessment and penetration testing results

In all such cases, the one commonality is the need to know who has what access in AD, and that one need can be fulfilled by performing an Active Directory access audit.

How to Audit Active Directory Permissions

The need to audit Active Directory permissions is thus a common one, for the reasons stated above. In most organizations, numerous IT personnel in various roles, such as Domain Admins, Delegated Admins, IT Security Analysts, IT Auditors, IT Managers, Application Developers and others, at some point need to find out who has what access in Active Directory, whether on a single Active Directory object, in an OU of objects, or across an entire Active Directory domain.

To fulfill this need, most IT personnel turn to auditing Active Directory permissions, hoping to find out who has what access in AD on one or more objects.

However, there is a very important point that most IT personnel inadvertently miss: what they actually need to find out is not who has what permissions in Active Directory, but who has what effective permissions in Active Directory.

As a result, they continue to invest substantial time and effort in trying to audit AD permissions via command-line tools, scripts and other means. In doing so, they usually not only lose substantial time and effort but, more importantly, end up with inaccurate data; relying on that data can lead to incorrect access decisions, which can introduce unauthorized access in AD and pose a serious security risk.

The reason one needs to know who has what effective permissions in AD, rather than who has what permissions, is that effective permissions determine what access a user actually has in AD. Permissions are the individual ACEs on an object; effective permissions are what those ACEs add up to for a given principal once group membership (including nested groups), inheritance and Deny entries are taken into account, which is why a plain listing of ACEs can differ from what a user can really do.
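To make the difference concrete, here is an added PowerShell example (not from the article or its author) that contrasts the raw ACE list on one AD object with a first-pass effective-rights estimate for a single user. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the object, and placeholder names for the OU and user; the function name and its simplifications are my own.

```powershell
# Added example, not from the article: raw ACE list on one AD object versus
# a first-pass effective-rights estimate for one user. Assumes the RSAT
# ActiveDirectory module (which creates the AD: drive) and read access.
Import-Module ActiveDirectory

function Get-EffectiveAdRights {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,  # e.g. an OU DN
        [Parameter(Mandatory)][string]$SamAccountName      # user to evaluate
    )
    $user = Get-ADUser -Identity $SamAccountName

    # SIDs the user's token would carry: the user, every group reached through
    # any level of nesting (LDAP_MATCHING_RULE_IN_CHAIN), plus the well-known
    # Authenticated Users (S-1-5-11) and Everyone (S-1-1-0) SIDs.
    $chain = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $sids  = @($user.SID.Value) +
             @(Get-ADGroup -LDAPFilter $chain | ForEach-Object { $_.SID.Value }) +
             @('S-1-5-11', 'S-1-1-0')

    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    $allow = [System.DirectoryServices.ActiveDirectoryRights]0
    $deny  = [System.DirectoryServices.ActiveDirectoryRights]0

    foreach ($ace in $acl.Access) {
        # Get-Acl reports account names; compare by SID so renamed or
        # unresolved principals still match the token.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $sid) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor $ace.ActiveDirectoryRights
        } else {
            $deny = $deny -bor $ace.ActiveDirectoryRights
        }
    }

    # Simplifications: every matching Deny is treated as overriding (real ACE
    # ordering lets an explicit Allow beat an inherited Deny), and object-type
    # specific ACEs are counted as if they covered the whole object. Even so,
    # the per-user result already differs from the raw ACE listing.
    [pscustomobject]@{
        Object        = $DistinguishedName
        User          = $SamAccountName
        RawAceCount   = $acl.Access.Count
        TokenSidCount = $sids.Count
        AllowedRights = $allow
        DeniedRights  = $deny
        Effective     = [System.DirectoryServices.ActiveDirectoryRights]($allow -band (-bnot $deny))
    }
}

# Placeholder names; replace with a real OU DN and user in your domain.
Get-EffectiveAdRights -DistinguishedName 'OU=Sales,DC=example,DC=com' -SamAccountName 'jdoe'
```

Comparing RawAceCount with the Effective field for several users on the same OU shows why the ACE list alone does not answer "who has what access": the same ACEs resolve to different effective rights depending on each user's group chain and any Deny entries.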

Copyright © 2001-2021 Bucaro TecHelp, 13771 N Fountain Hills Blvd Suite 114-248, Fountain Hills, AZ 85268