Active directory permissions are a complex beast, at the core of Active Directory you have databases and partitions.
These have access controls lists, there are two types of these:
- DACL
- SACL
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
In active directory auditing these with out of the box tools can be a pain, especially when you are looking to enumerate effective permissions. Luckily a nice chap as made a great PowerShell app which can help you with your auditing activities!
https://github.com/canix1/ADACLScanner
So, a big thanks for https://github.com/canix1 and the people who have contributed to this. It’s a great tool for anyone’s active directory toolkit.
Other tools you might be interested in are:
- Bloodhound
- PingCastle
https://github.com/BloodHoundAD/BloodHound
A cloudy world
These days it’s not just enough to think about on premises services, we also need to consider cloud services.
For this there is SCOUTSUITE from NCC!
https://github.com/nccgroup/ScoutSuite
Summary
Keeping on top of permissions isn’t an easy task, from file servers, cloud directories through to active directory you need to conduct regular audits to ensure your in the right place. There are cloud provider tools to support this as well but getting a view on everything still isn’t a single pane of glass affair for most organisations. Hopefully some of these tools will help you build an accurate and detailed view of your estate effective permissions. Remember, like most things in security, if the salesman sounds too good to be true, it’s probably because it is! I think a certain British spy had a good phrase for this:
“Goverments change. The lies stay the same.” – James Bond