Active Directory Security and Active Directory Delegation play a mission-critical role in global security and present an open challenge. A good Active Directory Audit Tool / Active Directory Reporting Tool / Active Directory Auditing Tool / Permissions Analyzer for Active Directory can help Audit Active Directory, generate Active Directory Reports and mitigate Active Directory Risks such as Active Directory Privilege Escalation, and find out who can reset your windows password.
Saturday, October 27, 2012
Active Directory is one of the most ubiqutously used technologies in the world today, because virtually all organizations that operate on Microsoft's Windows Server platform are powered by Active Directory.
Active Directory plays a central role in IT security, regulatory compliance and identity and access management today because all critical aspects of IT security such as authentication, authorization and auditing are completely integrated with Active Directory.
Active Directory Security is thus rapidly becoming a very important component of organizational IT security, as organizations realize that the very foundation of their security may be vulnerable.
Because of the vital role of Active Directory in IT security today, it is increasingly vulnerable to attacks, both from insider the perimiter and from the outside, espesiclaly by sophisticated hackers seeking to compromise the security.
In fact, even the US Department of Homeland Security runs on Active Direcotry and a recent audit showed that it too may be vulnerable to attack - http://www.identitysecurityandaccessblog.com
Active Directory Security risks thus loom large and organizations are actively taking steps to ensure that the security of their Active Directory is also adequately protected.
Friday, October 26, 2012
It has been quite some time since I blogged. I had started this blog in 201 when I was between jobs. Since I started my previous job, things have been very busy not giving any time for blogging.
Anyway, as a part of my job responsibilities at work, I was recently tasked with performing an audit of our Active Directory Security, and in particular, auditing who had what permissions in our Active Directory.
So I went looking for a tool to analyze permissions in our Active Directory. My research was largely restricted to searching the Internet on Google, and I came across two products that could do this for us - one was a free tool called Liza, and one was called Gold Finger for Active Directory. I tried them both out and I was really impressed with one of the, so I thought of blogging about it.
Permission Analyzer for Active Directory
In my opinion, Gold Finger for Active Directory is the best permissions analyzer for Active Directory because it allowed us to do exactly what we needed to do, i.e find out who has what permissions where in our Active Directory, and how.
For example, we needed to find all Explicit Allow Reset Password Extended Right permissions in a specific OU and we were able to do so in about 30 seconds, because it let us specify that exact combination of permissions to select from, and then it went and searched the OU for all objects in whose ACL there were security permissions matching this combination.
We also reviewed LIZA but it was not half as capable, because it lacked many capabilities, including most importantly the ability to specify the exact permissions we wanted to look for. Besides, it is free and our security policies do not allow us to deploy free products in our environment
It also had half a dozen other capabilities but we were mostly interested in its permission analyzer capabilities for Active Directory, so that is the only capability we reivewed.
If you're looking for a good permission analyzer for Active Directory, I recommend checking it out - http://www.active-directory-permissions-analyzer.com/
Saturday, June 19, 2010
The Kerberos protocol is obviously not only an industry standard but as such offers numerous advantages over NTLM, some of which include -
- Mutual Authentication - This means that not only can clients authenticate to a server, but that the client can request that the server too authenticate itself to the client, and this undoubtedly helps enhance security by ensuring that clients authenticate themselves to genuine servers.
- Faster Authentication -The use of the TGTs substantially enhances the speed with which authentication can take place in distributed systems, and this certainly facilitates more efficient and secure network accesses across the enterprise.
- Support for Delegation - Kerberos enabled security delegation, which essentially allows a server to impersonate a client when accessing remote resources, and this really helps provide trustworthy security in multi-tier application scenarios.
- Support for PKI Integration - Through the Kerberos PKINIT extension, Kerberos provides support for smartcard logons, and this substantially enhances security because it obviates the need for passwords, allowing the use of smart-cards in lieu.
All in all, Kerberos really makes Windows Server powerful enough to provide enterprise grade distributed security, and in fact today its use is so ubiquitous and prevalent across the world.
Wednesday, May 12, 2010
In fact, without Kerberos authentication, single-sign-on would largely not be possible in a Windows Server based environment, and the thousands of distributed security accesses that organizational employees engage in every day, whether sending email, navigating to an intranet portal or accessing a file on a server, would largely be much harder and certainly not seamless.
In this blog, I plan to take a look at numerous vital aspects of Kerberos, so IT admins can better understand its importance, identify how to configure and manage it, and learn about some cool tips and tricks that could optimize performance and enhance security.
Should you have any questions, you can leave your question via a comment.