Saturday, October 27, 2012

Active Directory Security Risks Loom Large


Active Directory is one of the most ubiqutously used technologies in the world today, because virtually all organizations that operate on Microsoft's Windows Server platform are powered by Active Directory.

Active Directory plays a central role in IT security, regulatory compliance and identity and access management today because all critical aspects of IT security such as authentication, authorization and auditing are completely integrated with Active Directory.

Active Directory Security is thus rapidly becoming a very important component of organizational IT security, as organizations realize that the very foundation of their security may be vulnerable.

Because of the vital role of Active Directory in IT security today, it is increasingly vulnerable to attacks, both from insider the perimiter and from the outside, espesiclaly by sophisticated hackers seeking to compromise the security.

In fact, even the US Department of Homeland Security runs on Active Direcotry and a recent audit showed that it too may be vulnerable to attack - http://www.identitysecurityandaccessblog.com

Active Directory Security risks thus loom large and organizations are actively taking steps to ensure that the security of their Active Directory is also adequately protected.

Friday, October 26, 2012

Permissions Analyzer for Active Directory


It has been quite some time since I blogged. I had started this blog in 201 when I was between jobs. Since I started my previous job, things have been very busy not giving any time for blogging.

Anyway, as a part of my job responsibilities at work, I was recently tasked with performing an audit of our Active Directory Security, and in particular, auditing who had what permissions in our Active Directory.

So I went looking for a tool to analyze permissions in our Active Directory. My research was largely restricted to searching the Internet on Google, and I came across two products that could do this for us - one was a free tool called Liza, and one was called Gold Finger for Active Directory. I tried them both out and I was really impressed with one of the, so I thought of blogging about it.

Permission Analyzer for Active Directory

In my opinion, Gold Finger for Active Directory is the best permissions analyzer for Active Directory because it allowed us to do exactly what we needed to do, i.e find out who has what permissions where in our Active Directory, and how.


 
In addition, it also allowed us to look for specific permissions anywhere in the Active Directory.

For example, we needed to find all Explicit Allow Reset Password Extended Right permissions in a specific OU and we were able to do so in about 30 seconds, because it let us specify that exact combination of permissions to select from, and then it went and searched the OU for all objects in whose ACL there were security permissions matching this combination.

We also reviewed LIZA but it was not half as capable, because it lacked many capabilities, including most importantly the ability to specify the exact permissions we wanted to look for. Besides, it is free and our security policies do not allow us to deploy free products in our environment

It also had half a dozen other capabilities but we were mostly interested in its permission analyzer capabilities for Active Directory, so that is the only capability we reivewed.

If you're looking for a good permission analyzer for Active Directory, I recommend checking it out - http://www.active-directory-permissions-analyzer.com/

Thanks.