When I perform AD security assessments I always ask for a list of privileged users and the controls over that list. Then I collect real evidence from domain controllers and compare it to the list and controls provided. I've never once failed to find privileged users that management was not aware of. Ineffective controls, or failure to follow controls, certainly contributes to this; but let's also face it: it's really difficult to keep a handle on everyone with admin access. There are so many ways to grant admin authority, and there's no place in Windows you can go to see them all in one pane of glass. Let me count the ways:
1. Built-in groups like Domain Admins (that's a gimme)
2. Groups nested in Domain Admins, et al.
3. Organizational unit permissions
4. Admin-equivalent rights on domain controllers
5. Users with password reset authority over other users
6. Users with knowledge of any privileged service account's password
7. Users with write access to GPOs applied to DCs or to servers running applications with domain-privileged access
8. Users with access to any AD management solution
9. Or to the OS or DB that hosts that solution
10. Virtualization infrastructure admins
11. Physical access
The biggest ones where I invariably have the most findings are 1-6.
In this real training for free ™ webinar I will show you how to assess and catalog all users with any level of privileged access to AD. I'll show you how to use tools like PowerShell and the “ds” commands to script as much of this as you can. Some of the most difficult tasks are:
- Tracing out nested groups to get a flat, normalized list of everyone ultimately a member of one of the built-in admin groups
- Finding objects in the organizational unit hierarchy with non-inherited permissions
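Both of those tasks script well with the ActiveDirectory module. The block below is an added example, not code from the webinar or its sponsor: `Get-FlatGroupMembers` walks group nesting recursively (with a visited set so circular nesting terminates) and tags each principal with the chain of groups that led to it, and `Get-ExplicitAces` lists every ACE on the domain head, OUs and containers that was set directly on the object rather than inherited. The list of admin groups and the `AD:` PSDrive path syntax are assumptions about a default single-domain setup.

```powershell
# Added example (not from the original page). Requires the RSAT ActiveDirectory
# module and read access to the domain. Run as any domain user with default
# read permissions; no admin rights are needed to enumerate this data.
Import-Module ActiveDirectory

function Get-FlatGroupMembers {
    # Recursively expands a group and returns each non-group member once per
    # nesting path. $Visited prevents infinite loops on circular nesting
    # (A contains B contains A) and skips groups already expanded.
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string[]]$Path = @(),
        [System.Collections.Generic.HashSet[string]]$Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    if (-not $Visited.Add($GroupDN)) { return }
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    $chain = $Path + $group.Name
    foreach ($memberDN in $group.member) {
        # Members from other domains appear as foreignSecurityPrincipal objects;
        # they resolve here but carry no sAMAccountName, so keep the DN too.
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-FlatGroupMembers -GroupDN $obj.DistinguishedName -Path $chain -Visited $Visited
        } else {
            [pscustomobject]@{
                Principal   = $obj.sAMAccountName
                DN          = $obj.DistinguishedName
                ObjectClass = $obj.objectClass
                Via         = ($chain -join ' > ')
            }
        }
    }
}

function Get-ExplicitAces {
    # Returns ACEs that are set directly on the domain head, OUs and containers
    # under $SearchBase (IsInherited -eq $false). These are the delegations that
    # fall outside the built-in groups and are easiest to lose track of.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($o in Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter) {
        $acl = Get-Acl -Path ('AD:\' + $o.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{
                Object      = $o.DistinguishedName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                Type        = $ace.AccessControlType
                ObjectType  = $ace.ObjectType      # attribute/extended-right GUID; all-zero GUID = everything
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Assumed list of built-in admin groups to flatten. Enterprise Admins and
# Schema Admins exist only in the forest root domain, hence the existence check.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

$flat = foreach ($name in $adminGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($grp) { Get-FlatGroupMembers -GroupDN $grp.DistinguishedName }
}
$flat | Sort-Object Principal, Via -Unique | Format-Table -AutoSize

# Explicit ACEs, minus the identities that are expected to hold them everywhere.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\Authenticated Users'
Get-ExplicitAces | Where-Object { $_.Identity -notin $expected } |
    Sort-Object Object, Identity | Format-Table Object, Identity, Rights, Type -AutoSize
```

Two gaps to keep in mind when reading the output. A user whose primary group (primaryGroupID) is set to an admin group does not appear in that group's `member` attribute, so filter users on `primaryGroupID` (512 for Domain Admins, for example) separately. And the ACE list deliberately shows only explicit entries; an ACE set high in the tree and inherited down is still a grant, it just has one place to be reviewed.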
Once you've cataloged every privileged user, what's the next step? Remediation, of course. Great. But that is just a point in time. Don't repeat this process every few months; that's neither efficient nor continuous security. Instead, how do you detect when new privileged access grants occur through any of the direct and indirect ways listed above?
I'll show you what the Windows Security Log has to offer. Some of the relevant events are high-volume and noisy, and it isn't particularly pretty, but it's possible.
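As an added illustration of what the Security Log offers for this (example code, not the webinar's or the sponsor's), the block below pulls the group-membership and password-reset events from every domain controller and flags the ones that touch a privileged group. Event IDs are the standard ones: 4728, 4732 and 4756 fire when a member is added to a security-enabled global, local or universal group respectively, and 4724 fires on a password reset attempt. The indirect case is handled by extending the watch list with every group nested under an admin group via the LDAP_MATCHING_RULE_IN_CHAIN filter, because adding someone to a nested group logs an event naming the nested group, not Domain Admins. The lookback window and the admin-group SIDs are assumptions for a default domain; the output is meant to be joined against the flattened privileged-user list from the assessment.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory
# module, rights to read the Security Log on each DC, and the default
# "Audit Security Group Management" and "Audit User Account Management"
# subcategories enabled on the DCs.
Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known SIDs of the built-in admin groups (assumed single-domain forest;
# Schema/Enterprise Admins resolve only in the forest root).
$watched = @{
    "$domainSid-512" = 'Domain Admins'
    "$domainSid-518" = 'Schema Admins'
    "$domainSid-519" = 'Enterprise Admins'
    'S-1-5-32-544'   = 'Administrators'
    'S-1-5-32-548'   = 'Account Operators'
    'S-1-5-32-549'   = 'Server Operators'
    'S-1-5-32-550'   = 'Print Operators'
    'S-1-5-32-551'   = 'Backup Operators'
}

# Indirect grants: every group transitively nested under a watched group is
# itself a privileged group, so add it to the watch list.
foreach ($sid in @($watched.Keys)) {
    $top = Get-ADGroup -Filter "SID -eq '$sid'" -ErrorAction SilentlyContinue
    if (-not $top) { continue }
    Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($top.DistinguishedName))" |
        ForEach-Object { $watched[$_.SID.Value] = "$($_.Name) (nested in $($top.Name))" }
}

function Get-PrivilegeGrantEvents {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [datetime]$Since = (Get-Date).AddDays(-1)   # assumed lookback window
    )
    foreach ($dc in $DomainController) {
        # Each DC logs only the changes it processed, so every DC must be queried.
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4728, 4732, 4756, 4724; StartTime = $Since
        }
        foreach ($e in $events) {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            if ($e.Id -eq 4724) {
                # Password reset: every reset is reported; narrow it by joining
                # Target against the privileged-user list from the assessment.
                [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; Event = 'PasswordReset'
                                   Actor = $actor; Target = "$($d.TargetDomainName)\$($d.TargetUserName)"
                                   Group = $null }
            } elseif ($watched.ContainsKey($d.TargetSid)) {
                # 4728/4732/4756: TargetSid is the group, MemberName the new member.
                [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; Event = 'GroupMemberAdded'
                                   Actor = $actor; Target = $d.MemberName
                                   Group = $watched[$d.TargetSid] }
            }
        }
    }
}

Get-PrivilegeGrantEvents | Sort-Object Time | Format-Table Time, DC, Event, Actor, Target, Group -AutoSize
```

This covers ways 1, 2 and 5 from the list. OU permission changes (way 3) show up as event 5136 (a directory service object was modified) only when Directory Service Changes auditing is enabled and a SACL on the OU covers writes to nTSecurityDescriptor; that event is far noisier than the four above, which is the trade-off the webinar discusses.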
Then Brad Bussie, from our sponsor STEALTHbits, will show you their 3-point solution that helps you assess, remediate and monitor all aspects of your environment but in particular I think you'll be impressed with the deep automated analysis they perform on the above issues. Some of the reports you'll see are amazing when you understand what went into compiling them.