Are you able to instantly identify who has access to the sensitive data in your Active Directory? Sometimes, answering “who has access to what?” in your IT environment can be difficult. Knowing who has permission to what enables IT teams to ensure that the right users have the right levels of access to the right data. This is a critical part of enforcing the principle of least privilege, where users only have access to the data they need to do their job. Probably the only effective way to protect your Active Directory permissions is by continuously monitoring and auditing Active Directory changes.
Securing permissions natively
The level of access delegated to objects in the domain is defined by permissions, and these need to be regularly reviewed. Changes made to these access rights could potentially have a detrimental effect on the normal functioning of the network infrastructure. Analyzing these modifications allows admins to make sure that privileged authority over the network is not misused or weakened. There are numerous methods by which to keep a check on permissions using native auditing.
The first is to view the permission in the object properties. The below screenshot displays permissions held by users and groups on an Organizational unit:
Figure 1: Permissions held by objects in an Organizational unit
The second method is to use the “DSACLS” command in Windows PowerShell, followed by the distinguished name of the object.
The following image shows the list of permissions held by a user:
Figure 2: Permissions of a user displayed in Command Prompt
In addition to the two methods above, you can also monitor permission changes with the help of consolidated reports from third-party PowerShell scripts, although these scripts should only be used after stringent security checks.
Why audit permission changes?
Information about access rights helps IT teams identify whether confidential information and intellectual property is at risk. The best method for identifying permission changes is by conducting stringent and continuous Active Directory auditing practices.
Let’s take a look at the steps involved in auditing permission changes natively:
- The first step is to enable “DS Access” on the domain controller, from the list of policies displayed when you double-click “Active Directory Service Changes”. This can be done by accessing “Group Policy Management Editor”.
- In “ADSI Edit”, access the top node under “Domain Naming Context”. Add an audit entry “Everyone” and select only “Modify Permissions” from the permission list.
- Search for the event ID 5136 in “Event Viewer”.
Figure 3: Event Properties – Permission Changes
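Once the three steps above are in place, the 5136 events can be filtered down to permission changes in PowerShell instead of being read one by one in Event Viewer. The following is an added example, not part of the original article or of any Lepide product; the function name Get-PermissionChange and the sample events (user jdoe, domain EXAMPLE, the Finance OU, the SDDL strings) are constructed for illustration.

```powershell
# Added example: pull permission (ACL) changes out of event ID 5136 records.
# Live use on a DC:  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } |
#                        ForEach-Object { $_.ToXml() } | Get-PermissionChange
function Get-PermissionChange {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Collect the named <Data> fields into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # 5136 covers any audited attribute write; an ACL edit writes nTSecurityDescriptor.
        if ($d['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { return }
        [pscustomobject]@{
            Time      = $evt.System.TimeCreated.GetAttribute('SystemTime')
            Who       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ObjectDN  = $d['ObjectDN']
            # %%14674 = Value Added (new ACL), %%14675 = Value Deleted (old ACL)
            Operation = switch ($d['OperationType']) {
                '%%14674' { 'Added' }
                '%%14675' { 'Deleted' }
                default   { $_ }
            }
            Sddl      = $d['AttributeValue']
            OpId      = $d['OpCorrelationID']  # same value on both halves of one change
        }
    }
}
# Constructed sample events (not real log data): one ACL change logged as a
# Deleted/Added pair, plus an unrelated attribute write that must be ignored.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2024-01-15T09:30:0{0}Z"/></System>
  <EventData>
    <Data Name="OpCorrelationID">{{11111111-2222-3333-4444-555555555555}}</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">OU=Finance,DC=example,DC=com</Data>
    <Data Name="AttributeLDAPDisplayName">{1}</Data>
    <Data Name="AttributeValue">{2}</Data>
    <Data Name="OperationType">{3}</Data>
  </EventData>
</Event>
'@
$samples = @(
    $template -f 1, 'nTSecurityDescriptor', 'D:AI(A;;RPWP;;;DA)', '%%14675'
    $template -f 2, 'nTSecurityDescriptor', 'D:AI(A;;RPWP;;;DA)(A;;GA;;;AU)', '%%14674'
    $template -f 3, 'description', 'Finance team OU', '%%14674'
)
$samples | Get-PermissionChange | Format-Table Time, Who, Operation, ObjectDN, Sddl -AutoSize
```

A Deleted/Added pair that shares one OpId is a single ACL edit; comparing the two Sddl values shows which access control entry was added or removed.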
The downsides of native methods, including the fact that they are time-consuming and laborious, often result in IT teams not performing Active Directory audits regularly enough.
The sheer volume of event files created can cause log rollovers over a period. Events in the form of scattered and unmanageable logs make it difficult for IT professionals to extract the information they need. The native methods of auditing, when implemented in large Active Directory environments, are often directly at fault for wasted time and a drop in productivity.
LepideAuditor – Audit Active Directory with ease
LepideAuditor for Active Directory is an automated auditing solution with numerous detailed reports that give actionable insight into changes taking place in your IT environment. These reports and alerts can be delivered in real time, to help you take quicker action.
The below image is a snapshot of a “Permission Modifications” report generated to audit permission changes. It gives you a summary of the who, what, where, and when of permission changes in Active Directory:
Figure 4: Permissions Modifications Report – LepideAuditor
LepideAuditor also has a dedicated section to highlight all historical changes in the permissions of Active Directory Objects. You can use it to compare the permissions of the selected object between two intervals. In addition to this, LepideAuditor has numerous reports on permissions, audit settings and ownership details of the Active Directory objects.
Lepide’s Object Restore Wizard captures backup snapshots at periodic intervals containing the state of Active Directory objects, which can be used in the future to restore unwanted changes.
Download a free trial of LepideAuditor today to see how you can easily implement it into your IT environment and get a stronger hold on what’s happening in your Active Directory.