As an MVP in Directory Services, I feel it is my job, duty, and responsibility to share, explain, and provide feedback into past, current, and future technologies that Microsoft provides with regards to Windows and Active Directory. Microsoft has a recent video on privilege access management for Active Directory which merits some explanation and feedback. Now, before I give you the link to the video, I want to give you a bit of insight into my view of securing Active Directory, which in turn might help you understand my angle on the Microsoft video.

When looking at Active Directory and Windows servers, there are many ways to grant elevated privileges. Teaching admins and auditors over the past 15 years on how to configure and report on these settings, my approach has proven to be successful and beneficial. In summary, the following are the key ways to grant elevated privileges to users within Active Directory and over Windows servers:

    • Group membership (default privileged groups)

      • Domain admins

      • Administrators

      • Administrators (local)

      • Backup operators

      • Etc.

    • User Rights

    • Permissions (Access Control Lists/ACLs)

      • Files

      • Folders

      • Registry keys

      • Active Directory objects

      • Services

Discovering each and every instance where the incorrect users have too much privilege can be difficult, and in many instances, nearly impossible. Tools such as ADManager Plus, ADAudit Plus, Dumpsec, PowerShell, and dsacls.exe provide insight into many of these settings for reporting and analysis purposes.

Track all actions performed by privileged accounts with ADAudit Plus. Download free trial.

Now, Microsoft has a different view on these elevations and the issue around hackers accessing Active Directory with elevated privileges. The video link provided is of a presentation by Microsoft employee Mark Wahl at the 2014 TechEd Europe. Here is that link:

https://channel9.msdn.com/Events/TechEd/Europe/2014/EM-B214 

I encourage you to view the video in its entirety, either now or later. Please, don’t just view a portion, as you might miss some key aspects. After you view it, you might share some of my initial concerns below. (Remember, this technology is not available to even MVPs yet!)

      • You must install an entire new FOREST!

      • You must install your new forest with the new OS from Microsoft.

      • To be fully functional, you ALSO need to purchase and install the new MIM from Microsoft.

      • Users need to use PowerShell to request group membership (really?).

      • Users must make an additional login (​RunAs) into the old forest after making the request to the new forest.

These are just a few issues that I have, not to mention the old forest and domains will not be updated with good security configurations! There is no mention of these key factors in the video.

That  being said, over the next few blog posts, I will be giving everyone solutions on how to report and what to look for with regard to the key ways  users can be granted elevated privileges.

This site uses Akismet to reduce spam. Learn how your comment data is processed.