A lot of effort goes into protecting data and devices.
Each branch office gets perimeter defense with a four- or five-digit budget. Connections from outside come in over VPN and are secured with multi-factor authentication. At the edge of the network sits an appliance running deep packet inspection on every packet, and an anti-malware agent runs on every desktop. Some organizations filter requests at the DNS server, and some still run a proxy server. And at the very end of it, there's a SIEM collecting events from every source in the network, file operations included.
And still, something happens almost every day. Afterward, everyone is wiser.
It’s no secret that many security problems come from the inside.
Quite often it's unintentional: an oversight, or a mistake induced through social engineering that abuses inexperience or good faith.
But in some cases, the damage is fully intended by an (ex-)employee, and that's what we call an insider threat.
The keyword is user access management, and Microsoft publishes best practices and other content on this topic on its website. The principle of least privilege is also a core requirement of many regulations.
Establishing, maintaining, reviewing, and documenting an access management concept doesn't necessarily require special tools. In reality, though, no one in any IT function has the time to do these tasks with on-board tools alone, and an auditor requires more evidence than a text file.
So, let me introduce you to some tools. Good news: two of these are completely free!
Permission Analyzer for AD (PAFT)
First of all, here comes Permission Analyzer for AD (PAFT).
This free tool displays the access rights of a user or a security group on a network share, or on a local file or folder. PAFT doesn't just check share permissions but NTFS permissions as well, so what it reports is the effective permission, i.e. the intersection of the two. By the way, PAFT is among our most mature free tools and has been available since 2011.
The install is a quick one, but Microsoft .NET Framework 3.5 is required, so I suggest deploying it upfront.
On first start, it asks for an AD account to query with, and you can add several accounts.
A check is one click further and takes two inputs: a user (or group) and a resource.
The next screenshot shows my permission on a share called “test:”
Now, a different account but the same resource:
The tool shows the same data as the "Effective Permissions" tab within Windows, but it's faster and more convenient when checking multiple users or destinations, and it provides more information than Get-SmbShareAccess, which only returns the share-level ACL and says nothing about the NTFS permissions underneath it.
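As an added example (this is not PAFT's code and not part of the original article), here is the same effective-permission calculation done with nothing but on-board PowerShell. It also makes the Get-SmbShareAccess point concrete: the share ACL is read with that cmdlet, the NTFS ACL of the share root with Get-Acl, and the user's effective right is the intersection of the two after nested group membership and Deny entries have been resolved. The ActiveDirectory and SmbShare modules, the account name jdoe, and the server fs01 are assumptions; the share name "test" is the one from the screenshots above.

```powershell
# Added example (not from the article or any SolarWinds tool): approximate the
# effective permissions PAFT reports, using only on-board PowerShell.
# Assumes the ActiveDirectory and SmbShare modules are available and the caller
# can read the share ACL on $Server and the NTFS ACL of the share root.
# Share rights are mapped onto NTFS flags (Full -> FullControl,
# Change -> Modify, Read -> ReadAndExecute); "Custom" share rights are skipped.
function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Share
    )
    Import-Module ActiveDirectory, SmbShare -ErrorAction Stop

    # 1. Build the user's token: own SID, primary group, every group reachable
    #    through nested membership (LDAP_MATCHING_RULE_IN_CHAIN), plus the
    #    well-known SIDs every domain logon carries. DNs containing
    #    parentheses or backslashes would need LDAP escaping first.
    $user  = Get-ADUser -Identity $Identity -Properties PrimaryGroup
    $token = [System.Collections.Generic.HashSet[string]]::new()
    [void]$token.Add($user.SID.Value)
    [void]$token.Add((Get-ADGroup -Identity $user.PrimaryGroup).SID.Value)
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { [void]$token.Add($_.SID.Value) }
    'S-1-1-0', 'S-1-5-11' | ForEach-Object { [void]$token.Add($_) }   # Everyone, Authenticated Users

    # 2. Reduce an ACE list to what the token holds: union of matching Allow
    #    rights minus union of matching Deny rights.
    function Resolve-Rights($aces) {
        $allow = 0; $deny = 0
        foreach ($ace in $aces) {
            if (-not $token.Contains($ace.Sid)) { continue }
            if ($ace.Type -eq 'Allow') { $allow = $allow -bor [int]$ace.Rights }
            else                       { $deny  = $deny  -bor [int]$ace.Rights }
        }
        [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
    }

    # 3. Share-level ACL, translated to SIDs and NTFS-style flags.
    $shareMap  = @{ Full = 'FullControl'; Change = 'Modify'; Read = 'ReadAndExecute' }
    $shareAces = Get-SmbShareAccess -Name $Share -CimSession $Server | ForEach-Object {
        $right = $shareMap[$_.AccessRight.ToString()]
        if (-not $right) { return }                       # 'Custom' is not modelled here
        try {
            $sid = [System.Security.Principal.NTAccount]::new($_.AccountName).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { return }                                # name no longer resolves; skip
        [pscustomobject]@{
            Sid    = $sid
            Type   = $_.AccessControlType.ToString()
            Rights = [System.Security.AccessControl.FileSystemRights]$right
        }
    }
    $shareRights = Resolve-Rights $shareAces

    # 4. NTFS ACL of the share root (explicit and inherited entries), requested
    #    with SID identities so orphaned SIDs are handled like any other entry.
    $acl      = Get-Acl -Path "\\$Server\$Share"
    $ntfsAces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            [pscustomobject]@{
                Sid    = $_.IdentityReference.Value
                Type   = $_.AccessControlType.ToString()
                Rights = $_.FileSystemRights
            }
        }
    $ntfsRights = Resolve-Rights $ntfsAces

    # 5. Over SMB the effective right is the intersection of both layers.
    [pscustomobject]@{
        Identity  = $Identity
        Resource  = "\\$Server\$Share"
        Share     = $shareRights
        NTFS      = $ntfsRights
        Effective = [System.Security.AccessControl.FileSystemRights]([int]$shareRights -band [int]$ntfsRights)
    }
}

# Usage (names are assumptions): compare two accounts against the same share.
Get-EffectiveShareAccess -Identity jdoe   -Server fs01 -Share test
Get-EffectiveShareAccess -Identity asmith -Server fs01 -Share test
```

This only looks at the share root; PAFT checks a specific file or folder, and a sub-folder with its own explicit ACEs can differ. The script also ignores owner-implied rights and does not distinguish the object ACE flags, which is precisely the bookkeeping a purpose-built tool does for you.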
PAFT can be quite useful for IT help desks, too, as it allows you to check user permissions on the fly and even remotely when working on a ticket.
Access Rights Auditor (ARA)
Next in line is Access Rights Auditor. ARA is one of our latest free tools and offers more complex AD scans, including a list of possible risks caused by less than optimal access management.
There’s excellent documentation available here, so I won’t waste too much time with details in this article. A short introduction will do.
ARA doesn’t require an install. It’s just a click away!
The result of a scan looks like this:
And one more click shows details for a specific risk:
And where it applies:
ARA shows share permissions, too, but not as detailed as PAFT:
That’s it. Nice and easy, quick and…free.
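To make the "risk" idea concrete, here is an added example that is not ARA's own code and not part of the original article: a small on-board PowerShell scan that walks a folder tree and reports two of the conditions such a tool flags. The first is an ACE whose SID no longer resolves to any account, the orphaned entry left behind when a user or group was deleted without cleaning up permissions. The second is a broad principal (Everyone, Authenticated Users, Domain Users) holding write-level rights. The path D:\Shares\test is an assumption.

```powershell
# Added example (not ARA's code): a minimal on-board risk scan over a folder
# tree. Reports explicit ACEs held by SIDs that no longer resolve to an
# account, and broad principals that hold write-level rights.
function Find-AclRisk {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Depth = 3
    )
    # Broad principals: well-known SIDs plus Domain Users (<domain SID>-513),
    # resolved for the current domain if the machine is domain-joined.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }
    try {
        $domainUsers = [System.Security.Principal.NTAccount]::new("$env:USERDOMAIN\Domain Users").Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
        $broad[$domainUsers] = 'Domain Users'
    } catch { }   # not domain-joined; skip Domain Users

    # Rights that let a principal change content, permissions or ownership.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        # Explicit entries only ($false for inherited), so each orphaned ACE is
        # reported once, at the folder where it was actually set.
        foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            $sid  = $ace.IdentityReference.Value
            $name = $null
            try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

            if (-not $name) {
                # Translation failed: the account behind this SID is gone.
                [pscustomobject]@{
                    Path = $dir.FullName; Risk = 'Unresolved SID (orphaned ACE)'
                    Principal = $sid; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                }
                continue
            }
            if ($broad.ContainsKey($sid) -and $ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band [int]$writeMask)) {
                [pscustomobject]@{
                    Path = $dir.FullName; Risk = "Write access for $($broad[$sid])"
                    Principal = $name; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                }
            }
        }
    }
}

# Usage (path is an assumption): run against a share root and tabulate findings.
Find-AclRisk -Path 'D:\Shares\test' -Depth 4 | Format-Table -AutoSize
```

Run it as an account that can read the ACLs but does not need write access to the data. An orphaned Deny entry is harmless, but an orphaned Allow entry becomes a problem as soon as the deleted account's SID is reused, for instance by a SID-history migration, which is why these entries are worth cleaning up rather than ignoring.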
Access Rights Manager (ARM)
ARM is well-known already, and it's essentially the grown-up version of ARA.
There are now two ARM editions (one ARM would be so sad, wouldn't it...): ARM-AE (Audit Edition) and the full version. Neither is freeware, but the evaluation isn't limited in features and lets you try it out for 30 days.
What’s the difference between the two versions? More on that below.
Once the database has been set up, all you need to do to run ARM is scan AD and a fileserver, and just a few minutes later, you’ll have a dashboard with typical usage scenarios.
More use cases are available here, so I’ll keep it short: ARM is an all-in-one solution for access rights management. The usual questions of who, when, what, and why can be resolved out-of-the-box, and both brief summaries and detailed reports can be created with a few mouse clicks. A risk analysis similar to ARA is available and shows even more details.
The difference between the two editions is a set of additional features aimed at the help desk.
For example, how much time does it take to assign access permissions to an employee? An employee working on a new project needs access to specific resources and logs a ticket. The technician working on the ticket first has to identify the necessary resources, then request approval from the owner of the resource (or at least a line manager), and finally apply the change to the account.
How nice would it be if such a request could be forwarded to the data owner directly, who just needs to click once to finish the process?
Well, that’s possible, in addition to more routine tasks around AD management.
So, in a nutshell, what tool to use for what job?
PAFT:
- Effective permissions for folders and files
- Ad hoc search for individual accounts or groups

ARA:
- Analyze access rights
- Display risks based on excessive permissions
- Point out possible problems such as unresolved (unknown) SIDs

ARM:
- All-in-one solution for managing user access rights
- In-depth analysis of permissions and potential issues
- Permanent documentation, including audits
- Workflow automation for helpdesk and business processes
Give it a try!