Yep, as sucky a method as it is, it is something that has been floating around as *a* method for years and years to work out the Windows security related uses. I know I started mentioning it to folks once I noticed non-security groups maintained their SID. I find causing temporary, easy to reverse pain much more desirable than deleting it and finding slightly longer lived pain.
For the general question though, actually chasing down everywhere a group is used is a tremendously difficult task and I am not aware of any tool that can do it for every single possible use. The solution is truly to have very good process around the use of groups and a tight support definition around their use. This is one of the reasons why I like local and domain local resource groups, the scope is naturally limited.

So, you may ask, where all can the groups be used? The answer is anywhere that a SID or a DN can be specified. To name a few...

1. Windows Security Descriptors - this includes any kernel securable objects that can accept a security descriptor as well as many other objects that have "customized" ACL-like definitions like the customSD for event logs. A partial list of the "official" securable objects off the top of my head:
   o Active Directory Objects
   o SAM Objects (users and groups on member machines)
   o File System Objects (files/directories)
   o Threads/Processes
   o Synchronization objects (mutexes, events, semaphores, timers)
   o Job Objects
   o Network shares
   o Printers
   o Services
   o As of 2003 SP1 the Service Control Manager itself
   o Registry keys
   o Windows Desktops and Window Stations
   o Access tokens
   o File Mapping objects
   o Pipes (named or anonymous)
   Basically anything that allows you to pass in a SECURITY_ATTRIBUTES structure when creating the object, plus more....

2. Microsoft supplied Windows based applications. This includes things like ADAM, SQL Server, Exchange, SharePoint, etc etc etc ad nauseam.

3. Third party applications that run on Windows and were written "properly" to take advantage of Windows security. This list could be long and wide, there are hundreds of thousands of Windows applications out there.

4. Third party applications that run on Windows and were written incorrectly to take advantage of Windows security. These apps don't use Windows security descriptors, they use custom security structures but rely on SIDs or GUIDs (if they are smart) or names or DNs otherwise.

5. Ditto #4 but running on non-Windows platforms.

6. Applications that use the groups for something other than security. For instance an IM app that uses groups for contact lists or an email app using groups for mail distribution.

Numbers 3-6 are exceptionally hard to trace because in all but limited cases, it is pretty much guaranteed no well known, well used interface is available to enumerate this info. You are completely dependent on how well you understand your environment and how well you know the underpinnings of what is running in that environment.

7. Any attribute in AD or ADAM or in fact any directory that takes a DN, GUID, Text, or SID. As an example here, in an Exchange/LCS enabled R2 Forest there are 195 DN NON-Backlink type attributes alone, roughly 20 SID attributes, who knows how many GUID attributes (they aren't marked as GUIDs, you get to guess...), hundreds of string types, etc.

8. Cross forest uses which are represented through FSPs in the foreign forests.

9. Privileges/Rights (in GPOs or security policy files)

This is just the stuff I can think of off the top of my head between writing this and smoothing out the moving parts in AdMod for general release. I am sure there is more. It is something that I have sat down and thought about multiple times through the years and have code in various stages of development to try and generate reports or running databases of the current use of security principals. If anyone tells you they can give you a comprehensive list and you have anything but the simplest Windows only environment which is well locked down by process/procedure (i.e. you don't even need the list), you can probably assume they are trying to sell you the moon or they don't actually understand the scope of the issue.
I would generally assume the latter because there are quite a few folks who think they understand Windows security that really don't[1]. I often am not sure if I understand it. :)

joe

[1] Try not to attribute to malice that which is adequately ascribed to ignorance. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Parker
Sent: Thursday, September 07, 2006 12:08 PM
To: ActiveDir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

We met with the Microsoft Identity and Access Management product group recently and this was mentioned as the method used internally.

Patrick

Patrick Parker . The Dot Net Factory . (877) 996-4276 . [EMAIL PROTECTED]
EmpowerID for Microsoft Active Directory & ADAM – Manage . Collaborate . Empower

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 07, 2006 11:41 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Is a Global Security group being used?

The question was "a way" - not "the best way". This method was actually suggested by MS at TechEd one year, so I am not totally insane.

-----Original Message-----
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Date: Wed, 06 Sep 2006 13:44:53
To: <[email protected]>
Subject: RE: [ActiveDir] Is a Global Security group being used?

While that's an interesting approach, unless this is a very small environment (as in, there's no help desk that's going to be baffled by the screaming and no multi-gazillionaire CXOs who are going to be doing the screaming), that might not be such a good idea. ;-)

Laura

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> Sent: Wednesday, September 06, 2006 1:18 PM
> To: ActiveDir.org
> Subject: Re: [ActiveDir] Is a Global Security group being used?
>
> Change it to a Distribution Group and see who screams - if anyone does,
> change it back to a security group again.
>
> M.
>
> -----Original Message-----
> From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
> Date: Wed, 6 Sep 2006 09:43:58
> To: <[email protected]>
> Subject: [ActiveDir] Is a Global Security group being used?
>
> Does anyone have a way to determine if a domain global group is being
> used? Will auditing on the DCs tell me this?
>
> Thanks in advance.
>
> Johnny Figueroa

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
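As an added example that is not part of the thread (PowerShell written for this page, not joe's AdMod or anyone's posted code), the script below walks four of the securable object classes in joe's list, file system objects, registry keys, services and AD objects, and reports every DACL entry that names the group's SID, so a group can be checked before anyone tries the "see who screams" approach. The group name, scan roots and AD search base are placeholders; categories 3 to 6 of the list (custom application security stores) are, as joe says, out of reach of any ACL walk like this one.

```powershell
# Added example, not from the thread: report where one group's SID appears in the DACLs of
# files, registry keys, services and AD objects. Matches on SID, never on name.
param(
    [Parameter(Mandatory)] [string]$GroupName,                 # e.g. 'CONTOSO\App-Readers' (placeholder)
    [string[]]$FileRoots     = @('C:\Shares'),                 # assumed scan roots, adjust to your environment
    [string[]]$RegistryRoots = @('HKLM:\SOFTWARE'),
    [string]  $ADSearchBase  = ''                              # e.g. 'OU=Apps,DC=contoso,DC=com'; empty skips AD
)
$sid  = ([System.Security.Principal.NTAccount]$GroupName).Translate([System.Security.Principal.SecurityIdentifier])
$hits = New-Object System.Collections.Generic.List[object]
# GetAccessRules with a SecurityIdentifier target type yields SID-typed ACEs, so renamed or unresolvable accounts still compare correctly.
function Test-Sd($Kind, $Name, $Sd) {
    foreach ($ace in $Sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $sid.Value) {
            $rights = ($ace.PSObject.Properties | Where-Object Name -like '*Rights').Value   # FileSystemRights / RegistryRights / ActiveDirectoryRights
            $hits.Add([pscustomobject]@{ Kind=$Kind; Object=$Name; Type=$ace.AccessControlType; Rights="$rights"; Inherited=$ace.IsInherited })
        }
    }
}
# 1. File system objects
foreach ($root in $FileRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue; if ($acl) { Test-Sd 'File' $_.FullName $acl }
    }
}
# 2. Registry keys
foreach ($root in $RegistryRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue; if ($acl) { Test-Sd 'Registry' $_.Name $acl }
    }
}
# 3. Services: the SCM hands out each service's security descriptor as SDDL via sc.exe sdshow
foreach ($svc in Get-Service) {
    $sddl = (sc.exe sdshow $svc.Name 2>$null | Where-Object { $_.Trim() }) -join ''
    if ($sddl -match '^[DOGS]:') {
        $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
        foreach ($ace in $raw.DiscretionaryAcl) {
            if ($ace.SecurityIdentifier -and $ace.SecurityIdentifier.Value -eq $sid.Value) {
                $hits.Add([pscustomobject]@{ Kind='Service'; Object=$svc.Name; Type=$ace.AceType; Rights=('0x{0:X}' -f $ace.AccessMask); Inherited=$false })
            }
        }
    }
}
# 4. AD objects (needs the ActiveDirectory module); nTSecurityDescriptor comes back as an ActiveDirectorySecurity
if ($ADSearchBase -and (Get-Module -ListAvailable ActiveDirectory)) {
    Get-ADObject -Filter * -SearchBase $ADSearchBase -Properties nTSecurityDescriptor |
        ForEach-Object { Test-Sd 'AD' $_.DistinguishedName $_.nTSecurityDescriptor }
}
$hits | Sort-Object Kind, Object | Format-Table -AutoSize
```

An empty report only means the SID is absent from these four stores; privileges in GPOs, shares, printers, and the directory attributes joe counts in item 7 still need their own checks.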
