An Access Control Entry (ACE) is a rule that grants or denies permissions to specific users or groups in Active Directory (AD). Each ACE is comprised of a Security Identifier (SID) and an access mask. An Access Control List (ACL) is the list of ACEs that comprise an AD object's security descriptor.
It naturally follows that in addition to reporting on group membership, being also able to report on what ACEs are configured at any given point in time for these groups is a key audit requirement of any AD organization.
For more details on ACLs refer to DACLs and ACEs - Win32 apps | Microsoft Learn. For information on their significance when it comes to securing your AD organization, see Active Directory Access Control List – Attacks and Defense - Microsoft Community Hub.
Configuring an AD Directory Provider for scanning ACEs
Reporting on ACEs is made possible with the Identity Panel Directory Provider when configured to scan security descriptors for AD or ADLDS (refer to the linked KB for how to collect DACL and SACL data).
When configured, a new Access Control Entry silo will become searchable via the Time Traveler, along with a new Security Descriptor property appearing on each configured object type (appearing in the Now view only). Be sure to specify all object types of interest to your compliance team (e.g. user, group, organizationalUnit, computer) so that the Security Descriptor property references appearing within this silo resolve to the corresponding objects (typically AD users or groups) and trustees (typically other groups/roles).
Once the relevant options are enabled, be sure to restart the associated Panel Service before initiating a full scan. If successful you will notice updates for every referenced object and adds for each ACE.
Usage
The AD Access Control report produces a list of all ACEs defined within a scanned AD organization at the time of the last scan.
Columns included in the report are as follows:
- ACE Type (DACL, SACL)
- Object (object granted a permission)
- Trustee (object holding a permission)
- Access Type (Allow, Deny)
- Grant (object to which a permission applies)
- AD Rights Flags (actions permitted on the granted object)
- IsDefault (true, false)
- Inherit Type (None, All, Descendents, SelfAndChildren, Children)
- Inherit Flags (None, ContainerInherit, ObjectInherit)
- Extended Right (custom)
- Time Stamp (last scanned)
The Object and Trustee columns are rendered in the report as Time Traveler links, although "orphaned" ACLs (that can't be resolved to another object) will appear as strings in their native Security Descriptor String Format - Win32 apps | Microsoft Learn.
While this report is primarily designed to be downloaded to Excel for further analysis and filtering, basic (case insensitive) text filtering is possible on selected ACE fields Object, Trustee and Grant (where the default value "*" is optionally replaced by a search string).
For environments where delta scans are run as part of business-as-usual (BAU) operations. all timestamps will only be the same immediately after a full scan.
Once installed, the report is ready to run in any environment in which one or more Directory provider s have been configured for DACL/SACL scanning.
Report Definition
{
"Data": [
{
"$type": "SoftwareIDM.ReportingModule.Models.Report, SoftwareIDM.ReportingModule",
"Id": "66ca1d01-f143-4465-86b9-d1d43e2631f5",
"Name": "AD Access Control",
"UserId": "3dd00fe8-5de9-48f9-9311-799a26969af7",
"UserProfile": false,
"Tags": null,
"Roles": null,
"CacheExpiration": "01:00:00",
"Description": "AD Security Descriptors",
"Parameters": [
{
"$type": "SoftwareIDM.ReportingModule.Models.TextReportParameter, SoftwareIDM.ReportingModule",
"Name": "Object",
"Description": "Object Name",
"Required": false,
"Validation": "",
"DefaultValue": "*"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.TextReportParameter, SoftwareIDM.ReportingModule",
"Name": "Trustee",
"Description": "Trustee Name/Access Identity",
"Required": false,
"Validation": "",
"DefaultValue": "*"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.TextReportParameter, SoftwareIDM.ReportingModule",
"Name": "Grant",
"Description": "Applies To",
"Required": false,
"Validation": "",
"DefaultValue": "*"
}
],
"DataSets": [
{
"$type": "SoftwareIDM.ReportingModule.Models.QueryData, SoftwareIDM.ReportingModule",
"Clauses": [
{
"$type": "SoftwareIDM.PanelModel.Models.FilterClause, SoftwareIDM.PanelModel",
"Field": "Deleted",
"Operation": "Null",
"Value": "",
"ObjectValue": null
},
{
"$type": "SoftwareIDM.PanelModel.Models.FilterClause, SoftwareIDM.PanelModel",
"Field": "IsDefault",
"Operation": "Ne",
"Value": "True",
"ObjectValue": null
}
],
"SubQueries": [],
"MapRule": "",
"MemoRules": [],
"Aliases": null,
"Name": "ACEs",
"Type": "SoftwareIDM.DirectoryModel.AccessControlEntry, SoftwareIDM.ProviderModel",
"Include": null,
"Limit": null
}
],
"ReportSets": [],
"Relations": [],
"FieldProjections": [
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "ACE Type",
"RelationName": "",
"RelationSide": null,
"ValueRule": "CoerceString(Type)"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Object",
"RelationName": "",
"RelationSide": null,
"ValueRule": "$\"{TimeTraveler(ObjectId)}|{ObjectName}\""
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Trustee",
"RelationName": "",
"RelationSide": null,
"ValueRule": "If(RegExMatch(TrusteeName,\"^S-\\d-\\d+-(\\d+-){1,14}\\d+$\"), TrusteeName, $\"{TimeTraveler(Trustee)}|{TrusteeName}\")"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Access Type",
"RelationName": "",
"RelationSide": null,
"ValueRule": "CoerceString(AccessType)"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Grant",
"RelationName": "",
"RelationSide": null,
"ValueRule": "AppliesTo"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "AD Rights Flags",
"RelationName": "",
"RelationSide": null,
"ValueRule": "CoerceString(Rights)"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "IsDefault",
"RelationName": "",
"RelationSide": null,
"ValueRule": "isDefault"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Inherit Type",
"RelationName": "",
"RelationSide": null,
"ValueRule": "CoerceString(InheritType)"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Inherit Flags",
"RelationName": "",
"RelationSide": null,
"ValueRule": "CoerceString(InheritFlags)"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Extended Right",
"RelationName": "",
"RelationSide": null,
"ValueRule": "ExtendedRight"
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Projection, SoftwareIDM.ReportingModule",
"Name": "Time Stamp",
"RelationName": "",
"RelationSide": null,
"ValueRule": "TimeStamp"
}
],
"Transformations": [
{
"$type": "SoftwareIDM.ReportingModule.Models.Transform, SoftwareIDM.ReportingModule",
"FilterRule": "If(Memo(\"Object\") == \"*\", true, Contains(LowerCase(Object), LowerCase(Memo(\"Object\"))))",
"GroupingRule": "",
"TransformRules": []
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Transform, SoftwareIDM.ReportingModule",
"FilterRule": "If(Memo(\"Trustee\") == \"*\", true, Contains(LowerCase(Trustee), LowerCase(Memo(\"Trustee\"))))",
"GroupingRule": "",
"TransformRules": []
},
{
"$type": "SoftwareIDM.ReportingModule.Models.Transform, SoftwareIDM.ReportingModule",
"FilterRule": "If(Memo(\"Grant\") == \"*\", true, Contains(LowerCase(Grant), LowerCase(Memo(\"Grant\"))))",
"GroupingRule": "",
"TransformRules": []
}
],
"Styles": [],
"Sort": {
"Field": "Type",
"Direction": "Ascending"
}
}
],
"Count": 1
}
Comments
0 comments
Please sign in to leave a comment.