Protecting Your Active Directory Permissions
When we think of protecting Active Directory, we typically think of a few aspects of the directory service that need to be monitored and protected from disasters. If you’re responsible for the care and feeding of your corporate AD, I’m sure you can rattle off the main ones right now. But there’s one aspect I’ll bet you’ve given very little consideration to.
Let’s talk about AD protection from the most obvious aspect to the least obvious. First, if you’re to protect your AD forest, the health and recoverability of your domain controllers is probably the first thing you focus on. DCs are the physical manifestations of this distributed service, and since DCs are the most easily understood aspect of AD, most AD administrators have a good plan in place to recover them.
The next area administrators focus on protecting is not the AD service itself, but the data contained in the service. The first line of defense is the Recycle Bin, a feature that was greeted by sighs of relief by AD administrators around the world when it was first introduced in Windows Server 2008 R2. As its name implies, the AD Recycle Bin allows you to quickly restore a deleted AD object to its previous location in the directory with all its attributes intact. Before this feature was introduced, when an object was deleted (even though the object wasn’t actually deleted) the “deletion” process stripped the object of most of its attributes. Thus, even if you recovered a deleted object with a tool like Mark Russinovich’s ADrestore, it was mostly useless until you’d recovered its attributes from somewhere else. After all, what good is a restored user object if it doesn’t have the user’s group memberships, its Exchange attributes, and so forth? The Recycle Bin changed all that.
But you must always keep in mind the Recycle Bin only protects objects from deletion. It doesn’t protect them from state changes, such as a group membership change or an updated password. For this kind of protection you must record the configuration of every object and attribute in AD on a regular basis, and then be able to compare the different versions to see what has changed between one version and another. Many administrators have come up with home-grown versions of a state tracking tool such as Semperis’ Active Directory State Manager. But you need to be sure these applications track an important but less often considered aspect of Active Directory: the object’s permissions.
In a model that’s similar to the NTFS disk architecture, Active Directory has both objects and the permissions assigned to those objects. In NTFS, you can restore the files, but the restore really isn’t complete until the permissions are restored. This is even more important in Active Directory, where the permissions on an object are often highly complex and are critical to the service’s functionality. If you lose permissions on an NTFS folder structure, you can make educated guesses as to who needs access (or wait for the phone to ring when users can’t access their files). If critical permissions are altered in Active Directory, it may fail. Catastrophically.
This is an example of an NTFS access control list (ACL) for a user folder. It contains a number of access control entries (ACEs) and some broad permissions:
Next, this is the ACL in Active Directory for the Domain System Volume (AKA Sysvol) object in a domain controller container. First, note the similarity to NTFS:
Next, note how much more complex the permission structure is, and the number of Special permissions. “Special” indicates that specific, custom permissions have been applied to potentially hundreds of individual properties for this object:
The practical takeaway is this: If permissions to Active Directory objects are altered, you can restore the defaults (see the Restore defaults button in the lower right corner above) but any customization will be lost. Most AD-integrated applications (Exchange, Lync, etc.) have custom permissions throughout the directory. And these permissions will be extremely difficult to get restored correctly. Thus, when you’re looking at ways to audit and protect the state of your AD objects, it’s very important to ensure object permissions are tracked as well as the objects themselves.