Active Directory

Active Directory Delegation: A Security Audit Checklist

Tyler R.

Jan 22, 2009 — 1 min read

Active Directory delegation is one of those features that every Windows admin uses but few audit properly. It is also a common source of privilege escalation paths.

The Problem

When an administrator delegates permissions in AD, those permissions are stored as Access Control Entries on the target objects. Over time, delegation accumulates. The result is an AD environment where the effective permissions bear little resemblance to the intended security model.

Audit Approach

First, export the DACL from every OU in the domain. Second, identify all non-default ACEs. Third, for each delegated permission, verify that the grantee still needs the access and that the scope is appropriate.

Common Findings

In the eight AD environments I have audited this year, the most common issues are password reset delegation to groups broader than intended, write access to servicePrincipalName allowing Kerberoasting, and GenericAll permission on computer objects enabling resource-based constrained delegation attacks.

Nmap Cheat Sheet: The Complete Command Reference

Nmap is the standard tool for network discovery and security auditing. Whether you are mapping a small home lab or scanning a class B network, the same core commands apply. This nmap cheat sheet is a structured reference covering the commands and options I use most frequently, organized by task

Nmap NSE Scripts for Enterprise Scanning

The Nmap Scripting Engine has matured significantly. Version 4.50 added dozens of new scripts and the framework is now stable enough for enterprise use. Why NSE Over Standalone Tools Before NSE, enterprise scanning meant running Nmap for discovery, then piping results to Nessus. NSE lets you combine discovery and

Where Have All the Good Fingerprinters Gone?

OS fingerprinting has been a fundamental reconnaissance technique since the mid-1990s. Nmap, p0f, and xprobe2 all approach the problem differently, but they share a common challenge: the fingerprint databases are not keeping up with the operating systems they need to identify. I spent last week testing the latest versions of

The Severity of Vulnerabilities

I have been looking at how vendors classify vulnerability severity and I keep finding discrepancies between what the vendor says and what the CVSS score suggests. Take the most recent batch of Microsoft patches. Two of the vulnerabilities rated as Important by Microsoft score above 8.0 on the CVSS