Security Advisor
Active Directory Object Permissions 101
Understanding the ins and outs of AD and object permissions is no simple task, but your efforts can help avoid catastrophe.
- By Roberta Bragg
- 10/01/2001
"I need more circuits in this room," I told him.
"Oh, computers don't draw that much electricity," Bob the electrician
said.
I think he just didn't want to poke wires through the walls of my early
20th-century house or figure out which fuse goes where on either of my
two electrical boxes. So Bob left, and the orange extension cords still
snake around my house like a mad spider web to support my 30-some system
network.
The plumbing in my house isn't any better, either.
Every winter my plumber and I discover some new
pipe that, when it thaws, spews ice-cold water
into the basement, across the bathroom or down
my driveway at midnight. It's not that he's a
bad plumber; it's just that this house was built
before indoor plumbing was all the rage. Quite
frankly, there are days I wish they hadn't added
it—or at least that they hadn't hidden all
my pipes inside drop-down ceilings, remodeled
plaster walls, and nooks and crannies that no
one's been in for years. If you want an idea,
run the 4-G Pipes screensaver. If you could remove
the walls and ceilings in my house, it'd look
like that.
In both cases, someone who didn't really know the ins and outs of household
infrastructure was saddled with the job of "just getting it done."
Either the information wasn't available to them, they figured they knew
enough already or they just didn't care. The end result is the same. Rest
assured, before I tackle any repairs or additions on my own, I'll do some
research into the wiring and plumbing information database.
Understanding and maintaining this stuff is sort of like the job you
have implementing and maintaining Active Directory in your enterprise.
You gotta know what you're doing (and what others have done) if you're
going to do the job correctly and avoid floods and fireworks down the
road. However, the information isn't always available or easily locatable
when it comes to the internal details.
Oh, there's a wealth of documentation on AD out there, but a lot of it
is duplication, doesn't go far enough or is scattered as if shot randomly
about by my .22. It's quite difficult to find the ultimate guide. What
we may have to do is use the old divide-and-conquer routine: Separate
the universe into manageable chunks, pick a chunk and research the hell
out of it. Then we keep working on it and document the results whenever
we can add something new. If we all did this and shared the results with
each other—well, need I say more? Here's a contribution then: A short
guide to AD object permissions.
Raison du Jour?
The reason we need to understand AD object permissions seems obvious.
Object permission settings allow the control of access to the object.
If I don't want every Tom, Dick and Mary to be able to obtain a recovery
agent certificate for Encrypting File System (EFS), I set object permissions
on the certificate template object to allow only approved recovery agents
to obtain the certificate. If I do want the help desk group to be able
to reset passwords for users in the respective Organizational Units (OUs)
they manage, I use object permissions on the OU to do so. From determining
whether users can change their own addresses to who can write a Group
Policy Object (GPO), object permissions are critical to the smooth functioning
and protection of your enterprise. Set them correctly, and most folks
won't even know they exist. Muck it up and, at best, you'll have trouble
making things work. (What's worse? Well, improper object permissions will
allow unwanted access to critical objects. Can you spell, "H-A-C-K-E-D"?)
How Permissions Work
In our haste to implement Windows 2000, many of us are like the apprentice
handyman or do-it-yourselfer. We've got a job to do, by-gummy. Like the
non-existent map of my wiring and plumbing, documentation on what each
AD permission means isn't so easy to find. So we descend the steps to
the basement, brush apart the cobwebs, knock off a little plaster and
risk a little electrical shock or a bath in ancient effluents to make
headway. A safer plan, however, would be to learn the basics of wiring
and the pluses and minuses of ohms and amps before our curiosity turns
us into charcoal. Object permissions don't work on electrical currents
or underwater pressure—Ohm's law won't apply. Instead, each object follows
the Windows NT/Win2K access-control model. The model requires that you
understand four basic concepts.
First, there's the security principal: Any object within the AD that
can be assigned privileges and access control rights or permissions (Access
control rights or permissions control access to securable objects). Computers,
Services, Users and Groups are security principals.
Second, there's security context. When there's an attempt at accessing
an object, the application provides the credentials of a security principal,
usually whoever started the application. These credentials determine the
security context—the list of group memberships and the privileges (privileges
control rights to perform system tasks) and SID of the security principal.
Third is the security descriptor. Each directory object contains security
information in a structure called a security descriptor. This can contain
the following:
- A Discretionary Access Control List (DACL), which comprises
Access Control Entries (ACEs) that indicate which users and groups have
been explicitly allowed or denied a specific type of access to the object.
The ACE may specify which operations they can perform and whether or
not they can create child objects or define private or extended access
rights.
- A SID to identify the owner of the object. Ownership, by the
way, implies the right to modify the DACL.
- A System Access Control List (SACL), which identifies the
types of actions that generate an audit log entry. The ACEs in this
list indicate a user or group, the type of access attempted, and whether
success or failure or both will generate the audit.
- Security_Description_Control provides the control flags that
qualify the meaning of the security descriptor or its components.
- A set of SE_DACL_PROTECTED flags, which can be used to protect
a security descriptor DACL from inheriting ACEs from its parent.
- A SID to identify the primary group of the object. Current
documentation states that the primary group isn't used by AD.
The security descriptor exists whether or not we, as administrators,
take any action. Where does the security descriptor come from? A security
descriptor may be:
- Inherited from the parent container. (Inheritance is discussed
shortly, under "Who Gets What.")
- Provided by the definition of the object. During dcpromo,
a default security descriptor is provided for each object class. (An
object class can be thought of as a conceptual view of an object someone
wants to store in the directory. It's defined in the schema.) AD-enabled
applications may add additional object classes to the schema and should
provide their own default security descriptor for each object class
they create.
- Programmatically created and attached to the object at the time
of creation. A class is just a definition of what an object can
be. The default security descriptor is part of the definition. When
an object is created, it may be given an explicit security descriptor.
- Replaced during execution of some program. As administrators,
we use utilities through the GUI to add ACEs to the object's DACL or
SACL and to modify inheritance. We also use the Delegation of Authority
Wizard or modify the ACE of a Group Policy Object (GPO) to filter its
application to users and computers within its Group Policy Container
(GPC). In addition, third-party tools and administrative scripts can
be used to manage settings.
Fourth in the access control model is access check. Access is granted
to the object only if the security descriptor grants the rights requested
to the security principal (or groups of which he or she is a member) attempting
to use them.
| NTFS
Inheritance Choices |
AD
Comparable Setting |
AD
Differences |
| This folder
only. |
This object
only (Effective ACL). |
|
| This folder,
subfolders and files. |
This object
and all child objects |
|
| This folder
and subfolders. |
|
Each object
is specified. |
| This
folder and files. |
|
Each
object is specified. |
| Subfolders
and files only. |
Child objects
only (Inherit ACLs). |
|
| Subfolders
only. |
|
Each object
is specified. |
| Files only. |
|
Each object
is specified. |
|
| Table 1.
A comparison of NTFS and AD Inheritance Choices |
How Rights
are Evaluated
Two types of rights exist: permissions (authorization
to do something such as read or reset a password
on a specific object) and privileges or user rights
(authorization to do something, like log on or
add users, that affects an entire computer rather
than a specific object). Similar to the evaluation
of file system access control, the right to access
or use AD objects is determined by the security
context attached to the application that attempts
the access.
When users authenticate to a system, the authorization information (their
SID, SIDs of groups they belong to, and privileges) they've been given
is collected and later used to create an access token. The access token
is used when they attempt to gain access to some object. Programmatically,
an access token can be created using the security context of some other
security principal, say, the operating system, and used instead during
the applications processing. When the application requires the use of
some file system, operating system or AD object, the information in its
access token is compared with that in the security descriptor of the object.
If a match occurs, and no explicit Deny permission exists, access is granted.
If no match occurs, or the explicit Deny exists, the requested access
is denied.
| Right |
Description |
| DELETE |
Delete
object. |
| READ_CONTROL
|
Read security
descriptor information (doesn't include
the right to read the SACL). |
| WRITE_DAC
|
Modify DACL
in object's security descriptor. |
| WRITE_OWNER
|
Assume
ownership of object. |
| SYNCHRONIZE |
Use object
of synchronization. A thread (the small
executable portion of a process) can
wait until the object is in the signaled
state. |
| ACCESS_SYSTEM_SECURITY |
Get or Set
SACL. |
| GENERIC_READ |
Read security
descriptor, examine object and children
and read all properties. |
| GENERIC_WRITE |
Write properties
and write DACL. Add and remove object
from directory. |
| GENERIC_EXECUTE
|
List children
of object. |
| GENERIC_ALL
|
Create or
delete children, delete subtree, Read
and Write properties, examine children
and object, add and remove object from
directory, Read or Write with extended
right. |
| DS_CREATE_CHILD
|
Create children
(the ACE can specify child object type
that can be created. If it doesn't,
this right allows creation of all child
object types). |
| DS_DELETE_CHILD
|
Delete children
(the ACE can specify the child object
type that can be deleted. If it doesn't,
this right allows deletion of all child
object types). |
| DS_ACTRL_DS_LIST
|
List children
of object. |
| DS_SELF |
Modify group
membership of group object. |
| DS_READ_PROP
|
Read properties
of object (ACE can specify property
that can be read. If it doesn't, this
right allows reading of all properties).
|
| DS_WRITE_PROP
|
Write properties
(ACE can specify property that can be
written. If it doesn't, this right allows
writing of all properties). |
| DS_DELETE_TREE
|
Delete all
children of object, regardless of permission
on object. |
| DS_LIST_OBJECT
|
List a particular
object (if not granted to a user, the
object is hidden from user). |
| DS_CONTROL_ACCESS
|
Right to perform
operation covered by an extended access
right-either a specific extended right
or by omission all extended rights.
|
|
| Table 2.
Additional standard access rights not available
on all objects. The list and descriptions
come from the Platform SDK documentation.
|
Seems pretty simple doesn't it?
It does, unless you understand that an AD-enabled
application has choices in how it identifies itself
in its actions with AD to the operating system.
When the program is written, its author may choose
to have it "bind" or connect to AD in
one of the following ways:
- Explicitly by hard coding and, therefore, specifying a username and
password.
- Without credentials (i.e. using the context of the user that runs
the application).
- By impersonating a user.
- If LDAP is used, binding without authentication—in which case, the
group Everyone's security context is used.
With any luck, the application is written using choice two or three.
One, of course, is vulnerable to attack. Placing usernames and passwords
within code is never a good idea. Choice four exposes access to where
rights have been given to the group Everyone.
Is This Just Like NTFS Permissions?
Because the same security model is used to control access to objects in
AD that's used to control access to files and folders, don't we know all
there is to know? At first glance, object permissions in AD appear to
model that interface. There's a security tab on each object's property
box, a window that allows us to select Allow or Deny permissions, and
an Advanced button to modify more closely what can be done by whom. Inheritance
can be regulated, and there's an array of functions that determines exactly
how permission settings affect child objects. Sounds like NTFS—but wait!
Here's where your knowledge of NTFS gets in the way of understanding AD
permissions.
NTFS settings are well documented and limited to a comprehendible number
of possibilities. While a new inheritance model and the ability to either
Allow or explicitly Deny any setting have complicated file system object
permissions in Win2K, you can reasonably expect to get your arms around
them. The list of AD object permissions, however, goes on forever. Think
about it. The file system has two basic types of objects—folders and files.
Permission types vary slightly for each object, as there are only two
objects. While you can create new files and new folders, you can't create
new file system object types. On the other hand, new object types for
AD can and will be introduced to your enterprise. Your AD, therefore,
is composed of an infinite number of object types—each of which can have
unique access control settings.
Inheritance is different, too. Like NTFS, inheritance for AD objects
can be specified by object type; but, once again, for NTFS that's rather
limited. For AD, a rather large array of objects may be allowed within
a container. In addition, there's at least one surprising difference in
the way child and parent object permissions interact (See "Zing!
Got Ya!").
Let's peel apart these distinctions and talk about them a little more.
Who Gets What
The rules of inheritance define how permissions set on an object affect
child objects. While not all AD object classes can have children, many
can. OUs can contain Users, Computers, other OUs and Printers. For AD
objects, like NTFS folders, two conditions need to be considered: Is inheritance
allowed and how will settings be inherited? You may block inheritance
by clearing the Access Control Settings Permissions page box "Allow
inheritable permissions from parent to propagate to this object"
or by programmatically setting the SE_DACL_PROTECTED security descriptor
control flag. This setting prevents inheritable permissions from parent
objects.
| Zing!
Got Ya! |
|
What do you think happens when a user or group has
explicit Allow permission to Delete All Child Objects
on a parent container, yet an ACE on a child object
explicitly sets the Deny Delete permission for the same
user or group?
If you said that the explicit
Deny on the object would take
precedence, you'd be wrong.
Unlike NTFS permissions, in
which the file DACL overrides
the parent folder DACL, certain
parent-set permissions, such
as Delete All Child Objects
and Delete Subtree, will override
the child setting.
|
|
|
To control inheritance, you set the specific type you desire for each
ACE. To do so, use the Advanced button on the Security Properties page
to expose the special permission page, select the ACE desired, and click
on View/Edit to access the Object Permissions Entry page. The "Apply
onto" drop-down box can then be used. Your choices are similar to
those available for setting inheritance for NTFS (Table 1). You can set
permissions on the following:
- Only on the current object. No changes will be made to child objects.
- Only on its child objects. The ACE won't be applied to the container
or parent object, but is only present so it may be inherited.
- On the object and all of its children. Both parent and child have
the ACE applied.
- On any child object class. If an object class can be in the container,
you can restrict permission settings only to this type of object. For
example, the ability to control users and not computers may be given
to our help desk group.
How Many Permissions Are There?
When first initialized AD appears to have about a gazillion built-in object
classes. Each object class may be controlled with standard access control
rights and potential extended access control rights (possibly unique to
its class). It also has the potential for additional unique object permissions.
Like NTFS rights, each AD access control right may be composed of multiple
special permissions. In addition, each object may have multiple properties,
and distinct access control permissions may be set on each property. This
is roughly comparable to a situation in which you could allow someone
to write only certain information to a file object in the file system.
To make matters even more convoluted, not all object permissions are exposed
in the GUI. They're available programmatically, and there are ways of
exposing them. Each new AD-enabled application added to the forest may
extend the schema and, hence, the range of possible access control rights.
(Take a look at access permissions and extended rights after installing
Microsoft Exchange, for example.)
| Empty
DACL vs. Missing DACL |
| Most of us common
folk modify the security descriptor
by setting those elements through
the GUI interface—the Security
Property page of the Active Directory
object—much like we manipulate
file and folder permissions. Whether
they're building AD-enabled applications
to perform some useful corporate
function or maliciously break
into your network, programmers
use the AD Services Interface
(ADSI) or Win32 security APIs
to establish security settings
on new objects or modify existing
ones writing AD-enabled applications.
This means they can do such things
as create an object without a
DACL or take advantage of some
security flaw.
An object without a DACL is
different than one with an empty
DACL. Empty DACLs implicitly
deny access to an object. However,
if no DACL exists, then there's
no restriction on access to
the object. In other words,
everyone has Full Control.
This is an interesting situation,
and one I'd not want to discover
in my AD. If you're responsible
for coding directory-enabled
apps or able to influence those
that do, please explain the
concept to them—especially
the part on how undesirable
it is to allow everyone Full
Control of any object. Good
references on DACLs and this
interesting anomaly can be found
online at http://msdn.microsoft.com/
library/psdk/winbase/accctrl_8jl8.htm
or in Chapter 9 of the AD
Programmers Guide, part
of the five-volume AD Developer's
Reference Library from Microsoft
Press.
|
|
|
To the neophyte administrator, this combination of vast possibilities
is enormously awe-inspiring and confusing. Heck, to experienced administrators
and others who've spent some time studying AD, its object permissions
are enormously awe-inspiring and confusing. Ask Microsoft for a reference
to find each setting described and you'll probably get the answer, "Have
you checked TechNet?" (Please note that no such comprehensive resource
exists on TechNet or anywhere else as far as I can tell—at least as of
this writing—and may never exist.)
While it's impossible to document what doesn't yet exist and equally
impossible in one small article to describe the umpteen-million, plain-vanilla
AD object permissions, there's a lot I can do to get you started.
We have two areas to explore:
- Standard access rights, or basic predefined settings that exist for
all AD objects.
- Extended access rights, predefined settings that uniquely exist for
certain AD object classes and the ability to define new extended access
rights.
Of course, any creation of new AD object classes—such as those provided
by an installation of Exchange 2000 or other AD-enabled application—can
add new, uniquely defined settings for these new classes.
Standard Access Rights
Open the security page for any AD object and you should see the following
standard object access rights or permissions:
- Full Control. Can do it all.
- Read. Can read the properties of the object.
- Write. Can modify the properties of the object.
- Create All Child Objects. This permission is necessary on
the object type of the parent container. A security principal, could,
for example, have the right to create users, but not computers within
a given OU.
- Delete All Child Objects. This permission is necessary on
the object type of the parent container. See "Zing! Got Ya!"
for an interesting lesson.
These standard permissions are fairly straightforward. One exception
is the intended functioning of Write when you attempt to modify several
properties of the object and don't have Write permission on all the properties.
(For instance, the GUI might let you select modifications to the address,
home phone number and manager for user Bob even if you only have Write
permission for address and home phone number. In this case, however, none
of the properties will be changed.) One caveat: If you attempt the same
thing programmatically and haven't applied Service Pack 1, you'll succeed.
Worse yet, an audit record would show the attempt as failed! Microsoft
Security Bulletin (MS00-026) and Knowledge Base Q259401, "Active
Directory Objects May Be Modified Programmatically," explain the
problem.
Additional standard access rights not available on all objects are listed
in Table 2. The list and descriptions come from the Platform SDK documentation.
(The Platform SDK or software development kit is composed of documentation,
tools, APIs and code samples provided to assist in the development of
applications for Windows platforms.)
Extended Control Access Rights
Extended control access rights are of three types:
- Extended rights, or specific rights on objects, aren't listed
in the standard access control rights. Each user, for example, has the
"change password" right on his or her user object. The "reset
password" right may be given over a set of user objects contained
in an OU. Each object class in the AD may have specific extended rights.
The Enterprise Administrator Group would have the Add GUID extended
right.
- Property rights, or the ability to control access to a subset
of rights. By modifying one setting, you can control a number of rights.
For example, the Personal Information property set controls access to
things like street address and phone number. In fact, the default security
descriptor setting for the User object in the schema allows each user
access to modify Personal Information items. Knowledge Base Q292304,
"How to Prevent Windows 2000 Users from Changing Personal Detail
Information," explains this, as well as how to modify the schema
if you don't want users to be able to change their personal information.
(You'll want to modify the schema default to ensure that each new user
created can't modify his or her information.)
- Validated rights, which require the system to do additional
checking (beyond schema requirements) of values (perhaps to determine
if a value is within a certain range or some other restriction) before
writing the value of a property to a DS object.
 |
| Figure 1. You can identify the control access
rights available in your forest via the Extended Rights container
in the configuration partition. (Click image to view larger version.) |
If you wish to identify which control access rights are available in
your forest, they're listed in the Extended Rights container of the configuration
partition. The list will be composed of standard extended control access
rights defined during dcpromo and additional extended control access rights
defined during schema modification. You can explore this container by
loading the Win2K support tools and firing up ADSI Edit (Figure 1). (Warning!
You can get yourself in a lot of trouble using ADSI Edit. Don't modify
things here until you know exactly what you're doing. And even then, if
the setting can be changed elsewhere, do it there. Think of this like
you do regedt32—an awesome tool in the right hands, a potential disaster
in the hands of the careless.)
I haven't found any documentation that details which object classes these
rights are available on, nor which lists. Likewise, I've seen no documentation
for what each extended right means. Some extended rights are defined somewhere
in the vast documentation available on Microsoft's Web site and within
published articles, books and white papers. Others appear to be obvious
from their name. Open an object's Security Property page to see which
extended rights are added to the standard rights. Remember that each standard
right and extended right may be composed of multiple special permissions.
Use the Advanced button to expose the ACL editor to list these special
permissions.
Delegation of Control
No discussion of permission settings and AD objects would be complete
without mentioning the Delegation of Control Wizard. As you know, you
can use it instead of setting individual permissions. The interface is
fairly straightforward and allows you to set things like allowing a less-than-full
administrator to reset passwords or create new users within a specific
OU.
The delegation wizard simplifies setting permissions on AD objects. That's
all. However, it does have an advantage over you directly addressing permission
settings on the object—especially in a virgin forest (some directory-enabled
applications will expose more of the available permission settings for
you). It knows more of what's available and allows you to set some things
that aren't exposed in the GUI. Without it, or some manipulation of the
interface, you couldn't get the job done. Once the permission is set,
it does appear in the GUI. To modify it, simply open the object's security
pages, find the setting and remove or change it. There's no wizard that
will help you do this.