
LIZA

 

Active Directory Security, Permission and ACL Analysis


Fast and lucid display of container permissions and audit configurations in Active Directory environments.
Analysis: Where in the directory hierarchy are permissions granted to an account (including its group memberships)?

Download Liza

 

Liza is a free tool for Active Directory environments that displays and analyses object rights across the directory hierarchy. You can use it, for example, to audit security permissions in an AD domain or in the AD Configuration partition.

Liza Tool Screenshot

I always found the out-of-the-box possibilities to examine the object security in Active Directory environments rather unwieldy to handle for complex permission settings. So with the LIZA development, I tried to display most of the permission ACE (Access Control Entry) information as simply as possible so you have an almost complete overview at first sight.

The following topics are available for the LIZA online manual:

Security Descriptor Display
Trustee Analysis
Command Buttons
Installation Notes



Security Descriptor Display


In the left panel of the Liza window you see the container hierarchy of the connected Active Directory namespace. In the right panel you see the content of the security descriptor of the currently selected directory container. This information is stored on each object in the LDAP attribute nTSecurityDescriptor.

An Active Directory security descriptor contains three important pieces of information: the owner, the DACL (discretionary access control list, the permission entries) and the SACL (system access control list, the audit entries). Reading them is itself subject to access control:

You need to be the owner or hold the RC (Read Control, READ_CONTROL) permission on the object to read the owner and the DACL.
You need the Manage auditing and security log privilege (SeSecurityPrivilege) on the domain controller you are connected to in order to read the SACL.


There are several columns in the access control lists:

ACE display explanations

In the ACLs you see the list of Access Control Entries (ACEs). Liza shows a one-line summary per ACE; to see a single ACE in full, select it and use the Show ACE button.

Detailed ACE display window


Trustee Analysis


Liza can analyze the permissions of a selected trustee. You select one trustee (for example a user or a group); Liza then determines the groups the trustee is a member of (nested memberships included) and scans all directory containers for permissions that are granted or denied to that trustee or to one of its groups.

Follow these steps to analyze the permissions for a certain trustee:

 

Step 1 Use the Select trustee for ACL analysis button at the bottom of the Liza window to switch to browse mode. In browse mode you see all directory objects in the connected hierarchy that carry an objectSid attribute (a security identifier). Only objects with a SID are security principals and can appear as trustees in an ACE, so only they are suitable for permission analysis.

The button for the permission analysis

Step 2 Now select the security principal whose permissions in the directory you want to check. It can be a single user, a group or a machine account, for example. In the bottom area of the Liza window you see the currently selected object. If the Include group membership checkbox is activated, the list also contains the groups the object is a member of, nested memberships included.

Selecting the trustee to be analysed

Step 3 You can also enter an object's name directly: click on the trustee list at the bottom of the window and type the name of the object. Liza detects the object automatically while you type:

Entering the trustee to be analysed directly

Step 4 To return to the normal permission display without trustee analysis, click on the trustee list at the bottom of the window and press the DELETE key. The list is cleared, and the Analyze ACLs button takes you back to the initial mode with the plain permission display.

To start an analysis, a trustee name (and, if enabled, its group memberships) must be displayed in the list at the bottom of the window; the button label then changes to Analyze ACLs for the Selected Trustee, and that button starts the run. Attention: if you activated the Show leaf objects in the selected container command button, the analysis can take a long time, because every single object in the directory has to be examined. In that case a corresponding message box is shown:

Starting the trustee analysis

Step 5 Use the Analyze ACLs button to start the analysis. During the hierarchy analysis the application is disabled; wait for the progress bar to complete. You can stop the run at any time with the Abort ACL analysis button.

Progress bar display during permission analysis

Step 6 When Liza shows the analysis result, every container and ACE in which the selected object (or one of its groups) is the trustee of a directly set permission entry is displayed in bold red. If you activated the Show leaf objects in the selected container command button, the individual leaf objects are examined for that trustee's permissions as well.

If the permission entry on the container is inherited rather than set directly, it is shown in red without the bold font:

The analysis result
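Both the access rules from the Security Descriptor Display section (READ_CONTROL for owner and DACL, SeSecurityPrivilege for the SACL) and the trustee analysis described in the steps above can be reproduced at the command line. The following PowerShell is an added example and not LIZA's own code: it uses the System.DirectoryServices classes that ship with Windows, assumes a domain-joined machine with a reachable domain controller, and all function and parameter names in it (Find-TrusteeAces, Get-TrusteeSidSet, -SearchRoot, -IncludeLeafObjects) are ours. It goes slightly beyond LIZA's trustee list by also adding the primary group and the well-known Everyone and Authenticated Users SIDs, because ACEs granted to those apply to the trustee as well.

```powershell
# Added example (not LIZA's code): reproduce LIZA's trustee analysis with the .NET
# System.DirectoryServices classes that ship with Windows. Assumptions: the host is
# domain-joined with a reachable DC, $Trustee is a sAMAccountName in the current domain,
# and all function and parameter names below are ours, not LIZA's.

# Escape the characters that are special inside an LDAP search filter (RFC 4515).
function ConvertTo-LdapFilterValue([string] $Value) {
    ((($Value -replace '\\', '\5c') -replace '\*', '\2a') -replace '\(', '\28') -replace '\)', '\29'
}

# Trustee SID plus the SIDs of every group it belongs to, nested included: this is the list
# LIZA shows at the bottom of its window when "Include group membership" is ticked.
function Get-TrusteeSidSet([string] $SamAccountName) {
    $ncName = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $domain = [ADSI]"LDAP://$ncName"
    $s = [System.DirectoryServices.DirectorySearcher]::new($domain, "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))")
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectSid', 'primaryGroupID'))
    $r = $s.FindOne()
    if (-not $r) { throw "no security principal with sAMAccountName '$SamAccountName'" }

    $dn   = [string]$r.Properties['distinguishedname'][0]
    $sid  = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$r.Properties['objectsid'][0], 0)
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($sid.Value)

    # Transitive membership in one query: LDAP_MATCHING_RULE_IN_CHAIN walks nested groups on the DC.
    $g = [System.DirectoryServices.DirectorySearcher]::new($domain, "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))")
    $g.PageSize = 1000
    [void]$g.PropertiesToLoad.Add('objectSid')
    foreach ($grp in $g.FindAll()) {
        [void]$sids.Add([System.Security.Principal.SecurityIdentifier]::new([byte[]]$grp.Properties['objectsid'][0], 0).Value)
    }
    # The primary group (normally Domain Users) is not stored in any group's member attribute.
    if ($r.Properties.Contains('primarygroupid')) {
        [void]$sids.Add("$($sid.AccountDomainSid.Value)-$([int]$r.Properties['primarygroupid'][0])")
    }
    # Beyond LIZA's list: ACEs granted to Everyone and Authenticated Users hit this trustee too.
    [void]$sids.Add('S-1-1-0'); [void]$sids.Add('S-1-5-11')
    return ,$sids
}

# Walk the hierarchy and report every owner entry and DACL ACE that names the trustee or one of
# its groups. -SearchRoot selects the partition (e.g. 'CN=Configuration,DC=corp,DC=example').
function Find-TrusteeAces {
    param(
        [Parameter(Mandatory)] [string] $Trustee,
        [string] $SearchRoot = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext,
        [switch] $IncludeLeafObjects   # like LIZA's "Show leaf objects": every object is read, much slower
    )
    $sids = Get-TrusteeSidSet $Trustee
    # Container classes of the domain partition; extend the list for other partitions or use -IncludeLeafObjects.
    $filter = if ($IncludeLeafObjects) { '(objectClass=*)' } else {
        '(|(objectClass=domainDNS)(objectClass=configuration)(objectClass=dMD)(objectClass=organizationalUnit)(objectClass=container)(objectClass=builtinDomain)(objectClass=lostAndFound))'
    }
    $s = [System.DirectoryServices.DirectorySearcher]::new([ADSI]"LDAP://$SearchRoot", $filter)
    $s.PageSize = 1000
    # Request only owner and DACL. Those need READ_CONTROL on the object; asking for the SACL
    # as well needs SeSecurityPrivilege ("Manage auditing and security log") on the DC.
    $s.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor [System.DirectoryServices.SecurityMasks]::Dacl
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'nTSecurityDescriptor'))

    foreach ($r in $s.FindAll()) {
        if (-not $r.Properties.Contains('ntsecuritydescriptor')) { continue }   # no READ_CONTROL on this object
        $dn = [string]$r.Properties['distinguishedname'][0]
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$r.Properties['ntsecuritydescriptor'][0], 0)
        if ($sd.Owner -and $sids.Contains($sd.Owner.Value)) {
            # Ownership is not an ACE, but it implies READ_CONTROL and WRITE_DAC on the object.
            [pscustomobject]@{ Object = $dn; Kind = 'Owner'; Trustee = $sd.Owner.Value; Rights = 'WriteDacl, ReadControl (implicit)'; ObjectType = $null; Inherited = $false }
        }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
            if (-not $sids.Contains($ace.SecurityIdentifier.Value)) { continue }
            $objectType = if ($ace -is [System.Security.AccessControl.ObjectAce]) { $ace.ObjectAceType } else { $null }
            [pscustomobject]@{
                Object     = $dn
                Kind       = $ace.AceQualifier                                   # AccessAllowed / AccessDenied
                Trustee    = $ace.SecurityIdentifier.Value
                Rights     = [System.DirectoryServices.ActiveDirectoryRights]$ace.AccessMask
                ObjectType = $objectType                                         # GUID for object-specific ACEs, else null
                Inherited  = $ace.IsInherited                                    # LIZA: explicit = bold red, inherited = red
            }
        }
    }
}

# Usage on an admin workstation (hypothetical group name):
#   Find-TrusteeAces -Trustee 'Helpdesk' | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

The Inherited column mirrors LIZA's colouring: entries with Inherited = False were set on that object directly (bold red in LIZA), the others flow down from a parent container. The ObjectType GUID of an object-specific ACE identifies the attribute, property set or extended right it covers; it can be resolved against the schemaIDGUID attributes in the schema partition or the rightsGuid attributes under CN=Extended-Rights in the configuration partition. Because only owner and DACL are requested, the scan works with plain READ_CONTROL and never fails for lack of SeSecurityPrivilege; objects without READ_CONTROL are silently skipped, exactly the objects LIZA cannot show either.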


Command Buttons


At the top of the LIZA application window, you can find the following command buttons:


This is the option to establish a new connection to another domain controller or to another Active Directory directory partition (in case you want to check the permissions in the schema, the configuration partition or another domain). By default, LIZA connects to the nearest reachable domain controller and displays the domain the current user is a member of.


This button reloads the information currently displayed. If the focus is in the left window panel (the directory tree view), not the entire directory hierarchy is refreshed but only the containers directly above and below the one you are currently in.



This button changes the container focus to the parent container of the currently selected container (you can also use the BACKSPACE key for this).


If this button is activated, LIZA shows not only containers (for example OUs) in the hierarchy but all objects, including the so-called leaf objects that cannot contain other objects. All leaf objects in the currently selected container are then loaded into the tree view, so if you click on a container that holds, for example, 20,000 user objects, displaying them can take a while. If you activate this option and then trigger a trustee analysis, it can take a very long time!


This button is only visible while you are in the 'Selecting a trustee for analysis' mode. It determines whether the directory objects are shown with a friendly name or with their LDAP distinguished name.


This button opens the online help.


Some important technical details about LIZA:


 


