Active Directory Security, Permission and ACL Analysis
Liza is a free tool for Active Directory environments which allows you to display and analyse object rights in the directory hierarchy. You can use the tool, for example, to perform security permission analysis in an AD domain or in the AD Configuration Partition.
I always found the out-of-the-box possibilities to examine object security in Active Directory environments rather unwieldy for complex permission settings. So with the LIZA development, I tried to display most of the permission ACE (Access Control Entry) information as simply as possible, so that you have an almost complete overview at first sight.
The following topics are available for the LIZA online manual:
|Security Descriptor Display|
|Blocked Inheritance Analysis|
|Display objects in LEX - The LDAP Explorer|
|Change Log and Installation Notes|
In the left panel of the Liza window, you see the container hierarchy for the connected Active Directory namespace. In the right panel of the Liza window, you see the content of the Security Descriptor for the currently selected directory container. This information is stored on the respective objects in the LDAP attribute nTSecurityDescriptor.
An Active Directory security descriptor contains three important pieces of information:
You need to be the owner or you need to have the RC (Read Control) permission to access the DACL and Owner information.
You need to have the Manage auditing and security logs privilege on domain controllers to access the SACL information.
There are several columns in the access control lists:
In the ACLs, you see a list of Access Control Entries (ACE). Liza displays a summary of each ACE per line - nevertheless, you can display each ACE in detail by using the Show ACE button.
Liza can analyze trustee permissions for selected trustees. You just have to select one trustee (for example a user or a group). Liza then detects the groups of which the selected trustee is a member (even for nested group memberships), after which Liza scans all directory containers to find permissions which are granted or denied to that trustee (or to its groups).
Follow these steps to analyze the permissions for a certain trustee:
|Use the Select trustee for ACL analysis button at the bottom of the Liza window to switch to browse mode. In browse mode, you see all directory objects in the connected hierarchy which have SID (Security Identifier) attributes. Only objects with SIDs can be security principals suitable for permission analysis.
|You can now select the security principal that you want to check for permissions in the directory. It could be a single user, a group, or a machine account, for example. In the bottom area of the Liza window, you see the currently selected object. If the Include group membership checkbox is activated, the groups of which the object is a member are also listed, including nested memberships.
|You can also enter an object's name directly: Just click with the mouse on the trustee list at the bottom of the window and enter the name of the object in question. Liza can detect the object automatically while you type the name:
|If you want to go back to the normal permission display without trustee analysis, just click on the trustee list at the window bottom and press the DELETE key. The list is cleared, and you can use the Analyze ACLs button to get back to the initial mode with permission display.
To start the analysis, a trustee name and possibly its group memberships have to be displayed in the list at the window bottom. The button label changes to Analyze ACLs for the Selected Trustee. To start an analysis, you have to use this button now. Attention: If you activated the Show leaf objects in the selected container command button, the analysis can take a long time to complete, because every single object in the directory has to be examined. In this case a corresponding message box is shown:
|To start the analysis, you have to use the Analyze ACLs button now. During the hierarchy analysis, the application is disabled; just wait for the progress bar to complete. However, you can stop the analysis run at any time by using the Abort ACL analysis button.
|When Liza shows you the analysis result, you see all containers and ACEs where the selected object (and its groups) are directly affected in bold red. If you activated the Show leaf objects in the selected container command button, even the single objects are examined for the permissions of the trustee in question.
If the permission entry for the container is inherited and not set directly, you only see the display in red (without bold font):
LIZA can search the entire directory for objects which have blocked permission inheritance. Blocked inheritance leads to delegation problems in many cases, because delegated rights don't apply to such objects unless they are explicitly set directly on the object.
For all objects which are affected by the AdminSDHolder mechanism, permission inheritance is deactivated (because they are members of a highly privileged group, for example). Most often it is quite difficult to detect such objects, because the inheritance block remains on the object even if it is no longer a member of such a group.
LIZA can search for such objects; just use the Search blocked inheritance button at the bottom right of the screen. The analysis can take a while, because LIZA has to evaluate the Security Descriptors of each object in the current directory, and this can be a lot of data. The result is shown in the treeview panel on the left side. All objects with blocked inheritance are marked bold red:
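To make the descriptor fields behind the display and the blocked-inheritance search concrete, here is an added Python example that is not part of LIZA or this manual: it parses a self-relative nTSecurityDescriptor blob, reports the SE_DACL_PROTECTED control bit (what LIZA marks as blocked inheritance), separates inherited ACEs (INHERITED_ACE flag, plain red) from explicit ones (bold red), and filters the ACEs that affect a trustee and its groups. The security descriptor bytes and SIDs are constructed inside the example, not read from a domain.

```python
import struct
# MS-DTYP control bits / ACE flags: LIZA's "blocked inheritance" is SE_DACL_PROTECTED,
# an "inherited" (plain red) entry carries INHERITED_ACE, an explicit (bold red) one does not.
SE_DACL_PRESENT, SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x0004, 0x1000, 0x8000
CONTAINER_INHERIT_ACE, INHERITED_ACE = 0x02, 0x10
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000     # RC and WD access-mask bits
ACE_DENY_TYPES, OBJECT_ACE_TYPES = {1, 6}, {5, 6}     # object ACEs carry GUIDs before the SID

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off] into S-1-5-... text form."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return (inheritance_blocked, aces) from a self-relative nTSecurityDescriptor blob."""
    rev, _, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or not dacl_off:
        raise ValueError("no DACL present (RC on the object is needed to read it)")
    _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        sid_off = off + 8
        if ace_type in OBJECT_ACE_TYPES:                 # skip ObjectType / InheritedObjectType GUIDs
            obj_flags, = struct.unpack_from("<I", sd, sid_off)
            sid_off += 4 + 16 * bin(obj_flags & 3).count("1")
        aces.append({"deny": ace_type in ACE_DENY_TYPES, "inherited": bool(ace_flags & INHERITED_ACE),
                     "sid": sid_to_str(sd, sid_off), "mask": mask})
        off += ace_size
    return bool(control & SE_DACL_PROTECTED), aces

def trustee_hits(aces, trustee_sids):
    """ACEs that affect the trustee or one of its (nested) groups; explicit hits are LIZA's 'bold red'."""
    return [a for a in aces if a["sid"] in trustee_sids]

# --- constructed sample descriptor (built here, not captured from a real domain) ---
def build_sid(*subs):
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_ace(ace_type, flags, mask, sid):
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid
def build_sd(aces, control_extra=0):           # owner/group/SACL offsets 0 = absent, DACL at byte 20
    dacl = struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | control_extra
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 20) + dacl

GROUP_SID, USER_SID = build_sid(21, 1, 2, 3, 1105), build_sid(21, 1, 2, 3, 1107)
SAMPLE_SD = build_sd([build_ace(0, 0, READ_CONTROL, GROUP_SID),                               # explicit allow RC
                      build_ace(1, CONTAINER_INHERIT_ACE | INHERITED_ACE, WRITE_DAC, USER_SID)],  # inherited deny WD
                     SE_DACL_PROTECTED)                                                         # inheritance blocked
```

Against a real domain the blob is the value of the object's nTSecurityDescriptor attribute, and the SID set passed to trustee_hits is the trustee plus its nested group SIDs, as LIZA resolves them before scanning.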
If you have an installed version of LEX - The LDAP Explorer on the same machine (minimum LEX v 1.5.000), you can use the LIZA application to open directory objects directly in LEX. This feature enables you, for example, to change permissions in LEX - LIZA is ultimately 'just' a read-only tool which can display permissions but not change them.
If you want to handle an object with LEX, just use the option Open in LEX from the context menu in the treeview panel:
At the top of the LIZA application window, you can find the following command buttons:
This is the option to establish a new connection to another domain controller or to another Active Directory directory partition (in case you want to check the permissions in the schema, the configuration partition or in another domain). By default, LIZA connects to the next reachable domain controller and displays the domain of which the current user is a member.
This button triggers a reload of the information which is currently displayed. If the focus is in the left window panel (the directory tree view), not the entire directory hierarchy is refreshed, but only the containers directly above and below the one you are currently in.
This button changes the container focus to the parent container of the currently selected container (you can also use the BACKSPACE key for this).
If this button is activated, LIZA shows not only containers (for example OUs) in the hierarchy. All objects are shown then (including the so-called leaf objects which don't contain any other objects). Then all leaf objects which are contained in the currently selected container are loaded into the tree view. So if you click on a container in which, for example, 20,000 user objects are stored, the display of these leaf objects could take a while. If you activate this option and you trigger a trustee analysis, this can take a really long time!
This button is only visible if you are currently in the mode 'Selecting a trustee for analysis'. It determines whether the directory objects are displayed in a friendly manner or if the LDAP distinguished name is shown for each object.
With this button you can filter out the display of all permission entries of upper-level objects (such as OUs) which were inherited by the object. Under certain circumstances, a very large number of inherited permissions exist and the display of the permissions may become cluttered and slow. So if you are primarily interested in the explicitly set permissions on objects, you can use this filter. Do not forget that with an active filter there is information that is not currently displayed! The button flashes red in this case.
Latest version changes:
Some important technical details about LIZA: