Is there an extract of permissions & rights captured by ADACLScan.ps1 (with their criticality levels)?
jamesplucas opened this issue · 2 comments
I am running ADACLScan.ps1 version 6.8 to uncover AD groups with Critical, Warning & Medium permissions & rights that are not already being reviewed as built-in groups.
The auditors are asking me to justify use of ADACLScan.ps1. They want to know what permissions are identified and why the criticality level rates them as Critical, Warning & Medium. Why am I excluding Low criticality permissions?
Is there an extract of permissions & rights captured by ADACLScan.ps1 (with their criticality levels)?
If so, I could then refer the auditors to the Microsoft descriptions, such as
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=net-5.0
Examples of what I am looking for are:
"Create Object"="Warning";
"Read permissions, Modify permissions" {$intCriticalityLevel = 4 }
Reload SSL/TLS Certificate = "1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8" {$intCriticalityLevel = 4}
Web-Information = 2 "E45795B3-9455-11d1-AEBD-0000F80367C1" { # If it SELF then = 1
if($objIdentity -eq "NT AUTHORITY\SELF"){$intCriticalityLevel = 1} else {$intCriticalityLevel = 2}}
There is no written rationale behind the severity levels, even though I have one. That's something I maybe should publish. What I have is a listing of what is categorized for each level. The criticality is not an absolute, since it always depends on what object/attribute is affected by one ACE. In the UI Assessment tab/View Color Legend I have listed the severity with different rights.
ADACLScan lists all ACEs that the .NET GetAccessRules can understand. Fact: there are broken/invalid ACEs that GetAccessRules can't read, not even Windows. See the severity as a helping function to determine the level of access, because there is not a direct relation with the risk for a certain organization. That is for you as a security reviewer/researcher to understand.
This one:
if($objIdentity -eq "NT AUTHORITY\SELF"){$intCriticalityLevel = 1} else {$intCriticalityLevel = 2}}
If you have write "Web-Information" on your own object (your security principal), it is marked as "Low"; if it's write on another object, it's marked as "Medium".
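As an added illustration for this thread (not code from ADACLScan.ps1 or its author), the snippet below applies only the criticality rules quoted above to the ACEs of one directory object read with Get-Acl on the AD: drive, so the mapping can be shown to an auditor together with the reason each ACE was rated. It assumes, because the thread does not say so, that level 3 is labelled "Warning" and level 4 "Critical", that "Create Object" is the CreateChild right, and that "Read permissions, Modify permissions" means ReadControl together with WriteDacl; the OU distinguished name is a placeholder.

```powershell
# Added example for this issue, not ADACLScan.ps1 code. Rates ACEs with the rules
# quoted in the thread. Assumed (not stated in the thread): level 3 = "Warning",
# level 4 = "Critical", "Create Object" = CreateChild, and
# "Read permissions, Modify permissions" = ReadControl + WriteDacl.
Import-Module ActiveDirectory

# GUIDs quoted in the thread
$WebInformationGuid   = [guid]'E45795B3-9455-11d1-AEBD-0000F80367C1'  # property set Web-Information
$ReloadSslTlsCertGuid = [guid]'1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8'  # extended right Reload SSL/TLS Certificate

# Level 1 and 2 labels come from the thread; 3 and 4 are assumed
$LevelLabel = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'Warning'; 4 = 'Critical' }

function Get-AceCriticality {
    # Returns the highest level any quoted rule assigns to one ACE, the label,
    # and which rule fired. Deny ACEs are not rated: they remove access.
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectoryAccessRule]$Ace
    )
    $R        = [System.DirectoryServices.ActiveDirectoryRights]
    $rights   = $Ace.ActiveDirectoryRights
    $identity = $Ace.IdentityReference.Value
    $level    = 0
    $reason   = 'no quoted rule matched'

    if ($Ace.AccessControlType -eq 'Allow') {
        # "Read permissions, Modify permissions" -> 4 (WriteDacl lets the holder rewrite the ACL)
        if ($rights.HasFlag($R::ReadControl) -and $rights.HasFlag($R::WriteDacl)) {
            $level = 4; $reason = 'Read permissions, Modify permissions'
        }
        # Reload SSL/TLS Certificate extended right -> 4
        if ($rights.HasFlag($R::ExtendedRight) -and $Ace.ObjectType -eq $ReloadSslTlsCertGuid) {
            $level = 4; $reason = 'Reload SSL/TLS Certificate'
        }
        # "Create Object" -> Warning, unless something stronger already matched
        if ($level -lt 3 -and $rights.HasFlag($R::CreateChild)) {
            $level = 3; $reason = 'Create Object'
        }
        # Web-Information write: Low on the principal's own object (SELF), Medium on any other
        if ($level -lt 2 -and $rights.HasFlag($R::WriteProperty) -and $Ace.ObjectType -eq $WebInformationGuid) {
            if ($identity -eq 'NT AUTHORITY\SELF') { $level = 1 } else { $level = 2 }
            $reason = 'Web-Information'
        }
    }

    $label = 'Unrated'
    if ($level -gt 0) { $label = $LevelLabel[$level] }
    [pscustomobject]@{ Level = $level; Label = $label; Reason = $reason }
}

# Walk one object's ACL and keep everything above Low, as the issue author does.
# The DN is a placeholder; point it at the object under review.
$Dn = 'OU=Placeholder,DC=example,DC=com'
(Get-Acl -Path "AD:\$Dn").Access | ForEach-Object {
    $c = Get-AceCriticality -Ace $_
    if ($c.Level -ge 2) {
        [pscustomobject]@{
            Identity   = $_.IdentityReference.Value
            Type       = $_.AccessControlType
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $_.ObjectType
            Level      = $c.Level
            Label      = $c.Label
            Reason     = $c.Reason
        }
    }
} | Sort-Object Level -Descending | Format-Table -AutoSize
```

The Reason column is the part worth keeping for an audit file: it records which quoted rule produced the rating, which is the justification the auditors are asking for. ACEs that fall outside the quoted rules are reported as Unrated rather than silently dropped, so the reviewer can see what the rule set did not cover.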