Page 45 - Cyber Warnings







This wizard is located on the drop-down menu for the domain node and for each Organizational Unit
in the Active Directory Users and Computers tool. The wizard defines which account (user or
group) is granted a specific task. The most common tasks are resetting passwords for users
and modifying group membership, both of which can have a significant security impact if
the wrong account is granted the delegation.

The Delegate Control Wizard can only configure the delegations—it can’t report or remove
delegations. Therefore, a different tool must be used for each task. The built-in dsacls.exe tool
is ideal for reporting on delegations for each Active Directory node.
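
The PowerShell script below is an added example, not part of the original article. It produces the kind of per-OU delegation report described above for the two tasks the article names. It assumes the RSAT ActiveDirectory module and reads each ACL with Get-Acl on the AD: drive rather than parsing dsacls.exe output; the `$Expected` list and the function name are illustrative.

```powershell
# Added example: list explicit delegations of "reset password" and
# "modify group membership" on every OU. Requires the RSAT ActiveDirectory
# module and read access to the domain.
Import-Module ActiveDirectory

$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$MemberAttr    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute of groups
$Any           = [guid]::Empty   # ACE is not scoped to a single right or attribute

# Assumption: trustees expected to hold these rights. Adjust for your domain
# (for example, add '<DOMAIN>\Domain Admins').
$Expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function Get-DelegatedTask {
    # Emits the name of each sensitive task an ACE grants (nothing if none).
    # Full control (GenericAll) contains both flags, so it reports both tasks.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return }
    $r = $Ace.ActiveDirectoryRights
    if ($r.HasFlag($Rights::ExtendedRight) -and ($Ace.ObjectType -in ($ResetPassword, $Any))) {
        'Reset password'
    }
    if ($r.HasFlag($Rights::WriteProperty) -and ($Ace.ObjectType -in ($MemberAttr, $Any))) {
        'Modify group membership'
    }
}

$report = foreach ($ou in (Get-ADOrganizationalUnit -Filter *)) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Explicit ACEs only, so each delegation is reported once, where it was set
        if ($ace.IsInherited) { continue }
        if ("$($ace.IdentityReference)" -in $Expected) { continue }
        foreach ($task in (Get-DelegatedTask -Ace $ace)) {
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Trustee     = "$($ace.IdentityReference)"
                Task        = $task
                Inheritance = $ace.InheritanceType  # None = this OU only; Descendents/All = child objects
            }
        }
    }
}

$report | Sort-Object OU, Trustee, Task | Format-Table -AutoSize
```

Saving the sorted report and comparing it with the previous run shows which delegations were added or removed between audits.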

Modifications to existing delegations are typically made manually on the Security tab of the
object's Properties page.



Summary

Ensuring that privileged access is understood, configured properly and monitored is a huge step
toward hardening the security of your Windows environment.

Without the correct reports, configurations or monitoring, it is impossible to know what privileges
are granted. Beyond that, without the knowledge of privileged access, you are leaving your
organization open for an easy attack.

However, with the correct tools in place to monitor and alert on changes to correctly configured
privileged access, there is little that can sneak by you if an attack occurs.




About the Author

Derek Melber is the technical evangelist for ManageEngine, a division of Zoho
Corporation. As one of only a handful of Microsoft Group Policy MVPs, Derek
helps Active Directory administrators, auditors and security professionals
understand the finer points of how to manage, audit, recover and solve issues that
occur in Active Directory and Group Policy.

He educates IT professionals worldwide on Active Directory, Group Policy and Security and has
authored over 15 books on Windows security and management. He’s famous for his video
shorts in which he offers quick, practical solutions for Active Directory management. For more
information on ManageEngine, the real-time IT management company, please visit
www.manageengine.com; follow the company blog at http://blogs.manageengine.com, on
Facebook at http://www.facebook.com/ManageEngine and on Twitter @ManageEngine.








45 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
