Active Directory ACL Analyzer and Exporter
User's Guide

Introduction
This User's Guide shows you how to use the Active Directory ACL Analyzer and Exporter to view and analyze individual Active Directory access control lists (ACLs) and to export the ACLs of objects in an Active Directory tree.
It contains eleven sections.

1. Pre-requisites
Prior to getting started with the Gold Finger application, please ensure that the following pre-requisites are met -
The computer on which the application will be installed must be running a Windows operating system that is currently supported by Microsoft Corporation, and it must have network access to the Active Directory forest you wish to analyze.
The computer on which the application will be used must be joined to the Active Directory forest it is to be used in.
The user in whose security context the application will be used, must be logged on to the Windows machine on which the application is installed, using a domain user account belonging to the same Active Directory forest.
Note 1 - For pre-requisites 2 and 3, alternatively, the user using the application can specify and use alternate credentials of a domain account belonging to the same Active Directory forest, specifiable via Basic Options.
Note 2 - The account used to install the application on a computer must have local admin rights on that computer. This is only required to be able to install/update required Microsoft Windows platform redistributable dependency files.

2. Getting Started
Getting started with Gold Finger takes just a few minutes and involves three simple steps -
- Download and install Gold Finger
Navigate to your custom license download URL, locate the Gold Finger download link and click on it to download the Gold-Finger.zip package onto the computer on which you wish to install the application.
Next, unzip the package, verify the digital signature on the unzipped Gold-Finger.msi installer file and then double-click it to launch the installer. The installer will ask a few basic questions and then proceed to install Gold Finger.
- Download and install your Gold Finger License
Navigate to your custom license download URL, locate the Gold Finger License download link and click on it to download the Gold_Finger_License.zip package onto the computer on which you wish to install the application.
Next, unzip the downloaded package, and locate the GFLic.dll file within the unzipped Gold_Finger_License folder. Verify the digital signature on the GFLic.dll file, and then copy it into the Gold Finger installation directory.
Note - In a default installation, the Gold Finger installation directory is C:\Program Files (x86)\Paramount Defenses\Gold Finger.
- Launch Gold Finger
Click the Start menu, locate the Paramount Defenses folder, then locate the Gold Finger application link and click on it. Please give it a few moments whilst Gold Finger performs a few basic security checks before it opens.
Note - Should you wish to use alternate credentials or target a specific domain controller, you can do so via Basic Options.

3. Exploring the User Interface
Gold Finger's sheer simplicity is reflected in its minimalist user interface, comprised of the following elements -
Tool Selector - The tool selector is used to select a specific tool.
Reports Pane - The reports pane lists all the reports available in the selected tool.
Options Field - The options field is used to configure options to only export the ACLs of specific objects.
Scope Field - The scope field is used to specify the report's scope/target.
Search Utility - The inbuilt search utility is used to locate and specify targets.
Scope Options - The scope options button is used to access and configure scope options.
Run button - The run button, also known as the Gold Finger button, is used to generate a report.
Results Pane - The results of a report are displayed in the results pane, titled the ACL or Objects pane.
Status Indicator - The status indicator provides an indication of the report's status.
Export Button - The Export button is used to export a report's results.
Analyze Button - The analyze button is used to view an object's ACL in Analyze view.

4. Viewing ACLs
To view and analyze ACLs in Active Directory, select the ACL Analyzer and Exporter from the Tool Selector, then enact the following three steps -
- Select a report
In the Reports pane, select from one of the following two reports by clicking on it -
View the ACL of an Active Directory object
View the SACL of an Active Directory object
- Specify a scope
In the Scope field, enter the distinguished name (DN) of the AD object whose ACL/SACL you wish to analyze.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
- Click a button
Click the Gold Finger (Run) button, and the tool will proceed to retrieve and display the target object's ACL.

5. Exporting ACLs
To export ACLs, select the ACL Analyzer and Exporter from the Tool Selector, then enact the following three steps -
- Select a report
In the Reports pane, select from one of the following two reports by clicking on it -
Export ACLs of all objects in an Active Directory tree
Export SACLs (System ACLs) of all objects in an Active Directory tree
Note - You can optionally use the Options selector to select an option to only export the ACLs of those objects that meet specific criteria.
You can select from amongst four options - Export ACLs of all objects (default), Export ACLs of objects whose ACL is marked Protected, Export ACLs of objects owned by a specific user or group or Export ACLs of objects with a specific Primary Group.
- Specify a scope
In the Scope field, enter the distinguished name (DN) of the AD domain, OU, container or object you wish to target.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
Note 2 - You can optionally also configure scope options to customize the report's scope and depth, and/or specify a custom LDAP filter.
- Click a button
Click the Gold Finger (Run) button, and the tool will proceed to export the ACLs of all objects in the target scope.

6. Viewing Results
Upon the successful completion of a report, Gold Finger displays the ACL of the specified target in the ACL pane.
The list of all access control entries (ACEs) that the ACL is comprised of is displayed in the ACL pane, and an ACL summary including the number of ACEs in the ACL, the object's owner and primary group, as well as the ACL's current protection status are displayed in the Status field.
For each ACE, all fields, including Type, Security Principal, Permissions, Attribute/Class, Inheritance and Applies To are displayed in individual columns. The results are also fully-sortable and can also be exported by clicking the Export button.
The view of an Active Directory ACL as displayed in this view is usually referred to as a Standard view. In addition to the Standard view, Gold Finger also features an Analyze view that makes it really easy to analyze Active Directory ACLs.
Note - The Analyze view can be accessed by clicking the Analyze button, and is described in detail in the next section.

7. Analyzing ACLs
Active Directory ACL Analyzer and Exporter features a unique Analyze view that makes it really easy to analyze Active Directory ACLs, and it can be accessed by clicking the Analyze button (located below the Gold Finger button).
Note - In Analyze view, the button is dynamically labelled as View, and clicking it reverts the ACL pane back to the simple ACL view mode.
Specifically, the Analyze view provides a complete, detailed, fully-sortable view of the ACL of any Active Directory object, with individually sortable columns for all fields including the permission, type and inheritance fields.
Notably, the Permissions field of every access control entry (ACE) in an Active Directory access control list (ACL) is segmented into individual columns, one for each unique Active Directory security permission, and denoted in SDDL (Security Descriptor Definition Language), making it easy to sort and analyze an Active Directory ACL by a specific Active Directory permission type -
Read Control (RC), List Child (LC), List Object (LO), Write Owner (WO), Write DACL (WD), Standard Delete (SD), Delete Tree (DT), Create Child (CC), Delete Child (DC), Extended Rights (CR), Validated Writes (SW), Read Property (RP) and Write Property (WP)
Similarly, inheritance settings are also segmented into individually sortable columns for easy sorting and analysis.
Gold Finger's unique Analyze view makes it really easy to analyze the ACL of any Active Directory object by any field, such as by type, by security principal, by individual permissions, by applies to or by any inheritance setting.
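The per-permission column layout described above can be reproduced from a raw SDDL string. The following is an added example, not Gold Finger's own code: it splits each DACL ACE into one boolean column per permission code listed in this section, reports the ACL's Protected flag, and lists which trustees hold a given permission through an allow ACE. The sample SDDL string, its SIDs and its object GUID are constructed placeholders, and the function names are hypothetical.

```python
import re

# The 13 permission columns the guide lists, with their access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}

# Constructed sample: the SIDs and the object GUID are placeholders.
SAMPLE = ("O:DAG:DAD:PAI"
          "(A;;RPWPCCDCLCSWRCWDWOSDDTLOCR;;;DA)"
          "(A;CIID;RPLCRC;;;AU)"
          "(OA;CI;WP;00000000-0000-0000-0000-000000000001;;S-1-5-21-1-2-3-1105)"
          "(A;CI;0x000c0000;;;S-1-5-21-1-2-3-1106)"
          "S:AI(AU;SA;WDWO;;;WD)")

def split_rights(field):
    """Return the set of listed permission codes present in an ACE rights field."""
    if field.lower().startswith("0x"):           # rights given as a hex access mask
        mask = int(field, 16)
        return {code for code, bit in RIGHTS.items() if mask & bit}
    return {code for code in re.findall("..", field) if code in RIGHTS}

def analyze(sddl):
    """Return (protected, rows): one row per DACL ACE, one boolean per permission."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)   # DACL flags, then its ACEs
    if not m:
        return False, []
    rows = []
    for ace in re.findall(r"\(([^()]*)\)", m.group(2)):
        ace_type, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        row = {"Type": ace_type, "Trustee": trustee, "Object": obj,
               "Inherited": "ID" in re.findall("..", flags)}
        granted = split_rights(rights)
        row.update({code: code in granted for code in RIGHTS})
        rows.append(row)
    return "P" in m.group(1), rows               # "P" marks a Protected DACL

def who_can(rows, code):
    """Trustees holding `code` through an allow ACE (A or OA), in ACL order."""
    return [r["Trustee"] for r in rows if r["Type"] in ("A", "OA") and r[code]]

if __name__ == "__main__":
    protected, rows = analyze(SAMPLE)
    print("Protected:", protected)
    for code in ("WD", "WO"):
        print(code, who_can(rows, code))
```

Sorting the resulting rows on the WD or WO column gives the same kind of review the Analyze view supports: a quick list of every principal able to rewrite the object's DACL or take ownership of it.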

8. Exporting Results
Gold Finger makes exporting Active Directory ACLs as easy as touching a button, as described below -
- Exporting Results
With Active Directory ACL Analyzer and Exporter, you can export the ACL of a specific Active Directory object, as well as the ACLs of all objects in an Active Directory tree.
To do so, enact this step after you have completed one of the steps above, i.e. Analyze ACLs or Export ACLs.
This step involves exporting the Active Directory ACLs, and to enact it, simply click the Export button once.
When you do so, Gold Finger will generate a CSV file containing the entire data set relevant to the specific report selected and generated, and prompt you to specify a location at which to save the file.
Note - You can also export the list of objects displayed, by right-clicking anywhere in the Objects pane, and selecting Export.

9. Using Basic Options
Gold Finger offers two options that can be used to target specific domain controllers and/or use alternate credentials (and a third basic option that impacts the aesthetics of the Run button, traditionally known as the Gold Finger button), accessible via the Options > Basic Options application menu -
- Target a specific Domain Controller
Gold Finger can be configured to target a specific domain controller (DC). If this option is checked, Gold Finger will only target the DC specified in the DC Name field. The specified name of a DC must be its NetBIOS name.
Note - The only requirement is that the specified DC must belong to the target domain and it must also be a Global Catalog.
- Use specific Alternate Credentials
Gold Finger can also be configured to use alternate credentials. If this option is checked, Gold Finger will use the specified alternate credentials. The specified username must be in the form of a UPN, e.g. administrator@corp.local.
Note - By default, Gold Finger uses the security context of the (logged-on) user account that is currently using Gold Finger.
- Use contemporary 'Run' Button
This option controls the aesthetics of the Run button. If this option is checked (default), the Run button sports a contemporary look. If it is unchecked, the Run button retains its traditional look i.e. the iconic Gold Finger button.

10. Using Advanced Options
Gold Finger offers four advanced options for the ACL Analyzer and Exporter tool, accessible via the Options > Advanced Options application menu -
- Use 'Display Names' for user accounts - This option controls whether Gold Finger should retrieve and display the Display Name of domain user accounts in the Name field. If checked, it will display the Display Name instead.
- Include 'System Container' contents - This option controls whether Gold Finger should include the contents of the System container when analyzing and exporting ACLs. If checked, it will include objects in the System container.
  - [ Also include DNS data ] - This sub-option is used to control whether Gold Finger should also include DNS data that resides in the System container when analyzing and exporting ACLs. If checked, it will also include DNS contents in the System container.

11. Getting Technical Support
Should you require technical support or assistance, please feel free to contact us.
-- End of User's Guide --