Active Directory Effective Permissions Calculator

User's Guide

2. Getting Started

Getting started with Gold Finger takes just a few minutes and involves three simple steps -

1. Download and install Gold Finger

   Navigate to your custom license download URL, locate the Gold Finger download link and click on it to download the Gold-Finger.zip package onto the computer on which you wish to install the application.

   Next, unzip the package, verify the digital signature on the unzipped Gold-Finger.msi installer file and then double-click it to launch the installer. The installer will ask a few basic questions and then proceed to install Gold Finger.




2. Download and install your Gold Finger License

   Navigate to your custom license download URL, locate the Gold Finger License download link and click on it to download the Gold_Finger_License.zip package onto the computer on which you wish to install the application.

   Next, unzip the downloaded package, and locate the GFLic.dll file within the unzipped Gold_Finger_License folder. Verify the digital signature on the GFLic.dll file, and then copy it into the Gold Finger installation directory.

   Note - In a default installation, the Gold Finger installation directory is C:\Program Files (x86)\Paramount Defenses\Gold Finger.

   
   

3. Launch Gold Finger

   Click the Start menu, locate the Paramount Defenses folder, then locate the Gold Finger application link and click on it. Please give it a few moments whilst Gold Finger performs a few basic security checks before it opens.

   Note - Should you wish to use alternate credentials or target a specific domain controller, you can do so via Basic Options.

3. Exploring the User Interface

Gold Finger's sheer simplicity is reflected in its minimalist user interface, comprised of the following elements -

1. Tool Selector - The tool selector is used to select a specific tool.

2. Reports Pane - The reports pane lists all the reports available in the selected tool.

3. Scope Field - The scope field is used to specify the report's scope/target.

4. Search Utility - The inbuilt search utility is used to locate and specify targets.

5. Run button - The run button, also known as the Gold Finger button, is used to generate a report.

6. Results Panes - The results of a report are displayed in the results panes, comprised of the Who and How panes.

7. Status Indicator - The status indicator provides an indication of the report's status.

8. Export Button - The Export button is used to export a report's results.

9. Effective Permission Selector- The effective permission selector, also referred to as the What dropdown, is used to view the results of a specific effective permission.

4. Calculating Effective Permissions

To calculate effective permissions on an Active Directory object, select the Effective Permissions Calculator from the Tool Selector, then enact the following three steps -

1. Select a report

   In the Reports pane, click on Who has what effective permissions on an Active Directory object report to select it.




2. Specify a scope

   In the Scope field, enter the distinguished name (DN) of the Active Directory object you wish to target.

   Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.

   
   

3. Click a button

   Click the Gold Finger (Run) button, and the tool will proceed to calculate effective permissions on the target object.

5. Analyzing Results

Once Gold Finger has successfuly completed generating the report(s), it presents the results intuitively using three user-inteface elements, the What drop-down and the Who and How panes, to be be analyzed as described below -

1. Identifying Who can do What

   All effective permissions that have been determined by Gold Finger as allowed on the specified target i.e. those that are possessed by at least one account on the specified target, are listed in the What dropdown.

   Begin with the effective permission you are interested in analyzing by selecting it in the What dropdown.

   When you do so, the list of all domain user/computer accounts that have been determined to possess that effective permission on the specified target, will be displayed in the Who pane.




2. Identifying How

   To find out how a specific account (that is listed in the Who pane) has the selected effective permission on the specified target, i.e. which security permission in the ACL of the specified target is entitling the account to possess that effective permission, click on that specific account (that is listed and visible) in the Who pane.

   When you do so, the entitling security permission in the target object's ACL will be displayed in the How pane.

6. Exporting Results

Gold Finger also makes exporting the complete set of results, i.e. the What, the Who and the How, as easy as touching a button, as described below -

1. Exporting Results

   To export the results of a report, simply click the Export button once. When you do so, Gold Finger will generate a CSV file containing the entire data set, and prompt you to specify a location at which to save the file.

   The data in the CSV file is logically compartmentalized into the aforementioned three sections, and is fully sortable.

   In addition, the contents of each pane, i.e. the Who and How panes, can also be individually exported. To export the contents of a specific pane, simply right-click anywhere in the pane, and select the Export option.

7. Using Single-User Mode

Gold Finger's unique Single-User mode lets organizations easily assess whether a specific user of interest has any effective permissions on a specific Active Directory object of interest, and if so which ones, and how.

To use Single-User mode, activate it by using the Mode option in the application menu, then enact the following steps -

1. Select a User

   Click the Select a User button (, located in the top-left corner of the Reports pane) to locate and select a user.




2. Select a Report and Specify a Scope

   Select the report displayed in the Reports pane, then specify the target of your asessment by using the Scope field.

   Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.




3. Click a button

   Click the Gold Finger button to generate the report.

Upon the completion of the report, results will be displayed in the Results pane. The steps involved in analyzing results and exporting results are identical to those for the default (Multi-User) mode, with the exception that the only security principal listed in the Who pane will be the specified user.

Note - To return to the Multi-User mode, use the Mode option in the Application menu.

8. Using Basic Options

Gold Finger offers two options that can be used to target specific domain controllers and/or use alternate credentials, (and a third basic option that impacts the aesthetics of the Run button, traditionally known as the Gold Finger button,) accessible via the Options > Basic Options application menu -

1. Target a specific Domain Controller

   Gold Finger can be configured to target a specific domain controller (DC). If this option is checked, Gold Finger will only target the DC specified in the DC Name field. The specified name of a DC must be its NetBIOS name.

   Note - The only requirement is that the specified DC must belong to the target domain and it must also be a Global Catalog.




2. Use specific Alternate Credentials

   Gold Finger can also be configured to use alternate credentials. If this option is checked, Gold Finger will use the specified alternate credentials. The specified username must be in the form a UPN e.g. administrator@corp.local.

   Note - By default, Gold Finger uses the security context of the (logged-on) user account that is currently using Gold Finger.

   
   

3. Use contemporary 'Run' Button

   This option controls the aesthetics of the Run button. If this option is checked (default), the Run button sports a contemporary look. If it is unchecked, the Run button retains its traditional look i.e. the iconic Gold Finger button.

9. Using Advanced Options

Gold Finger offers eight advanced options for the Effective Permssions Calculator tool, accessible via the Options > Advanced Options application menu -

1. Use 'Display Names' for user accounts - This option controls whether Gold Finger should retrieve and display the Display Name of domain user accounts in the Name field. If checked, it will display the Display Name instead.

2. Include 'System Container' contents - This option controls whether Gold Finger should include the contents of the System container when calculating effective permissions. If checked, it will include objects in the System container.

   [ Also include DNS data ] - This sub-option is used to control whether Gold Finger should also include DNS data that resides in the System container when calculating effective permissions. If checked, it will also include DNS contents in the System container.

3. Include 'Anonymous' in 'Everyone' - If checked, Gold Finger will include the Anonymous well-known security principal when dynamically evaluating the membership of the Everyone well-known security principal.

4. Include impact of object ownership - This option controls whether Gold Finger should include the impact of an object's owner having implicit Modify Permissions on the object. If checked, it will include the impact of ownership.

5. Include assessment of Read Permissions (RP, RC, LC, LO) - If checked, Gold Finger will include the determination of all read permissions effective permissions. Selecting this option could considerably increase assessment time.

6. Include all attributes during Effective Permissions analysis - If checked, Gold Finger will determine effective permissions for all attributes permissible by the Schema on the target, even if they do not have a value specified.

7. Exclude data processing for CSV output - If checked, Gold Finger will skip processing data for CSV exports, likely considerably reducing assessment time. However the ability to export data to a CSV file will become unavailable.

8. Exclude all permissions for Everyone and Authenticated Users on domain-root and OUs, as well as Authenticated Users 'Send To' permissions and 'Everyone Change Password' permissions - If checked, Gold Finger will skip evaluating these effective permissions for these laden permissions, considerably reducing assessment time.