A Russian Nesting Doll? What a bizarre choice of image to accompany a technology blog, you may think. In the same way that you can’t determine what is contained within a nest of Russian Dolls without opening them up, Active Directory doesn’t reveal exactly who is a member of a group if that membership is through group nesting.
StealthINTERCEPT 4.0 gives you the ability to peel away the layers and monitor nested group membership and any changes that may occur.
Active Directory allows certain types of groups to be nested within other groups. The primary reason is to simplify the process of giving access to resources. It allows an administrator to make permissions more granular and assign groups where appropriate.
This diagram illustrates a simple series of nested groups: Group4 nested into Group3. Group3 nested into Group2. Group2 nested into Group1.
Even though Microsoft recommends nesting doesn’t go beyond two levels, at STEALTHbits we often see our customers with group nesting as far down as 15 levels.
The deeper the nesting, the harder it is to track changes to effective membership and the larger the risk of ‘Circular Nesting’, which is when a group inadvertently becomes a member of itself – something StealthAUDIT can highlight.
Effective membership is the sum of all users in all groups within the nesting hierarchy.
As mentioned, nesting groups can spiral out of control and if not managed well can become an unwieldy mess. This leads to losing one’s grip on who has access to what – which ironically, is the exact challenge addressed by using groups in the first place.
This illustration demonstrates a simple use of nested groups. ‘Admin Group’ has been applied to the ACL on three sensitive Data folders.
With just one group applied you can natively determine effective access to the data relatively easily. However, when you start to nest groups into the ‘Admin Group’, you need to use a tool such as StealthAUDIT to determine Effective Access to the sensitive data.
If a user is added or removed from the ‘Admin Group’ you can still determine Effective Access to the sensitive data.
However, and here is the compliance (and operational) headache – what if the membership of the ‘Nested Group’ changes? Natively you cannot determine effective access to the data. With other vendors you need to periodically consolidate all changes to groups, assess group nesting and then determine effective access – all reactive and far from real-time.
This brings us to the crux of the blog (the tricky bit).
StealthINTERCEPT 4.0 monitors all changes to groups and those nested within – to any level. Therefore, if a user is added to the ‘Nested Group’, a real-time alert is triggered.
As you can see in this screenshot, StealthINTERCEPT is monitoring a group called ‘Nested Group 01’. An alert has been received to say that the effective membership has changed as user ‘User Level 05’ has been added to ‘Nested Group 03’.
Even though ‘Nested Group 03’ is not directly nested into ‘Nested Group 01’, its membership does impact the effective membership of ‘Nested Group 01’.
Still with me?
So, the impact is that ‘User Level 05’ now has every access that has been granted to ‘Nested Group 01’.
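To make the effect concrete, here is an added example (my own code, not StealthINTERCEPT’s) that resolves effective membership through nested groups to any depth, flags circular nesting, and reports when a change to a group deep in the hierarchy alters the effective membership of a monitored group. The directory contents and all group and user names are constructed to mirror the scenario above.

```python
# Constructed sample directory: group name -> direct members (users or groups).
# Any name that is a key here is a group; anything else is a user.
DIRECTORY = {
    "Nested Group 01": {"Nested Group 02", "User Level 01"},
    "Nested Group 02": {"Nested Group 03"},
    "Nested Group 03": set(),
    "Unrelated Group": {"User Level 09"},
    "Loop A": {"Loop B"},
    "Loop B": {"Loop A", "User Loop"},
}


def effective_membership(directory, group):
    """Return (users, circular): all users reachable through nesting, plus any
    group that is reached again while still on the current nesting path."""
    users, done, circular = set(), set(), set()

    def walk(current, path):
        for member in directory.get(current, ()):
            if member not in directory:        # a user, not a group
                users.add(member)
            elif member in path:               # group reaches itself: circular
                circular.add(member)
            elif member not in done:           # unexplored nested group
                walk(member, path | {member})
        done.add(current)

    walk(group, {group})
    return users, circular


def membership_change_alert(directory, monitored, changed_group, user, added=True):
    """Recompute effective membership of `monitored` after `user` is added to or
    removed from `changed_group`; report the users the monitored group gained or lost."""
    before, _ = effective_membership(directory, monitored)
    updated = {g: set(m) for g, m in directory.items()}   # do not mutate input
    updated.setdefault(changed_group, set())
    if added:
        updated[changed_group].add(user)
    else:
        updated[changed_group].discard(user)
    after, _ = effective_membership(updated, monitored)
    return {"gained": after - before, "lost": before - after}


if __name__ == "__main__":
    print(membership_change_alert(DIRECTORY, "Nested Group 01",
                                  "Nested Group 03", "User Level 05"))
    print(effective_membership(DIRECTORY, "Loop A"))
```

An empty `gained`/`lost` pair means the change happened outside the monitored group’s nesting hierarchy and needs no alert.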
Three questions you should always ask are
What I’ve outlined here is a scenario with one group and one user. Now multiply this by the number of groups and users in an enterprise, possibly with cross-domain nesting as well. You aren’t dealing with a single Russian Doll, but a warehouse full of Russian Dolls!
Can your business afford NOT to monitor (in real-time) all effective membership changes to groups?