Utility Spotlight: Analyze Security Descriptors with searchSd

Download the code for this article: searchSd.exe (126KB)

Scenario

Your IT department is interested in conducting security audits. The group wants to have statistics generated about the usage of access control entries (ACEs) in their domain deployment. They want to be able to run a job every Sunday at 1:00 A.M. that will log the results to a file. These logs can then be examined to check for any new access rights that have been added to Active Directory® or for any existing objects that have been hidden, both possible signs of suspicious activity that should be investigated further.

As part of their audits, the IT department finds a security group that they are interested in deleting due to inactivity. They're convinced this group is not being used, but how do they know for sure?

Tool

The searchSd command-line tool was written by Gokay Hurmali, a Software Design Engineer in Test working in the Microsoft Directory and Identity Services group. The tool analyzes security descriptors of objects in Active Directory. The creation of searchSd was motivated by the absence of a built-in way for Windows® to search for authorization data within Active Directory. Active Directory stores security descriptors as binary attributes of objects and as a result does not allow for customized searching of a descriptor's fields.

This tool has two modes. The first mode is accessed by running searchSd with the /test:searchDacl switch. This mode will search the discretionary access control list (DACL) of a security descriptor and will compile a customized report for the ACEs in the DACL. From this, it's possible to construct a general overview of the authorization hierarchy of an Active Directory environment. The tool can also dump all of the explicit ACEs found during the search.

Running searchSd with the /test:dumpOwner switch gives you access to the second mode, which generates a report that describes the owner field of each security descriptor found. To see all the objects in the report, add the /dumpObjects switch to the command line.

In both modes, by default the search scope is the entire subtree under the domain naming context. However, this can be configured with the /objectDN, /filter, and /Scope switches, allowing for more control over the target search space.

When the tool is run, it performs an LDAP search and retrieves the list of all objects in the default or user-specified search scope. It then reads the binary security descriptor information of each object and uses it to compile the output report. searchSd can run against a domain controller or Active Directory Application Mode (ADAM) service from any machine in the network, and it does not need to run locally on the domain controller or ADAM server itself, though it is able to do so.

In addition to outputting information to the console, the searchSd tool can generate a report file containing all of the requested information.

Figure 1 shows the tool being used to get an overall picture of object ownership in the domain. You can download the searchSd.exe utility from the link at the top of this article.

Figure 1 Object Ownership in the Domain

C:\>searchSd.exe /test:dumpOwner /hostmachine:myDc /admin:Administrator /adminpwd:Iw02tS!y /domain:myDomain

tool_dumpOwner: total objects checked: 11916
                failure to read SD   : 0

BUILTIN\Administrators (S-1-5-32-544)
    owns   13 objects
MYDOMAIN\Domain Admins (S-1-5-21-306529421-2353485120-531261498-512)
    owns  11890 objects
NT AUTHORITY\SYSTEM (S-1-5-18)
    owns    8 objects
MYDOMAIN\DS3X12$ (S-1-5-21-306529421-2353485120-531261498-7753)
    owns    2 objects
unknown sid  [S-1-5-21-4047798943-3841610301-3130714431-512]
    owns    1 objects
unknown sid  [S-1-5-21-306529421-2353485120-531261498-1105]
    owns    1 objects
MYDOMAIN\ua (S-1-5-21-306529421-2353485120-531261498-16464)
    owns    1 objects

Time elapsed for searchSd.LOG.00003.xml: 8 Seconds.
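The report above is built from the binary nTSecurityDescriptor attribute of each object. As an added example (not the searchSd source, which is not reproduced in this article), the following Python decodes that self-relative SECURITY_DESCRIPTOR layout, tallies owners the way the dumpOwner report does, and counts the explicit ACEs that name a given SID, which is the check the scenario's "is this group still used?" question calls for. The SIDs are the ones quoted in Figure 1; the three descriptors are constructed samples, and the build_sid/build_sd helpers exist only to produce them.

```python
import struct
from collections import Counter

def parse_sid(buf, off):
    """Return (SID string, byte length) for the binary SID at buf[off]."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")        # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian sub-authorities
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_sd(buf):
    """Decode the owner SID and DACL ACEs from a self-relative SECURITY_DESCRIPTOR."""
    rev, _, control, o_owner, _, _, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:                      # SE_SELF_RELATIVE required
        raise ValueError("not a self-relative revision-1 security descriptor")
    sd = {"owner": parse_sid(buf, o_owner)[0] if o_owner else None, "dacl": []}
    if control & 0x0004 and o_dacl:                           # SE_DACL_PRESENT
        ace_count = struct.unpack_from("<BBHHH", buf, o_dacl)[3]
        pos = o_dacl + 8                                      # skip the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            # Plain ALLOWED (0) / DENIED (1) ACEs carry the SID at +8; object ACEs (5/6) have
            # flag and GUID fields first, so they are only stepped over by AceSize here.
            sid = parse_sid(buf, pos + 8)[0] if ace_type in (0, 1) else None
            sd["dacl"].append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid})
            pos += ace_size
    return sd
def build_sid(auth, *subs):          # used only to construct the sample descriptors
    return bytes([1, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_sd(owner, group, aces):    # aces = [(type, flags, mask, sid_bytes), ...]
    body = b"".join(struct.pack("<BBHI", t, f, 8 + len(s), m) + s for t, f, m, s in aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body  # ACL_REVISION_DS
    o_owner, o_group = 20, 20 + len(owner)
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8004, o_owner, o_group, 0, o_group + len(group))
    return hdr + owner + group + dacl
# SIDs quoted in Figure 1; the three descriptors are constructed samples, not real AD data.
DOMAIN_ADMINS = build_sid(5, 21, 306529421, 2353485120, 531261498, 512)
ADMINISTRATORS = build_sid(5, 32, 544)
GENERIC_ALL = 0x10000000
SAMPLE_OBJECTS = [
    build_sd(DOMAIN_ADMINS, DOMAIN_ADMINS, [(0, 0, GENERIC_ALL, DOMAIN_ADMINS)]),
    build_sd(DOMAIN_ADMINS, DOMAIN_ADMINS, [(0, 0, GENERIC_ALL, DOMAIN_ADMINS), (1, 0, GENERIC_ALL, ADMINISTRATORS)]),
    build_sd(ADMINISTRATORS, DOMAIN_ADMINS, [(0, 0, GENERIC_ALL, ADMINISTRATORS)]),
]
def dump_owner(descriptors):         # owner SID -> objects owned, as in the dumpOwner report
    return Counter(parse_sd(b)["owner"] for b in descriptors)

def explicit_aces_for(descriptors, sid_str):   # zero hits -> the SID grants nothing explicitly
    return sum(a["sid"] == sid_str for b in descriptors for a in parse_sd(b)["dacl"])
```

A real run would feed the raw nTSecurityDescriptor bytes returned by an LDAP search into parse_sd; note that a group with no explicit ACEs may still receive rights through nested membership, so a zero count narrows the question rather than settling it.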

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.