Learn how SolarWinds Access Rights Auditor freeware can help you get better insights into your organizational security regarding Active Directory (AD) and file share permissions.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

SolarWinds Access Rights Auditor is a freeware Windows utility that scans your Active Directory Domain Services (AD DS) environment and reports on your AD and file share security posture.

Specifically, you use this tool to find security risks such as violations of least-privilege access rights, non-expiring passwords, orphaned objects, and so forth. SolarWinds Access Rights Auditor is free—download it, and I'll walk you through its use.

Run your first security scan

After you download and install Access Rights Auditor, fire it up and start a quick scan. Optionally, you can perform a deep system scan. The deep system scan allows you to dig deeper into directory structures.

According to the docs, you may need to run Access Rights Auditor under higher-privileged credentials depending on what you're scanning. As you can see in the next screenshot, I'm about to scan the C: drive of my vm1 server. You can use local and Universal Naming Convention (UNC) paths here.

Preparing to run a quick scan

On my system, I received a "Scan limit exceeded" warning, which you can see in my next screenshot. I received this warning because this freeware is limited by the physical resources available on the machine it runs on (RAM and hard disk space available). The limits for your environment are shown in the screenshot above.

Access Rights Auditor scan progress dialog

Interpret scan results

I intentionally violated least-privilege authorization on my test domain controller, as you can see in my scan results shown in the next graphic.

Access Rights Auditor scary scan results

One product feature I appreciate a lot is the guidance SolarWinds gives you when you click learn more… in each risk category. For instance, in the next screenshot you can learn what SolarWinds means by "Directories with direct access" and how they recommend you minimize risk.

And yes, the last sentence is an advertisement for their premium product, but it's true that Access Rights Manager can remediate these issues for you automatically instead of your having to perform the remediation manually.

Access Rights Auditor gives you security risk education and advice

Because I'm a teacher, I can't hold myself back from briefly explaining the meaning of each Access Rights Auditor report category. Here goes:

  • Never expiring passwords: This is self-explanatory, I think. 🙂
  • Permission complexity: Occurs when you assign explicit permissions deep within a directory structure
  • Directories with direct access: Occurs when you make access control list (ACL) entries including user account references instead of group references
  • Unresolved SIDs: Occurs when ACL entries reference non-existent or otherwise orphaned accounts (security identifiers)
  • Globally accessible directories: Occurs when you've given the "Everyone" special identity access to AD or file share resources
  • Inactive accounts: Occurs when you have AD user accounts that have had no logon for the past 30 days
  • Recursive groups: Occurs when you have nested AD groups, and a single group may be a member of itself either directly or indirectly
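
The four file-system categories in this list (permission complexity, direct access, unresolved SIDs, globally accessible directories) can be checked by hand from the ACLs themselves. The following PowerShell is an added example, not part of the original article and not SolarWinds code; the function name Get-DirectoryAclRisk, the $MaxExplicitDepth threshold and the C:\Shares path are assumptions, and it needs the RSAT ActiveDirectory module.

```powershell
# Added example, not SolarWinds code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DirectoryAclRisk {
    param(
        [Parameter(Mandatory)] [string] $Root,   # local or UNC path
        [int] $MaxExplicitDepth = 2              # assumed threshold, not the tool's
    )
    $rootItem = Get-Item -LiteralPath $Root
    $rootLen  = $rootItem.FullName.TrimEnd('\').Split('\').Count
    $dirs = @($rootItem) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $depth = $dir.FullName.TrimEnd('\').Split('\').Count - $rootLen
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }              # unreadable ACL, skip
        # Explicit (non-inherited) entries only, with identities kept as SIDs
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid   = $rule.IdentityReference.Value
            $name  = $null
            $risks = @()
            try {
                $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Translate fails when no account maps to the SID (orphaned ACE)
                $risks += 'Unresolved SID'
            }
            if ($sid -eq 'S-1-1-0') { $risks += 'Globally accessible directory' }
            # A SID that resolves to an AD user object is a direct (non-group) grant
            if ($name -and (Get-ADUser -Filter "objectSid -eq '$sid'")) {
                $risks += 'Direct access (user instead of group)'
            }
            if ($depth -gt $MaxExplicitDepth) { $risks += 'Permission complexity' }
            if ($risks) {
                [pscustomobject]@{
                    Path     = $dir.FullName
                    Identity = if ($name) { $name } else { $sid }
                    Rights   = $rule.FileSystemRights
                    Risks    = $risks -join '; '
                }
            }
        }
    }
}

# Usage (placeholder path): Get-DirectoryAclRisk -Root 'C:\Shares' | Format-Table -AutoSize
```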

Clicking the actual risk tiles displays environment-specific details. For example, in the next screenshot, you see the result of my Never expiring passwords risk category. In my domain, I may need to reinspect my Group Policy setup to ensure these five users have proper password policy assignments.

User accounts with non expiring passwords identified

Look closely at the previous screenshot and note that it displays only five results. You may have more than five AD users with non-expiring passwords. If so, you can request an Access Rights Manager trial to see the full results list.
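
The account-level categories (never expiring passwords, inactive accounts, recursive groups) can also be listed in full with the ActiveDirectory PowerShell module. This is an added example, not part of the original article and not SolarWinds code; the function name Test-GroupCycle and the variable names are assumptions, and the 30-day window is the one given in the category list.

```powershell
# Added example, not SolarWinds code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Enabled users whose password never expires (complete list)
$neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# Enabled users with no logon in the past 30 days. LastLogonDate is derived from
# lastLogonTimestamp, which by default can lag real logons by up to about 14 days.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# Groups that are members of themselves, directly or through nesting
$groups = Get-ADGroup -Filter * -Properties member
$byDn = @{}
foreach ($g in $groups) { $byDn[$g.DistinguishedName] = $g }

function Test-GroupCycle {
    param([string] $Start, [hashtable] $Map)
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $stack = [System.Collections.Generic.Stack[string]]::new()
    $stack.Push($Start)
    while ($stack.Count) {
        $dn = $stack.Pop()
        foreach ($m in $Map[$dn].member) {
            if ($m -eq $Start) { return $true }        # walked back to the start
            # Follow only members that are groups, and each group only once
            if ($Map.ContainsKey($m) -and $seen.Add($m)) { $stack.Push($m) }
        }
    }
    return $false
}
$recursive = $groups | Where-Object { Test-GroupCycle $_.DistinguishedName $byDn } |
    Select-Object Name

[pscustomobject]@{
    NeverExpiringPasswords = @($neverExpires).Count
    InactiveAccounts       = @($inactive).Count
    RecursiveGroups        = @($recursive).Count
}
```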

Next, look at my tim folder scan results in the next screen capture. Here we see that Access Rights Auditor flags four problems:

  • Access granted to "Everyone" identity
  • Access granted to individual user accounts
  • ACL changes
  • Access control entry (ACE) with a non-expiring password

Directory level security reporting

Generate reports

Click Print Details and then Export PDF in Access Rights Auditor to make a shareable report of the tool's findings. Here, let me show you my report in the next screen capture:

Access Rights Auditor PDF report

Wrap-up

SolarWinds Access Rights Auditor is freeware, is dead simple to use, and gives you good insight into your AD and file share authorization structure. I encourage you to download the tool and try it!

If you are looking for more, Access Rights Auditor is a cut-back version of SolarWinds' retail access management solution, Access Rights Manager.

You can read the detailed edition comparison on the SolarWinds site, but essentially Access Rights Auditor only allows you to report on AD and file system permissions and access issues. Conversely, Access Rights Manager includes full remediation capability and a self-service permissions portal among other premium features. Download a free 30-day trial of Access Rights Manager here.

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account