SolarWinds Access Rights Auditor is a freeware Windows utility that scans your Active Directory Domain Services (AD DS) environment and reports on your AD and file share security posture.
Specifically, you use this tool to find security risks such as violations of least-privilege access rights, non-expiring passwords, orphaned objects, and so forth. SolarWinds Access Rights Auditor is free—download it, and I'll walk you through its use.
Run your first security scan ^
After you download and install Access Rights Auditor, fire it up and start a quick scan. Optionally, you can perform a deep system scan. The deep system scan allows you to dig deeper into directory structures.
According to the docs, you may need to run Access Rights Auditor under higher-privileged credentials depending on what you're scanning. As you can see in the next screenshot, I'm about to scan the C: drive of my vm1 server. You can use local and Universal Naming Convention (UNC) paths here.
On my system, I received a "Scan limit exceeded" warning—you can see that in my next screenshot. I receive this warning because this freeware is limited by the physical resources available on the machine it runs on (RAM and hard disk space available). The limits will show for your environment within the screen shot above.
Interpret scan results ^
I intentionally violated least-privilege authorization on my test domain controller, as you can see in my scan results shown in the next graphic.
One product feature I appreciate a lot is the guidance SolarWinds gives you when you click learn more… in each risk category. For instance, in the next screenshot you can learn what SolarWinds means by "Directories with direct access" and how they recommend you minimize risk.
And yes, last sentence is an advertisement for their premium product, but it's true that Access Rights Manager can remediate these issues for you automatically instead of your having to perform the remediation manually.
Because I'm a teacher, I can't hold myself back from briefly explaining the meaning of each Access Rights Auditor report category. Here goes:
- Never expiring passwords: This is self-explanatory, I think. 🙂
- Permission complexity: Occurs when you assign explicit permissions deep within a directory structure
- Directories with direct access: Occurs when you make access control list (ACL) entries including user account references instead of group references
- Unresolved SIDs: Occurs when ACL entries reference non-existent or otherwise orphaned accounts (security identifiers)
- Globally accessible directories: Occurs when you've given the "Everyone" special identity access to AD or file share resources
- Inactive accounts: Occurs when you have AD user accounts that have had no logon for the past 30 days
- Recursive groups: Occurs when you have nested AD groups, and a single group may be a member of itself either directly or indirectly
Clicking the actual risk tiles displays environment-specific details. For example, in the next screenshot, you see the result of my Never expiring passwords risk category. In my domain, I may need to reinspect my Group Policy setup to ensure these five users have proper password policy assignments.
Look closely at the previous screenshot—note that it displays only five results. A user may have over five AD users with non-expiring passwords. If so, the user could request an Access Rights Manager trial to see the full results list.
Next look at my tim folder scan results in the next screen capture. Here we see Access Rights Auditor flags four problems:
- Access granted to "Everyone" identity
- Access granted to individual user accounts
- ACL changes
- Access control entry (ACE) with a non-expiring password
Generate reports ^
Click Print Details and then Export PDF in Access Rights Auditor to make a shareable report of the tool's findings. Here, let me show you my report in the next screen capture:
SolarWinds Access Rights Auditor is freeware, is dead simple to use, and gives you a good insight on your AD and file share authorization structure. I encourage you to download the tool and try it!
If you are looking for more, Access Rights Auditor is a cut-back version of SolarWinds retail access management solution, Access Rights Manager.
You can read the detailed edition comparison on the SolarWinds site, but essentially Access Rights Auditor only allows you to report on AD and file system permissions and access issues. Conversely, Access Rights Manager includes full remediation capability and a self-service permissions portal among other premium features. Download a free 30-day trial of Access Rights Manager here.