How to Secure Confidential Attributes with Active Roles -Script Provided

The Challenge

The Challenge

Active Roles Access Templates are a terrific way of delegating access to Active Directory. They make securing Active Directory both simpler and more powerful. Access Templates can secure Active Directory at the object, attribute or property level.

For the most part, attribute access in Active Roles Access Templates can be controlled with the built-in "Read" and "Write" ACLs.

However, there are a class of attributes that require special permissions to be able to read. These attributes have the Control_Access or confidentiality bit assigned to them. Microsoft's Local Administrator Password Solution (LAPS) tool uses this for password storage, and many organizations have added custom attributes that do as well.

The Extended Rights permission is what is used to read these special attributes, but it can be challenging to effectively delegate. Delegating in native Active Directory requires scripting every time a new delegation is created. Active Roles can set the Extended Permissions right on an entire object using the GUI, but this grants greater permissions than we really want allowing rights like "SendAs" and password resets.

In order to create an Access Template that restricts Extended Rights permission to the attribute itself, we need to use the Active Roles API.

The Solution

An empty Access Template needs to be created before the script will function. In the example below, we are using the TestAT access template in the root of the Access Templates container.

In this example, we will apply the EDS_RIGHT_DS_CONTROL_ACCESS access control entry to the ssncustom attribute that has been created in Active Directory and set as confidential.

To use this script in your environment, replace the lines in the script that refer to the Access Template and the attribute (and the class if necessary) with the appropriate values for your environment.

The Script

const EDS_RIGHT_DS_READ_PROP=16
const EDS_RIGHT_DS_WRITE_PROP=32
const ACCESS_ALLOWED_ACE_TYPE=0
const EDS_RIGHT_DS_CONTROL_ACCESS=256
Set atObject=GetObject("EDMS://CN=TestAT,CN=Access Templates,cn=Configuration")

Set NewATE=Nothing
' Create a new Permission Entry
set NewATE=atObject.CreatePermissionEntry
' Set properties of the newly created Permission Entry: write description for user
NewATE.AteType=ACCESS_ALLOWED_ACE_TYPE ' "Allow" ATE type
' Write Property access mask
NewATE.AccessMask=EDS_RIGHT_DS_CONTROL_ACCESS 
' Apply to User objects
NewATE.InheritedObjectTypeADsPath="EDMS://user,Schema" 
' Apply to ssn property
NewATE.ObjectTypeADsPath="EDMS://ssn,Schema" 
atObject.AddPermissionEntry(NewATE)
atObject.SetInfo

This script can be run on any server that has the Active Roles ADSI provider installed on it. When run, it will add the appropriate access control to the specified Access Template. Then the Access Template can be used (and reused) like any other, and it will govern access to only the attribute specified.

Anonymous