Audit rules with -AttributeGUID overwrite each other #2

Open
Alef-Burzmali opened this issue Aug 28, 2023 · 0 comments
Hello,

Thanks for your script, which saved me from having to delve too deep into SDDL :)

When using the script to set audit rules for "Read Property" on two specific attributes of an AD object with the -AttributeGUID parameter, the script overwrites the first rule with the second one instead of adding both.

Using $Acl.AddAuditRule($AuditRuleObject) instead of $Acl.SetAuditRule($AuditRuleObject) on line 272 correctly adds both rules, but I don't know the impact on other use cases.

Example:
I want to add an audit rule on attributes member and memberOf of AdminSDHolder (which is not possible via GUI because AdminSDHolder is of type container and this type does not have these attributes). These rules will be propagated by SDProp to e.g. Domain Admins (group) or Administrator (user).

```
> $AdminSDHolder = "CN=AdminSDHolder,CN=System,DC=EXAMPLE"
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...
```

```
> Set-AuditRule -AdObjectPath "ad:\$AdminSDHolder" -WellKnownSidType NetworkSid -AuditFlags Success,Failure -InheritanceFlags None -Rights ReadProperty -AttributeGUID bf967991-0de6-11d0-a285-00aa003049e2  # memberOf
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf967991-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...
```

```
> Set-AuditRule -AdObjectPath "ad:\$AdminSDHolder" -WellKnownSidType NetworkSid -AuditFlags Success,Failure -InheritanceFlags None -Rights ReadProperty -AttributeGUID bf9679c0-0de6-11d0-a285-00aa003049e2  # member

# At this stage, I would expect to have a rule for bf967991-0de6-11d0-a285-00aa003049e2 and one for bf9679c0-0de6-11d0-a285-00aa003049e2
# but only the rule for bf9679c0-0de6-11d0-a285-00aa003049e2 exists

> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...
```

Instead, when adding the rules with $Acl.AddAuditRule($AuditRuleObject):

```powershell
$AdminSDHolder = "CN=AdminSDHolder,CN=System,DC=EXAMPLE"
$Acl = Get-Acl "ad:\$AdminSDHolder" -Audit

$IdentityReference = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]"NetworkSid", $null)
$Rights = "ReadProperty"
$AuditFlags = "Success","Failure"
$InheritanceFlags = "None"

$AttributeGUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # member
$AuditRuleObject = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityReference,$Rights,$AuditFlags,[guid]$AttributeGUID, $InheritanceFlags,[guid]'00000000-0000-0000-0000-000000000000')
$Acl.AddAuditRule($AuditRuleObject)

$AttributeGUID = "bf967991-0de6-11d0-a285-00aa003049e2"  # memberOf
$AuditRuleObject = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($IdentityReference,$Rights,$AuditFlags,[guid]$AttributeGUID, $InheritanceFlags,[guid]'00000000-0000-0000-0000-000000000000')
$Acl.AddAuditRule($AuditRuleObject)

Set-Acl "ad:\$AdminSDHolder" $Acl

# Now both rules exist:
```

```
> (Get-Acl "ad:\$AdminSDHolder" -Audit).Audit

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty
InheritanceType       : None
ObjectType            : bf967991-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AuditFlags            : Success, Failure
IdentityReference     : NT AUTHORITY\NETWORK
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
...
```
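The reporter's workaround switches from `SetAuditRule` (which replaces the principal's existing matching audit rules) to `AddAuditRule` (which appends). The flip side of appending is that re-running the same script stacks duplicate SACEs on the object. The following helper, an added example that is not part of the issue or of the Set-AuditRule project, appends an object-specific audit rule only when no field-by-field equivalent rule already exists, and then verifies the SACL. The function name `Add-AdAuditRuleIfMissing` and its parameters are this example's own; it assumes the ActiveDirectory module's `AD:` drive is loaded and that the caller holds the privilege needed to read and write SACLs. The attribute GUIDs and the AdminSDHolder path are the ones from the issue.

```powershell
# Added example, not code from the issue or the project: idempotent append of an
# object-specific audit rule (SACE) on an AD object, followed by verification.
function Add-AdAuditRuleIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AdObjectPath,   # e.g. "ad:\CN=AdminSDHolder,CN=System,DC=EXAMPLE"
        [Parameter(Mandatory)] [System.Security.Principal.IdentityReference] $Identity,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [System.Security.AccessControl.AuditFlags] $AuditFlags,
        [guid] $ObjectType = [guid]::Empty,              # attribute/schema GUID; Empty = whole object
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'None',
        [guid] $InheritedObjectType = [guid]::Empty
    )

    $acl = Get-Acl -Path $AdObjectPath -Audit           # requires SeSecurityPrivilege
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

    # Only explicit (non-inherited) rules are compared; every field that
    # distinguishes one SACE from another must match to count as a duplicate.
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference     -eq $sid -and
            $_.ActiveDirectoryRights -eq $Rights -and
            $_.AuditFlags            -eq $AuditFlags -and
            $_.ObjectType            -eq $ObjectType -and
            $_.InheritanceType       -eq $Inheritance -and
            $_.InheritedObjectType   -eq $InheritedObjectType
        }
    if ($existing) {
        Write-Verbose "Equivalent audit rule already present on $AdObjectPath; nothing to do."
        return $false
    }

    # Same constructor the issue uses: (identity, rights, auditFlags, objectType, inheritance, inheritedObjectType)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($sid, $Rights, $AuditFlags, $ObjectType, $Inheritance, $InheritedObjectType)

    # AddAuditRule appends. SetAuditRule would first remove the principal's
    # existing rules with matching audit flags, which is the overwrite the issue reports.
    $acl.AddAuditRule($rule)
    if ($PSCmdlet.ShouldProcess($AdObjectPath, "Add audit rule for $sid on object type $ObjectType")) {
        Set-Acl -Path $AdObjectPath -AclObject $acl
    }
    return $true
}

# Usage: audit ReadProperty on member and memberOf of AdminSDHolder for NT AUTHORITY\NETWORK.
$network = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
$target  = "ad:\CN=AdminSDHolder,CN=System,DC=EXAMPLE"
$attributeGuids = @{
    member   = 'bf9679c0-0de6-11d0-a285-00aa003049e2'
    memberOf = 'bf967991-0de6-11d0-a285-00aa003049e2'
}
foreach ($name in $attributeGuids.Keys) {
    $added = Add-AdAuditRuleIfMissing -AdObjectPath $target -Identity $network -Rights ReadProperty `
        -AuditFlags 'Success,Failure' -ObjectType $attributeGuids[$name] -Verbose
    Write-Host ("{0,-9} {1}" -f $name, $(if ($added) { 'added' } else { 'already present' }))
}

# Verification: both object-specific ReadProperty SACEs for NETWORK should be listed exactly once.
(Get-Acl -Path $target -Audit).Audit |
    Where-Object { $_.IdentityReference -like '*NETWORK' -and $_.ObjectType -ne [guid]::Empty } |
    Group-Object ObjectType |
    Select-Object @{n='ObjectType';e={$_.Name}}, Count
```

Running the script twice should report `already present` for both attributes on the second pass and leave the `Count` column at 1 for each GUID, which is the check that distinguishes a correct append from the duplicate stacking a bare `AddAuditRule` would produce. Because AdminSDHolder's SACL is copied to protected principals by SDProp, it is worth confirming the propagated rules on a protected object (for example a Domain Admins member) after the next SDProp run rather than only on AdminSDHolder itself.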