Toxic Waste Removal by Andy Robbins
Identifying Legacy Permissions and Other Vulnerabilities with KnowBe4's Weak Password Test by Greg Kras
Given enough time, nearly every Active Directory environment becomes an incredibly complex web of interlinked, nested, and opaque permissions and privileges. It is that exact complexity that adversaries so commonly and reliably exploit to gain elevated privileges; meanwhile, defenders are left holding the bag, lacking the tooling and time to safely remove legacy permissions. Defenders who dare to attempt to clean up these legacy permissions face a minefield of complex permissions inheritance rules, unclear or non-existent documentation, and the famous anxiety that has stopped every effort before: not knowing what's going to break when you start removing permissions.
This presentation will walk you through a new methodology, empowered by graphs, which will enable you to easily enumerate those legacy permissions, quickly identify the permissions that pose the most risk to your organization, and safely remove those permissions with confidence. For example, we will step you through this process for safely removing dangerous, legacy Exchange permissions. We will also demonstrate how you can model future changes, so you can measure and plan for the risks of granting new permissions and privileges before actually granting them. All tooling and methodologies demonstrated in this talk are free and open source.