The next major release of DirectoryRanger is now available for customers, and for everyone who would like to try it ;-). Current attacks show that quite often the topic of Active Directory Security is not on the security agenda, but it should be, and this was the reason for us to build the tool and, of course, to maintain and improve it. So what are the major new features released with DirectoryRanger 1.5.0? Here we go:
1. Risk Acceptance / Whitelisting
With this huge new feature you are now able to accept the risk for specific items or for complete domains. In enterprise environments sometimes systems, objects, users or whatever must be operated “as is”. Think of a system running Windows XP that has a control function in your production environment (e.g. car manufacturing) and which can’t be updated without replacing your major parts of the production environment, which in turn obviously doesn’t make sense (blaming the vendor of the system for this kind of support is not in scope of this post 😛 ). Now you can put it on a whitelist (accept the risk for it) and it won’t appear in the proof of concept section of the report anymore. This avoids that different people try to find our “what kind of system is this?” again and again, and it makes the handling of the findings much more easier. However, to prevent that these systems are forgotten, they are still listed in the appendix of the report.
2. Permissions
We also made the permissions more granular at some places, in order to reflect the requirements of complex environments, especially with a large DirectoryRanger user base. You can configure permission to baselines (custom mitigation texts and criticality) per user now and grant read, write and execute (use) permissions.
3. Proof of Concept data download
PoC Data can be downloaded from within DirectoryRanger separately because in very large environments putting all the stuff into the report might result in an unusable user interface and report. This feature was introduced in a former version, but for security reasons we have updated the AES encryption of the provided zip file. This breaks Windows integrated Zip compatibility, so you will have to use external Zip-tools capable of this encryption method now. 7-Zip is a free example, that is capable to unzip the data, WinZip, a commercial example, will also do the job.
If you would like to get more information regarding DirectoryRanger, just visit its website. In case you would like to give it a try just contact us at customer@ernw-sectools.de.
Cheers
Michael