Monday, October 29, 2012

Gold Finger 5.0 Review

Today, I am going to share my review of the Gold Finger 5.0 Active Directory Audit Tool.

I first came across version 2.0 of Gold Finger three years ago. Back then the tool was in its infancy, as opposed to where it is today. The latest version as of today is version 5.0 and in comparison to where the tool was at 3 years ago, I must say that the tool has been improved almost 10x times. I passed on it 3 years ago, but it is definitely #1 on my wish-list now.

Gold Finger for Active Directory - Version 5.0 Review

Gold Finger 5.0 is the latest version available as of today, and its developers seem to have packed some very powerful capabilities in a single tool, all sharing a simple, minimalistic interface -

Gold Finger 5.0 for Active Directory


I suppose the best way to review it is to review its capabilities, which range from basic security reporting to advanced delegated access reports, as listed below -
  1. Active Directory Security Reporter
  2. Active Directory Group Membership Reporter
  3. Active Directory Token Viewer
  4. Active Directory ACL Viewer & ACL Exporter
  5. Active Directory Permissions Analyzer
  6. Active Directory Effective Permissions Analyzer
  7. Active Directory Effective Delegated Access Reporter
In my opinion, this could very well have been 7 different products each, because at least for the first 5 capabilities, I know of products that offer just each one of these capabilities as an entire product. So for a company to have packed 7 of these capabilities into a singe product is rather impressive.

Active Directory Effective Delegated Access Reports

Of course, the core ability of this product is the ability to generate effective delegated access reports, which is a capability I have not seen in any other solution from any other vendor, including several prominent vendors like Microsoft, Hewlett Packard, Quest Software, Symantec, McAfee, CA etc.

Gold Finger 007 Edition - Active Directory Effective Delegated Access Reporter

I suppose this might be because it is actually a well known fact that it is very difficult to generate effective delegated access reports in Active Directory.

This is primarily because it is extremely difficult to automate trying to find out who is delegated what access in Active Directory, given the sheer complexity involved involved in the process, as well as the different ways in which an Active Directory deployment can be configured.

Active Directory True Effective Permissions

In addition, this also happens to be the only tool that can correctly determine effective permissions in Active Directory.

Gold Finger 006 Edition - Active Directory Effective Permissions Analyzer

This capability too is a must-have capability for Active Directory security, and because the effective permissions calculator in Active Directory is admittedly inaccurate, the availability of this capability is a huge win for Active Directory environments because it is virtually impossible to secure any Active Directory deployment without knowing who is provisioned what effective permissions in that deployment.

Active Directory Permission Analyzer

Then, there is the Permissions Analyzer capability, which is one of the best I've seen in a tool. In fact, there are hardly any other tools available that can analyze permissions in Active Directory. (The only one I know of is a free unsupported tool built in Germany called LIZA, which seems more like a hacker's tool than an admin tool, especially given the many warnings on its download page.)

Gold Finger 005 Edition - Active Directory Permissions Analyzer

One of the best aspects of its permissions analyzer capability is that it gives IT admins complete flexibility in being able to specify what kind of permission to search for, and that it can also search for custom Schema elements including customer classes, properties, and permissions. So for example if you have a new custom Active Directory class defined in your Schema, and wish to search for all objects on which someone has Create Child permissions for that object, you can do so very easily.

Active Directory ACL Viewer and ACL Exporter

The ACL Viewer and ACL Exporter capabilities are also quite valuable, in that not only do they let you export/dump all the ACLs of all the objects in any scope of your choice, but they also let you analyze an Active Directory object's ACL in complete detail, by touching a single button.

Gold Finger 004 Edition - Active Directory ACL Viewer and ACL Exporter

One of the unique features of the ACL viewer on this tool is that it can breakdown individual permissions into individual columns, thus letting you sort the entire ACL by a specific permission.

For example, you can use it to instantly identify all ACEs that grant someone Extended Right permissions either individually (e.g. CR) or as a combination of permissions (e.g. RPWPCRLC).

This, in my little opinion, is very helpful when you're trying to identify which ACEs end up granting a specific kind of permission on an Active Directory object.

Windows Access Token Viewer

Its Token Viewer capability is also a first of its kind, and it is the only Windows Security Access Token Viewer I know of or have come across in my research.

Gold Finger 003 - Active Directory and Windows User Access Token Viewer

Like the Effective Permissions capability for Active Directory, this capability too is a must-have capability for Active Directory and Windows Security, because it lets IT administrators see exactly what SIDs what show up in another user's token.

(It is trivial to see what SIDs show up in one's own token, but it is very difficult to see what SIDs show up in another user's token, because the contents of a user's token are dependent on the domain of the user account as well as the domain of the machine onto which the user is logging on.)

Active Directory Group Membership Reporter

Its Group Membership Reporting capabilities also seem to be have been built with two specific usage scenarios in mind, i.e. enumerating all the members of a security group as well as trying to enumerate all the groups to which a user belongs.

Gold Finger 003 Edition - Active Directory Group Membership Reporter

Each of the report membership capabilities also takes nested group memberships into account, as well seemed to have the ability to correctly determine dynamic group memberships as well, such as those of the well-known RIDs Domain Users, Domain Computers etc.

Active Directory Security Audit Reports

Finally, its most basic capability, Security Audit Report generation could very well have been a stand-alone product in itself as well.

Gold Finger 002 Edition - Active Directory Security Audit Reports

I say so because it is a fully-featured security reporter complete with 100 builtin security reports, each of which is customizable via custom LDAP filters, and with the ability to analyze output, export it to a CSV file as as well as generate customizable PDF reports.

Some of these basic reports include true last logon reports as well. Another feature I liked was the ability to use alternate credentials as well as target specific domain controllers which can be helpful in many situations.

Capability Summary

All in all, in terms of capabilities, this tool is truly a powerhouse packed with virtually every Active Directory security analysis capability you could think of or need to analyze, assess and audit Active Directory content. I don't know of a single other tool or even a set of tools combined that deliver the capabailities that this single tool does, all made as easy as touching a button.

The Best Part - Choice

Personally, one of the best aspects of this tool is its licensing model. It is available in seven different editions, numbered 001 through 007, and although that might sound too many or confusing, it in fact is very logical, because each edition offers exactly the number of capabilities as is the edition, and there appears to be an order with 1 for the basic security reporting capability all the way to 7 for the delegated access reporting capability.

Gold Finger Editions Comparison

So for instance, if you interested in a specific capability, and had a budget to meet, you just need to identify the lowest edition that offers that capability, and you can license that edition, so you only pay for what you need. In a way, its like having the choice of being able to buy any one of 7 tools, each a different price-point, and I believe you can also upgrade to a a higher edition at a later point in time.

What Could be Improved

I've used it for almost two weeks now and I can really say that it seems to be very well thought out in many ways. It installs on any domain joined machine in a minute, requires no administrative access or rights to run, no agents to deploy, no SQL server, no services, nothing, and it does almost everything at a button's touch.

They seem to have left very few things to desire, and if I had to be picky, I suppose the only thing I can think of is that I don't think you can schedule report generation or have reports emailed to you.

But in light of the fact that it does in 5 minutes what take me 5 months, i.e. find out and show me exactly who is delegated what access in an entire domain, I suppose I cannot complain.

A Note about the Trial Process

One last thing that caught my attention was the trial process. I requested by trial by filling a simple form on their website, and within an hour, I received a customized download link for my unique customized license, complete with my name, and my company's name in the license.

I was expecting a sales call, but I was quite pleasantly surprised to see that no one bothered me with a phone call. The only email I received was from a technical specialist who said that they won't bother me with a single email or phone call, but if I had any questions, or needed any help, they are just an email away. That I thought was a refreshing change from the usual, wherein, I've seen everything from a call a day to some really smart pushy salesmen trying to sell me stuff I don't need and so on.

Refreshing indeed.


All in all, I was very pleased with Gold Finger. I think it is a must-have tool for any serious Active Directory admin, because it delivers on all the capabilities that are essential for Active Directory Security and yet are missing from Windows Server.

  • Picture Credits Disclaimer - The images used in my review I have taken the liberty to reproduce (copy) from the vendor's website. I wanted to acknowledge the source of any images used in case there are any copyright issues.

Its sheer power is only outdone by the simplicity with which you can use it - being able to find out who is delegated what administrative tasks on all objects in an entire domain at the touch of a button, is undoubtedly very impressive.

If I had to pick one element that struck me most, its that they let you try the tool in any environment to test it and see for yourself just how capable and easy this tool is to use.

To me, that's huge, because that's where the rubber hits the road, so when you can try it in your own production environment in real-time, any doubt in its impressive capabilities is put to rest. I was a bit skeptic before I tried it, because there's no other tool that can touch in terms of its capabilities, but when I tried it, and saw it in action, I became a fan, in awe, in just 10 minutes.

Active Directotry Toolkit

This tool, in my humble opinion, has earned its space in the toolket of every Windows/Active Directory admin, and is a must-have for Active Directory.

If you want to try it out, here's where to get it from -

1 comment: