Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Saturday, April 1, 2017

Hey Microsoft - What Constitutes a Privileged User in Active Directory?

Dear Microsoft,

I was supposed to start your 30-Days of advanced Active Directory Security school for you today, but before I did so, I wanted to ask you arguably the most fundamental yet important (and might I add, paramount) question in all of Windows and Active Directory Security, because not a single* one of your customers can be secured without the answer to this ONE question.

Here's the Question - What constitutes a Privileged User in Active Directory?


You see, this is the #1 cyber security question that every organization in the world (including all cyber security companies) must have an answer to today, given that 85% of all organizations worldwide operate on Active Directory, and that 100% of all major recent cyber security breaches involved the compromise and misuse of a single Active Directory privileged user account.

I deeply value my time, and based on what I'm seeing, thanks to you, let alone most of your organizational customers across 150+ countries, not even you seem to have a clue as to an adequate answer to this question, and I'm not inclined to waste my valuable time taking you or anyone to school yet, until I've seen at least a basic understanding of this paramount question.

[ Here is proof that you don't seem to have a clue: Quoting a Microsoft security expert from a huge 7-part series of videos titled "Defending Active Directory against Cyberattacks" developed and released by Microsoft in May 2016 - "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory." Seriously?! You, the $ 550 Billion Microsoft are just now (i.e. in 2016/17) working to identify this!?  If you want to know how to defend Active Directory, start here.

As such, based on what I've seen thus far, you've been predominantly focused on credential-theft attacks (Pass-the-Hash, Kerberos ticket meddling etc.), which you likely may have been compelled to do something about (likely based on pressure from your customers) and all you did is acquire a puny fledgling start-up to help detect ongoing activity against Active Directory. Now, detection is #3 in the list of protection measures - #1 is prevention, and #2 is avoidance. So, Microsoft ATA is at #3. To be fair, you're not alone in being clueless - from self-proclaimed SMEs, gurus & experts, to others, no one seems to have the answer. ]

So, let me give you some time to think about and answer this question to the best of your ability, (and not so much for me, but primarily for the 1000s of organizations that are your customers) and based on your answer, we'll start your school. Alright?



Everyone's Tuned In

BTW, you may not know this, so let me tell you that from your largest business customers to the most important of our 3-letter acronym government agencies & from the biggest cyber security companies to the Russians, everyone's tuned in here & here.


The world needs & looks forward to an answer. (You may not answer this question, so know that silence too speaks volumes.)

Of course, we can most easily answer this question for them in 10 seconds, and I will in days to come, on day 1 of your school,  but I wanted to give you an opportunity to show some thought leadership. As for your school, I'll start it later this month...  

...once everyone's had some time to adequately reflect on the importance of this most fundamental of cyber security questions, because this impacts the foundational cyber security of 85% of all organizations worldwide, in both business and government.

Respectfully,
Sanjay


PS: If you want a head start, you're welcome to join our free global community of Active Directory security professionals from 1000s of organizations across 100+ countries worldwide, where we're already discussing this and other paramount questions. For instance, our members already know that accounts protected by AdminSDHolder in AD are merely the Tip of the Iceberg.

PS2: Since you haven't figured it out in over 10 years now (because if you had, I wouldn't have to ask you this question today), perhaps I should help you out with a hint: to answer this question, organizations worldwide need one simple capability - this.

PS3: When you've fathomed the depth (and impact on global security) of what I'm talking about, if you want to talk, have Satya (yes Mr. Nadella, your wonderful CEO) call me, as this is a conversation that an employee at his pay-grade should be having.

Wednesday, March 15, 2017

Top-10 Active Directory Security Questions For Organizations Worldwide

Folks,

I was supposed to start 30 days of advanced Active Directory Security School for Microsoft yesterday, but we've just been so busy helping folks worldwide that I'm going to have to postpone the start date for that one final time to April 01, 2017.

So, until then, to help Microsoft prep for school, and generally to help thousands of organizations worldwide I'll share the Top-10 Active Directory security questions that every organization that operates on Active Directory must have answers to at all times.

Here they are -


Top-10 Active Directory Security Questions Every Organization Must Have Answers To -



1. Exactly how many privileged users are there in Active Directory? 
2. Exactly who can reset the password of a privileged user to elevate privilege in Active Directory?
3. Exactly how many privileged security groups are there in Active Directory? 
4. Exactly who can modify the membership of a privileged security group to elevate privilege in Active Directory?
5. Exactly who can instantly replicate secrets from Active Directory, and thus compromise the credentials of all accounts by using a tool such as Mimikatz DCSync?
6. Exactly who can modify the ACL protecting the AdminSDHolder object so as to be able to instantly gain administrative privileges in Active Directory?
7. Exactly who can create, delete and manage domain controllers, administrative workstations, trust relationships, user accounts, computer accounts, security groups, organizational units, service connection points etc. in Active Directory? 
8. Exactly who can modify critical configuration content in the Configuration and Schema partitions, changes to which could be used to gain administrative privileges in Active Directory? 
9. Exactly who manages the domain user accounts of the organization's executives (Chairman of the Board, CEO, CFO, CIO, CISO etc.) in Active Directory?
10. If Smartcard authentication or other similar Active Directory integrated defense-in-depth measures (e.g. MFA, Auditing, Random Password Manager, Password Vault etc.) are in use, exactly who can disable their use?

In their own best interest, we highly recommend that all organizations have answers to these 10 security questions at all times.

(In the interest of objectivity, I must add that you don't have to take my word for it; I'm merely trying to help. If you can think of any other question concerning Active Directory Security that might be more important than these, you should focus on them.)


Finally, a simple $100 Billion QUESTION for Microsoft:  Dear Microsoft, in preparation for your Active Directory Security School starting 04-01-2017, here's a question for you -  What is the only way to answer each one of the questions enumerated above?

Since my esteemed colleagues at Microsoft may be too busy making the shift to the Cloud, let me answer the question for them:

Here's what it takes to answer these questions - http://www.paramountdefenses.com/blog/active-directory-effective-permissions


Best wishes,
Sanjay

PS: If you know of ANY cyber security (or other) company on the planet that can help answer these questions, let me know.

Tuesday, February 28, 2017

Top-5 Active Directory Security Risks & How to Adequately Mitigate Them


Folks,

Next month I will be most respectfully taking Microsoft to advanced Active Directory Security School. Today I'll share with you the Top-5 security risks to Active Directory deployments, and how organizations can swiftly and adequately mitigate them. There are times when less is more, so though I can share volumes, since this is paramount, I'll keep this short and to the point.


The Top-5 Active Directory Security Risks

The following are the Top-5 cyber security risks that most Active Directory deployments worldwide are likely exposed to -

1. Instant compromise of the credentials of all domain accounts, enactable via Mimikatz DCSync, made possible by the presence of unauthorized/excessive Get Replication Changes All effective permissions on the domain root.
2. Instant compromise of all default Active Directory privileged (administrative) domain user accounts and groups made possible by the presence of unauthorized/excessive effective permissions on the AdminSDHolder object. 
3. Instant compromise of all IT assets stored in Active Directory (whose ACLs are not marked Protected), made possible by the presence of a single inheritable unauthorized/excessive effective permission on the domain root. 
4. Instant compromise of all domain controllers via linking of a single malicious group policy, made possible by the presence of unauthorized/excessive effective permissions on the default Domain Controllers OU. 
5. Instant compromise of any IT asset stored in Active Directory, such as the CEO’s domain user account, made possible by the presence of unauthorized/excessive effective permissions on Active Directory objects.

It is imperative to understand that the materialization of risks 1, 2 and 4 above would be tantamount to a complete and systemic compromise of the entire Active Directory. The materialization of risks 3 and 5 could also have the same outcome.

It should also be noted that not a single one of these ways involves using pass-the-hash or Kerberos ticket meddling techniques. In fact, not a single one of these ways requires the victim to log on to any computer, let alone one owned by the perpetrator.

These risks pose a very real threat to most organizations since they likely remain unmitigated at most organizations worldwide, and since their materialization could result in the compromise of the entire Active Directory, their impact could be colossal.




How to Adequately Mitigate These Risks

Fortunately these risks can be swiftly and adequately mitigated by enacting the following risk mitigation measures -

1. Organizational IT personnel must identify all those Active Directory objects that constitute the targets upon which excessive or unauthorized access could result in the materialization of these risks. E.g. the domain root.
2. They must then proceed to accurately determine Active Directory effective permissions on each one of these objects to identify all those individuals who currently possess sufficient effective permissions/access to be able to perform those tasks which when enacted would result in the materialization of these risks.
3. They must then proceed to identify all those individuals who possess such effective permissions/access but should not be in possession of such effective permissions/access. They should then determine how these individuals are entitled to such effective permissions/access and use that information to revoke their access.
For the five security risks enumerated above, the details of the target Active Directory objects as well as the specific effective permissions that need to be determined, can be found in slides 15 - 20 of this slide deck.


An example that illustrates this step-by-step can be found here - How to Prevent a Perpetrator from Using Mimikatz DCSync.

(Neither detection nor other security measures can adequately mitigate these risks because from the minute they are enacted, the perpetrator would have sufficient access to immediately be able to prevent everyone else from logging-on to stop him/her.)

In this manner, organizations worldwide can adequately and swiftly mitigate each one of these Active Directory security risks.





One Essential Necessity

Each of the five Active Directory security risks enumerated above primarily exists because organizations have traditionally lacked the means to accurately and adequately determine effective permissions in Active Directory, i.e. on Active Directory objects.

(Effective permissions are so important that Microsoft's native Active Directory management tooling has an entire tab for them -

The Effective Permissions Tab

Unfortunately, Microsoft's Effective Permissions Tab is neither accurate nor adequate. In fact it is substantially inadequate.)


In essence, organizations require the ability to accurately and adequately determine Active Directory Effective Permissions.

While accuracy is paramount for obvious reasons, adequacy is equally essential, and it entails the following -
1. IT personnel must be able to efficiently (and of course accurately) determine the identities of all individuals that possess a specific effective permission on a specific Active Directory object.
2. IT personnel must also be able to determine how a specific individual possesses a specific effective permission on a specific Active Directory object, i.e. they must be able to identify the specific underlying security permission in the object's access control list (ACL) that entitles an individual to that specific effective permission.

The former (#1) is required to be able to efficiently determine the identities of all individuals that possess a sufficient effective permission on a specific Active Directory object, and the latter (#2) is required to be able to lock down those security permissions that end up entitling a specific individual to those effective permissions that have been deemed excessive/unauthorized.

Again, this essential necessity is best illustrated with an example - How to Prevent a Perpetrator from Using Mimikatz DCSync.


Organizations can use any Active Directory Effective Permissions Tool that is provably accurate and sufficiently adequate.




Further Reading

For details on these risks and on Active Directory effective permissions, see - Defending Active Directory Against Cyberattacks.


Best wishes,
Sanjay

Wednesday, February 22, 2017

AdminSDHolder


Folks,

Today is Day-0 of Microsoft's 30-day Active Directory Security School, which starts on March 14. Today, I'll answer the 2nd (here's the 1st) $100 B question I had asked them, which concerns AdminSDHolder, the root of organizational cyber security worldwide.

[The insight I have provided below is worth a proverbial $100 Billion, so in your own interest, you should read it in its entirety.]



AdminSDHolder

If you're Microsoft, or one of millions of Windows/Active Directory admins or cyber security pros worldwide, you know that at the heart, root & foundation of administrative/privileged access in Active Directory lies one Active Directory object - AdminSDHolder.

In the interest of brevity, I'll skip the details and provide a very brief background here. In essence, all default Active Directory accounts and groups that are considered to be administrative in nature by Active Directory are protected with a special protected locked-down access control list (ACL), which is the access control list of the AdminSDHolder object -

AdminSDHolder

It logically follows that anyone who can modify the permissions specified in the AdminSDHolder object's ACL can easily control and impact the security afforded to all default Active Directory administrative accounts and groups, such as Domain Admins, Enterprise Admins, Administrators, Backup Operators, etc., as well as the default Administrator account, and all such accounts.

In other words, anyone (e.g. a rogue or coerced insider, an intruder, APT etc.) who could modify the permissions specified in the AdminSDHolder object's ACL could instantly obtain complete administrative control over the entire Active Directory forest!




A $ Billion Question -

So a $ Billion question begs itself, and all organizations operating on Active Directory must ideally have an exact answer today -


Q: "In our Active Directory domain(s), exactly who can modify the permissions specified in the AdminSDHolder object's ACL?"

(If you're thinking "That's easy; just perform a permissions audit using dsacls, PowerShell etc.", think again. It's not that simple.)

$100 Billion side-note: A few days ago, I had posed the same question to Microsoft here. They're likely not going to answer it, so to help Microsoft, as well as 1000s of organizations worldwide, I've answered the question below.




The Answer Illustrated

The answer is best illustrated with a walk-through example. In your own best interest, I highly recommend going through it.

Let us assume that a fictional publicly-held organization is required to identify (i.e. audit) exactly who can modify the security permissions protecting the AdminSDHolder object to demonstrate regulatory compliance, since that is what determines who controls the most powerful and prized privileged/administrative accounts in an Active Directory based IT infrastructure.

To try and answer this question, let's begin by diving right in and launching Active Directory Users and Computers to locate and view the ACL on the AdminSDHolder object -





A closer look reveals that this is a modified (i.e. non-default) AdminSDHolder ACL, in which access changes have been made, as evidenced, for example, by the presence of security permissions that are specified for numerous non-default domain security groups such as IT Contingency Support Team, IT Global Admins Team etc. -


Since this is no longer a default AdminSDHolder ACL, the resulting (effective) permissions/access granted to various individuals by the various permissions specified in the ACL may now differ (likely) substantially from those granted by the default ACL!



For instance, let us consider the impact of the Special security permissions specified for the IT Contingency Support Team -


The Special permissions specified for the IT Contingency Support Team include Allow Modify Permissions and All validated writes. Since it includes Modify Permissions it impacts our answer, so it's worth taking a look at the membership of this group.




A closer look at the IT Contingency Support Team indicates that there is another domain security group nested inside it -



Upon further expansion, one finds that the IT Contingency Support Team has as a member the IT Data Center Operations Team, which in turn has as a member the IT Cloud DevOps Team, which in turn has 12 users as members -



In essence, this one single Special permission alone ends up indirectly (i.e. via 3 levels of group nesting) granting 12 individuals Modify Permissions on this ACL.

However, it should also be noted that there could also be one or more Deny permissions in the ACL that could similarly end up denying one or more of these 12 individuals the same Modify Permissions on this ACL, and thus it is not sufficient to merely analyze any one permission in isolation. *Further any such Deny permission may or may not end up negating the Allow, because the resulting access in this case would also depend on the nature (Explicit/Inherited) of both the Allow and Deny permissions.

* By default, the AdminSDHolder ACL is protected. However, since most Active Directory deployments have been around for years, it is possible that someone could have accidentally unchecked the Protected check-box, in which case it will inherit ACEs from the parent. As experts, we take every possible scenario into account. As such, this being an illustrative example applies to most objects in Active Directory (whose ACLs are unprotected) so in most cases, when making such determinations, inherited permissions will need to be taken into account.

As such, as seen above, there are many ACEs (access control entries) in the object's ACL (access control list), each one of which allows or denies a specific security principal (which could be a user, a computer, a security group, a well-known SID etc.) one or more specific Active Directory security permissions, and each one could either have been directly (explicitly) specified on the object, or may have been inherited via inheritance of permissions from the ACL in the object's parent.

In essence, the only way to answer this question is to accurately determine the new resulting (effective) permissions/access granted on this object, which involves collectively taking into account the entirety of all permissions specified to all security principals (users, groups, well-known security principals etc.), in light of their permission types (Allow/Deny) and nature (Explicit/Inherited), to ultimately identify all individuals who effectively possess Modify Permissions permissions on this object.

Specifically, not only will one have to correctly resolve allow vs deny conflicts taking into account the explicit vs inherited nature of each permission, but one will have to expand any and all relevant security group memberships, many of which could contain multiply nested groups (some of which may be circularly nested), and if needed also dynamically evaluate any specified well-known SIDs (e.g. Authenticated Users etc.) and of course, also analyze all relevant security permissions, i.e. in this case, not only those that allow/deny Modify Permissions but also those that allow/deny Full-Control, and of course do all this (each time) with 100% accuracy and no possibility of error.

(The astute mind will have already inferred by now, why this is not a matter of simply performing an audit of "Who has what permissions in Active Directory" or writing a simple (or for that matter even a very complicated) PowerShell script to do so.)

In summary, one needs to determine effective permissions/access granted on this Active Directory object, considering all the permissions, both allowed and denied, whether granted explicitly or inherited, to all the security principals specified in the ACL.

In short, what one needs to do is accurately determine Active Directory Effective Permissions.
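To make the evaluation rules above concrete, here is a small Python model of an effective-permissions determination on a single Active Directory object. It is an added example, not code from this blog or from Paramount Defenses or Gold Finger, and it also serves the two adequacy requirements (#1: who holds a permission; #2: which ACE entitles them) and mitigation steps 1 to 3 from the February 28 post. The access-mask constants are the real Windows values; everything else (the group names, the twelve DevOps accounts, the Deny ACEs, the assumption that every account carries the Everyone and Authenticated Users SIDs) is constructed to mirror the walk-through and is not real directory data. The model evaluates ACEs in Windows canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), expands nested groups including a circular nesting, and treats Full Control as implying Modify Permissions.

```python
"""Toy effective-permissions calculator for one Active Directory object (added example)."""
from dataclasses import dataclass

# Access-mask bits as they appear in AD ACEs (real Windows constants).
READ_CONTROL = 0x00020000  # "Read permissions"
WRITE_DAC    = 0x00040000  # "Modify Permissions" in the ADUC security dialog
FULL_CONTROL = 0x000F01FF  # "Full Control" on a directory object; its mask includes WRITE_DAC

# Assumption: every authenticated domain account carries these well-known SIDs in its token.
WELL_KNOWN = ("Everyone", "Authenticated Users")


@dataclass(frozen=True)
class Ace:
    trustee: str     # user, group or well-known principal named in the ACE
    allow: bool      # True = Allow ACE, False = Deny ACE
    mask: int        # access mask
    inherited: bool  # True if inherited from the parent object's ACL


def canonical(acl):
    """Order ACEs as Windows evaluates a canonical DACL:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def flatten(group, groups, _seen=None):
    """Transitive user members of `group`; `_seen` stops circular nesting from looping."""
    seen = _seen if _seen is not None else {group}
    members = set()
    for m in groups.get(group, ()):
        if m not in groups:            # a user
            members.add(m)
        elif m not in seen:            # a nested group not yet visited
            seen.add(m)
            members |= flatten(m, groups, seen)
    return members


def token(user, groups):
    """Principals whose ACEs apply to `user`: the user itself, every group it is a
    (possibly deeply nested) member of, and the well-known SIDs."""
    return {user, *WELL_KNOWN, *(g for g in groups if user in flatten(g, groups))}


def access_check(acl, sids, requested):
    """Windows-style access check for one requested mask.
    Returns (granted, aces): the Allow ACEs that supplied the bits, or the single
    Deny ACE that blocked them (adequacy requirement #2 in the post)."""
    remaining, entitling = requested, []
    for ace in canonical(acl):
        if ace.trustee not in sids or not (ace.mask & remaining):
            continue
        if not ace.allow:
            return False, [ace]        # a Deny on any still-needed bit ends the check
        entitling.append(ace)
        remaining &= ~ace.mask
        if remaining == 0:
            return True, entitling
    return False, entitling            # ACL ran out before every bit was granted


def who_has(acl, groups, users, requested):
    """Adequacy requirement #1: every account that effectively holds `requested`,
    mapped to the ACEs that entitle it."""
    result = {}
    for u in users:
        granted, aces = access_check(acl, token(u, groups), requested)
        if granted:
            result[u] = aces
    return result


def to_revoke(holders, authorized):
    """Mitigation step 3: for each holder not on the authorized list, the ACE trustees
    whose permission must be removed or tightened."""
    return {u: sorted({a.trustee for a in aces})
            for u, aces in holders.items() if u not in authorized}


# --- Constructed sample mirroring the post's walk-through; not real directory data ---
GROUPS = {
    "Domain Admins": ["da-alice"],
    "IT Contingency Support Team": ["IT Data Center Operations Team"],
    "IT Data Center Operations Team": ["IT Cloud DevOps Team"],
    "IT Cloud DevOps Team": [f"devops{i:02d}" for i in range(1, 13)]
                            + ["IT Contingency Support Team"],  # circular nesting
}
USERS = sorted({m for ms in GROUPS.values() for m in ms if m not in GROUPS} | {"helpdesk-bob"})

ADMINSDHOLDER_ACL = [
    Ace("Authenticated Users",         True,  READ_CONTROL, inherited=False),
    Ace("IT Contingency Support Team", True,  WRITE_DAC,    inherited=False),  # the "Special" Allow
    Ace("devops07",                    False, WRITE_DAC,    inherited=False),  # explicit Deny: wins
    Ace("IT Cloud DevOps Team",        False, WRITE_DAC,    inherited=True),   # inherited Deny: loses to the explicit Allow
    Ace("Domain Admins",               True,  FULL_CONTROL, inherited=False),  # Full Control implies Modify Permissions
]

if __name__ == "__main__":
    holders = who_has(ADMINSDHOLDER_ACL, GROUPS, USERS, WRITE_DAC)
    for user, aces in sorted(holders.items()):
        print(f"{user:12} can Modify Permissions via {[a.trustee for a in aces]}")
    print("revoke:", to_revoke(holders, authorized={"da-alice"}))
```

Run as-is, the model reports 12 accounts with Modify Permissions: da-alice through Domain Admins' Full Control, and 11 of the 12 DevOps users through the nested "Special" Allow, with devops07 blocked by the explicit Deny while the inherited Deny on the DevOps group changes nothing, exactly the explicit-versus-inherited point the footnote makes. The model deliberately omits object-type-specific (GUID-qualified) ACEs, ownership rights and the SDProp process, so it is a teaching aid for the evaluation order, not a substitute for an accurate tool run against a live directory.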


In fact, Active Directory Effective Permissions are so important that Microsoft provides an entire tab for it in its native tooling -


To reiterate, the fact that along with Permissions, Auditing and Owner(ship), the fourth tab in Microsoft's native Active Directory management tooling is for Effective Permissions conveys just how important effective permissions are to Windows security.


Here's a closer look at the Effective Permissions Tab in Active Directory -

Active Directory Effective Permissions Tab

As important as it is, unfortunately the Active Directory Effective Permissions Tab provided in Microsoft's native Active Directory management tooling is (and has been so for 10+ years now) substantially inadequate for the following reasons -
1. It is not always 100% accurate, since it self-admittedly does not take all relevant factors into account
2. Most importantly, it can only determine an approximation of effective permissions granted, ONE user at a time
3. Finally, it cannot identify the underlying permissions that entitle a specific user to a specific effective permission

It is for these 3 reasons that it is unable to help organizations assess and lock down effective permissions in Active Directory, and consequently, most organizations worldwide do not yet have a definitive answer to this and other profoundly vital questions.


(Apologies for the digression.) NOW, to continue on with the example...


Let us assume that the organization has a simple one domain Active Directory forest containing 5000 employee accounts and 10,000 computer accounts, one each for 10K domain-joined computers (e.g. laptops, mail, file, web and application servers.)

Since the Active Directory Effective Permissions Tab can only determine effective permissions ONE user at a time, the only way to definitively determine the identities of all individuals in the company who effectively have Modify Permissions permissions granted on the AdminSDHolder object would be to compile a list of each of these 5000 domain user accounts and 10,000 computer accounts, and then manually enter the identities of each of these accounts ONE BY ONE -


It should be clearly evident that such a process could be very laborious and easily take an excessively long time (i.e. a few days, if not weeks) and require substantial effort, each time the organization needed to make such a determination.

It is also worth noting that in the event that it is found that a user who is not supposed to have this effective permission granted does have it nonetheless, there is no way to easily know which underlying security permission in the ACL is entitling this user to this effective permission, and without that piece of intel, it would be very difficult to revoke this identified unauthorized access.


In essence, in reality, due to the shortcomings of the Effective Permissions Tab in Microsoft's Active Directory management tooling, and a general lack of awareness about the need, value and importance of determining effective permissions in Active Directory, today most organizations have NO idea as to EXACTLY who effectively has Modify Permissions permissions on the AdminSDHolder object, and thus likely have NO clue as to exactly who can control AdminSDHolder in their Active Directory.

By the way, virtually every method described in various forums on Microsoft TechNet on how to determine effective permissions in Active Directory and/or audit delegations, is technically substantially inaccurate, as is this dangerously inaccurate free tool.

Speaking of which, not a single other Microsoft tool such as dsacls, acldiag, etc. or for that matter any other 3rd party tool can accurately determine effective permissions in Active Directory. Some do offer Active Directory Permissions Audit Tools, but those are like baby-toys compared to an Active Directory Effective Permissions Audit Tool, because with them, you're still left to do a MOUNTAIN of work yourself to determine effective permissions, assuming you know how to do so accurately.

In essence, even though there are 100s of cyber security companies in the world, including some big ones, not a single one of them offers an Active Directory Effective Permissions Audit Tool. Hmm... so much for demonstrating thought leadership!



So, is there NO way for organizations to accurately and efficiently calculate effective permissions in Active Directory today?


In other words, is there NO way in which 20,000+ organizations worldwide that operate on Microsoft Active Directory, whose cumulative market cap handily exceeds $10 Trillion, can today find out exactly who controls the Keys to their Kingdom(s)?




Well, (thanks to the foresight of one individual, and a decade's work by one cyber security company,) there is ONE way...



Here's how business and government organizations worldwide, including Microsoft IT, can easily, efficiently and accurately determine exactly who has what effective permissions on not just AdminSDHolder but on any object in their Active Directory:

Open Gold Finger, select the Active Directory Effective Permissions Calculator, point it to AdminSDHolder, and click a button -

Gold Finger Active Directory Effective Permissions Calculator


Within a matter of seconds, Gold Finger will uniquely and accurately determine and reveal -
1. The complete set of all effective permissions granted on the object, including of course Modify Permissions
2. For each such effective permission, the complete set of all authenticatable security principals i.e. all domain (user, computer and service) accounts that have a specific effective permission granted on the object
&
3. For each such account, the exact underlying security permissions in the object's ACL that entitle this account to this specific effective permission.

Armed with such valuable intel, organizations can finally, and likely for the first time ever, not only instantly find out exactly who controls the Keys to their Kingdom, but also lock-down access to minimize the number of individuals who can currently do so.

(Incidentally, armed with the same intel, an intruder could also very quickly uncover and exploit the easiest possible path to the Keys to the Kingdom. That is why we only license Gold Finger to legitimate organizations and only for use in their AD domains.)

(In fact Gold Finger can also automatically determine effective permissions/access across an entire domain at a button's touch to find out exactly not only who has the Keys to the Kingdom, but also who has the keys to every door in the kingdom.)




Summary

In summary, considering the fact that 100% of all major recent cyber security breaches involved the misuse and compromise of just ONE Active Directory privileged user account, and the fact that the ACL on AdminSDHolder controls the security of all default administrative (i.e. privileged) accounts and groups in Active Directory, at the very least, every organization that operates on Active Directory today must know exactly who can control the permissions specified in AdminSDHolder's ACL.


The only other thing I will add is that I find it unbelievable that in over a decade, for whatever reason, Microsoft has not once educated its customers about the vital need and importance of determining effective permissions in their foundational Active Directory deployments. Not once! I wonder what that conveys about a company trying to woo the world to embrace its Cloud.

In their own best interest, every organization must strive to understand the profound importance of what I have shared above.

This stuff is paramount to organizational cyber security today.

Best wishes,
Sanjay



PS: The Answer

In short, the simple answer to this elemental yet profoundly vital cyber security question is -
To accurately determine exactly who can modify the security permissions specified in the AdminSDHolder object's ACL, organizations need to accurately determine Active Directory Effective Permissions granted on the object.

I could've easily just shared this one-line answer, but most folks worldwide wouldn't have gotten it, thus the example.

Tuesday, February 14, 2017

AdminSDHolder (and another $100 Billion Question for Microsoft)

Dear Microsoft,

On March 14, we start our 30-day advanced Active Directory Security School for you. To help you prep, I thought I'd ask you another $ 100 Billion question, which is at the root (pun intended) of organizational cyber security worldwide - AdminSDHolder.



AdminSDHolder

If you're Microsoft, or one of millions of Windows/Active Directory admins or cyber security pros worldwide, you know that at the heart, root & foundation of administrative/privileged access in Active Directory lies one Active Directory object - AdminSDHolder.

In the interest of brevity, I'll skip the details and provide a very brief background here. In essence, all default Active Directory accounts and groups that are considered to be administrative in nature by Active Directory are protected with a special protected locked-down access control list (ACL), which is the access control list of the AdminSDHolder object -

AdminSDHolder

It logically follows that anyone who can modify the permissions specified in the AdminSDHolder object's ACL can easily control and impact the security afforded to all default Active Directory administrative accounts and groups, such as Domain Admins, Enterprise Admins, Administrators, Backup Operators, etc., as well as the default Administrator account, and all such accounts.

In other words, anyone (e.g. a rogue or coerced insider, an intruder, an APT, etc.) who could modify the permissions specified in the AdminSDHolder object's ACL could instantly obtain complete administrative control over the entire Active Directory forest!




A $ Billion Question -

So a $ Billion question begs itself, and all organizations operating on Active Directory must ideally have an exact answer today -


Q: "In our Active Directory domain(s), exactly who can modify the permissions specified in the AdminSDHolder object's ACL?"

(If you're thinking "That's easy; just perform a permissions audit using dsacls, PowerShell etc.", think again. It's not that simple.)




A $100 Billion Question for Microsoft

In light of the above, the security of an entire Active Directory deployment also boils down to this:
Anyone who can modify the permissions specified in the AdminSDHolder object's ACL could easily compromise all default Active Directory administrative domain user accounts and groups, and by extension all of Active Directory.

So, to my esteemed former colleagues at Microsoft, I have a very simple question for Microsoft -
"Precisely what does Microsoft recommend that customers do to accurately make this paramount determination in their foundational Active Directory deployments?" i.e. how do they accurately determine exactly who can modify the security permissions specified in the AdminSDHolder object's ACL?
To be clear, consider Active Directory environments that have been around for years now, in which a non-trivial amount of access provisioning and change has been done in Active Directory, including changes to the default AdminSDHolder ACL itself (for instance as illustrated in the visual above). In such environments, how do they accurately determine exactly who can modify the security permissions specified in the AdminSDHolder object's ACL?
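To make the distinction concrete, here is an added illustration of why a plain listing of the ACEs on AdminSDHolder does not answer the question: group nesting, Deny ACEs and the object owner's implicit rights all change who can actually write the DACL. This is my own simplified model of the Windows access check written for this post, not Microsoft's code or any product's engine; every principal, group and ACE is constructed sample data, ACEs are assumed to be in canonical order, and object-type ACEs and inheritance are left out.

```python
from collections import namedtuple

WRITE_DAC, WRITE_OWNER, READ_CONTROL = 0x40000, 0x80000, 0x20000
Ace = namedtuple("Ace", "kind trustee rights")  # kind is "allow" or "deny"

MEMBERS = {  # group -> direct members (constructed; users or nested groups)
    "Domain Admins": {"alice"},
    "Helpdesk-Tier2": {"bob", "Helpdesk-Contractors"},
    "Helpdesk-Contractors": {"carol"},
}
OWNER = "dave"  # owner of AdminSDHolder (constructed, non-default)
DACL = [  # AdminSDHolder DACL in canonical order (constructed)
    Ace("deny", "Helpdesk-Contractors", WRITE_DAC),
    Ace("allow", "Domain Admins", WRITE_DAC | WRITE_OWNER),
    Ace("allow", "Helpdesk-Tier2", WRITE_DAC),
]

def token_sids(principal):
    """The principal plus every group it belongs to, transitively."""
    sids, todo = {principal}, [principal]
    while todo:
        p = todo.pop()
        for group, members in MEMBERS.items():
            if p in members and group not in sids:
                sids.add(group)
                todo.append(group)
    return sids

def access_check(principal, requested, dacl=DACL, owner=OWNER):
    """True if principal is effectively granted every bit in requested."""
    sids = token_sids(principal)
    granted = READ_CONTROL | WRITE_DAC if principal == owner else 0  # owner's implicit rights
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny" and ace.rights & requested & ~granted:
            return False  # a Deny on a still-ungranted requested bit ends the check
        if ace.kind == "allow":
            granted |= ace.rights
        if granted & requested == requested:
            return True
    return granted & requested == requested

def listed_allow_trustees(dacl=DACL):
    """What a plain ACE listing shows: the trustees named in Allow ACEs."""
    return sorted({a.trustee for a in dacl if a.kind == "allow"})

def who_can_modify_acl(principals):
    """Who among principals can actually change AdminSDHolder's DACL."""
    return sorted(p for p in principals if access_check(p, WRITE_DAC))
```

With this data the ACE listing names only two groups, while the effective answer is alice (via Domain Admins), bob (via a nested group) and dave (as owner), and carol is blocked by the Deny despite sitting under a group that is allowed.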

In case you're wondering why this is a proverbial $100 Billion question, if you were to add up the market cap of all organizations worldwide that operate on Active Directory, it would handily exceed $10 Trillion. Now, considering the potentially colossal impact of compromise resulting from a cyber security incident involving a perpetrator having modified AdminSDHolder to gain complete command and control over an organization's foundational Active Directory, you should be able to see why this is a $100B Q.


We, i.e. your customers and I, look forward to an answer. Your customers look forward to it because they have a right and an urgent need to know how to do so. I look forward to it because I'd like to see how well Microsoft still understands AD security.

Please allow me to give you a hint - here.  (To help organizations worldwide, I'll answer the question right here in a few days.)

Respectfully,
Sanjay.


PS: One more hint. The answer is a term mentioned 20+ times in this 2-pager and 0 times in Microsoft's official 100-pager.

PS2: My apologies for asking this publicly. It is 2017 after all, not 2007 (which is when you should've already addressed this).

PS3: Interestingly, due to a complete lack of guidance from Microsoft on advanced stuff, when it comes to AdminSDHolder, today most organizations are still just trying to figure out basic stuff, such as how to find and clean up orphaned AdminSDHolder objects, i.e. accounts that still have adminCount=1 even though they may no longer be a member of any default admin groups.
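For that basic task, here is an added illustration (my own sample code for this post, not a Microsoft or vendor tool) that finds accounts still carrying adminCount=1 that no protected group reaches any more, directly or through nesting. The group memberships and adminCount values are constructed sample data standing in for what a directory query would return.

```python
PROTECTED_GROUPS = {"Domain Admins", "Administrators", "Backup Operators"}

GROUP_MEMBERS = {  # group -> direct members (constructed sample directory data)
    "Domain Admins": {"alice"},
    "Administrators": {"Domain Admins", "Tier0-Ops"},  # Tier0-Ops is nested
    "Backup Operators": set(),
    "Tier0-Ops": {"bob"},
    "Helpdesk": {"carol"},
}
ACCOUNTS = {"alice": 1, "bob": 1, "carol": 1, "dave": 1, "erin": 0}  # name -> adminCount

def transitive_members(group, members=GROUP_MEMBERS):
    """Every principal reachable from group, expanding nested groups."""
    seen, todo = set(), [group]
    while todo:
        for m in members.get(todo.pop(), ()):
            if m not in seen:
                seen.add(m)
                if m in members:  # nested group: expand it as well
                    todo.append(m)
    return seen

def orphaned_admincount(accounts=ACCOUNTS, protected=PROTECTED_GROUPS):
    """adminCount=1 accounts that no protected group still reaches."""
    still_protected = set().union(*(transitive_members(g) for g in protected))
    return sorted(a for a, c in accounts.items() if c == 1 and a not in still_protected)
```

Cleanup is more than clearing adminCount: SDProp also disabled ACL inheritance on each of these objects when it stamped them, so the orphan's inheritance flag needs resetting too.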

PS4: February 22, 2017 updated - Microsoft, the answer is here.

Wednesday, February 1, 2017

Recommended Reading for Microsoft for "Active Directory Security School"

Dear Microsoft,

Today is February 01, 2017. I was scheduled to start our 30-day Advanced Active Directory Security School for all of you. Unfortunately, something fascinating came up, so let's start on Wednesday, March 14, 2017 instead, shall we?


Perhaps that will give you all enough time to prep for this advanced Active Directory Security school (and/or boot camp), so until then, to help you come up-to-speed and get ready for school, here's some recommended reading -
1. The Paramount Brief
2. Active Directory Privilege Escalation
3. A Letter to Benjamin Delpy
4. A Simple $100B Question for Microsoft
5. Active Directory Beyond the MCSE for the Black Hat Conference
6. A Simple Trillion Dollar Question for Microsoft
7. The OPM Data Hack
8. Responding to a Domain Admin Account Compromise
9. Trillion Dollar Cyber Security Insight for President Donald Trump
10. Who needs WMDs Today?

If you're short on time, given that you're all "doing more with less", and can read only one though, then you'll want to make it this one - The Top-10 Ways in which an Intruder or a Rogue Insider Could Escalate Privilege to Domain Admin in Active Directory

Hopefully you'll find the reading helpful, and sorry for the slight delay. Let's commence school on Wednesday, March 14, 2017.

Thanks,
Sanjay

PS: Update - I've been busy, so we'll commence school on April 01, 2017.

Thursday, January 26, 2017

30 Days of Advanced Active Directory Security School for Microsoft (& WD)

Folks,

Starting April 01, 2017, as former Microsoft Program Manager for Active Directory Security and as one of Microsoft's biggest well-wishers, in the very best interest of Microsoft and thousands of its organizational customers worldwide, I will spend a few minutes each day for the next 30 days to help the brilliant folks at Microsoft better understand Active Directory Security.



Here's why -

Over the last ten years, almost 10,000 organizations from 150+ countries worldwide have knocked at our doors, completely unsolicited, to request our assistance in fulfilling a paramount organizational cyber security need, which is the need to know "Who has what privileged access in their foundational Active Directory deployments?" and here's how most dialogues start -
Organization:  "Hello. I'm a Domain Admin at <organization>. We have been provisioning and delegating access in our Active Directory for many years now, but we don't know exactly who is provisioned and delegated what access in our Active Directory today. We need to find out who has what permissions in our Active Directory so that we can identify exactly who is provisioned/delegated what privileged access in our Active Directory."
Our Response: "Hello. We can certainly help you 'audit who has what permissions in Active Directory' BUT as you may know, to correctly identify who has what privileged access in Active Directory, one needs to (accurately) determine effective permissions in Active Directory, domain-wide. Identifying 'who has what permissions' is merely the starting point for determining effective permissions. Our unique Effective Permissions Calculator and Privileged User Access Audit Tool automate the entire process and could help you do so easily."
Organization:  "That's great, but wait, what are you talking about? What are Effective Permissions?! I'm not sure I've heard that term before. In fact, I don't think I've ever come across it in any Microsoft security guidance."

Let's stop right there for a moment and think about this! If (and this is what we're seeing across the world) even Domain Admins at so many organizations worldwide do not seem to know what "effective permissions" are, that's a serious problem.

("Effective permissions", especially "Active Directory Effective Permissions" are paramount to organizational cyber security, because they control not only who has the keys to every door in the Kingdom, but also who has the "Keys to the Kingdom.")




Unbelievable

Shocked by such responses, we took a closer look at the top-3 official Microsoft Active Directory security guidance sources -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

Specifically, we did a simple keyword search for the term "effective permissions" across each of these three official authoritative sources of guidance from Microsoft, and guess how many instances of the term "effective permissions" we found across them?

Zero! нуль, nul, صفر, 零, Null, μηδέν, ʻole, אֶפֶס, शून्य, ゼロ, 제로, nihil, sero!


Effective permissions are so fundamental and important to Windows Security and Active Directory Security that in Microsoft's own tooling, it is one of the 4 main tabs - Owner, Permissions, Auditing and Effective Permissions! (Sadly, it is inadequate.)


Microsoft's security guidance amply covers Permissions, Auditing and Owner(ship), but when it comes to Effective Permissions, ZERO coverage!

To make a long story short, having spoken to 1000s of Microsoft's customers, we have found that due to a complete decade+ lack of guidance from Microsoft on the most important aspect of Active Directory Security i.e. "Effective Permissions", at 1000s of business and government organizations worldwide, let alone CISOs, IT Managers and IT Auditors, even highly-privileged Active Directory admins (i.e. Domain Admins) do not even seem to know what effective permissions are!

Now, if you don't even know what effective permissions are, you're far far away from understanding just how critical they are to organizational cyber security, and how paramount the ability to accurately determine effective permissions in Active Directory is!



This is Paramount

As you may know, 100% of all major recent cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account. Considering that, did you know that each of the Top-10 ways to gain privileged user access in Active Directory exploit and involve having excessive effective permissions?!


Given Active Directory's foundational role at most business and government organizations worldwide today, this is paramount.

In light of this, we are completely baffled, stupefied, and blown-away to see a complete lack of guidance from Microsoft to its organizational customers on what undoubtedly is one of the most vital technical aspects of organizational cyber security today!

Could it be that Microsoft itself does not understand the importance of determining effective permissions in Active Directory?!

(I sincerely hope not, because if that's the case, it just shows that perhaps they don't deeply understand cyber security yet, and if that's the case, I'm not sure how the world can be expected to consider moving to their cloud offering, Microsoft Azure, yet?)

Personally speaking, having been on Microsoft's Windows Server Development Team, it appears that they may likely no longer have a dedicated role or team focused on Active Directory security (which if true, in itself, would be astonishing), and if so, given how esoteric the nature of this subject is and the depth required to comprehend it, the likelihood of anyone outside such a team easily comprehending it and driving the necessary education etc., is low. To me, that's the only plausible explanation that could explain how they could have totally forgotten to educate their customers about such an important security topic. All said and done, to have provided zero guidance on such a vital topic for over a decade suggests that likely they too don't understand it.

I will say this much - Active Directory is one of the most valuable, solid, secure and highly-securable foundational technologies ever built. It can easily be adequately secured and defended at all times with appropriate insight, expertise and resources. The only (one BIG) shortcoming in it is that it lacks an accurate and adequate* effective permissions / effective access assessment / audit capability (both per-object and tree-wide). Fortunately, our innovative patented technology (embodied in 1, 2) uniquely and completely fills this gap, making Active Directory ROCK-solid and bullet-proof. We run a bullet-proof Active Directory.

* More on this in days to come.



In Summary

It's 2017, not 2007. Microsoft's organizational customers worldwide, in their own best interest, i.e. to protect the very foundation of their cyber security, need to unequivocally understand the paramount importance of being able to accurately audit effective permissions/access in Active Directory, without any further delay, and Microsoft should be helping them understand it.

I would like to see Microsoft provide appropriate guidance to its customers, (because given the uniqueness and importance of what we do, our job is to help those organizations that understand this stuff, fulfill this essential need, help out with a few more, and address this foundational risk; it is NOT our job to educate ALL of Microsoft's customers on such a basic and fundamental Windows security topic), so to help Microsoft too better understand the paramount importance of effective permissions to Active Directory security, over the next 30 days, I'm going to most respectfully help them better understand Active Directory Security.

Fortunately for Microsoft and thousands of its valued customers, the most difficult part of the problem has already been solved. (The bigger problem is that so many organizations don't even seem to be aware that this is a massive problem to their security.)

Let there be no doubt or mistake about one fact - left unmitigated, this esoteric cyber security risk represents a hole the size of a football field in a jetliner's fuselage, and poses a serious threat to the foundational security of so many organizations worldwide.



An Open Invitation

So, starting April 01, 2017, for the next 30 days, every day I'll speak to certain aspects from this syllabus, right here on this blog. By the way, strictly speaking the title should have been "Basic Active Directory Security School", but I shall leave it at such.

Everyone working on Active Directory and Cyber Security at Microsoft, such as at the Windows/AD Product Dev Team, Azure Team, Cyber Security Team, Microsoft Consulting Services, Product Support Services, TwC, MS IT, etc. is welcome to tune in.

In fact, anyone and everyone, across the world, interested in learning more about Active Directory Security, is equally welcome.

Best wishes,
Sanjay


PS1: BTW, WD (as mentioned in the title of this blog post, and also as alluded to here) is the SDDL mnemonic for "Everyone".

PS2: Speaking of everyone, last week, I shared some helpful Trillion Dollar Cyber Security Insight for President Donald Trump.

PS3: To my esteemed former colleagues at Microsoft, imagine a scenario wherein this problem exists (and poses a real threat to (y)our organizational customers) but a solution doesn't. (Fortunately it does, thanks to the vision and passion of one of you.)