Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Monday, July 9, 2018

What's The World's Most Important Active Directory Security Capability?


A few days ago, I had asked likely the most important Cyber Security question in the world today, one that today DIRECTLY impacts the foundational cyber security of 1000s of business and government organizations across 190 countries worldwide.

Here It Is -

What Is the 1 Essential Cyber Security Capability Without Which NOT a Single Active Directory object, domain, forest or deployment can be adequately secured?

I had even provided a hint - it controls exactly who is denied and who is granted access to literally everything within Active Directory, and it comes into play every time anyone accesses anything in any Active Directory domain in any organization.

Thusfar, thousands of IT professionals from across the world, including some of the world's most famous/renowned Windows and Active Directory Security experts and CISOs, as well as Microsoft employees, have all seen the question on my blog.

Unfortunately, not ONE individual in the world (okay, except one) has answered this ONE most simple and basic question yet!

Why Not?

Do organizations worldwide NOT know the answer, OR are they afraid to answer it because they don't possess this capability?

Let's find out. To help organizations worldwide, including Microsoft, figure out the answer, I'm going to give a few more hints.

A Few More BIG Hints

Ladies and Gentlemen, NOT a single organization in the world whose IT infrastructure operates on Microsoft Active Directory, can fulfill even ONE of the following mission-critical IT and cyber security needs without possessing this ONE capability -

  1. Adequately secure their foundational Active Directory

  2. Adequately mitigate the risk posed by the use of Mimikatz DCSync

  3. Adequately mitigate the risk posed by Active Directory Privilege Escalation

  4. Accurately identify privileged users in their foundational Active Directory domains

  5. Accurately discover stealthy admins in their foundational Active Directory domains

  6. Adequately protect all organizational computers and user accounts (including C*O accounts)

  7. Adequately secure mission-critical Active Directory integrated applications (e.g. Exchange, Centrify)

  8. Securely integrate their on-premises Active Directory deployments with Microsoft Azure in the "Cloud"

  9. Correctly demonstrate regulatory compliance of access privileged provisioned within their Active Directory

  10. Reliably control the distribution and delegation of administrative authority in their foundational Active Directory

Let me repeat it again so there is NO ambiguity - not a single one of the above mission-critical IT and cyber security needs can be fulfilled without possessing this ONE capability, only because it is technically impossible to do so without this ONE capability.

I'll Make it Easy

Ladies and Gentlemen, Active Directory has been around for almost two decades now, and yet most organizations worldwide do not currently possess this ONE essential, fundamental and paramount cyber security capability yet. The reason they don't currently possess it is likely that they may not even know about it, and that sounds as unbelievable to me as it does to you!

If they haven't figured it out in almost TWO decades, they're not likely to figure it on their own, so let me make it easy for them.

It is ONE of the following five Active Directory Security Capabilities -
  1. Active Directory Auditing
  2. Active Directory Permissions/ACL Analysis
  3. Active Directory Effective Permissions/Access
  4. Microsoft Advanced Threat Analytics (aka ATA)
  5. <You can throw in all the latest buzzwords here e.g. Privileged Identity/Account Management, Zero Trust, blah blah etc >

Here's one FINAL hint. If you possess this ONE capability (on the right object in Active Directory,) then you can also easily turn off i.e. deactivate, disable, and/or render useless, all of the other listed security capabilities in an Active Directory deployment!

So, which ONE is it ?

Make No Mistake + Only Two Kinds of Organizations

Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.

Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are provably and demonstrably vastly insecure.

My Concern - This Impacts Organizational Security Worldwide

I hope that with the hints I've provided above, organizations worldwide will finally realize what this ONE essential capability is.

More importantly, I hope that at organizations worldwide, IT personnel, Domain Admins, CISOs and CIOs realize and recognize that without possessing this ONE essential and paramount Active Directory Security capability, their $ Billion organizations may currently be operating on a highly vulnerable foundation, which is a matter so serious that it should concern all stakeholders.

I'll answer this question sometime between now and July 16, 2018 at the Cyber Security Blog.


Thursday, June 21, 2018

Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?


Over the years, I've asked and answered some of the hardest questions in Active Directory Security, so today I'm only going to ask a question, with the hope that there is someone out there, and I mean anyone, who is the answer to this question!

Here's my Question -
Can Anyone in the World (i.e. any Cyber Security Company or Expert) Out There Help Thousands (1000s) of Microsoft's Organizational Customers Mitigate the Serious Cyber Security Risk Posed by Mimikatz DCSync?


There are 6,000,000,000+ people across 190+ countries worldwide, there are millions of IT personnel employed at 1000s of organizations, there are 1000s of cyber security experts and over a 1000 cyber security companies. I'm looking for just ONE.

By the way, by mitigate, I mean "render Mimikatz DCSync unusable in an AD environment" in that, say in an organization that had 10,000 employees and thus had 10,000 domain user accounts, and say 10 privileged users, even if every single one of these 10,000 accounts had been compromised by a perpetrator, he/she still couldn't use Mimikatz DCSync against their AD.

Also, I'm looking for an answer that's beyond the most obvious answer, which is to not grant anyone the required access. In other words, I'm looking for an answer that will work in every real, production Active Directory domain in the world, you know, wherein various default Active Directory security groups and users are already granted various permissions in Active Directory.

Here's what I've found thus far -
  1. This brilliant, gentle, highly-accomplished cyber security expert developed Mimikatz DCSync
  2. This AD security enthusiast educated the world about its usage, exploitation and detection (but not about its mitigation)
  3. This famous cyber security expert showed an example in action (; Oh my! ;-))
  4. This expert shared some guidance on how to detect it (; if you're detecting it, its likely too late)
  5. These cyber security experts don't seem to know that much about it, or about Active Directory Security
  6. These wonderful folks present an inaccurate script to help detect who can use Mimikatz DCSync
I could go on and on sharing the identities of so many who talk about it, but there isn't a single one who can help mitigate it :-(

Not to mention the 1000+ cyber security companies, including some big names such as (mentioned in no particular order) Palantir, Gemalto, Tanium, Tripwire, CheckPoint, Palo Alto Networks, Symantec, McAfee, Cisco, Kaspersky Labs, CrowdStrike, SentinelOne, BAE Systems, Qualys, Sophos, Gemalto, CyberArk, ZScaler, Preempt, BeyondTrust, Quest, HP, etc. etc.!

Oh, here's the amusing part - in all likelihood, most of these cyber security companies too very likely run on Active Directory, and if I had to guess, I don't think even one of them, know how to, or possess the means to mitigate Mimikatz DCSync!

Funny haan? ;-)

Why Does this Matter?

By now, I shouldn't have to tell anyone involved in Active Directory or cyber security why this matters, but I will nonetheless -

Most simply put, should a perpetrator be able to successfully run Mimikatz DCSync against your foundational Active Directory domain, you're DONE, as it would be tantamount to a massive, systemic cyber security breach. The entirety of your user populace's credentials would have been compromised, and the perpetrator would have obtained control over your entire Active Directory forever. It would be time for everyone, including all Domain Admins, the CISO, the CIO and the CEO to find another job (assuming you can find one, considering your resume would highlight your previous employment, and since your previous employer (i.e. the one that was breached) would likely have been all over the news for quite some time, it may perhaps end up being a little difficult to find suitable employment.)

How about an Illustrative Scenario?

Sure, if you'd like one, here you go -  A Massive Breach at a Company whilst it was Considering the Cloud.

A Request

We often come across Domain Admins, and every now and then CISOs, who have no idea what Mimikatz DCSync is, and that is scary. If you are such a Domain Admin / CISO, my earnest request to you would be to immediately learn about it, or, in the best interest of your employer's foundational cyber security, please let someone else take over your vital responsibilities.

Let Me Know

Very well then. If ANYONE in the world knows ANYONE who can help (and by that I mean  possesses the capability to be able to help) thousands of organizations worldwide (easily and correctly) MITIGATE the serious risk posed by Mimikatz DCSync, please let me know. I'm all ears, and I think, so are thousands of organizations worldwide, including perhaps Microsoft too ;-).

In short, I'm looking for someone/thing that could render the extremely powerful and dangerous Mimikatz DCSync, unusable. With 6 billion people, millions of IT and cyber security pros, and a 1000+ cyber security companies worldwide, I'm hopeful.

So if you know of someone (and I mean, anyone) who can do so, please let me know by leaving a comment below.

If I don't get an answer by July 02, perhaps I'll take a shot at the answer, over at -

Best wishes,

PS: On an unrelated note, when you use Windows Update
       to update your Windows 10 PC every week, do you
       EVER check to see just what got downloaded?
       Perhaps you SHOULD, and here's why.

July 03 Update. Here's the answer >

Tuesday, June 19, 2018

Some Interesting Figures from an Active Directory ACL Dump of Security Permissions from a default Windows Server 2016 Active Directory Domain


I had only 2 minutes to blog today, so within the 2 minutes I had, I thought I'd generate, put together and share some interesting figures about the default Active Directory security permissions in a Windows Server 2016 based Active Directory domain.

It took a mere 3 seconds to do a domain-wide ACL dump of a Windows Server 2016 based Active Directory domain -

Active Directory Domain-wide ACL Dump

Domain-wide ACL Dump Download URL

You can download the entire actual domain-wide ACL dump from here.

Some Interesting Figures

Here are some interesting figures that took a minute to put together -
  • Total number of object classes instantiated in domain partition: 40
  • Total number of Active Directory objects in the domain: 242
  • Total number of Active Directory ACLs (duh, obviously!): 242
  • Total number of Active Directory security permissions (aka ACEs): 6677
  • Total number of explicit Active Directory security permissions: 1323
  • Total number of inherited Active Directory security permissions: 5354  
  • Total number of inherit-only Active Directory security permissions: 3746
  • Total number of unique security principals for whom permissions are specified: 27
  • Total number of objects whose ACLs were marked "Protected" : 20

  • Total number of Allow security permissions: 6677
  • Total number of Deny security permissions: 0
  • Total number of security permissions specified for Domain Admins: 246
  • Total number of security permissions specified for Enterprise Admins: 230
  • Total number of security permissions specified for Administrators: 231
  • Total number of security permissions in the ACL of the AdminSDHolder object: 24
  • Total number of security permissions in the ACL of the domain root objects: 53
  • Total number of specific extended rights specified in these security permissions: 19
  • Total number of attribute-specific write-property security permissions: 15

The exact security permissions can be viewed in the downloadable ACL dump (link provided above).

Unique Security Principals

Here's the list of the 27 unique security principals for whom security permissions are granted in the domain -
  1. Pre-Windows 2000 Compatible Access
  2. Cloneable Domain Controllers
  3. Enterprise Read-only Domain Controllers
  4. Domain Controllers
  5. Key Admins
  6. Enterprise Key Admins
  7. Creator Owner
  8. Self
  9. Enterprise Domain Controllers
  10. Administrators
  11. Incoming Forest Trust Builders
  12. Authenticated Users
  13. Domain Admins
  14. Enterprise Admins
  1. Everyone
  2. System
  3. Account Operators
  4. Print Operators
  5. Group Policy Creator Owners
  6. RAS and IAS Servers
  7. Domain Computers
  8. Network Service
  9. Cert Publishers
  10. Windows Authorization Access Group
  11. Terminal Server License Servers
  12. DnsAdmins
  13. DC1 (<domain computer account>)

The exact permissions granted to each one of these security principals can be viewed in the ACL dump (; link provided above).

Instantiated Object Classes

Here's the list of the 40 object classes, instances of which exist in the domain -

  1. Domain-DNS
  2. Container
  3. Organizational-Unit
  4. Lost-And-Found
  5. Infrastructure-Update
  6. ms-DS-Quota-Container
  7. Rpc-Container
  8. File-Link-Tracking
  9. Link-Track-Volume-Table
  10. Link-Track-Object-Move-Table
  11. Domain-Policy
  12. Class-Store
  13. Group-Policy-Container
  14. NTFRS-Settings
  15. Dfs-Configuration
  16. Ipsec-Policy
  17. Ipsec-ISAKMP-Policy
  18. Ipsec-NFA
  19. Ipsec-Negotiation-Policy
  20. Ipsec-Filter
  1. ms-DS-Password-Settings-Container
  2. ms-Imaging-PSPs
  3. TPM-InformationObjectsContainer
  4. User
  5. Builtin-Domain
  6. Group
  7. Foreign-Security-Principal
  8. Sam-Server
  9. Computer
  10. RID-Manager
  11. RID-Set
  12. ms-DFSR-GlobalSettings
  13. ms-DFSR-ReplicationGroup
  14. ms-DFSR-Content
  15. ms-DFSR-ContentSet
  16. ms-DFSR-Topology
  17. ms-DFSR-Member
  18. ms-DFSR-LocalSettings
  19. ms-DFSR-Subscriber
  20. ms-DFSR-Subscription

Each instance of these object classes, and their complete ACLs can also be viewed in the ACL dump (;link provided above).

Permission-Specific Breakdown

Finally, here's a breakdown of the number of security permissions of each Active Directory permission type -
  • Number of security permissions (ACEs) granting Read Control (RC): 1977
  • Number of security permissions (ACEs) granting List Child (LC): 2171
  • Number of security permissions (ACEs) granting List Object (LO): 1968
  • Number of security permissions (ACEs) granting Read Property (RP): 5704
  • Number of security permissions (ACEs) granting Write Property (WP): 2072
  • Number of security permissions (ACEs) granting Create Child (CC): 1001
  • Number of security permissions (ACEs) granting Delete Child (DC): 779
  • Number of security permissions (ACEs) granting Standard Delete (SD): 803
  • Number of security permissions (ACEs) granting Delete Tree (DT): 586
  • Number of security permissions (ACEs) granting Extended Right (CR): 1299
  • Number of security permissions (ACEs) granting Validated Write (SW): 1389
  • Number of security permissions (ACEs) granting Modify Permissions (WD): 978
  • Number of security permissions (ACEs) granting Modify Owner (WD): 978

Finally, the exact ACEs that specify each one of these permissions can also be viewed in the ACL dump (;link provided above).

Detailed Security Permissions Analysis

Time permitting, you can analyze the entire ACL dump to perform detailed Active Directory security permissions analysis. Since the tooling splits the permissions field up into individual columns for permissions, it makes it very easy to analyze these ACLs.

For instance, you can easily find out exactly what security permissions are granted to a specific user or group, or find out exactly which users or groups are granted a specific Active Directory permission. You can also easily identify all inherit-only security permissions, as well as all Allow permissions, Deny permissions, Explicit permissions, Inherited permissions etc. etc.. I could go on with many more interesting facts/figures, but I'll stop here because my 2 minutes are up :-).

BTW, this is super easy and what we consider child's play (which is also why I didn't want to give this more than 2 minutes of my time.) Since it took just 3 seconds to dump these ACLs, I was happy to give it 2 minutes ; Oh, and we use our own tooling.

Alright then, my 2 minutes are up, so back to work.


Monday, June 18, 2018

Evidence Matters (, and We Have a Mountain of It)


Earlier today, I had shared details of how we, by sheer chance, discovered that an untrusted (self-signed) purportedly Lenovo Kernel-mode device driver had been automatically downloaded and installed on a brand-new Microsoft Surface device.

The evidence is in, and lies on, that specific Microsoft Surface device itself, and we had quarantined that device the minute we made this discovery, to preserve the evidence, so that if needed, Microsoft's engineers could identify what caused this issue.

Speaking of evidence, as we know, in literally everything, evidence matters, because in it lies proof, and thus evidence prevails.

Thus and in fact, from day one, we've made sure that every single claim we have ever made, whether it be about an inaccuracy in a specific vendor's effective permissions tooling, or the lack of sufficient knowledge in the Domain Admin community, or the list of our marquee customers, or our global customer base, or our Microsoft testimonials, or the claims made in The Paramount Brief, or when we inform a specific organization's executive management team about deficiencies in their existing cyber security defenses, or our claim regarding our innovative products being unique in their ability to empower organizations worldwide to be able to audit effective privileged access in their Active Directory, is backed by concrete evidence, and a mountain of it at that.

You see, when you've spent 30,000 hours specializing on a single subject matter, you end up being the very best at what you do, and when you're the very best at what you do, unintended accomplishments come your way, and as they do, you not only end up standing tall upon a mountain of accomplishments, along the way, you also end up collecting, savoring and preserving every single trophy you've earned along the way, both small and big, which ultimately end up building a mountain of evidence.

So to anyone who wishes to take us on, please know that we stand tall and operate formidably, upon a mountain of evidence.

Best wishes,

PS: This message is certainly NOT directed at Microsoft.
       It is solely intended to convey the value of evidence.

Thursday, June 14, 2018

Hello Again


Hello again! I hope this finds you doing well. Wow, its been 6 months since I blogged, and I'm sorry for the unintended absence.

Perhaps I should introduce ourselves again ;-)

Hello World, We are ...

I should mention that I've been missing blogging, especially considering that I penned 60+ posts in 2017, so starting Monday, June 18, 2018, I'm going to get back to blogging, because its time to help safeguard Microsoft's global ecosystem.

Until then, perhaps I should share with you a bit of what's kept me away during the last 6 months -
  • In January, one of the world's top technology companies, one that likely impacts hundreds of millions of computers worldwide, had requested our help in accurately identifying privileged access in their foundational Active Directory, and considering that they had 50,000+ objects in their domain, and the ACL of each object had a whopping 600+ ACEs, we had to enhance Gold Finger so it could efficiently take into account 30 million ACEs to determine effective permissions across their domain, so as Gold Finger's lead architect, I had to get involved to enhance it a bit.

  • In February, one of the world's most important national defense forces had reached out to us with a rather unique requirement within which they wanted Gold Finger to operate, and since it potentially impacted that country's national security, as one of Gold Finger's lead programmers, I had to help lead the effort to help them out.

  • During March and April, we finished work on Gold Finger Mini 6.0, the world's only cyber security tool that democratizes and delivers the power of real cyber intelligence by empowering 500 million+ people worldwide to find out for free exactly who can compromise their Active Directory credentials. It shipped on time, on May 01.

  • In May, amongst others, one of the world's largest insurance companies joined our global family of customers by licensing Gold Finger 007, and I personally got involved to ensure that everything went off smoothly for them. In addition, one of America's top defense contractors had specially requested our assistance in helping them verify least-privileged access (LPA) in their foundational Active Directory, and I decided to get involved to help them out. 

I just realized that almost half the year's over, and I hadn't blogged anything yet, so I've decided to get back to blogging.

Very well then, onward to June 18, 2018.  Stay tuned!

Best wishes,

Sunday, December 31, 2017

Looking Back at 2017 - An Eventful Year for Active Directory Security


As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!

I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.

Top-10 Notable Active Directory Security Events of 2017

Here are the Top-10 most notable events in Active Directory Security this year -

  1. Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?"  From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

  3. On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

  5. On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access. 

  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

  9. On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9  above, lies in Active Directory Effective Permissions and Active Directory Effective Access.

Helping Defend Microsoft's Global Customer Base
( i.e. 85% of Business and Govt. Organizations Worldwide )

Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...

...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.

This year, I ( / we) ...

  1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

    Introduction, How Well Does Microsoft Understand Cyber Security, The Importance of Active Directory Security, The Impact of an Active Directory Security Breach, The Active Directory Attack Surface, The Top-5 Security Risks to Active Directory, Active Directory Privilege Escalation, An Ocean of Access Privileges, AdminSDHolder, Active Directory ACLs - Attack and Defense (Actual),  Active Directory Effective Permissions, and so many more ...

  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security

In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.


All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)

In 2017, attackers, pen-testers and defenders finally seem to have realized the importance of Active Directory Security.

Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

Best wishes,

PS: Why I do, What I do.

Friday, December 29, 2017

Why I do, What I do


I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.

Here are the answers to the Top-5 questions I am frequently asked -

  1. You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?

    Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.

    In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.

    As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.

  2. Speaking of which, how big is Paramount Defenses?

    At Paramount Defenses, we believe that less is more, so our entire global team is less than a 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.

    If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.

  3. Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?

    The simple answer to this question - For Security Reasons.

    At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.

    As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.

    Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.

  4. What do you intend to accomplish by blogging?

    The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.

    That's because this impacts global security today, and here's why -

    You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.

    It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.

    Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.

    This isn't a secret; its something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.

    In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.

    What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"

    On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.

    To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.

    Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.

    Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.

  5. Why have you been a little hard on Microsoft lately?

    Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.

    In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.

    You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.

    It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer based about Active Directory Effective Permissions at all - Proof.

    Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.

    As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.

    Fortunately for them and the world, we've had our eye on this problem for a decade know and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.

    Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.

Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.

Best wishes,