Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Wednesday, October 18, 2017

Coming Soon... How to Thwart Sneaky Persistence in Active Directory

Folks,

As I briefly mentioned earlier, a few weeks ago, at the Black Hat Conference 2017 (which we skipped) on Cyber Security, two fine gentlemen made an interesting presentation titled An ACE Up The Sleeve - Designing Active Directory DACL Backdoors.


In this presentation, a whitepaper on which can now be downloaded from here, its authors have presented what may seem like a ground-breaking revelation to those uninitiated to the subject, but what in reality is actually just Active Directory Security 101.

With full respect to its authors, I will say that for someone who may have been relatively new to this subject (which most cyber security pen testers, ethical hackers and hackers are these days) and coming from a mainstream pen-testing/attack background (i.e. generally focused on and employing local credential-theft attack-vectors) they got close to actual sneaky persistence in AD.


Incredulously and amazingly, perhaps because a majority of cyber security experts (both, defenders and attackers) and IT pros may not know Active Directory Security that well, this presentation has been garnering a lot of attention, including at Microsoft.


Here's proof - In the last ONE month alone, Microsoft's Advanced Threat Analytics (ATA) Team has published TWO blog posts in response to this presentation (on Sep 18 here and on Oct 11 here), so this clearly seems to have Microsoft's attention!

Speaking of which, here's a quote from Microsoft's latest blog post regarding this topic/presentation - "In general, this is a very important goal for an attacker and is a big part of a successful mission performed either by a nation state or by a hacker group."

Wow!   Hmm.    Keep reading ;-)





How to Easily Thwart Sneaky Persistence in Active Directory

I may no longer officially be an employee of Microsoft, but I am former Microsoft Program Manager for Active Directory Security, and just because I work for a different company now, that neither diminishes my knowledge nor my passion to help the world.


So, in a few days, right here, to help organizations worldwide, including to help my fine colleagues at Microsoft who seem to be struggling to figure out how to deal with this, I will share just how EASY it is to thwart sneaky persistence in Active Directory -


If you truly understand Active Directory Security, then you know that there are far greater challenges facing most organizations worldwide, so to help put this behind them, and to adequately address that whitepaper, I'll pen an insightful post on the subject.


BTW, in the whitepaper, regarding Defenses, the authors state - "Some defenders may believe the detection of these types of backdoors is a lost cause... ...the primary method for detection and investigation remains properly tuned event logs for DCs...  ... one interesting defensive tool is the use of AD replication metadata." etc. It appears these wonderful folks are trying too hard!

Oh, and the most amusing part is to see Microsoft try even harder, and I'm quoting this verbatim from here - "This does sound like an issue...  ...so, this made me think - Is there a way we can identify all the objects to which I don't have permissions?;-)


This one's actually quite simple.  The answer, coming up, in a few days...

Best,
Sanjay

CEO, Paramount Defenses

Wednesday, October 11, 2017

A Paramount Question for Microsoft Azure CTO : he said 'Ask me anything'


Dear Mark,

You Sir, are Mark Russinovich, Chief Technology Officer (CTO) of Microsoft Azure, and for you I have the greatest of respect.

A few days ago at Microsoft Ignite, you said - "Ask me anything!" -


By the way, I must compliment you for doing so, because when you do so, you really have to be ready for any/every question!




So, I'd like to ask 1 Question

Mark, on behalf of 1000s of Microsoft's organizational customers, I'd like to most respectfully ask you just one simple question -

Question: How can/should organizations find out exactly who actually has what privileged access in their Active Directory ?


Specifically, how can organizations determine exactly who can do what on the 1000s of domain user accounts, domain computer accounts, domain security groups, containers, OUs, SCPs etc., including of course all their privileged and executive domain user accounts and groups that reside in their foundational Active Directory?


I only ask this question because as you too will likely agree, this 1 simple question directly impacts and thus is paramount to the foundational cyber security of over 85% of all organizations worldwide, all of whom operate on Microsoft Active Directory.


I really do hope that on behalf of Microsoft, you'll answer this question, for organizations worldwide look forward to the answer.

Most respectfully,
Sanjay

CEO, Paramount Defenses


PS: Sir, if you've ever heard of AccessChk.exe and know what it does,
(and I believe you have), then you know the answer to this question.

PS2: As former Microsoft Program Manager for Active Directory Security, I'd like to offer a hint. The answer to this question is also the (premise for, and thus the same as the) key to the ten questions below, and in essence it involves just two words -
1. What Constitutes a Privileged User in Active Directory?

2. How to Correctly Audit Privileged Users/Access in Active Directory?

3. How to Render Mimikatz DCSync Useless in an Active Directory Environment?

4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory?

5. How to Easily Solve The Difficult Problem of Active Directory Botnets?

6. Why are the World's Top Active Directory Permissions Analysis Tools Are Mostly Useless?

7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory?

9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory?

10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory deployment?

In short, the answer is (something like) this -
Ans: To do so, all that organizations need to do is to accurately and adequately determine e******** p**********/a***** on their Active Directory objects. That's it.

Monday, October 9, 2017

Some Love For Microsoft + Time to Help Microsoft (and the Entire World)


Folks,

This is a Trillion $ post. I wanted to show some love for Microsoft and help them out, as it appears they could use some help.

BTW, for those wondering who I am to make such a statement, I'm a nobody who knows a thing about a thing that impacts WD.




Trillion $ Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


Active Directory is the Foundation of Cyber Security Worldwide

The compromise of an organization's foundational Active Directory deployment could have disastrous consequences for the organization and its stakeholders, and the real extent of damage would be a function of the perpetrators' proficiency and intent.

If you understand the inner workings of Active Directory based networks, then you know that the amount of damage that we've seen in recent breaches such as the Equifax breach, is nothing, compared to the amount of damage that can actually be done.



Thus far, perpetrators have been focused on simple attack vectors such as credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins), and over time Microsoft has made their enactment much harder.

As these attack vectors become harder to enact, perpetrators have started focusing on increasing their knowledge about Active Directory, and exploring ways to try and target and compromise Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

Today Active Directory security, and in particular Active Directory access control lists (ACLs) impact organizational security and national security, worldwide. Speaking of which, and just so the world knows, here is Microsoft's take on them, and here is ours.

Perpetrators seem to be learning fast, and building rapidly, so the next big wave of cyber breaches could involve compromise of Active Directory deployments, unless organizations act swiftly to lock-down their foundational Active Directory deployments.

To do so, organizations worldwide need the right insight, guidance and tooling to adequately lock-down their Active Directory deployments. Unfortunately, Microsoft doesn't seem to know much about it (proof: 1, 2, 34), and thus may be unable to help.




Some Love for Microsoft

Today I may be the CEO of Paramount Defenses, but I'm also former Microsoft Program Manager for Active Directory Security, and I for one deeply love Microsoft, and deeply care about the foundational cyber security of all organizations worldwide, so I'm going to help Microsoft and the entire world adequately secure and defend their foundational Active Directory deployments.


To Satya (Nadella) and my former colleagues at Microsoft I say - "Microsoft is one of the greatest companies in the world today, and we care deeply and passionately about not only the role we play in society and the impact we have on billions of people, but also the responsibility that goes along, so we're* going to help the world address this colossal cyber security challenge."

* I may no longer be a Microsoft employee, but I still do care deeply and equally, so I'm happy to help you.
  If I were you, I'd most respectfully embrace this opportunity, be thankful for it, and not squander it.

To my friends at Microsoft, if I may have recently been a tad critical of you, its only because I care deeply about our customers, and I know that Microsoft can do much better at educating its global customer base about a matter of paramount importance.





Er, What Cyber Security Challenge?

Now, there might be billions of people and thousands of organizations worldwide who may have absolutely no idea about what I'm talking about, so perhaps I should succinctly and unequivocally spell it out not just for the entire world, but also for Microsoft.


Stated simply, and as described in The Paramount Brief, here's the #1 cyber security challenge that impacts the world today -


"From Silicon Valley to New York and London to Sydney, at the very foundation of cyber security and IT of 85+% of all business and government organizations across 190+ countries worldwide lies Microsoft's Active Directory.
Within the foundational Active Directory domains of these organization lie the entirety of their building blocks of their cyber security i.e. their user accounts, computer accounts, security groups, security policies etc. each one of which is represented by an Active Directory object & protected by an Active Directory Access Control List (ACL).
Today, in most of these organizations, there exist millions of ACLs in their Active Directory, and within these ACLs exists an ocean of excessive/unauthorized access, that today paves thousands of privilege escalation paths to literally the entirety of all objects in these Active Directory deployments, including to all their privileged users.
This ocean of unauthorized access exists worldwide today because Active Directory lacks and has always lacked the essential ability to help organizations correctly and adequately audit effective access in Active Directory, and consequently even though organizations have been delegating/provisioning all kinds of access in Active Directory to fulfill various business needs, they've never had the opportunity to correctly audit this ocean of access, resulting in a situation caused over time (i.e. over the years) wherein today unauthorized access pervades Active Directory.
In short, today, at most organizations, no one knows exactly who has what access on any of their building blocks of security, and possibly an excessive number of users, computers and service accounts may have substantial unauthorized access on them, and thus be in a position to easily and instantly compromise their security.

  • A Trillion $ Note: Most organizations (and perpetrators, as well as the Bloodhound Tool) audit "Who has what permissions in Active Directory?" Unfortunately, that does not provide the accurate picture. What they need to audit is "Who has what effective permissions/access in Active Directory?" Sadly, Microsoft has NEVER provided this guidance in an entire decade, so no one even seems to know this.

Anyone who possesses the tooling to correctly analyze effective access in Active Directory could instantly identify, and either eliminate or exploit, all such unauthorized access grants and the 1000s of privilege escalation paths they pave, and thus be in a position to either formidably defend or completely compromise these organizations.
The potential impact of this huge cyber security challenge is best illustrated by these 7 examples. Its that simple."


As simple as it is, not a single one* of the 1000+ cyber security companies that exist today has a solution for this challenge.


Let there be no mistake about this - a proficient intruder who possesses tooling that lets him/her correctly analyze effective permissions/access in Active Directory, could easily find, hundreds if not thousands, of unauthorized access grants in most Active Directory domains, and exploit them to compromise and obtain complete command and control over the organization.


If you find this hard to believe, you don't have to take my word for it, as here is Microsoft finally acknowledging it, and doing their best to downplay it. By the way, if they truly understood the depth of this problem, what they should've actually said is here.

Unfortunately, perpetrators can develop their own tooling and they don't even have to be 100% accurate (e.g. Bloodhound.)

Fortunately, organizations that possess the right tooling (e.g. 1, 2) can reliably mitigate all such security risks to Active Directory, from Mimikatz DCSync to Active Directory Privilege Escalation and from Sneaky Persistence to Active Directory Botnets, before perpetrators have the opportunity to exploit them, leaving no unauthorized access in Active Directory for perpetrators to exploit.





Time to Help Microsoft (and the Entire World)

Over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.


Of course, today we can also uniquely empower organizations worldwide to adequately secure and defend their foundational Active Directory deployments, and we are happy to help organizations that request our help, but we are not going to go to anyone explicitly offering our help, because we're not your ordinary company.


So, in days to come, we'll begin by educating the world about the following -


  1. What Constitutes a Privileged User in Active Directory

  2. How to Correctly Audit Privileged Users/Access in Active Directory

  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

  6. Why the World's Top Active Directory Permissions Analysis Tools Are Mostly Useless

  7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

  8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory

  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can actually be easily accomplished today, but and in order to do so, what is required is the ability to be able to accurately and adequately audit effective access in Active Directory.

Each one of these topics is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual/company) on the planet that can help the world address each one of these objectives today, let me know.

So, within the next 7 days, as a part of this, I'll start penning the above, and you'll be able to read them right here.




In Summary

If you truly understand Active Directory Security, then you know that literally the entire world's wealth is being protected by it, so and thus we just cannot afford for organizations to start having their foundational Active Directory deployments being breached.


Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation


PS: To anyone who believes they know more about Active Directory Security than us, or can help the world more than we can, go ahead and demonstrate that you can - this is your opportunity. If you can, let's see it. If you can't, you'll want to listen to us.

PS2: If you liked this post, you may also like the 20+ posts that are a part of - Helping Microsoft with Active Directory Security.

Friday, October 6, 2017

Microsoft, Have 1000s of Major Organizations Been Furnishing Inaccurate Evidence to Demonstrate Compliance of Access Rights in Active Directory?


Dear Microsoft,

(This is my last post of being a tad tough on you. From the next post onwards, I'm going to be helping you out tremendously, because I am on your side.  As for this last tough post, I hope you've got the point I have been trying to make all this while.)


Today is Day-20 of our Active Directory Security School for you. Thus far, I've asked you a few basic/elemental questions (e.g. this one, this one, this one, this one, this one or this one) concerning Active Directory Security, and I don't think you may have an answer for even one of them, perhaps as they may seem to be difficult, so today I'll ask you a simple question.



Regulatory Compliance 101 and Active Directory

As you may know, for many years now, thousands of organizations across the world, such as all publicly-traded organizations in the United States, the European Union and in other legal jurisdictions, have, for various reasons, been required to and continue to be required to demonstrate regulatory compliance of access rights in Active Directory.


The reason for this very simply is that many critical organizational IT assets that fall under the purview of these regulations, such as the domain user accounts of key executives (e.g. C*Os), are all stored, protected and managed in Active Directory.


So, for illustrative purposes, let's take a closer look at just ONE such requirement, and ask ourselves whether 1000s of such organizations may have been furnishing inaccurate evidence to demonstrate compliance of access rights in Active Directory?

Specifically, let's consider just one specific ask, which is to determine and furnish evidence to demonstrate exactly -
Who can reset the password of an organization's Chief Executive Officer's (CEO's) and Chief Financial Officer's (CFO's) domain user accounts?

I hope I don't have to explain why something as basic as this would fall under the purview of most regulatory compliance asks.

(If someone could reset the password of the CEO or the CFO of an organization, he/she could instantly gain access to highly sensitive and confidential information, the knowledge (and the unauthorized use or unauthorized disclosure) of which could be used to substantially impact the organization's stock-price, and thus its valuation, and this could adversely impact shareholders.)




Who can Reset the CEOs Password?

Let's consider what it takes to find out who can reset the password of the CEO's domain (i.e. Active Directory) user account.

As I have indicated numerous times by now (1, 2, 3), to make this paramount determination, what organizational IT personnel need to do is find out exactly who has Reset-Password extended right effective permissions on the CEO's domain user account -


The keyword here is effective permissions i.e. and to be most specific, I mean Active Directory Effective Permissions.

It is impossible to accurately make this determination without being able to accurately determine effective permissions on the CEO's domain user account in Active Directory, and consequently, it is impossible to furnish accurate evidence in this regard to demonstrate regulatory compliance without having the ability to accurately determine effective permissions in Active Directory.

Now, let alone having the ability to accurately determine effective permissions in Active Directory, at most organizations, IT personnel don't even seem to know that in order to make this paramount determination, they need to determine effective permissions in Active Directory! In fact, all along, at most organizations, IT personnel have merely been finding out "who has what permissions in Active Directory" as opposed to finding out "who has what effective permissions in Active Directory."

Thus it logically follows that most organizations worldwide have not even been making this determination correctly, and thus it can be stated with a reasonably high degree of confidence that 1000s of organizations worldwide may have been, for years now, furnishing inaccurate evidence to demonstrate the regulatory compliance of access rights in Active Directory!

I do not know what the specific penalties for furnishing inaccurate regulatory compliance evidence might be, but the CFOs of these organizations (including yours) will likely know, as they are required to personally sign-off on all such furnished evidence.

Microsoft, if only you would've educated the world years ago about "Active Directory Effective Permissions" and their paramount role in literally everything related to cyber security in Windows environments, including of course regulatory compliance, you could've saved the world a lot of trouble. Thankfully, today these C*Os can now themselves audit who can reset their password!

Speaking of which, not just to demonstrate regulatory compliance but to maintain cyber security, ideally, all organizations must, at all times, know exactly who can reset the passwords of all domain user accounts in their Active Directory, and now they can.




Speaking of Auditors

By the way, I should mention that we've had so many organizations request our assistance in this regard, and when asked as to the reason, we've been told that their "regulatory compliance auditors asked to furnish a list of everyone who can CHANGE the CEO's & CFO's password!" We thought we may have heard incorrectly, so we asked twice, and the answer again was that their "regulatory compliance auditors asked to furnish a list of everyone who can CHANGE the CEO's & CFO's password!"

CHANGE Password or RESET Password ?!


Do these auditors NOT know that it is not who can CHANGE a user's password that matters but in fact it is who can RESET a user's password that matters, BECAUSE by nature, in order to CHANGE a user's password, you need to (i.e. are required to) demonstrate knowledge of the EXISTING password, which is something ONLY the CEO him/herself should know about.

You see, in contrast to a password change, a password RESET operation does NOT require one to demonstrate knowledge of the EXISTING password, but in fact only requires that you have sufficient effective permissions to be able to reset the user's password, which is governed by the Reset Password extended right on the individual's domain user account!

So, if any there are any auditors out there still asking for "Who can change the CEO's password?" they'll want to read this.

Like so many other things, I cannot stress this enough. The subtle yet profound difference between a Password Change and Password Reset is possibly one of the most misunderstood yet important areas of organizational cyber security today!





Just One More Thing - SmartCards!

Organizations that use Smartcards for user authentication may perceive this as not being too applicable to them considering that they may be operating under a heightened (but false) sense of security, given that they're using Smartcards (or some other means) for two-factor authentication for their domain user accounts, including thus for their executive domain user accounts.



Well, all such organizations should know that smartcard authentication on a domain user account can be turned off at the flip of a single bit on the domain user account, and the moment it is turned off, authentication on that account automatically falls back to being password based, with a random password being applied to the domain user account!

To all such organizations, I'd humbly recommend trying to find out exactly who can disable the use of smart-cards on all their domain user accounts. Oh and by the way, in order to make that determination, they'll need to determine effective permissions on each one of their domain user accounts. Yes, I'm aware that this determination is not at all easy to make and it could take weeks, if not months, but this is after all extremely important to organizational security, isn't it. (What if it took just minutes ?!)





Tip of the Iceberg

Demonstrating compliance of "Who can Reset the Password of the C*O's Domain User Accounts" is just the Tip of the Iceberg!


In reality, there is so much more that most publicly held organizations in most legal jurisdictions worldwide need to assess and demonstrate the regulatory compliance of, that requires the determination of effective permissions/access in Active Directory.

Unfortunately, because so many organizations worldwide may still not know about the subtle but profound difference between  "Who has what permissions in Active Directory"  and  "Who has what effective permissions in Active Directory", they very likely may have been furnishing inaccurate evidence all these years!




In Summary

Microsoft, given what it is we uniquely do, my time is extremely valuable, and over the past few weeks, I've invested a lot of my valuable time towards helping you understand why it is so very important for you to help thousands of organizations understand the paramount importance of being able to determine effective permissions (/ effective access) in Active Directory.


It is paramount to the foundational cyber security of your customers, and I'd still like to believe that you're not just all talk.

Today's post was meant to demonstrate that Active Directory Effective Permissions impact not just the foundational cyber security of organizations worldwide, but in fact also impact all related areas, such as demonstrating regulatory compliance.

In all seriousness, Microsoft, perhaps likely thanks to you, thousands of prominent organizations worldwide may very well have been furnishing inaccurate evidence to demonstrate compliance of access rights in Active Directory, and doing so for years!

Alright, that's all for today.

Best,
Sanjay


This post marks the end of my being tough on Microsoft. Next post onwards, I'm going to be helping them out tremendously.

Wednesday, September 27, 2017

Active Directory Access Control Lists (ACLs) - "Actual" Attack and Defense

Folks,

This post impacts the cyber security of every foundational Active Directory deployment in the world, so you may want to read it.


Active Directory Access Control Lists (ACLs)

Active Directory is the foundation of cyber security worldwide because it enables distributed security in Windows environments and it stores, protects and enables the administration of the entirety of an organization's building blocks of cyber security.

In essence, literally from the entirety of the user accounts of an organization's workforce (including those of all privileged users), to the entirety of computer accounts that represent the organization's computers, and from the entirety of the domain security groups that protect the entirety of an organization's IT resources to the entirety of an organization's security policies (GPOs), at thousands of organizations worldwide, all building blocks of cyber security are stored, secured and managed in Active Directory.

Guess what protects each & every one of these building blocks of cyber security i.e. these Active Directory objects, worldwide?

It is Active Directory Access Control Lists (ACLs) -


An Active Directory Access Control List (ACL) protecting an Active Directory Object

Specifically, it is the ACL of an Active Directory object in which the organization's access intent for that object is specified (whether it be the CEO's user account or the Domain Admins group,) and it is this intent that is enforced by the "System."

In fact, today, billions of Active Directory ACLs that exist in Active Directory deployments worldwide, together serve to secure and defend the very building blocks of organizational cyber security at thousands of business and government organizations.

In short, not only do Active Directory ACLs today help protect trillions of dollars of wealth worldwide, they play a paramount role in securing and defending most business and government organizations, and thus they impact business and national security.

(By the way, if you want to get a complete look at an Active Directory object's ACL, here's likely the most capable tool to do so.)





Attack and Defense - Microsoft's Version

On September 18, 2017, i.e. about one week ago, Microsoft shared its thoughts on this subject in a blog post titled -



If you haven't read it, I highly recommend that you read it, NOT because you'll learn anything at all, but only because it reveals volumes about just how little Microsoft may actually seem to know about Active Directory Security, ACLs, attacks and defense.


Attack

If you listen to what today's Microsoft has to say, they'll downplay the exploitation of Active Directory ACLs as an attack vector, suggest that recently there's been some attention given to Active Directory ACLs by amateurs, indirectly concede that it may be possible to exploit weaknesses in Active Directory ACLs, tell you about AdminSDHolder to claim that this couldn't likely be used to escalate privilege to privileged users, reticently agree that it might be possible to find ways to compromise non-privileged users/objects in Active Directory and end by saying - "If you find a path with no obstacles, it probably leads somewhere!"


Defense

In regards to defense, the best today's Microsoft can do is tell you that that their latest toy, Microsoft Advanced Threat Analytics (ATA) can detect recon methods used by newbie tooling like Bloodhound (which incidentally is massively inaccurate.)


Folks, what today's Microsoft is telling you about attack and defense, sounds like Baloney.


Sadly, I don't think they're doing it intently though, as it very well might be that they actually either have no one from the old-guard working on this, and/or the new guards truly have no idea about any of this, both of which are really scary scenarios!








The Actual Attack and Defense

Folks, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security.


Further, you also know that today not only does there lie an ocean of access privileges specified within Active Directory ACLs at almost every organization worldwide, but also because Active Directory lacks the ability to adequately help organizations find out who actually what access in Active Directory, for so many years, most organizations have been operating in the dark, and today there likely exist thousands of privilege escalation paths leading to all kinds of privileges, including to privileged users.

By the way, it is now seventeen (17) years since Active Directory has been around, and even though this attack surface has existed since then, it is only now that a few enthusiasts are starting to realize what a gold-mine of information Active Directory is, and just how many privilege escalation paths one could find to just about everything in Active Directory. In fact, some of these enthusiasts may have gotten a little too excited and even released some infantile tooling, which I believe goes by the name Bloodhound, and lo and behold it is one of the hottest pen-test tools today, even though it is massively inaccurate!




Attack

Speaking of attack, the exploitation of excessive/unauthorized access specified in Active Directory ACLs, as illustrated here, summarized here, described here and a realistic example of which is shown here, is a very real and serious possibility today.


That's because in most Active Directory deployments worldwide, today there likely exist thousands of privilege escalation paths in Active Directory ACLs, just waiting to be found (and exploited (by the bad guys), or eliminated (by the good guys)) by anyone who has the skills or the tooling required to accurately perform effective permissions analysis in Active Directory deployments.


To illustrate how serious this is, here are 7 specific examples of Attack that involve the exploitation of Active Directory ACLs -
  1. The complete compromise of an organization's entire workforce's credentials, by an unauthorized individual, such as an intruder or a rogue insider, enactable by the use of the hacking tool Mimikatz DCSync which involves requesting and retrieving the secrets (passwords) of the entirety of an organization's domain user accounts, is possible (and can only be made possible) if that unauthorized individual has sufficient Get-Replication-Changes-All effective permissions in the Active Directory ACL of the target Active Directory domain's domain root object. 

  2. The complete compromise of an organization's Active Directory privileged domain user accounts and security groups, such as the Administrator account, the Domain Admins group etc., involving an unauthorized password reset and/or a group membership change etc., is possible if that unauthorized individual has sufficient Write-Property (member or blanket), effective permissions or Reset-Password Extended Right effective permissions in the Active Directory ACL of the target Active Directory domain's unique AdminSDHolder object.

    An Important Note: AdminSDHolder protection only protects the members of those default Active Directory administrative groups that it is intended to cover, and it does so transitively.

    However, if any security principals other than those that fall under the AdminSDHolder protection, were to be granted any kind of access in the AdminSDHolder object's ACL, then those security principals would NOT be protected by AdminSDHolder protection, and THAT opens up the possibility of there existing privilege escalation paths from non-privileged users to privileged users protected by AdminSDHolder.

    Many organizations do modify the default AdminSDHolder object's ACL for various reasons, such as to implement their own custom delegations, configure or lockdown access to privileged users etc.
  3.   
  4. The complete compromise of the majority of an organization's Active Directory content, i.e. all of their domain user accounts, computer accounts, domain security groups, containers, OUs, service connection points etc. whose Active Directory ACL is not marked Protected, by an unauthorized individual, is possible if that unauthorized individual has sufficient Modify Permissions effective permissions in the Active Directory ACL of any large or Top-level Organizational Unit (OU), or on the domain root, because it would allow the unauthorized individual to make a single malicious change and leverage permission inheritance to obtain full control over the entirety* of all objects whose Active Directory ACLs will end up inheriting that malicious ACL change. 

  5. A massive (even if temporary i.e. ranging from a few hours to a few days) denial-of-service (DoS) attack on virtually an organization's entire IT infrastructure, their entire workforce and their ability to do business, made possible by something as simple as the deletion of a top-level Organizational Unit (OU) by an unauthorized individual, is possible if that unauthorized individual has sufficient Delete* (details) effective permissions in the Active Directory ACL of that OU.

  6. The identity theft and thus compromise of organizational users, involving a password reset of their domain user accounts by an unauthorized individual, is possible if that unauthorized individual has sufficient Reset-Password Extended Right effective permissions in the Active Directory ACL of the victim's Active Directory domain user account. This could also be used to in effect escalate privilege in Active Directory, and there could possibly exist privilege escalation paths leading from a non-privileged user to highly privileged users, in effect also providing a perpetrator system-wide command and control over an organization's IT infrastructure.

    An Important Note: Organizations that may have various kinds of multi-factor authentication (MFA) in place, such as Smartcards for domain user accounts, should note that if an unauthorized individual has sufficient Write-Property (either blanket, or for the appropriate attribute) effective permissions on a user's domain account, then he/she could easily turn MFA off on the account, in which case, the account's security will fallback to being password based ( i.e. a system-generated random password) and a password reset (assuming the perpetrator also has sufficient effective permissions to do so) would then allow the unauthorized individual to effortlessly steal its identity, i.e. effectively take over that account.

  7. A critical denial-of-service (DoS) attack aimed at disrupting one or more possibly mission-critical applications, such as Microsoft Exchange, Centrify Server Suite, Microsoft Rights Management Server, Microsoft Group Policy, Microsoft Terminal Server, Microsoft Azure, Quest Active Roles Server, Quest Change Auditor, Quest InTrust, Quest Privileged Password Manager, BeyondTrust PowerBroker for Windows, Citrix XenApp and XenDesktop, IBM DB2, to name a few, that rely on the use of Service Connection Points in Active Directory, by an unauthorized individual, is possible if that unauthorized individual has sufficient Write-Property (keywords or Blanket) effective permissions in the Active Directory ACL of one or more of the Service Connection Points of that specific mission-critical application.

  8. A massive cyber security breach in which an unauthorized individual, such an intruder, a disgruntled or rogue insider, an APT, a compromised delegated admin/service account etc., is able to obtain access to and leak/divulge, exfiltrate, tamper or destroy literally any (some, or all) organizational IT resource of his/her/their choice, such as a specific file, folder, database, server, application etc., or thousands thereof, is possible if that unauthorized individual simply has Write-Property (member or blanket) effective permissions in the Active Directory ACL of the specific domain security group (, such as All EmployeesBlueprint Access Group, Email Servers, Project Windham Group, etc.) in Active Directory that is currently gating access to that organizational IT resource, as this would allow that individual to add any domain account under his/her control to the membership of this domain security group and subsequently instantly and legitimately gain unrestricted access to the target organizational IT resource.

Note: In each case above, in lieu of the effective permissions mentioned above, it would alternatively be sufficient for the unauthorized individual to have Modify-Permissions effective permissions of Modify-Owner effective permissions in the ACL of the involved target Active Directory objects.

I could give many more examples, but to the wise a hint is enough, and I've given you 7 concrete examples of just how much damage an unauthorized individual who possesses various levels of unauthorized access in Active Directory ACLs, could do.

The reality is that literally anything and everything in Active Directory could be a target - The Active Directory Attack Surface


Now, that said, let's talk about Defense.





Defense

Take a deep breath of calm because this risk can be actually be easily, swiftly and completely eliminated by organizations.


The truth of the matter is that even though the serious cyber security risk posed by the potential exploitation of the vast number of excessive/unauthorized privilege access grants that are today specified in billions of Active Directory ACLs across thousands of Active Directory deployments, likely poses a clear and present danger to organizational cyber security worldwide, this risk can actually be easily, swiftly and completely eliminated by organizations, leaving no opportunity on the table for perpetrators.


How, you ask?  Keep reading...

A Small Digression
To understand how to mitigate this risk, we need to understand what caused this risk in the first place.


For years now, organizations have been leveraging Active Directory's precise administrative delegation / access provisioning capability to delegate/provision all kinds of access in Active Directory to fulfill business needs.  
While Active Directory makes it very easy to precisely delegate/provision access, unfortunately, it completely lacks the capability to help precisely assess/audit the actual resulting access that ends up getting implemented, and thus organizational IT personnel / AD admins have no way of being able to precisely a) verify the accuracy of their delegations or b) audit who actually has what access provisioned in Active Directory at any point in time.
Further, 3 factors contribute to exacerbating the situation -
  1. Active Directory's security model is quite rich and powerful, and thus complex, since it has almost a dozen generic security permissions and five dozen special security permissions (known as extended rights), and further, because mechanisms like inheritance of permissions involve and require precedence orders, applicability etc. all of this makes it difficult to determine the actual access implemented in Active Directory.

  2. A majority of all access specified in Active Directory is specified for security groups (as it should be), which given the possibility of group nesting, and often to multiple levels, further complicates not only who all might be ending end up with all kinds of access, but also trying to find out who actually has what access, especially since the membership of any of these groups could be changed by so many others, anytime.

  3. Considering the above, the slightest change made in even one place in Active Directory, such as in the ACL of a top-level OU, or the membership of even a single mid-level nested domain security group, could easily end up changing the actual state of access in Active Directory quickly & in many cases substantially.

Consequently, though organizations have been delegating/provisioning access in Active Directory for years now, they have almost never had the means or the opportunity to be able to accurately audit the actual existing state of access in Active Directory, and in light of the above, considering that in most Active Directory domains there may thus far have been 1000s of changes made, there likely exists a vast amount of excessive / unauthorized access, and no one actually knows exactly who can do what in their Active Directory deployments.
End of Digression.

The reason there exists vast amounts of excessive/unauthorized access in Active Directory is that organizations don't have the means to easily and correctly audit/assess who is actually i.e. effectively delegated/provisioned what access in Active Directory.

In order to be able to correctly do so, all that organizations need is the ability to be able to accurately, adequately and efficiently determine exactly who has what effective permissions/access in Active Directory, on a per-object basis, & ideally domain-wide.

By "adequately", I mean that given an Active Directory object, organizations should be able to easily determine a) the complete set of effective permissions provisioned on it, b) as well as the complete list of individuals that have these effective permissions, and c) HOW each one of these individuals is getting these effective permissions, as that data is needed to lock-down access.

Unfortunately, this capability does not seem to natively exist in Active Directory, so most organizations have just been performing basic Active Directory Permissions Audits, which are almost useless, and as a result, no one really knows exactly who can do what in Active Directory!

Over the years, this has resulted in a substantial amount of excessive/unauthorized access in Active Directory, which is best evidenced by the fact that even a tool as massively inaccurate as Bloodhound is able to find so many privilege escalation paths!


That said, here's Defense -

Conceptually, to defend against these attacks, all that organizations require is the ability to be able to accurately and adequately determine Active Directory Effective Permissions on their Active Directory objects, as this will give them a correct picture of who can actually do what on these objects, and show them how these users have such access today, and thus enable them to know exactly which security permissions to tweak in the ACLs of which Active Directory objects, and/or which group memberships to tweak, to lockdown any and all excessive / unauthorized access that is currently provisioned on their Active Directory objects.

Again, by "adequately", I mean that, given an Active Directory object, organizations should be able to determine a) the complete set of effective permissions provisioned on it, b) as well as the complete list of individuals that have these effective permissions, and c) HOW each one of these individuals is getting these effective permissions, as that data is needed to lock-down access.





A Simple 3-Step Defense Process

To defend against these attacks, this simple 3-step process is all that organizations need to perform -

  • Step 1 - Perform an Active Directory Effective Privileged Access Audit. This is a simple audit that involves the accurate determination of effective permissions/access in Active Directory, and it is the correct way to identify exactly who actually i.e. effectively has what access (anywhere and everywhere) in an Active Directory domain.

  • Step 2 - Analyze the results of this audit to identify all such users who currently possess any kind of access in Active Directory that they should NOT ideally be in possession of. Also identify where they currently possess such access.

  • Step 3 - For each such user identified in the analysis of Step 2, for each object on which they have such identified access, further analyze the results of this audit to additionally identify the HOW i.e. the underlying permissions in the ACL of the object that are entitling them to such effective access. Then, use this information to appropriately tweak the underlying ACL or the involved group membership to revoke all such identified excessive / unauthorized access.

In essence, in Step 1 we accurately determine object-specific/domain-wide effective permissions/access, in Step 2 we analyze these results to identify all "unauthorized access" and the underlying permissions in Active Directory ACLs that cause them, and in Step 3 we use this data to tweak these permissions in the ACLs (, or group memberships,) to lockdown Active Directory.

That's it!

For an illustrative step-by-step example that shows how to follow these
steps on a specific Active Directory object, see section IX of this post.



A Simple Example

If I had more time at hand, I would've shown you exactly how to do so, domain-wide. Since I don't, I'll share a quick example.

Lets assume that your organization wants to ensure that no one can make an unauthorized group membership change to any of the thousands of domain security groups in your Active Directory that are being used to protect the entirety of your IT resources.


To do so, technically what you need to do is accurately determine effective permissions on every domain security group in your Active Directory to find out who has Write-Property Member effective permissions on each one of these domain security groups.

Now, this in itself might seem like a herculean undertaking, and it is, but with the involved tooling, you can easily get it done.

Once you've done so, you'll have the accurate technical data that shows you exactly who can change the group membership of each one of your domain security groups in Active Directory, and once you have this insight, you'll be able to identify exactly how many individuals can currently enact this task versus how many should ideally be able to do so, and thus you'll be able to easily identify all such individuals who are not supposed to be able to do so, but nonetheless are able to do so today i.e. you'll be able to identify all users who possess "unauthorized access" as it pertains to this example.

Once you have identified all such users who possess this "unauthorized access", if you know which underlying permissions in the Active Directory object's ACLs are entitling them to this unauthorized access (and you will have this data if you perform the above mentioned audit, because the involved tooling will provide it to you), you can now tweak either the permissions or the membership of the domain security groups to which these permissions are granted, as needed, to revoke this unauthorized access, and in this manner, you can easily, efficiently and provably lockdown the access granted in Active Directory.

An Effective Privileged Access Audit is thus a simple, logical and straight-forward process that involves enacting the above to help organizations easily and accurately obtain the insight they need to identify unauthorized access in Active Directory.

One last thing - wouldn't it be nice if instead of having to determine who has what effective permissions in terms of technical Active Directory permissions (e.g.  Write-Property Member), we could just obtain this information in terms of administrative access entitlements i.e. in terms of who can enact what administrative tasks (e.g. Who can change a group's membership)?

I happen to think so, because security is best kept simple, and we humans can think about and analyze situations described in terms of administrative tasks much better than we can do so in terms of arcane technical permissions. In this regard, the tooling involved in such an audit is designed to deliver this insight in terms of administrative tasks rather than technical permissions. Of course, should you also like the data in terms of technical permissions, the involved tooling can certainly deliver that as well.

Thus, as it pertains to this example, an Effective Privileged Access Audit will deliver the following data to you - a complete list of all individuals who can change domain security groups in our Active Directory, the exact identity of each domain security group whose membership they can change, and the exact underlying security permission in the ACL of that domain security group that entitles this user to being able to change its membership. Armed with this valuable insight, we can easily and completely lockdown Active Directory vis-à-vis this example, in a matter of days.

End of Example.


A comprehensive Effective Privileged Access Audit will thus empower your organization to easily, efficiently and accurately determine the entirety of access that is currently provisioned/delegated in your Active Directory, i.e. it will span finding out who can do what concerning account management, group management, OU and Container management, SCP management, Directory Services management etc. and do so in a matter of hours, not months, and thus it will get you the data you need to adequately lockdown your Active Directory, and in doing so enable your organization to swiftly, measurably and demonstratably attain and maintain least privileged access in Active Directory.

Any organization or individual who needs additional information or clarity into this process may be feel free to contact us. Our technical specialists will be happy to help you adequately understand this process, our compliments (i.e. free of charge.)



So you see, this is all we need to do, and once we've done this, there will be no unauthorized access left in our Active Directory, no matter how large it is, and there will be no unknown privilege escalation paths left for perpetrators to find and exploit. None!


Let me repeat that. Once you've done this, there will be no unauthorized access left in your Active Directory. None... 
Zero!      нуль, nul, صفر , 零,Null, μηδέν, ʻole, אֶפֶס , शून्य, ゼロ,제로, nihil, sero !

This is all that organizations need to do to easily, efficiently and accurately identify and lockdown all unauthorized access in Active Directory. From that point on, you'll want to maintain this least privileged access state by performing regular audits.


So, what tooling is needed to perform an Active Directory Effective Privileged Access Audit?  You're going to need this & this.

In fairness, to be totally objective, strictly speaking you can use any tool that can help you accurately and adequately determine effective permissions in Active Directory, at a minimum on a per-object basis, and ideally domain-wide (unless you have years to solve this problem). I only mentioned those two tools because those are the only tools that I know of that can help do this.




In Summary

The potential exploitation of the vast amount of excessive/unauthorized access that exists in billions of Active Directory ACLs worldwide today is a serious challenge that 1000s of organizations face because it impacts their foundational cyber security.

Fortunately, with the right guidance, tooling and executive support, it can be quickly, efficiently and completely addressed.


Here's what we at Paramount Defenses believe -
"We at Paramount Defenses care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to organizations worldwide that operate on Active Directory. Be rest assured that Active Directory is a highly robust, trustworthy and securable technology, and here is exactly how organizations can easily, adequately and reliably identify and lock-down privileged access in their foundational Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

Lastly, I know that I make it sound so simple, but in reality, this is a very difficult problem to solve, and without the ability to be able to obtain accurate effective access insight, which in turn requires the right tooling, it really is almost impossible to solve.

As for the right tooling, building it requires vision, a deep understanding of the subject, and years to build, test and perfect.

Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation


PS: I could've easily communicated all of this in just a simple Executive Summary, and we did - its called The Paramount Brief. In fact, last year, we had even FedEx overnighted it to the CEOs, CFOs and Chairmen of the Top-200 organizations worldwide, and FedEx tracking helped ensure that they all received it. They've all been informed. I even shared it with Microsoft (MSRC).

PS2: To my friends at Microsoft - "This only took a decade of vision, persistence, grit and laser-focused execution to address."

PS3: If you liked this post, you're likely going to love the next few posts.