Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Monday, June 19, 2017

The Top-5 Cyber Security Risks to Active Directory Deployments (Day-5)

Dear Microsoft,

Today is Day-5 of our advanced Active Directory Security school for you. Since you've been busy trying to address risks posed by credential-theft attacks, and making paradigm shifts, you may likely have forgotten about the top risks to Active Directory.


So, today, I'll educate you about the Top-5 security risks that most Active Directory deployments are likely vulnerable to today.



The Top-5 Security Risks to Active Directory Deployments

The following are the Top 5 security risks that most Active Directory deployments are likely exposed to today -

  1. The complete and instant compromise of the credentials of all domain user accounts, including those of all privileged users, enactable via Mimikatz DCSync, by any intruder/insider that has sufficient effective permissions to replicate secrets from Active Directory.

  2. The complete and instant compromise of all default Active Directory privileged user accounts and groups, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions on the AdminSDHolder object.

  3. The complete and instant compromise of most* IT assets stored in Active Directory, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions, resulting from wide-scoped insecure inheritable permissions.

  4. The complete and instant compromise of all Domain Controllers in the domain, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions to link a malicious GPO to the default Domain Controllers OU.

  5. The complete and instant compromise of specific IT assets stored in Active Directory, such as the CEO's user account, enactable via any AD mgmt. tool, by any intruder/insider that has sufficient effective permissions to do so.

[ Sufficient reasoning for what makes these risks the top 5 risks, as well as technical details, are furnished below. ]


It is vital to understand that a SINGLE occurrence of risk #1, #2 or #4 above (and, depending on the target, also of risk #3 or #5) could result in the compromise of the ENTIRE Active Directory deployment. This fact CANNOT be overstated.




But First, 5 Notable Points About These 5 Risks

Organizations that care about their foundational security may find the following points interesting to note -

  1. Not a single one of these risks requires or involves the use of any credential-theft technique (such as Pass-the-Hash, Kerberos Golden Tickets etc.), and none of the band-aid mitigations for credential theft can prevent an attacker from enacting these risks.

  2. Not a single one of these risks requires the attacker to compromise any computer whatsoever i.e. he/she need not compromise even a single Domain Controller, admin workstation, member server, employee laptop etc.

  3. Not a single one of these risks requires the attacker to have physical or system access to even a single Domain Controller, data center, admin workstation, or for that matter even a single copy of an Active Directory backup.

  4. Not a single one of these risks requires the attacker to possess tooling that is not freely available. Microsoft's native Active Directory management tools, and Mimikatz DCSync, all of which are freely available, are amply sufficient.

  5. Not a single one of these risks requires the attacker to be at a specific location. Each one of these risks can be enacted from anywhere in the world (HQ, branch, offshore) as long as the attacker has network access to your Active Directory.

All that an attacker needs to enact these risks is sufficient effective access i.e. Active Directory Effective Permissions.




Oh, and 2 Other Quick Points

For those who may wonder why these risks are higher than risks posed by the compromise of a Domain Controller or an admin workstation, or the risks posed by credential-theft techniques involving the compromise of Active Directory privileged users -

  1. Why are these risks higher than the risk posed by the compromise of a Domain Controller (DC) or an admin workstation? Because to compromise a DC or an admin workstation, one typically requires either unrestricted physical access to it and/or the ability to breach its system security, both of which are almost always more difficult to obtain than mere network access to Active Directory. Network access (in addition, obviously, to sufficient effective permissions) is all that a perpetrator needs to successfully enact any of these 5 risks to Active Directory.

  2. Why are these risks higher than the risk posed by the predominant credential-theft techniques involving the compromise of Active Directory privileged users? Because we are focused on mature, defendable IT environments, wherein organizations have either largely eliminated or minimized the possibility of such credential-theft attacks, or are in a position to detect their occurrence (via technologies such as Microsoft ATA) and thwart them. Speaking of which, may I suggest reading this.


And now...



An Objective, Formal Risk-Management based Substantiation of these Top-5 Risks -



1. Complete and Instant Compromise of the Credentials of All Domain User Accounts -

  • Asset at Risk – Credentials of all Active Directory domain user accounts (including those of all privileged users)
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – Active Directory domain root object
  • Enabler – Anyone who effectively holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights (displayed as "Replicating Directory Changes" and "Replicating Directory Changes All"; referred to below by the latter's common short name Get-Replication-Changes-All) on the domain root object is allowed to, and thus can, replicate all data including secrets (i.e. password hashes) from Active Directory, exactly as a Domain Controller does
  • Exploitation Procedure – DCSync feature of the Mimikatz tool
  • Difficulty – Minimal
  • Impact – Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that only the smallest number of most highly trustworthy IT personnel (and, of necessity, the Domain Controllers themselves) have the Get-Replication-Changes-All effective permissions granted on the domain root object in Active Directory
  • Risk Assessment – To find out exactly who can enact this risk, audit Active Directory effective permissions on the domain root object to find out exactly who all effectively have the Get-Replication-Changes-All right granted today
  • Detection – Potentially possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will likely already have been done
  • Additional Info - Here



2. Complete and Instant Compromise of All Default Active Directory Privileged Domain User Accounts and Groups -

  • Asset at Risk – All default Active Directory privileged/administrative domain user accounts and security groups (e.g. Administrators, Domain Admins, Enterprise Admins, Server Operators, Print Operators, Account Operators etc.)
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – AdminSDHolder object in Active Directory
  • Enabler – Anyone who possesses any one of various modify effective permissions (WP, WD, CR, FC, i.e. write property, write DACL, control access / extended rights, full control; write owner leads to the same outcome) on the AdminSDHolder object is allowed to, and thus can, manage all default Active Directory privileged accounts and groups, because the SDProp process periodically (every 60 minutes by default) copies the AdminSDHolder ACL onto every protected account and group
  • Exploitation Procedure – Use native Microsoft Active Directory management tooling (e.g. ADUC etc.) to maliciously enact an authorized administrative task such as a password reset or a group membership change
  • Difficulty – Minimal
  • Impact – Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that only the smallest number of most highly trustworthy IT personnel have modify (WP, WD, CR, FC) effective permissions granted on the AdminSDHolder object in Active Directory
  • Risk Assessment – To find out exactly who can enact this risk, audit Active Directory effective permissions on the AdminSDHolder object to find out exactly who all effectively have various modify effective permissions granted today
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here



3. Complete and Instant Compromise of Most IT Assets Stored in Active Directory -

  • Asset at Risk – Almost all Active Directory content, i.e. all Active Directory objects whose ACLs are not marked Protected (that is, all objects that still inherit permissions from their parents), such as domain user accounts, security groups, computer accounts, OUs, SCPs etc. 
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – The entire Active Directory
  • Enabler - Anyone who ends up being entitled to any one of various modify (WP, WD, CR, FC) effective permissions on any object in Active Directory is allowed to, and thus can manage that Active Directory object. A single incorrectly specified (whether accidentally or intentionally) inheritable security permission specified at the domain root or at a top-level OU could impact the effective permissions on thousands of Active Directory objects in that domain/OU. 
  • Exploitation Procedure – Use native Microsoft Active Directory management tooling (e.g. ADUC etc.) to maliciously enact an authorized administrative task such as a password reset or a group membership change
  • Difficulty – Minimal
  • Impact – High to Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that all access provisioned in Active Directory adheres to the principle of least privilege, so as to ensure that net resulting effective permissions / effective access on all Active Directory objects only permits authorized personnel to enact administrative tasks on these objects
  • Risk Assessment – To find out exactly who can enact this risk, perform a domain-wide Effective Privileged Access Audit in Active Directory to find out exactly who can enact which privileged/admin tasks where in Active Directory
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here



4. Complete and Instant Compromise of All Domain Controllers in the Domain -

  • Asset at Risk – All Domain Controllers in an Active Directory domain 
  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – The default Domain Controllers organizational-unit (OU) in Active Directory
  • Enabler – Anyone who has sufficient effective permissions (write property on the gPLink and gPOptions attributes, or broader rights that include them) to modify the list of Group Policy Objects (GPOs) linked to the default Domain Controllers OU in Active Directory is allowed to, and thus can, link a GPO to that OU. The linking of a single weak or malicious GPO to the default Domain Controllers OU could weaken the system security of all DCs in that domain, and be used to easily obtain administrative command and control over all DCs (e.g. via a startup script, scheduled task or user-rights change delivered by the GPO). Note that the perpetrator must also be able to create, or edit, the GPO being linked. 
  • Exploitation Procedure – Use native Microsoft Active Directory management tooling (e.g. ADUC etc.) to link a weak or malicious GPO to the default Domain Controllers OU
  • Difficulty – Minimal
  • Impact – Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that only the smallest number of most highly trustworthy IT personnel have sufficient effective permissions to be able to link GPOs to the default Domain Controllers OU in Active Directory
  • Risk Assessment – To find out exactly who can enact this risk, audit Active Directory effective permissions on the default Domain Controllers organizational unit (OU) object to find out exactly who can link GPOs to this OU
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here



5. Complete and Instant Compromise of Specific IT Assets Stored in Active Directory -

  • Asset at Risk – Almost all Active Directory content, such as all domain user accounts (including any executive and non-default privileged user accounts), security groups, computer accounts, OUs, SCPs etc.

  • Asset Examples –  The following are a few simple illustrative examples of such assets:

    1. The domain user account of a non-default highly privileged user, one that is not protected by AdminSDHolder, yet possesses Domain-Admin equivalent privilege in Active Directory based on custom access provisioning
    2. The domain user account of an organizational executive (e.g. Chairman, CEO, CFO, CIO, CISO, VP etc.)
    3. A large membership domain security group such as All Employees, or (all) Domain Computers etc.
    4. The domain computer account of a specific computer, such as a high-value email, app or database server
    5. A top-level Organizational Unit that contains thousands of users, computers, groups and other objects
    6. A service connection point (SCP) of a mission-critical Active Directory integrated service/app

  • Threat Source – Any sufficiently privileged intruder (hacker, APT etc.) / insider (disgruntled, rogue or coerced user)
  • Attack Surface – The entire Active Directory
  • Enabler - Anyone who ends up being entitled to any one of various modify (WP, WD, CR, FC) effective permissions on any object in Active Directory is allowed to, and thus can manage that Active Directory object. A single incorrectly specified security permission (inherited or explicit) in an Active Directory object's ACL could substantially impact the actual resulting effective permissions entitled on that object, resulting in unauthorized effective access on the object.
  • Exploitation Procedure – Use Microsoft's Active Directory management tooling (e.g. ADUC etc.) to enact an (un-)authorized administrative task such as a malicious password reset, a group membership change, a user account creation, a computer account delegation change, an OU deletion, a service connection point keyword change etc.
  • Difficulty – Minimal
  • Impact – High to Very high
  • Likelihood / Probability of Occurrence – High
  • Physical / System Level Access to DC Required – No
  • Resources Required – Network access to Active Directory + Sufficient Effective Permissions in Active Directory
  • Mitigation / Prevention – Ensure (at all times) that all access provisioned in Active Directory adheres to the principle of least privilege, so as to ensure that net resulting effective permissions / effective access on all Active Directory objects only permits authorized personnel to enact various administrative tasks on those objects
  • Risk Assessment – To find out exactly who can enact this risk, either audit Active Directory effective access on all vital objects in Active Directory (e.g. all exec accounts, sensitive groups, large OUs etc.) one by one, or perform a tree-wide effective privileged access audit to find out exactly who all can enact which admin tasks on these objects
  • Detection – Possible via use of Active Directory auditing. However, detection is hardly useful because by the time an audit event/notification is generated / acted upon, substantial damage will most likely already have been done.
  • Additional Info - Here
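As an added example (not code from the original post) of the detection that the five entries above describe as possible via Active Directory auditing: a small rule set for Security events 4662 and 5136, run over constructed sample records. It assumes the DCs' audit policy emits 4662 (Directory Service Access) with a SACL on the domain root covering the replication control-access rights, and 5136 (Directory Service Changes) with SACLs on AdminSDHolder and the Domain Controllers OU; the domain name, DC names and user names are made up.

```powershell
# Added example, not the post's own code. Rules for risks #1, #2 and #4 above,
# applied to constructed 4662/5136 records (field names follow the Security
# log's EventData schema). Domain, DC and user names are assumed.
$DomainDn        = 'DC=corp,DC=example'
$DcOuDn          = "OU=Domain Controllers,$DomainDn"
$AdminSdHolderDn = "CN=AdminSDHolder,CN=System,$DomainDn"
$KnownDcs        = @('DC01$', 'DC02$')   # live: (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function ConvertFrom-SecurityEvent {
    # Flatten a live EventLogRecord's EventData into a hashtable keyed by field name,
    # so the same rules run on Get-WinEvent output and on the samples below.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $x = [xml]$Record.ToXml()
    $h = @{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Test-RiskEvent {
    # Return an alert string if the record matches risk #1, #2 or #4, otherwise $null.
    param([hashtable]$Event)
    switch ($Event.Id) {
        4662 {
            # Risk #1: a replication control-access right exercised by something that is
            # not a known DC. 4662 lists the GUIDs of the rights used in its Properties
            # field; ObjectName may be a DN or %{objectGUID}, so it is not keyed on here.
            $used = $ReplicationGuids | Where-Object { $Event.Properties -match $_ }
            if ($used -and ($Event.SubjectUserName -notin $KnownDcs)) {
                return "RISK1 replication (DCSync-style) by $($Event.SubjectUserName) [$($used -join ', ')]"
            }
        }
        5136 {
            # Risk #2: any write to AdminSDHolder; SDProp copies it to every protected account/group.
            if ($Event.ObjectDN -eq $AdminSdHolderDn) {
                return "RISK2 AdminSDHolder.$($Event.AttributeLDAPDisplayName) modified by $($Event.SubjectUserName)"
            }
            # Risk #4: gPLink/gPOptions rewritten on the Domain Controllers OU.
            if (($Event.ObjectDN -eq $DcOuDn) -and ($Event.AttributeLDAPDisplayName -in @('gPLink', 'gPOptions'))) {
                return "RISK4 DC OU $($Event.AttributeLDAPDisplayName) changed by $($Event.SubjectUserName): $($Event.AttributeValue)"
            }
        }
    }
    return $null
}

# Constructed sample records (not real log data): a DC replicating normally, a user
# replicating (DCSync), a DACL write on AdminSDHolder, and a new GPO link on the DC OU.
$SampleEvents = @(
    @{ Id = 4662; SubjectUserName = 'DC02$';   AccessMask = '0x100'
       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    @{ Id = 4662; SubjectUserName = 'jsmith';  AccessMask = '0x100'
       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    @{ Id = 5136; SubjectUserName = 'jsmith';  ObjectDN = $AdminSdHolderDn
       AttributeLDAPDisplayName = 'nTSecurityDescriptor'; AttributeValue = 'O:DAG:DAD:PAI(A;;GA;;;S-1-5-21-1111-2222-3333-1105)' }
    @{ Id = 5136; SubjectUserName = 'gpoadmin'; ObjectDN = $DcOuDn
       AttributeLDAPDisplayName = 'gPLink'
       AttributeValue = "[LDAP://cn={e4a7b8c2-2f3d-4a1e-9b6c-0f1d2e3a4b5c},cn=policies,cn=system,$DomainDn;0]" }
)

foreach ($e in $SampleEvents) { $alert = Test-RiskEvent -Event $e; if ($alert) { Write-Output $alert } }

# Live use on a DC (same rules):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662, 5136 } |
#     ForEach-Object { Test-RiskEvent -Event (ConvertFrom-SecurityEvent -Record $_) } | Where-Object { $_ }
```

The DC02$ record is deliberately not reported, which is also the rule's weak spot: a perpetrator who has compromised a computer account, or who registers a fake DC, passes the known-DC check, and, as the entries above note, by the time any of these alerts is acted upon the replication or ACL change has already happened. The rules are therefore a backstop to the effective-permissions audit, not a substitute for it.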



So Microsoft, there you have it. These are the actual and REAL Top-5 cyber security risks that almost all Active Directory deployments worldwide (including possibly yours) are likely exposed to today. You may want to read this many times over.

BTW, for anyone who needs it, an Executive Summary of the above (in PDF format) can be downloaded from here.



Summary

Today I just wanted to share with Microsoft and the whole world the actual Top-5 cyber security risks that most Active Directory deployments worldwide are substantially exposed to today (most organizations may not even know that they're exposed).


In light of the above, I would also encourage folks worldwide to first read the above (with attention to detail, and in its entirety) and then read the following 3 insightful posts, and you'll see why I believe Microsoft doesn't seem to have a clue -
  1. 30 Days of Advanced Active Directory Security School for Microsoft

  2. A Trillion $ Cyber Security Question for Microsoft regarding Defending Active Directory

  3. How Well Does Microsoft Really Understand Cyber Security?

If you still need a hint, I'll give you one - in factually and objectively describing the Top-5 security risks to Active Directory, how many times did I need to use the term "effective permissions" above? In contrast, when you read the 3 linked posts pointed to above, make a note of and compare how many times Microsoft has educated the world about the term "effective permissions."


Microsoft, you'll want to read this (50 times) and absorb it like a sponge absorbs water - Active Directory Effective Permissions.


Alright, Microsoft, this is it for today. Later this week we shall continue with Day-6 of our advanced Active Directory Security school for you, during which I'll cover another fascinating trillion $ topic for you and the world - you likely won't want to miss it.

Best wishes,


PS: I've been meaning to do this on a daily basis, but given my responsibilities (i.e. a global cyber security company to head), time is difficult to take out, thus the delay. That said, if this weren't vital to global security, I wouldn't be wasting my time on it.

Monday, June 12, 2017

The Active Directory Attack Surface (Day 4)

Dear Microsoft,

Today is Day-4 of our advanced Active Directory Audit School for you. Today, I'll help you better understand the Active Directory attack surface, and because my time's valuable, I'll focus on the two specific areas that you don't seem to understand too well.
(If you want to know why I think that you don't understand them that well, just read the post and the PS section that follows.)


The Active Directory Attack Surface


As most organizations know today, the Active Directory attack surface is primarily comprised of 5 components -

1. Domain Controllers
2. Active Directory Backups
3. Active Directory Administrative Accounts and Security Groups
4. Administrative Workstations used by Active Directory Administrative Personnel
5*. Last but not the least, unique to Active Directory, Administrative Delegations / Ocean of Security Permissions

* Note: Strictly speaking, if administrative delegations were implemented perfectly, their compromise could result in substantial damage but could not result in the compromise of Active Directory itself. However, because in reality the implementation of administrative delegations at most organizations worldwide is far from perfect, realistically speaking the compromise of administrative delegations can easily result in the compromise of Active Directory.

Suffice it to say that if a perpetrator can compromise any one of the above, he/she can compromise Active Directory.




Rationale

Here's why these five components constitute the Active Directory Attack Surface -


  1. Domain Controllers (DCs) - The protection of DCs is of utmost importance because the compromise of even a single DC is tantamount to a compromise of the entire Active Directory, considering that Active Directory is hosted on DCs.

  2. Active Directory Backups - The protection of physical Active Directory backups is equally important because should a perpetrator be able to obtain physical access to such a backup, with the right tooling, he/she could extract the credentials of all accounts from the backup, including of course, the credentials of all privileged accounts, resulting in a compromise.

  3. Active Directory Administrative Accounts and Security Groups - The protection of all Active Directory Administrative Accounts and Security Groups is of utmost importance, because the compromise of a single such Active Directory privileged user account or security group could instantly result in the compromise of the entire Active Directory.

  4. Administrative Workstations used by Active Directory Administrative Personnel - The protection of all computers used by all Active Directory administrative/privileged users is of equal importance as well, since their compromise could be used to have malicious code designed to compromise Active Directory, be easily executed in a privileged context.

  5. Administrative Delegations / Ocean of Security Permissions in Active Directory - The need to ensure that all administrative delegations done in Active Directory and all access provisioned in Active Directory adhere to the principle of least privilege is also of utmost importance, as even a single excessive/unauthorized delegation / security permission could instantly give perpetrators the opportunity to easily gain complete command and control over Active Directory.

Since Microsoft's Active Directory Security guidance adequately covers #1, #2 and #4 above, in the remainder of this post we will focus on certain aspects of #3 and an overview of #5, especially considering that Active Directory ACLs are rapidly becoming the focus of topics like Persistence in Active Directory, and are being targeted by amateur pen-testing tools like BloodHound (which incidentally is substantially inaccurate) and other such Active Directory ACL analysis tools.




Speaking of the Attack Vectors to Active Directory Administrative/Privileged Accounts and Security Groups

It is a well known fact by now that Active Directory administrative (privileged) domain accounts (and groups) are target #1 for perpetrators (because their compromise instantly provides domain-wide root access), as evidenced by the fact that 100% of all major recent cyber security breaches involved the compromise and misuse of an Active Directory privileged user account.



Speaking of Active Directory administrative accounts and groups, there are 5 main attack vectors that are commonly used to try and compromise them -
  1. Credential guessing - This is an archaic approach that is seldom employed against individual accounts today because it is easily thwarted by the presence of simple security measures like domain account lockout policies (its surviving variant is low-and-slow password spraying across many accounts, which stays under lockout thresholds).

  2. Credential theft and re-use - This has recently been the predominant approach, and includes techniques like Pass-the-Hash (PtH) etc., most of which are becoming harder to enact as Microsoft improves the security of its operating systems and organizations employ various solutions to combat the use, efficacy and success rate of these attack vectors.

    Mass credential-theft, enabled by Mimikatz DCSync, remains a very serious threat, but it can be thwarted today by ensuring that only the smallest number of highly trustworthy accounts (besides the Domain Controllers themselves) effectively hold the replication rights on the domain root.

  3. User Impersonation - This approach primarily involves leveraging Kerberos delegation: a service trusted for (Kerberos) delegation can impersonate a client, and where the client happens to be an Active Directory administrative user or service account, the service can effectively impersonate that client across the network.

  4. Credential change (/reset) - This simple approach involves effecting a change in a user's credentials; the primary technique is simply resetting the user's password, a legitimate administrative task that can be enacted most easily as long as one has sufficient privileges (i.e. effective permissions) to do so.

  5. Entitlement misuse - As it pertains to administrative accounts and groups, this simple approach involves resetting user account passwords and/or modifying an administrative group's membership, legitimate administrative tasks that can be enacted most easily as long as one has sufficient privileges (i.e. effective permissions) to enact them. This is likely going to be the next predominant approach as perpetrators have started focusing their attention within Active Directory.

Of the 5 ways listed, #4 and #5 are most relevant today. Speaking of #4 and #5, i.e. credential change and entitlement misuse, consider that any individual who could enact any of the following tasks could instantly obtain admin access in Active Directory -


  1. Reset the password of any Active Directory administrative domain user account

  2. Modify the membership of any Active Directory administrative domain security group

  3. Modify the permissions protecting any Active Directory administrative domain user account

  4. Modify the permissions protecting any Active Directory administrative domain security group

  5. Modify the permissions protecting any Active Directory Organizational Unit in which a non-default administrative domain user account or domain security group resides (and there could easily be hundreds of such accounts in Active Directory.)

Again, suffice it to say that anyone who can enact any of the tasks above can instantly gain admin access over Active Directory.
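As an added example (not code from the original post): a PowerShell inventory of the ACEs behind tasks 1 to 4 above, and behind risks #1, #2 and #4 of the Day-5 post above (replication rights on the domain root, modify rights on AdminSDHolder, gPLink/gPOptions write on the Domain Controllers OU). It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and the standard schema GUIDs noted in the comments. As the post stresses, listing ACEs is not the same as computing effective permissions: the block expands group trustees so the report names accounts, but it does not evaluate deny ACEs, ownership, property-set scoping, or task 5 (OU-level permissions over non-default admins).

```powershell
# Added example (not the post's own code): enumerate the ACEs behind risks #1,
# #2 and #4 and the admin tasks 1-4, then expand group trustees to accounts.
# Needs the RSAT ActiveDirectory module. This is an ACE inventory, NOT an
# effective-permissions calculation (deny ACEs, ownership and property sets
# are not evaluated).
Import-Module ActiveDirectory

# Schema / extended-right GUIDs as they appear in an ACE's ObjectType field.
$Guid = @{
    GetChanges         = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
    GetChangesAll      = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
    GetChangesFiltered = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set
    ResetPassword      = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
    Member             = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute
    GpLink             = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'  # gPLink attribute
    GpOptions          = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'  # gPOptions attribute
}
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-RiskyAce {
    # Return every Allow ACE on $DistinguishedName that grants one of $Checks.
    # $Checks maps a label to @{ Rights = <ActiveDirectoryRights>; Guids = <ObjectType GUIDs>; empty Guids = any }.
    param([string]$DistinguishedName, [hashtable]$Checks)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An InheritOnly ACE is a template for children and grants nothing on this object itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        foreach ($label in $Checks.Keys) {
            $c = $Checks[$label]
            $rightsMatch = ($ace.ActiveDirectoryRights -band $c.Rights) -ne 0
            # An all-zero ObjectType means every attribute / every extended right (GenericAll ACEs look like this).
            $guidMatch = (-not $c.Guids) -or ($ace.ObjectType -eq [guid]::Empty) -or ($c.Guids -contains $ace.ObjectType)
            if ($rightsMatch -and $guidMatch) {
                [pscustomobject]@{ Object = $DistinguishedName; Risk = $label; Trustee = $ace.IdentityReference.Value
                                   Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Expand-Trustee {
    # Resolve DOMAIN\name to the accounts it stands for (groups expanded recursively).
    param([string]$Trustee)
    $name = $Trustee.Split('\')[-1]
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $obj) { return $Trustee }   # NT AUTHORITY\SYSTEM, unresolved SIDs, etc.
    if ($obj.ObjectClass -eq 'group') {
        return (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive -ErrorAction SilentlyContinue |
                ForEach-Object SamAccountName)
    }
    return $obj.Name
}

$domain  = Get-ADDomain
$root    = $domain.DistinguishedName
$targets = @(
    @{ Object = $root
       Checks = @{ 'Risk1-Replicate(DCSync)' = @{ Rights = $R::ExtendedRight
                                                  Guids  = @($Guid.GetChanges, $Guid.GetChangesAll, $Guid.GetChangesFiltered) } } }
    @{ Object = "CN=AdminSDHolder,CN=System,$root"
       Checks = @{ 'Risk2-ModifyAdminSDHolder' = @{ Rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty,WriteDacl,WriteOwner,ExtendedRight,GenericAll'
                                                    Guids  = @() } } }
    @{ Object = $domain.DomainControllersContainer
       Checks = @{ 'Risk4-LinkGPOtoDCOU' = @{ Rights = $R::WriteProperty
                                               Guids  = @($Guid.GpLink, $Guid.GpOptions) } } }
)
# Tasks 1-4: for every protected (adminCount=1) account and group, who can reset its
# password, change its membership, or rewrite its DACL / owner.
foreach ($p in (Get-ADObject -Filter 'adminCount -eq 1' -SearchBase $root)) {
    $targets += @{ Object = $p.DistinguishedName
                   Checks = @{ 'Task1-ResetPassword' = @{ Rights = $R::ExtendedRight; Guids = @($Guid.ResetPassword) }
                               'Task2-ChangeMembers' = @{ Rights = $R::WriteProperty; Guids = @($Guid.Member) }
                               'Task3/4-ChangeDacl'  = @{ Rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl,WriteOwner'; Guids = @() } } }
}

$report = foreach ($t in $targets) {
    foreach ($f in (Get-RiskyAce -DistinguishedName $t.Object -Checks $t.Checks)) {
        foreach ($acct in (Expand-Trustee -Trustee $f.Trustee)) {
            [pscustomobject]@{ Risk = $f.Risk; Object = $f.Object; Trustee = $f.Trustee; Account = $acct
                               Rights = $f.Rights; Inherited = $f.Inherited }
        }
    }
}
$report | Sort-Object Risk, Object, Account -Unique | Format-Table -AutoSize
```

Every account that appears under Risk1 can run DCSync against the domain; every account under Risk2 or Task1-4 can take over the default admin accounts and groups the next time SDProp runs, or immediately via a password reset or membership change. The Inherited column matters for the domain root and the DC OU: an inherited or inheritable grant there is usually the wide-scoped delegation mistake the Day-5 post describes under risk #3.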

Unfortunately, in most Active Directory deployments today, password resets and entitlement misuse remain the #1 real threat, as no one seems to have any clue as to exactly who can enact any of these simple administrative tasks, and as a consequence, most organizations are operating in the dark today.

There are two simple reasons for this - 1) Most organizations have yet to even start giving thought to this remarkably simple attack vector, and 2) of those that may have, most organizations do not know how to correctly analyze permissions on Active Directory objects, which is essential to making these simple yet paramount determinations.

Specifically, they may not know yet that what matters when making these determinations is not "who has what permissions in Active Directory", but "who has what effective permissions in Active Directory", and most simply stated, the difference between the two could be the difference between compromise and security!

Thus, when speaking of the Active Directory attack surface, the protection of admin accounts and groups, albeit vital, remains a weak area, and if left unaddressed, could leave the door WIDE open for perpetrators to gain admin access in Active Directory.

In days to come, I will be sharing a substantial amount of additional detail on this, so anyone interested may want to stay tuned.




The Largest Component of the Active Directory Attack Surface -
Administrative Delegations / Security Permissions

One could easily write a book on this single subject (and Microsoft, as you know, I actually did write a 400-page one on it, titled Microsoft's Best Practices for Delegating Active Directory Administration), yet this is the one area that unfortunately still remains largely unaddressed, and thus provides an OCEAN of opportunities for perpetrators to compromise organizational security.


You see, the most important part of Active Directory is its content, i.e. thousands of domain user accounts, computer accounts, security groups, group policies etc., which are the very building blocks of IT and cyber security today. The entirety of this content is protected by thousands of access control lists (ACLs), within which lie millions of access control entries (ACEs) that together (and not individually/separately) specify who has what permissions on these objects. It is this ocean of security permissions within each Active Directory that ultimately determines the true effective access provisioned in/across Active Directory, and today it comprises the vastest component of the Active Directory attack surface.

Putting it most simply, in addition to the default administrative accounts and groups that exist in Active Directory, and the default permissions that have been provisioned for them, over the years an extensive amount of administrative delegation and/or access provisioning has been done in most Active Directory deployments to fulfill various business needs. As a result, today substantially many more than just the default administrative accounts and groups have all kinds of access provisioned in Active Directory, yet no one knows exactly who actually (i.e. effectively) has what access, and where, in Active Directory.

Want the simplest example? Look no further than Mimikatz DCSync - by default only certain default admin groups have the Get-Replication-Changes-All extended right effectively granted on the domain root. However, a single intended (or unintended) administrative delegation / provisioned access could instantly end up granting this right to who knows how many individuals, and as a consequence, the accounts of any one of them could be used to compromise everyone's credentials within minutes!

It could have been something as simple as an admin trying to provision a single specific permission in Active Directory, Allow All Extended Rights on Descendant objects only on the domain root object, but accidentally provisioning Allow All Extended Rights on This object and all descendant objects instead. The difference is a single inheritance flag: the first ACE is marked inherit-only and grants nothing on the domain root itself, whereas the second also applies to the domain root, and since the replication rights are extended rights on the domain root, that one accidental click could jeopardize the entire organization's security! And this is merely one example. I could give you hundreds of such examples, wherein a single accidental or intentional misconfiguration of Active Directory security permissions could result in the existence of a HUGE hole.
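The two ACEs just described, built offline as an added example (not the post's own code) with the .NET DirectoryServices types, so that the flag difference is visible without touching a directory. The trustee name is assumed; the null GUID is what "All Extended Rights" becomes in an ACE's ObjectType field.

```powershell
# Added example (not the post's own code): the intended ACE versus the mistaken one.
# Runs offline; only the trustee name is made up.
Add-Type -AssemblyName System.DirectoryServices
$trustee = [System.Security.Principal.NTAccount]'CORP\Helpdesk-L2'     # assumed trustee
$allExtendedRights = [guid]::Empty                                     # ObjectType 0000... = every extended right
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# What the admin meant: "Descendant objects only" (ADUC's Applies-to wording)
$intended = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustee, $rights, $allow, $allExtendedRights,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

# What was actually clicked: "This object and all descendant objects"
$mistake = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustee, $rights, $allow, $allExtendedRights,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

function Test-AceAppliesToObjectItself {
    # An ACE carrying the InheritOnly propagation flag is a template for children
    # and grants nothing on the object whose ACL holds it.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    return (($Ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0)
}

function Test-GrantsReplicationOnRoot {
    # On the domain root, an Allow ExtendedRight ACE that applies to the object itself
    # and is scoped to all extended rights (null GUID) or to the replication right
    # hands out DS-Replication-Get-Changes-All, i.e. the DCSync prerequisite.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $replAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    return ($Ace.AccessControlType -eq $allow) -and
           (Test-AceAppliesToObjectItself -Ace $Ace) -and
           (($Ace.ActiveDirectoryRights -band $rights) -ne 0) -and
           (($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $replAll))
}

foreach ($ace in @($intended, $mistake)) {
    [pscustomobject]@{
        InheritanceType  = $ace.InheritanceType
        InheritanceFlags = $ace.InheritanceFlags
        PropagationFlags = $ace.PropagationFlags
        AppliesToRoot    = Test-AceAppliesToObjectItself -Ace $ace
        GrantsDCSync     = Test-GrantsReplicationOnRoot -Ace $ace
    }
}

# The same check applied to a live domain root (requires the ActiveDirectory module):
# (Get-Acl 'AD:\DC=corp,DC=example').Access | Where-Object { Test-GrantsReplicationOnRoot -Ace $_ }
```

Both rules carry ContainerInherit; what separates them is PropagationFlags, InheritOnly for the intended rule and None for the mistaken one, and that single flag is the difference between a helpdesk delegation and a DCSync grant. Note that the check is per ACE: it will also surface the Administrators, Domain Controllers and Enterprise Domain Controllers entries that are there by default, which is the correct baseline to compare against.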

Considering that by default Active Directory grants Authenticated Users blanket read access across Active Directory, literally anyone who knows anything about Active Directory security can use mere authenticated user access to analyze this ocean of security permissions and find thousands of vulnerabilities and privilege escalation paths, which can be easily exploited to inflict damage, and in many cases easily escalate privilege to that of a Domain Admin equivalent account.

In fact, the recently introduced BloodHound penetration testing tool leverages this exact authenticated user access to attempt to make this determination. Unfortunately, it is substantially inaccurate because it makes the same classic mistake that so many IT professionals in the world do i.e. it simply attempts to try and determine "who has what permissions" instead of trying to determine "who has what effective permissions" in Active Directory. (More on this tool's ludicrous inaccuracy in days to come.)

More pertinently, as evidenced by the emergence of such tooling, as Microsoft finally makes progress towards making most of today's predominant hacking/compromise avenues/attack vectors (e.g. Pass-the-Hash etc.) much more difficult to carry out, hackers seem to be rapidly shifting their focus, effort and attention on trying to learn more about and finding ways to exploit any weakness they can find in this ocean of Active Directory security permissions (and there are thousands to be found today.)

In essence, in virtually every foundational Active Directory deployment in the world, this vast ocean of security permissions in Active Directory presents a vulnerable attack surface the size of the Pacific ocean, and in light of the above, this worries us.

So, in days to come, I will also be sharing a substantial amount of detail on this, so anyone interested may want to tune in.





In Summary

To summarize, today I just wanted to help Microsoft and the world better understand what constitutes the Active Directory attack surface, and where organizations should really be focusing their energies if they truly want to protect their foundational Active Directory deployments (because as BloodHound, Mimikatz DCSync etc. show us, that is likely the next wave perpetrators are going to be focused on in the near future; apparently they're still learning, so there is still a little time before the tsunami hits.)

Alright then, that'll be it for today.

Best wishes,
Sanjay


PS: Dear Microsoft, consider this - in light of what I have shared above, the best you've got is baby tools like dsacls, acldiag, an (inaccurate and inadequate) Effective Permissions Tab, PowerShell etc. and you've given the world nothing in this area during the last entire decade, not even guidance, which is what prompted me to say this and ask this. Organizations trying to reduce (i.e. identify, lock-down and protect) the vastest part of their Active Directory attack surface (described above) with your native tools (or with any one of numerous woefully inadequate "Active Directory permissions audit" solutions out there) is like someone trying to accomplish a herculean task, one that actually requires Iron Man's skills and intellectual depth, but has to make do with Donald's (no not this one's, this one's) instead.

Monday, June 5, 2017

The Impact of an Active Directory Security Breach / Compromise (Day 3)

Dear Microsoft,

Today is Day 3 of our advanced Active Directory Security school for you. Today's post too is partly non-technical (since we're covering this over 30 days, and it builds up for subsequent posts) but it's vital and must be addressed because as we help you better understand this, along the way, the world learns too, and so many organizations clearly need help understanding this.

We are shocked to see just how many IT personnel, IT managers, CISOs, CIOs and CEOs still don't understand the importance of Active Directory, and thus don't understand the impact an Active Directory security breach could have on their business.

So let's address this once and for all so that it is unequivocally clear for everyone, and we can move on discussing technicals.


Impact of an Active Directory Compromise / Security Breach - It's Game Over



From this point on, let there be no doubt about one fact - if indeed the security of an organization's foundational Active Directory deployment has been breached/compromised, then technically speaking, it's GAME OVER, right then and there. Period.

(Anyone who would like to challenge the validity of this simple, purely technical fact may do so by leaving a comment below.)

That's right. From the Active Directory Domain Admin to the CEO, it's time to pack up, go home, and find another job, because believe you me, until they completely re-build the forest from scratch, he who knows what to do will have them for ETERNITY.

Only organizations that do not know better will continue to operate on that Active Directory forest, because they'd be operating on a compromised foundation, and if they continue to do so, and their perpetrators truly understand Active Directory security, then, from that point on, for as long as they continue to do so, their perpetrators will know (and could divulge) everything there is to know about that organization, tamper with anything, destroy anything at will etc. etc.

Here's why -


You see, when the security of your Active Directory deployment is compromised, the very fabric of trust i.e. the very foundation upon which the security of all IT assets in the IT infrastructure (powered by that Active Directory) depends, is compromised.

Consequently from that point on, short of rebuilding the entire IT infrastructure from the ground up, there is no way to get back to a trustworthy (provably known to be secure) state, because that is the only sure-shot way to provably (re-)bootstrap trust.

To find out why, please keep reading.

(Now, while some might suggest, contend and argue that in such cases simply using an Active Directory backup to perform an authoritative restore would be sufficient to restore the Active Directory to a previously known good state, in reality that is hardly sufficient, and no organization that cares about its security should rely solely on doing so. To find out why, keep reading.)

First, let me clarify what I mean by an Active Directory security breach/compromise - by that I mean any situation in which someone has been able to directly or indirectly obtain what is tantamount to administrative access over Active Directory.

[ Quick Digression: For many (novices), that list usually is simply whoever is a member of the Domain Admins and Enterprise Admins groups. Those who know a little more take it to be all accounts whose adminCount value is 1. Those who truly know Active Directory security know it's a little more complicated than that, as described here. ]

In the interest of brevity and completeness, let me first share a few things such an individual can do WITHIN Active Directory -
1. He/she can completely control and manage all Active Directory domain accounts, including all privileged ones
2. He/she can completely control and manage all Active Directory domain groups, both security and distribution
3. He/she can completely control and manage the computer accounts of all Active Directory joined computers
4. He/she can completely control and manage all group policies being deployed to all computers in the domain
5. He/she can completely control and manage all trust relationships
6. He/she can completely control and manage all service connection points, print queues and any custom data
7. He/she can completely control and manage all Active Directory configuration partition data
8. He/she can completely control and manage the entire Active Directory Schema 
9. He/she can completely control and manage the domain security policy 
10. He/she can completely control and manage the domain controller's security policy

In other words, he/she can completely control the cyber security of your entire Active Directory based IT infrastructure!

In short, if your foundational Active Directory is compromised, you just lost control of your entire IT infrastructure.

(By the way, the most important point I want to make is after the following section, so please keep reading.)



Business Impact of an Active Directory Security Breach

For the CEOs, CFOs, CIOs and any and all non-technical stakeholders, perhaps I should translate this into business parlance.


Should the security of an organization's foundational Active Directory deployment be breached/compromised, here's what the perpetrator could do -
1. Completely own your entire IT infrastructure
2. Launch an internal denial-of-service (DoS) attack that would cripple your entire IT infrastructure
3. Logon as anyone (e.g. C*O, Domain Admin, Attorney, Engineer, Security Guard etc.) in your IT infrastructure
4. Obtain access to, divulge and/or destroy the entirety of your organization's IT assets i.e. all your trade/business secrets, all your product blue prints and source-code, employee, customer, legal, financial and other data etc.
5. Use the power of automation to easily, swiftly and effortlessly destroy and/or render the entirety of your organization's IT infrastructure (i.e. all your accounts, computers and access) virtually useless and unusable
I could share more, but I think that to the wise, even just these few points alone, and the profound ramifications on business, of even any single one of them materializing, need not be spelled out. In short, organizations that are powered by Active Directory are only as secure as are their foundational Active Directory deployments. It really is as simple and as factual as that. Period.




Why an Active Directory Restore Isn't Sufficient

Here's the most important point I wanted to make - Once an admin, forever an admin!


You see, given the above, as I mentioned earlier, some might say that in the event that an Active Directory breach occurs, even if the perpetrator changed something WITHIN Active Directory, we can always get back to a known trustworthy state by simply performing an authoritative restore. They could say that, but they would be (very) wrong.

Here's why...

Take #4 above i.e. He/she can completely control and manage all group policies being deployed to all computers in the domain, and consider that this could easily be used to obtain administrative control over any computer in the domain, and this is just ONE of many things that someone who has been able to obtain administrative access over Active Directory can do OUTSIDE of Active Directory - i.e. obtain admin access to and change just about everything on any machine joined to that Active Directory.

For a simple illustration, let's consider a situation wherein he/she exercises his/her administrative control over Active Directory to leverage group policy to gain administrative control over, and subsequently make any one of the following subtle changes on, just any one (of who knows how many) machine(s) used by just any one (of who knows how many) Domain Admin(s) -



1. Installs custom malware on the machine, that could do various things, from logging and transmitting keystrokes to allowing remote access to that machine from half way around the world to ... <use your imagination> etc. etc.
2. (Assuming the computer account of this computer is a member of Domain Admins,) Configures a service to be installed and run on that computer that at a set future date would make a single subtle change in Active Directory (e.g. reset the password of the default Active Directory Administrator account) that would effectively result in the perpetrator being in a position to (effortlessly) regain administrative privilege over Active Directory.
3. (Or, the most effective one) Leaves a simple PowerShell script designed to run in Domain Admin context, and when one (i.e. a Domain Admin) logs on, it will simply run as him/her and quietly make a single subtle change in Active Directory (e.g. change the ACL protecting the Domain Admins group) that would effectively result in the perpetrator being in a position to (effortlessly) regain administrative privilege over Active Directory.


Note that I'm just talking about someone doing this on any ONE domain-joined machine on which a Domain Admin is known to log on (or, as in the case of #2 above, a machine whose account is a member of the Domain Admins group to begin with).

A perpetrator who has obtained administrative access over Active Directory once could make numerous such changes and with hundreds/thousands of domain-joined machines in the network, it would be practically impossible to identify each such change.

Now, why is this important?!

The reason this is so important is that, even if the act of performing an authoritative restore could get the organization's Active Directory back to a previously known good state, from that point on, there would now (still) be who knows how many backdoors planted by the perpetrator in the IT infrastructure that he/she could use to regain administrative control of Active Directory!

That is the Billion dollar point that organizations worldwide need to comprehend i.e. should an organization's foundational Active Directory be compromised, performing an Active Directory restore is not sufficient at all. Strictly speaking, the only way to get back to a known provably reliable / trustworthy (secure) state is to rebuild the entire IT infrastructure from the ground-up.



In Summary

In summary, today I just wanted to make one point -


Considering that not only could an Active Directory security breach result in a colossal cyber security incident that could cost an organization (in some cases, hundreds of) millions of dollars, but also that recovering from it could in itself be a massive, time- and cost-intensive undertaking, it is so much better to do all that you can to prevent your Active Directory from being compromised in the first place, than it is to get breached, and then recover from it!

In light of the above you can be the judge of whether or not IT personnel, IT managers, CISOs, CIOs and CEOs should profoundly understand the importance of Active Directory and the consequences of an Active Directory security breach.

That's it for today. Tomorrow, I'll shed light on Active Directory's vast attack surface because reducing the attack surface is one of the most effective proactive measures organizations can enact to prevent an Active Directory security breach.

Best wishes,
Sanjay


PS: Humor -
Today's post was partly motivated by a scenario we amusingly encounter on a daily basis - a Domain Admin from a multi-billion dollar organization will request an eye-opening trial of our incredibly powerful and unique tooling, (which is most nominally priced and can do for them in minutes what could take them years to do assuming they know how to do it, and) then request a price quote, and upon its receipt, say - "Oh, that's way out of our budget!"
On a lighter note, if such a nominal amount (i.e. a few thousand dollars) is way outside a huge multi-billion dollar organization's budget, to acquire tooling that could help prevent an Active Directory Security breach by helping them identify and exponentially reduce their current attack surface, perhaps they could consider borrowing some from the CEO's/CFO's/CIO's/CISO's (multi-)million dollar paychecks.
I'll tell you what - just frankly tell us that no one in your organization understands this well enough yet, and we'll graciously gift it to you, our compliments, if it'll help. That's the least we can do for small (billion dollar) companies.
On a serious note, such a statement from a Domain Admin only shows that neither its middle nor its senior IT management or Executive management yet understand the profound impact that an Active Directory security breach could have on the organization's business (, so perhaps someone can share today's post with them.)

Friday, June 2, 2017

Active Directory Security is Paramount to Global Security Today (Day 2)

Folks,

Today is Day 2 of advanced Active Directory Security school for Microsoft. Today's post, albeit short and non-technical, is also very important, because the world needs to understand just how important Active Directory Security is to global security today.

From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.


In other words, the foundational security of thousands of government and business organizations depends on Active Directory.

To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Microsoft Active Directory.

Now imagine a scenario wherein a perpetrator is able to write and unleash malware designed to target and exploit weaknesses in and compromise foundational Active Directory deployments worldwide. Just how much damage do you think that could do?

If that's a stretch for your imagination, consider this much simpler scenario, wherein a perpetrator (e.g. a hacker, an APT, an insider) specifically targets and is able to compromise the Active Directory of even just a few of the world's top organizations.

Hopefully you can now see why Active Directory Security is paramount to global security today. What could be more important?


Now consider this - in almost every Active Directory deployment in the world, there exist thousands of exploitable unauthorized effective access grants, yet neither do most organizations seem to know this, nor do they possess the means to identify them.

Considering the above, one would think Microsoft would be aware of this problem, and if so, have a solution for it, for the world. Sadly, neither Microsoft nor any cyber security company on the planet has a(ny) solution to help these organizations adequately i.e. accurately and swiftly identify and eliminate the billions of unauthorized effective access grants that endanger foundational Active Directory deployments worldwide. Well, except one.

In light of the above, you may want to read Day 1's entry (a few times over, if needed) again - here.

That's all for today.

Good night,
Sanjay


PS: Responsible disclosure/picture-painting: I wouldn't have shed light on this if there was no solution. There is a solution today, and it can help the entire world address and eliminate this problem very quickly, but we can't help these organizations until they themselves first recognize, understand and acknowledge the problem, comprehend its magnitude, & then seek our assistance.

Thursday, June 1, 2017

How Well Does Microsoft Really Understand Cyber Security? (Day-1)

Dear Microsoft,

Today is Day-1 of Advanced Active Directory School for you. From today onwards, for the next 30 days, I am going to help you better understand Active Directory Security, so that you in turn can help organizations worldwide better understand the same.


As I have already said, I am only doing this because today almost the entire world operates on Active Directory and based on what we're seeing, thousands of your organizational customers, many of whom are globally prominent multi-billion dollar companies, may be minutes away from being completely compromised, and they don't even seem to have a clue!


So, (oh and I don't care who you are at Microsoft, or what it is you're working on, because most likely nothing is more important than what you're going to learn here so) you may want to take a break from whatever you're working on and listen intently to what I have to say, because by the end of these 30 days, what's being communicated in these 2 videos is going to sound like a joke -
Kool-aid sounds wow in marketing videos!  Here's what Mr. Nadella ended this talk with - "When we talk about empowering every person and every organization on the planet, it becomes even more paramount, to build trust into the core of computing."

BTW, a quick side-note: saying "even more paramount" is grammatically incorrect. "Paramount" is a superlative to begin with.

Oh, and here's what your built-to-impress Microsoft Cloud commercial ends with - "When it comes to the cloud, trust and security are paramount. We're building what we've learnt back into the cloud to make people and organizations safer."

Well, after what I'm going to share with you over the next 30 days, you may not only find these videos to be rather humorous, you'll also find that you still have much to learn and a long way to go before you can truly make people and organizations safer.

Oh, and is it just me, or have you too noticed that y'all have started using the word "paramount" a lot lately? It was a decade ago that I had realized that in years to come, cyber security would become mission-critical to business, and that nothing would be more important than defending the very foundation of cyber security worldwide, and thus the name - Paramount Defenses.


But I digress, and alright, enough boring talk. Let's get down to some real technical stuff, shall we?



An Ocean of Vulnerabilities in Microsoft Active Directory Deployments Worldwide

Microsoft, do you know what this string represents, and why even a tiny bit of it is profoundly important to global security today?:
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

I promise to fill you in on the details in days to come, so I'll just give you a hint today - Who needs WMDs Today?

Okay, I'll speak to it just a little bit today. This is a Windows security descriptor on one single specific Active Directory object, and were this exact security descriptor, or even a very small specific portion thereof to exist in an Active Directory deployment today, that Active Directory deployment could be completely compromised in a matter of minutes, and none of these kiddish band-aids will be able to prevent that from happening.
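To make the point concrete, here is an added worked example (my own code, not the author's or Microsoft's): a small Python decoder that walks every ACE in the string above, names the trustee, and lists each allow ACE that grants a control-access right, either one of the named replication rights or, when CR appears with no object GUID, All Extended Rights, together with the scope its inheritance flags give it (the "this object and all descendant objects" versus "descendant objects only" distinction from the Day-5 post). It assumes the standard SDDL alias and right codes and the published schema GUIDs for the DS-Replication rights; it deliberately reports only what the ACEs literally say and does not compute effective permissions, which additionally require group expansion, deny evaluation and ownership.

```python
"""Decode an Active Directory DACL written in SDDL and list who holds extended rights.

Added example, not code from the page. It reports only what the ACEs literally
say ("who has what permissions"); it does NOT compute effective permissions,
which also need group expansion, deny evaluation, ownership and inheritance.
"""
import re

# Well-known SDDL trustee aliases that occur in the page's string (a subset).
TRUSTEE_ALIASES = {
    "WD": "Everyone", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers", "BA": "BUILTIN\\Administrators",
    "DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
    "RU": "Pre-Windows 2000 Compatible Access",
}
# Control-access (extended) right GUIDs for directory replication, from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
ACE_RE = re.compile(r"\(([^()]*)\)")  # one ACE per parenthesised group

# The security descriptor quoted in the post, copied verbatim (including the stray spaces).
PAGE_DACL = (
    "(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)"
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    " (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    " (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)"
    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)


def _codes(field):
    """Split an SDDL flags or rights field into its two-letter codes."""
    if field.startswith("0x"):  # rights may also be given as a raw hex mask
        return [field]
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def scope(ace_flags):
    """Translate the inheritance flags into the wording the ACL editor shows."""
    flags = set(_codes(ace_flags))
    if "CI" in flags and "IO" in flags:
        return "descendant objects only"  # the editor's 'Descendant objects' choice
    if "CI" in flags:
        return "this object and all descendant objects"
    return "this object only"


def parse_ace(body):
    """Parse one ACE body: type;flags;rights;object_guid;inherit_guid;trustee."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError("malformed ACE: %r" % body)
    ace_type, flags, rights, obj_guid, inh_guid, trustee = parts
    return {
        "type": ace_type,
        "rights": _codes(rights),
        "object_guid": obj_guid.lower(),
        "inherited_object_guid": inh_guid.lower(),
        "trustee": TRUSTEE_ALIASES.get(trustee, trustee),  # raw SID if not an alias
        "scope": scope(flags),
    }


def parse_dacl(sddl):
    """Parse a whole DACL; whitespace between ACEs, as in the page's string, is ignored."""
    return [parse_ace(body) for body in ACE_RE.findall(sddl)]


def extended_right_grants(aces):
    """Return (trustee, right, scope) for every allow ACE granting a control-access right.

    An 'A' or 'OA' ACE carrying CR with an empty object GUID grants ALL extended
    rights (the accidental over-grant described in the Day-5 post); an 'OA' ACE
    with CR and a GUID grants only the named right.
    """
    grants = []
    for ace in aces:
        if ace["type"] not in ("A", "OA") or "CR" not in ace["rights"]:
            continue
        if not ace["object_guid"]:
            right = "ALL extended rights"
        else:
            right = REPLICATION_RIGHTS.get(
                ace["object_guid"], "control access right " + ace["object_guid"])
        grants.append((ace["trustee"], right, ace["scope"]))
    return grants


if __name__ == "__main__":
    for trustee, right, where in extended_right_grants(parse_dacl(PAGE_DACL)):
        print("%-32s %-34s on %s" % (trustee, right, where))
```

Run against the page's string it lists ten control-access grants held by five trustees; anything in that list that is not a domain controller or a tier-0 group is exactly what a defender would want to audit and remove.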

And this is merely the tip of the TIP of the Iceberg!


In most Active Directory deployments there are thousands if not hundreds of thousands of such security descriptors protecting an ocean of mission-critical Active Directory content, yet no one seems to have a clue as to how to even begin to analyze them, let alone how to correctly analyze them, or for that matter lock them down, and as a result, today the vast amount of unauthorized access they allow, and that thus exists in most Active Directory deployments worldwide is simply UNBELIEVABLE!

Close your eyes and imagine for a moment what it must be like to stare at thousands of such security descriptors to try and make any reasonable sense of them i.e. trying to determine precisely what access they end up granting, and to whom, and you'll get a sense of what your customers, (and if I may add, only those who understand a bit of this stuff,) have to deal with!

In case you're wondering why on earth someone might want to make sense of them, it's because organizations need to make these determinations to attain and maintain least-privileged access (LPA) in their foundational Active Directory deployments.

Oh, and if a malicious entity (e.g. an intruder, a rogue insider, an APT etc.) could do so, and do so accurately, he/she/they could instantly proverbially play God, because he/she/they would be instantly privy to extremely valuable intel, such as exactly -

1. Who can replicate secrets from Active Directory to compromise everyone's credentials?
2. Who can change the membership of any one of various Domain-Admin equivalent groups to gain root access?
3. Who can reset the password of any Domain-Admin equivalent privileged user account to gain root access?
4. Who can link a rogue GPO to the domain-root, a site, or an OU to compromise all domain-joined hosts?
5. Who can modify the membership of any of the thousands of security groups to gain system-wide access?

6. Who can reset the password of any employee (e.g. the CEOs) in the organization to login as him/her?
7. Who can modify a mission-critical application's service connection points to prevent it from functioning?
8. Who can delete an entire OU with thousands of objects in it to launch a crippling denial-of-service attack?
9. Who can modify a single attribute in the Configuration partition to disrupt the Active Directory itself? 
   etc. etc. ... you get the drift?

I think most reasonable IT and cyber security professionals will agree that knowing who can enact these tasks is not only vital to organizational cyber security today, it is in fact essential to operating a trustworthy Active Directory based IT infrastructure.

Yet, because no one really knows how to make any reasonable sense of the thousands of these security descriptors in Active Directory, let alone how to do it correctly and/or efficiently, most organizations worldwide are operating in the proverbial dark.

In fact, and here's the most shocking part - based on our vast global insight, I can tell you that at so many organizations worldwide, IT departments don't even have this on their radar, let alone knowing the paramount importance of this stuff!

In other words, most Active Directory deployments today may be sitting ducks for any proficient perpetrator who understands Active Directory ACLs well enough to know how to translate what seems like gibberish to the uninitiated, into extremely valuable cyber security intel that can then be effortlessly leveraged to instantly gain root access and swiftly inflict colossal damage.

Oh, and now imagine if someone could automate this extremely difficult process, such that he/she could quickly and of course accurately translate thousands of Active Directory security descriptors into extremely valuable privileged access entitlement insight in any Active Directory deployment in the world. (You know, something like this.) You can complete the sentence...

But I digress.



How Well Does Microsoft Really Understand Cyber Security?

Over the last ten years, Domain-Admin equivalent IT personnel from thousands of organizations from across 150+ countries worldwide have knocked at our doors, completely unsolicited, so we've had a chance to talk to them, and you might fall off your chair if I told you just how much (or should I say how little) most of them know about this stuff, and that to us is unbelievable!

So, Microsoft, do you know why so many organizations are operating in the dark today vis-à-vis this stuff?


The only plausible explanation I could come up with is that it's because you, the $550B Microsoft Corporation, seem to have provided virtually NO guidance to your customers, over an entire decade, neither on why it is so important (and in fact, as you may soon hopefully agree, paramount) to determine effective access in Active Directory, nor on how to do so correctly!

Which leads me to wonder, why not?

The only plausible explanation I could come up with is that it's because, most likely, you, the $550B Microsoft Corporation, who built Active Directory, yourself do not seem to have figured out just how important being able to do this is for cyber security!

If you have any other explanation to offer, not just me, the entire world is all ears by now!

If you don't, then hopefully you can see how the videos above seem to some of us to be humorous, in that most likely you don't even seem to possess the ability to make such paramount determinations in your own Active Directory deployments, let alone being in a position to help organizations worldwide address such a paramount cyber security need.

By the way, if you think little toys like dsacls, acldiag, LDP, your Effective Permissions Tab, or any PowerShell script anywhere, or any "Active Directory Permissions Audit" solution from over a dozen or so vendors can solve this problem, then let me tell you that neither you nor they (i.e. these clueless vendors) have any idea how to solve this problem correctly!

Oh and speaking of which, not only are these wonderful folks way off mark as well, their infantile wares are technically deeply flawed, so their excitement may be premature - there's a mountain the size of Mount Everest to be scaled before anyone can solve this problem. (See, since you've never shed light on what it takes to correctly do this, even such flawed stuff makes the bar for the famed Black Hat Conference! Incidentally, last year I personally discovered how little they too know about this!)

That's coming from someone who had the will and the grit to spend 20,000+ hours solving this one problem for the world - here.

That's it for today. Today, I just wanted to lay the foundation. From tomorrow onwards, we'll start getting deeper into technicals, and over the next 30 days I'll help you understand this stuff a little better, so you can help your customers understand it better.

Good night,
Sanjay


PS: Simply acquiring a puny start-up and offering their nascent technology as ATA is by no means enough to demonstrate the degree to which one expects Microsoft to go to, as claimed in those two videos above! As I have said earlier as well, Microsoft ATA is basically a detection measure. In the list of protection measures, detection comes third. The first is prevention (best accomplished by attack surface reduction), the second is avoidance. If detection is the best you can offer, you're conceding that you don't have the ability to provide the first two measures. And the world expects better than that from a $550 Billion company, especially one courting the world to embrace and trust its Cloud offering (; see 2 videos above :-))

PS2: We're happy to help your customers, but we need (you to help) them to understand this to a certain degree before seeking our assistance; we simply cannot individually teach 1000s of organizations what Active Directory effective permissions are!

Monday, May 22, 2017

A Trillion $ Letter to Microsoft concerning Cyber Security Worldwide

[This is a letter to all my esteemed former colleagues at Microsoft Corporation, for whom I have the greatest of respect. This is Day-0 of Active Directory Security School so you may want to read it as well as the PS section below.]


Dear Microsoft,

Let me begin by saying that you're one of the world's most high-impact companies, and that I love and respect Microsoft.


I may have spent only a few years at Microsoft, but when you're working 16 hour days, so immersed and in love with what it is you do, driven by the satisfaction and adrenalin of knowing that your work impacts billions of people worldwide, it truly is an incredibly satisfying and gratifying feeling. For me, working at Microsoft was a truly memorable and incredible experience.

If I might add, as Program Manager for Active Directory Security, I was at the epicenter of cyber security in Microsoft's Windows ecosystem, and when your work directly impacts the foundational cyber security of thousands of organizations worldwide, and you get to work with and earn the respect of some of the best security folks on the planet, John Lambert, David Cross, Michael Howard, Stuart Kwan, Paul Leach, Steve Riley, Ben Smith, Scott Charney and so many others, it's an indelible experience.



But this isn't about me. This is about the thousands of organizations that we (you and us) have the opportunity to impact (, and in turn the billions of people whose lives they impact,) and the responsibility to do so in a positive manner that betters their lives.



As you know, Active Directory plays a foundational and in fact a monumental role in IT and cyber security across the world, or as I like to put it - "not a leaf moves in the organizational IT and cyber security world without Active Directory being involved."


As former Microsoft Program Manager for Active Directory Security, i.e. someone who spent years on this ocean of an esoteric subject, after having moved on from Microsoft in 2005, upon taking time to reflect back, it became clear to me a decade ago that as solid as Active Directory is, it unfortunately lacks one fundamental capability, the absence of which could likely pose a huge security risk for thousands of (y)our organizational customers worldwide, in years to come.

Thus, in the late 2000s, I dutifully brought this deficiency in Active Directory to the attention of several individuals at several levels within Microsoft, on several occasions. Unfortunately, for reasons known best to them, no one seemed to want to do much about it.


It is because I knew just how critical this capability would be for the world to have in years to come that I was convinced it had to be built. Of course, back then, I was merely an ex-Microsoftie with the meagre resources of an average citizen, so I knocked on the doors of some of the world's biggest venture capital (VC) firms, who were all kind enough to give me an audience.
(They were Kleiner Perkins Caufield and Byers (KPCB), Greylock Partners, Sequoia Capital, and a few others in Menlo Park.)

Unfortunately [for me then :-( , and for them now :-)] they too didn't "get it", so they respectfully passed, and wished me luck.

Speaking of luck, there's an old saying - "Luck is the residue of diligence." They (i.e. those VC firms) may not have realized that they not only turned down a former Microsoft cyber security expert, but more importantly, they turned down someone who cares deeply about doing the right thing. Perhaps they may have underestimated the power of human will.


Undeterred, I decided to do something about it myself, within my own meagre financial means. I'll spare you the details of my journey, but in short I worked four years (1,460 days) straight without earning a penny, and when I was done, I had architected and developed one of the most important cyber security capabilities and amongst the most innovative patented intellectual property on the planet, which is today formidably backed and embodied into some of the world's most innovative solutions by some of the world's most professional developers (our employees), and can today do at a button's touch, what no one else can.


As a completely unintended consequence, I ended up creating possibly the most important, relevant and valuable cyber security company on the planet, and today, not all the financial resources at the disposal of all the venture capital companies combined, could possibly compete with us. (You may not yet understand why I say so, but you'll hopefully understand it by the end of this.)


(You see, there are 100s of cyber security companies in the world today, most of whom also run on Active Directory, but not a single one of them can help accurately determine effective permissions in Active Directory. If you can find even one that can do so, on even just one Active Directory object, let alone on an entire domain comprised of 100s of 1000s of objects, let me know.

Now, in case you're wondering why being able to do so is a BIG deal, it's because he/she who can accurately and efficiently determine effective permissions on the thousands of objects that reside in each Active Directory domain worldwide ultimately holds the keys to global security; don't worry if you don't understand this now, for you will by the time we're done with school.)

Incidentally, given the nature of what it is we so uniquely do, today we are formidably backed by an entity who understands the strategic importance of our endeavor to the business and national security interests of the United States AND its allies.



But again, this isn't about me. This is about applying the best one is capable of, towards solving one of the most important cyber security challenges on the planet for our customers, the thousands of business and government organizations worldwide that operate Active Directory, to help them stay safe and secure. In other words, this is about you and (y)our customers worldwide.



You're not going to believe this, but imagine our surprise when after having solved arguably the biggest cyber security challenge facing Microsoft's organizational customers today, we found that hardly any of your customers seem to understand this problem!


Thus, last year, we had to bring this to the attention of the executive leadership of the Top-200 organizations worldwide, and to this day we continue to help thousands of your organizational customers understand this, for they all seem to be in the dark.

It appears that the reason most of them are in the dark is perhaps because while you were busy making a paradigm shift, you may have (completely) forgotten to provide them sufficient guidance on one of the most vital aspects of Windows Security.

I believe that it is not our burden to educate your customers about this profoundly important challenge; that's yours to do; we've done the hardest part, which is to solve it; you can do the rest. However, it appears that even you do not seem to understand it.

So, in the best interest of the foundational security of thousands of organizations worldwide, who are (y)our customers, in days to come, I'm going to most respectfully help you understand this profoundly important yet esoteric cyber security challenge.

(Also, I'm sorry if I may have been a little hard on you recently - one, two. That was only because I care deeply about everyone; as they say, along with great power comes great responsibility, and I felt that you may inadvertently have not been living up to that. When we play such a vital & foundational role in global security, we have an obligation to do so as responsibly as we can.)




Please know that the only reason I'm doing so is so that you can help your customers understand this problem, because we worry greatly that if they don't understand this soon, the not-so-good folks out there could seriously endanger their security.

In fact, considering that 100% of all major recent cyber security breaches involved the compromise and misuse of a single Active Directory privileged user account, organizations that ignore The Paramount Brief may be doing so at their own peril.

(Also and most pertinently, as credential-theft attacks (e.g. Pass-the-Hash, Kerberos Golden Tickets etc.) become harder to enact, perpetrators are shifting their efforts towards directly attacking Active Directory, a fact concretely evidenced by Mimikatz DCSync, which leverages unauthorized / excessive effective permissions in Active Directory to compromise all credentials.)

Thus, I hope that once you understand this risk, you'll see why you need to help organizations worldwide understand it ASAP.


In conclusion, I've been one of you; I represent what every responsible, hard-working individual who passionately believes in solving a problem for the world is capable of, and once you understand this esoteric challenge, you'll realize that I (and today we) have done more to help safeguard the cyber security of Microsoft's global organizational customer base than any other entity (individual or company) on the planet, and that the world needs our combined help and guidance, so in your own (ecosystem's) interest, I hope you'll listen most intently and respectfully to what I have to say in days to come.

Thank you very much.

Most Respectfully,
Sanjay


PS: Active Directory Security School: Today was supposed to be Day-1 of Active Directory Security School, but I decided to make June 2017 Active Directory Security Awareness Month, so I figured it might be best to hold school from June 01 to June 30, 2017. So, the official Day-1 of School will start right here on June 01, 2017. Until then, you may want to read this.