As you may know, at Paramount Defenses, we lead and operate the world's largest community of Active Directory Security Professionals on LinkedIn, compromised of 2500+ individuals from 1000+ top organizations across 100+ countries worldwide.
(Our group is a sales-free and recruiter-free technical discussion group, and is completely free to join.)
|Active Directory Domain Controllers|
Earlier today, during one of our many technical discussions titled "What are the security implications of someone being able to modify the security descriptor protecting the domain root object in Active Directory", one of our valued members, Daniel Ulrichs raised a very good question (mentioned below) that merited its own discussion.
(Incidentally, on the question above, Daniel also recently publicly shared his thoughts on the question on his blog here.)
Q: Who can control the AdminSDHolder object in Active Directory?
Daniel's thoughtful inputs prompted our latest conversation which focuses on the question - "How to find out who can control AdminSDHolder i.e. who can change the ACL stamped on the AdminSDHolder object?"
This is one of the most important questions in cyber security today since it directly impacts privileged user access in Microsoft Active Directory deployments and thus profoundly impacts the foundational security of 85% of all organizations worldwide.
Ideally, along the same lines, there are many such questions that all organizations must know the exact answers to at all times, but for now, we're focused on this one fundamental Active Directory security question because it is cardinal to cyber security.
I, of course know the answer to the question. I'm only asking this for the benefit of our group members. Should you wish to participate in this discussion, or explore numerous such discussions, you're welcome to join the group and the conversation.
To join, simply visit - http://www.linkedin.com/groups?gid=2006946