Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Wednesday, January 4, 2017

The World's Only Professional Kerberos Token-Size Calculator

Folks,

Hope the New Year's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 4th.

Kerberos Token Size Calculations - A Vital Need for Many Organizations

For many medium and large organizations that operate on Microsoft's Active Directory, the need to be able to calculate Kerberos token sizes for their domain user accounts has become vital, given the large number of Active Directory security groups their users likely belong to. A few examples of such basic Kerberos Token Size Calculation audits include -


  1. Which domain accounts might be at risk of being denied a logon due to a large number of SIDs in their access tokens?
  2. Is a specific domain account at risk of being denied a logon due to a large number of SIDs in its access token?
  3. What are the token sizes of all domain user accounts in our Active Directory?
  4. Are any executive/privileged accounts at risk of being denied a logon due to the Windows Kerberos token bloat issue?
To make these determinations, IT admins at many organizations worldwide attempt various means, such as writing in-house LDAP/PowerShell scripts, using free Microsoft tools such as Tokensz, or relying on 3rd party scripts, most of which are inaccurate.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Most 3rd party scripts in this space seem to be rather inaccurate. (See point 4 in capability overview below.)

In our experience, what is ideally needed is a purpose-specific and reliable (tamper-proof) Kerberos token size calculation tool that lets IT personnel easily and dependably audit and calculate the token sizes of multiple domain users.

So we built the world's first dedicated, professional-grade Kerberos token size calculator to help IT admins, analysts, auditors and other stakeholders easily and dependably calculate Kerberos token sizes and thus fulfill a vital organizational audit need.



Gold Finger Kerberos Token Size Calculator / Audit Tool

The Gold Finger Kerberos Token Size Calculator is quite simply the world's only professional fully-automated audit tool that can automatically calculate the Kerberos token sizes of any, some or all domain accounts in any Active Directory domain -

Gold Finger - Kerberos Token Size Calculator

If you can touch a button, you can now easily and automatically calculate the Kerberos token sizes of any, some or all domain accounts in any Active Directory domain, at once, based on Microsoft's recommended formula Token Size = 1200 + 40d + 8s, where d is the number of domain local groups, universal groups outside the account's own domain and SID history entries counted for the account, and s is the number of global groups and universal groups within the account's own domain.



Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Fully-automated multiple-account Kerberos Token Size Calculation – Calculate token sizes of multiple domain accounts.
  2. Based on Microsoft Recommendations – Calculations based on Microsoft's formula: Token Size = 1200 + 40d + 8s.
  3. Kerberos Token Size Exports – Generate and export Kerberos token sizes of any, some or all accounts in a domain.
  4. Domain-specific Token Size Analysis – Calculate domain-specific access token sizes. The groups in an access token depend on the domain in which the logon takes place (domain local groups are added by the domain that builds the token), so the same account can have a different token size in each domain. This point is very important, yet most 3rd party scripts do not seem to take it into account.
  5. Access Token Contents Analysis – Obtain the list of all security identifiers (SIDs) in any domain account's access token.
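As an added example (not Gold Finger's code, nor a Paramount Defenses script), here is a PowerShell function that applies the formula above to a constructed group membership list, counting d and s as Microsoft defines them (d: domain local groups resolved in the logon domain, universal groups outside the account's domain, and SID history entries; s: global groups and universal groups in the account's domain), and that shows why point 4 matters by estimating the same account's token in two different domains. The group names, the domains CORP and HQ, the account 'CORP\JDoe', and the use of the 12000-byte and 48000-byte default MaxTokenSize values as risk thresholds are assumptions made for the demonstration.

```powershell
# Added example, not Gold Finger's code. Estimates a Kerberos token size with the
# Microsoft formula TokenSize = 1200 + 40d + 8s and flags accounts whose estimate
# exceeds a MaxTokenSize threshold. All group and account data below is constructed.

# Default MaxTokenSize values (bytes): 12000 through Windows 7 / Server 2008 R2,
# 48000 from Windows 8 / Server 2012 onward. Used here as assumed risk thresholds.
$MaxTokenSizeLegacy  = 12000
$MaxTokenSizeCurrent = 48000

function Get-KerberosTokenSizeEstimate {
    # d = domain local groups of the domain building the token
    #   + universal groups outside the account domain
    #   + SID history entries
    # s = global groups + universal groups in the account domain
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string]   $AccountDomain,
        [Parameter(Mandatory)] [string]   $LogonDomain,
        [Parameter(Mandatory)] [object[]] $Groups,          # objects with Name, GroupScope, Domain
        [int] $SidHistoryCount = 0
    )

    $d = 0
    $s = 0
    foreach ($g in $Groups) {
        switch ($g.GroupScope) {
            'Global'    { $s++ }
            'Universal' { if ($g.Domain -eq $AccountDomain) { $s++ } else { $d++ } }
            'DomainLocal' {
                # Domain local groups are resolved by the domain that builds the
                # token, so one only enters the token for logons in its own domain.
                # This is what makes the token size domain-specific.
                if ($g.Domain -eq $LogonDomain) { $d++ }
            }
            default { throw "Unknown group scope '$($g.GroupScope)' on group $($g.Name)" }
        }
    }
    $d += $SidHistoryCount
    $size = 1200 + 40 * $d + 8 * $s

    [pscustomobject]@{
        Account           = $Account
        LogonDomain       = $LogonDomain
        D                 = $d
        S                 = $s
        TokenSize         = $size
        ExceedsLegacyMax  = ($size -gt $MaxTokenSizeLegacy)
        ExceedsCurrentMax = ($size -gt $MaxTokenSizeCurrent)
    }
}

function New-SampleGroup {
    # Constructed stand-in for entries of an account's expanded (transitive) membership.
    param([string]$Prefix, [string]$GroupScope, [string]$Domain, [int]$Count)
    foreach ($i in 1..$Count) {
        [pscustomobject]@{ Name = "$Prefix-$i"; GroupScope = $GroupScope; Domain = $Domain }
    }
}

# Constructed membership: JDoe (account in CORP) is in 30 global groups, 5 universal
# groups in CORP, 300 domain local groups in CORP and 50 domain local groups in HQ,
# and carries 10 SID history entries from an old migration.
$jdoeGroups = @(New-SampleGroup 'GG'    'Global'      'CORP' 30)  +
              @(New-SampleGroup 'UG'    'Universal'   'CORP' 5)   +
              @(New-SampleGroup 'DL'    'DomainLocal' 'CORP' 300) +
              @(New-SampleGroup 'HQ-DL' 'DomainLocal' 'HQ'   50)

# The same account, with its token built in CORP versus in HQ.
$results = @(
    Get-KerberosTokenSizeEstimate -Account 'CORP\JDoe' -AccountDomain 'CORP' -LogonDomain 'CORP' -Groups $jdoeGroups -SidHistoryCount 10
    Get-KerberosTokenSizeEstimate -Account 'CORP\JDoe' -AccountDomain 'CORP' -LogonDomain 'HQ'   -Groups $jdoeGroups -SidHistoryCount 10
)
$results | Format-Table Account, LogonDomain, D, S, TokenSize, ExceedsLegacyMax, ExceedsCurrentMax -AutoSize

# Rows over the legacy default are the token-bloat risks for older clients/servers.
$results | Where-Object ExceedsLegacyMax
```

Against a live domain, the constructed list would be replaced by the account's expanded, transitive membership (for example, the SIDs in its tokenGroups attribute, resolved to each group's scope and domain); cmdlets that return only direct memberships miss nested groups and under-count. The result is an estimate per the Microsoft formula, not a measurement of the PAC actually issued, and the thresholds only matter relative to the MaxTokenSize configured on the systems the account logs on to.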



Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Automation - Automate the Kerberos token-size calculation process for multiple domain accounts in a single assessment.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Effortless Analysis - It can calculate the token sizes of multiple domain user accounts in a single assessment.
  4. Flexibility - It can use LDAP filters to specify a subset of domain accounts whose token sizes are to be calculated.
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Kerberos token-size audits you can perform with Gold Finger -

  1. Calculate the Kerberos token sizes of all domain user accounts in the Corp domain.
  2. Calculate the Kerberos token sizes of all administrative and executive domain user accounts in the Corp domain.
  3. Identify all domain accounts in the HQ OU that might be at a risk of being denied a logon due to Kerberos token bloat.
  4. See which security groups show up in the access token of JDoe's account when he logs on to a Corp domain machine.
  5. Find out if a specific security group Executive Committee Members shows up in CEO's user account's access token.
  6. Identify all administrative accounts that might be at a risk of being denied a logon due to Kerberos token bloat issue.
  7. Identify all computer accounts in Servers OU that might be at a risk of being denied a logon due to Kerberos token bloat.
  8. Find out if the Builtin Admins security group shows up in the access token of a temporary admin's alternate user account.
  9. Find out if Anonymous includes Everyone by being able to view the contents of any domain account's access token.
  10. Generate a professional PDF audit report that documents the token sizes of all user accounts in the Corp domain.



Trusted Worldwide

Today, our unique Kerberos Token Size Calculator helps organizations worldwide automatically calculate token sizes of multiple domain user accounts and identify all accounts that might be at a risk of being denied a logon due to the token bloat issue.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.
