Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Monday, July 31, 2017

A Trillion $ Question to Microsoft regarding "Identities" and Cyber Security

Dear Microsoft,

Today is Day-11 of our advanced Active Directory Security School for you, and today I'd like to ask you a very simple question that concerns the most elemental and fundamental aspect of cyber security in Windows-based networks worldwide - Identities.

Identity is fundamental to Cyber Security

Identity is an elemental and fundamental aspect of cyber security, as each one of the 3-As of cyber security i.e. Authentication, Authorization and Auditing, require the ability to be able to uniquely identify entities i.e. people, computers, service accts etc.

The importance of identities is evidenced by that fact that an entire field of IT security is devoted to it, i.e. Identity Management, and that numerous multi-million $ companies such as Ping Identity, Centrify etc. exist only to help make identities more secure.

So, ...

Identities in Windows Environments

Now, as you know, at the foundation of over 90% of all business and government organizations worldwide lies Active Directory, and in these organizations, the Identities of their employees, contractors, executives, privileged users and other stakeholders are all represented by ...

A Domain User Account in Active Directory
... none other than their  unique  Active Directory domain user accounts !

(For completeness, it must be mentioned that computers have identities too represented by their domain computer accounts, and that strictly/technically speaking, it is a domain account's Security Identifier (i.e. SID) that uniquely represents its identity.)

That's right. In Active Directory based IT infrastructures, it is domain (i.e. Active Directory) accounts that represent identities.

In fact, at thousands of organizations worldwide, it is Active Directory domain user accounts that represent corporate identities, and in Active Directory deployments worldwide, today hundreds of millions of identities are represented by these accounts.

Uniqueness Is Imperative

Now, of vital note here is that, as you know, the keyword above is unique, because the entire premise of cyber security in Active Directory based networks rests on each user having a single, irrefutably uniquely identifiable domain user account!

After all, you likely don't have two domain user accounts at Microsoft for say, Satya Nadella, right? Yes I know that to address certain needs, some users like privileged users have multiple (e.g. alt) accounts, but they are always explicitly labeled as such.

In fact, here's why it is so important that users have only (one identity, i.e.) one domain user account -
  1. Security - Uniqueness is required to eliminate ambiguity. Ensuring secure access to securable resources in a network requires that resource owners be able to uniquely identify the entities/individuals for whom access is to be specified.

  2. Accountability - Accountability necessitates uniqueness. Should a user be able to authenticate him/herself using an account other than one assigned to him/her, he/she could engage in malicious activity, such as obtaining unauthorized access to, divulging and/or destroying various IT resources, that could not be irrefutably tied/traced back to him/her.

In fact, ensuring security requires that, ideally speaking, no user (except for a known few explicitly authorized administrative personnel) must ever be in a position that provides him/her access to more than one uniquely authenticatable domain account.

Now there are generally only two ways in which one could obtain access to an additional account - 1) a user could create a new domain user account in Active Directory, or 2) a user could reset the password of an existing domain user account in Active Directory. For now, let's assume that the second way is not that important (although it is), and lets just focus on the first one.

It turns out that the seemingly simple and mundane task of being able to create domain user accounts in Active Directory is actually very important to cyber security, because, as explained above, if someone could create a domain user account in Active Directory, he/she could instantly obtain and be in possession of an additional, separate uniquely authenticable identity.

Incidentally, the very least one could do with an additional domain user account is use it to scour the entire IT network for vulnerabilities, perform network logons on to most computers, and access anything and everything (e.g. files on servers, databases, SharePoint portals, ) to which Domain Users and Authenticated Users have read access (and you would be surprised to know as to just how much these two well-knowns (-RID and -SID) have access to in most organizations today.)

Of course, a proficient individual (intruder/perpetrator) could use an alternate domain account to engage in all sorts of nefarious activities, and the smartest ones could possibly find and exploit privilege escalation paths to take over the entire network.

In fact, if you consider even just the recent critical vulnerability that you just patched i.e. CVE-2017-8563 (Windows Elevation of Privilege), note that its exploit vector too involved/required that the perpetrator create a domain user account in Active Directory!

A Simple Trillion Dollar Question -

So, in light of the above, as you'll hopefully agree, it is absolutely imperative that organizations know at all times as to exactly who can create new identities in their environment, i.e. who can create new domain user accounts in their Active Directory?!

So, and speaking of which, here's yet another a very simple Trillion dollar question for you, Microsoft -

Exactly how do/should organizations find out exactly who can create domain user accounts in their Active Directory? (and ideally also, where they can do so & how)

[ My apologies for harping on "exactly" ; it is just that when it comes to cyber security, accuracy is paramount. ] 

Make no mistake about it - organizations that do not know the answer to this most fundamental of cyber security questions concerning identity management in Windows based networks cannot be considered secure from a cyber perspective.

Now, in case this seems like a simple question, consider what it might take to accurately answer this question at an organization that may have numerous (say even 20+, if not 100s of) organizational units and containers in their Active Directory domain(s).

Here's a hint - In all likelihood, even you*, the $ 550+ Billion Microsoft, that may be spending billions to so convince the world to get on its recent Cloud offering, don't possess the ability to help organizations answer this simplest of cyber security questions.

(In light of which, this might now 
make sense, esp. paragraph 7.)

I, and the whole world, look forward to your answer.  (Also, since you're likely not going to answer it, I'll answer it on Day-12.)

Best wishes,

* Not just you, not a single one of dozens of multi-million/billion $ IT, cyber security, tech and defense companies focused on identity management and cyber security can help organizations answer this simple cyber security question. Well, except one.

PS: August 05, 2017 Update - I've answered the question here.

No comments:

Post a Comment