Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Wednesday, September 27, 2017

Active Directory Access Control Lists (ACLs) - "Actual" Attack and Defense


This post impacts the cyber security of every foundational Active Directory deployment in the world, so you may want to read it.

Active Directory Access Control Lists (ACLs)

Active Directory is the foundation of cyber security worldwide because it enables distributed security in Windows environments and it stores, protects and enables the administration of the entirety of an organization's building blocks of cyber security.

In essence, literally from the entirety of the user accounts of an organization's workforce (including those of all privileged users), to the entirety of computer accounts that represent the organization's computers, and from the entirety of the domain security groups that protect the entirety of an organization's IT resources to the entirety of an organization's security policies (GPOs), at thousands of organizations worldwide, all building blocks of cyber security are stored, secured and managed in Active Directory.

Guess what protects each & every one of these building blocks of cyber security i.e. these Active Directory objects, worldwide?

It is Active Directory Access Control Lists (ACLs) -

An Active Directory Access Control List (ACL) protecting an Active Directory Object

Specifically, it is the ACL of an Active Directory object in which the organization's access intent for that object is specified (whether it be the CEO's user account or the Domain Admins group,) and it is this intent that is enforced by the "System."

In fact, today, billions of Active Directory ACLs that exist in Active Directory deployments worldwide, together serve to secure and defend the very building blocks of organizational cyber security at thousands of business and government organizations.

In short, not only do Active Directory ACLs today help protect trillions of dollars of wealth worldwide, they play a paramount role in securing and defending most business and government organizations, and thus they impact business and national security.

(By the way, if you want to get a complete look at an Active Directory object's ACL, here's likely the most capable tool to do so.)

Attack and Defense - Microsoft's Version

On September 18, 2017, i.e. about one week ago, Microsoft shared its thoughts on this subject in a blog post titled -

If you haven't read it, I highly recommend that you read it, NOT because you'll learn anything at all, but only because it reveals volumes about just how little Microsoft may actually seem to know about Active Directory Security, ACLs, attacks and defense.


If you listen to what today's Microsoft has to say, they'll downplay the exploitation of Active Directory ACLs as an attack vector, suggest that recently there's been some attention given to Active Directory ACLs by amateurs, indirectly concede that it may be possible to exploit weaknesses in Active Directory ACLs, tell you about AdminSDHolder to claim that this couldn't likely be used to escalate privilege to privileged users, reticently agree that it might be possible to find ways to compromise non-privileged users/objects in Active Directory and end by saying - "If you find a path with no obstacles, it probably leads somewhere!"


In regards to defense, the best today's Microsoft can do is tell you that that their latest toy, Microsoft Advanced Threat Analytics (ATA) can detect recon methods used by newbie tooling like Bloodhound (which incidentally is massively inaccurate.)

Folks, what today's Microsoft is telling you about attack and defense, sounds like Baloney.

Sadly, I don't think they're doing it intently though, as it very well might be that they actually either have no one from the old-guard working on this, and/or the new guards truly have no idea about any of this, both of which are really scary scenarios!

The Actual Attack and Defense

Folks, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security.

Further, you also know that today not only does there lie an ocean of access privileges specified within Active Directory ACLs at almost every organization worldwide, but also because Active Directory lacks the ability to adequately help organizations find out who actually what access in Active Directory, for so many years, most organizations have been operating in the dark, and today there likely exist thousands of privilege escalation paths leading to all kinds of privileges, including to privileged users.

By the way, it is now seventeen (17) years since Active Directory has been around, and even though this attack surface has existed since then, it is only now that a few enthusiasts are starting to realize what a gold-mine of information Active Directory is, and just how many privilege escalation paths one could find to just about everything in Active Directory. In fact, some of these enthusiasts may have gotten a little too excited and even released some infantile tooling, which I believe goes by the name Bloodhound, and lo and behold it is one of the hottest pen-test tools today, even though it is massively inaccurate!


Speaking of attack, the exploitation of excessive/unauthorized access specified in Active Directory ACLs, as illustrated here, summarized here, described here and a realistic example of which is shown here, is a very real and serious possibility today.

That's because in most Active Directory deployments worldwide, today there likely exist thousands of privilege escalation paths in Active Directory ACLs, just waiting to be found (and exploited (by the bad guys), or eliminated (by the good guys)) by anyone who has the skills or the tooling required to accurately perform effective permissions analysis in Active Directory deployments.

To illustrate how serious this is, here are 7 specific examples of Attack that involve the exploitation of Active Directory ACLs -
  1. The complete compromise of an organization's entire workforce's credentials, by an unauthorized individual, such as an intruder or a rogue insider, enactable by the use of the hacking tool Mimikatz DCSync which involves requesting and retrieving the secrets (passwords) of the entirety of an organization's domain user accounts, is possible (and can only be made possible) if that unauthorized individual has sufficient Get-Replication-Changes-All effective permissions in the Active Directory ACL of the target Active Directory domain's domain root object. 

  2. The complete compromise of an organization's Active Directory privileged domain user accounts and security groups, such as the Administrator account, the Domain Admins group etc., involving an unauthorized password reset and/or a group membership change etc., is possible if that unauthorized individual has sufficient Write-Property (member or blanket), effective permissions or Reset-Password Extended Right effective permissions in the Active Directory ACL of the target Active Directory domain's unique AdminSDHolder object.

    An Important Note: AdminSDHolder protection only protects the members of those default Active Directory administrative groups that it is intended to cover, and it does so transitively.

    However, if any security principals other than those that fall under the AdminSDHolder protection, were to be granted any kind of access in the AdminSDHolder object's ACL, then those security principals would NOT be protected by AdminSDHolder protection, and THAT opens up the possibility of there existing privilege escalation paths from non-privileged users to privileged users protected by AdminSDHolder.

    Many organizations do modify the default AdminSDHolder object's ACL for various reasons, such as to implement their own custom delegations, configure or lockdown access to privileged users etc.
  4. The complete compromise of the majority of an organization's Active Directory content, i.e. all of their domain user accounts, computer accounts, domain security groups, containers, OUs, service connection points etc. whose Active Directory ACL is not marked Protected, by an unauthorized individual, is possible if that unauthorized individual has sufficient Modify Permissions effective permissions in the Active Directory ACL of any large or Top-level Organizational Unit (OU), or on the domain root, because it would allow the unauthorized individual to make a single malicious change and leverage permission inheritance to obtain full control over the entirety* of all objects whose Active Directory ACLs will end up inheriting that malicious ACL change. 

  5. A massive (even if temporary i.e. ranging from a few hours to a few days) denial-of-service (DoS) attack on virtually an organization's entire IT infrastructure, their entire workforce and their ability to do business, made possible by something as simple as the deletion of a top-level Organizational Unit (OU) by an unauthorized individual, is possible if that unauthorized individual has sufficient Delete* (details) effective permissions in the Active Directory ACL of that OU.

  6. The identity theft and thus compromise of organizational users, involving a password reset of their domain user accounts by an unauthorized individual, is possible if that unauthorized individual has sufficient Reset-Password Extended Right effective permissions in the Active Directory ACL of the victim's Active Directory domain user account. This could also be used to in effect escalate privilege in Active Directory, and there could possibly exist privilege escalation paths leading from a non-privileged user to highly privileged users, in effect also providing a perpetrator system-wide command and control over an organization's IT infrastructure.

    An Important Note: Organizations that may have various kinds of multi-factor authentication (MFA) in place, such as Smartcards for domain user accounts, should note that if an unauthorized individual has sufficient Write-Property (either blanket, or for the appropriate attribute) effective permissions on a user's domain account, then he/she could easily turn MFA off on the account, in which case, the account's security will fallback to being password based ( i.e. a system-generated random password) and a password reset (assuming the perpetrator also has sufficient effective permissions to do so) would then allow the unauthorized individual to effortlessly steal its identity, i.e. effectively take over that account.

  7. A critical denial-of-service (DoS) attack aimed at disrupting one or more possibly mission-critical applications, such as Microsoft Exchange, Centrify Server Suite, Microsoft Rights Management Server, Microsoft Group Policy, Microsoft Terminal Server, Microsoft Azure, Quest Active Roles Server, Quest Change Auditor, Quest InTrust, Quest Privileged Password Manager, BeyondTrust PowerBroker for Windows, Citrix XenApp and XenDesktop, IBM DB2, to name a few, that rely on the use of Service Connection Points in Active Directory, by an unauthorized individual, is possible if that unauthorized individual has sufficient Write-Property (keywords or Blanket) effective permissions in the Active Directory ACL of one or more of the Service Connection Points of that specific mission-critical application.

  8. A massive cyber security breach in which an unauthorized individual, such an intruder, a disgruntled or rogue insider, an APT, a compromised delegated admin/service account etc., is able to obtain access to and leak/divulge, exfiltrate, tamper or destroy literally any (some, or all) organizational IT resource of his/her/their choice, such as a specific file, folder, database, server, application etc., or thousands thereof, is possible if that unauthorized individual simply has Write-Property (member or blanket) effective permissions in the Active Directory ACL of the specific domain security group (, such as All EmployeesBlueprint Access Group, Email Servers, Project Windham Group, etc.) in Active Directory that is currently gating access to that organizational IT resource, as this would allow that individual to add any domain account under his/her control to the membership of this domain security group and subsequently instantly and legitimately gain unrestricted access to the target organizational IT resource.

Note: In each case above, in lieu of the effective permissions mentioned above, it would alternatively be sufficient for the unauthorized individual to have Modify-Permissions effective permissions of Modify-Owner effective permissions in the ACL of the involved target Active Directory objects.

I could give many more examples, but to the wise a hint is enough, and I've given you 7 concrete examples of just how much damage an unauthorized individual who possesses various levels of unauthorized access in Active Directory ACLs, could do.

The reality is that literally anything and everything in Active Directory could be a target - The Active Directory Attack Surface

Now, that said, let's talk about Defense.


Take a deep breath of calm because this risk can be actually be easily, swiftly and completely eliminated by organizations.

The truth of the matter is that even though the serious cyber security risk posed by the potential exploitation of the vast number of excessive/unauthorized privilege access grants that are today specified in billions of Active Directory ACLs across thousands of Active Directory deployments, likely poses a clear and present danger to organizational cyber security worldwide, this risk can actually be easily, swiftly and completely eliminated by organizations, leaving no opportunity on the table for perpetrators.

How, you ask?  Keep reading...

A Small Digression
To understand how to mitigate this risk, we need to understand what caused this risk in the first place.

For years now, organizations have been leveraging Active Directory's precise administrative delegation / access provisioning capability to delegate/provision all kinds of access in Active Directory to fulfill business needs.  
While Active Directory makes it very easy to precisely delegate/provision access, unfortunately, it completely lacks the capability to help precisely assess/audit the actual resulting access that ends up getting implemented, and thus organizational IT personnel / AD admins have no way of being able to precisely a) verify the accuracy of their delegations or b) audit who actually has what access provisioned in Active Directory at any point in time.
Further, 3 factors contribute to exacerbating the situation -
  1. Active Directory's security model is quite rich and powerful, and thus complex, since it has almost a dozen generic security permissions and five dozen special security permissions (known as extended rights), and further, because mechanisms like inheritance of permissions involve and require precedence orders, applicability etc. all of this makes it difficult to determine the actual access implemented in Active Directory.

  2. A majority of all access specified in Active Directory is specified for security groups (as it should be), which given the possibility of group nesting, and often to multiple levels, further complicates not only who all might be ending end up with all kinds of access, but also trying to find out who actually has what access, especially since the membership of any of these groups could be changed by so many others, anytime.

  3. Considering the above, the slightest change made in even one place in Active Directory, such as in the ACL of a top-level OU, or the membership of even a single mid-level nested domain security group, could easily end up changing the actual state of access in Active Directory quickly & in many cases substantially.

Consequently, though organizations have been delegating/provisioning access in Active Directory for years now, they have almost never had the means or the opportunity to be able to accurately audit the actual existing state of access in Active Directory, and in light of the above, considering that in most Active Directory domains there may thus far have been 1000s of changes made, there likely exists a vast amount of excessive / unauthorized access, and no one actually knows exactly who can do what in their Active Directory deployments.
End of Digression.

The reason there exists vast amounts of excessive/unauthorized access in Active Directory is that organizations don't have the means to easily and correctly audit/assess who is actually i.e. effectively delegated/provisioned what access in Active Directory.

In order to be able to correctly do so, all that organizations need is the ability to be able to accurately, adequately and efficiently determine exactly who has what effective permissions/access in Active Directory, on a per-object basis, & ideally domain-wide.

By "adequately", I mean that given an Active Directory object, organizations should be able to easily determine a) the complete set of effective permissions provisioned on it, b) as well as the complete list of individuals that have these effective permissions, and c) HOW each one of these individuals is getting these effective permissions, as that data is needed to lock-down access.

Unfortunately, this capability does not seem to natively exist in Active Directory, so most organizations have just been performing basic Active Directory Permissions Audits, which are almost useless, and as a result, no one really knows exactly who can do what in Active Directory!

Over the years, this has resulted in a substantial amount of excessive/unauthorized access in Active Directory, which is best evidenced by the fact that even a tool as massively inaccurate as Bloodhound is able to find so many privilege escalation paths!

That said, here's Defense -

Conceptually, to defend against these attacks, all that organizations require is the ability to be able to accurately and adequately determine Active Directory Effective Permissions on their Active Directory objects, as this will give them a correct picture of who can actually do what on these objects, and show them how these users have such access today, and thus enable them to know exactly which security permissions to tweak in the ACLs of which Active Directory objects, and/or which group memberships to tweak, to lockdown any and all excessive / unauthorized access that is currently provisioned on their Active Directory objects.

Again, by "adequately", I mean that, given an Active Directory object, organizations should be able to determine a) the complete set of effective permissions provisioned on it, b) as well as the complete list of individuals that have these effective permissions, and c) HOW each one of these individuals is getting these effective permissions, as that data is needed to lock-down access.

A Simple 3-Step Defense Process

To defend against these attacks, this simple 3-step process is all that organizations need to perform -

  • Step 1 - Perform an Active Directory Effective Privileged Access Audit. This is a simple audit that involves the accurate determination of effective permissions/access in Active Directory, and it is the correct way to identify exactly who actually i.e. effectively has what access (anywhere and everywhere) in an Active Directory domain.

  • Step 2 - Analyze the results of this audit to identify all such users who currently possess any kind of access in Active Directory that they should NOT ideally be in possession of. Also identify where they currently possess such access.

  • Step 3 - For each such user identified in the analysis of Step 2, for each object on which they have such identified access, further analyze the results of this audit to additionally identify the HOW i.e. the underlying permissions in the ACL of the object that are entitling them to such effective access. Then, use this information to appropriately tweak the underlying ACL or the involved group membership to revoke all such identified excessive / unauthorized access.

In essence, in Step 1 we accurately determine object-specific/domain-wide effective permissions/access, in Step 2 we analyze these results to identify all "unauthorized access" and the underlying permissions in Active Directory ACLs that cause them, and in Step 3 we use this data to tweak these permissions in the ACLs (, or group memberships,) to lockdown Active Directory.

That's it!

For an illustrative step-by-step example that shows how to follow these
steps on a specific Active Directory object, see section IX of this post.

A Simple Example

If I had more time at hand, I would've shown you exactly how to do so, domain-wide. Since I don't, I'll share a quick example.

Lets assume that your organization wants to ensure that no one can make an unauthorized group membership change to any of the thousands of domain security groups in your Active Directory that are being used to protect the entirety of your IT resources.

To do so, technically what you need to do is accurately determine effective permissions on every domain security group in your Active Directory to find out who has Write-Property Member effective permissions on each one of these domain security groups.

Now, this in itself might seem like a herculean undertaking, and it is, but with the involved tooling, you can easily get it done.

Once you've done so, you'll have the accurate technical data that shows you exactly who can change the group membership of each one of your domain security groups in Active Directory, and once you have this insight, you'll be able to identify exactly how many individuals can currently enact this task versus how many should ideally be able to do so, and thus you'll be able to easily identify all such individuals who are not supposed to be able to do so, but nonetheless are able to do so today i.e. you'll be able to identify all users who possess "unauthorized access" as it pertains to this example.

Once you have identified all such users who possess this "unauthorized access", if you know which underlying permissions in the Active Directory object's ACLs are entitling them to this unauthorized access (and you will have this data if you perform the above mentioned audit, because the involved tooling will provide it to you), you can now tweak either the permissions or the membership of the domain security groups to which these permissions are granted, as needed, to revoke this unauthorized access, and in this manner, you can easily, efficiently and provably lockdown the access granted in Active Directory.

An Effective Privileged Access Audit is thus a simple, logical and straight-forward process that involves enacting the above to help organizations easily and accurately obtain the insight they need to identify unauthorized access in Active Directory.

One last thing - wouldn't it be nice if instead of having to determine who has what effective permissions in terms of technical Active Directory permissions (e.g.  Write-Property Member), we could just obtain this information in terms of administrative access entitlements i.e. in terms of who can enact what administrative tasks (e.g. Who can change a group's membership)?

I happen to think so, because security is best kept simple, and we humans can think about and analyze situations described in terms of administrative tasks much better than we can do so in terms of arcane technical permissions. In this regard, the tooling involved in such an audit is designed to deliver this insight in terms of administrative tasks rather than technical permissions. Of course, should you also like the data in terms of technical permissions, the involved tooling can certainly deliver that as well.

Thus, as it pertains to this example, an Effective Privileged Access Audit will deliver the following data to you - a complete list of all individuals who can change domain security groups in our Active Directory, the exact identity of each domain security group whose membership they can change, and the exact underlying security permission in the ACL of that domain security group that entitles this user to being able to change its membership. Armed with this valuable insight, we can easily and completely lockdown Active Directory vis-à-vis this example, in a matter of days.

End of Example.

A comprehensive Effective Privileged Access Audit will thus empower your organization to easily, efficiently and accurately determine the entirety of access that is currently provisioned/delegated in your Active Directory, i.e. it will span finding out who can do what concerning account management, group management, OU and Container management, SCP management, Directory Services management etc. and do so in a matter of hours, not months, and thus it will get you the data you need to adequately lockdown your Active Directory, and in doing so enable your organization to swiftly, measurably and demonstratably attain and maintain least privileged access in Active Directory.

Any organization or individual who needs additional information or clarity into this process may be feel free to contact us. Our technical specialists will be happy to help you adequately understand this process, our compliments (i.e. free of charge.)

So you see, this is all we need to do, and once we've done this, there will be no unauthorized access left in our Active Directory, no matter how large it is, and there will be no unknown privilege escalation paths left for perpetrators to find and exploit. None!

Let me repeat that. Once you've done this, there will be no unauthorized access left in your Active Directory. None... 
Zero!      нуль, nul, صفر , 零,Null, μηδέν, ʻole, אֶפֶס , शून्य, ゼロ,제로, nihil, sero !

This is all that organizations need to do to easily, efficiently and accurately identify and lockdown all unauthorized access in Active Directory. From that point on, you'll want to maintain this least privileged access state by performing regular audits.

So, what tooling is needed to perform an Active Directory Effective Privileged Access Audit?  You're going to need this & this.

In fairness, to be totally objective, strictly speaking you can use any tool that can help you accurately and adequately determine effective permissions in Active Directory, at a minimum on a per-object basis, and ideally domain-wide (unless you have years to solve this problem). I only mentioned those two tools because those are the only tools that I know of that can help do this.

In Summary

The potential exploitation of the vast amount of excessive/unauthorized access that exists in billions of Active Directory ACLs worldwide today is a serious challenge that 1000s of organizations face because it impacts their foundational cyber security.

Fortunately, with the right guidance, tooling and executive support, it can be quickly, efficiently and completely addressed.

Here's what we at Paramount Defenses believe -
"We at Paramount Defenses care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to organizations worldwide that operate on Active Directory. Be rest assured that Active Directory is a highly robust, trustworthy and securable technology, and here is exactly how organizations can easily, adequately and reliably identify and lock-down privileged access in their foundational Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

Lastly, I know that I make it sound so simple, but in reality, this is a very difficult problem to solve, and without the ability to be able to obtain accurate effective access insight, which in turn requires the right tooling, it really is almost impossible to solve.

As for the right tooling, building it requires vision, a deep understanding of the subject, and years to build, test and perfect.

Best wishes,

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation

PS: I could've easily communicated all of this in just a simple Executive Summary, and we did - its called The Paramount Brief. In fact, last year, we had even FedEx overnighted it to the CEOs, CFOs and Chairmen of the Top-200 organizations worldwide, and FedEx tracking helped ensure that they all received it. They've all been informed. I even shared it with Microsoft (MSRC).

PS2: To my friends at Microsoft - "This only took a decade of vision, persistence, grit and laser-focused execution to address."

PS3: If you liked this post, you're likely going to love the next few posts.

No comments:

Post a Comment