Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Thursday, November 16, 2017

How to Discover Stealthy Admins in Active Directory (Part I)


Today I'd like to touch upon a very interesting topic i.e. how to identify / scan for / discover stealthy admins in Active Directory.

This post is not Part II of  How To Identify & Thwart Sneaky Persistence in Active Directory; that will follow shortly.

Stealthy Admins in Active Directory

Recently, there's been a lot of attention being given to what are being called "Stealthy Admins in Active Directory!"

Stealthy Admins in Active Directory

This concept of Stealthy Admins is along the lines of "Sneaky Persistence in Active Directory" and it deserves a befitting note.

First, An Apology !

[Begin Humor -

Folks, maybe I owe the whole world an apology, and here's what I owe it for -

For years, I've been trying to help the world understand that there exist in Active Directory deployments worldwide, 1000s of excessive / unauthorized privileges (i.e. security permissions), the existence of which endangers organizational cyber security.

To convey this fact, I've used all the right terminology, whether it be "effective permissions" , "effective access", "delegated access", "privilege escalation paths" etc. yet I doubt that most organizations worldwide get the depth of what I'm talking about.

Then come along a few new-comers to the field of Active Directory Security, and since they are just beginning to scratch the surface of Active Directory Security, they're likely amazed to know that there's (so much) more to administrative access in Active Directory than merely the members of the default Active Directory administrative groups (e.g. Domain Admins etc.), and perhaps because they may not be familiar with the notion of "Delegation of Administration" in Active Directory (and/or may not have read the 400-page whitepaper that I wrote on the subject for Microsoft way back in 2004,) they start referring to this stuff as "Stealthy Admins in Active Directory", and lo and behold, suddenly the whole world starts to understand this stuff!

How incredibly dumb must I be to not have figured that all I had to do is call this "Stealthy Admins in Active Directory!" ;-)

-- End of Humor ]

The answer - "Not at all dumb." In fact, anyone that's referring to these delegated administrative accounts as "Stealthy Admins" is merely demonstrating to the whole world how little they actually seem to know about the subject of Active Directory security!

Here's why - If you actually know Active Directory Security, then you likely know about its most capable feature, Delegation of Administration, and if you do, then you undoubtedly know that there are a LOT many more individuals who possess varying levels of admin/privileged access in Active Directory than just the members of the default admin groups in Active Directory.

Specifically, the fact that there might exist administrators in Active Directory (, other than members of the default administrative groups in Active Directory,) who may be able to enact various administrative tasks on default administrative accounts and groups and elsewhere in Active Directory, should come as NO surprise to those who understand Active Directory Security.

The fact that this "Stealthy Admins in Active Directory" misnomer is becoming so popular merely shows that not only those talking about it, but also those embracing it, may not seem to know much about Active Directory Security, and that's worrisome.

I can assure you that if you were to ask some of the best folks in Active Directory and Active Directory Security, such as Stuart Kwan, Joe Richards, Guido Grillenmeier, Micky Balladelli, Jan De Clerq, Andreas Luther and SO many others, they'll all likely agree with me, and laugh at this concept of "Stealthy Admins in Active Directory" introduced by a few folks new to the subject.

Likely Origins

Active Directory has been around for almost two decades, and at thousands of organizations worldwide, administrative authority for enacting administrative tasks such as password resets, group membership changes, account creations and deletions etc. have been delegated MILLIONS OF TIMES by thousands of IT personnel, and in fact, today there likely exist millions of individuals that possess varying levels of delegated administrative access in Active Directory deployments worldwide!

In other words, most organizations are intimately familiar with the concept of delegated access in Active Directory!

If that's the case, then it must be asked as to where this comical phrase "Stealthy Admins in AD" came from?

Here's the most likely answer -
Over the last few years, there's been a substantial increase in the focus on cyber security, and thus also on ways to obtain privileged access in Windows environments, and a large number of traditional "network security" hackers and cyber security professionals appear to have finally realized that at the very heart of cyber security in Windows Server based IT infrastructures lies the Active Directory, so they've started studying Active Directory security with a keen interest, and when you approach this subject from the outside-in (, as opposed to from the inside-out (i.e. you start with AD first)), then of course, the whole concept of administrative delegation is something you may not be aware of, and so of course, when you realize that there's a lot more to administrative access in AD than the mere members of the default administrative groups, you're likely to think of that indirect access as "stealthy access", whereas in fact to those familiar with the subject, that's just Active Directory Security 101!

In short, if you're new to the subject, you're likely going to be a bit surprised that there are actually (a LOT) many more folks that possess admin/privileged access in Active Directory than just the members of the default admin groups in Active Directory, and these to you might appear to be "Stealthy Admins!"

Speaking of Which

No matter what you call it, the fact remains that in virtually every Active Directory deployment in the world, there are far more individuals that possess varying levels of administrative access in Active Directory than the mere members of the default administrative groups, and it is imperative that not only must all those who hold such access in Active Directory be accurately identified, but also that if it is determined that the level of access that they hold is tantamount to unrestricted privileged access, then they must be rightly classified as "privileged users in Active Directory."

For example, consider the Domain Admins group. It may very well be that at an organization, there are only a handful of individuals that are members of this privileged access group in Active Directory. However, it is not sufficient to merely consider the group's membership. One must also accurately determine exactly how many individuals (and exactly who they are,) can enact the administrative task of being able to change the membership of the Domain Admins group. The reason this is so very important, and in fact paramount, is that because anyone who can change the membership of this group can add anyone else to the group and/or remove any existing member from the group!

Similarly, consider the default Administrator account in Active Directory, or for that matter the domain user account of any and every privileged user in Active Directory. Organizations must know at all times exactly who can enact the administrative task of being able to reset the password of each one of these domain user accounts. The reason this too is so very important, and in fact paramount, is that because anyone who can reset the password of any one of these accounts can instantly login as that account, and of course, if he/she can do so, he/she now 0wns your entire Kingdom!

In fact, it is not just group membership changes and password resets that can be used to gain administrative/privileged access in Active Directory. Any individual who enact the task of being able to modify the ownership or the permissions protecting any one of numerous direct and indirect administrative accounts and groups and/or certain objects in Active Directory, is just one step away from being a highly privileged user in Active Directory, and thus must be considered to be equally privileged.

In days to come, I'll shed some light on the various administrative tasks that one can perform in Active Directory to gain/escalate privileged access in Active Directory. That blog post will be Part II of this post. If you need to know right away, you can read this.

The Key to it All

There are some who albeit new to the subject may have at least realized that those who can enact administrative tasks such as password resets, group membership changes etc. also in effect possess the equivalent of privileged access in Active Directory.

Some of them may also claim to offer free tooling that can help organizations identify "Stealthy Admins in Active Directory."

As former Microsoft Program Manager for Active Directory Security, I can almost state with a high degree of confidence that these folks too may be making the classic mistake of mistaking "Who has what permissions in Active Directory" for "Who has what effective permissions in Active Directory", and thus their tooling too (just like this tool and Bloodhound) might also very likely be substantially and dangerously inaccurate, and thus may be delivering vastly incomplete or inaccurate data, reliance upon which could put in jeopardy the security of any organization relying on that data.

To help all such folks, allow me to share that the key to being able to accurately figure out who can enact which administrative tasks in Active Directory lies in being able to accurately determine effective permissions / effective access in Active Directory.

Let me repeat that - the Key to identifying privileged users in Active Directory lies in Active Directory Effective Permissions.

For instance, consider the ACL protecting a domain user account in Active Directory. Just because there exists an ACE in the ACL of this Active Directory object granting a security group, say Group X, to which a user John Doe might belong, say "Allow Group X Reset Password" permissions, it does NOT imply that that specific user John Doe might actually be able to reset that account's password, as there could easily be one or more ACEs, such as a "Deny Group Y All Extended Rights" that could effectively negate the allow access granted by the first ACE, if John Doe were also directly or indirectly a member of Group Y.

I say it could because ultimately it all depends on numerous factors, such as to begin with, which ACE is explicit in nature and which one is inherited, which one allows access and which one denies access, what combination of permissions are they allowing/denying, whether or not they actually apply to the object etc. etc. Further, there could easily be hundreds of ACEs in that (and in each) Active Directory object's ACL, and it is absolutely possible that each one could potentially impact the access granted/denied by each other one!

Those who know the subject well know that the what I've shared above is a super highly simplified example of Active Directory effective permissions are, so perhaps I should share a few helpful pointers to help illustrate this subtle yet profound difference.

Here's some recommended reading to help understand the subtle but profound difference between "Who has what permissions in Active Directory" and "Who has what effective permissions in Active Directory" - Active Directory Effective Permissions

Lastly, for those who truly want to understand this paramount subject, may I recommend reading the patent that governs the accurate determination of who actually has what effective access in Active Directory - United States Patent # 8429708.

As to how to actually discover stealthy admins in Active Directory,
that will follow in part II of this blog post, in a few days.

That's all for now.

The next post (within 5 days) will be Part II of  How To Identify & Thwart Sneaky Persistence in Active Directory.


No comments:

Post a Comment