Active Directory Security Blog - Official Blog of Former Microsoft Program Manager for Active Directory Security<br />
<br />
<b>New Coordinates</b> (published 2021-05-25)<br />
<p> Folks,</p><p>I hope this finds you all doing well. As some of you may know, over the years, I have shared numerous perspectives on <span style="color: #cc0000;">foundational cyber security</span> and on <span style="color: #cc0000;">Active Directory security</span>, both here (i.e. on this blog) and at my <a href="https://www.cyber-security-blog.com" target="_blank">first</a> blog.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipj0NfRFrFtywXkXjEOyiuWrCTsGokEUJ3WBWftwxqy3_9iYkKKmkJPxVR6zIj9KSEAD-MUPYqx_PrmkshfGGh1I-wmWXcSp492_XDeZCmnSlsBmGgMvylSaEEakiCvymGBpKBefJCGBJz/s900/Vantage+Point.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="900" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipj0NfRFrFtywXkXjEOyiuWrCTsGokEUJ3WBWftwxqy3_9iYkKKmkJPxVR6zIj9KSEAD-MUPYqx_PrmkshfGGh1I-wmWXcSp492_XDeZCmnSlsBmGgMvylSaEEakiCvymGBpKBefJCGBJz/w640-h426/Vantage+Point.jpg" width="640" /></a></div><p>Unfortunately, given my <a href="https://www.paramountdefenses.com" target="_blank">immense responsibilities</a> today, and the sheer paucity of time, I will no longer be able to share my perspectives on multiple blogs, so from now on, I will mostly be sharing my perspectives at the <a href="https://blog.paramountdefenses.com" target="_blank">Paramount Defenses Blog</a>.</p><p>I recently penned two relevant 
posts, including <a href="https://blog.paramountdefenses.com/2021/05/whats-common-between-colonial-pipeline-hack-and-solarwinds-breach.html" target="_blank">What's common between the Colonial Pipeline Hack and the SolarWinds Breach</a> and one on what actually was <a href="https://blog.paramountdefenses.com/2021/05/at-the-heart-of-the-solarwinds-breach.html">At the Heart of the SolarWinds Breach</a>, i.e. none other than <a href="https://blog.paramountdefenses.com/2021/05/at-the-heart-of-the-solarwinds-breach.html" target="_blank">Privileged Access in Active Directory</a>.</p><p>The URL for my new coordinates is - <a href="https://blog.paramountdefenses.com">https://blog.paramountdefenses.com</a></p><p>Thanks,<br />Sanjay</p>
<br />
<b>Coming Soon - "Active Directory Security Beyond the MCT"</b> (published 2020-04-28)<br />
Folks,<br />
<br />
From the U.S. Dept. of Defense to Microsoft, over 85% of organizations worldwide operate on Microsoft Active Directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu3kFB-wkIbbAiUVvXqLuCqVUHVjSBeO25HpC5Yv31YfVA_PPUFceMeZLZLfI4kKO_b9OAauCPsbqIM77_DZPziFqLEcT2P8Q35-O0dwfIY7fIrdLpBb1t9F-OIUOTXJmaWTGp6kuTDfOd/s1600/Active-Directory-Security.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu3kFB-wkIbbAiUVvXqLuCqVUHVjSBeO25HpC5Yv31YfVA_PPUFceMeZLZLfI4kKO_b9OAauCPsbqIM77_DZPziFqLEcT2P8Q35-O0dwfIY7fIrdLpBb1t9F-OIUOTXJmaWTGp6kuTDfOd/s640/Active-Directory-Security.jpg" width="640" /></a></div>
<br />
The security of <a href="https://www.paramountdefenses.com/insights/active-directory.html" target="_blank">foundational</a> Active Directory deployments worldwide is thus paramount to cyber security worldwide, and yet, unfortunately, the Active Directory deployments of most organizations remain <a href="https://www.paramountdefenses.com/insights/the-paramount-brief.html" target="_blank">alarmingly</a> vulnerable to compromise.<br />
<br />
To help thousands of organizations adequately bolster their existing Active Directory security defenses, and to help millions of cyber security and IT personnel worldwide enhance their proficiency in this paramount subject, starting May 05, 2020, I will personally share vital Active Directory security insights for everyone's benefit at the <a href="https://blog.paramountdefenses.com/" target="_blank">Paramount Defenses Blog</a>.<br />
<br />
Save the date - <span style="color: #cc0000;">May 05, 2020</span><span style="color: #cc0000;">.</span> <br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
<br />
PS: Until then, if you're into Active Directory Security, here's some <a href="https://blog.paramountdefenses.com/2020/01/advanced-active-directory-security-insights.html" target="_blank">recommended reading</a>.<br />
<br />
<b>Bloodhound for Active Directory: Bloody Inaccurate</b> (published 2020-02-24)<br />
Folks,<br />
<br />
As former Microsoft Program Manager for Active Directory Security, and today as CEO of Paramount Defenses, my time is EXTREMELY valuable, so I don't have too much time for blogging etc., but I wanted to make a very important point today.<br />
<br />
<br />
<b><span style="color: #cc0000;">Bloodhound for AD</span></b><br />
<br />
There's a tool out there called <b>Bloodhound for AD</b> (Active Directory), and it is designed to analyze an organization's Active Directory security permissions and find privilege escalation paths leading to all-powerful privileged AD accounts.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi96u0_1blEMQfc6gHlYMP3IQZAvoV4BWBf0FH8riscWgOMNeEebyswrRaVBA4JcgaXbKB0Vwas6gEdtGAGGbVnmV2R_jksCn42pYsxItYNWMjJV0V2kmumRiBcLp9WK9VRHmDVFIGaZGo/s1600/Active-Directory-Security.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="1096" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi96u0_1blEMQfc6gHlYMP3IQZAvoV4BWBf0FH8riscWgOMNeEebyswrRaVBA4JcgaXbKB0Vwas6gEdtGAGGbVnmV2R_jksCn42pYsxItYNWMjJV0V2kmumRiBcLp9WK9VRHmDVFIGaZGo/s640/Active-Directory-Security.jpg" width="640" /></a></div>
<br />
Over the years, it's gained a lot of attention, and from what I'm told, today hundreds of thousands, if not millions, of Red and Blue Teamers worldwide use Bloodhound to find privilege escalation paths in Active Directory deployments.<br />
<br />
In fact, these days even $10B cyber security companies like <b>CrowdStrike</b> write about Bloodhound, as can be seen <a href="https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/" rel="nofollow" target="_blank">here</a>; sadly, when they do so, all they do is show the whole wide world just how little they too know about Active Directory Security.<br />
<br />
<br />
<br />
<b>Bloodhound for AD - <span style="color: #cc0000;">Bloody Inaccurate </span></b><br />
<br />
Folks, please pardon my French, but when someone can design a tool to exploit weaknesses in Active Directory deployments, which could then be used to harm organizations, and call it <i>Bloodhound</i>, then I hope its designers and the world won't mind if I accordingly use the word <span style="color: #cc0000;">BLOODY</span> in pointing out just how <span style="color: #cc0000;">INACCURATE</span> this tool actually is.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVpyJRjzIDRyMq8BNBAhvtjalxAK3st7VEly1y4rHt3OLMkSwLLm4LJVeBNsJQ4C_P4w8tmGICNu2UcIf7khpQq0JHVU9Wixm5w5T7qjnrH6v3fMIJvMca8mIldRDp6SJfIKlpN6u0DAw/s1600/Yours-Truly.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1068" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVpyJRjzIDRyMq8BNBAhvtjalxAK3st7VEly1y4rHt3OLMkSwLLm4LJVeBNsJQ4C_P4w8tmGICNu2UcIf7khpQq0JHVU9Wixm5w5T7qjnrH6v3fMIJvMca8mIldRDp6SJfIKlpN6u0DAw/s640/Yours-Truly.jpg" width="640" /></a></div>
<br />
I've personally tested Bloodhound, and in less than two minutes, I was able to determine that it is not accurate. I spent fifteen more minutes testing several advanced factors involved in Active Directory security, and it seemed to fail virtually all of them.<br />
<br />
In less than 15 minutes, I was able to factually (technically) determine that Bloodhound's results were far from being accurate.<br />
<br />
<br />
<br />
<br />
<b>Details and <span style="color: #cc0000;">Proof</span></b><br />
<br />
I've invested almost twenty years of my life in being the best in the world at Active Directory Security, so I'm NOT about to provide FREE feedback to whoever built this tool to help them make it accurate, because conceptually this tool empowers bad guys to exploit weaknesses and take out good guys. I'd encourage them to work harder to learn more, and figure it out on their own.<br />
<br />
I'll share the ESSENCE of what makes it bloody inaccurate - it does not take <a href="https://www.paramountdefenses.com/insights/active-directory-effective-permissions.html" target="_blank">THIS</a> one essential technicality into account.<br />
<br />
That said, to anyone who may want <span style="color: #cc0000;">proof</span> that Bloodhound is inaccurate, all one has to do is <span style="color: #cc0000;">compare</span> its output on even just a few core test cases, with the output of the world's <span style="color: #cc0000;">only</span> accurate Active Directory privileged access audit tool, Gold Finger.<br />
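The "essential technicality" the post points at is effective permissions: what a principal can actually do to an object once group nesting, explicit and inherited ACEs, Deny entries and ownership are evaluated together, as opposed to what a listing of Allow ACEs suggests. The following is an added illustration, not code from this post, from Gold Finger or from Bloodhound: a simplified model of Windows DACL evaluation run over constructed principals, groups and ACEs (real Active Directory access masks and object-specific, GUID-scoped ACEs are richer than the four bits modelled here).

```python
from dataclasses import dataclass

# Simplified access-right bits, constructed for this illustration. Real Active
# Directory access masks are richer, and many rights are object-specific
# (GUID-scoped) ACEs, which this model does not represent.
WRITE_PROPERTY = 0x01
WRITE_DACL = 0x02
WRITE_OWNER = 0x04
GENERIC_ALL = WRITE_PROPERTY | WRITE_DACL | WRITE_OWNER


@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    allow: bool      # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    mask: int        # access bits this entry covers
    inherited: bool  # inherited from a parent container (True) or explicit (False)


def expand_groups(principal, membership):
    """Transitive group expansion: every identity a principal's token would carry."""
    token = {principal}
    stack = [principal]
    while stack:
        member = stack.pop()
        for group in membership.get(member, ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token


def canonical_order(dacl):
    """Windows canonical ACE order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def listed_rights(principal, dacl, membership, owner=None):
    """The 'who appears in an Allow ACE' view: OR together every Allow entry
    whose trustee is in the token, ignoring Deny entries, order and ownership."""
    token = expand_groups(principal, membership)
    mask = 0
    for ace in dacl:
        if ace.allow and ace.trustee in token:
            mask |= ace.mask
    return mask


def effective_rights(principal, dacl, membership, owner=None):
    """MAXIMUM_ALLOWED-style evaluation: walk the DACL in canonical order; an
    earlier Deny blocks bits a later Allow would grant, and an earlier Allow
    keeps bits a later Deny would remove."""
    token = expand_groups(principal, membership)
    granted = 0
    denied = 0
    if owner in token:
        # The object owner implicitly holds WRITE_DACL (and READ_CONTROL)
        # whether or not any ACE says so.
        granted |= WRITE_DACL
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted


# Constructed sample data: a nested group, an explicit Deny that overrides an
# inherited Allow, an explicit Allow that survives an inherited Deny, and an
# owner who appears in no ACE at all.
MEMBERSHIP = {
    "alice": {"HelpDesk"},
    "bob": {"HelpDesk", "Contractors"},
    "carol": {"Ops-L2"},
    "Ops-L2": {"Tier1-Ops"},
    "dave": {"Legacy-Admins"},
}
DACL = [
    Ace("HelpDesk", allow=True, mask=WRITE_PROPERTY, inherited=True),
    Ace("Contractors", allow=False, mask=WRITE_PROPERTY, inherited=False),
    Ace("Tier1-Ops", allow=True, mask=GENERIC_ALL, inherited=False),
    Ace("Legacy-Admins", allow=True, mask=WRITE_DACL, inherited=False),
    Ace("Legacy-Admins", allow=False, mask=WRITE_DACL, inherited=True),
]
OWNER = "erin"


def discrepancies(principals, dacl=DACL, membership=MEMBERSHIP, owner=OWNER):
    """Principals whose Allow-ACE listing and effective rights disagree."""
    out = {}
    for p in principals:
        listed = listed_rights(p, dacl, membership, owner)
        effective = effective_rights(p, dacl, membership, owner)
        if listed != effective:
            out[p] = (listed, effective)
    return out


if __name__ == "__main__":
    for who, (listed, effective) in discrepancies(["alice", "bob", "carol", "dave", "erin"]).items():
        print(f"{who}: listed=0x{listed:02x} effective=0x{effective:02x}")
```

On this data the listing over-reports bob (an explicit Deny on Contractors removes the inherited HelpDesk grant) and under-reports erin (ownership confers WRITE_DACL with no ACE at all), while carol's nested membership and dave's explicit-over-inherited Allow come out the same either way.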
<br />
<br />
<br />
<br />
<b>Gold Finger for AD - The GOLD Standard</b><br />
<br />
Even after a decade, there's still only one tool on planet Earth that can <span style="color: #cc0000;">ACCURATELY</span> determine privileged access in Active Directory, based on the accurate determination of effective permissions, and it is the world's ONLY accurate privileged access audit tool for Microsoft Active Directory - the Microsoft-endorsed <b><a href="https://www.paramountdefenses.com/products/goldfinger.html" target="_blank">Gold Finger</a></b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.paramountdefenses.com/products/goldfinger.html" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="747" data-original-width="1600" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQxA1_y2uD_rSbdSf2NAPvuGN5qTybAIEEYRjOTPbicC6fFHQJvsJul8GP_FLgskHLBG-L-W8oQFZRbYAp5zrbumcIaHMNWW8QXUbKgi91QfUPqYdlUfvQQ_pGUFXxNbpEEcuIi7gu9aw/s640/The-Gold-Standard.jpg" width="640" /></a></div>
<br />
Over the last decade, from the United States <span style="color: #cc0000;">Department of Defense</span> to the United States <span style="color: #cc0000;">Treasury</span>, the world's most powerful and important government and business organizations across six continents worldwide have used and <a href="https://www.paramountdefenses.com/company/customers.html" target="_blank">trusted</a> Gold Finger to make these paramount determinations in their foundational Active Directory deployments.<br />
<br />
Gold Finger includes the world's <span style="color: #cc0000;">best</span> Active Directory ACL Analyzer, ACL Exporter, Permissions Analyzer, the world's only accurate Active Directory Effective Permissions Calculator, the world's only accurate Active Directory Effective Access Auditor, AND most importantly, the world's <span style="color: #cc0000;">only</span> accurate, fully-automated, domain-wide Privileged Access Auditor for Active Directory.<br />
<br />
<br />
<span style="color: #cc0000;">Now</span>, unlike those who built Bloodhound and made it available for free, we do NOT license Gold Finger to individuals; we only license it to legitimate organizations, and only for use in their own Active Directory deployments, for a very simple reason.<br />
<br />
The reason very simply is that the <span style="color: #cc0000;">information</span> that Gold Finger can <span style="color: #cc0000;">uniquely</span> determine and reveal can <span style="color: #cc0000;">ACTUALLY</span> be used to either protect and lock down or compromise and take down entire $Billion/Trillion companies, all within a matter of <span style="color: #cc0000;">minutes</span>.<br />
<br />
<br />
<br />
<br />
<br />
<b>A <span style="color: #cc0000;">Much</span> Bigger Problem</b><br />
<br />
From a technical standpoint, it's hard to have an issue with its concept, as it seems to be a penetration testing tool that seeks to identify exploitable privilege escalation paths leading to Domain-Admin equivalent <a href="https://www.paramountdefenses.com/insights/privileged-access.html" target="_blank">privileged accounts</a> in Active Directory.<br />
<br />
What <span style="color: #cc0000;">amazes</span> me and should amaze everyone is that even with its limited accuracy, based on its ability to take basic factors into account, those using it can still easily find so very many privilege escalation paths in almost any Active Directory deployment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx7x0zTOOyhBgLJPOhEHRaCGk8cMBcqoExiGRSVbfpefC8shI-W9tq1maJCLb4Odr6e92f1ZiZAC-XGoE5O5dQT4ftHum6yQMR5qhDfbkZjr1tXr0k5-V0LvNRnEewyxeQtq2-kPRLdfA/s1600/Most-Organizations.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="1259" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx7x0zTOOyhBgLJPOhEHRaCGk8cMBcqoExiGRSVbfpefC8shI-W9tq1maJCLb4Odr6e92f1ZiZAC-XGoE5O5dQT4ftHum6yQMR5qhDfbkZjr1tXr0k5-V0LvNRnEewyxeQtq2-kPRLdfA/s640/Most-Organizations.png" width="640" /></a></div>
<br />
There's a <span style="color: #cc0000;">MUCH</span> bigger problem here, which is that even today, 99% of organizations operating on Active Directory either do not know enough about Active Directory Security to care to lock it down, or do not know how to <a href="https://www.paramountdefenses.com/insights/how-to-correctly-audit-privileged-access-in-active-directory.html" target="_blank">correctly audit</a> and lock down privileged access in their Active Directory, as a result of which they all remain massively vulnerable.<br />
<br />
That is a <span style="color: #cc0000;">far more concerning problem</span> than a tool like this, because this is merely one tool. Proficient hackers could easily write their own tools to identify and exploit such privilege escalation paths in Active Directory, AND until organizations accurately identify and lock down privileged access in their Active Directory, they will remain <a href="https://www.paramountdefenses.com/insights/the-paramount-brief.html" target="_blank">substantially exposed</a> to compromise.<br />
<br />
<br />
<br />
<br />
<b>Time's <span style="color: #cc0000;">Up</span></b><br />
<br />
That's it. That's all the time I had for this. I'll end on this - just because millions of people use something doesn't mean it is accurate; it just means that these millions of people TOO may not yet know enough (or anything at all) about Active Directory Security.<br />
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<br />
PS: If <span style="color: #cc0000;">you</span> want to <span style="color: #cc0000;">learn</span> <b>Active Directory Security</b>, reading the <span style="color: #cc0000;">contents</span> of the <span style="color: #cc0000;">list</span> in <a href="https://blog.paramountdefenses.com/2020/01/advanced-active-directory-security-insights.html" target="_blank">this <span style="font-size: large;">1</span> post</a> alone is a good place to <span style="color: #cc0000;">start</span>.<br />
<br />
<b>Advanced Active Directory Security Insights</b> (published 2020-01-21)<br />
Folks,<br />
<br />
Today, I just wanted to share a few advanced cyber security insights on Active Directory Security -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ2_0wRvlOzdN6ziPe32JenrKLABS8wNbSlKSwbzZLh92zkTQ3_b4zMfW__4indkUegoFWhuxmcvDz9Yzrtd7Rn82K5bdK1iREPDjUE4BmtPnExAZBX0pF6-QsgdBtk_e3xRTj80jZYcqv/s1600/Laser+Focused.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="1600" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ2_0wRvlOzdN6ziPe32JenrKLABS8wNbSlKSwbzZLh92zkTQ3_b4zMfW__4indkUegoFWhuxmcvDz9Yzrtd7Rn82K5bdK1iREPDjUE4BmtPnExAZBX0pF6-QsgdBtk_e3xRTj80jZYcqv/s640/Laser+Focused.jpg" width="640" /></a></div>
<ol>
<li><a href="https://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">A Letter to Benjamin Delpy Regarding Mimikatz and AD Security</a></li>
<li><a href="https://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">How to Mitigate the Risk Posed by Mimikatz DCSync</a></li>
<li><a href="https://www.active-directory-security.com/2016/07/active-directory-beyond-the-mcse-for-black-hat-conference-2016.html" target="_blank">Active Directory Beyond the MCSE</a></li>
<li><a href="https://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">How to Discover Stealthy Admins in Active Directory</a></li>
<li><a href="https://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">How to Correctly Discover Shadow Admins in Active Directory</a></li>
<li><a href="https://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">Active Directory Access Control Lists - Actual Attack and Defense</a></li>
<li><a href="https://www.active-directory-security.com/2017/12/how-to-easily-solve-the-active-directory-botnet-problem.html" target="_blank">How to Easily Solve the Difficult Problem of Active Directory Botnets</a></li>
<li><a href="https://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html">How to Easily Identify and Thwart Sneaky Persistence in Active Directory</a></li>
<li><a href="https://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html">A Simple Trillion Dollar Active Directory Privilege Escalation Example</a></li>
<li><a href="https://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> - <span style="color: #cc0000;">Paramount</span> to Global Security</li>
</ol>
<br />
<br />
If you appreciate the above, then you may also appreciate <a href="https://www.paramountdefenses.com/insights/the-paramount-brief.html" target="_blank">this</a>.<br />
<br />
Best wishes,<br />
<a href="https://www.paramountdefenses.com/company/leadership.html" target="_blank">Sanjay</a>.<br />
<br />
<b>Active Directory Security - A Guide for CISOs</b> (published 2020-01-17)<br />
Folks,<br />
<br />
Over the last decade, we've had thousands of organizations reach out to us to request our assistance on numerous aspects of Active Directory Security, so we have a very good idea of exactly how well organizations worldwide, as well as their CISOs, understand the paramount importance of Active Directory Security today.<br />
<br />
In our vast experience, we have found that thousands of organizations worldwide still do not yet understand the paramount importance of securing and defending their foundational Active Directory, and unfortunately that is <span style="color: #cc0000;">deeply</span> concerning.<br />
<br />
<br />
Today cyber security begins at the top, so to help the CISOs of all organizations worldwide unequivocally understand the <a href="https://www.paramountdefenses.com/solutions/active-directory-security.html" target="_blank">paramount</a> importance of Active Directory Security, we released an <b>Executive Summary</b> on Active Directory Security -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.paramountdefenses.com/resources/guidance/Active-Directory-Security.pdf" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Active Directory Security" border="0" data-original-height="429" data-original-width="639" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixzx4VUojnhd4LG35qnIyOfUHpqHeoXPmOGWssRJGiM7wBdmyh21VOwYBl1DezA8KbwFWPHCBbzoC_9j1-8YecChp1oIvp30lh_q3k2KqpolETeHCX_fcqMXGjbnYjSjh-l_Geue4V1UN1/s1600/Active-Directory-Security.png" title="Active Directory Security" /></a></div>
<br />
This simple <span style="color: #cc0000;">Executive Summary</span> (PDF) can be downloaded from here - <a href="https://www.paramountdefenses.com/resources/guidance/Active-Directory-Security.pdf" target="_blank">Active Directory Security</a>.<br />
<br />
<br />
In the interest of their organization's foundational security, I highly recommend that all CISOs worldwide read it.<br />
<br />
Best wishes,<br />
<a href="https://www.paramountdefenses.com/company/leadership.html">Sanjay</a>.<br />
<br />
<b>A Simple Question for all Self-Proclaimed Active Directory Security Experts</b> (published 2020-01-07)<br />
Folks,<br />
<br />
As former Microsoft Program Manager for Active Directory Security, I find it <span style="color: #cc0000;">amusing</span> every time I come across some Active Directory vendor's or self-proclaimed AD security expert's website that claims that they know Active Directory Security well.<br />
<br />
(You see, not one of these Active Directory Security vendors or self-proclaimed Active Directory security experts seems to have a CLUE as to the most important Active Directory Security Capability in the world, let alone possessing that paramount capability.)<br />
<br />
So, I thought I'd pose a very simple Active Directory Security question to all Active Directory Security vendors and experts -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDot1eLAUu2_I6atDNBpT2R0JupX2hSNC6EWFXugnJRCYWrfZRsiW90-edNZNftaNiiKv-FCZJ8G_5I70cb9QMZ27IUdZN-ThtxNZb0m7dzI6Un2-HJA3mgE3CW8SnJb1JV007Gdu2eZE/s1600/Seriously.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1068" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDot1eLAUu2_I6atDNBpT2R0JupX2hSNC6EWFXugnJRCYWrfZRsiW90-edNZNftaNiiKv-FCZJ8G_5I70cb9QMZ27IUdZN-ThtxNZb0m7dzI6Un2-HJA3mgE3CW8SnJb1JV007Gdu2eZE/s640/Seriously.jpg" width="640" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-size: x-large;">Q</span><span style="font-size: large;">uestion</span>: <span style="font-size: large;">Do you know the answer to <a href="https://www.cyber-security-blog.com/2020/01/who-needs-wmds-today.html" target="_blank">this</a> ONE simple question?</span></div>
<br />
<br />
Specifically, in that question, I have shared a simple non-default string, and I have indicated that it is a cause for great concern.<br />
<br />
What I would like to know is what it represents and why it is a great cause of concern for 85% of organizations worldwide.<br />
<br />
On a scale of 1 to 10, 1 being easy and 10 being difficult, I'd rate this question as a 3, so if you're truly an Active Directory expert, this should be easy for you, and shouldn't take you a minute. You can leave your answer in a comment below.<br />
<br />
<br />
Here's your chance to impress me (and the whole world.) Oh, and Microsoft employees too may feel free to take a shot ;-)<br />
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<b>What is Active Directory, and Why Is it Important?</b> (published 2020-01-06)<br />
Folks,<br />
<br />
Today is January 06, 2020, and as <a href="https://www.active-directory-security.com/2019/12/its-time-to-help-secure-active-directory-worldwide.html" target="_blank">promised</a>, here I am getting back to sharing thoughts on Active Directory Security.<br />
<br />
<br />
<b>Back to the Basics (Cyber Security <span style="color: #cc0000;">101)</span></b><br />
<br />
I'd like to kick off this blog this year/decade by asking and answering a very simple yet vital question - <span style="color: #cc0000;"><b>What</b> is Active Directory?</span><br />
<br />
You see, while this question may seem simple to some (and it is), it's one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies <span style="color: #cc0000;">the key</span> to organizational cyber security worldwide.<br />
<br />
The reason is very simple - if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and of course, since "<b>who really cares about a phone book</b>" it is <b>this</b> shallow view that leads so many organizations to greatly diminish the value of Active Directory to the point of sheer negligence!<br />
<br />
In fact, for years now, this has been the predominant view held by most CISOs and organizations worldwide, and sadly it is because of the negligence resulting from such a simplistic view of Active Directory that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.<br />
<br />
<br />
<br />
<b>Active Directory - The Very <span style="color: #cc0000;">Foundation</span> of Organizational Cyber Security Worldwide</b><br />
<br />
If, as they say, "<i>A Picture is Worth a Thousand Words</i>", perhaps I should paint you a very simple Trillion $ picture -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbQgQRlEkHI9BuvuodlUN40ajtLMpoVF8oX5ybQl-oYs-2Ry1-l9u7r3JsobSWhqtFk4ybGizuiWNeOjsG4SaKxKyiFZl7DYbB4-NHkQ8SN6k6-KxBRQPKMuOfKEDfMSzeYUrpe9iGAA7O/s1600/microsoft-active-directory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="615" data-original-width="634" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbQgQRlEkHI9BuvuodlUN40ajtLMpoVF8oX5ybQl-oYs-2Ry1-l9u7r3JsobSWhqtFk4ybGizuiWNeOjsG4SaKxKyiFZl7DYbB4-NHkQ8SN6k6-KxBRQPKMuOfKEDfMSzeYUrpe9iGAA7O/s1600/microsoft-active-directory.png" /></a></div>
<br />
An organization's Active Directory deployment is quite simply its single most valuable IT and corporate asset, worthy of the highest protection at all times, because <span style="color: #cc0000;">it is the very <b>foundation</b></span> of an organization's cyber security.<br />
<br />
You see, <span style="color: #cc0000;">the entirety</span> of an organization's building blocks of cyber security i.e. <span style="color: #cc0000;">all</span> organizational user accounts and passwords used to <span style="color: #cc0000;">authenticate</span> their people, <span style="color: #cc0000;">all</span> security groups used to <span style="color: #cc0000;">authorize</span> access to all their IT resources, <span style="color: #cc0000;">all</span> their privileged user accounts, <span style="color: #cc0000;">all</span> the accounts of all their computing devices (laptops, desktops, servers etc.) are <span style="color: #cc0000;">all</span> stored, managed and secured <span style="color: #cc0000;"><b>in</b></span> (i.e. inside) the organization's foundational Active Directory, and all sensitive/privileged actions on them are <span style="color: #cc0000;">audited</span> in it.<br />
<br />
In other words, should an organization's foundational Active Directory, or even a single Active Directory privileged user account, be compromised, the very foundation of the organization's cyber security, and thus the entire organization could be exposed to the risk of complete, swift and colossal compromise.<br />
<br />
<br />
<br />
<b>Active Directory Security Must Be <span style="color: #cc0000;">Organizational Cyber Security</span> <span style="color: #cc0000;">Priority #1</span></b><br />
<br />
Ensuring the highest protection of an organization's foundational Active Directory deployment <span style="color: #cc0000;">must,</span> without a doubt, be the <span style="color: #cc0000;"><b>#1</b></span> priority of every organization that cares about cyber security, protecting shareholder value and business continuity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzRqEJ_ASxoMiA-Q7b9BjN8pOLlcet68mOmbVll1fBfFxUKJI127TEmEBiPm1K_iATlBy-2mAL2m-41WpzUc3A4vV_vsAcKMyG8kk8QZfCg5FcYTbZ2k_104SU4kS8_-3fiz2nkiFTsoA6/s1600/active-directory-security-is-paramount.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="1600" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzRqEJ_ASxoMiA-Q7b9BjN8pOLlcet68mOmbVll1fBfFxUKJI127TEmEBiPm1K_iATlBy-2mAL2m-41WpzUc3A4vV_vsAcKMyG8kk8QZfCg5FcYTbZ2k_104SU4kS8_-3fiz2nkiFTsoA6/s640/active-directory-security-is-paramount.jpg" width="640" /></a></div>
<br />
<div style="text-align: center;">
Here's why - A deeper, detailed look into <a href="https://blog.paramountdefenses.com/2020/01/what-is-active-directory.html"><span style="font-size: x-large;">What is Active Directory?</span></a></div>
<br />
<br />
For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc., ultimately relies on Active Directory (and on its security).<br />
<br />
<br />
In essence, today every organization in the world is <span style="color: #cc0000;">only as secure</span> as its foundational Active Directory deployment, and from the <a href="https://www.paramountdefenses.com/insights/for-ceos.html" target="">CEO</a> to the <a href="https://www.paramountdefenses.com/insights/for-cisos.html" target="">CISO</a>, from <a href="https://www.paramountdefenses.com/insights/for-it-managers.html" target="_blank">IT Managers</a> to <a href="https://www.paramountdefenses.com/insights/for-security-and-compliance-auditors.html" target="_blank">Auditors</a> and from <a href="https://www.paramountdefenses.com/insights/for-domain-admins.html" target="_blank">Domain Admins</a> to <a href="https://www.paramountdefenses.com/insights/for-citizens.html" target="">employees</a>, everyone should know <a href="https://www.paramountdefenses.com/insights/active-directory.html">this</a> fact.<br />
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<b>It's Time to Help Secure Active Directory Worldwide</b> (Sanjay, 2019-12-06)<br />
<br />
Folks,<br />
<br />
I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some <a href="https://www.paramountdefenses.com/" target="_blank">perspective</a>, getting <a href="https://www.paramountdefenses.com/products/goldfinger-007g.html" target="_blank">007G</a> ready for launch, and dealing with a certain nuisance.<br />
<br />
Having successfully accomplished all three objectives, it is now finally TIME to help thousands of organizations worldwide adequately secure and defend their foundational <a href="https://www.paramountdefenses.com/insights/active-directory.html" target="_blank">Active Directory</a> deployments from the proverbial SKYFALL(ing on them).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtMQfUprj4bCPy_FdIf3B_Plwah_3ZBNN9SJW_KUJJqE1qSa0i1xJcf9Jdi2kZySYtJfJ4HwJRSb3WjchTV0dHTo14MlMndVEajSisf3QjEbH3A0YpmukeCmreFYI2KNMLy8f4jmIJkcg/s1600/Washington.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="1600" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtMQfUprj4bCPy_FdIf3B_Plwah_3ZBNN9SJW_KUJJqE1qSa0i1xJcf9Jdi2kZySYtJfJ4HwJRSb3WjchTV0dHTo14MlMndVEajSisf3QjEbH3A0YpmukeCmreFYI2KNMLy8f4jmIJkcg/s640/Washington.jpg" width="640" /></a></div>
<br />
I'm BLOWN away by just how little organizations (as well as AD/cyber security companies) worldwide seem to know and understand not just the paramount importance of, but also what it takes to adequately ensure Active Directory Security.<br />
<br />
<br />
When you <a href="https://www.paramountdefenses.com/insights.html" target="_blank">know</a> as much as I do, care as much as I do, and possess as much <a href="https://www.paramountdefenses.com/solutions.html" target="_blank">capability</a> as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.<br />
<br />
So, even though I barely have any time to do this anymore, in the interest of foundational cyber security worldwide, I'm going to start sharing some valuable perspectives again, and do so on three blogs - this one, <a href="https://www.cyber-security-blog.com/" target="_blank">that</a> one, and the one below.<br />
<br />
<br />
Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog - <a href="https://blog.paramountdefenses.com/">https://blog.paramountdefenses.com</a><br />
<br />
<br />
Stay tuned for high-value AD security insights right here from January 06, 2020 onwards,<br />
and let me take my leave with a befitting song (one of my favorites) -<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/q-gLRp5bSpw/0.jpg" frameborder="0" height="337" src="https://www.youtube-nocookie.com/embed/q-gLRp5bSpw?feature=player_embedded" width="600"></iframe></div>
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<br />
PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right <a href="https://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">here</a>.
<br />
<b>Pardon the Delay</b> (Sanjay, 2019-02-01)<br />
<br />
Folks,<br />
<br />
I trust this finds you doing well. The last time I blogged was on Nov 05, 2018, and I had said that it was <a href="https://www.active-directory-security.com/2018/11/time-to-help-microsoft-and-the-world.html" target="_blank">time to help Microsoft and the world</a> better understand Active Directory Security and that I would be sharing additional insights starting Nov 18, 2018.<br />
<br />
Please pardon the delay - something important came up, and<br />
today I'd like to share with you the reason for this delay...<br />
<br />
<br />
<b>One of the <span style="color: #cc0000;">World's Most Powerful Defense Organizations</span> Requested Our Assistance</b><br />
<br />
Back in Nov 2018, just as I was about to start blogging that series, one of the most powerful defense organizations in the world reached out to us requesting our assistance in correctly identifying privileged users within their foundational Active Directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXpSD6800_dl8htFxUzPoM_QKQiwwLepTq1L6WEx8KvrtduyngqB60q6zDDccBqX15hGHrti0-2-JVsmWEfphk3Ggu4sM6jc8bsa7N3ARD_zV4P-vDpgn6WR83pOx0uUe1WQw75yISrBg/s1600/Army.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="805" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXpSD6800_dl8htFxUzPoM_QKQiwwLepTq1L6WEx8KvrtduyngqB60q6zDDccBqX15hGHrti0-2-JVsmWEfphk3Ggu4sM6jc8bsa7N3ARD_zV4P-vDpgn6WR83pOx0uUe1WQw75yISrBg/s640/Army.jpg" width="640" /></a></div>
<br />
(You see, organizations that actually understand Active Directory Security know that there is ONLY <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html" target="_blank">one way</a> to correctly identify privileged access in Active Directory. Organizations that don't yet know this simple fact still resort to acquiring and using what basically are petty but pretty looking Active Directory permissions analyzers (and there still are 1000s of such organizations.))<br />
<br />
Whilst we were happy to assist them, due to certain operational constraints, it turned out that in order for us to help them, we would have to make some non-trivial changes to <a href="https://www.paramountdefenses.com/goldfinger.html" target="_blank">Gold Finger</a>. This was very important for them so we went straight to work.<br />
<br />
We put our entire development team to work, and we worked 60 days straight without taking a break; there were no Christmas holidays, no New Year's holidays, no weekends. There was only work, and within 60 days we had made and thoroughly tested all the enhancements required for us to be able to assist this one particular organization, and as a result, 1000s of others.<br />
<br />
As Gold Finger's architect, I too was substantially involved in the process, and as a leader, I too worked 60 days straight, and it is my privilege to share that earlier today we officially released Gold Finger version 6.5, complete with all the required changes.<br />
<br />
<br />
<br />
<b><span style="color: #38761d;">Introducing </span>Gold Finger 6.5</b><br />
<br />
Earlier today, we announced the release of Gold Finger v6.5, featuring amongst other enhancements, support for Windows 10.<br />
<br />
Here's the Press Release from this morning - <a href="https://www.businesswire.com/news/home/20190201005168/en/Paramount-Defenses-Releases-Gold-Finger-6.5-World's" target="_blank">Paramount Defenses Releases Gold Finger Version 6.5</a><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_rtC81NrRrPcxaQl0Tq2NnQxag0YoZ9PPUJGVTUyqbYf9-Hv8WP3mizGB_dkkwaC7-54ns0xeJii_xv0ivWJbfnFlD3gtzA77KAGGQuSTJnjFBzMLVX-VBZ4TUL0RY6FOZxG3vlS1two/s1600/Active-Directory-Privileged-User-Audit-Tool.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="738" data-original-width="1023" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_rtC81NrRrPcxaQl0Tq2NnQxag0YoZ9PPUJGVTUyqbYf9-Hv8WP3mizGB_dkkwaC7-54ns0xeJii_xv0ivWJbfnFlD3gtzA77KAGGQuSTJnjFBzMLVX-VBZ4TUL0RY6FOZxG3vlS1two/s640/Active-Directory-Privileged-User-Audit-Tool.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Gold Finger v6.5</td></tr>
</tbody></table>
<br />
If you can <b>touch</b> a button, you can <b>now</b> instantly, automatically and accurately determine exactly who has what privileged access, where and how, in any Active Directory, and on any Microsoft Windows operating system, <b>including</b> Windows 10!<br />
<br />
<br />
The free version of Gold Finger v6.5 is also available at - <a href="https://www.paramountdefenses.com/goldfinger.html">https://www.paramountdefenses.com/goldfinger.html</a><br />
<br />
<br />
With this little but important detour out of the way, you can expect me to get back to some blogging one of these days, because Microsoft and thousands of its customers worldwide still seem to need help understanding the very basics of Active Directory security, i.e. without the ability to accurately determine effective permissions in Active Directory, you cannot secure a single object in Active Directory, and by corollary you can't accomplish a single Active Directory security related objective, and that includes all the latest buzzwords - Privileged Access Management, Privileged Account Discovery, Zero-Trust, Blah Blah, etc. etc.<br />
<br />
So, thank you for pardoning the delay, and stay tuned! <br />
<br />
Any day now!<br />
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<b>It is TIME to Help Microsoft AND Thousands of Organizations Worldwide Better Understand Active Directory Security</b> (Sanjay, 2018-11-05)<br />
<br />
Folks,<br />
<br />
As former Microsoft Program Manager for Active Directory Security, and today as the CEO of Paramount Defenses, I feel that it is time to help the $800 Billion Microsoft, and 1000s of organizations worldwide better understand Active Directory Security.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9sH0rhRvAkkG94D43qpZIUu3jdOlkM_dGmNo6_Ovo98hIoc2X0GXMWsN3yqlBak2xjEMUwXzz9mReCjL2XFLMa_4bpucSOQiFaJLLh1pDRyC2MeNX616JkEIIRKTd4XKM8Wsxp59G5q4/s1600/Active-Directory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="636" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9sH0rhRvAkkG94D43qpZIUu3jdOlkM_dGmNo6_Ovo98hIoc2X0GXMWsN3yqlBak2xjEMUwXzz9mReCjL2XFLMa_4bpucSOQiFaJLLh1pDRyC2MeNX616JkEIIRKTd4XKM8Wsxp59G5q4/s640/Active-Directory.jpg" width="640" /></a></div>
<br />
Here's why - Over the last few years, 1000s of organizations from across over 150 countries worldwide have requested our assistance (completely unsolicited), so we know about the various challenges that most organizations have to deal with, and based on what we're seeing across the globe, the state of foundational cyber security worldwide seems to be worrisome.<br />
<br />
Incidentally, a large majority of these organizations do have several piece-meal cyber security controls such as Active Directory Auditing, Advanced Threat Analytics, Two-Factor Authentication, Privileged Session Managers, Password Vaults, Zero-Trust Security, Privileged Access Management (PAM) etc., <u>yet</u> their Active Directory deployments are still <span style="color: #cc0000;">likely <b>vastly </b>vulnerable</span>.<br />
<br />
<span style="color: #cc0000;">I'll say only this much</span> - TODAY Microsoft Active Directory is at the foundation of cyber security and privileged access at over 85% of all business and government organizations worldwide, AND the current state of awareness and (the substantially inadequate level of) protection afforded to these foundational Active Directory deployments is concerning enough that it warrants the attention of all stakeholders, including executive and IT leadership, customers and investors, worldwide.<br />
<br />
Thus, in weeks to come, we may reach out to the Executive Management of organizations worldwide to make them aware.<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5UrWLHM8mrlOfpsVIzl132miDASEwcD4EK1V4qB6mmbdXQOdrHtUNirr4bLYzBhTWkKA8eNhBTC9Jcsg9BUu9NBNODD8IwS3HvZMpeIj63BCfpDG1PRk95hDiZVczLarD1xOHFK0PzWs/s1600/Line.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="27" data-original-width="800" height="10" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5UrWLHM8mrlOfpsVIzl132miDASEwcD4EK1V4qB6mmbdXQOdrHtUNirr4bLYzBhTWkKA8eNhBTC9Jcsg9BUu9NBNODD8IwS3HvZMpeIj63BCfpDG1PRk95hDiZVczLarD1xOHFK0PzWs/s320/Line.png" width="320" /></a></div>
<br />
<br />
<span style="color: #cc0000;"><br /></span>
<span style="color: #cc0000;"><b>In addition</b></span>, to help educate Microsoft AND the world, starting next Monday, Nov 12, 2018, I'll be penning the following -<br />
<br />
<ol>
<li>Active Directory Security For Everyone - Why is Active Directory Security Paramount to Organizational Cyber Security?</li>
<br />
<li>Active Directory Security For Novices and Enthusiasts - A Closer Look at Active Directory's Security Model etc.</li>
<br />
<li>Active Directory Security for IT Admins and Security Auditors - An Overview of Active Directory Security Permissions</li>
<br />
<li>The World's Most Important Active Directory Need and Security Capability - Active Directory ___ ___</li>
<br />
<li>For Self-Proclaimed Active Directory Security Experts - Why <i>Analyzing Active Directory Security Permissions </i>is Useless</li>
<br /><br />
<li>For IT Managers and CISOs - The Billion $ Difference Between <i>Active Directory Auditing</i> and <i>Active Directory Audit</i></li>
<br />
<li>For all Organizations - What Happens When an Organization Deploys a Cheap Auditing Solution Built Overseas?</li>
<br />
<li>For Microsoft, Domain Admins and CISOs Worldwide - What Constitutes a Privileged User in Active Directory?</li>
<br />
<li>For the CyberArks of the World - How to Correctly Identify/Audit Privileged Access/Users in Active Directory?</li>
<br />
<li>For All Audit Organizations Worldwide - Are You Sure Your Auditors Know How to Correctly Audit Active Directory?</li>
<br /><br />
<li>To All Cloud & Cyber Security Companies Worldwide - Isn't Active Directory at the Very Foundation of Your Security Too?</li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyduRDU8FMAg-TXsBJe1r2JRisu-YbIqGDw7JTb5iKP1tjlwiemw9ZM6PJsbnuBlV406z6KFqvcEeq8LK9fgA6YmAGq3IMY362VpRsRqwTG3JhFoOVM5VfH5lxpRB02f-LeosyOzLgsEk/s1600/Line.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="27" data-original-width="800" height="10" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyduRDU8FMAg-TXsBJe1r2JRisu-YbIqGDw7JTb5iKP1tjlwiemw9ZM6PJsbnuBlV406z6KFqvcEeq8LK9fgA6YmAGq3IMY362VpRsRqwTG3JhFoOVM5VfH5lxpRB02f-LeosyOzLgsEk/s320/Line.png" width="320" /></a></div>
<br />
<div style="text-align: left;">
<span style="color: #cc0000;"><br /></span></div>
<div style="text-align: left;">
<span style="color: #cc0000;">Finally, for C*Os worldwide</span>, I penned this today - <a href="https://www.cyber-security-blog.com/2018/11/cyber-security-101-for-the-c-suite.html" target="_blank">Cyber Security 101 for the C-Suite - Active Directory Security is Paramount</a>.<br />
<div>
<br /></div>
</div>
<br />
Ideally, Microsoft should be doing this (i.e. helping adequately educate their customers worldwide), but it appears that these days all they seem to care about is that new fad called "The Cloud", so we're left with no choice but to do this for the world.<br />
<div>
<br /></div>
<span style="color: #cccccc;">Very well then, onward to Nov 12, 2018, right here.</span><br />
<br />
<br />
Sincerely,<br />
<a href="https://www.paramountdefenses.com/leadership.html" target="_blank">Sanjay</a><br />
<br />
<b>Looking for a Few Good Active Directory Security Experts</b> (Sanjay, 2018-10-31)<br />
<br />
Folks,<br />
<br />
In days to come, I'll be helping thousands of organizations worldwide better understand Active Directory Security essentials / fundamentals, so that they can adequately secure and defend their foundational Active Directory deployments.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVLTtlIUi6kR7VSO5zgJxWl4WGZjjh7rnRKybji38EnKuHzdJyTTavfqrPf_mu78b1aFuxC_4VvJww-pWeQtGSxuBu5Fd5m53Z5kCw7VY3R8fowbSGWVOa7PA5558JS0MoIlinqxKTeKM/s1600/American-Leadership.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1192" data-original-width="1600" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVLTtlIUi6kR7VSO5zgJxWl4WGZjjh7rnRKybji38EnKuHzdJyTTavfqrPf_mu78b1aFuxC_4VvJww-pWeQtGSxuBu5Fd5m53Z5kCw7VY3R8fowbSGWVOa7PA5558JS0MoIlinqxKTeKM/s640/American-Leadership.jpg" width="640" /></a></div>
<br />
Although we have no dearth of resources, I'm looking for a few good external Active Directory Security Experts (e.g. DS MVPs) who may be willing to assist in this noble objective, so if you're interested, please feel free to <a href="https://www.linkedin.com/in/sanjaytandon" target="_blank">connect</a>, and I'll tell you more.<br />
<br />
We're all in it together, <span style="color: #000077;">and</span> <span style="color: #cc0000;">together</span> we can make a difference.<br />
<br />
Thanks,<br />
Sanjay<br />
<br />
PS: If you understand <a href="https://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">this stuff</a>, you're ready to help.<br />
<br />
<b>How Massive Could the Impact of an Active Directory Security Breach Be?</b> (Sanjay, 2018-10-28)<br />
<br />
Folks,<br />
<br />
Today I'd like to ask a simple but <span style="color: #cc0000;">paramount question</span>, the answer to which impacts not just <a href="https://www.paramountdefenses.com/" target="_blank">trillions of dollars</a> of organizational and investor wealth worldwide, but also likely the national security of over one hundred and fifty countries worldwide.<br />
<br />
<b>Here</b> it is -<br />
<blockquote class="tr_bq">
<span style="color: #cc0000; font-size: x-large;">Q</span><span style="color: #cc0000; font-size: large;">: How <b>Massive</b> Could the Impact of an Active Directory Security Breach Be?</span></blockquote>
<blockquote class="tr_bq">
Specifically, exactly what could happen if the foundational Active Directory of an organization were <a href="https://www.paramountdefenses.com/privileged-access-insight.html" target="_blank">breached</a>? </blockquote>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-h4heifhEyyB5Ay-50ITdfJLb5lxZ6Qs_UFt6lWwdXL6vxFFC-pffjnDcHQNhdXXknAeogl22o4weeBmL0JgcoiHEtoR9fkHPU8n-9veqmzPj3Ju2BSMqeTLcwCq8yyo-aaHOmU6OHuQ/s1600/Active-Directory.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="794" data-original-width="1199" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-h4heifhEyyB5Ay-50ITdfJLb5lxZ6Qs_UFt6lWwdXL6vxFFC-pffjnDcHQNhdXXknAeogl22o4weeBmL0JgcoiHEtoR9fkHPU8n-9veqmzPj3Ju2BSMqeTLcwCq8yyo-aaHOmU6OHuQ/s640/Active-Directory.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Active Directory is the Foundation of Cyber Security Worldwide </td></tr>
</tbody></table>
<blockquote class="tr_bq">
<br />
<span style="color: #cc0000;">If you need me to paint you a picture</span>, consider the potential impact of an Active Directory security breach at virtually any organization that impacts your life - from the world's biggest IT (Cloud, Operating Systems, Phones, Computers, Networking, Internet, Social Media etc.) companies to the world's biggest cyber security companies, or for that matter from virtually every financial institution on Wall Street, to just about every company traded on any stock exchange in any country in the world, or any one of thousands of government agencies/departments in over 150 countries worldwide.</blockquote>
<br />
The reason I am publicly asking this question is because it's 2018 today, not 2004, and this is possibly the most important cyber security question that Executive Management, Cyber Security and IT leadership at thousands of organizations worldwide should be asking themselves today, but <span style="color: #cc0000;">most likely are not</span>.<br />
<br />
In fact, at most organizations, this isn't even on their radar, let alone rightly being their top (#1) cyber security priority.<br />
<br />
Thus, I felt the need to ask this paramount question.<br />
<br />
Also, for once, <span style="color: #cc0000;">I am NOT going to answer</span> a question that I have asked, but instead <span style="color: #cc0000;">let organizations worldwide ponder</span> over it. Over the years, I've already <a href="https://www.cyber-security-blog.com/2017/08/teaching-microsoft-about-active-directory-security.html" target="_blank">asked and answered</a> many of the world's most vital Active Directory / cyber security questions.<br />
<br />
I'll only say this much - Any organization whose CEO and CISO <span style="color: #cc0000;"><b>do not</b></span> know the answer to this question is <span style="color: #cc0000;"><b>not</b></span> secure today.<br />
<br />
Sincerely,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a><br />
<br />
<b>What are the Minimum Security Permissions Needed in Active Directory to Run Mimikatz DCSync?</b> (Sanjay, 2018-10-22)<br />
<br />
Folks,<br />
<br />
In days to come, I'll be helping organizations worldwide understand what constitutes a privileged user in Active Directory, how to correctly audit privileged access in Active Directory, and <a href="http://www.active-directory-security.com/2018/10/did-anyone-at-microsoft-ignite-2018-know-the-answer.html" target="_blank">what</a> the world's most important Active Directory security capability is.<br />
<br />
Today though, I just wanted to ask a very simple and elemental cyber security multiple-choice question, so here it is -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIvgIrZAHtiGF8cYpbjlvYk0ZcpSRLuxWvy59iNIG4X5wxGB-HADh7uANO1sWhq1512IxF1HOJBGvzKEpz-tPLovCzdTAephFibxtJVUjYRbOL3kci8zT7ieBEqbcWbzGb9dz-pFhuGMu5/s1600/Mimikatz-DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="640" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIvgIrZAHtiGF8cYpbjlvYk0ZcpSRLuxWvy59iNIG4X5wxGB-HADh7uANO1sWhq1512IxF1HOJBGvzKEpz-tPLovCzdTAephFibxtJVUjYRbOL3kci8zT7ieBEqbcWbzGb9dz-pFhuGMu5/s640/Mimikatz-DCSync.png" width="640" /></a></div>
<br />
<b><span style="color: #cc0000;"><span style="font-size: large;">Q</span>.</span> </b><span style="color: #cc0000;">What are the minimum Active Directory Security Permissions that a perpetrator needs to be able to successfully run <b>Mimikatz DCSync</b> against an organization's foundational Active Directory deployment?</span><br />
<span style="color: #cc0000;"></span><br />
Is it -<br />
<blockquote class="tr_bq">
<span style="color: #38761d;"><b>A.</b></span> The "<i>Get Replication Changes</i>" Extended Right </blockquote>
<blockquote class="tr_bq">
<span style="color: #38761d;"><b>B.</b></span> The "<i>Get Replication Changes All</i>" Extended Right </blockquote>
<blockquote class="tr_bq">
<b><span style="color: #38761d;">C.</span> </b>Both A and B above </blockquote>
<blockquote class="tr_bq">
<span style="color: #38761d;"><b>D.</b></span> Something else
</blockquote>
<br />
I already know the answer to this simple question. I'm only asking because I believe that today every Domain Admin and every CISO at every organization that operates on Active Directory MUST know the answer to this question, and <a href="https://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">here</a>'s why.<br />
<br />
You may be surprised if I were to share with you just how many Domain Admins and CISOs (at so many of the world's most prominent organizations) don't even seem to know what <a href="http://www.active-directory-security.com/2017/06/the-top-5-cyber-security-risks-to-active-directory.html" target="_blank">Mimikatz DCSync</a> is, let alone know the answer!<br />
<br />
<br />
If you know the answer to this question, please <span style="color: #38761d;">feel free to share it by leaving a comment</span> below.<br />
<br />
Best wishes,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a>.<br />
<br />
<b>Mimikatz DCSync Detection</b> (Sanjay, 2018-10-16)<br />
<br />
Folks,<br />
<br />
I trust this finds you doing well. I know so many of you are waiting for me to answer the question - <a href="https://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">What's the World's Most Important Active Directory Security Capability?</a> but before I did so, I just wanted to address something very simple and vital.<br />
<br />
<br />
<span style="font-size: large;"><b>Mimikatz DCSync Detection </b><span style="color: #cccccc;">?! ;-)</span></span><br />
<br />
If you're into Cyber Security, unless you live on another planet, by now you know that at the very foundation of cyber security worldwide lies Microsoft <a href="https://www.paramountdefenses.com/active-directory.html" target="_blank">Active Directory</a>, you know that little thing within which lie not just everyone's accounts and passwords, or for that matter the computer accounts of every single domain-joined machine, or for that matter every single domain security group that is used to protect the entirety of an organization's IT assets, but also the proverbial "<a href="https://www.paramountdefenses.com/privileged-access-insight.html" target="_blank">Keys to the Kingdom</a>!" etc. etc.<br />
<br />
By the way, this isn't some secret - this is CYBER SECURITY 101 that millions of IT personnel, IT managers, CISOs and just about everyone in IT ought to know by now, considering that Active Directory has been around for almost two decades now!<br />
<br />
<span style="color: #cc0000;">Alright, fast forward...</span><br />
<br />
A few years ago, a remarkably intelligent and talented <a href="https://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Benjamin Delpy</a> introduced a new feature in his hacking tool Mimikatz, and that feature was called <b>Mimikatz DCSync</b>. In essence, if you can run Mimikatz DCSync against an Active Directory, you can instantly obtain access to the credentials of literally everyone who has a domain account in that domain - we're talking the accounts of literally everyone, from Domain Admins to the CISO and from the Enterprise Admin to the CEO, etc. etc.<br />
<br />
Now, technically, DCSync leverages a security principal's ability to request replication of Active Directory content (including secrets, i.e. <i>password hashes</i>) from a domain controller, exactly as another domain controller would when it replicates (the GetNCChanges request of the MS-DRSR replication protocol). It turns out that anyone who has sufficient effective permissions to replicate secrets out of Active Directory, i.e. the replication extended rights on the domain naming context, can run Mimikatz DCSync, and <span style="color: #cc0000;">within minutes be proverbial God!</span><br />
<br />
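The following is an added example, not code from the original post; it serves both the multiple-choice question in the previous post and the paragraph above. It models an effective-permissions check for the two extended rights a DCSync-style replication request needs on the domain naming-context head, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (the GUIDs are the schema's rightsGuid values for those controlAccessRight objects). The DACL, group nesting and account names are constructed sample data, and the access check is a simplified model of the Windows DACL walk rather than a call into LSA; in a real domain the ACEs come from the domain object's nTSecurityDescriptor (for instance via Get-Acl on the AD: drive) and the token from the principal's tokenGroups.<br />

```python
"""Effective-access check for the two replication extended rights that
DCSync exercises on the domain naming-context head.  Added example, not
code from the original post: the DACL, groups and principals below are
constructed sample data, and the access check is a simplified model of
the Windows DACL walk (ACEs in canonical order, first matching ACE per
right decides), not a call into the real LSA."""
from dataclasses import dataclass
from typing import Optional

# controlAccessRight GUIDs from the AD schema (rightsGuid attribute).
GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DCSYNC_RIGHTS   = frozenset({GET_CHANGES, GET_CHANGES_ALL})


@dataclass(frozen=True)
class Ace:
    kind: str                   # "allow" or "deny"
    trustee: str                # SID or group the ACE names
    object_type: Optional[str]  # extended-right GUID; None = every extended right


def expand_token(principal: str, member_of: dict) -> set:
    """Transitive group closure.  Nested membership is why a raw ACL
    listing misleads: the trustee on the ACE is rarely the user."""
    token, queue = {principal}, [principal]
    while queue:
        for group in member_of.get(queue.pop(), ()):
            if group not in token:
                token.add(group)
                queue.append(group)
    return token


def effective_extended_rights(dacl: list, token: set, wanted: frozenset) -> set:
    """Walk the DACL in order.  For each right still undecided, the first
    ACE naming a trustee in the token that covers the right decides it;
    a deny blocks the right even if a later ACE would allow it."""
    pending, granted = set(wanted), set()
    for ace in dacl:
        if not pending:
            break
        if ace.trustee not in token:
            continue
        covered = pending if ace.object_type is None else pending & {ace.object_type}
        if ace.kind == "allow":
            granted |= covered
        pending -= covered
    return granted


def can_dcsync(principal: str, dacl: list, member_of: dict) -> bool:
    """True only if BOTH replication rights are effectively held."""
    token = expand_token(principal, member_of)
    return effective_extended_rights(dacl, token, DCSYNC_RIGHTS) == set(DCSYNC_RIGHTS)


def who_can_dcsync(principals, dacl: list, member_of: dict) -> list:
    return sorted(p for p in principals if can_dcsync(p, dacl, member_of))


# --- constructed sample: DACL on DC=corp,DC=example, in canonical order ---
SAMPLE_DACL = [
    Ace("deny",  "CORP\\Helpdesk",      GET_CHANGES_ALL),  # explicit deny sorts first
    Ace("allow", "S-1-5-9",             GET_CHANGES),      # Enterprise Domain Controllers
    Ace("allow", "S-1-5-9",             GET_CHANGES_ALL),
    Ace("allow", "CORP\\Domain Admins", None),             # all extended rights
    Ace("allow", "CORP\\Tier2-Ops",     GET_CHANGES),
    Ace("allow", "CORP\\Tier2-Ops",     GET_CHANGES_ALL),
    Ace("allow", "CORP\\Backup-Svc",    GET_CHANGES),      # only one of the two rights
]

# Direct memberships (what memberOf / tokenGroups would show), constructed.
SAMPLE_MEMBER_OF = {
    "CORP\\alice":      {"CORP\\Helpdesk"},
    "CORP\\Helpdesk":   {"CORP\\Tier2-Ops"},
    "CORP\\bob":        {"CORP\\Tier2-Ops"},
    "CORP\\carol":      {"CORP\\Domain Admins"},
    "CORP\\svc-backup": {"CORP\\Backup-Svc"},
    "CORP\\DC01$":      {"S-1-5-9"},
}
SAMPLE_PRINCIPALS = ["CORP\\alice", "CORP\\bob", "CORP\\carol",
                     "CORP\\svc-backup", "CORP\\DC01$"]

if __name__ == "__main__":
    print(who_can_dcsync(SAMPLE_PRINCIPALS, SAMPLE_DACL, SAMPLE_MEMBER_OF))
```

Note what the raw ACL would have said: Tier2-Ops holds both rights, so a permissions analyzer would list that group and stop. Only the effective check shows that bob (via Tier2-Ops) can replicate secrets while alice (same nesting, but an explicit deny on her Helpdesk group) cannot, and that Backup-Svc, holding one right of the two, cannot either. The real Windows access check refuses the whole request as soon as a matching deny covers any requested right; this model decides each right separately so that partial grants stay visible.<br />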
So, what happens? In time, Mimikatz DCSync finds global fame and glory; it becomes a must-have tool in the arsenal of these so-called kiddish Red Teams and Blue Teams, and in addition today there's no dearth of cyber security experts who want to blog about Mimikatz DCSync, sharing with the world its usage, how to exploit it etc. etc. and in particular how to detect it!<br />
<br />
Here are a few random blogs a Google search seemed to suggest -<br />
<ol>
<li><a href="https://adsecurity.org/?p=1729" rel="nofollow" target="_blank">Mimikatz DCSync Usage, Exploitation, and Detection</a></li>
<li><a href="http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/" rel="nofollow" target="_blank">Mimikatz and DCSync and ExtraSids, Oh My</a></li>
<li><a href="https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1460" rel="nofollow" target="_blank">Modern Active Directory Attack Scenarios and How to Detect Them</a></li>
<li><a href="https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync" rel="nofollow" target="_blank">DCSYNC</a></li>
</ol>
<br />
Now, please pardon me for expressing serious concern here because <span style="color: #cc0000;">if the best an organization can do is DETECT the use of Mimikatz DCSync</span>, that's sort of like, well let me paint you a picture:<br />
<br />
<br />
<br />
<span style="color: #38761d;">A Billion $ Organization or for that matter a Government Agency </span>having to rely on detection of Mimikatz DCSync<span style="color: #38761d;"> is akin to ....</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhndN10OyIRkFfDZBjq-rF27kFUivF0A2S3FmSaMXeXX-MWNPpkkIUem1xhKjIdvLCYes4C1_BT7WncadjLtj_I-BJptVWtlrQySN6zD_vT4cla0H8TwUz5muO3furWfCOGsYVcIUfCQNo/s1600/Sniper.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhndN10OyIRkFfDZBjq-rF27kFUivF0A2S3FmSaMXeXX-MWNPpkkIUem1xhKjIdvLCYes4C1_BT7WncadjLtj_I-BJptVWtlrQySN6zD_vT4cla0H8TwUz5muO3furWfCOGsYVcIUfCQNo/s640/Sniper.jpg" width="640" /></a></div>
<br />
... let's assume a SNIPER takes a shot at a target from point-blank range, and the best those protecting the target can do is try to detect the bullet in flight milliseconds before it hits its target. Well, I shouldn't have to complete the sentence for you.<br />
<br />
<span style="color: #cc0000;"><br /></span>
<span style="color: #cc0000;">Here's the Trillion $ point</span> - if an organization is having to rely on the DETECTION of the use of Mimikatz DCSync, <b>it's too late.</b><br />
<br />
From the Domain Admin to the CISO, it's time to go home and find another job, because it would already have been too late. You're done. Once a malicious perpetrator has gained administrative access in even a single Active Directory domain, those who know anything about Active Directory Security will tell you that you've lost the entire Active Directory forest. Oh, and if you think you could easily recover that forest from a trusted forest, you've likely been getting some amateur advice ;-)<br />
<br />
<br />
<b>Mimikatz DCSync <span style="color: #38761d;">Mitigation</span></b><br />
<b><br /></b>
I cannot stress this enough - this is not a risk that can be addressed by detection. It needs to be mitigated and today, every single organization that operates on Microsoft Active Directory can easily mitigate the risk posed by Mimikatz DCSync. I've already spent enough time educating the world about this, so I'm not going to waste one more precious minute on this.<br />
<br />
For every org that wants to learn how to do so - <a href="https://www.cyber-security-blog.com/2016/08/how-to-lockdown-active-Directory-to-thwart-use-of-mimikatz-dcsync.html" target="_blank">How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync</a><br />
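As an added illustration of what a mitigation-side check looks like (this is editor-added example code, not the blog author's code and not the lockdown procedure the linked article describes), here is a PowerShell audit that lists which security principals hold, on the domain naming context, the replication control access rights that DCSync depends on, and then expands any group holders to their recursive membership. It assumes the RSAT <i>ActiveDirectory</i> module and read access to the domain head's ACL. The three GUIDs are the standard rightsGuid values of the replication extended rights; the function names are my own. Because the function takes the object DN and a table of right GUIDs as parameters, the same code can be pointed at other objects and other extended rights (for example the reset-password right on a privileged account).<br />
<br />
```powershell
# Editor-added example, not the blog author's code. Assumes the RSAT ActiveDirectory
# module and read access to the ACL of the domain naming context.
Import-Module ActiveDirectory

# Control access rights (extended rights) that replication of directory secrets relies on.
# These are the well-known rightsGuid values of the corresponding controlAccessRight objects.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ExtendedRightHolders {
    # Lists every ACE on $ObjectDN that grants (or denies) one of the rights in $RightTable.
    # Hypothetical helper name; it is not an ActiveDirectory-module cmdlet.
    param(
        [Parameter(Mandatory)] [string]$ObjectDN,
        [Parameter(Mandatory)] [hashtable]$RightTable
    )
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        # ACEs flagged InheritOnly exist for child objects and do not apply to this object.
        $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # Only ACEs carrying the ExtendedRight bit (GenericAll includes it) can grant these rights.
        $extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (([int]$ace.ActiveDirectoryRights -band $extRight) -eq 0) { continue }
        $guid = $ace.ObjectType.ToString()
        if ($guid -eq [guid]::Empty.ToString()) {
            # An unscoped ACE (empty ObjectType) covers every extended right, replication included.
            $right = 'ALL extended rights (unscoped ACE)'
        } elseif ($RightTable.ContainsKey($guid)) {
            $right = $RightTable[$guid]
        } else { continue }
        [pscustomobject]@{
            Principal   = $ace.IdentityReference.Value
            Right       = $right
            AccessType  = $ace.AccessControlType      # Allow or Deny
            IsInherited = $ace.IsInherited
        }
    }
}

function Expand-GroupMembers {
    # Resolves DOMAIN\name to its recursive membership when it is an AD group; other principals
    # (well-known SIDs such as ENTERPRISE DOMAIN CONTROLLERS, or users) are returned unchanged.
    # Hypothetical helper name.
    param([Parameter(Mandatory)] [string]$Principal)
    $sam = $Principal.Split('\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($null -eq $group) { return $Principal }
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { $_.SamAccountName }
}

$domainDN = (Get-ADDomain).DistinguishedName
$holders  = Get-ExtendedRightHolders -ObjectDN $domainDN -RightTable $ReplicationRights

"Replication rights on $domainDN (explicit ACEs):"
$holders | Sort-Object Principal, Right | Format-Table -AutoSize

"Who those grants resolve to (recursive group membership):"
$holders | Where-Object { $_.AccessType -eq 'Allow' } |
    Select-Object -ExpandProperty Principal -Unique |
    ForEach-Object {
        [pscustomobject]@{ Principal = $_; Members = ((Expand-GroupMembers -Principal $_) -join ', ') }
    } | Format-Table -Wrap -AutoSize
```

Read the output as the list that has to shrink: in a locked-down domain the Allow entries for Get-Changes-All should resolve to domain controllers and a deliberately small set of administrators, and anything else is a grant to remove rather than an event to detect later. Note the limits of this check, which are exactly the author's larger point: it reads only the explicit ACEs on one object and follows only AD group nesting, so it does not account for deny ACEs, inheritance from parent containers, or foreign security principals, and it is therefore not a computation of true effective permissions.<br />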
<br />
<br />
Incidentally, the astute mind will observe that, whether it be mitigating the risk posed by Mimikatz DCSync or securing access to just about anything and everything in Active Directory, all that organizations worldwide (including, likely, the $800 Billion Microsoft) require is <span style="font-size: large;">1</span> single, fundamental cyber security capability - <a href="https://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">The Most Important Active Directory Security Capability in the World</a>.<br />
<br />
<br />
<b><br /></b>
<b><span style="color: #cc0000;"><br /></span></b><br />
<b>A Request to All Experts Out There</b><br />
<br />
To all cyber security experts and cyber security companies (including Microsoft) out there, I have a request - if you truly know Active Directory Security, let's see you go beyond helping the world learn how to use, exploit and detect Mimikatz DCSync...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqWfyxF0vcM1pGW3IHDwcvtiOy46RxV33zcHJn9B2Kvxlw3bA2Dhr7DGzof1hRs0w6VMUbXT3VXEW20X6p7Zodd7XdiG6MbmmjNYiUJiHnEXVstx9b9yjHZnXqKSKy6E8ujUjgkQX3lSo/s1600/CEO.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="376" data-original-width="700" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqWfyxF0vcM1pGW3IHDwcvtiOy46RxV33zcHJn9B2Kvxlw3bA2Dhr7DGzof1hRs0w6VMUbXT3VXEW20X6p7Zodd7XdiG6MbmmjNYiUJiHnEXVstx9b9yjHZnXqKSKy6E8ujUjgkQX3lSo/s640/CEO.jpg" width="640" /></a></div>
<br />
...let's see you teach the world how to actually mitigate this risk, perhaps with an example, for when you get there, you'll likely realize that not a single object in any Active Directory domain worldwide can be adequately secured without possessing <a href="https://www.active-directory-security.com/2018/10/did-anyone-at-microsoft-ignite-2018-know-the-answer.html" target="_blank">this</a>.<br />
<br />
<br />
<span style="color: #cc0000;">Alright, that's it</span>; I'm not wasting one more minute of my precious time on this little distraction of a thing called Mimikatz DCSync.<br />
<br />
<br />
After all this dry stuff, perhaps I should end on a humorous note - <a href="https://www.cyber-security-blog.com/2018/09/time-to-ignite-an-intellectual-spark-at-microsoft-ignite-2018.html" target="_blank">Time to Ignite an Intellectual Spark at Microsoft Ignite 2018</a> ;-)<br />
<br />
Best wishes,<br />
<a href="http://www.sanjaytandon.com/" rel="nofollow" target="_blank">Sanjay</a>.<br />
<br />
<br />
<b>Did Anyone at Microsoft Ignite 2018 Know the Answer To This Question?</b> (posted 2018-10-01)<br />
Folks,<br />
<br />
Last week, thousands of IT professionals, managers, CISOs and CIOs were in Orlando, attending, well, <a href="https://www.microsoft.com/en-us/ignite" target="_blank">Microsoft Ignite 2018</a>!<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFY0Xqwzhvr7Ow2Rzu_kupCYttqkZe2qOwckyG7Dzj8b-QFtFHrfTBv0_HJEpyU0I7cCFbuIHDog1ZtB4U-07BLMTHWlyvLyaogtUnHx0NbkDM531kHjXdFx7cE0TY-CUiAfHuvVx8sdAR/s1600/Microsoft-Ignite-2018.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="417" data-original-width="835" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFY0Xqwzhvr7Ow2Rzu_kupCYttqkZe2qOwckyG7Dzj8b-QFtFHrfTBv0_HJEpyU0I7cCFbuIHDog1ZtB4U-07BLMTHWlyvLyaogtUnHx0NbkDM531kHjXdFx7cE0TY-CUiAfHuvVx8sdAR/s640/Microsoft-Ignite-2018.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #cccccc; font-family: 'times new roman'; font-size: 12.8px;">Image Courtesy Microsoft. Source: https://www.microsoft.com/en-us/ignite</span></td></tr>
</tbody></table>
<br />
Not surprisingly, the Microsoft Ignite Conference had <span style="color: #cc0000;">SOLD OUT</span>! There were 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to <b>expert proctors</b>! <span style="color: #38761d;">That's great!</span><br />
<br />
Did I mention that likely hundreds of Microsoft's own experts were also there, and collectively, they covered numerous vital areas such as <i>Securing the Enterprise</i>, <i>Simplified IT Management</i>, <i>Identity, Access &amp; Compliance</i>, <i>Enterprise Security</i> etc.<br />
<br />
<br />
<span style="color: #cc0000;"><span style="font-size: x-large;">So</span>, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts,</span><span style="color: #38761d;"> </span>one would hope THERE MUST'VE BEEN AT LEAST ONE PERSON AT MICROSOFT IGNITE 2018 who could have answered A VERY SIMPLE QUESTION -<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5Sz4OjftNs7KaOcAT_SpNHMWCKWuvbfvc2OyR45MKpU3Bl7ogiS7Rjl3zr0EYZWzbxZTdEGpATJMhrQmx0sEX9E8MKxE_-_B_B0L0arHu5vBjO6MzOpq4WOET5oyhi5LRx8xDaEmd2IAj/s1600/Red-Line.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="10" data-original-width="664" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5Sz4OjftNs7KaOcAT_SpNHMWCKWuvbfvc2OyR45MKpU3Bl7ogiS7Rjl3zr0EYZWzbxZTdEGpATJMhrQmx0sEX9E8MKxE_-_B_B0L0arHu5vBjO6MzOpq4WOET5oyhi5LRx8xDaEmd2IAj/s1600/Red-Line.png" /></a></div>
<br />
<br />
<span style="color: #cc0000; font-size: large;">Question:</span><span style="font-size: large;"> What's The World's <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">Most Important</a> Active Directory Security Capability?</span><br />
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">( URL: <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html</a> )</span></div>
<br />
<span style="color: #b45f06;"><span style="font-size: large;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-dPGOHFlZoMy_VoUjbliWQs1Mlh6KmUADJ2pym_BrkTwEssny67XL-ZlHLqXvBjzNNRZXW5yJ2Z-utIVW-E7bCHofpG7HaoCLI2Iy2SW2A16bJmCQkLfsxbEDp2R1AfVsaIt6wVbqRqq7/s1600/Red-Line.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="10" data-original-width="664" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-dPGOHFlZoMy_VoUjbliWQs1Mlh6KmUADJ2pym_BrkTwEssny67XL-ZlHLqXvBjzNNRZXW5yJ2Z-utIVW-E7bCHofpG7HaoCLI2Iy2SW2A16bJmCQkLfsxbEDp2R1AfVsaIt6wVbqRqq7/s1600/Red-Line.png" /></a></div>
<span style="color: #b45f06;"><span style="font-size: large;"><br /></span></span>
<span style="color: #b45f06;"><span style="font-size: large;"><br /></span></span><span style="color: #cc0000;"><span style="font-size: large;">T</span>his is paramount, and here's why. In case you're wondering</span> why anyone and everyone who attended Microsoft Ignite 2018 should care about this question AND know the answer, it's because in any Microsoft Windows Server based IT Infrastructure, NOT A SINGLE ONE of the many vital areas listed above, i.e. <i>Securing the Enterprise</i>, <i>Simplified IT Management</i>, <i>Identity, Access &amp; Compliance</i>, <i>Enterprise Security</i> etc. etc., can be adequately addressed without involving Active Directory Security.<br />
<br />
<br />
<span style="color: #38761d;"><span style="font-size: x-large;">I</span>n fact, here's proof - </span><br />
<br />
<span style="color: #cc0000;">Not a single one</span> of the following fundamental cyber security / Windows security questions can be answered without knowing the answer to the question above and possessing that capability -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCB8DqLEBkVxTlY9gh8hlKhyphenhyphenAIRXjyBxIBtLKIQpuHphdD9Ep7Kr-98hD9nweVkPic3PiC6rCaersoUIC4ma_d1sDctsmmvvcZoXybBExP4qzs3V5E2AH-SLqtG6bPERQU86XYupSFlYXx/s1600/Active-Directory-Effective-Permissions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="267" data-original-width="640" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCB8DqLEBkVxTlY9gh8hlKhyphenhyphenAIRXjyBxIBtLKIQpuHphdD9Ep7Kr-98hD9nweVkPic3PiC6rCaersoUIC4ma_d1sDctsmmvvcZoXybBExP4qzs3V5E2AH-SLqtG6bPERQU86XYupSFlYXx/s400/Active-Directory-Effective-Permissions.png" width="400" /></a></div>
<br />
<ol>
<li>Who can <span style="color: #cc0000;">reset the passwords</span> of any/every Domain Admin in an organization?</li>
<br />
<li>Who can <span style="color: #cc0000;">disable two-factor authentication</span> on privileged and other domain user accounts?</li>
<br />
<li>Who can <span style="color: #cc0000;">change the membership</span> of the Domain Admins group, or of any domain security group?</li>
<br />
<li>Who can <span style="color: #cc0000;">use Mimikatz DCSync</span> to completely compromise the credentials of all domain user accounts?</li>
<br />
<li>Who can <span style="color: #cc0000;">delete an(y) Organizational Unit</span> (OU) in a(ny) of the organization's Active Directory domains?</li>
<br />
<li>Who can <span style="color: #cc0000;">link a malicious group policy</span> to an OU to instantly compromise all domain computer accounts in that OU?</li>
<br />
<li>Who can <span style="color: #cc0000;">modify the attributes</span> of a mission-critical service's service connection points to instantly render it useless?</li>
<br />
<li>Who can <span style="color: #cc0000;">set the "<i>Trusted for Unconstrained Delegation</i>" bit</span> on a server's domain account to compromise security*?</li>
<br />
<li>Who can <span style="color: #cc0000;">create, delete and manage</span> domain user accounts, domain security groups, OUs etc. in Active Directory?</li>
<br />
<li>Who can <span style="color: #cc0000;">control/change privileged access</span> as well as delegated access within and across the entire Active Directory?</li>
</ol>
<br />
<br />
<span style="color: #cc0000;"><span style="font-size: large;">E</span></span><span style="color: #cc0000;">ach and every single organization </span>whose IT personnel / CISOs attended Microsoft Ignite 2018 (including Microsoft itself) must have precise answers to each and every one of the above listed fundamental cyber security questions at all times.<br />
<br />
<br />
<br />
<br />
<span style="font-size: large;">S</span>o, <span style="color: #cc0000;">if <b>anyone</b> who attended Microsoft Ignite 2018 </span>(including Microsoft's own experts) knows the answer to this <b><span style="color: #cc0000; font-size: x-large;">1</span></b> <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">question</a>, please be my guest and answer the question by leaving a comment at the end of <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">that blog post</a>, and you'll earn <a href="https://www.paramountdefenses.com/leadership.html" target="_blank">my</a> respect.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY8OM-XDgc7s5F9IVe9PyKRYyA_78eeO9BZDg7z0uUE-wVk8LFjsOaUv-8IZz22klq7bx9BuSgrSx7ZNv_gGkbRR8P05YgTs-k-FzJnbiFpQExwI1sodrw07zV7QNORafSMsgt2tdSEi8/s1600/CISO.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="640" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY8OM-XDgc7s5F9IVe9PyKRYyA_78eeO9BZDg7z0uUE-wVk8LFjsOaUv-8IZz22klq7bx9BuSgrSx7ZNv_gGkbRR8P05YgTs-k-FzJnbiFpQExwI1sodrw07zV7QNORafSMsgt2tdSEi8/s640/CISO.jpg" width="640" /></a></div>
<br />
If you don't know the answer, I highly recommend reading <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">one</a>, <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">two</a> and <a href="https://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">three</a>, because without knowing the answer to this question (and without possessing this capability) <span style="color: #cc0000;">you cannot secure anything</span> in an Active Directory based Windows network.<br />
<br />
<span style="color: #999999;">The last time I checked, virtually the whole world runs on Active Directory.</span><br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
<b>A Few Notable Names in the Active Directory (AD) / AD Security Space</b> (posted 2018-09-28)<br />
<br />
Folks,<br />
<br />
Today I wanted to take a moment to share a few notable names in the Active Directory space, of those individuals who I feel have done a lot to help IT admins and IT personnel worldwide better understand Active Directory and Active Directory Security.<br />
<br />
<span style="color: #38761d;">Oh, and for those wondering who I am to come up with such a list,</span> I'm a <a href="http://www.sanjaytandon.com/" target="_blank">nobody</a> whose <a href="http://www.paramountdefenses.com/" target="_blank">work</a> however likely impacts <a href="https://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" rel="nofollow" target="_blank">everybody</a>, and here's a very small sample of my work -<br />
<ol>
<li><a href="http://www.active-directory-security.com/2017/02/adminsdholder.html" target="_blank">AdminSDHolder</a></li>
<li><a href="http://www.active-directory-security.com/2014/05/An-Automated-Kerberos-Token-Size-Calculation-Tool.html" target="_blank">Kerberos Token Bloat</a></li>
<li><a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">Mimikatz DCSync Mitigation</a></li>
<li><a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">Active Directory Privilege Escalation</a></li>
<li><a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> </li>
<li><a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">Active Directory ACLs - Attack and Defense</a></li>
<li><a href="http://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">How to Discover Stealthy Admins in Active Directory</a></li>
<li><a href="http://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html" target="_blank">How to Thwart Sneaky Persistence in Active Directory</a> </li>
<li><a href="http://www.active-directory-security.com/2017/12/how-to-easily-solve-the-active-directory-botnet-problem.html" target="_blank">How to Easily Solve the Difficult Problem of Active Directory Botnets</a></li>
<li>and of course, the 30-day series on <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">Active Directory Security School for Microsoft</a></li>
</ol>
<br />
BTW, in the next few days, you can expect much more, including <span style="color: #cc0000;"><i>What Constitutes a Privileged User in Active Directory</i></span>, <span style="color: #38761d;"><i>The Most Important Active Directory Security Capability</i></span>, <i><span style="color: #cc0000;">How to Make an Organization's Domain Admins Powerless in 2 Minutes</span></i>, <i><span style="color: #38761d;">How to Actually Secure and Defend an Active Directory</span></i>, <i><span style="color: #cc0000;">Breach to 0wned in 5 Minutes</span></i>, <i><span style="color: #38761d;">Defending Active Directory</span></i> and more.<br />
<br />
<span style="color: #999999;">But this isn't about me, so let's keep reading.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<b><span style="color: #cc0000;"><br /></span></b></div>
<b><span style="color: #725800;">A <span style="color: #38761d; font-size: large;">Few Notable Names</span> in the Active Directory / Active Directory Security Space</span></b><br />
<br />
<b>Without further ado</b>, I'd like to take a moment to share a few notable names in the Active Directory / Active Directory Security space, as I feel that in the last 10 to 20 years, these individuals have done a lot to help hundreds of thousands (if not millions) of IT admins and personnel worldwide better understand various aspects of Active Directory and Active Directory Security.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpCJkbUblPub-IMnuqFH2djQquLnPvosxf4WBIbmO48D4U_c6LVyLNzmN7qALOSQEN7EOzK5uYEg8xN7vheCH3lBSpP1rzaReGg-07dLnp0DGDJrpBTS1ygbfk86avsC6WGzei8igoech8/s1600/Active-Directory-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="125" data-original-width="640" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpCJkbUblPub-IMnuqFH2djQquLnPvosxf4WBIbmO48D4U_c6LVyLNzmN7qALOSQEN7EOzK5uYEg8xN7vheCH3lBSpP1rzaReGg-07dLnp0DGDJrpBTS1ygbfk86avsC6WGzei8igoech8/s640/Active-Directory-Security.png" width="640" /></a></div>
<br />
<br />
So here's a list of a few notable folks in the Active Directory space, <span style="color: #cc0000;">listed in no particular (i.e. random) order</span> -<br />
<br />
<ol>
<li><a href="https://blog.joeware.net/" rel="nofollow" target="_blank">Joe Richards</a> - Joe is one of the most knowledgeable and experienced folks in the Active Directory space.</li>
<br />
<li><a href="https://secureidentity.se/" rel="nofollow" target="_blank">Daniel Ulrichs</a> - Daniel is one of the most knowledgeable and experienced folks in Active Directory Security.</li>
<br />
<li><a href="https://blogs.chrisse.se/tag/active-directory/" rel="nofollow" target="_blank">Christoffer Andersson</a> - Christoffer, a longtime Directory MVP, is very knowledgeable in Active Directory.</li>
<br />
<li>Robbie Allen - Robbie needs no introduction in the space and is the author of multiple books on Active Directory. </li>
<br />
<li><a href="https://portal.sivarajan.com/" rel="nofollow" target="_blank">Santhosh Sivarajan</a> - Santhosh has been working on Active Directory for years and is very knowledgeable.</li>
<br />
<li>Guido Grillemeier - Guido is amongst the most knowledgeable and finest Active Directory Security experts out there.</li>
<br />
<li><a href="https://www.briandesmond.com/" target="_blank">Brian Desmond</a> - Brian is a recognized Microsoft infrastructure expert with years of experience.</li>
<br />
<li><a href="https://www.derekseaman.com/" rel="nofollow" target="_blank">Derek Seaman</a> - Derek is a highly experienced Active Directory practitioner, now focused on virtualization.</li>
<br />
<li><a href="https://dirteam.com/sander/" rel="nofollow" target="_blank">Sander Berkouwer</a> - Sander is a multiple-time Directory Services MVP and has been working on AD for years.</li>
<br />
<li><a href="https://www.xtseminars.co.uk/" rel="nofollow" target="_blank">John Craddock</a> - John is an accomplished Microsoft MVP who has been working on AD since pre-Windows 2000.</li>
<br />
<li><a href="https://www.linkedin.com/in/alistaln" rel="nofollow" target="_blank">Alistair G. Lowe-Norris</a> - Alistair too needs no introduction and is the author of several books on Active Directory. </li>
<br />
<li><a href="https://jorgequestforknowledge.wordpress.com/" rel="nofollow" target="_blank">Jorge de Almeida Pinto</a> - Jorge, a multiple time MVP, is a highly experienced Active Directory consultant/engineer.</li>
<br />
<li><a href="https://www.linkedin.com/in/brian-puhl" rel="nofollow" target="_blank">Brian Puhl</a> - Brian is a highly experienced Active Directory Domain Admin, and is one of Microsoft IT's finest.</li>
<br />
<li>Gil Kirkpatrick - Gil is one of the most recognized and experienced Active Directory experts out there.</li>
<br />
<li><a href="https://www.savilltech.com/category/active-directory/" rel="nofollow" target="_blank">John Savill</a> - John is an 11-time Microsoft MVP currently focused on Microsoft Azure.</li>
<br />
<li>Ulf Simon-Weidner - Ulf is an 8-time MVP, an MCT, and has been working on Active Directory since Windows 2000.</li>
<br />
<li>Sean Deuby - Sean is a highly experienced IT Architect and has been working on Active Directory since Windows 2000.</li>
<br />
<li><a href="https://jimmytheswede.blogspot.com/" rel="nofollow" target="_blank">Jimmy Andersson</a> - Jimmy is a highly experienced AD expert, and has been awarded Microsoft MVP for 20 years now.</li>
<br />
<li><a href="https://markparris.co.uk/" rel="nofollow" target="_blank">Mark Parris</a> - Mark is an experienced AD consultant with almost two decades of experience on Active Directory.</li>
<br />
<li>Jackson Shaw - Jackson is a longtime Active Directory veteran, who is very knowledgeable and well-known. </li>
</ol>
<br />
In my opinion, the work, efforts and contributions of these individuals, whether it be in the form of sharing knowledge on blogs, answering questions on forums, providing feedback, presenting at conferences, or helping organizations directly, have likely helped millions of IT folks worldwide better understand various aspects of Active Directory and Active Directory security.<br />
<br />
There are many more folks out there who have been working on Active Directory and Active Directory Security for years now, such as the hundreds of incredible folks who work for Microsoft Consulting Services, as well as other organizations in the Active Directory space such as Quest Software, HP Services and others, so if I have unintentionally missed a few names, I'm sorry. If you know of someone whose name you feel should be on this list, please leave me a comment below to let me know.<br />
<br />
<span style="color: #38761d;">In addition, there are also a few notable newcomers</span> to the Active Directory / Active Directory Security space who have been working very hard and are making an impact, and this post wouldn't be complete without recognizing the newcomers as well, so here they are (shared in random order) - <a href="https://adsecurity.org/" rel="nofollow" target="_blank">Sean Metcalf</a>, <a href="https://wald0.com/?page_id=4" rel="nofollow" target="_blank">Andy Robbins</a>, <a href="https://blog.harmj0y.net/" rel="nofollow" target="_blank">Will Schroeder</a> and Lucas Bouillot, to name a few.<br />
<br />
Of course, I should also mention that in the list above, I haven't included my former Microsoft colleagues on the Active Directory Dev Team, because if I did so, the list would be long. Oddly enough, I think most of them may be working on Azure now ;-)<br />
<span style="color: #38761d;"><br /></span>
<span style="color: #38761d;"><br /></span>
<span style="color: #38761d;">That's all for today.</span> In the next two weeks, I'm going to answer <a href="https://www.cyber-security-blog.com/2018/07/a-trillion-dollar-cyber-security-question-for-microsoft-and-cisos-worldwide.html" target="_blank">this question</a> to help Microsoft and organizations worldwide.<br />
<br />
Best wishes,<br />
Sanjay.<br />
<br />
<br />
<b>Pardon the Absence, and Get Ready!</b> (posted 2018-09-24)<br />
<br />
Folks,<br />
<br />
Hello again. I trust this finds you all doing well. It has been a few weeks since I last blogged. I hope you'll pardon my absence.<br />
<br />
Yes I was supposed to answer a rather important question, in fact, possibly <a href="http://www.active-directory-security.com/2018/07/the-worlds-most-important-active-directory-security-capability.html" target="_blank">the world's most important cyber security question</a>, for the whole world, back in July, but I had to postpone doing so, for a few good reasons, which I may reveal in days to come.<br />
<br />
Let's just say that amongst other things (e.g. a rather interesting trip across the Atlantic), I was working on finalising a project that directly impacts cyber security worldwide today, <span style="color: #cc0000;">you know, the kind of stuff that even James Bond doesn't have yet!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGFRb-H1NG0fepaZfvMpmLvsfd3wkS-3gn7hlYQNWXJ7CS8RliuFvqzf08D8MH-iFPQgWXkNDdm9ccVTZbmqcHf1OeIEecVP-1HbuCHcpiZy39YPXpjfl5w9ByU5j1BKr_n-jRVgb2nxk/s1600/The-Worlds-Most-Powerful-Weapon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGFRb-H1NG0fepaZfvMpmLvsfd3wkS-3gn7hlYQNWXJ7CS8RliuFvqzf08D8MH-iFPQgWXkNDdm9ccVTZbmqcHf1OeIEecVP-1HbuCHcpiZy39YPXpjfl5w9ByU5j1BKr_n-jRVgb2nxk/s640/The-Worlds-Most-Powerful-Weapon.jpg" width="640" /></a></div>
<br />
<br />
By the way, speaking of Mr. Bond, as you probably know, I'm a huge fan, so thought I'd share a catchy tune with you - <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/mNgdH1OVs4Q/0.jpg" frameborder="0" height="337" src="https://www.youtube-nocookie.com/embed/mNgdH1OVs4Q?feature=player_embedded" width="600"></iframe></div>
<br />
<br />
Oh, that project I was working on is almost over (i.e. RC1), so it's time for me to get back to blogging, and... well, <span style="color: #cc0000;">get ready</span>!<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
<b>What's The World's Most Important Active Directory Security Capability?</b> (posted 2018-07-09)<br />
Folks,<br />
<br />
A few days ago, I had <a href="http://www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html" target="_blank">asked</a> likely the most important Cyber Security question in the world today, one that today DIRECTLY impacts the <span style="color: #cc0000;">foundational </span>cyber security of 1000s of business and government organizations across 190 countries worldwide.<br />
<b><br /></b>
<b><span style="color: #cc0000;">Here</span></b> <b>It Is </b>-<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF_8RhpGii_8eahekV1X8tzTmNMHUhucn0VUXzyD3fJuL8d5MImKrj-E0NicCaxgPzFFjiqgXCpH_Y5Xk1THnvDgRhO5_FdyW2XfJtq58vzOvvY_jUkd58gb93xWh-tO7gYaxGP69kwG0w/s1600/Active-Directory-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="530" data-original-width="760" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF_8RhpGii_8eahekV1X8tzTmNMHUhucn0VUXzyD3fJuL8d5MImKrj-E0NicCaxgPzFFjiqgXCpH_Y5Xk1THnvDgRhO5_FdyW2XfJtq58vzOvvY_jUkd58gb93xWh-tO7gYaxGP69kwG0w/s640/Active-Directory-Security.png" width="640" /></a></div>
<blockquote class="tr_bq">
<span style="font-size: large;">What Is the <span style="color: #cc0000; font-size: x-large;">1</span> Essential Cyber Security Capability Without Which <span style="color: #cc0000;">NOT</span> a <span style="color: #cc0000;">Single</span> Active Directory object, domain, forest or deployment can be <span style="color: #38761d;">adequately</span> secured?</span></blockquote>
<br />
<div style="text-align: center;">
[ Here it is - <a href="http://www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html">www.cyber-security-blog.com/2018/06/active-directory-security-101-for-organizations-worldwide.html</a>. ]</div>
<b><br />
</b><br />
I had even provided a hint - it controls exactly who is <span style="color: #cc0000;">denied</span> and who is <span style="color: #38761d;">granted</span> access to literally everything within Active Directory, and it comes into play every time anyone accesses anything in any Active Directory domain in any organization.<br />
<br />
Thus far, thousands of IT professionals from across the world, including some of the world's most famous/renowned Windows and Active Directory Security experts and CISOs, as well as Microsoft employees, have all seen the question on my blog.<br />
<br />
<span style="color: #cc0000;">Unfortunately</span>, not ONE individual in the world (okay, except <a href="https://twitter.com/BeHumbleNKind/status/1013867008616591360" target="_blank">one</a>) has answered this ONE most simple and basic question yet!<br />
<br />
<br />
<b><br /></b>
<b><span style="color: #cc0000;">Why</span> Not?</b><br />
<b></b><br />
Do organizations worldwide <span style="color: #cc0000;">NOT</span> know the answer, <span style="color: #cc0000;">OR</span> are they afraid to answer it because they don't possess this capability?<br />
<br />
<span style="color: #38761d;">Let's find out.</span> To help organizations worldwide, including Microsoft, figure out the answer, <span style="color: #38761d;">I'm going to give a few more hints.</span><br />
<span style="color: #38761d;"></span><span style="color: #38761d;"></span><br />
<br />
<b><br /></b>
<b>A Few More <span style="color: #cc0000;">BIG</span> Hints</b><br />
<b></b><br />
Ladies and Gentlemen, <span style="color: #cc0000;">NOT a single organization in the world</span> whose IT infrastructure operates on Microsoft Active Directory, <span style="color: #cc0000;">can fulfill </span>even ONE of the following mission-critical IT and cyber security needs <span style="color: #cc0000;">without possessing</span> this ONE capability -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwBwbBgOTFC2dkMfYGemqU4sKlBdR4nJqpLiUeDeEPWvIJ8vow7k6TO9CCeCSMu9HukIkPFwtQKEDOeQ77uD6pa3SfDf1tE3LO-ODaeuYT3HzJPvwV49Ucy_-aL-752LHMkHdg7r-ly8Zi/s1600/Foundational-Cyber-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="139" data-original-width="557" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwBwbBgOTFC2dkMfYGemqU4sKlBdR4nJqpLiUeDeEPWvIJ8vow7k6TO9CCeCSMu9HukIkPFwtQKEDOeQ77uD6pa3SfDf1tE3LO-ODaeuYT3HzJPvwV49Ucy_-aL-752LHMkHdg7r-ly8Zi/s1600/Foundational-Cyber-Security.png" /></a></div>
<br />
<ol>
<li>Adequately <a href="http://www.active-directory-security.com/2017/06/the-top-5-cyber-security-risks-to-active-directory.html" target="_blank">secure</a> their foundational Active Directory</li>
<br />
<li>Adequately <a href="https://www.cyber-security-blog.com/2018/07/mimikatz-dcsync-mitigation.html" target="_blank">mitigate</a> the risk posed by the use of Mimikatz DCSync</li>
<br />
<li>Adequately <a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">mitigate</a> the risk posed by Active Directory Privilege Escalation</li>
<br />
<li>Accurately <a href="http://www.active-directory-security.com/2015/07/how-to-search-identify-and-minimize-privileged-users-accounts-in-active-directory.html" target="_blank">identify</a> privileged users in their foundational Active Directory domains</li>
<br />
<li>Accurately <a href="http://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">discover</a> stealthy admins in their foundational Active Directory domains</li>
<br />
<li>Adequately <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">protect</a> all organizational computers and user accounts (including <a href="http://www.active-directory-security.com/2013/09/Active-Directory-Privilege-Escalation-Example-CFO-Account-Compromise.html" target="_blank">C*O</a> accounts)</li>
<br />
<li>Adequately <a href="http://www.active-directory-security.com/2017/09/security-implications-of-unauthorized-service-connection-point-modification-in-active-directory.html" target="_blank">secure</a> mission-critical Active Directory integrated applications (e.g. Exchange, Centrify)</li>
<br />
<li>Securely <a href="http://www.active-directory-security.com/2017/12/preempt-microsoft-security-advisory-4056318-active-directory-privilege-escalation-office-365-azure-ad-connect.html" target="_blank">integrate</a> their on-premises Active Directory deployments with Microsoft Azure in the "Cloud"</li>
<br />
<li>Correctly <a href="http://www.active-directory-security.com/2017/10/re-regulatory-compliance-of-access-rights-in-active-directory.html" target="_blank">demonstrate</a> regulatory compliance of access privileges provisioned within their Active Directory</li>
<br />
<li>Reliably <a href="http://www.active-directory-security.com/2017/03/top-10-active-directory-security-questions.html" target="_blank">control</a> the distribution and delegation of administrative authority in their foundational Active Directory</li>
</ol>
<br />
<span style="color: #cc0000;">Let me repeat it again</span> so there is NO ambiguity - not a single one of the above mission-critical IT and cyber security needs can be fulfilled without possessing this ONE capability, only because it is technically impossible to do so without this ONE capability.<br />
<br />
<b><br /></b><b><br /></b><br />
<b><br /></b>
<b>I'll Make it <span style="color: #38761d;">Easy</span></b><br />
<span style="color: #38761d;"></span><br />
Ladies and Gentlemen, Active Directory has been around for almost two decades now, and yet most organizations worldwide do not currently possess this ONE essential, fundamental and paramount cyber security capability yet. The reason they don't currently possess it is likely that they may <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">not even know</a> about it, and that sounds as <a href="http://www.active-directory-security.com/2017/05/a-trillion-dollar-letter-to-microsoft-concerning-cyber-security-worldwide.html" target="_blank">unbelievable</a> to me as it does to you!<br />
<br />
If they haven't figured it out in almost TWO decades, they're not likely to figure it on their own, so let me make it easy for them.<br />
<br />
It is <span style="color: #38761d;">ONE</span> of the <span style="color: #cc0000;">following five</span> <b>Active Directory Security</b> Capabilities -<br />
<ol>
<li>Active Directory Auditing</li>
<li>Active Directory Permissions/ACL Analysis</li>
<li>Active Directory Effective Permissions/Access</li>
<li>Microsoft Advanced Threat Analytics (aka ATA)</li>
<li>&lt;You can throw in all the latest buzzwords here <span style="color: #999999;">e.g. Privileged Identity/Account Management, Zero Trust, blah blah <a href="http://www.paramountdefenses.com/privileged-account-security-solution-misconceptions.html" target="_blank">etc</a> </span>&gt;</li>
</ol>
<br />
Here's one FINAL hint. If you possess this ONE capability (on the right object in Active Directory), then you can also easily turn off, i.e. <span style="color: #cc0000;">deactivate, disable, and/or render useless</span>, all of the other listed security capabilities in an Active Directory deployment!<br />
<br />
<br />
<span style="color: #38761d;">So</span>, which <span style="color: #cc0000;">ONE</span> is it?<br />
<b><br /></b>
<b><br /></b>
<b><br />
</b><br />
<b><br /></b>
<b>Make <span style="color: #cc0000;">No</span> Mistake + </b><b>Only <span style="color: #cc0000;">Two Kinds</span> of Organizations</b><br />
<b><br /></b>
Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieaHnfLDXB5b-YRKB_mXibc6MIdOlQZ60EAxP6XOerIIg-RnzO7hwrqAj_XEm9FAarbDDu2yrLZyd8uQ8Vp2kh8cnFl2MaW5fDi5tmDyXZEnQsEAYcuatfWovZvaNL1oiaVCoYiPUV8nVR/s1600/Deeply-Concerned.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="404" data-original-width="640" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieaHnfLDXB5b-YRKB_mXibc6MIdOlQZ60EAxP6XOerIIg-RnzO7hwrqAj_XEm9FAarbDDu2yrLZyd8uQ8Vp2kh8cnFl2MaW5fDi5tmDyXZEnQsEAYcuatfWovZvaNL1oiaVCoYiPUV8nVR/s640/Deeply-Concerned.png" width="640" /></a></div>
<br />
Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, <span style="color: #cc0000;">and those that don't</span>. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are <span style="color: #cc0000;">provably</span> and <span style="color: #cc0000;">demonstrably</span> vastly <span style="color: #cc0000;">insecure</span>.<br />
<br />
<br />
<br />
<b><br /></b>
<b>My <span style="color: #cc0000;">Concern - </span> This Impacts Organizational Security Worldwide</b><br />
<b></b><span style="color: #38761d;"></span><span style="color: #cc0000;"></span><span style="color: #999999;"></span><br />
I hope that with the hints I've provided above, organizations worldwide will <span style="color: #cc0000;">finally</span> realize what this ONE essential capability is.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKGV_14NhufLM2PzShwX92XdNECFjqlKbROX6wjHUUG8rJ3wE44rIj4RDH5aNuqmKgSitncIgGlc4L5403I9yYYm4yx4O0gI8dVYv5QNmneZIMLCSMhBs399mTgbOifzNLWDmnctKwlpLR/s1600/Global-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="609" data-original-width="1241" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKGV_14NhufLM2PzShwX92XdNECFjqlKbROX6wjHUUG8rJ3wE44rIj4RDH5aNuqmKgSitncIgGlc4L5403I9yYYm4yx4O0gI8dVYv5QNmneZIMLCSMhBs399mTgbOifzNLWDmnctKwlpLR/s640/Global-Security.png" width="640" /></a></div>
<br />
<span style="color: #cc0000;">More importantly</span>, I hope that at organizations worldwide, IT personnel, Domain Admins, CISOs and CIOs realize and recognize that without possessing this ONE essential and paramount Active Directory Security capability, their $ Billion organizations may currently be operating on a highly <a href="http://www.theparamountbrief.com/" target="_blank">vulnerable</a> foundation, which is a matter so serious that it should concern all stakeholders.<br />
<br />
<br />
<br />
<b>The <span style="color: #cc0000;">Answer</span></b><br />
<b></b><span style="color: #cc0000;"></span><br />
February 24, 2020 Update: Here's the answer - <a href="https://www.paramountdefenses.com/insights/active-directory-effective-permissions.html" target="_blank"><span style="font-size: large;">THIS</span></a> is the world's most important Active Directory Security Capability.<br />
<br />
<br />
Best,<br />
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a>.<br />
<br />
<br />
<b>Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?</b> (posted 2018-06-21, updated 2018-07-03)<br />
Folks,<br />
<br />
Over the years, I've <a href="http://www.paramountdefenses.com/blog/30-days-of-advanced-active-directory-security-school-for-microsoft/" target="_blank">asked and answered</a> some of the hardest questions in <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">Active Directory Security</a>, so today I'm only going to <span style="color: #cc0000;">ask</span> a question, with the hope that there is someone out there, and I mean anyone, who <b>is</b> the answer to this question!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7TV9nEsdj-STuAteZfyB2OtnIK3_e0Kf5pBOLixo6_zddNGQ-JdHlQ8e4gXX55YY_vJgss5ziT0IDumgPfbYN72RIjV05rCwnmdp2Er-6BsEzGn0DJx0eWMA0KBmfpGBX37A0lYd1hOqr/s1600/Hello.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="640" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7TV9nEsdj-STuAteZfyB2OtnIK3_e0Kf5pBOLixo6_zddNGQ-JdHlQ8e4gXX55YY_vJgss5ziT0IDumgPfbYN72RIjV05rCwnmdp2Er-6BsEzGn0DJx0eWMA0KBmfpGBX37A0lYd1hOqr/s640/Hello.jpg" width="640" /></a></div>
<br />
<br />
<b>Here's my <span style="color: #cc0000;">Question</span></b> -<br />
<blockquote class="tr_bq">
<span style="font-size: large;">Can Anyone in the World (i.e. any Cyber Security Company or Expert) Out There Help Thousands (1000s) of Microsoft's Organizational Customers <span style="color: #cc0000;">Mitigate</span> the Serious Cyber Security Risk Posed by Mimikatz DCSync?</span></blockquote>
<br />
<b><span style="color: #38761d;">Anyone?</span></b><br />
<b><span style="color: #38761d;"></span><br /></b>There are 6,000,000,000+ people across 190+ countries worldwide, there are millions of IT personnel employed at 1000s of organizations, there are 1000s of cyber security experts and over a 1000 cyber security companies. <span style="color: #cc0000;">I'm looking for just ONE.</span><br />
<br />
<br />
By the way, by mitigate, I mean "render Mimikatz DCSync unusable in an AD environment" in that, say in an organization that had 10,000 employees and thus had 10,000 domain user accounts, and say 10 privileged users, even if every single one of these 10,000 accounts had been compromised by a perpetrator, he/she still <span style="color: #cc0000;">couldn't</span> use Mimikatz DCSync against their AD.<br />
<br />
Also, I'm looking for an answer that's beyond the most obvious answer, which is to not grant anyone the required access. In other words, I'm looking for an answer that will work in every real, production Active Directory domain in the world, you know, wherein various default Active Directory security groups and users are already granted various permissions in Active Directory.<br />
<br />
<br />
<b><span style="color: #cc0000;">Here's </span>what I've found thus far </b>-<br />
<ol>
<li><a href="https://github.com/gentilwiki" rel="nofollow" target="_blank">This</a> brilliant, gentle, highly-accomplished cyber security expert developed Mimikatz DCSync</li>
<li><a href="https://adsecurity.org/?p=1729" rel="nofollow" target="_blank">This</a> AD security enthusiast educated the world about its usage, exploitation and detection (<span style="color: #cc0000;">but not about its mitigation</span>)</li>
<li><a href="http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/" rel="nofollow" target="_blank">This</a> famous cyber security expert showed an example in action (; Oh my! ;-))</li>
<li><a href="https://blog.didierstevens.com/2017/10/08/quickpost-mimikatz-dcsync-detection/" rel="nofollow" target="_blank">This</a> expert shared some guidance on how to detect it (; if you're detecting it, it's likely too late)</li>
<li><a href="https://mva.microsoft.com/en-us/training-courses/defending-active-directory-against-cyberattacks-16327" rel="nofollow" target="_blank">These</a> cyber security experts don't seem to know that much about it, or about Active Directory Security</li>
<li><a href="https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/" rel="nofollow" target="_blank">These</a> wonderful folks present <span style="color: #cc0000;">an inaccurate script</span> to help detect who can use Mimikatz DCSync</li>
</ol>
I could go on and on sharing the identities of so many who talk about it, but there isn't a single one who can help mitigate it :-(<br />
<br />
Not to mention the 1000+ cyber security companies, including some big <i>names</i> such as (mentioned in no particular order) Palantir, Gemalto, Tanium, Tripwire, CheckPoint, Palo Alto Networks, Symantec, McAfee, Cisco, Kaspersky Labs, CrowdStrike, SentinelOne, BAE Systems, Qualys, Sophos, Gemalto, CyberArk, ZScaler, Preempt, BeyondTrust, Quest, HP, etc. etc.!<br />
<br />
Oh, here's the amusing part - in all likelihood, most of these cyber security companies too very likely run on Active Directory, and if I had to guess, I don't think even one of them knows how to, or possesses the means to, mitigate Mimikatz DCSync!<br />
<span style="color: #38761d;"><br /></span>
<span style="color: #38761d;">Funny haan? ;-)</span><br />
<span style="color: #38761d;"></span><br />
<br />
<b><span style="color: #cc0000;">Why </span>Does this Matter?</b><br />
<b></b><br />
By now, I shouldn't have to tell anyone involved in Active Directory or cyber security why this matters, but I will nonetheless -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh972veZUR0XyVX6cjDKkP7YZdecIyfic08BHVrXcGbdM0mDUk-y-iEy957tC-H6u4yUQ4p89RLMuN6YnVV9oB-A1N_vXwtWH5ieQFAqtqIo9jbySUPODQfD10_EagrxH03pZaohq1SzDZ/s1600/Mimikatz-DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh972veZUR0XyVX6cjDKkP7YZdecIyfic08BHVrXcGbdM0mDUk-y-iEy957tC-H6u4yUQ4p89RLMuN6YnVV9oB-A1N_vXwtWH5ieQFAqtqIo9jbySUPODQfD10_EagrxH03pZaohq1SzDZ/s1600/Mimikatz-DCSync.png" /></a></div>
<br />
Most simply put, should a perpetrator be able to successfully run Mimikatz DCSync against your foundational Active Directory domain, <span style="color: #cc0000;">you're DONE</span>, as it would be tantamount to a massive, systemic cyber security breach. The entirety of your user populace's credentials would have been compromised, and the perpetrator would have obtained control over your entire Active Directory forever. It would be time for everyone, including all Domain Admins, the CISO, the CIO and the CEO to find another job (assuming you can find one, considering your resume would highlight your previous employment, and since your previous employer (i.e. the one that was breached) would likely have been all over the news for quite some time, it may perhaps end up being a little difficult to find suitable employment.)<br />
<br />
<br />
<b><br /></b>
<b>How about an <span style="color: #cc0000;">Illustrative Scenario?</span></b>
<br />
<br />
Sure, if you'd like one, here you go - <a href="http://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">A Massive Breach at a Company whilst it was Considering the Cloud</a>.<br />
<br />
<br />
<b><span style="color: #cc0000;">A</span> Request</b><br />
<b></b><br />
We often come across Domain Admins, and every now and then CISOs, who have no idea what Mimikatz DCSync is, and that is scary. If you are such a Domain Admin / CISO, my earnest request to you would be to immediately learn about it, or, in the best interest of your employer's foundational cyber security, please let someone else take over your vital responsibilities.<br />
<br />
<br />
<br />
<b><span style="color: #38761d;">Let Me </span>Know</b><br />
<b></b><br />
Very well then. If ANYONE in the world knows ANYONE who can help (and by that I mean <i>possesses the capability to be able to help</i>) thousands of organizations worldwide (easily and correctly) MITIGATE the serious risk posed by Mimikatz DCSync, please let me know. I'm all ears, and I think, so are thousands of organizations worldwide, including perhaps Microsoft too ;-).<br />
<br />
In short, I'm looking for someone/thing that could render the extremely powerful and dangerous Mimikatz DCSync, unusable. With 6 billion people, millions of IT and cyber security pros, and a 1000+ cyber security companies worldwide, I'm hopeful.<br />
<br />
So if you know of someone (and I mean, <b>anyone</b>) who can do so, please let me know by leaving a comment below.<br />
<br />
If I don't get an answer by July 02, perhaps I'll take a shot at the answer, over at - <a href="http://www.cyber-security-blog.com/" target="_blank">www.cyber-security-blog.com</a>.<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />
PS: On an unrelated note, when you use Windows Update<br />
to update your Windows 10 PC every week, do you<br />
EVER check to see just what got downloaded?<br />
Perhaps you SHOULD, and <a href="http://www.cyber-security-blog.com/2018/06/windows-update-installed-an-untrusted-lenovo-driver-on-a-microsoft-surface-device.html" target="_blank">here</a>'s why.<br />
<br />
<br />
<br />
<span style="color: #38761d;">July 03 Update. Here's the answer &gt; </span> <a href="http://www.cyber-security-blog.com/2018/07/mimikatz-dcsync-mitigation.html">www.cyber-security-blog.com/2018/07/mimikatz-dcsync-mitigation.html</a><br />
<br />
<br />
<b>Some Interesting Figures from an Active Directory ACL Dump of Security Permissions from a default Windows Server 2016 Active Directory Domain</b> (posted 2018-06-19, updated 2018-06-20)<br />
Folks,<br />
<br />
I had only 2 minutes to blog today, so within the 2 minutes I had, I thought I'd generate, put together and share some interesting figures about the default <a href="http://www.paramountdefenses.com/active-directory-security/permissions.html" target="_blank">Active Directory security permissions</a> in a Windows Server 2016 based Active Directory domain.<br />
<br />
It took a mere 3 seconds to do a domain-wide ACL dump of a Windows Server 2016 based Active Directory domain -<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiN-DZM-TlFbSj6FaroUxYmQvKUIHBECMyHCzYpjAcKvaydC4UJWYK8vR7HaNGLm-LSLgwGvZLGWzIylBrRxzV3rW-2gVzpoOopmi7Jp_UqCpnK5WhOGR9NJNTqvdDSuFmiyCHwyLxsae2/s1600/Domainwide-ACL-Dump.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="784" data-original-width="1600" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiN-DZM-TlFbSj6FaroUxYmQvKUIHBECMyHCzYpjAcKvaydC4UJWYK8vR7HaNGLm-LSLgwGvZLGWzIylBrRxzV3rW-2gVzpoOopmi7Jp_UqCpnK5WhOGR9NJNTqvdDSuFmiyCHwyLxsae2/s640/Domainwide-ACL-Dump.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div>
<br /></div>
<div>
Active Directory Domain-wide ACL Dump</div>
</td></tr>
</tbody></table>
<br />
<br />
<br />
<br />
<b>Domain-wide <span style="color: #cc0000;">ACL Dump Download URL</span></b><br />
<b></b><span style="color: #cc0000;"></span><br />
You can download the entire actual domain-wide ACL dump from <a href="https://drive.google.com/open?id=10dTN2l73dLXDr9KEq1emEDS1d_kiSsBh" target="_blank">here</a>.<br />
<br />
<br />
<br />
<br />
<b>Some <span style="color: #38761d;">Interesting Figures</span></b><br />
<span style="color: #38761d;"></span><br />
Here are some interesting figures that took a minute to put together -<br />
<ul>
<li>Total number of object classes instantiated in domain partition: 40</li>
<li>Total number of Active Directory objects in the domain: 242</li>
<li>Total number of Active Directory ACLs (duh, obviously!): 242</li>
<li>Total number of Active Directory security permissions (aka ACEs): 6677</li>
<li>Total number of explicit Active Directory security permissions: 1323</li>
<li>Total number of inherited Active Directory security permissions: 5354 </li>
<li>Total number of inherit-only Active Directory security permissions: 3746</li>
<li>Total number of unique security principals for whom permissions are specified: 27</li>
<li>Total number of objects whose ACLs were marked "<span style="color: #cc0000;">Protected</span>" : 20</li>
<br />
<li>Total number of <span style="color: #38761d;">Allow</span> security permissions: 6677</li>
<li>Total number of <span style="color: #cc0000;">Deny</span> security permissions: 0</li>
<li>Total number of security permissions specified for Domain Admins: 246</li>
<li>Total number of security permissions specified for Enterprise Admins: 230</li>
<li>Total number of security permissions specified for Administrators: 231</li>
<li>Total number of security permissions in the ACL of the <a href="http://www.active-directory-security.com/2017/02/adminsdholder.html" target="_blank">AdminSDHolder</a> object: 24</li>
<li>Total number of security permissions in the ACL of the domain root objects: 53</li>
<li>Total number of specific extended rights specified in these security permissions: 19</li>
<li>Total number of attribute-specific write-property security permissions: 15</li>
</ul>
<div>
<br />
The exact security permissions can be viewed in the downloadable ACL dump (link provided above).<br />
<br />
<br />
<br />
<b>Unique <span style="color: #cc0000;">Security Principals</span></b></div>
<div>
<b></b><span style="color: #cc0000;"></span><br /></div>
<div>
Here's the list of the 27 unique security principals for whom security permissions are granted in the domain -</div>
<div>
<table style="width: 100%;">
<tbody>
<tr>
<td valign="top" width="50%"><ol>
<li>Pre-Windows 2000 Compatible Access</li>
<li>Cloneable Domain Controllers</li>
<li>Enterprise Read-only Domain Controllers</li>
<li>Domain Controllers</li>
<li>Key Admins</li>
<li>Enterprise Key Admins</li>
<li>Creator Owner</li>
<li>Self</li>
<li>Enterprise Domain Controllers</li>
<li>Administrators</li>
<li>Incoming Forest Trust Builders</li>
<li>Authenticated Users</li>
<li>Domain Admins</li>
<li>Enterprise Admins</li>
</ol>
</td>
<td valign="top" width="50%"><ol>
<li value="15">Everyone</li>
<li>System</li>
<li>Account Operators</li>
<li>Print Operators</li>
<li>Group Policy Creator Owners</li>
<li>RAS and IAS Servers</li>
<li>Domain Computers</li>
<li>Network Service</li>
<li>Cert Publishers</li>
<li>Windows Authorization Access Group</li>
<li>Terminal Server License Servers</li>
<li>DnsAdmins</li>
<li>DC1 (&lt;domain computer account&gt;)</li>
</ol>
</td>
</tr>
</tbody></table>
</div>
<br />
The exact permissions granted to each one of these security principals can be viewed in the ACL dump (link provided above).<br />
<b><br /></b>
<b><br /></b>
<b><br /></b>
<b>Instantiated <span style="color: #cc0000;">Object Classes</span></b><br />
<b></b><span style="color: #cc0000;"></span><br />
Here's the list of the 40 object classes, instances of which exist in the domain -<br />
<br />
<div>
<table style="width: 100%;">
<tbody>
<tr>
<td valign="top" width="50%"><ol>
<li>Domain-DNS</li>
<li>Container</li>
<li>Organizational-Unit</li>
<li>Lost-And-Found</li>
<li>Infrastructure-Update</li>
<li>ms-DS-Quota-Container</li>
<li>Rpc-Container</li>
<li>File-Link-Tracking</li>
<li>Link-Track-Volume-Table</li>
<li>Link-Track-Object-Move-Table</li>
<li>Domain-Policy</li>
<li>Class-Store</li>
<li>Group-Policy-Container</li>
<li>NTFRS-Settings</li>
<li>Dfs-Configuration</li>
<li>Ipsec-Policy</li>
<li>Ipsec-ISAKMP-Policy</li>
<li>Ipsec-NFA</li>
<li>Ipsec-Negotiation-Policy</li>
<li>Ipsec-Filter</li>
</ol>
</td>
<td valign="top" width="50%"><ol>
<li value="21">ms-DS-Password-Settings-Container</li>
<li>ms-Imaging-PSPs</li>
<li>TPM-InformationObjectsContainer</li>
<li>User</li>
<li>Builtin-Domain</li>
<li>Group</li>
<li>Foreign-Security-Principal</li>
<li>Sam-Server</li>
<li>Computer</li>
<li>RID-Manager</li>
<li>RID-Set</li>
<li>ms-DFSR-GlobalSettings</li>
<li>ms-DFSR-ReplicationGroup</li>
<li>ms-DFSR-Content</li>
<li>ms-DFSR-ContentSet</li>
<li>ms-DFSR-Topology</li>
<li>ms-DFSR-Member</li>
<li>ms-DFSR-LocalSettings</li>
<li>ms-DFSR-Subscriber</li>
<li>ms-DFSR-Subscription</li>
</ol>
</td>
</tr>
</tbody></table>
</div>
<br />
Each instance of these object classes, and their complete ACLs, can also be viewed in the ACL dump (link provided above).<br />
<br />
<br />
<br />
<b><span style="color: #cc0000;">Permission-Specific</span> Breakdown</b><br />
<b></b><br />
Finally, here's a breakdown of the number of security permissions of each Active Directory permission type -<br />
<ul>
<li>Number of security permissions (ACEs) granting Read Control (RC): 1977</li>
<li>Number of security permissions (ACEs) granting List Child (LC): 2171</li>
<li>Number of security permissions (ACEs) granting List Object (LO): 1968</li>
<li>Number of security permissions (ACEs) granting Read Property (RP): 5704</li>
<li>Number of security permissions (ACEs) granting Write Property (WP): 2072</li>
<li>Number of security permissions (ACEs) granting Create Child (CC): 1001</li>
<li>Number of security permissions (ACEs) granting Delete Child (DC): 779</li>
<li>Number of security permissions (ACEs) granting Standard Delete (SD): 803</li>
<li>Number of security permissions (ACEs) granting Delete Tree (DT): 586</li>
<li>Number of security permissions (ACEs) granting Extended Right (CR): 1299</li>
<li>Number of security permissions (ACEs) granting Validated Write (SW): 1389</li>
<li>Number of security permissions (ACEs) granting Modify Permissions (WD): 978</li>
<li>Number of security permissions (ACEs) granting Modify Owner (WO): 978</li>
</ul>
<br />
Finally, the exact ACEs that specify each one of these permissions can also be viewed in the ACL dump (link provided above).<br />
<br />
<br />
<br />
<b>Detailed Security <span style="color: #38761d;">Permissions Analysis</span></b><br />
<b></b><span style="color: #38761d;"></span><br />
Time permitting, you can analyze the entire ACL dump to perform detailed Active Directory security permissions analysis. Since the tooling splits the permissions field up into individual columns for permissions, it makes it very easy to analyze these ACLs.<br />
<br />
For instance, you can easily find out exactly what security permissions are granted to a specific user or group, or find out exactly which users or groups are granted a specific Active Directory permission. You can also easily identify all inherit-only security permissions, as well as all Allow permissions, Deny permissions, Explicit permissions, Inherited permissions, etc. I could go on with many more interesting facts and figures, but I'll stop here because my 2 minutes are up :-).<br />
<br />
BTW, this is super easy and what we consider child's play (which is also why I didn't want to give this more than 2 minutes of my time). Since it took just 3 seconds to dump these ACLs, I was happy to give it 2 minutes. Oh, and we use our own <a href="http://www.paramountdefenses.com/active-directory-acl-permissions-viewer.html" target="_blank">tooling</a>.<br />
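The kind of column-per-permission analysis described above, as an added example that is not the post's (or Paramount Defenses') tooling: it parses a constructed SDDL DACL, splits each ACE's rights mask into one column per Active Directory permission type (the same 13 types counted above), and then produces the per-permission breakdown and the trustee, Allow/Deny, explicit/inherited and inherit-only filters. The SIDs and the attribute GUID in the sample are placeholders, and the results are ACE-level facts, not effective permissions.<br />

```python
"""Breakdown of an Active Directory DACL dump by permission type.

Added example: parses DACL ACEs written in SDDL form, expands the rights
field into one boolean column per AD permission type, and answers the
questions an ACL dump analysis asks (counts per permission, ACEs for a
trustee, trustees holding a right, Allow/Deny/explicit/inherited split).
"""
import re
from collections import Counter

# Access-mask bit for each AD permission type (ADS_RIGHTS_ENUM values).
RIGHT_BITS = {
    "CC": 0x00001, "DC": 0x00002, "LC": 0x00004, "SW": 0x00008,
    "RP": 0x00010, "WP": 0x00020, "DT": 0x00040, "LO": 0x00080,
    "CR": 0x00100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000,
    "WO": 0x80000,
}
ALL_RIGHTS = sum(RIGHT_BITS.values())  # bits are distinct, so sum == OR

# Generic rights expanded the way the directory service maps them.
GENERIC_BITS = {
    "GA": ALL_RIGHTS,
    "GR": RIGHT_BITS["RC"] | RIGHT_BITS["LC"] | RIGHT_BITS["RP"] | RIGHT_BITS["LO"],
    "GW": RIGHT_BITS["RC"] | RIGHT_BITS["SW"] | RIGHT_BITS["WP"],
    "GX": RIGHT_BITS["RC"] | RIGHT_BITS["LC"],
}

ACE_RE = re.compile(r"\(([^()]*)\)")


def rights_to_mask(rights: str) -> int:
    """Convert an SDDL rights field (two-letter codes or a 0x mask) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code in RIGHT_BITS:
            mask |= RIGHT_BITS[code]
        elif code in GENERIC_BITS:
            mask |= GENERIC_BITS[code]
        else:
            raise ValueError(f"unknown rights code {code!r}")
    return mask


def parse_dacl(sddl: str) -> list:
    """Return one dict per DACL ACE with a boolean column per permission type."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop the SACL, if one is present
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        flag_codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        mask = rights_to_mask(rights)
        ace = {
            "type": "Allow" if ace_type in ("A", "OA")
                    else "Deny" if ace_type in ("D", "OD") else ace_type,
            "trustee": trustee,
            "object_type": obj_guid,            # attribute/class/right GUID, if any
            "inherited": "ID" in flag_codes,    # ACE was inherited from a parent
            "inherit_only": "IO" in flag_codes,  # ACE does not apply to the object itself
        }
        for code, bit in RIGHT_BITS.items():
            ace[code] = bool(mask & bit)        # one column per permission type
        aces.append(ace)
    return aces


def permission_breakdown(aces, allow_only=True):
    """Number of ACEs specifying each permission type (Allow ACEs by default)."""
    counts = Counter({code: 0 for code in RIGHT_BITS})
    for ace in aces:
        if allow_only and ace["type"] != "Allow":
            continue
        for code in RIGHT_BITS:
            if ace[code]:
                counts[code] += 1
    return dict(counts)


def summarize(aces):
    """Allow/Deny and explicit/inherited/inherit-only split of the ACEs."""
    return {
        "total": len(aces),
        "allow": sum(a["type"] == "Allow" for a in aces),
        "deny": sum(a["type"] == "Deny" for a in aces),
        "explicit": sum(not a["inherited"] for a in aces),
        "inherited": sum(a["inherited"] for a in aces),
        "inherit_only": sum(a["inherit_only"] for a in aces),
    }


def rights_for_trustee(aces, sid):
    """ACE-level rights for one trustee. This is NOT effective permissions:
    no group expansion, precedence or inheritance evaluation is done here."""
    out = {"Allow": set(), "Deny": set()}
    for ace in aces:
        if ace["trustee"] == sid and ace["type"] in out:
            out[ace["type"]].update(c for c in RIGHT_BITS if ace[c])
    return {k: sorted(v) for k, v in out.items()}


def trustees_granted(aces, code):
    """Trustees that hold an Allow ACE specifying the given permission type."""
    return sorted({a["trustee"] for a in aces if a["type"] == "Allow" and a[code]})


# Constructed sample DACL; the SIDs and the GUID are placeholders, not real values.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;CI;RCLCLORPWPCCDCSDDTCRSWWDWO;;;S-1-5-21-1000-2000-3000-512)"  # full control, explicit
    "(A;;RCLCLORP;;;S-1-5-11)"                                        # read, explicit
    "(OA;CIIOID;WP;11111111-2222-3333-4444-555555555555;;S-1-5-21-1000-2000-3000-1104)"  # one attribute, inherited, inherit-only
    "(D;;SDDT;;;S-1-5-21-1000-2000-3000-1105)"                        # explicit Deny of delete
    "(A;ID;0x20094;;;S-1-5-32-544)"                                   # hex mask = RC|LC|RP|LO, inherited
)

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_SDDL)
    for code, n in permission_breakdown(aces).items():
        print(f"Number of security permissions (ACEs) granting {code}: {n}")
    print(summarize(aces))
    print("WP granted to:", trustees_granted(aces, "WP"))
```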
<br />
Alright then, my 2 minutes are up, so back to work.<br />
<br />
Thanks,<br />
SanjaySanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com0tag:blogger.com,1999:blog-5958499117721089763.post-51159196120795345712018-06-18T18:16:00.000-07:002018-06-18T19:00:19.455-07:00Evidence Matters (, and We Have a Mountain of It)Folks,<br />
<br />
Earlier today, I had <a href="http://www.cyber-security-blog.com/2018/06/windows-update-installed-an-untrusted-lenovo-driver-on-a-microsoft-surface-device.html" target="_blank">shared details</a> of how we, by sheer chance, discovered that an untrusted (self-signed) purportedly Lenovo Kernel-mode device driver had been automatically downloaded and installed on a brand-new Microsoft Surface device.<br />
<br />
The evidence is in, and lies on, that specific Microsoft Surface device itself, and we had quarantined that device the minute we made this discovery, to preserve the evidence, so that if needed, Microsoft's engineers could identify what caused this issue.<br />
<br />
Speaking of evidence, as we know, in literally everything, <span style="color: #cc0000;">evidence matters</span>, because in it lies proof, and thus <span style="color: #073763;">evidence prevails</span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmZ0POTLnUmKAqO-tXZjRnSuWM_iQ7XIBSQ6UNNSp68XLV2OPU31asSbdYrr0PZ_c5JZcj_fzUsSW7EypwdtK9cCfN_Z8D-iFYo3ZNMI3RhyphenhyphenBzcExO9E4oU4YNcODQnUKqkIE4zQOPWcs/s1600/CEO.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1067" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmZ0POTLnUmKAqO-tXZjRnSuWM_iQ7XIBSQ6UNNSp68XLV2OPU31asSbdYrr0PZ_c5JZcj_fzUsSW7EypwdtK9cCfN_Z8D-iFYo3ZNMI3RhyphenhyphenBzcExO9E4oU4YNcODQnUKqkIE4zQOPWcs/s640/CEO.jpg" width="640" /></a></div>
<br />
Thus and in fact, from day one, we've made sure that <u>every single claim</u> we have ever made, whether it be about an inaccuracy in a specific vendor's effective permissions tooling, or the lack of sufficient knowledge in the Domain Admin community, or the list of our marquee customers, or our global customer base, or our Microsoft testimonials, or the claims made in The Paramount Brief, or when we inform a specific organization's executive management team about deficiencies in their existing cyber security defenses, or our claim regarding our innovative products being unique in their ability to empower organizations worldwide to be able to audit effective privileged access in their Active Directory, is backed by <span style="color: #cc0000;">concrete</span> evidence, and a <span style="color: #073763;">mountain</span> of it at that.<br />
<br />
You see, when you've spent 30,000 hours specializing on a single subject matter, you end up being the very best at what you do, and when you're the very best at what you do, unintended accomplishments come your way, and as they do, you not only end up standing tall upon a mountain of accomplishments, you also end up collecting, savoring and preserving every single trophy you've earned along the way, both small and big, which ultimately end up building a mountain of evidence.<br />
<br />
So to anyone who wishes to take us on, please know that we stand tall and operate formidably, upon a <span style="color: #cc0000;">mountain</span> of evidence.<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<span style="color: #cccccc;"><br /></span>
<span style="color: #cccccc;">PS: This message is certainly NOT directed at Microsoft.</span><br />
<span style="color: #cccccc;"> It is solely </span><span style="color: #cccccc;">intended to convey the value of evidence.</span>Sanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com0tag:blogger.com,1999:blog-5958499117721089763.post-79230241316679917432018-06-14T09:00:00.000-07:002018-06-14T09:00:06.058-07:00Hello AgainFolks,<br />
<br />
Hello again! I hope this finds you doing well. Wow, it's been 6 months since I blogged, and I'm sorry for the unintended absence.<br />
<br />
Perhaps I should introduce ourselves again ;-) <br />
<br />
<b>Hello World, We are ...</b><br />
<b></b><i></i><br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/PF2KOjWiM6k/0.jpg" frameborder="0" height="337" src="https://www.youtube.com/embed/PF2KOjWiM6k?feature=player_embedded" width="600"></iframe></div>
<br />
I should mention that I've been missing blogging, especially considering that I <a href="http://www.active-directory-security.com/2017/12/looking-back-at-2017-an-eventful-year-for-active-directory-security.html" target="_blank">penned 60+ posts</a> in 2017, so starting Monday, June 18, 2018, I'm going to get back to blogging, because it's time to help safeguard Microsoft's global ecosystem.<br />
<br />
<br />
Until then, perhaps I should share with you a bit of what's kept me away during the last 6 months -<br />
<ul>
<li><span style="color: #cc0000;">In January</span>, one of the world's top technology companies, one that likely impacts hundreds of millions of computers worldwide, had requested our help in accurately identifying privileged access in their foundational Active Directory, and considering that they had 50,000+ objects in their domain, and <span style="color: #cc0000;">the ACL of each object had a whopping 600+ ACEs</span>, we had to enhance Gold Finger so it could efficiently take into account 30 million ACEs to determine effective permissions across their domain, so as Gold Finger's lead architect, I had to get involved to enhance it a bit.</li>
<br />
<li><span style="color: #cc0000;">In February</span>, one of the world's most important national defense forces had reached out to us with a rather unique requirement within which they wanted Gold Finger to operate, and since it potentially impacted that country's <span style="color: #cc0000;">national security</span>, as one of Gold Finger's lead programmers, I had to help lead the effort to help them out.</li>
<br />
<li><span style="color: #cc0000;">During March and April</span>, we finished work on <a href="http://www.paramountdefenses.com/goldfinger-mini.html" target="_blank">Gold Finger Mini</a> <span style="color: #cc0000;">6.0</span>, the world's only cyber security tool that democratizes and delivers the power of real cyber intelligence by <span style="color: #cc0000;">empowering 500 million+ people worldwide</span> to find out for free exactly who can compromise their Active Directory credentials. It shipped on time, on May 01.</li>
<br />
<li><span style="color: #cc0000;">In May</span>, amongst others, <span style="color: #cc0000;">one of the world's largest insurance companies</span> joined our global family of customers by licensing Gold Finger 007, and I personally got involved to ensure that everything went off smoothly for them. In addition, one of America's top defense contractors had specially requested our assistance in helping them verify least-privileged access (LPA) in their foundational Active Directory, and I decided to get involved to help them out. </li>
<br />
</ul>
I just realized that almost half the year's over, and I hadn't blogged anything yet, so I've decided to get back to blogging.<br />
<br />
Very well then, onward to June 18, 2018. Stay tuned!<br />
<br />
Best wishes,<br />
Sanjay<br />
<br />
<br />Sanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com0tag:blogger.com,1999:blog-5958499117721089763.post-25477381792805499432017-12-31T23:59:00.000-08:002018-01-05T12:15:04.177-08:00Looking Back at 2017 - An Eventful Year for Active Directory SecurityFolks,<br />
<br />
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.<br />
<br />
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9sH0rhRvAkkG94D43qpZIUu3jdOlkM_dGmNo6_Ovo98hIoc2X0GXMWsN3yqlBak2xjEMUwXzz9mReCjL2XFLMa_4bpucSOQiFaJLLh1pDRyC2MeNX616JkEIIRKTd4XKM8Wsxp59G5q4/s1600/Active-Directory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="636" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9sH0rhRvAkkG94D43qpZIUu3jdOlkM_dGmNo6_Ovo98hIoc2X0GXMWsN3yqlBak2xjEMUwXzz9mReCjL2XFLMa_4bpucSOQiFaJLLh1pDRyC2MeNX616JkEIIRKTd4XKM8Wsxp59G5q4/s640/Active-Directory.jpg" width="640" /></a></div>
<br />
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - <i><span style="color: #cc0000;">Privileged User</span>, Privileged Access, <span style="color: #cc0000;">Domain Admins</span>, Enterprise Admins, <span style="color: #cc0000;">Mimikatz DCSync</span>, AdminSDHolder, <span style="color: #cc0000;">Active Directory ACLs</span>, Active Directory Privilege Escalation, <span style="color: #cc0000;">Sneaky Persistence in Active Directory</span>, Stealthy Admins in Active Directory, <span style="color: #cc0000;">Shadow Admins in Active Directory</span>, Domain Controllers, <span style="color: #cc0000;">Active Directory Botnets</span></i>, etc. etc.<br />
<br />
<br />
<b><span style="color: #cc0000; font-size: large;"><br /></span></b>
<b><span style="color: #cc0000; font-size: large;">Top-10</span> Notable <span style="color: #cc0000;">Active Directory Security</span> Events of 2017</b><br />
<b></b><br />
Here are the Top-10 most notable events in Active Directory Security this year -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqKtmOe4LicD3hWV6eylJCv7RbJrc2lW8B9c6hjLiLebSdlMgk-sx77bfBR6K7MsoRW_rwCEq6SZLNjC9vZqMQpSQrg6jylU5DFGt74lcs7ebYcFbcdCnSjj6AJLy8xzPcKhEbnCd2Kfg/s1600/Cyber-Security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="1100" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqKtmOe4LicD3hWV6eylJCv7RbJrc2lW8B9c6hjLiLebSdlMgk-sx77bfBR6K7MsoRW_rwCEq6SZLNjC9vZqMQpSQrg6jylU5DFGt74lcs7ebYcFbcdCnSjj6AJLy8xzPcKhEbnCd2Kfg/s640/Cyber-Security.png" width="640" /></a></div>
<br />
<ol>
<li>Since the beginning of the year, i.e. January 01, 2017, <a href="http://www.cyber-security-blog.com/2017/10/a-massive-cyber-breach-whilst-considering-the-cloud.html" target="_blank">Mimikatz DCSync</a>, an incredibly and dangerously powerful tool built by <a href="http://www.cyber-security-blog.com/2016/07/a-letter-to-benjamin-delpy-re-mimikatz-and-active-directory-security.html" target="_blank">Benjamin Delpy</a>, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker's, perpetrator's and cyber security penetration-tester's arsenal.<br />
</li>
<br />
<li>On May 15, 2017, the developers of <a href="https://wald0.com/?p=112" rel="nofollow" target="_blank">BloodHound</a> introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, BloodHound, <span style="color: #cc0000;">which is massively inaccurate</span>, seems to have started becoming very popular in the hacking community.</li>
<br />
<li>On June 08, 2017, CyberArk, a billion+ dollar cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, and released a (<span style="color: #cc0000;">massively inaccurate</span>) tool called <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">ACLight</a> to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.</li>
<br />
<li>On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast, <a href="https://adsecurity.org/?p=3658" rel="nofollow" target="_blank">penned</a> an entry-level post "<i>Scanning for Active Directory Privileges and Privileged Accounts</i>" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!</li>
<br />
<li>On July 11, 2017, Preempt, a cyber security company, <a href="https://blog.preempt.com/new-ldap-rdp-relay-vulnerabilities-in-ntlm" rel="nofollow" target="_blank">announced</a> that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.</li>
<br />
<li>On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled <a href="https://www.blackhat.com/us-17/briefings/schedule/#an-ace-up-the-sleeve-designing-active-directory-dacl-backdoors-6223" rel="nofollow" target="_blank">An ACE Up the Sleeve - Designing Active Directory DACL Backdoors</a> at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.</li>
<br />
<li>Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled <a href="https://www.blackhat.com/us-17/briefings/schedule/#the-active-directory-botnet-7423" rel="nofollow" target="_blank">The Active Directory Botnet</a> introduced the world to a new attack technique that exploits the default access granted to all Active Directory users to set up command and control servers within organizations worldwide. This too made waves.</li>
<br />
<li>On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled <a href="https://blogs.technet.microsoft.com/enterprisemobility/2017/09/18/active-directory-access-control-list-attacks-and-defense/" rel="nofollow" target="_blank">Active Directory Access Control List - Attacks and Defense</a>, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">revealing</a> just how little its ATA team seems to know about the subject.</li>
<br />
<li>On December 12, 2017, Preempt, a cyber security company, <a href="https://blog.preempt.com/advisory-flaw-in-azure-ad-connect" rel="nofollow" target="_blank">announced</a> that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also <a href="https://blog.preempt.com/advisory-flaw-in-azure-ad-connect" rel="nofollow" target="_blank">suggested</a> that organizations worldwide use their (<span style="color: #cc0000;">massively inaccurate</span>) tooling to find these Stealthy Admins in Active Directory.</li>
<br />
<li>From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted <a href="http://www.cyber-security-blog.com/2017/08/teaching-microsoft-about-active-directory-security.html" target="_blank">Active Directory Security School</a> for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1-9 above, but the whole world, realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1-9 above lies in <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> and <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access.</a></li>
</ol>
<br />
<br />
<span style="color: #cccccc;"></span><br />
<b><span style="color: #38761d;"><br /></span></b>
<b><span style="color: #38761d;"><br /></span></b><b>Helping <span style="color: #cc0000;">Defend</span> Microsoft's Global </b><b>Customer Base</b><br />
<b><span style="color: #cccccc;">( i.e. <span style="color: #cccccc; font-size: large;">85%</span> of Business and Govt. Organizations Worldwide )</span></b><br />
<span style="color: #cccccc;"></span><br />
Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to <a href="http://www.active-directory-security.com/2017/12/why-i-do-what-i-do.html" target="_blank">help </a>educate thousands of organizations worldwide about...<b><br /></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi58hsCx9Wc-Eq7lEhHUmqGiPNPEmEUnauD64s4uss1pNRGlyaEJkAL_-2vy-KfuJ44gvXdIsQCanElcOvMathW-TlFUD5BRSX7klR03b3Lb4lE9MhldVg3sCt3XqDGgY0MTz9hoHyGsUc/s1600/Paramount-Defenses.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi58hsCx9Wc-Eq7lEhHUmqGiPNPEmEUnauD64s4uss1pNRGlyaEJkAL_-2vy-KfuJ44gvXdIsQCanElcOvMathW-TlFUD5BRSX7klR03b3Lb4lE9MhldVg3sCt3XqDGgY0MTz9hoHyGsUc/s640/Paramount-Defenses.png" width="640" /></a></div>
<b><br /></b>
...not just the paramount <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">importance</a> of Active Directory Security to their <a href="http://www.paramountdefenses.com/active-directory.html" target="_blank">foundational</a> security, but also about how to <span style="color: #38761d;">correctly</span> <span style="color: #cc0000;">secure and defend</span> their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.<br />
<br />
This year, <span style="color: #38761d; font-family: "verdana" , sans-serif; font-size: x-large;">I</span> ( / <a href="http://www.paramountdefenses.com/" target="_blank">we</a>) ...<br />
<br />
<ol>
<li>conducted 30-days of advanced <a href="http://www.paramountdefenses.com/blog/30-days-of-advanced-active-directory-security-school-for-microsoft/" target="_blank">Active Directory Security School</a> for the $ 650+ Billion Microsoft Corporation<br />
<br />
<dd><a href="http://www.active-directory-security.com/2017/05/a-trillion-dollar-letter-to-microsoft-concerning-cyber-security-worldwide.html" target="_blank">Introduction</a>, How Well <a href="http://www.active-directory-security.com/2017/06/how-well-does-microsoft-really-understand-cyber-security.html" target="_blank">Does Microsoft Understand Cyber Security</a>, The <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">Importance of Active Directory Security</a>, The <a href="http://www.active-directory-security.com/2017/06/the-impact-of-an-active-directory-security-breach.html" target="_blank">Impact of an Active Directory Security Breach</a>, The <a href="http://www.active-directory-security.com/2017/06/the-active-directory-attack-surface.html" target="_blank">Active Directory Attack Surface</a>, The <a href="http://www.active-directory-security.com/2017/06/the-top-5-cyber-security-risks-to-active-directory.html" target="_blank">Top-5 Security Risks to Active Directory</a>, <a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">Active Directory Privilege Escalation</a>, An <a href="http://www.active-directory-security.com/2017/07/an-ocean-of-access-privileges-in-active-directory.html" target="_blank">Ocean of Access Privileges</a>, <a href="http://www.active-directory-security.com/2017/02/adminsdholder.html" target="_blank">AdminSDHolder</a>, <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">Active Directory ACLs - Attack and Defense</a> (Actual), <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a>, and <a 
href="http://www.active-directory-security.com/search/label/Active%20Directory%20Privileged%20Access%20Audit" target="_blank">so many more</a> ...</dd></li>
<br /><br />
<li>showed thousands of organizations worldwide <a href="http://www.active-directory-security.com/2016/08/active-directory-credential-theft-mimikatz-dcsync-mitigation.html" target="_blank">How to Render Mimikatz DCSync Useless</a> in their Active Directory</li>
<br />
<li>helped millions of pros (like Mr. Metcalf) worldwide learn <a href="http://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">How to Correctly Identify Privileged Users in Active Directory</a></li>
<br />
<li>helped the developers of BloodHound understand <a href="http://www.active-directory-security.com/2017/10/how-to-thwart-sneaky-persistence-in-active-directory.html" target="_blank">How to Easily Identify Sneaky Persistence in Active Directory</a></li>
<br />
<li>helped Microsoft's ATA Team learn advanced stuff <a href="http://www.active-directory-security.com/2017/09/active-directory-access-control-lists-attack-and-defense.html" target="_blank">About Active Directory ACLs - Actual Attack and Defense</a></li>
<br />
<li>showed <a href="http://www.cyber-security-blog.com/2017/12/privileged-account-security-guidance-for-cyberark.html" target="_blank">CyberArk</a>, trusted by 50% of Fortune 100 CISOs, <a href="http://www.active-directory-security.com/2017/12/how-to-correctly-discover-shadow-admins.html" target="_blank">How to Correctly Identify Shadow Admins in Active Directory</a></li>
<br />
<li>helped cyber security startup Preempt's experts learn <a href="http://www.active-directory-security.com/2017/12/how-to-discover-stealthy-admins-in-active-directory.html" target="_blank">How to Correctly Identify Stealthy Admins in Active Directory</a></li>
<br />
<li>helped the presenters of The Active Directory Botnet learn <a href="http://www.active-directory-security.com/2017/12/how-to-easily-solve-the-active-directory-botnet-problem.html" target="_blank">How to Easily Solve the Problem of Active Directory Botnets</a></li>
<br />
<li>helped millions of cyber security folks worldwide understand and illustrate <a href="http://www.active-directory-security.com/2017/06/a-simple-trillion-dollar-active-directory-privilege-escalation-example.html" target="_blank">Active Directory Privilege Escalation</a></li>
<br />
<li>Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">Active Directory Effective Permissions</a> and <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access</a> to Active Directory Security</li>
</ol>
<div>
<br />
<br />
In fact, we're not just providing <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">guidance</a>, we're uniquely <a href="http://www.paramountdefenses.com/company/provide-mission-critical-cyber-security-insight-worldwide.html" target="_blank">empowering</a> organizations <a href="http://www.paramountdefenses.com/company/customers.html" target="_blank">worldwide</a> to easily <a href="http://www.paramountdefenses.com/solutions.html" target="_blank">solve</a> these challenges.<br />
<br />
<br />
<br />
<br />
<b><span style="color: #cc0000;"><span style="font-size: large;"><br /></span></span></b>
<b><span style="color: #cc0000;"><span style="font-size: large;">S</span>ummary</span></b><br />
<b></b><span style="color: #38761d;"></span><span style="color: #cc0000;"></span><br />
All in all, it's been quite an eventful year for Active Directory Security <span style="color: #cccccc;">(, and one that I saw coming over ten years ago.)</span><br />
<br />
In 2017, attackers, pen-testers and defenders finally seem to have realized the importance of Active Directory Security.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim3jG1GVBjbzrMLUWpoJAstOoO8M3VyLpllN0axwOOhtMHhe7zu4XL_zqyP5bVe8XxOfAoGXESTkYpDC30GY98HKb0PPjO4D_JA-YLzk2hDlQuTEbEeo59PaxTGZr5FrIg7rVqhBGsrEA/s1600/Active-Directory-Privileged-User-Access-Audit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1100" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim3jG1GVBjbzrMLUWpoJAstOoO8M3VyLpllN0axwOOhtMHhe7zu4XL_zqyP5bVe8XxOfAoGXESTkYpDC30GY98HKb0PPjO4D_JA-YLzk2hDlQuTEbEeo59PaxTGZr5FrIg7rVqhBGsrEA/s640/Active-Directory-Privileged-User-Access-Audit.png" width="640" /></a></div>
<br />
Perhaps, in 2018, they'll realize that the <a href="http://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">key</a> to Active Directory Security lies in being able to accurately determine <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">this</a>.</div>
<br />
Best wishes,<br />
Sanjay.<br />
<br />
PS: <a href="http://www.cyber-security-blog.com/2017/12/why-i-do-what-i-do.html" target="_blank">Why I do, What I do</a>.<br />
<br />Sanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com0tag:blogger.com,1999:blog-5958499117721089763.post-78630457903091917332017-12-29T09:30:00.000-08:002019-12-02T11:55:08.713-08:00Why I do, What I doFolks,<br />
<br />
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinVr-f5nfcgFSTHHAYiN9gOkRJiCZZ1pvVMuI_7h5k_4gGOiImk_0UYLEvnP-zeyeGbFi6e2aQUYNGWuMuFtDngH2Sxvh2oGf4UUON0GfEXleKoJ80r5eoY_oq4BIw7HcC-hjheh02yNo/s1600/Thought-Leadership.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="309" data-original-width="800" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinVr-f5nfcgFSTHHAYiN9gOkRJiCZZ1pvVMuI_7h5k_4gGOiImk_0UYLEvnP-zeyeGbFi6e2aQUYNGWuMuFtDngH2Sxvh2oGf4UUON0GfEXleKoJ80r5eoY_oq4BIw7HcC-hjheh02yNo/s640/Thought-Leadership.png" width="640" /></a></div>
<br />
Here are the answers to the <b><span style="color: #cc0000; font-size: large;">Top-5</span></b> questions I am frequently asked -<br />
<br />
<ol>
<li><span style="color: #cc0000;">You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?</span>
<br /><br />Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my <a href="http://www.paramountdefenses.com/leadership.html" target="_blank">background</a>) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.<br /><br />
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (<a href="http://www.active-directory-security.com/" target="_blank">here</a>) and Cyber Security (<a href="http://www.cyber-security-blog.com/" target="_blank">here</a>) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.<br /><br />
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.<br />
</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">Speaking of which, how big is Paramount Defenses?</span>
<br /><br />At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.<br />
<br />If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of <a href="http://www.paramountdefenses.com/company/customers.html" target="_blank">prominent</a> organizations across six continents worldwide.<br />
</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?</span>
<br /><br />The simple answer to this question - <i><span style="color: #cc0000;">For Security Reasons</span></i>.<br />
<br />At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.<br />
<br />As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.<br />
<br />Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest <a href="http://www.paramountdefenses.com/leadership/global-community.html" target="_blank">community</a> of Active Directory Security Professionals on LinkedIn.<br />
</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">What do you intend to accomplish by blogging?</span><br /><br />The intention is to help organizations worldwide understand just how <a href="http://www.active-directory-security.com/2017/06/active-directory-security-is-paramount.html" target="_blank">profoundly</a> important <a href="http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html" target="_blank">Active Directory Security</a> is to organizational cyber security, and how paramount <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">Active Directory Effective Permissions</a> are to Active Directory Security.<br />
<br />
That's because this impacts <a href="http://www.paramountdefenses.com/company/the-entire-world-runs-on-active-directory.html" target="_blank">global security</a> today, and here's why -
<br />
<br /><br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirDe3uFkBlUZeV1sK08Gf3aFyJhcvXLBwp7lWgGw7MyYNyUPgVo7j4YaE3Bg8XAF7gnhg8rMCKaynP-KN1sOA0frF8V7J25k6sOOkZqq-P_TEafJ6BJ1jgADR5jZkJaObJpJpgNGwEBsY/s1600/Active-Directory-Privileged-Access.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="234" data-original-width="676" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirDe3uFkBlUZeV1sK08Gf3aFyJhcvXLBwp7lWgGw7MyYNyUPgVo7j4YaE3Bg8XAF7gnhg8rMCKaynP-KN1sOA0frF8V7J25k6sOOkZqq-P_TEafJ6BJ1jgADR5jZkJaObJpJpgNGwEBsY/s320/Active-Directory-Privileged-Access.jpg" width="320" /></a></div>
<br />
<br />
You see, the <b><span style="font-size: large;">Crown Jewels</span></b> of cyber security reside in Active Directory, and if they're compromised, it's Game Over. By <i>Crown Jewels</i>, I'm referring to <a href="http://www.paramountdefenses.com/cyber-security/privileged-access.html" target="_blank">privileged access</a>, or as commonly known, <i>Domain Admin</i> equivalent accounts.<br />
<br />It is a fact that <a href="http://www.paramountdefenses.com/privileged-access.html" target="_blank">100%</a> of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.<br />
<br />
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the <a href="http://www.active-directory-security.com/2015/07/how-to-search-identify-and-minimize-privileged-users-accounts-in-active-directory.html" target="_blank">Tip of the Iceberg</a>, and we have found that most of them do not even seem to know that there are in fact FAR more accounts with varying levels of elevated admin/privileged access in Active Directory than they are aware of.<br />
<br />This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. <a href="http://www.paramountdefenses.com/company/insight.html" target="_blank">Here</a>'s why.<br />
<br />In fact, <span style="color: #cc0000;">Active Directory privileged access accounts have been getting a lot of attention lately</span>, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, <a href="https://wald0.com/?p=112" rel="nofollow" target="_blank">one</a>, <a href="https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/" rel="nofollow" target="_blank">two</a>, <a href="https://blog.preempt.com/advisory-flaw-in-azure-ad-connect" rel="nofollow" target="_blank">three</a> etc.), and some have even started developing amateur tools to identify such accounts.<br />
<br />What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "<i>Who has what Permissions in Active Directory</i>" <span style="color: #cc0000;">WHEREAS</span> the <span style="color: #38761d;">ONLY</span> way to correctly identify privileged user accounts in Active Directory is by accurately finding out "<i>Who has what <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Effective Permissions</a> in Active Directory</i>?"<br />
<br />On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.<br />
<br />To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "<i>Find out who has what privileged access in Active Directory,</i>" and since so many IT personnel don't seem to know better, they get misled.<br />
<br /><span style="color: #cc0000;">
Thus, there's an imperative need</span> to help organizations learn how to correctly audit privileged users in Active Directory.<br />
<br />Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html" target="_blank">effective permissions </a>/ <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html" target="_blank">effective access</a> in Active Directory. There is only ONE correct way to accomplish this objective.</li>
<br /><br /><br /><br />
<li><span style="color: #cc0000;">Why have you been a little hard on Microsoft lately?</span>
<br /><br />Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
<br /><br />In that regard, if you truly understand cyber security in Windows environments, you know that <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory Effective Permissions</a> and <a href="http://www.paramountdefenses.com/company/cyber-security-innovation.html" target="_blank">Active Directory Effective Access</a> play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) <span style="color: #cc0000;">no one seems to have a clue.</span><br />
<br />You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the <a href="http://www.paramountdefenses.com/operating-in-the-dark.html" target="_blank">proverbial dark</a> today.<br />
<br />It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - <a href="http://www.active-directory-security.com/2017/01/advanced-active-directory-security-school-for-microsoft.html" target="_blank">Proof</a>.<br />
<br />Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise <a href="http://www.businesswire.com/news/home/20160226006223/en/Paramount-Defenses-World's-Top-Cyber-Security-Companies" target="_blank">awareness</a>.<br />
<br />As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.<br />
<br />Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been <a href="http://www.paramountdefenses.com/company/timeline.html" target="_blank">laser-focused</a>. Besides, actions speak louder than words, so once you understand what it is <a href="http://www.paramountdefenses.com/company/provide-mission-critical-cyber-security-insight-worldwide.html" target="_blank">we do</a> at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.<br />
<br />Those who understand what we've <a href="http://www.paramountdefenses.com/company/develop-innovative-mission-critical-cyber-security-solutions.html" target="_blank">built</a>, know that we may be Microsoft's most strategic <a href="http://www.paramountdefenses.com/company.html" target="_blank">ally</a> in the cyber security space.</li>
<br />
</ol>
<div>
<br /></div>
<div>
Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.<br />
<br />
Best wishes,</div>
<div>
<a href="http://www.sanjaytandon.com/" target="_blank">Sanjay</a></div>Sanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com0tag:blogger.com,1999:blog-5958499117721089763.post-15531962964527307742017-12-27T07:00:00.000-08:002017-12-31T04:53:26.357-08:00How to Easily Solve the Difficult Problem of Active Directory Botnets<b><span style="color: #0b4000;"></span></b><br />
Folks,<br />
<br />
The year's almost coming to an end, and I just realized that one of the topics that I had not yet addressed as a part of my basic <a href="http://www.cyber-security-blog.com/2017/08/teaching-microsoft-about-active-directory-security.html" target="_blank">Active Directory Security School for Microsoft</a> was this inane topic of <span style="color: #cc0000;">Active Directory Botnets</span> so today's post is on AD Botnets.<br />
<br />
There's less than 100 hours left this year, and I value every minute, so this one's going to be short, yet sufficient.<br />
<br />
<br />
<h2>
<span style="color: #cc0000;">Active Directory Botnets</span><b><br /></b></h2>
<br />
Earlier this year, one of the two presentations on Active Directory Security at the famous Black Hat Conference USA 2017 was titled - <a href="https://www.blackhat.com/us-17/briefings/schedule/#the-active-directory-botnet-7423" rel="nofollow" target="_blank">The Active Directory Botnet</a>. (The other one was <a href="http://www.active-directory-security.com/2017/07/an-ace-up-the-sleeve-designing-active-directory-acl-backdoors.html" target="_blank">An ACE Up the Sleeve - Designing Active Directory ACL Backdoors</a>.) <br />
<br />
Both of these presentations seem to have gotten a lot of attention, and as to the presentation on Active Directory Botnets, its authors said that this is (and I <a href="https://www.darkreading.com/endpoint/the-active-directory-botnet/v/d-id/1329756?" rel="nofollow" target="_blank">quote</a>) "<span style="color: #cc0000;"><i>a nightmare of an implementation error with no easy fix</i>!</span>"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht5GEEfZq2MK48YfgeUUO_jM__AMF_UE5eUOhmoM4xVoLRg3A6faGi_nIZXqbUYY5I8ML_a3WoBFOYyNY94wcKQ2GZkLfL44V2zzaPCG1OFybhPVnnI77EP5DYIGZOcwHCjU0OLQ_vsvU/s1600/Active-Directory-Botnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="700" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht5GEEfZq2MK48YfgeUUO_jM__AMF_UE5eUOhmoM4xVoLRg3A6faGi_nIZXqbUYY5I8ML_a3WoBFOYyNY94wcKQ2GZkLfL44V2zzaPCG1OFybhPVnnI77EP5DYIGZOcwHCjU0OLQ_vsvU/s1600/Active-Directory-Botnet.png" /></a></div>
<br />
Well, today I'll show you just how easy it is to solve/fix this supposedly difficult problem :-)<br />
<br />
In today's post, I am <span style="color: #cc0000;">not going to</span> go into the details of how attackers could set up these botnets because my focus is on helping organizations eliminate the very possibility of this issue, so if you're interested in the technical details, here are a few pointers -
<br />
<ol>
<li>The <a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Miller-The-Active-Directory-Botnet.pdf" rel="nofollow" target="_blank">slides</a> of the presentation titled <i>The Active Directory Botnet</i> that was made at the Black Hat Conference 2017</li>
<li>A <a href="https://youtube.com/watch?v=kulJYLaOnll" rel="nofollow" target="_blank">video</a> of the presentation titled <i>The Active Directory Botnet</i> that was made at the Black Hat Conference 2017</li>
<li>A short <a href="https://www.darkreading.com/endpoint/the-active-directory-botnet/v/d-id/1329756?" rel="nofollow" target="_blank">interview</a> with the presenters of this presentation.</li>
</ol>
<br />
Since my purpose is on helping organizations mitigate this issue,<span style="color: #38761d;"> I'm going to focus on the mitigation aspect.
</span><b><br /></b>
<br />
<span style="color: #38761d;"></span><br />
<br />
<br />
<b><span style="color: #cc0000;">What Makes This Possible
</span></b><br />
<b></b><span style="color: #cc0000;"></span><br />
In order to find out how to easily mitigate this issue, it helps to first understand what makes this issue possible in the first place.<br />
<br />
Here's the short of what makes this all possible -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGWixjnjAeMB1xXnZJpD60XpEm_MgA0rf88Vqh3folwr30lwtKd_XnLFDmpGwv0Hn6xQvt7zbZh1bGq71P0BsHmM2oQRVQ630z06FvNfM34YrtYt0eyhZK5cIhOhmatx4b8XaQLLqC63g/s1600/Permissions-Granted-to-Personal-Self.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="626" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGWixjnjAeMB1xXnZJpD60XpEm_MgA0rf88Vqh3folwr30lwtKd_XnLFDmpGwv0Hn6xQvt7zbZh1bGq71P0BsHmM2oQRVQ630z06FvNfM34YrtYt0eyhZK5cIhOhmatx4b8XaQLLqC63g/s1600/Permissions-Granted-to-Personal-Self.png" /></a></div>
<br />
<br />
As you may know, Active Directory, being the very foundation of cyber security in a Microsoft Windows Server network, stores and protects the entirety of an organization's domain user accounts, security groups, computer accounts, security policies etc.<br />
<br />
As you may also know, in Active Directory literally everything is an object, and an object is essentially a collection of numerous attributes, as defined in the Active Directory Schema. So for example, there exist attributes for elements such as a user's first name, last name, password, manager, contact details, address details, user profile, a picture etc. etc.<br />
<br />
Further, Active Directory's powerful security/delegation model makes it very easy for IT personnel to provision access in Active Directory for various stakeholders, to fulfill business needs wherein these stakeholders may need to be able to modify any of these fields/attributes. For example, if an HR application needs to change the <i>Manager</i> field/attribute on user accounts, such access can be very easily and precisely delegated to that HR application's service account.<br />
<br />
Now, it turns out that by default, Active Directory also lets all domain user account holders modify certain fields/attributes on their own domain user accounts. Examples of such fields/attributes include <i>Address</i>, <i>Assistant</i>, <i>Personal-Title</i>, <i>Phone-Home-Other</i>, <i>Phone-Ip-Other</i>, <i>Picture</i>, <i>Street-Address</i>, <i>WWW-Home-Page </i> etc. to name a few.
<br />
<br />
These attributes could store values of various data-types, so for instance, while some could simply and solely store a text string, others could store a distinguished name, and still others could store binary data. An example of an attribute that can solely store a text value is <i>Surname</i> and an example of an attribute that can store binary data is <i> Picture</i>.<br />
<b><br /></b>Finally, to simplify access control, numerous such related fields/attributes can be aggregated together into an Active Directory construct known simply as a <span style="color: #38761d;">Property-Set</span>.<br />
<br />
Examples of <a href="https://msdn.microsoft.com/en-us/library/ms683990.aspx" rel="nofollow" target="_blank">Active Directory Property Sets</a> include Personal Information, Private Information, Web Information, etc.<br />
<br />
<br />
Tying all of the above together, in the access control list (ACL) of every domain user account, <b>by default</b> there are explicit access control entries (ACEs) that grant the security principal <i>Personal Self</i>, the ability to modify the <i>Personal Information</i>, <i>Phone and Mail Options</i> and <i>Web Information</i> property sets. Since the <i>Personal Self </i>security principal on an Active Directory user object maps to the domain user account itself, the presence of these security permissions provides sufficient effective access to the domain user account holder to be able to modify all the attributes that are members of these property sets!<br />
<br />
Now, imagine a scenario wherein the computer onto which this domain user account usually logs on has been compromised. In that scenario, the attacker could now have malicious code run in the security context of this domain user account, and if so, then one of the things that malicious code could do is update these attributes on the user's domain user account! <br />
<br />
In such a scenario, how the attacker chooses to use this default ability to update these attributes in Active Directory is purely a function of his/her imagination, and it so happens that in this particular case, the presenters of that specific presentation at Black Hat came up with a scenario wherein attackers could choose to use this default access granted to domain user accounts to introduce and operate Botnets in Active Directory environments! <br />
<br />
<b><br /></b>
<b><br /></b>
<b><br /></b>
<br />
<br />
<b><span style="color: #38761d;">How to Easily Solve the Supposedly Difficult Problem of </span></b><br />
<b><span style="color: #38761d; font-size: x-large;">Active Directory Botnets -</span></b><br />
<b></b><span style="color: #38761d;"></span><span style="font-size: large;"></span><span style="font-size: x-large;"></span><br />
According to the authors of this presentation, this is (and I quote) "<span style="color: #cc0000;"><i>a nightmare of an implementation error with no easy fix</i>!</span>" <br />
<br />
If you ask me, I'll tell you "<i><span style="color: #38761d;">this is an issue that can be mitigated in minutes, and here's how</span></i>" -<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif9i18DI2cJGUH5nCwrwCRj2P6iQfZQPxL-kUS-bq12In23XmhKdjUnaBaqhskSyKoKZgVXGxsNtMY_pmFUDpGGU-GPZrAhX2lyI3QK95WdbfyQFNgU50R2SM-FZ0R1E3LrsdLPGPwg9A/s1600/Mitigate-Active-Directory-Botnet-Risk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="626" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif9i18DI2cJGUH5nCwrwCRj2P6iQfZQPxL-kUS-bq12In23XmhKdjUnaBaqhskSyKoKZgVXGxsNtMY_pmFUDpGGU-GPZrAhX2lyI3QK95WdbfyQFNgU50R2SM-FZ0R1E3LrsdLPGPwg9A/s1600/Mitigate-Active-Directory-Botnet-Risk.png" /></a></div>
<br />
<br />
All that organizational IT personnel need to do is write a simple script whose purpose is simply to remove those <span style="color: #38761d;">explicit</span> ACEs in the ACLs of domain user accounts in an Active Directory that grant the <i>Personal Self </i>security principal <i>Write-Property </i>permissions to the involved property sets.<br />
<br />
Specifically, here are the three <b>explicit</b> ACEs that you may want to remove -<br />
<ol>
<li>{ <span style="color: #38761d;">Allow</span> SELF Read/write personal information }</li>
<li>{ <span style="color: #38761d;">Allow</span> SELF Read/write phone and mail options }</li>
<li>{ <span style="color: #38761d;">Allow</span> SELF Read/write web information }</li>
</ol>
<br />
<span style="color: #38761d;">Such a script can be written and be executed within minutes</span>, and once it has been executed, there should no longer<span style="color: #cc0000;">*</span> be any ACEs in the ACLs of the organization's domain user accounts that would allow these domain user accounts the ability to modify these attributes on their own objects, and as a consequence, perpetrators will no longer be able to leverage this default modify access in Active Directory, resulting in a situation where this issue would no longer be an issue at all, since the underlying enabler of this issue would have been eliminated!<br />
<blockquote class="tr_bq">
<b><span style="color: #cc0000;">*</span></b> Kindly see sections titled <i>A Caveat</i> and <i>An Advanced Tip</i> below</blockquote>
<br />
<span style="color: #38761d;">It really is as simple as this!</span> That's it!<br />
<br />
<br />
Now, some might ask - "<i>But wouldn't this impact the ability of users to modify such attributes in Active Directory and/or cause potential application compatibility issues if certain apps were relying on this default access to properly function today</i>?!"<br />
<br />
The answer to that question is that realistically speaking, domain user account holders should not ideally possess any level of modify access in Active Directory, and <span style="color: #38761d;">most likely</span> no default applications should be relying on this default access granted to domain user accounts to function, so the application compatibility impact of making this change could be none to minimal.<br />
<blockquote class="tr_bq">
<u><span style="color: #cc0000;">Disclaimer</span></u>: Organizations know their unique Active Directory environments best, so before acting on this advice, organizations will want to ensure that there in fact are no Active Directory integrated applications or business use-cases that leverage this default modify access granted to domain users on their accounts. This advice is provided on a best-efforts basis and your use of it is subject to our <a href="http://www.paramountdefenses.com/terms-of-use.html" rel="nofollow" target="_blank">Terms of Use</a>.</blockquote>
<br />
<span style="color: #38761d;">That's literally all there is to it, and that is literally how easy it is to solve this inane problem!</span><br />
<div>
<span style="color: #38761d;"><br /></span></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="color: #cc0000;"><br /></span></div>
<div>
<b>One <span style="color: #cc0000;">Caveat</span></b></div>
<b></b><br />
There is ONE caveat that could possibly still enable a perpetrator to try and leverage the limited write-property access that might remain even after you remove each one of those explicit ACEs that grant SELF modify access to those property sets.<br />
<br />
Here's the caveat - at the domain root, there is an <span style="color: #38761d;">inheritable</span> permission specified that is inherited by all objects, including all user objects, and it grants SELF the ability to read and write the <i>Private Information </i>property set - { <span style="color: #38761d;">Allow</span> SELF Special }<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRXX7RV1O7KLQ5yGrxdaQPIx-SER8-_4S87KaECOM-HYIE6fbafHx3_99GI_kzqLc0Vk_qSGVEBzRrLnZ2Rad4SyzDmVPrTvb9__MHqh1dCSwAlbuoyPzxXzgQ8BnZRzFy5tAYdYgtREU/s1600/Private-Information-Property-Set.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="626" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRXX7RV1O7KLQ5yGrxdaQPIx-SER8-_4S87KaECOM-HYIE6fbafHx3_99GI_kzqLc0Vk_qSGVEBzRrLnZ2Rad4SyzDmVPrTvb9__MHqh1dCSwAlbuoyPzxXzgQ8BnZRzFy5tAYdYgtREU/s1600/Private-Information-Property-Set.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Members of the <b>Private Information</b> property-set include* - </div>
<ol>
<li><i>ms-PKI-Credential-Roaming-Tokens</i></li>
<li><i>MS-PKI-RoamingTimeStamp</i></li>
<li><i>MS-PKI-DPAPIMasterKeys</i></li>
<li><i>MS-PKI-AccountCredentials</i></li>
</ol>
<blockquote class="tr_bq">
* This property-set has the above four members in Windows Server 2008 R2 and beyond.</blockquote>
<br />
<br />
<span style="color: #cc0000;">As a result, theoretically speaking</span>, a perpetrator could possibly try to use these attributes to achieve the same mal-effect. <br />
<br />
<span style="color: #38761d;">However, in practice</span>, should the system be using these attributes, then any values that the perpetrator might write into these attributes will likely get overwritten by whatever the system writes into them, thus in practice rendering that option infeasible.<br />
<br />
Of course, if you know for a fact that these attributes are not being used in your environment, then you can simply remove this ACE from the domain root, which will then have the effect of it being removed from all domain user accounts as well.<br />
<blockquote class="tr_bq">
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<u><span style="color: #cc0000;">Disclaimer</span></u>: Organizations know their unique Active Directory environments best, so before acting on this advice, organizations will want to ensure that there in fact are no Active Directory integrated applications or business use-cases that leverage this default modify access granted to domain users on their accounts. This advice is provided on a best-efforts basis and your use of it is subject to our <a href="http://www.paramountdefenses.com/terms-of-use.html" rel="nofollow" target="_blank">Terms of Use</a>.</div>
</blockquote>
<br />
<br />
<b><br /></b>
<b></b><br />
<b><br /></b>
<b>An <span style="color: #999999;">Advanced</span> Tip</b><br />
<b><br /></b>
Those who know the <a href="http://www.paramountdefenses.com/resources/presentations/Active-Directory-Security.pdf" target="_blank">subject</a> well know that even after each one of these ACEs has been removed, a user could still possibly have sufficient <a href="http://www.paramountdefenses.com/blog/active-directory-effective-permissions/" target="_blank">effective permissions</a> to modify one or more attributes on the domain user account, should there be other permissions in the ACL of the account that effectively grant the user such access. The only way to correctly find out whether or not a user can in fact still modify attributes on his/her domain user account is by accurately determining <a href="http://www.active-directory-security.com/2017/07/active-directory-effective-permissions.html" target="_blank">Active Directory effective permissions</a> on that domain user account. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzZz_Zg7yMfUf9hVFOrOyNvPxf8KrPWIGJgGG1Fwx_L4t8Qgr_m9jvC0V0e_RSMEnKGU9jtrXJ706nRgv275SMEajGuEjzn_rQmtFizkuOMQOkilvaCmjYuS5vNpXZ5OzlffhH4W_h8VQ/s1600/Active-Directory-Effective-Permissions.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="738" data-original-width="1023" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzZz_Zg7yMfUf9hVFOrOyNvPxf8KrPWIGJgGG1Fwx_L4t8Qgr_m9jvC0V0e_RSMEnKGU9jtrXJ706nRgv275SMEajGuEjzn_rQmtFizkuOMQOkilvaCmjYuS5vNpXZ5OzlffhH4W_h8VQ/s640/Active-Directory-Effective-Permissions.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Gold Finger <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html">Active Directory Effective Permissions Calculator</a></td></tr>
</tbody></table>
<br />
For instance, in the snapshot above, one can see that on the domain user account of a user, Jeff Bezos, the user Jeff Bezos still has write-property effective permissions to the <i>Phone-Ip-Other</i> attribute (which is a member of the <i>Personal Information </i>property-set), and he has this access on his own account not by virtue of those SELF ACEs but in fact by virtue of the fact that there exists an ACE that grants the IT Cloud DevOps Team domain security group, of which he is a member, Write-Property permissions to the <i>Personal Information </i>property set.<br />
<br />
The likelihood of this is low, yet in the interest of completeness, since it is always a possibility, I felt the need to mention this, and security conscious organizations will want to take <a href="http://www.paramountdefenses.com/active-directory-effective-permissions-tool.html" target="_blank">Active Directory Effective Permissions</a> into account for completeness.<br />
<br />
<br />
<br />
<b><span style="color: #38761d;"><br /></span></b>
<b><span style="color: #38761d;"><br /></span></b>
<b><span style="color: #38761d;">Summary</span></b><br />
<b><span style="color: #38761d;"></span><br /></b>
Today, I just wanted to take a few minutes to share with you just how easily organizations worldwide can solve this supposedly difficult problem of Active Directory Botnets! Of all the problems I've helped solve this year, this one was by far the easiest.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjwceh5JpxCxZNmK0SiM-CIPQzNFi3fTXTwK22kp1bzpw39hVVjtj3Md0gGRorvG8ZH2K9qb6d_3ffcbxXJ0aWoQOglekXU9EFbYr1Lu_EtYaFMPOP_4YEZZHD0BVF-Etnxi8E3QkU5Fs/s1600/I-Care-Deeply.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1067" data-original-width="1600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjwceh5JpxCxZNmK0SiM-CIPQzNFi3fTXTwK22kp1bzpw39hVVjtj3Md0gGRorvG8ZH2K9qb6d_3ffcbxXJ0aWoQOglekXU9EFbYr1Lu_EtYaFMPOP_4YEZZHD0BVF-Etnxi8E3QkU5Fs/s640/I-Care-Deeply.jpg" width="640" /></a></div>
<br />
The short of it is that this inane issue can be mitigated within minutes by simply using basic scripting to remove the very ACEs that grant domain user accounts the ability to modify the attributes that this attack vector leverages. It really is as simple as that!<br />
<br />
I apologize if this post was short and to the point. I usually spend a lot more time on my posts, but it's almost the end of the year, and my time is very valuable, so I decided to keep it short. Besides, this is so easy that it only needed minutes to address.<br />
<b><br /></b>
Best wishes,<br />
<a href="http://www.paramountdefenses.com/leadership.html" target="_blank">Sanjay</a><br />
<b><a href="https://www.blogger.com/"></a><br /></b>
Sanjayhttp://www.blogger.com/profile/12709732449993946585noreply@blogger.com0