Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Gold Finger The Paramount Brief Gold Finger Mini World Peace

Friday, February 1, 2019

Pardon the Delay

Folks,

I trust this finds you doing well. The last time I blogged was on Nov 05, 2018, and I had said that it was time to help Microsoft and the world better understand Active Directory Security and that I would be sharing additional insights starting Nov 18, 2018.

Please pardon the delay - something important came up, and
today I'd like to share with you the reason for this delay...


One of the World's Most Powerful Defense Organizations Requested Our Assistance

Back in Nov 2018, just as I was about to start blogging that series, one of the most powerful defense organizations in the world reached out to us requesting our assistance in correctly identifying privileged users within their foundational Active Directory.


(You see, organizations that actually understand Active Directory Security know that there is ONLY one way to correctly identify privileged access in Active Directory. Organizations that don't yet know this simple fact still resort to acquiring and using what basically are petty but pretty looking Active Directory permissions analyzers (and there still are 1000s of such organizations.))

Whilst we were happy to assist them, due to certain operational constraints, it turned out that in order for us to help them, we would have to make some non-trivial changes to Gold Finger. This was very important for them so we went straight to work.

We put our entire development team to work, and we worked 60 days straight without taking a break; there were no Christmas holidays, no New Years holidays, no weekends. There was only work, and within 60 days we had made and thoroughly tested all the enhancements required for us to be able to assist this one particular organization, and as a result, 1000s of others.

As Gold Finger's architect, I too was substantially involved in the process, and as a leader, I too worked 60 days straight, and it is my privilege to share that earlier today we officially released Gold Finger version 6.5, complete with all the required changes.



Introducing Gold Finger 6.5

Earlier today, we announced the release of Gold Finger v6.5, featuring amongst other enhancements, support for Windows 10.

Here's the Press Release from this morning - Paramount Defenses Releases Gold Finger Version 6.5

Gold Finger v6.5

If you can touch a button, you can now instantly, automatically and accurately determine exactly who has what privileged access, where and how, in any Active Directory, and on any Microsoft Windows operating system, including Windows 10!


The free version of Gold Finger v6.5 is also available at - https://www.paramountdefenses.com/goldfinger.html


With this little but important detour out of the way, you can expect me to get back to some blogging one of these days because Microsoft and thousands of its customers worldwide still seem to need of help understanding the very basics of Active Directory security i.e. without the ability to accurately determine effective permissions in Active Directory, you cannot secure a single object in Active Directory, and by corollary you can't accomplish a single Active Directory security related objective, and that includes all the latest buzzwords - Privileged Access Management, Privileged Account Discovery, Zero-Trust, Blah Blah, etc. etc.

So, thank you for pardoning the delay, and stay tuned!  

Any day now!

Best wishes,
Sanjay.

Monday, November 5, 2018

It is TIME to Help Microsoft AND Thousands of Organizations Worldwide Better Understand Active Directory Security

Folks,

As former Microsoft Program Manager for Active Directory Security, and today as the CEO of Paramount Defenses, I feel that it is time to help the $800 Billion Microsoft, and 1000s of organizations worldwide better understand Active Directory Security.


Here's why - Over the last few years, 1000s of organizations from across over 150 countries worldwide have requested our assistance (completely unsolicited), so we know about the various challenges that most organizations have to deal with, and based on what we're seeing across the globe, the state of foundational cyber security worldwide seems to be worrisome.

Incidentally, a large majority of these organizations do have several piece-meal cyber security controls such as Active Directory Auditing, Advanced Threat Analytics, Two-Factor Authentication, Privileged Session Managers, Password Vaults, Zero-Trust Security, Privileged Access Management (PAM) etc., yet their Active Directory deployments are still likely vastly vulnerable.

I'll say only this much - TODAY Microsoft Active Directory is at the foundation of cyber security and privileged access at over 85% of all business and government organizations worldwide, AND the current state of awareness and (the substantially inadequate level of) protection afforded to these foundational Active Directory deployments is concerning enough that it warrants the attention of all stakeholders, including executive and IT leadership, customers and investors, worldwide.

Thus, in weeks to come, we may reach out to the Executive Management of organizations worldwide to make them aware.






In addition, to help educate Microsoft AND the world, starting next Monday, Nov 12, 2018, I'll be penning the following -

  1. Active Directory Security For Everyone - Why is Active Directory Security Paramount to Organizational Cyber Security?

  2. Active Directory Security For Novices and Enthusiasts - A Closer Look at Active Directory's Security Model etc.

  3. Active Directory Security for IT Admins and Security Auditors - An Overview of Active Directory Security Permissions

  4. The World's Most Important Active Directory Need and Security Capability - Active Directory ___ ___

  5. For Self-Proclaimed Active Directory Security Experts - Why Analyzing Active Directory Security Permissions is Useless


  6. For IT Managers and CISOs - The Billion $ Difference Between Active Directory Auditing and Active Directory Audit

  7. For all Organizations - What Happens When an Organization Deploys a Cheap Auditing Solution Built Overseas?

  8. For Microsoft, Domain Admins and CISOs Worldwide - What Constitutes a Privileged User in Active Directory?

  9. For the CyberArks of the World - How to Correctly Identify/Audit Privileged Access/Users in Active Directory?

  10. For All Audit Organizations Worldwide - Are You Sure Your Auditors Know How to Correctly Audit Active Directory?


  11. To All Cloud & Cyber Security Companies Worldwide - Isn't Active Directory at the Very Foundation of Your Security Too?



Finally, for C*Os worldwide, I penned this today - Cyber Security 101 for the C-Suite - Active Directory Security is Paramount.


Ideally, Microsoft should be doing this (i.e. helping adequately educate their customers worldwide), but it appears that these days all they seem to care about is that new fad called "The Cloud", so we're left with no choice but to do this for the world.

Very well then, onward to Nov 12, 2018, right here.


Sincerely,
Sanjay

Wednesday, October 31, 2018

Looking for a Few Good Active Directory Security Experts

Folks,

In days to come, I'll be helping thousands of organizations worldwide better understand Active Directory Security essentials / fundamentals, so that they can adequately secure and defend their foundational Active Directory deployments.


Albeit, we have no dearth of resources, I'm looking for a few good external Active Directory Security Experts (e.g. DS MVPs), who may be willing to assist in this noble objective, so if you're interested, please feel free to connect, and I'll tell you more.

We're all in it together, and together we can make a difference.

Thanks,
Sanjay

PS: If you understand this stuff, you're ready to help.

Sunday, October 28, 2018

How Massive Could the Impact of an Active Directory Security Breach Be?

Folks,

Today I'd like to ask a simple but paramount question, the answer to which impacts not just trillions of dollars of organizational and investor wealth worldwide, but also likely the national security of over one hundred and fifty countries worldwide.

Here it is -
Q: How Massive Could the Impact of an Active Directory Security Breach Be?
      Specifically, exactly what could happen if the foundational Active Directory of an organization were breached
Active Directory is the Foundation of Cyber Security Worldwide 

If you need me to paint you a picture, consider the potential impact of an Active Directory security breach at virtually any organization that impacts your life - from the world's biggest IT (Cloud, Operating Systems, Phones, Computers, Networking, Internet, Social Media etc.) companies to the world's biggest cyber security companies, or for that matter from virtually every financial institution on Wall Street, to just about every company traded on any stock exchange in any country in the world, or any one of thousands of government agencies/departments in over 150 countries worldwide.

The reason I am publicly asking this question, is because its 2018 today, not 2004, and this is possibly the most important cyber security question that Executive Management, Cyber Security and IT leadership at thousands of organizations worldwide should be asking themselves today, but most likely are not.

In fact, at most organizations, this isn't even on their radar, let alone rightly being their top (#1) cyber security priority.

Thus, I felt the need to ask this paramount question.

Also, for once, I am NOT going to answer a question that I have asked, but instead let organizations worldwide ponder over it. Over the years, I've already asked and answered many of the world's most vital Active Directory / cyber security questions.

I'll only say this much - Any organization whose CEO and CISO do not know the answer to this question is not secure today.

Sicnerely,
Sanjay

Monday, October 22, 2018

What are the Minimum Security Permissions Needed in Active Directory to Run Mimikatz DCSync?

Folks,

In days to come, I'll be helping organizations worldwide understand what constitutes a privileged user in Active Directory, how to correctly audit privileged access in Active Directory, and what the world's most important Active Directory security capability is.

Today though, I just wanted to ask a very simple and elemental cyber security multiple-choice question, so here it is -


Q. What are the minimum Active Directory Security Permissions that a perpetrator needs to be able to successfully run Mimikatz DCSync against an organization's foundational Active Directory deployment?

Is it -
A. The "Get Replication Changes" Extended Right 
B. The "Get Replication Changes All" Extended Right 
C. Both A and B above 
D. Something else

I already know the answer to this simple question. I'm only asking because I believe that today every Domain Admin and every CISO at every organization that operates on Active Directory MUST know the answer to this question, and here's why.

You may be surprised if I were to share with you just how many Domain Admins and CISOs (at so many of the world's most prominent organizations) don't know even seem to know what Mimikatz DCSync is, let alone knowing the answer!


If you know the answer to this question, please feel free to share it by leaving a comment below.

Best wishes,
Sanjay.

Tuesday, October 16, 2018

Mimikatz DCSync Detection

Folks,

I trust this finds you doing well. I know so many of you are waiting for me to answer the question - What's the World's Most Important Active Directory Security Capability? but before I did so, I just wanted to address something very simple and vital.


Mimikatz DCSync Detection ?! ;-)

If you're into Cyber Security, unless you live on another planet, by now you know that at the very foundation of cyber security worldwide lies Microsoft Active Directory, you know that little thing within which lie not just everyone's accounts and passwords, or for that matter the computer accounts of every single domain-joined machine, or for that matter every single domain security group that is used to protect the entirety of an organization's IT assets, but also the proverbial "Keys to the Kingdom!" etc. etc.

By the way, this isn't some secret - this is CYBER SECURITY 101 that millions of IT personnel, IT managers, CISOs and just about everyone in IT ought to know by know, considering that Active Directory has been around for almost two decades now!

Alright, fast forward...

A few years ago, a remarkably intelligent and talented Benjamin Delpy introduced a new feature in his hacking tool Mimikatz, and that feature was called Mimikatz DCSync. In essence, if you can run Mimikatz DCSync against an Active Directory, you can instantly obtain access to the credentials of literally everyone who has a domain account in that domain - we're talking the accounts of literally everyone, from Domain Admins to the CISO and from the Enterprise Admin to the CEO, etc. etc.

Now, technically, DCSync leverages the ability of a security principal to be able to request and replicate Active Directory content (including secrets i.e. password hashes) out of Active Directory. It turns out anyone who has sufficient effective permissions to be able to replicate secrets out of Active Directory can run Mimikatz DCSync, and within minutes be proverbial God!

So, what happens? In time, Mimikatz DCSync finds global fame and glory, it becomes a must have tool in the arsenal of these so called kiddish Red Teams and Blue Teams, and in addition today there's no dearth of cyber security experts who will want to blog about Mimikatz DCSync sharing with the world, its usage, how to exploit it etc. etc. and in particular how to detect it!

Here are a few random blogs a Google search seemed to suggest -
  1. Mimikatz DCSync Usage, Exploitation, and Detection
  2. Mimikatz and DCSync and ExtraSids, Oh My
  3. Modern Active Directory Attack Scenarios and How to Detect Them
  4. DCSYNC

Now, please pardon me for expressing serious concern here because if the best an organization can do is DETECT the use of Mimikatz DCSync, that's sort of like, well let me paint you a picture:



A Billion $ Organization or for that matter a Government Agency having to rely on detection of Mimikatz DCSync is akin to ....


... lets assume a SNIPER takes a shot at a target from point blank range, and the best those protecting the target can do is try and detect the bullet in flight milliseconds before it hits its target. Well, I shouldn't have to complete the sentence for you.


Here's the Trillion $ point - if an organization is having to rely on the DETECTION of the use of Mimikatz DCSync, its too late.

From the Domain Admin to the CISO, its time to go home and find another job, because it would already have been too late. You're done. Once a malicious perpetrator has gained administrative access in even a single Active Directory domain, those who know anything about Active Directory Security will tell you that you've lost the entire Active Directory forest. Oh, and if you think you could easily recover that forest from a trusted forest, you've likely been getting some amateur advice ;-)


Mimikatz DCSync Mitigation

I cannot stress this enough - this is not a risk that can be addressed by detection. It needs to be mitigated and today, every single organization that operates on Microsoft Active Directory can easily mitigate the risk posed by Mimikatz DCSync. I've already spent enough time educating the world about this, so I'm not going to waste one more precious minute on this.

For every org that wants to learn how to do so - How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync


Incidentally, the astute mind will observe, that whether it be mitigating the risk posed by Mimikatz DCSync or securing access to just about anything and everything in Active Directory, all organizations worldwide (including likely the $800 Billion Microsoft) require is 1 single, fundamental cyber security capability - The Most Important Active Directory Security Capability in the World.





A Request to All Experts Out There

To all cyber security experts and cyber security companies (including Microsoft) out there, I have a request - if you truly know Active Directory Security, lets see you go beyond helping the world learning how to use, exploit and detect Mimikatz DC Sync...


...lets see you teach the world how to actually mitigate this risk, perhaps with an example, for when you get there, you'll likely realize that not a single object in any Active Directory domain worldwide can be adequately secured without possessing this.


Alright that's it, I'm not wasting one more minute of my precious time
on this little distraction of a thing called Mimikatz DCSync.


After all this dry stuff, perhaps I should end on a humorous note - Time to Ignite an Intellectual Spark at Microsoft Ignite 2018 ;-)

Best wishes,
Sanjay.

Monday, October 1, 2018

Did Anyone at Microsoft Ignite 2018 Know the Answer To This Question?


Folks,

Last week, thousands of IT professionals, managers, CISOs and CIOs were in Orlando, attending, well, Microsoft Ignite 2018 !

Image Courtesy Microsoft. Source: https://www.microsoft.com/en-us/ignite

Not surprisingly, the Microsoft Ignite Conference had SOLD OUT!  There were 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to expert proctors! That's great!

Did I mention that likely hundreds of Microsoft's own experts were also there, and collectively, they covered numerous vital areas such as Securing the Enterprise, Simplified IT Management, Identity‚ Access & Compliance, Enterprise Security etc.


So, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts, one would hope THERE MUST'VE BEEN AT LEAST ONE PERSON AT MICROSOFT IGNITE 2018 who could have answered A VERY SIMPLE QUESTION -




       Question: What's The World's Most Important Active Directory Security Capability?






This is paramount, and here's why. In case you're wondering why anyone, and everyone who attended Microsoft Ignite 2018 should care about this question AND know the answer, its because in any Microsoft Windows Server based IT Infrastructure, NOT A SINGLE ONE of the many vital areas listed above i.e. Securing the Enterprise, Simplified IT Management, Identity‚ Access & Compliance, Enterprise Security etc. etc. can be adequately addressed without involving Active Directory Security.


In fact, here's proof - 

Not a single one of the following fundamental cyber security / Windows security questions can be answered without knowing the answer to the question above and possessing that capability -


  1. Who can reset the passwords of any/every Domain Admin in an organization?

  2. Who can disable two-factor authentication on privileged and other domain user accounts?

  3. Who can change the membership of the Domain Admins group, or of any domain security group?

  4. Who can use Mimikatz DCSync to completely compromise the credentials of all domain user accounts?

  5. Who can delete an(y) Organizational Unit (OU) in a(ny) of the organization's Active Directory domains?

  6. Who can link a malicious group policy to an OU to instantly compromise all domain computer accounts in that OU?

  7. Who can modify the attributes of a mission-critical service's service connection points to instantly render it useless?

  8. Who can set the "Trusted for Unconstrained Delegation" bit on a server's domain account to compromise security*?

  9. Who can create, delete and manage domain user accounts, domain security groups, OUs etc. in Active Directory?

  10. Who can control/change privileged access as well as delegated access within and across the entire Active Directory?


Each and every single organization whose IT personnel / CISOs attended Microsoft Ignite 2018 (including Microsoft itself) must have precise answers to each and every one of the above listed fundamental cyber security questions at all times.




So, if anyone who attended Microsoft Ignite 2018 (including Microsoft's own experts) knows the answer to this 1 question, please be my guest and answer the question by leaving a comment at the end of that blog post, and you'll earn my respect.


If you don't know the answer, I highly recommend reading, one, two and three, because without knowing the answer to this question (and without possessing this capability,) you cannot secure anything in an Active Directory based Windows network.

The last time I checked, virtually the whole world runs on Active Directory.

Best wishes,
Sanjay