Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, February 24, 2020

Bloodhound for Active Directory : Bloody Inaccurate


As former Microsoft Program Manager for Active Directory Security, and today as CEO of Paramount Defenses, my time is EXTREMELY valuable, so I don't have too much time for blogging etc. but I wanted to make a very important point today.

Bloodhound for AD

There's a tool out there called Bloodhound for AD (Active Directory) and its designed to be able to analyze an organization's Active Directory security permissions and find privilege escalation paths leading to all-powerful privileged AD accounts.

Over the years, its gained a lot of attention, and from what I'm told, today hundreds of thousands, if not millions, of Red and Blue Teamers worldwide use Bloodhound to find privilege escalation paths in Active Directory deployments.

In fact, these days even $ 10 B cyber security companies like CrowdStrike write about Bloodhound, as can be seen here; sadly, when they do so, all they do is show the whole wide world just how little they too know about Active Directory Security.

Bloodhound for AD - Bloody Inaccurate 

Folks, please pardon my French but when someone can design a tool to exploit weaknesses in Active Directory deployments, which could then be used to harm organizations, and call it Bloodhound, then I hope its designers and the world won't mind it if I could accordingly use the word BLOODY in pointing out just how INACCURATE this tool actually is.

I've personally tested Bloodhound, and in less than two minutes, I was able to determine that it is not accurate. I spent fifteen more minutes testing several advanced factors involved in Active Directory security, and it seemed to fail virtually all of them.

In less than 15 minutes, I was able to factually (technically) determine that Bloodhound's results were far from being accurate.

Details and Proof

I've invested almost twenty years of life in being the best in the world at Active Directory Security, so I'm NOT about to provide FREE feedback to whoever built this tool to help them make it accurate, because conceptually this tool empowers bad guys to exploit weaknesses and take out good guys. I'd encourage them to work harder to learn more, and figure it out on their own.

I'll share the ESSENCE of what makes it bloody inaccurate - it does not take THIS one essential technicality into account.

That said, to anyone who may want proof that Bloodhound is inaccurate, all one has to do is compare its output on even just a few core test cases, with the output of the world's only accurate Active Directory privileged access audit tool, Gold Finger.

Gold Finger for AD - The GOLD Standard

Even after a decade, there's still just only one tool on planet Earth that can ACCURATELY determine privileged access in Active Directory, based on the accurate determination of effective permissions, and it is the world's ONLY accurate privileged access audit tool for Microsoft Active Directory - the Microsoft-endorsed Gold Finger.

Over the last decade, from the United States Department of Defense to the United States Treasury, the world's most powerful and important government and business organizations across six continents worldwide have used and trusted Gold Finger to make these paramount determinations in their foundational Active Directory deployments.

Gold Finger includes the world's best Active Directory ACL Analyzer, ACL Exporter, Permissions Analyzer, the world's only accurate Active Directory Effective Permissions Calculator, the world's only accurate Active Directory Effective Access Auditor, AND most importantly, the world's only accurate, fully-automated, domain-wide Privileged Access Auditor for Active Directory.

Now, unlike those who built Bloodhound and made it available for free, we do NOT license Gold Finger to individuals ; we only license it to legitimate organizations, and only for use in their own Active Directory deployments, for a very simple reason.

The reason very simply is that the information that Gold Finger can uniquely determine and reveal can ACTUALLY be used to either protect and lock down or compromise and take down entire $ Billion/Trillion companies, all within a matter of minutes.

A Much Bigger Problem

From a technical standpoint, its hard to have an issue with its concept, as it seems to be a penetration testing tool that seeks to identify exploitable privilege escalation paths leading to Domain-Admin equivalent privileged accounts in Active Directory.

What amazes me and should amaze everyone is that even with its limited accuracy, based on its ability to take basic factors into account, those using it can still easily find so very many privilege escalation paths in almost any Active Directory deployment.

There's a MUCH bigger problem here, which is that even today, 99% of organizations operating on Active Directory, either do not know enough about Active Directory Security to care to lock it down, or that they do not know how to correctly audit and lockdown privileged access in their Active Directory, as a result of which they all remain massively vulnerable.

That is a far more concerning problem than a tool like this, because this is merely one tool. Proficient hackers could easily write their own tools to identify and exploit such privilege escalation paths in Active Directory, AND until organizations accurately identify and lockdown privileged access in their Active Directory, they will remain substantially exposed to compromise.

Time's Up

That's it. That's all the time I had for this. I'll end on this - just because millions of people use something doesn't mean it is either accurate ; it just means that these millions of people TOO may not yet know enough (or at all) about Active Directory Security.

Best wishes,

PS: If you want to learn Active Directory Security, reading the contents of the list in this 1 post alone is a good place to start.

Friday, January 17, 2020

Active Directory Security - A Guide for CISOs


Over the last decade, we've had thousands of organizations reach out to us to request our assistance on numerous aspects of Active Directory Security, so we have a very good idea of exactly how well organizations worldwide, as well as their CISOs, understand the paramount importance of Active Directory Security today.

In our vast experience, we have found that the thousands of organizations worldwide still do not yet understand the paramount importance of securing and defending their foundational Active Directory, and unfortunately that is deeply concerning.

Today cyber security begins at the top, so to help the CISOs of all organizations worldwide unequivocally understand the paramount importance of Active Directory Security, we released an Executive Summary on Active Directory Security -

Active Directory Security

This simple Executive Summary (PDF) can be downloaded from here - Active Directory Security.

In the interest of their organization's foundational security, I highly recommend that all CISOs worldwide read it.

Best wishes,

Tuesday, January 7, 2020

A Simple Question for all Self-Proclaimed Active Directory Security Experts


As former Microsoft Program Manager for Active Directory Security, I find it amusing every time I come across some Active Directory vendor's or self-proclaimed AD security expert's website that claims that they know Active Directory Security well.

(You see, not one of these Active Directory Security vendors or self-proclaimed Active Directory security experts seem to have a CLUE as to the most important Active Directory Security Capability in the world, let alone possessing that paramount capability.)

So, I thought I'd  pose a very simple Active Directory Security question to all Active Directory Security vendors and experts -

Question: Do you know the answer to this ONE simple question?

Specifically, in that question, I have shared a simple non-default string, and I have indicated that is a cause for great concern.

What I would like to know is what it represents and why is it a great cause of concern for 85% of organizations worldwide?

On a scale of 1 to 10, 1 being easy and 10 being difficult, I'd rate this question as a 3, so if you're truly an Active Directory expert, this should be easy for you, and shouldn't take you a minute. You can leave your answer in a comment below.

Here's your chance to impress me (and the whole world.) Oh, and Microsoft employees too may feel free to take a shot ;-)

Best wishes,

Monday, January 6, 2020

What is Active Directory, and Why Is it Important?


Today is January 06, 2020, and as promised, here I am getting back to sharing thoughts on Active Directory Security.

Back to the Basics (Cyber Security 101)

I'd like to kick off this blog this year/decade by asking and answering a very simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is,) its one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The reason is very simple -  if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and of course, since "who really cares about a phone book" it is this shallow view that leads so many organizations to greatly diminish the value of Active Directory to the point of sheer negligence!

In fact, for years now, this has been the predominant view held by most CISOs and organizations worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If as they say, a "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -

An organization's Active Directory deployment is quite simply its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

You see, the entirety of an organization's building blocks of cyber security i.e. all organizational user accounts and passwords used to authenticate their people, all security groups used to authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computing devices (laptops, desktops, servers etc.) are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all sensitive/privileged actions on them are audited in it.

In other words, should an organization's foundational Active Directory, or even a single Active Directory privileged user account, be compromised, the very foundation of the organization's cyber security, and thus the entire organization could be exposed to the risk of complete, swift and colossal compromise.

Active Directory Security Must Be Organizational Cyber Security Priority #1

Ensuring the highest protection of an organization's foundational Active Directory deployment must, without a doubt, be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.

Here's why - A deeper, detailed look into What is Active Directory ?

For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)

In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO, from IT Managers to Auditors and from Domain Admins to employees, everyone should know this fact.

Best wishes,

Friday, December 6, 2019

Its Time to Help Secure Active Directory Worldwide


I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.

Having successfully accomplished all three objectives, it is now finally TIME to help thousands of organizations worldwide adequately secure and defend their foundational Active Directory deployments from the proverbial SKYFALL(ing on them).

I'm BLOWN away by just how little organizations (as well as AD/cyber security companies) worldwide seem to know and understand not just the paramount importance of, but also what it takes to adequately ensure Active Directory Security.

When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.

So, even though I barely have any time to do this anymore, in the interest of foundational cyber security worldwide, I'm going to start sharing some valuable perspectives again, and do so, on three blogs - this one, that one, and the one below.

Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog -

Stay tuned for high-value AD security insights right here from January 06, 2020 onwards,
and let me take your leave with a befitting (and one of my favorite) songs(s)  -

Best wishes,

PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT  means I had clearly warned about TWO years ago, right here.

Friday, February 1, 2019

Pardon the Delay


I trust this finds you doing well. The last time I blogged was on Nov 05, 2018, and I had said that it was time to help Microsoft and the world better understand Active Directory Security and that I would be sharing additional insights starting Nov 18, 2018.

Please pardon the delay - something important came up, and
today I'd like to share with you the reason for this delay...

One of the World's Most Powerful Defense Organizations Requested Our Assistance

Back in Nov 2018, just as I was about to start blogging that series, one of the most powerful defense organizations in the world reached out to us requesting our assistance in correctly identifying privileged users within their foundational Active Directory.

(You see, organizations that actually understand Active Directory Security know that there is ONLY one way to correctly identify privileged access in Active Directory. Organizations that don't yet know this simple fact still resort to acquiring and using what basically are petty but pretty looking Active Directory permissions analyzers (and there still are 1000s of such organizations.))

Whilst we were happy to assist them, due to certain operational constraints, it turned out that in order for us to help them, we would have to make some non-trivial changes to Gold Finger. This was very important for them so we went straight to work.

We put our entire development team to work, and we worked 60 days straight without taking a break; there were no Christmas holidays, no New Years holidays, no weekends. There was only work, and within 60 days we had made and thoroughly tested all the enhancements required for us to be able to assist this one particular organization, and as a result, 1000s of others.

As Gold Finger's architect, I too was substantially involved in the process, and as a leader, I too worked 60 days straight, and it is my privilege to share that earlier today we officially released Gold Finger version 6.5, complete with all the required changes.

Introducing Gold Finger 6.5

Earlier today, we announced the release of Gold Finger v6.5, featuring amongst other enhancements, support for Windows 10.

Here's the Press Release from this morning - Paramount Defenses Releases Gold Finger Version 6.5

Gold Finger v6.5

If you can touch a button, you can now instantly, automatically and accurately determine exactly who has what privileged access, where and how, in any Active Directory, and on any Microsoft Windows operating system, including Windows 10!

The free version of Gold Finger v6.5 is also available at -

With this little but important detour out of the way, you can expect me to get back to some blogging one of these days because Microsoft and thousands of its customers worldwide still seem to need of help understanding the very basics of Active Directory security i.e. without the ability to accurately determine effective permissions in Active Directory, you cannot secure a single object in Active Directory, and by corollary you can't accomplish a single Active Directory security related objective, and that includes all the latest buzzwords - Privileged Access Management, Privileged Account Discovery, Zero-Trust, Blah Blah, etc. etc.

So, thank you for pardoning the delay, and stay tuned!  

Any day now!

Best wishes,