Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, October 8, 2013

5 Facts You Must Know about Active Directory Privilege Escalation


Last month, we declassified the #1 cyber security risk to Active Directory deployments - Active Directory Privilege Escalation.

Active Directory Privilege Escalation is based on the identification and exploitation of unauthorized access grants in Active Directory deployments.

Today, I wanted to share with you 5 things that we all must know about Active Directory Privilege Escalation –

#5 – Domain Admin accounts account for only 1% of the attack surface. Accounts of delegated admins, executives and regular employees, and all other Active Directory content (i.e. all group memberships, GPOs, OUs etc.) account for the remaining 99% of the attack surface.

#4 – We may not know it or realize it yet, but most Active Directory deployments worldwide are currently exposed to this risk today. In fact, most domain user and computer accounts, domain security groups, GPOs, OUs, SCPs etc. are potentially at risk of compromise.

#3 – This risk is far more damaging and easier to carry out than even the risk posed by the Pass-the-Hash (PtH) attack vector, because unlike Domain Admins, the likelihood of a non-admin user logging on to the attacker’s machine is quite low. (Consider this - what is the likelihood that your organization's CEO will logon to your machine, whether for legitimate reasons, or even if social engineered into doing so?)

#2 – This risk exists because Active Directory lacks the ability to help IT personnel precisely assess and verify provisioned access. Active Directory does let us precisely provision access, but it is unable to help us precisely assess/verify/audit effective provisioned access.

#1 – The presence of an Auditing solution does nothing whatsoever to mitigate this risk. It merely helps detect its occurrence. By the time an associated event shows up in the audit log, it is already too late, because the damage has been done. (E.g. - if a malicious entity has been able to reset a Domain Admin's password, or the CEO's password, even though the event may show up in the audit log, by the time you react to it, the damage is already done.)

In days to come, I will share with you how organizations can assess whether they're at risk, and how they can mitigate this risk.

For now, perhaps it's worth asking yourself a simple question – “Do we know exactly who can do what in our Active Directory, especially in light of the fact that anyone with a domain user account can find this out on any object within minutes?”

Best wishes,

PS: This is a very simple and fundamental problem that stems from the lack of verifiable implemented least privilege access (LPA) in a major foundational technology. Frankly, I’m really surprised that over 80% of organizations worldwide still do not realize this simple fact! The only thing more concerning is that based on our intelligence, the Chinese have most likely already figured this out.

Wednesday, September 18, 2013

How an Insider Could Easily Compromise the CFO's Account - An Example of Active Directory Privilege Escalation Based on Access Grant Exploitation


Today, I will share with you a concrete example of how any insider could potentially compromise the user account of the Chief Financial Officer (CFO) of an organization by exploiting weaknesses in access grants provisioned in Active Directory, which is the basis of the Active Directory Privilege Escalation security risk that I declassified one week ago.

Chief Financial Officer

This specific example is a very realistic illustration of this risk, that today could be carried out in most organizations worldwide.


  • Target: The CFO's domain user account which resides in the Finance OU in the Active Directory
  • Attacker: John Doe, a temporary contractor working on some project, who has a domain user account
  • Attack Methodology -
    • Step 1 - Obtain a tool that can aid in performing Active Directory Security Analysis.
    • Step 2 - Use this tool to a) locate the CFO's domain user account in Active Directory, and then b) analyze access provisioned in the ACL of the CFO's domain user account to identify the list of all individuals who can reset the CFO's password.
    • Step 3 - Use the same tool to analyze security permissions on the user accounts of each of these individuals to identify who can reset their passwords. Iterate this process on this list of accounts, and continue iterating until the single weakest link, i.e. an account that can be easily compromised by the attacker, has been found.
    • Step 4 - Begin by compromising the account identified as the weakest link. Then, login using that account and reset the password of the next account in the chain. Repeat this process until you have reset the password of a delegated admin who can reset the CFO's user account.
    • Step 5 - Login using the final compromised delegated admin's account, and reset the CFO's password.
  • Time Requirement - The exploitation process is very quick, since a password reset operation only takes 5 seconds, and a subsequent logon about 30 seconds. The only part that takes some time is the process of determining who can actually reset a target account's password.
  • Compromising the Initial Account - The initial account can be compromised by any one of various means, an encyclopedia of which is known to most malicious individuals. Examples of such means include Password Guessing, Password Stealing (Keystroke Logger), Phishing, Hash Replays (Pass-the-Hash) etc.


Step 1 - Obtain a tool that can aid in performing Active Directory Security Analysis

Since John already has a domain user account, he already has complete read access to Active Directory content. All he needs is an Active Directory Security Analysis tool to view Active Directory content, analyze Active Directory permissions and enumerate group memberships i.e. aid in the process of determining effective access in Active Directory.

The Advanced Security Settings Tab of the Active Directory Users and Computers Tool

There are many freely available tools that can aid the attacker in performing Active Directory Security Analysis, such as Microsoft Active Directory Users and Computers Snap-In, Administrative Center, dsacls, acldiag, LDP, LIZA etc.

Step 2a - Use this tool to locate the CFO's domain user account in Active Directory

Once John has installed a tool of his choice, he can launch it to view the contents of the Active Directory. Using the tool's inbuilt search abilities, he should easily be able to locate the CFO's account -
Locating the CFO's User Account in Active Directory
CFO's User Account in Active Directory

Once John has located the CFO's domain user account, he can access the ACL protecting the account. Since authenticated users have default read access in Active Directory, no special access is needed to access and examine AD ACLs.

Step 2b - Use this tool to analyze access provisioned in the ACL of the CFO's domain user account to identify the list of all individuals who can reset the CFO's password.

The next step is to analyze the object's ACL to identify the list of all individuals who can reset the CFO's password. The following is the access control list (ACL) protecting the CFO's domain user account -

Analyzing Security Permissions Specified in the ACL of the CFO's User Account

In order to determine who can reset the CFO's password, John will need to determine who effectively has Reset Password rights granted on the CFO's user account.

To do so, he will need to engage in the process of determining who has what effective access in Active Directory. Kindly note that this process is NOT the same as the one involved in determining who has what permissions in Active Directory.

In essence, all John needs to do is determine who effectively has Reset Password rights allowed on the CFO's user account. Anyone who is effectively allowed the Reset Password extended right, or All Extended Rights, or Full Control over the object will make the list. This is because All Extended Rights includes the Reset Password right, and because Full Control includes All Extended Rights.

As you can see above, there are many security permissions specified in the ACL, each one specified in an individual access control entry (ACE). Some ACEs grant permissions whereas others deny permissions. Some are explicitly specified on the object, whereas others are inherited. Some inherited ones apply to the object (CIID), whereas others merely exist to be inherited down to other objects (CIIO).

In order to determine effective access on the CFO's object, John will need to perform a process similar to the following -
  1. Identify all relevant ACEs, i.e. all ACEs that allow/deny Reset Password, All Extended Rights or Full Control.
  2. Then flatten all group memberships for which access is specified in the relevant ACEs, generating one list enumerating all individuals who are allowed access and another enumerating all individuals who are denied access. (Ensure that any and all nested group memberships are completely flattened as well.)
  3. Then intersect these lists, taking into account all pertinent factors such as inheritance rules, ACE applicability, conflict resolution etc., to ultimately arrive at a list of all individuals who can reset the CFO's password.

Upon completion of these steps, John would have the list of all individuals who can effectively reset the CFO's password.

List of individuals who can reset the CFO's password

It is worth noting that even if John did not know how to engage in this process with 100% precision, even with 80% precision he could determine 80% of the individuals who could reset the CFO's password.

Step 3 - Analyze security permissions on the accounts of these individuals to identify who can reset their passwords.

If John is already a delegated admin, and his account is already on that list, he may not need to analyze effective access on any more accounts. However, if his account is not on that list, then he could continue the process to find a weakest link, which is described below.

Once John has put together the list of all the individuals who can reset the CFO's password, he would then proceed to determine who can reset the passwords of these individuals. This would give him a broader attack base, and one that would also usually constitute a set of weaker targets to compromise.

He could then iterate this process on this new list of accounts, and continue iterating until the single weakest link i.e. an account that can be easily compromised by the attacker, has been found.

Any ONE of a large number of IT admins may be the starting point for privilege escalation i.e. the weakest link

For instance, he might find that a total of 12 individuals can reset the CFO's password, but that a total of 36 individuals can reset the passwords of these 12 individuals. He could iterate further to find potentially 50 or so individuals who could in turn reset the passwords of these 36 individuals.

He only needs to iterate the process until he can find at least one account that is easily or readily compromisable i.e. until he has found the weakest link. For instance, he could stop identifying accounts as soon as he finds the account of a single local IT admin whose account he could compromise using various known means.

By engaging in this process, he would have in effect identified a privilege escalation path, which would start from an easily compromisable account and lead all the way up to the CFO's user account.
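Step 2b describes how effective Reset Password access is derived from an ACL (relevant ACEs, flattened nested groups, inheritance and deny precedence), and Step 3 iterates that question outward. The Python script below is an added example, not the blog's tool or any Paramount Defenses product, written from the assessment side: it models a small constructed directory (all account names, group names and ACLs are made up; the Reset Password GUID is the real control-access-right GUID), resolves the effective right per user with Active Directory's canonical precedence (explicit deny, explicit allow, inherited deny, inherited allow), skips inherit-only (CIIO) ACEs, measures how far the reset surface of one high-value account extends level by level, and lists grantees who are not on an approved list. The model is deliberately simplified: it ignores owner rights, per-property rights and the other generic-mask subtleties of real DACL evaluation.

```python
"""Effective "Reset Password" assessment over a constructed model of AD ACLs.

Constructed example (not the blog's tool): resolves who effectively holds the
Reset Password right on an account, iterates "who can reset the resetters?"
to measure reach, and flags grantees that are not on an approved list.
"""
from dataclasses import dataclass
from typing import Optional

# Real well-known control-access-right GUID for Reset Password (User-Force-Change-Password).
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Simplified access-mask bits, named after the ADS_RIGHT_* constants they stand for.
GENERIC_ALL = 0x10000000        # "Full Control" (includes All Extended Rights)
DS_CONTROL_ACCESS = 0x00000100  # extended rights; object_type narrows which one


@dataclass(frozen=True)
class Ace:
    trustee: str                      # user or group the ACE is specified for
    allow: bool                       # False for a deny ACE
    mask: int
    object_type: Optional[str] = None  # None on a CONTROL_ACCESS ACE = "All Extended Rights"
    inherited: bool = False           # inherited from a parent (e.g. the OU)
    inherit_only: bool = False        # "CIIO": exists only to be inherited further down

    def covers_reset_password(self) -> bool:
        """Does this ACE speak to the Reset Password right on this object at all?"""
        if self.inherit_only:                 # CIIO ACEs do not apply to the object itself
            return False
        if self.mask & GENERIC_ALL:           # Full Control includes All Extended Rights
            return True
        if self.mask & DS_CONTROL_ACCESS:     # All Extended Rights, or the specific right
            return self.object_type in (None, RESET_PASSWORD_GUID)
        return False


def flatten_principals(principal: str, groups: dict) -> set:
    """The principal plus every group it belongs to, through any nesting depth."""
    seen, stack = {principal}, [principal]
    while stack:
        p = stack.pop()
        for group, members in groups.items():
            if p in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def can_reset(principal: str, acl: list, groups: dict) -> bool:
    """Effective Reset Password for one principal using canonical DACL precedence:
    explicit deny > explicit allow > inherited deny > inherited allow."""
    ids = flatten_principals(principal, groups)
    relevant = [a for a in acl if a.trustee in ids and a.covers_reset_password()]
    for inherited in (False, True):            # explicit tier first, then inherited tier
        tier = [a for a in relevant if a.inherited == inherited]
        if any(not a.allow for a in tier):     # a deny in the tier wins
            return False
        if any(a.allow for a in tier):
            return True
    return False                                # no relevant ACE: access is not granted


def resetters(target: str, acls: dict, users: set, groups: dict) -> set:
    """Every user (other than the target) who can effectively reset the target's password."""
    return {u for u in users if u != target and can_reset(u, acls[target], groups)}


def reset_reach(target: str, acls: dict, users: set, groups: dict, max_depth: int = 10) -> list:
    """Level 1 = who can reset `target`; level 2 = who can reset anyone in level 1; ...
    This is the widening set the post describes (12, then 36, then ~50 accounts)."""
    levels, seen, frontier = [], {target}, {target}
    for _ in range(max_depth):
        nxt = set()
        for account in frontier:
            nxt |= resetters(account, acls, users, groups) - seen
        if not nxt:
            break
        levels.append(nxt)
        seen |= nxt
        frontier = nxt
    return levels


def unauthorized(target: str, approved: set, acls: dict, users: set, groups: dict) -> set:
    """Effective grantees who are not on the approved list: the grants to remove."""
    return resetters(target, acls, users, groups) - approved


# ---- constructed directory (hypothetical names, not from any real deployment) ----
USERS = {"cfo", "alice", "bob", "carol", "dave", "john"}
GROUPS = {
    "Finance-Admins": {"alice", "bob"},
    "Helpdesk-T1": {"carol"},
    "Helpdesk-T2": {"Helpdesk-T1", "dave"},   # nested: carol is in T2 via T1
}
ACLS = {
    "cfo": [
        Ace("Finance-Admins", True, DS_CONTROL_ACCESS, RESET_PASSWORD_GUID),
        Ace("bob", False, DS_CONTROL_ACCESS, RESET_PASSWORD_GUID),        # explicit deny beats the group allow
        Ace("Helpdesk-T2", True, DS_CONTROL_ACCESS, None, inherited=True),  # All Extended Rights from the OU
        Ace("john", True, GENERIC_ALL, inherited=True, inherit_only=True),   # CIIO: does not apply here
    ],
    "alice": [
        Ace("Helpdesk-T1", True, DS_CONTROL_ACCESS, RESET_PASSWORD_GUID),   # explicit allow beats inherited deny
        Ace("Helpdesk-T2", False, DS_CONTROL_ACCESS, None, inherited=True),
        Ace("john", True, GENERIC_ALL, inherited=True),                     # contractor with inherited Full Control
    ],
    "carol": [Ace("Helpdesk-T2", True, DS_CONTROL_ACCESS, None, inherited=True)],
    "bob": [], "dave": [], "john": [],
}

if __name__ == "__main__":
    for depth, level in enumerate(reset_reach("cfo", ACLS, USERS, GROUPS), start=1):
        print(f"level {depth}: {sorted(level)}")
    print("unauthorized on cfo:", sorted(unauthorized("cfo", {"alice", "bob"}, ACLS, USERS, GROUPS)))
```

Run as-is, the script reports that alice, carol and dave can reset the CFO's password directly (carol only through the nested helpdesk group and an OU-inherited ACE, bob not at all because of the explicit deny, john not at all because his ACE is inherit-only), that john reaches the CFO at depth two through alice, and that carol and dave are grants the approved list does not cover. Extending the model to a live directory means replacing the constructed dictionaries with ACLs and memberships read from the domain; the evaluation and reach logic stays the same.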

Step 4 - Escalate Privilege by Performing Password Resets

Once John has identified a privilege escalation chain, all he needs to do is act upon it at a day and time of his choosing and to his advantage. He would begin by compromising the first account using any one of several known means to do so.

Once he has compromised the first account, the rest of the escalation is simply a matter of logging in using the compromised account, resetting the next target's password, logging off, logging on using the next compromised account, and so on. By the end of it, he would have effectively escalated his privilege to that of the CFO of the company.

Final Privilege Escalation Step - Resetting the CFO's account's password

In most cases, John would only have to repeat these steps 2 to 4 times (i.e. his privilege escalation depth would be 2-4.)

Step 5 - Login as the CFO

Once John has reset the CFO's account's password to one of his choice (e.g. Th@WasEasy!), he can instantly login as the CFO i.e. using the CFO's account -

Once logged in as the CFO, he would have whatever read and modify access the CFO's account may have been provisioned across the IT infrastructure. Since in most organizations, single-sign-on is in use, he could almost instantly access, copy, change or delete any information that the CFO's account might have access to.

(Imagine the financial and legal ramifications of John being able to access the organization's quarterly earnings numbers just 10 minutes before the official scheduled earnings release, using the CFO's account, and then leaking them on the Internet.)

Some Observations about Active Directory Privilege Escalation Based on Exploitation of Unauthorized Access Grants

As seen above, the process of identifying and exploiting unauthorized access grants in Active Directory is rather simple. Here are some noteworthy observations -

  • Easier than the Pass-The-Hash (PtH) Attack Vector - This attack vector is much easier than the PtH attack vector because of the following reasons -
    • Opportunity - The PtH attack vector may be easy to carry out against Domain Admins because the likelihood of having a Domain Admin logon to a machine the attacker controls is high. However, the likelihood of a specific non-administrative high-value account such as that of the CFO, CEO, CIO, CISO, IT Director, a Vice President, a manager etc. logging on to a machine controlled by the attacker is rather low. (Most folks usually logon to their own dedicated machines.) Thus, the likelihood of compromising a non-administrative account with PtH is low, whereas with this attack vector it is high.
    • Lower Bar - In most organizations, there is already sufficient awareness about the PtH attack vector, and administrators are careful not to logon to machines they do not trust. However, most organizations still have no idea as to exactly who can reset whose passwords, so there are ample opportunities to escalate privilege by resetting passwords, and thus the bar is much lower.
    • No Specialized Tooling Required - Unlike the PtH attack vector, this attack vector does not require any specialized tooling. It only requires some security analysis and the enactment of basic tasks, which can easily be carried out using Microsoft's native tools.
    • Higher Probability - If a potential target never logs on to the attacker's host, the attacker will NEVER be able to use PtH to escalate privilege. However, with password resets, not only does the potential target not need to logon to the attacker's machine, the probability of finding at least one unauthorized individual who can reset the target user's account is substantially higher.
  • A Vast Attack Surface - It is not just domain user accounts that are vulnerable. All Active Directory content, including security groups (and their memberships), computer accounts, GPOs, entire organizational units (OUs), service connection points (SCPs) etc. can all be compromised by simply determining who can manage them and then using this approach to take over the account of a delegated administrator who can manage that object.
  • AdminSDHolder Protection does not mitigate this risk - Contrary to popular belief, AdminSDHolder does not mitigate this risk for two reasons -
    • Non-administrative accounts - AdminSDHolder only serves to ensure that a standard set of permissions is applied to all administrative accounts and groups. It does not provide any protection for non-administrative accounts and groups. So for example, executive (C*O) accounts, VP accounts, director and manager accounts are not protected by it, and neither are regular employee and contractor accounts.
    • Administrative accounts - Even for administrative accounts, it only serves to ensure that a single standardized set of permissions is applied to all accounts. It does NOT protect the groups to whom access is specified in the ACL of the AdminSDHolder object itself, or the users that belong to these groups. Thus, this attack vector can also be used against all administrative accounts and groups.
  • Security Analysis is not Audited - The act of performing security analysis only involves read access to Active Directory. Read access to Active Directory is almost never audited because of the sheer volume of read access that takes place everyday in the course of normal business/IT operations. As a result, it is virtually impossible for IT personnel to know whether or not, and if so, when, someone might be performing such security analysis in their environments. This aspect gives attackers the luxury of time. They could take anywhere from hours to weeks to identify weaknesses, then act at a day and time of their choosing to exploit their findings.
  • This Risk is 100% Mitigatable - This risk is 100% mitigatable. In other words, organizations can easily take steps to mitigate it, such that even if every user in the environment were to scour all their Active Directory ACLs, all they would find are tightly locked access grants i.e. least privilege access (LPA) implemented in their Active Directory. In order to mitigate this risk and attain an LPA state in their Active Directory, all that organizational IT personnel need to do is identify and eliminate unauthorized access grants in their Active Directory. This can easily be done by using any advanced Active Directory Security Analysis Tool that is capable of determining True Active Directory Effective Permissions (i.e. true/accurate effective permissions on Active Directory objects). Organizations that have abundant IT resources and expertise could also choose to develop and test their own Active Directory effective access assessment capabilities in-house.

Real-World Proof

For most IT personnel familiar with Active Directory, the example presented above should be sufficient to illustrate the risk.

For those who must have real-world proof, you can use this tool (it's free) to see for yourself, in under 2 minutes, exactly how many individuals can reset your own password, as well as the password of any of your colleagues, including that of your organization's CFO.

Need one say more?

Best wishes,

Friday, September 13, 2013

Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory - The #1 Insider Threat to Organizations


Today, I will objectively substantiate not only why the risk I declassified yesterday (i.e. Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory) is the #1 cyber security risk to Active Directory, but also why it is also the #1 insider threat to 85% of organizations worldwide -

The Building Blocks of Security in an Organization

In every IT infrastructure, there is a security infrastructure that is responsible for providing Authentication, Authorization and Auditing (AAA), which provides the foundation upon which all secure access is based i.e. it facilitates secure authenticated and authorized access to securable resources and it enables the auditing of access to these resources.

In the IT infrastructure of every organization in the world, no matter how small or large, there are 5 basic building blocks of the security infrastructure that together facilitate AAA / secure access to resources -
  1. The User Accounts (and their passwords/other credentials) that are used to uniquely identify and authenticate users
  2. The Computer Accounts that represent the computing devices in the system on to which users logon, and on which all computing occurs, i.e. your laptops, desktops, file servers, application servers, database servers etc.
  3. The Securable Resources to which access can be granted, i.e. files, directories, applications and their content, databases and their content, directory services and their content etc.
  4. The Security Groups that are used to aggregate users for the purposes of authorization
  5. The Auditing Mechanisms that enable the auditing of secure access to securable resources
Together, these User Accounts, Computer Accounts, Security Groups and Auditing Mechanisms facilitate secure authenticated, authorized and auditable access to all Securable Resources in the organization's IT infrastructure, 24x7.

Where are the Building Blocks of Security Stored, Managed and Protected?

In IT infrastructures powered by Microsoft's Windows Server platform, i.e. in about 85% of IT infrastructures worldwide, these building blocks are stored and managed in, and protected by the Active Directory.

Specifically -
  1. All User Accounts and their passwords are stored in the Active Directory
  2. All Computer Accounts representing all domain-joined hosts are stored in the Active Directory
  3. All Securable Resources in turn are stored on domain-joined machines, which can be completely controlled via Group Policy from the Active Directory
  4. All Security Groups and their memberships, which are used to specify access to all Securable Resources (e.g. files, directories, shares, SharePoint portals etc.), are stored in the Active Directory
  5. All Auditing for identity & access management is done on Domain Controllers (i.e. the machines that host Active Directory)
In other words, it is Active Directory that stores and protects (directly or indirectly) the entirety of all security building blocks, as well as facilitating their management by administrative IT personnel.

What are the Consequences of the Compromise of These Building Blocks?

Now let us consider what the consequences of the compromise of any of these building blocks could be, and how they could impact organizational security.
Specifically -
  1. If a specific User Account, such as that of the CEO, is compromised, the attacker can instantly access everything the CEO has access to, including all confidential data, documents, groups, databases etc., as well as modify or destroy everything the CEO has modify access to.
  2. If a Computer Account, such as that of a file server that stores highly confidential information (e.g. trade secrets, blueprints, financials, customer records), is compromised, the entirety of the data stored on that server can be easily accessed, tampered with, divulged or destroyed.
  3. If a Securable Resource, such as the spreadsheet that contains Earnings Numbers, can be accessed and leaked minutes before a public organization's Earnings Call, the untimely disclosure of that data could result in a loss of billions of dollars in market capitalization.
  4. If a Security Group such as Human Resources Personnel can be compromised, i.e. if an attacker can add his/her account to this group, all confidential information such as all employee records protected by that group can now be instantly accessed by that attacker.
  5. If the Auditing settings can be tampered with, then an attacker can disable auditing in the system before he/she proceeds to engage in other malicious tasks, thus ensuring that no trail of malicious actions is left.
In other words, the amount of damage that can be done by an attacker if he/she can compromise the very foundational building blocks of security is potentially colossal, and can result in serious consequences ranging from substantial monetary loss to reputational damage.

What is the Easiest Way for Someone to Compromise These Building Blocks?

In light of these consequences of the compromise of any of these building blocks, let us consider what is the easiest way that someone could use to compromise these building blocks.

Specifically -
  1. The easiest way to compromise a User Account is to reset the user's account's password to one of your choice (e.g. H@cked!) and then instantly login as the user.
  2. The easiest way to compromise a Computer Account is to take over its computer account in Active Directory, and/or cause a Group Policy designed to take over the computer to be sent out to the computer via the trusted channel between the computer and the DC, by applying it to the OU in which the computer account resides.
  3. The easiest way to compromise any Securable Resource is to find out which Security Group has modify access to it, then just add your own account to that security group to instantly gain access.
  4. The easiest way to compromise a Security Group is to find out who can change its membership, compromise that individual's account by resetting their password, then login as that individual and add your own account to the group.
  5. The easiest way to compromise Auditing is either to turn OFF auditing in the Active Directory, or to modify the SACL of objects to disable auditing on specific objects.
In other words, the easiest way to compromise the building blocks of security is to find out who has what access on them, then compromise their accounts to take control of the building blocks.

In Most Organizations, No One Knows Exactly Who can do What on these Building Blocks?

In most Active Directory deployments, a large number of IT personnel currently possess the ability to perform various administrative tasks on these building blocks, but NO ONE really knows EXACTLY who can do what on these building blocks in their Active Directory deployments.

This most simply put, is primarily because all of these building blocks are protected by Active Directory's security model, which makes it very easy to precisely provision secure access but lacks the ability to help IT personnel precisely assess/audit effective provisioned access.

As a result, although IT admins frequently provision access to delegate administrative responsibilities, due to the lack of a single point of control over both delegations and group memberships, as well as the sophistication of Active Directory's security model, they have no way of knowing whether access was in fact provisioned on the principle of least privilege, or whether they may have accidentally/inadvertently ended up granting additional IT personnel access that they should not ideally have. They also have no way to precisely assess/verify/audit provisioned access, so they continue fulfilling provisioning needs based on "approximations", and over time (years), the presence of excessive unauthorized administrative access in Active Directory deployments becomes pervasive.

As a result, IT admins may have an "approximate" idea of who has what access, but most do not have "precise" insight, and almost always, the difference between security and compromise is "precision" (referred to as "vulnerability" in security parlance.)

ANY Insider Can Potentially Assess Security (Effective Access) on and Compromise these Building Blocks

Anyone with a domain user account, from IT Personnel to Executives, and from Executive Assistants to Contractors, can with some basic and readily available free tools EASILY access and analyze the universe of all security permissions that protect all of these building blocks, and with a little skill and sufficient time (hours/weeks/days), easily find out exactly who has what access over these building blocks, and (mis)use this information to compromise virtually any IT asset of choice.

The "little skill" requirement, as well as the "sufficient time" requirement can be easily obviated by the availability of tools (e.g. an Active Directory Permissions Analysis Tool, or an Active Directory Password Reset Analysis Tool) that automate the determination of effective access in Active Directory.

Whether performed manually or via a tool, these access assessments are all read-only in nature, and thus IT personnel cannot audit or detect the occurrence of such an access assessment. Once completed, such an assessment can provide a very rich "road-map" of sorts to insiders, as to how to go about compromising anything from a basic file all the way to how to completely take over and control the entire Active Directory deployment.

The #1 Insider Threat to Organizations

For reasons stated below, I believe that Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory, is the #1 insider threat to organizations today -

  1. It can be carried out by ANY insider, from highly technical delegated administrators to completely non-tech-savvy Executive Assistants. Tech-savvy individuals can use Microsoft's native tools (e.g. dsacls) to perform assessments, and non-tech-savvy individuals can use 3rd party tools (e.g. any Active Directory Password Reset Analysis Tool) to do so.
  1. The attack surface is VAST, because literally the entirety of all Active Directory content, i.e. any user account, computer account, security group, OU, GPO, Service Connection Point etc. is a potential target.
  1. The analysis part of the attack vector only involves READ access which is NOT audited, and cannot be realistically audited, thus can hardly ever be detected.
  1. The exploitation part of the attack vector (i.e. the one involving the password resets or the group membership changes) literally takes seconds and can at best be responded to, meaning the damage would already have been done. In most cases, by the time someone responds, it would have been too late (e.g. sure, you can catch the individual who leaked the earnings report, but the damage, in billions of dollars, would already have been done.)
  1. Unlike the sophisticated Pass-The-Hash (PtH) attack, this attack vector does not require ANYONE to LOGON to any machine. It only requires READ access to Active Directory, which everyone has, basic (e.g. dsacls) or advanced tooling (e.g. any Active Directory Permissions Analysis Tool), and the performance of basic tasks for which User Interfaces (e.g. the Active Directory Users and Computers Snap-In) are freely and readily available from Microsoft.

In light of the above, given the fact that ANY insider can enact this threat, the VAST attack surface, the inability to audit the core part of this attack vector (read-only effective permissions analysis) and the availability of the tooling required to enact this threat, it is clearly a very serious insider threat to organizations today.

From gaining unauthorized access to a single confidential document to automating the destruction of the entire Active Directory deployment, the expanse of the damage an insider can do with it is limited only by their skill. In that light, it may very well be the #1 insider threat to Active Directory today.

But We don't worry about Insider Threats

Organizations that do not worry about insider threats need only be reminded of one name - Edward Snowden, the classic Trusted Insider, who may not only have caused monumental and irreversible damage, but also great embarrassment to arguably the world's most powerful and clandestine national security agency, the U.S. NSA.

Best wishes,

PS: If you're still not convinced, I'll prove it to you - using this free tool you can see for yourself just how many people could reset your password and login as you today. (The threat, in most cases, is not directly from them, but from someone who first resets their password, then resets yours to login as you.) In case you didn't know, a password reset takes about 5 seconds to perform.

Thursday, September 12, 2013

Active Directory Privilege Escalation based on Exploitation of Unauthorized Grants in Active Directory - The #1 Cyber Security Risk to Active Directory


The #1 cyber security risk to Active Directory deployments is summarized in the following Executive Summary document (which can be downloaded by clicking the image below, or by clicking here) -

Active Directory Privilege Escalation Executive Summary (to access this Executive Summary, click the image above, or here).
Those who understand it, know that it is powerful enough that it can be used to instantly compromise any Active Directory deployment in the world. (We can demonstrate its enactment in any production Active Directory deployment in the world.)

Those who don't understand it yet may wish to ramp up their Active Directory Security skills. A good starting point is to research "Active Directory Effective Permissions" and "Active Directory Privilege Escalation".

In days to come I will shed light on its various aspects, such as what makes it substantially more critical than the Pass-the-Hash attack vector, etc. Until then, here are some thoughts, some details, and a concrete example.

Best wishes,

PS2: For those of you who downloaded the password-protected version of the document this past week, the password to that document was "SkyFall"

Tuesday, August 27, 2013

Microsoft IT’s Best Practices for Securing Active Directory – A Must Read (5 Takeaways and 1 Glaring Omission)


If you’re a part of the Microsoft ecosystem, in all likelihood, you already know how valuable Active Directory is to Microsoft's Windows Server ecosystem, and how important the security of Active Directory deployments is to organizations worldwide.

(For those of you who don’t, Active Directory is the very foundation of cyber security in every organization whose IT infrastructure is powered by Microsoft Windows Server i.e. about 85% of all organizations worldwide.)

As you may also know, Microsoft's own global Active Directory deployment is one of the world’s most prominent and important Active Directory deployments, as it serves as the foundation for Microsoft’s global organizational security infrastructure.

Microsoft IT’s Best Practices for Securing Active Directory

Earlier this year, Microsoft IT released a whitepaper titled Best Practices for Securing Active Directory, which encompasses experience from several hundred Active Directory security assessments, critical incident responses, and recovery engagements -
Best Practices for Securing Active Directory
If you are in the Active Directory space, I highly recommend reading this whitepaper.

This whitepaper seems quite well written and covers a lot of interesting ground (although a tad bit of the content seems repetitive). The four key sections it covers are Avenues to Compromise, Reducing the Active Directory Attack Surface, Monitoring Active Directory for Signs of Compromise, and Planning for Compromise.
I wanted to summarize the 5 key takeaways from this paper (below), but I also wanted to add that I was really surprised to see a glaring omission from this whitepaper, i.e. that of the #1 risk to Active Directory deployments today (more on that below).

(BTW, I happen to know a thing or two about Microsoft's Active Directory deployment because I had the opportunity to propose and perform a risk assessment of Microsoft’s global Active Directory deployment SEVEN years ago i.e. long before Bret was the CISO. One of the outcomes of that assessment was that Microsoft IT's Directory Services Team was moved under the IT Corporate Security team, for the first time in the history of Microsoft IT. But I digress.)

5 Key Active Directory Security Takeaways

The following, in my humble opinion, are the Top 5 key takeaways from this whitepaper –
1.      Active Directory Security is Mission-Critical To Business

The very first thing that is noteworthy about it is that the Foreword of this whitepaper is by none other than Microsoft’s Chief Information Security Officer (CISO).
Quoting Bret Arsenault, Microsoft’s CISO – “Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment.”

IMHO nothing conveys the criticality of Active Directory Security more than the CISO of Microsoft Corporation stating in clear words that “Active Directory plays a critical role in the IT infrastructure”.
At Paramount Defenses, we have been saying this for over 7 years now. It was about time that Microsoft too publicly acknowledged the importance of Active Directory Security, and I am glad to see that they finally have done so.

I do sincerely hope that CIOs across the world are listening to what Bret has to say, and taking this seriously, in their own best interest, and of course in the best interest of their employees, customers, partners and shareholders.

2.      Active Directory Security Incidents (Compromises) Do and Have Occurred

IT personnel and management at so many organizations worldwide continue to think that Active Directory security incidents do not occur, and/or that the likelihood of occurrence in their organizations is low. Well, here’s a snippet from this whitepaper that might encourage them to give this fallacy a second thought – 

Much of the content of this document is derived from the ADSA (Active Directory Security Assessment) and other ACE (Assessment, Consulting and Engineering) Team assessments performed for compromised customers and customers who have not experienced significant compromise.

The fact that much of the content of this document has been derived from assessments performed at compromised customers clearly indicates that there have been enough Active Directory security incidents (compromises) to warrant the issuance of such guidance from Microsoft IT and to provide sufficient content for an entire whitepaper on Active Directory Security.


In fact, the introduction of the Avenues to Compromise section reads as follows – “This section provides information about some of the most commonly leveraged vulnerabilities we have found to be used by attackers to compromise customers’ infrastructures. This section begins with general categories of vulnerabilities and how they are leveraged to initially penetrate customers’ infrastructures, propagate compromise across additional systems, and eventually target AD DS and domain controllers to obtain complete control of organizations’ forests.”

Need one say more?

3.      The #1 Mitigation Step is to reduce the Number of Privileged Administrative Accounts

The #1 topic that the introduction to the section of Reducing the Attack Surface begins with reads – “This section begins by providing background information about privileged accounts and groups in Active Directory to provide the information that helps clarify the reasons for the subsequent recommendations for securing and managing privileged groups and accounts. We then discuss approaches to reduce the need to use highly privileged accounts for day-to-day administration, which does not require the level of privilege that is granted to groups such as the Enterprise Admins (EA), Domain Admins (DA), and Built-in Administrators (BA) groups in Active Directory. Next, we provide guidance for securing the privileged groups and accounts and for implementing secure administrative practices and systems.” 

At Paramount Defenses, we have been saying for years now that nothing is more important than minimizing the number of privileged administrative accounts in Active Directory by delegating all non-critical administrative tasks based on the principle of least privilege access (LPA) and ensuring that you know exactly who can do what in your Active Directory deployments, because the compromise of a single privileged administrative account/group is sufficient to compromise the entire Active Directory.

Also, as any Active Directory security expert will tell you, it is not sufficient to minimize the membership of the default privileged administrative groups. In order to achieve true security, you have to know exactly who can perform which administrative tasks on which IT resources in Active Directory, because the ability to perform a single administrative task could be sufficient to take over the Active Directory.

For instance, a user John Doe may not be a member of any default administrative group, but if he effectively has the ability to modify the membership of any administrative group, or reset the password of any administrative account, he is effectively just one step away from being a privileged administrator himself.

Incidentally, the only way to know for sure exactly who has what privileged access in Active Directory is to perform an Active Directory Effective Access Audit to find out who really (i.e. effectively) has what administrative access provisioned in AD.

4. Active Directory Auditing only helps see Signs of Compromise

Most organizations view Active Directory Auditing as the #1 Active Directory security risk mitigation measure, but in fact, its use is primarily limited to delivering accountability and helping see signs of compromise.

The introduction of the section titled Monitoring Active Directory for Signs of Compromise reads – “Whether you have implemented robust SIEM in your environment or are using other mechanisms to monitor the security of the infrastructure, this section provides information that can be used to identify events on Windows systems that may indicate that an organization is being attacked.”

If you’re looking at an event in an event log, the administrative task / access corresponding to that event has already occurred. The keyword here is “already” meaning that it is in the past.

Should that event indicate the occurrence of a malicious action, then that action has ALREADY taken place. In other words, the system has already been compromised; now, all you can do is react to it, by trying to contain it if possible, and/or investigate for legal/accountability purposes. In other words, you’re reacting to a security incident.

Now, because no action can be performed without authorization, whether explicit, or implicit, the fact that someone was able to enact a specific action implies that he/she had sufficient effective access to be able to do so. He/she may not be supposed to have that access by policy, but it was effectively provisioned in the system, which is the only reason, he/she was able to carry out that action.

In most organizations today, no one really knows who has what effective access, and thus they’re operating in the proverbial dark, relying on auditing to give them some clue as to the misuse of excessive (unauthorized/unintended) access in Active Directory deployments.

On the other hand, if one knows exactly who can do what, one can have the assurance of knowing exactly who has the authorization to take a specific action to begin with, and that is SO MUCH BETTER than having no idea, and then relying on auditing to let you know that someone has ALREADY done something bad.

In that regard, a proactive Active Directory Audit of Effective Access is substantially more valuable than Active Directory Auditing, and in fact is an activity that should be performed by every organization on a periodic basis, ideally once a week, and at least once a month, because access changes frequently.
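To make the "signs of compromise" view concrete, here is an added PowerShell example (not code from the original post or from the whitepaper it discusses) that pulls the Security-log events a domain controller records when a member is added to a security group or a password is reset, the two actions the post keeps returning to, and reports who did what to whom. It assumes it runs on a domain controller where success auditing for "Audit Security Group Management" and "Audit User Account Management" is enabled; the $WatchedGroups list is a constructed watch-list. Every row it produces describes an action that has already taken place, which is the reactive posture the post contrasts with a proactive effective-access audit.

```powershell
# Added example, not code from the original post or from the whitepaper it discusses.
# Reports recent group-membership additions to watched groups and password resets from the
# Security log. Assumes a domain controller with success auditing enabled for
# "Audit Security Group Management" and "Audit User Account Management".
# Event IDs: 4728 / 4756 = member added to a global / universal security group,
#            4724        = an attempt was made to reset an account's password.
$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')   # constructed watch-list
$Since = (Get-Date).AddHours(-24)

function Get-EventField {
    # Reads a named EventData field from the event's XML so we do not depend on field order.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4756, 4724; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # The "Subject" fields identify the account that performed the action.
    $actor = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
    if ($e.Id -eq 4724) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Action = 'Password reset'
            Actor  = $actor
            Target = Get-EventField $e 'TargetUserName'   # account whose password was reset
        }
    } else {
        $group = Get-EventField $e 'TargetUserName'        # for 4728/4756 the "target" is the group
        if ($WatchedGroups -contains $group) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Action = "Added to $group"
                Actor  = $actor
                Target = Get-EventField $e 'MemberName'    # DN of the account that was added
            }
        }
    }
}

# Each row is an action that has ALREADY happened: this is the reactive view the post describes.
$findings | Sort-Object Time | Format-Table -AutoSize
```

Reading the fields by name from the event XML, rather than by position in $e.Properties, keeps the script correct across the two event IDs, whose field orders differ. Note what the output cannot tell you: whether the actor was supposed to hold that right in the first place, which is the question the next takeaway addresses.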

5. Accurate (Effective) Access Visibility is Mission-Critical To Active Directory Security

As you may know, most systems start in a known good secure state, and it is only over time that driven by access changes, that gaps start to appear between the "intended" state and the "actual" state, and over time, it is these gaps that become vulnerabilities that malicious entities identify and exploit.
Quoting from the first paragraph of the section on Avenues to Compromise – “In organizations that have experienced catastrophic compromise events, assessments usually reveal that the organizations have limited visibility into the actual state of their IT infrastructures, which may differ significantly from their “as documented” states. These variances introduce vulnerabilities that expose the environment to compromise, often with little risk of discovery until the compromise has progressed to the point at which the attackers effectively “own” the environment.”


The second paragraph continues – “Detailed assessments of these organizations’ AD DS configuration, public key infrastructures (PKIs), servers, workstations, applications, access control lists (ACLs), and other technologies reveal mis-configurations and vulnerabilities that, if remediated, could have prevented the initial compromise.”

In regards to vulnerabilities and mis-configurations in Active Directory content (i.e. the thousands of objects that reside in Active Directory), as such all Active Directory deployments are highly securable, because every IT resource is adequately securable via its access control list (ACL), and most IT resources in Active Directory deployments start out being adequately secured initially.

However, with the passage of time, the state of provisioned access changes quickly, and the “actual” state of provisioned access can deviate very quickly from the “documented” state of access, resulting in a situation wherein numerous vulnerabilities are introduced that can be identified and exploited to inflict damage and take over the Active Directory.

For example, one of the easiest ways to become a Domain Admin and gain complete control over an Active Directory deployment is to add one’s own account to the Domain Admins group. In order to do so, one only needs to find out who currently possesses the ability to change the membership of the Domain Admins group.

In 99% of organizations worldwide, there is a “documented” list which states the identities of individuals who should be able to do so, and there is the “actual” list, which is the list of individuals who can currently effectively change the membership of the Domain Admins group, and in 100% of these organizations, these two lists are not identical.

In fact, there are always more individuals who can change this group’s membership than there are individuals on the “documented” list. The “actual” list can be put together by anyone with a domain user account and some Windows security knowledge, and used to identify at least one non-administrative individual who has sufficient privilege to modify this group’s membership. This one individual then becomes the easiest avenue to obtaining privileged and unrestricted administrative access in the Active Directory deployment.

This is why it is very important (in fact paramount) to always have accurate visibility into who really has what effective access on which objects in Active Directory. At a minimum, organizations must always know exactly who can modify administrative group memberships and reset administrative account passwords, because these two tasks are the easiest avenues to gaining administrative power in Active Directory.
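As an added example (not code from the original post or from Paramount Defenses), the following PowerShell audit puts the "documented" list next to the "actual" list for the two rights this post and the John Doe example above single out: who can write the member attribute of Domain Admins, and who holds the Reset Password right on each of its members. The $Documented entries are constructed placeholders to replace with your own; the script assumes the RSAT ActiveDirectory module and a domain account with ordinary read access. It evaluates direct ACEs only: nested group membership and Deny entries are not resolved, which is precisely the effective-access gap the post describes, so its output is the starting point of such an audit, not the finished answer.

```powershell
# Added example, not code from the original post or from Paramount Defenses.
# Lists who is directly granted (a) write access to the 'member' attribute of Domain Admins and
# (b) the 'Reset Password' right on each Domain Admin account, and flags grantees that are not on
# the documented list. Direct ACEs only: nested groups and Deny ACEs are NOT resolved.
# Assumes the RSAT ActiveDirectory module and a domain account with read access to AD.
Import-Module ActiveDirectory

# Well-known schema GUIDs: the 'member' attribute and the 'Reset Password' control access right.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ResetPasswordGuid   = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllObjectsGuid      = [guid]::Empty   # empty ObjectType = ACE covers all properties / all extended rights

# Constructed placeholder: the organisation's "documented" list of who may hold these rights.
$Documented = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')

function Test-AceGrants {
    # $true if the Allow ACE grants WriteProperty/ExtendedRight on $Guid, or a broader right
    # that implies it (GenericAll, GenericWrite, or the ability to rewrite the ACL via WriteDacl/WriteOwner).
    param($Ace, [string]$Kind, [guid]$Guid)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = $Ace.ActiveDirectoryRights
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    if ($r.HasFlag($R::GenericAll) -or $r.HasFlag($R::WriteDacl) -or $r.HasFlag($R::WriteOwner)) { return $true }
    $scoped = ($Ace.ObjectType -eq $AllObjectsGuid) -or ($Ace.ObjectType -eq $Guid)
    switch ($Kind) {
        'WriteProperty' { return $scoped -and ($r.HasFlag($R::WriteProperty) -or $r.HasFlag($R::GenericWrite)) }
        'ExtendedRight' { return $scoped -and $r.HasFlag($R::ExtendedRight) }
    }
    return $false
}

function Get-Grantees {
    # Returns the distinct identities whose ACEs (explicit or inherited) grant the requested right.
    param([string]$DistinguishedName, [string]$Kind, [guid]$Guid)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { Test-AceGrants -Ace $_ -Kind $Kind -Guid $Guid } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$da     = Get-ADGroup -Identity 'Domain Admins'
$report = @()

# (a) Who can change the membership of Domain Admins?
foreach ($who in (Get-Grantees $da.DistinguishedName 'WriteProperty' $MemberAttributeGuid)) {
    $report += [pscustomobject]@{ Object = $da.Name; Right = 'Modify membership'; Grantee = $who; Documented = ($Documented -contains $who) }
}

# (b) Who can reset the password of each Domain Admin account?
foreach ($admin in (Get-ADGroupMember -Identity $da -Recursive | Where-Object objectClass -eq 'user')) {
    foreach ($who in (Get-Grantees $admin.distinguishedName 'ExtendedRight' $ResetPasswordGuid)) {
        $report += [pscustomobject]@{ Object = $admin.SamAccountName; Right = 'Reset password'; Grantee = $who; Documented = ($Documented -contains $who) }
    }
}

# Rows with Documented = False are the gap between the "documented" and the "actual" list.
$report | Sort-Object Documented, Object | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. First, a grantee that is itself a group has to be expanded, recursively, before you know which individuals are actually "one step away"; that expansion, together with Deny ACEs and inheritance flags, is what turns a permissions listing into an effective-access result. Second, Domain Admins and its members are protected objects whose ACLs are periodically re-stamped from AdminSDHolder, so an unexpected grantee on them usually means AdminSDHolder itself was changed, and that is where the fix belongs.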

It is never easy to keep track of access in medium to large systems, which is why vulnerabilities exist to begin with. The ability to identify access vulnerabilities in Active Directory quickly and reliably can go a long way in identifying and eliminating vulnerabilities, and thus substantially help ensure security.
I'm sure there are other takeaways from the whitepaper as well, but these were the most interesting ones in my humble opinion. I'm a big believer in "Prevention is better than cure" because not everything is easy to cure, especially an Active Directory security compromise. So while I found the sections on Planning for Compromise interesting, I seriously do hope no organization needs to be in a situation wherein they actually have to use that information. They should be ready though, but I hope they never have to use it.

One Glaring Omission

Microsoft IT has done a good job at providing both information on key threats to Active Directory and actionable guidance on how to enhance Active Directory security. In regards to the threats, they’ve rightly pointed out that the single biggest target in Active Directory deployments is the administrative accounts and groups that can easily be targeted in an attempt to compromise Active Directory, and they have mentioned some of the top attack vectors including the pass-the-hash (PTH) attack vector.

But there was NO mention whatsoever of the #1 risk to Active Directory deployments.

The omission of the #1 risk to Active Directory is intriguing. Perhaps it is intentional, or perhaps, even Microsoft IT does not know what the #1 risk to Active Directory deployments is.
(The latter I find a little hard to believe, although it is not out of the realm of possibilities because there was hardly any coverage in the whitepaper on one of the most important areas of Active Directory Security, which is so extensively used worldwide, and to which the #1 risk is related.)

Anyway, since we’re about to declassify it shortly, if Microsoft IT does not know about it yet, they too will know about it, shortly, along with the rest of the world.

All in all, this whitepaper is a must-read and I highly recommend it. Although there seems to be some duplication of content within the whitepaper, there is still much information of value to learn from.

Kindest regards,

PS: You may find this interesting as well - Responding to a Domain Admin Account Compromise

Monday, August 12, 2013

The "Pass-The-Hash" (PTH) Attack is NOT the Top (#1) Security Risk to Microsoft Windows Server / Active Directory Environments


Hope you're well. Sorry for the momentary absence. Time to blog is just not a luxury I can afford these days given my responsibilities. However, I did want to take a few moments to share a thought on something that so many believe is the #1 risk to Active Directory deployments...

Pass-the-Hash (PTH) Attack

... it is widely believed that the Pass-The-Hash (PTH) attack is the #1 attack against Active Directory deployments, primarily because it can be used to easily obtain administrative access i.e. the keys to the kingdom in Active Directory deployments.

It is undoubtedly a powerful attack vector because, with the right tooling, it provides an insider a relatively easy way to obtain powerful, unrestricted administrative access in an Active Directory environment.

However, it is most certainly NOT the top attack vector against Active Directory. There is at least ONE attack vector which makes it far easier to obtain administrative access in Active Directory deployments than does the PTH attack vector.

Unlike the pass-the-hash attack vector which absolutely requires a victim to have logged on to a computer owned by the attacker, the #1 attack vector has no such requirements. In fact, it does not require the victim to logon to any particular computer, and it most certainly does not require the use of such advanced tooling such as hash capture and replay tools.

(If only the folks who built these sophisticated hash capture and replay tools would've thought out-of-the-box, they could've saved themselves a lot of painstaking effort. Oh well, I suppose if they were Active Directory security experts, they would have figured this out way back.)

The attack vector I am referring to is far easier to carry out than the PTH attack vector, and it can be carried out by any insider, without requiring any technical know-how or hacking prowess. In fact, its attack surface is substantially vaster, and with the right tooling, it could be used to obtain administrative access in Active Directory environments almost instantly.

(The good news is that, with the right capabilities, it can be reliably mitigated (more on that later), and it doesn't require the use of advanced security measures such as Authentication Mechanism Assurance.)

We have reason to believe that certain Advanced Persistent Threats may have gotten wind of it, and may be in the process of developing exploits, so to help organizations worldwide put adequate risk mitigation measures in place before such exploits make their way, we'll share the knowledge of this attack vector and its mitigation shortly.

The only other thing I'll add is that it is not based on any classified information. In fact it is based on a very logical premise, and if anything, only involves a little bit of novel thinking and common sense. However, as goes the old saying, "common sense is not so common."

I'll share it with you on Sep 12, 2013 on this blog. Until then, here's a hint - Top 5 Active Directory Security Risks

September 12, 2013 Update: Here is the link to the declassified risk -

Best wishes,

PS: What surprises me is that even prominent cyber security experts don't seem to have a clue about this specific vector!

Monday, July 15, 2013

The Active Directory Security Resource Center


I hope this finds you all doing well. As you may know, the Cyber Security temperature around the world continues to rise, and as it does, it potentially threatens organizational Active Directory deployments worldwide.

In an effort to help organizations worldwide adequately secure and defend their Active Directory deployments from compromise, I recently commissioned the development of an Active Directory Security Resource Center.

Active Directory Security

The intention was to help organizations better understand the risks to which their Active Directory deployments may be exposed, as well as to help them determine how to assess and mitigate risks to their Active Directory deployments, measurably, efficiently and reliably.

It thus provides valuable information on numerous aspects of Active Directory Security, including the Top Security Risks to Active Directory, as well as a set of adequate risk mitigation measures that can be enacted to protect Active Directory from these risks.

It thus touches upon numerous aspects of Active Directory Security, including Domain Controller Security, Administrative Account Reduction, Active Directory Audit, Active Directory Auditing, Active Directory Security Tools, Active Directory Checklists, as well as other Active Directory Resources.

One of the main reasons for commissioning it was that, based on what we're seeing, most organizations around the world are substantially deficient in their ability to successfully thwart potential cyber security attacks aimed at Active Directory deployments. The only part more worrisome is that most of these organizations don't actually even realize the ramifications of an Active Directory compromise. That's a worrisome situation, and one that we intend to help improve to the extent we can.

The Active Directory Security Resource Center is thus one of many ways in which we intend to help organizations.

It's over at -

Kindly note that it is not intended to be a comprehensive source of information, as we expect Microsoft Corporation to be that source. It is however, intended to provide highly actionable and valuable guidance, as well as pointers to other resources, so organizations can better understand the threats to Active Directory, as well as determine how to mitigate those threats in a timely manner.

In days to come, we will also declassify the #1 cyber security risk to Active Directory deployments today. Before we do so, we will also share valuable additional information on this vital subject, so that organizations can better understand how to protect their Active Directory deployments from harm.

Best wishes,

Wednesday, May 29, 2013

Active Directory Security - A Top Cyber Security Priority Today


As you may know, today Active Directory is at the very foundation of enterprise security and cyber security worldwide.

Given Active Directory's foundational role in enterprise security worldwide, based on the principle of adequate protection, it is only logical that the security of the Active Directory itself is paramount to organizational security worldwide.

As logical as it may sound, based on what we have seen in our vast experience over the last decade, we are deeply concerned to see that most organizations today across the world do NOT yet realize just how important Active Directory security really is.

I suppose the only thing more concerning is that not only do so many organizations not realize this yet, they also do not seem to possess the level of technical skill-set and expertise that is required to adequately protect their underbelly.

(You'd be surprised if we told you just how many government agencies are still looking for mere account lockout status tools.)

In addition, so many organizations believe that the presence of an Active Directory auditing solution is generally sufficient to provide adequate security for Active Directory because it can help them audit the enactment of a malicious task.

Little do they realize that auditing is merely a reactive security measure, that at best, aids in potentially detecting the occurrence of a malicious action and determining the identity of the perpetrator. The key word here is REACTIVE. The fact that the occurrence of a malicious task showed up in an audit log indicates that the malicious task has already been performed.

The keyword here is ALREADY. In such a situation, although auditing could potentially help identify the perpetrator, depending on the perpetrator's skill, the opportunity to enact a single malicious task could be (/have been) sufficient to inflict substantial, and often irreversible, damage to not just the Active Directory, but the entire Windows Server based IT infrastructure. (The first thing a smart perpetrator would do is disable all the admin accounts so no one can even log in to try and stop him/her.)

The point is that the presence of any one single security measure, such as reactive auditing, is hardly sufficient to provide adequate security for an Active Directory deployment. Providing adequate security for Active Directory requires and involves the presence of numerous procedural, policy and technical security controls that work together to provide adequate protection.

So many organizations today seem to be substantially deficient in providing adequate protection for their Active Directory deployments, and the #1 reason for this is that Active Directory security does not appear to be a high enough priority for them.

Thus, in the best interest of all organizations, we've put together a simple succinct document that unequivocally communicates the importance of protecting foundational Active Directory deployments. You can download it by clicking the image below, or clicking here.

The Importance of Active Directory Security
We do hope that this simple document helps organizations unequivocally understand just how important the security of their foundational Active Directory is to their security, and in their own best interest, ensure its adequate protection at all times.

As the very foundation of enterprise security worldwide, Active Directory security is not just important, it is paramount.

What else could be more important?

Best wishes,

Tuesday, May 21, 2013

Active Directory Security Checklist


As you may know, today Active Directory is at the very foundation of enterprise security and cyber security, worldwide.

At Paramount Defenses, we go to great lengths to provide thought leadership in this vital area of cyber security, by not only delivering the world's most valuable Active Directory security solutions that today help secure and defend the world's most respected organizations, but also by responsibly sharing valuable subject matter expertise with 1000s of organizations across 100+ countries worldwide.

In days to come, we will be declassifying arguably the #1 Active Directory security risk that organizations face today.

Before we did so, we felt it necessary to share a simple yet effective Active Directory Security Checklist designed to help organizations assess and mitigate risks to their foundational Active Directory deployments. (One of the reasons for doing so is that the #1 security risk to Active Directory deployments can be easily mitigated by ensuring that one of the items on this checklist is adequately fulfilled.)

You can download this Active Directory Security Checklist by clicking here or on the image below.

This checklist is intended to be a succinct, prioritized high-level check-list and is designed to help IT personnel assess the security afforded to their Active Directory deployments.

We humbly advise all organizations to take the security of their foundational Active Directory deployments seriously because a Microsoft Windows Server based IT infrastructure, and the entirety of IT resources stored and protected by it, are arguably only as secure as is its underlying Active Directory.

Kindest regards,