Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Wednesday, September 18, 2013

How an Insider Could Easily Compromise the CFO's Account - An Example of Active Directory Privilege Escalation Based on Access Grant Exploitation


Today, I will share with you a concrete example of how any insider could potentially compromise the user account of the Chief Financial Officer (CFO) of an organization by exploiting weaknesses in access grants provisioned in Active Directory, which is the basis of the Active Directory Privilege Escalation security risk that I declassified one week ago.

Chief Financial Officer

This specific example is a very realistic illustration of this risk, that today could be carried out in most organizations worldwide.


  • Target: The CFO's domain user account which resides in the Finance OU in the Active Directory
  • Attacker: John Doe, a temporary contractor working on some project, who has a domain user account
  • Attack Methodology -
    • Step 1 - Obtain a tool that can aid in performing Active Directory Security Analysis.
    • Step 2 - Use this tool to a) locate the CFO's domain user account in Active Directory, and then b) analyze access provisioned in the ACL of the CFO's domain user account to identify the list of all individuals who can reset the CFO's password.
    • Step 3 - Use the same tool to analyze security permissions on the user accounts of each of these individuals to identify who can reset their passwords. Iterate this process on this list of accounts, and continue iterating until the single weakest link i.e. an account that can be easily compromised by  the attacker, has been found.
    • Step 4 - Begin by compromising the account identified as the weakest link. Then, login using that account and reset the password of the next account in the chain. Repeat this process until you have reset the password of a delegated admin who can reset the CFO's user account.
    • Step 5 - Login using the final compromised delegated admin's account, and reset the CFO's password.
  • Time Requirement - The exploitation process is very quick, since a password reset operation only takes 5 seconds, and a subsequent logon about 30 seconds. The only part that takes some time is the process of determining who can actually reset a target account's password.
  • Compromising the Initial Account - The initial account can be compromised by any one of various means, an encyclopedia of which is known to most malicious individuals. Examples of such means include Password Guessing, Password Stealing (Keystroke Logger), Phishing, Hash Replays (Pass-the-Hash) etc.


Step 1 - Obtain a tool that can aid in performing Active Directory Security Analysis

Since John already has a domain user account, he already has complete read access to Active Directory content. All he needs is an Active Directory Security Analysis tool to view Active Directory content, analyze Active Directory permissions and enumerate group memberships i.e. aid in the process of determining effective access in Active Directory.

The Advanced Security Settings Tab of the Active Directory Users and Computers Tool

There are many freely available tools that can aid the attacker in performing Active Directory Security Analysis, such as Microsoft Active Directory Users and Computers Snap-In, Administrative Center, dsacls, acldiag, LDP, LIZA etc.

Step 2a - Use this tool to locate the CFO's domain user account in Active Directory

Once John has installed a tool of his choice, he can launch it to view the contents of the Active Directory. Using the tool's inbuilt search abilities, he should easily be able to locate the CFO's account -
Locating the CFO's User Account in Active Directory
CFO's User Account in Active Directory

Once John has located the CFO's domain user account, he can access the ACL protecting the account. Since authenticated users have default read access in Active Directory, no special access is needed to access and examine AD ACLs.

Step 2b - Use this tool to analyze access provisioned in the ACL of the CFO's domain user account to identify the list of all individuals who can reset the CFO's password.

The next step is to analyze the object's ACL to identify the list of all individuals who can reset the CFO's password. The following is the access control list (ACL) protecting the CFO's domain user account -

Analyzing Security Permissions Specified in the ACL of the CFO's User Account

In order to determine who can reset the CFO's password, John will need to determine who effectively has Reset Password rights granted on the CEO's user account.

To do so, he will need to engage in the process of determining who has what effective access in Active Directory. Kindly note that this process is NOT the same as the one involved in determining who has what permissions in Active Directory.

In essence, all John needs to do is determine who effectively has Reset Password rights allowed on the CFO's user account. Anyone who is effectively allowed the Reset Password extended right, or All Extended Rights, or Full Control over the object will make the list. This is because All Extended Rights includes the Reset Password right, and because Full Control includes All Extended Rights.

As you can see above, there are many security permissions specified in the ACL, each one specified in an individual access control entry (ACE). Some ACEs grant permissions whereas others deny permissions. Some are explicitly specified on the object, whereas others are inherited. Some inherited ones apply to the object (CIID), whereas others merely exist to be inherited down to other objects (CIIO).

In order to determine effective access on the CFO's object, John will need to perform a process similar to the following -
  1. Identify all relevant ACEs i.e. all ACEs that allow/deny Reset Password, or All Extended Rights or Full Control.
  1. Then flatten all group memberships for which access is specified in all relevant ACEs, generating lists that enumerating the list of all individuals who are allowed access, as well as enumerating the list of all individuals who are denied access. (Ensure that any and all nested group memberships are completely flattened as well.)
  1. Then, intersect these lists taking into account all pertinent factors, such as inheritance rules, ACE applicability, conflict resolution etc. to ultimately arrive at a list of all individuals who can reset the CFO's password.

Upon completion of these steps, John would have the list of all individuals who can effectively reset the CFO's password.

List of individuals who can reset the CFO's password

It is worth noting that even if John did not know how to do engage in this process with 100% precision, even with 80% precision, he could determine 80% of the individuals who could reset the CFO's password.

Step 3 - Analyze security permissions on the accounts of these individuals to identify who can reset their passwords.

If John is already a delegated admin, and his account is already on that list, he may not need to analyze effective access on any more accounts. However, if his account is not on that list, then he could continue the process to find a weakest link, which is described below.

Once John has put together the list of all the individuals who can reset the CFO's password, he would then proceed to determine who can reset the passwords of these individuals. This would give him a broader attack base, and one that would also usually constitute a set of weaker targets to compromise.

He could then iterate this process on this new list of accounts, and continue iterating until the single weakest link i.e. an account that can be easily compromised by the attacker, has been found.

Any ONE of a large number of IT admins may be the starting point for privilege escalation i.e. the weakest link

For instance, he might find that a total of 12 individuals can reset the CFO's password, but that a total of 36 individuals can reset the passwords of these 12 individuals. He could iterate further to find potentially 50 or so individuals who could in turn reset the passwords of these 36 individuals.

He only needs to iterate the process until he can find at least one account that is easily or readily compromisable i.e. until he has found the weakest link. For instance, he could stop identifying accounts as soon as he finds the account of a single local IT admin whose account he could compromise using various known means.

By engaging in this process, he would have in effect identified a privilege escalation path, which would start from an easily compromsable account and lead all the way up to the CFO's user account.

Step 4 - Escalate Privilege by Performing Password Resets

Once John has identified a privilege escalation chain, all he needs to do is act upon it at a day and time of his choosing and to his advantage. He would begin by compromising the first account using any one of several known means to do so.

Once he has compromised the first account, the rest of escalation is simply a matter of logging in using the compromised account, then resetting the next target's password, then logging off, and logging on using the next compromised account, and so on, and by the end of it, he would have effectively escalated his privilege to that of the CFO of the company

Final Privilege Escalation Step - Resetting the CFO's account's password

In most cases, John would only have to repeat these steps 2 to 4 times (i.e his privilege escalation depth would be 2-4.)

Step 5 - Login as the CFO

Once John has reset the CFO's account's password to one of his choice (e.g. Th@WasEasy!), he can instantly login as the CFO i.e. using the CFO's account -

Once logged in as the CFO, he would have whatever read and modify access the CFO's account may have been provisioned across the IT infrastructure. Since in most organizations, single-sign-on is in use, he could almost instantly access, copy, change or delete any information that the CFO's account might have access to.

(Imagine the financial and legal ramifications of John being able to access the organization's quarterly earnings numbers just 10 minutes before the official scheduled earnings release, using the CFO's account, and then leaking them on the Internet.)

Some Observations about Active Directory Privilege Escalation Based on Exploitation of Unauthorized Access Grants

As seen above, the process of identifying and exploiting unauthorized access grants in Active Directory is rather simple. Here are some noteworthy observations -

  • Easier than the Pass-The-Hash (PtH) Attack Vector - This attack vector is much easier than the PtH attack vector because of the following reasons -
    • Opportunity - The PtH attack vector may be easy to carry out against Domain Admins because the likelihood of having a Domain Admin logon to a machine the attacker controls is high. However, the likelihood of a specific non-administrative high-value account such as that of the CFO, CEO, CIO, CISO, IT Director, a Vice President, a manager etc. logging on to a machine controlled by the attacker is rather low. (Most folks usually logon to their own dedicated machines.) Thus, the likelihood of compromising a non-administrative account with PtH is low, whereas with this attack vector it is high.
    • Lower Bar - In most organizations, there is already sufficient awareness about the PtH attack vector, and administrators are careful as to not to logon to machines they do not trust. However, most organizations still have no idea as to exactly who can reset whose passwords, so there are ample opportunities to escalate privilege by resetting passwords and thus the bar is much lower
    • No Specialized Tooling Required - Unlike the PtH attck vector, this attack vector does not require any specialized tooling. It only requires some security analysis and the enactment of basic tasks, which can easily be carried out using Microsoft's native tools.
    • Higher Probability - If a potential target never logs on to the attacker's host, the attacker will NEVER be able to use PtH to escalate privilege. However, with password resets, not only does the potential target not need to logon to the attacker's machine, the probability of finding at least one unauthorized individual who can reset the target user's account is substantially higher.
  • A Vast Attack Surface - It is not just domain user accounts that are vulnerable. All Active Directory content, including security groups (and their memberships), computer accounts, GPOs, entire organizational units (OUs), service connection points (SCPs) etc. can all be compromised by simply determining who can manage them and then using this approach to take over the account of a delegated administrator who can manage that object.
  • AdminSDHolder Protection does not mitigate this risk - Contrary to popular belief,  AdminSDHolder does not mitigate this risk for two reasons -
    • Non-administrative accounts - AdminSDHolder only serves to ensure that a standard set of permissions in applied to all administrative accounts and groups. It does not provide any protection for non-administrative accounts and groups. So for example, executive (C*O) accounts, VP accounts, director and manager accounts are not protected by it, neither are regular employee and contractor accounts.
    • Administrative accounts - Even for administrative accounts, it only serves to ensure that a single standardized set of permissions are applied to all accounts. It does NOT protect the groups to whom access is specified in the ACL of the AdminSDHolder object itself, or the users that belong to these groups. Thus, this attack vector can also be used against all administrative accounts and groups.
  • Security Analysis is not Audited - The act of performing security analysis only involves read access to Active Directory. Read access to Active Directory is almost never audited because of the sheer volume of read access that takes place everyday in the course of normal business/IT operations. As a result, it is virtually impossible for IT personnel to know whether or not, and if so, when, someone might be performing such security analysis in their environments. This aspect gives attackers the luxury of time. They could take anywhere from hours to weeks to identify weaknesses, then act at a day and time of their choosing to exploit their findings.
  • This Risk is 100% Mitigatable - This risk is 100% mitigatable. In other words, organizations can easily take steps to mitigate it, such that even if every user in the environment were to scour all their Active Directory ACLs, all they would find are tightly locked access grants i.e. least privilege access (LPA) implemented in their Active Directory. In order to mitigate this risk and attain an LPA state in their Active Directory, all that organizational IT personnel need to do is identify and eliminate unauthorized access grants in their Active Directory. This can easily be done by using any advanced Active Directory Security Analysis Tool that is capable of determining True Active Directory Effective Permissions (i.e. true/accurate effective permissions on Active Directory objects). Organizations that have abundant IT resources and expertise could also choose to develop and test their own Active Directory effective access assessment capabilities in-house.

Real-World Proof

For most IT personnel familiar with Active Directory, the example presented above should be sufficient to illustrate the risk.

For those who must have real-world proof, you can use this tool (its free), to see for yourself, in under 2 minutes, exactly how many individuals can reset your own password, as well as the password of any of your colleagues, including that of your organization's CFO.

Need one say more?

Best wishes,

Friday, September 13, 2013

Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory - The #1 Insider Threat to Organizations


Today, I will objectively substantiate not only why the risk I declassified yesterday (i.e. Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory) is the #1 cyber security risk to Active Directory, but also why it is also the #1 insider threat to 85% of organizations worldwide -

The Building Blocks of Security in an Organization

In every IT infrastructure, there is a security infrastructure that is responsible for providing Authentication, Authorization and Auditing (AAA), which provides the foundation upon which all secure access is based i.e. it facilitates secure authenticated and authorized access to securable resources and it enables the auditing of access to these resources.

In the IT infrastructure of every organization in the world, no matter how small or large, there are 5 basic building blocks of the security infrastructure that together facilitate AAA / secure access to resources -
  1. The User Accounts (and their passwords/ other credentials) that are used to uniquely identify and authenticate users
  1. The Computer Accounts that represent the computing devices in the system on to which users logon, and on which all computing occurs i.e. your laptops, desktops, file servers, application servers, database servers etc.
  1. The Securable Resources to which access can be granted, i.e files, directories, applications and their content, databases and their content, directory services and their content etc.
  1. The Security Groups that are used to aggregate users for the purposes of authorization
  1. The Auditing Mechanisms that enable the auditing of secure access to securable resources
Together, these User Accounts, Computer Accounts, Security Groups and the Auditing Mechanisms facilitate secure authenticated, authorized and auditable access to all Securable Resources in the organizations IT infrastructure,  24-7.

Where are the Building Blocks of Security Stored, Managed and Protected?

In IT infrastructures powered by Microsoft's Windows Server platform, i.e. in about 85% of IT infrastructures worldwide, these building blocks are stored and managed in, and protected by the Active Directory.

Specifically -
  1. All User Accounts and their passwords are stored in the Active Directory
  1. All Computer Accounts representing all domain-joined hosts are stored in the Active Directory
  1. All Securable Resources in turn are stored on domain-joined machines, which can be completely controlled via Group Policy from the Active Directory
  1. All Security Groups and their memberships, that are used to specify access to all Securable Resources (e.g. files, directories, shares, SharePoint portals etc.) are all stored in the Active Directory
  1. All Auditing for identity & access management is done on Domain Controllers (i.e. machines that host Active Directory)
In other words, it is Active Directory that stores and protects (directly or inditectly) the entirety of all security building blocks, as well as facilitates their management by administrative IT personnel.

What are the Consequences of the Compromise of These Building Blocks?

Now let us consider what the consequences of the compromise of any of these building blocks could be, and how they could impact organizational security.
  Specifically -
  1. If a specific User Account, such as that of the CEO is compromised, the attacker can instantly access everything the CEO has access to, including all confidential data, documents, groups, databases etc etc. as well as modify or destroy everything the CEO has modify access to.
  1. If a Computer Account, such as that of a file server that stores highly confidential information (e.g. trade secrets, blue prints, financials, customer records) etc. is compromised, the entirety of data stored on that server can be easily accessed, tampered, divulged or destroyed.
  1. If a Securable Resource, such as the spreadsheet that contains Earnings Numbers can be accessed and leaked minutes before a public organization's Earnings Call, the untimely disclosure of that data could result in a loss of billions of dollars in market capitalization.
  1. If a Security Group such as Human Resources Personnel can be compromised, i.e. if an attacker can add his/her account to this group, all confidential information such as all employee records being protected by that group can now be instantly accessed by that attacker.
  1. If the Auditing settings can be tampered with, than an attacker can disable auditing in the system, before he/she proceeds to engage in other malicious tasks, thus ensuring that there is no trail of malicious actions left.
In other words, the amount of damage that can be done by an attacker if he/she can compromise the very foundational building blocks of security is potentially colossal, and can result in serious consequences ranging from substantial monetary loss to reputational damage.

What is the Easiest Way for Someone to Compromise These Building Blocks?

In light of these consequences of the compromise of any of these building blocks, let us consider what is the easiest way that someone could use to compromise these building blocks.

Specifically -
  1. The easiest way to compromise a User Account is to reset the user's account's password to one of your choice (e.g. H@cked!) then instantly login as the user.
  1. The easiest way to compromise a Computer Account is to take over its computer account in Active Directory, and/or cause a Group Policy designed to take over the computer to be sent out to the computer via the trusted channel between the computer and the DC, by applying it to the OU in which the computer account resides.
  1. The easiest way to compromise any Securable Resource is to find out which Security Group has modify access to it, then just add your own account to that security group, to instantly gain access.
  1. The easiest way to compromise a Security Group is the find out who can change its membership, and compromise that individual's account by resetting their password, then login as that individual and add your own account to the group.
  1. The easiest way to compromise Auditing is to turn either turn OFF auditing in the Active Directory, or modify the SACL of objects to disable auditing on specific objects.
In other words, the easiest way to compromise the building blocks of security is to find out who has what access on them, then compromise their accounts to take control of the building blocks.

In Most Organizations, No One Knows Exactly Who can do What on these Building Blocks?

In most Active Directory deployments large number of IT personnel currently posses the ability to perform various administrative tasks on these building blocks, but NO ONE really knows EXACTLY who can do what on these building blocks in their Active Directory deployments.

This most simply put, is primarily because all of these building blocks are protected by Active Directory's security model, which makes it very easy to precisely provision secure access but lacks the ability to help IT personnel precisely assess/audit effective provisioned access.

As a result, although IT admins provision access for delegating administrative responsibilities frequently, due to the lack of a single point of control on both delegations and group memberships, as well as the sophistication of Active Directory's security model, they have no way of knowing whether access was infact provisioned on the principle of least privilege, or whether they may have accidentally/inadvertently ended up granting additional IT personnel access that they should not ideally have. They also have no way to precisely assess/verify/audit provisioned access, so they continue fulfilling provisioning needs based on "approximations" and over time (years), the presence of excessive unauthorized administrative access in Active Direcory deployments becomes pervasive.

As a result, IT admins may have an "approximate" idea of who has what access, but most do not have "precise" insight, and almost always, the difference between security and compromise is "precision" (referred to as "vulnerability" in security parlance.)

ANY Insider Can Potentially Assess Security (Effective Access) on and Compromise these Build Blocks

Anyone with a domain user account, from IT Personnel to Executives, and from Executive Assistants to Contractors, can with some basic and readily available free tools EASILY access and analyze the universe of all security permissions that protect all of these building blocks, and with a little skill and sufficient time (hours/weeks/days), easily find out exactly who has what access over these building blocks, and (mis)use this information to compromise virtually any IT asset of choice.

The "little skill" requirement, as well as the "sufficient time" requirement can be easily obviated by the availability of tools (e.g. an Active Directory Permissions Analysis Tool, or an Active Directory Password Reset Analysis Tool) that automate the determination of effective access in Active Directory.

Whether analyzed manually or via a tool, these access assessment are all read-only in nature, and thus IT personnel cannot audit or detect the occurrence of such an access assessment. Once completed, such an assessment can provide a very rich "road-map" of sorts to insiders, as to how to go about compromising anything from a basic file all the way to down to how to completely take over and control the entire Active Directory deployment.

The #1 Insider Threat to Organizations

For reasons stated below, I believe that Active Directory Privilege Escalation based on Exploitation of Unauthorized Access Grants in Active Directory, is the #1 insider threat to organizations today -

  1. It can be carried out by ANY insider, from highly technical delegated administrators to completely non-tech savvy Executive Assistants. Tech-savvy individuals can use Microsoft's native tools (e.g. dsacls) to assessments and non-tech savvy individuals can use 3rd party tools (e.g. any Active Directory Password Reset Analysis Tool) to do so.
  1. The attack surface is VAST, because literally the entirety of all Active Directory content, i.e. any user account, computer account, security group, OU, GPO, Service Connection Point etc. is a potential target.
  1. The analysis part of the attack vector only involves READ access which is NOT audited, and cannot be realistically audited, thus can hardly ever be detected.
  1. The exploitation part of the attack vector (i.e. one involving the password resets or the group membership changes) literally takes seconds and can at best be responded to, meaning the damage would already have been done. In most cases, by the time someone responds, it would have been too late (; e.g. sure you can catch the individual who leaked the earnings report, but the damage (in billions of dollars) would already have been done.
  1. Unlike the sophisticated Pass-The-Hash (Pth) attack, this attack vector does not require ANYONE to LOGON to any machine. It only requires READ access to Active Directory, which everyone has, basic (e.g. dsacls) or advanced tooling (e.g. any Active Directory Permissions Analysis Tool), and the implementation of basic tasks for which User Interfaces (e.g. Active Directory Users and Computers Snap-In) are freely and readily available from Microsoft.

In light of the above, given the fact that ANY insider can enact this threat, the VAST attack surface, the inability to audit the core part of this attack vector (read-only effective permissions analysis) and the availability of the tooling required to enact this threat, it is clearly a very serious insider threat to organizations today.

From gaining unauthorized access to a single confidential document to automating the destruction of the entire Active Directory deployment, the expanse of the damage an insider can do with it is limited only to their skill. In that light, it may be very well be the #1 insider threat to Active Directory today.

But We don't worry about Insider Threats

Organizations that do not worry about insider threats need only be reminded of one name - Edward Snowden, the classic Trusted Insider, who may not only have caused monumental and irreversible damage, but also great embarrassment to arguably the world's most powerful and clandestine national security agency, the U.S. NSA.

Best wishes,

PS: If you're still not convinced, I'll prove it to you - using this free tool you can see for yourself just how many people could reset your password and login as you today. (The threat, in most cases, is not directly from them, but frm someone who first resets their password, then resets yours to login as you.) In case you didn't know, a password reset takes about 5 seconds to perform.

Thursday, September 12, 2013

Active Directory Privilege Escalation based on Exploitation of Unauthorized Grants in Active Directory - The #1 Cyber Security Risk to Active Directory


The #1 cyber security risk to Active Directory deployments is summarized in the following Executive Summary document (which can be downloaded by clicking the image below, or by clicking here) -

Active Directory Privilege Escalation Executive Summary - 
  To access this Executive Summary, click image above, or here.
Those who understand it, know that it is powerful enough that it can be used to instantly compromise any Active Directory deployment in the world. (We can demonstrate its enactment in any production Active Directory deployment in the world.)

Those who don't understand it yet may wish to ramp up their Active Directory Security skills. A good starting point is to research "Active Directory Effective Permissions" and "Active Directory Privilege Escalation".

In days to come I will shed light on its various aspects, such as what makes it substantially more critical than the Pass-the-Hash attack vector, etc. Until then, here are some thoughts, some details, and a concrete example.

Best wishes,

PS2: For those of you who downloaded the password-protected version of the document this past week, the password to that document was "SkyFall"