Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, June 20, 2014

Active Directory Account Password Security 101 for Regulatory Compliance Auditors - The Difference Between Change Password and Reset Password


I hope this finds you well. Today, I just wanted to take a few minutes to shed light on a matter that impacts virtually every publicly-held organization in the United States, and possibly most organizations across the world.

A few weeks ago, yet another globally prominent multi-$B publicly held U.S. organization licensed Gold Finger 007.

Given Gold Finger 007’s numerous capabilities (Active Directory Delegation Audit, Active Directory Effective Permissions Analysis, Active Directory Permissions Analysis, Domain-wide Kerberos Token Size Computation etc.), we always like to learn about what our customers are using Gold Finger for.

So when we asked them what they intended to use Gold Finger for, they informed us that they wish to use it to “audit who can change whose passwords in Active Directory, because their SOX Compliance auditors required them to furnish this information.”

That was a bit surprising. We figured they meant to say “who can reset whose passwords” so we asked them again whether the auditors required them to furnish a report of “who can change whose passwords”, or “who can reset whose passwords”.

They confirmed that the auditors wanted to know “who can change whose passwords”.

That to us was a bit worrying.

Here’s why –

The Difference between Change Password and Reset Password

Folks, the difference between “who can change passwords” and “who can reset passwords” is paramount to understand for organizational security, yet it remains largely misunderstood, and thus is worth shedding light on -

Active Directory Password Changes

Every domain user account in Active Directory is protected by a password, and it is the knowledge of this password that allows the account holder to authenticate him/herself, and in effect stake claim to the identity represented by that domain user account.

When a user’s account is initially set up, he/she is provided with a temporary password (ideally via secure means), and then asked to immediately change that password to a new value, i.e. one that only he/she has knowledge of.

Only the account’s holder is supposed to know the account’s password. No one else is supposed to know his/her password, because anyone who knows the account’s password can authenticate to the system as that user by using that password.

Now, for security reasons, most organizations require users to change their passwords on a periodic basis, so as to protect passwords from password guessing attacks, and as such the system provides a facility to let users change their passwords.

A user can change his/her password by pressing the Secure Attention Sequence (Ctrl+Alt+Del), then selecting the “Change Password” option. The user is then required to enter BOTH the new password AND the current password.

(Note: The Windows Change Password dialog refers to the current password as the old password.)

If the current password entered is valid, the system accepts the password change request and proceeds to change the user’s password to the new value. If the current password entered is not valid, the system denies the password change request. This check is enforced by the domain controller that processes the change, not by the dialog, so it holds for every client and protocol through which a password change can be requested.

Now, it is very important to NOTE that in order to change the password, the user is REQUIRED to enter the current password i.e. WITHOUT demonstrating knowledge of the current password, he/she CANNOT change the password.

In other words, if one assumes that ONLY the user knows the password to his/her account, then one can infer that NO ONE ELSE can change the user’s password, because NO ONE ELSE knows the user’s current password.

In summary, there is little value in auditing who can change whose passwords: the ability to change a password is gated by knowledge of the current password, not by a permission that an ACL audit could reveal. The only person other than the account holder who could change it is someone who already knows (or has stolen) the current password, and that person already has everything a password change would give them.

Consequently, in my humble opinion, regulatory compliance auditors should not be asking organizations to audit “who can change whose passwords” only because there is no material benefit in doing so.

Active Directory Password Resets

NOW, in case you find yourself asking – “But wait, what about the situation wherein a user forgets his/her password, then calls Help Desk for assistance, as a result of which a Help Desk Operator resets the user’s password, and grants the user a temporary password with which he/she can then login, and immediately after logging in, change his/her password to a value only known to the user.”

The answer is that, the Help Desk Operator, did NOT CHANGE the user’s password, but in fact RESET the user’s password to a new temporary password, then provided this temporary password to the user (hopefully via a secure channel) AND (hopefully) instructed him/her to immediately change his/her password to a value only known to the user.

You see, in order to account for situations wherein a user forgets his/her password, and is thus unable to login, the system provides a facility by which authorized administrative personnel can reset the password of a user’s account.

This password reset facility can also be used to take control of a domain user account in situations wherein IT needs to take over the user's account, such as those involving employee termination, security incidents etc.

It may be noted that resetting a user’s password does NOT require demonstrating knowledge of the user’s existing/current password. Instead, it only requires that the individual performing the reset hold the “User-Force-Change-Password” extended right (displayed as “Reset Password” in the ACL editor) on the domain user account. Anyone who holds this right on a domain user account can instantly reset that account’s password.

(Strictly speaking, in order to change a user’s password, the user too requires the “User-Change-Password” extended right on his/her own account. By default the user object class grants this right to both “Everyone” and SELF, so every user holds it on his/her own account. Just because the right is granted to “Everyone” does not mean that anyone can change the user’s password: the domain controller additionally requires the caller to supply the current password, so only those who know it can change the account’s password.)

(BTW, the Rights GUID for User-Force-Change-Password is 00299570-246d-11d0-a768-00aa006e0529 and the Rights GUID for User-Change-Password is ab721a53-1e2f-11d0-9819-00aa0040529b.)
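As an added illustration (this code is not from the original post, nor from any Paramount Defenses product), the following Python script parses a user object's DACL in SDDL form and sorts its ACEs by whether they grant the Change Password or the Reset Password extended right, using the two rightsGuid values above. The DACL string in it is constructed for the example; it resembles, but is not copied from, the default user-object ACL, and the two S-1-5-21-... SIDs stand for invented delegated groups. Note the ACEs with no object GUID: an ACE that grants all extended rights (or full control) covers Reset Password too, so a search for the Reset Password GUID alone would miss Account Operators and Domain Admins here.

```python
"""Classify the ACEs in an AD user object's DACL (SDDL string form) by whether
they grant the Change-Password or the Reset-Password extended right."""
import re
from collections import namedtuple

# rightsGuid values of the two extended rights (from the AD schema).
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password

CONTROL_ACCESS = 0x100      # ADS_RIGHT_DS_CONTROL_ACCESS: the "extended right" bit ("CR")
GENERIC_ALL = 0x10000000    # "GA": maps to every specific right, CONTROL_ACCESS included

# Two-letter SDDL access-right codes and the mask bits they stand for.
RIGHT_CODES = {
    "GA": GENERIC_ALL, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": CONTROL_ACCESS,
}

# SDDL SID abbreviations used in the sample; any other trustee is kept as-is.
SID_ALIASES = {"WD": "Everyone", "PS": "SELF", "AO": "Account Operators",
               "DA": "Domain Admins", "EA": "Enterprise Admins",
               "BA": "Administrators", "SY": "SYSTEM", "AU": "Authenticated Users"}

Ace = namedtuple("Ace", "ace_type flags mask object_guid inherit_guid trustee")


def parse_mask(rights):
    """Access mask from either a hex literal or a run of two-letter codes."""
    if rights.startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("odd-length rights field: " + rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_CODES[rights[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Yield Ace tuples from the D: part of a security descriptor string."""
    dacl = sddl.split("D:", 1)[1]
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, obj, inh, sid = fields
        yield Ace(ace_type, flags, parse_mask(rights), obj.lower(), inh.lower(),
                  SID_ALIASES.get(sid, sid))


def carries_extended_right(ace, right_guid):
    """An ACE covers an extended right when its mask has CR (or GENERIC_ALL) and
    its object type is either that right's GUID or empty, which means ALL
    extended rights. The empty case is what a GUID-only search misses."""
    if not ace.mask & (CONTROL_ACCESS | GENERIC_ALL):
        return False
    return ace.object_guid in ("", right_guid)


def classify(sddl):
    """Trustees of allow/deny ACEs for each of the two rights, in DACL order."""
    out = {"reset_allow": [], "reset_deny": [], "change_allow": [], "change_deny": []}
    kinds = {"A": "allow", "OA": "allow", "D": "deny", "OD": "deny"}
    for ace in parse_dacl(sddl):
        kind = kinds.get(ace.ace_type)
        if kind is None:            # audit/alarm ACEs do not affect access
            continue
        if carries_extended_right(ace, RESET_PASSWORD_GUID):
            out["reset_" + kind].append(ace.trustee)
        if carries_extended_right(ace, CHANGE_PASSWORD_GUID):
            out["change_" + kind].append(ace.trustee)
    return out


# Constructed DACL for illustration; it resembles, but is not copied from, the
# default user-object ACL. The two S-1-5-21-... SIDs stand for invented groups.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"   # Everyone: Change Password
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"   # SELF: Change Password
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)"                 # Account Operators: full control
    "(A;;GA;;;DA)"                                          # Domain Admins: GENERIC_ALL
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1107)"  # delegated reset
    "(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1108)"  # explicit deny
    "(A;;RPLCLORC;;;AU)"                                    # Authenticated Users: read only
)

if __name__ == "__main__":
    for key, trustees in classify(SAMPLE_SDDL).items():
        print(key, trustees)
```

In a live domain the same string comes from `(Get-Acl "AD:\<user DN>").Sddl` in PowerShell. Read the output the way the text above reads the rights: the change_allow list contains Everyone and SELF on every account and is not an exposure, since the domain controller still demands the current password; the reset_allow list (minus anyone in reset_deny, and after group expansion) is the one that answers “who can reset this password”.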

Now, by default, several Active Directory administrative groups, including Domain Admins, Enterprise Admins, the built-in Administrators group and Account Operators, are granted the “User-Force-Change-Password” (displayed as “Reset Password”) extended right on all domain user accounts, and thus many administrative personnel already have, by default, the ability to reset the passwords of most domain user accounts. (Accounts that are members of protected groups such as Domain Admins are an exception: the SDProp process periodically overwrites their ACLs with the ACL on the AdminSDHolder object, so who can reset their passwords must be read from there.) In addition, many organizations develop and implement custom delegation models, resulting in an even larger number of individuals being able to reset the passwords of most of their domain user accounts.

It is imperative to understand that ANYONE who effectively has the “User-Force-Change-Password” (i.e. “Reset Password”) extended right on a domain user account can instantly reset that account’s password and log on as that user.

Of course, once someone can reset a domain user account’s password, he/she can instantly log on as that user and obtain access to everything that user has access to: read and send email, and access, tamper with, copy or divulge everything the user has access to.

As a result, it is paramount to know AT ALL TIMES, exactly who can reset whose passwords in Active Directory.

Consequently, instead of asking organizations to audit “who can change whose passwords” regulatory compliance auditors should be asking them to audit “who can reset whose passwords”, since the ability to reset someone’s password instantly lets the perpetrator logon as the target user, and access everything the user has access to.

It is also possible for a malicious individual to reset a user’s password, log on as the user, engage in unauthorized access, and log off. When the actual user next attempts to log on, after a few unsuccessful attempts with the old password, he/she will unsuspectingly call Help Desk, and in most cases a Help Desk operator will simply reset the password again, without suspecting that someone may already have reset the user’s password and logged on. (The first reset is not invisible: on the domain controller that processed it, a password reset is logged as Security event 4724 naming the account that performed it, whereas a user’s own password change is logged as event 4723; a Help Desk that checks for a recent 4724 before resetting again would catch this pattern.)
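As an added example, not part of the original post: the Python below triages a handful of constructed Security-log records from a domain controller (invented for the illustration, not taken from any real log). On Windows Server 2008 and later, a domain controller records a user's own password change as event 4723 and a password reset as event 4724, each naming the acting account (SubjectUserName) and the account acted upon (TargetUserName); that is the change-versus-reset distinction as it appears in the log. The approved-operator set, account names and timestamps are assumptions made for the example.

```python
"""Triage of password events from a domain controller's Security log.
Event 4723 = an attempt was made to change an account's password (the caller
supplied the old password); 4724 = an attempt was made to reset an account's
password (the caller used the Reset Password right). Both carry the acting
account (SubjectUserName) and the account acted upon (TargetUserName)."""
from datetime import datetime, timedelta

EVENT_CHANGE_PASSWORD = 4723
EVENT_RESET_PASSWORD = 4724

# Constructed records for illustration, not taken from any real log. Only the
# fields the triage needs are kept; a real event carries them in its EventData.
SAMPLE_EVENTS = [
    {"time": "2014-06-16T08:02:11", "id": 4723, "subject": "jsmith",       "target": "jsmith"},
    {"time": "2014-06-16T09:15:40", "id": 4724, "subject": "hd-operator1", "target": "bjones"},
    {"time": "2014-06-16T22:41:05", "id": 4724, "subject": "contractor7",  "target": "ceo"},
    {"time": "2014-06-17T07:58:30", "id": 4724, "subject": "hd-operator2", "target": "ceo"},
    {"time": "2014-06-17T08:05:12", "id": 4723, "subject": "ceo",          "target": "ceo"},
]

# Accounts expected to perform resets (Help Desk); constructed for the example.
APPROVED_RESET_OPERATORS = {"hd-operator1", "hd-operator2"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def unexpected_resets(events, approved):
    """4724 events whose acting account is not an approved reset operator.
    These are the resets a permissions audit should have predicted."""
    return [e for e in events
            if e["id"] == EVENT_RESET_PASSWORD and e["subject"] not in approved]


def repeated_resets(events, window=timedelta(hours=24)):
    """Two resets of the same target by different subjects within the window:
    the pattern described above, where an intruder resets the password and the
    locked-out owner then has Help Desk reset it again."""
    resets = sorted((e for e in events if e["id"] == EVENT_RESET_PASSWORD),
                    key=lambda e: parse_time(e["time"]))
    pairs = []
    for i, first in enumerate(resets):
        for second in resets[i + 1:]:
            if second["target"] != first["target"] or second["subject"] == first["subject"]:
                continue
            if parse_time(second["time"]) - parse_time(first["time"]) <= window:
                pairs.append((first, second))
    return pairs


def self_service_changes(events):
    """4723 events where the subject is the account owner: ordinary changes,
    which prove knowledge of the old password and need no reset right."""
    return [e for e in events
            if e["id"] == EVENT_CHANGE_PASSWORD and e["subject"] == e["target"]]


if __name__ == "__main__":
    for e in unexpected_resets(SAMPLE_EVENTS, APPROVED_RESET_OPERATORS):
        print("reset by non-operator:", e)
    for first, second in repeated_resets(SAMPLE_EVENTS):
        print("double reset on", first["target"], ":", first["subject"], "then", second["subject"])
```

On the sample, the reset of the CEO's account by contractor7 is flagged twice: once because contractor7 is not an approved operator, and once because hd-operator2 reset the same account again nine hours later. The two 4723 events are ordinary self-service changes and raise nothing.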

You can imagine the consequences of someone being able to reset the password of an administrative account or an executive account – depending on the (mal-)intent and expertise of the perpetrator, the consequences could potentially be disastrous.

So, if I may, I’d like to humbly request compliance auditors to understand this vital difference, and perhaps the next time around, ask for a report of “who can reset user account passwords”, not “who can change user account passwords”.

Finally, when requesting this information, it is imperative to ensure that the audit report being furnished is based NOT simply on permissions analysis (a listing of the ACEs in each account’s ACL), but on effective permissions analysis, which accounts for group membership (including nested groups), deny ACEs, inherited and inherit-only ACEs, and the object type each ACE is scoped to, because only effective permissions reveal who can truly reset whose passwords.

This Impacts 85% of Organizations Worldwide

As you may know, today Active Directory is the bedrock of cyber security at over 85% of organizations worldwide.

Our global intelligence indicates that in most of these organizations, no one has any idea as to exactly who can reset whose passwords, even those of high-value targets i.e. Executive and Administrative Accounts.

This is unfortunately a highly concerning and alarming situation.

For instance, a while back, an employee of a multi-$B international company requested a trial of, and ran Gold Finger Mini in their environment here in the United States. In about 2 minutes, he was able to find out that over 700 individuals in the world had sufficient effective rights to be able to reset the password of that organization’s CEO’s domain user account. What was shocking to us is that neither the CEO, nor most of these 700+ individuals knew that they had sufficient rights to be able to reset the CEO's password.

Incidentally, this organization had outsourced the management of their Active Directory deployment to another multi-$B international company, and imagine my surprise when we learnt that there were some very prominent individuals on that 700+ user list, some of whom I know personally (most are in Europe and others in Asia).

For security reasons, both these companies shall remain nameless. (You know who you are.)

Wrapping it Up

A few weeks ago we informed our customer about this subtle yet important difference, and I am pleased to let you know that today they are performing an audit of "who can reset whose passwords" instead.

In summary, it is very important to know (at all times) exactly who can reset whose passwords. At a minimum, all organizations should know at least who can reset the passwords of all their Administrative/Privileged Accounts and their Executive Accounts (CEO, CIO, CFO and CISO) because it is the ability to reset passwords that is at the heart of the world's top cyber security risk today.

Well, my 10 minutes are up. (More next time.)

Best wishes,

Monday, June 9, 2014

The Active Directory Permissions and Effective Permissions Analysis Challenge - Solved


I hope this finds you doing well. Today, I was planning on sharing technical and contextual insights on arguably the most important technical subject in Active Directory Security – Active Directory Effective Permissions.

However, due to lack of time (and one other reason), I’ll focus on the technicals today. (I'll provide the context in a few weeks.)

The intention of sharing this today is to save 1000s of IT professionals 1000s of hours of painful, laborious and error-prone work, because based on our assessment of what’s out there, most folks are unfortunately still operating in the proverbial Stone Age.

The Stone Age of Active Directory Access Analysis

In case you’re wondering what I mean by “most folks are unfortunately still operating in the proverbial stone age”, let me explain.

You see, having written the book on this vital subject almost 10 years ago, and then, having not just solved this problem for Microsoft’s ecosystem (more on that below), but having made it as easy as touching a button, I find it amazing that most of the world is still trying to re-invent the wheel, chipping away at a colossal rock (i.e. a mighty challenge) with little stones, and in the process not only wasting valuable time and effort, but also not getting what they actually need to know i.e. effective permissions.

It’s been 10+ years since Microsoft released the whitepaper - Best Practices for Delegating Active Directory Administration.

(I happen to know so because I wrote that whitepaper.)

If you’re working on Active Directory delegations/permissions, chances are you’ve read it. If you haven’t read that paper yet, I highly recommend reading at least the first 2 chapters. If you’ve read it, you know how Active Directory’s security model works.

More importantly, if you've read it, you also know that if you need to find out who all effectively have a specific type of access on a specific Active Directory object, you need to find out who has what effective permissions on that object, NOT who has what permissions on that object.

Unfortunately, it appears that the subtle yet profound difference between permissions and effective permissions in Active Directory remains largely unknown, and as a result, everyday, in 1000s of organizations, IT personnel proceed to determine who has what permissions, when in fact what they really should be attempting to determine is who has what effective permissions.

The only thing more alarming is that to do so, they primarily seem to be relying on half-baked / amateur tools / scripts that not only cannot determine effective permissions, but in fact may not even always deliver reliable permissions insight. I say so because I doubt any of them have even been professionally and rigorously tested, let alone having been designed by proficient experts, and as you know, the only thing more dangerous/reckless than not having essential security insight, is acting upon unreliable insight.

Furthermore they’re most likely relying on incorrect/insufficient technical advice as well, such as this on Microsoft Technet.

Here’s the short of it –
Trying to determine effective permissions by hand from a permissions listing in Active Directory is a very difficult, time-consuming and highly error-prone process, because it requires taking into account, precisely, every factor that influences effective permissions: the principal’s complete group membership (nested and well-known groups included), explicit and inherited ACEs in their canonical order, deny ACEs taking precedence over allows, inherit-only and object-type (property, property set, extended right) qualifiers on each ACE, and the resolution of SELF to the object itself.
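To make those factors concrete, here is a small Python model of the access check, added here as an illustration; it is neither Microsoft's implementation nor the Gold Finger technology discussed on this page. It decides whether a principal effectively holds one extended right on one object from the ACEs on that object, a group-membership graph and the ordering rules above. The directory, groups, accounts and ACEs are constructed for the example; the model simplifies reality (trustees are names rather than SIDs, and only the extended-right dimension of the object type is modelled), but it is enough to show why the trustees listed in an ACL are not the same as who effectively has access.

```python
"""Model of the access check Active Directory applies to one extended right on
one object, used to compute *effective* access. ACEs are given as they sit on
the target object (inherited ones already propagated). The walk follows the
Windows order: explicit deny, explicit allow, inherited deny, inherited allow;
inherit-only ACEs are skipped; SELF stands for the object itself."""
from dataclasses import dataclass

RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password
ALL_RIGHTS = ""   # an ACE with no object GUID covers every extended right


@dataclass(frozen=True)
class Ace:
    allow: bool
    trustee: str                 # user or group name (a SID in a real DACL); "SELF" = the object
    right_guid: str              # one extended right, or ALL_RIGHTS
    inherited: bool = False
    inherit_only: bool = False   # applies to child objects only, not to this one


def expand_groups(principal, member_of):
    """All groups the principal belongs to, transitively (nested groups)."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def canonical_order(dacl):
    """Explicit ACEs before inherited ones; deny before allow within each."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def has_effective_right(principal, object_name, dacl, member_of, right_guid):
    token = {principal} | expand_groups(principal, member_of)
    if principal == object_name:
        token.add("SELF")
    for ace in canonical_order(dacl):
        if ace.inherit_only or ace.trustee not in token:
            continue
        if ace.right_guid not in (ALL_RIGHTS, right_guid):
            continue
        return ace.allow   # first applicable ACE decides a single-right request
    return False


def who_can(object_name, dacl, member_of, principals, right_guid=RESET_PASSWORD):
    """Principals that effectively hold the right on the object."""
    return sorted(p for p in principals
                  if has_effective_right(p, object_name, dacl, member_of, right_guid))


def directly_named(dacl):
    """What a plain permissions report shows: the trustees in the ACL itself."""
    return sorted({a.trustee for a in dacl})


# Constructed directory for illustration; names, groups and ACEs are invented.
MEMBER_OF = {
    "alice": {"Help Desk"},
    "Help Desk": {"Tier1 Ops"},              # nested: Help Desk is inside Tier1 Ops
    "bob": {"Contractors", "Tier1 Ops"},
    "carol": {"Domain Admins"},
    "dave": {"Auditors"},
}
CEO_DACL = [
    Ace(allow=False, trustee="Contractors", right_guid=RESET_PASSWORD),
    Ace(allow=True, trustee="SELF", right_guid=CHANGE_PASSWORD),
    Ace(allow=True, trustee="Tier1 Ops", right_guid=RESET_PASSWORD, inherited=True),
    Ace(allow=True, trustee="Domain Admins", right_guid=ALL_RIGHTS, inherited=True),
    Ace(allow=True, trustee="Auditors", right_guid=RESET_PASSWORD, inherited=True, inherit_only=True),
]
PRINCIPALS = ["alice", "bob", "carol", "ceo", "dave"]

if __name__ == "__main__":
    print("named in ACL:     ", directly_named(CEO_DACL))
    print("can reset CEO pwd:", who_can("ceo", CEO_DACL, MEMBER_OF, PRINCIPALS))
```

In the sample, a permissions report names Contractors, SELF, Tier1 Ops, Domain Admins and Auditors and not a single actual person. The effective computation shows that alice (through a nested group) and carol can reset the account; bob, although a member of the allowed group, cannot because of the explicit deny; dave cannot because the Auditors ACE is inherit-only; and the CEO can change, but not reset, his own password.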

Microsoft’s Effective Permissions Tab

To help determine effective permissions on Active Directory objects, Microsoft has devoted an entire tab to Active Directory Effective Permissions in the Advanced Security Settings (ACL Editor) dialog of the Active Directory Users and Computers tool.
Unfortunately, 3 issues render it practically unusable –

  1. It is self-admittedly inaccurate (its results are approximate; see the Microsoft KB article cited in the quotation further below).
  2. It is realistically unusable at scale, because it answers the question for only one user or group at a time: at best it displays a long list of check-boxes corresponding to the permissions that the specified user or group has. So if you’re trying to figure out who all have a given permission (e.g. Write Property access to the userAccountControl attribute), and you have 50,000 users in your Active Directory, you would have to enter each of those 50,000 identities one by one. That's not very user-friendly now, is it?
  3. The third issue I prefer not to shed light on yet.
I suspect that it is because of it being practically unusable that IT personnel worldwide have to end up resorting to writing scripts and/or using amateur tools to perform Active Directory permissions analysis.

The Aha! Moment

Finally, over 10 years later, IT personnel are starting to understand that this is actually a very difficult problem to solve, and in fact, here’s one of the first few public acknowledgments of this fact that we have seen, this one from a former Microsoft employee -
The author of the blog begins the post with the statement -

"Analyzing permissions in Active Directory is a quite difficult task for Active Directory administrators."

He continues, and I quote -
"First, because the Active Directory delegation capabilities are extremely powerful and could lead to highly complex hierarchy which is then hard to check."

"Second, because the built-in tools are limited: The permissions are displayed in the properties of each object, the effective permissions for a user on an object can be calculated but the usage is limited in large environment and provide approximated and sometimes inaccurate results (See Microsoft KB 933071). Other alternatives will also be describe in this post."

I commend him for taking the time to speak to the challenge. The challenge of trying to accurately determine effective access granted in Active Directory deployments is indeed one of the most difficult challenges in the field of Windows Security today.

Incidentally, he is a member of our global community of Active Directory Security Professionals, which today is comprised of 2000+ members from 100+ countries. I have to admit though that I am a bit surprised that he didn't mention that the problem's already been solved, because based on our records, he tried our Gold Finger solution on October 28, 2013, requesting a license for use in the domain.

Anyway, I wanted to save him and 1000s of other folks, 1000s of precious hours of their lives by letting them know that our patented technology has already solved this problem for the world, and made it as easy as touching a button. (See below.)

The Digital Age of Active Directory Access Analysis
Folks, we live in the digital age, and today, so many complex problems are being solved by automation, and this problem too is ideally one that is best solved by automation, because of the complexity involved and because of the analysis involved being highly error-prone.


However, before one can attempt to automate a solution to solve such a problem, one needs to understand it VERY well.
Over the last 14 years, I've personally spent 1000s of hours on this subject. In addition, our team at Paramount Defenses has collectively logged 20,000+ hours on solving the effective access audit challenge in Active Directory.

Based on our experience, I can tell you that this is a very difficult problem to solve especially when you’re trying to solve it on a domain full of objects. Trying to build an automated solution that can solve this problem in virtually any Active Directory environment is exponentially difficult.
(This is perhaps the reason that the Centrifys and Dells of the world, or for that matter the Hewlett Packards and Ciscos of the world, may not even have attempted to build a solution that can help organizations fulfil this fundamental cyber security need.)

At Paramount Defenses, we have invested over half a decade of innovative research and development to solve this one single problem for the world, and today we have made it as easy as touching a button -

Take a look -  
1. Let's say you wanted to find out who effectively has the Reset Password Extended Right (i.e. effective permissions) granted on Larry Page's (an IT admin) account. Point, click, done in about 8 seconds - 
Gold Finger 006 - Active Directory Effective Permissions Tool

2. Now, let's say you wanted to find out who all can effectively reset the passwords of all 50,000 domain user accounts in your Active Directory domain. Point, click, done in minutes -
Gold Finger 007 - Active Directory Access/Delegation Audit Tool

3. Having fully automated the difficult and the (almost) impossible, automating the easy stuff is, well, easy. So let's say you wanted to find out who has Write-Property permissions to modify the Account Restrictions property set, based both on an exact grant and on a blanket permissions grant (i.e. blanket Write Property), in a sub-tree rooted at the domain root but only 6 levels deep, and you wished to apply an LDAP filter to focus it on specific objects. Well, point, click, done -  
Gold Finger 005 - Active Directory Permissions Analyzer
4. Speaking of much easier stuff, let's say you wanted to analyze the ACL on the Americas OU in detail. That's too easy - 
Gold Finger 004 - Active Directory Permissions (ACL) Viewer

I could go on, but I think you'll get the drift. (BTW, bigger snapshots here.)
In essence, from advanced Active Directory ACL Analysis to fully-customizable, comprehensive Active Directory Permissions Analysis, and from Accurate, True Active Directory Effective Permissions Analysis to fully-automated domain-wide Active Directory Effective Delegated Access Analysis (i.e. Delegation Audit), our innovative patented technology has already made everything related to Active Directory permissions and effective permissions analysis as easy as touching a button.

The Active Directory Permissions and Effective Permissions Analysis Challenge - Solved

Folks, our innovative globally trusted, patented access assessment technology has already solved the great Active Directory permissions and effective permissions analysis challenge for the world, so organizations and IT personnel worldwide can focus their energies on quickly locking down access in their Active Directory, rather than spending 1000s of hours trying to find out who actually has what access in Active Directory.

(In case you don't know why quickly locking down access in Active Directory is paramount today, you may want to read this.)
There is no longer a need for IT personnel to waste their precious time by trying to use half-baked/amateur tools to manually try and solve a mountain of a problem, when they can just touch a button, have a sip of coffee and be done with it in minutes.
So, perhaps the next time you're enjoying a cup of coffee at work, you could solve one of the biggest challenges for your organization while doing so -
Best wishes,
PS: As for the contextual insight, it will have to wait (just) a bit.