Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Wednesday, August 5, 2015

Good Presentation on Modern Day Active Directory Attacks (Red Vs Blue) at Black Hat USA 2015 but seems to have missed the #1 Attack Vector


As you may know, Black Hat USA 2015 is currently being held in Las Vegas, and I believe there was a certain presentation titled Red vs Blue: Modern Active Directory Attacks Detection and Protection by a certain Mr. Sean Metcalf.

[ Now of course, if you know what we do at Paramount Defenses, then you know that if we wanted, we could easily have stolen anybody's thunder at Black Hat. However, when you have thousands of organizations from across a 150 countries worldwide knocking at your doors every month, you just don't have the time or the need to present at conferences. ]

 That said, as seen below, there (rightfully) was quite a bit of interest in this Active Directory Security focused presentation.

After all, given that Active Directory is the foundation of cyber security at over 85% of all business and government organizations across the world today, no one should be surprised by the interest this topic and presentation may have garnered.

For those who may not know this yet, 100% of all major recent cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, the OPM Breach) involved the compromise and misuse of just ONE  Active Directory privileged user account.

However, what surprises me is to see that even cyber security experts don't seem to know much about certain aspects of this critically important area of cyber security. The short of it is that if your Active Directory is compromised, you're proverbially finished, and the easiest way that a perpetrator could use to compromise your Active Directory wasn't even mentioned in this presentation at Black Hat!

Active Directory Attack Vectors

Specifically, I don't know what Mr. Sean Metcalf's background is, and perhaps he's an expert at attack vectors involving Kerberos tickets, but I was really surprised to find that in a presentation in August 2015 at Black Hat 2015 USA that is on Modern Day Active Directory Attacks, there is no mention of the #1 of all Active Directory attack vectors that could allow perpetrators to instantly compromise the account of any or all Active Directory Privileged Users without so much so as knowing how to spell the word HASH, let alone capturing a hash, or for that matter obtaining and using Kerberos tickets regardless of their type (Golden/Bronze/Whatever.)

Not ONE mention. Nada. Zero!  Seriously, I'm not sure if its funny or scary.

Perhaps I should share a little something about Active Directory Security for all cyber security professionals out there...

...with the right tooling, ANYONE with access to a domain-joined computer could easily find an Active Directory privilege escalation path leading to virtually any privileged user account of choice, within minutes, and once such a path has been found, with minimal computer security know-how, he/she could gain administrative privilege within minutes, WITHOUT having to go through all the pain involved in sophisticated hash and/or Kerberos ticket capturing/replay/blah-blah attacks.

Unfortunately its too damn easy -

(That attack vector is Active Directory Privilege Escalation based on the identification and exploitation of unauthorized access grants in Active Directory deployments aka "Reset the Password" (RtP).)

Fortunately, its 100% mitigatable.

If you want to see how vulnerable your own domain user account or that of a colleague, such as a Domain Admin is, you can do so, our compliments by using the world's most advanced cyber security penetration testing tool, Gold Finger Mini (Its Free.)

Pass-the-Hash (PtH), Golden Tickets, Silver Tickets etc. etc. are so yesterday and lame.

Alright now, if you'll excuse me, I'll get back to work.

Best wishes,

PS: A humble word of advice to all Active Directory Security Gurus out there - you may want to ramp up your Active Directory Security skills. Here's a good starting point.

Sunday, July 12, 2015

How to Identify & Minimize Privileged Users/Accounts in Active Directory


As former Microsoft Program Manager for Active Directory Security, I have shared helpful guidance below on how organizations can correctly and quickly search for and identify privileged users in their Active Directory in a simple 3-step process, and how they can minimize the number of privileged users in their Active Directory deployments, and adequately protect them.

But first, some quick background, below.

White House Orders U.S. Federal Agencies to Minimize Number of Privileged Users

In light of the recent OPM data breach at the U.S. Federal Government, the White House has ordered all U.S. Federal agencies to "tighten policies and practices for privileged users, including minimizing the number of people in this category."

White House

The White House issued this directive because in all likelihood, perpetrators first gained access to a non-privileged domain user account in OPM's Active Directory, then engaged in Active Directory Privilege Escalation to compromise an Active Directory privileged user account, and then used this Active Directory privileged account to gain access to millions of SF-85 & SF-86 forms.

In essence, if the compromise of a single privileged user account can cause such colossal damage, then in order to reduce the attack surface, it is only logical that the  #1 action organizations can take is to minimize the number of privileged user accounts.

However, before an organization can minimize privileged users, it needs to be able to correctly identify them, and accuracy is paramount, because, as the OPM breach has shown,  a perpetrator only needs to compromise one inadequately protected / vulnerable privileged account to inflict colossal damage.

Thus, the step-by-step guidance below is to help organizations correctly identify all privileged users in their Active Directory.

The Entire U.S. Federal Government runs on Active Directory

There are over 600 U.S Federal Agencies in the U.S. Government, and at the foundation of their cyber security lie their Active Directory deployments. For instance, the the U.S. Capitol, the CIA, FBI, DoD, DHS, DoT etc. all run on Active Directory.


Consequently, by privileged users, the White House is technically referring to Active Directory Administrative Accounts, because in Active Directory environments, all privileged users are stored in, managed in and protected by Active Directory.

Active Directory Privileged User Accounts - Holders of  the Proverbial "Keys to the Kingdom"

In Active Directory environments, all privileged accounts are stored in, protected by and managed in the Active Directory itself, and they get their system-wide access privileges by virtue of membership in various Active Directory Administrative Groups.

Keys to the Kingdom

Thus, technically speaking, all members of all Active Directory Administrative Groups hold the proverbial "Keys to the Kingdom."

Examples of some default Active Directory Administrative Groups include the Administrators (Built-in Admins) group, the Enterprise Admins group, the Domain Admins group, the Server Operators Group, the Account Operators group etc.

Unfortunately, in so many organizations, there is still a misconception that the list of privileged users in Active Directory environments is restricted to those accounts that are members of the Enterprise Admins of the Domain Admins groups.

Tip of the Iceberg

In reality, the Enterprise Admins and Domain Admins Groups are merely the Tip of the Iceberg.

The complete list of all groups in Active Directory that are privileged/administrative in nature, can be found in the Privileged Access Hierarchy section of the Active Directory Privileged Users reference.

How to Correctly Identify Privileged Users in Active Directory

It is of utmost importance to ensure that every single privileged user account in Active Directory is correctly identified, because as evidenced by the OPM hack, the compromise of a single privileged user account can result in colossal damage.

Privileged User

Complete step-by-step guidance on how to accomplish this objective (i.e. how to correctly identify privileged users in Active Directory) can be found here i.e. at how to identify privileged users in Active Directory. What follows is a shortened reproduction.

In order to correctly identify privileged users in Active Directory, an organization simply needs to identify all Active Directory accounts that fall under three levels of privileged access -

  • Level 1 (Immediate Direct Access) - Each Active Directory domain account that is directly or indirectly a member of every group that is listed in (or falls under the criteria of) the Privileged Access Hierarchy

  • Level 2 (Immediate Indirect Access) - Each Active Directory domain account that has - 
    • i. Sufficient effective permissions to be able to modify the membership of every group that is listed in the Privileged Access Hierarchy.
    • ii. Sufficient effective permissions to be able to modify the security permissions protecting every group that is listed in the Privileged Access Hierarchy.

  • Level 3 (Non-immediate (30-seconds away) Indirect Access) - For each account identified in Levels 1 and 2 above, identify each Active Directory domain account that has -
    • i. Sufficient effective permissions to be able to reset the account's password
    • ii. Sufficient effective permissions to be able to set the Password-not-required flag. Alternatively, if smartcards are in use, uncheck the Smart card is required for interactive logon option.
    • iii. Sufficient effective permissions to be able to modify the security permissions protecting the account.

Kindly note that it is imperative to ensure that every security group listed in the Privileged Access Hierarchy is taken into account AND that effective permissions are correctly determined on all involved Active Directory administrative accounts and groups.

Three Helpful Tools

As indicated above, it is extremely important to ensure that the list of all privileged users in Active Directory is correctly identified.

The steps outlined above are essential for correctly fulfilling this need. However, they do involve performing advanced analysis (e.g. complete nested group membership enumeration and true effective permissions determination) which can be time-consuming and prone to error when attempted manually on numerous objects.

(Note for advanced IT Pros: PowerShell scripts, LDAP searches based on admincount etc. are not going to be sufficient.)

However, with the right tools, the steps outlined above can be easily accomplished, within a matter of minutes, thus substantially reducing the amount of time and effort involved in the correct identification of privileged user accounts.

Active Directory Audit Tools

Here are three tools that can be very helpful in accomplishing the above steps -

  1. Active Directory Group Membership Reporting Tool - Report #2 of this tool View the complete nested group membership of an Active Directory security group can help instantly enumerate the complete membership of any Active Directory group, including all privileged (i.e. administrative) security groups identified in the Privileged Access Hierarchy, as required for the adequate and complete fulfillment of Level 1 requirement above.
  1. Active Directory Effective Permissions Calculator - Report #1 of this tool, Who has what Effective Permissions on an Active Directory object can help fulfill the effective permissions/access calculation/audit needs required for Level 2 (i and ii) and Level 3 (i, ii and iii) requirement above, one Active Directory object at a time, on every relevant Active Directory security group and account.
  1. Active Directory Administrative Access and Delegation Audit Tool - Multiple reports of this tool can be used to instantly fulfill the effective permissions/access calculation/audit needs required for Level 2 (i and ii) and Level 3 (i, ii and iii) requirement above, on all Active Directory privileged and non-privileged accounts and groups in a single assessment and one mouse-click, in minutes.

In addition, you can always use Report #1 Who can reset my account's password and Report #2 Who can reset a colleague's password of this free tool to instantly identify exactly how many users can reset a specific user's password, including yours, and that of any colleague (e.g. a Domain Admin, an Enterprise Admin, the CIO etc.).

A Real-World Example on the Importance of Levels 2 and 3 Above

The importance of ensuring that all Level 2 and 3 accounts above are identified is perhaps best understood with an example.

Last week one of our Technical Specialists was assisting the Director of IT of a multi-billion dollar organization identify privileged users in their Active Directory deployment, upon their request.

Their chief Network Admin (i.e. an "Enterprise Admin") had reported that the organization only had 7 Enterprise Admin accounts.

However, when together we proceeded to determine effective permissions on the Enterprise Admin security group, we found that 35 additional individuals had the ability to change the membership of the Enterprise Admins group. In other words, the total number of individuals who had Enterprise Admin level access was actually 42 (7 + 35), not 7.

Similarly, when we determined effective permissions/access on that specific Network Admin's account (i.e. the one who was on the call and was an Enterprise Admin), we found that 47 individuals had sufficient effective permissions/access to be able to reset the password of that Network Admin's domain user account. In other words there were at least 47 additional individuals who could instantly (i.e. at the touch of a button) elevate their privilege to be that of an Enterprise Admin if they wanted to.

In this manner, we proceeded to follow the steps outlined above, enumerating all Level 1, 2and 3 users based on the Privilege Access Hierarchy and identified 227 individuals who effectively had privileged (system-wide administrative) access. In contrast, the total number of individuals based solely on the default administrative group memberships was 36.

Thus, by including Levels 1 and 2, they identified 191 additional privileged (system-wide administrative) users in their network.

In each case (group membership change and password reset), these individuals were already sufficiently privileged (i.e. had sufficient delegated administrative access in Active Directory) to be able to elevate their privilege to that of an Enterprise Admin, at a button's touch, i.e. they already had the effective access needed to perform these sensitive tasks.

This real-world example illustrates why it is not sufficient to merely enumerate the number of membership of default Active Directory administrative groups when trying to determine the number of individuals that have privileged access. It is very important, and in fact paramount to ensure that not just Level 1, but also Level 2 and 3 accounts are accurately identified.

A Quick Note on the Importance of Effective Permissions

In the process of identifying Level 2 and Level 3 accounts, you will most likely need to determine effective permissions/access on various accounts and groups, In this regard, I just wanted to add that the importance of determining effective permissions / effective access, and doing so accurately, cannot be overstated. Specifically, here are 3 important aspects to be aware of -
  1. It is very important to know that there is a substantial difference between identifying "who has what permissions" and "who has what effective permissions". The two are NOT the same. There is a world of a difference between the two. Merely identifying "who has what permissions" is insufficient and is bound to provide inaccurate and misleading results.

    For example, consider a situation wherein a user John Doe, a helpdesk operator may be denied Reset Password permissions via an inherited ACE in the ACL of a Domain Admin's account.

    Now, just because there is a permission denying John Doe Reset Password, does not in fact mean that John Doe cannot in fact reset the Domain Admin's account's password. There could be another explicit permission allowing the Outsourced Contractors group All Extended Rights, and assume that the HQ Onsite Contractors is be a member of this group, and finally that John Doe is a member of the HQ Onsite Contractors group. In other words, in addition to there being a direct Deny (inherited) permission for John Doe, there is also an indirect Allow (explicit) permission that applies to John Doe. 

    As a result, because an explicit allow permission will always override an inherited deny permission, in effect, John Doe will in fact be able to reset the Domain Admin's password.

    As illustrated in this example, if you were merely looking at "Who has what permissions", you would falsely arrive at the conclusion that John Doe cannot reset the Domain Admin's account's password. However if you had been looking for "Who has what effective permissions", you would have rightly arrived at the conclusion that John Doe can in fact reset the Domain Admin's account's password. 

  1. If you utilize a tool to determine effective permissions/access in Active Directory, it is of utmost importance to ensure that whatever tool you wish to utilize delivers accurate results and is trustworthy.

    Accuracy is paramount because a single inaccuracy can mean the difference between being secure and being vastly vulnerable. As recently brought to our attention by one of our customers, an example of one such tool that is substantially inaccurate can be found here.

    Trustworthiness is also very important, because you most likely wouldn't want software written in say Russia or China being run or deployed in your production environment. A few simple questions that you can ask to assess the trustworthiness of any such tool can be found here.

  2. If you utilize a tool to determine effective permissions/access in Active Directory, you'll ideally want to use a tool that can accurately identify and reveal the list of all users that have a given effective permission/access combination, as opposed to a tool wherein you need to enter the identity of every user in your domain one user at a time to manually arrive at a list of all the users that have a given specific set of effective permissions on a given object, or on multiple objects. (If your organization has even 1,000 users and computers in its Active Directory forest, you wouldn't want to enter 1,000 names each time you need to determine effective permissions.)

How to Minimize Privileged Users in Active Directory and Adequately Protect Them.

With executive support and trustworthy guidance, organizations can minimize the number of privileged users in Active Directory.

Risk Mitigation
To help organizations worldwide reduce the likelihood of a security breach involving the compromise and subsequent misuse of a privileged user account, as well as to help them mitigate the risk posed by Active Directory Privilege Escalation, at Paramount Defenses, we have provided trustworthy guidance on how to minimize privileged users in Active Directory environments, here.


Additional Information

To help organizations worldwide reduce the likelihood of a security breach involving the compromise and subsequent misuse of a privileged user account, we have also provided valuable information on the impact of compromise of a privileged user, on the attack surface that organizations need to defend, on the attack vectors that are commonly used by perpetrators, and on the various sources of threat, including insiders and APTs, as well as on Active Directory Security.

Threat Intelligence

You are welcome to use this information towards evaluating and enhancing your organizations security posture. Start here.


As evidenced by the OPM breach, the compromise of a single privileged user account can result in colossal damage. In order to reduce risk, it is thus of utmost importance that organizations correctly identify all existing privileged users in their Active Directory, quickly minimize this number down to a bare minimum, and adequately protect them. The guidance provided above is designed to help organizations accomplish this objective quickly and reliably.

Should you have any questions or thoughts, feel free to leave a comment. I will do my best to answer them, time permitting.

Best wishes,

PS: Standard disclaimer: The use of any information provided above is subject to the disclaimer provided on this page.

PS2: Incidentally, if you liked this, I think you'll like this too.