Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Wednesday, June 22, 2016

Our Free Active Directory Audit Tool

Folks,

In a few days, I'll start shedding some light on vital Active Directory Security related matters that I believe most organizations seem to be in the dark about today. Until then, I just wanted to share some simple technical stuff on a few technical topics.


Today's is on our Free Active Directory Audit Tool,  the free version of our Gold Finger Active Directory Audit Tool, that we released recently to help organizations worldwide have a trustworthy choice when it comes to free security audit tooling for Microsoft Active Directory -
Free Active Directory Audit Tool

My time is very valuable, and the only reason I'm going to spend any time on this is because we care deeply about the foundational cyber security of all organizations worldwide. In case you find yourself wondering as to what a free Active Directory audit tool has to do with foundational cyber security, I think you'll find the answer to that question here.

Now that you know why this is important, you'll hopefully understand why I'm spending precious time on a blog entry on a free Active Directory Audit Tool. That said, the rest of this blog entry illustrates reports that IT personnel can generate from this tool.



Download Point

First things first. The tool can be downloaded from - http://www.paramountdefenses.com/free-active-directory-audit-tool.html.


Download


Our audit tool can be instantly downloaded and installed on virtually any computer in under 2 minutes. It does not require any administrative access or any changes to Active Directory to install, and it does not require any technical knowledge to use.





7 Helpful Features of our Free Active Directory Audit Tool

Our free Active Directory Audit Tool is a limited version of our licensable Active Directory Security Audit Tool, which is used by the world's top organizations across 6 continents worldwide today. Here are 7 helpful audit/reporting features that it offers -

Fully-automated one-button touch
Active Directory Security Audit Reporting

1. 100 Built-in Reports – Instantly generate 100+ essential ready-to-generate Active Directory audit reports
2. Custom LDAP Filters – Customize any report by specifying an LDAP filter of your choice (e.g. (title=C*O))
3. LDAP Filter Library – Define and use a custom LDAP filter library to generate a repeatable set of audit reports
4. Scope and Depth Control – Target any scope (domain, OU, etc.) and optionally restrict scope up to 10 levels
5. DC Specific Analysis and Alternate Credential Use – Target any DC and use alternate credentials
6. True Last Logon Reports – Generate 9 true last-logon reports based on non-replicated lastLogon attribute
7. Last Logon DC Identification – Identify the DC that authenticated the actual last logon of any account

The only limitation in the free version of our Active Directory Audit Tool is in its ability to perform data exports to CSV and PDF.




Unmatched Ease of Use

Here's how easy it is to use our free Active Directory Audit Tool to perform basic yet essential Active Directory security audits -
Generating Active Directory Security Audit Reports in 3 Simple Steps

Once the Gold Finger application has been launched, generating reports as easy as -
Step 1 - Select a report from amongst 100+ built-in Active Directory security audit reports.
Step 2 - Enter the distinguished name of your target Active Directory domain in the Scope field.
Tip - You can point Gold Finger to any OU, container, user account etc. of your choice The inbuilt search utility can be used to instantly locate any object (and its DN) in Active Directory.
You can also specify any LDAP filter, set scope (Base, One-Level, Sub-Tree) and restrict depth.
Step 3 - Press the Gold Finger button.

That's it. Gold Finger will instantly generate the report for you within seconds, and display the results in the Results Pane.





25 Real-World Examples

Our free Active Directory Audit Tool was specifically designed to make it as easy as is possible for organizations worldwide to be able to fulfill a vast majority of their basic yet essential Active Directory cyber security audit needs.

Here are some real-world examples that illustrate its Active Directory security audit capabilities:


1. Let's say you want to enumerate the list of all domain user accounts in your Active Directory domain. Click, done -
List of all domain user accounts in Active Directory

Gold Finger instantly retrieves and displays all domain user accounts in your Active Directory and displays all relevant attributes on every domain user account, including, but not limited to their name, titledepartment, last-logon time*, the date their password was last set, their contact info, email-address, logon name, account statusSAM account namesecurity identifier (SID), account expiration date, and other valuable information.




2. Let's say you want to generate a true last-logon report that documents the actual times at which all Active Directory domain users were authenticated by any one of our Domain Controllers. Click, done -
Active Directory True Last-logon Report

Whether your have 1 domain controller or 1,000 domain controllers, Gold Finger will automatically determine the true last-logon time for every domain user account in the domain, based on the retrieval and comparison of last-logon values from every domain controller in the domain.




3. Let's say you want to identify all domain user accounts in the domain that may have failed a logon attempt in the last 24 hours. Click, done -
Active Directory user accounts that may have failed a logon attempt in the last 24 hours

Such a report could help identify domain user accounts against which an insider may possibly be trying to carry our a password guessing attack.




4. Let's say you want to audit all domain user accounts that do not currently require passwords to logon. Click, done -
Active Directory user accounts that do not require passwords to logon
 
Ideally, there should be no domain user accounts that do not require a password to logon. (For instance, in the report displayed above, only the disabled Guest account meets this criteria.)

However, sometimes due to an accidental change by an administrator, settings could accidentally be changed, resulting in a situation wherein some domain user accounts may not require a password to logon to.

If a user could logon using someone else's account, he/she could potentially engage in malicious activity that could not be traced to them. Such a report could help identify such accounts.




5. Let's say you want to audit all domain user accounts that have not changed their password in the last 90 days. Click, done -
Active Directory user accounts that have not changed their password in the last 90 days.

Such a report could help enforce an established organizational password policy, which for instance, may require that all domain user account holders change their passwords every 90 days.

With Gold Finger, the number of days for all time-based can range up to 5000 days.




6. Let's say you want to identify all domain user accounts that do not have an expiration date set. Click, done -
Active Directory user accounts that do not have an expiration date.

It is generally desirable to ensure that domain user accounts have an expiration date set. Such a report could help identify any domain user accounts that do not currently have an expiration date.




7. Let's say you want to generate an audit report that documents the list of all domain user accounts that are not marked as sensitive, and thus can be delegated (; Kerberos delegation). Click, done -
Active Directory user accounts that are not sensitive and can be delegated.

In general, at the very least, ideally all administrative and executive domain user accounts should be marked as "Sensitive and cannot be delegated." This report could help find out whether they are any administrative or executive domain user accounts that can currently be delegated. (By delegation, the reference is to Kerberos delegation, not to administrative delegation.)




8. Let's say you want to audit all domain user accounts that can logon to any workstation. Click, done -
Active Directory user accounts that can long to any workstation.

In general, at the very least, administrative accounts should have designated workstations and ideally should not be permitted to logon to other workstations. This advice is primarily intended to help organizations minimize the possibility of Pass-the-Hash (PtH) attacks as well as Kerberos ticket replay related attacks.

This simple report could help find out whether they are any administrative accounts that can currently logon to any workstation. (By delegation, the reference is to Kerberos delegation, not to administrative delegation.)




9. Let's say you want to generate an audit report that documents the list of all domain user accounts that are considered to be "administrative" by Active Directory. Click, done -
Active Directory accounts considered by Active Directory as "administrative".

At the very least, all organizations must know at all times, exactly who is effectively provisioned what level of privileged access in their foundational Active Directory. While most organizations are not there yet, at the very least they should be able to identify exactly which domain user accounts in their Active Directory are considered "administrative" by Active Directory. This simple report can help them make this determination in seconds.

For advanced users, this report can also help them identify orphaned AdminSDHolder objects/accounts.




10. Let's say you want to audit all executive domain user accounts in Active Directory. Click, done -
All executive domain user accounts in Active Directory.

This report is a good example of how you can focus Gold Finger on any organizational unit. For instance, in this case, all executive user accounts are located in the Executive Mgmt OU, so by focusing Gold Finger on this OU, you can instantly enumerate all domain user accounts in the OU.

Alternatively, the same report could also be generated by focusing on the domain root and adding an LDAP filter such as (title=Chief*Officer) with any domain user account management reports.




11. Let's say you want to take a closer look at the CEO's domain user account in Active Directory. Click, done -
The CEO's domain user account in Active Directory.

Similarly, you can focus Gold Finger on any object in your Active Directory, such as a domain user account, a computer account, an OU, a service connection point etc., as well as view its details.




12. Let's say you want to quickly enumerate the list of all computers joined to the Active Directory. Click, done -
List of all computers joined to Active Directory.

For each domain computer account in Active Directory, Gold Finger will retrieve and obtain all relevant attributes such as the computer's nameDNS name, location, operating system, who it's managed by, the time it last authenticated, its SAM account nameSecurity Identifier (SID) and other relevant details.




13. Let's say you want to identify all domain computers that are currently trusted for unconstrained delegation. Click, done -
Domain-joined computers that are trusted for unconstrained delegation.

This report could help you identify all computers, that if compromised, could potentially be used to impersonate any domain user account who could be lured into being a client of an application running as System on this computer. A knowledgeable perpetrator could easily use this information to identify prime entry-level targets in your Active Directory.




14. Let's say you want to obtain a list of all domain controllers in Active Directory. Click, done -
List of all Domain Controllers in Active Directory.

For each domain controller, Gold Finger will retrieve and obtain all important attributes including their DNS name, location, operating system, who it's managed by, the time it last authenticated, its SAM account nameSecurity Identifier (SID) and other relevant details.

Of course, with our advanced tooling, you can instantly obtain substantially more high-value information, such as who can change the group policies linked to the Domain Controllers OU, or obtain administrative access over the domain computer account of a Domain Controller to then be able to easily elevate their privilege to that of a Domain Admin /Enterprise Admin rather easily.




15. Let's say you want to obtain a list of all domain security groups in Active Directory. Click, done -
List of all domain security groups in Active Directory.

This report could help you identity how many domain security groups exist in Active Directory, who's responsible for managing them, where in Active Directory they are located, etc.

Of course, with our advanced tooling, you could also easily enumerate their memberships, analyze their ACLs, find out where they have permissions in Active Directory, determine who can change their memberships, as well as who can control all of them, at the touch of a button.




16. Let's say you want to identify all domain security groups that are considered "administrative" by Active Directory. Click, done -
List of all domain security groups considered "administrative" by Active Directory.

At the very least, all organizations must know at all times, which domain security groups in Active Directory are considered "administrative" by Active Directory. Although this is merely the tip of the iceberg, this simple report can help them make this determination in seconds.

In general, organizations that need to be able to identify all privileged users/groups in Active Directory can do so based on our advice on how to correctly identify privileged access in Active Directory.




17. Let's say you want to identify all non-empty domain security groups in Active Directory. Click, done -
List of all non-empty domain security groups in Active Directory.




18. Let's say you want to quickly obtain a list of all organizational units in Active Directory. Click, done -
List of all organizational units in Active Directory.

Such a report could help ensure that management responsibilities for all OUs are assigned to someone and adequately covered.





19. Let's say you wanted to obtain a list of all Organizational Units within a specific Organizational Unit. Click, done -
List of all organizational units within a specific organizational unit.

For instance, the snapshot above shows how to easily enumerate the list of all OUs in the USA OU.





20. Let's say you want to generate a list of all Organizational Units that are located that are within 3 levels of depth from the domain root. Click, done -
List of all OUs that are within 3 levels of depth away from Active Directory.

Such a report could help IT personnel easily enumerate all high-level OUs in your Active Directory, that might possibly contain a large number of Active Directory users, groups, computers etc.





21. Let's say you want to audit the list of all Group Policy Objects (GPOs) in Active Directory. Click, done -
List of all group policies in Active Directory.




22. Let's say you want to generate a list of all printers that are published in Active Directory. Click, done -
List of all printers published in Active Directory.




23. Let's say you want to obtain a list of all Service Connection Points (SCPs) in Active Directory. Click, done -
List of all service connection points in Active Directory.





24. Let's say you want to obtain a list of all objects in your Active Directory. Click, done -
List of all objects in Active Directory.

This report can be focused on any tree in any partition, including the Configuration and Schema partitions, so for instance, combined with an LDAP filter, you could audit everything from the list of all Sites in the Configuration container, to all Schema classes in the Schema, to all authenticable security principals in your domain all identified in a single report.





25. Finally, let's say you wanted to generate a custom Active Directory security audit report, such as generating a report that lists all domain user accounts whose title contains the world cloud. Click, done -
Scope options in Gold Finger.

I should also mention that you can not only focus any security audit report available in Gold Finger on any domain, organizational unit, container or object in Active Directory, you can also apply a custom LDAP filter to every report as well as specify the scope, and set a custom depth level.


With our free Active Directory Audit Tool, you can do this in any domain in the world today, for free.




1%

I should mention that Gold Finger's Security Audit Reports are only 1% of what Gold Finger is capable of and was designed for.

We primarily built Gold Finger to help organizations do what no other entity (company, vendor, group or individual) in the world can help them do i.e. correctly identify who effectively has what privileged access across an entire Active Directory domain.
Effective Privileged User/Access Insight

Again, the only reason we're even spending 5 minutes on sharing more about our free Active Directory audit tool is to protect 1000s of organizations worldwide from potentially being compromised by the use of untrustworthy (malicious) tooling.





Option to Generate CSV Exports and PDF Reports

It might be helpful to know that with a simple upgrade to a paid license, the results of every report available in our free Active Directory Audit Tool can both, be instantly exported (in CSV format), as well as you can also generate completely customizable professional-grade PDF reports, complete with custom headings, fields, logo, footer, password etc.
A custom PDF report.

For more information on CSV exports and PDF report generation, you can visit - http://www.paramountdefenses.com/active-directory-security-audit-tool.html





4 Benefits

Our free Active Directory Audit Tool delivers the following benefits to organizations worldwide –
Fully-automated Active Directory security audit report generation.

1.  Instantly, easily and trustworthily perform a complete or custom inventory of Active Directory content. 
2.  Easily audit the state, status and settings of any, some or all resources stored in Active Directory.
3.  Efficiently, cost-effectively and trustworthily fulfill all basic and essential Active Directory security audit requirements. 
4.  Obtain 365-24-7, on-demand, real-time insight into the security state of all vital IT resources and content stored in Active Directory.




Delivering Unique Value

As mentioned above, our Security Audit Tool delivers only about 1% of the value that we deliver to organizations worldwide. What we care deeply about is helping organizations address possibly the biggest cyber security challenge they are faced with today - helping them accurately identify exactly who has what privileged access in Active Directory -

Effective Privileged Access Audit

Towards that end, here are a few of our high-value tools that we uniquely focus on -
1. Active Directory Administrative/Privileged Access and Delegation Audit Tool
2. Active Directory True Effective Permissions / Effective Access Audit Tool

Of course, we also build simpler Active Directory audit tools including the world's best Active Directory Permissions Analyzer, Active Directory ACL Viewer/Exporter, Kerberos Token-size Calculator, and a Group Membership Enumeration tool.





Trustworthiness Matters

As the world's top cyber security company, we care deeply about security and trust, so we go to great lengths to set the gold standard when it comes to the trustworthiness of the software we build for the world.


We also believe that all organizations deserve to have a trustworthy option when it comes to free Active Directory Audit Tooling, which is why we decided to build and make available a free version of our tooling.





Wrapping up

So there you have it. My time's up - that was a quick 5 minute overview our free Active Directory Audit Tool.

It is my privilege to share with you that in less than 50 days of its release, our novel free Active Directory Audit Tool has been downloaded in 50+ countries worldwide and is being used by many of the world's top business and government organizations.

You too can download your free version from - http://www.paramountdefenses.com/free-active-directory-audit-tool.html

Thanks,
Sanjay.

No comments:

Post a Comment