Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, July 29, 2016

Active Directory Beyond the MCSE for the Black Hat Conference 2016


Today, the reputed Black Hat Conference 2016 kicks off in Las Vegas. It is heavily sponsored by some of the biggest cyber security vendors, and over the next few days, 1000s of attendees will have over 100 briefings to choose from to attend.
The Black Hat Conference

100+ briefings. NOW, at the very foundation of cyber security of over 90% of all organizations worldwide, including at the foundation of most organizations that are sponsoring it and attending it, lies the bedrock of enterprise security in a Windows Server based IT infrastructure - Active Directory, and guess how many briefings out of 100 are on Active Directory Security?

1. In case you didn't get that, I'll spell it out: ONE.  ( Uno, Un, 一, один, एक.)  moja (that's 1 in Swahili for crying out loud!)

That's right, ladies and gentlemen, at the very foundation of cyber security of over 90% of all organizations worldwide lies Active Directory, and the Black Hat Conference 2016 has 1 briefing on its security, titled Active Directory Beyond the MCSE.

Although I needn't say a word more, because the Black Hat Conference Review Board's selection of briefings only seems to have exemplified a global lack of gravitas on the paramount subject that is Active Directory Security, I will. Seriously, 1/100?

By the way, the abstract for the briefing Active Directory Beyond the MCSE by Sean Metcalf (whose efforts I respect) begins with - "Active Directory is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities." The word leveraged may be an understatement because it suggests that these organizations have a real choice.

Active Directory - An Organization's Most Valuable Digital Asset

In reality, in a Microsoft Windows Server based IT infrastructure, Active Directory is the very foundation of distributed security (network authentication, resource authorization and auditing) and in fact the very lifeline of the network. In reality, please know that in a Microsoft Windows Server based IT infrastructure, not a LEAF moves without the Active Directory being involved.

So, allow me to share the paramount importance of Active Directory Security with you - "Should an organization's foundational Active Directory deployment be compromised, its very foundation of cyber security would have been compromised." Period.

Should your Active Directory be compromised, from privileged user accounts to executive accounts (CEO, CFO, CIO, CISO etc.), and from the entirety of your hosts to the entirety of your data, everything could potentially be instantly compromised.

Need one say more?

In fairness, the Black Hat Conference Review Board did have an opportunity to demonstrate gravitas and double that ratio to (a still dismal) 2/100, because a briefing titled - "How to (i.e. an intruder could) own a Microsoft Active Directory deployment within minutes  / Zero to Enterprise Admin within Minutes." was also submitted. Unfortunately, to Black Hat's own loss, it was declined.

Let me repeat that. A briefing titled "Active Directory Beyond the MCSE" by an MCM was accepted, but a briefing titled "How to own a Microsoft Active Directory deployment within minutes" by an ex-Microsoft Active Directory security expert was declined.

To us, it made no difference. For thousands of Black Hat attendees though, they're unfortunately going to miss out on learning about something profoundly important - the existence of 1000s of easily exploitable privilege escalation paths that lie (literally) within the foundational Active Directory deployments of their employer's organizations, and jeopardize their security today.

Billions of ACLs within Active Directory Deployments Worldwide (An Attack Surface the Size of the Pacific Ocean)

Folks, today, in thousands of Active Directory deployments across the world, right within these Active Directory deployments, lie billions of access control lists (ACLs) protecting billions of vital Active Directory objects, which represent administrative accounts and groups, executive and employee user accounts, all domain computers accounts, all domain security groups, service connection points, group policies, contacts, and the entirety of Active Directory configuration content (including the Schema, the Configuration partition, the System container, the domain root object etc. etc.) The list goes on and on and on...

... yet, virtually no organization seems to know exactly who has what privileged access in their foundational Active Directory.

In short, if you're into Active Directory security, you'll want to (literally) look INTO Active Directory, and when you look inside, you'll find an ocean of security permissions protecting Active Directory objects, with the ratio of permissions to objects exceeding 50:1 on average. Domain Admins are just the tip of the iceberg in this ocean of Active Directory and its security permissions.

In fact I doubt anyone at the Black Hat Conference 2016 has any idea how to actually analyze these billions of ACLs worldwide to determine exactly who has what effective access across organizations worldwide. We were happy to open the world's eyes into this vast ocean that lies within Active Directory, and show them just how easy it is for intruders to connect the dots and obtain the keys to any door in the kingdom, as well as the Keys to the Kingdom. Unfortunately for the conference's attendees, thanks to the Conference Review Board's probable lack of understanding of this stuff, we're not going to (be) do(ing) that.

Oh well, I'm sure the Review Board must have had its reasons. They all seem to be accomplished experts and we wish them well.

My time is very valuable, so I will leave it at this.

But I will pose just one question to the Black Hat Conference Review Board because it impacts global cyber security today. Of course, any presenter at Black Hat 2016, as well as any sponsor of Black Hat 2016 may also feel free to answer the question -

A Simple Question -

With the introduction of the DCSync feature in Mimikatz, the security of an entire Active Directory deployment (and by extension the security of the very foundation and thus the entirety of that organization) boils down to this:
Anyone who effectively has the Get Replication Changes All extended right granted to them in the access control list (ACL) protecting the domain root object can now easily compromise the credentials of all Active Directory domain accounts, including those of all Active Directory privileged user accounts, and 0wn the organization.

It logically follows that only the absolute bare minimum (0/1) number of individuals should effectively have this right granted.

Now, though by default, only the most highly privileged administrative personnel have this right effectively granted, since most Active Directory deployments have been around for many years, in almost all of them, the ACL protecting the domain root may have been modified several times, and as a consequence the default access may have changed substantially, resulting in a situation wherein a potentially excessive number of individuals might effectively possess this right, yet no one may really know exactly how many individuals effectively have the Get Replication Changes All extended right granted today, and who they are.

ACL on the domain root object in Active Directory

Thus today it is imperative and paramount for every organization in the world to know exactly who effectively has the Get Replication Changes All extended right granted in the ACL of their domain root object, and how they have it. (The need to know how is essential for being able to lock-down access for all those who currently have this critical access effectively granted, but should not have it.)

So the simple $100B question is -
"Precisely HOW should 90% of organizations worldwide (i.e. those that operate on Active Directory) make this paramount determination in their foundational Active Directory deployments?"  i.e. how do they find out exactly who effectively has the Get Replication Changes All extended right granted in the ACL of their domain root object, and how they have it?

By HOW, I mean that I'd like for someone (anyone) to demonstrate how to make this determination accurately and in a timely manner, in a real-world Active Directory environment, where there might easily be 100+ permissions specified in the domain root ACL, each permission allowing or denying some form of access to some user, group or well-known security principal.
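
As a starting point for the determination described above, this added example (not code from this post or its author) parses a domain root security descriptor in SDDL form and lists each ACE that names the right by its rightsGuid or covers it through all extended rights. The sample SDDL and its SIDs are constructed, and the listing stops at the ACE level: it does not expand group membership or resolve allow/deny precedence, which is what effective access requires.

```python
import re

# rightsGuid of DS-Replication-Get-Changes-All, the right the post names.
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL
# Constructed sample DACL for a domain root (SIDs and RIDs are made up).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"  # Get Changes only
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"
    "(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1107)"
    "(A;CI;GA;;;DA)"
    "(A;CIIO;GA;;;S-1-5-21-1-2-3-1108)"  # inherit-only: not applied to the root
    "(A;;RPRC;;;AU)"
)

def pairs(field):
    """Split an SDDL flag/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def has_control_access(rights):
    """True if the rights field (letter codes or hex mask) includes control access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | 0x10000000))  # or GENERIC_ALL
    return bool(pairs(rights) & {"CR", "GA"})  # Generic All maps to full control

def replication_aces(sddl):
    """List DACL entries that allow or deny Get-Changes-All on this object."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl).group(1)
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # conditional ACEs carry extra fields; out of scope here
        ace_type, flags, rights, obj_guid, _, trustee = fields
        if ace_type not in ("A", "D", "OA", "OD") or "IO" in pairs(flags):
            continue  # skip ACE types not handled here and inherit-only entries
        if not has_control_access(rights) or obj_guid.lower() not in ("", GET_CHANGES_ALL):
            continue  # no control access, or scoped to a different extended right
        found.append({
            "trustee": trustee,
            "effect": "allow" if ace_type in ("A", "OA") else "deny",
            "how": "named right" if obj_guid else "all extended rights",
            "inherited": "ID" in pairs(flags),
        })
    return found

if __name__ == "__main__":
    print(*replication_aces(SAMPLE_SDDL), sep="\n")
```

Each trustee in the output is still only a SID or group alias; the members behind a group such as DA, and any deny entry that applies to them, have to be resolved separately before the result says who effectively holds the right.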

I look forward to an answer from the Black Hat Conference because it directly impacts foundational cyber security worldwide.

What else could be more important than denying perpetrators the 2nd easiest opportunity to 0wn entire Kingdoms worldwide?

I'll let you be the judge of whether or not this is important enough to have been presented at Black Hat, especially in light of this.

Best wishes,

PS: In fairness, I did ask them too - A Simple $100B Active Directory Security Question for Alex Simons at Microsoft.

PS2: I will answer this question in a few days, right here on this blog as well as there on that blog.

1 comment:

  1. Excellent read. Thank you. The harsh reality is that most IT leaders with their fascination for outsourcing have lost track of what Active Directory is and what it means to their organization.