Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Thursday, January 26, 2017

30 Days of Advanced Active Directory Security School for Microsoft (& WD)

Folks,

Starting May 22, 2017, as former Microsoft Program Manager for Active Directory Security and as one of Microsoft's biggest well-wishers, in the very best interest of Microsoft and thousands of its organizational customers worldwide, I will spend a few minutes each day for the next 30 days to help the brilliant folks at Microsoft better understand Active Directory Security.



Here's why -

Over the last ten years, almost 10,000 organizations from 150+ countries worldwide have knocked at our doors, completely unsolicited, to request our assistance in fulfilling a paramount organizational cyber security need, which is the need to know "Who has what privileged access in their foundational Active Directory deployments?" and here's how most dialogues start -
Organization:  "Hello. I'm a Domain Admin at <organization>. We have been provisioning and delegating access in our Active Directory for many years now, but we don't know exactly who is provisioned and delegated what access in our Active Directory today. We need to find out who has what permissions in our Active Directory so that we can identify exactly who is provisioned/delegated what privileged access in our Active Directory."
Our Response: "Hello. We can certainly help you 'audit who has what permissions in Active Directory'  BUT as you may know, to correctly identify who has what privileged access in Active Directory, one needs to (accurately) determine effective permissions in Active Directory, domain-wide. Identifying 'who has what permissions' is merely the starting point for determining effective permissions. Our unique Effective Permissions Calculator and Privileged User Access Audit Tool automate the entire process and could help you do so easily."
Organization:  "That's great, but wait, what are you talking about? What are Effective Permissions?! I'm not sure I've heard that term before. In fact, I don't think I've ever come across it in any Microsoft security guidance."

Let's stop right there for a moment and think about this!  If, (and this is what we're seeing across the world,) even Domain Admins at so many organizations worldwide do not seem to know what "effective permissions" are, that's a serious problem.

("Effective permissions", especially "Active Directory Effective Permissions" are paramount to organizational cyber security, because they control not only who has the keys to every door in the Kingdom, but also who has the "Keys to the Kingdom.")




Unbelievable

Shocked by such responses, we took a closer look at the top-3 official Microsoft Active Directory security guidance sources -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

Specifically, we did a simple keyword search for the term "effective permissions" across each of these three official authoritative sources of guidance from Microsoft, and guess how many instances of the term "effective permissions" we found across them?

Zero!      нуль, nul, صفر , 零,Null, μηδέν, ʻole, אֶפֶס , शून्य, ゼロ,제로, nihil, sero !


Effective permissions are so fundamental and important to Windows Security and Active Directory Security that in Microsoft's own tooling, it is one of the 4 main tabs - Owner, Permissions, Auditing and Effective Permissions! (Sadly, it is inadequate.)


Microsoft's security guidance amply covers Permissions, Auditing and Owner(ship), but when it comes to Effective Permissions, ZERO coverage!

To make a long story short, having spoken to 1000s of Microsoft's customers, we have found that due to a complete decade+ lack of guidance from Microsoft on the most important aspect of Active Directory Security i.e. "Effective Permissions", at 1000s of business and government organizations worldwide, let alone CISOs, IT Managers and IT Auditors, even highly-privileged Active Directory admins (i.e. Domain Admins) do not even seem to know what effective permissions are!

Now, if you don't even know what effective permissions are, you're far far away from understanding just how critical they are to organizational cyber security, and how paramount the ability to accurately determine effective permissions in Active Directory is!



This is Paramount

As you may know, 100% of all major recent cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account. Considering that, did you know that each of the Top-10 ways to gain privileged user access in Active Directory exploit and involve having excessive effective permissions?!


Given Active Directory's foundational role at most business and government organizations worldwide today, this is paramount.

In light of this, we are completely baffled, stupefied, and blown-away to see a complete lack of guidance from Microsoft to its organizational customers on what undoubtedly is one of the most vital technical aspects of organizational cyber security today!

Could it be that Microsoft itself does not understand the importance of determining effective permissions in Active Directory?!

(I sincerely hope not, because if that's the case, it just shows that perhaps they don't deeply understand cyber security yet, and if that's the case, I'm not sure how the world can be expected to consider moving to their cloud offering, Microsoft Azure, yet?)

Personally speaking, having been on Microsoft's Windows Server Development Team, it appears that they may likely no longer have a dedicated role or team focused on Active Directory security (which if true, in itself, would be astonishing), and if so, given how esoteric the nature of this subject is and the depth required to comprehend it, the likelihood of anyone outside such a team easily comprehending it and driving the necessary education etc., is low. To me, that's the only plausible explanation that could explain how they could have totally forgotten to educate their customers about such an important security topic. All said and done, to have provided zero guidance on such a vital topic for over a decade suggests that likely they too don't understand it.

I will say this much - Active Directory is one of the most valuable, solid, secure and highly-securable foundational technologies ever built. It can be easily adequately secured and defended at all times with appropriate insight, expertise and resources. The only (one BIG) shortcoming in it is that it lacks an accurate and adequate* effective permissions / effective access assessment / audit capability (both, per-object and tree-wide.) Fortunately, our innovative patented technology (embodied in 1, 2) uniquely & perfectly fulfills this shortcoming, making Active Directory ROCK-solid and bullet-proof. We run a bullet-proof Active Directory.

* More on this in days to come.



In Summary

It's 2017, not 2007. Microsoft's organizational customers worldwide, in their own best interest i.e. to protect the very foundation of their cyber security, need to unequivocally understand the paramount importance of being able to accurately audit effective permissions/access in Active Directory, without any further delay, and Microsoft should be helping them understand it.

I would like to see Microsoft provide appropriate guidance to its customers, (because given the uniqueness and importance of what we do, our job is to help those organizations that understand this stuff, fulfill this essential need, help out with a few more, and address this foundational risk; it is NOT our job to educate ALL of Microsoft's customers on such a basic and fundamental Windows security topic), so to help Microsoft too better understand the paramount importance of effective permissions to Active Directory security, over the next 30 days, I'm going to most respectfully help them better understand Active Directory Security.

Fortunately for Microsoft and thousands of its valued customers, the most difficult part of the problem has already been solved. (The bigger problem is that so many organizations don't even seem to be aware that this is a massive problem to their security.)

Let there be no doubt or mistake about one fact - left unmitigated, this esoteric cyber security risk represents a hole the size of a football field in a jetliner's fuselage, and poses a serious threat to the foundational security of so many organizations worldwide.



An Open Invitation

So, starting May 22, 2017, for the next 30 days, every day I'll speak to certain aspects from this syllabus, right here on this blog. By the way, strictly speaking the title should have been "Basic Active Directory Security School", but I shall leave it at such.

Everyone working on Active Directory and Cyber Security at Microsoft, such as at the Windows/AD Product Dev Team, Azure Team, Cyber Security Team, Microsoft Consulting Services, Product Support Services, TwC, MS IT, etc. is welcome to tune in.

In fact, anyone and everyone, across the world, interested in learning more about Active Directory Security, is equally welcome.

Best wishes,
Sanjay


PS1: BTW, WD (as mentioned in the title of this blog post, and also as alluded to here) is the SDDL mnemonic for "Everyone".

PS2: Speaking of everyone, last week, I shared some helpful Trillion Dollar Cyber Security Insight for President Donald Trump.

PS3: To my esteemed former colleagues at Microsoft, imagine a scenario wherein this problem exists (and poses a real threat to (y)our organizational customers) but a solution doesn't. (Fortunately it does, thanks to the vision and passion of one of you.)

Monday, January 23, 2017

Gold Finger - The World's Best Active Directory Audit Tool

Folks,

Hope your New Year's off to a good start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 9th.


Today most organizations that operate on Microsoft Active Directory (and there are 1000s across 150+ countries worldwide) have a need to be able to perform not just basic but also advanced audits to fulfill a variety of imperative cyber security needs -
  1. Active Directory Security ... details
  2. Privileged Access Audit ... details
  3. Attack Surface Reduction ... details
  4. Insider Threat Protection ... details
  5. Audit and Regulatory Compliance ... details
Unfortunately, at organizations worldwide 1000s of IT professionals struggle to fulfill a majority of these needs, because of two main reasons - a) the solutions required to fulfill these critical needs don't seem to exist (except for one), and b) the depth of knowledge and understanding required to fulfill these needs correctly i.e. precisely and accurately, is lacking substantially.

For instance, although Microsoft provides many basic tools such as dsacls, acldiag, LDP, ADUC, the Effective Permissions Tab, etc., these tools cannot help even one organization correctly answer even the most basic of cyber security questions such as -
  1. How many privileged users does the organization actually have?
  2. Who is delegated what administrative access where and how in Active Directory?
  3. How many individuals can reset the password of a Domain Admin to become proverbial God?
  4. How many individuals can change the Domain Admins group membership to become proverbial God?
  5. How many individuals can use Mimikatz DCSync to instantly compromise the credentials of the entire organization?
The lack of adequate solutions and the awareness required to perform such critical audits can primarily be attributed to the baffling lack of vital security guidance provided by Microsoft to its organizational customers. More on that on Jan 24th, 2017.

Thus, while there are many solutions today that can help organizations with reactive after-the-fact auditing, there are virtually no adequate audit solutions that can help organizations perform before-the-fact proactive effective access audits. Except one...




Gold Finger - Quite Simply The World's Best Active Directory Audit Tool

Any IT/AD/cyber-security pro worth his salt will tell you that not only is the need to know "Who can do what in Active Directory" paramount to cyber security, it is not "who has what permissions" but "who has what effective permissions/access" that matters.

Considering that, allow me to share with you the world's most capable, powerful and valuable Active Directory Audit Tool -

Gold Finger Active Directory Audit Tool

Simply put, Gold Finger can do in a matter of minutes, whenever needed, what could take an army of the world's best Active Directory security professionals and consultants from organizations like Microsoft Consulting Services an entire year to do -
  1. Automatically, precisely and correctly audit effective privileged access (incl. delegated) across an entire Active Directory
  2. Automatically, precisely and correctly audit effective permissions/access on any Active Directory object
  3. Automatically, precisely and correctly audit permissions across an entire Active Directory

Of course, considering it can do the impossible at a button's touch, it can also do the simple stuff with equal ease -
  1. Audit basic Active Directory security, such as account, group and OU management, true last-logons etc.
  2. Audit Active Directory group memberships, such as "What groups does a user belong to" etc.
  3. Audit Kerberos token-sizes including performing domain-wide Kerberos token-size calculations
  4. Audit Active Directory ACLs, security permissions/rights and domain-wide ACL dumps etc.

Also, because we care deeply about cyber security, we built it to the highest standards of trustworthiness.




The Swiss Army Knife of Active Directory Audit Tools

When you acquire and deploy Gold Finger, you have the world's most powerful cyber security arsenal at your finger tips -
  1. The World's only accurate Active Directory Administrative Access and Delegation Audit Tool
  2. The World's only accurate Active Directory Effective Permissions/Access Calculator
  3. The World's most comprehensive Active Directory Permissions Analyzer
  4. The World's most advanced Active Directory ACL Viewer and Exporter
  5. The World's only fully-automated, professional Kerberos Token-size Calculator
  6. The World's simplest Active Directory Group Membership Reporting Tool
  7. The World's most trustworthy Active Directory Security Audit Tool (including the Free version)

So, if there's an audit to be done in Active Directory, chances are Gold Finger can get it done, and do so at a button's touch.



Simply put, if you truly understand Active Directory Security, and its role in cyber security worldwide, then you know that Gold Finger is possibly the most capable cyber security solution in the world. (There isn't a tool on the planet that comes close to it.)

Perhaps that's why, from the United States to Australia, the world's most powerful government and business organizations across six continents worldwide use it and depend on it to secure the very foundation of their cyber security today.

To learn more, please visit - http://www.paramountdefenses.com/goldfinger.html

Best wishes,
Sanjay

PS: I only know so much about it because I architected it.  Now, onward to January 26th, 2017.

Friday, January 20, 2017

The Top-10 Ways in which an Intruder or a Rogue Insider Could Escalate Privilege to Domain Admin in Active Directory

Folks,

I hope this finds you doing well. Earlier today, I just shared some cyber security insight for U.S. President Donald Trump.

Today I also wanted to share with you the top-10 easiest ways in which an intruder or a rogue/compromised/coerced insider could easily escalate their privilege to that of a Domain Admin in virtually any Active Directory environment in the world.

It should also be noted that not a single one of these ways involves using pass-the-hash or Kerberos ticket meddling techniques. In fact, not a single one of these ways requires the victim to logon to any computer, let alone one owned by the perpetrator.

The enactment of any one such way could result in the perpetrator obtaining privileged (Domain Admin equivalent) access.




Top-10 Ways to Escalate Privilege to Domain Admin in Active Directory

Here are the Top-10 Ways to Escalate Privilege to Domain Admin in Active Directory environments -


  1. If one has sufficient effective permissions to replicate secrets from Active Directory, one can effortlessly use the DCSync feature of the Mimikatz tool to obtain the credentials of all domain user accounts, including those of all privileged users.

  2. If one has sufficient effective permissions to modify permissions on the domain root object, one could easily add an inheritable permission granting oneself or any account controlled by oneself Full Control across the entire domain, thus obtaining full control on 99% of all objects in the domain, i.e. on all objects whose ACL is not marked Protected.

  3. If one has sufficient effective permissions to reset the password of even one Domain Admin account, one can effortlessly reset the password of that Domain Admin account and logon as that account to escalate privilege.

  4. If one has sufficient effective permissions to modify the group membership of even one privileged Active Directory security group (e.g. Domain Admins, Enterprise Admins, Builtin Admins, etc. or any non-default group that has privileged access), one could easily add one's own account or an account controlled by the perpetrator, to escalate privilege.

  5. If one has sufficient effective permissions to modify critical Active Directory configuration content, such as vast amounts of information stored in the Configuration partition, the Schema partition and/or the System container in the domain partition, one could easily escalate privilege. For instance (and this is one of 100+ examples), if one could modify the defaultSecurityDescriptor attribute on the SchemaClass object User in the Schema partition, one could automatically control every newly created domain user account that may ever be made a member of any privileged group.

  6. If one has sufficient effective permissions to modify permissions on the access control list protecting the AdminSDHolder object, one could easily escalate privilege by granting oneself or any account controlled by oneself any desired level of control on all default administrative accounts and groups protected by the AdminSDHolder process in Active Directory.

  7. If one has sufficient effective permissions to modify gpLink and gpOptions attributes on the default Domain Controllers organizational unit (OU), one could easily link a compromising group policy (GPO) to the OU, and use it to gain sufficient user rights and privileges on all of the domain's Domain Controllers (DCs) that would allow one to logon to any DC and obtain system-level access, such as by having the Act as part of Operating System user-right granted to oneself.

  8. If one has sufficient effective permissions to establish an incoming forest trust or an external trust with the domain, one could instantly establish trust with a domain in which one possesses administrative control, and use well known means to elevate privilege in this domain.

  9. If one has sufficient effective permissions to modify the attribute that controls whether or not passwords are required for authentication on any one Domain Admin account, then one could easily set this setting and proceed to logon to that account without needing to enter a password, thus instantly elevating privilege to that of a Domain Admin.

  10. If any form of MFA (Multi-factor authentication) such as Smartcards etc. or a variety of other band-aids are in use, if one has sufficient effective permissions on even one Domain Admin user's account, one could simply disable the use of Smartcards and/or a 3rd party MFA control by tweaking the involved attribute on the user account, then proceed to perform a password reset and logon using one's password of choice, thus having escalated privilege within seconds.

To reiterate, the enactment of any one of these ways, by any one individual, even one time, would be sufficient for a perpetrator to obtain privileged access in an Active Directory environment, and strictly speaking this would be a colossal security breach.

Also to reiterate, not a single one of these ways involves using pass-the-hash or Kerberos ticket meddling techniques. In fact, and consequently, none of these ways requires the victim to logon to any computer, let alone one owned by the perpetrator.





Escalation, Not Persistence

Perhaps there are some who might say that these are the top ways of establishing "persistence", not of "escalating privilege."


To them I say that "persistence" is just a fancy concept that Microsoft seems to have recently come up with.

Those who truly understand security know that once a privileged user account has been compromised in your system, it is technically Game-over, because from that point on, the very fabric of trust would have been pierced and compromised, and continuing to operate on such a compromised system would be tantamount to, from that point on and onward, exposing the entirety of the organization's digital footprint i.e. all digital communications, assets, secrets, data etc. to the intruder.


As such, there is always the scenario, wherein a proficient perpetrator, given a single opportunity to obtain such privileged access, having gained so, could easily automate the destruction of an entire domain, leaving nothing more to protect.

(In such a scenario, "persistence" would be meaningless.)

The other thing to note is each of these methods of privilege escalation could be enacted by anyone that has a domain user account or access to a domain-joined computer. All the perpetrator needs are sufficient rights i.e. sufficient effective permissions in Active Directory to be able to enact certain tasks that are typically delegated amongst many IT personnel.

Now, in most Active Directory environments today, there are many many more individuals and service accounts that already possess the ability to enact the ways outlined above. This is because most Active Directory deployments have been around for years, and an extensive amount of delegation and/or provisioning of access rights has been done in Active Directory over the years. Further, since most organizations do not possess the means to audit these delegations, in all likelihood, they have no idea as to exactly who can enact these tasks in their environments, and in most organizations there could be many accounts including those belonging to various contractors and service accounts that have sufficient privileges to enact these tasks today.

In essence, today intruders could identify the presence of a vast number of existent yet arcane unauthorized privileged access grants in Active Directory and easily exploit them to elevate privileges and gain Domain-Admin equivalent privileged access.

To reiterate, each and any one of these ways can give the perpetrator instant privileged access, and once a perpetrator has privileged access, he/she could instantly lock everyone else out, rendering any attempts to stop him/her virtually useless.




Mitigation

I should also mention that each of these risks can be easily, swiftly and reliably mitigated by every organization today.


All that organizations require to mitigate these risks is the ability to accurately audit effective permissions in Active Directory.

This simple fundamental capability can be used to ensure that all access provisioned/delegated in Active Directory is adherent to the principle of least privilege, thereby ensuring that no unauthorized individuals possess the ability to enact any such tasks.
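
The difference between "who has what permissions" and "who has what effective permissions" can be shown on a single object. The Python sketch below is an added example, not code from this blog or from any Paramount Defenses or Microsoft tool; it models only nested group expansion and canonical ACE ordering (explicit deny, explicit allow, inherited deny, inherited allow). Every account, group, right label and ACE in it is constructed sample data, and real Active Directory evaluation involves further factors that this model leaves out.

```python
"""Simplified model of an effective-permissions check on one AD object.

All accounts, groups, right labels and ACEs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str              # "allow" or "deny"
    trustee: str           # user or group the ACE names
    rights: frozenset      # right labels (constructed, not real AD GUIDs)
    inherited: bool = False


def expand_groups(principal, member_of):
    """Return the principal plus every group it belongs to, nested ones included."""
    seen, stack = {principal}, [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))


def effective_rights(principal, acl, member_of):
    """Map each right the principal effectively holds to the ACE that grants it."""
    identities = expand_groups(principal, member_of)
    granted, denied = {}, set()
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        for right in ace.rights:
            if ace.kind == "deny":
                # A deny only blocks rights not already granted by an earlier ACE.
                if right not in granted:
                    denied.add(right)
            elif right not in denied and right not in granted:
                granted[right] = ace
    return granted


def who_can(right, users, acl, member_of):
    """Users that effectively hold the right on the object."""
    return sorted(u for u in users if right in effective_rights(u, acl, member_of))


def naive_trustees(right, acl):
    """What a plain ACL listing shows: trustees named in allow ACEs for the right."""
    return sorted({a.trustee for a in acl if a.kind == "allow" and right in a.rights})


# Constructed sample: ACL on a hypothetical privileged user object.
RESET = "reset-password"
USERS = ["alice", "bob", "carol", "dave", "erin"]
MEMBER_OF = {
    "alice": ["Helpdesk-L1"],          # nested: Helpdesk-L1 is a member of Helpdesk
    "Helpdesk-L1": ["Helpdesk"],
    "bob": ["Helpdesk", "Contractors"],
    "carol": ["Contractors"],
    "erin": ["Interns"],
}
ACL = [
    Ace("allow", "Helpdesk", frozenset({RESET, "write-property"}), inherited=True),
    Ace("deny", "Interns", frozenset({RESET}), inherited=True),
    Ace("allow", "dave", frozenset({RESET})),
    Ace("allow", "erin", frozenset({RESET})),
    Ace("deny", "Contractors", frozenset({RESET})),
]

if __name__ == "__main__":
    print("ACL listing names :", naive_trustees(RESET, ACL))
    print("Effectively able  :", who_can(RESET, USERS, ACL, MEMBER_OF))
    for user in who_can(RESET, USERS, ACL, MEMBER_OF):
        src = effective_rights(user, ACL, MEMBER_OF)[RESET]
        origin = "inherited" if src.inherited else "explicit"
        print(f"  {user}: via {origin} allow ACE for {src.trustee}")
```

On the sample ACL, the plain listing names Helpdesk, dave and erin, while the accounts that can effectively reset the password are alice (through a nested group), dave and erin (whose explicit allow takes precedence over an inherited deny); bob is in Helpdesk but is blocked by an explicit deny.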

To learn more about Active Directory Effective Permissions, see slides 31 through 44 of this deck on Active Directory Security.

(Note: Keyword here is accurately. Beware of freely available yet dangerously inaccurate effective permissions tooling - here.)





A Double-Edged Sword

The ability to determine effective permissions in Active Directory environments is a double-edged sword today. Here's why -


If attackers could determine effective permissions in Active Directory even if only with partial (e.g. 20%) accuracy, such as by using a free but inaccurate effective permissions calculator such as this one, they could still identify multiple domain accounts that possess the ability to enact any one of these tasks, thereby having identified highly valuable and potent yet substantially less-protected domain user accounts that they could then focus their target and compromise efforts at to gain privileged access.

For instance, should an intruder be able to determine that a certain delegated admin John Doe possesses the ability to enact any one of the tasks above, all he/she has to do is compromise John Doe's account and he/she would be seconds away from escalating privilege and taking over the entire environment. This is about 100 times easier than trying to directly compromise a highly-protected Domain Admin account OR find out where a Domain Admin may have logged on and/or may logon, or trying to lure him to logon, and then use archaic pass-the-hash or Kerberos ticket meddling techniques to try and gain privileged access. I'll repeat that - it is 100 TIMES EASIER.

By the same token, defenders could use the ability to determine effective permissions in Active Directory to identify and eliminate all unauthorized access in Active Directory, thus eliminating any opportunities for the attackers to exploit them.

The ability to determine effective permissions in Active Directory is thus extremely valuable to both attackers and to defenders.

While partial accuracy (e.g. 20%) may be sufficient for attackers (as they only need to identify a few such accounts) and can today be obtained by using dangerously inaccurate free effective permissions tooling such as this, defenders do require 100% accuracy, because they do need to identify and eliminate all unauthorized access, and thus absolutely require trustworthy, accurate effective permissions tooling, such as this. A highly pertinent and relevant real example that illustrates the substantial advantage that defenders (organizations) can swiftly gain over attackers by using effective permissions can be found here.




Concluding Thoughts

As I conclude this post, allow me to share two insightful pointers with you, which concern the easiest way in which a perpetrator could compromise an entire Active Directory environment within minutes, as well as how to easily thwart his/her ability to do so -


  1. A Simple $100B Active Directory Security Question for Alex Simons at Microsoft
  2. How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync
Incidentally, these 2 pointers concern and impact the foundational security of every organization operating on Active Directory.

To those who wish to learn more (including Microsoft), I highly recommend - Defending Active Directory Against CyberAttacks


Finally, as I had indicated a few days ago, starting January 26th, 2017, I'll be doing my bit to help the wonderful folks at Microsoft and across the world better understand the most vital aspect of organizational cyber security, Active Directory Security, right here on this blog.  Stay tuned!

Best wishes,
Sanjay

Tuesday, January 10, 2017

World's Only Accurate Active Directory Privileged User/Access Audit Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 8th.

Active Directory Privileged User/Access Audits - A Paramount Need

Today every single organization that operates on Microsoft Active Directory has a paramount cyber security need to be able to accurately audit privileged access in its foundational Active Directory deployment. What else could be more important?
A few examples of such paramount Active Directory privileged access audits include -


  1. Exactly how many privileged access users do we have in our foundational Active Directory?
  2. Exactly who has what privileged access in our foundational Active Directory?
  3. Exactly how does someone have privileged access in our Active Directory?
  4. Exactly who can manage all of our privileged users and groups in our Active Directory?
  5. Exactly who has what privileged access over all our vital Active Directory domain user accounts, domain computer accounts, domain security groups, Organizational Units, etc. (and there could be 1000s of them)?

If you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters; the difference is colossal and could very well be the difference between security and compromise.

Most organizations do not even seem to know that they need to be able to determine effective permissions/access in Active Directory, and do so accurately, to maintain a sound cyber security posture. At those who do know, IT personnel struggle to fulfill this paramount need; they try writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP, the Effective Permissions Tab, etc., or relying on one free 3rd party audit tool that is dangerously inaccurate.

To begin with, the knowledge required to write a script that could accurately determine effective permissions on even a single Active Directory object, let alone thousands of Active Directory objects, is such a rarity that let alone most IT personnel I doubt even many $ Billion cyber security companies would know where to even begin. That said, many well-intentioned IT admins who care deeply about security do proceed to endeavor to write and use substantially inaccurate scripts to do so.

Assuming they could write an accurate script to do so, here are 5 issues/challenges that they will most likely run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. The Microsoft Effective Permissions Tab is not only self-admittedly inaccurate, it is woefully inadequate.
  4. All free 3rd party tools that claim to do Active Directory effective permissions are substantially inaccurate.
  5. Manually attempting to determine effective permissions on thousands of Active Directory objects could take years.

It is unequivocally clear to us that what organizations need is an accurate, efficient and reliable (tamper-proof) Active Directory Privileged Access Audit Tool that could help IT personnel worldwide easily & trustworthily fulfill this paramount need.

So we built the world's only accurate Active Directory Privileged Access Audit Tool so it could help all IT admins, analysts, auditors and others easily and trustworthily fulfill their paramount Active Directory privileged user access audit needs.



Gold Finger Active Directory Administrative Access and Delegation Audit Tool

The Gold Finger Administrative Access and Delegation Audit Tool is quite simply the world's only accurate Active Directory Privileged User/Access Audit Tool. There's simply nothing quite like it in the world, and once you've used it, you'll know why -  

Gold Finger Active Directory Privileged User Access Audit Tool

If you can touch a button, you can now (for the first time ever) accurately and easily find out exactly who has what privileged access across an entire Active Directory domain, in effect accomplishing an almost impossible feat, at the click of a button!


Capability Overview

Here's a quick overview of the tool's top 10 features/capabilities -
  1. Accurate Assessment – Accurately audit exactly who has what privileged access in Active Directory, taking all factors (e.g. precedence orders, memberships expansions, conflict resolution etc.) that impact effective access into account.
  2. Complete Automation – Automatically audit effective privileged access across an entire Active Directory domain.
  3. Enterprise Scalability – Swiftly assess effective privileged access across even large Active Directory deployments.
  4. Source Identification – Find out exactly which underlying permissions grant a user specific effective privileged access.
  5. Zero Configuration – Instantly deploy the tool on any machine without requiring a single change anywhere whatsoever.
  6. Real-Time Analysis – Instantly audit and verify an administrative delegation as soon as it is made in Active Directory.
  7. Intuitive Interface – Easily view all privileged access, all users who have such access, where they have it and how so.
  8. Professional-grade Report Generation – Easily generate and furnish privileged access audit reports in PDF format.
  9. Analysis Exports – Instantly export audit results for offline analysis, sharing, report submission and archival.
  10. DC Specific Analysis and Alternate Credential Use – Target any domain controller, and use alternate credentials.



Design Goals

Here are the 7 main design goals we set and met for Gold Finger -
  1. Accuracy - Accuracy is everything, and Gold Finger is the world's only accurate privileged access audit tool.
  2. Automation - The tool must be able to automatically determine effective permissions/access across thousands of Active Directory objects accurately and quickly so organizations can obtain this paramount insight within minutes, not months.
  3. Actionable Insight - The tool must deliver results in the form of actionable insight i.e. its results must be calculated and displayed in terms of entitled administrative tasks, and also show exactly who can perform them, and exactly how so.
  4. Source-Identification - It can pinpoint the underlying permission that entitles a user to performing a specific task.
  5. Data output - IT personnel should be able to effortlessly export the raw data for archival, rich analysis etc.
  6. Ease of use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  7. Trustworthiness - When it comes to security, Gold Finger also sets the bar and gold standard for trustworthiness.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory effective permissions audits you can perform with Gold Finger -


  1. Discover exactly who has unrestricted privileged access in the Corp domain.
  2. Find out exactly who can create, delete, manage and control entire Organizational Units in the Corp domain.
  3. Find out exactly who can manage and control all privileged and executive domain user accounts in the Corp domain.
  4. Find out exactly who can change the membership of critical privileged/administrative groups such as Domain Admins.
  5. Find out exactly who can manage every executive and administrative account and security group in the Corp domain.
  6. Find out exactly who can create and delete domain user accounts, security groups and OUs in the Corp domain.
  7. Find out exactly who can reset the passwords of all domain user accounts, including those of privileged/executive users.
  8. Find out exactly who can disable the requirement to have Smart-card authentication for all domain user accounts.
  9. Find out exactly who can modify or delegate administrative (privileged) access in Active Directory, where and how.
  10. Uncover thousands of privilege escalation paths leading to critical privileged access across an entire Active Directory.




Trusted Worldwide

Today, our Gold Finger Active Directory Administrative Access and Delegation Audit Tool is used worldwide by the world's top organizations to easily fulfill the paramount cyber security need of being able to precisely identify privileged users and privileged access in their foundational Active Directory deployments.

Best wishes,
Sanjay

Monday, January 9, 2017

The World's Only Accurate Active Directory Effective Permissions Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 7th.

Active Directory Effective Permissions Audits - A Mission-Critical Need

Today every organization that operates on Microsoft's Active Directory has a mission-critical cyber security need to be able to accurately audit effective permissions in their foundational Active Directory deployments, to protect the entirety of their organizational IT resources. A few examples of such essential Active Directory effective permissions audits include -


  1. Who has sufficient effective permissions to be able to replicate secrets from Active Directory? (Implications & details.)
  2. Who has sufficient effective permissions to be able to control every Active Directory administrative account?
  3. Who has sufficient effective permissions to be able to control every Active Directory administrative group?
  4. Who has sufficient effective permissions to be able to manage all executive accounts (i.e. those of the CEO, CIO etc.)?
  5. Who has sufficient effective permissions to be able to manage all vital Active Directory domain user accounts, domain computer accounts, domain security groups, Organizational Units, etc. (and there could be 1000s of such objects)?

If you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters; the difference is colossal and could very well be the difference between security and compromise.
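The gap between the two questions can be shown on a constructed ACL. The following Python sketch is an added example, not code from this blog or from Gold Finger; it models only three of the factors named on this page (group membership expansion, canonical ACE precedence, and allow/deny conflict resolution), and every user, group, right and ACE in it is made-up sample data. It ignores object-specific ACEs, property sets and well-known principals, so it is a teaching model, not an audit tool.

```python
from typing import NamedTuple

class ACE(NamedTuple):
    trustee: str        # user or group named in the ACE
    allow: bool         # True = allow ACE, False = deny ACE
    inherited: bool     # True = inherited from a parent container
    rights: frozenset   # simplified right names (assumption)

# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {
    "Help Desk": {"bob", "Contractors"},
    "Contractors": {"carol"},
    "Account Admins": {"dave", "carol"},
}
USERS = ["bob", "carol", "dave", "erin"]

# Constructed ACL on a hypothetical executive user account.
ACL = [
    ACE("Account Admins", True, True, frozenset({"ResetPassword", "WriteProperty"})),
    ACE("bob", False, True, frozenset({"ResetPassword"})),
    ACE("Help Desk", True, False, frozenset({"ResetPassword"})),
    ACE("Contractors", False, False, frozenset({"ResetPassword"})),
]

def token_for(user):
    """Return the user plus every group reached through nested membership."""
    token, changed = {user}, True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token

def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))

def effective_rights(user, acl):
    """Walk the ACL in canonical order; the first ACE to decide a right wins."""
    token = token_for(user)
    granted, denied = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.rights - denied
        else:
            denied |= ace.rights - granted
    return granted

def named_in_allow_aces(right, acl):
    """The 'who has what permissions' view: trustees listed in allow ACEs."""
    return {ace.trustee for ace in acl if ace.allow and right in ace.rights}

def who_can(right, acl, users=USERS):
    """The 'who has what effective permissions' view, resolved per user."""
    return sorted(u for u in users if right in effective_rights(u, acl))

if __name__ == "__main__":
    print("Named in allow ACEs:", sorted(named_in_allow_aces("ResetPassword", ACL)))
    print("Effectively allowed:", who_can("ResetPassword", ACL))
    for user in USERS:
        print(user, sorted(effective_rights(user, ACL)))
```

In this sample, bob appears in the ACL only in a deny ACE yet can reset the password, because the explicit allow he receives through Help Desk precedes the inherited deny; carol is in two groups with allow ACEs yet cannot, because the explicit deny on Contractors is evaluated first.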

Most organizations do not even seem to know that they need to be able to determine effective permissions in Active Directory, and do so accurately, to maintain a sound cyber security posture. At those that do know, IT personnel struggle to fulfill this mission-critical need - they try writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP, the Effective Permissions Tab, etc., or relying on this free 3rd party audit tool which is dangerously inaccurate.

To begin with, the expertise required to write a script that can accurately determine effective permissions in Active Directory is so rare that most IT personnel may not even know where to begin. That said, many may still proceed to write and use substantially inaccurate scripts to do so.

Further, assuming they could write an accurate script to do so, here are 4 issues/challenges that they will most likely run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. The Microsoft Effective Permissions Tab is not only self-admittedly inaccurate, it is woefully inadequate.
  4. All free 3rd party tools that claim to do Active Directory effective permissions are substantially inaccurate.

It is unequivocally clear to us that what organizations need is an accurate, reliable (tamper-proof) and above all a trustworthy Active Directory Effective Permissions Audit Tool that could help IT personnel worldwide easily & trustworthily fulfill this need.

So we built the world's best and only accurate Active Directory Effective Permissions Calculator / Audit Tool so it could help all IT admins, analysts, auditors and others easily and trustworthily fulfill their Active Directory effective permissions audit needs.



Gold Finger Active Directory Effective Permissions Calculator / Audit Tool

The Gold Finger Effective Permissions Calculator is the world's only accurate Active Directory Effective Permissions Audit Tool:

Gold Finger Active Directory Effective Permissions Calculator / Audit Tool


If you can touch a button, you can now (for the first time ever) accurately and easily fulfill all your Active Directory effective permissions audit and compliance reporting needs. Click, done. It quite simply is as simple and as remarkable as that.


Capability Overview

Here's a quick overview of the tool's top 10 features/capabilities -
  1. Accurate Analysis – Accurately determine effective permissions on any Active Directory object, taking all factors (e.g. precedence orders, memberships expansions, conflict resolution etc.) that influence effective access into account.
  2. Real-Time Analysis – Instantly view & verify resulting change in effective permissions as soon as a permission changes.
  3. Full Automation – Instantly determine effective permissions and effective access at the touch of a single button.
  4. Full Coverage – Determine effective permissions on any Active Directory object in any Active Directory partition.
  5. Intuitive Interface – Easily view all effective permissions, all users who have them, and their underlying permissions.
  6. Permission-Centric Analysis – Instantly enumerate all users who are granted a specific effective permission / admin task.
  7. Source Identification – Find out exactly which underlying permission is granting a user a specific effective permission.
  8. Effective Access Insight – Find out both, who has what effective permissions and who has what effective access.
  9. Analysis Exports – Export effective permissions for offline analysis, sharing, audit report submission and archival.
  10. DC Specific Analysis and Alternate Credential Use – Target any Domain Controller, and use alternate credentials.


Design Goals

Here are the 6 main design goals we set and met for Gold Finger -
  1. Accuracy - Accuracy is everything, and Gold Finger is the world's only accurate effective permissions calculator.
  2. Complete Picture - It calculates and shows the complete set of effective permissions entitled on an Active Directory object, and it also shows the identities of all security principals for whom a specific effective permission is entitled.
  3. Source-Identification - It pinpoints the underlying security permission that entitles a user to a specific effective permission.
  4. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.
  5. Ease of use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  6. Trustworthiness - When it comes to security, Gold Finger also sets the bar and gold standard for trustworthiness.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory effective permissions audits you can perform with Gold Finger -


  1. Find out exactly who has Extended Right - Get Replication Changes All effective permissions granted on domain root.
  2. Find out exactly who has what effective permissions (e.g. Blanket Write-Property) granted on the Domain Admins group.
  3. Determine exactly who has Write-Property - Member effective permissions on the Domain Admins security group.
  4. Find out exactly who has Write Property - userAccountControl effective permissions on a DC's computer account.
  5. Determine exactly who has Delete or Delete Tree effective permissions on the Corp OU containing 1000s of objects.
  6. Find out exactly who has Extended Right - Reset Password effective permissions on the CEO's domain user account.
  7. Determine exactly who has Extended Right - Send As effective permissions on the CFO's domain user account.
  8. Find out exactly who has Modify Permissions effective permissions on the domain root object or on AdminSDHolder.
  9. Determine exactly who has Extended Right - Apply Group Policy effective permissions on the Domain Controllers OU.
  10. Determine exactly how John Doe has Write-Property - Member effective permissions on the Domain Admins group.




Trusted Worldwide

Today, our Gold Finger Active Directory Effective Permissions Calculator is used worldwide by the world's top organizations to easily fulfill the mission-critical cyber security need of being able to accurately audit Active Directory effective permissions.

Best wishes,
Sanjay

Friday, January 6, 2017

The World's Best Active Directory Permissions Analyzer

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 6th.

Active Directory Permissions Audits - An Essential Need

It goes without saying that today virtually every organization that operates on Microsoft's Active Directory has an essential need to be able to audit Active Directory security permissions because Active Directory security permissions ultimately protect the entirety of the organization's IT resources. A few examples of such essential Active Directory permissions audits include -


  1. Who has what security permissions/rights in Active Directory, which ones and where?
  2. Who has what security permissions/rights on a specific Active Directory object and how?
  3. What security permissions/rights does a specific user or security group have in Active Directory?
  4. Where does a specific user or group have any kind of modify permissions/rights in Active Directory?
  5. Who has what security permissions/rights on critical Active Directory objects such as the domain root object etc.?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.

To fulfill these essential needs, IT admins worldwide use various means, such as writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP etc., or relying on some 3rd party audit tools many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) permissions audit tool that can help all these IT personnel easily & trustworthily fulfill their essential Active Directory security permissions audit needs.

So we built possibly the world's best (most capable) Active Directory Permissions Analyzer that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their essential Active Directory security permissions audit needs.



Gold Finger Active Directory Permissions Analyzer

The Gold Finger Permissions Analyzer is the world's most capable and trustworthy Active Directory Permissions Audit Tool -

Gold Finger Active Directory Permissions Analyzer

If you can touch a button, you can now easily, comprehensively and above all, trustworthily fulfill all your Active Directory security permissions/rights audit and compliance reporting needs. Active Directory permissions audits could not be simpler.


Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Rapid Analysis and Enterprise Scalability – Analyze entire Active Directory domains within a matter of minutes.
  2. Rich Analysis Criteria – Find permissions based on grant type (allow/deny), inheritance (explicit/inherited), permission type (e.g. Write Property), security principal (any user, security group or well-known security principal) and scope.
  3. Group Membership Inclusion – Automatically include the impact of group memberships when analyzing permissions.
  4. Real-time Schema Availability – Specify any class, attribute or extended right defined in your organization's AD Schema.
  5. Complete Flexibility – Customize analysis scope via use of custom LDAP filters (e.g. (&(objectClass=user)(title=C*O)).)



Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Customization - Every report can be completely customized using LDAP filters as well as scope and depth control.
  4. Complete Flexibility - IT personnel can search for any kind of Active Directory security permission, including specific permissions and extended rights, as well as permissions granted anywhere to a specific user/group etc. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory security permissions audits you can perform with Gold Finger -

  1. Identify all security principals that have any kind of modify permissions granted anywhere in the Corp domain.
  2. Identify all security groups that have All Extended Rights granted anywhere in the Corp domain.
  3. Identify all users that have the Reset Password Extended right granted on any domain accounts in the Executives OU.
  4. Identify all security principals that have Delete permissions granted on any organizational unit (OU) in the Corp domain.
  5. Find out if the Temporary Contractors group is granted any security permissions anywhere in the Corp domain.
  6. Find out which security permissions, if any, are granted to John Doe anywhere in the Production OU.
  7. Find out which users are explicitly granted the Create Child - User permission anywhere in the Headquarters OU.
  8. Find out who has Deny permission granted anywhere in the Corp domain, and whether they are Explicit or Inherited.
  9. Determine whether John Doe has Write Property - Member permissions on any administrative group in the Corp domain.
  10. Determine who has Send As permissions granted on the CEO's mail-enabled domain user account.




Trusted Worldwide

Today, our Gold Finger Active Directory Permissions Analyzer is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill the entirety of their essential Active Directory security permissions/rights audit needs.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.

Thursday, January 5, 2017

The World's Best Active Directory ACL / Security Permissions Audit Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 5th.

Active Directory ACL / Security Permissions Audit - A Basic Need

Today virtually every organization that operates on Microsoft's Active Directory has a basic and essential need to be able to easily view, analyze and audit Active Directory ACLs (Access Control Lists) because Active Directory permissions ultimately protect virtually all of the organization's IT resources. A few examples of such basic Active Directory ACL audit needs include -


  1. What security permissions/rights does a specific user/group have in a specific Active Directory object's ACL?
  2. Who has a specific Active Directory security permission allowed in the ACL of a specific Active Directory object?
  3. Which ACEs (access control entries) grant a specific Active Directory security permission to various security principals?
  4. Which ACEs explicitly deny a specific Active Directory security permission in an object's ACL?
  5. Which ACEs explicitly grant a specific Active Directory security permission to a specific user or group in an object's ACL?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.

To fulfill their ACL analysis needs, IT admins worldwide use numerous means, such as writing in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP etc., or relying on some 3rd party audit tools many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) Active Directory ACL analysis, viewing and dump tool that can help easily & trustworthily fulfill all Active Directory ACL/permissions audit needs.

So we built possibly the world's best (most advanced) Active Directory ACL Viewer and Exporter that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their basic Active Directory ACL/permissions audit needs.



Gold Finger Active Directory ACL / Security Permissions Audit and Dump Tool

The Gold Finger Active Directory ACL Viewer and Exporter is the world's most advanced and trustworthy Active Directory ACL/Permissions Audit Tool -

Gold Finger Active Directory ACL Audit Tool, Viewer and Exporter

If you can touch a button, you can now easily, comprehensively and above all, trustworthily view, analyze, audit as well as instantly export/dump Active Directory ACLs and security permissions/rights, both on a per-object and a domain-wide basis.


Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Complete View – Obtain a complete, fully sortable view of the ACL (both DACL & SACL) of any Active Directory object.
  2. Detailed View – Obtain a detailed view wherein each ACL field is expanded into individually sortable columns.
  3. ACL Exports – Export the complete ACL of an Active Directory object for analysis, comparison, archival and audit.
  4. Tree-wide ACL Exports – Export/dump the ACLs of all Active Directory objects in any Active Directory tree (e.g. OU).
  5. Advanced ACL Export Options – Export only those ACLs that are marked Protected or owned by a specific user/group.


Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Rich Analysis - IT personnel can easily analyze every aspect of the ACL, including sorting the ACL by individual Active Directory security permissions (e.g. Write Property, Extended Right etc.), inheritance fields etc.
  4. Instant Export - IT personnel can easily export/dump the ACLs of any, some or all Active Directory objects. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory ACL/permissions audits you can perform with Gold Finger -

  1. Alphabetically sort the ACL on the AdminSDHolder object to list all security principals for whom access is specified.
  2. Identify all permissions in the ACL of the Administrators group object that grant Write Property - Member permissions.
  3. Export/dump the ACL on the Enterprise Admins group object to furnish it as evidence for a regulatory compliance report.
  4. Identify every permission in the ACL on the Corporate OU object that grants a user or group Create Child permissions.
  5. Enumerate the list of all security permissions in the ACL of the Help Desk Operators object that are Explicit in nature.
  6. Instantly dump/export the security permissions/ACLs of all objects contained in any Active Directory domain/partition.
  7. Easily dump/export the security permissions/ACLs protecting all executive (e.g. all C*O) and privileged user accounts.
  8. Instantly dump/export Active Directory security permissions/ACLs protecting all Organizational Units in a domain.
  9. Obtain a snapshot of all Active Directory permissions/ACLs protecting the Configuration, Schema and domain partitions.
  10. Dump/export Active Directory security permissions/ACLs to a file to furnish evidence for a compliance/security audit.



Trusted Worldwide

Today, our Gold Finger Active Directory ACL Viewer and Exporter is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill all their basic Active Directory ACL/security permissions/rights analysis and audit needs.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.