Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, January 2, 2017

A Highly Trustworthy Active Directory Security Audit Tool


Hope your New Year's off to a good start. As I had indicated yesterday, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way, this being the 1st.

Trustworthy Active Directory Security Audits - A Basic Universal Need

Today most organizations that operate on Microsoft's Active Directory have a need to be able to perform basic Active Directory Security audits to maintain security and demonstrate compliance. Examples of such basic Active Directory audits include -

  1. List of all domain user accounts in Active Directory, including their states, status, true last-logon time etc.
  2. List of all domain user accounts and groups considered administrative in nature by Active Directory
  3. List of all domain security groups in Active Directory, including their type, membership etc.
  4. List of all domain computer accounts in Active Directory, and their various details
  5. List of all organizational units, containers, service connection points, print queues, GPOs in Active Directory etc.

To fulfill these basic needs, IT admins usually employ various means, such as writing in-house LDAP/PowerShell scripts, using free MS utilities like LDP etc., or relying on basic 3rd party AD audit tools. However, there is usually a trade-off involved -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a simple, reliable (tamper-proof) and customizable audit tool that can help all IT personnel (AD admins, IT managers and others) easily & trustworthily fulfill their basic Active Directory audit needs.

So we built possibly the world's simplest and most trustworthy Active Directory Security Audit Tool that can help both advanced technical experts as well as IT managers and others, easily and trustworthily fulfill their basic Active Directory audit needs.

Gold Finger Active Directory Security Audit Tool

The Gold Finger Security Audit Tool is quite simply the world's most trustworthy basic Active Directory Security Audit Tool -

Gold Finger Active Directory Security Audit Tool

If you can touch a button, you can now trustworthily fulfill most of your basic Active Directory security audit and compliance reporting needs, including obtaining and furnishing evidence in terms of raw data and professional-grade (PDF) reports.

Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. 100 Built-in Reports – Instantly generate 100+ essential ready-to-generate Active Directory security audit reports
  2. Custom LDAP Filters – Customize any built-in report by specifying an LDAP filter of your choice (e.g. (title=C*O))
  3. DC Specific Analysis and Alternate Credential Use – Target any Domain Controller, as well as use alternate credentials
  4. Data Exports – Instantly export data from Active Directory (domain, OU etc.), including based on custom LDAP filters
  5. Professional-grade PDF Report Generation – Generate customizable, ready-to-furnish professional-grade PDF reports

Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Customization - Every report can be completely customized using LDAP filters as well as scope and depth control.
  4. Data output - Gold Finger retrieves the data, lets you analyze and easily export it, as well as generate PDF reports. 
  5. Flexible Licensing - Gold Finger can be licensed on a weekly, monthly, quarterly and annual basis, starting at just $ 99*.

Example Reports

Here are 10 real-world examples of the kinds of reports you can generate with Gold Finger -
  1. Identify all domain user accounts in Active Directory, including their state, status (active/stale) and last-logon times.
  2. List all domain computer accounts in Active Directory, including their operating system, status and DNS name.
  3. Enumerate all domain security groups in Active Directory, including their type and other details.
  4. Enumerate the entire contents (accounts, groups etc.) of any Organizational Unit (OU) in Active Directory.
  5. Identify all accounts and groups that are considered/marked as administrative by Active Directory.
  6. Enumerate the list of all active and inactive domain user accounts (based on True Last Logon ).
  7. Identify all computer accounts that are trusted for unconstrained delegation in Active Directory.
  8. Identify all accounts based on a specific criteria such as a combined value of Title and a custom attribute Division.
  9. View the details of the CEO's domain user account, export them to a CSV file, or generate a professional PDF report.
  10. Generate an audit report in PDF format that lists all Active Directory user accounts, including their state and status.

A Free Version

We believe that everyone worldwide should be able to obtain basic Active Directory security insight trustworthily so we also offer a free version which can be downloaded here -

Trusted Worldwide

Today, our Gold Finger Active Directory Security Audit Tool is used worldwide by the world's top organizations including the United States Government and Fortune 10 companies to trustworthily fulfill their basic Active Directory security audit needs.

For more information and free trials, please visit -

Best wishes,

PS: This is about 0.01% of what we do, so this is as much as I'd like to say about it.

No comments:

Post a Comment