Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Thursday, January 26, 2017

30 Days of Advanced Active Directory Security School for Microsoft (& WD)


Starting May 22, 2017, as former Microsoft Program Manager for Active Directory Security and as one of Microsoft's biggest well-wishers, in the very best interest of Microsoft and thousands of its organizational customers worldwide, I will spend a few minutes each day for the next 30 days to help the brilliant folks at Microsoft better understand Active Directory Security.

Here's why -

Over the last ten years, almost 10,000 organizations from 150+ countries worldwide have knocked at our doors, completely unsolicited, to request our assistance in fulfilling a paramount organizational cyber security need, which is the need to know "Who has what privileged access in their foundational Active Directory deployments?" and here's how most dialogues start -
Organization: "Hello. I'm a Domain Admin at <organization>. We have been provisioning and delegating access in our Active Directory for many years now, but we don't know exactly who is provisioned and delegated what access in our Active Directory today. We need to find out who has what permissions in our Active Directory so that we can identify exactly who is provisioned/delegated what privileged access in our Active Directory."
Our Response: "Hello. We can certainly help you 'audit who has what permissions in Active Directory' BUT as you may know, to correctly identify who has what privileged access in Active Directory, one needs to (accurately) determine effective permissions in Active Directory, domain-wide. Identifying 'who has what permissions' is merely the starting point for determining effective permissions. Our unique Effective Permissions Calculator and Privileged User Access Audit Tool automate the entire process and could help you do so easily."
Organization: "That's great, but wait, what are you talking about? What are Effective Permissions?! I'm not sure I've heard that term before. In fact, I don't think I've ever come across it in any Microsoft security guidance."

Let's stop right there for a moment and think about this! If (and this is what we're seeing across the world) even Domain Admins at so many organizations worldwide do not seem to know what "effective permissions" are, that's a serious problem.

("Effective permissions", especially "Active Directory Effective Permissions" are paramount to organizational cyber security, because they control not only who has the keys to every door in the Kingdom, but also who has the "Keys to the Kingdom.")
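To make concrete why listing ACL entries is only the starting point, here is an added example (not code from this blog or from Paramount Defenses' tooling) that computes a principal's effective rights on one AD object by applying the Windows DACL evaluation rules: nested group expansion, canonical ACE order, first matching ACE per right wins, and the owner's implicit WRITE_DACL. The group hierarchy, ACEs, owner and mask bit values are all constructed for illustration.

```python
"""Simplified effective-permissions calculator for one AD object (added example,
not the blog's or any vendor's code). Models the DACL rules that make 'who has
what permissions' differ from effective access: nested groups, canonical ACE
order, first-match-wins per right, and the owner's implicit WRITE_DACL."""
from dataclasses import dataclass

READ_PROP, WRITE_PROP, WRITE_DACL, RESET_PWD = 1, 2, 4, 8   # constructed mask bits
# Constructed directory: group -> direct members (users or nested groups)
GROUPS = {"HelpDesk": {"alice", "Tier2"}, "Tier2": {"bob"}, "Contractors": {"bob"}}

@dataclass
class Ace:
    allow: bool
    trustee: str
    mask: int
    inherited: bool = False

def expand_token(principal: str) -> set[str]:
    """Principal plus every group that transitively contains it (what an ACL viewer hides)."""
    token, frontier = {principal}, {principal}
    while frontier:
        frontier = {g for g, m in GROUPS.items() if m & frontier} - token
        token |= frontier
    return token

def canonical(dacl: list[Ace]) -> list[Ace]:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def effective_rights(principal: str, dacl: list[Ace], owner: str) -> int:
    token, granted, denied = expand_token(principal), 0, 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.allow:                       # the first ACE covering a bit decides it
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    if owner in token:                      # the owner holds WRITE_DACL without any ACE
        granted |= WRITE_DACL
    return granted

# Constructed DACL on a user object inside an OU delegated to the help desk
SAMPLE_DACL = [
    Ace(True, "HelpDesk", READ_PROP | RESET_PWD, inherited=True),
    Ace(False, "Contractors", RESET_PWD),                 # explicit deny
    Ace(False, "Contractors", WRITE_PROP, inherited=True),
    Ace(True, "Tier2", WRITE_PROP),                       # explicit allow beats inherited deny
]
```

Run `effective_rights("bob", SAMPLE_DACL, "alice")`: bob keeps WriteProperty despite an inherited deny and loses Reset-Password despite reaching HelpDesk through Tier2, and alice holds WriteDacl with no ACE granting it; none of this is visible by reading the ACEs one at a time.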


Shocked by such responses, we took a closer look at the top-3 official Microsoft Active Directory security guidance sources -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

Specifically, we did a simple keyword search for the term "effective permissions" across each of these three official authoritative sources of guidance from Microsoft, and guess how many instances of the term "effective permissions" we found across them?

Zero! (нуль, nul, صفر, 零, Null, μηδέν, ʻole, אֶפֶס, शून्य, ゼロ, 제로, nihil, sero!)

Effective permissions are so fundamental and important to Windows Security and Active Directory Security that in Microsoft's own tooling, Effective Permissions is one of the 4 main tabs, alongside Owner, Permissions and Auditing! (Sadly, that tab's capability is inadequate.)

Microsoft's security guidance amply covers Permissions, Auditing and Owner(ship), but when it comes to Effective Permissions, ZERO coverage!

To make a long story short, having spoken to thousands of Microsoft's customers, we have found that, due to a complete lack of guidance from Microsoft for over a decade on the most important aspect of Active Directory Security, i.e. "Effective Permissions", at thousands of business and government organizations worldwide even highly-privileged Active Directory admins (i.e. Domain Admins), let alone CISOs, IT Managers and IT Auditors, do not seem to know what effective permissions are!

Now, if you don't even know what effective permissions are, you are very far from understanding just how critical they are to organizational cyber security, and how paramount the ability to accurately determine effective permissions in Active Directory is!

This is Paramount

As you may know, 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account. Considering that, did you know that each of the Top-10 ways to gain privileged user access in Active Directory involves exploiting excessive effective permissions?!

Given Active Directory's foundational role at most business and government organizations worldwide today, this is paramount.

In light of this, we are completely baffled, stupefied, and blown away to see a complete lack of guidance from Microsoft to its organizational customers on what undoubtedly is one of the most vital technical aspects of organizational cyber security today!

Could it be that Microsoft itself does not understand the importance of determining effective permissions in Active Directory?!

(I sincerely hope not, because if that's the case, it suggests that perhaps they don't yet deeply understand cyber security, and if so, I'm not sure how the world can be expected to consider moving to their cloud offering, Microsoft Azure, yet.)

Personally speaking, having been on Microsoft's Windows Server Development Team, it appears that they may no longer have a dedicated role or team focused on Active Directory security (which, if true, would in itself be astonishing). If so, given how esoteric this subject is and the depth required to comprehend it, the likelihood of anyone outside such a team easily comprehending it and driving the necessary education is low. To me, that's the only plausible explanation for how they could have totally forgotten to educate their customers about such an important security topic. All said and done, to have provided zero guidance on such a vital topic for over a decade suggests that likely they too don't understand it.

I will say this much - Active Directory is one of the most valuable, solid, secure and highly-securable foundational technologies ever built. It can be easily and adequately secured and defended at all times with appropriate insight, expertise and resources. The only (one BIG) shortcoming in it is that it lacks an accurate and adequate* effective permissions / effective access assessment / audit capability (both per-object and tree-wide). Fortunately, our innovative patented technology (embodied in 1, 2) uniquely & perfectly fulfills this shortcoming, making Active Directory ROCK-solid and bullet-proof. We run a bullet-proof Active Directory.

* More on this in days to come.

In Summary

It's 2017, not 2007. Microsoft's organizational customers worldwide, in their own best interest, i.e. to protect the very foundation of their cyber security, need to unequivocally understand the paramount importance of being able to accurately audit effective permissions/access in Active Directory, without any further delay, and Microsoft should be helping them understand it.

I would like to see Microsoft provide appropriate guidance to its customers (because given the uniqueness and importance of what we do, our job is to help those organizations that understand this stuff fulfill this essential need, help out a few more, and address this foundational risk; it is NOT our job to educate ALL of Microsoft's customers on such a basic and fundamental Windows security topic). So, to help Microsoft too better understand the paramount importance of effective permissions to Active Directory security, over the next 30 days I'm going to most respectfully help them better understand Active Directory Security.

Fortunately for Microsoft and thousands of its valued customers, the most difficult part of the problem has already been solved. (The bigger problem is that so many organizations don't even seem to be aware that this is a massive problem to their security.)

Let there be no doubt or mistake about one fact - left unmitigated, this esoteric cyber security risk represents a hole the size of a football field in a jetliner's fuselage, and poses a serious threat to the foundational security of so many organizations worldwide.

An Open Invitation

So, starting May 22, 2017, for the next 30 days, every day I'll speak to certain aspects from this syllabus, right here on this blog. By the way, strictly speaking the title should have been "Basic Active Directory Security School", but I shall leave it as is.

Everyone working on Active Directory and Cyber Security at Microsoft, such as at the Windows/AD Product Dev Team, Azure Team, Cyber Security Team, Microsoft Consulting Services, Product Support Services, TwC, MS IT, etc. is welcome to tune in.

In fact, anyone and everyone, across the world, interested in learning more about Active Directory Security, is equally welcome.

Best wishes,

PS1: BTW, WD (as mentioned in the title of this blog post, and also as alluded to here) is the SDDL mnemonic for "Everyone".

PS2: Speaking of everyone, last week, I shared some helpful Trillion Dollar Cyber Security Insight for President Donald Trump.

PS3: To my esteemed former colleagues at Microsoft, imagine a scenario wherein this problem exists (and poses a real threat to (y)our organizational customers) but a solution doesn't. (Fortunately it does, thanks to the vision and passion of one of you.)

1 comment:

  1. Hi
    I have been following this blog since Feb 1st, but no comment or suggestion was found. I am working on an Active Directory security enhancement project and need to understand the AD attack surface and work towards reducing it. Majorly tracking the delegation of privileges and password hashes.