Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, January 10, 2017

World's Only Accurate Active Directory Privileged User/Access Audit Tool


Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 8th.

Active Directory Privileged User/Access Audits - A Paramount Need

Today every single organization that operates on Microsoft Active Directory has a paramount cyber security need to be able to accurately audit privileged access in its foundational Active Directory deployment. What else could be more important?
A few examples of such paramount Active Directory privileged access audits include -

  1. Exactly how many privileged access users do we have in our foundational Active Directory?
  2. Exactly who has what privileged access in our foundational Active Directory?
  3. Exactly how does someone have privileged access in our Active Directory?
  4. Exactly who can manage all of our privileged users and groups in our Active Directory?
  5. Exactly who has what privileged access over all our vital Active Directory domain user accounts, domain computer accounts, domain security groups, Organizational Units, etc. (and there could be 1000s of them)?

If you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters, ; the difference is colossal and could very well be the difference between security and compromise.

Most organizations do not even seem to know that they need to be able to determine effective permissions/access in Active Directory, and do so accurately, to maintain a sound cyber security posture. At those who do know, IT personnel struggle to fulfill this paramount need; they try writing advanced in-house LDAP/ PowerShell scripts, using free MS tools like dsacls, acldiag, LDP, the Effective Permissions Tab, etc., or relying on one free 3rd party audit tool that is dangerously inaccurate.

To begin with, the knowledge required to write a script that could accurately determine effective permissions on even a single Active Directory object, let alone thousands of Active Directory objects, is such a rarity that let alone most IT personnel I doubt even many $ Billion cyber security companies would know where to even begin. That said, many well-intentioned IT admins who care deeply about security do proceed to endeavor to write and use substantially inaccurate scripts to do so.

Assuming they could write an accurate script to do so, here are 5 issues/challenges that they will most likely run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. The Microsoft Effective Permissions Tab is not only self-admittedly inaccurate, it is woefully inadequate.
  4. All free 3rd party tools that claim to do Active Directory effective permissions are substantially inaccurate.
  5. Manually attempting to determine effective permissions on thousands of Active Directory objects could take years.

It is unequivocally clear to use that what organizations need is an accurate, efficient and reliable (tamper-proof) Active Directory Privileged Access Audit Tool that could help IT personnel worldwide easily & trustworthily fulfill this paramount need.

So we built the world's only accurate Active Directory Privileged Access Audit Tool so it could help all IT admins, analysts, auditors and others easily and trustworthily fulfill their paramount Active Directory privileged user access audit needs.

Gold Finger Active Directory Administrative Access and Delegation Audit Tool

The Gold Finger Administrative Access and Delegation Audit Tool is quite simply the world's only accurate Active Directory Privileged User/Access Audit Tool. There's simply nothing quite like it in the world, and once you've used it, you'll know why -  

Gold Finger Active Directory Privileged User Access Audit Tool

If you can touch a button, you can now (for the first time ever) accurately and easily find out exactly who has what privileged access across an entire Active Directory domain, in effect accomplishing an almost impossible feat, at the click of a button!

Capability Overview

Here's a quick overview of the tool's top 10 features/capabilities -
  1. Accurate Assessment – Accurately audit exactly who has what privileged access in Active Directory, taking all factors (e.g. precedence orders, memberships expansions, conflict resolution etc.) that impact effective access into account.
  2. Complete Automation Automatically audit effective privileged access across an entire Active Directory domain.
  3. Enterprise Scalability – Swiftly assess effective privileged access across even large Active Directory deployments.
  4. Source Identification – Find out exactly which underlying permissions grants a user specific effective privileged access.
  5. Zero Configuration – Instantly deploy the tool on any machine without requiring a single change anywhere whatsoever.
  6. Real-Time Analysis – Instantly audit and verify an administrative delegation as soon as it is made in Active Directory.
  7. Intuitive Interface – Easily view all privileged access, all users who have such access, where they have it and how so.
  8. Professional-grade Report Generation – Easily generate and furnish privileged access audit reports in PDF format.
  9. Analysis Exports – Instantly export audit results for offline analysis, sharing, report submission and archival.
  10. DC Specific Analysis and Alternate Credential Use – Target any domain controller, and use alternate credentials.

Design Goals

Here are the 7 main design goals we set and met for Gold Finger -
  1. Accuracy - Accuracy is everything, and Gold Finger is the world's only accurate privileged access audit tool.
  2. Automation - The tool must be able to automatically determine effective permissions/access across thousands of Active Directory objects accurately and quickly so organizations can obtain this paramount insight within minutes, not months.
  3. Actionable Insight - The tool must deliver results in the form of actionable insight i.e. its results must be calculated and displayed in terms of entitled administrative tasks, and also show exactly who can perform them, and exactly how so.
  4. Source-Identification - It can pinpoint the underlying permission that entitles a user to performing a specific task.
  5. Data output - IT personnel should be able to effortlessly export the raw data for archival, rich analysis etc.
  6. Ease of use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  7. Trustworthiness - When it comes to security, Gold Finger also sets the bar and gold standard for trustworthiness.

Example Reports

Here are 10 real-world examples of the kinds of Active Directory effective permissions audits you can perform with Gold Finger -

  1. Discover exactly who has unrestricted privileged access in the Corp domain.
  2. Find out exactly who can create, delete, manage and control entire Organizational Units in the Corp domain.
  3. Find out exactly who can manage and control all privileged and executive domain user accounts in the Corp domain.
  4. Find out exactly who can change the membership of critical privileged/administrative groups such as Domain Admins.
  5. Find out exactly who can manage every executive and administrative account and security group in the Corp domain.
  6. Find out exactly who can create and delete domain user accounts, security groups and OUs in the Corp domain.
  7. Find out exactly who can reset the passwords of all domain user accounts, including those of privileged/executive users.
  8. Find out exactly who can disable the requirement to have Smart-card authentication for all domain user accounts.
  9. Find out exactly who can modify or delegate administrative (privileged) access in Active Directory, where and how.
  10. Uncover thousands of privilege escalation paths leading to critical privileged access across an entire Active Directory.

Trusted Worldwide

Today, our Gold Finger Active Directory Administrative Access and Delegation Audit Tool is used worldwide by the world's top organizations to easily fulfill the paramount cyber security need of being able to precisely identify privileged users and privileged access in their foundational Active Directory deployments.

Best wishes,

No comments:

Post a Comment