Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Wednesday, March 15, 2017

Top-10 Active Directory Security Questions For Organizations Worldwide


I was supposed to start 30 days of advanced Active Directory Security School for Microsoft yesterday, but we've just been so busy helping folks worldwide that I'm going to have to postpone the start date for that one final time to May 22, 2017.

So, until then, to help Microsoft prep for school, and generally to help thousands of organizations worldwide I'll share the Top-10 Active Directory security questions that every organization that operates on Active Directory must have answers to at all times.

Here they are -

Top-10 Active Directory Security Questions Every Organization Must Have Answers To -

1. Exactly how many privileged users are there in Active Directory? 
2. Exactly who can reset the password of a privileged user to elevate privilege in Active Directory?
3. Exactly how many privileged security groups are there in Active Directory? 
4. Exactly who can modify the membership of a privileged security group to elevate privilege in Active Directory?
5. Exactly who can instantly replicate secrets from Active Directory, and thus compromise the credentials of all accounts by using a tool such as Mimikatz DCSync?
6. Exactly who can modify the ACL protecting the AdminSDHolder object so as to be able to instantly gain administrative privileges in Active Directory?
7. Exactly who can create, delete and manage domain controllers, administrative workstations, trust relationships, user accounts, computer accounts, security groups, organizational units, service connection points etc. in Active Directory? 
8. Exactly who can modify critical configuration content in the Configuration and Schema partitions, changes to which could be used to gain administrative privileges in Active Directory? 
9. Exactly who manage the domain user accounts of the organization’s executives (Chairman of the Board, CEO, CFO, CIO, CISO etc.) in Active Directory?
10. If Smartcard authentication or other similar Active Directory integrated defense-in-depth measures (e.g. MFA, Auditing, Random Password Manager, Password Vault etc.)  are in use, exactly who can disable their use? 

In their own best interest, we highly recommend that all organizations have answers to these 10 security questions at all times.

(In the interest of objectivity, I must add that you don't have to take my word for it; I'm merely trying to help. If you can think of any other question concerning Active Directory Security that might be more important than these, you should focus on them.)

Finally, a simple $100 Billion QUESTION for Microsoft:  Dear Microsoft, in preparation for your Active Directory Security School starting 04-01-2017, here's a question for you -  What is the only way to answer each one of the questions enumerated above?

Since my esteemed colleagues at Microsoft may be too busy making the shift to the Cloud, let me answer the question for them:

Here's what it takes to answer these questions -

Best wishes,

PS: If you know of ANY cyber security (or other) company on the planet that can help answer these questions, let me know.

No comments:

Post a Comment