Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Saturday, April 1, 2017

Hey Microsoft - What Constitutes a Privileged User in Active Directory?

Dear Microsoft,

I was supposed to start your 30-Days of Advanced Active Directory Security school for you today, but before I did so, I wanted to ask you arguably the most fundamental yet important (and, might I add, paramount) question in all of Windows and Active Directory Security, because not a single* one of your customers can be secured without the answer to this ONE question.

Here's the Question - What constitutes a Privileged User in Active Directory?

You see, this is the #1 cyber security question that every organization in the world (including all cyber security companies) must have an answer to today, given that 85% of all organizations worldwide operate on Active Directory, and that 100% of all major recent cyber security breaches involved the compromise and misuse of a single Active Directory privileged user account.

I deeply value my time, and based on what I'm seeing, thanks to you, let alone most of your organizational customers across 150+ countries, not even you seem to have a clue as to an adequate answer to this question, and I'm not inclined to waste my valuable time taking you or anyone to school yet, until I've seen at least a basic understanding of this paramount question.

[ Here is proof that you don't seem to have a clue: quoting a Microsoft security expert from a huge 7-part series of videos titled "Defending Active Directory against Cyberattacks", developed and released by Microsoft in May 2016: "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory." Seriously?! You, the $550 billion Microsoft, are just now (i.e. in 2016/17) working to identify this!? If you want to know how to defend Active Directory, start here.

As such, based on what I've seen thus far, you've been predominantly focused on credential-theft attacks (Pass-the-Hash, Kerberos ticket meddling, etc.), which you likely may have been compelled to do something about (likely based on pressure from your customers), and all you did was acquire a puny fledgling start-up to help detect ongoing activity against Active Directory. Now, detection is #3 in the list of protection measures - #1 is prevention, and #2 is avoidance. So, Microsoft ATA is at #3. To be fair, you're not alone in being clueless - from self-proclaimed SMEs, gurus & experts, to others, no one seems to have the answer. ]

So, let me give you some time to think about and answer this question to the best of your ability (not so much for me, but primarily for the 1000s of organizations that are your customers), and based on your answer, we'll start your school. Alright?

Everyone's Tuned In

BTW, you may not know this, so let me tell you that from your largest business customers to the most important of our 3-letter acronym government agencies & from the biggest cyber security companies to the Russians, everyone's tuned in here & here.

The world needs & looks forward to an answer. (You may not answer this question, so know that silence too speaks volumes.)

Of course, we can most easily answer this question for them in 10 seconds, and I will in days to come, on day 1 of your school, but I wanted to give you an opportunity to show some thought leadership. As for your school, I'll start it later this month...

...once everyone's had some time to adequately reflect on the importance of this most fundamental of cyber security questions, because this impacts the foundational cyber security of 85% of all organizations worldwide, in both business and government.


PS: If you want a head start, you're welcome to join our free global community of Active Directory security professionals from 1000s of organizations across 100+ countries worldwide, where we're already discussing this and other paramount questions. For instance, our members already know that accounts protected by AdminSDHolder in AD are merely the Tip of the Iceberg.
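To make the "tip of the iceberg" point concrete, here is an added audit script (my example, not code from the post or from Microsoft) that contrasts the accounts AdminSDHolder protects (adminCount=1) with the principals holding write-level rights on AdminSDHolder itself and on the domain root, i.e. the ACLs that can lead to control of Active Directory. It assumes the RSAT ActiveDirectory module and a domain-joined session; the list of "expected" trustees is an assumption based on the default ACL and should be adjusted for your domain.

```powershell
# Added example (not from the blog post): protected accounts vs. who can rewrite the
# ACLs that define "privileged". Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. The tip of the iceberg: accounts whose ACL SDProp periodically stamps from AdminSDHolder
$protected = @(Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, ObjectClass, DistinguishedName)
Write-Host "AdminSDHolder-protected accounts: $($protected.Count)"

# Rights that let a trustee change, or take ownership of, an object's security descriptor
$controlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

# Assumed default admin trustees; any other trustee with these rights deserves review.
# (Enterprise Admins lives in the forest root domain; adjust for child domains.)
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$($domain.NetBIOSName)\Domain Admins",
              "$($domain.NetBIOSName)\Enterprise Admins")

function Get-ControlTrustees {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"          # AD: drive is created by the module
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = @($rights | Where-Object { $controlRights -contains $_ })
        if ($hit.Count -gt 0) {
            [pscustomobject]@{
                Object   = $Dn
                Trustee  = $ace.IdentityReference.Value
                Rights   = ($hit -join ',')
                Expected = ($expected -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# 2. The rest of the iceberg: trustees who can rewrite the ACLs that define "privileged"
$findings = @()
$findings += Get-ControlTrustees -Dn "CN=AdminSDHolder,CN=System,$domainDN"
$findings += Get-ControlTrustees -Dn $domainDN

$findings | Where-Object { -not $_.Expected } |
    Sort-Object Object, Trustee | Format-Table -AutoSize
```

This only lists direct ACEs on two objects; it does not resolve group nesting, deny ACEs or inheritance into effective access, so a trustee missing from the output is not proof that it lacks control, and a trustee in the output warrants investigation rather than automatic removal.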

PS2: Since you haven't figured it out in over 10 years now (because if you had, I wouldn't have to ask you this question today), perhaps I should help you out with a hint: to answer this question, organizations worldwide need one simple capability - this.

PS3: When you've fathomed the depth (and impact on global security) of what I'm talking about, if you want to talk, have Satya (yes Mr. Nadella, your wonderful CEO) call me, as this is a conversation that an employee at his pay-grade should be having.