Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Thursday, June 1, 2017

How Well Does Microsoft Really Understand Cyber Security? (Day-1)

Dear Microsoft,

Today is Day-1 of Advanced Active Directory School for you. Today onwards, for the next 30-days, I am going to help you better understand Active Directory Security, so that you in turn can help organizations worldwide better understand the same.

As I have already said, I am only doing this because today almost the entire world operates on Active Directory and based on what we're seeing, thousands of your organizational customers, many of whom are globally prominent multi-billion dollar companies, may be minutes away from being completely compromised, and they don't even seem to have a clue!

So, (oh and I don't care who you are at Microsoft, or what it is you're working on, because most likely nothing is more important than what you're going to learn here so) you may want to take a break from whatever you're working on and listen to what I've to say intently, because by the end of these 30 days, what's being communicated in these 2 videos is going to sound like a joke -
[ Note - These videos were mysteriously removed from LinkedIn shortly after I wrote this post. ]

Kool-aid sounds wow in marketing videos!  Here's what Mr. Nadella ended this talk with - "When we talk about empowering every person and every organization on the planet, it becomes even more paramount, to build trust into the core of computing."

BTW, a quick side-note: saying "even more paramount" is grammatically incorrect. "Paramount" is a superlative to begin with.

Oh, and here's what your built-to-impress Microsoft Cloud commercial ends with - "When it comes to the cloud, trust and security are paramount. We're building what we've learnt back into the cloud to make people and organizations safer."

Well, after what I'm going to share with you over the next 30-days, you may not only find these videos to be rather humorous, you'll also find that you still have much to learn and a long way to go before you can truly make people and organizations safer.

Oh, and is it just me, or have you too noticed that y'all have started using the word "paramount" a lot lately? It was a decade ago that I had realized that in years to come, cyber security would become mission-critical to business, and that nothing would be more important than defending the very foundation of cyber security worldwide, and thus the name - Paramount Defenses.

But I digress, and alright, enough boring talk. Let's get down to some real technical stuff, shall we?

An Ocean of Vulnerabilities in Microsoft Active Directory Deployments Worldwide

Microsoft, do you know what this string represents, and why even a tiny bit of it is profoundly important to global security today?:
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

I promise to fill you in on the details in days to come, so I'll just give you a hint today - Who needs WMDs Today?

Okay, I'll speak to it just a little bit today. This is a Windows security descriptor on one single specific Active Directory object, and were this exact security descriptor, or even a very small specific portion thereof to exist in an Active Directory deployment today, that Active Directory deployment could be completely compromised in a matter of minutes, and none of these kiddish band-aids will be able to prevent that from happening.

And this is merely the tip of the TIP of the Iceberg!
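To make the structure of such a string concrete, here is an added example (not code from this blog or from any Paramount Defenses product) that splits a few ACEs copied from the string above into fields and lists which trustees an allow ACE names for a given right. The helper names `parse_aces` and `holders` are hypothetical. It reads raw ACEs on one object only; it does not resolve group membership, deny ACEs or inherited permissions, so it is not an effective-permissions calculation.

```python
import re

# Selected ACEs copied from the security descriptor string quoted in the post.
SDDL_ACES = (
    "(A;;RP;;;WD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)"
    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;"
    "bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
)
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes

# SDDL trustee aliases. "WD" is Everyone in the trustee field,
# but WRITE_DAC when it appears in the rights field.
TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "SY": "Local System",
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "ED": "Enterprise Domain Controllers",
    "RU": "Pre-Windows 2000 Compatible Access",
}

def pairs(s):
    """Flags and rights are runs of two-letter codes, e.g. 'CIIO' or 'RPWP'."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_aces(sddl):
    """Split an SDDL ACE list into one dict per ACE (six ';' separated fields)."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        kind, flags, rights, obj, inherit_obj, sid = body.split(";")
        aces.append({"type": kind, "flags": pairs(flags), "rights": pairs(rights),
                     "object": obj.lower(), "inherit_object": inherit_obj.lower(),
                     "trustee": TRUSTEES.get(sid, sid)})
    return aces

def holders(aces, right, object_guid=""):
    """Trustees that an allow ACE names for `right` on this object itself."""
    found = set()
    for ace in aces:
        if ace["type"] not in ("A", "OA") or right not in ace["rights"]:
            continue
        if "IO" in ace["flags"]:   # inherit-only: applies to children, not here
            continue
        if ace["object"] and ace["object"] != object_guid.lower():
            continue               # scoped to a different right or property set
        found.add(ace["trustee"])  # an unscoped ACE covers every object GUID
    return found
```

Calling `holders(parse_aces(SDDL_ACES), "CR", GET_CHANGES)` returns four trustees, two from the object-scoped ACEs and two from plain allow ACEs whose unscoped `CR` covers every extended right.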

In most Active Directory deployments there are thousands if not hundreds of thousands of such security descriptors protecting an ocean of mission-critical Active Directory content, yet no one seems to have a clue as to how to even begin to analyze them, let alone how to correctly analyze them, or for that matter lock them down, and as a result, today the vast amount of unauthorized access they allow, and that thus exists in most Active Directory deployments worldwide is simply UNBELIEVABLE!

Close your eyes and imagine for a moment what it must be like to stare at thousands of such security descriptors to try and make any reasonable sense of them i.e. trying to determine precisely what access they end up granting, and to whom, and you'll get a sense of what your customers, (and if I may add, only those who understand a bit of this stuff,) have to deal with!

In case you're wondering why on earth someone might want to make sense of them, it's because organizations need to make these determinations to attain and maintain least-privileged access (LPA) in their foundational Active Directory deployments.

Oh, and if a malicious entity (e.g. an intruder, a rogue insider, an APT etc.) could do so, and do so accurately, he/she/they could instantly proverbially play God, because he/she/they would be instantly privy to extremely valuable intel, such as exactly -

1. Who can replicate secrets from Active Directory to compromise everyone's credentials?
2. Who can change the membership of any one of various Domain-Admin equivalent groups to gain root access?
3. Who can reset the password of any Domain-Admin equivalent privileged user account to gain root access?
4. Who can link a rogue GPO to the domain-root, a site, or an OU to compromise all domain-joined hosts?
5. Who can modify the membership of any of the thousands of security groups to gain system-wide access?

6. Who can reset the password of any employee (e.g. the CEO's) in the organization to login as him/her?
7. Who can modify a mission-critical application's service connection points to prevent it from functioning?
8. Who can delete an entire OU with thousands of objects in it to launch a crippling denial-of-service attack?
9. Who can modify a single attribute in the Configuration partition to disrupt the Active Directory itself? 
   etc. etc.  .... you get the drift?

I think most reasonable IT and cyber security professionals will agree that knowing who can enact these tasks is not only vital to organizational cyber security today, it is in fact essential to operating a trustworthy Active Directory based IT infrastructure.

Yet, because no one really knows how to make any reasonable sense of the thousands of these security descriptors in Active Directory, let alone how to do it correctly and/or efficiently, most organizations worldwide are operating in the proverbial dark.

In fact, and here's the most shocking part - based on our vast global insight, I can tell you that at so many organizations worldwide, IT departments don't even have this on their radar, let alone knowing the paramount importance of this stuff!

In other words, most Active Directory deployments today may be sitting ducks for any proficient perpetrator who understands Active Directory ACLs well enough to know how to translate what seems like gibberish to the uninitiated, into extremely valuable cyber security intel that can then be effortlessly leveraged to instantly gain root access and swiftly inflict colossal damage.

Oh, and now imagine if someone could automate this extremely difficult process, such that he/she could quickly and of course accurately translate thousands of Active Directory security descriptors into extremely valuable privileged access entitlement insight in any Active Directory deployment in the world. (You know, something like this.) You can complete the sentence...

But I digress.

How Well Does Microsoft Really Understand Cyber Security?

Over the last ten years, Domain-Admin equivalent IT personnel from thousands of organizations from across 150+ countries worldwide have knocked at our doors, completely unsolicited, so we've had a chance to talk to them, and you might fall off your chair if I told you just how much (or should I say how little) most of them know about this stuff, and that to us is unbelievable!

So, Microsoft, do you know why so many organizations are operating in the dark today vis-à-vis this stuff?

The only plausible explanation I could come up with is that it's because you, the $550B Microsoft Corporation, seem to have provided virtually NO guidance to your customers, over an entire decade, neither on why it is so important (and in fact as you may soon hopefully agree, paramount) to determine effective access in Active Directory, nor on how to do so correctly!

Which leads me to wonder, why not?

The only plausible explanation I could come up with is that it's because most likely, you, the $550B Microsoft Corporation, who built Active Directory, yourself do not seem to have figured out just how important being able to do this, is for cyber security!

If you have any other explanation to offer, not just me, the entire world is all ears by now!

If you don't, then hopefully you can see how the videos above seem to some of us to be humorous, in that most likely you don't even seem to possess the ability to make such paramount determinations in your own Active Directory deployments, let alone being in a position to help organizations worldwide address such a paramount cyber security need.

By the way, if you think little toys like dsacls, acldiag, LDP, your Effective Permissions Tab, or any PowerShell script anywhere, or any "Active Directory Permissions Audit" solution from over a dozen or so vendors can solve this problem, then let me tell you that neither you nor they (i.e. these clueless vendors) have any idea how to solve this problem correctly!

Oh and speaking of which, not only are these wonderful folks way off mark as well, their infantile wares are technically deeply flawed, so their excitement may be premature - there's a mountain the size of Mount Everest to be scaled before anyone can solve this problem. (See, since you've never shed light on what it takes to correctly do this, even such flawed stuff makes the bar for the famed Black Hat Conference! Incidentally, last year I personally discovered how little they too know about this!)

That's coming from someone who had the will and the grit to spend 20,000+ hours solving this one problem for the world - here.

That's it for today. Today, I just wanted to lay the foundation. Tomorrow onwards, we'll start getting deeper into technicals and over the next 30 days, I'll help you understand this stuff a little better, so you can help your customers understand it better.

Good night,

PS: Simply acquiring a puny start-up and offering their nascent technology as ATA is by no means enough to demonstrate the degree to which one expects Microsoft to go to, as claimed in those two videos above! As I have said earlier as well, Microsoft ATA is basically a detection measure. In the list of protection measures, detection comes third. The first is prevention (best accomplished by attack surface reduction), the second is avoidance. If detection is the best you can offer, you're conceding that you don't have the ability to provide the first two measures. And the world expects better than that from a $550 Billion company, especially one courting the world to embrace and trust its Cloud offering (; see 2 videos above :-))

PS2: We're happy to help your customers, but we need (you to help) them to understand this to a certain degree before seeking our assistance; we simply cannot individually teach 1000s of organizations what Active Directory effective permissions are!
