A Most Important Microsoft Video on Defending Active Directory (Day-9)

Dear Microsoft,

Today is Day-9 of our Active Directory security school for Microsoft. I was finally going to talk about effective permissions today, but I figured I should first share an incredibly important video on AD Security from Microsoft, since it bridges the gap so well between Day-8 ("An Ocean of Access Privileges In Active Directory") and Day-10 ("Active Directory Effective Permissions".)



Defending Active Directory

Here's that incredibly important video from Microsoft (and you can watch it right here, or online at Microsoft's website here) -

(Please click the Start Lesson button to view the video. If it does not play, you can see it on Microsoft's website here.)

The summary of this video titled Defending the Directory is - "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence & escalation of privilege."

By the way, I highly recommend all IT Professionals involved with Active Directory Security to see this entire video at least once.





12 Very Important Points Made in this Video from Microsoft -

Today, I just wanted to highlight 12 incredibly important points made in this video, and I've quoted them directly from the video -

1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins" 


2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"


3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"


4.  "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"


5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that setup AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."


6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"


7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy."


8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"


9. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"


10. "So effectively that is a means of escalation!"


11. "If a group or account has been granted change reset password on an account, and that account is privileged, I can change the password on that account, and now I own it!"


12. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, its super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because its controlled by the access control lists (ACLs)! "

Microsoft, great advice! Each one of them is worth is proverbial weight in Gold, and is exactly what we've been saying for years.

Now, that said...




Just 1 Question

Dear Microsoft, I just have one question for you, and I have asked this before as well, but nonetheless I will ask it again.

Possibly the most important message in this video is, and I quote - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important"

BUT, you completely forget to tell them the most important part, which is - "how to correctly assess who has actually been delegated what privileges in Active Directory i.e. who actually has what effective / resulting access in Active Directory?!"

So the simple question is -

Exactly what do organizations worldwide need to do to correctly find out who has been delegated what privileges in Active Directory? i.e. What is the ONE technical aspect that governs the accurate determination of who can actually do what in Active Directory that they need to know about to make this paramount determination?

HINT: The presenter completely missed it even though it was right in front of his eyes (from 0:21:50 - 0:22:05)

The simple answer, also the topic of our next post (Day-10), is - "Active Directory Effective Permissions / Effective Access." 

Best wishes,
Sanjay


PS: By the way, see how "everything in AD is an object protected by ACLs" ties into Day-8, An Ocean of Access Privileges.

PS 2: Is it just us, or do you too find it so co-incidental that in May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft develops and releases a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks". The entire series can be found here. They even made a promo for it.