Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Wednesday, July 5, 2017

An Ocean of Access Privileges in Active Directory Deployments (Day 8)


Today is Day-8 of our Active Directory security school for Microsoft. I was going to talk about effective permissions today, but perhaps I should shed light on the ocean of access privileges that lies within Active Directory deployments worldwide today.

An Ocean of Access Privileges within Active Directory Deployments Worldwide

In virtually every Active Directory deployment in the world today, irrespective of its size (small or big), the entirety of its content, i.e. the thousands of objects that reside within it, is protected by an ocean of access privileges.

Specifically, each object in Active Directory is protected by a unique Windows security descriptor which, amongst other components, contains an access control list (ACL). The ACL is comprised of numerous access control entries (ACEs), each of which serves to Allow or Deny a specific type of access (of which there are a dozen types) for a specific security principal. It is this entire set of security permissions in an object's ACL, taken collectively and not individually, that determines the actual (i.e. resulting/effective) access that is authorized on that object.

For instance here is the ACL protecting the domain user account of the CEO of a fictional multi-billion dollar organization -

The ACL on the CEO's Domain User Account  

As you can see, there are numerous security permissions that specify various types of access. Some of them Allow access and some Deny it; some are explicitly specified while others are inherited from parent objects; some specify access for individual users, while others specify access for security groups and well-known security principals. Further, while most of these are actually applicable on the object itself, some exist only to be inherited downstream by child objects.

In a typical Active Directory domain, these ACLs specify access privileges, of which there are a dozen generic Active Directory security permissions and over five dozen special security permissions (extended rights), for hundreds, if not thousands, of unique domain security groups, domain user accounts, domain computer accounts and various well-known security principals.

Further, in many Active Directory deployments worldwide, there are easily over 100 security permissions (ACEs) in the ACL of each Active Directory object, and there are easily tens of thousands of objects in Active Directory; consequently, there likely exist millions of security permissions in most Active Directory deployments today.

(The original post links to a listing showing what 0.001% of this ocean of security permissions in an Active Directory domain actually looks like.)

(At one of our customers, one of their Active Directory domains had 100,000+ objects and 250+ ACEs in each object's ACL.)

In other words, as you can see, in each Active Directory deployment there is an ocean of access privileges today, and it is this ocean of access privileges that together controls and governs who ultimately has what access on everything in Active Directory, including who ultimately has privileged access (the Keys to the Kingdom), in these foundational Active Directory deployments.

In this Ocean Lie the Answers

In order to be able to answer even one (1) of the following paramount cyber security questions, organizations must be able to accurately determine "who has what effective permissions" in this ocean of access privileges that lies in their Active Directory -

  1. Exactly how many privileged users are there in an organization’s Active Directory?
  2. Exactly how many privileged security groups are there in an organization’s Active Directory?
  3. Exactly who can reset the password of a privileged user to elevate privilege in an organization’s Active Directory?
  4. Exactly who can modify the group membership of a privileged security group to elevate privilege in Active Directory?
  5. Exactly who can create, delete and manage user accounts, computer accounts, groups, OUs etc. in Active Directory?
  6. Exactly who can compromise the credentials of all accounts by using Mimikatz DCSync?
  7. Exactly who can manage the domain user accounts of the organization’s executives (Chairman, CEO, CFO, CIO, VPs etc.)?
  8. If Smartcard authentication or similar measures (i.e. band-aids) are in use, exactly who can instantly disable them?

The operative and paramount word here is "effective": to answer these questions, one must be able to accurately determine "who has what effective permissions", not merely "who has what permissions", in and across Active Directory.
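As an added illustration (not code from the post), here is a small Python model of why listing who appears in an ACL is not the same as determining effective permissions: ACEs are evaluated in canonical order, inherit-only ACEs are skipped, nested group membership is expanded into the logon token, and a Deny ACE takes precedence over an Allow ACE for the same right. The rights, group names and the CEO account's ACL are constructed for the example; object-type (extended right) GUIDs, owner rights and the Everyone and SELF principals are left out of the model.

```python
from dataclasses import dataclass

# Constructed subset of Active Directory rights as bit flags (real AD has many more).
RIGHTS = (READ, WRITE_PROP, RESET_PASSWORD, WRITE_MEMBERS) = 1, 2, 4, 8

@dataclass(frozen=True)
class ACE:
    trustee: str                # user, group or well-known security principal
    allow: bool                 # True = Allow ACE, False = Deny ACE
    mask: int                   # rights this ACE covers
    inherited: bool = False     # inherited from a parent object
    inherit_only: bool = False  # exists only to flow down to child objects

def canonical(acl):
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def token(user, groups):
    # Expand nested group membership into the principals a logon token carries.
    seen, todo = {user, "Authenticated Users"}, [user]
    while todo:
        new = groups.get(todo.pop(), set()) - seen
        seen |= new
        todo += new
    return seen

def effective_rights(acl, tok):
    # Per right, the first applicable ACE naming a principal in the token decides
    # (Deny wins by ordering); a right no ACE mentions is implicitly denied.
    granted = 0
    for right in RIGHTS:
        for ace in canonical(acl):
            if ace.inherit_only or ace.trustee not in tok or not ace.mask & right:
                continue
            if ace.allow:
                granted |= right
            break
    return granted

def who_can(acl, right, users, groups):
    return sorted(u for u in users if effective_rights(acl, token(u, groups)) & right)

# Constructed sample: nested groups and the ACL on a CEO's account, stored unsorted.
GROUPS = {"alice": {"Regional-IT"}, "Regional-IT": {"HelpDesk"},
          "bob": {"HelpDesk", "Exec-Support"}, "carol": {"Exec-Support"}}
CEO_ACL = [ACE("HelpDesk", True, RESET_PASSWORD, inherited=True),
           ACE("Authenticated Users", True, READ, inherited=True),
           ACE("Exec-Support", True, RESET_PASSWORD | WRITE_PROP),
           ACE("HelpDesk", False, RESET_PASSWORD),
           ACE("Exec-Support", True, WRITE_MEMBERS, inherit_only=True)]
```

A naive read of CEO_ACL names both HelpDesk and Exec-Support as able to reset the CEO's password, yet only carol effectively can: alice inherits HelpDesk membership through nesting and hits the explicit Deny, and bob's explicit Allow via Exec-Support is overridden by that same Deny.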

More on that in days to come.

Best wishes,

PS: I'm going to try and keep these posts short and to the point from now on.
