Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, July 3, 2017

Lack of Gravitas at Organizations + Risks of Amateur Tooling (Day 7)


If you review what I've shared thus far on Active Directory Security, you may likely see why I believe that Microsoft may have completely missed out, for over a decade, on educating the world about what clearly is such a vital aspect of cyber security.

However, in Microsoft's slight defense, I'd also like to add that organizations and amateur vendors are partly responsible too.

In Ever So Slight Defense of Microsoft

First and foremost, I would like everyone to know that I love and care deeply for Microsoft, (and have many friends at Microsoft,) which is the only reason that I am spending so much effort on helping Microsoft and the world understand all this important stuff.

As I indicated on Day-0, the sole objective of conducting this school for Microsoft is because they completely missed out on educating their customers about the importance of "Effective Permissions" to Active Directory security for an entire decade.

In support, I provided irrefutable proof: Top-3 official/primary sources of guidance from Microsoft on Active Directory security -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

As of Jan 26, 2017 (and likely even today), if you did even a simple keyword search for the term "effective permissions" across these 3 official authoritative sources of guidance from Microsoft, you'll find 0 instances of the term "effective permissions."

Zero!      нуль, nul, صفر , 零,Null, μηδέν, ʻole, אֶפֶס , शून्य, ゼロ,제로, nihil, sero !

In all likelihood, if you were to additionally review 10+ years worth of Microsoft TechEd presentations, i.e. a 1000+ of them, presented by Microsoft and other industry experts, again you may likely find virtually zero mention of "effective permissions."

In light of these facts, as hard as I try, it is very difficult for me to defend Microsoft's complete ignorance on the subject.

That said, if I had to try, I would probably have said the following -

If I were still at Microsoft, in its defense I would probably have said - "generally speaking, at Microsoft our primary charter is to make BIG, lasting changes, such as embracing the Cloud, and of course helping safeguard our customers from serious risks to their security (e.g. combating credential-theft attacks.) It does appear though that, for whatever reason, one such serious risk (illustrated here) may not have been on our radar all this while, and we will begin by looking into how and why we may have systemically and completely forgotten to educate our customers about it, for an entire decade.

(Most of my friends at Microsoft would agree that at the very least Microsoft should have adequately educated its customers.)

After all, for Microsoft to have completely missed providing any guidance on such a vital security topic for more than a decade, more than a few folks would've had to have missed this / not gotten it (at all) - several folks on the Product Development Team, Security Business Unit, Microsoft Research, Trustworthy Computing Group, MCS, PSS, MS IT and others, but we'll let it go and focus on helping them get it.

Moving on to...

Lack of Gravitas at Organizations

Microsoft may not be entirely responsible for a global lack of understanding on such a fundamental aspect of cyber security.

Over the last decade, at Paramount Defenses, we've had an opportunity to learn a lot about several thousand organizations, all of whom knocked at our doors unsolicited, and if there is one commonality we've found, it is that most organizations seem to lack gravitas and the depth of knowledge required to adequately protect their foundational Active Directory deployments.

IT Personnel at Organizations

We could share stories many almost unbelievable stories with you, and we're talking about so many of the biggest organizations in the world, but we will never do that because we're professionals. I will just leave it at saying that at the end of the day, based on what we have seen thus far, there are 3 aspects that organizations seem to lack (to varying degrees) -
  1. First and foremost, the understanding that if their Active Directory is compromised, the very foundation of their cyber security is compromised and thus that the very fabric of trust across their network would have been pierced.

  2. Secondly and as a consequence, (the fact that) adequate protection of foundational Active Directory deployments may not even be on their radar, let alone it being one of the top (and adequately funded) cyber security priorities today.

  3. Lastly, at many organizations, IT groups/departments seem to lack the depth of knowledge as well as the expertise required to adequately protect their foundational Active Directory deployments.

Given that Microsoft's documentation at least unequivocally states the value and importance of adequately protecting Active Directory, in light of the above 3 points, it appears that perhaps organizations may likely also be partly responsible -

Quoting Bret Arsenault, Microsoft’s CISO from the Foreward of Microsoft's official whitepaper on Active Directory Security – “Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment.

How much clearer could Microsoft have been than the CISO of Microsoft Corporation stating the above?

Sadly, the reality on the ground today is that so many organizations worldwide do not yet seem to be taking the security of their foundational Active Directory deployments as seriously as they should, and thus may not even know what the attack surface is, what the top Active Directory security risks are, what the easiest avenues to compromise may be, how colossal the impact of an Active Directory security breach could be, what risk mitigation measures they should be enacting to protect Active Directory etc.

Here's super simple evidence - Each week we get to speak to Domain Admin equivalent IT personnel from many organizations across the world, and in many cases, they just do not seem to know what effective permissions in Active Directory are.

I must ask this with complete respect - "Realistically speaking, if Domain Admins at such prominent business and government organizations do not even seem to what effective permissions are, how can these organizations protect their foundational Active Directory deployments?" (No, we're not talking about Mom and Pop Stores, we are talking about multi-billion $ organizations.)

Lastly, Risks of Amateur Tooling (From Amateur Vendors)

The one other thing I will add is that the presence of amateur vendors in the Active Directory security space worries us, because they may be worsening the situation. I say that because not only may their solutions actually be exposing organizations to far greater security risks, their misleading marketing may be giving customers a false sense of security, and that's dangerous.

Sales Associate at Amateur Vendor

Allow me to explain. We know of several vendors in the Active Directory Security space that offer very basic Active Directory reporting/management solutions. If you look into whose behind them, you'll find that many of them are built by puny companies in developing countries by mostly amateur developers, which makes you wonder how reliable and secure their solutions might be. Some of them are outright inaccurate and many of them are not even digitally signed, and they are being sold to and being used by Domain Admin equivalent IT personnel at multi-billion dollar business and government organizations across the world.

Further, more concerning is that fact that many of them are required to be run either as System on Domain Controllers or in highly elevated security contexts such as Domain Admin! Specifically, many of them require organizations to add the service account being used by that solution to the membership of the Domain Admins group.


That, in our professional opinion, is a serious risk, because in essence you have potentially untrustworthy code that isn't even digitally signed, written by amateur developers, with its codebase residing who knows where, running as System on DCs or as Domain Admin at thousands of prominent business and government organizations in the United States, Europe and far beyond!

Think about it. If a nefarious entity or an APT were to be able to compromise even one of these vendors and acquire the ability to tamper with their code-base, it could very quickly completely compromise hundreds, if not thousands of organizations!

This also raises the question as to who at these organizations is authorizing the deployment of a solution to be run as System on DCs or as an Domain/Enterprise Admin, when it is not even digitally signed, i.e. that's trustworthiness evaluation 101.

Finally, there is the part about misleading marketing giving customers a false sense of security, elaborated below.

There are several vendors that offer very basic Active Directory Permissions Audit solutions (i.e. basically well-presented Active Directory ACL dumps) that are substantially inadequate if what you're trying to do is audit privileged access in Active Directory.

Yet, their marketing verbiage (both on-site and in advertisements displayed on Google, Bing etc.) misleads organizations into believing that their products are sufficiently capable of getting the job done, and because these customers don't know better (because Microsoft has never talked about Effective Permissions), they end up acquiring these solution to perform basic Active Directory permissions audits, which obviously provide them with a substantially misleading picture, as a result of which they end up making highly sensitive access-control decisions based on inaccurate data, and in doing so, from that point on, they end up operating on a false sense of security.

Should you like to see what I'm talking about for yourself, simply click here, or Google Active Directory Permissions Audit.

In contrast, technically speaking there is only one correct way to audit privileged access in Active Directory - this.

In fact, one of these solutions is so inaccurate that (to paint you a picture) if it were a security scanner being used at an airport, let alone boarding the flight, we would get out of the airport immediately. The shocking part is that not only does its vendor not know that its not accurate, they've actually spent some marketing dollars to get coverage in a few publications, and of course the publications ran with it, so now you have a vendor that has an inaccurate solution that is also vouched for by small-time publications, and how many IT personnel do you think actually have the expertise to evaluate its accuracy? They'll just see the endorsement from a publication, give it a second's thought, and run with it, and in doing so will have jeopardized their security.

In short, the availability of misleading and potentially low-assurance solutions from many puny vendors does not help security.

Wrapping It Up

Alright, I've said enough today. The point is that Microsoft alone may not be entirely to call out for the fact that 99% of the world has no clue that there's likely a security hole the size of the Pacific Ocean in their foundational Active Directory deployments.

Organizations too likely bear some responsibility for being deep in the dark, especially given that so many of them have been operating on Active Directory for years. Lastly, vendors with misleading marketing and products don't help the situation either.

Next post onwards, we'll get objective and technical and dive into some serious Active Directory security internals.


PS: The objective of this is to help Microsoft get the importance of effective permissions/access to Active Directory security, so that they in turn can help their global customer base understand the sheer vitality of this essential cyber security capability.

No comments:

Post a Comment