Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Wednesday, September 6, 2017

A Trillion $ Question to Microsoft regarding Domain Security Groups


Dear Microsoft,

Today is Day-15 of our Active Directory Security School for you. Since you may still be trying to grasp and comprehend the depth and complexity of what I shared with you on Day 14, I'll keep today's post/lesson really simple, short and to the point.



Domain Security Groups:  An All-Access Pass to 1000s of IT Resources

As you know, at the foundation of cyber security of most IT networks powered by Windows Server lies Active Directory.

As you may also know, in all such IT networks/infrastructures powered by Active Directory, one building block of cyber security in particular is extensively used to provision access to almost all IT resources in the network. Do you know which block it is?


Of course you do! In most IT networks powered by Active Directory, it is Domain Security Groups that are used to provision access to most organizational IT resources such as files, folders, SharePoint portals, Intranet sites etc. across the network!


In fact, in almost every Active Directory deployment in the world, today there exist 1000s of domain security groups within Active Directory that are used to provision secure access to almost the entirety of the organization's IT resources!



For anyone living on Mars, here are a few examples of such domain security groups -

  1. Domain Admins - A small but all-powerful group of privileged users that possess system-wide administrative access.

  2. All Employees - A large membership security group whose members include all organizational employees' accounts.

  3. Contractors - A medium-sized security group whose members may include the accounts of all existing contractors.

  4. Executives - A small security group whose members include all organizational executives' (e.g. C*Os) user accounts.

  5. <Resource-specific> Group - One of thousands of domain security groups that may be used to provision access on various IT resources for various business purposes. For example, Legal Team, R&D Team, Product X Group, etc.

In fact, today Active Directory domain security groups are used to aggregate (group) organizational users for the purpose of facilitating secure access to just about everything in a Microsoft Windows Server based network powered by Active Directory.

And by just about everything, I do mean just about everything - computers, files, folders, documents, emails, SharePoint portals, intranet sites, line-of-business applications, data, databases, VPN, remote access, web access ... <the list goes on and on.>

Thus, it is after all Active Directory domain security groups that help secure the entirety of the organization's IT resources!


Further, often a domain security group in Active Directory gates access to either a large or a highly-sensitive set of IT resources.

It thus logically follows that possibly the easiest way to obtain access to a specific IT resource (or 1000s thereof) that is(/are) protected by an Active Directory domain security group might be to literally just be a member of that domain security group!






Which Begs A Question

If by virtue of being a member of a specific domain security group, one could instantly and automatically get access to all IT resources protected by the domain security group, then one cannot help but ask the simplest of cyber security questions i.e. -


Who can change the membership of a domain security group in Active Directory?

After all, if someone could modify the membership of a specific domain security group, such as All Employees, or Executives, or Secret Project "X" Staff, Project "Stratosphere" Source-Code Access Group etc., he/she could instantly obtain access to literally everything (i.e. all IT resources) that specific domain security group currently has access to, across the entire network!
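
One way a defender can begin to answer this question for a single group, as an added example (not code from this blog or from Paramount Defenses): the Python below parses the SDDL form of a group's security descriptor and lists the trustees whose allow ACEs, as written, let them change the group's membership. The descriptor, SIDs and the second GUID are constructed sample values; deny ACEs, nested group memberships and property-set grants are not resolved, so the result is the list of direct grants, not effective access.

```python
import re
# schemaIDGUID of the 'member' attribute; the Self-Membership validated write shares it.
MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}

def mask_of(rights):
    # SDDL rights are either a hex mask or a run of two-letter codes.
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(BITS.get(code, 0) for code in set(re.findall("..", rights)))

def reasons(mask, obj_guid):
    # Rights in one allow ACE that let its trustee alter the group's membership.
    on_member = obj_guid.lower() in ("", MEMBER)  # empty GUID = all properties
    checks = [("GenericAll", "GA", True), ("GenericWrite", "GW", True),
              ("WriteProperty:member", "WP", on_member),
              ("SelfMembership", "SW", on_member),
              ("WriteDacl", "WD", True), ("WriteOwner", "WO", True)]
    return [name for name, code, ok in checks if ok and mask & BITS[code]]

def who_can_change_membership(sddl):
    found = {}
    owner = re.search(r"O:(S-[0-9-]+|[A-Z]{2})", sddl)
    if owner:  # an object's owner can always rewrite its DACL
        found[owner.group(1)] = ["Owner"]
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        if kind not in ("A", "OA") or "IO" in re.findall("..", flags):
            continue  # deny/audit ACEs and inherit-only (IO) ACEs grant nothing here
        why = reasons(mask_of(rights), obj)
        if why:
            found.setdefault(trustee, []).extend(why)
    return found

# Constructed sample: descriptor of a hypothetical "Executives" group.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
OTHER = "00000000-0000-0000-0000-0000000000aa"      # placeholder attribute GUID
SAMPLE = ("O:DAG:DAD:AI"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"     # Domain Admins, full control
          "(A;;RPLCLORC;;;AU)"                        # Authenticated Users, read
          f"(OA;;WP;{MEMBER};;{DOM}-1105)"            # delegated write to 'member'
          f"(A;CIID;WD;;;{DOM}-1107)"                 # inherited WriteDacl
          f"(OA;CIIOID;WP;{MEMBER};;{DOM}-1108)"      # inherit-only, skipped
          f"(OA;;WP;{OTHER};;{DOM}-1109)")            # write to another attribute

if __name__ == "__main__":
    print(who_can_change_membership(SAMPLE))
```

With the ActiveDirectory PowerShell module loaded, the input string for a real group can be taken from `(Get-Acl "AD:\<group DN>").Sddl`.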





A Simple Example

Perhaps this is best understood with a simple example, so here's a very simple one.

Consider that it's Friday evening, and that a multi-billion dollar organization is going to announce their quarterly earnings on Monday at the close of the market. Further consider that this sensitive and highly confidential information (i.e. their Earnings) resides in a simple Microsoft Excel file titled Q3 2017 P&L, the only copy of which resides on a highly-protected server that's both physically located in their ultra secure data-center, and to which (server) all suspicious network access is monitored.


Now, consider that an intruder (funded by a wealthy nefarious entity) has been able to breach their perimeter and compromise a domain-joined machine and further has been able to ascertain that this specific file contains the information this entity has an interest in acquiring prior to Monday afternoon, because if they could access this information, they could possibly make $100M.

The intruder may not be able to obtain physical access to the server on which it resides, and he/she may not want to attempt trying to breach the security of the server over the network since all suspicious network activity is being monitored, (and for all Mimikatz fans, sadly no Domain Admin either has or is going to log on to the one machine you've compromised and now 0wn), so might there be an easier way for him/her to obtain access to this file?

Consider this! He/she may not be able to access the contents of the file but he/she can view its ACL, and thus he/she can see (as shown in the snapshot above) that the domain security group Executives has Full Control over this file. So, if he/she could somehow become a member of this domain security group (or compromise the user account of an existing member of this domain security group), he/she will be able to instantly (and in fact as far as the "System" is concerned, legitimately) access the contents of this high-value confidential file without any suspicion being raised anywhere or a single alarm going off anywhere!

In effect, his/her challenge has now been reduced to finding out exactly who can change the membership of the Executives domain security group, because if he/she can compromise the account of any one such individual, he/she would literally be a minute away from being able to change the membership of that group, and thus consequently obtaining access to that file!

In other words, the entire focus of attack just shifted from a highly secured IT resource to a single Active Directory object!

(In the interest of brevity, I'm not going to go into further detail, but for those skilled in the art, the rest should be obvious.)






So, Microsoft, What's the Answer?

Dear Microsoft, you are a $550 Billion company today and one of the most important and valuable organizations in the world.


(You can take that as a compliment from the CEO of the most important and valuable cyber security company in the world.)


As you'll hopefully agree, since domain security groups help protect trillions of dollars in wealth worldwide today, the discussion and example above lead us back to and prompt one of the most simple and fundamental questions in cyber security -

Question: Who can change the membership of a domain security group in Active Directory? (and ideally that of each domain security group in each one of 1000s of Active Directory domains of business and govt. organizations worldwide?)


Microsoft, you have now had 17+ years to demonstrate your deep expertise and thought leadership to the World in the vital Active Directory Security, Windows Security and the Cyber Security spaces, and you've spent Billions on it, so I ask you -

"Do YOU think this (i.e. the one above) is an important question for organizations to know the answer to, 
  and if so, can YOU please (at least) tell them HOW they can/should answer this question?!"



Oh, and since you're Microsoft, I have just one more question for you
(i.e. an opportunity for you to earn a few bonus points ;-) ) -

"Can YOU help them answer this question?"



That's it for today. The answer tomorrow on Day 16.

Best,
Sanjay


PS: See, I told you that today's would be a much simpler question than the previous one i.e. this one. Besides, if you've been attending your school regularly, by now you know that this is a rhetorical question that I've already answered many times over!


PS2: Microsoft, I may be a bit hard on you, but please know that I care deeply for you, and that you enjoy my goodwill. By the way, if I'm hard on you, it's only because I feel that you had 17 years to educate your customers about this / this, yet you didn't, and likely as a result 1000s of organizations worldwide are blissfully operating in the dark, minutes away from compromise :-(

