Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Friday, October 6, 2017

Microsoft, Have 1000s of Major Organizations Been Furnishing Inaccurate Evidence to Demonstrate Compliance of Access Rights in Active Directory?

Dear Microsoft,

(This is my last post of being a tad tough on you. From the next post onwards, I'm going to be helping you out tremendously, because I am on your side.  As for this last tough post, I hope you've got the point I have been trying to make all this while.)

Today is Day-20 of our Active Directory Security School for you. Thus far, I've asked you a few basic/elemental questions (e.g. this one, this one, this one, this one, this one or this one) concerning Active Directory Security, and I don't think you may have an answer for even one of them, perhaps as they may seem to be difficult, so today I'll ask you a simple question.

Regulatory Compliance 101 and Active Directory

As you may know, for many years now, thousands of organizations across the world, such as all publicly-traded organizations in the United States, the European Union and in other legal jurisdictions, have, for various reasons, been required to and continue to be required to demonstrate regulatory compliance of access rights in Active Directory.

The reason for this very simply is that many critical organizational IT assets that fall under the purview of these regulations, such as the domain user accounts of key executives (e.g. C*Os), are all stored, protected and managed in Active Directory.

So, for illustrative purposes, let's take a closer look at just ONE such requirement, and ask ourselves whether 1000s of such organizations may have been furnishing inaccurate evidence to demonstrate compliance of access rights in Active Directory?

Specifically, let's consider just one specific ask, which is to determine and furnish evidence to demonstrate exactly -
Who can reset the password of an organization's Chief Executive Officer's (CEO's) and Chief Financial Officer's (CFO's) domain user accounts?

I hope I don't have to explain why something as basic as this would fall under the purview of most regulatory compliance asks.

(If someone could reset the password of the CEO or the CFO of an organization, he/she could instantly gain access to highly sensitive and confidential information, the knowledge (and the unauthorized use or unauthorized disclosure) of which could be used to substantially impact the organization's stock-price, and thus its valuation, and this could adversely impact shareholders.)

Who can Reset the CEOs Password?

Let's consider what it takes to find out who can reset the password of the CEO's domain (i.e. Active Directory) user account.

As I have indicated numerous times by now (1, 2, 3), to make this paramount determination, what organizational IT personnel need to do is find out exactly who has Reset-Password extended right effective permissions on the CEO's domain user account -

The keyword here is effective permissions i.e. and to be most specific, I mean Active Directory Effective Permissions.

It is impossible to accurately make this determination without being able to accurately determine effective permissions on the CEO's domain user account in Active Directory, and consequently, it is impossible to furnish accurate evidence in this regard to demonstrate regulatory compliance without having the ability to accurately determine effective permissions in Active Directory.

Now, let alone having the ability to accurately determine effective permissions in Active Directory, at most organizations, IT personnel don't even seem to know that in order to make this paramount determination, they need to determine effective permissions in Active Directory! In fact, all along, at most organizations, IT personnel have merely been finding out "who has what permissions in Active Directory" as opposed to finding out "who has what effective permissions in Active Directory."

Thus it logically follows that most organizations worldwide have not even been making this determination correctly, and thus it can be stated with a reasonably high degree of confidence that 1000s of organizations worldwide may have been, for years now, furnishing inaccurate evidence to demonstrate the regulatory compliance of access rights in Active Directory!

I do not know what the specific penalties for furnishing inaccurate regulatory compliance evidence might be, but the CFOs of these organizations (including yours) will likely know, as they are required to personally sign-off on all such furnished evidence.

Microsoft, if only you would've educated the world years ago about "Active Directory Effective Permissions" and their paramount role in literally everything related to cyber security in Windows environments, including of course regulatory compliance, you could've saved the world a lot of trouble. Thankfully, today these C*Os can now themselves audit who can reset their password!

Speaking of which, not just to demonstrate regulatory compliance but to maintain cyber security, ideally, all organizations must, at all times, know exactly who can reset the passwords of all domain user accounts in their Active Directory, and now they can.

Speaking of Auditors

By the way, I should mention that we've had so many organizations request our assistance in this regard, and when asked as to the reason, we've been told that their "regulatory compliance auditors asked to furnish a list of everyone who can CHANGE the CEO's & CFO's password!" We thought we may have heard incorrectly, so we asked twice, and the answer again was that their "regulatory compliance auditors asked to furnish a list of everyone who can CHANGE the CEO's & CFO's password!"

CHANGE Password or RESET Password ?!

Do these auditors NOT know that it is not who can CHANGE a user's password that matters but in fact it is who can RESET a user's password that matters, BECAUSE by nature, in order to CHANGE a user's password, you need to (i.e. are required to) demonstrate knowledge of the EXISTING password, which is something ONLY the CEO him/herself should know about.

You see, in contrast to a password change, a password RESET operation does NOT require one to demonstrate knowledge of the EXISTING password, but in fact only requires that you have sufficient effective permissions to be able to reset the user's password, which is governed by the Reset Password extended right on the individual's domain user account!

So, if any there are any auditors out there still asking for "Who can change the CEO's password?" they'll want to read this.

Like so many other things, I cannot stress this enough. The subtle yet profound difference between a Password Change and Password Reset is possibly one of the most misunderstood yet important areas of organizational cyber security today!

Just One More Thing - SmartCards!

Organizations that use Smartcards for user authentication may perceive this as not being too applicable to them considering that they may be operating under a heightened (but false) sense of security, given that they're using Smartcards (or some other means) for two-factor authentication for their domain user accounts, including thus for their executive domain user accounts.

Well, all such organizations should know that smartcard authentication on a domain user account can be turned off at the flip of a single bit on the domain user account, and the moment it is turned off, authentication on that account automatically falls back to being password based, with a random password being applied to the domain user account!

To all such organizations, I'd humbly recommend trying to find out exactly who can disable the use of smart-cards on all their domain user accounts. Oh and by the way, in order to make that determination, they'll need to determine effective permissions on each one of their domain user accounts. Yes, I'm aware that this determination is not at all easy to make and it could take weeks, if not months, but this is after all extremely important to organizational security, isn't it. (What if it took just minutes ?!)

Tip of the Iceberg

Demonstrating compliance of "Who can Reset the Password of the C*O's Domain User Accounts" is just the Tip of the Iceberg!

In reality, there is so much more that most publicly held organizations in most legal jurisdictions worldwide need to assess and demonstrate the regulatory compliance of, that requires the determination of effective permissions/access in Active Directory.

Unfortunately, because so many organizations worldwide may still not know about the subtle but profound difference between  "Who has what permissions in Active Directory"  and  "Who has what effective permissions in Active Directory", they very likely may have been furnishing inaccurate evidence all these years!

In Summary

Microsoft, given what it is we uniquely do, my time is extremely valuable, and over the past few weeks, I've invested a lot of my valuable time towards helping you understand why it is so very important for you to help thousands of organizations understand the paramount importance of being able to determine effective permissions (/ effective access) in Active Directory.

It is paramount to the foundational cyber security of your customers, and I'd still like to believe that you're not just all talk.

Today's post was meant to demonstrate that Active Directory Effective Permissions impact not just the foundational cyber security of organizations worldwide, but in fact also impact all related areas, such as demonstrating regulatory compliance.

In all seriousness, Microsoft, perhaps likely thanks to you, thousands of prominent organizations worldwide may very well have been furnishing inaccurate evidence to demonstrate compliance of access rights in Active Directory, and doing so for years!

Alright, that's all for today.


This post marks the end of my being tough on Microsoft. Next post onwards, I'm going to be helping them out tremendously.

No comments:

Post a Comment