Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Tuesday, December 12, 2017

How to Correctly Discover Shadow Admins in Active Directory

Shadow Admins - The Stealthy Accounts That You Should Fear The Most, but Needn't Anymore


Folks,

A few weeks ago, CyberArk, a billion-dollar-plus cyber security company in the Privileged Account Security space, published guidance on how organizations could identify the dangerous "Shadow Admin" accounts that exist in almost every Active Directory deployment today.

Here's their blog post - Shadow Admins - The Stealthy Accounts that You Should Fear The Most.


Unfortunately, their well-intentioned guidance (and accompanying tooling) for organizations worldwide, although on-point concerning the real danger that undetected "Shadow Admins" pose to organizations, seems substantially inaccurate.

Thus, to help CyberArk's own cyber security experts, as well as to help all IT and Cyber Security professionals at thousands of organizations better understand this subject, today, I'll show you how to correctly identify "Shadow Admins" in Active Directory.

This is Part II of the following, so you'll absolutely want to read - Paramount Privileged Account Security Guidance for CyberArk.

Pre-Requisites: To follow the contents of, and the examples shared in this post, you'll want to read the following -
  1. Shadow Admins - The Stealthy Accounts that You Should Fear The Most
  2. Paramount Privileged Account Security Guidance for CyberArk




First, Some Quick Background

As we all know, over 85% of organizations worldwide operate on Microsoft's Windows Server platform, and in IT infrastructures powered by Windows Server, at the very heart of cyber security and privileged access lies Microsoft Active Directory.


Not only does Active Directory store and protect the most powerful administrative/privileged accounts in a Windows network, it is also the focal point of administrative delegation, and over the last 17 years, at most organizations, a substantial amount of access provisioning has been done in Active Directory, both to delegate administrative authority and to fulfill business needs.

Consequently, generally speaking, there are 3 levels of privileged access in Windows networks -
  1. Local administrative/privileged access on domain-joined machines
  2. Delegated administrative access within Active Directory
  3. Unrestricted privileged access (accounts and groups) in Active Directory

Of these 3 levels of privileged access, 1 is least powerful and 3 is most powerful. Level 2 is interesting because depending on the access provisioned/delegated, many level 2 access holders, unbeknownst to anyone, could in fact possess Level 3 access!

Now, consider Level 2 accounts that may not be members of any default admin (privileged) access group in Active Directory.

Should any of these Level 2 accounts, directly or indirectly, have certain modify permissions effectively allowed on one or more Level 3 accounts or groups, then even though they are not members of any default administrative (privileged) group in Active Directory, they would still hold access that is tantamount to unrestricted privileged access in Active Directory. It is such accounts that CyberArk's experts are referring to as "Shadow Admins."

Further, since these accounts are not members of any default admin group, and since the extent to which most organizations go to identify privileged users in Active Directory is to enumerate the membership of those default admin groups, at most organizations all such accounts will likely remain undetected, even though a proficient intruder who knows how to identify such accounts could easily find and then exploit them to obtain complete command and control over the entire organization!

Up until this point, CyberArk's guidance is accurate.




Ah, Active Directory Effective Permissions 

Now consider this - consider the domain user account of an ordinary user John Doe. Assume that he is not a member of any default admin (privileged) user group in Active Directory. Further assume that in the ACL of the Domain Admins group, he has been directly granted the following Active Directory security permission - { Allow John Doe Write-property Member }

Based on the above, do you think John Doe will be able to modify the membership of the Domain Admins group?

Most IT personnel, including CyberArk's experts, will likely say - YES!

However, if you ask an Active Directory Security expert, his answer will be - Maybe. (It depends.)

So, what does it depend on?!

Consider this. Imagine that there is a security group in Active Directory called Active Directory Security Novices and assume that this security group is NOT a member of any default Active Directory admin groups. However, assume that perhaps a few months ago, someone specified ANY ONE of the following several security permissions in the Domain Admins group's ACL -
  1. { Deny Active Directory Security Novices Write-property Member } OR
  2. { Deny Active Directory Security Novices Write All Properties } OR
  3. { Deny Active Directory Security Novices Full Control }

Now, if you ask an Active Directory Security expert, his answer will still be - Maybe. (It depends.)

The reason it is still Maybe is that it depends on whether these Deny permissions are explicit (i.e. specified directly in the object's ACL) or inherited, on whether the Allow permission for John Doe is explicit or inherited, and on whether John Doe is in fact a member of Active Directory Security Novices (directly, or through any depth of group nesting). Windows evaluates the ACEs of a canonically ordered DACL as explicit Deny, then explicit Allow, then inherited Deny, then inherited Allow, and for a single requested right the first ACE that matches decides.

If these Deny permissions are explicit and John Doe is (however indirectly) a member of that group, then even though there exists an { Allow John Doe Write-property Member } permission in the ACL of the Domain Admins group's object, John Doe will NOT be able to change the group's membership! Conversely, if only an inherited Deny applied to him, his explicit Allow would be evaluated first and would win.

What I have just shared with you is a very highly simplified example of Active Directory Effective Permissions.


Thus, if one were to merely "search and analyze the ACL permissions granted to each account" one could easily end up with inaccurate results, and in security, even ONE such inaccuracy could mean the difference between being secure and being breached!

This is where CyberArk's guidance is inaccurate.

Specifically, their guidance and tooling does NOT involve determining effective permissions in Active Directory; it merely involves searching Active Directory ACLs for any permissions granted to individual user accounts, and as we have just seen, such an approach is not only the incorrect way to discover such "Shadow Admin" accounts, it is also dangerously misleading!




The Only Correct Way

The only correct way to find out who actually has what access, including privileged access, in Active Directory is to accurately determine effective permissions in Active Directory. There is NO other way to accurately make this determination. Period.

In fact, Active Directory Effective Permissions are paramount to cyber security because they determine exactly who can do what on any and every object in Active Directory, from the CEO's domain user account to the Domain Admins domain security group!

It is for this simple reason that an organization that does not possess the ability to accurately identify effective permissions in Active Directory could not possibly adequately secure and defend its foundational Active Directory deployment.




Let's See a Demo -

Let us see this in action. In order to keep this very simple, we've used the same domain name for our test Active Directory so that everyone can follow this as an assumed continuation of the examples shared in CyberArk's post.


The Setup

We begin by installing a brand-new Active Directory domain, so it only has default administrative groups and default ACLing.


For our demo, to begin with, we'll create only five objects -
  1. An OU named Demo, to store our demo accounts and groups
  2. A regular domain user account named James
  3. A regular domain user account named Emily
  4. A regular domain security group named Cyberdark Gurus
  5. A regular domain security group named Active Directory Security Novices

That's it. We do not need to create any other objects right now as we're trying to keep this super simple.

Note: Please note that each of these two domain user accounts and two domain security groups is a regular account or group, i.e. none of them is a member of any default Active Directory administrative group.


The only other thing we will do is make the Cyberdark Gurus group a member of the Active Directory Security Novices group -


Thus, as you can see above, the Cyberdark Gurus group is now a member of the Active Directory Security Novices group.



Demo #1

To begin, we make James a member of the Cyberdark Gurus domain security group -


Next, we will modify the (up until now) default ACL on the Domain Admins security group, and specify the following two explicit permissions -
  1. { Deny Active Directory Security Novices Special* }
  2. { Allow James Write-Property Member}
Special*: Modify Owner, Modify Permissions, Delete, Delete Tree, All Extended Rights, All Validated Writes AND Write All Properties. (We could've easily just denied Write-All Properties and that would have been sufficient.)

Here is the resulting ACL on the Domain Admins security group -



Since we're unable to view the Special permissions in ADUC, we can launch this tool to view the ACL more clearly -



As seen above, we can now clearly see the two permissions we just added (see Rows #1 and #2).

Now, as we can see there is clearly a permission allowing James Write-Property member on the Domain Admins group, so does this mean that he is a "Shadow Admin" who can change the Domain Admin group's membership?


To see what CyberArk's ACLight tool determines, let's run it and examine its findings/results -



ACLight has finished its analysis, so let us view its results -


Per ACLight, James is a "Shadow Admin" because the tool seems to have determined that James can modify the membership of the Domain Admins group, as there is an Allow permission granted to him directly in the ACL of the Domain Admins group.

To verify this finding, perhaps we should log in as James and try to modify the membership of the Domain Admins security group, and see whether we succeed in doing so -



As you can see above, the Add and Remove buttons are disabled, because ADUC has determined that James does not in fact have sufficient access to modify the group's membership!

Hmm... does this mean that ACLight's findings are inaccurate? Is there even a way to verify this?


Well, let's launch the world's only accurate Active Directory Effective Permissions Calculator, and see what it reveals -


According to this tool, James is NOT on the list of individuals who have sufficient Write-Property Member effective permissions on the Domain Admins security group, and since he is not on the list, according to this tool's findings, he cannot in fact change the membership of the Domain Admins security group, and thus he is NOT a "Shadow Admin"!

In other words, CyberArk's ACLight tool is delivering inaccurate results, because as we have experimentally verified as well, James was NOT in fact able to modify the Domain Admins group membership!

To conclude Demo #1, let us examine why he was not able to do so.

Let us take a closer look at the ACL of the Domain Admins group -


As we can see, the explicit Deny Write All Properties permission specified for Active Directory Security Novices overrides the explicit Allow Write-Property Member permission specified for James, for two reasons that are not readily apparent here: James is a member of the Cyberdark Gurus group, which in turn is a member of the Active Directory Security Novices group, so the Deny applies to him; and since both ACEs are explicit, the Deny is ordered in the DACL (and therefore evaluated) before the Allow.

Now, in case you're a CISO or someone who may not know as much about Active Directory effective permissions, you can still make this determination most easily by using the second tool on this page -


As you can see, this tool makes this determination and provides its output in plain English, completely obviating the need for you to know any Active Directory security technical details.

Thus, we just saw and verified that indeed the ACLight tool is NOT delivering accurate results!

Before moving on to the second demo, you'll want to undo these two ACL changes to continue to keep it simple. (Note that the Domain Admins group is protected by AdminSDHolder, so the SDProp process will in any case overwrite its ACL with the AdminSDHolder template within 60 minutes by default; that is also why each demo's verification steps should be run promptly after the ACL is modified.)




Demo #2

For our second demo, we'll create a new domain user account called SysAdmin in the Users container, and then we will add it to the default Builtin Admins (i.e. Administrators) group so that it is now a privileged user account -


Now that we have an additional privileged user account to experiment on, let's proceed with demo #2.

To begin, we make Emily a member of the Cyberdark Gurus domain security group -



Next, we will modify the (up until now) default ACL on the SysAdmin privileged domain user account, and specify the following two explicit permissions -
  1. { Deny Active Directory Security Novices All Extended Rights }
  2. { Allow Emily Extended Right Reset Password}
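To make both demos reproducible from a script rather than from ADUC screenshots, here is an added example (it is not code from the original post, nor CyberArk's ACLight) that builds the five demo objects, the group nesting, the SysAdmin account, and the two explicit ACEs of each demo on a freshly installed test domain. It assumes the RSAT ActiveDirectory PowerShell module and Domain Admin rights, and it reduces Demo #1's "Special" Deny to Write All Properties, which the post notes is sufficient on its own. The object-type GUIDs are the schema's fixed values for the member attribute and the User-Force-Change-Password control access right.

```powershell
# Added example (not the post's tooling, not CyberArk's ACLight): scripted
# version of the demo setup, so the two demos can be replicated exactly on a
# freshly installed test domain. Assumes the RSAT ActiveDirectory module and
# Domain Admin rights. Demo #1's Deny is reduced to Write All Properties, which
# the post notes is sufficient on its own.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$demoOu   = "OU=Demo,$domainDn"
$pw       = Read-Host -AsSecureString 'Password for the demo accounts'

# The five demo objects, plus the group nesting the demos depend on.
New-ADOrganizationalUnit -Name 'Demo' -Path $domainDn -ProtectedFromAccidentalDeletion $false
foreach ($name in 'James', 'Emily') {
    New-ADUser -Name $name -SamAccountName $name -Path $demoOu -AccountPassword $pw -Enabled $true
}
foreach ($name in 'Cyberdark Gurus', 'Active Directory Security Novices') {
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $demoOu
}
Add-ADGroupMember -Identity 'Active Directory Security Novices' -Members 'Cyberdark Gurus'
Add-ADGroupMember -Identity 'Cyberdark Gurus' -Members 'James', 'Emily'   # James for Demo #1, Emily for Demo #2

# Demo #2's target: a privileged account in the Users container.
New-ADUser -Name 'SysAdmin' -SamAccountName 'SysAdmin' -Path "CN=Users,$domainDn" -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity 'Administrators' -Members 'SysAdmin'

# Object-type GUIDs the Allow ACEs are scoped to (fixed in the AD schema).
$memberAttr   = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute: member
$resetPwRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: User-Force-Change-Password

# Adds one explicit Deny (no object type, so it covers every property or every
# extended right) and one explicit Allow scoped to a single GUID, then writes the DACL back.
function Add-DemoAcePair {
    param(
        [string]$TargetDn,
        [System.Security.Principal.SecurityIdentifier]$DenySid,
        [System.DirectoryServices.ActiveDirectoryRights]$DenyRights,
        [System.Security.Principal.SecurityIdentifier]$AllowSid,
        [System.DirectoryServices.ActiveDirectoryRights]$AllowRights,
        [Guid]$AllowObjectType
    )
    $deny  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                 $DenySid, $DenyRights, [System.Security.AccessControl.AccessControlType]::Deny)
    $allow = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                 $AllowSid, $AllowRights, [System.Security.AccessControl.AccessControlType]::Allow, $AllowObjectType)
    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($deny)
    $acl.AddAccessRule($allow)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

$novicesSid = (Get-ADGroup 'Active Directory Security Novices').SID
$WP = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ER = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Demo #1 on the Domain Admins group:
#   { Deny Active Directory Security Novices Write All Properties } and { Allow James Write-Property Member }
Add-DemoAcePair -TargetDn (Get-ADGroup 'Domain Admins').DistinguishedName `
    -DenySid $novicesSid -DenyRights $WP `
    -AllowSid (Get-ADUser 'James').SID -AllowRights $WP -AllowObjectType $memberAttr

# Demo #2 on the SysAdmin account:
#   { Deny Active Directory Security Novices All Extended Rights } and { Allow Emily Extended Right Reset Password }
Add-DemoAcePair -TargetDn (Get-ADUser 'SysAdmin').DistinguishedName `
    -DenySid $novicesSid -DenyRights $ER `
    -AllowSid (Get-ADUser 'Emily').SID -AllowRights $ER -AllowObjectType $resetPwRight
```

Both target objects are AdminSDHolder-protected (Domain Admins is a protected group, and SysAdmin receives adminCount=1 once it is in Administrators), so SDProp will overwrite these DACLs with the AdminSDHolder template within 60 minutes by default. Run each demo's checks promptly after the script; to undo a demo early, remove the two rules with RemoveAccessRule on the same ACL object and Set-Acl it back, or simply wait for SDProp.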

Here is the resulting ACL on the SysAdmin privileged user account -



Again, to see these permissions most clearly, let us view this object's ACL using this tool -



As seen above, we can now clearly see the two permissions we just added (see Rows #1 and #2).

Now, as we can see, there is clearly a permission allowing Emily the Reset Password extended right on the SysAdmin account, so does this mean that she is a "Shadow Admin" who can reset the privileged SysAdmin account's password?


To see what CyberArk's ACLight tool determines, let's run it and examine its findings/results -



ACLight has finished its analysis, so let us view its results -


Per ACLight, Emily is a "Shadow Admin" because the tool seems to have determined that Emily can reset the password of the SysAdmin user account, as there is an Allow permission granted to her directly in the ACL of the SysAdmin account.


To verify this finding, perhaps we should log in as Emily and try to reset the password of the SysAdmin privileged user account, and see whether we succeed in doing so -



As you can see above, Emily is unable to reset the password of the SysAdmin privileged user account, and ADUC has displayed the message "Windows cannot complete the password change for SysAdmin because: Access is Denied." In other words, Emily does not in fact have sufficient access to do so!

Hmm... does this mean that ACLight's findings are inaccurate?

Let's launch the world's only accurate Active Directory Effective Permissions Calculator, and see what it reveals -


According to this tool, Emily is NOT on the list of individuals who have sufficient Reset Password extended right effective permissions on the SysAdmin domain user account, and since she is not on the list, according to this tool's findings, she cannot in fact reset the SysAdmin privileged user account's password, and thus she too is NOT a "Shadow Admin"!

In other words, CyberArk's ACLight tool appears to have yet again delivered inaccurate results, because, as we have experimentally verified as well, Emily was NOT in fact able to reset the SysAdmin privileged account's password!

To conclude Demo #2, let us examine why she was not able to do so.

Let us take a closer look at the ACL of the SysAdmin privileged user account -



As we can see, the explicit Deny All Extended Rights permission specified for Active Directory Security Novices overrides the explicit Allow Reset Password Extended Right permission specified for Emily, again for two reasons that are not apparent here: Emily is a member of the Cyberdark Gurus group, which in turn is a member of the Active Directory Security Novices group, so the Deny applies to her; and since both ACEs are explicit, the Deny is ordered in the DACL (and therefore evaluated) before the Allow. Note also that the Deny carries no object-type GUID, so it covers every extended right, Reset Password included.
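Here is an added example (my own, not the Effective Permissions Calculator used in the post and not ACLight) that implements the determination argued for in both demos and in the John Doe discussion earlier, for one user, one right and one object: expand the user's complete nested group membership via tokenGroups, then walk the object's DACL in stored order honouring Deny ACEs, inherit-only ACEs and object-type GUIDs. It uses System.DirectoryServices directly for the ACL and for tokenGroups, and the ActiveDirectory module only to resolve names to distinguished names; the GUIDs for the member attribute, the Membership property set and the User-Force-Change-Password right are the schema's fixed values. The Find-MemberWriters sweep at the end is the same check run across every enabled user and every adminCount=1 group; it is my assumption about how one would scale the check, not a description of any product.

```powershell
# Added example (not the post's Effective Permissions Calculator, not ACLight):
# a minimal effective-access check for ONE right on ONE object, done the way
# the post argues it must be: expand the user's complete (nested) group
# membership first, then walk the object's DACL in stored order, honouring Deny
# ACEs, inherit-only ACEs and object-type GUIDs. System.DirectoryServices is used
# for the ACL and tokenGroups; the ActiveDirectory module only resolves names to DNs.
Import-Module ActiveDirectory

# Object-type GUIDs relevant to the two demos (fixed in the AD schema).
$KnownGuid = @{
    MemberAttr    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute: member
    MembershipSet = [Guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'  # property set that contains member
    ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: User-Force-Change-Password
}

function Get-TokenSids {
    # tokenGroups is computed by the DC and already contains every nested
    # security group (circular nesting included), so no manual recursion is needed.
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.psbase.RefreshCache(@('objectSid', 'tokenGroups'))
    $sids = @([System.Security.Principal.SecurityIdentifier]::new($user.psbase.Properties['objectSid'][0], 0))
    foreach ($raw in $user.psbase.Properties['tokenGroups']) {
        $sids += [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
    }
    # tokenGroups omits the well-known SIDs the DC adds to every authenticated
    # token; ACEs for them are common, so add the two that matter most
    # (assumption: a domain-authenticated user).
    $sids += [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # Everyone
    $sids += [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # Authenticated Users
    return $sids
}

function Test-EffectiveRight {
    param(
        [string]$UserDn,
        [string]$ObjectDn,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,  # e.g. WriteProperty or ExtendedRight
        [Guid[]]$ObjectTypes                                     # the attribute/right GUID plus any property set containing it
    )
    $token = Get-TokenSids -UserDn $UserDn
    $obj   = [ADSI]"LDAP://$ObjectDn"
    $rules = $obj.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # ACEs are evaluated in DACL order. Windows tooling stores them canonically
    # (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which is
    # why an explicit Deny on a nested group beats an explicit Allow on the user,
    # while an inherited Deny would lose to that same explicit Allow.
    foreach ($ace in $rules) {
        # Inherit-only ACEs exist for child objects and never apply to the object itself.
        if (([int]$ace.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($token -notcontains $ace.IdentityReference) { continue }
        # Bitwise test so GenericAll / GenericWrite (which carry the bit) also match.
        if (([int]$ace.ActiveDirectoryRights -band [int]$Right) -eq 0) { continue }
        # No object type = "Write All Properties" / "All Extended Rights": applies to
        # everything. Otherwise the ACE must name our attribute, its property set, or our right.
        if ($ace.ObjectType -ne [Guid]::Empty -and $ObjectTypes -notcontains $ace.ObjectType) { continue }
        # Single requested bit, so the first matching ACE decides.
        $verdict = if ($ace.AccessControlType -eq 'Deny') { 'DENIED' } else { 'ALLOWED' }
        return [pscustomobject]@{
            Verdict     = $verdict
            DecidingAce = "$($ace.AccessControlType) $($ace.IdentityReference.Value) $($ace.ActiveDirectoryRights)"
            Inherited   = $ace.IsInherited
        }
    }
    # No matching ACE: implicit deny (owners only get READ_CONTROL/WRITE_DAC implicitly).
    return [pscustomobject]@{ Verdict = 'DENIED'; DecidingAce = '(no matching ACE)'; Inherited = $null }
}

# Domain-wide flavour: every enabled user against every AdminSDHolder-protected group.
function Find-MemberWriters {
    $targets = Get-ADGroup -LDAPFilter '(adminCount=1)'
    $users   = Get-ADUser  -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    foreach ($g in $targets) {
        foreach ($u in $users) {
            $r = Test-EffectiveRight -UserDn $u.DistinguishedName -ObjectDn $g.DistinguishedName `
                     -Right WriteProperty -ObjectTypes $KnownGuid.MemberAttr, $KnownGuid.MembershipSet
            if ($r.Verdict -eq 'ALLOWED') {
                [pscustomobject]@{ Group = $g.Name; User = $u.SamAccountName; Via = $r.DecidingAce }
            }
        }
    }
}

# Demo #1: can James write 'member' on Domain Admins?
Test-EffectiveRight -UserDn (Get-ADUser 'James').DistinguishedName `
    -ObjectDn (Get-ADGroup 'Domain Admins').DistinguishedName `
    -Right WriteProperty -ObjectTypes $KnownGuid.MemberAttr, $KnownGuid.MembershipSet

# Demo #2: can Emily reset SysAdmin's password?
Test-EffectiveRight -UserDn (Get-ADUser 'Emily').DistinguishedName `
    -ObjectDn (Get-ADUser 'SysAdmin').DistinguishedName `
    -Right ExtendedRight -ObjectTypes $KnownGuid.ResetPassword
```

This is deliberately a simplified model of the real access check: a single requested bit with first-match semantics, no owner-implied rights, no validated writes, and no property-set hierarchy beyond the GUIDs you pass in. Where it reports ALLOWED, the post's own empirical test (attempt the operation as that user) remains the ground truth; where it reports DENIED because of a Deny ACE on a nested group, that is precisely the case an ACL search for Allow entries reports as a "Shadow Admin".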

Now, in case you're a CISO or someone who may not know as much about Active Directory effective permissions, you can still make this determination most easily by using the second tool on this page -


As you can see, this tool makes this determination and provides its output in plain English, completely obviating the need for you to know any Active Directory security technical details.

Thus, we just saw and verified twice that indeed the ACLight tool is NOT delivering accurate results!




Domain-wide Assessment

Now, some of you may find yourself pointing out that the tools we used above only seem to be able to determine effective permissions/access on a per object basis. That is in fact right, and yet they are the only tools on the planet that can accurately determine effective permissions and effective access in Active Directory.

However, there is hope. Organizations can in fact make these determinations domain-wide today by using the following tool, which is the world's only accurate Active Directory Administrative Access / Delegation Audit Tool - 


This tool can make these determinations domain-wide, i.e. on thousands of objects in an Active Directory domain, in a single assessment, at the touch of a single button, and usually within minutes!

Perhaps, if we were Active Directory novices, we might have called it an Active Directory Shadow Admin Discovery/Audit Tool, but since we're experts, we know that what are being referred to as "Shadow Admins", "Stealthy Admins" etc. are merely "Delegated Admins" in Active Directory, hence the name of this tool, i.e. Active Directory Access and Delegation Audit Tool.

In fact this tool above can do in minutes what a thousand Active Directory security experts put together couldn't accomplish in a year, and do so in real (complex) Active Directory environments comprised of thousands of objects, accounts and groups.

Finally to anyone or any organization who may be inspired to make such a tool, by all means, please go ahead and try it. It took us six years of highly disciplined laser-focused Research and Development to build our tooling, and we know a thing or two about Active Directory Security. Should you like some guidance, you may want to read our 120-page patent on how to do so.

That wraps up the Demo.

Note: These two demos above were purposely kept super simple so that anyone (including CyberArk's experts) could replicate these exact steps in any new Active Directory domain and verify that what we have demoed above is accurate.




Complexity

Now, if these examples look so simple, that's because they were intended to look simple for illustrative purposes.

In reality, the challenge is exponentially harder. Consider a typical Active Directory deployment -
  1. there could easily be well over a hundred ACEs in the ACL of each Active Directory object,
  2. there could be thousands of domain security groups to which users could belong, many of them nested in other domain security groups, and some of them nested circularly,
  3. there could be a substantial amount of administrative delegation and/or access provisioning done in Active Directory,
  4. there could easily be thousands of objects in an Active Directory domain, and
  5. there could be numerous domains in an Active Directory forest.

Any tool designed to accurately identify such "Shadow Admin" accounts would have to be able to accurately determine effective permissions on every single one of thousands of object in Active Directory, in light of the complexity that I've just shared above.

Based on my assessment, not only does CyberArk's ACLight not evaluate effective permissions in Active Directory, it is light years away from being able to do what I've just described above. The same is true of every other tool you may have heard of out there, including BloodHound, or any PowerShell script anyone could ever write, or anything available from Microsoft.

There is only ONE tool that I know of that can accomplish this monumental feat - its this one, and I know so because I built it.



Summary

Folks, in closing, Privileged Account Security is paramount to organizational cyber security, and please don't just take my word for it, for here's CyberArk communicating in effect the same fact -
"Privileged accounts represent the largest security vulnerability an organization faces today. These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data."
As I've said above, CyberArk is 100% right. The compromise of even just 1 (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over your entire network and empower them to swiftly take over everything.

In fact, 100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.


CyberArk is also 100% right that in most Active Directory deployments worldwide, there likely exist today a dangerously and excessively large number of such "Shadow Admin" accounts, which for all practical purposes possess the same level of privileged access as members of the default Active Directory administrative / privileged access groups, yet because they are not members of any of those default groups, these accounts are in fact very difficult to accurately identify.

Consequently, their presence may pose a FAR greater risk to organizational cyber security, which is why it is so very important for organizations to be able to accurately discover/identify all such accounts, i.e. each and every single one of them.

In this blog post, I wanted to show you why CyberArk's well-intentioned guidance and tooling are in fact inaccurate, as well as show you why we need to be able to accurately determine Active Directory Effective Permissions / Active Directory Effective Access to correctly discover all such "Shadow Admin" accounts in Active Directory.

I hope you've found this to be helpful, and I wish you all, including CyberArk, all the very best.

Best wishes,
Sanjay


PS: Recommended Technical Reading -
  1. Active Directory Privileged Access Insight
  2. Active Directory Effective Permissions
  3. Defending Active Directory Against CyberAttacks (Slide 88 alludes to CyberArk)
  4. The Impact of Compromise of Shadow Admin Accounts in Active Directory
  5. How to Audit Who Can Change Group Memberships in Active Directory?
  6. How to Audit Who Can Delete an Organizational Unit in Active Directory?
  7. How to Audit Who can Create User Accounts in Active Directory?
  8. How to Audit Who can Reset Domain User Accounts Passwords in Active Directory?
  9. How to Correctly Audit/Identify/Discover Privileged Accounts in Active Directory
  10. Active Directory Access Control Lists (ACLs) - Real Attack and Defense 
