Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Monday, July 9, 2018

What's The World's Most Important Active Directory Security Capability?


A few days ago, I had asked likely the most important Cyber Security question in the world today, one that today DIRECTLY impacts the foundational cyber security of thousands of business and government organizations across 190 countries worldwide.

Here It Is -

What Is the 1 Essential Cyber Security Capability Without Which NOT a Single Active Directory object, domain, forest or deployment can be adequately secured?

I had even provided a hint - it controls exactly who is denied and who is granted access to literally everything within Active Directory, and it comes into play every time anyone accesses anything in any Active Directory domain in any organization.

Thus far, thousands of IT professionals from across the world, including some of the world's most famous/renowned Windows and Active Directory Security experts and CISOs, as well as Microsoft employees, have all seen the question on my blog.

Unfortunately, not ONE individual in the world (okay, except one) has answered this ONE most simple and basic question yet!

Why Not?

Do organizations worldwide NOT know the answer, OR are they afraid to answer it because they don't possess this capability?

Let's find out. To help organizations worldwide, including Microsoft, figure out the answer, I'm going to give a few more hints.

A Few More BIG Hints

Ladies and Gentlemen, NOT a single organization in the world whose IT infrastructure operates on Microsoft Active Directory, can fulfill even ONE of the following mission-critical IT and cyber security needs without possessing this ONE capability -

  1. Adequately secure their foundational Active Directory

  2. Adequately mitigate the risk posed by the use of Mimikatz DCSync

  3. Adequately mitigate the risk posed by Active Directory Privilege Escalation

  4. Accurately identify privileged users in their foundational Active Directory domains

  5. Accurately discover stealthy admins in their foundational Active Directory domains

  6. Adequately protect all organizational computers and user accounts (including C*O accounts)

  7. Adequately secure mission-critical Active Directory integrated applications (e.g. Exchange, Centrify)

  8. Securely integrate their on-premises Active Directory deployments with Microsoft Azure in the "Cloud"

  9. Correctly demonstrate regulatory compliance of access privileges provisioned within their Active Directory

  10. Reliably control the distribution and delegation of administrative authority in their foundational Active Directory

Let me repeat it again so there is NO ambiguity - not a single one of the above mission-critical IT and cyber security needs can be fulfilled without possessing this ONE capability, only because it is technically impossible to do so without this ONE capability.

I'll Make it Easy

Ladies and Gentlemen, Active Directory has been around for almost two decades now, and yet most organizations worldwide still do not possess this ONE essential, fundamental and paramount cyber security capability. The reason they don't currently possess it is likely that they may not even know about it, and that sounds as unbelievable to me as it does to you!

If they haven't figured it out in almost TWO decades, they're not likely to figure it out on their own, so let me make it easy for them.

It is ONE of the following five Active Directory Security Capabilities -
  1. Active Directory Auditing
  2. Active Directory Permissions/ACL Analysis
  3. Active Directory Effective Permissions/Access
  4. Microsoft Advanced Threat Analytics (aka ATA)
  5. <You can throw in all the latest buzzwords here e.g. Privileged Identity/Account Management, Zero Trust, blah blah etc >

Here's one FINAL hint. If you possess this ONE capability (on the right object in Active Directory), then you can also easily turn off, i.e. deactivate, disable, and/or render useless, all of the other listed security capabilities in an Active Directory deployment!

So, which ONE is it?

Make No Mistake + Only Two Kinds of Organizations

Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.

Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability lack the means to adequately protect their foundational Active Directory deployments, and thus by logic are provably and demonstrably vastly insecure.

My Concern - This Impacts Organizational Security Worldwide

I hope that with the hints I've provided above, organizations worldwide will finally realize what this ONE essential capability is.

More importantly, I hope that at organizations worldwide, IT personnel, Domain Admins, CISOs and CIOs realize and recognize that without possessing this ONE essential and paramount Active Directory Security capability, their $ Billion organizations may currently be operating on a highly vulnerable foundation, which is a matter so serious that it should concern all stakeholders.

The Answer

February 24, 2020 Update: Here's the answer - THIS is the world's most important Active Directory Security Capability.