Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Monday, October 22, 2018

What are the Minimum Security Permissions Needed in Active Directory to Run Mimikatz DCSync?

Folks,

In days to come, I'll be helping organizations worldwide understand what constitutes a privileged user in Active Directory, how to correctly audit privileged access in Active Directory, and what the world's most important Active Directory security capability is.

Today though, I just wanted to ask a very simple and elemental cyber security multiple-choice question, so here it is -


Q. What are the minimum Active Directory Security Permissions that a perpetrator needs to be able to successfully run Mimikatz DCSync against an organization's foundational Active Directory deployment?

Is it -
A. The "Get Replication Changes" Extended Right 
B. The "Get Replication Changes All" Extended Right 
C. Both A and B above 
D. Something else

I already know the answer to this simple question. I'm only asking because I believe that today every Domain Admin and every CISO at every organization that operates on Active Directory MUST know the answer to this question, and here's why.

You may be surprised if I were to share with you just how many Domain Admins and CISOs (at so many of the world's most prominent organizations) don't know even seem to know what Mimikatz DCSync is, let alone knowing the answer!


If you know the answer to this question, please feel free to share it by leaving a comment below.

Best wishes,
Sanjay.

No comments:

Post a Comment