Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Showing posts with label Active Directory Audit Tool. Show all posts

Monday, January 23, 2017

Gold Finger - The World's Best Active Directory Audit Tool

Folks,

Hope your New Year's off to a good start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 9th.


Today most organizations that operate on Microsoft Active Directory (and there are 1000s across 150+ countries worldwide) have a need to be able to perform not just basic but also advanced audits to fulfill a variety of imperative cyber security needs -
  1. Active Directory Security
  2. Privileged Access Audit
  3. Attack Surface Reduction
  4. Insider Threat Protection
  5. Audit and Regulatory Compliance
Unfortunately, at organizations worldwide 1000s of IT professionals struggle to fulfill a majority of these needs, because of two main reasons - a) the solutions required to fulfill these critical needs don't seem to exist (except for one), and b) the depth of knowledge and understanding required to fulfill these needs correctly i.e. precisely and accurately, is lacking substantially.

For instance, although Microsoft provides many basic tools such as dsacls, acldiag, LDP, ADUC, the Effective Permissions Tab, etc., these tools cannot help even one organization correctly answer even the most basic of cyber security questions such as -
  1. How many privileged users does the organization actually have?
  2. Who is delegated what administrative access where and how in Active Directory?
  3. How many individuals can reset the password of a Domain Admin to become proverbial God?
  4. How many individuals can change the Domain Admins group membership to become proverbial God?
  5. How many individuals can use Mimikatz DCSync to instantly compromise the credentials of the entire organization?
The lack of adequate solutions and the awareness required to perform such critical audits can primarily be attributed to the baffling lack of vital security guidance provided by Microsoft to its organizational customers. More on that on Jan 24th, 2017.

Thus, while there are many solutions today that can help organizations with reactive after-the-fact auditing, there are virtually no adequate audit solutions that can help organizations perform before-the-fact proactive effective access audits. Except one...




Gold Finger - Quite Simply The World's Best Active Directory Audit Tool

Any IT/AD/cyber-security pro worth his salt will tell you that not only is the need to know "Who can do what in Active Directory" paramount to cyber security, it is not "who has what permissions" but "who has what effective permissions/access" that matters.

Considering that, allow me to share with you the world's most capable, powerful and valuable Active Directory Audit Tool -

Gold Finger Active Directory Audit Tool

Simply put, Gold Finger can do in a matter of minutes, whenever needed, what could take an army of the world's best Active Directory security professionals and consultants from organizations like Microsoft Consulting Services an entire year to do -
  1. Automatically, precisely and correctly audit effective privileged access (incl. delegated) across an entire Active Directory
  2. Automatically, precisely and correctly audit effective permissions/access on any Active Directory object
  3. Automatically, precisely and correctly audit permissions across an entire Active Directory

Of course, considering it can do the impossible at a button's touch, it can also do the simple stuff with equal ease -
  1. Audit basic Active Directory security, such as account, group and OU management, true last-logons etc.
  2. Audit Active Directory group memberships, such as "What groups does a user belong to" etc.
  3. Audit Kerberos token-sizes including performing domain-wide Kerberos token-size calculations
  4. Audit Active Directory ACLs, security permissions/rights and domain-wide ACL dumps etc.

Also, because we care deeply about cyber security, we built it to the highest standards of trustworthiness.




The Swiss Army Knife of Active Directory Audit Tools

When you acquire and deploy Gold Finger, you have the world's most powerful cyber security arsenal at your fingertips -
  1. The World's only accurate Active Directory Administrative Access and Delegation Audit Tool
  2. The World's only accurate Active Directory Effective Permissions/Access Calculator
  3. The World's most comprehensive Active Directory Permissions Analyzer
  4. The World's most advanced Active Directory ACL Viewer and Exporter
  5. The World's only fully-automated, professional Kerberos Token-size Calculator
  6. The World's simplest Active Directory Group Membership Reporting Tool
  7. The World's most trustworthy Active Directory Security Audit Tool (including the Free version)

So, if there's an audit to be done in Active Directory, chances are Gold Finger can get it done, and do so at a button's touch.



Simply put, if you truly understand Active Directory Security, and its role in cyber security worldwide, then you know that Gold Finger is possibly the most capable cyber security solution in the world. (There isn't a tool on the planet that comes close to it.)

Perhaps that's why, from the United States to Australia, the world's most powerful government and business organizations across six continents worldwide use it and depend on it to secure the very foundation of their cyber security today.

To learn more, please visit - http://www.paramountdefenses.com/goldfinger.html

Best wishes,
Sanjay

PS: I only know so much about it because I architected it.  Now, onward to January 26th, 2017.

Tuesday, January 10, 2017

World's Only Accurate Active Directory Privileged User/Access Audit Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 8th.

Active Directory Privileged User/Access Audits - A Paramount Need

Today every single organization that operates on Microsoft Active Directory has a paramount cyber security need to be able to accurately audit privileged access in its foundational Active Directory deployment. What else could be more important?
A few examples of such paramount Active Directory privileged access audits include -


  1. Exactly how many privileged access users do we have in our foundational Active Directory?
  2. Exactly who has what privileged access in our foundational Active Directory?
  3. Exactly how does someone have privileged access in our Active Directory?
  4. Exactly who can manage all of our privileged users and groups in our Active Directory?
  5. Exactly who has what privileged access over all our vital Active Directory domain user accounts, domain computer accounts, domain security groups, Organizational Units, etc. (and there could be 1000s of them)?

If you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters; the difference is colossal and could very well be the difference between security and compromise.
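A small model of why the two questions give different answers, added here as an illustration (it is not Gold Finger's algorithm and not code from the original post): it expands nested group membership, evaluates ACEs in Windows' canonical order (explicit deny, explicit allow, inherited deny, inherited allow), and compares the trustees named in the ACL with the users who actually end up holding a right. All user names, group names and ACEs are constructed sample data, and the model deliberately ignores object-specific ACEs (property and extended-right GUIDs), inherit-only flags and owner rights.

```python
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    # Values of the corresponding ADS_RIGHT_DS_* access-mask bits.
    READ_PROP = 0x10
    WRITE_PROP = 0x20
    CONTROL_ACCESS = 0x100  # extended rights, e.g. password reset


@dataclass(frozen=True)
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    trustee: str     # user or group the ACE names
    mask: Right
    inherited: bool  # True if the ACE flowed down from a parent container


def expand_groups(principal, member_of):
    """Return the principal plus every group it is in, directly or via nesting."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(principal, acl, member_of):
    """Walk the ACL in order; the first ACE to decide a bit wins that bit."""
    token = expand_groups(principal, member_of)
    granted, denied = Right(0), Right(0)
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted


def raw_allow_trustees(acl, right):
    """The 'who has what permissions' view: trustees named in allow ACEs."""
    return {ace.trustee for ace in acl if ace.allow and ace.mask & right}


def effective_holders(users, acl, member_of, right):
    """The 'who has what effective permissions' view: users who hold the right."""
    return sorted(u for u in users
                  if effective_rights(u, acl, member_of) & right == right)


# Constructed sample data: memberships and the ACL of one privileged account.
MEMBER_OF = {
    "alice": ["Help Desk"],
    "bob": ["Help Desk", "Contractors"],
    "carol": ["Regional Support"],
    "Regional Support": ["Help Desk"],   # nested group
    "dave": ["Tier1 Ops", "Interns"],
}
USERS = ["alice", "bob", "carol", "dave"]
ACL = [
    Ace(True, "Help Desk", Right.CONTROL_ACCESS, inherited=True),
    Ace(False, "Contractors", Right.CONTROL_ACCESS, inherited=False),
    Ace(True, "Tier1 Ops", Right.WRITE_PROP, inherited=False),
    Ace(False, "Interns", Right.WRITE_PROP, inherited=True),
]

if __name__ == "__main__":
    for right in (Right.CONTROL_ACCESS, Right.WRITE_PROP):
        print(right.name, "named in ACL:", sorted(raw_allow_trustees(ACL, right)),
              "| effective:", effective_holders(USERS, ACL, MEMBER_OF, right))
```

In the sample, the ACL names only "Help Desk" for extended rights, yet carol holds them through a nested group and bob, a direct member, does not because of the explicit deny; dave keeps Write Property because an explicit allow is evaluated before an inherited deny.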

Most organizations do not even seem to know that they need to be able to determine effective permissions/access in Active Directory, and do so accurately, to maintain a sound cyber security posture. At those that do know, IT personnel struggle to fulfill this paramount need; they try writing advanced in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP, the Effective Permissions Tab, etc., or relying on one free 3rd party audit tool that is dangerously inaccurate.

To begin with, the knowledge required to write a script that could accurately determine effective permissions on even a single Active Directory object, let alone thousands of Active Directory objects, is such a rarity that, never mind most IT personnel, I doubt even many $ Billion cyber security companies would know where to even begin. That said, many well-intentioned IT admins who care deeply about security do endeavor to write and use substantially inaccurate scripts to do so.

Assuming they could write an accurate script to do so, here are 5 issues/challenges that they will most likely run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. The Microsoft Effective Permissions Tab is not only self-admittedly inaccurate, it is woefully inadequate.
  4. All free 3rd party tools that claim to do Active Directory effective permissions are substantially inaccurate.
  5. Manually attempting to determine effective permissions on thousands of Active Directory objects could take years.

It is unequivocally clear to us that what organizations need is an accurate, efficient and reliable (tamper-proof) Active Directory Privileged Access Audit Tool that could help IT personnel worldwide easily & trustworthily fulfill this paramount need.

So we built the world's only accurate Active Directory Privileged Access Audit Tool so it could help all IT admins, analysts, auditors and others easily and trustworthily fulfill their paramount Active Directory privileged user access audit needs.



Gold Finger Active Directory Administrative Access and Delegation Audit Tool

The Gold Finger Administrative Access and Delegation Audit Tool is quite simply the world's only accurate Active Directory Privileged User/Access Audit Tool. There's simply nothing quite like it in the world, and once you've used it, you'll know why -  

Gold Finger Active Directory Privileged User Access Audit Tool

If you can touch a button, you can now (for the first time ever) accurately and easily find out exactly who has what privileged access across an entire Active Directory domain, in effect accomplishing an almost impossible feat, at the click of a button!


Capability Overview

Here's a quick overview of the tool's top 10 features/capabilities -
  1. Accurate Assessment – Accurately audit exactly who has what privileged access in Active Directory, taking all factors (e.g. precedence orders, memberships expansions, conflict resolution etc.) that impact effective access into account.
  2. Complete Automation – Automatically audit effective privileged access across an entire Active Directory domain.
  3. Enterprise Scalability – Swiftly assess effective privileged access across even large Active Directory deployments.
  4. Source Identification – Find out exactly which underlying permission grants a user specific effective privileged access.
  5. Zero Configuration – Instantly deploy the tool on any machine without requiring a single change anywhere whatsoever.
  6. Real-Time Analysis – Instantly audit and verify an administrative delegation as soon as it is made in Active Directory.
  7. Intuitive Interface – Easily view all privileged access, all users who have such access, where they have it and how so.
  8. Professional-grade Report Generation – Easily generate and furnish privileged access audit reports in PDF format.
  9. Analysis Exports – Instantly export audit results for offline analysis, sharing, report submission and archival.
  10. DC Specific Analysis and Alternate Credential Use – Target any domain controller, and use alternate credentials.



Design Goals

Here are the 7 main design goals we set and met for Gold Finger -
  1. Accuracy - Accuracy is everything, and Gold Finger is the world's only accurate privileged access audit tool.
  2. Automation - The tool must be able to automatically determine effective permissions/access across thousands of Active Directory objects accurately and quickly so organizations can obtain this paramount insight within minutes, not months.
  3. Actionable Insight - The tool must deliver results in the form of actionable insight i.e. its results must be calculated and displayed in terms of entitled administrative tasks, and also show exactly who can perform them, and exactly how so.
  4. Source-Identification - It can pinpoint the underlying permission that entitles a user to perform a specific task.
  5. Data output - IT personnel should be able to effortlessly export the raw data for archival, rich analysis etc.
  6. Ease of use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  7. Trustworthiness - When it comes to security, Gold Finger also sets the bar and gold standard for trustworthiness.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory effective permissions audits you can perform with Gold Finger -


  1. Discover exactly who has unrestricted privileged access in the Corp domain.
  2. Find out exactly who can create, delete, manage and control entire Organizational Units in the Corp domain.
  3. Find out exactly who can manage and control all privileged and executive domain user accounts in the Corp domain.
  4. Find out exactly who can change the membership of critical privileged/administrative groups such as Domain Admins.
  5. Find out exactly who can manage every executive and administrative account and security group in the Corp domain.
  6. Find out exactly who can create and delete domain user accounts, security groups and OUs in the Corp domain.
  7. Find out exactly who can reset the passwords of all domain user accounts, including those of privileged/executive users.
  8. Find out exactly who can disable the requirement to have Smart-card authentication for all domain user accounts.
  9. Find out exactly who can modify or delegate administrative (privileged) access in Active Directory, where and how.
  10. Uncover thousands of privilege escalation paths leading to critical privileged access across an entire Active Directory.




Trusted Worldwide

Today, our Gold Finger Active Directory Administrative Access and Delegation Audit Tool is used worldwide by the world's top organizations to easily fulfill the paramount cyber security need of being able to precisely identify privileged users and privileged access in their foundational Active Directory deployments.

Best wishes,
Sanjay

Thursday, January 5, 2017

The World's Best Active Directory ACL / Security Permissions Audit Tool

Folks,

Hope your 2017's off to a great start. As I had indicated a few days ago, starting January 26th I'll be sharing some valuable insights on Active Directory Security; until then just wanted to get some very basic stuff out of the way; this one being the 5th.

Active Directory ACL / Security Permissions Audit - A Basic Need

Today virtually every organization that operates on Microsoft's Active Directory has a basic and essential need to be able to easily view, analyze and audit Active Directory ACLs (Access Control Lists) because Active Directory permissions ultimately protect virtually all of the organization's IT resources. A few examples of such basic Active Directory ACL audit needs include -


  1. What security permissions/rights does a specific user/group have in a specific Active Directory object's ACL?
  2. Who has a specific Active Directory security permission allowed in the ACL of a specific Active Directory object?
  3. Which ACEs (access control entries) grant a specific Active Directory security permission to various security principals?
  4. Which ACEs explicitly deny a specific Active Directory security permission in an object's ACL?
  5. Which ACEs explicitly grant a specific Active Directory security permission to a specific user or group in an object's ACL?

Now, let me be the first to tell you that if you truly know Active Directory Security, then you know that it is not "Who has what permissions" but "Who has what effective permissions" that matters (and the difference is colossal and could be the difference between security and compromise), but for now let's just play along and assume that this is what organizations need to audit.

To fulfill their ACL analysis needs, IT admins worldwide use numerous means, such as writing in-house LDAP/PowerShell scripts, using free MS tools like dsacls, acldiag, LDP etc., or relying on some 3rd party audit tools, many of which aren't reliable.

In doing so, here are some issues/challenges they could run into -
  1. In-house scripts are prone to human-error, need to be maintained and could be maliciously modified by someone.
  2. The use of PowerShell, and/or utilities like LDP requires a certain level of technical Active Directory expertise.
  3. Many 3rd party tools, whilst inexpensive, may or may not always be sufficiently trustworthy (e.g. built in Russia etc.)

In our experience, we found that what is ideally needed is a dedicated and reliable (tamper-proof) Active Directory ACL analysis, viewing and dump tool that can help easily & trustworthily fulfill all Active Directory ACL/permissions audit needs.

So we built possibly the world's best (most advanced) Active Directory ACL Viewer and Exporter that could help IT admins, analysts, auditors and other stakeholders easily and trustworthily fulfill their basic Active Directory ACL/permissions audit needs.



Gold Finger Active Directory ACL / Security Permissions Audit and Dump Tool

The Gold Finger Active Directory ACL Viewer and Exporter is the world's most advanced and trustworthy Active Directory ACL/Permissions Audit Tool -

Gold Finger Active Directory ACL Audit Tool, Viewer and Exporter
If you can touch a button, you can now easily, comprehensively and above all, trustworthily view, analyze, audit as well as instantly export/dump Active Directory ACLs and security permissions/rights, both on a per-object and a domain-wide basis.


Capability Overview

Here's a quick overview of the tool's top 5 features/capabilities -
  1. Complete View – Obtain a complete, fully sortable view of the ACL (both DACL & SACL) of any Active Directory object.
  2. Detailed View – Obtain a detailed view wherein each ACL field is expanded into individually sortable columns.
  3. ACL Exports – Export the complete ACL of an Active Directory object for analysis, comparison, archival and audit.
  4. Tree-wide ACL Exports – Export/dump the ACLs of all Active Directory objects in any Active Directory tree (e.g. OU).
  5. Advanced ACL Export Options – Export only those ACLs that are marked Protected or owned by a specific user/group.


Design Goals

Here are the 5 main design goals we set and met for Gold Finger -
  1. Trustworthiness - When it comes to security, Gold Finger sets the bar and gold standard for trustworthiness.
  2. Ease-of-use - It can be installed in 2 minutes on any machine* and requires no Active Directory knowledge to use.
  3. Rich Analysis - IT personnel can easily analyze every aspect of the ACL, including sorting the ACL by individual Active Directory security permissions (e.g. Write Property, Extended Right etc.), inheritance fields etc.
  4. Instant Export - IT personnel can easily export/dump the ACLs of any, some or all Active Directory objects. 
  5. Data output - IT personnel can effortlessly export the raw data for archival, rich analysis etc.



Example Reports

Here are 10 real-world examples of the kinds of Active Directory ACL/permissions audits you can perform with Gold Finger -

  1. Alphabetically sort the ACL on the AdminSDHolder object to list all security principals for whom access is specified.
  2. Identify all permissions in the ACL of the Administrators group object that grant Write Property - Member permissions.
  3. Export/dump the ACL on the Enterprise Admins group object to furnish it as evidence for a regulatory compliance report.
  4. Identify every permission in the ACL on the Corporate OU object that grants a user or group Create Child permissions.
  5. Enumerate the list of all security permissions in the ACL of the Help Desk Operators object that are Explicit in nature.
  6. Instantly dump/export the security permissions/ACLs of all objects contained in any Active Directory domain/partition.
  7. Easily dump/export the security permissions/ACLs protecting all executive (e.g. all C*O) and privileged user accounts.
  8. Instantly dump/export Active Directory security permissions/ACLs protecting all Organizational Units in a domain.
  9. Obtain a snapshot of all Active Directory permissions/ACLs protecting the Configuration, Schema and domain partitions.
  10. Dump/export Active Directory security permissions/ACLs to a file to furnish evidence for a compliance/security audit.



Trusted Worldwide

Today, our Gold Finger Active Directory ACL Viewer and Exporter is used worldwide by the world's top organizations to easily, efficiently and trustworthily fulfill all their basic Active Directory ACL/security permissions/rights analysis and audit needs.

Best wishes,
Sanjay

PS: This is about 1% of what we do, so this is as much as I'd like to say about it.

Thursday, March 6, 2014

Gold Finger 6.0, the Lamborghini of Active Directory Audit Tools

Folks,

Please accept my sincere apologies on account of the lapse in sharing thoughts via this blog. Something important came up, and required my personal involvement. It's taken care of now, and I look forward to getting back to sharing my 2c with you, with the intention of sharing potentially valuable insights on Active Directory security.

Anyway, before I get back to sharing insights, I just wanted to personally also introduce the latest version of Gold Finger, version 6.0, which in my humble opinion is the world's most capable Active Directory Audit Tool –

Gold Finger 6.0


Here is a link to the Press Release - http://finance.yahoo.com/news/paramount-defenses-one-worlds-top-173000714.html

About two years ago, we shipped Gold Finger 5.0, and back then we referred to it as the Ferrari of Active Directory Security Solutions, because its capabilities represented the finest in Active Directory security analysis. Today, of course, Gold Finger 5.0 is deployed in five continents worldwide and it helps some of the world’s most important business and government organizations gain valuable security and access insight.

 
Gold Finger 6.0 – The Lamborghini of Active Directory Audit Tools

If Gold Finger 5.0’s unique and valuable capabilities made it the Ferrari of Active Directory Audit Tools, then Gold Finger 6.0’s speed and finesse surely make it the Lamborghini of Active Directory Audit Tools.
 
 

You see, when developing Gold Finger 6.0 we primarily focused our efforts on one thing - making it fast. Really fast!
 
I’m pleased to let you know that Gold Finger 6.0 is up to 5 times faster than Gold Finger 5.0. So, what used to sometimes take up to an hour in Gold Finger 5.0 can be done in about 5 minutes with Gold Finger 6.0. Five minutes.

For instance, if you wanted to find out exactly -
  1. who can reset whose passwords in an Active Directory containing 20,000 accounts
  2. who can create user accounts where in an Active Directory containing 1000 OUs
  3. who can change the security group memberships of each one of over 5,000 groups
  4. who can delete which user accounts in an Active Directory containing over 10,000 accounts
... all you'd have to do is touch a button, and give it a few minutes. That's it.
 
Incidentally, in order to make any of the determinations listed above, one needs to analyze millions of security permissions and determine effective permissions on 1000s of objects. With Gold Finger, one can make these determinations in minutes. Without Gold Finger, making the same determinations could take months or even years.

This primarily being a technical blog, here's an enumeration of Gold Finger’s technical capabilities (listed in increasing order of difficulty) –
  1. Generate 100+ fully customizable (via LDAP filters) security audit reports, with scope control and scope depth control
  2. Enumerate the complete group membership of any Active Directory Security group, as well as view group nesting details
  3. Enumerate the complete list of security groups to which a domain user or computer account belongs
  4. View the contents of any domain user’s domain-specific and machine-type specific access token
  5. View the ACL of any Active Directory object, both in a simple view and in a detailed view that provides unmatched clarity
  6. Export/dump the ACLs of all objects in an Active Directory tree, with the ability to control tree depth
  7. Perform comprehensive Active Directory permissions analysis/reporting, with unmatched flexibility in filter specification
  8. Determine true effective permissions on any object in any Active Directory partition
  9. Enumerate the list of all administrative tasks delegated on a given Active Directory object, including a list of delegatees
  10. Find out exactly who has what effective administrative access, where and how across an entire Active Directory domain


Of course, each of the enumerations listed above can be done on-demand within minutes, at the touch of just ONE button.


Designed to Empower YOU

Gold Finger 6.0 is the embodiment of over half a decade of innovative cyber security research and development. Built at a cost of almost $10 million, today, it makes what is generally considered impossible as easy as touching a button.

We primarily built Gold Finger to help organizations worldwide swiftly and reliably mitigate the world's #1 cyber security risk - Active Directory Privilege Escalation based on the identification and exploitation of unauthorized grants in Active Directory deployments.

Along the way, we also got great feedback from some of the world's best Active Directory Security Practitioners, most of whom are our customers today, and we embraced their feedback, resulting in the addition of over half a dozen valuable capabilities ranging from basic security audit reporting to true effective permissions.

In essence, we built this tool to empower all IT personnel worldwide, who, in our humble opinion, play a very important role in the protection of their organizations, because they help secure and defend the very foundation of their organizations, and because they work tirelessly to keep the lifeline of their organizations, the Active Directory, up and running, safe and sound, round-the-clock.


They already have a LOT on their plates, and the least we can do is empower them to obtain the mission-critical insight they need to keep their Active Directory deployments safe and secure at all times, quickly and easily, so they don't have to put in hundreds of hours to accomplish something that can now be done within minutes.

I personally have the greatest respect for all IT personnel, and I dedicate Gold Finger 6.0 to them. This one's for all of you, because the work that you do is VERY important, and I for one, know and deeply respect that. 

Kindest regards,
Sanjay

PS: With this behind us, you can expect me to get back to blogging again, very soon.