Today Active Directory security is mission-critical to organizational security worldwide, and thus to cyber security worldwide. On this blog, a former Microsoft Program Manager for Active Directory Security and today the CEO of Paramount Defenses shares valuable technical insights on Active Directory security.



Wednesday, March 15, 2017

Top-10 Active Directory Security Questions For Organizations Worldwide

Folks,

I was supposed to start 30 days of advanced Active Directory Security School for Microsoft yesterday, but we've just been so busy helping folks worldwide that I'm going to have to postpone the start date for that one final time to May 22, 2017.

So, until then, to help Microsoft prep for school, and generally to help thousands of organizations worldwide, I'll share the Top-10 Active Directory security questions that every organization that operates on Active Directory must have answers to at all times.

Here they are -


Top-10 Active Directory Security Questions Every Organization Must Have Answers To -



1. Exactly how many privileged users are there in Active Directory? 
2. Exactly who can reset the password of a privileged user to elevate privilege in Active Directory?
3. Exactly how many privileged security groups are there in Active Directory? 
4. Exactly who can modify the membership of a privileged security group to elevate privilege in Active Directory?
5. Exactly who can instantly replicate secrets from Active Directory, and thus compromise the credentials of all accounts by using a tool such as Mimikatz DCSync?
6. Exactly who can modify the ACL protecting the AdminSDHolder object, whose permissions the SDProp process stamps onto every protected account and group (hourly by default), so as to gain administrative privileges in Active Directory?
7. Exactly who can create, delete and manage domain controllers, administrative workstations, trust relationships, user accounts, computer accounts, security groups, organizational units, service connection points etc. in Active Directory? 
8. Exactly who can modify critical configuration content in the Configuration and Schema partitions, changes to which could be used to gain administrative privileges in Active Directory? 
9. Exactly who can manage the domain user accounts of the organization's executives (Chairman of the Board, CEO, CFO, CIO, CISO etc.) in Active Directory?
10. If Smartcard authentication or other similar Active Directory integrated defense-in-depth measures (e.g. MFA, auditing, random password manager, password vault etc.) are in use, exactly who can disable their use (for example, by clearing the "Smart card is required for interactive logon" flag on an account)?

In their own best interest, we highly recommend that all organizations have answers to these 10 security questions at all times.
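As an added example (not code from the original post or from Paramount Defenses), the PowerShell below, run with the RSAT ActiveDirectory module on a domain-joined host, pulls the direct Allow ACEs that bear on questions 1 through 6: the default privileged groups and their recursive membership, who can reset those users' passwords (User-Force-Change-Password), who can write the member attribute of those groups, who holds both replication rights needed for DCSync on the domain head, and who can rewrite the ACL of AdminSDHolder. The English group names and the "recursive member of a default privileged group" definition of a privileged user are assumptions. What it returns is the raw ACL view, not effective permissions: it does not expand the trustees' own nested group memberships, evaluate Deny ACEs, honour inheritance or ownership, or consider rights granted through the Configuration and Schema partitions (questions 7 and 8). That gap is precisely why answering these questions requires effective-permissions analysis rather than a listing of ACEs.

```powershell
# Added example, not code from the original post or from Paramount Defenses.
# Lists the DIRECT Allow ACEs behind questions 1 to 6 using the RSAT ActiveDirectory
# module (which also provides the AD: drive used by Get-Acl). Output is a starting
# point only; it is NOT an effective-permissions result (no trustee group expansion,
# no Deny ACE evaluation, no ownership handling).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Schema constants for the rights and attribute in question (well known, not assumptions).
$GetChanges      = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$GetChangesAll   = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$ForceChangePwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttribute = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute
$AnyObject       = [guid]::Empty                                  # ACE covers all rights/attributes

# Default privileged groups. Assumption: English names; adjust for localized domains.
$PrivilegedGroupNames = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                        'Account Operators','Backup Operators','Server Operators','Print Operators'

function Get-AllowAces([string]$Dn) {
    # Get-Acl on the AD: drive returns System.DirectoryServices.ActiveDirectorySecurity.
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object { $_.AccessControlType -eq 'Allow' }
}

function Test-Right($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid[]]$ObjectTypes) {
    # True if the ACE grants $Right on everything ($AnyObject) or on one of $ObjectTypes.
    # GenericAll always qualifies.
    $r = $Ace.ActiveDirectoryRights
    if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
    if (-not $r.HasFlag($Right)) { return $false }
    return ($Ace.ObjectType -eq $AnyObject) -or ($Ace.ObjectType -in $ObjectTypes)
}

# Q5: who can replicate secrets (DCSync)? Needs Get-Changes AND Get-Changes-All on the domain head.
function Get-DcSyncAces {
    $ER = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $holders = @{}
    foreach ($a in (Get-AllowAces $domainDN)) {
        $id = $a.IdentityReference.Value
        if (Test-Right $a $ER @($GetChanges))    { $holders[$id] = $holders[$id] -bor 1 }
        if (Test-Right $a $ER @($GetChangesAll)) { $holders[$id] = $holders[$id] -bor 2 }
    }
    $holders.GetEnumerator() | Where-Object { $_.Value -eq 3 } | ForEach-Object {
        [pscustomobject]@{ Question = 5; Trustee = $_.Key; Right = 'Get-Changes + Get-Changes-All' }
    }
}

# Q6: who can rewrite the ACL of AdminSDHolder (and so, via SDProp, of every protected object)?
function Get-AdminSdHolderAclWriters {
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    Get-AllowAces "CN=AdminSDHolder,CN=System,$domainDN" |
        Where-Object { $_.ActiveDirectoryRights.HasFlag($R::WriteDacl) -or
                       $_.ActiveDirectoryRights.HasFlag($R::WriteOwner) -or
                       $_.ActiveDirectoryRights.HasFlag($R::GenericAll) } |
        ForEach-Object { [pscustomobject]@{ Question = 6; Trustee = $_.IdentityReference.Value; Right = $_.ActiveDirectoryRights } }
}

# Q3/Q4: the default privileged groups and who can write their 'member' attribute.
function Get-PrivilegedGroupWriters {
    $WP = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($name in $PrivilegedGroupNames) {
        $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $g) { continue }   # Enterprise/Schema Admins exist only in the forest root domain
        Get-AllowAces $g.DistinguishedName |
            Where-Object { Test-Right $_ $WP @($MemberAttribute) } |
            ForEach-Object { [pscustomobject]@{ Question = 4; Group = $g.Name; Trustee = $_.IdentityReference.Value; Right = $_.ActiveDirectoryRights } }
    }
}

# Q1/Q2: every recursive user member of those groups, and who can reset each one's password.
function Get-PrivilegedUserResetters {
    $ER = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $users = foreach ($name in $PrivilegedGroupNames) {
        Get-ADGroupMember -Identity $name -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }
    $users = @($users | Sort-Object distinguishedName -Unique)
    Write-Host ("Q1: {0} privileged user accounts (recursive members of default privileged groups)" -f $users.Count)
    foreach ($u in $users) {
        Get-AllowAces $u.DistinguishedName |
            Where-Object { Test-Right $_ $ER @($ForceChangePwd) } |
            ForEach-Object { [pscustomobject]@{ Question = 2; User = $u.SamAccountName; Trustee = $_.IdentityReference.Value; Right = $_.ActiveDirectoryRights } }
    }
}

Get-DcSyncAces              | Format-Table -AutoSize
Get-AdminSdHolderAclWriters | Format-Table -AutoSize
Get-PrivilegedGroupWriters  | Format-Table -AutoSize
Get-PrivilegedUserResetters | Format-Table -AutoSize
```

Every trustee this prints is a group or account name as it appears in the ACE; the real answer to "who" requires expanding each of those trustees to the individual accounts that can act as them, subtracting any Deny ACEs, and repeating the exercise for every object in the domain and in the Configuration and Schema partitions, which is the effective-permissions work the post refers to.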

(In the interest of objectivity, I must add that you don't have to take my word for it; I'm merely trying to help. If you can think of any other question concerning Active Directory Security that might be more important than these, you should focus on them.)


Finally, a simple $100 Billion QUESTION for Microsoft:  Dear Microsoft, in preparation for your Active Directory Security School starting 04-01-2017, here's a question for you -  What is the only way to answer each one of the questions enumerated above?

Since my esteemed colleagues at Microsoft may be too busy making the shift to the Cloud, let me answer the question for them:

Here's what it takes to answer these questions - http://www.paramountdefenses.com/blog/active-directory-effective-permissions


Best wishes,
Sanjay

PS: If you know of ANY cyber security (or other) company on the planet that can help answer these questions, let me know.

Wednesday, May 29, 2013

Active Directory Security - A Top Cyber Security Priority Today

Folks,

As you may know, today Active Directory is at the very foundation of enterprise security and cyber security worldwide.



Given Active Directory's foundational role in enterprise security worldwide, based on the principle of adequate protection, it is only logical that the security of the Active Directory itself is paramount to organizational security worldwide.

As logical as it may sound, based on what we have seen in our vast experience over the last decade, we are deeply concerned to see that most organizations today across the world do NOT yet realize just how important Active Directory security really is.

I suppose the only thing more concerning is that not only do so many organizations not realize this yet, they also do not seem to possess the level of technical skill-set and expertise that is required to adequately protect their underbelly.

(You'd be surprised if we told you just how many government agencies are still looking for mere account lockout status tools.)

In addition, so many organizations believe that the presence of an Active Directory auditing solution is generally sufficient to provide adequate security for Active Directory because it can help them audit the enactment of a malicious task.

Little do they realize that auditing is merely a reactive security measure that, at best, aids in detecting the occurrence of a malicious action and determining the identity of the perpetrator. The key word here is REACTIVE. The fact that a malicious task showed up in an audit log means the malicious task has already been performed.

The key word here is ALREADY. In such a situation, although auditing could potentially help identify the perpetrator, depending on the perpetrator's skill the opportunity to enact a single malicious task could be, or could already have been, sufficient to inflict substantial and often irreversible damage to not just the Active Directory but the entire Windows Server based IT infrastructure. (The first thing a smart perpetrator would do is disable all the admin accounts so that no one can even log in to try to stop him/her.)

The point is that the presence of any single security measure, such as reactive auditing, is hardly sufficient to provide adequate security for an Active Directory deployment. Providing adequate security for Active Directory requires numerous procedural, policy and technical security controls that work together to provide adequate protection.

So many organizations today seem to be substantially deficient in providing adequate protection for their Active Directory deployments, and the #1 reason for this is that Active Directory security does not appear to be a high enough priority for them.

Thus, in the best interest of all organizations, we've put together a simple succinct document that unequivocally communicates the importance of protecting foundational Active Directory deployments. You can download it by clicking the image below, or clicking here.

The Importance of Active Directory Security

We do hope that this simple document helps organizations unequivocally understand just how important the security of their foundational Active Directory is to their security, and in their own best interest, ensure its adequate protection at all times.

As the very foundation of enterprise security worldwide, Active Directory security is not just important, it is paramount.

What else could be more important?

Best wishes,
Sanjay