Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Showing posts with label Active Directory Privilege Escalation. Show all posts

Saturday, December 23, 2017

Just ONE Question to Microsoft & Preempt re Security Advisory 4056318 and Active Directory Privilege Escalation in Office 365 / Azure AD Connect

(About the Flaw in Azure AD Connect Software That Can Allow Stealthy Admins to Gain Full Domain Control)



Folks,

On Dec 12, 2017, Microsoft issued Security Advisory 4056318 in response to a flaw that Preempt discovered in Microsoft's Azure AD Connect software that lets its customers synchronize directory data between their on-premises AD and Azure AD.


This is rather important, as evidenced by this headline - Microsoft launches privilege escalation attack on itself with Office 365!

Indeed, Microsoft may have just shot themselves (and their customers) in the foot by making one HUGE careless mistake!

I thought I'd share a few thoughts.



First, a quick SUMMARY

Here's the summary of the flaw -
Preempt (a startup, more on which below) discovered that when an organization installs Azure AD Connect to integrate its on-premises Active Directory with Azure Active Directory and selects Express Settings, the domain user account that the installer creates for the sync service (MSOL_ followed by a hexadecimal suffix) is granted the Replicating Directory Changes All (DS-Replication-Get-Changes-All) extended right on the domain root, so that it can synchronize directory content, password hashes included. Yet this account is NOT afforded the special protection that AdminSDHolder gives the default administrative accounts and groups. As a result, a non-administrative, non-privileged domain user account possesses what is clearly tantamount to administrative/privileged access in Active Directory, which paves an Active Directory privilege escalation path.

What I've shared above is the essence of this issue. In short, if you run Azure AD Connect and selected Express Settings, you have introduced into your environment a privilege escalation path leading from a delegated admin to Domain Admin (equivalent)!




The VULNERABILITY

Herein lies the flaw/vulnerability -
Since this MSOL account is not protected by AdminSDHolder, its ACL (access control list) is neither protected nor locked down, and so it can easily contain many ACEs (access control entries), some explicit and others inherited from its parent container, that in effect grant numerous non-privileged users sufficient effective permissions on it (e.g. Reset Password, Modify Permissions, Modify Owner) to take control of the account. Whoever does so can then misuse the Replicating Directory Changes All right that this account holds on the domain root, using tooling such as Mimikatz DCSync, to instantly obtain the password hashes of every single account in the Active Directory, including those of all Active Directory privileged users!

Thus, this one little Active Directory ACL misconfiguration automatically enables this scenario - Massive Cyber Security Breach!

By the way, if you want to know who can reset the MSOL account's password today, all you have to do is touch a button.
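The PowerShell below is added here as an illustration; it is not code from the original post, nor Preempt's or Microsoft's tooling. It enumerates the raw ACEs behind this exposure: who holds the replication extended rights on the domain root (the DCSync prerequisite), whether each MSOL_ account sits outside AdminSDHolder protection (adminCount, blocked inheritance, owner), and which trustees hold control-type rights on it (Reset Password, Write DACL, Write Owner, full control, or write to all properties). It assumes the RSAT ActiveDirectory module and an account that can read the domain; the GUIDs are the well-known rightsGUIDs of the rights involved. As the rest of this post stresses, it reports stated permissions only: group nesting, Deny ACEs and ownership are not resolved into effective permissions, so its output is a starting point, not a verdict.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and an account that can read the domain. Lists stated ACEs, NOT effective permissions.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known rightsGUIDs (constant across forests).
$ReplGetChangesAll   = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$ReplGetChanges      = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset Password")
$AllObjects          = [guid]::Empty                                 # ObjectType of 0 = every right / every attribute

$domainDN = (Get-ADDomain).DistinguishedName

# Part 1: who may replicate from the domain root, i.e. who can run DCSync?
function Get-ReplicationRightHolders {
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access | Where-Object {
        $r = $_.ActiveDirectoryRights
        $_.AccessControlType -eq 'Allow' -and (
            (($r -band $Rights::GenericAll) -eq $Rights::GenericAll) -or          # full control covers all extended rights
            ((($r -band $Rights::ExtendedRight) -ne 0) -and
             ($_.ObjectType -in @($ReplGetChangesAll, $ReplGetChanges, $AllObjects)))
        )
    } | Select-Object IdentityReference, IsInherited,
        @{ n = 'Right'; e = {
            if     ($_.ObjectType -eq $ReplGetChangesAll) { 'Replicating Directory Changes All' }
            elseif ($_.ObjectType -eq $ReplGetChanges)    { 'Replicating Directory Changes' }
            else                                          { 'All extended rights / full control' } } }
}

# Part 2: the MSOL_ account(s) created by Express Settings, and who can take them over.
function Get-MsolAccountExposure {
    $takeover = $Rights::GenericAll -bor $Rights::WriteDacl -bor $Rights::WriteOwner
    foreach ($u in Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties adminCount) {
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        $controllers = $acl.Access | Where-Object {
            $r = $_.ActiveDirectoryRights
            $_.AccessControlType -eq 'Allow' -and (
                (($r -band $takeover) -ne 0) -or
                # write to ALL properties lets the trustee rewrite the object wholesale
                ((($r -band $Rights::WriteProperty) -ne 0) -and ($_.ObjectType -eq $AllObjects)) -or
                # the Reset Password extended right, or all extended rights
                ((($r -band $Rights::ExtendedRight) -ne 0) -and ($_.ObjectType -in @($ForceChangePassword, $AllObjects)))
            )
        }
        [pscustomobject]@{
            Account              = $u.SamAccountName
            AdminCount           = $u.adminCount                  # empty/0 = not under AdminSDHolder
            InheritanceBlocked   = $acl.AreAccessRulesProtected   # $false = parent ACEs flow down onto it
            Owner                = $acl.Owner                     # an owner can always rewrite the DACL
            ControllingTrustees  = ($controllers | Select-Object -ExpandProperty IdentityReference -Unique) -join '; '
            InheritedControlAces = @($controllers | Where-Object IsInherited).Count
        }
    }
}

Get-ReplicationRightHolders | Format-Table -AutoSize
Get-MsolAccountExposure     | Format-List
```

Any trustee that appears in both outputs, or in the second output alone, is a candidate "stealthy admin"; whether they actually can take the account over still depends on Deny ACEs, group nesting and ownership, which is precisely the effective-permissions question this blog keeps returning to.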





A QUESTION to MICROSOFT

You do realize that a single such mistake could instantly jeopardize the security of thousands of organizations worldwide, yes?


Question: Since WHEN did we become SO careless?! How could this have passed basic vetting? I had just asked a question a few weeks ago, with the hope that y'all would start taking this seriously - How Well Does Microsoft Understand Cyber Security ?!

This stuff is very important, and I know you're capable of much better than this, so can we please be more careful next time?!

(It appears to me that you may likely not have the right set of folks working on Active Directory Security. If you need me to help you identify the right set of Microsoft employees that should be working on AD Security, or help you out generally, let me know.)





PREEMPT ISSUES ITS OWN GUIDANCE

Preempt, in addition to having found this flaw and reported it to Microsoft, also issued its own guidance for organizations.

Here it is - Advisory: Flaw in Azure AD Connect Software Can Allow Stealthy Admins to Gain Full Domain Control.

You'll want to read it, as here are the parts they discussed - Understanding Stealthy Admins, Details on the Azure AD Connect Account Flaw, Who is Impacted, How Stealthy Admins can be Exploited, How Organizations can Protect Themselves, Free Preempt Inspector Tool for Determining if you are at Risk. They even made two videos and uploaded them to YouTube.

They also shared that Microsoft has acknowledged the issue and released a Microsoft Security Advisory and a PowerShell script that addresses the flaw by adjusting the permissions on the affected Active Directory domain accounts.

Finally, they issued guidance on how organizations can protect themselves -
  1. Review all stealthy administrators in your network
  2. For each stealthy admin, decide whether added permissions are indeed necessary
  3. Protect your privileged (known and stealthy) users by adding protection

Their guidance ends with:  FREE TOOL: Download Preempt Inspector to see if you have stealthy admins in your organization.

Their simple, well-intentioned guidance is spot-on. Can the same be said about their tooling? Well...  (keep reading.)




SOME GUIDANCE FOR PREEMPT

Since Preempt has been so helpful to a company I so love, i.e. Microsoft, by discovering this flaw and sharing it with Microsoft, perhaps the gentlemanly thing to do here would be to return the favor by sharing a few thoughts with them -

  1. As you'll hopefully agree, if there exist such "Stealthy Admins" in Active Directory, then it is paramount that organizations be able to accurately identify all such "Stealthy Admins", because even just ONE such account could be used to gain complete command and control over Active Directory, and consequently over the entire network.

  2. This notion of "Stealthy Admins" that you appear to have introduced (much as CyberArk introduced the notion of "Shadow Admins") does sound very catchy, but it is not actually new. What you seem to be referring to as "Stealthy Admins" is what thousands of organizations have, for almost two decades now, known simply as Delegated Admins.

  3. I thought I'd share that in 2016, we had informed the Chairmen, CEOs and CFOs of the world's top 200 organizations, as well as MSRC, that due to one specific deficiency in Active Directory, there likely exist hundreds of such stealthy / shadow admins (and thus thousands of privilege escalation paths) in most Active Directory deployments worldwide.

  4. Did you know that most vendors in the Active Directory space do not seem to know that to correctly identify stealthy / shadow admins in Active Directory, one needs to be able to determine Active Directory Effective Permissions?

  5. Finally, I do recall having read a few articles on this very subject on the Internet (if you merely replace the term "Delegated Admins" with "Stealthy Admins" in these articles, they may all sound very familiar) -

    1. From way way back in 2013 - Active Directory Privilege Escalation  (+ again in 2017)

    2. From way back in 2014 - Using Password Resets to Escalate Privilege in Active Directory   (+ again in 2017)

    3. From back in 2015 - How to Identify and Minimize Privileged Users in Active Directory

    4. From 2016 - 10 Examples of Delegated (Stealthy) Admins in Active Directory

    5. From 2017 - How to Correctly Discover Stealthy Admins in Active Directory + 50 More

Thus, Preempt's focus on Stealthy Admins in Active Directory is spot-on, but the Bible on the subject has already been written.




A QUESTION TO PREEMPT

Finally, since Preempt's experts seem to be proficient at finding flaws, I thought I'd most respectfully ask them a question -

The Question: Preempt, are you SURE that your free tool Preempt Inspector, which you've been recommending to organizations worldwide as a means to identify all Stealthy Admins in Active Directory deployments, can in fact accurately identify Stealthy Admins in Active Directory? (Or could there potentially be an equally big flaw in it?)


Again, I ask this most respectfully, and I only ask this because, as you'll hopefully agree, accuracy after all is paramount.


The answer, in days to come (it'll be very similar to this).


That's all for now.

Best wishes,
Sanjay.



PS: By the way, Microsoft's guidance in its Security Advisory 4056318 is INSUFFICIENT, in that even if you enacted it exactly as specified, you may still be left exposed. If you want to know why, please feel free to tune in here in a few days, or to ask us.

Monday, October 9, 2017

Some Love For Microsoft + Time to Help Microsoft (and the Entire World)


Folks,

This is a Trillion $ post. I wanted to show some love for Microsoft and help them out, as it appears they could use some help.

BTW, for those wondering who I am to make such a statement, I'm a nobody who knows a thing about a thing that impacts WD.




Trillion $ Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


Active Directory is the Foundation of Cyber Security Worldwide

The compromise of an organization's foundational Active Directory deployment could have disastrous consequences for the organization and its stakeholders, and the real extent of damage would be a function of the perpetrators' proficiency and intent.

If you understand the inner workings of Active Directory based networks, then you know that the amount of damage we've seen in recent breaches, such as the Equifax breach, is nothing compared to the amount of damage that can actually be done.



Thus far, perpetrators have been focused on simple attack vectors such as credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins), and over time Microsoft has made their enactment much harder.

As these attack vectors become harder to enact, perpetrators have started focusing on increasing their knowledge about Active Directory, and exploring ways to target and compromise Active Directory itself, as evidenced by the fact that in the last two years alone we've seen the introduction of Mimikatz DCSync, BloodHound and, most recently, the advent of Active Directory Botnets.

Today Active Directory security, and in particular Active Directory access control lists (ACLs) impact organizational security and national security, worldwide. Speaking of which, and just so the world knows, here is Microsoft's take on them, and here is ours.

Perpetrators seem to be learning fast, and building rapidly, so the next big wave of cyber breaches could involve compromise of Active Directory deployments, unless organizations act swiftly to lock-down their foundational Active Directory deployments.

To do so, organizations worldwide need the right insight, guidance and tooling to adequately lock-down their Active Directory deployments. Unfortunately, Microsoft doesn't seem to know much about it (proof: 1, 2, 3, 4), and thus may be unable to help.




Some Love for Microsoft

Today I may be the CEO of Paramount Defenses, but I'm also former Microsoft Program Manager for Active Directory Security, and I for one deeply love Microsoft, and deeply care about the foundational cyber security of all organizations worldwide, so I'm going to help Microsoft and the entire world adequately secure and defend their foundational Active Directory deployments.


To Satya (Nadella) and my former colleagues at Microsoft I say - "Microsoft is one of the greatest companies in the world today, and we care deeply and passionately about not only the role we play in society and the impact we have on billions of people, but also the responsibility that goes along, so we're* going to help the world address this colossal cyber security challenge."

* I may no longer be a Microsoft employee, but I still do care deeply and equally, so I'm happy to help you.
  If I were you, I'd most respectfully embrace this opportunity, be thankful for it, and not squander it.

To my friends at Microsoft, if I may have recently been a tad critical of you, it's only because I care deeply about our customers, and I know that Microsoft can do much better at educating its global customer base about a matter of paramount importance.





Er, What Cyber Security Challenge?

Now, there might be billions of people and thousands of organizations worldwide who may have absolutely no idea about what I'm talking about, so perhaps I should succinctly and unequivocally spell it out not just for the entire world, but also for Microsoft.


Stated simply, and as described in The Paramount Brief, here's the #1 cyber security challenge that impacts the world today -


"From Silicon Valley to New York and London to Sydney, at the very foundation of cyber security and IT of 85+% of all business and government organizations across 190+ countries worldwide lies Microsoft's Active Directory.
Within the foundational Active Directory domains of these organizations lie the entirety of the building blocks of their cyber security, i.e. their user accounts, computer accounts, security groups, security policies etc., each one of which is represented by an Active Directory object and protected by an Active Directory Access Control List (ACL).
Today, in most of these organizations, there exist millions of ACLs in their Active Directory, and within these ACLs exists an ocean of excessive/unauthorized access, that today paves thousands of privilege escalation paths to literally the entirety of all objects in these Active Directory deployments, including to all their privileged users.
This ocean of unauthorized access exists worldwide today because Active Directory lacks and has always lacked the essential ability to help organizations correctly and adequately audit effective access in Active Directory, and consequently even though organizations have been delegating/provisioning all kinds of access in Active Directory to fulfill various business needs, they've never had the opportunity to correctly audit this ocean of access, resulting in a situation caused over time (i.e. over the years) wherein today unauthorized access pervades Active Directory.
In short, today, at most organizations, no one knows exactly who has what access on any of their building blocks of security, and possibly an excessive number of users, computers and service accounts may have substantial unauthorized access on them, and thus be in a position to easily and instantly compromise their security.

  • A Trillion $ Note: Most organizations (and perpetrators, as well as the Bloodhound Tool) audit "Who has what permissions in Active Directory?" Unfortunately, that does not provide the accurate picture. What they need to audit is "Who has what effective permissions/access in Active Directory?" Sadly, Microsoft has NEVER provided this guidance in an entire decade, so no one even seems to know this.

Anyone who possesses the tooling to correctly analyze effective access in Active Directory could instantly identify, and either eliminate or exploit, all such unauthorized access grants and the 1000s of privilege escalation paths they pave, and thus be in a position to either formidably defend or completely compromise these organizations.
The potential impact of this huge cyber security challenge is best illustrated by these 7 examples. It's that simple."


As simple as it is, not a single one* of the 1000+ cyber security companies that exist today has a solution for this challenge.


Let there be no mistake about this - a proficient intruder who possesses tooling that lets him/her correctly analyze effective permissions/access in Active Directory could easily find hundreds, if not thousands, of unauthorized access grants in most Active Directory domains, and exploit them to compromise and obtain complete command and control over the organization.


If you find this hard to believe, you don't have to take my word for it, as here is Microsoft finally acknowledging it, and doing their best to downplay it. By the way, if they truly understood the depth of this problem, what they should've actually said is here.

Unfortunately, perpetrators can develop their own tooling and they don't even have to be 100% accurate (e.g. Bloodhound.)

Fortunately, organizations that possess the right tooling (e.g. 1, 2) can reliably mitigate all such security risks to Active Directory, from Mimikatz DCSync to Active Directory Privilege Escalation and from Sneaky Persistence to Active Directory Botnets, before perpetrators have the opportunity to exploit them, leaving no unauthorized access in Active Directory for perpetrators to exploit.





Time to Help Microsoft (and the Entire World)

Over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.


Of course, today we can also uniquely empower organizations worldwide to adequately secure and defend their foundational Active Directory deployments, and we are happy to help organizations that request our help, but we are not going to go to anyone explicitly offering our help, because we're not your ordinary company.


So, in days to come, we'll begin by educating the world about the following -


  1. What Constitutes a Privileged User in Active Directory

  2. How to Correctly Audit Privileged Users/Access in Active Directory

  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

  6. Why the World's Top Active Directory Permissions Analysis Tools Are Mostly Useless

  7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

  8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory

  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can actually be easily accomplished today, but in order to do so, what is required is the ability to accurately and adequately audit effective access in Active Directory.

Each one of these topics is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual/company) on the planet that can help the world address each one of these objectives today, let me know.

So, within the next 7 days, as a part of this, I'll start penning the above, and you'll be able to read them right here.




In Summary

If you truly understand Active Directory Security, then you know that literally the entire world's wealth is being protected by it, and thus we just cannot afford for organizations to start having their foundational Active Directory deployments breached.


Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation


PS: To anyone who believes they know more about Active Directory Security than us, or can help the world more than we can, go ahead and demonstrate that you can - this is your opportunity. If you can, let's see it. If you can't, you'll want to listen to us.

PS2: If you liked this post, you may also like the 20+ posts that are a part of - Helping Microsoft with Active Directory Security.

Saturday, September 9, 2017

Active Directory Recon

Folks,

As former Microsoft Program Manager for Active Directory Security, I just wanted to take a moment to share a very quick note regarding Active Directory Recon i.e. Active Directory Reconnaissance, which is something that several folks out there have recently been focusing on and sharing from a hacking perspective.

An Intruder performing Active Directory Recon

In the past few months, there has been a notable increase in the focus and attention on Active Directory security in the hacking community. In the past few years, credential-theft attacks have been focused on Active Directory credentials, and as Microsoft's efforts make it harder for hackers to engage in credential theft, the hackers have started shifting their focus to finding ways to breach the security of Active Directory itself.



Empowering Organizations

In days to come, time permitting, I will try to share with you likely the world's most advanced ways to perform an Active Directory Recon, but with the focus and intention on helping organizations safeguard their foundational Active Directory deployments.

Organizational IT Personnel performing Active Directory Recon

This is important because we should empower IT personnel at organizations worldwide with the knowledge, skills and resources they need to be able to adequately protect their foundational Active Directory deployments from attempts to breach security.




Active Directory is Rock-Solid

Until then, due to paucity of time, I would like to make 3 important points for all organizations worldwide -


  1. Active Directory is by definition a Directory Service, so by design all Authenticated Users have blanket read access to nearly everything in Active Directory (the notable exception being attributes marked confidential in the schema, which by default only administrators can read). This includes enumeration of domain (user and computer) accounts and security groups, read access to the properties of all objects (including important security-related attributes on domain user and computer accounts), sensitive contents of the System container, the entire Schema and Configuration partitions, service connection points, trust relationships, replication metadata, quota and security policy information, the information exposed via rootDSE and, of course, the prized information in Active Directory ACLs.

    Consequently, an intruder that has any form of authenticated access can easily access, obtain and analyze vast amounts of valuable information about not just your Active Directory but your entire Active Directory based IT infrastructure.


  2. Mature organizations must always assume that intruders know everything there is to know (as an Authenticated User) about their Active Directory, and yet design, implement/deploy and enforce an adequate set of security measures to protect their foundational Active Directory deployments, such that even if intruders know everything there is to know, they will still not be able to compromise the foundational Active Directory.

    I'd like organizations to know that it is absolutely possible to do so because Active Directory is one of the most rock-solid, securable and trustworthy technologies ever built. In days to come, time-permitting, I'll try and show you how to do so.


  3. You can operate a highly resilient and trustworthy Active Directory. I cannot stress this enough, so I'm repeating it again.

    Even if a 1000 intruders know everything there is to know about your Active Directory, your Domain Controllers, your Privileged Users etc., you can still operate a highly resilient, defensible and trustworthy Active Directory. In fact, at Paramount Defenses, we do it 365-24-7. I will tell you that it takes knowledge, discipline and executive support.



In Essence

The point I wanted to make and the important thing to note here is that in order to be able to adequately secure and defend Active Directory, you have to know Active Directory better than the intruders do, and you have to have executive support.


I'd like all organizations that operate on Microsoft Active Directory to know that we're all in this together, and that together we can help safeguard the very foundation of our organizations, and in doing so, do our bit to make the world a safer place.

So, once I'm finished with Active Directory Security School for Microsoft, I will likely pen a post on Active Directory Recon.

For anyone that may want a head start, please feel free to review this.

Best wishes,
Sanjay.



PS: Humble advice to all CISOs - Help your AD Operations Teams gain the proficiency they need to adequately secure your organization's foundational AD deployments, and get your C*Os to understand the importance of adequately protecting AD.


PS2: Two quick points for folks out there shedding light on "Active Directory Recon" -
  • To those who may want to show the world how to perform an Active Directory recon without admin rights, I would like to respectfully point out that it really is no big deal to do that, because by default Authenticated Users already have full read access to every object in every partition in Active Directory.
  • To those cyber security enthusiasts who may just be discovering Active Directory and finding exuberance in showing the world their new-found Active Directory recon skills, again I would only like to respectfully point out that Active Directory has been around for 17 years now, and thus there are 1000s of individuals who know a lot about it, many of whom may have already done a lot of this a decade ago. So while it's great to discover new things, and I wish you all the very best as you go about discovering the ocean that Active Directory is, it's best to do so with humility.

Monday, June 26, 2017

A Simple Trillion $ Active Directory Privilege Escalation Example (Day 6)

Dear Microsoft,

Today is Day-6 of our advanced Active Directory security school for you. I was going to talk about effective permissions today, but perhaps a concrete example might help everyone first, so today I'll present a very simple, realistic illustrative example.

This example is representative of what you may find in most Active Directory deployments today so it merits undivided attention.

Hacker trying to elevate privilege in an Active Directory deployment

It may seem a bit long and I know that these days everyone prefers a 30-second exec summary, but this illustrates a MASSIVE cyber security challenge that thousands of organizations worldwide likely face today, so you'll want to read it completely.

I only hope that someone at Microsoft has the intellectual capacity to fathom the ramifications of what I've shared below.



A 1000 Paths to Escalate Privilege to a Domain/Enterprise Admin within Active Directory -



Quick Background

It is a well-known fact that if someone can escalate their privilege to that of an Active Directory privileged user (e.g. a Domain Admin, Enterprise Admin etc.), he/she would in effect have gained complete command and control over your IT infrastructure.

Microsoft's guidance does a decent job at describing the default administrative groups in Active Directory; it communicates that the domain security groups considered privileged by default, and all their members, are afforded special protection via AdminSDHolder: every 60 minutes (by default) the Security Descriptor Propagator (SDProp) on the PDC emulator stamps the ACL of the AdminSDHolder object onto all such accounts and groups, disabling inheritance on them and setting their adminCount attribute to 1.

AdminSDHolder

Most organizations have thus focused their Active Directory privileged user audit and security efforts on identifying (and protecting) all AdminSDHolder protected accounts, and have a fairly good idea of the count and identity of such accounts.

But if you look just ONE level deeper, you'll likely find...

...1000s of privilege escalation paths, leading to these privileged users.






Now, A Simple, Real-World Example

Microsoft, here's a realistic example, with real-looking data, drawn from the Active Directory deployment of a fictional organization.

To keep it really simple, let's just begin by taking a look at their Domain Admins group -

The Domain Admins Group in Active Directory

As you can see, they've really locked their Active Directory down and have only 2 Domain Admins accounts in Active Directory.

In fact, let us assume that the entirety of their other default administrative groups in Active Directory, e.g. Enterprise Admins, Administrators, Schema Admins, Account Operators, Server Operators, etc., also only have the same two members.

Based on the above, if an IT Auditor were required to report on the number of privileged users in their Active Directory, such as to demonstrate regulatory compliance, he/she'd say that this organization only has 2 privileged users in their Active Directory -
  1. The default Administrator account, and
  2. Steve Ballmer, the Domain Administrator
In fact, not only may this organization's CFO actually be signing-off on this to demonstrate regulatory compliance, but the organization would from this point on be operating on an assumption that they have only 2 privileged users in Active Directory.

Today, at most organizations worldwide, this is the extent of identifying and certifying the number of privileged users in Active Directory i.e. their IT departments do their best to identify all default administrative accounts protected by AdminSDHolder.

Keep reading...




Elementary, Watson!

One day, Mr. Watson, the organization's CISO has a visitor, Mr. Holmes, a friend. Mr. Watson gives an overview of what he does, and as the conversation flows, he shares with Mr. Holmes that in security there is such a thing as privileged users, and that their organization only has 2 privileged users in Active Directory, because the Domain Admins group only has 2 members!

Mr. Holmes

At which point, Mr. Holmes asks Mr. Watson - "But is there anyone who can change the Domain Admins group's membership?"

Slightly taken aback, Mr. Watson says - "Well, er, we never did think of that! Why do you ask?"

To which Mr. Holmes replies - "It's Elementary, Watson!"

Here's why this is Elementary: If someone can change the membership of the Domain Admins group, he/she can easily control who is, and who is no longer, a Domain Admin, so obviously he/she is also equivalent to a privileged user, isn't he/she?!





A Simple Question, A Not So Simple Answer

Immediately after the meeting, Mr. Watson (CISO) called Mr. Ballmer, and asked - "Steve, I know we only have 2 members in the Domain Admins group, (i.e. you + the Admin account) but how many people can actually change the group's membership?"

To which Steve, the Domain Admin responded - "Er, that's a good question Sir! To be quite honest, I've never actually thought about it because I've always assumed it would just be us, but let me try to actually figure it out and get back to you!"

Steve, the Domain Admin, figured he'd begin by taking a look at the ACL of the Domain Admins group, because to answer the question, he'd need to figure out if anyone else had the ability to modify the Member attribute of the Domain Admins group -

The ACL on the Domain Admins Group


Sure enough, there were a few non-default permissions in the ACL protecting the Domain Admins group. (This was the AdminSDHolder ACL, which had been customized, as stamped onto the Domain Admins group by SDProp.) For instance, there were Special permissions granted to the IT Contingency Support Team, and Write all properties granted to IT Global Admins etc.

There were Allow permissions (and perhaps a few Deny permissions as well); there were permissions granted to individual users, security groups (which could have nested groups), well-known SIDs, relative SIDs (e.g. Self) etc.; and while some were straightforward, many were marked Special, and some granted Full Control etc. In short, this didn't seem simple.

Where and how should he begin, and how might he be able to answer this simple and elemental question?!

For a moment, he sat there trying to figure out how to answer this question, as he had never really given it much thought before.





Small digression...

Humor

What a coincidence that a world-renowned expert of Black Hat Conference Presenter fame recently (on June 13, 2017) shed light on this most basic, super simple fact with the world! i.e. in Active Directory, admin rights are granted by more than groups -


I'm sorry but that snapshot above (which was sent to me by someone) was just too funny (and pertinent) not to include in here, considering that it's 2017 and it's been retweeted 326 times & liked 468 times thus far. Like kids say these days ROFL LMAO ;-)

A helpful tip for all such experts (including those who made BloodHound): You're off to a good start, (and (is it just me or do you too find it funny that) you're just realizing all this 15+ years after Active Directory was shipped! ;-) ) so let me help you a bit, like I helped one of your Twitter friends understand this stuff recently. If you want to do this correctly, you have a million miles to go.

In fact it's right there (two tabs to the right) in the snapshot above, but even Microsoft's experts don't get it, as evidenced here.

Oh one other thing - when it comes to Active Directory Security, I learnt that the folks at that Black Hat Conference don't seem to know much. They're so new to this stuff which is why I for one will never be applying to present at that conference again.

End of Small digression...






Aha!  (It is "Who has what Effective Permissions",  Not "Who has what Permissions")

He figured he'd Google the term "Active Directory Permissions Audit". When he did, he mostly came across numerous advertisements from various vendors, all claiming to help him "Find out who can do what in Active Directory", so he requested trials from all of them, only to realize that all they were doing was helping find "Who has what Permissions in Active Directory". That was hardly useful, considering just how many complexities there are in determining who can actually do what in Active Directory, such as correctly taking into account conflicting permissions, precedence orders, overlapping permissions, inapplicable permissions, group memberships, well-known SID inclusions (e.g. Domain Users etc.) and numerous other factors, and none of these vendors' solutions could help him answer this simple question.

So much so for these (clueless) vendors trying to help organizations find out "who has what permissions in Active Directory!"

As he was giving it thought, his eyes seemed to notice (almost as though for the first time ever) that there was an Effective Permissions tab as well, and he thought that perhaps that might be something relevant and important given that there's an entire tab for it, so he figured it may have something to do with what he was trying to figure out, so he clicked on it to view it -

The Effective Permissions Tab

Aha! It is upon reviewing this tab he realized that indeed, in order to answer this simple question correctly (i.e. accurately), he would need to take all the permissions specified in the object's ACL into account TOGETHER (and not separately), and that he would need to determine who has sufficient "effective permissions" to modify (i.e. write) the "member" attribute on the group.

[ Quick background on why one needs to determine effective permissions to answer this, and all such questions: a user could be allowed a specific set of permissions in one or more ACEs, either directly or via (direct or nested) group membership(s), yet could also be denied the same or a subset of those permissions, directly or via (direct or nested) group membership(s), in one or more other ACEs in the same ACL. Some of these grants may be explicit while others are inherited, and some may apply to the object while others may not. Thus, to determine the user's actual resulting access, one needs to consider the cumulative impact of all the permissions specified in all the ACEs in the ACL collectively (i.e. TOGETHER). ]
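To make the bracketed point concrete, here is an added, constructed model of how the ACEs in one ACL combine into effective permissions for a single write (the "member" attribute of the Domain Admins group). It is not Gold Finger's or Microsoft's code; the group nesting, the user list and every ACE below are made up, and the access-check logic is a simplification of the real Windows algorithm (canonical ACE order, per-attribute scoping, inherit-only ACEs, nested groups and well-known SIDs, but no owner rights or validated writes).

```python
"""Constructed, simplified model of how the permissions in one Active Directory ACL
combine into "effective permissions" for one right: writing the `member`
attribute of the Domain Admins group. Not Gold Finger's or Microsoft's code."""
from dataclasses import dataclass

MEMBER = "member"   # the attribute in question (real AD scopes ACEs by schema GUID)
ALL = "*"           # an ACE with no object type covers every attribute
WRITE_RIGHTS = {"WriteProperty", "GenericWrite", "GenericAll"}  # any of these writes an attribute


@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool                  # True = Allow ACE, False = Deny ACE
    rights: frozenset            # e.g. frozenset({"WriteProperty"})
    object_type: str = ALL       # attribute the ACE is scoped to ("Special" in the UI)
    inherited: bool = False      # inherited from a parent rather than set explicitly
    inherit_only: bool = False   # listed in the ACL but does not apply to this object


# Constructed directory: direct group membership (groups may nest) and the users to assess.
GROUPS = {
    "Domain Admins": {"Administrator", "Steve Ballmer"},
    "IT Global Admins": {"Erica Lockhart", "IT Contingency Support Team"},
    "IT Contingency Support Team": {"Larry Page", "Ted Schlein"},
    "IT Web Administrators": {"James Walsh"},
}
USERS = {"Administrator", "Steve Ballmer", "Erica Lockhart", "Larry Page",
         "Ted Schlein", "Victor Lombardi", "James Walsh"}

# Constructed ACL on the Domain Admins group, roughly as the ACL editor would list it.
DOMAIN_ADMINS_ACL = [
    Ace("Domain Admins", True, frozenset({"GenericAll"})),                            # Full Control
    Ace("IT Global Admins", True, frozenset({"WriteProperty"})),                      # Write all properties
    Ace("IT Contingency Support Team", True, frozenset({"WriteProperty"}), MEMBER),   # "Special": member only
    Ace("Victor Lombardi", True, frozenset({"GenericWrite"})),
    Ace("IT Web Administrators", True, frozenset({"WriteProperty"}), inherited=True),
    Ace("James Walsh", False, frozenset({"WriteProperty"}), MEMBER),                  # explicit Deny on member
    Ace("Authenticated Users", True, frozenset({"ReadProperty"})),                    # read only: no write
    Ace("Authenticated Users", True, frozenset({"WriteProperty"}), inherit_only=True),  # child objects only
]


def token_sids(user):
    """The identities a user's access token carries: the user, every group it is in
    directly or through nesting, and the well-known SIDs every domain user holds."""
    sids = {user, "Authenticated Users", "Everyone"}
    changed = True
    while changed:   # keep expanding until no new nested group appears
        changed = False
        for group, members in GROUPS.items():
            if group not in sids and members & sids:
                sids.add(group)
                changed = True
    return sids


def ace_covers_write(ace, attribute):
    """True if the ACE's rights and object-type scope cover writing `attribute`."""
    return ace.object_type in (ALL, attribute) and bool(ace.rights & WRITE_RIGHTS)


def can_write_attribute(acl, user, attribute):
    """Evaluate the ACL in canonical order (explicit Deny, explicit Allow, inherited
    Deny, inherited Allow); the first applicable ACE that covers the write decides.
    Inherit-only ACEs and ACEs for identities not in the token are skipped."""
    sids = token_sids(user)
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.inherit_only or ace.principal not in sids:
            continue
        if ace_covers_write(ace, attribute):
            return ace.allow
    return False   # no applicable ACE grants the write: denied by default


def who_can_write(acl, attribute):
    """Effective permissions across all users: who can write `attribute`."""
    return sorted(u for u in USERS if can_write_attribute(acl, u, attribute))


if __name__ == "__main__":
    for user in who_can_write(DOMAIN_ADMINS_ACL, MEMBER):
        print(user)
```

Note that James Walsh's inherited "Write all properties" still lets him write other attributes such as description, while the explicit Deny scoped to member removes exactly the right the question is about; a permissions listing shows both ACEs, only an effective-permissions evaluation shows the outcome.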





Er, No Solution?

Once he had established that he needed to determine effective permissions, he figured that he would just use Microsoft's Effective Permissions Tab to do so. It is when he tried to do so that he realized that this tab could at best determine (an approximation of) effective permissions for one user at a time. Since they have 1000s of users in their Active Directory, there was no way he was going to manually enter 1000s of names one by one into this tab, then make a note of each individual user's effective permissions.

Upon doing some research online, he realized that all of Microsoft's native tooling related to any sort of effective permissions calculations in Active Directory, such as dsacls, acldiag, accesschk, scripts on TechNet, PowerShell etc., (as well as this ridiculously stupid and dangerously inaccurate free tool) were all substantially inaccurate/inadequate, and thus hardly useful.

So he called the CISO and said - "Mr. Watson, it appears that to answer your question, we need to be able to accurately determine something called effective permissions on the Domain Admins group, but it appears there's no solution to do so, i.e. there appears to be no way to do so easily and accurately, so I'm afraid I don't think we'll be able to figure this out."

Mr. Watson

Mr. Watson replied - "Mr. Ballmer, it's 2017. 100% of all major recent cyber security breaches have involved the compromise of a single Active Directory privileged user, and there are a 1000 cyber security companies out there, and you're telling me that there is no way to figure out something as elemental as how many people can control our Domain Admins group membership?!"

The Domain Admin replied - "Well, Microsoft does not have any tooling that can do this accurately and efficiently, nor does any cyber security company covered by what's that company again, yes Gartner. In addition, all the vendors in the Active Directory space merely have simple permissions audit solutions which cannot solve this problem, and no major cyber security or IT company including Dell, EMC, RSA, Palantir, Tanium, Cisco, HP, Centrify etc. and I could name 992 more, seem to have any solution to this problem."

Mr. Watson replied - "Well, look harder, because we have got to be able to figure this out! Can you imagine that we, a multi-billion $ company, don't even know how many individuals can change the membership of our Domain Admins group!"

So Mr. Ballmer did, and just as when he was just about to give up, he chanced upon this, and here's what happened next...





Click, Done

He launched Gold Finger, selected the Effective Permissions Calculator, pointed it to Domain Admins and clicked ONE button -

Gold Finger Effective Permissions Calculator


He realized that even if he did not know a thing about Active Directory technical stuff, he could still have been able to do this by selecting the Effective Access Calculator and done the same -

Gold Finger Effective Access Calculator

In less than 15 seconds, he had uncovered for the first time ever, that although they only had 2 Domain Admins, there were in fact 6 individuals in total who could change the membership of the Domain Admins security group -
  1. The Administrator account
  2. Erica Lockhart
  3. Larry Page
  4. Steve Ballmer (himself)
  5. Ted Schlein
  6. Victor Lombardi
(Technically speaking, here's what the tool did: convert this to this.)

It was partly shock and partly awe, so he immediately called the CISO and informed him that there were a total of 6 individuals who could change the membership of the Domain Admins group, and thus that they may have been operating under a false assumption all this while, and in fact may also have furnished inaccurate evidence to demonstrate regulatory compliance.

There was silence for a moment on the phone.

Mr. Watson asked the Domain Admin - "Well, is there anyone that stands out in particular?!"

Mr. Ballmer replied - "While all four are surprising, one in particular is most surprising - Ted Schlein, he's a junior IT operator!"

Wow, they had just discovered that amongst others, a junior IT operator could control the Domain Admins group's membership.



Mr. Watson was a quick learner, so he asked "Well, can you find out how many people can reset Mr. Schlein's password?"

Slightly taken aback, Mr. Ballmer says - "Well, er, I've never thought of that! Why do you ask?"

To which, this time around, Mr. Watson replied - "It's Elementary, Ballmer!"

Here's why this is Elementary:  If someone can reset the password of a Domain Admin, he can instantly become the Domain Admin and login as the Domain Admin, so obviously he/she is also equivalent to being a privileged user, isn't he?!






Whoa

This time around the Domain Admin, Mr. Ballmer, pointed Gold Finger at Ted Schlein's account and clicked a button -

Gold Finger Effective Permissions Calculator

In less than 15 seconds, he had discovered, again, for the first time ever, that 28 more individuals possessed sufficient effective access on Mr. Ted Schlein's domain user account in Active Directory so as to be able to reset his password -
  1. Administrator
  2. Chris Warner
  3. Costas Dimitriou
  4. David Parker
  5. Ed Newman
  6. Eric Boyle
  7. Erica Lockhart
  8. Frank Murphy
  9. Gabriel Peterson
  10. James Walsh
  11. Jeff Bezos
  12. Juan Batista
  13. Julia Walker
  14. Kid Zuckerburg
  15. Larry Page
  16. Laura Michelson
  17. Marc Benioff
  18. Michael Karp
  19. Patrick Sullivan
  20. Quincy Lawson
  21. Ray Lane
  22. Ryan Johnson
  23. Satya Nadella
  24. Steve Ballmer
  25. Susan Williams
  26. Ted Schlein
  27. Troy Williams
  28. Victor Lombardi
  29. Vincent Smith
  30. Yaris Constantinou

In other words, they had just discovered at least 28 more individuals who were 10 seconds away from gaining sufficient access to an account that had sufficient access to instantly obtain complete command and control over the Domain Admins group!

(Technically speaking, here's what the tool did: convert this to this.)

Mr. Ballmer called Mr. Watson - "Sir, I think you'll want to see this in person!"





Privilege Escalation Paths

As I said, Mr. Watson was a quick study, and by now had figured out that if 28 more people (than they knew about) could reset the password of a user who could change the membership of the Domain Admins group, there were at least 28 privilege escalation paths to becoming a privileged user in their Active Directory.

He figured that if this simple logic was iteratively applied on to these 28 accounts, the number of paths could possibly be in the hundreds, and with each additional level of iteration, they would likely substantially increase. In fact, if one were to consider all the IT assets stored in Active Directory, by extrapolation, there could be 1000s of privilege escalation paths in Active Directory!

Privilege Escalation Paths in Active Directory

So he asked Mr. Ballmer, the Domain Admin a simple question - "With this tool that you've found, it appears you can do this one object at a time, but we have 1000s of users, so is there an easy way to quickly (efficiently) and accurately figure out who can reset whose passwords in Active Directory, because if we could do so, we may find 1000s of privilege escalation paths?"





Impossible? Done

It turns out that in the whole wide world, with trillions of $ being protected by Active Directory, there is all of ONE way to do this.

Mr. Ballmer used the tool selector in Gold Finger to select the Administrative Access / Delegation Audit Tool, selected the report Who can reset user account passwords?, set the scope to be the entire domain and clicked ONE button -

Gold Finger Administrative Access / Delegation Audit Tool

In seconds, Gold Finger had accurately and efficiently determined effective permissions / effective access on all domain user accounts in their Active Directory and revealed possibly the most valuable intelligence/insight they had seen in years - the complete and accurate list of exactly who can reset whose passwords in their Active Directory, and how they can do so.

To view the actual output of this effective access assessment in this small domain, please click here.

(Technically speaking, here's what the tool did: convert this to this.)


To make a long story short, if you have or possess the ability to accurately assess access entitlements of an entity in a system, which as it pertains to Active Directory means if you have the ability to accurately determine effective access provisioned in Active Directory, then you'll be able to uncover thousands of privilege escalation paths in Active Directory deployments.


In this puny Active Directory alone, there were hundreds, such as this one -
  • Ted Schlein, a Junior IT Operator, can change the Domain Admins group membership
  • Kid Zuckerburg, a Junior IT Analyst, can reset Ted Schlein's password
  • Larry Page, an IT Support Admin, can reset Kid Zuckerburg's password
  • James Walsh, an IT Web Administrator, can reset Larry Page's password 
So, the path is:  James Walsh > Larry Page > Kid Zuckerburg > Ted Schlein > Domain Admins group
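The iteration Mr. Watson reasons about above (who can reset whose password, applied repeatedly until a chain reaches the Domain Admins group) is what an auditor would run over a domain-wide effective-access report. Here is an added, constructed example of that step, not Gold Finger's output or code: the access facts, the account descriptions and the "mutual reset" cycle are all made up, and the search simply chains them into cycle-free escalation paths and ranks the ones that start at contractor accounts.

```python
"""Constructed example: chaining per-object effective-access results ("X can reset
Y's password", "X can change the membership of Domain Admins") into the privilege
escalation paths they form. Assumed data, not Gold Finger's output."""
from collections import defaultdict

TARGET = "Domain Admins"

# Constructed effective-access facts: (who, can do what, to whom).
ACCESS = [
    ("Administrator", "is a member of", TARGET),
    ("Steve Ballmer", "is a member of", TARGET),
    ("Ted Schlein", "change membership of", TARGET),
    ("Larry Page", "change membership of", TARGET),
    ("Kid Zuckerburg", "reset password of", "Ted Schlein"),
    ("Ted Schlein", "reset password of", "Kid Zuckerburg"),   # mutual grant: forms a cycle
    ("Larry Page", "reset password of", "Kid Zuckerburg"),
    ("James Walsh", "reset password of", "Larry Page"),
    ("Kevin Mandia", "reset password of", "James Walsh"),
]

# Constructed account descriptions, used to rank the weakest starting points.
ACCOUNTS = {
    "Kevin Mandia": "temporary contractor, Bangalore",
    "James Walsh": "IT Web Administrator",
    "Larry Page": "IT Support Admin",
    "Kid Zuckerburg": "Junior IT Analyst",
    "Ted Schlein": "Junior IT Operator",
}


def build_graph(access):
    """Directed graph of control: controller -> {controlled account: action}."""
    graph = defaultdict(dict)
    for actor, action, subject in access:
        graph[actor][subject] = action
    return graph


def escalation_paths(access, target=TARGET, max_hops=6):
    """Every simple (cycle-free) chain of control ending at `target`, found by a
    depth-first search from each account. Returns node lists, shortest first."""
    graph = build_graph(access)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        if len(path) > max_hops:          # bound the search in large domains
            return
        for nxt in graph.get(node, {}):
            if nxt not in path:           # visited check stops the mutual-reset cycle
                walk(nxt, path + [nxt])

    for start in list(graph):
        walk(start, [start])
    return sorted(paths, key=lambda p: (len(p), p))


def weakest_links(access, accounts, target=TARGET):
    """Shortest path to `target` from each account described as a contractor."""
    best = {}
    for path in escalation_paths(access, target):   # already shortest first
        start = path[0]
        if "contractor" in accounts.get(start, "") and start not in best:
            best[start] = path
    return best


def describe(path, access):
    """Render a path as the sequence of actions each hop relies on."""
    graph = build_graph(access)
    return "; ".join(f"{a} can {graph[a][b]} {b}" for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    for path in escalation_paths(ACCESS):
        print(" > ".join(path))
    for start, path in weakest_links(ACCESS, ACCOUNTS).items():
        print(f"weakest link from {start}: {describe(path, ACCESS)}")
```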


For a limited time, you can do this for free (one object at time though), courtesy Gold Finger Mini, which we had recently decided to make available for free to help CEOs, CIOs and CISOs see for themselves just how bad the situation really is.

In most real-world, production Active Directory environments, you'll likely easily find 1000s of such privilege escalation paths.






The Weakest Link

For now, the CISO wanted to know what the weakest link might be i.e. is there a link wherein the starting point might be rather easily compromisable, and one that could within minutes easily lead to one gaining privileged access in Active Directory?

So they analyzed the effective access entitlement data that the tool had generated within seconds and guess what they found?

Here's likely the shortest privilege escalation path that could also possibly be the weakest link in this Active Directory -

  • Larry Page, an IT Support Admin based in USA, can change the Domain Admins group membership
  • James Walsh, an IT Web Administrator based in USA, can reset Larry Page's password
  • Kevin Mandia, a temporary contractor based in India, can reset James Walsh's password 
So, the path is:  Kevin Mandia > James Walsh > Larry Page > Domain Admins group

It is possibly the weakest link because it begins with a temporary contractor's account, one that is located in a foreign country and possibly not as protected as the Domain Admin's account, and possibly one that is much more easily compromisable, and leads right to Domain Admin, and merely involves the enactment of 3 simple common tasks that all intermediate accounts involved in the escalation chain already have sufficient access to enact!

[ By the way, in case you're wondering how Mr. Mandia ended up with such access on Mr. Walsh's account, it turns out that someone meant to grant the IT Helpdesk Backup Team Send As permissions on Mr. Mandia's account, i.e. in the ACL (here) protecting his domain user account, but accidentally ended up granting the IT Helpdesk Team Reset Password permissions (which is right below the Send As permissions in Microsoft's ACL Editor UI), resulting in a situation wherein Kevin Mandia, a member of the IT Helpdesk Team ended up getting sufficient effective permissions to be able to reset Mr. Walsh's password. ]

Also, one doesn't need admin credentials to uncover such excessive grants; any domain account will do. In fact, intruders could use Microsoft's free tools (e.g. acldiag) to find low-hanging fruit i.e. any obvious and glaringly apparent excessive permissions. In fact, if you assume breach, then an intruder could take his sweet time to engage in unaudited read-only activity to analyze Active Directory ACLs, and over some time try and find various privilege escalation paths.

Here's a closer look at Kevin Mandia's domain user account in Active Directory -

Kevin Mandia's account viewed in Active Directory Users and Computers

As seen above in Microsoft's UI, Mr. Mandia is a temporary contractor based half way around the world, in Bangalore, India.


So, in effect, if perpetrators could compromise the domain account of this 1 temporary contractor located in Bangalore, India, they could obtain control over the foundational Active Directory of this fictional multi-billion $ U.S. organization, in minutes!


Think about it for a minute - Microsoft suggests that organizations assume breach. Based on what's been going on, if credential-theft and other techniques can be used to compromise Domain Admin accounts, imagine how much easier it is to compromise a regular domain user account (or his computer), especially one belonging to a temporary contractor! All that the perpetrators need to do is to compromise Mr. Mandia's credentials or his computer and that's it, because the rest is child's play.


To visualize this, imagine that an APT is able to compromise Kevin Mandia's account in Bangalore at 12:30 pm local time (IST), which is 3:00 am (EST) in New York. By 3:02 am (EST) New York Time, they would have enacted 2 legitimate password resets and a group membership change to effectively gain Domain Admin privileges. By 3:05 am New York Time (EST), they would have removed all existing members from the Domain Admins group, and completely locked down access on/to it, and in effect, they would have gained complete command and control over the Active Directory in less than 5 minutes!

This, while the organization has been operating on the assumption that they only have 2 privileged users in Active Directory.

The CISO

Once the CISO had visualized this, he called the CEO and said - "Sir, I think we may have a problem."

To which the CEO's immediate response was "Before you describe it, tell me, is there a solution?"

(To know the answer , please keep reading.)




There's an old saying - "To the wise, a hint is enough."

If you're smart, I needn't say a word more; if you're not, I could go on forever and you still wouldn't get it, so this example ends here.

(But the answer is below.)






Oh, One Quick Point

To those who might say, well all that's involved here is a password reset, allow me to widen your horizons a bit, because a password reset is merely one of numerous ways in which you can exploit excessive/unauthorized permissions in Active Directory to gain all sorts of privilege -

  1. Password Resets - Password resets are the most obvious and easiest way, because if you have sufficient rights to do so, all you have to do is click a button to compromise that user's identity and elevate privilege.

  2. Membership Changes - Membership changes are the 2nd most obvious way, because if you have sufficient rights to do so, again all you have to do is click a button to be a member of that group and elevate privilege.

  3. ACL Changes - ACL changes on objects are the most powerful way, because if you have sufficient rights to do so, again all you have to do is click a button to control all access on that object and elevate privilege.

  4. GPO Linking - GPO linking is one of the easiest ways to compromise computers, because if you have sufficient rights to do so, all you have to do is click a button to gain privileged access to the computer (and thus to almost everything on it) and elevate privilege.

  5. Kerberos Delegation Bits - Modifying bits that control an account's Kerberos delegation settings could enable you to impersonate a user across the network, and if you can do so, you could easily (set up to) impersonate a privileged user.

  6. Disabling Smart-card Authentication - If you have sufficient access to disable Smartcard authentication on a domain account, you could weaken security as when you do so, the account will now only be protected by a random password, and if you also happen to have sufficient access to reset its password, you'll have elevated your privilege to that account.

  7. Tampering with a Service Connection Point - If your organization relies on a 3rd party solution (e.g. this one) to enhance and/or strengthen access, and to properly function that solution relies on service connection points (SCPs) in Active Directory, then if you can tamper with that solution's SCPs (e.g. modify its keywords), you could instantly render it useless, thus weakening the security of all IT assets that service helps protect.

I've shed light on just a few. The more time you spend on this stuff, the more you'll learn and the more ways you'll find.

Oh, and if you think these band-aids will solve the problem, request us, and we'll show you how easy it is to circumvent them.





The Root Cause

At the root/heart of everything I have shared above lies a deep and vast ocean of Active Directory security permissions.

A Vast Ocean

In fact, at the heart of everything I have shared above is a very simple fact. In most foundational Active Directory deployments worldwide, IT departments have been provisioning all kinds of access to fulfill various business needs for years now. Given the complexity of Active Directory's security model and the intricacies involved in access provisioning, such as the fact that when you use groups (as you should), their underlying memberships can change, and above all the fact that while it is easy to precisely provision access, it is very difficult to precisely assess resulting access (because the means to precisely assess resulting access don't exist, as described here), there is obviously, today, a dark ocean of security permissions in Active Directory, and together they effectively end up granting an alarmingly vast amount of excessive/unauthorized access on literally everything in Active Directory.

Here's a clarified glimpse of what one drop in the ocean looks like -

ACL on Ted Schlein's Active Directory User Account

What I've shown above is merely a portion of the access control list (ACL) protecting Ted Schlein's account, here.

As you can see, there are numerous access control entries (ACEs), each one specifying one or more of the over a dozen types of Active Directory security permissions. Some of these may be allowed while others are denied; some may be specified explicitly while others are inherited; and of the inherited ones, some may actually apply to the object while others may not. Each such permission is specified for a security principal, which might be an individual user, a security group (which may additionally have other security groups nested in it), a well-known security principal (such as Authenticated Users), a relative SID (such as Self) etc. It is the entirety of all this, taken together, that determines who can do what on an Active Directory object, in this case Schlein's account.

In most Active Directory deployments today, there are thousands, if not hundreds of thousands, of such ACLs, and in so many Active Directory deployments, there are as many as 100+ ACEs in each ACL, so there are millions of ACEs in Active Directory that whilst specified individually, ultimately collectively determine the resulting effective access across Active Directory.


Dear Microsoft, in light of this complexity, how are IT personnel reasonably supposed to make any sense out of it?!







What the World Needs

Today, the entire world (i.e. thousands of business and government organizations worldwide) operates on Active Directory.


What the world needs is the ability to accurately and efficiently convert this (protecting this) into this so that we can tractably and easily make sense of this ocean and achieve least-privileged access in our foundational Active Directory deployments, which today are paramount to cyber security.






Summary

To summarize, today via the above, I just wanted to make the following points -


  1. A 1000 Ways to Become Domain Admin - Even in Active Directory deployments wherein credential-theft attacks may no longer be possible, there are still a 1000 ways to elevate privilege to Domain Admin, as shown above.

  2. An Ocean of Active Directory Security Permissions - This is made possible because there exists an ocean of security permissions in each Active Directory that ultimately governs effective access on everything stored in Active Directory.

  3. Perpetrators May Be On to It - As evidenced by recently introduced free tooling, notably BloodHound which incidentally is substantially & laughably inaccurate, the hacking community has started focusing on weaknesses in Active Directory. 

  4. This Impacts all Active Directory Deployments - Today, irrespective of size, this problem is present in every Active Directory, and organizations that do not care about addressing it might end up being sitting ducks for perpetrators.

  5. Today, an Easily Addressable Problem - Organizations that operate on Active Directory and wish to address this serious problem now actually have the ability to do so. Whether or not they choose to address it is entirely their call.



ONE LAST THING -

(This part was added later, inspired by a buffoon who left a most ridiculously immature and stupid comment.)


The only reason we had to use Gold Finger in this example is because it is the only tool (that we know of) that can so easily demonstrate the presence of 1000s of privilege escalation paths in Active Directory. This is NOT meant to promote Gold Finger.

Let me repeat that - we have no particular interest in promoting Gold Finger. In fact, in 10+ years as a company, we have NOT once marketed our products, sent a single unsolicited email to anyone, made a single unsolicited phone call, or pitched our product to ANYONE. Not once. During the same period, almost 10,000 organizations have knocked at our doors, unsolicited.

So to that buffoon I'd say - "Buzz off !"  (Why don't you focus on the problem, instead of on the tool used to shed light on it?)

Mature organizations have to assume that there may be nefarious entities out there, some possibly (heavily) state-sponsored, who could have clandestinely developed (and could use) similar tooling. To not assume so would be to be incredibly naïve.

All we care about is organizations addressing this risk (because, left unaddressed, it will remain a huge security risk, and we can demonstrate it to any organization that requests us), and of course they can use any means they like to address it.

Again, let there be NO mistake whatsoever about this. I should not have to repeat this again.

I will say this much though, and stand by it - "For all the marketing noise and grandiose claims that the 1000+ cyber security companies and major tech / defense companies out there make, we do find it laughable that not one of them has a solution for such a profoundly elemental and fundamental problem!"



That's it for today. More in the next few days to come. Stay tuned.

Best wishes,
Sanjay


PS: As to that Jr. IT Operator, Ted Schlein, his name and title were inspired by this supposedly brilliant cyber security visionary, who failed to understand even such simple stuff, a decade ago, and passed on helping out. Hey in a way, I'm thankful to him ;-)

PS2: Microsoft, in essence, this to this. Get it?!    (To gain a deeper understanding of how all this works, you'll want to read the one patent that governs the determination of effective access in Active Directory deployments across the world - this one.)