Today, Active Directory security is mission-critical to organizational security worldwide, and thus mission-critical to cyber security worldwide. On this blog, the former Microsoft Program Manager for Active Directory Security, and today CEO of Paramount Defenses, shares valuable technical insights on Active Directory security.


Showing posts with label BloodHound. Show all posts

Monday, February 24, 2020

Bloodhound for Active Directory : Bloody Inaccurate

Folks,

As former Microsoft Program Manager for Active Directory Security, and today as CEO of Paramount Defenses, my time is EXTREMELY valuable, so I don't have too much time for blogging etc., but I wanted to make a very important point today.



Bloodhound for AD

There's a tool out there called Bloodhound for AD (Active Directory), and it's designed to analyze an organization's Active Directory security permissions and find privilege escalation paths leading to all-powerful privileged AD accounts.


Over the years, it's gained a lot of attention, and from what I'm told, today hundreds of thousands, if not millions, of Red and Blue Teamers worldwide use Bloodhound to find privilege escalation paths in Active Directory deployments.

In fact, these days even $ 10 B cyber security companies like CrowdStrike write about Bloodhound, as can be seen here; sadly, when they do so, all they do is show the whole wide world just how little they too know about Active Directory Security.



Bloodhound for AD - Bloody Inaccurate 

Folks, please pardon my French, but when someone can design a tool to exploit weaknesses in Active Directory deployments, which could then be used to harm organizations, and call it Bloodhound, then I hope its designers and the world won't mind if I accordingly use the word BLOODY in pointing out just how INACCURATE this tool actually is.


I've personally tested Bloodhound, and in less than two minutes, I was able to determine that it is not accurate. I spent fifteen more minutes testing several advanced factors involved in Active Directory security, and it seemed to fail virtually all of them.

In less than 15 minutes, I was able to factually (technically) determine that Bloodhound's results were far from being accurate.




Details and Proof

I've invested almost twenty years of life in being the best in the world at Active Directory Security, so I'm NOT about to provide FREE feedback to whoever built this tool to help them make it accurate, because conceptually this tool empowers bad guys to exploit weaknesses and take out good guys. I'd encourage them to work harder to learn more, and figure it out on their own.

I'll share the ESSENCE of what makes it bloody inaccurate - it does not take THIS one essential technicality into account.

That said, to anyone who may want proof that Bloodhound is inaccurate, all one has to do is compare its output on even just a few core test cases, with the output of the world's only accurate Active Directory privileged access audit tool, Gold Finger.




Gold Finger for AD - The GOLD Standard

Even after a decade, there's still only one tool on planet Earth that can ACCURATELY determine privileged access in Active Directory, based on the accurate determination of effective permissions, and it is the world's ONLY accurate privileged access audit tool for Microsoft Active Directory - the Microsoft-endorsed Gold Finger.


Over the last decade, from the United States Department of Defense to the United States Treasury, the world's most powerful and important government and business organizations across six continents worldwide have used and trusted Gold Finger to make these paramount determinations in their foundational Active Directory deployments.

Gold Finger includes the world's best Active Directory ACL Analyzer, ACL Exporter, Permissions Analyzer, the world's only accurate Active Directory Effective Permissions Calculator, the world's only accurate Active Directory Effective Access Auditor, AND most importantly, the world's only accurate, fully-automated, domain-wide Privileged Access Auditor for Active Directory.


Now, unlike those who built Bloodhound and made it available for free, we do NOT license Gold Finger to individuals; we only license it to legitimate organizations, and only for use in their own Active Directory deployments, for a very simple reason.

The reason very simply is that the information that Gold Finger can uniquely determine and reveal can ACTUALLY be used to either protect and lock down or compromise and take down entire $ Billion/Trillion companies, all within a matter of minutes.





A Much Bigger Problem

From a technical standpoint, it's hard to have an issue with its concept, as it seems to be a penetration testing tool that seeks to identify exploitable privilege escalation paths leading to Domain-Admin equivalent privileged accounts in Active Directory.

What amazes me and should amaze everyone is that even with its limited accuracy, based on its ability to take basic factors into account, those using it can still easily find so very many privilege escalation paths in almost any Active Directory deployment.


There's a MUCH bigger problem here, which is that even today, 99% of organizations operating on Active Directory either do not know enough about Active Directory Security to care to lock it down, or do not know how to correctly audit and lock down privileged access in their Active Directory, as a result of which they all remain massively vulnerable.

That is a far more concerning problem than a tool like this, because this is merely one tool. Proficient hackers could easily write their own tools to identify and exploit such privilege escalation paths in Active Directory, AND until organizations accurately identify and lock down privileged access in their Active Directory, they will remain substantially exposed to compromise.




Time's Up

That's it. That's all the time I had for this. I'll end on this - just because millions of people use something doesn't mean it is accurate; it just means that these millions of people, too, may not yet know enough (or anything at all) about Active Directory Security.

Best wishes,
Sanjay.


PS: If you want to learn Active Directory Security, reading the contents of the list in this 1 post alone is a good place to start.

Tuesday, December 12, 2017

How to Correctly Discover Shadow Admins in Active Directory

Shadow Admins - The Stealthy Accounts That You Should Fear The Most, but Needn't Anymore


Folks,

A few weeks ago, CyberArk, a $ Billion+ cyber security company in the Privileged Account Security space, published guidance on how organizations could identify dangerous "Shadow Admin" accounts that exist in almost every Active Directory today.

Here's their blog post - Shadow Admins - The Stealthy Accounts that You Should Fear The Most.


Unfortunately, their well-intentioned guidance (and accompanying tooling) for organizations worldwide, although on-point concerning the real danger that undetected "Shadow Admins" pose to organizations, seems substantially inaccurate.

Thus, to help CyberArk's own cyber security experts, as well as to help all IT and Cyber Security professionals at thousands of organizations better understand this subject, today, I'll show you how to correctly identify "Shadow Admins" in Active Directory.

This is Part II of the following, so you'll absolutely want to read - Paramount Privileged Account Security Guidance for CyberArk.

Pre-Requisites: To follow the contents of, and the examples shared in this post, you'll want to read the following -
  1. Shadow Admins - The Stealthy Accounts that You Should Fear The Most
  2. Paramount Privileged Account Security Guidance for CyberArk




First, Some Quick Background

As we all know, over 85% of organizations worldwide operate on Microsoft's Windows Server platform, and in IT infrastructures powered by Windows Server, at the very heart of cyber security and privileged access lies Microsoft Active Directory.


Not only does Active Directory store and protect the most powerful administrative/privileged accounts in a Windows network, it is also the focal point of  administrative delegation, and over the last 17 years, at most organizations, a substantial amount of access provisioning has been done in Active Directory, both to delegate administrative authority and to fulfill business needs.

Consequently, generally speaking, there are 3 levels of privileged access in Windows networks -
  1. Local administrative/privileged access on domain-joined machines
  2. Delegated administrative access within Active Directory
  3. Unrestricted privileged access (accounts and groups) in Active Directory

Of these 3 levels of privileged access, 1 is least powerful and 3 is most powerful. Level 2 is interesting because depending on the access provisioned/delegated, many level 2 access holders, unbeknownst to anyone, could in fact possess Level 3 access!

Now, consider Level 2 accounts that may not be members of any default admin (privileged) access group in Active Directory.

Should any of these Level 2 accounts directly or indirectly have certain modify access effectively allowed on one or more Level 3 accounts or groups, then in effect, even though they're not members of any default administrative (privileged) access groups in Active Directory, they would still have access that is tantamount to possessing unrestricted privileged access in Active Directory, and it is such accounts that CyberArk's experts are referring to as "Shadow Admins."

Further, since these accounts are not members of any default admin Active Directory groups, and the extent to which most organizations go to identify privileged users in Active Directory is to enumerate the membership of these default admin groups, at most organizations all such accounts will likely remain undetected, even though a proficient intruder who knows how to identify such accounts could easily identify and subsequently exploit them to effortlessly obtain complete command and control over the entire organization!

Up until this point, CyberArk's guidance is accurate.




Ah, Active Directory Effective Permissions 

Now consider this - consider the domain user account of an ordinary user John Doe. Assume that he is not a member of any default admin (privileged) user group in Active Directory. Further assume that in the ACL of the Domain Admins group, he has been directly granted the following Active Directory security permissions -  { Allow John Doe Write-property Member }

Based on the above, do you think John Doe will be able to modify the membership of the Domain Admins group?

Most IT personnel, including CyberArk's experts, will likely say - YES!

However, if you ask an Active Directory Security expert, his answer will be - Maybe. (It depends.)

So, what does it depend on?!

Consider this. Imagine that there is a security group in Active Directory called Active Directory Security Novices and assume that this security group is NOT a member of any default Active Directory admin groups. However, assume that perhaps a few months ago, someone specified ANY ONE of the following several security permissions in the Domain Admins group's ACL -
  1. { Deny Active Directory Security Novices Write-property Member } OR
  2. { Deny Active Directory Security Novices Write All Properties } OR
  3. { Deny Active Directory Security Novices Full Control }

Now, if you ask an Active Directory Security expert, his answer will still be - Maybe. (It depends.)

The reason it is still Maybe is that it depends on whether these Deny permissions are explicit (i.e. specified directly in the object's ACL) or inherited, and on whether the Allow permission for John Doe is explicit or inherited. Windows evaluates the ACEs in an object's DACL in canonical order: explicit Deny, then explicit Allow, then inherited Deny, then inherited Allow, and the first ACE that matches both the requesting security principal (directly, or through any group in its token) and the requested right decides the outcome.

If these Deny permissions are explicit, then even though there exists an { Allow John Doe Write-property Member } permission in the ACL of the Domain Admins group's object, John Doe will NOT be able to change the group's membership, because an explicit Deny for a group he belongs to (directly or through nesting) is evaluated before his Allow. Conversely, had that Deny been inherited from a parent container while his Allow was explicit, the explicit Allow would be evaluated first and he WOULD be able to change the membership.

What I have just shared with you is a very highly simplified example of Active Directory Effective Permissions.


Thus, if one were to merely "search and analyze the ACL permissions granted to each account" one could easily end up with inaccurate results, and in security, even ONE such inaccuracy could mean the difference between secure and breach!

This is where CyberArk's guidance is inaccurate.

Specifically, their guidance and tooling does NOT involve determining effective permissions in Active Directory; it merely involves searching Active Directory ACLs for any permissions granted to individual user accounts, and as we have just seen, such an approach is not only the incorrect way to discover such "Shadow Admin" accounts, it is also dangerously misleading!
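To make the John Doe scenario concrete, here is an added PowerShell illustration (not part of the original post, and not the code of any tool named on this page) that models the canonical DACL evaluation order and resolves nested group membership before deciding. The principal and group names are the post's; the membership graph, the ACE objects and the helper names are constructed for this example, and the model deliberately ignores owner-implied rights, user privileges and multi-bit access requests.

```powershell
# Added illustration (not from the post): a deliberately simplified model of the
# Windows / Active Directory DACL evaluation order, applied to the John Doe scenario.
# Names come from the post; the membership graph, ACE objects and helpers are
# constructed for this example.

# Constructed membership graph: group name -> direct members. Cyberdark Gurus is
# nested in the Novices group; the reverse edge makes the nesting circular on
# purpose, because real forests do contain circular nesting.
$Groups = @{
    'Active Directory Security Novices' = @('Cyberdark Gurus')
    'Cyberdark Gurus'                   = @('John Doe', 'Active Directory Security Novices')
}

function Get-TransitiveGroups {
    # Every group the principal belongs to, directly or through any depth of nesting.
    # The HashSet doubles as the visited set, so circular nesting terminates.
    param([string]$Principal)
    $found   = New-Object 'System.Collections.Generic.HashSet[string]'
    $pending = New-Object 'System.Collections.Generic.Queue[string]'
    $pending.Enqueue($Principal)
    while ($pending.Count -gt 0) {
        $current = $pending.Dequeue()
        foreach ($group in $Groups.Keys) {
            if ($Groups[$group] -contains $current -and $found.Add($group)) {
                $pending.Enqueue($group)
            }
        }
    }
    return @($found)
}

function New-Ace {
    # One ACE. Property = $null means "all properties" (Write All Properties).
    param($Trustee, $Type, $Right, $Property = $null, [bool]$Inherited = $false)
    [pscustomobject]@{ Trustee = $Trustee; Type = $Type; Right = $Right
                       Property = $Property; Inherited = $Inherited }
}

function Test-EffectiveAccess {
    param([object[]]$Acl, [string]$Principal, [string]$Right, [string]$Property)
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # The first ACE whose trustee is in the principal's token (the principal plus
    # every transitive group) and whose right covers the request decides.
    $token  = @($Principal) + @(Get-TransitiveGroups $Principal)
    $sorted = $Acl | Sort-Object @{ Expression = { $_.Inherited } }, @{ Expression = { $_.Type -eq 'Allow' } }
    foreach ($ace in $sorted) {
        if ($token -notcontains $ace.Trustee) { continue }
        $rightCovered = ($ace.Right -eq 'FullControl') -or ($ace.Right -eq $Right)
        $propCovered  = ($null -eq $ace.Property) -or ($ace.Property -eq $Property)
        if ($rightCovered -and $propCovered) { return ($ace.Type -eq 'Allow') }
    }
    return $false   # nothing matched: implicit deny
}

# Scenario 1 (the post's): explicit Allow Write-Property Member for John Doe and an
# explicit Deny Write All Properties for the Novices group. John Doe is a Novice
# only through nesting, which an ACL viewer does not show.
$domainAdminsAcl = @(
    (New-Ace 'John Doe' 'Allow' 'WriteProperty' 'member')
    (New-Ace 'Active Directory Security Novices' 'Deny' 'WriteProperty')
)
Test-EffectiveAccess $domainAdminsAcl 'John Doe' 'WriteProperty' 'member'

# Scenario 2: the same Deny, but inherited from a parent container, so the explicit
# Allow is reached first.
$inheritedDenyAcl = @(
    (New-Ace 'John Doe' 'Allow' 'WriteProperty' 'member')
    (New-Ace 'Active Directory Security Novices' 'Deny' 'WriteProperty' -Inherited $true)
)
Test-EffectiveAccess $inheritedDenyAcl 'John Doe' 'WriteProperty' 'member'

# Scenario 3: no Deny at all, which is the only case ACL searching gets right.
Test-EffectiveAccess @($domainAdminsAcl[0]) 'John Doe' 'WriteProperty' 'member'
```

The first call returns False: the explicit Deny matched through Cyberdark Gurus and the Novices group wins over John Doe's explicit Allow. The second and third calls return True. A tool that merely searches ACLs for an Allow granted to John Doe reports him as a Shadow Admin in all three cases, and is wrong in the first.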




The Only Correct Way

The only correct way to find out who actually has what access, including privileged access, in Active Directory is to accurately determine effective permissions in Active Directory. There is NO other way to accurately make this determination. Period.

In fact, Active Directory Effective Permissions are paramount to cyber security because they determine exactly who can do what on any and every object in Active Directory, from the CEO's domain user account to the Domain Admins domain security group!

It is for this simple reason that an organization that does not possess the ability to accurately identify effective permissions in Active Directory could not possibly adequately secure and defend its foundational Active Directory deployment.




Lets See a Demo -

Let us see this in action. In order to keep this very simple, we've used the same domain name for our test Active Directory so that everyone can follow this as an assumed continuation of the examples shared in CyberArk's post.


The Setup

We begin by installing a brand-new Active Directory domain, so it only has default administrative groups and default ACLing.


For our demo, to begin with, we'll create only five objects -
  1. An OU named Demo, to store our demo accounts and groups
  2. A regular domain user account named James
  3. A regular domain user account named Emily
  4. A regular domain security group named Cyberdark Gurus
  5. A regular domain security group named Active Directory Security Novices

That's it. We do not need to create any other objects right now as we're trying to keep this super simple.

Note: Please note that each of these two domain user accounts and two domain security groups is a regular account or group, i.e. none of them is a member of any default Active Directory administrative group.


The only other thing we will do is make the Cyberdark Gurus group a member of the Active Directory Security Novices group -


Thus, as you can see above, the Cyberdark Gurus group is now a member of the Active Directory Security Novices group.
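For anyone replicating this setup without ADUC, the following PowerShell is an added illustration (not part of the original post) that creates the same five objects with the ActiveDirectory module and then asks the domain controller for the nested membership that the ADUC Member Of tab does not reveal. Object names are the post's; the domain, the OU path and the helper Get-TransitiveGroupMembership are assumptions for the lab.

```powershell
# Added illustration (not from the post): the demo objects created with the
# ActiveDirectory module, plus a server-side query that exposes the nesting.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$demoOU   = "OU=Demo,$domainDN"

New-ADOrganizationalUnit -Name 'Demo' -Path $domainDN

# Two ordinary user accounts; neither is added to any default administrative group.
foreach ($name in 'James', 'Emily') {
    New-ADUser -Name $name -SamAccountName $name -Path $demoOU -Enabled $true `
               -AccountPassword (Read-Host -AsSecureString "Initial password for $name")
}

# Two ordinary global security groups, one nested in the other.
New-ADGroup -Name 'Cyberdark Gurus' -GroupScope Global -GroupCategory Security -Path $demoOU
New-ADGroup -Name 'Active Directory Security Novices' -GroupScope Global -GroupCategory Security -Path $demoOU
Add-ADGroupMember -Identity 'Active Directory Security Novices' -Members 'Cyberdark Gurus'

function Get-TransitiveGroupMembership {
    # All groups a principal belongs to, directly or through any depth of nesting.
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the domain
    # controller walk the chain, so circular nesting is handled server-side.
    # Assumes the DN contains no characters that need LDAP filter escaping.
    param([string]$SamAccountName)
    $dn = (Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)").DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name
}

Get-TransitiveGroupMembership 'Cyberdark Gurus'
```

The final call returns Active Directory Security Novices. Once James is added to Cyberdark Gurus in Demo #1, Get-TransitiveGroupMembership 'James' returns both groups, which is the membership an ACL viewer looking at the Domain Admins group never shows, and which is exactly what makes the explicit Deny apply to him.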



Demo #1

To begin, we make James a member of the Cyberdark Gurus domain security group -


Next, we will modify the (up until now) default ACL on the Domain Admins security group, and specify the following two explicit permissions -
  1. { Deny Active Directory Security Novices Special* }
  2. { Allow James Write-Property Member}
Special*: Modify Owner, Modify Permissions, Delete, Delete Tree, All Extended Rights, All Validated Writes AND Write All Properties. (We could've easily just denied Write-All Properties and that would have been sufficient.)

Here is the resulting ACL on the Domain Admins security group -



Since we're unable to view the Special permissions in ADUC, we can launch this tool to view the ACL more clearly -



As seen above, we can now clearly see the two permissions we just added (see Rows #1 and #2).

Now, as we can see there is clearly a permission allowing James Write-Property member on the Domain Admins group, so does this mean that he is a "Shadow Admin" who can change the Domain Admin group's membership?


To see what CyberArk's ACLight tool determines, let's run it and examine its findings/results -



ACLight has finished its analysis, so let us view its results -


Per ACLight, James is a "Shadow Admin" because the tool seems to have determined that James can modify the membership of the Domain Admins group, as there is an Allow permission granted to him directly in the ACL of the Domain Admins group.

To verify this finding perhaps we should login as James and try to modify the membership of the Domain Admins security group, and see if we are able to succeed in doing so -



As you can see above, the Add and Remove buttons are disabled, which is because ADUC has determined that James does not in fact have sufficient access so as to be able to do so!

Hmm... does this mean that ACLight's findings are inaccurate? Is there even a way to verify this?


Well, let's launch the world's only accurate Active Directory Effective Permissions Calculator, and see what it reveals -


According to this tool, James is NOT on the list of individuals who have sufficient Write-Property Member effective permissions on the Domain Admins security group, and since he is not on the list, according to this tool's findings, he cannot in fact change the membership of the Domain Admins security group, and thus he is NOT a "Shadow Admin"!

In other words, CyberArk's ACLight tool is delivering inaccurate results, because as we have experimentally verified as well, James was NOT in fact able to modify the Domain Admins group membership!

To conclude Demo #1, let us examine why he was not able to do so.

Let us take a closer look at the ACL of the Domain Admins group -


As we can see, the explicit Deny Write All Properties permission specified for Active Directory Security Novices will override the explicit Allow Write-Property Member permission specified for James, BECAUSE James is a member of the Cyberdark Gurus group, which in turn is a member of the Active Directory Security Novices group (which is something not readily apparent here!)

Now, in case you're a CISO or someone who may not know as much about Active Directory effective permissions, you can still make this determination most easily by using the second tool on this page -


As you can see, this tool makes this determination and provides its output in plain English, completely obviating the need for you to know any Active Directory security technical details.

Thus, we just saw and verified that indeed the ACLight tool is NOT delivering accurate results!

Before moving on to the second demo, you'll want to undo these two ACL changes to continue to keep it simple.




Demo #2

For our second demo, we'll create a new domain user account called SysAdmin in the Users container, and then we will add it to the default Builtin Admins (i.e. Administrators) group so that it is now a privileged user account -


Now that we have an additional privileged user account to experiment on, let's proceed with demo #2.

To begin, we make Emily a member of the Cyberdark Gurus domain security group -



Next, we will modify the (up until now) default ACL on the SysAdmin privileged domain user account, and specify the following two explicit permissions -
  1. { Deny Active Directory Security Novices All Extended Rights }
  2. { Allow Emily Extended Right Reset Password}
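The two sets of explicit ACEs above (Demo #1 on the Domain Admins group, and this one on the SysAdmin account) can be written and verified without ADUC. The following PowerShell is an added illustration (not part of the original post, and not CyberArk's or Paramount Defenses' code): it assumes the Demo objects already exist, and the helpers Add-ExplicitAce and Test-AsUser are constructed here. The two GUIDs are the well-known schemaIDGUID of the member attribute and the rightsGuid of the Reset Password control access right.

```powershell
# Added illustration (not from the post): the explicit ACEs for Demo #1 and
# Demo #2 written with the ActiveDirectory module, then the same verification the
# post performs in ADUC, run with the ordinary users' credentials.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Well-known GUIDs: the 'member' attribute and the Reset Password
# (User-Force-Change-Password) control access right.
$MemberAttribute    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Add-ExplicitAce {
    param(
        [string]$ObjectDN,
        [string]$Trustee,      # sAMAccountName of the user or group
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type,
        [guid]$ObjectType = [guid]::Empty   # Empty = every property / every extended right
    )
    $sid = (Get-ADObject -LDAPFilter "(sAMAccountName=$Trustee)" -Properties objectSid).objectSid
    # The fourth argument scopes the ACE to one attribute or control access right.
    # No inheritance flags are set, so the ACE is explicit on this object only.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $Type, $ObjectType)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# ---- Demo #1: James vs. the Domain Admins group ---------------------------
Add-ADGroupMember -Identity 'Cyberdark Gurus' -Members 'James'
$domainAdminsDN = (Get-ADGroup 'Domain Admins').DistinguishedName

# The post's "Special" deny: Modify Owner, Modify Permissions, Delete, Delete Tree,
# All Extended Rights, All Validated Writes and Write All Properties.
Add-ExplicitAce $domainAdminsDN 'Active Directory Security Novices' `
    'WriteOwner, WriteDacl, Delete, DeleteTree, ExtendedRight, Self, WriteProperty' Deny
Add-ExplicitAce $domainAdminsDN 'James' WriteProperty Allow $MemberAttribute

# ---- Demo #2: Emily vs. the SysAdmin account ------------------------------
New-ADUser -Name 'SysAdmin' -SamAccountName 'SysAdmin' -Path "CN=Users,$domainDN" -Enabled $true `
           -AccountPassword (Read-Host -AsSecureString 'Initial password for SysAdmin')
Add-ADGroupMember -Identity 'Administrators' -Members 'SysAdmin'   # now a privileged account
Add-ADGroupMember -Identity 'Cyberdark Gurus' -Members 'Emily'
$sysAdminDN = (Get-ADUser 'SysAdmin').DistinguishedName

Add-ExplicitAce $sysAdminDN 'Active Directory Security Novices' ExtendedRight Deny
Add-ExplicitAce $sysAdminDN 'Emily' ExtendedRight Allow $ResetPasswordRight

# ---- Verification: attempt each operation as the ordinary user ------------
function Test-AsUser {
    param([string]$User, [scriptblock]$Action)
    $cred = Get-Credential -UserName "$env:USERDOMAIN\$User" -Message "Password for $User"
    try   { & $Action $cred; "$User succeeded: the Allow was effective" }
    catch { "$User was denied: $($_.Exception.Message)" }
}
Test-AsUser 'James' { param($c) Add-ADGroupMember -Identity 'Domain Admins' -Members 'Emily' -Credential $c }
Test-AsUser 'Emily' { param($c) Set-ADAccountPassword -Identity 'SysAdmin' -Reset `
                          -NewPassword (Read-Host -AsSecureString 'New SysAdmin password') -Credential $c }
```

Both verification calls report a denial, as in the post. Two practical caveats when replicating this: Domain Admins is protected by AdminSDHolder, and SysAdmin becomes protected the moment it joins Administrators, so the SDProp process will overwrite these explicit ACEs from the AdminSDHolder template on its next run (every 60 minutes by default); run the verification promptly, or reapply the ACEs. And the script leaves the Demo #1 ACEs in place, whereas the post undoes them before Demo #2; since the two demos target different objects, this does not change either result.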

Here is the resulting ACL on the SysAdmin privileged user account -



Again, to see these permissions most clearly, let us view this object's ACL using this tool -



As seen above, we can now clearly see the two permissions we just added (see Rows #1 and #2).

Now, as we can see, there is clearly a permission allowing Emily the Reset Password extended right on the SysAdmin account, so does this mean that she is a "Shadow Admin" who can reset the SysAdmin privileged user account's password?


To see what CyberArk's ACLight tool determines, let's run it and examine its findings/results -



ACLight has finished its analysis, so let us view its results -


Per ACLight, Emily is a "Shadow Admin" because the tool seems to have determined that Emily can reset the password of the SysAdmin user account, as there is an Allow permission granted to her directly in the ACL of the SysAdmin account.


To verify this finding perhaps we should login as Emily and try to reset the password of the SysAdmins privileged user account, and see if we are able to succeed in doing so -



As you can see above, Emily is unable to reset the password of the SysAdmins privileged user account and ADUC has displayed the message "Windows cannot complete the password change for SysAdmin because: Access is Denied." In other words Emily does not in fact have sufficient access so as to be able to do so!

Hmm... does this mean that ACLight's findings are inaccurate?

Let's launch the world's only accurate Active Directory Effective Permissions Calculator, and see what it reveals -


According to this tool, Emily is NOT on the list of individuals who have the Reset Password extended right effectively allowed on the SysAdmin domain user account, and since she is not on the list, according to this tool's findings, she cannot in fact reset the SysAdmin privileged user account's password, and thus she too is NOT a "Shadow Admin"!

In other words, CyberArk's ACLight tool appears to have yet again delivered inaccurate results, because as we have experimentally verified as well, Emily was NOT in fact able to reset the SysAdmin privileged account's password!

To conclude Demo #2, let us examine why she was not able to do so.

Let us take a closer look at the ACL of the SysAdmin privileged user account -



As we can see, the explicit Deny All Extended Rights permission specified for Active Directory Security Novices will override the explicit Allow Reset Password Extended Right permission specified for Emily, BECAUSE Emily is a member of the Cyberdark Gurus group, which in turn is a member of the Active Directory Security Novices group (which too isn't apparent here!)

Now, in case you're a CISO or someone who may not know as much about Active Directory effective permissions, you can still make this determination most easily by using the second tool on this page -


As you can see, this tool makes this determination and provides its output in plain English, completely obviating the need for you to know any Active Directory security technical details.

Thus, we just saw and verified twice that indeed the ACLight tool is NOT delivering accurate results!




Domain-wide Assessment

Now, some of you may find yourself pointing out that the tools we used above only seem to be able to determine effective permissions/access on a per object basis. That is in fact right, and yet they are the only tools on the planet that can accurately determine effective permissions and effective access in Active Directory.

However, there is hope. Organizations can in fact make these determinations domain-wide today by using the following tool, which is the world's only accurate Active Directory Administrative Access / Delegation Audit Tool - 


This tool can make these determinations domain-wide, i.e. on thousands of objects in an Active Directory domain, in a single assessment, at the touch of a single button, and usually within minutes!

Perhaps, if we were Active Directory novices, we might have called it an Active Directory Shadow Admin Discovery/Audit Tool, but since we're experts, we know that what are being referred to as "Shadow Admins", "Stealthy Admins" etc. are merely "Delegated Admins" in Active Directory, hence the name of this tool, i.e. Active Directory Access and Delegation Audit Tool.

In fact this tool above can do in minutes what a thousand Active Directory security experts put together couldn't accomplish in a year, and do so in real (complex) Active Directory environments comprised of thousands of objects, accounts and groups.

Finally to anyone or any organization who may be inspired to make such a tool, by all means, please go ahead and try it. It took us six years of highly disciplined laser-focused Research and Development to build our tooling, and we know a thing or two about Active Directory Security. Should you like some guidance, you may want to read our 120-page patent on how to do so.

That wraps up the Demo.

Note: These two demos above were purposely kept super simple so that anyone (including CyberArk's experts) could replicate these exact steps in any new Active Directory domain and verify that what we have demo'ed above is accurate.




Complexity

Now, if these examples look so simple, that's because they were intended to look simple for illustrative purposes.

In reality, the challenge is exponentially harder. Consider a typical Active Directory deployment -
  1. there could easily be well over a hundred ACEs in the ACL of each Active Directory object,
  2. there could be thousands of domain security groups to which users could belong,
  3. many of these domain security groups could be nested in other domain security groups, and some could be circularly nested,
  4. a substantial amount of administrative delegation and/or access provisioning could have been done in Active Directory,
  5. there could easily be thousands of objects in an Active Directory domain, and
  6. there could be numerous domains in an Active Directory forest.

Any tool designed to accurately identify such "Shadow Admin" accounts would have to be able to accurately determine effective permissions on every single one of thousands of objects in Active Directory, in light of the complexity that I've just shared above.

Based on my assessment, not only does CyberArk's ACLight not evaluate effective permissions in Active Directory, it is light years away from being able to do what I've just described above. The same is true of every other tool you may have heard of out there, including BloodHound, or any PowerShell script anyone could ever write, or anything available from Microsoft.

There is only ONE tool that I know of that can accomplish this monumental feat - its this one, and I know so because I built it.



Summary

Folks, in closing, Privileged Account Security is paramount to organizational cyber security, and please don't just take my word for it, for here's CyberArk communicating in effect the same fact -
"Privileged accounts represent the largest security vulnerability an organization faces today. These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data."
As I've said above, CyberArk is 100% right. The compromise of even just 1 (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over your entire network and empower them to swiftly take over everything.

In fact, 100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.


CyberArk is also 100% right that in most Active Directory deployments worldwide, today there likely exist a dangerously and excessively large number of such "Shadow Admin" accounts, that for all practical reasons possess the same level of privileged access as do members of default Active Directory administrative / privileged access groups, yet because they're not members of any default Active Directory privileged access groups, these accounts are in fact very difficult to accurately identify.

Consequently, their presence may possibly pose a FAR greater risk to organizational cyber security, which is why it is so very important for organizations to be able to accurately discover/identify all such accounts, i.e. each and every single one of them.

In this blog post, I wanted to show you why CyberArk's well-intentioned guidance and tooling are in fact inaccurate, as well as show you why we need to be able to accurately determine Active Directory Effective Permissions / Active Directory Effective Access to correctly discover all such "Shadow Admin" accounts in Active Directory.

I hope you've found this to be helpful, and I wish you all, including CyberArk, all the very best.

Best wishes,
Sanjay


PS: Recommended Technical Reading -
  1. Active Directory Privileged Access Insight
  2. Active Directory Effective Permissions
  3. Defending Active Directory Against CyberAttacks (Slide 88 alludes to CyberArk)
  4. The Impact of Compromise of Shadow Admin Accounts in Active Directory
  5. How to Audit Who Can Change Group Memberships in Active Directory?
  6. How to Audit Who Can Delete an Organizational Unit in Active Directory?
  7. How to Audit Who can Create User Accounts in Active Directory?
  8. How to Audit Who can Reset Domain User Accounts Passwords in Active Directory?
  9. How to Correctly Audit/Identify/Discover Privileged Accounts in Active Directory
  10. Active Directory Access Control Lists (ACLs) - Real Attack and Defense 

Monday, October 9, 2017

Some Love For Microsoft + Time to Help Microsoft (and the Entire World)


Folks,

This is a Trillion $ post. I wanted to show some love for Microsoft and help them out, as it appears they could use some help.

BTW, for those wondering who I am to make such a statement, I'm a nobody who knows a thing about a thing that impacts WD.




Trillion $ Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


Active Directory is the Foundation of Cyber Security Worldwide

The compromise of an organization's foundational Active Directory deployment could have disastrous consequences for the organization and its stakeholders, and the real extent of damage would be a function of the perpetrators' proficiency and intent.

If you understand the inner workings of Active Directory based networks, then you know that the amount of damage that we've seen in recent breaches such as the Equifax breach, is nothing, compared to the amount of damage that can actually be done.



Thus far, perpetrators have been focused on simple attack vectors such as credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins), and over time Microsoft has made their enactment much harder.

As these attack vectors become harder to enact, perpetrators have started focusing on increasing their knowledge about Active Directory, and exploring ways to try and target and compromise Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

Today Active Directory security, and in particular Active Directory access control lists (ACLs) impact organizational security and national security, worldwide. Speaking of which, and just so the world knows, here is Microsoft's take on them, and here is ours.

Perpetrators seem to be learning fast, and building rapidly, so the next big wave of cyber breaches could involve compromise of Active Directory deployments, unless organizations act swiftly to lock-down their foundational Active Directory deployments.

To do so, organizations worldwide need the right insight, guidance and tooling to adequately lock-down their Active Directory deployments. Unfortunately, Microsoft doesn't seem to know much about it (proof: 1, 2, 34), and thus may be unable to help.




Some Love for Microsoft

Today I may be the CEO of Paramount Defenses, but I'm also former Microsoft Program Manager for Active Directory Security, and I for one deeply love Microsoft, and deeply care about the foundational cyber security of all organizations worldwide, so I'm going to help Microsoft and the entire world adequately secure and defend their foundational Active Directory deployments.


To Satya (Nadella) and my former colleagues at Microsoft I say - "Microsoft is one of the greatest companies in the world today, and we care deeply and passionately about not only the role we play in society and the impact we have on billions of people, but also the responsibility that goes along, so we're* going to help the world address this colossal cyber security challenge."

* I may no longer be a Microsoft employee, but I still do care deeply and equally, so I'm happy to help you.
  If I were you, I'd most respectfully embrace this opportunity, be thankful for it, and not squander it.

To my friends at Microsoft, if I may have recently been a tad critical of you, it's only because I care deeply about our customers, and I know that Microsoft can do much better at educating its global customer base about a matter of paramount importance.





Er, What Cyber Security Challenge?

Now, there might be billions of people and thousands of organizations worldwide who may have absolutely no idea about what I'm talking about, so perhaps I should succinctly and unequivocally spell it out not just for the entire world, but also for Microsoft.


Stated simply, and as described in The Paramount Brief, here's the #1 cyber security challenge that impacts the world today -


"From Silicon Valley to New York and London to Sydney, at the very foundation of cyber security and IT of 85+% of all business and government organizations across 190+ countries worldwide lies Microsoft's Active Directory.
Within the foundational Active Directory domains of these organizations lies the entirety of the building blocks of their cyber security, i.e. their user accounts, computer accounts, security groups, security policies etc., each one of which is represented by an Active Directory object and protected by an Active Directory Access Control List (ACL).
Today, in most of these organizations, there exist millions of ACLs in their Active Directory, and within these ACLs exists an ocean of excessive/unauthorized access, that today paves thousands of privilege escalation paths to literally the entirety of all objects in these Active Directory deployments, including to all their privileged users.
This ocean of unauthorized access exists worldwide today because Active Directory lacks and has always lacked the essential ability to help organizations correctly and adequately audit effective access in Active Directory, and consequently even though organizations have been delegating/provisioning all kinds of access in Active Directory to fulfill various business needs, they've never had the opportunity to correctly audit this ocean of access, resulting in a situation caused over time (i.e. over the years) wherein today unauthorized access pervades Active Directory.
In short, today, at most organizations, no one knows exactly who has what access on any of their building blocks of security, and possibly an excessive number of users, computers and service accounts may have substantial unauthorized access on them, and thus be in a position to easily and instantly compromise their security.

  • A Trillion $ Note: Most organizations (and perpetrators, as well as the Bloodhound Tool) audit "Who has what permissions in Active Directory?" Unfortunately, that does not provide the accurate picture. What they need to audit is "Who has what effective permissions/access in Active Directory?" Sadly, Microsoft has NEVER provided this guidance in an entire decade, so no one even seems to know this.

Anyone who possesses the tooling to correctly analyze effective access in Active Directory could instantly identify, and either eliminate or exploit, all such unauthorized access grants and the 1000s of privilege escalation paths they pave, and thus be in a position to either formidably defend or completely compromise these organizations.
The potential impact of this huge cyber security challenge is best illustrated by these 7 examples. It's that simple."


As simple as it is, not a single one* of the 1000+ cyber security companies that exist today has a solution for this challenge.


Let there be no mistake about this - a proficient intruder who possesses tooling that lets him/her correctly analyze effective permissions/access in Active Directory could easily find hundreds, if not thousands, of unauthorized access grants in most Active Directory domains, and exploit them to compromise and obtain complete command and control over the organization.


If you find this hard to believe, you don't have to take my word for it, as here is Microsoft finally acknowledging it, and doing their best to downplay it. By the way, if they truly understood the depth of this problem, what they should've actually said is here.

Unfortunately, perpetrators can develop their own tooling and they don't even have to be 100% accurate (e.g. Bloodhound.)

Fortunately, organizations that possess the right tooling (e.g. 1, 2) can reliably mitigate all such security risks to Active Directory, from Mimikatz DCSync to Active Directory Privilege Escalation and from Sneaky Persistence to Active Directory Botnets, before perpetrators have the opportunity to exploit them, leaving no unauthorized access in Active Directory for perpetrators to exploit.





Time to Help Microsoft (and the Entire World)

Over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.


Of course, today we can also uniquely empower organizations worldwide to adequately secure and defend their foundational Active Directory deployments, and we are happy to help organizations that request our help, but we are not going to go to anyone explicitly offering our help, because we're not your ordinary company.


So, in days to come, we'll begin by educating the world about the following -


  1. What Constitutes a Privileged User in Active Directory

  2. How to Correctly Audit Privileged Users/Access in Active Directory

  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

  6. Why the World's Top Active Directory Permissions Analysis Tools Are Mostly Useless

  7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

  8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory

  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can actually be easily accomplished today, but in order to do so, what is required is the ability to accurately and adequately audit effective access in Active Directory.

Each one of these topics is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual/company) on the planet that can help the world address each one of these objectives today, let me know.

So, within the next 7 days, as a part of this, I'll start penning the above, and you'll be able to read them right here.




In Summary

If you truly understand Active Directory Security, then you know that literally the entire world's wealth is being protected by it, and thus we simply cannot afford to have organizations' foundational Active Directory deployments breached.


Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation


PS: To anyone who believes they know more about Active Directory Security than us, or can help the world more than we can, go ahead and demonstrate that you can - this is your opportunity. If you can, let's see it. If you can't, you'll want to listen to us.

PS2: If you liked this post, you may also like the 20+ posts that are a part of - Helping Microsoft with Active Directory Security.

Wednesday, September 27, 2017

Active Directory Access Control Lists (ACLs) - "Actual" Attack and Defense

Folks,

This post impacts the cyber security of every foundational Active Directory deployment in the world, so you may want to read it.


Active Directory Access Control Lists (ACLs)

Active Directory is the foundation of cyber security worldwide because it enables distributed security in Windows environments and it stores, protects and enables the administration of the entirety of an organization's building blocks of cyber security.

In essence, literally from the entirety of the user accounts of an organization's workforce (including those of all privileged users), to the entirety of computer accounts that represent the organization's computers, and from the entirety of the domain security groups that protect the entirety of an organization's IT resources to the entirety of an organization's security policies (GPOs), at thousands of organizations worldwide, all building blocks of cyber security are stored, secured and managed in Active Directory.

Guess what protects each & every one of these building blocks of cyber security i.e. these Active Directory objects, worldwide?

It is Active Directory Access Control Lists (ACLs) -


An Active Directory Access Control List (ACL) protecting an Active Directory Object

Specifically, it is the ACL of an Active Directory object in which the organization's access intent for that object is specified (whether it be the CEO's user account or the Domain Admins group,) and it is this intent that is enforced by the "System."

In fact, today, billions of Active Directory ACLs that exist in Active Directory deployments worldwide, together serve to secure and defend the very building blocks of organizational cyber security at thousands of business and government organizations.

In short, not only do Active Directory ACLs today help protect trillions of dollars of wealth worldwide, they play a paramount role in securing and defending most business and government organizations, and thus they impact business and national security.

(By the way, if you want to get a complete look at an Active Directory object's ACL, here's likely the most capable tool to do so.)





Attack and Defense - Microsoft's Version

On September 18, 2017, i.e. about one week ago, Microsoft shared its thoughts on this subject in a blog post titled -



If you haven't read it, I highly recommend that you read it, NOT because you'll learn anything at all, but only because it reveals volumes about just how little Microsoft may actually seem to know about Active Directory Security, ACLs, attacks and defense.


Attack

If you listen to what today's Microsoft has to say, they'll downplay the exploitation of Active Directory ACLs as an attack vector, suggest that recently there's been some attention given to Active Directory ACLs by amateurs, indirectly concede that it may be possible to exploit weaknesses in Active Directory ACLs, tell you about AdminSDHolder to claim that this couldn't likely be used to escalate privilege to privileged users, reticently agree that it might be possible to find ways to compromise non-privileged users/objects in Active Directory and end by saying - "If you find a path with no obstacles, it probably leads somewhere!"


Defense

In regards to defense, the best today's Microsoft can do is tell you that their latest toy, Microsoft Advanced Threat Analytics (ATA), can detect recon methods used by newbie tooling like Bloodhound (which incidentally is massively inaccurate.)


Folks, what today's Microsoft is telling you about attack and defense, sounds like Baloney.


Sadly, I don't think they're doing it intentionally though; it may very well be that they either have no one from the old guard working on this, and/or the new guard truly has no idea about any of this, both of which are really scary scenarios!








The Actual Attack and Defense

Folks, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security.


Further, you also know that today not only does there lie an ocean of access privileges specified within Active Directory ACLs at almost every organization worldwide, but also, because Active Directory lacks the ability to adequately help organizations find out who actually has what access in Active Directory, for so many years most organizations have been operating in the dark, and today there likely exist thousands of privilege escalation paths leading to all kinds of privileges, including to privileged users.

By the way, it is now seventeen (17) years since Active Directory has been around, and even though this attack surface has existed since then, it is only now that a few enthusiasts are starting to realize what a gold-mine of information Active Directory is, and just how many privilege escalation paths one could find to just about everything in Active Directory. In fact, some of these enthusiasts may have gotten a little too excited and even released some infantile tooling, which I believe goes by the name Bloodhound, and lo and behold it is one of the hottest pen-test tools today, even though it is massively inaccurate!




Attack

Speaking of attack, the exploitation of excessive/unauthorized access specified in Active Directory ACLs, as illustrated here, summarized here, described here and a realistic example of which is shown here, is a very real and serious possibility today.


That's because in most Active Directory deployments worldwide, today there likely exist thousands of privilege escalation paths in Active Directory ACLs, just waiting to be found (and exploited (by the bad guys), or eliminated (by the good guys)) by anyone who has the skills or the tooling required to accurately perform effective permissions analysis in Active Directory deployments.


To illustrate how serious this is, here are 7 specific examples of Attack that involve the exploitation of Active Directory ACLs -
  1. The complete compromise of an organization's entire workforce's credentials by an unauthorized individual, such as an intruder or a rogue insider, enacted with the hacking tool Mimikatz DCSync, which requests and retrieves the secrets (password hashes) of the entirety of an organization's domain user accounts exactly as a replicating domain controller would, is possible (and can only be made possible) if that unauthorized individual has sufficient DS-Replication-Get-Changes and DS-Replication-Get-Changes-All effective permissions (both extended rights are required) in the Active Directory ACL of the target Active Directory domain's domain root object.

  2. The complete compromise of an organization's Active Directory privileged domain user accounts and security groups, such as the Administrator account, the Domain Admins group etc., involving an unauthorized password reset and/or a group membership change etc., is possible if that unauthorized individual has sufficient Write-Property (member or blanket) effective permissions or Reset-Password Extended Right effective permissions in the Active Directory ACL of the target Active Directory domain's unique AdminSDHolder object, because the Security Descriptor Propagator (SDProp) periodically (by default every 60 minutes) stamps the AdminSDHolder ACL onto every protected account and group.

    An Important Note: AdminSDHolder protection only protects the members of those default Active Directory administrative groups that it is intended to cover, and it does so transitively.

    However, if any security principals other than those that fall under the AdminSDHolder protection were to be granted any kind of access in the AdminSDHolder object's ACL, then those security principals would NOT be protected by AdminSDHolder protection, and THAT opens up the possibility of there existing privilege escalation paths from non-privileged users to privileged users protected by AdminSDHolder.

    Many organizations do modify the default AdminSDHolder object's ACL for various reasons, such as to implement their own custom delegations, configure or lockdown access to privileged users etc.

  3. The complete compromise of the majority of an organization's Active Directory content, i.e. all of their domain user accounts, computer accounts, domain security groups, containers, OUs, service connection points etc. whose Active Directory ACL is not marked Protected (i.e. whose inheritance is not blocked), by an unauthorized individual, is possible if that unauthorized individual has sufficient Modify Permissions (Write-DACL) effective permissions in the Active Directory ACL of any large or top-level Organizational Unit (OU), or on the domain root, because it would allow the unauthorized individual to make a single malicious change, i.e. add one inheritable ACE, and leverage permission inheritance to obtain full control over the entirety* of all objects whose Active Directory ACLs will end up inheriting that malicious ACL change.

  4. A massive (even if temporary, i.e. ranging from a few hours to a few days) denial-of-service (DoS) attack on virtually an organization's entire IT infrastructure, their entire workforce and their ability to do business, made possible by something as simple as the deletion of a top-level Organizational Unit (OU) by an unauthorized individual, is possible if that unauthorized individual has sufficient Delete* (details) effective permissions in the Active Directory ACL of that OU, i.e. Delete Subtree on the OU, or Delete on the OU together with the ability to delete each of its children.

  5. The identity theft and thus compromise of organizational users, involving a password reset of their domain user accounts by an unauthorized individual, is possible if that unauthorized individual has sufficient Reset-Password Extended Right effective permissions in the Active Directory ACL of the victim's Active Directory domain user account. This could also be used to, in effect, escalate privilege in Active Directory, and there could possibly exist privilege escalation paths leading from a non-privileged user to highly privileged users, in effect also providing a perpetrator system-wide command and control over an organization's IT infrastructure.

    An Important Note: Organizations that may have various kinds of multi-factor authentication (MFA) in place, such as Smartcards for domain user accounts, should note that if an unauthorized individual has sufficient Write-Property (either blanket, or for the appropriate attribute; for Smartcards that is userAccountControl, which holds the SMARTCARD_REQUIRED flag) effective permissions on a user's domain account, then he/she could easily turn MFA off on the account, in which case the account's security will fall back to being password based (i.e. a system-generated random password), and a password reset (assuming the perpetrator also has sufficient effective permissions to do so) would then allow the unauthorized individual to effortlessly steal its identity, i.e. effectively take over that account.

  6. A critical denial-of-service (DoS) attack aimed at disrupting one or more possibly mission-critical applications, such as Microsoft Exchange, Centrify Server Suite, Microsoft Rights Management Server, Microsoft Group Policy, Microsoft Terminal Server, Microsoft Azure, Quest Active Roles Server, Quest Change Auditor, Quest InTrust, Quest Privileged Password Manager, BeyondTrust PowerBroker for Windows, Citrix XenApp and XenDesktop, IBM DB2, to name a few, that rely on the use of Service Connection Points in Active Directory, by an unauthorized individual, is possible if that unauthorized individual has sufficient Write-Property (keywords or blanket) effective permissions in the Active Directory ACL of one or more of the Service Connection Points of that specific mission-critical application.

  7. A massive cyber security breach in which an unauthorized individual, such as an intruder, a disgruntled or rogue insider, an APT, a compromised delegated admin/service account etc., is able to obtain access to and leak/divulge, exfiltrate, tamper or destroy literally any (some, or all) organizational IT resource of his/her/their choice, such as a specific file, folder, database, server, application etc., or thousands thereof, is possible if that unauthorized individual simply has Write-Property (member or blanket) effective permissions in the Active Directory ACL of the specific domain security group (such as All Employees, Blueprint Access Group, Email Servers, Project Windham Group, etc.) in Active Directory that is currently gating access to that organizational IT resource, as this would allow that individual to add any domain account under his/her control to the membership of this domain security group and subsequently instantly and legitimately gain unrestricted access to the target organizational IT resource.

Note: In each case above, in lieu of the effective permissions mentioned above, it would alternatively be sufficient for the unauthorized individual to have Modify-Permissions (Write-DACL) or Modify-Owner (Write-Owner) effective permissions in the ACL of the involved target Active Directory objects, because an object's owner can always rewrite its DACL, and anyone who can rewrite the DACL can grant himself/herself any of the rights above.

I could give many more examples, but to the wise a hint is enough, and I've given you 7 concrete examples of just how much damage an unauthorized individual who possesses various levels of unauthorized access in Active Directory ACLs, could do.
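To make the permissions in the examples above concrete, here is an added example (it is not code from the original post or from Paramount Defenses) that reads an Active Directory object's DACL and classifies each ACE by the administrative task it enables: replication of secrets, password reset, group membership change, userAccountControl edits, deletion, and the Write-DACL/Write-Owner rights that make everything else reachable. The attribute and extended-right GUIDs are the fixed, forest-independent values from the AD schema. So that it runs offline (Windows PowerShell 5.1, or PowerShell 7 on Windows), the DACL is a constructed SDDL string with placeholder S-1-5-21-1000000000-2000000000-3000000000-* SIDs; the commented lines show how to point it at a live object instead.

```powershell
# Added example: classify the ACEs of an AD object's DACL by the administrative task each enables.
# Offline-runnable: the DACL below is constructed sample data, not a live object.
Add-Type -AssemblyName System.DirectoryServices
$R = [System.DirectoryServices.ActiveDirectoryRights]

# Fixed, forest-independent GUIDs (schemaIDGUID of attributes, rightsGuid of extended rights).
$G = @{
    Member             = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute: member
    UserAccountControl = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # attribute: userAccountControl (SMARTCARD_REQUIRED lives here)
    ResetPassword      = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: User-Force-Change-Password
    ReplGetChanges     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # extended right: DS-Replication-Get-Changes
    ReplGetChangesAll  = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # extended right: DS-Replication-Get-Changes-All
}

function Test-Flag { param($Rights, $Flag) return (($Rights -band $Flag) -ne 0) }

function Get-AdminTasksFromAce {
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $rights = $Ace.ActiveDirectoryRights
    $type   = $Ace.ObjectType                  # [guid]::Empty = applies to ALL properties / ALL extended rights
    $any    = ($type -eq [guid]::Empty)
    $tasks  = New-Object System.Collections.Generic.List[string]
    # Caveat: ACEs may carry a property-SET GUID (which also covers member) and an InheritedObjectType
    # class filter; neither is resolved here, and neither are deny ACEs or group nesting. This lists
    # what an ACE grants, not who effectively ends up with it.
    if (($rights -band $R::GenericAll) -eq $R::GenericAll) { $tasks.Add('Full control (every task below)'); return $tasks }
    if (Test-Flag $rights ($R::WriteDacl))  { $tasks.Add('Modify permissions: can grant itself any right below (inheritable when on an OU)') }
    if (Test-Flag $rights ($R::WriteOwner)) { $tasks.Add('Take ownership: an owner can rewrite the DACL') }
    if ((Test-Flag $rights ($R::Delete)) -or (Test-Flag $rights ($R::DeleteTree))) {
        $tasks.Add('Delete the object or its subtree (DoS when the object is an OU)')
    }
    if (Test-Flag $rights ($R::ExtendedRight)) {
        if ($any -or $type -eq $G.ReplGetChangesAll -or $type -eq $G.ReplGetChanges) {
            $tasks.Add('Replicate secrets (DCSync on the domain root needs Get-Changes AND Get-Changes-All)')
        }
        if ($any -or $type -eq $G.ResetPassword) { $tasks.Add('Reset password (on AdminSDHolder: of every protected admin)') }
    }
    if (Test-Flag $rights ($R::WriteProperty)) {   # GenericWrite also sets the WriteProperty bit
        if ($any -or $type -eq $G.Member)             { $tasks.Add('Change group membership (on AdminSDHolder: of every protected group)') }
        if ($any -or $type -eq $G.UserAccountControl) { $tasks.Add('Edit userAccountControl, e.g. clear SMARTCARD_REQUIRED to fall back to a password') }
    }
    return $tasks
}

# Constructed DACL. BA = BUILTIN\Administrators, AU = Authenticated Users; the S-1-5-21-... SIDs are placeholders.
$aces = @(
    '(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1000000000-2000000000-3000000000-1105)'  # Get-Changes
    '(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1000000000-2000000000-3000000000-1105)'  # Get-Changes-All
    '(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-1000000000-2000000000-3000000000-1106)'  # WP member on child group objects
    '(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1000000000-2000000000-3000000000-1107)'  # Reset password
    '(A;;WDWO;;;S-1-5-21-1000000000-2000000000-3000000000-1108)'                                     # WriteDacl + WriteOwner
    '(A;;SDDT;;;S-1-5-21-1000000000-2000000000-3000000000-1109)'                                     # Delete + DeleteTree
    '(A;;RPLCLORC;;;AU)'                                                                           # read-only: yields no task
)
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm('O:BAG:BAD:AI' + ($aces -join ''))

# Live object instead (needs the RSAT ActiveDirectory module, which provides the AD: drive):
#   $acl = Get-Acl -Path "AD:\$((Get-ADDomain).DistinguishedName)"                              # domain root
#   $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"   # AdminSDHolder

$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
    $tasks = @(Get-AdminTasksFromAce -Ace $_)
    if ($tasks.Count -eq 0) { return }   # nothing of interest in this ACE
    $appliesTo = if ($_.InheritedObjectType -eq [guid]::Empty) { 'this object' } else { "child objects of class $($_.InheritedObjectType)" }
    [pscustomobject]@{
        Trustee   = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Inherited = $_.IsInherited
        AppliesTo = $appliesTo
        Tasks     = ($tasks -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

The read-only Authenticated Users ACE drops out, and each of the others lands on the task it enables. Note what the script deliberately does not do: it reports the trustee named in the ACE, which is usually a group, and it ignores deny ACEs; turning that into who actually holds the right is the effective-permissions problem discussed in the rest of this post.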

The reality is that literally anything and everything in Active Directory could be a target - The Active Directory Attack Surface


Now, that said, let's talk about Defense.





Defense

Take a deep breath of calm, because this risk can actually be easily, swiftly and completely eliminated by organizations.


The truth of the matter is that even though the serious cyber security risk posed by the potential exploitation of the vast number of excessive/unauthorized privilege access grants that are today specified in billions of Active Directory ACLs across thousands of Active Directory deployments, likely poses a clear and present danger to organizational cyber security worldwide, this risk can actually be easily, swiftly and completely eliminated by organizations, leaving no opportunity on the table for perpetrators.


How, you ask?  Keep reading...

A Small Digression
To understand how to mitigate this risk, we need to understand what caused this risk in the first place.


For years now, organizations have been leveraging Active Directory's precise administrative delegation / access provisioning capability to delegate/provision all kinds of access in Active Directory to fulfill business needs.  
While Active Directory makes it very easy to precisely delegate/provision access, unfortunately, it completely lacks the capability to help precisely assess/audit the actual resulting access that ends up getting implemented, and thus organizational IT personnel / AD admins have no way of being able to precisely a) verify the accuracy of their delegations or b) audit who actually has what access provisioned in Active Directory at any point in time.
Further, 3 factors contribute to exacerbating the situation -
  1. Active Directory's security model is quite rich and powerful, and thus complex, since it has almost a dozen generic security permissions and five dozen special security permissions (known as extended rights), and further, because mechanisms like inheritance of permissions involve and require precedence orders, applicability etc. all of this makes it difficult to determine the actual access implemented in Active Directory.

  2. A majority of all access specified in Active Directory is specified for security groups (as it should be), which, given the possibility of group nesting, often to multiple levels, further complicates not only who all might end up with all kinds of access, but also trying to find out who actually has what access, especially since the membership of any of these groups could be changed by so many others, anytime.

  3. Considering the above, the slightest change made in even one place in Active Directory, such as in the ACL of a top-level OU, or the membership of even a single mid-level nested domain security group, could easily end up changing the actual state of access in Active Directory quickly & in many cases substantially.

Consequently, though organizations have been delegating/provisioning access in Active Directory for years now, they have almost never had the means or the opportunity to be able to accurately audit the actual existing state of access in Active Directory, and in light of the above, considering that in most Active Directory domains there may thus far have been 1000s of changes made, there likely exists a vast amount of excessive / unauthorized access, and no one actually knows exactly who can do what in their Active Directory deployments.
End of Digression.
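The first two factors in the digression are easy to demonstrate. The following added example (it is not code from the original post or from Paramount Defenses) is a deliberately minimal effective-permission check: it expands a principal's transitive group memberships into the set of SIDs an access check would compare against, then walks the DACL in canonical order (explicit deny, explicit allow, inherited deny, inherited allow) and lets the first matching ACE decide. All principals, memberships and the DACL are constructed sample data with placeholder SIDs. It is a model, not the full Windows access check: it evaluates one right at a time, ignores property sets and InheritedObjectType class filters, and does not add the implicit rights an owner holds.

```powershell
# Added example: effective-permission check with group nesting and ACE precedence, on constructed data.
Add-Type -AssemblyName System.DirectoryServices
$R          = [System.DirectoryServices.ActiveDirectoryRights]
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute: member
$D          = 'S-1-5-21-1000000000-2000000000-3000000000'    # placeholder domain SID

# Direct membership only, as AD stores it in memberOf; nesting has to be expanded.
$MemberOf = @{
    "$D-1105" = @("$D-2001")             # Alice -> HelpDesk-Tier1
    "$D-1106" = @("$D-2002", "$D-2003")  # Bob   -> HelpDesk-Tier2, Contractors
    "$D-2001" = @("$D-2002")             # HelpDesk-Tier1 -> HelpDesk-Tier2 (nested)
}

function Get-TokenSids {
    # The SIDs an access check compares against: the principal, every group reached
    # transitively, and the well-known SIDs every authenticated domain principal carries.
    param([string]$Sid)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Sid)
    while ($queue.Count -gt 0) {
        $s = $queue.Dequeue()
        if (-not $seen.Add($s)) { continue }     # already expanded (also breaks membership cycles)
        foreach ($g in @($MemberOf[$s])) { if ($g) { $queue.Enqueue($g) } }
    }
    [void]$seen.Add('S-1-1-0')    # Everyone
    [void]$seen.Add('S-1-5-11')   # Authenticated Users
    return @($seen)
}

function Test-EffectiveRight {
    # Does $Sid effectively hold $Right on $Acl (narrowed to one property/extended right by $ObjectType), and why?
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty
    )
    $token = Get-TokenSids -Sid $Sid
    $scope = if ($ObjectType -eq [guid]::Empty) { "$Right" } else { "$Right on $ObjectType" }
    # Canonical DACL order decides: explicit deny, explicit allow, inherited deny, inherited allow.
    # Sorting guards against a non-canonical DACL written by a tool that bypassed ADUC/dsacls.
    $ordered = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Sort-Object @{ Expression = { $_.IsInherited } }, @{ Expression = { $_.AccessControlType -ne 'Deny' } }
    foreach ($ace in $ordered) {
        if ($token -notcontains $ace.IdentityReference.Value) { continue }   # not for any SID in the token
        if (($ace.ActiveDirectoryRights -band $Right) -eq 0) { continue }     # does not cover the requested right
        # An object-specific ACE covers only its own property/right; an empty GUID covers all of them.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }
        $via = if ($ace.IdentityReference.Value -eq $Sid) { 'directly' } else { "via group $($ace.IdentityReference.Value)" }
        return [pscustomobject]@{ Sid = $Sid; Right = $scope; Result = "$($ace.AccessControlType)"; Via = $via; InheritedAce = $ace.IsInherited }
    }
    return [pscustomobject]@{ Sid = $Sid; Right = $scope; Result = 'Not granted'; Via = '-'; InheritedAce = $null }
}

# Constructed DACL: the ACL names only two groups, neither of which is a user.
$aces = @(
    "(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;$D-2003)"      # explicit DENY: Contractors may not write member
    '(A;;RPLCLORC;;;AU)'                                          # explicit ALLOW: Authenticated Users, read only
    "(OA;CIID;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;$D-2002)"  # inherited ALLOW: HelpDesk-Tier2 may write member
)
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm('O:BAG:BAD:AI' + ($aces -join ''))

# Alice appears nowhere in the ACL but reaches HelpDesk-Tier2 through HelpDesk-Tier1;
# Bob is in HelpDesk-Tier2 too, but also in Contractors, whose explicit deny comes first.
"$D-1105", "$D-1106" | ForEach-Object {
    Test-EffectiveRight -Acl $acl -Sid $_ -Right ($R::WriteProperty) -ObjectType $MemberGuid
} | Format-Table -AutoSize
```

The two constructed cases are exactly the two ways a "who has what permissions" listing misleads: a user who holds a right without being named anywhere in the ACL, and a user who is named (through a group) yet does not hold it. Any domain-wide audit has to answer the question per principal, after expansion and precedence, not per ACE.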

The reason there exists vast amounts of excessive/unauthorized access in Active Directory is that organizations don't have the means to easily and correctly audit/assess who is actually i.e. effectively delegated/provisioned what access in Active Directory.

In order to be able to correctly do so, all that organizations need is the ability to be able to accurately, adequately and efficiently determine exactly who has what effective permissions/access in Active Directory, on a per-object basis, & ideally domain-wide.

By "adequately", I mean that given an Active Directory object, organizations should be able to easily determine a) the complete set of effective permissions provisioned on it, b) as well as the complete list of individuals that have these effective permissions, and c) HOW each one of these individuals is getting these effective permissions, as that data is needed to lock-down access.

Unfortunately, this capability does not seem to natively exist in Active Directory, so most organizations have just been performing basic Active Directory Permissions Audits, which are almost useless, and as a result, no one really knows exactly who can do what in Active Directory!

Over the years, this has resulted in a substantial amount of excessive/unauthorized access in Active Directory, which is best evidenced by the fact that even a tool as massively inaccurate as Bloodhound is able to find so many privilege escalation paths!


That said, here's Defense -

Conceptually, to defend against these attacks, all that organizations require is the ability to be able to accurately and adequately determine Active Directory Effective Permissions on their Active Directory objects, as this will give them a correct picture of who can actually do what on these objects, and show them how these users have such access today, and thus enable them to know exactly which security permissions to tweak in the ACLs of which Active Directory objects, and/or which group memberships to tweak, to lockdown any and all excessive / unauthorized access that is currently provisioned on their Active Directory objects.

Again, by "adequately", I mean that, given an Active Directory object, organizations should be able to determine a) the complete set of effective permissions provisioned on it, b) as well as the complete list of individuals that have these effective permissions, and c) HOW each one of these individuals is getting these effective permissions, as that data is needed to lock-down access.





A Simple 3-Step Defense Process

To defend against these attacks, this simple 3-step process is all that organizations need to perform -

  • Step 1 - Perform an Active Directory Effective Privileged Access Audit. This is a simple audit that involves the accurate determination of effective permissions/access in Active Directory, and it is the correct way to identify exactly who actually i.e. effectively has what access (anywhere and everywhere) in an Active Directory domain.

  • Step 2 - Analyze the results of this audit to identify all such users who currently possess any kind of access in Active Directory that they should NOT ideally be in possession of. Also identify where they currently possess such access.

  • Step 3 - For each such user identified in the analysis of Step 2, for each object on which they have such identified access, further analyze the results of this audit to additionally identify the HOW i.e. the underlying permissions in the ACL of the object that are entitling them to such effective access. Then, use this information to appropriately tweak the underlying ACL or the involved group membership to revoke all such identified excessive / unauthorized access.

In essence, in Step 1 we accurately determine object-specific/domain-wide effective permissions/access, in Step 2 we analyze these results to identify all "unauthorized access" and the underlying permissions in Active Directory ACLs that cause them, and in Step 3 we use this data to tweak these permissions in the ACLs (, or group memberships,) to lockdown Active Directory.

That's it!

For an illustrative step-by-step example that shows how to follow these steps on a specific Active Directory object, see section IX of this post.



A Simple Example

If I had more time at hand, I would've shown you exactly how to do so, domain-wide. Since I don't, I'll share a quick example.

Lets assume that your organization wants to ensure that no one can make an unauthorized group membership change to any of the thousands of domain security groups in your Active Directory that are being used to protect the entirety of your IT resources.


To do so, technically what you need to do is accurately determine effective permissions on every domain security group in your Active Directory to find out who has Write-Property Member effective permissions on each one of these domain security groups.

Now, this in itself might seem like a herculean undertaking, and it is, but with the involved tooling, you can easily get it done.

Once you've done so, you'll have the accurate technical data that shows you exactly who can change the group membership of each one of your domain security groups in Active Directory, and once you have this insight, you'll be able to identify exactly how many individuals can currently enact this task versus how many should ideally be able to do so, and thus you'll be able to easily identify all such individuals who are not supposed to be able to do so, but nonetheless are able to do so today i.e. you'll be able to identify all users who possess "unauthorized access" as it pertains to this example.

Once you have identified all such users who possess this "unauthorized access", if you know which underlying permissions in the Active Directory object's ACLs are entitling them to this unauthorized access (and you will have this data if you perform the above mentioned audit, because the involved tooling will provide it to you), you can now tweak either the permissions or the membership of the domain security groups to which these permissions are granted, as needed, to revoke this unauthorized access, and in this manner, you can easily, efficiently and provably lockdown the access granted in Active Directory.

An Effective Privileged Access Audit is thus a simple, logical and straight-forward process that involves enacting the above to help organizations easily and accurately obtain the insight they need to identify unauthorized access in Active Directory.

One last thing - wouldn't it be nice if instead of having to determine who has what effective permissions in terms of technical Active Directory permissions (e.g.  Write-Property Member), we could just obtain this information in terms of administrative access entitlements i.e. in terms of who can enact what administrative tasks (e.g. Who can change a group's membership)?

I happen to think so, because security is best kept simple, and we humans can think about and analyze situations described in terms of administrative tasks much better than we can do so in terms of arcane technical permissions. In this regard, the tooling involved in such an audit is designed to deliver this insight in terms of administrative tasks rather than technical permissions. Of course, should you also like the data in terms of technical permissions, the involved tooling can certainly deliver that as well.

Thus, as it pertains to this example, an Effective Privileged Access Audit will deliver the following data to you: a complete list of all individuals who can change domain security groups in your Active Directory, the exact identity of each domain security group whose membership they can change, and the exact underlying security permission in the ACL of that domain security group that entitles each user to change its membership. Armed with this insight, you can easily and completely lock down Active Directory vis-à-vis this example, in a matter of days.
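As an added illustration of the effective-permissions determination described above (this is example code written for this page, not the tooling the post refers to, and the principals, group nesting, distinguished names and ACLs in it are constructed sample data), the following Python models the Windows DACL evaluation order for a single access check: WriteProperty on the member attribute of a group object. It canonicalizes the DACL (explicit deny, explicit allow, inherited deny, inherited allow), expands nested group membership into the user's token, honours object-specific ACEs by attribute GUID, and stops at the first matching ACE that carries the requested right. A deliberately naive "any allow ACE with a write bit" scan is included beside it to show how the two disagree.

```python
"""Who can effectively change a group's membership?  Added example only.

Models the Windows access-check order for one right (WriteProperty on the
'member' attribute) over constructed sample data; not the blog's tooling.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

# ActiveDirectoryRights bit values (System.DirectoryServices)
READ_PROPERTY = 0x10
WRITE_PROPERTY = 0x20
GENERIC_WRITE = 0x20028   # includes WRITE_PROPERTY
GENERIC_ALL = 0xF01FF     # includes WRITE_PROPERTY

MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of 'member'
OTHER_ATTR = "11111111-2222-3333-4444-555555555555"    # constructed: some other attribute
WELL_KNOWN = {"Everyone", "Authenticated Users"}       # always in a domain user's token


@dataclass(frozen=True)
class Ace:
    trustee: str                        # principal or group name (stands in for a SID)
    allow: bool                         # True = access-allowed, False = access-denied
    mask: int                           # ActiveDirectoryRights bit mask
    object_type: Optional[str] = None   # attribute GUID, or None = every property
    inherited: bool = False


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    ACEs are evaluated top to bottom, so an explicit allow beats an inherited deny."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def token_for(principal: str, members: Dict[str, Set[str]]) -> FrozenSet[str]:
    """The principal plus every group it belongs to, transitively (nested groups)."""
    token, frontier = {principal} | WELL_KNOWN, [principal]
    while frontier:
        cur = frontier.pop()
        for group, direct in members.items():
            if cur in direct and group not in token:
                token.add(group)
                frontier.append(group)
    return frozenset(token)


def can_write_property(principal: str, dacl: List[Ace], members: Dict[str, Set[str]],
                       attribute: str = MEMBER_GUID) -> bool:
    """Effective check: first ACE in canonical order whose trustee is in the token,
    whose object type covers the attribute, and whose mask carries WriteProperty
    decides the outcome; no such ACE means implicit deny."""
    token = token_for(principal, members)
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.object_type not in (None, attribute):
            continue                    # object-specific ACE for a different attribute
        if not ace.mask & WRITE_PROPERTY:
            continue                    # ACE does not speak to this right at all
        return ace.allow
    return False


def naive_allow_scan(principal: str, dacl: List[Ace], members: Dict[str, Set[str]]) -> bool:
    """What a quick ACL grep does: any allow ACE with a write bit, ignoring denies,
    ACE order and object type.  Kept only to contrast with the effective check."""
    token = token_for(principal, members)
    return any(a.allow and a.trustee in token and a.mask & WRITE_PROPERTY for a in dacl)


def who_can_change_membership(group_acls: Dict[str, List[Ace]], principals: List[str],
                              members: Dict[str, Set[str]],
                              check: Callable = can_write_property) -> Dict[str, List[str]]:
    """Per group object: the sorted principals that pass `check`."""
    return {dn: sorted(p for p in principals if check(p, dacl, members))
            for dn, dacl in group_acls.items()}


# ---- constructed sample directory -------------------------------------------
MEMBERS = {"Domain Admins": {"alice"}, "Helpdesk": {"bob", "Tier2"},
           "Tier2": {"carol"}, "Contractors": {"dave"}}
PRINCIPALS = ["alice", "bob", "carol", "dave"]
DA_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
HD_DN = "CN=Helpdesk,OU=Groups,DC=corp,DC=example"
GROUP_ACLS = {
    DA_DN: [
        Ace("Domain Admins", True, GENERIC_ALL),
        Ace("Tier2", False, WRITE_PROPERTY, MEMBER_GUID),          # explicit deny
        Ace("Helpdesk", True, WRITE_PROPERTY, MEMBER_GUID, True),  # inherited allow
        Ace("Contractors", True, READ_PROPERTY, None, True),       # read only
        Ace("Everyone", True, WRITE_PROPERTY, OTHER_ATTR, True),   # not the member attribute
    ],
    HD_DN: [
        Ace("Domain Admins", True, GENERIC_ALL),
        Ace("Tier2", True, GENERIC_WRITE),                         # explicit allow ...
        Ace("Tier2", False, WRITE_PROPERTY, MEMBER_GUID, True),    # ... beats inherited deny
    ],
}

if __name__ == "__main__":
    for label, check in (("effective", can_write_property), ("naive", naive_allow_scan)):
        print(label, who_can_change_membership(GROUP_ACLS, PRINCIPALS, MEMBERS, check))
```

In the sample data, carol is a member of Tier2, which is nested in Helpdesk: the naive scan credits her with the inherited Helpdesk allow on Domain Admins, while the effective check honours the explicit deny on Tier2; on the Helpdesk object the reverse happens, because Tier2's explicit GenericWrite allow is evaluated before the inherited deny. Dave appears in the naive result only because of an allow on an unrelated attribute. Real directories add further factors this model does not cover (owner rights, extended rights, validated writes, the object's inheritance flags), which is exactly why per-object evaluation with full fidelity is the hard part.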

End of Example.


A comprehensive Effective Privileged Access Audit will thus empower your organization to easily, efficiently and accurately determine the entirety of access that is currently provisioned/delegated in your Active Directory, i.e. who can do what concerning account management, group management, OU and Container management, SCP management, Directory Services management etc., and to do so in a matter of hours, not months. It will thus get you the data you need to adequately lock down your Active Directory, and in doing so enable your organization to swiftly, measurably and demonstrably attain and maintain least privileged access in Active Directory.

Any organization or individual who needs additional information or clarity on this process is welcome to contact us. Our technical specialists will be happy to help you adequately understand this process, with our compliments (i.e. free of charge).



So you see, this is all we need to do, and once we've done this, there will be no unauthorized access left in our Active Directory, no matter how large it is, and there will be no unknown privilege escalation paths left for perpetrators to find and exploit. None!


Let me repeat that. Once you've done this, there will be no unauthorized access left in your Active Directory. None... 
Zero!      нуль, nul, صفر , 零,Null, μηδέν, ʻole, אֶפֶס , शून्य, ゼロ,제로, nihil, sero !

This is all that organizations need to do to easily, efficiently and accurately identify and lockdown all unauthorized access in Active Directory. From that point on, you'll want to maintain this least privileged access state by performing regular audits.


So, what tooling is needed to perform an Active Directory Effective Privileged Access Audit?  You're going to need this & this.

In fairness, to be totally objective, strictly speaking you can use any tool that can accurately and adequately determine effective permissions in Active Directory, at a minimum on a per-object basis, and ideally domain-wide (unless you have years to solve this problem). I only mentioned those two tools because they are the only tools I know of that can do this.




In Summary

The potential exploitation of the vast amount of excessive/unauthorized access that exists in billions of Active Directory ACLs worldwide today is a serious challenge that thousands of organizations face, because it impacts their foundational cyber security.

Fortunately, with the right guidance, tooling and executive support, it can be quickly, efficiently and completely addressed.


Here's what we at Paramount Defenses believe -
"We at Paramount Defenses care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to organizations worldwide that operate on Active Directory. Rest assured that Active Directory is a highly robust, trustworthy and securable technology, and here is exactly how organizations can easily, adequately and reliably identify and lock down privileged access in their foundational Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

Lastly, I know that I make it sound so simple, but in reality this is a very difficult problem to solve, and without the ability to obtain accurate effective access insight, which in turn requires the right tooling, it really is almost impossible to solve.

As for the right tooling, building it requires vision, a deep understanding of the subject, and years to build, test and perfect.

Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly, Program Manager,
Active Directory Security,
Microsoft Corporation


PS: I could've easily communicated all of this in just a simple Executive Summary, and we did - it's called The Paramount Brief. In fact, last year, we even had it FedEx overnighted to the CEOs, CFOs and Chairmen of the Top-200 organizations worldwide, and FedEx tracking helped ensure that they all received it. They've all been informed. I even shared it with Microsoft (MSRC).

PS2: To my friends at Microsoft - "This only took a decade of vision, persistence, grit and laser-focused execution to address."

PS3: If you liked this post, you're likely going to love the next few posts.