Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.



Friday, July 7, 2017

A Most Important Microsoft Video on Defending Active Directory (Day-9)

Dear Microsoft,

Today is Day-9 of our Active Directory security school for Microsoft. I was finally going to talk about effective permissions today, but I figured I should first share an incredibly important video on AD Security from Microsoft, since it bridges the gap so well between Day-8 ("An Ocean of Access Privileges In Active Directory") and Day-10 ("Active Directory Effective Permissions").



Defending Active Directory

Here's that incredibly important video from Microsoft (and you can watch it right here, or online at Microsoft's website here) -





The summary of this video titled Defending the Directory is - "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence & escalation of privilege."

By the way, I highly recommend that all IT professionals involved with Active Directory security watch this entire video at least once.





12 Very Important Points Made in this Video from Microsoft -

Today, I just wanted to highlight 12 incredibly important points made in this video, quoted directly from the video -


  1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins" 

  2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"

  3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"

  4. "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"

  5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that setup AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."

  6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"

  7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy."

  8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"

  9. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"

  10. "So effectively that is a means of escalation!"

  11. "If a group or account has been granted change reset password on an account, and that account is privileged, I can change the password on that account, and now I own it!"

  12. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, it's super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because it's controlled by the access control lists (ACLs)!"

Microsoft, great advice! Each one of these is worth its proverbial weight in gold, and is exactly what we've been saying for years.

Now, that said...




Just 1 Question

Dear Microsoft, I just have one question for you, and I have asked this before as well, but nonetheless I will ask it again.


Possibly the most important message in this video is, and I quote - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important".

BUT, you completely forgot to tell them the most important part, which is - "how to correctly assess who has actually been delegated what privileges in Active Directory, i.e. who actually has what effective / resulting access in Active Directory?!"

So the simple question is -
Exactly what do organizations worldwide need to do to correctly find out who has been delegated what privileges in Active Directory? i.e. What is the ONE technical aspect that governs the accurate determination of who can actually do what in Active Directory that they need to know about to make this paramount determination?
HINT: The presenter completely missed it even though it was right in front of his eyes (from 0:21:50 - 0:22:05)


The simple answer, also the topic of our next post (Day-10), is - "Active Directory Effective Permissions / Effective Access."
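As an added illustration of why listing ACEs is not the same as knowing effective access (video points 7, 9 and 11 above), here is a constructed Python model, not code from this blog or from Microsoft, of how a DACL on the Domain Admins group object is evaluated: nested group membership is expanded into a token and ACEs are walked in Windows canonical order, so a user who never appears in any ACE can hold write-member, while a user who does appear in one can be denied. The group names, user names and the two simplified rights are made-up sample data, and object-type GUIDs are left out.

```python
from dataclasses import dataclass
# Constructed, simplified model of AD DACL evaluation (not Microsoft's code);
# rights are named after the video's examples and object-type GUIDs are omitted.
@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the ACE applies to
    rights: frozenset        # e.g. {"WriteMember"} or {"ResetPassword"}
    allow: bool = True       # False means a deny ACE
    inherited: bool = False  # True if inherited from a parent container

GROUPS = {"Domain Admins": {"TierZero-Ops"},   # constructed nesting: group -> direct members
          "TierZero-Ops": {"Helpdesk-L3"},     # three levels deep (video point 7)
          "Helpdesk-L3": {"alice", "bob"},
          "Contractors": {"carol"}}

def token_groups(principal):
    # Transitive closure of group membership, as in a logon token.
    found, stack = set(), [principal]
    while stack:
        cur = stack.pop()
        for group, members in GROUPS.items():
            if cur in members and group not in found:
                found.add(group)
                stack.append(group)
    return found

def effective_rights(principal, dacl, rights):
    # Walk ACEs in canonical order (explicit deny, explicit allow, inherited deny, inherited
    # allow); the first ACE naming the right whose trustee is in the token decides that right.
    token = token_groups(principal) | {principal, "Authenticated Users"}
    ordered = sorted(dacl, key=lambda a: (a.inherited, a.allow))
    granted = set()
    for right in rights:
        for ace in ordered:
            if ace.trustee in token and right in ace.rights:
                if ace.allow:
                    granted.add(right)
                break  # deny or allow, this ACE settles the right
    return granted

# Constructed DACL on the Domain Admins group object, as years of delegation might leave it.
DOMAIN_ADMINS_DACL = [
    Ace("Helpdesk-L3", frozenset({"WriteMember"})),       # video point 9, reached via nesting
    Ace("bob", frozenset({"WriteMember"}), allow=False),  # explicit deny on one helpdesk user
    Ace("Contractors", frozenset({"ResetPassword"})),     # video point 11, explicit allow
    Ace("Authenticated Users", frozenset({"ResetPassword"}), allow=False, inherited=True)]
RIGHTS = ("WriteMember", "ResetPassword")

def audit(principals=("alice", "bob", "carol"), dacl=DOMAIN_ADMINS_DACL):
    # Who can actually act on the group, as opposed to who merely appears in an allow ACE.
    return {p: effective_rights(p, dacl, RIGHTS) for p in principals}
```

Running `audit()` shows alice holding WriteMember without being named anywhere in the DACL, bob (named in the same nested group) holding nothing, and carol's explicit allow beating the inherited deny on ResetPassword.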

Best wishes,
Sanjay


PS: By the way, see how "everything in AD is an object protected by ACLs" ties into Day-8, An Ocean of Access Privileges.

PS 2: Is it just us, or do you too find it so coincidental that in May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft developed and released a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks"? The entire series can be found here. They even made a promo for it.

Saturday, April 1, 2017

Hey Microsoft - What Constitutes a Privileged User in Active Directory?

Dear Microsoft,

I was supposed to start your 30-day advanced Active Directory Security school today, but before I do so, I wanted to ask you arguably the most fundamental yet important (and might I add, paramount) question in all of Windows and Active Directory Security, because not a single* one of your customers can be secured without the answer to this ONE question.

Here's the Question - What constitutes a Privileged User in Active Directory?


You see, this is the #1 cyber security question that every organization in the world (including all cyber security companies) must have an answer to today, given that 85% of all organizations worldwide operate on Active Directory, and that 100% of all major recent cyber security breaches involved the compromise and misuse of a single Active Directory privileged user account.

I deeply value my time, and based on what I'm seeing, not even you (let alone most of your organizational customers across 150+ countries) seem to have a clue as to an adequate answer to this question, and I'm not inclined to waste my valuable time taking you or anyone to school until I've seen at least a basic understanding of this paramount question.

[ Here is proof that you don't seem to have a clue: Quoting a Microsoft security expert from a huge 7-part series of videos titled "Defending Active Directory against Cyberattacks" developed and released by Microsoft in May 2016 - "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory." Seriously?! You, the $550 billion Microsoft, are just now (i.e. in 2016/17) working to identify this!? If you want to know how to defend Active Directory, start here.

As such, based on what I've seen thus far, you've been predominantly focused on credential-theft attacks (Pass-the-Hash, Kerberos ticket meddling etc.), which you likely may have been compelled to do something about (likely based on pressure from your customers), and all you did is acquire a puny fledgling start-up to help detect ongoing activity against Active Directory. Now, detection is #3 in the list of protection measures - #1 is prevention, and #2 is avoidance. So, Microsoft ATA is at #3. To be fair, you're not alone in being clueless - from self-proclaimed SMEs, gurus & experts, to others, no one seems to have the answer. ]

So, let me give you some time to think about and answer this question to the best of your ability (not so much for me, but primarily for the 1000s of organizations that are your customers), and based on your answer, we'll start your school. Alright?



Everyone's Tuned In

BTW, you may not know this, so let me tell you that from your largest business customers to the most important of our 3-letter acronym government agencies & from the biggest cyber security companies to the Russians, everyone's tuned in here & here.


The world needs & looks forward to an answer. (You may not answer this question, so know that silence too speaks volumes.)

Of course, we can most easily answer this question for them in 10 seconds, and I will in days to come, on day 1 of your school, but I wanted to give you an opportunity to show some thought leadership. As for your school, I'll start it later this month...

...once everyone's had some time to adequately reflect on the importance of this most fundamental of cyber security questions, because this impacts the foundational cyber security of 85% of all organizations worldwide, in both business and government.

Respectfully,
Sanjay


PS: If you want a head start, you're welcome to join our free global community of Active Directory security professionals from 1000s of organizations across 100+ countries worldwide, where we're already discussing this and other paramount questions. For instance, our members already know that accounts protected by AdminSDHolder in AD are merely the Tip of the Iceberg.

PS2: Since you haven't figured it out in over 10 years now (because if you had, I wouldn't have to ask you this question today), perhaps I should help you out with a hint: to answer this question, organizations worldwide need one simple capability - this.

PS3: When you've fathomed the depth (and impact on global security) of what I'm talking about, if you want to talk, have Satya (yes Mr. Nadella, your wonderful CEO) call me, as this is a conversation that an employee at his pay-grade should be having.

Tuesday, October 25, 2016

Best Practices for Securing Active Directory

Folks,

As you may know, given the foundational role of Active Directory in business, its security is paramount to organizational cyber security today, and it appears that organizations worldwide are finally starting to take Active Directory security seriously.

As former Microsoft Program Manager for Active Directory Security, to help Microsoft Corp better understand Active Directory security (and to help organizations worldwide measurably enhance Active Directory security), last week we released the Paramount Defenses deck on Active Directory Security, titled Defending Active Directory Against Cyber Attacks.
You can download it from here - http://www.paramountdefenses.com/defending-active-directory-against-cyberattacks.html


Rare, High-Value Active Directory Security Insight

With 90+ insightful slides covering all relevant aspects of Active Directory security, it could very well have been titled Best Practices for Securing Active Directory, so I thought I'd share a link to it here. Here's the Table of Contents -


1. Introduction: Active Directory - Importance, Impact of Compromise and Attack Surface
2. Top-5 Active Directory Security Risks, Attack Vectors and Methods
3. Top-5 Active Directory Threat Sources
4. Top-5 Active Directory Security Risks (The Details)
5. A Note on Credential Theft Vectors
6. Top-5 Active Directory Security Measures
7. An Ocean of Access Privileges in Active Directory + How to Limit Access Privileges in Active Directory
8. Five Examples of Limiting Access Privileges in Active Directory
9. Automated Privileged Access Audit in Active Directory
10. Five Examples of Impact of Compromise
11. Five Special Active Directory Security Topics
12. Summary, Helpful Pointers and Insights

If you're into Active Directory Security, you won't want to miss it - it's right here.

Best wishes,
Sanjay


PS: If you're looking for Microsoft's whitepaper, you can find it here. If you want to know what the most important topic in Active Directory Security is, and one that Microsoft's experts completely missed covering in that whitepaper, you'll want to read this.