Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, a former Microsoft Program Manager for Active Directory Security, and today the CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.



Friday, September 8, 2017

How to Audit Who Can Change Group Memberships in Active Directory


Dear Microsoft,

Hello. Today is Day-16 of our Active Directory Security School for you. Today, I will answer the question I had asked you on Day-15, and in doing so, we will learn about how to correctly audit who can change group memberships in Active Directory.



The Simple Trillion $ Question

Microsoft, in my previous post I had asked you a very simple Windows and Cyber Security 101 question, which was -


Who can modify the membership of a domain security group in Active Directory?


In case you're wondering why this might be an important question, as I've already explained, it is because today, across 1000s of organizations worldwide, it is domain security groups that secure billions of organizational IT resources such as files, folders, email, data, SharePoint portals, Intranets, remote access etc., and thus they help protect trillions of dollars of wealth.


So, without further ado, let's find out what the answer is, shall we?




First, the Incorrect Answer

Before I answer it, let me take a moment to share what the incorrect answer is, and the only reason I'm doing so is because in all likelihood, at 1000s of organizations worldwide today, this is exactly how IT personnel may be answering the question -

The Incorrect Answer

Find out / audit "who has Write-Property - Member (attribute) permissions on the security group."

Many will suggest that you can simply use tools like dsacls or acldiag, or simply write a PowerShell script to do so, and most vendors will suggest using their Active Directory Permissions Audit tools. Sadly, and unbeknownst to them, they'd all be wrong!

In fact, they would not just be wrong, they would be substantially wrong, and yet this is exactly how most IT personnel at most organizations worldwide may be answering this question at their multi-billion dollar organizations today!

If you've been attending school diligently, then you know why this is not the correct way to audit who can change group memberships in Active Directory, and why using it will leave you with vastly inaccurate results: a listing of the ACEs on a group does not tell you who actually ends up with the right, because it takes no account of nested group memberships (an ACE granted to a group extends to every transitive member), of deny ACEs that override allows, of inherited and inherit-only ACEs, of generic rights that include Write Property, or of indirect routes such as Write DACL and Write Owner that let their holder grant the right to themselves. Acting upon such results could leave thousands of IT resources inadequately protected and thus vulnerable to compromise.

Here's why...





Now, the Correct Answer

If you've been attending school diligently, then by now you know that it is not "who has what permissions in Active Directory" that matters, but rather "who has what effective permissions in Active Directory" that matters. In fact, that is all that matters.

Thus, the correct answer is -

Find out / audit "who has Write-Property - Member (attribute) effective permissions on the security group."
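To make the distinction concrete, here is an added example in PowerShell; it is not code from this post, nor from Paramount Defenses or Gold Finger. Get-RawMemberWriteAces is the incorrect answer: it merely lists the ACEs on a group that carry Write Property on the member attribute. Test-CanWriteMember is a simplified version of the correct answer for one user and one group: it expands the user's transitive group membership through tokenGroups, walks the group's DACL in canonical order so that deny ACEs override allows, skips inherit-only ACEs and inherited ACEs scoped to other object classes, and also reports indirect routes (ownership, Write DACL, Write Owner) and the Self-Membership validated write. Find-GroupsUserCanModify runs that check against every group in the domain for one user. It assumes the RSAT ActiveDirectory module on a domain-joined host and an account that can read the security descriptors involved; the group Executives and the user jdoe are hypothetical names.

```powershell
# Added example, not code from the original post nor from Paramount Defenses/Gold Finger.
# Assumes RSAT ActiveDirectory module, a domain-joined host, and read access to the
# security descriptors involved. 'Executives' and 'jdoe' are hypothetical names.
Import-Module ActiveDirectory

# Schema GUIDs, identical in every forest: the 'member' attribute (also the GUID of the
# Self-Membership validated write) and the 'group' object class.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$GroupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$SidType = [System.Security.Principal.SecurityIdentifier]

# The incorrect answer: list ACEs carrying WriteProperty on 'member' (or on all properties).
# It ignores nesting, deny ACEs, inherit-only ACEs and indirect routes such as WriteDacl.
function Get-RawMemberWriteAces {
    param([Parameter(Mandatory)][string]$GroupDN)
    (Get-Acl -Path "AD:\$GroupDN").Access | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights::WriteProperty) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $MemberAttrGuid)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

# SIDs a user's access token would carry: own SID, every group reached transitively
# (tokenGroups is computed by the DC, so nesting is already expanded), plus the
# well-known identities that commonly appear in AD ACLs. SELF (S-1-5-10) is left out:
# on a group object it refers to the group itself, not to the user being evaluated.
function Get-TokenSids {
    param([Parameter(Mandatory)][string]$UserDN)
    $entry = [ADSI]"LDAP://$UserDN"
    $entry.RefreshCache(@('tokenGroups', 'objectSid'))
    $sids = New-Object System.Collections.Generic.List[string]
    $sids.Add($SidType::new($entry.Properties['objectSid'][0], 0).Value)
    foreach ($raw in $entry.Properties['tokenGroups']) { $sids.Add($SidType::new($raw, 0).Value) }
    $sids.Add('S-1-1-0')   # Everyone
    $sids.Add('S-1-5-11')  # Authenticated Users
    return $sids
}

# The correct question, answered with a simplified model of the Windows access check:
# walk the DACL in canonical order (explicit deny, explicit allow, inherited deny,
# inherited allow; AD keeps DACLs canonical, and Get-Acl returns ACEs in stored order)
# and let the first ACE that decides write access to 'member' win.
function Test-CanWriteMember {
    param([Parameter(Mandatory)][string]$GroupDN, [Parameter(Mandatory)][string]$UserDN)
    $token    = Get-TokenSids -UserDN $UserDN
    $acl      = Get-Acl -Path "AD:\$GroupDN"
    $indirect = @()
    # The owner implicitly holds WriteDacl, so ownership alone is an indirect route.
    if ($token.Contains($acl.GetOwner($SidType).Value)) { $indirect += 'object owner (implicit WriteDacl)' }
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs exist to propagate further down and grant nothing on this object.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        # Inherited ACEs scoped to another object class do not apply to a group object.
        if ($ace.IsInherited -and $ace.InheritedObjectType -ne [guid]::Empty -and
            $ace.InheritedObjectType -ne $GroupClassGuid) { continue }
        try   { $sid = $ace.IdentityReference.Translate($SidType).Value }
        catch { continue }   # orphaned or unresolvable trustee
        if (-not $token.Contains($sid)) { continue }
        $r = $ace.ActiveDirectoryRights
        $onMember = ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $MemberAttrGuid)
        $isAllow  = ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow)
        # GenericAll and GenericWrite both carry the WriteProperty bit, so one test covers them.
        if ($r.HasFlag($Rights::WriteProperty) -and $onMember) {
            return [pscustomobject]@{
                Group = $GroupDN; User = $UserDN; CanWriteMember = $isAllow
                DecidedBy = "$($ace.AccessControlType) $r for $($ace.IdentityReference) (inherited: $($ace.IsInherited))"
                IndirectRoutes = $indirect
            }
        }
        # Self-Membership validated write: may add only the user's own account.
        if ($isAllow -and $r.HasFlag($Rights::Self) -and $onMember) { $indirect += 'Self-Membership validated write (own account only)' }
        # WriteDacl/WriteOwner do not touch 'member' but let the holder grant it to themselves.
        if ($isAllow -and ($r.HasFlag($Rights::WriteDacl) -or $r.HasFlag($Rights::WriteOwner))) {
            $indirect += "$($ace.IdentityReference) holds $r"
        }
    }
    # No decisive ACE: denied by default, though indirect routes may still exist.
    return [pscustomobject]@{ Group = $GroupDN; User = $UserDN; CanWriteMember = $false
                              DecidedBy = 'no matching ACE (implicit deny)'; IndirectRoutes = $indirect }
}

# Domain-wide, for one user: every group he/she can modify directly or indirectly.
function Find-GroupsUserCanModify {
    param([Parameter(Mandatory)][string]$UserDN)
    Get-ADGroup -Filter * | ForEach-Object { Test-CanWriteMember -GroupDN $_.DistinguishedName -UserDN $UserDN } |
        Where-Object { $_.CanWriteMember -or $_.IndirectRoutes.Count -gt 0 }
}

# Usage (hypothetical names):
$group = (Get-ADGroup -Identity 'Executives').DistinguishedName
$user  = (Get-ADUser  -Identity 'jdoe').DistinguishedName
Get-RawMemberWriteAces -GroupDN $group | Format-Table -AutoSize
Test-CanWriteMember -GroupDN $group -UserDN $user | Format-List
```

Compare the two outputs on a real group: a user who never appears in the raw ACE listing can still come back with CanWriteMember = True because a group in his/her token holds the ACE, and a user who does appear in it can come back False because an earlier deny ACE wins. This function is deliberately a point-in-time evaluation of one object's DACL against one user's token for a single right; an accurate engine also has to cover every principal against every group, ACL changes over time, and the many ACE combinations not modelled here, which is exactly why the determination is harder than it looks.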

Microsoft Effective Permissions Tab - Conceptually Correct Answer, But * Inaccurate and Inadequate

*Now, BEFORE you assume (mistakenly) that the Microsoft Effective Permissions Tab is sufficient to make this determination, please know that unfortunately not only is Microsoft's Effective Permissions Tab inaccurate, it is also substantially inadequate, as are all basic tools like dsacls, acldiag, PowerShell scripts etc., as explained in detail here and here.


I have already shared a substantial amount about Active Directory Effective Permissions, including why they are all that matters and why they are so difficult to accurately determine, which is also why the Effective Permissions Tab and virtually all other tools including dsacls, acldiag, PowerShell etc. just cannot be relied upon to accurately determine effective permissions.


To help organizational IT personnel worldwide understand this, let me share with you the only way that I know of, as former Microsoft Program Manager for Active Directory Security, to accurately audit effective permissions in Active Directory -


The snapshot above is that of the Gold Finger Active Directory Effective Permissions Calculator, which is the only tool that I know of that can correctly (i.e. accurately), automatically and adequately determine effective permissions in Active Directory.

As you can see above, we performed an Active Directory Effective Permissions Audit on a single domain security group called Executives, and we can see exactly who has Write Property - Member attribute effective permissions granted on this object.

I must mention that the only reason I have shared info about this tool here is to help everyone see exactly what it is they should be performing an audit of, and exactly what the output of such an audit looks like. You can download sample output from here.

I would encourage all organizations and IT personnel worldwide to compare the results of whatever method they might currently be using to make this vital determination on their domain security groups, with the results of a true effective permissions audit on their domain security groups. In all likelihood, in most cases the difference will be substantial, surprising and eye-opening.






Finally, Domain-Wide Assessment

Microsoft, there's an old saying that "Talk is Cheap." If I might add, "Actions are Not." If I were merely shedding light on this problem (as so many often do) without also doing something to help solve it, then I'd say the former saying would apply to me.

However, because I have the onus of representing the very best not just of Paramount Defenses but also of Microsoft (having been one of you), the onus of ensuring that I'm not merely talking is on me, so without further ado, let me show you just how SIMPLE we have made such an important yet fundamental determination for the entire world.

If you can click a button, and I do literally mean just ONE button, you can now instantly, automatically and (most importantly) accurately find out exactly who can change the group membership of every single domain security group in an entire Active Directory domain, irrespective of whether it has 100 domain security groups or 100,000+ domain security groups -

Gold Finger - Active Directory Administrative (Privileged) Access and Delegation Audit Tool

Imagine that an organization has thousands of domain security groups. Within minutes, this tool can accurately determine effective permissions/access on each one of these thousands of domain security groups, to determine and reveal exactly who can change their memberships, AND how they can do so. (In contrast, it would take several thousand hours to do this manually.)

Microsoft, this quite simply is the state-of-the-art when it comes to true effective access entitlement assessment in Windows based networks, and this is what can empower organizations worldwide to instantly identify (audit), lock down, and then verify (and of course subsequently audit on demand 365-24-7) that on every single domain security group in their Active Directory domain, only those individuals who should actually be able to change group memberships (and no one else) can do so.

If you wish to see the complete output of the above domain-wide effective access assessment, you can download it from here.

At so many of our customers worldwide, there are thousands of domain security groups in their Active Directory domains. Within minutes, they can instantly and accurately find out exactly who can change the membership of each one of their thousands of domain security groups, as well as find out exactly how these individuals are entitled to do so, and within just days, they have been able to completely lock down (and keep secure) access on every single domain security group in their Active Directory.

To say that this is an eye-opening experience for them, would be to substantially understate its profound value and impact.

Note: Microsoft, as you can imagine, in the wrong hands, the same power could be used to obtain and potentially misuse extremely valuable cyber security intel (e.g. exactly who can change the membership of Domain Admins, Enterprise Admins, Built-in Admins, Executives, Employees, Contractors, Project X Confidential Access Group, Litigation Y Access Group, Next Innovative Product Z Group etc. etc.) This is why we do not indiscriminately license this tool. In fact, we only license it to organizations and only for use within their own environments.  





Something to Think About

Microsoft, in light of what I've just shared above, I'd like for you to give some serious thought to the following -


The need to know exactly who can change a domain security group in Active Directory is so basic, essential and fundamental to cyber security, yet even today, 17+ years after Active Directory was shipped, most organizations do not even seem to know how to do so correctly, let alone have the ability to do so correctly, adequately, efficiently and on demand. Further, neither you, nor a single vendor (of which there are 1000s) in your global partner ecosystem, has a single solution that can help the world fulfill this most basic, essential and fundamental cyber security need.

I can't help but wonder Why, and like I said, only one plausible explanation makes sense - this one (see "Here's Why" section.)





Summary

In summary, the primary objective of asking this simple question was to shed light on something that, although it may seem very simple, is actually not only very important but also very difficult to do correctly, because it could provide the easiest avenue for perpetrators to compromise a substantially large number of organizational IT resources.


You see, in an Active Directory deployment, just about everything (i.e. all files, folders, email, SharePoint portals, applications, services, Intranet sites, remote access, Cloud access, Internet access, etc.) is ultimately protected by domain security groups.


Thus, if someone could change the membership of a domain security group in Active Directory, he/she could immediately obtain authorized access to every single organizational IT resource to which that domain security group is currently granted access.

This is why it is imperative to know exactly who can change the membership of all domain security groups in Active Directory.


The secondary objective was to help organizations worldwide understand that in order to correctly make this determination (i.e. to correctly find out who can change domain security groups in Active Directory), what they need to do is audit "who has what effective permissions" (i.e. this) and not "who has what permissions" on each single one of their domain security groups.

Finally, because "talk (alone) is cheap", I also wanted to share how easy we've made solving this problem for the entire world.


That's all for today.

Best wishes,
Sanjay


PS: Microsoft, I've some good news for you. Perhaps you may feel that I've been a bit hard on you, but the good news is that from Day-22 or so onwards, I'm going to show you and your customers just how rock-solid and trustworthy Active Directory is, how the world can easily attain and maintain least privileged access, and operate a bullet-proof Active Directory, so hang in there.

Wednesday, September 6, 2017

A Trillion $ Question to Microsoft regarding Domain Security Groups


Dear Microsoft,

Today is Day-15 of our Active Directory Security School for you. Since you may still be trying to grasp and comprehend the depth and complexity of what I shared with you on Day 14, I'll keep today's post/lesson really simple, short and to the point.



Domain Security Groups:  An All-Access Pass to 1000s of IT Resources

As you know, at the foundation of cyber security of most IT networks powered by Windows Server lies Active Directory.

As you may also know, in all such IT networks/infrastructures powered by Active Directory, one building block of cyber security in particular is extensively used to provision access to almost all IT resources in the network. Do you know which block it is?


Of course you do! In most IT networks powered by Active Directory, it is Domain Security Groups that are used to provision access to most organizational IT resources such as files, folders, SharePoint portals, Intranet sites etc. across the network!


In fact, in almost every Active Directory deployment in the world, today there exist 1000s of domain security groups within Active Directory that are used to provision secure access to almost the entirety of the organization's IT resources!



For anyone living on Mars, here are a few examples of such domain security groups -

  1. Domain Admins - A small but all-powerful group of privileged users who possess system-wide administrative access.

  2. All Employees - A large membership security group whose members include all organizational employees' accounts.

  3. Contractors - A medium-sized security group whose members may include the accounts of all existing contractors.

  4. Executives - A small security group whose members include all organizational executives' (e.g. C*Os) user accounts.

  5. <Resource-specific> Group - One of thousands of domain security groups that may be used to provision access on various IT resources for various business purposes. For example, Legal Team, R&D Team, Product X Group, etc.

In fact, today Active Directory domain security groups are used to aggregate (group) organizational users for the purpose of facilitating secure access to just about everything in a Microsoft Windows Server based network powered by Active Directory.

And by just about everything, I do mean just about everything - computers, files, folders, documents, emails, SharePoint portals, intranet sites, line-of-business applications, data, databases, VPN, remote access, web access ... <the list goes on and on.>

Thus, it is after all Active Directory domain security groups that help secure the entirety of the organization's IT resources!


Further, often a domain security group in Active Directory gates access to either a large or a highly-sensitive set of IT resources.

It thus logically follows that possibly the easiest way to obtain access to a specific IT resource (or 1000s of them) protected by an Active Directory domain security group might simply be to become a member of that domain security group!






Which Begs A Question

If by virtue of being a member of a specific domain security group, one could instantly and automatically get access to all IT resources protected by that domain security group, then one cannot help but ask the simplest of cyber security questions, i.e. -


Who can change the membership of a domain security group in Active Directory?

After all, if someone could modify the membership of a specific domain security group, such as All Employees, Executives, Secret Project "X" Staff, Project "Stratosphere" Source-Code Access Group etc., he/she could instantly obtain access to literally everything (i.e. all IT resources) that specific domain security group currently has access to, across the entire network!





A Simple Example

Perhaps this is best understood with a simple example, so here's a very simple one.

Consider that it's Friday evening, and that a multi-billion dollar organization is going to announce their quarterly earnings on Monday at the close of the market. Further consider that this sensitive and highly confidential information (i.e. their Earnings) resides in a simple Microsoft Excel file titled Q3 2017 P&L, the only copy of which resides on a highly-protected server that is physically located in their ultra-secure data-center, and on which all suspicious network access is monitored -


Now, consider that an intruder (funded by a wealthy nefarious entity) has been able to breach their perimeter and compromise a domain-joined machine and further has been able to ascertain that this specific file contains the information this entity has an interest in acquiring prior to Monday afternoon, because if they could access this information, they could possibly make $100M.

The intruder may not be able to obtain physical access to the server on which it resides, and he/she may not want to attempt to breach the security of the server over the network since all suspicious network activity is being monitored (and, for all Mimikatz fans, sadly no Domain Admin has logged on, or is going to log on, to the one machine you've compromised and now 0wn), so might there be an easier way for him/her to obtain access to this file?

Consider this! He/she may not be able to access the contents of the file but he/she can view its ACL, and thus he/she can see (as shown in the snapshot above) that the domain security group Executives has Full Control over this file. So, if he/she could somehow become a member of this domain security group (or compromise the user account of an existing member of this domain security group), he/she will be able to instantly (and in fact as far as the "System" is concerned, legitimately) access the contents of this high-value confidential file without any suspicion being raised anywhere or a single alarm going off anywhere!

In effect, his/her challenge has now been reduced to finding out exactly who can change the membership of the Executives domain security group, because if he/she can compromise the account of any one such individual, he/she would literally be a minute away from being able to change the membership of that group, and thus consequently obtaining access to that file!

In other words, the entire focus of attack just shifted from a highly secured IT resource to a single Active Directory object!

(In the interest of brevity, I'm not going to go into further detail, but for those skilled in the art, the rest should be obvious.)






So, Microsoft, What's the Answer?

Dear Microsoft, you are a $550 Billion company today and one of the most important and valuable organizations in the world.


(You can take that as a compliment from the CEO of the most important and valuable cyber security company in the world.)


As you'll hopefully agree, since domain security groups help protect trillions of dollars in wealth worldwide today, the discussion and example above lead us back to and prompt one of the most simple and fundamental questions in cyber security -

Question: Who can change the membership of a domain security group in Active Directory? (And ideally, that of each domain security group in each one of the 1000s of Active Directory domains of business and govt. organizations worldwide?)


Microsoft, you have now had 17+ years to demonstrate your deep expertise and thought leadership to the World in the vital spaces of Active Directory Security, Windows Security and Cyber Security, and you've spent Billions on it, so I ask you -

"Do YOU think this (i.e. the one above) is an important question for organizations to know the answer to, 
  and if so, can YOU please (at least) tell them HOW they can/should answer this question?!"



Oh, and since you're Microsoft, I have just one more question for you
(i.e. an opportunity for you to earn a few bonus points ;-) ) -

"Can YOU help them answer this question?"



That's it for today. The answer tomorrow on Day 16.

Best,
Sanjay


PS: See, I told you that today's would be a much simpler question than the previous one i.e. this one. Besides, if you've been attending your school regularly, by now you know that this is a rhetorical question that I've already answered many times over!


PS2: Microsoft, I may be a bit hard on you, but please know that I care deeply for you, and that you enjoy my goodwill. By the way, if I'm hard on you, it's only because I feel that you had 17 years to educate your customers about this / this, yet you didn't, and likely as a result 1000s of organizations worldwide are blissfully operating in the dark, minutes away from compromise :-(