Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.



Tuesday, January 7, 2020

A Simple Question for all Self-Proclaimed Active Directory Security Experts

Folks,

As former Microsoft Program Manager for Active Directory Security, I find it amusing every time I come across some Active Directory vendor's or self-proclaimed AD security expert's website that claims that they know Active Directory Security well.

(You see, not one of these Active Directory Security vendors or self-proclaimed Active Directory security experts seems to have a CLUE as to the most important Active Directory Security Capability in the world, let alone possessing that paramount capability.)

So, I thought I'd pose a very simple Active Directory Security question to all Active Directory Security vendors and experts -


Question: Do you know the answer to this ONE simple question?


Specifically, in that question, I have shared a simple non-default string, and I have indicated that it is a cause for great concern.

What I would like to know is what it represents and why it is a great cause of concern for 85% of organizations worldwide.


On a scale of 1 to 10, 1 being easy and 10 being difficult, I'd rate this question as a 3, so if you're truly an Active Directory expert, this should be easy for you, and shouldn't take you a minute. You can leave your answer in a comment below.


Here's your chance to impress me (and the whole world). Oh, and Microsoft employees too may feel free to take a shot ;-)

Best wishes,
Sanjay.

Friday, December 6, 2019

It's Time to Help Secure Active Directory Worldwide

Folks,

I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.

Having successfully accomplished all three objectives, it is now finally TIME to help thousands of organizations worldwide adequately secure and defend their foundational Active Directory deployments from the proverbial SKYFALL(ing on them).


I'm BLOWN away by just how little organizations (as well as AD/cyber security companies) worldwide seem to know and understand not just the paramount importance of, but also what it takes to adequately ensure Active Directory Security.


When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.

So, even though I barely have any time to do this anymore, in the interest of foundational cyber security worldwide, I'm going to start sharing some valuable perspectives again, and do so, on three blogs - this one, that one, and the one below.


Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog - https://blog.paramountdefenses.com


Stay tuned for high-value AD security insights right here from January 06, 2020 onwards,
and let me take your leave with a befitting (and one of my favorite) song(s) -



Best wishes,
Sanjay.


PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.

Monday, October 1, 2018

Did Anyone at Microsoft Ignite 2018 Know the Answer To This Question?


Folks,

Last week, thousands of IT professionals, managers, CISOs and CIOs were in Orlando, attending, well, Microsoft Ignite 2018 !

Image Courtesy Microsoft. Source: https://www.microsoft.com/en-us/ignite

Not surprisingly, the Microsoft Ignite Conference had SOLD OUT! There were 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to expert proctors! That's great!

Did I mention that likely hundreds of Microsoft's own experts were also there, and collectively, they covered numerous vital areas such as Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc.


So, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts, one would hope THERE MUST'VE BEEN AT LEAST ONE PERSON AT MICROSOFT IGNITE 2018 who could have answered A VERY SIMPLE QUESTION -




       Question: What's The World's Most Important Active Directory Security Capability?






This is paramount, and here's why. In case you're wondering why anyone, and everyone who attended Microsoft Ignite 2018 should care about this question AND know the answer, it's because in any Microsoft Windows Server based IT Infrastructure, NOT A SINGLE ONE of the many vital areas listed above i.e. Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc. etc. can be adequately addressed without involving Active Directory Security.


In fact, here's proof -

Not a single one of the following fundamental cyber security / Windows security questions can be answered without knowing the answer to the question above and possessing that capability -


  1. Who can reset the passwords of any/every Domain Admin in an organization?

  2. Who can disable two-factor authentication on privileged and other domain user accounts?

  3. Who can change the membership of the Domain Admins group, or of any domain security group?

  4. Who can use Mimikatz DCSync to completely compromise the credentials of all domain user accounts?

  5. Who can delete an(y) Organizational Unit (OU) in a(ny) of the organization's Active Directory domains?

  6. Who can link a malicious group policy to an OU to instantly compromise all domain computer accounts in that OU?

  7. Who can modify the attributes of a mission-critical service's service connection points to instantly render it useless?

  8. Who can set the "Trusted for Unconstrained Delegation" bit on a server's domain account to compromise security*?

  9. Who can create, delete and manage domain user accounts, domain security groups, OUs etc. in Active Directory?

  10. Who can control/change privileged access as well as delegated access within and across the entire Active Directory?


Each and every single organization whose IT personnel / CISOs attended Microsoft Ignite 2018 (including Microsoft itself) must have precise answers to each and every one of the above listed fundamental cyber security questions at all times.
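To make the "who can" questions above concrete, here is an added Python illustration (not the blog's own code, nor Gold Finger's) of why a plain ACL listing and effective access give different answers to question 1: it runs a simplified NT access check over a constructed DACL with nested groups and deny ACEs. The group names, user names and ACEs are constructed sample values; only the Reset Password extended-right GUID is the real directory value.

```python
"""Simplified effective-access evaluator for an Active Directory DACL.

Added illustration, not the blog's or Gold Finger's code. It applies the
NT access check in canonical ACE order (explicit deny, explicit allow,
inherited deny, inherited allow), expands nested group membership and
answers "who can reset this user's password?" on constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"  # real rightsGuid
CONTROL_ACCESS = "CONTROL_ACCESS"   # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
GENERIC_ALL = "GENERIC_ALL"         # full control, implies every right

@dataclass(frozen=True)
class Ace:
    trustee: str                       # user or group the ACE applies to
    allow: bool                        # True = access-allowed, False = denied
    rights: FrozenSet[str]
    object_type: Optional[str] = None  # extended-right GUID; None = any right
    inherited: bool = False            # inherited from a parent container

# Constructed nested membership: group -> direct members.
GROUPS = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"HelpdeskTier2", "bob"},
    "HelpdeskTier2": {"carol"},
    "Contractors": {"carol"},
}

def expand_groups(principal: str) -> Set[str]:
    """Return the principal plus every group it belongs to, transitively."""
    tokens, frontier = {principal}, [principal]
    while frontier:
        member = frontier.pop()
        for group, members in GROUPS.items():
            if member in members and group not in tokens:
                tokens.add(group)
                frontier.append(group)
    return tokens

def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Explicit ACEs before inherited ones, deny before allow within each."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(principal: str, dacl: List[Ace], right: str,
                 object_type: Optional[str]) -> bool:
    """First ACE matching trustee, object type and right decides the outcome."""
    tokens = expand_groups(principal)
    for ace in canonical_order(dacl):
        if ace.trustee not in tokens:
            continue
        if ace.object_type not in (None, object_type):
            continue
        if right not in ace.rights and GENERIC_ALL not in ace.rights:
            continue
        return ace.allow
    return False  # no matching ACE: denied by default

def allow_ace_trustees(dacl: List[Ace], right: str,
                       object_type: Optional[str]) -> List[str]:
    """What a plain ACL listing shows: trustees holding a matching allow ACE."""
    return sorted({a.trustee for a in dacl if a.allow and
                   a.object_type in (None, object_type) and
                   (right in a.rights or GENERIC_ALL in a.rights)})

def who_can(dacl: List[Ace], right: str, object_type: Optional[str],
            principals: List[str]) -> List[str]:
    """Effective access: the users who would actually pass the access check."""
    return sorted(p for p in principals
                  if access_check(p, dacl, right, object_type))

# Constructed DACL on a Domain Admin's user object.
SAMPLE_DACL = [
    Ace("Domain Admins", True, frozenset({GENERIC_ALL}), inherited=True),
    Ace("Helpdesk", True, frozenset({CONTROL_ACCESS}), RESET_PASSWORD_GUID),
    Ace("Contractors", False, frozenset({CONTROL_ACCESS}), RESET_PASSWORD_GUID),
    Ace("dave", True, frozenset({CONTROL_ACCESS}), RESET_PASSWORD_GUID, True),
    Ace("dave", False, frozenset({GENERIC_ALL})),   # explicit deny wins
]
USERS = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    print("ACL listing:", allow_ace_trustees(SAMPLE_DACL, CONTROL_ACCESS, RESET_PASSWORD_GUID))
    print("Effective  :", who_can(SAMPLE_DACL, CONTROL_ACCESS, RESET_PASSWORD_GUID, USERS))
```

The ACL listing names dave (inherited allow) and omits carol (a Helpdesk member via nesting), yet dave is blocked by an explicit deny and carol by the Contractors deny, so only alice and bob can actually reset the password.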




So, if anyone who attended Microsoft Ignite 2018 (including Microsoft's own experts) knows the answer to this 1 question, please be my guest and answer the question by leaving a comment at the end of that blog post, and you'll earn my respect.


If you don't know the answer, I highly recommend reading, one, two and three, because without knowing the answer to this question (and without possessing this capability), you cannot secure anything in an Active Directory based Windows network.

The last time I checked, virtually the whole world runs on Active Directory.

Best wishes,
Sanjay

Monday, September 24, 2018

Pardon the Absence, and Get Ready!

Folks,

Hello again. I trust this finds you all doing well. It has been a few weeks since I last blogged. I hope you'll pardon my absence.

Yes I was supposed to answer a rather important question, in fact, possibly the world's most important cyber security question, for the whole world, back in July, but I had to postpone doing so, for a few good reasons, which I may reveal in days to come.

Let's just say that amongst other things (e.g. a rather interesting trip across the Atlantic), I was working on finalising a project that directly impacts cyber security worldwide today, you know, the kind of stuff that even James Bond doesn't have yet!



By the way, speaking of Mr. Bond, as you probably know, I'm a huge fan, so thought I'd share a catchy tune with you -



Oh, that project I was working on is almost over (i.e. RC1), so it's time for me to get back to blogging, and... well, get ready!

Best wishes,
Sanjay

Monday, July 9, 2018

What's The World's Most Important Active Directory Security Capability?


Folks,

A few days ago, I had asked likely the most important Cyber Security question in the world today, one that today DIRECTLY impacts the foundational cyber security of 1000s of business and government organizations across 190 countries worldwide.

Here It Is -

What Is the 1 Essential Cyber Security Capability Without Which NOT a Single Active Directory object, domain, forest or deployment can be adequately secured?



I had even provided a hint - it controls exactly who is denied and who is granted access to literally everything within Active Directory, and it comes into play every time anyone accesses anything in any Active Directory domain in any organization.

Thus far, thousands of IT professionals from across the world, including some of the world's most famous/renowned Windows and Active Directory Security experts and CISOs, as well as Microsoft employees, have all seen the question on my blog.

Unfortunately, not ONE individual in the world (okay, except one) has answered this ONE most simple and basic question yet!



Why Not?

Do organizations worldwide NOT know the answer, OR are they afraid to answer it because they don't possess this capability?

Let's find out. To help organizations worldwide, including Microsoft, figure out the answer, I'm going to give a few more hints.



A Few More BIG Hints

Ladies and Gentlemen, NOT a single organization in the world whose IT infrastructure operates on Microsoft Active Directory, can fulfill even ONE of the following mission-critical IT and cyber security needs without possessing this ONE capability -


  1. Adequately secure their foundational Active Directory

  2. Adequately mitigate the risk posed by the use of Mimikatz DCSync

  3. Adequately mitigate the risk posed by Active Directory Privilege Escalation

  4. Accurately identify privileged users in their foundational Active Directory domains

  5. Accurately discover stealthy admins in their foundational Active Directory domains

  6. Adequately protect all organizational computers and user accounts (including C*O accounts)

  7. Adequately secure mission-critical Active Directory integrated applications (e.g. Exchange, Centrify)

  8. Securely integrate their on-premises Active Directory deployments with Microsoft Azure in the "Cloud"

  9. Correctly demonstrate regulatory compliance of access privileges provisioned within their Active Directory

  10. Reliably control the distribution and delegation of administrative authority in their foundational Active Directory

Let me repeat it again so there is NO ambiguity - not a single one of the above mission-critical IT and cyber security needs can be fulfilled without possessing this ONE capability, only because it is technically impossible to do so without this ONE capability.





I'll Make it Easy

Ladies and Gentlemen, Active Directory has been around for almost two decades now, and yet most organizations worldwide do not currently possess this ONE essential, fundamental and paramount cyber security capability yet. The reason they don't currently possess it is likely that they may not even know about it, and that sounds as unbelievable to me as it does to you!

If they haven't figured it out in almost TWO decades, they're not likely to figure it out on their own, so let me make it easy for them.

It is ONE of the following five Active Directory Security Capabilities -
  1. Active Directory Auditing
  2. Active Directory Permissions/ACL Analysis
  3. Active Directory Effective Permissions/Access
  4. Microsoft Advanced Threat Analytics (aka ATA)
  5. <You can throw in all the latest buzzwords here e.g. Privileged Identity/Account Management, Zero Trust, blah blah etc >

Here's one FINAL hint. If you possess this ONE capability (on the right object in Active Directory), then you can also easily turn off i.e. deactivate, disable, and/or render useless, all of the other listed security capabilities in an Active Directory deployment!


So, which ONE is it?





Make No Mistake + Only Two Kinds of Organizations

Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.


Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are provably and demonstrably vastly insecure.




My Concern - This Impacts Organizational Security Worldwide

I hope that with the hints I've provided above, organizations worldwide will finally realize what this ONE essential capability is.


More importantly, I hope that at organizations worldwide, IT personnel, Domain Admins, CISOs and CIOs realize and recognize that without possessing this ONE essential and paramount Active Directory Security capability, their $ Billion organizations may currently be operating on a highly vulnerable foundation, which is a matter so serious that it should concern all stakeholders.



The Answer

February 24, 2020 Update: Here's the answer - THIS is the world's most important Active Directory Security Capability.


Best,
Sanjay.

Thursday, June 14, 2018

Hello Again

Folks,

Hello again! I hope this finds you doing well. Wow, it's been 6 months since I blogged, and I'm sorry for the unintended absence.

Perhaps I should introduce ourselves again ;-)

Hello World, We are ...


I should mention that I've been missing blogging, especially considering that I penned 60+ posts in 2017, so starting Monday, June 18, 2018, I'm going to get back to blogging, because it's time to help safeguard Microsoft's global ecosystem.


Until then, perhaps I should share with you a bit of what's kept me away during the last 6 months -
  • In January, one of the world's top technology companies, one that likely impacts hundreds of millions of computers worldwide, had requested our help in accurately identifying privileged access in their foundational Active Directory, and considering that they had 50,000+ objects in their domain, and the ACL of each object had a whopping 600+ ACEs, we had to enhance Gold Finger so it could efficiently take into account 30 million ACEs to determine effective permissions across their domain, so as Gold Finger's lead architect, I had to get involved to enhance it a bit.

  • In February, one of the world's most important national defense forces had reached out to us with a rather unique requirement within which they wanted Gold Finger to operate, and since it potentially impacted that country's national security, as one of Gold Finger's lead programmers, I had to help lead the effort to help them out.

  • During March and April, we finished work on Gold Finger Mini 6.0, the world's only cyber security tool that democratizes and delivers the power of real cyber intelligence by empowering 500 million+ people worldwide to find out for free exactly who can compromise their Active Directory credentials. It shipped on time, on May 01.

  • In May, amongst others, one of the world's largest insurance companies joined our global family of customers by licensing Gold Finger 007, and I personally got involved to ensure that everything went off smoothly for them. In addition, one of America's top defense contractors had specially requested our assistance in helping them verify least-privileged access (LPA) in their foundational Active Directory, and I decided to get involved to help them out.

I just realized that almost half the year's over, and I hadn't blogged anything yet, so I've decided to get back to blogging.

Very well then, onward to June 18, 2018. Stay tuned!

Best wishes,
Sanjay


Sunday, December 31, 2017

Looking Back at 2017 - An Eventful Year for Active Directory Security

Folks,

As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



Top-10 Notable Active Directory Security Events of 2017

Here are the Top-10 most notable events in Active Directory Security this year -


  1. Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, BloodHound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

  3. On June 08, 2017, CyberArk, a Billion+ $ cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

  5. On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.

  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to set up command and control servers within organizations worldwide. This too made waves.

  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

  9. On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1-9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1-9 above, lies in Active Directory Effective Permissions and Active Directory Effective Access.





Helping Defend Microsoft's Global Customer Base
( i.e. 85% of Business and Govt. Organizations Worldwide )

Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.

This year, I ( / we) ...

  1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

    Introduction, How Well Does Microsoft Understand Cyber Security, The Importance of Active Directory Security, The Impact of an Active Directory Security Breach, The Active Directory Attack Surface, The Top-5 Security Risks to Active Directory, Active Directory Privilege Escalation, An Ocean of Access Privileges, AdminSDHolder, Active Directory ACLs - Attack and Defense (Actual), Active Directory Effective Permissions, and so many more ...


  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





Summary

All in all, it's been quite an eventful year for Active Directory Security (and one that I saw coming over ten years ago).

In 2017, attackers, pen-testers and defenders finally seem to have realized the importance of Active Directory Security.


Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

Best wishes,
Sanjay.

PS: Why I do, What I do.

Friday, June 2, 2017

Active Directory Security is Paramount to Global Security Today (Day 2)

Folks,

Today is Day 2 of advanced Active Directory Security school for Microsoft. Today's post, albeit short and non-technical, is also very important, because the world needs to understand just how important Active Directory Security is to global security today.

From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.


In other words, the foundational security of thousands of government and business organizations depends on Active Directory.

To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Microsoft Active Directory.

Now imagine a scenario wherein someone is able to write and unleash malware designed to target and exploit weaknesses in and compromise foundational Active Directory deployments worldwide. Just how much damage do you think that could do?

If that's a stretch for your imagination, consider this and a much simpler scenario, wherein a perpetrator (e.g. a hacker, an APT, an insider) specifically targets and is able to compromise the Active Directory of even just a few of the world's top organizations.

Hopefully you can now see why Active Directory Security is paramount to global security today. What could be more important?


Now consider this - in almost every Active Directory deployment in the world, there exist thousands of exploitable unauthorized effective access grants, yet neither do most organizations seem to know this, nor do they possess the means to identify them.

Considering the above, one would think Microsoft would be aware of this problem, and if so, have a solution for it, for the world. Sadly, neither Microsoft nor any cyber security company on the planet has a(ny) solution to help these organizations adequately i.e. accurately and swiftly identify and eliminate the billions of unauthorized effective access grants that endanger foundational Active Directory deployments worldwide. Well, except one.

In light of the above, you may want to read Day 1's entry (a few times over, if needed) again - here.

That's all for today.

Good night,
Sanjay


PS: Responsible disclosure/picture-painting: I wouldn't have shed light on this if there was no solution. There is a solution today, and it can help the entire world address and eliminate this problem very quickly, but we can't help these organizations until they themselves first recognize, understand and acknowledge the problem, comprehend its magnitude, & then seek our assistance.