Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Showing posts with label Microsoft Ignite. Show all posts

Monday, October 1, 2018

Did Anyone at Microsoft Ignite 2018 Know the Answer To This Question?


Folks,

Last week, thousands of IT professionals, managers, CISOs and CIOs were in Orlando, attending, well, Microsoft Ignite 2018!

Image Courtesy Microsoft. Source: https://www.microsoft.com/en-us/ignite

Not surprisingly, the Microsoft Ignite Conference had SOLD OUT! There were 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to expert proctors! That's great!

Did I mention that likely hundreds of Microsoft's own experts were also there, and collectively, they covered numerous vital areas such as Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc.


So, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts, one would hope THERE WAS AT LEAST ONE PERSON AT MICROSOFT IGNITE 2018 who could have answered A VERY SIMPLE QUESTION -


       Question: What's The World's Most Important Active Directory Security Capability?


This is paramount, and here's why. In case you're wondering why anyone and everyone who attended Microsoft Ignite 2018 should care about this question AND know the answer, it's because in any Microsoft Windows Server based IT Infrastructure, NOT A SINGLE ONE of the many vital areas listed above, i.e. Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc., can be adequately addressed without involving Active Directory Security.


In fact, here's proof - 

Not a single one of the following fundamental cyber security / Windows security questions can be answered without knowing the answer to the question above and possessing that capability -


  1. Who can reset the passwords of any/every Domain Admin in an organization?

  2. Who can disable two-factor authentication on privileged and other domain user accounts?

  3. Who can change the membership of the Domain Admins group, or of any domain security group?

  4. Who can use Mimikatz DCSync to completely compromise the credentials of all domain user accounts?

  5. Who can delete any Organizational Unit (OU) in any of the organization's Active Directory domains?

  6. Who can link a malicious group policy to an OU to instantly compromise all domain computer accounts in that OU?

  7. Who can modify the attributes of a mission-critical service's service connection points to instantly render it useless?

  8. Who can set the "Trusted for Unconstrained Delegation" bit on a server's domain account to compromise security*?

  9. Who can create, delete and manage domain user accounts, domain security groups, OUs etc. in Active Directory?

  10. Who can control/change privileged access as well as delegated access within and across the entire Active Directory?


Each and every single organization whose IT personnel / CISOs attended Microsoft Ignite 2018 (including Microsoft itself) must have precise answers to each and every one of the above listed fundamental cyber security questions at all times.




So, if anyone who attended Microsoft Ignite 2018 (including Microsoft's own experts) knows the answer to this one question, please be my guest and answer the question by leaving a comment at the end of that blog post, and you'll earn my respect.


If you don't know the answer, I highly recommend reading one, two and three, because without knowing the answer to this question (and without possessing this capability) you cannot secure anything in an Active Directory based Windows network.

The last time I checked, virtually the whole world runs on Active Directory.

Best wishes,
Sanjay

Wednesday, October 11, 2017

A Paramount Question for Microsoft Azure CTO: he said 'Ask me anything'


Dear Mark,

You, Sir, are Mark Russinovich, Chief Technology Officer (CTO) of Microsoft Azure, and for you I have the greatest of respect.

A few days ago at Microsoft Ignite, you said, "Ask me anything!"


By the way, I must compliment you for doing so, because when you do so, you really have to be ready for any/every question!




So, I'd like to ask one question

Mark, on behalf of thousands of Microsoft's organizational customers, I'd like to most respectfully ask you just one simple question -

Question: How can/should organizations find out exactly who actually has what privileged access in their Active Directory?


Specifically, how can organizations determine exactly who can do what on the thousands of domain user accounts, domain computer accounts, domain security groups, containers, OUs, SCPs etc., including of course all their privileged and executive domain user accounts and groups, that reside in their foundational Active Directory?


I only ask this question because as you too will likely agree, this 1 simple question directly impacts and thus is paramount to the foundational cyber security of over 85% of all organizations worldwide, all of whom operate on Microsoft Active Directory.


I really do hope that on behalf of Microsoft, you'll answer this question, for organizations worldwide look forward to the answer.

Most respectfully,
Sanjay

CEO, Paramount Defenses


PS: Sir, if you've ever heard of AccessChk.exe and know what it does,
(and I believe you have), then you know the answer to this question.

PS2: As former Microsoft Program Manager for Active Directory Security, I'd like to offer a hint. The answer to this question is also the premise for, and thus the same as, the key to the ten questions below, and in essence it involves just two words -
1. What Constitutes a Privileged User in Active Directory?

2. How to Correctly Audit Privileged Users/Access in Active Directory?

3. How to Render Mimikatz DCSync Useless in an Active Directory Environment?

4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory?

5. How to Easily Solve The Difficult Problem of Active Directory Botnets?

6. Why Are the World's Top Active Directory Permissions Analysis Tools Mostly Useless?

7. Why is the Need to Lockdown Access Privileges in Active Directory Paramount to its Defense?

8. How to Attain (Lockdown) and Maintain Least Privileged Access (LPA) in Active Directory?

9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory?

10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory deployment?

In short, the answer is (something like) this -
Ans: To do so, all that organizations need to do is to accurately and adequately determine e******** p**********/a***** on their Active Directory objects. That's it.
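One way to start on questions 1, 3 and 4 of the first post above (who can reset Domain Admin passwords, who can change Domain Admins membership, who holds the replication rights DCSync needs) and on the question put to Mark in this post, as an added PowerShell example that is not code from the original posts or from Paramount Defenses: it walks the DACL of the domain naming context, the Domain Admins group and each current Domain Admin account, keeps the ACEs whose ObjectType and rights cover those operations, and flattens group trustees to the accounts behind them. It assumes the RSAT ActiveDirectory module in a domain-joined session with read access to the objects; the function names and the hashtable labels are mine, and the GUIDs are the published schema identifiers of the listed rights and attribute.

```powershell
# Added example, not code from the original posts. Requires the RSAT ActiveDirectory
# module (Import-Module also mounts the AD: drive that Get-Acl reads from).
Import-Module ActiveDirectory

$Domain = Get-ADDomain

# Right/attribute label (mine) -> its well-known rightsGuid / schemaIDGUID.
$RightsOfInterest = @{
    'DS-Replication-Get-Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DCSync needs this ...
    'DS-Replication-Get-Changes-All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # ... and this, on the domain NC
    'User-Force-Change-Password'     = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
    'member'                         = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # write access to group membership
}
$ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$GenWrite  = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$GenAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-GrantingAces {
    # Returns every ACE on the object whose ObjectType covers one of the rights of interest.
    # An ACE with an empty ObjectType applies to all extended rights / all attributes.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        foreach ($name in $RightsOfInterest.Keys) {
            $guid = $RightsOfInterest[$name]
            if ($ace.ObjectType -ne $guid -and $ace.ObjectType -ne [guid]::Empty) { continue }
            $r = $ace.ActiveDirectoryRights
            # Attribute writes come via WriteProperty (or a generic right); extended rights via ExtendedRight.
            $covers = if ($name -eq 'member') {
                $r.HasFlag($WriteProp) -or $r.HasFlag($GenWrite) -or $r.HasFlag($GenAll)
            } else {
                $r.HasFlag($ExtRight) -or $r.HasFlag($GenAll)
            }
            if (-not $covers) { continue }
            [pscustomobject]@{
                Object    = $DistinguishedName
                Right     = $name
                Type      = $ace.AccessControlType   # keep Deny entries: they can cancel an Allow
                Trustee   = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritedObjectType # non-empty means "only for objects of this class"
            }
        }
    }
}

function Expand-Trustee {
    # Resolves DOMAIN\name to the accounts behind it; groups are flattened recursively.
    param([string]$Trustee)
    $sam = $Trustee.Split('\')[-1]
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $obj) { return $Trustee }   # well-known principals such as NT AUTHORITY\SELF, or orphaned SIDs
    if ($obj.ObjectClass -eq 'group') {
        return (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive | ForEach-Object SamAccountName)
    }
    return $sam
}

# Objects to inspect: the domain naming context (the replication rights live here),
# the Domain Admins group (RID 512) and every account currently nested into it.
$domainAdmins = Get-ADGroup -Identity "$($Domain.DomainSID)-512"
$targets = @($Domain.DistinguishedName, $domainAdmins.DistinguishedName) +
           @(Get-ADGroupMember -Identity $domainAdmins -Recursive |
             Where-Object objectClass -eq 'user' | ForEach-Object DistinguishedName)

$aces = foreach ($dn in $targets) { Get-GrantingAces -DistinguishedName $dn }
$aces |
    Select-Object Right, Object, Type, Trustee, Inherited, AppliesTo,
        @{ n = 'Accounts'; e = { (Expand-Trustee $_.Trustee | Sort-Object -Unique) -join ', ' } } |
    Sort-Object Right, Object, Type |
    Format-Table -AutoSize -Wrap
```

What this produces is a list of ACEs with their trustees resolved, which is a necessary input but not yet the answer the posts are asking for: a Deny ACE for the same right, an ACE whose AppliesTo restricts it to another object class, an inherited ACE overridden by an explicit one, ownership of the object, AdminSDHolder re-stamping protected accounts and groups, and nested membership that crosses domain or forest trusts all change who can actually exercise a right on a given object. Reading the table as "who can" without working through those is exactly the shortcut the posts warn against.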