
Tuesday, May 21, 2024

Introducing yet another $ Billion feature in Gold Finger - Single-User Mode


Folks,

Hello. I trust this finds you doing well. In our last post, we had announced our up to $ 100 million software giveaway. Today we'd like to announce an exciting and valuable new feature that we just added to Gold Finger - 'Single User Mode'.


Introducing 'Single-User Mode' in Gold Finger

Over the last many years, we've had the privilege to help secure some of the most important organizations in the world, e.g. the U.S. Treasury, the U.S. Dept of Defense, Berkshire Hathaway subsidiaries, $100 Billion+ F100 companies etc.

[ For those who may not yet know so, we uniquely help organizations attain and maintain least privileged access (LPA) in Active Directory, by empowering them to accurately assess and lockdown exactly who has what privileged access in AD. ]

Over the years, the unique cyber security needs of our customers have driven several valuable features in Gold Finger.

Probably, the ONE feature that most of our global customers have been requesting is the ability to help them easily, instantly and accurately identify exactly WHAT effective access a SPECIFIC user has in/across Active Directory.

For example, assume that you have a specific user, John Doe, and you want to know exactly WHAT (effective) administrative access, if any, John has in your Active Directory, i.e. CAN he create, modify and/or delete domain user accounts, computer accounts, security groups, organizational units, group policies, SCPs etc. in Active Directory, and if so, WHERE and HOW.

Here are 6 simple examples that illustrate this need - 

  1. Can a specific user, John Doe, create user accounts in Active Directory?
  2. Can a specific user, Mark Smith, reset user account passwords in Active Directory?
  3. Can a specific user, Jane Collins, create or delete organizational units (OUs) in Active Directory?
  4. Can a specific user, Benjamin Thompson, replicate secrets (password hashes) from Active Directory?
  5. Can a specific user, James Smith, modify permissions on domain accounts, groups or OUs in Active Directory?
  6. What administrative tasks can a specific user, Tony Stark, perform (anywhere) in an Active Directory OU/domain?


That is the ONE feature that virtually all of our customers have been requesting, and it is my privilege to share that this week, we finally delivered this ONE feature for our customers and the entire world, and it is NOW available in Gold Finger.

IF you can click a button, you can NOW instantly and accurately find out exactly WHAT effective access ANY specific user you specify has in your Active Directory, WHERE and HOW, in minutes, via the 'Single-User' Mode in Gold Finger.


In the remainder of this post, I will technically illustrate this feature, but before I do so, two myths need to be debunked. 


Debunking 2 (Trillion $) Myths

I have about 25 years of experience in Active Directory Security, so I know the subject well enough to unequivocally state that it is very concerning to see just how LITTLE most organizations and vendors know about Active Directory security.   

So, before I shed light on this feature, I felt the need to debunk 2 popular myths -

  1. Is Active Directory even relevant anymore? - Over the last 20 years, Active Directory has been the foundation of IT and cyber security worldwide. With the advent of the Cloud (i.e. merely someone else's computer(s)), many an organization is (likely being misled into) considering transitioning their primary identities to a Cloud provider (e.g. Microsoft Azure). LITTLE do these organizations realize that the DAY they transition over their PRIMARY identities to an IDP in the Cloud is the DAY they will relinquish ALL operational autonomy (control) and organizational privacy FOREVER, losing control over their future, and taking on a critical eternal dependency on a (foreign) third-party.

    In contrast, organizations that operate on Active Directory continue to maintain and retain independent control over their PRIMARY identities, and thus retain their operational autonomy, organizational privacy and self-reliance.

    In simple words, any organization that may be considering transitioning their primary identities from Active Directory to an(y) IDP in the Cloud should know exactly what it is they stand to LOSE if they do so, and act accordingly.


  2. What's the big deal? We can easily already do this. - Actually, you can't*, and it is a big deal. You see, if you think you can easily already do this, you're likely one of millions of amateurs who naively believe that finding out who has what access in Active Directory is merely the same as finding out who has what permissions in Active Directory, which any script can seemingly do, and which numerous amateur vendors also claim to be able to do.

    *If you know of any cyber security solution in the world that can do what Gold Finger's advanced tools can, you can have Gold Finger for free.

    In reality, if you're merely relying on finding out who has what permissions in Active Directory, you have a LOT to learn, and THOUSANDS of hours before you can do this correctly. In short, what you need to do is find out who has what effective permissions in Active Directory first, and that alone is something even the $3 Trillion Microsoft does not possess the ability to accurately determine, let alone any organization, vendor or admin in the world. (We do.)

    In short, if you want to understand what the big deal is, you'll want to read the technical sections of this blog post, as well as read this and this (as many times as needed), and then ask yourself if you have the ability to do so.


With these 2 myths debunked, now that we understand the profound value and paramount importance of Active Directory, and how difficult it is to accurately determine access in it, we can proceed to appreciate Gold Finger, and this new feature.



A Quick Technical Primer

To understand and appreciate this feature, one first needs to adequately understand the fundamentals of Active Directory Security, and towards that end, this section is possibly the most concise primer you'll find anywhere on the subject.

You see, simply put, what makes Active Directory so important and valuable is the fact that it is the heart of AAA, and it stores and protects all the building blocks of organizational cyber security i.e. all organizational user accounts and their credentials, all organizational computer accounts and their policies, and all organizational groups and their memberships.

Active Directory Security Permissions 

In other words, ultimately, the most valuable assets in Active Directory are its contents, each one of which is represented by an Active Directory object that is protected by an access control list (ACL). In that ACL reside multiple security permissions, each one of which allows or denies some type of access to some security principal, and ultimately it is the resultant set of all the security permissions in an object's ACL, aka its effective permissions, that determines who has what access to it.

Further, since it is infeasible for an organization to individually configure security permissions on thousands of objects, Active Directory lets admins specify inheritable security permissions, which can be specified on container objects (e.g. OUs) and automatically flow down to all/specific child objects, making it easy to specify access on thousands of objects.

Lastly, a precedence order governs the resultant access arising from conflicting sets of allow and deny permissions. 

Consequently, in a nutshell, in every Active Directory domain, there exist hundreds of thousands of explicit and inherited security permissions, each one allowing or denying various combinations of access to various users, computers, groups etc., and ultimately it is the resulting access of ALL these permissions that actually determines who has what access.

It follows logically then that to secure the contents of Active Directory, one needs the ability to accurately assess who currently has what access i.e. effective permissions, on (thousands of) Active Directory objects, for one simply cannot secure (i.e. lockdown) access to any securable asset without first being able to assess who currently has what access.

In other words, it is impossible to secure Active Directory without possessing the ability to accurately determine effective permissions in Active Directory. In fact, one can't even secure a single object without possessing this fundamental ability.



5 Simple Examples

Finally, before we see Gold Finger's existing capabilities and those of this new feature, it is important to understand just how difficult and technically complex it is to accurately make access assessment determinations in Active Directory.

Here are five simple examples that illustrate the complexity involved in making these paramount determinations -

  1. Who can reset a domain user account's password? Consider an(y) account in Active Directory. There are likely over one hundred security permissions in its ACL, each one allowing or denying some access to some security principal, and each one being explicit or inherited. To make this determination, one will need to accurately take into account the collective impact of all of these hundred plus security permissions, with 100% accuracy, considering all factors that influence access, such as inheritance, precedence orders, group memberships, self-relative permissions, class applicability etc. In other words, one needs to determine the resulting effective permissions on the object. 

  2. Who can modify a domain group's membership? Consider any group in Active Directory. Akin to the example above, there are likely over a hundred security permissions in the ACL protecting this group's object in Active Directory, and likewise, to make this determination, one will need to accurately determine the collective impact of all the hundred plus security permissions in this object's ACL, i.e. determine the resulting effective permissions on this object.

  3. Who can replicate secrets from Active Directory? The enactment of this one single act can result in the instant and complete compromise of an entire organization. Consequently, making this paramount determination is absolutely essential for organizational cyber security. Assessing who can replicate secrets from Active Directory involves the accurate determination of not one but two special extended rights on the domain root, and consequently is twice as complicated as making a single effective-permission based assessment, such as those in the previous examples.

  4. Who can create a user account in Active Directory? This may seem like a simple assessment to those new to the subject, but a professional will tell you that this seemingly simple assessment involves a substantial amount of complexity i.e. the accurate determination of effective permissions on every organizational unit, almost* every container in Active Directory, and every object under which the Schema permits the creation of domain user accounts, and thus depending on an organization's OU structure/design, making this one simple determination could involve accurately determining effective permissions on possibly dozens of Active Directory objects.   

  5. Who can delete a large OU, such as the Corp OU? Consider an OU that contains hundreds/thousands of objects. The determination of who can delete this OU is possibly one of the hardest technical determinations in all of cyber security, because there are multiple ways in which an OU and its contents can be deleted, and thus one technically needs to determine the collective impact of thousands of security permissions, i.e. determine effective permissions on every object in the OU, as well as the impact of delete-child and delete-tree permissions on all non-leaf objects.


In short, as illustrated by these examples, to make these paramount access determinations accurately, one needs to be able to accurately determine effective permissions on Active Directory objects, and in fact, do so on thousands of objects.


Note - Today, no cyber security company on Earth, whether it be PANW, CRWD, ZS, OKTA, CYBR, NET, MSFT etc. possesses the capability to help organizations determine effective permissions in Active Directory. Well, except one.



Gold Finger - Standard Mode

Gold Finger is the world's only solution that can accurately determine effective permissions in Active Directory, and in fact do so on thousands of objects, to determine exactly who has what effective access, where and how in Active Directory.

Gold Finger for Active Directory

Technically, it is a suite of 8 Active Directory assessment tools that includes a Security Auditor, a Membership Auditor, an ACL Analyzer, an ACL Exporter, an Active Directory Permissions Analyzer, and the world's only accurate i) Active Directory Effective Permissions Calculator, ii) Effective Access Auditor, and iii) an unrivaled domain-wide Privileged Access Assessor.


For the purposes of this post, we'll focus on the Privileged Access Assessor, of which the following is the Standard Mode -

Active Directory Privileged Access Assessor

As can be seen above, the default mode in the Privileged Access Assessor, referred to from now on as the Standard Mode, enables organizations to instantly, accurately and automatically make over 100 paramount privileged access assessment determinations in Active Directory, such as -  

  1. Who can create user accounts, computer accounts, security groups, OUs etc. in Active Directory?
  2. Who can delete user accounts, computer accounts, security groups, OUs etc. in Active Directory?
  3. Who can reset account passwords, modify group memberships, disable two-factor auth etc. in Active Directory?
  4. Who can modify permissions on all objects, on OUs, on AdminSDHolder, the domain-root etc. in Active Directory?
  5. Who can link GPOs to OUs, delegate/modify administrative access, replicate secrets from Active Directory etc.?

It is the only cyber security tool in the world that can accurately make these paramount determinations in Active Directory.


In technical terms, the Standard Mode of Gold Finger delivers the capability to automatically analyze millions of security permissions in Active Directory, instantly and accurately determining effective permissions on thousands of objects, to ultimately determine and reveal exactly who has what privileged access in Active Directory, where and how, domain-wide.


As it pertains to this post, the Standard Mode of Gold Finger determines and reveals the identities of all users who have sufficient effective access in Active Directory to be able to perform one or more specified administrative tasks.

For instance, if it is the case that 100 users can create user accounts in Active Directory, it will list them all. Likewise, if you select 100 tasks to assess for, it will determine and then list the identities of all users who can enact each selected task.



Gold Finger - Single-User Mode

There are many scenarios in which an organization needs to be able to quickly determine whether or not a specific user has sufficient effective access in Active Directory to be able to enact a specific administrative task. Likewise, there are many scenarios in which an organization needs to know what all a specific user is able to do in their Active Directory.

For such scenarios, it can be very helpful if IT personnel can specify a specific user and have Gold Finger determine either whether that specific user can perform a specific task in Active Directory, or if he/she can perform all/specific admin tasks.

The Single-User Mode being introduced today delivers on this exact capability -

Gold Finger - Single-User Mode

It enables organizations to be able to specify a specific (single) user, and have Gold Finger instantly, accurately and automatically determine whether or not that user can perform one or more selected/specified tasks in Active Directory.   


To activate Single-User Mode, one simply uses the new Mode option in the application menu -



Once in Single-User Mode, to specify a specific (single) user, one simply clicks on the 'Specify a User' button -


This opens Gold Finger's inbuilt Search dialog that enables you to easily search for and specify a specific user -


Once a user has been selected, the next step is to select one or more privileged access reports you wish to assess for -


Once you have selected the access reports you wish to generate for the specified user, you click the Gold Finger button.

Gold Finger then automatically determines whether or not the specified user has sufficient effective access (i.e. effective permissions) in Active Directory (on thousands of objects if needed) to be able to enact the selected tasks, and if so, where all (scope-wide) and how, and displays results -


In the snapshot above, we can see that three access reports had been selected and that the assessment scope was set to be the entire domain. Gold Finger instantly, automatically and accurately determined effective permissions on thousands of Active Directory objects in the domain, and determined that the specified user can perform all the selected tasks (shown in the What dropdown) in the specified scope (i.e. entire domain), and for each selected administrative task, it also revealed exactly where this user can perform these tasks (shown in the Where pane), as well as how the specified user can do so (shown in the How pane) i.e. based on which underlying security permission in the ACL of the target object.

As seen above, in just seconds, Gold Finger assessed and confirmed that the specified user does indeed have sufficient effective access to perform the specified tasks, and also revealed exactly where he can enact them, and how.


In this manner, Gold Finger's new Single-User Mode lets organizations instantly determine whether a specific user can perform one or more (100+) administrative tasks anywhere in Active Directory, where and how, all at a button's touch!




Multi-Tool Availability

Single-User Mode is now also available in the Effective Permissions Calculator and the Effective Access Auditor.

The availability of Single-User Mode in Gold Finger's Active Directory Effective Permissions Calculator finally enables organizations to easily determine what effective permissions a specific user has on a specific Active Directory object -

Active Directory Effective Permissions Calculator


Likewise, the availability of Single-User Mode in Gold Finger's Active Directory Effective Access Auditor finally enables organizations to easily determine what administrative tasks a specific user can perform on a specific Active Directory object, such as on a specific domain user account, a domain security group, an organizational unit etc. -

Active Directory Effective Access Auditor


The availability of Single-User Mode in these three indispensable tools will enable and empower organizations worldwide to easily, quickly and efficiently fulfill numerous Active Directory focused privileged access assessment/verification needs.



Indispensable Tooling

It is my professional opinion as former Microsoft Program Manager for Active Directory Security that the following three unique effective-access assessment tools in Gold Finger are absolutely indispensable for Active Directory Security -
  1. Active Directory Effective Permissions Calculator - Calculate effective permissions on any object in Active Directory.
  2. Active Directory Effective Access Auditor - Audit effective access on accounts, groups, OUs etc. in Active Directory.
  3. Active Directory Privileged Access Assessor - Instantly assess privileged access domain-wide in Active Directory.

The simple reason they are indispensable for Active Directory Security is because they uniquely enable organizations to accurately assess and lockdown all access, including privileged access in Active Directory, i.e. to trustworthily attain and maintain Least Privileged Access (LPA) in Active Directory, which is a fundamental and cardinal tenet of Zero Trust.


At Paramount Defenses, we are confident that the general availability of Single-User Mode in Gold Finger, across all of these three indispensable tools, will make it even easier for our customers to attain and maintain LPA in Active Directory.


In closing, I will only add that Active Directory has been and remains the bedrock of organizational cyber security because it enables organizations worldwide to independently operate their foundational IT infrastructures, thereby preserving and retaining their autonomy, privacy, security and self-respect, and our commitment to helping secure AD remains ironclad.


Thank you very much, especially to our customers worldwide,
who are undoubtedly, true thought-leaders in cyber security.

Best wishes,
Sanjay.


PS: To those who may be new to cyber security and may be wondering why I titled the post "Yet another $ Billion Feature," if you consider the fact that from the entire U.S. Government to the global Fortune 1000, today thousands of organizations across over 150 countries worldwide operate on Active Directory, I think you'll find that I was actually being rather modest.

Friday, March 15, 2024

We're Giving Away up to $ 100 Million in Software

Folks,

Hello. Today is our eighteenth anniversary, and to celebrate this occasion, and help thousands of organizations worldwide that operate on Active Directory, today we announced our intent to give away up to $ 100 Million worth of Gold Finger licenses to all organizations that can affirmatively answer just one simple question concerning Active Directory security.

Details on our up to $100 Million software giveaway can be read in our press release - Paramount Defenses Celebrates Eighteen Years in Business, Announces Up To $100 Million Software Giveaway | Business Wire

We cordially invite all organizations worldwide to kindly take us up on our generous offer, and we hope that organizations worldwide will give serious thought to the one question that we have asked. If you ask me, it's a really simple question and the answer is either a Yes, or a No. If it's a No, then they must ask themselves how secure they actually are today.


Over the last eighteen years, we have pioneered, perfected and automated the incredibly difficult and sophisticated art of accurate access assessment, particularly in Active Directory, and as pioneers and industry leaders in access assessment, we remain committed to helping organizations securely operate their foundational Active Directory infrastructures.

That's all for now. Thank you very much. I wish you well. I'll leave you with this.

Best wishes,
Sanjay 


Wednesday, March 6, 2024

World, Hello Again

Folks,

Hello. I hope this finds you doing well. It has been almost two years since we last penned a post here on our blog.

The silence was intentional, and now it is TIME to break our silence. We have been hard at work, quietly, working on two new products, GG and TB (one of which targets the Cloud), both of which, like GF (Gold Finger), could* easily and substantially impact the foundational cyber security of thousands of organizations worldwide, including Microsoft's.

*If the need were to arise, as and when it does, we will unveil them.


For now though, our focus continues to be on Gold Finger, which remains unrivaled and indispensable for Active Directory Security. Today, amongst many organizations worldwide, Gold Finger helps secure and defend $100 Billion+ companies.

Speaking of which, today we announced the availability of Gold Finger Version 8.0 with support for Windows 11.



Active Directory remains Foundational

Microsoft Active Directory is a mature, time-tested and provably trustworthy technology that enables and empowers organizations to autonomously operate the lifeline of their business, their IT infrastructures. Those who claim that Active Directory is not secure may not know enough about Active Directory security.

Active Directory is one of the most highly securable technologies in the world today, and its powerful security model enables organizations that possess the right capabilities to be able to easily attain and maintain least privileged access (LPA) and independently operate highly resilient foundational IT infrastructures.

In days to come, we will help the world understand how to easily attain and maintain LPA in Active Directory.



Helping Organizations Retain their Operational Autonomy, Privacy and Dignity

Today, we also reiterated our commitment to helping organizations worldwide securely operate Active Directory.

Thousands of organizations worldwide are realizing for themselves what we have been saying for years i.e. the day they relinquish control of their primary identities (such as to an IDP in the Cloud) is the day they will have relinquished their operational autonomy and privacy, forever, and taken on an eternal dependency on a third-party. 

Of course, should such an IDP be compromised, their organization could also instantly be at risk of compromise.

In contrast, organizations that retain control over their primary identities i.e. organizations whose primary identities reside in their Active Directory, will continue to enjoy operational autonomy, safeguard their privacy and preserve their dignity.

In days to come, we will also help organizations worldwide understand how to easily secure Active Directory.


That's all for now. There's a lot we have to share, and in coming days, you can expect us to do so.

Best wishes,
Sanjay 


Wednesday, April 27, 2022

Active Directory - The World's Most TRUSTWORTHY Foundational Technology


Folks,

Today I'd like to share a few thoughts with you on one of the most important topics in all of organizational security - i.e. which FOUNDATIONAL technology should organizations be operating upon today? I will make the case for Active Directory.


Microsoft Active Directory - The World's Most Trustworthy Foundational Technology

For the last twenty years, the entire world has successfully operated on a highly trustworthy foundation - Active Directory.

Indeed, from the entire United States Government to virtually the entire global Fortune 1000, today over twenty thousand government and business organizations in over one hundred and ninety countries operate on Microsoft Active Directory.

Active Directory has stood the test of time and is the most trustworthy foundation that organizations can operate on today.


While some may view Active Directory as merely an Identity Provider (IDP), in reality, it is substantially more than that. 


Active Directory is -

  1. An enterprise-grade multi-mastered directory service that offers unrivaled availability, fault-tolerance and resilience. 

  2. A Kerberos realm that enables enterprise-wide trustworthy network authentication and seamless single sign-on.

  3. The Foundation of Authentication, Authorization and Auditing (AAA) that empowers organizations to precisely control network user authentication, secure authorization to IT resources and auditing for all vital AA actions.

  4. The Heart of Identity and Access Management (IAM) considering that the entirety of an organization's identities (and their credentials) and security groups reside in and are secured and managed in Active Directory.   

  5. The Heart of Privileged Access and Enabler of Least Privileged Access (LPA) considering that the most powerful privileged accounts are stored, secured and managed in it -AND- that privileged access for all salient aspects of identity and access management can be precisely provisioned/delegated based on the principle of least privilege.    

  6. The Control Center for Centralized Host and Security Management that via Group Policy enables organizations to easily, efficiently and comprehensively control and manage all endpoints -AND- their security.

  7. The Foundation for Zero Trust considering that Zero Trust is fundamentally about ensuring that all access is provisioned based on the principle of least privilege (i.e. LPA), and in environments powered by Active Directory, access for all aspects of identity and access management is provisioned, controlled and audited in Active Directory.


In addition, Active Directory lets organizations easily enable seamless single sign-on to external systems via federation, and it can be synchronized with secondary IDPs like Microsoft Azure to facilitate SSO access to Cloud based services.


Finally, contrary to popular belief, Active Directory can* in fact be easily, efficiently and reliably operated and secured. 

However, the most important and overlooked strength of Active Directory is that it enables and empowers organizations to be able to autonomously and independently operate their IT infrastructures, without any eternal external dependencies, without having to expose the entire organization to the Internet, and without having to incur a dime of additional cost.



Conclusion

In essence, today, an organization's Active Directory deployment is the very foundation of its cyber security, the heart of privileged access and the bedrock of organizational security, which makes it an extremely valuable organizational asset.

Above all, it lets organizations independently operate highly trustworthy, self-reliant and fixed-cost IT infrastructures, in contrast to having to relinquish all control and transition to relatively new, constantly costing, third-party operated services.


In conclusion, when it comes to cyber security, technical maturity, operational excellence and autonomous operation, today, no technology can rival the trustworthiness, resilience and autonomy that Active Directory offers organizations.


Best wishes,
Sanjay Tandon

Formerly
Program Manager
Active Directory Security
Microsoft Corporation

Friday, April 8, 2022

How to CORRECTLY identify WHO can run DCSync against Active Directory


Folks,

Hello. Today, we'll share with you what the CORRECT procedure is for finding out who can successfully execute Mimikatz DCSync against your Active Directory, particularly because so many IT professionals errantly believe that they know how to accurately make this determination. 

As many know, Mimikatz DCSync is a hacking tool written by Benjamin Delpy that is often used by perpetrators to swiftly and substantially compromise organizations by letting them determine the passwords of all organizational AD accounts.

This is extremely important because DCSync is possibly the single biggest threat to all organizations operating on Active Directory, considering that even just a single successful enactment of DCSync instantly results in the compromise of the credentials of ALL domain user accounts, and thus, is in effect, tantamount to a colossal breach.


In fact, as recently shared by Microsoft Security, and I quote below, even LAPSUS$ i.e. DEV-0537 have been observed to use DCSync to substantially compromise several organizations, including most notably, Okta -
"The group compromised the servers running these applications to get the credentials of a privileged account or run in the context of the said account and dump credentials from there. The group used DCSync attacks and Mimikatz to perform privilege escalation routines. Once domain administrator access or its equivalent has been obtained, the group used the built-in ntdsutil utility to extract the AD database."

Now, it is very important to understand that LAPSUS$ were only able to successfully use DCSync because they were able to compromise an account that had sufficient ACCESS in their Active Directory domain so as to be able to run DCSync.

In other words, if an account compromised by perpetrators does NOT have sufficient ACCESS to be able to successfully run DCSync, then the perpetrators will NOT actually be able to successfully run DCSync against Active Directory. So, if we can correctly find out who has sufficient ACCESS to run DCSync against our Active Directory, we can lock down all such exploitable access, minimizing the possibility of perpetrators being able to use DCSync against our Active Directory.





The ACCESS required to DCSync

In order for organizations to be able to identify ALL accounts that possess sufficient ACCESS to be able to run DCSync, they first need to know exactly what ACCESS an account needs to be able to run DCSync against Active Directory.


From a technical standpoint, any user that has (i.e. is granted) sufficient privileged access in Active Directory to be able to replicate secrets from Active Directory can request Active Directory to provide it a copy of the entire domain contents, including all secrets i.e. password hashes of all domain accounts.

It logically follows that a perpetrator can only successfully use Mimikatz DCSync against an Active Directory domain if the compromised domain account that he/she is using has sufficient privileged access in Active Directory to be able to request and obtain secrets (i.e. password hashes) from Active Directory.


Speaking of which, the exact privileged access required to obtain (replicate) secrets from Active Directory involves two Active Directory extended rights, and an attacker requires BOTH of these permissions to be effectively granted -

  1. Replicating Directory Changes
  2. Replicating Directory Changes All

To be specific, to be able to successfully execute DCSync, an account needs to have both of these Active Directory extended rights be effectively granted in the ACL of the domain root object of an organization's Active Directory.




The Mistake 99% of IT Pros Make 

Now, it is at this point that we must take a moment's pause and understand something extremely important.

The operative word in the statement of the required access above is "effectively" granted, and therein lies the answer to this question.

You see, most IT professionals errantly assume that all they need to do is find out "Who has these permissions in Active Directory" and to do so all they need to do is use any Active Directory ACL/Permissions Analysis tool, or write a few lines of PowerShell script to find out which users and groups are granted these permissions, and that's it!


Unfortunately, any IT professional that makes the above assumption is very likely going to end up with an inaccurate list of accounts that can run DCSync because what needs to be determined here is not "Who has these permissions in Active Directory" but in fact "Who has these effective permissions in Active Directory?"

In short, it is not "who has what permissions in Active Directory" but in fact "who has what effective permissions in Active Directory" that determines who actually has sufficient privileged access so as to be able to run Mimikatz DCSync!

Further, and as such, "effective permissions" not only determines who can actually run DCSync against Active Directory, it actually determines exactly who has what privileged access to do just about anything and everything in Active Directory.

This subtle yet profound difference can be very easy to get wrong, and yet is extremely important to understand, because it determines whether or not the results of one's analysis are accurate or not, and as you know, when it comes to privileged access, there is absolutely no room for error and accuracy is paramount.

Consequently, while it is relatively easy to find out "Who has these permissions in Active Directory" using PowerShell or any ACL/Permissions Analysis tool, it is far more difficult, if not almost impossible, to accurately find out "Who has these effective permissions in Active Directory" using PowerShell or such tools.
   



Effective Permissions

In this section, we will understand why it is not "Who has what permissions in Active Directory" that we need to determine, but in fact "Who has what effective permissions in Active Directory" that we need to determine if we care about accuracy.


Once you have understood this, you will also understand why no AD ACL/Permissions Analysis tooling and/or any PowerShell script that one may have written, no matter how complicated, can actually provide accurate results.


Let us consider what we need to determine to make this paramount determination. 

In essence, what we need to determine is in light of ALL the security permissions specified in the ACL protecting the domain root object, exactly who has BOTH the "Get Replication Changes" and "Get Replication Changes All" extended right effectively allowed.

By "effectively" what we mean is the following - consider that a user John Doe is a member of two groups, Group X and Group Y. Further consider that in the ACL of the domain root, the following permissions exist for Group X and Group Y -

Deny   Group X   All Extended Rights
Allow   Group Y    Full Control 

Note - As you may know, each of the above is an ACE (access control entry) in an ACL (access control list), and each ACE either allows or denies either a generic or a specific type of permission to a specific security principal.


Consequently, one might rightly assume that for starters we need to consider ALL ACEs in the ACL that specify either one of the following permissions - "Get Replication Changes" extended right, "Get Replication Changes All" extended right, All Extended Rights and Full Control.

Note: Some pros like to include the impact of being able to modify permissions on the ACL at this stage, but that is strictly speaking, an entirely separate entitlement/administrative task, which is why, strictly speaking, it need not be taken into account at this stage. 


Now, based on the above, most PowerShell scripts would be programmed to find all permissions that grant either of the above four rights, and that is indeed the correct way to BEGIN to approach this analysis.

However, it is at this point that not only most PowerShell scripts, but also all AD ACL/Permissions analysis tools, and even tools like Bloodhound, meet their match and start falling substantially short.

Let me explain -

Based solely on an ACL that has the above two permissions, virtually all PowerShell scripts and tools like Bloodhound, will enumerate both permissions but make either of the two following errors - 

  1. Error 1 - They will errantly assume that since there is an ACE specifying the specified access for two groups, members of both these groups have the required access, at which point they will proceed to expand these group memberships and report that all the members of both these groups can in fact replicate secrets, whereas nothing could be further from the truth!

  2.  Error 2 - A more refined script looking merely for Allow permissions will partially rightly determine that only members of Group Y have the required access, at which point it will proceed to expand this group's membership and report that all its members can in fact replicate secrets, which too would unfortunately be inaccurate.

Here's why both of the above will lead to inaccurate results - what such PowerShell scripts and tools like Bloodhound ACTUALLY need to be doing is determining that Group Y is allowed the required access -AND- Group X is denied the required access. They therefore need to identify the members of both groups, and then perform conflict resolution, which involves correctly identifying any and all individuals that are members of both groups and eliminating those individuals from the final list, since the deny permission takes precedence over the allow permission!



NOW, in theory, and especially when you are considering merely two ACEs, as we have above, being able to perform this conflict resolution may seem simple, BUT in practice and reality, the ACL of the domain root could easily have hundreds of ACEs/permissions, and theoretically each one of them could be in play, i.e. could influence such access, and be either allow or deny, so for any PowerShell script or a tool like Bloodhound to be able to deliver accurate results, it would have to have the automated ability to accurately perform conflict resolution involving hundreds of ACEs (permissions).

Further, in the illustrative example shared above, John Doe was directly a member of these two groups. 

In the real world, thousands of accounts could also indirectly, i.e. via nested group memberships, some of which may be deeply nested, and others may possibly also be circularly nested, be members of hundreds of domain security groups for which permissions may be specified in the domain root's ACL, and the PowerShell script or a tool like Bloodhound will need to have the ability to be able to process even such substantial complexity with 100% accuracy.

In addition, theoretically speaking, Active Directory security permissions could also be specified for one or more well-known RIDs as well as well-known security principals, such as Domain Users, Authenticated Users, Everyone, etc. and so PowerShell scripts and tools like Bloodhound will also need to be able to accurately evaluate the impact of all such permissions on the resulting access.

Also, there are several other factors that influence the accurate determination of "who has what privileged access in Active Directory" and I'm not going to list them all out here.

Finally, the ACL on the domain root object is an exception in that it is possibly the only object (other than those that have protected ACLs) wherein there are no inherited permissions to deal with. In reality, 99% of objects in Active Directory also inherit hundreds of security permissions, and it is exponentially more difficult to accurately do conflict resolution when inherited permissions are also in play, because one has to accurately determine resulting access in light of the precedence order involving both explicit and inherited allow and deny permissions.
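To make the rules described in this section concrete (the two extended rights, the four permission categories that cover them, deny-over-allow conflict resolution, nested and circular group membership, and well-known principals), here is an added example in Python. It is not code from this post, from Paramount Defenses, or from Gold Finger, and it is a deliberately simplified model: it handles only explicit ACEs on the domain root (no inheritance, object-type scoping, or the other factors mentioned above), and every account, group and ACE in it is constructed sample data. It places the "expand the Allow ACEs" approach (Error 2 above) next to the conflict-resolved answer so the difference is visible on the same ACL.

```python
"""Simplified model of resolving effective access to the two DCSync extended
rights on the domain root. Added illustration; not the post's or any product's code.

Assumptions (all hypothetical, constructed for this example):
  - the ACL, groups and accounts below are sample data, not a real domain;
  - an explicit Deny on a right wins over any explicit Allow of that right;
  - well-known principals such as Authenticated Users stand for every account;
  - inheritance and object-type scoping are NOT modelled.
"""
from dataclasses import dataclass

# The two extended rights DCSync needs, by their AD display names.
GET_CHANGES = "Replicating Directory Changes"
GET_CHANGES_ALL = "Replicating Directory Changes All"
DCSYNC_RIGHTS = frozenset({GET_CHANGES, GET_CHANGES_ALL})

# Which of the two rights each permission category in the ACL covers.
COVERS = {
    GET_CHANGES: frozenset({GET_CHANGES}),
    GET_CHANGES_ALL: frozenset({GET_CHANGES_ALL}),
    "All Extended Rights": DCSYNC_RIGHTS,
    "Full Control": DCSYNC_RIGHTS,
}


@dataclass(frozen=True)
class Ace:
    kind: str         # "Allow" or "Deny"
    principal: str    # account, group or well-known principal
    permission: str   # a key of COVERS


# Constructed sample ACL on the domain root (hypothetical).
DOMAIN_ROOT_ACL = [
    Ace("Deny", "Group X", "All Extended Rights"),
    Ace("Allow", "Group Y", "Full Control"),
    Ace("Allow", "Group Z", GET_CHANGES),              # only one of the two rights
    Ace("Allow", "Group V", GET_CHANGES_ALL),          # the other right, on its own
    Ace("Allow", "Authenticated Users", GET_CHANGES),  # well-known principal
    Ace("Allow", "Domain Admins", "Full Control"),
]

# Constructed group membership (hypothetical), with nested and circular nesting.
GROUPS = {
    "Group X": {"John Doe"},
    "Group Y": {"John Doe", "Mark Smith", "Group W"},
    "Group W": {"Jane Collins", "Group Y"},   # W is in Y and Y is in W: a cycle
    "Group Z": {"Benjamin Thompson"},
    "Group V": {"svc-backup"},
    "Domain Admins": {"Administrator"},
}
DOMAIN_ACCOUNTS = frozenset({"John Doe", "Mark Smith", "Jane Collins",
                             "Benjamin Thompson", "svc-backup", "Administrator"})
WELL_KNOWN = frozenset({"Authenticated Users", "Domain Users", "Everyone"})


def members(group, groups=GROUPS):
    """Transitive (nested) membership; the visited set makes circular nesting terminate."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, ()):
            if m in groups:
                stack.append(m)   # nested group: keep expanding
            else:
                users.add(m)      # leaf account
    return users


def accounts_for(principal):
    """Every domain account an ACE's principal stands for."""
    if principal in WELL_KNOWN:
        return set(DOMAIN_ACCOUNTS)   # every domain account is an authenticated user
    if principal in GROUPS:
        return members(principal)
    return {principal}


def naive_allow_only(acl):
    """'Error 2' from the post: expand every Allow ACE that mentions either right
    and report the union. Ignores Deny ACEs and ignores whether an account
    ends up holding BOTH rights."""
    found = set()
    for ace in acl:
        if ace.kind == "Allow" and COVERS[ace.permission] & DCSYNC_RIGHTS:
            found |= accounts_for(ace.principal)
    return found


def effective_rights(acl, account):
    """Rights effectively allowed to one account after conflict resolution:
    a Deny on a right, from any group or principal, wins over any Allow of it."""
    allowed, denied = set(), set()
    for ace in acl:
        if account in accounts_for(ace.principal):
            (denied if ace.kind == "Deny" else allowed).update(COVERS[ace.permission])
    return frozenset(allowed - denied)


def effective_dcsync(acl):
    """Accounts that hold BOTH replication rights effectively."""
    return {a for a in DOMAIN_ACCOUNTS if DCSYNC_RIGHTS <= effective_rights(acl, a)}


if __name__ == "__main__":
    print("naive (Allow ACEs expanded):", sorted(naive_allow_only(DOMAIN_ROOT_ACL)))
    print("effective (both rights, Deny wins):", sorted(effective_dcsync(DOMAIN_ROOT_ACL)))
```

On this sample ACL the naive pass reports all six accounts, because the Authenticated Users ACE alone covers everyone. The conflict-resolved answer drops John Doe (the Deny via Group X outranks his Allow via Group Y) and Benjamin Thompson (he holds only one of the two rights), while it keeps Jane Collins (a member of Group Y only through the circularly nested Group W) and svc-backup (one right from Group V, the other from Authenticated Users). Each of those four outcomes corresponds to one of the factors described above; in a real domain, inheritance and the other factors the post lists would have to be layered on top of this.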

For anyone who wants to learn more, a more detailed explanation and example of just how difficult and complicated it is to accurately determine Active Directory Effective Permissions can be found here.

In short, it is extremely difficult, if not almost impossible, to write any amount of PowerShell that can take all of the above complexity into account and yet determine with 100% accuracy, exactly who has sufficient effective access so as to be able to enact a critical operation such as DCSync against Active Directory, or perform any one of over one hundred possible administrative tasks in Active Directory.

This is why it is almost impossible for any PowerShell script or a tool like Bloodhound to be able to accurately determine who can successfully execute DCSync against an organization's Active Directory.






An Actual, Step-by-Step Example

The best way to understand what I have shared above is for you to try it yourself in an Active Directory, and to facilitate exactly that, we have made available a real-world like lab AD of a fictional company in a free VM.


You can follow an entire step-by-step example of how to correctly identify who can run DCSync against Active Directory right here.




Your PowerShell Script is Woefully Inadequate

Once you've had an opportunity to understand the technical nuances I've shared above and follow the step-by-step example I've provided above, you'll know for yourself that it is extremely difficult, if not impossible, to find out exactly who can do what in Active Directory using PowerShell.


Specifically, there are over a dozen factors one needs to take into account, with 100% precision and zero room for error, and no amount of PowerShell, even written by the world's best Active Directory Security practitioners, can make this paramount determination accurately.

The same is true of all well-intentioned but woefully deficient amateur tools like Bloodhound, which self-admittedly do not even take deny permissions into account. The sheer fact that they do not take one of the most important factors in the entire process into account renders them virtually useless from a professional standpoint.

Of course, if you don't care about accuracy, then by all means, even basic tools like acldiag can help you get "a list."  Of course, since you don't care about accuracy, you likely won't care about whether or not that list is accurate.





Click, Done

There is one and only way to accurately make these paramount determinations in Active Directory, and that is by accurately determining Active Directory Effective Permissions.

There is also one and only one solution in the whole world that can accurately determine effective permissions in Active Directory, and that is our Microsoft-endorsed Gold Finger solution. Fortunately, to help everyone make this paramount determination for FREE, a subset of its unique capabilities is now also available in Gold Finger Mini.




The most important report in Gold Finger Mini is - "Who can replicate secrets (i.e. password hashes) from the domain?" - and that one report can instantly and accurately determine "Active Directory Effective Permissions" on the domain root and reveal exactly how many accounts possess sufficient access to be able to run DCSync against your Active Directory, and who they are.

The basic version of Gold Finger Mini is free, and it can help every organization instantly find out exactly how many accounts can successfully run DCSync against their Active Directory today.

Gold Finger Mini can be instantly downloaded and installed in under two minutes, and at the click of a button, reveal this information, for free, using any domain user account. It is a 100% read-only tool and does not require any admin access.

In light of what Microsoft shared about LAPSUS$, if I were the CISO, an IT Manager, a Domain Admin, or an IT Auditor at an organization, I would not want to sleep without having determined how many accounts possess sufficient privileged access so as to be able to run DCSync against our Active Directory today. After all, what else could be more important?
 

 


Conclusion

The objective of today's post was to help everyone realize that trying to accurately find out who can successfully execute DCSync against your Active Directory is not as easy as it may seem, and that neither amateur tools like Bloodhound nor PowerShell scripting can accurately take all the factors involved in this determination into account.


As the breaches at Okta and Microsoft by LAPSUS$ have shown the entire world, a single occurrence of this threat could result in a massive cyber security breach that could cost the organization not just millions of dollars to recover from, but serious reputational damage as well, not to mention potentially substantial liability arising from the potential loss of all kinds of organizational data, such as customer PII, financials, trade secrets etc.

Consequently, all organizations that operate on Microsoft Active Directory today, must know at all times, exactly which accounts possess sufficient ACCESS to be able to run DCSync against their Active Directory, because having this paramount insight can help them ensure that ALL such accounts are on their radar and sufficiently protected.

In contrast, it takes almost nothing at all to mitigate this serious threat and minimize the possibility of its occurrence, and today from the CEO to the CISO to the Domain Admin, all stakeholders must know what Mimikatz DCSync is, and exactly who can run DCSync against their foundational Active Directory -

👉   Gold Finger Mini - Advanced Level - Report #1 - "Who can replicate secrets from the domain?"


I'll leave you with this thought - if your organization doesn't even know exactly which accounts can execute DCSync against your Active Directory, how can it be safe from a cyber security perspective, and what does it really know?


That's all for now.

Best wishes,
Sanjay.

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
