Monday, May 25, 2020

In Remembrance, on Memorial Day 2020


Today, our entire team would like to take a few solemn moments to pay our deepest and highest respect to, and honor the lives of, those who have made the ultimate sacrifice in the defense of our great nation, the United States of America.

On this solemn Memorial Day in 2020, we also take a few moments to recognize that in the last ninety (90) days alone, a modern adversary that warranted swift, earnest and decisive action has taken ninety thousand (90,000) American lives.

In 2020, in the last 2020 hours alone, America has lost more citizens than it has across all wars it has fought since WW-II.

On this solemn day, we remember all those Americans that made the ultimate sacrifice in the defense of our great nation, and all those Americans that we have lost this year alone to a dangerous adversary that we still have no defense against.

We hope and pray that the scientific community worldwide is able to apply its collective best to swiftly develop sufficient and adequate measures to empower mankind to contain and defeat this dangerous adversary that threatens all nations.

God bless the United States of America, and God equally bless the entire world, and all of mankind.


Tuesday, May 12, 2020

Day 2 - Red Teamers, can you hack THIS Active Directory? (I Doubt It)


Hello. I hope this finds you doing well. Welcome to Day-2 of "Active Directory Security for Cyber Security Experts."

Over the next 60 days, I'm going to be drawing upon two decades of experience in Active Directory Security to help thousands of organizations and millions of IT and cyber security personnel worldwide increase their knowledge.

Today, I'd like to pose a simple question / challenge to 1000s of Active Directory Red Teamers /Attackers worldwide -

Can YOU hack THIS Active Directory?

(i.e. the one described below.)

(Before you arrive at any premature conclusions, please read the "What's the Point?" section that follows.)

An Active Directory Like Ours

Like most organizations worldwide, we (Paramount Defenses) too operate on Microsoft Active Directory, and most of our machines, including those on which reside our billion+ dollar cyber security algorithms, are joined to our Active Directory.

Unlike most organizations worldwide, we DO actually strive to adequately protect our foundational Active Directory -

  1. Domain Controller (DC) Security - All DCs are afforded the highest levels of system, network and physical security. I can't divulge details, but know that one couldn't even get physical access to a DC without multi-factor authentication, let alone log on to one. The same level of security is afforded to all admin workstations and AD backups.

  2. Privileged Access in Active Directory - Privileged access for everything, including identity (user account) and access (group) management, computer and group policy management, access for AD-integrated apps etc. is all precisely and verifiably delegated/provisioned in Active Directory and locked-down based on the principle of least privilege.

  3. Privileged Account Security - We don't have more than one active Domain Admin equivalent privileged user in Active Directory at any time, counted across all default AD admin groups, and all other accounts that possess unrestricted admin access in Active Directory (e.g. members of Enterprise Admins, Schema Admins etc.) are disabled by default.

  4. Secure Administrative Practices - Every Domain Admin equivalent privileged account user is assigned a dedicated admin workstation exclusively for the purpose of performing activities that require Domain Admin level privileged access, and each such workstation is afforded the same level of security as are our DCs. Logging on to any other machine using Domain Admin credentials is strictly disallowed and could result in termination of employment.

  5. Service Accounts, esp. those that require Domain-Admin Equivalent Access - We only use managed service accounts across our network. Each one of them is AD managed, and has a long (>25 character) password that is frequently rotated. We do not allow the use of any apps whose service accounts require Domain-Admin (DA) access, because if you understand Windows security, you know that almost nothing actually requires DA level access to accomplish.

  6. Trustworthy Software - We do not deploy any 3rd-party software in which we cannot place the highest level of trust, especially Active Directory mgmt/security/auditing solutions. This is because so many popular AD management and auditing solutions available today are developed outside the USA, and some prominent ones are developed in Russia. Also, use of any free* tools or scripts downloaded from the Internet could result in immediate termination.

  7. Empowerment and Accountability - Most importantly, because we understand just how paramount the security of our foundational Active Directory is to our company's security, we have a simple and clear chain of accountability, which is as follows:  CEO - CISO - Director, IT - Enterprise Admin. Finally, I personally ensure that our IT team has whatever it needs to secure our AD, and we only hire the most trustworthy and proficient personnel as AD Admins.

(By the way, none of this takes much effort or cost. All it really takes is an understanding of and respect for the role that Active Directory plays in our security, and the will to enact just enough simple measures to adequately protect it.)

Now, let me stop right there, for sharing that much is enough to make a Trillion $ point, which follows.

So, What's the Point?

The point of sharing this with you was to help you understand that in such an environment, no matter how proficient an Active Directory Red Teamer or attacker you might be, you're likely not going to find success using popular credential-theft attack techniques such as Kerberoasting or Mimikatz credential dumping, or using Mimikatz DCSync, DCShadow, Bloodhound etc.

Perhaps I should elaborate and substantiate this -
  1. Kerberoasting - As you'll agree, given measure #5 above, Kerberoasting just isn't going to be practically viable. Any authenticated user can still request a service ticket for any SPN, but a ticket encrypted with a long (>25 character), frequently rotated managed-service-account password isn't going to be cracked offline before the password changes again.

  2. Silver Tickets and Golden Tickets - A Golden Ticket requires the krbtgt account's key, which lives only on the DCs, so given measure #1 above (and measure #2, which closes the replication route discussed in point 4 below), you're not going to get it. A Silver Ticket requires the key of the target service's account, which measures #4 and #5 keep out of your reach.

  3. Mimikatz (for password hash extraction and reuse) - Likewise, in light of measures #3, #4 and #6 above, you're not going to get an opportunity to log on to or compromise any computer on which a single Domain Admin equivalent credential may have ever been entered/used, so you're not about to find success using credential theft techniques that involve extracting and replaying/using password hashes from memory.

  4. Mimikatz DCSync and Mimikatz DCShadow - Given measure #2 above, we possess the ability to determine and control exactly who can replicate secrets from our Active Directory domain, and as a consequence, we can reduce that number down to virtually zero, leaving you no opportunity whatsoever to even have the effective permissions (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain root) needed to run Mimikatz DCSync against our AD. Similarly, because we can determine and control exactly who can create the server and nTDSDSA objects under the Sites container that a rogue DC must register, Mimikatz DCShadow too won't be possible.

  5. Bloodhound - Given measure #2 above, you could run Bloodhound all you want, but you're not going to find a single privilege escalation path leading to anything, because WE found and eliminated ALL of them BEFORE you could.

NOW, in your defense, let me be the first to admit that ours isn't a typical Active Directory environment by any means. Most Active Directory deployments should be secured like so, but they're nowhere near so; most of them are vastly vulnerable.

That said, I'll be the first to tell you that of the 7 simple Active Directory Security measures that we implement, every organization in the world can implement just about all of them on their own, TODAY, except MEASURE #2.

As to measure #2, unfortunately, there's just no way to implement it without having the capability to accurately determine who actually has what privileged access, and to do so domain-wide; sadly, most organizations (likely including trillion-dollar Microsoft) do not even seem to know that they require this essential capability, let alone have it, so they're very far away from being able to adequately secure their AD.

Now, Consider This

Consider an Active Directory environment in which all measures above, except #2, have been implemented. By the way, in the interest of their own security, all organizations should endeavor to attain at least this level of Active Directory Security.

In such an Active Directory environment, as shared above, what so many folks errantly refer to as common and prevalent "Active Directory attack techniques", i.e. Kerberoasting, Mimikatz, Golden Tickets etc. aren't going to get you anywhere.

In such environments, many may be inclined to think that there's not that much more left to try and attack/compromise.

Yet, if you think about it (and now that you've heard of Bloodhound, you likely know this), there is still an OCEAN of opportunity left to go after (and for defenders to defend), and unlike credential-theft attack vectors, it actually involves "Active Directory Security."

  • Side-note: I had asked Delpy the same question back in 2016, likely even BEFORE Bloodhound was around.

Active Directory Security

As you'll hopefully agree, the most important and vital aspect of Active Directory security is the security of its contents.

You know what I'm talking about. Every single one of the most powerful privileged user accounts and groups, the user accounts of all employees and executives, every single domain computer account (including those of DCs), every single domain security group used to protect most IT assets across the network, every single group policy used to secure and protect all domain-joined hosts etc. all have one thing in common - they constitute the very contents of Active Directory.

In essence, the most valuable assets of any organization operating on Active Directory are INSIDE their Active Directory.

Now, each one of these assets is represented as an Active Directory object, and protected by an access control list (ACL), within which reside numerous security permissions, each one of which allows or denies some form of access to some security principal, and together they collectively determine exactly who can do what on each one of these Active Directory objects.

In other words, there's a vast OCEAN of Active Directory security permissions in every organization's Active Directory.

Within this ocean lies a vast amount of privileged access, and sadly, because it is very difficult to accurately assess it, much of it is excessive (unauthorized), just waiting to be found and exploited, or found and eliminated (locked-down.)

Simply put, it's a race, and whoever (i.e. the good or the bad guys) accurately identifies it first WINS (i.e. controls AD.)

  • Side-note: Incidentally, Bloodhound, a promising tool that so many Active Directory Red Teamers, attackers and perpetrators have come to like and use, is based on identifying privilege escalation paths in this very ocean of AD security permissions; its underlying theory can be found here. However, it barely scratches the surface, and sadly it is inaccurate because it makes the same classic mistake that 1000s of organizations have themselves been making for years - it too relies on determining "Who has what permissions in AD" which is virtually futile.

    Finally, as pointed out above, even if it were accurate, implementing measure #2 above would render it useless.

In essence, if you could correctly analyze this vast ocean of Active Directory security permissions, you could instantly find thousands of privilege escalation paths leading to every object in Active Directory, from Domain Admin accounts to the CEO's account, and from the Domain Admins group to a group protecting high-value IT assets across the network.

From an organizational standpoint, you would then have the ability to lock down all such identified, existent unauthorized privileged access and eliminate all such paths, securing your Active Directory. From an attacker's standpoint, you would have identified thousands of easily exploitable privilege escalation paths leading to whatever you want to compromise.

The key to correctly analyzing this vast ocean of security permissions and privileged access in Active Directory, and thus the key to being able to identify who can do what, where and how, on any and every object in Active Directory lies in this, and in days to come, it is my intention to help everyone learn more about this vast ocean, and how to correctly analyze it.


Today's post was intended to convey that the attack methodologies that most Active Directory Red Teamers and Attackers use to attack Active Directory security don't actually have much to do with Active Directory Security per se, and can be thwarted by implementing a few common sense measures (which, sadly, most organizations have yet to implement.)

As a segue, the second point I wanted to make was that the actual crux and innards of "Active Directory Security" reside inside the ocean of security permissions that exist in every organization's Active Directory, and in days to come, that's what I intend to help the world better understand, because collectively across the world, they secure Trillions of $ of real wealth.

To be continued on Day 3, May 18, 2020 (I will share the VM then, and from that point on, it should be every alternate day.)

Best wishes,

PS: Regarding measure #2 above -

There's a little $1.4 Trillion company out there called Microsoft. They built Active Directory. You should ask them if they can help you do this accurately and adequately on even a single object in AD, let alone do so domain-wide. (They can't.)

(If you can't find them in the Security aisle, look for them in the Sales aisle; they've been quite busy pitching their Cloud offering to the world, and recently, offering free Teams meeting accounts during COVID-19 to increase their user-base.)

Then ask CrowdStrike, FireEye, Symantec, CyberArk, Tanium, Amazon, Google etc. if perhaps they can. (They too can't.)

Next, perhaps ask Quest, Centrify, BeyondTrust, Varonis, Netwrix, Preempt and other popular AD Security companies.

Finally, ask Gartner, those Magic Quadrant gurus, if they know of someone who could. (They may not have a clue.)

Thursday, May 7, 2020

Welcome to "Active Directory Security for Cyber Security Experts"


Hello. I hope this finds you doing well. Welcome to Day-1 of "Active Directory Security for Cyber Security Experts."

Over the next 60 days, I intend to share technical insights on the paramount subject of Active Directory Security, including providing an instantly usable, downloadable (on Day-2) hands-on lab in a VM for everyone to work along with and learn.

Today, I'd like to share a few salient thoughts/observations with you regarding certain aspects of Active Directory Security that I've observed over the last few years, and hopefully these thought-provoking observations will set the stage for this series.

But, before I do so, perhaps a quick introduction may be helpful.

Quick Background

I'm Sanjay Tandon, CEO of Paramount Defenses, and formerly Microsoft Program Manager for Active Directory Security.

As you may know, from the U.S. Government to the global Fortune 1000, 85+% of organizations worldwide operate on AD.

Prior to establishing Paramount Defenses, from 2001 through 2005, as Program Manager for Active Directory Security, on Microsoft's flagship Windows Server Development Team, I was Microsoft's technical subject matter expert on AD Security.

During my Microsoft years, I designed technical features, presented at industry conferences (e.g. Microsoft TechEds), researched and authored Microsoft's official 400-page whitepaper on "Best Practices for Delegating Administration in Active Directory," as well as provided technical guidance to Microsoft's biggest customers and to MCS, PSS etc.

Prior to leaving Microsoft, I went to work for Microsoft IT, where I proposed and conducted a risk assessment of Microsoft's own foundational Active Directory deployment, and my recommendations substantially enhanced Microsoft's AD security.

In 2006 I founded Paramount Defenses, and led the development and delivery of the world's only tool that can accurately assess/analyze/audit who actually has what privileged access in Active Directory, the Microsoft-endorsed Gold Finger.

Over the last decade, my work (embodied in Gold Finger) has directly helped some of the most important and valuable organizations in the world, including the U.S. Department of Defense, the U.S. Treasury, U.S. Dept. of Transportation etc., several national governments, including the British government, the governments of Canada, Australia, Saudi Arabia etc., the United Nations, as well as some of the world's biggest companies including British Petroleum (a Fortune 10 company), Microsoft, IBM, Nestle etc. (the list is long) secure and defend their foundational Active Directory.

In short, I've been doing this for a bit now, so I know a little bit about this subject.

(The only reason I've shared my background with you is so that you hopefully take what I'll be sharing with you, seriously.)

The Motivation

With the background out of the way, before I share today's salient thoughts and commence this series, the only other thing I felt the need to share with you is to reiterate the motivation for conducting this series on Active Directory Security.

You see, from the entire U.S. Government to the global Fortune 1000, today over 85% of organizations worldwide operate on Active Directory, and as their foundation, the security of these foundational Active Directory deployments worldwide is absolutely paramount to cyber security worldwide. Let there be no mistake about that; none whatsoever.

Now, Active Directory has been around since 2000, so you'd expect most Active Directory deployments to be sufficiently secure by now. Unfortunately, I can tell you based on first-hand knowledge (as 1000s of orgs have knocked at our doors, unsolicited) that the Active Directory deployments of most organizations remain alarmingly vulnerable to compromise.

Thus, it is to help thousands of organizations worldwide adequately enhance their Active Directory security defenses, and to help millions of cyber security and IT personnel worldwide increase their knowledge, that I decided to put in this effort.

The list of the various subjects/topics that I intend to cover over the next 60-days can be found here.

Finally, A Few Thoughts

With those boring details out of the way, it's time to share some actual substantive stuff on Active Directory, and so today I would like to share the following few high-level, thought-provoking thoughts/observations with you -

  • Note: More on each one of these points, in days to come.

  1. Active Directory is a highly secure(able) technology; it is secure by design and by default

    A few years ago, a certain company made the preposterous claim that "Active Directory is insecure by design and by default." They likely didn't know the first thing about Active Directory security, YET, likely because the folks in-charge at Microsoft at that time didn't seem to know better either, they ended up being acquired by Microsoft.

    In reality, nothing could be further from the truth. Active Directory is a highly trustworthy and securable technology that is secure by design and by default. You just need to know how to secure it, and over the next 60 days, I am going to show you how to most easily operate a secure and resilient Active Directory.

  2. Credential-theft attack vectors have nothing to do with Active Directory Security

    Over the last few years, I've seen many cyber security experts conflate deficiencies in Microsoft's implementation of Kerberos with deficiencies in Active Directory, and in most material out there on "Active Directory Security", much of the focus is largely on credential-theft attacks (Pass-the-Hash, Pass-the-Ticket, Kerberoasting etc.)

    In reality, strictly and technically speaking, it is deficiencies in Microsoft's implementation of Kerberos that make these attacks possible. Active Directory is merely the database that the KDC uses as its account database. Yes, indeed the KDC Service runs on domain-controllers, but if you think hard about it, Active Directory has nothing to do with these attacks, barring the fact that these attacks could be used to compromise Active Directory accounts.

    Active Directory Security concerns the security of the "Active Directory" itself, and that involves AD content security, DC security, the security afforded to AD privileged user accounts and groups and that afforded to AD backups.

  3. The #1 reason AD deployments are vastly vulnerable is that people in-charge may not know/care enough

    Securing Active Directory is not difficult - it mostly requires basic know-how, but far more importantly, it requires an understanding and appreciation for the fact that Active Directory security is paramount and not to be taken lightly.

    Sadly, many many organizations do not seem to have this appreciation, and as a consequence, there's hardly any discipline or rigor involved in establishing, managing and securing their foundational Active Directory deployment.

    It is this lax attitude combined with the lack of sufficient know-how that results in a situation wherein even the most basic requirements for Active Directory security are not in place, resulting in a vastly vulnerable Active Directory.

    Here are just a few examples - an excessive and unknown number of privileged users (resulting in a large attack surface), insecure administrative practices (resulting in credential theft opportunities), use of untrustworthy tooling, negligent DC security policies (enabling perpetrators to logon to a DC), complete lack of insight into who actually has what admin access in Active Directory (making even inaccurate tools like Bloodhound effective) etc.

    In contrast, many of our customers easily run highly secure Active Directory deployments, with zero DAs, precisely delegated admin access, secure DCs, secure service accounts, complete insight into who has access in AD etc.

    More on this too, in days to come.

  4. If any ONE of these FIVE components is compromised, it's Game Over right then and there

    It should be common sense that if any ONE of these FIVE components is compromised, it's already Game Over -

    1) A single AD privileged user account or group, 2) A single domain controller, 3) A single administrative workstation, 4) A single AD backup, and if you have two-factor auth, 5) your PKI infrastructure or your multi-factor auth provider.

    Sadly, as they say, common sense is not so common, and at most organizations today, no one even has a clue as to how many privileged users they have (let alone adequately protecting them), almost no one treats DCs like Fort Knox, most organizations don't have dedicated admin workstations for AD privileged users, and, not least, many organizations do not adequately secure AD backups, so how can one expect AD deployments to be secure?!

    Now, consider this - if you go by the above, then you know and agree that if a perpetrator has been able to log on to even a single Domain Controller, it's ALREADY Game Over. You'll then hopefully agree that if someone gets to a position where they are able to create and use a Golden Ticket in your environment, it was ALREADY Game Over by then, because a Golden Ticket requires the krbtgt account's key, and they could NOT have obtained it without having logged on to one of your Domain Controllers (or, per point 5 below, without having been granted the replication rights that let DCSync pull that key remotely, which is itself a compromise of a privileged user account or group.)

  5. Kerberoasting, Golden Tickets, Mimikatz DCSync and Bloodhound can actually all be easily defeated

    It is unfortunate that, because for years now so many self-proclaimed cyber security experts have conflated Kerberoasting, Golden Tickets etc. with weaknesses in Active Directory, they have not even begun to actually focus on Active Directory Security. In that regard, Bloodhound is possibly the first tooling that may have actually focused on deficiencies/vulnerabilities that can be attributed to, and in fact are a part of, Active Directory Security.

    That said, in essence, here's how easy it is to defeat all of these threats (and details on all, in days to come) -

    Kerberoasting - Simply ensure that all your service accounts have long (>25 character) and complex passwords that are rotated every month, and you should have this mitigated. (Group) managed service accounts in AD are ideal for this; AD generates their passwords and rotates them automatically, every 30 days by default. Remember that the exposure is every account that carries a servicePrincipalName, so also look for ordinary user accounts that have been given an SPN, and remove SPNs that no service actually needs. Additionally, put in some effort to minimize the number of these service accounts that actually need to be members of privileged AD groups, and you will have minimized the impact of one of them being compromised.

    Golden Tickets - This should be the easiest one. You should never be in a position where a perpetrator is able to log on to one of your Domain Controllers, because as I have said, if you get there, you've already lost your entire Active Directory to them. Thus, hardening your Default Domain Controllers Policy (in every domain) to ensure that only the most highly trustworthy AD privileged users can even log on to your DCs can easily mitigate this threat. After you've sufficiently tightened your Domain Controllers policy, reset the password of the krbtgt account twice (AD keeps the current and the previous krbtgt key, so a single reset still leaves forged tickets valid), and let the first reset replicate to every DC, ideally waiting a full ticket lifetime (10 hours by default), before performing the second, so that legitimately issued tickets aren't all invalidated at once.

    Mimikatz DCSync - All you have to do is accurately calculate effective permissions on the root object of every Active Directory domain to determine who actually has the two extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All effectively granted, and you will have determined exactly who can run Mimikatz DCSync against your domain. Next, for every account that is on this list but should not be on it, determine how they're entitled to these effective permissions (a direct ACE, a nested group membership, an "all extended rights" or full-control ACE), tweak the ACL or group membership to revoke their access, re-verify, and you're done.

    Bloodhound -

    Bloodhound actually focuses on deficiencies in Active Directory security, i.e. trying to find privilege escalation paths leading to AD privileged user accounts and groups, and it does so by attempting to analyze the vast ocean of security permissions in Active Directory, with the intention of identifying who can enact administrative tasks like password resets and group membership changes, which can be used to escalate privilege in Active Directory.

    In most Active Directory deployments today, Bloodhound will likely uncover a dangerously large number of privilege escalation paths, because most organizations have neither a clue nor the capability to even assess who is actually delegated/provisioned what access where and how in their Active Directory, and they've been operating for years.

    Fortunately, all that organizations need to do to mitigate the risk posed by Bloodhound is to themselves correctly audit and lock down all privileged access delegated/provisioned in Active Directory. You see, once they've done that, even if a thousand perpetrators run Bloodhound against their AD a thousand times, they won't find a single privilege escalation path to exploit, simply because the organization would have already found and eliminated all of them.

    (Now, if you're thinking that correctly auditing and locking down privileged access in Active Directory is difficult, you're absolutely right. It is not only extremely difficult, it is expertise-reliant, time-consuming and almost impossible. Fortunately, someone has made accomplishing this massive task as easy as touching a button for the entire world.)

    • Side-note 1 - It is paramount to correctly audit and lock-down access in Active Directory because all the building blocks of organizational cyber security are stored in Active Directory, and thus it is imperative that organizations swiftly attain and consistently maintain least privileged access in Active Directory.

    • Side-note 2 - There is ONLY ONE CORRECT WAY to accurately determine/audit who actually has what privileged access in Active Directory, and that involves determining effective permissions on Active Directory objects. Sadly, most IT personnel do not know this, and merely "analyze permissions" today, getting inaccurate results. Bloodhound has the same deficiency, and thus delivers inaccurate results.
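As an added example (this is not code from the original post, nor Paramount Defenses' or Microsoft's tooling), the following PowerShell script runs the two checks this item describes against a live domain using the RSAT ActiveDirectory module: it lists Kerberoastable accounts (user accounts carrying an SPN, which are the ones whose service tickets can be requested and cracked offline, per the Kerberoasting item above and measure #5 of the Day 2 post), and it enumerates the ACEs on the domain root that grant the replication extended rights DCSync needs (per the DCSync item above and point 4 of the Day 2 post). The rights GUIDs are the fixed rightsGuid values from the AD schema; the password-age threshold and the list of privileged groups are assumptions you may tune. Note the caveat the post itself makes: the second check is raw ACE enumeration plus recursive group expansion, not effective permissions, so it does not account for Deny ACEs, property sets or other subtleties that a full effective-permissions calculation must.

```powershell
# Added example: audit two of the exposures discussed in the post.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# --- Check 1: Kerberoastable accounts ------------------------------------------
# Any account with a servicePrincipalName can have a service ticket requested for
# it by any authenticated user; if it is a plain user account with a human-chosen,
# rarely rotated password, that ticket can be cracked offline. Get-ADUser returns
# only objectCategory=person, so computer accounts and gMSAs (whose 120-character
# passwords AD rotates automatically) are excluded by construction.
function Get-KerberoastableAccount {
    param(
        [int]$MaxPasswordAgeDays = 30   # assumed threshold, matching the post's "rotated every month"
    )
    # Assumed list of groups whose membership makes a cracked account immediately dangerous.
    $privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' `
               -Properties servicePrincipalName, PasswordLastSet, MemberOf, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
        # MemberOf holds distinguished names of DIRECT memberships only; the CN is extracted for readability.
        $groups  = @($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        # msDS-SupportedEncryptionTypes bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
        # $null (unset) means RC4 tickets are issued, and RC4 tickets crack fastest.
        $etypes  = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            SPNCount         = @($_.servicePrincipalName).Count
            PasswordAgeDays  = $ageDays
            StalePassword    = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
            AesOnly          = (($etypes -band 0x18) -ne 0) -and (($etypes -band 0x7) -eq 0)
            PrivilegedGroups = @($groups | Where-Object { $privilegedGroups -contains $_ })
        }
    }
}

# --- Check 2: who holds the replication rights DCSync needs -------------------
# DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
# on the domain naming context (the domain root object). These GUIDs are the fixed
# rightsGuid values of the corresponding controlAccessRight objects in the schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolder {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        # An ACE granting ExtendedRight (0x100, also contained in GenericAll) with an empty
        # ObjectType grants ALL extended rights, replication included.
        $allExtended = (([int]$ace.ActiveDirectoryRights -band 0x100) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty)
        if ($ReplicationRights.ContainsKey($guid) -or $allExtended) {
            [pscustomobject]@{
                Identity    = $ace.IdentityReference.Value
                Right       = if ($allExtended) { 'ALL extended rights' } else { $ReplicationRights[$guid] }
                AccessType  = $ace.AccessControlType                     # Allow or Deny
                Inherited   = $ace.IsInherited
                InheritOnly = (([int]$ace.PropagationFlags -band 2) -ne 0)  # InheritOnly ACEs do not apply to the root itself
            }
        }
    }
}

function Expand-Holder {
    # Resolves group holders to their nested user members so the list names accounts, not just groups.
    # Well-known principals that are not domain groups (e.g. ENTERPRISE DOMAIN CONTROLLERS) pass through unchanged.
    param([Parameter(ValueFromPipeline)]$Holder)
    process {
        $name = ($Holder.Identity -split '\\')[-1]
        $grp  = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if ($grp) {
            Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object {
                [pscustomobject]@{ Identity = $_.SamAccountName; Via = $Holder.Identity; Right = $Holder.Right; AccessType = $Holder.AccessType }
            }
        } else { $Holder }
    }
}

# Usage (from a workstation with RSAT, as a user with read access to the domain):
Get-KerberoastableAccount | Where-Object { $_.StalePassword -or $_.PrivilegedGroups.Count -gt 0 } | Format-Table -AutoSize
Get-ReplicationRightHolder | Where-Object { -not $_.InheritOnly } | Expand-Holder | Sort-Object Identity, Right -Unique | Format-Table -AutoSize
```

On a default domain the second list is short: the Domain Controllers and Enterprise Domain Controllers groups, and Administrators (with Enterprise Admins reachable through it). Every other holder, including the directory-synchronization service accounts that products such as Azure AD Connect create, needs a documented reason to be there. Treat the output as the starting point for the effective-permissions check the item describes, not as its result: a Deny ACE, an ACE scoped by inheritedObjectType, or a membership the script could not resolve all change the answer.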

  6. Active Directory Permissions Analysis is Mostly Futile

    We can all hopefully agree that it's what is contained within Active Directory that is most vital to organizations.

    I'm referring to the domain user accounts (and credentials) of their entire workforce, including all their executive and privileged accounts, the domain computer accounts of virtually the entirety of their computers (i.e. all their laptops, desktops and servers) that are domain-joined to facilitate single-sign on and Kerberized access, and the thousands of domain security groups that are used to secure and control access to the entirety of their IT assets across their network, comprised of thousands of servers, databases, applications, desktops and just about everything else.

    Now, as you know, each one of these building blocks of organizational cyber security is an Active Directory object, protected by an access control list (ACL), within which reside numerous security permissions, each one of which allows or denies, a specific type of access to some security principal (user, group, FSP etc.)

    Today, at most organizations, in order to find out who has what access in Active Directory, IT personnel resort to trying to find out "Who has what permissions in Active Directory?" This happens across the world, has been happening for years, and these IT personnel use tools like dsacls or write their own PowerShell scripts to do so.

    Organizations may also license an "Active Directory Permissions Analyzer" from one of many AD security vendors.

    Sadly, unbeknownst to them, and even to many self-proclaimed experts on Microsoft TechNet and other forums who may ignorantly offer PowerShell scripts to do so, they would ALL be wrong. Substantially and dangerously wrong.

    Here's why -

    Simply put, in any Active Directory object's ACL, there are many permissions specified for many security principals, some of which may allow access while others may deny access, some of which may be explicitly set while others may be inherited, some of which may apply to the object while others may exist solely for inheritance, and it is their COLLECTIVE impact that determines the actual access that a specific user has on the object.

    In short, merely trying to find out "Who has what permissions in Active Directory" will NOT reveal the actual picture, and in fact it is very difficult to accurately determine the actual picture by just performing permissions analysis.

    You see, what actually governs who can do what in Active Directory and who actually has what access in AD is not "Who has what permissions in Active Directory" but "Who has what effective permissions in Active Directory".

    Specifically, it is the effective permissions (aka Effective Access, as the tab has been named since Windows Server 2012) that a user has on an Active Directory object that govern what he/she can actually do on that Active Directory object.

    I'm not going to go into the details of Active Directory Effective Permissions today, but suffice it to know that even in Microsoft's own tooling (ADUC etc.), of the three tabs in the Advanced section of the Security tab, the first being for Permissions, and the second being for Auditing, the final one is for Effective Permissions (aka Effective Access).

    Sadly, Microsoft's Effective Permissions (aka Effective Access) Tab is woefully inadequate and inaccurate, as is this little piece of freeware, and you'll know why the first time you attempt to use either. (More on this in days to come.)
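To make the difference between "who has what permissions" and effective permissions concrete, here is an added example (illustrative code written for this page, not Paramount Defenses' tooling and not the Windows implementation) that models how a DACL is evaluated, serving this item and the "ocean of permissions" discussion in the Day 2 post. The group membership data and the five-ACE DACL on a hypothetical CEO user object are constructed; the evaluation follows the rules the item names: Allow and Deny ACEs, explicit versus inherited ordering, ACEs scoped to another object class (inheritedObjectType) that exist on the object but never apply to it, and transitive group membership. It runs offline in any PowerShell session.

```powershell
# Added example: a small model of Windows DACL evaluation, showing why a
# "who has what permissions" report and effective access disagree.
# All group and ACE data below is constructed for illustration.

# Nested group membership; a principal's token is expanded transitively.
$Groups = @{
    'Helpdesk'     = @('Alice', 'Bob', 'Tier1')
    'Tier1'        = @('Dave')
    'Contractors'  = @('Bob')
    'ServerAdmins' = @('Carol')
}

function Get-Token {
    # Returns the principal plus every group it belongs to, directly or through nesting.
    param([string]$Principal)
    $token = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Principal))
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Principal)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($g in $Groups.Keys) {
            if ($Groups[$g] -contains $current -and $token.Add($g)) { $queue.Enqueue($g) }
        }
    }
    return $token
}

# The DACL on the CEO's user object, stored in canonical order (explicit Deny,
# explicit Allow, inherited Deny, inherited Allow), which is how the standard
# tools write it and the order in which Windows walks it. AppliesTo models the
# ACE's inheritedObjectType: the last ACE is present on this object (inherited
# from the OU) but is scoped to computer objects and so never applies here.
$CeoObject = @{ Class = 'user' }
$Dacl = @(
    @{ Type = 'Deny';  Identity = 'Contractors';  Rights = @('ResetPassword');                 AppliesTo = $null;      Inherited = $false }
    @{ Type = 'Allow'; Identity = 'Dave';         Rights = @('ResetPassword');                 AppliesTo = $null;      Inherited = $false }
    @{ Type = 'Deny';  Identity = 'Tier1';        Rights = @('ResetPassword');                 AppliesTo = $null;      Inherited = $true  }
    @{ Type = 'Allow'; Identity = 'Helpdesk';     Rights = @('ResetPassword', 'ReadProperty'); AppliesTo = $null;      Inherited = $true  }
    @{ Type = 'Allow'; Identity = 'ServerAdmins'; Rights = @('ResetPassword');                 AppliesTo = 'computer'; Inherited = $true  }
)

function Test-EffectiveAccess {
    # Walks the DACL in stored order: a matching Deny on any still-wanted right ends the
    # walk with "denied"; matching Allows accumulate until every requested right is granted.
    param([string]$Principal, [string[]]$Requested, [hashtable]$Object = $CeoObject, [object[]]$Acl = $Dacl)
    $token     = Get-Token $Principal
    $remaining = [System.Collections.Generic.HashSet[string]]::new([string[]]$Requested)
    foreach ($ace in $Acl) {
        if ($ace.AppliesTo -and $ace.AppliesTo -ne $Object.Class) { continue }   # scoped to another class
        if (-not $token.Contains($ace.Identity)) { continue }                    # not for this token
        $overlap = @($ace.Rights | Where-Object { $remaining.Contains($_) })
        if ($overlap.Count -eq 0) { continue }
        if ($ace.Type -eq 'Deny') {
            return [pscustomobject]@{ Principal = $Principal; Granted = $false; Because = "Deny ACE for $($ace.Identity) (inherited: $($ace.Inherited))" }
        }
        foreach ($r in $overlap) { [void]$remaining.Remove($r) }
        if ($remaining.Count -eq 0) {
            return [pscustomobject]@{ Principal = $Principal; Granted = $true; Because = "Allow ACE for $($ace.Identity) (inherited: $($ace.Inherited))" }
        }
    }
    [pscustomobject]@{ Principal = $Principal; Granted = $false; Because = 'no ACE grants: ' + ($remaining -join ',') }
}

function Get-PermissionsReport {
    # What a typical "who has what permissions" report produces: every Allow ACE naming the right.
    param([string]$Right = 'ResetPassword', [object[]]$Acl = $Dacl)
    $Acl | Where-Object { $_.Type -eq 'Allow' -and $_.Rights -contains $Right } | ForEach-Object { $_.Identity }
}

'Permissions report says ResetPassword is held by: ' + ((Get-PermissionsReport) -join ', ')
foreach ($p in 'Alice', 'Bob', 'Carol', 'Dave') { Test-EffectiveAccess -Principal $p -Requested 'ResetPassword' }
```

The permissions report names Dave, Helpdesk and ServerAdmins. The effective answer is different on three of the four people: Alice (via Helpdesk) can reset the CEO's password; Bob, also in Helpdesk, cannot, because the explicit Deny on Contractors is reached first; Carol cannot, because the ServerAdmins ACE is scoped to computer objects; and Dave can, even though Tier1 is denied, because his explicit Allow sits ahead of the inherited Deny. The real evaluation has further inputs this model leaves out, among them the object owner's implicit rights, property sets and per-attribute object-type GUIDs, implicit token members such as Authenticated Users, and AdminSDHolder rewriting the ACLs of protected accounts, which is exactly why the item calls permissions analysis alone futile.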

  7. Most Active Directory Risk Assessment programs/offerings fall short in ONE critical area

    Let me switch gears a little bit and share a few thoughts on various Active Directory risk assessment programs.

    For many organizations, a professional risk assessment may be a good starting point, so I felt they should know the limits of the various risk assessment programs out there, so they don't end up with a false sense of security.

    Several reputable cyber security companies (including Microsoft) offer Active Directory risk assessment offerings, and while most of them likely cover assessing risks to about 80% of the AD attack surface (at least at a high level), it is my professional opinion that none of them can trustworthily assess risk in the most important area of Active Directory security, which is "accurately identifying who actually has what privileged access in Active Directory."

    (If you don't think that the accurate identification of privileged users in Active Directory is important, consider that the vast majority of all major recent cyber security breaches including JP Morgan, Sony Hack, Anthem, Target, the OPM Breach, Snowden, Avast, the U.N. Breach etc. all involved the compromise and misuse of a single Active Directory privileged user account. Just ONE Active Directory Privileged User account.)

    Here's why I believe so. You see, no one, including these vendors, can make this determination accurately in any Active Directory deployment without possessing the ability to accurately determine effective permissions in Active Directory, and I know for a fact that not a single one of them possesses this paramount ability today.

    Now, even if one were to assume that they had the world's best Active Directory security experts who possessed the ability to accurately determine effective permissions in Active Directory manually or semi-manually, it would still take them weeks, if not months to make these determinations, domain-wide, and yet if you were to look closely at their glossy brochures, you'll see that the time frame of most of these offerings is a week or two.

    Having done this for two decades now, I can tell you that it is almost impossible for anyone, including myself, to manually determine effective permissions in any real-world Active Directory, with any degree of accuracy, in a week.

    So, if you're looking to get a professional Active Directory Risk Assessment done, you may want to ask the vendor as to whether or not they in fact do determine effective permissions to make this paramount determination. If they don't, you should know that you're not about to get the right picture vis-à-vis who has the Keys to your Kingdom.

    Please don't get me wrong. Most of these companies are great, well-intentioned companies, and can likely do a good job at assessing risks to most aspects of Active Directory. It is only in this ONE critical area that they remain unable to provide an adequately trustworthy picture, which in my opinion is vital for Active Directory Security, and I felt the need to share this with you just so you know the capabilities as well as limitations of such offerings.

  8. Most AD security solution vendors too may not know how to CORRECTLY Audit Privileged Access in AD

    Today there are several companies (vendors) that offer various solutions in the Active Directory Security space, and many of them claim to have solutions that can help organizations audit privileged access in Active Directory.

    I wish all such companies nothing but the best of success, BUT/AND solely in my technical capacity, I would like to point out that NOT a single solution by these vendors can accurately audit privileged access in Active Directory.

    The proof is very simple - there is one and only one way to accurately audit privileged access in Active Directory, and that involves accurately determining effective permissions on Active Directory objects, and I don't know of a single vendor that possesses this one simple, elemental and fundamental security capability.

    I will say that, professionally speaking, I find it a little unsettling that some vendors would make grandiose claims on their websites, when in fact, in essence, all that their solutions do is (simple) "Active Directory Permissions Analysis."

    In their defense, I should also mention that the only reason they may not be taking effective permissions into account is likely that, like most organizations, they too may not even have known about effective permissions.

    The only reason I mentioned this is to make organizations aware that they should know what it takes to accurately audit privileged access, and what their existing solutions, or those under consideration, are actually capable of.

    (The subtle but profound difference between "Permissions Analysis" and "Effective Permissions Analysis" is akin to the difference between relying on the results of an X-Ray when in fact you need the depth and fidelity of an MRI.)

    Fortunately, this is simple to figure out. All you have to do is ask a vendor - "Does your Active Directory privileged access audit solution calculate effective permissions in Active Directory (or does it only do permissions analysis)?"

  9. An organization is only as secure as is its foundational Active Directory, AND securing AD is NOT difficult

    Given Active Directory's foundational role in IT and in cyber security, it should not take a rocket scientist to figure out that if an organization's Active Directory is compromised, the entire organization could be compromised in minutes.

    It's actually quite simple - considering that literally everyone's accounts are in Active Directory, that all computers are joined to the Active Directory, that security policies for all computers are pushed out from Active Directory, and that all IT assets stored/hosted on thousands of computers are all protected using domain (Active Directory) security groups, it should be abundantly clear that should the Active Directory, or for that matter, should a single Active Directory privileged user's account be compromised, literally everything else could be compromised.

    Think of it this way. If your organization were a country, then its foundational Active Directory deployment would at a minimum be the country's Department of Defense (DoD), Department of State (DoS), Department of Transportation (DoT) and its Department of Homeland Security (DHS).

    The last I checked, the people and governments of just about every country on planet Earth know the paramount importance of these departments, and their budgets always ensure these departments are sufficiently funded.

    At every organization today, Active Directory Security must be the highest cyber security priority, the entire C-Suite of the organization must be cognizant of its paramount importance, and IT budgets for adequately securing and defending their Active Directory must be adequately funded.

    At every organization, Active Directory admins and the teams that are responsible for ensuring the security of the organization's foundational Active Directory must be adequately funded if they are to fulfill their responsibilities.

    (I could tell you a thousand stories about Active Directory admins from some of the most prestigious organizations in the world, many of which are multi-billion dollar companies, knocking at our doors for help, loving our solutions, wanting to deploy them, only to be told by their management that they have no budget to license any solutions.)

    You cannot expect them to get the job done without the proper tools/equipment, just like you cannot ask or expect TSA security personnel to perform a security check at the airport without proper screening equipment. If you do so, you run the risk of an explosive device (a massive cyber security breach) making it on to your plane (organization).

    Now, as to what it takes to secure Active Directory, contrary to popular belief, that isn't too hard, and that is the focus and purpose of this series, so in days to come, I'll share how every organization can easily do so.

  10. Do NOT get your eye OFF Active Directory Security, even if Microsoft may have

    I cannot stress this enough - your organization's foundational Active Directory is its lifeline, and you must not lose your focus on Active Directory Security. If you do so, your Active Directory could be easily compromised.

    Even though most high-profile cyber security breaches thus far have involved the compromise of Active Directory (and specifically an Active Directory privileged user account), thus far their impact has been (relatively) kid stuff.

    A proficient adversary who actually knows a thing or two about Active Directory Security could easily inflict colossal damage to ANY organization, making the $ 250 Million loss that Maersk recently incurred, look like petty change.

    Now, ideally Microsoft should be the one telling you this and helping all its organizational customers adequately and formidably bolster their Active Directory security defenses, (and no, I don't mean, it selling you Microsoft ATA.)

    (BTW, Microsoft Advanced Threat Analytics is merely a detection measure. In the list of security measures, detection comes third. The second is avoidance and the first is prevention. If all it can offer is detection, it's conceding that it can't offer the first two measures, and detection cannot help protect an organization against a determined adversary.)

    Sadly, these days, Microsoft, a company I deeply love and care about, seems to be primarily focused on all things Cloud and as a result, they seem to have virtually forgotten about mission-critical stuff like Active Directory security.

    • Side-note: It amazes me how the NEW Microsoft (so machiavellianly) first changed Microsoft Office to require a Microsoft cloud account, then changed Windows 10 to almost require the same, and then used this requirement to leave organizations with no choice but to at least integrate with their Cloud offering.

    But I digress. Here's my point - I understand that Microsoft is an American corporation driven by profits to maximize shareholder value, and thus it's going full-steam trying to sell its Cloud offering, and primarily looking out for its own interests, but what concerns and disappoints me is that, while doing so, it clearly seems to have forgotten about mission-critical stuff like Active Directory Security, mostly leaving organizations to fend for themselves.

    Along with great power comes great responsibility, and I had expected that Microsoft would at least continue to not lose focus on helping its organizational customers attain and maintain a sound Active Directory security posture.

    Thus, in their own best interest, organizations too must not forget that no matter how rosy a picture Microsoft might paint to their C-Level suite about its Cloud offering, as we stand here today, right now, at this very moment, these organizations are STILL standing and operating on their foundational Active Directory deployments.

    As to the Cloud, all I can say is that it is no magic bullet from a security perspective; what it certainly appears to be is a means for profit-driven American corporations to substantially increase their revenues, and get organizations and citizens to be more dependent on them. Whether or not that's a good thing, time may be the best judge.

    May organizations not forget that should their foundational Active Directory deployment be compromised TODAY, in the worst case scenario, they may not have an organization left to transition to the Cloud tomorrow.

    Your Active Directory deployment is an extremely high-value target, for in it lies the Keys to your Kingdom, and in its compromise lies a tremendous amount of profit for perpetrators, and an equal amount of loss to your organization, its employees and shareholders, so if I were you, I would not get my eye OFF it for one second (but then that's just me, perhaps because I know just how much damage could be inflicted, how quickly and quietly so.)

    Protect your Active Directory. If your C-Suite doesn't understand the paramount importance of doing so, maybe one could accidentally lock their account for a few hours, and when they can't logon, access email, browse anything or communicate with anyone, let them know what powers that account (and those of thousands of employees.)

Alright then, that's all for now. I would encourage you to give what I've shared above some thought, and maybe discuss it internally with fellow colleagues. If you liked what I shared, feel free to share it with others, and/or leave a comment.

Today's was a long post, so that's all for today, and for this week. I'll post Day-2 on Monday, May 11, 2020.


PS: Always Be Humble and Kind. (I'm a Nobody.)

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.