
Thursday, May 7, 2020

Welcome to "Active Directory Security for Cyber Security Experts"

Folks,

Hello. I hope this finds you doing well. Welcome to Day-1 of Active Directory Security for Cyber Security Experts.


Over the next 60 days, I intend to share technical insights on the paramount subject of Active Directory Security, including providing an instantly usable, downloadable (on Day-2) hands-on lab in a VM for everyone to work along with and learn.


Today, I'd like to share a few salient thoughts/observations with you regarding certain aspects of Active Directory Security that I've observed over the last few years, and hopefully these thought-provoking observations will set the stage for this series.

But, before I do so, perhaps a quick introduction may be helpful.



Quick Background

I'm Sanjay Tandon, CEO of Paramount Defenses, and formerly Microsoft Program Manager for Active Directory Security.

As you may know, from the U.S. Government to the global Fortune 1000, 85+% of organizations worldwide operate on AD.


Prior to establishing Paramount Defenses, from 2001 through 2005, as Program Manager for Active Directory Security, on Microsoft's flagship Windows Server Development Team, I was Microsoft's technical subject matter expert on AD Security.

During my Microsoft years, I designed technical features, presented at industry conferences (e.g. Microsoft TechEds), researched and authored Microsoft's official 400-page whitepaper on "Best Practices for Delegating Administration in Active Directory," as well as provided technical guidance to Microsoft's biggest customers and to MCS, PSS etc.

Prior to leaving Microsoft, I went to work for Microsoft IT, where I proposed and conducted a risk assessment of Microsoft's own foundational Active Directory deployment, and my recommendations substantially enhanced Microsoft's AD security.

In 2006 I founded Paramount Defenses, and led the development and delivery of the world's only tool that can accurately assess/analyze/audit who actually has what privileged access in Active Directory, the Microsoft-endorsed Gold Finger.

Over the last decade, my work (embodied in Gold Finger) has directly helped some of the most important and valuable organizations in the world, including the U.S. Department of Defense, the U.S. Treasury, U.S. Dept. of Transportation etc., several national governments, including the British government, the governments of Canada, Australia, Saudi Arabia etc., the United Nations, as well as some of the world's biggest companies including British Petroleum (a Fortune 10 company), Microsoft, IBM, Nestle etc. (the list is long) secure and defend their foundational Active Directory.

In short, I've been doing this for a bit now, so I know a little bit about this subject.

(The only reason I've shared my background with you is so that you hopefully take what I'll be sharing with you, seriously.)




The Motivation

With the background out of the way, before I share today's salient thoughts and commence this series, the only other thing I felt the need to share with you is to reiterate the motivation for conducting this series on Active Directory Security.


You see, from the entire U.S. Government to the global Fortune 1000, today over 85% of organizations worldwide operate on Active Directory, and as their foundation, the security of these foundational Active Directory deployments worldwide is absolutely paramount to cyber security worldwide. Let there be no mistake about that; none whatsoever.

Now, Active Directory has been around since 2000, so you'd expect most Active Directory deployments to be sufficiently secure by now. Unfortunately, I can tell you based on first-hand knowledge (as 1000s of orgs have knocked at our doors, unsolicited) that the Active Directory deployments of most organizations remain alarmingly vulnerable to compromise.

Thus, it is to help thousands of organizations worldwide adequately enhance their Active Directory security defenses, and to help millions of cyber security and IT personnel worldwide increase their knowledge, that I decided to put in this effort.

The list of the various subjects/topics that I intend to cover over the next 60 days can be found here.



Finally, A Few Thoughts

With those boring details out of the way, it's time to share some actual substantive stuff on Active Directory, and so today I would like to share the following few high-level, thought-provoking observations with you -

  • Note: More on each one of these points, in days to come.

  1. Active Directory is a highly secure(able) technology; it is secure by design and by default

    A few years ago, a certain company made the preposterous claim that "Active Directory is insecure by design and by default." They likely didn't know the first thing about Active Directory security, YET, likely because the folks in charge at Microsoft at that time didn't seem to know better either, they ended up being acquired by Microsoft.

    In reality, nothing could be further from the truth. Active Directory is a highly trustworthy and securable technology that is secure by design and by default. You just need to know how to secure it, and over the next 60 days, I am going to show you how to most easily operate a secure and resilient Active Directory.


  2. Credential-theft attack vectors have nothing to do with Active Directory Security

    Over the last few years, I've seen many cyber security experts confound deficiencies in Microsoft's implementation of Kerberos with deficiencies in Active Directory, and in most material out there on "Active Directory Security", much of the focus is largely on credential-theft attacks (Pass-the-Hash, Pass-the-Ticket, Kerberoasting etc.).

    In reality, strictly and technically speaking, it is deficiencies in Microsoft's implementation of Kerberos that make these attacks possible. Active Directory is merely the database that the KDC uses as its account database. Yes, indeed the KDC Service runs on domain-controllers, but if you think hard about it, Active Directory has nothing to do with these attacks, barring the fact that these attacks could be used to compromise Active Directory accounts.

    Active Directory Security concerns the security of the "Active Directory" itself, and that involves AD content security, DC security, the security afforded to AD privileged user accounts and groups and that afforded to AD backups.


  3. The #1 reason AD deployments are vastly vulnerable is that people in charge may not know/care enough

    Securing Active Directory is not difficult - it mostly requires basic know-how, but far more importantly, it requires an understanding and appreciation for the fact that Active Directory security is paramount and not to be taken lightly.

    Sadly, many, many organizations do not seem to have this appreciation, and as a consequence, there's hardly any discipline or rigor involved in establishing, managing and securing their foundational Active Directory deployment.

    It is this lax attitude combined with the lack of sufficient know-how that results in a situation wherein even the most basic requirements for Active Directory security are not in place, resulting in a vastly vulnerable Active Directory.

    Here are just a few examples - an excessive and unknown number of privileged users (resulting in a large attack surface), insecure administrative practices (resulting in credential theft opportunities), use of untrustworthy tooling, negligent DC security policies (enabling perpetrators to log on to a DC), complete lack of insight into who actually has what admin access in Active Directory (making even the use of inaccurate tools like Bloodhound effective) etc.

    In contrast, many of our customers easily run highly secure Active Directory deployments, with zero DAs, precisely delegated admin access, secure DCs, secure service accounts, complete insight into who has access in AD etc.

    More on this too, in days to come.


  4. If any ONE of these FIVE components is compromised, it's Game Over right then and there

    It should be common sense that if any ONE of these FIVE components is compromised, it's already Game Over -

    1) A single AD privileged user account or group, 2) A single domain controller, 3) A single administrative workstation, 4) A single AD backup, and if you have two-factor auth, 5) your PKI infrastructure or your multi-factor auth provider.

    Sadly, as they say, common sense is not so common, and at most organizations, today, no one even has a clue as to how many privileged users they have (let alone adequately protecting them), almost no one treats DCs like Fort Knox, most organizations don't have dedicated admin workstations for AD privileged users, and last but not least, many organizations do not adequately secure AD backups, so how can one expect AD deployments to be secure?!

    Now, consider this - if you go by the above, and agree that once a perpetrator has been able to log on to even a single Domain Controller it is ALREADY Game Over, then you'll hopefully agree that if someone gets to a position where they are able to create and use a Golden Ticket in your environment, it was ALREADY Game Over by then, because they could NOT have done so without having logged on to one of your Domain Controllers!


  5. Kerberoasting, Golden Tickets, Mimikatz DCSync and Bloodhound can actually all be easily defeated

    It is unfortunate that, for years now, so many self-proclaimed cyber security experts have confounded Kerberoasting, Golden Tickets etc. with weaknesses in Active Directory, and as a result have not even begun to actually focus on Active Directory Security. In that regard, Bloodhound is possibly the first tooling that may have actually focused on deficiencies/vulnerabilities that can be attributed to and in fact are a part of Active Directory Security.

    That said, in essence, here's how easy it is to defeat all of these threats (and details on all, in days to come) -

    Kerberoasting - Simply ensure that all your service accounts have long (>25 character) and complex passwords that are rotated every month, and you should have this mitigated. Managed service accounts in AD are ideal for this. Additionally, put in some effort to minimize the number of these service accounts that actually need to be members of privileged AD groups, and you will have minimized the impact of one of them being compromised.

    Golden Tickets - This should be the easiest one. You should never be in a position where a perpetrator is able to log on to one of your Domain Controllers, because as I have said, if you get there, you've already lost your entire Active Directory to them. Thus, hardening your default Domain Controllers policy (in every domain) to ensure that only the most highly trustworthy AD privileged users can even log on to your DCs can easily mitigate this threat. After you've sufficiently tightened your Domain Controllers policy, reset the password of the krbtgt account twice.

    Mimikatz DCSync - All you have to do is accurately calculate effective permissions on the root object of every Active Directory domain to determine who actually has two extended rights, Get Replication Changes and Get Replication Changes All, effectively granted, and you will have determined exactly who can run Mimikatz DCSync against your domain. Next, for every account that is on this list but should not be on it, determine how they're entitled to these effective permissions, and tweak the ACL or group membership to revoke their access, re-verify, and you're done.


    Bloodhound -

    Bloodhound actually focuses on deficiencies in Active Directory security, i.e. trying to find privilege escalation paths leading to AD privileged user accounts and groups, and it does so by attempting to analyze the vast ocean of security permissions in Active Directory, with the intention of identifying who can enact administrative tasks like password resets and group membership changes, which can be used to escalate privilege in Active Directory.

    In most Active Directory deployments today, Bloodhound will likely uncover a dangerously large number of privilege escalation paths, because most organizations have neither a clue nor the capability to even assess who is actually delegated/provisioned what access where and how in their Active Directory, and they've been operating for years.

    Fortunately, all that organizations need to do to mitigate the risk posed by Bloodhound is to themselves correctly audit and lockdown all privileged access delegated/provisioned in Active Directory. You see, once they've done that, even if a thousand perpetrators run Bloodhound against their AD a thousand times, they won't find a single privilege escalation path to exploit, simply because the organization would have already found and eliminated all of them.

    (Now, if you're thinking that correctly auditing and locking down privileged access in Active Directory is difficult, you're absolutely right. It is not only extremely difficult, it is expertise-reliant, time-consuming and almost impossible. Fortunately, someone has made accomplishing this massive task as easy as touching a button for the entire world.)

    • Side-note 1 - It is paramount to correctly audit and lock-down access in Active Directory because all the building blocks of organizational cyber security are stored in Active Directory, and thus it is imperative that organizations swiftly attain and consistently maintain least privileged access in Active Directory.

    • Side-note 2 - There is ONLY ONE CORRECT WAY to accurately determine/audit who actually has what privileged access in Active Directory, and that involves determining effective permissions on Active Directory objects. Sadly, most IT personnel do not know this, and merely "analyze permissions" today, getting inaccurate results. Bloodhound has the same deficiency, and thus delivers inaccurate results.



  6. Active Directory Permissions Analysis is Mostly Futile

    We can all hopefully agree that it's what is contained within Active Directory that is most vital to organizations.

    I'm referring to the domain user accounts (and credentials) of their entire workforce, including all their executive and privileged accounts, the domain computer accounts of virtually the entirety of their computers (i.e. all their laptops, desktops and servers) that are domain-joined to facilitate single-sign on and Kerberized access, and the thousands of domain security groups that are used to secure and control access to the entirety of their IT assets across their network, comprised of thousands of servers, databases, applications, desktops and just about everything else.

    Now, as you know, each one of these building blocks of organizational cyber security is an Active Directory object, protected by an access control list (ACL), within which reside numerous security permissions, each one of which allows or denies a specific type of access to some security principal (user, group, FSP etc.).

    Today, at most organizations, in order to find out who has what access in Active Directory, IT personnel resort to trying to find out "Who has what permissions in Active Directory?" This happens across the world, has been happening for years, and these IT personnel use tools like dsacls or write their own PowerShell scripts to do so.

    Organizations may also license an "Active Directory Permissions Analyzer" from one of many AD security vendors.

    Sadly, unbeknownst to them, and even to many self-proclaimed experts on Microsoft TechNet and other forums who may ignorantly offer PowerShell scripts to do so, they would ALL be wrong. Substantially and dangerously wrong.


    Here's why -

    Simply put, in any Active Directory object's ACL, there are many permissions specified for many security principals, some of which may allow access while others may deny access, some of which may be explicitly set while others may be inherited, some of which may apply to the object while others may exist solely for inheritance, and it is their COLLECTIVE impact that determines the actual access that a specific user has on the object.

    In short, merely trying to find out "Who has what permissions in Active Directory" will NOT reveal the actual picture, and in fact it is very difficult to accurately determine the actual picture by just performing permissions analysis.

    You see, what actually governs who can do what in Active Directory and who actually has what access in AD is not "Who has what permissions in Active Directory" but "Who has what effective permissions in Active Directory".

    Specifically, it is the effective permissions (aka Effective Access in Windows Server 2016 and beyond) that a user has on an Active Directory object that governs what he/she can actually do on that Active Directory object.
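    As an added illustration of the difference drawn above between "permissions analysis" and effective permissions, and of the DCSync audit described in point 5, here is a small Python model (my own constructed example, not code from this post, from Microsoft or from any vendor's tool) of how Windows walks a DACL to decide whether a given user effectively holds the two replication extended rights. The ACE model, the sample DACL, the group memberships and all principal names are constructed and simplified (real evaluation also involves property sets, owner rights and validated writes); only the two GUIDs are real schema rightsGuid values.

```python
"""Simplified model of how Windows evaluates an AD object's DACL for an
extended (control-access) right, contrasting a plain "who has what
permissions" listing with effective-permissions analysis.

Constructed example: the Ace model, sample DACL, principal names and group
memberships are made up for illustration. Only the two GUIDs are real (the
rightsGuid values of DS-Replication-Get-Changes and
DS-Replication-Get-Changes-All, the rights DCSync relies on).
"""
from dataclasses import dataclass
from typing import Optional

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit of the access mask


@dataclass(frozen=True)
class Ace:
    allow: bool                        # False => access-denied ACE
    trustee: str                       # user or group the ACE names
    mask: int                          # access-mask bits
    object_type: Optional[str] = None  # None => covers every extended right
    inherited: bool = False            # flowed down from a parent object
    inherit_only: bool = False         # exists only to be inherited by children


def canonical_order(dacl):
    """Windows stores a DACL in canonical order (explicit deny, explicit
    allow, inherited deny, inherited allow) and evaluates it top to bottom.
    Sorting stably here makes the result independent of list-building order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def ace_covers(ace, right_guid):
    """Does this ACE speak to the requested extended right at all?"""
    return bool(ace.mask & CONTROL_ACCESS) and ace.object_type in (None, right_guid)


def has_effective_right(dacl, token, right_guid):
    """Evaluate one extended right for a token (the caller's own identity
    plus every group it belongs to, transitively). The first applicable ACE
    that names a token member decides; no match means access is denied."""
    for ace in canonical_order(dacl):
        if ace.inherit_only:           # applies to child objects, not this one
            continue
        if ace.trustee in token and ace_covers(ace, right_guid):
            return ace.allow
    return False


def expand_token(principal, member_of):
    """Transitive closure of group membership (nested groups included)."""
    token, todo = {principal}, [principal]
    while todo:
        for group in member_of.get(todo.pop(), ()):
            if group not in token:
                token.add(group)
                todo.append(group)
    return frozenset(token)


def permissions_analysis(dacl, rights=DCSYNC_RIGHTS):
    """What a typical "who has what permissions" script reports: trustees of
    allow ACEs mentioning the rights. Deny ACEs, inherit-only ACEs and group
    nesting are ignored, so the list is wrong in both directions."""
    return {ace.trustee for ace in dacl
            if ace.allow and any(ace_covers(ace, r) for r in rights)}


def effective_dcsync_principals(dacl, users, member_of):
    """Users who effectively hold BOTH replication rights on the object."""
    return {u for u in users
            if all(has_effective_right(dacl, expand_token(u, member_of), r)
                   for r in DCSYNC_RIGHTS)}


# Constructed DACL for a domain root object; names stand in for SIDs.
SAMPLE_DACL = [
    Ace(True, "Domain Controllers", CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace(True, "Domain Controllers", CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace(True, "Replication Admins", CONTROL_ACCESS),                    # all extended rights
    Ace(False, "alice", CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),  # explicit deny
    Ace(True, "bob", CONTROL_ACCESS, inherit_only=True),                 # children only
    Ace(True, "Legacy Backup Grp", CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace(True, "Legacy Backup Grp", CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
]
SAMPLE_MEMBER_OF = {                  # principal -> groups it is a direct member of
    "alice": {"Replication Admins"},
    "carol": {"Tier0 Svc"},
    "Tier0 Svc": {"Legacy Backup Grp"},  # nested group membership
    "dc01$": {"Domain Controllers"},
}
SAMPLE_USERS = ["alice", "bob", "carol", "dave", "dc01$"]

if __name__ == "__main__":
    print("Permissions analysis lists:", sorted(permissions_analysis(SAMPLE_DACL)))
    print("Effective DCSync-capable users:",
          sorted(effective_dcsync_principals(SAMPLE_DACL, SAMPLE_USERS, SAMPLE_MEMBER_OF)))
```

    The contrast is the point: the permissions listing names bob (an inherit-only ACE that grants nothing on the object) and a group, but never carol, whereas the effective evaluation shows that carol (via a nested group) and dc01$ can replicate while alice, despite her group membership, cannot because of the explicit deny.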

    I'm not going to go into the details of Active Directory Effective Permissions today, but suffice it to say that even in Microsoft's own tooling (ADUC etc.), of the three tabs in the Advanced section of the Security tab, the first being for Permissions, and the second being for Auditing, the final one is for Effective Permissions (aka Effective Access).

    Sadly, Microsoft's Effective Permissions (aka Effective Access) Tab is woefully inadequate and inaccurate, as is this little piece of freeware, and you'll know why the first time you attempt to use either. (More on this in days to come.)


  7. Most Active Directory Risk Assessment programs/offerings fall short in ONE critical area

    Let me switch gears a little bit and share a few thoughts on various Active Directory risk assessment programs.

    For many organizations, a professional risk assessment may be a good starting point, so I felt they should know the limits of the various risk assessment programs out there, so they don't end up with a false sense of security.

    Several reputable cyber security companies (including Microsoft) offer Active Directory risk assessment offerings, and while most of them likely cover assessing risks to about 80% of the AD attack surface (at least at a high level), it is my professional opinion that none of them can trustworthily assess risk in the most important area of Active Directory security, which is "accurately identifying who actually has what privileged access in Active Directory."

    (If you don't think that the accurate identification of privileged users in Active Directory is important, consider that the vast majority of all major recent cyber security breaches including JP Morgan, Sony Hack, Anthem, Target, the OPM Breach, Snowden, Avast, the U.N. Breach etc. all involved the compromise and misuse of a single Active Directory privileged user account. Just ONE Active Directory Privileged User account.)

    Here's why I believe so. You see, no one, including these vendors, can make this determination accurately in any Active Directory deployment without possessing the ability to accurately determine effective permissions in Active Directory, and I know for a fact that not a single one of them possesses this paramount ability today.

    Now, even if one were to assume that they had the world's best Active Directory security experts who possessed the ability to accurately determine effective permissions in Active Directory manually or semi-manually, it would still take them weeks, if not months to make these determinations, domain-wide, and yet if you were to look closely at their glossy brochures, you'll see that the time frame of most of these offerings is a week or two.

    Having done this for two decades now, I can tell you that it is almost impossible for anyone, including myself, to manually determine effective permissions in any real-world Active Directory, with any degree of accuracy, in a week.

    So, if you're looking to get a professional Active Directory Risk Assessment done, you may want to ask the vendor as to whether or not they in fact do determine effective permissions to make this paramount determination. If they don't, you should know that you're not about to get the right picture vis-à-vis who has the Keys to your Kingdom.

    Please don't get me wrong. Most of these companies are great, well-intentioned companies, and can likely do a good job at assessing risks to most aspects of Active Directory. It is only in this ONE critical area that they remain unable to provide an adequately trustworthy picture, which in my opinion is vital for Active Directory Security, and I felt the need to share this with you just so you know the capabilities as well as limitations of such offerings.


  8. Most AD security solution vendors too may not know how to CORRECTLY Audit Privileged Access in AD

    Today there are several companies (vendors) that offer various solutions in the Active Directory Security space, and many of them claim to have solutions that can help organizations audit privileged access in Active Directory.

    I wish all such companies nothing but the best of success, BUT/AND solely in my technical capacity, I would like to point out that NOT a single solution by these vendors can accurately audit privileged access in Active Directory.

    The proof is very simple - there is one and only one way to accurately audit privileged access in Active Directory, and that involves accurately determining effective permissions on Active Directory objects, and I don't know of a single vendor that possesses this one simple, elemental and fundamental security capability.

    I will say that, professionally speaking, I find it a little unsettling that some vendors would make grandiose claims on their websites, when in fact, in essence, all that their solutions do is (simple) "Active Directory Permissions Analysis."

    In their defense, I should also mention that likely the only reason they may not be taking effective permissions into account is because like most organizations, they too may likely not even have known about effective permissions.

    The only reason I mentioned this is to make organizations aware that they should know what it takes to accurately audit privileged access, and what their existing solutions, or those under consideration, are actually capable of.

    (The subtle but profound difference between "Permissions Analysis" and "Effective Permissions Analysis" is akin to the difference between relying on the results of an X-Ray when in fact you need the depth and fidelity of an MRI.)

    Fortunately, this is simple to figure out. All you have to do is ask a vendor - "Does your Active Directory privileged access audit solution calculate effective permissions in Active Directory (or does it only do permissions analysis)?"


  9. An organization is only as secure as is its foundational Active Directory, AND securing AD is NOT difficult

    Given Active Directory's foundational role in IT and in cyber security, it should not take a rocket scientist to figure out that if an organization's Active Directory is compromised, the entire organization could be compromised in minutes.

    It's actually quite simple - considering that literally everyone's accounts are in Active Directory, that all computers are joined to the Active Directory, that security policies for all computers are pushed out from Active Directory, and that all IT assets stored/hosted on thousands of computers are all protected using domain (Active Directory) security groups, it should be abundantly clear that should the Active Directory, or for that matter, should a single Active Directory privileged user's account be compromised, literally everything else could be compromised.

    Think of it this way. If your organization were a country, then its foundational Active Directory deployment would at a minimum be the country's Department of Defense (DoD), Department of State (DoS), Department of Transportation (DoT) and its Department of Homeland Security (DHS).

    The last I checked, the people and governments of just about every country on planet Earth know the paramount importance of these departments, and their budgets always ensure these departments are sufficiently funded.

    At every organization today, Active Directory Security must be the highest cyber security priority, the entire C-Suite of the organization must be cognizant of its paramount importance, and IT budgets for adequately securing and defending their Active Directory must be adequately funded.

    At every organization, Active Directory admins and the teams that are responsible for ensuring the security of the organization's foundational Active Directory must be adequately funded if they are to fulfill their responsibilities.

    (I could tell you a thousand stories about Active Directory admins from some of the most prestigious organizations in the world, many of which are multi-billion dollar companies, knocking at our doors for help, loving our solutions, wanting to deploy them, only to be told by their management that they have no budget to license any solutions.)

    You cannot expect them to get the job done without the proper tools/equipment, just like you cannot ask or expect TSA security personnel to perform a security check at the airport without proper screening equipment. If you do so, you run the risk of an explosive device (a massive cyber security breach) making it on to your plane (organization).

    Now, as to what it takes to secure Active Directory, contrary to popular belief, that isn't too hard, and that is the focus and purpose of this series, so in days to come, I'll share how every organization can easily do so.


  10. Do NOT take your eye OFF Active Directory Security, even if Microsoft may have

    I cannot stress this enough - your organization's foundational Active Directory is its lifeline, and you must not lose your focus on Active Directory Security. If you do so, your Active Directory could be easily compromised.

    Even though most high-profile cyber security breaches thus far have involved the compromise of Active Directory (and specifically an Active Directory privileged user account), thus far their impact has been (relatively) kid stuff.

    A proficient adversary who actually knows a thing or two about Active Directory Security could easily inflict colossal damage to ANY organization, making the $ 250 Million loss that Maersk recently incurred, look like petty change.


    Now, ideally Microsoft should be the one telling you this and helping all its organizational customers adequately and formidably bolster their Active Directory security defenses (and no, I don't mean it selling you Microsoft ATA.)

    (BTW, Microsoft Advanced Threat Analytics is merely a detection measure. In the list of security measures, detection comes third. The second is avoidance and the first is prevention. If all it can offer is detection, it's conceding that it can't offer the first two measures, and detection cannot help protect an organization against a determined adversary.)

    Sadly, these days, Microsoft, a company I deeply love and care about, seems to be primarily focused on all things Cloud and as a result, they seem to have virtually forgotten about mission-critical stuff like Active Directory security.

    • Side-note: It amazes me how the NEW Microsoft (so machiavellianly) first changed Microsoft Office to require a Microsoft cloud account, then changed Windows 10 to almost require the same, and then used this requirement to leave organizations with no choice but to at least integrate with their Cloud offering.

    But I digress. Here's my point - I understand that Microsoft is an American Corporation driven by profits to maximize shareholder value, and thus it's going full-steam trying to sell its Cloud offering, and primarily looking out for its own interests, but what concerns and disappoints me is that, in doing so, it clearly seems to have forgotten about mission-critical stuff like Active Directory Security, mostly leaving organizations to fend for themselves.

    Along with great power comes great responsibility, and I had expected that Microsoft would at least continue to not lose focus on helping its organizational customers attain and maintain a sound Active Directory security posture.

    Thus, in their own best interest, organizations too must not forget that no matter how rosy a picture Microsoft might paint to their C-Level suite about its Cloud offering, as we stand here today, right now, at this very moment, these organizations are STILL standing and operating on their foundational Active Directory deployments.

    As to the Cloud, all I can say is that it is no magic bullet from a security perspective; what it certainly appears to be is a means for profit-driven American corporations to substantially increase their revenues, and get organizations and citizens to be more dependent on them. Whether or not that's a good thing, time may be the best judge.

    May organizations not forget that should their foundational Active Directory deployment be compromised TODAY, in the worst case scenario, they may not have an organization left to transition to the Cloud tomorrow.


    Your Active Directory deployment is an extremely high-value target, for in it lie the Keys to your Kingdom, and in its compromise lies a tremendous amount of profit for perpetrators, and an equal amount of loss to your organization, its employees and shareholders, so if I were you, I would not take my eye OFF it for one second (but then that's just me, perhaps because I know just how much damage could be inflicted, how quickly and quietly so.)

    Protect your Active Directory. If your C-Suite doesn't understand the paramount importance of doing so, maybe one could accidentally lock their account for a few hours, and when they can't logon, access email, browse anything or communicate with anyone, let them know what powers that account (and those of thousands of employees.)




Alright then, that's all for now. I would encourage you to give what I've shared above some thought, and maybe discuss it internally with fellow colleagues. If you liked what I shared, feel free to share it with others, and/or leave a comment.

Today's was a long post, so that's all for today, and for this week. I'll post Day-2 on Monday, May 11, 2020.

Thanks,
Sanjay.


PS: Always Be Humble and Kind. (I'm a Nobody.)

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.