
Monday, October 7, 2024

The American Defense Industrial Complex operates on Active Directory


Folks,

From the U.S. Department of Defense to the Israeli Defense Forces, Microsoft to Nvidia, and Lockheed Martin to Palantir, today virtually the entire American Defense Industrial Complex operates on Microsoft Active Directory.

In fact, the entire United States Government, as well as the Fortune 100 and Wall Street also operate on Active Directory.


For those who may not know, Active Directory is one of the most important and trustworthy foundational technologies ever built, and it provides two paramount imperatives that the Cloud cannot - operational autonomy and organizational privacy.

Consequently, Active Directory lies at the very foundation of national security, defense and corporate security worldwide.



The National Security Agency Agrees

The stated mission of NSA in cybersecurity is to prevent and eradicate threats to U.S. national security systems with a focus on the Defense Industrial Base and the improvement of its weapons’ security.


Active Directory Security is so important to global security, that just last fortnight, the National Security Agency (NSA) and the Australian Signals Directorate (ASD) issued joint guidance on how to mitigate Active Directory attacks, and I quote -


"Active Directory is the most widely used authentication and authorization solution in enterprise Information Technology (IT) networks globally.

Like numerous other networks, Active Directory is used in many Department of Defense and Defense Industrial Base networks as a critical component for managing identities and access.

This makes it an attractive target for malicious actors to attempt to steal the proverbial 'keys to the kingdom.' Taking steps to properly defend AD from these common and advanced techniques will detect and prevent adversary activities and protect sensitive data from determined malicious cyber actors."


To state it as simply as one can, the National Security Agency (NSA) of the United States of America just confirmed not only what we've been saying for years, but also the paramount importance of what it is we do at Paramount Defenses.

You see, the number one way to steal the proverbial Keys to the Kingdom that the NSA is referring to is Active Directory Privilege Escalation, and in fact we had released the underlying technical facts in The Paramount Brief way back in 2014.

I wonder what took the NSA so long. We've been saying this for a decade - 2014, 2015, 2016, 2017, 2018, 2019, 2020.



This is Paramount

The accurate assessment of privileged access in Active Directory is absolutely paramount to organizational cyber security.

As every cyber security professional, Domain Admin and CISO worth his/her salt knows well, the most important (the #1) measure in all of organizational cyber security and in Active Directory security is the attainment of Least Privilege Access (LPA) in Active Directory, which involves accurately assessing and then locking-down privileged access in Active Directory, and one simply cannot do so without the ability to accurately assess privileged access in Active Directory.




Decision Support (aka Proof)

At the heart of both the SolarWinds Breach and the Colonial Pipeline Hack lay privileged access in Active Directory.
Both these attacks could've been prevented if only organizations had attained and maintained LPA in Active Directory.

Here's why / consider this - the Top-5 ways of escalating privilege in Active Directory are i) DC Sync eff-perms / WD eff-perms on the domain root, ii) WD eff-perms on AdminSDHolder, iii) CR-Reset Password eff-perms on any AD admin account, iv) WP-member eff-perms on any AD admin group, and v) WP - GP Link and GP Options eff-perms on the default DC OU.

Anyone who has any of these eff-perms in AD owns the organization, and can completely destroy it, should they so desire, so at an absolute minimum*, assessing and locking-down the above eff-perms domain-wide is absolutely paramount.

*Oh, and this is merely the tip of the iceberg. Consider the following - 
Anyone and everyone who has { CR-Reset Password or WD or WO } eff-perms on any AD user account in the domain can own that account in one second. Anyone who has { WP-Member or WD or WO } eff-perms on any AD group in the domain can control that group in one second (and access everything it protects). Anyone who has { WD or WO } eff-perms on an(y) OU in the domain can own every* object in that OU, and easily escalate privilege and/or control and/or destroy everything in it.

Pro Tip for Amateurs - Count the number of times I've said eff-perms above, because it is NOT perms, but eff-perms (aka Active Directory Effective Permissions) that control everything in AD. Permissions analysis is almost useless.

Organizations that do not know who has what eff-perms in their AD are dangerously operating in the proverbial dark.
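To make the perms versus eff-perms distinction above concrete, here is an added illustrative model (not Gold Finger's code and not Microsoft's access-check implementation; it ignores object-type-specific ACEs, NO_PROPAGATE flags and the OWNER RIGHTS SID). It orders a small constructed DACL canonically, expands nested groups, applies the owner's implicit rights and lets the first matching ACE win per right, so that `who_can` answers the "who holds this eff-perm here" question; all names, right strings and the sample domain are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Right names follow the page: WD = Write DACL, WO = Write Owner,
# RC = Read Control, WP-member = write the "member" attribute,
# CR-ResetPassword = the Reset Password control-access right.

@dataclass
class Ace:
    trustee: str                 # user or group name (stands in for a SID)
    rights: FrozenSet[str]
    allow: bool = True           # False makes this a deny ACE
    inherit: bool = False        # propagates to child objects
    inherit_only: bool = False   # applies to children only, not this object

@dataclass
class AdObject:
    name: str
    parent: Optional[str]
    owner: str
    dacl: List[Ace] = field(default_factory=list)  # explicit ACEs only

# An owner implicitly holds Read Control and Write DACL, ACE or no ACE.
IMPLICIT_OWNER_RIGHTS = frozenset({"RC", "WD"})

def token_groups(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Expand group membership transitively, so nested groups count."""
    token, stack = {principal}, [principal]
    while stack:
        member = stack.pop()
        for group, members in groups.items():
            if member in members and group not in token:
                token.add(group)
                stack.append(group)
    return token

def full_dacl(obj_name: str, directory: Dict[str, AdObject]) -> List[Ace]:
    """Canonical order: explicit denies, explicit allows, then ACEs inherited
    from each ancestor (nearest first), denies before allows at each level."""
    obj = directory[obj_name]
    explicit = [a for a in obj.dacl if not a.inherit_only]
    ordered = [a for a in explicit if not a.allow] + [a for a in explicit if a.allow]
    parent = obj.parent
    while parent is not None:
        inherited = [a for a in directory[parent].dacl if a.inherit]
        ordered += [a for a in inherited if not a.allow] + [a for a in inherited if a.allow]
        parent = directory[parent].parent
    return ordered

def effective_rights(obj_name: str, principal: str, directory: Dict[str, AdObject],
                     groups: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Walk the ordered DACL: for each right, the first matching ACE wins."""
    token = token_groups(principal, groups)
    granted: Set[str] = set()
    denied: Set[str] = set()
    if directory[obj_name].owner in token:
        granted |= IMPLICIT_OWNER_RIGHTS
    for ace in full_dacl(obj_name, directory):
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.rights - denied
        else:
            denied |= ace.rights - granted
    return frozenset(granted)

def who_can(obj_name, right, principals, directory, groups) -> Set[str]:
    """The assessment question: which principals effectively hold `right` here?"""
    return {p for p in principals
            if right in effective_rights(obj_name, p, directory, groups)}

# Constructed sample domain (not real data). Helpdesk may reset passwords
# domain-wide, except under the admin OU, where an inherited deny blocks it.
DIRECTORY = {
    "DC=corp": AdObject("DC=corp", None, "Domain Admins", [
        Ace("Domain Admins", frozenset({"WD", "WP-member", "CR-ResetPassword"}), inherit=True),
        Ace("Helpdesk", frozenset({"CR-ResetPassword"}), inherit=True, inherit_only=True),
    ]),
    "OU=Admins": AdObject("OU=Admins", "DC=corp", "Domain Admins", [
        Ace("Helpdesk", frozenset({"CR-ResetPassword"}), allow=False, inherit=True),
    ]),
    "OU=Staff": AdObject("OU=Staff", "DC=corp", "Domain Admins"),
    "CN=jdoe": AdObject("CN=jdoe", "OU=Staff", "Domain Admins"),
    # Stale owner: bob created this admin account long ago and still owns it,
    # so he holds WD on it without appearing in a single ACE.
    "CN=DA-Backup": AdObject("CN=DA-Backup", "OU=Admins", "bob"),
}
GROUPS = {"Domain Admins": {"carol"}, "Helpdesk": {"Tier1-Ops"}, "Tier1-Ops": {"alice"}}
PRINCIPALS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for obj in ("CN=jdoe", "CN=DA-Backup"):
        for right in ("CR-ResetPassword", "WD"):
            print(obj, right, sorted(who_can(obj, right, PRINCIPALS, DIRECTORY, GROUPS)))
```

A raw ACE listing for CN=DA-Backup shows only "Domain Admins" and a Helpdesk deny, yet the effective result also includes bob (via ownership) and excludes alice (nested Helpdesk member, blocked by the inherited deny).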




Extremely Difficult

The accurate determination of access entitlements, i.e. who has what privileged access where and how, in Active Directory is extremely difficult and error-prone, and likely one of the biggest challenges in organizational cyber security today.
It is extremely difficult because it involves analyzing millions of individual access control specifications that cumulatively impact resultant access, and thus involves meticulously connecting millions of dots with absolutely zero room for error.

There is no room for error, because like performing heart surgery or screening baggage at airports, even a single error could result in an unmitigated privilege escalation path that could be used to completely destroy an entire organization.

The process is akin to finding a thousand unique needles in a haystack the size of One World Trade Center, New York, wherein, to ensure security, it is paramount that each and every single needle in the entire haystack be found.





Mission Accomplished

For anyone who may not yet know, there is one and only one cyber security solution in the entire world that can accurately assess privileged access in Active Directory - our unique, unrivaled, all-American, Microsoft-endorsed Gold Finger.

Gold Finger is the only cyber security solution in the world that can accurately assess access entitlements i.e. who has what privileged access in Active Directory, based on the accurate determination of effective permissions in Active Directory.

Let there be no ambiguity about that cardinal technical fact, none whatsoever. Although there are over twenty solutions that claim to be able to assess privileged access in Active Directory, not even one of them can do so accurately, because there is one and only correct way to accurately assess privileged access in Active Directory and that involves the accurate determination of Active Directory Effective Permissions, which is extremely difficult, and none of those solutions do so.

Not a single one of them.

As such, the method and system for the accurate determination of who has what access entitlements in Active Directory, including of course privileged access, and privilege escalation paths, is governed by our patent, U.S. Patent 8429708.




The Bible of Access Assessment

I should also mention this is no ordinary patent. It is the Bible of how to accurately assess access in an IT system wherein access is controlled using ACLs, and today, over 75 patents from many of the world's top cyber security companies cite it, including Microsoft, Amazon, IBM, VMware, McAfee, CyberArk, FireEye, Dell, Palantir and others.


Our patented, Microsoft-endorsed accurate effective access assessment capabilities, embodied in our Gold Finger, Gold Finger Mini and Gold Finger 007G solutions, are unique in their ability to enable organizations to fulfill this paramount objective, and over the last decade, from the U.S. DoD to the United Nations and from the U.S. Treasury to several Fortune 100 companies, they have been instrumental in helping so many important organizations attain and maintain LPA in AD.



Simply Unrivaled  (F-35)

To give the world an idea of just how capable and superlative our access assessment technology is, consider this -

Gold Finger can accurately assess exactly who has what privileged access, where and how, domain-wide in any Active Directory domain in the world, comprised of thousands of objects, within just minutes, and at the touch of a button. 

To put that in perspective, in less time than the Generals in the U.S. Military can brief the U.S. Secretary of Defense as to the state of cyber security of their respective forces, or for that matter in less time than the CEO of Microsoft has an hourly meeting with his top cyber security experts, Gold Finger can find out exactly who has not just the Keys to the Kingdom, but also who has the keys to every single door in the kingdom, in every Active Directory domain in the U.S. Dept. of Defense.

In fact, we recently offered to give away up to one hundred million dollars in software to any and every organization or professional who could provably show us even one tool in the world that can do what Gold Finger's privileged access assessment capabilities can, and guess how many organizations/professionals have taken us up on the offer thus far? 

Zero! Need one say more?



In Closing

In closing, I will only add that at Paramount Defenses we continue to be laser-focused on Active Directory security because it is absolutely paramount to the national security of the United States of America, and that of 100+ countries worldwide. 

You see, there can be no national security without a government having operational autonomy and organizational privacy, and only Active Directory makes these two imperatives possible. Fortunately, today every organization in the world that wishes to do so can easily attain and maintain least privilege access (LPA) in their foundational Active Directory domains, thereby measurably eliminating 99% of avenues of privilege escalation to the "Keys to the Kingdom" in Active Directory.


That's all for now.

Best wishes,
Sanjay.

Tuesday, September 24, 2024

Which is the most powerful country in the world today?

Folks,

In light of current geopolitical events, I'd like to ask a very simple question, one that the entire world ought to consider, posed above.

Is it -

A. The United States of America

B. The United Kingdom

C. Russia

D. China

E. Some other country (If so, which one?)


I'll leave you with a hint - based on current geopolitical events it appears it's not the country you think it is, and it's not the country that thinks it is the most powerful country in the world. (You see, another country's clout seems to be running it.)

To the wise, I needn't say more (, so I won't.)

Thanks,
Sanjay

Thursday, August 8, 2024

Iran COULD launch a cyber attack on Microsoft prior to an attack on Israel

Folks,

I hope this finds you doing well. Today's post will be short, because we strive not to comment on any geopolitical events, but out of an abundance of caution, I felt the need to state that which may/should already be obvious to the entire world.

It is a well-known fact that Israel, like many countries in the western world, is a highly digital nation, wherein thousands of its business and government organizations across all sectors e.g. financial, transport, medical, government, defense etc., have and thus operate a digital IT infrastructure.


For the last two decades, for the most part, most of these organizations have been operating on trustworthy, autonomously (independently) operable "on-premises" Microsoft technologies, primarily, Active Directory, Exchange and Office, which enabled and empowered these organizations to operate securely and autonomously without having to rely on anyone else.

However, over the past few years, under the guise of "modernization", Microsoft has been spending billions of dollars to convince/persuade organizations to transition over to its new subscription-based Cloud offerings, Azure and 365 (Office).

As a result, in all likelihood, today thousands of business and government organizations in Israel are now likely using, i.e. relying on, Microsoft 365 and Microsoft Azure for likely all organizational communications, access, management and security.

To put it in layman's terms for the world's populace, today, in all likelihood, communication, productivity and security at thousands of business and government organizations in Israel depend on Microsoft Azure and Microsoft 365.


In light of this elemental fact, it would appear that a successful attack on Microsoft Corporation's various Cloud Services could have a disruptive impact on the digital foundation of thousands of business and government organizations in Israel.

For instance, hypothetically speaking, a cyber attack that could result in a successful denial-of-service (DoS) attack on just Microsoft 365 services to thousands of Israeli organizations, could impact many mission-critical services across Israel.


In light of the above, if, as is being widely reported, Iran were to launch a strike on Israel, it seems possible that it could also try to launch a cyber attack on Microsoft prior to doing so, to try and disrupt essential services/comms within Israel.



It must be mentioned that Microsoft is a successful American Corporation and likely has many cyber defenses in place. However, it must be noted that, unlike script-kiddies or lone wolves, when a nation state decides to wage a cyber attack, it has the financial and operational resources of an entire nation at its disposal, and you have to ask yourself whether the defenses of what is basically a for-profit business may be adequate against a proficient, nation-state cyber adversary.

It must also be stated that there are many Israeli cyber security companies today, including several prominent publicly-held American Corporations, and there are many Israelis working in cyber security within Microsoft, and yet, logically speaking, no cyber security company can protect an organization from the impact of a successful denial-of-service attack launched against Microsoft 365 i.e. I mean, if there is no service, there is no service, period. (All email, access etc. comes to a halt.)


That's all I wanted to say today. This is all public knowledge, but I felt the need to state it out of an abundance of caution.

Sincerely,
Sanjay.


PS: Please note that the perspective shared above is not unique to Israel. Today, thousands of organizations worldwide have basically taken on a mission-critical dependency on Microsoft Cloud Services, having relinquished operational autonomy for a semblance of better security, and a formidable cyberattack on Microsoft could impact all of them.

Friday, July 12, 2024

Introducing a FREE Active Directory Privileged Access Assessment Service


Folks,

At Paramount Defenses, we care deeply about the foundational cyber security of all organizations worldwide, and we remain committed to helping organizations secure their foundational Active Directory deployments.

Towards that objective, it is my privilege to announce that today we are introducing a free service to help all organizations worldwide instantly obtain an accurate assessment of the state of privileged access in their foundational Active Directory.

Without further ado, I'd like to introduce our 100% FREE Active Directory Privileged Access Assessment Service.



Unique and 100% Free

This service is 100% free, with no strings attached, and no obligation of any sort, and is intended to help organizations determine exactly how many individuals possess privileged access in their foundational Active Directory domains.

The most important and novel aspect of this service is that it is unlike any other in the world, because it is the only service that can deliver such paramount insights based on the accurate determination of Active Directory Effective Permissions.


Accurate and Instant Insights

This unique service is powered by our unique, unrivaled Microsoft-endorsed Gold Finger software tooling, which uniquely enables us to instantly deliver accurate Active Directory privileged access insights to organizations worldwide.

In less than an hour, every organization that wants to know, can now have the following determinations, for free - 

  1. How many users can create domain user accounts in Active Directory?
  2. How many users can delete domain user accounts in Active Directory?
  3. How many users can reset the passwords of domain user accounts in Active Directory?
  4. How many users can disable Smartcard use on domain user accounts in Active Directory?
  5. How many users can enable disabled domain user accounts in Active Directory?
  6. How many users can modify domain security groups memberships in Active Directory?
  7. How many users can link group policies to organizational units in Active Directory?
  8. How many users can modify security permissions domain-wide in Active Directory?
  9. How many users can modify the ACL protecting the AdminSDHolder object in Active Directory?
  10. How many users can replicate secrets (password hashes) from Active Directory?

These are merely a few of the many Active Directory privileged access insights that we can instantly deliver to any and every organization in the world. We can actually answer just about any question related to effective access in any AD, so if your organization has any specific/niche needs, just let us know, and we'll be happy to help you figure it out in minutes.

Of course, if you want to know the simple stuff like how many users have any kind of permissions in Active Directory, how many users own objects in Active Directory etc., that's 100 times easier to figure out, and we'll do that as well, all for free. 



A Limited Opportunity

At Paramount Defenses, we care deeply about the foundational cyber security of all organizations worldwide, and are happy to be able to offer this unique and valuable service free of cost to help organizations across the world.

Today, thousands of organizations in over a hundred and seventy countries worldwide operate on Active Directory (AD), and that makes it difficult for us to be able to offer this service to every single organization that may wish to avail of it. 

We have thus decided to offer this service to the first one thousand (1000) organizations that request it, from each country, at our discretion, and capacity permitting, we will strive to accommodate all additional requests on a best-efforts basis.



How to Sign-up

Organizations that wish to avail of this unique, free service can do so by submitting their request on the service page here.

You can also find a list of helpful frequently asked questions (FAQ) related to the service at the bottom of the page.

Finally, to help you get some perspective, you may want to consider the above, in light of what I've shared here.


That wraps up the little announcement that we wanted to make today. Thank you very much.

Best wishes,
Sanjay

Thursday, July 11, 2024

Our Cloud/Modernization Strategy - We Impose ZERO TRUST in the Cloud

Folks,

Hello. I hope this finds you doing well. Let me begin by saying that we are slated to make a small announcement today or tomorrow, and this post is NOT that announcement. That should likely follow in a few hours, or tomorrow.


Our Cloud/Modernization Strategy - We Impose ZERO TRUST in the Cloud

In this post, I wanted to take a few moments to share our Cloud/Modernization strategy.

There appears to be a narrative in the world, likely funded by the world's many Cloud Computing companies, that every organization ought to consider and implement a Cloud/Modernization strategy, or risk getting left technologically behind.

At the core of this narrative appears to be a strong (but inaccurate) message that the Cloud is inherently more trustworthy and cost-effective to use than the traditional computing systems that most of the world's organizations operate on today.


A closer look reveals that such narratives/their core principles seem to emanate from and be delivered to a global audience via guidance from government organizations tasked with promoting "American innovation and industrial competitiveness", published in the form of high-level guidance, which American cloud computing companies seize the opportunity to quote.

It also seems that such narratives/initiatives provide certain vendors of operating systems and hosting providers (mostly American Corporations) a golden opportunity to additionally have their entire global organizational customer base now also pay them, on a recurring basis, for a host of new computing and cyber security services built, marketed and labelled as the 'Cloud.'

To further worsen the situation, it appears that some of these vendors seem to invest billions of dollars in sophisticated marketing strategies, to not only get some of these initiatives to become part of American Government policy, but also to convince/persuade the "C-Suite" at their global organizational customer base, to transition assets over to their Cloud.

Little do these hapless organizational customers from across the world seem to realize that whilst embracing these new services marketed as the Cloud may sound rosy and secure, in reality, it requires (involves) them to basically relinquish* operational control (autonomy) and privacy, and take on an eternal dependency on an external third-party.

* The moment an organization transitions its primary identities into the Cloud is the moment it loses its operational autonomy.

The world's organizations and their shareholders may want to contrast this with the undeniable fact that the alternative, i.e. operating on traditional computing systems upon which the world has been successfully operating for years now, does NOT require organizations to relinquish their operational autonomy, privacy or security, i.e. give up their sovereignty.


It appears that this paramount fact, one that directly impacts the security, autonomy and sovereignty of every organization, and in the case of governments, also impacts national sovereignty and national security, is astonishingly overlooked!



The Cloud is a No-Starter for Us

It likely cannot be stated any simpler than someone already has - "The Cloud is just someone else's computer."

The world ought to understand, in no uncertain terms, that the moment you put your assets onto someone else's computer, they are no longer either private OR solely yours. They can be accessed, copied, modified and destroyed by ANYONE who has ADMINISTRATIVE or sufficient access to that computer, or anyone who could gain UNAUTHORIZED access to it, including 1000s of the Cloud provider's personnel (whose identities/computers too could be compromised and misused).

Further, because these Cloud providers are starting to be used by thousands of organizations, they themselves are now MASSIVE targets for highly proficient, and often state-funded adversaries, and their compromise could easily cascade.

Finally, when you use an Identity Provider (IDP), you must understand that that IDP now knows exactly who you are, where you are, what you are logging on to, and what you are accessing. In other words, you have no privacy left. None.

For that reason alone, to begin with, the Cloud is a no-starter for us.


Concluding Thoughts

My time is very valuable so I will not spend more time on this. Time permitting, I may pen another blog post in the future with sufficient (concrete) technical details, but for now, this is all I wish to say, and have time to say regarding the Cloud. 

Let me be very clear - we are perfectly capable of offering the most technologically advanced services in the Cloud as well, but since it is conceptually a no-starter for us, we do not invest time or resources to build and offer Cloud based services.


In short, at Paramount Defenses, we literally impose zero trust in the Cloud, and since we know how to operate a secure IT environment, we do NOT rely on anyone i.e. any Cloud provider to operate our internal organizational IT infrastructure.

As a result, we fully retain our operational autonomy, organizational privacy and cyber security. 


That's all I have to say about it. As a well-wisher, I encourage the entire world to consider the perspective shared above.

Thanks,
Sanjay


Wednesday, July 10, 2024

The World's Top Cyber Security Companies, including Microsoft (MSFT), Crowdstrike (CRWD), ZScaler (ZS), CyberArk (CYBR) etc. ALL Agree on ONE Fact


Folks,

There is 1 (ONE) simple paramount fact that impacts cyber security worldwide today that virtually ALL of the world's top cyber security companies, including Microsoft (MSFT), CrowdStrike (CRWD), Dell (DELL), Splunk (SPLK), ZScaler (ZS), CyberArk (CYBR) etc. etc. all agree on, and I quote -



"Microsoft Windows Server Active Directory is the foundation of an IT Infrastructure"

- Source: Splunk (SPLK, acquired by Cisco; Market Cap: $28 Billion)




"Microsoft Active Directory is at the core of your business"

- Source: DellEMC (DELL,  Market Cap: $ 99 Billion)




"Active Directory and Entra ID are the lifeblood of your business"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)




"When AD fails, either from ransomware, cyberattacks or catastrophes, the IT environment grinds to a halt"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)



"Microsoft Active Directory is a collection of services that help you manage users and devices on a network."

- Source: Amazon AWS  (AMZN,  Market Cap: $ 2 Trillion.)



"Start with Active Directory, go everywhere"

- Source: Okta  (OKTA,  Market Cap: $ 15 Billion.)



"Configure GlobalProtect to use Active Directory Authentication profile"

- Source: Palo Alto Networks  (PANW,  Market Cap: $ 106 Billion.)



"A secure Active Directory environment can mitigate most attacks."

- Source: CrowdStrike  (CRWD,  Market Cap: $ 90 Billion.)




"At the heart of every network there are the Domain Controllers and the Active Directory instances that run on them."

- Source: CyberArk  (CYBR,  Market Cap: $ 7 Billion)




"Microsoft Active Directory is used extensively across global enterprises. Even with the migration to Azure Active Directory, companies continue to utilise Active Directory in a Hybrid environment where workstations may be joined solely to AD, or both AD joined and WorkPlace joined to AAD."

- Source: ZScaler  (ZS,  Market Cap: $ 30 Billion)




"Manually maintaining Google identities for each employee can add unnecessary management overhead when all employees already have an account in Active Directory. By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Active Directory."

- Source: Google  (GOOG,  Market Cap: $ 2 Trillion)





"Active Directory provides mission-critical authentication, authorization and configuration capabilities to manage users, computers, servers and applications throughout an organization’s IT infrastructure...

…[it] is critical to secure an organization’s systems and applications."

- Source: Microsoft  (MSFT,  Market Cap: $ 3 Trillion)



"From the White House to the entire U.S. Government, and from the $3T Microsoft (MSFT) to the global Fortune 1000, at the very foundation of cyber security of 85% of all organizations worldwide lies a single technology - Active Directory."

- Source: Paramount Defenses (Privately held)





A $20 Trillion Fact

Here are just a few corporations on the Standard & Poor's 500 (S&P 500) at whose very foundation lies Active Directory -


Alphabet (GOOGL), Amazon (AMZN), Advanced Micro Devices (AMD), American Airlines (AAL), American Express (AXP), AmerisourceBergen (ABC), AT&T (T), Baker Hughes (BKR), Bank of America (BAC), Berkshire Hathaway (BRK.B), BlackRock (BLK), Capital One Financial (COF), Caterpillar (CAT), CBRE Group (CBRE), Cisco (CSCO), Citibank (C), Clorox (CLX), Coca-Cola Company (KO), Chevron (CVX), Comcast (CMCSA), CVS Health (CVS), Costco (COST), Delta Airlines (DAL), Dow Inc (DOW), Dupont de Nemours (DD), Equifax (EFX), Exxon Mobil (XOM), Facebook (FB), Ford Motor (F), Fortinet (FTNT), Fox Corporation (FOX), Gartner (IT), General Electric (GE), General Motors (GM), Gilead Sciences (GILD), Goldman Sachs (GS), Google (GOOG), Hewlett Packard Enterprise (HPE), Hilton Worldwide (HLT), Humana (HUM), IBM (IBM), Intel (INTC), JP Morgan Chase (JPM), Johnson and Johnson (JNJ), Kellogg Co (K), Kroger Co (KR), Lockheed Martin (LMT), Mastercard (MA), McDonalds (MCD), Merck (MRK), MetLife (MET), Microsoft (MSFT), Morgan Stanley (MS), Nasdaq (NASD), Netflix (NFLX), NewsCorp (NWS), Nike (NIKE), Northrop Grumman (NOC), Norwegian Cruise Line Holdings (NCLH), Nvidia (NVDA), Occidental Petroleum (OXY), Okta (OKTA), Oracle Corp (ORCL), PayPal (PYPL), PepsiCo Inc (PEP), Phillip Morris International (PM), Procter and Gamble (PG), Qualcomm (QCOM), Quest Diagnostics (DGX), Raytheon (RTX), Robert Half International (RHI), Royal Caribbean Cruises (RCL), S&P Global (SPG), Salesforce.com (CRM), Schlumberger (SLB), Southwest Airlines (LUV), Sysco Corp (SYY), Target Corp (TGT), Tesla (TSLA), Tyson Foods (TSN), Twitter (TWTR), United Airlines (UAL), UPS (UPS), Verizon (VZ), Walmart (WMT), Walt Disney (DIS), Wells Fargo (WFC), Yum! Brands (YUM) etc. etc.





This Sounds Very Important

If $ 20+ Trillion are riding on Active Directory today, one would have to assume that the security of these foundational Active Directory deployments ought to be one of the highest organizational cyber security priorities worldwide. It is.


In fact, it is paramount. However, there's just one small Trillion $ problem...




Microsoft's #1 Recommendation

As evidenced in the quote above, Microsoft has always strongly recommended that every organization operating on Active Directory consider it mission-critical to business and adequately secure and defend it at all times.


In fact, Microsoft recommends that the 1st and most important (paramount) cyber security measure that organizations take to secure (defend) Active Directory is to correctly identify and reduce users who have privileged access in Active Directory:


"Privileged accounts like administrators of Active Directory have direct or indirect access to most or all assets in an IT organization, making a compromise of these accounts a significant business risk."


"Cyber-attackers focus on privileged access in Active Directory to rapidly gain access to all of an organizations data."


"Securing privileged access is (thus) a critical first step to establishing security for business in a modern organization."


"Because it can be difficult or even impossible to properly secure every aspect of an organization's IT infrastructure, you should focus efforts first on the accounts whose privilege create the greatest risk, which are privileged accounts and groups in Active Directory."


"Implement least privilege. Limit the count of administrators or members of privileged groups in Active Directory."


"Review administrative privileges each quarter to determine which personnel still have a legitimate business need for administrative access (in Active Directory)"


"An ounce of prevention is worth a pound of detection"





There's Just A Small Trillion $ Problem

Shockingly, the means to implement Microsoft's #1 recommendation to thousands of its organizational customers, i.e. the means to correctly (accurately) identify who has what privileged access in/across Active Directory, just don't exist*.


That's right. The capability that organizations require to correctly identify who has what privileged access in their Active Directory, so they can limit the number of privileged users and review this number every quarter, doesn't exist* today.

As a result, thousands of organizations worldwide do not even have the means to be able to correctly identify, control, minimize or review exactly who has the "Keys to the Kingdom" in their foundational Active Directory deployments.



Here's evidence, from none other than Microsoft (Source) -

"In assessing Active Directory installations, we (Microsoft) invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work. Mid-sized directories may have dozens of accounts in the most highly privileged groups, while large installations may have hundreds or even thousands."



Simply stated, it means that in most large organizations, today there very likely are hundreds or even thousands of users who possess sufficient privileged access so as to be able to control, compromise or blow up the entire organization!

To put this in context, consider the fact that almost all major recent cyber security breaches, including JP Morgan, the Sony Hack, Target, Snowden, the OPM Breach, Anthem, Avast, the U.N. breach, the SolarWinds Breach, the Colonial Pipeline Hack, the Microsoft Hack, the Okta Hack etc., ALL involved the compromise and misuse of just ONE Active Directory Privileged User account!

(Recently, it cost shipping giant Maersk a staggering $ 250 Million to recover from a breach involving its Active Directory.)



In short, as it concerns having visibility into exactly who has the all-powerful "Keys to the Kingdom" in an organization, today most organizations are operating in the proverbial dark, and neither their IT groups nor their C-Suite have a clue.

(In fairness to all IT admins, IT managers and CISOs at thousands of organizations, this is a massive problem and a very sophisticated technical subject, so they alone should not be blamed for not sufficiently understanding its vast complexity.)

Unfortunately, with the advent of freely available hacking tools specifically designed to identify and exploit exactly such excessive-access vulnerabilities in Active Directory, urgently addressing this problem has become paramount.


This should be a serious cause of concern for all stakeholders, including their employees, customers and shareholders.





*All of One

Note the use of * when referring to the non-existence of the paramount capability that organizations require to adequately defend Active Directory, i.e. the ability to correctly (accurately) identify who has what privileged access in Active Directory.


It so happens that there's all of ONE company on planet Earth that possesses this capability today, and its patented, Microsoft-endorsed capability can uniquely enable and empower every organization operating on Active Directory to be able to correctly, instantly and automatically identify exactly who has what privileged access in Active Directory.

Actually, there's a little more to it than "it so happens." Eighteen years ago, Microsoft's top cyber security expert on Active Directory Security established this company and for the last eighteen years, it has been laser-focused on solving just this one single $ 28 Trillion problem for the world, (oh, and $ 28 Trillion only accounts for companies in the United States.)

You've likely never heard of this company, but over the last decade, from the United States Treasury to the United States Department of Defense, many of the world's most important and valuable government and business organizations have used and depended on its solutions to correctly identify and minimize privileged access in their Active Directory.

Today, not a single cyber security or IT company on Earth, let alone those listed on the Nasdaq, can compete with it.

Today this company can uniquely enable and empower the entire world to instantly, effortlessly, and most importantly, accurately identify, minimize and lock down all privileged access, i.e. the "Keys to the Kingdom", in foundational Active Directory deployments worldwide, thereby helping thousands of organizations worldwide trustworthily attain and maintain Least Privileged Access (LPA), which is not only a cyber security necessity but also a cardinal tenet of Zero Trust.

That ONE company is Paramount Defenses, and perhaps the simplest introduction to it can be found here.


We will be making a small announcement tomorrow or the day after, that is likely to impact a Trillion+ $.

That's all for now.

Best wishes,
Sanjay Tandon

Formerly
Program Manager,
Active Directory Security,
Microsoft Corporation.


PS: Please Understand -
 
It is a LITTLE difficult to be humble when your work single-handedly impacts Trillions of $ worldwide, and you're trying to help thousands of organizations understand why they remain substantially vulnerable.

This isn't about petty stuff like money i.e. it isn't about a Million or a Billion or a 100B or a T. It's about doing what's right.

Four years ago, I personally demonstrated how hackers could unleash ransomware onto 1000s of organizational computers using Active Directory. For almost ten years now, I have also been personally warning about the use of Active Directory Privilege Escalation as a top attack vector, and sure enough, in almost every major breach, including the SolarWinds Breach, the Colonial Pipeline Hack and recently the Okta and Microsoft breaches, the defining/cardinal step employed by the perpetrators to gain unrestricted privilege was Active Directory Privilege Escalation. I have also been extensively warning about the use of DCSync, and sure enough, as observed and reported by Microsoft, it is DCSync that LAPSUS$ (DEV-0537) employed to obtain unrestricted access and inflict damage. Need I say more?

It remains my professional opinion as former Microsoft Program Manager for Active Directory Security that attaining and maintaining LPA in Active Directory is the single-most important and effective measure that organizations can take to substantially improve their cyber security posture, and technically, we can help the entire world do so, oh and we can technically do so in less than one day. (To appreciate that, consider that even Microsoft couldn't do so in one decade.)

It is also imperative that the world and Microsoft realize that Microsoft making the entire world sign up for and rely on its (now twice hacked) Azure Cloud (renamed to Entra after two hacks) is NOT the answer to solving such problems, because, simply put, the day that an organization transitions over its primary identity to a third-party Identity Provider (IDP) is the day that it relinquishes its operational autonomy, organizational privacy and dignity to a third-party, forever.

Cyber security isn't that difficult, but it does require basic common sense. If you don't even know how many users have the "Keys to your Kingdom", how can you even begin to protect your organization? This isn't rocket science, it's common sense.

Wednesday, June 5, 2024

A Two Trillion Dollar Company is Evaluating Gold Finger

 Folks,

I hope this finds you doing well. As many of you know, over the last eighteen years, thousands of organizations from across a hundred countries worldwide have requested Gold Finger evaluations, and we know them all rather well.

It is my privilege to share that a rather prominent two trillion dollar company is currently evaluating Gold Finger, the only cyber security tooling in the world that can accurately assess access in Microsoft Active Directory (AD) environments.

Their foundational Active Directory gives them the freedom to operate independently, and we can uniquely enable them to easily and accurately assess and lock down access, i.e. attain and maintain least privileged access (LPA) in their AD.

I feel I needn't say more (so I won't).

Best wishes,
Sanjay.

Tuesday, May 21, 2024

Introducing yet another unrivaled feature in Gold Finger - Single-User Mode


Folks,

Hello. I trust this finds you doing well. In our last post, we had announced our up to $ 100 million software giveaway. Today we'd like to announce an exciting and valuable new feature that we just added to Gold Finger - 'Single User Mode'.


Introducing 'Single-User Mode' in Gold Finger

Over the last many years, we've had the privilege to help secure some of the most important organizations in the world, e.g. the U.S. Treasury, the U.S. Dept of Defense, Berkshire Hathaway subsidiaries, $100 Billion+ F100 companies etc.

[ For those who may not yet know so, we uniquely help organizations attain and maintain least privileged access (LPA) in Active Directory, by empowering them to accurately assess and lock down exactly who has what privileged access in AD. ]

Over the years, the unique cyber security needs of our customers have driven several valuable features in Gold Finger.

Probably, the ONE feature that most of our global customers have been requesting is the ability to be able to help them easily, instantly and accurately identify exactly WHAT effective access a SPECIFIC user has in/across Active Directory.

For example, assume that you have a specific user, John Doe, and you want to know exactly WHAT (effective) administrative access, if any, John has in your Active Directory, i.e. CAN he create, modify and/or delete domain user accounts, computer accounts, security groups, organizational units, group policies, SCPs etc. in Active Directory, and if so, WHERE and HOW.

Here are 6 simple examples that illustrate this need - 

  1. Can a specific user, John Doe, create user accounts in Active Directory?
  2. Can a specific user, Mark Smith, reset user account passwords in Active Directory?
  3. Can a specific user Jane Collins, create or delete organizational units (OUs) in Active Directory?
  4. Can a specific user Benjamin Thompson, replicate secrets (password hashes) from Active Directory?
  5. Can a specific user, James Smith, modify permissions on domain accounts, groups or OUs in Active Directory?
  6. What administrative tasks can a specific user, Tony Stark, perform (anywhere) in an Active Directory OU/domain? 


That is the ONE feature that virtually all of our customers have been requesting, and it is my privilege to share that this week, we finally delivered this ONE feature for our customers and the entire world, and it is NOW available in Gold Finger.

IF you can click a button, you can NOW instantly and accurately find out exactly WHAT effective access ANY specific user you specify, has in your Active Directory, WHERE and HOW, in minutes, via the 'Single-User' Mode in Gold Finger.


In the remainder of this post, I will technically illustrate this feature, but before I do so, two myths need to be debunked. 


Debunking 2 (Trillion $) Myths

I have about 25 years of experience in Active Directory Security, so I know the subject well enough to unequivocally state that it is very concerning to see just how LITTLE most organizations and vendors know about Active Directory security.   

So, before I shed light on this feature, I felt the need to debunk 2 popular myths -

  1. Is Active Directory even relevant anymore? - Over the last 20 years, Active Directory has been the foundation of IT and cyber security worldwide. With the advent of the Cloud (i.e. merely someone else's computer(s)), many an organization is (likely being misled into) considering transitioning its primary identities to a Cloud provider (e.g. Microsoft Azure.) LITTLE do these organizations realize that the DAY they transition over their PRIMARY identities to an IDP in the Cloud is the DAY they will relinquish ALL operational autonomy (control) and organizational privacy FOREVER, losing control over their future, and taking on a critical eternal dependency on a (foreign) third-party.

     In contrast, organizations that operate on Active Directory continue to maintain and retain independent control over their PRIMARY identities, and thus retain their operational autonomy, organizational privacy and self-reliance.

     In simple words, any organization that may be considering transitioning their primary identities from Active Directory to an(y) IDP in the Cloud should know exactly what it is they stand to LOSE if they do so, and act accordingly.


  2. What's the big deal? We can easily already do this. - Actually, you can't*, and it is a big deal. You see, if you think you can easily already do this, you're likely one of millions of amateurs who naively believe that finding out who has what access in Active Directory is merely the same as finding out who has what permissions in Active Directory, which any script can seemingly do, and which numerous amateur vendors also claim to be able to do.

     *If you know of any cyber security solution in the world that can do what Gold Finger's advanced tools can, you can have Gold Finger for free.

     In reality, if you're merely relying on finding out who has what permissions in Active Directory, you have a LOT to learn, and THOUSANDS of hours before you can do this correctly. In short, what you need to do is find out who has what effective permissions in Active Directory first, and that alone is something even the $3 Trillion Microsoft does not possess the ability to accurately determine, let alone any organization, vendor or admin in the world. (We do.)

     In short, if you want to understand what the big deal is, you'll want to read the technical sections of this blog post, as well as read this and this (as many times as needed,) and then ask yourself if you have the ability to do so.


With these 2 myths debunked, now that we understand the profound value and paramount importance of Active Directory, and how difficult it is to accurately determine access in it, we can proceed to appreciate Gold Finger, and this new feature.



A Quick Technical Primer

To understand and appreciate this feature, one first needs to adequately understand the fundamentals of Active Directory Security, and towards that end, this section is possibly the most concise primer you'll find anywhere on the subject.

You see, simply put, what makes Active Directory so important and valuable is the fact that it is the heart of AAA, and it stores and protects all the building blocks of organizational cyber security i.e. all organizational user accounts and their credentials, all organizational computer accounts and their policies, and all organizational groups and their memberships.

Active Directory Security Permissions 

In other words, ultimately, the most valuable assets in Active Directory are its contents, each one of which is represented by an Active Directory object that is protected by an access control list (ACL), in which reside multiple security permissions, each one of which allows or denies some type of access to some security principal; ultimately it is the resultant set of all the security permissions in an object's ACL, aka effective permissions, that determines who has what access to it.

Further, since it is infeasible for an organization to individually configure security permissions on thousands of objects, Active Directory lets admins specify inheritable security permissions, which can be specified on container objects (e.g. OUs,) and automatically flow down to all/specific child objects, making it easy to specify access on thousands of objects.

Lastly, a precedence order governs the resultant access arising from conflicting sets of allow and deny permissions. 

Consequently, in a nutshell, in every Active Directory domain, there exist hundreds of thousands of explicit and inherited security permissions, each one allowing or denying various combinations of access to various users, computers, groups etc., and ultimately it is the resulting access of ALL these permissions that actually determines who has what access.

It follows logically then that to secure the contents of Active Directory, one needs the ability to accurately assess who currently has what access, i.e. effective permissions, on (thousands of) Active Directory objects, for one simply cannot secure (i.e. lock down) access to any securable asset without first being able to assess who currently has what access.

In other words, it is impossible to secure Active Directory without possessing the ability to accurately determine effective permissions in Active Directory. In fact, one can't even secure a single object without possessing this fundamental ability.



5 Simple Examples

Finally, before we see Gold Finger's existing capabilities and those of this new feature, it is important to understand just how difficult and technically complex it is to accurately make access assessment determinations in Active Directory.

Here are five simple examples that illustrate the complexity involved in making these paramount determinations -

  1. Who can reset a domain user account's password? Consider an(y) account in Active Directory. There are likely over one hundred security permissions in its ACL, each one allowing or denying some access to some security principal, and each one being explicit or inherited. To make this determination, one will need to accurately take into account the collective impact of all of these hundred plus security permissions, with 100% accuracy, considering all factors that influence access, such as inheritance, precedence orders, group memberships, self-relative permissions, class applicability etc. In other words, one needs to determine the resulting effective permissions on the object. 

  2. Who can modify a domain group's membership? Consider any group in Active Directory. Akin to the example above, there are likely over a hundred security permissions in the ACL protecting this group's object in Active Directory, and likewise, to make this determination, one will need to accurately determine the collective impact of all the hundred plus security permissions in this object's ACL, i.e. determine the resulting effective permissions on this object.

  3. Who can replicate secrets from Active Directory? The enactment of this one single act can result in the instant and complete compromise of an entire organization. Consequently, making this paramount determination is absolutely essential for organizational cyber security. Assessing who can replicate secrets from Active Directory involves the accurate determination of not one but two special extended rights on the domain root, and consequently is twice as complicated as making a single effective-permission based assessment, such as those in the previous examples.

  4. Who can create a user account in Active Directory? This may seem like a simple assessment to those new to the subject, but a professional will tell you that this seemingly simple assessment involves a substantial amount of complexity i.e. the accurate determination of effective permissions on every organizational unit, almost* every container in Active Directory, and every object under which the Schema permits the creation of domain user accounts, and thus depending on an organization's OU structure/design, making this one simple determination could involve accurately determining effective permissions on possibly dozens of Active Directory objects.   

  5. Who can delete a large OU, such as the Corp OU? Consider an OU that contains hundreds/thousands of objects. The determination of who can delete this OU is possibly one of the hardest technical determinations in all of cyber security, because there are multiple ways in which an OU and its contents can be deleted, and thus one technically needs to determine the collective impact of thousands of security permissions, i.e. determine effective permissions on every object in the OU, as well as the impact of delete-child and delete-tree permissions on all non-leaf objects.


In short, as illustrated by these examples, to make these paramount access determinations accurately, one needs to be able to accurately determine effective permissions on Active Directory objects, and in fact, do so on thousands of objects.
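To make the primer's factors concrete (explicit vs inherited permissions, allow/deny precedence, nested group membership, extended rights such as Reset Password, and class applicability), here is an added, simplified model of how an Active Directory DACL resolves to effective access, applied to the "who can reset this account's password" determination from the examples above. This is illustrative code written for this post, not Gold Finger's or Microsoft's; the group names, user names and ACEs are constructed, and SELF and inherit-only ACEs are deliberately left out of the model.

```python
# Added example (not Gold Finger's or Microsoft's code): a simplified model of
# how Active Directory resolves an object's DACL into effective access.
# Modelled factors: explicit vs inherited ACEs, allow/deny precedence, nested
# group membership, extended rights (object_type) and class applicability
# (inherited_object_type). Not modelled: SELF ACEs and inherit-only ACEs.
# All names and ACEs below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# A small subset of AD access-mask bits; CONTROL_ACCESS is the "extended right"
# bit, and object_type on the ACE names which right (e.g. "Reset Password").
GENERIC_WRITE = 0x1
DELETE = 0x2
WRITE_DACL = 0x4
CONTROL_ACCESS = 0x8


@dataclass(frozen=True)
class ACE:
    trustee: str                                  # user or group name
    allow: bool                                   # True = allow ACE, False = deny ACE
    mask: int                                     # rights this ACE allows or denies
    object_type: Optional[str] = None             # extended right / attribute; None = all
    inherited_object_type: Optional[str] = None   # object class it applies to; None = any
    depth: int = 0                                # 0 = explicit; 1 = from parent OU; 2 = grandparent ...


def token_groups(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of group membership: every identity an access check
    considers for this principal, nested groups included."""
    seen, stack = {principal}, [principal]
    while stack:
        current = stack.pop()
        for group, members in groups.items():
            if current in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def canonical_order(acl: Iterable[ACE]) -> List[ACE]:
    """AD canonical DACL order: explicit deny, explicit allow, then inherited
    ACEs nearest parent first, deny before allow at each level. Because explicit
    ACEs come first, an explicit allow beats an inherited deny."""
    return sorted(acl, key=lambda ace: (ace.depth, ace.allow))


def has_effective_access(principal: str, groups: Dict[str, Set[str]], acl: Iterable[ACE],
                         wanted_mask: int, object_type: Optional[str] = None,
                         object_class: str = "user") -> bool:
    """Windows-style access check: walk the canonical DACL; a matching deny on
    any still-wanted bit ends the check as denied, matching allows clear bits,
    and access is granted once no wanted bits remain."""
    identities = token_groups(principal, groups)
    remaining = wanted_mask
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        if ace.object_type not in (None, object_type):
            continue   # ACE scoped to a different extended right / attribute
        if ace.inherited_object_type not in (None, object_class):
            continue   # ACE applies only to objects of another class
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def who_can(candidates: Iterable[str], groups: Dict[str, Set[str]], acl: Iterable[ACE],
            wanted_mask: int, object_type: Optional[str] = None, object_class: str = "user") -> List[str]:
    """The 'who can X on this object' determination from the examples above."""
    return sorted(p for p in candidates
                  if has_effective_access(p, groups, acl, wanted_mask, object_type, object_class))


# Constructed sample: nested groups and the DACL on one domain user object.
GROUPS = {"Helpdesk": {"mark"}, "Tier1-Admins": {"Helpdesk"}, "Domain Admins": {"alice"}}
USER_OBJECT_ACL = [
    ACE("carol", False, WRITE_DACL),                                        # explicit deny
    ACE("Helpdesk", True, CONTROL_ACCESS, object_type="Reset Password"),    # explicit allow
    ACE("Tier1-Admins", False, CONTROL_ACCESS, object_type="Reset Password", depth=1),  # deny inherited from OU
    ACE("Helpdesk", True, GENERIC_WRITE, inherited_object_type="computer", depth=1),    # computer objects only
    ACE("Domain Admins", True, GENERIC_WRITE | DELETE | WRITE_DACL | CONTROL_ACCESS, depth=1),
]
USERS = ["alice", "bob", "carol", "mark"]

if __name__ == "__main__":
    # mark is allowed despite the inherited deny, because his allow is explicit
    print("Can reset password:", who_can(USERS, GROUPS, USER_OBJECT_ACL, CONTROL_ACCESS, "Reset Password"))
```

Moving the Helpdesk allow from the object itself to an inherited ACE further up the tree flips mark's result, which is the precedence subtlety a permissions-only listing misses.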


Note - Today, no cyber security company on Earth, whether it be PANW, CRWD, ZS, OKTA, CYBR, NET, MSFT etc., possesses the capability to help organizations determine effective permissions in Active Directory. Well, except one.



Gold Finger - Standard Mode

Gold Finger is the world's only solution that can accurately determine effective permissions in Active Directory, and in fact do so on thousands of objects, to determine exactly who has what effective access, where and how in Active Directory.

Gold Finger for Active Directory

Technically, it is a suite of 8 Active Directory assessment tools that includes a Security Auditor, a Membership Auditor, an ACL Analyzer, an ACL Exporter, an Active Directory Permissions Analyzer, and the world's only accurate i) Active Directory Effective Permissions Calculator, ii) Effective Access Auditor, and iii) an unrivaled domain-wide Privileged Access Assessor.


For the purposes of this post, we'll focus on the Privileged Access Assessor, of which the following's the Standard Mode -

Active Directory Privileged Access Assessor

As can be seen above, the default mode in the Privileged Access Assessor, referred to from now on as the Standard Mode, enables organizations to instantly, accurately and automatically make over 100 paramount privileged access assessment determinations in Active Directory, such as -  

  1. Who can create user accounts, computer accounts, security groups, OUs etc. in Active Directory?
  2. Who can delete user accounts, computer accounts, security groups, OUs etc. in Active Directory?
  3. Who can reset account passwords, modify group memberships, disable two-factor auth etc. in Active Directory?
  4. Who can modify permissions on all objects, on OUs, on AdminSDHolder, the domain-root etc. in Active Directory?
  5. Who can link GPOs to OUs, delegate/modify administrative access, replicate secrets from Active Directory etc.?

It is the only cyber security tool in the world that can accurately make these paramount determinations in Active Directory.


In technical terms, the Standard Mode of Gold Finger delivers the capability to automatically analyze millions of security permissions in Active Directory, instantly and accurately determining effective permissions on thousands of objects, to ultimately determine and reveal exactly who has what privileged access in Active Directory, where and how, domain-wide.


As it pertains to this post, the Standard Mode of Gold Finger determines and reveals the identities of all users who have sufficient effective access in Active Directory to be able to perform one or more specified administrative tasks.

For instance, if it is the case that 100 users can create user accounts in Active Directory, it will list them all. Likewise, if you select 100 tasks to assess for, it will determine and then list the identities of all users who can enact each selected task.



Gold Finger - Single-User Mode

There are many scenarios in which an organization needs to be able to quickly determine whether or not a specific user has sufficient effective access in Active Directory to be able to enact a specific administrative task. Likewise, there are many scenarios in which an organization needs to know what all a specific user is able to do in their Active Directory.

For such scenarios, it can be very helpful if IT personnel can specify a specific user and have Gold Finger determine either whether that specific user can perform a specific task in Active Directory, or if he/she can perform all/specific admin tasks.

The Single-User Mode being introduced today delivers on this exact capability -

Gold Finger - Single-User Mode

It enables organizations to be able to specify a specific (single) user, and have Gold Finger instantly, accurately and automatically determine whether or not that user can perform one or more selected/specified tasks in Active Directory.   


To activate Single-User Mode, one simply uses the new Mode option in the application menu -



Once in Single-User Mode, to specify a specific (single) user, one simply clicks on the 'Specify a User' button -


This opens Gold Finger's inbuilt Search dialog that enables you to easily search for and specify a specific user -


Once a user has been selected, the next step is to select one or more privileged access reports you wish to assess for -


Once you have selected the access reports you wish to generate for the specified user, you click the Gold Finger button.

Gold Finger then automatically determines whether or not the specified user has sufficient effective access (i.e. effective permissions) in Active Directory (on thousands of objects if needed) to be able to enact the selected tasks, and if so, where all (scope-wide) and how, and displays the results -


In the snapshot above, we can see that three access reports had been selected and that the assessment scope was set to be the entire domain. Gold Finger instantly, automatically and accurately determined effective permissions on thousands of Active Directory objects in the domain, and determined that the specified user can perform all the selected tasks (shown in the What dropdown) in the specified scope (i.e. entire domain), and for each selected administrative task, it also revealed exactly where this user can perform these tasks (shown in the Where pane), as well as how the specified user can do so (shown in the How pane) i.e. based on which underlying security permission in the ACL of the target object.

As seen above, in just seconds, Gold Finger assessed and confirmed that the specified user does indeed have sufficient effective access to perform the specified tasks, and also revealed exactly where he can enact them, and how.


In this manner, Gold Finger's new Single-User Mode lets organizations instantly determine whether a specific user can perform one or more (100+) administrative tasks anywhere in Active Directory, where and how, all at a button's touch!




Multi-Tool Availability

Single-User Mode is now also available in the Effective Permissions Calculator and the Effective Access Auditor.

The availability of Single-User Mode in Gold Finger's Active Directory Effective Permissions Calculator finally enables organizations to easily determine what effective permissions a specific user has on a specific Active Directory object -

Active Directory Effective Permissions Calculator


Likewise, the availability of Single-User Mode in Gold Finger's Active Directory Effective Access Auditor finally enables organizations to easily determine what administrative tasks a specific user can perform on a specific Active Directory object, such as on a specific domain user account, a domain security group, an organizational unit etc. -

Active Directory Effective Access Auditor


The availability of Single-User Mode in these three indispensable tools will enable and empower organizations worldwide to easily, quickly and efficiently fulfill numerous Active Directory focused privileged access assessment/verification needs.



Indispensable Tooling

It is my professional opinion as former Microsoft Program Manager for Active Directory Security that the following three unique effective-access assessment tools in Gold Finger are absolutely indispensable for Active Directory Security -
  1. Active Directory Effective Permissions Calculator - Calculate effective permissions on any object in Active Directory.
  2. Active Directory Effective Access Auditor - Audit effective access on accounts, groups, OUs etc. in Active Directory.
  3. Active Directory Privileged Access Assessor - Instantly assess privileged access domain-wide in Active Directory.

The simple reason they are indispensable for Active Directory Security is that they uniquely enable organizations to accurately assess and lock down all access, including privileged access, in Active Directory, i.e. to trustworthily attain and maintain Least Privileged Access (LPA) in Active Directory, which is a fundamental and cardinal tenet of Zero Trust.


At Paramount Defenses, we are confident that the general availability of Single-User Mode in Gold Finger, across all of these three indispensable tools, will make it even easier for our customers to attain and maintain LPA in Active Directory.


In closing, I will only add that Active Directory has been and remains the bedrock of organizational cyber security because it enables organizations worldwide to independently operate their foundational IT infrastructures, thereby preserving and retaining their autonomy, privacy, security and self-respect, and our commitment to helping secure AD remains ironclad.


Thank you very much, especially to our customers worldwide,
who are undoubtedly, true thought-leaders in cyber security.

Best wishes,
Sanjay.

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
