Folks,
Hello. I trust this finds you doing well. In our last post, we had announced our up to $ 100 million software giveaway. Today we'd like to announce an exciting and valuable new feature that we just added to Gold Finger - 'Single User Mode'.
Introducing 'Single-User Mode' in Gold Finger
Over the last many years, we've had the privilege to help secure some of the most important organizations in the world, e.g. the U.S. Treasury, the U.S. Dept of Defense, Berkshire Hathaway subsidiaries, $100 Billion+ F100 companies etc.
[ For those who may not yet know so, we uniquely help organizations attain and maintain least privileged access (LPA) in Active Directory, by empowering them to accurately assess and lockdown exactly who has what privileged access in AD. ]
Over the years, the unique cyber security needs of our customers have driven several valuable features in Gold Finger.
Probably, the ONE feature that most of our global customers have been requesting is the ability to be able to help them easily, instantly and accurately identify exactly WHAT effective access a SPECIFIC user has in/across Active Directory.
For e.g., assume that you have a specific user, John Doe, and you want to know exactly WHAT (effective) administrative access, if any, John has in your Active Directory, i.e. CAN he create, modify and/or delete domain user accounts, computer accounts, security groups, organizational units, group policies, SCPs etc. in Active Directory, and if so, WHERE and HOW.
Here are 6 simple examples that illustrate this need -
- Can a specific user, John Doe, create user accounts in Active Directory?
- Can a specific user, Mark Smith, reset user account passwords in Active Directory?
- Can a specific user Jane Collins, create or delete organizational units (OUs) in Active Directory?
- Can a specific user Benjamin Thompson, replicate secrets (password hashes) from Active Directory?
- Can a specific user, James Smith, modify permissions on domain accounts, groups or OUs in Active Directory?
- What administrative tasks can a specific user, Tony Stark, perform (anywhere) in an Active Directory OU/domain?
That is the ONE feature that virtually all of our customers have been requesting, and it is my privilege to share that this week, we finally delivered this ONE feature for our customers and the entire world, and it is NOW available in Gold Finger.
IF you can click a button, you can NOW instantly and accurately find out exactly WHAT effective access ANY specific user you specify, has in your Active Directory, WHERE and HOW, in minutes, via the 'Single-User' Mode in Gold Finger.
In the remainder of this post, I will technically illustrate this feature, but before I do so, two myths need to be debunked.
Debunking 2 (Trillion $) Myths
I have about 25 years of experience in Active Directory Security, so I know the subject well enough to unequivocally state that it is very concerning to see just how LITTLE most organizations and vendors know about Active Directory security.
So, before I shed light on this feature, I felt the need to debunk 2 popular myths -
- Is Active Directory even relevant anymore? - Over the last 20 years, Active Directory has been the foundation of IT and cyber security worldwide. With the advent of the Cloud (i.e. merely someone else's computer(s)), many an organization are (likely being misled to) considering transitioning their primary identities to a Cloud provider (e.g. Microsoft Azure.) LITTLE do these organizations realize that the DAY they transition over their PRIMARY identities to an IDP in the Cloud is the DAY they will relinquish ALL operational autonomy (control) and organizational privacy FOREVER, losing control over their future, and taking on a critical eternal dependency on a (foreign) third-party.
- What's the big deal? We can easily already do this. - Actually, you can't*, and it is a big deal. You see, if you think you can easily already do this, you're likely one of millions of amateurs who naively believe that finding out who has what access in Active Directory is merely the same as finding out who has what permissions in Active Directory, which any script can seemingly do, and which numerous amateur vendors also claim to be able to do.
*If you know of any cyber security solution in the world that can do what Gold Finger's advanced tools can, you can have Gold Finger for free.
In reality, if you're merely relying on finding out Who has what permissions in Active Directory, you have a LOT to learn, and THOUSANDS of hours before you can do this correctly. In short, what you need to do is find out who has what effective permissions in Active Directory first, and that alone is something even the $3 Trillion Microsoft does not possess the ability to accurately determine, let alone any organization, vendor or admin in the world. (We do.)
In short, if you want to understand what the big deal is, you'll want to read the technical sections of this blog post, as well as read this and this (as many times as needed,) and then ask yourself if you have the ability to do so.
In contrast, organizations that operate on Active Directory continue to maintain and retain independent control over their PRIMARY identities, and thus retain their operational autonomy, organizational privacy and self-reliance.
In simple words, any organization that may be considering transitioning their primary identities from Active Directory to an(y) IDP in the Cloud should know exactly what it is they stand to LOSE if they do so, and act accordingly.
With these 2 myths debunked, now that we understand the profound value and paramount importance of Active Directory, and how difficult it is to accurately determine access in it, we can proceed to appreciate Gold Finger, and this new feature.
A Quick Technical Primer
To understand and appreciate this feature, one first needs to adequately understand the fundamentals of Active Directory Security, and towards that end, this section is possibly the most concise primer you'll find anywhere on the subject.
You see, simply put, what makes Active Directory so important and valuable is the fact that it is the heart of AAA, and it stores and protects all the building blocks of organizational cyber security i.e. all organizational user accounts and their credentials, all organizational computer accounts and their policies, and all organizational groups and their memberships.
Active Directory Security Permissions |
In other words, ultimately, the most valuable asset in Active Directory are its contents, each one of which is represented by an Active Directory object, that is protected by an access control list (ACL), in which reside multiple security permissions, each one of which allows or denies some type of access for some security principal, and ultimately it is the resultant set of all the security permissions in an object's ACL, aka effective permissions that determine who has what access to it.
Further, since it is infeasible for an organization to individually configure security permissions on thousands of objects, Active Directory lets admins specify inheritable security permissions, which can be specified on container objects (e.g. OUs,) and automatically flow down to all/specific child objects, making it easy to specify access on thousands of objects.
Lastly, a precedence order governs the resultant access arising from conflicting sets of allow and deny permissions.
Consequently, in a nutshell, in every Active Directory domain, there exist hundreds of thousands of explicit and inherited security permissions, each one allowing or denying various combinations of access to various users, computers, groups etc., and ultimately it is the resulting access of ALL these permissions that actually determines who has what access.
It follows logically then that to secure the contents of Active Directory, one needs the ability to accurately assess who currently has what access i.e. effective permissions, on (thousands of) Active Directory objects, for one simply cannot secure (i.e. lockdown) access to any securable asset without first being able to assess who currently has what access.
In other words, it is impossible to secure Active Directory without possessing the ability to accurately determine effective permissions in Active Directory. In fact, one can't even secure a single object without possessing this fundamental ability.
5 Simple Examples
Finally, before we see Gold Finger's existing capabilities and those of this new feature, it is important to understand just how difficult and technically complex it is to accurately make access assessment determinations in Active Directory.
Here are five simple examples that illustrate the complexity involved in making these paramount determinations -
- Who can reset a domain user account's password? Consider an(y) account in Active Directory. There are likely over one hundred security permissions in its ACL, each one allowing or denying some access to some security principal, and each one being explicit or inherited. To make this determination, one will need to accurately take into account the collective impact of all of these hundred plus security permissions, with 100% accuracy, considering all factors that influence access, such as inheritance, precedence orders, group memberships, self-relative permissions, class applicability etc. In other words, one needs to determine the resulting effective permissions on the object.
- Who can modify a domain group's membership? Consider any group in Active Directory. Akin to the example above, there are likely over a hundred security permissions in the ACL protecting this group's object in Active Directory, and likewise, to make this determination, one will need to accurately determine the collective impact of all the hundred plus security permissions in this object's ACL, i.e. determine the resulting effective permissions on this object.
- Who can replicate secrets from Active Directory? The enactment of this one single act can result in the instant and complete compromise of an entire organization. Consequently, making this paramount determination is absolutely essential for organizational cyber security. Assessing who can replicate secrets from Active Directory involves the accurate determination of not one but two special extended rights on the domain root, and consequently is twice as complicated as making a single effective-permission based assessment, such as those in the previous examples.
- Who can create a user account in Active Directory? This may seem like a simple assessment to those new to the subject, but a professional will tell you that this seemingly simple assessment involves a substantial amount of complexity i.e. the accurate determination of effective permissions on every organizational unit, almost* every container in Active Directory, and every object under which the Schema permits the creation of domain user accounts, and thus depending on an organization's OU structure/design, making this one simple determination could involve accurately determining effective permissions on possibly dozens of Active Directory objects.
- Who can delete a large OU, such as the Corp OU? Consider an OU that contains hundreds/thousands of objects. The determination of who can delete this OU is possibly one of the hardest technical determinations in all of cyber security, because there are multiple ways in which an OU and its contents can be deleted, and thus one technically needs to determine the collective impact of thousands of security permissions, i.e. determine effective permissions on every object in the OU, as well as the impact of delete-child and delete-tree permissions on all non-leaf objects.
In short, as illustrated by these examples, to make these paramount access determinations accurately, one needs to be able to accurately determine effective permissions on Active Directory objects, and in fact, do so on thousands of objects.
Note - Today, no cyber security company on Earth, whether it be PANW, CRWD, ZS, OKTA, CYBR, NET, MSFT etc. possesses the capability to help organizations determine effective permissions in Active Directory. Well, except one.
Gold Finger - Standard Mode
Gold Finger is the world's only solution that can accurately determine effective permissions in Active Directory, and in fact do so on thousands of objects, to determine exactly who has what effective access, where and how in Active Directory.
Gold Finger for Active Directory |
Technically, it is a suite of 8 Active Directory assessment tools that includes a Security Auditor, a Membership Auditor, an ACL Analyzer, an ACL Exporter, an Active Directory Permissions Analyzer, and the world's only accurate i) Active Directory Effective Permissions Calculator, ii) Effective Access Auditor, and iii) an unrivaled domain-wide Privileged Access Assessor.
For the purposes of this post, we'll focus on the Privileged Access Assessor, of which the following's the Standard Mode -
Active Directory Privileged Access Assessor |
As can be seen above, the default mode in the Privileged Access Assessor, referred to from now on as the Standard Mode, enables organizations to instantly, accurately and automatically make over 100 paramount privileged access assessment determinations in Active Directory, such as -
- Who can create user accounts, computer accounts, security groups, OUs etc. in Active Directory?
- Who can delete user accounts, computer accounts, security groups, OUs etc. in Active Directory?
- Who can reset account passwords, modify group memberships, disable two-factor auth etc. in Active Directory?
- Who can modify permissions on all objects, on OUs, on AdminSDHolder, the domain-root etc. in Active Directory?
- Who can link GPOs to OUs, delegate/modify administrative access, replicate secrets from Active Directory etc.?
It is the only cyber security tool in the world that can accurately make these paramount determinations in Active Directory.
In technical terms, the Standard Mode of Gold Finger delivers the capability to automatically analyze millions of security permissions in Active Directory, instantly and accurately determining effective permissions on thousands of objects, to ultimately determine and reveal exactly who has what privileged access in Active Directory, where and how, domain-wide.
As it pertains to this post, the Standard Mode of Gold Finger determines and reveals the identities of all users who have sufficient effective access in Active Directory to be able to perform one or more specified administrative tasks.
For instance, if it is the case that 100 users can create user accounts in Active Directory, it will list them all. Likewise, if you select 100 tasks to assess for, it will determine and then list the identities of all users who can enact each selected task.
Gold Finger - Single-User Mode
There are many scenarios in which an organization needs to be able to quickly determine whether or not a specific user has sufficient effective access in Active Directory to be able to enact a specific administrative task. Likewise, there are many scenarios in which an organization needs to know what all a specific user is able to do in their Active Directory.
For such scenarios, it can be very helpful if IT personnel can specify a specific user and have Gold Finger determine either whether that specific user can perform a specific task in Active Directory, or if he/she can perform all/specific admin tasks.
The Single-User Mode being introduced today delivers on this exact capability -
Gold Finger - Single-User Mode |
It enables organizations to be able to specify a specific (single) user, and have Gold Finger instantly, accurately and automatically determine whether or not that user can perform one or more selected/specified tasks in Active Directory.
To activate Single-User Mode, one simply uses the new Mode option in the application menu -
Once in Single-User Mode, to specify a specific (single) user, one simply clicks on the 'Specify a User' button -
This opens Gold Finger's inbuilt Search dialog that enables you to easily search for and specify a specific user -
Once a user has been selected, the next step is to select one or more privileged access reports you wish to assess for -
Once you have selected the access reports you wish to generate for the specified user, you click the Gold Finger button.
Gold Finger then automatically determines whether or not the specified user has sufficient effective access (i.e. effective permissions) in Active Directory (, on thousands of objects if needed,) to be able to enact the selected tasks, and if so, where all (scope-wide) and how, and displays results -
Active Directory Effective Permissions Calculator |
Active Directory Effective Access Auditor |
- Active Directory Effective Permissions Calculator - Calculate effective permissions on any object in Active Directory.
- Active Directory Effective Access Auditor - Audit effective access on accounts, groups, OUs etc. in Active Directory.
- Active Directory Privileged Access Assessor - Instantly assess privileged access domain-wide in Active Directory.
At Paramount Defenses, we are confident that the general availability of Single-User Mode in Gold Finger, across all of these three indispensable tools, will make it even easier for our customers to attain and maintain LPA in Active Directory.