Showing posts with label Active Directory Security.

Monday, October 7, 2024

The American Defense Industrial Complex operates on Active Directory


Folks,

From the U.S. Department of Defense to the Israeli Defense Forces, Microsoft to Nvidia, and Lockheed Martin to Palantir, today virtually the entire American Defense Industrial Complex operates on Microsoft Active Directory.

In fact, the entire United States Government, as well as the Fortune 100 and Wall Street also operate on Active Directory.


For those who may not know, Active Directory is one of the most important and trustworthy foundational technologies ever built, and it provides two paramount imperatives that the Cloud cannot - operational autonomy and organizational privacy.

Consequently, Active Directory lies at the very foundation of national security, defense and corporate security worldwide.



The National Security Agency Agrees

The stated mission of NSA in cybersecurity is to prevent and eradicate threats to U.S. national security systems with a focus on the Defense Industrial Base and the improvement of its weapons’ security.


Active Directory Security is so important to global security, that just last fortnight, the National Security Agency (NSA) and the Australian Signals Directorate (ASD) issued joint guidance on how to mitigate Active Directory attacks, and I quote -


"Active Directory is the most widely used authentication and authorization solution in enterprise Information Technology (IT) networks globally. Like numerous other networks, Active Directory is used in many Department of Defense and Defense Industrial Base networks as a critical component for managing identities and access. This makes it an attractive target for malicious actors to attempt to steal the proverbial 'keys to the kingdom.' Taking steps to properly defend AD from these common and advanced techniques will detect and prevent adversary activities and protect sensitive data from determined malicious cyber actors."


To state it as simply as one can, the National Security Agency (NSA) of the United States of America just confirmed not only what we've been saying for years, but also the paramount importance of what it is we do at Paramount Defenses.

You see, the number one way to steal the proverbial Keys to the Kingdom that the NSA is referring to is Active Directory Privilege Escalation, and in fact we had released the underlying technical facts in The Paramount Brief way back in 2014.

I wonder what took the NSA so long. We've been saying this for a decade - 2014, 2015, 2016, 2017, 2018, 2019, 2020.



This is Paramount

The accurate assessment of privileged access in Active Directory is absolutely paramount to organizational cyber security.

As every cyber security professional, Domain Admin and CISO worth his/her salt knows well, the most important (the #1) measure in all of organizational cyber security and in Active Directory security is the attainment of Least Privilege Access (LPA) in Active Directory, which involves accurately assessing and then locking down privileged access in Active Directory. One simply cannot do so without the ability to accurately assess privileged access in Active Directory.




Decision Support (aka Proof)

At the heart of both the SolarWinds Breach and the Colonial Pipeline Hack lay privileged access in Active Directory.
Both these attacks could've been prevented if only organizations had attained and maintained LPA in Active Directory. 

Here's why; consider this - the Top-5 ways of escalating privilege in Active Directory are i) DCSync eff-perms (the replication extended rights) or WD eff-perms on the domain root, ii) WD eff-perms on AdminSDHolder, iii) CR-Reset Password eff-perms on any AD admin account, iv) WP-Member eff-perms on any AD admin group, and v) WP-GP Link and WP-GP Options eff-perms on the default Domain Controllers OU. (Here eff-perms means effective permissions; CR = control access (extended) right, WD = Write DACL, WO = Write Owner, WP = Write Property.)

Anyone who has any of these eff-perms in AD owns the organization, and can completely destroy it, should they so desire, so at an absolute minimum*, assessing and locking-down the above eff-perms domain-wide is absolutely paramount.

*Oh, and this is merely the tip of the iceberg. Consider the following -
  1. Anyone who has { CR-Reset Password or WD or WO } eff-perms on any AD user account in the domain can own that account in one second.
  2. Anyone who has { WP-Member or WD or WO } eff-perms on any AD group in the domain can control that group in one second (and access everything it protects).
  3. Anyone who has { WD or WO } eff-perms on any OU in the domain can own every object in that OU, and can easily escalate privilege and/or control and/or destroy everything in it.

Pro Tip for Amateurs - Count the number of times I've said eff-perms above, because it is NOT perms, but eff-perms (aka Active Directory Effective Permissions) that control everything in AD. Permissions analysis is almost useless.

Organizations that do not know who has what eff-perms in their AD are dangerously operating in the proverbial dark.
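To make the permissions-versus-effective-permissions distinction concrete, here is an added example (not Gold Finger code or anything from Paramount Defenses): a simplified evaluator over a constructed DACL on one user account and constructed nested groups, showing why a raw permissions report and the effective answer to "who can reset this password?" disagree. The mask bits and the reset-password identifier are placeholders for the real access-mask bits and schema GUIDs.

```python
"""Simplified Active Directory effective-permissions evaluator (added illustration).

Models one AD object's DACL as a list of ACEs and answers "who can enact <right>
on this object?", accounting for the three things a raw permissions listing
misses: nested group membership, Deny-before-Allow canonical ACE ordering, and
broad rights (GenericAll) that subsume a specific extended right.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for the real access-mask bits and schema GUIDs.
GENERIC_ALL = 0x1       # full control; covers every right on the object
WRITE_DACL = 0x2        # WD: change the object's permissions
WRITE_OWNER = 0x4       # WO: take ownership
CONTROL_ACCESS = 0x8    # CR: extended right, scoped by object_type
RESET_PASSWORD = "reset-password"  # placeholder for the real extended-right GUID

Right = Tuple[int, Optional[str]]   # (mask bit, extended-right id or None)
RESET_PW_RIGHT: Right = (CONTROL_ACCESS, RESET_PASSWORD)
WD_RIGHT: Right = (WRITE_DACL, None)
WO_RIGHT: Right = (WRITE_OWNER, None)


@dataclass(frozen=True)
class Ace:
    trustee: str                       # user or group named in the ACE
    allow: bool                        # False => Deny ACE
    mask: int                          # access-mask bits
    object_type: Optional[str] = None  # None => applies to all rights
    inherited: bool = False            # inherited from a parent OU/container


def expand_groups(principal: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Return the principal plus every group it belongs to, transitively."""
    token = {principal}
    stack = [principal]
    while stack:
        current = stack.pop()
        for group, members in membership.items():
            if current in members and group not in token:
                token.add(group)
                stack.append(group)
    return token


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Explicit ACEs before inherited ones; within each level, Deny before Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def ace_covers(ace: Ace, right: Right) -> bool:
    """Does this ACE speak to the requested right at all?"""
    bit, obj = right
    if not ace.mask & (bit | GENERIC_ALL):
        return False
    return ace.object_type is None or ace.object_type == obj


def has_effective_right(principal: str, dacl: List[Ace],
                        membership: Dict[str, Set[str]], right: Right) -> bool:
    """Walk the DACL the way the access check does: the first ACE that names the
    principal (directly or via a group) and covers the right decides."""
    token = expand_groups(principal, membership)
    for ace in canonical_order(dacl):
        if ace.trustee in token and ace_covers(ace, right):
            return ace.allow
    return False


def direct_trustees(dacl: List[Ace], right: Right) -> Set[str]:
    """What a plain permissions report shows: trustees named in Allow ACEs set
    directly on the object. No group expansion, no Deny, no inheritance."""
    return {a.trustee for a in dacl
            if a.allow and not a.inherited and ace_covers(a, right)}


def who_can(principals: List[str], dacl: List[Ace],
            membership: Dict[str, Set[str]], right: Right) -> List[str]:
    return sorted(p for p in principals
                  if has_effective_right(p, dacl, membership, right))


def who_can_own_account(principals: List[str], dacl: List[Ace],
                        membership: Dict[str, Set[str]]) -> List[str]:
    """Per the post: Reset Password, WD or WO eff-perms on a user account owns it."""
    return sorted(p for p in principals
                  if any(has_effective_right(p, dacl, membership, r)
                         for r in (RESET_PW_RIGHT, WD_RIGHT, WO_RIGHT)))


# Constructed sample domain: nested groups and the DACL on user account "cfo".
MEMBERSHIP: Dict[str, Set[str]] = {
    "Helpdesk": {"Tier2", "bob"},
    "Tier2": {"alice"},
    "Contractors": {"bob"},
    "OU-Admins": {"carol"},
}
CFO_DACL: List[Ace] = [
    Ace("OU-Admins", True, GENERIC_ALL, inherited=True),        # inherited from the OU
    Ace("Helpdesk", True, CONTROL_ACCESS, RESET_PASSWORD),      # explicit Allow
    Ace("Contractors", False, CONTROL_ACCESS, RESET_PASSWORD),  # explicit Deny
]
USERS = ["alice", "bob", "carol", "dave"]

if __name__ == "__main__":
    print("permissions report names:", direct_trustees(CFO_DACL, RESET_PW_RIGHT))
    print("can actually reset cfo's password:",
          who_can(USERS, CFO_DACL, MEMBERSHIP, RESET_PW_RIGHT))
    print("can own the cfo account:", who_can_own_account(USERS, CFO_DACL, MEMBERSHIP))
```

The permissions report names only the Helpdesk group, while the effective answer is alice (via nested membership) and carol (via an inherited GenericAll); bob, though in Helpdesk, is cut off by the explicit Deny on Contractors.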




Extremely Difficult

The accurate determination of access entitlements, i.e. who has what privileged access where and how, in Active Directory is extremely difficult and error-prone, and likely one of the biggest challenges in organizational cyber security today.
It is extremely difficult because it involves analyzing millions of individual access control specifications that cumulatively impact resultant access, and thus involves meticulously connecting millions of dots with absolutely zero room for error.

There is no room for error, because like performing heart surgery or screening baggage at airports, even a single error could result in an unmitigated privilege escalation path that could be used to completely destroy an entire organization.

The process is akin to finding a thousand unique needles in a haystack the size of One World Trade Center, New York, wherein in order to ensure security, it is paramount that each and every single needle in the entire haystack be found. 





Mission Accomplished

For anyone who may not yet know, there is one and only one cyber security solution in the entire world that can accurately assess privileged access in Active Directory - our unique, unrivaled, all-American, Microsoft-endorsed Gold Finger.

Gold Finger is the only cyber security solution in the world that can accurately assess access entitlements i.e. who has what privileged access in Active Directory, based on the accurate determination of effective permissions in Active Directory.

Let there be no ambiguity about that cardinal technical fact, none whatsoever. Although there are over twenty solutions that claim to be able to assess privileged access in Active Directory, not even one of them can do so accurately, because there is one and only correct way to accurately assess privileged access in Active Directory and that involves the accurate determination of Active Directory Effective Permissions, which is extremely difficult, and none of those solutions do so.

Not a single one of them.

As such, the method and system for the accurate determination of who has what access entitlements in Active Directory, including of course privileged access, and privilege escalation paths, is governed by our patent, U.S. Patent 8429708.




The Bible of Access Assessment

I should also mention this is no ordinary patent. It is the Bible of how to accurately assess access in an IT system wherein access is controlled using ACLs, and today, over 75 patents from many of the world's top cyber security companies cite it, including Microsoft, Amazon, IBM, VMWare, McAfee, CyberArk, FireEye, Dell, Palantir and others.


Our patented, Microsoft-endorsed accurate effective access assessment capabilities, embodied in our Gold Finger, Gold Finger Mini and Gold Finger 007G solutions, are unique in their ability to enable organizations to fulfill this paramount objective, and over the last decade, from the U.S. DoD to the United Nations and from the U.S. Treasury to several Fortune 100 companies, they have been instrumental in helping so many important organizations attain and maintain LPA in AD.



Simply Unrivaled  (F-35)

To give the world an idea of just how capable and superlative our access assessment technology is, consider this -

Gold Finger can accurately assess exactly who has what privileged access, where and how, domain-wide in any Active Directory domain in the world, comprised of thousands of objects, within just minutes, and at the touch of a button. 

To put that in perspective, in less time than the Generals in the U.S. Military can brief the U.S. Secretary of Defense as to the state of cyber security of their respective forces, or for that matter in less time than the CEO of Microsoft has an hourly meeting with his top cyber security experts, Gold Finger can find out exactly who has not just the Keys to the Kingdom, but also who has the keys to every single door in the kingdom, in every Active Directory domain in the U.S. Dept. of Defense.

In fact, we recently offered to give away up to one hundred million dollars in software to any and every organization or professional who could provably show us even one tool in the world that can do what Gold Finger's privileged access assessment capabilities can, and guess how many organizations/professionals have taken us up on the offer thus far? 

Zero! Need one say more?



In Closing

In closing, I will only add that at Paramount Defenses we continue to be laser-focused on Active Directory security because it is absolutely paramount to the national security of the United States of America, and that of 100+ countries worldwide. 

You see, there can be no national security without a government having operational autonomy and organizational privacy, and only Active Directory makes these two imperatives possible. Fortunately, today every organization in the world that wishes to do so can easily attain and maintain least privilege access (LPA) in their foundational Active Directory domains, thereby measurably eliminating 99% of avenues of privilege escalation to the "Keys to the Kingdom" in Active Directory.


That's all for now.

Best wishes,
Sanjay.

Tuesday, May 18, 2021

What's common between the Colonial Pipeline Hack and SolarWinds Breach?


Folks,

From the entire U.S. Government to the Fortune 1000, including almost all cyber security and cloud computing companies, today, at the foundation of IT, cyber security and privileged access at 85% of organizations worldwide lies Active Directory.

I'm Sanjay Tandon, formerly Program Manager for Active Directory Security on Microsoft Corporation's Windows Server Development Team, and today, CEO of Paramount Defenses.


Today, I'll share with you what is common between the Colonial Pipeline Hack and the SolarWinds Breach, and day after tomorrow onwards, I'll also provide sufficient technical details, but before I do so, I would like to share a few observations. 

 

Note - The only reason you may want to listen to what I have to say, is because, by virtue of my years at Microsoft and PD, I possess sufficient expertise, IP and capability to be able to help substantially enhance (and if requested, also demo how one could compromise) the foundational cyber security of any/every organization in the world.



Five Observations

I would like to share a few salient observations on the current(ly dismal) state of cyber security at organizations worldwide, because it is my professional opinion that until certain basic deficiencies are addressed, unfortunately, we will continue to witness many more such breaches - 


  1. The Current State of Affairs

    It is really sad to see the current state of cyber security at organizations worldwide. Not a month seems to go by without there being yet another high-impact cyber security breach at some prominent organization or the other.

    That said, considering how inadequate the actual state of cyber security preparedness, defenses and proficiency are at most organizations, it is hardly surprising to see so many organizations get breached, ransomware'd etc.

    For instance, consider this - Active Directory (AD) is the very foundation of cyber security at organizations, and a Domain Controller (i.e. the machine on which AD is hosted) is technically the most valuable asset an organization has, yet, at most organizations, DCs remain vastly inadequately protected, and thus vulnerable to compromise.

    If this is the state of DC security at thousands of organizations worldwide, how can there be any security?

    Likewise, the compromise of a single Active Directory Privileged User account is tantamount to a complete Active Directory forest-wide breach, so such accounts must be minimal in number and highly protected. Yet, at most organizations, today there exist an excessively large and unknown number of Active Directory privileged accounts.

    If this is the state of AD privileged accounts at most organizations worldwide, how can there be any security? 



  2. Three Fundamental Deficiencies

    It is my professional opinion that most organizations suffer from three key deficiencies, that ultimately result in inadequate cyber security defenses, leading to breaches - understanding, accountability and empowerment.     

    1. Understanding - Given a vast and dynamic attack surface, and sophisticated threats, it is imperative that all organizations possess a sufficient understanding of how to adequately protect themselves, yet most don't.

    2. Accountability - Security requires a clear chain of ownership and accountability:  Shareholders, customers, partners > CEO > CISO > Director(s) > Domain (and IT) Admins. Yet at most organizations, none exists.

    3. Empowerment - Organizational IT teams need to be adequately empowered to acquire and deploy security measures needed to adequately defend an organization, yet at most organizations, budgets are inadequate.


    For instance, IT personnel and Domain Admins from thousands of organizations have requested our help, found our unique products (e.g. 1, 2, 3) to be essential, yet so many end up conveying that they just do not have the budget.

    In reality, it is not that they do not have the budget; it is primarily that their executive management simply does not yet possess the required understanding i.e. Active Directory Security directly impacts foundational security and business continuity, and is thus paramount, and consequently their IT personnel are simply not empowered. 



  3. The World is Mostly Reacting

    Sadly, at most organizations, cyber security is only taken sufficiently seriously after they have been breached, and in most instances, the response is similar - the breach is disclosed, then FireEye is called in to investigate, and ultimately, promises are made to enhance security. In the case of govts., broad directives/EOs may be issued.

    FireEye does a thorough investigation and in most cases, the findings are similar i.e. the perpetrators used the same set of well-known techniques and in almost every case, compromised and misused an Active Directory privileged user account to obtain Domain Admin level access, which was then used to achieve their objective. 

    Subsequent to FireEye's investigation, this is priority #1, budget is no longer a problem, a new CISO is hired, half a dozen new cyber security solutions are deployed, millions are spent etc. but the damage has already been done.



  4. Lack of Specifics in Public Discourse

    After every breach, the CNNs and ABCs of the world will extensively cover it, you'll hear interviews from prominent Senators, Congressmen and cyber-security experts, all of whom will speak about the serious impact, the role in national security, the influence of a foreign power etc., yet not one of them mentions one piece of specific detail.

    In the absence of details in the public discourse, the actual problem, and the solution that it requires, will largely remain unaddressed, and most cyber security companies out there will likely use this opportunity to convince organizations to deploy their latest cyber security solutions, whether or not they actually make a difference. 

    As a result, in all the noise, and due to the lack of focus on details, the actual specific deficiency/weakness that was exploited, and the attack vector that was used in a specific breach, will often likely continue to remain unaddressed at thousands of other organizations worldwide, paving the way for the next breach and the one after it, and so on.

    For instance, in virtually every major cyber security breach to date, the most damaging part of the breach was made possible by the perpetrator compromising and misusing a single Active Directory privileged user account to fulfill his/her objective, whether it be exfiltrating data, unleashing malware etc. and yet to date, at most organizations worldwide, no one has any idea as to exactly how many users have privileged access in Active Directory because the elephant in the room, i.e. "Active Directory", was not mentioned even once in the public discourse.



  5. The Basics - Secure the Foundation and Deny them the Opportunity

    At its simplest, all security is fundamentally about access control. In order to compromise anything, perpetrators require access - if we reliably deny them the required access, we will have won half the cyber security battle.

    Most importantly, if perpetrators are unable to obtain privileged access, specifically Domain Admin equivalent access, they will almost never be able to inflict colossal damage i.e. no widespread ransomware, data exfiltration, etc.

    Towards that end, the most important proactive measure organizations can take to adequately defend themselves is to adequately secure and defend their foundational Active Directory deployments, the two most important parts of which are to 1) secure all DCs (and admin workstations), and 2) accurately identify and minimize the number of accounts that possess privileged access in Active Directory, then fiercely protect every AD privileged account.

    Here's why - An attacker only needs to compromise one DC or one AD privileged user account. That's it. Just ONE.

    Real-world Evidence - If the perpetrators of the Colonial Pipeline attack had not been able to compromise a DC, they would likely not have been able to unleash ransomware. Likewise, if the perpetrators in the SolarWinds Breach had not been able to compromise an Active Directory privileged user account, they would not have been able to gain access to and exfiltrate vast amounts of data on-prem and in the Cloud, at thousands of organizations. 



  • Note - If you find this to be high-level and light on technical details, it is so by intent, given its purpose. For those who may wish to judge my competency based on details - one, two, three, four, five, six, etc.

    I've also written an innocuous production-level ransomware example to show that it could be deployed via AD.




What is common between the Colonial Pipeline Hack and the Solar Winds Breach?

In the last few months, two major cyber security incidents, the SolarWinds Breach and the Colonial Pipeline Hack have had a notable impact on the world, the former having impacted the security of thousands of organizations worldwide, and the latter having caused a week long shutdown of the largest oil pipeline operator in the eastern United States.

The one thing that both these attacks had in common was that in each of these cyber security incidents, the perpetrators specifically targeted and successfully compromised the foundational Active Directory deployments of organizations.


Note - The compromise of a single Domain Controller and/or a single Active Directory privileged user account is tantamount to the compromise of an organization's entire foundational Active Directory deployment.


It can be stated with a high degree of certainty that had the perpetrators not been able to compromise the foundational Active Directory deployments of these organizations, in all likelihood, these attacks would not have been successful.

I'll share the relevant technical details of both of these attacks, on this blog, starting day after tomorrow, as stated below.  



Trillion $ Insights

Over the next few days, starting day after tomorrow, I'll share ten specific high-value details that have a direct bearing on the foundational cyber security of every organization operating on Active Directory today; you may wish to tune in.

Day after tomorrow, I'll share the details of what enabled the most impactful part of the SolarWinds Breach right here, and in days to come, I'll also share what enabled the most impactful part of the Colonial Pipeline Hack here.

Sincerely,
Sanjay.

Founder and CEO, Paramount Defenses



PS: I am often asked for advice on how to secure Active Directory. 
It being an ocean of a subject, here's the essence of it -

In the hierarchy of security measures, prevention is #1, avoidance is #2, detection is #3 and remediation is #4.

I. Prevention - The most effective measure is prevention; the most effective way of preventing an AD breach is as follows: 
  1. Adequately secure and defend every single domain controller (and if used, privileged admin workstations (PAWs))
  2. Accurately identify and minimize the number of privileged accounts in Active Directory, then protect all of them.
  3. Always follow secure admin practices e.g. do NOT logon to any machine except PAWs using Domain Admin creds.

II. Detection - You may wish to consider using an AD Security Monitoring /Threat Intelligence solution to gain visibility and detect enactment of attacks. It is important to keep in mind that such solutions usually monitor replication so they provide quick but "after-the-fact" insights. In general, the efficacy of such solutions is a function of the timeliness of your response.

III. Remediation - You may wish to consider using an AD Backup and Restore solution, in the event of an incident. An AD restore is an extremely complicated and expensive operation, not to be taken lightly, and only to be used as a last resort.

Wednesday, May 5, 2021

The $ 25,000 Gold Finger Mini Challenge

Folks,

I hope this finds you doing well. Today, we are announcing our second global Gold Finger Mini Challenge for US $ 25,000.



The $ 25,000 Gold Finger Mini Challenge


We are excited to announce an award of US $ 25,000/- to the first individual who can identify any solution in the world, other than Gold Finger, that can demonstrably do what the Advanced level of Gold Finger Mini can. Details below -



Here are the Top 7 Active Directory Privileged Access Audit Insights that the Advanced level of Gold Finger Mini can provide -
  1. Who can replicate secrets (password hashes) from an Active Directory domain? 
  2. Who can reset the password of an Active Directory domain user's account?
  3. Who can disable the use of Smartcards on an Active Directory account?
  4. Who can change an Active Directory security group's membership?
  5. Who can change security permissions on an Active Directory OU?
  6. Who can link a group policy (GPO) to an Active Directory OU?
  7. Who can create an Active Directory user account in an OU? 

The need to know exactly who can enact these privileged tasks is absolutely paramount.



Paramount Privileged Access Insights

The unauthorized, accidental or coerced enactment of virtually all administrative tasks listed above could instantly result in a colossal breach far greater (damaging) in impact than even the recent SolarWinds Hack.


Consider this -
  1. Anyone who could replicate secrets from Active Directory, effortlessly enactable via the use of Mimikatz DCSync, could instantly compromise the credentials of all (thousands) of organizational domain user accounts, resulting in a colossal breach bigger than the SolarWinds Hack.

  2. Anyone who could reset the password of a domain user account would in effect have instantly compromised the identity of that account, such as that of a C-Level Executive, a Software Developer etc. He/she could then login as that account and instantly obtain access to everything that account has access to. If the target were an Active Directory privileged user account, it would be tantamount to a colossal, system-wide breach.

  3. Anyone who could disable the use of Smartcards for interactive logon, would in effect have downgraded security on that account, forcing authentication to being password based, and a simple password reset of that domain user account could be used to instantly compromise it.

  4. Anyone who could change the membership of a domain security group could instantly obtain domain-wide access to all IT resources that the compromised group has access to, such as All Employees, Source-Code Access, AccountingCloud Global Admins etc. If the target were an Active Directory privileged group, such as Domain Admins, it would be tantamount to a colossal, system-wide breach.

  5. Anyone who could modify the security permissions on an Active Directory OU could easily gain privileged access on all Active Directory objects e.g. user accounts, computers, security groups, service connection points etc. that reside in that OU. In numerous ways, this could easily be used to elevate/escalate privilege and gain Domain Admin equivalent access, resulting in a colossal breach.

  6. Anyone who could link a GPO to an Active Directory OU could instantly control the security of all computers whose domain computer accounts reside in that OU. This could be used to easily circumvent all endpoint-protection controls, deliver malicious payloads or instantly unleash malware on thousands of domain-joined computers.

  7. Anyone who could create a domain user account in Active Directory could then use that account to engage in nefarious activities that couldn't be traced back to a uniquely identifiable individual, thereby enabling the perpetrator to evade accountability while engaging in nefarious recon or attack activities.  

Consequently, the need to know exactly who can enact these administrative tasks in an organization's foundational Active Directory deployment is absolutely paramount to organizational cyber security today. 




The $ 25,000 Challenge

Our challenge is simple. All you need to do is -
  1. Try the Advanced level of Gold Finger Mini, downloadable from here, to experience its unique capabilities.

  2. Identify any solution in the world, other than Gold Finger, that you believe can do what Gold Finger Mini can.

    Specifically - Identify any solution in the world that can accurately deliver the 7 paramount insights listed above.

  3. Compare and verify the results of the identified solution with Gold Finger Mini's results in the same AD domain. For your convenience, a ready to use lab AD domain with Gold Finger Mini pre-installed, can be downloaded from here.

If you believe you have found a solution, email its name to us at challenge[@]paramountdefenses.com. If you don't find a solution, but wish to be eligible for our next challenge (see below), email us and let us know that you didn't find a solution.  




List of Popular Active Directory Security Solutions

To help make it easy for you to find other solutions that you could compare Gold Finger Mini with, here is a list of various Active Directory Security Solutions available today, listed in alphabetical order -
  1. Acldiag (Microsoft)
  2. Aclight (CyberArk)
  3. Active Directory ACL Analyzer* (Paramount Defenses)
  4. Active Directory ACL Exporter* (Paramount Defenses)
  5. Active Directory Effective Permissions Calculator* (Paramount Defenses)
  6. Active Directory Effective Access Auditor* (Paramount Defenses)
  7. Active Directory Membership Auditor* (Paramount Defenses)
  8. Active Directory Permissions Analyzer* (Paramount Defenses)
  9. Active Directory Permissions Reporting Tool (ManageEngine)
  10. Active Directory Privileged Access Auditor* (Paramount Defenses)

  11. Active Directory Security Auditor* (Paramount Defenses)
  12. AD ACL Scanner (Robin Granberg ?)
  13. AD Permissions Reporter (CJWDev)
  14. AD Secure (Attivo Networks)
  15. AD Assessor (Attivo Networks)
  16. Alsid for AD (Alsid)
  17. BeyondTrust Auditor (BeyondTrust)
  18. Bloodhound (SpecterOps)
  19. CrowdStrike Falcon Identity Protection (CrowdStrike)
  20. Dsacls (Microsoft)

  21. Directory Service Protector (Semperis)
  22. Effective Permissions Reporting Tool (Netwrix)
  23. Enterprise Reporter for Active Directory (Quest)
  24. Hyena (Systemtools)
  25. LepideAuditor (Lepide)
  26. Permissions Analyzer for Active Directory (SolarWinds)
  27. Ping Castle (Ping Castle)
  28. PowerShell for Active Directory (Microsoft)
  29. Purple Knight (Semperis)
  30. StealthAUDIT Active Directory Permissions Analyzer (Stealthbits)
  • * These tools are a part of the Gold Finger Suite and are thus not eligible for consideration

If there are any tools that are not on this list but should be, simply leave a comment below, and we will add them to the list.




Submission Deadline

The deadline for submitting an entry for our second challenge is May 16, 2021 i.e. all entries received by 23:59:59 U.S. PST on May 16, 2021 will be eligible for participation. The winner will be announced on May 20, 2021 on this blog.

The timestamp at which your email is received will determine the order of submissions. The first submission that identifies a solution other than Gold Finger, that can accurately do what Gold Finger Mini can i.e. deliver the 7 paramount insights listed above, will be the winner. If no submission is able to demonstrably identify such a solution, there will be no winner.




The Next Challenge

We will issue our next challenge on May 21, 2021. The reward for the next challenge will be US $ 50,000/-.
However, only those individuals who participate in this challenge will be eligible to participate in the next challenge.  




Summary

Almost all major breaches in the last decade, including the SolarWinds Hack, involved the compromise and misuse of just one Active Directory privileged user account. Of note, the SolarWinds hackers only targeted Active Directory environments.
The objective of this challenge is to help organizations as well as IT and cyber security personnel worldwide become aware of the paramount importance of knowing exactly who has what privileged access in Active Directory, and to help organizations realize just how substantially inadequate their existing Active Directory audit toolsets are today.

We hope that this will be an educational challenge for all IT and cyber security professionals worldwide, and we look forward to hearing from everyone who understands the paramount importance of Active Directory Security.


Thank you.

Kindest regards,
Sanjay Tandon.

Chairman and CEO,
Paramount Defenses


Your participation is subject to the Terms of Use of our website and our Privacy Policy.

Wednesday, April 21, 2021

Introducing the $ 10,000 Gold Finger Mini Challenge

Folks,

I hope this finds you doing well. Today, we are announcing our first $ 10,000 global Gold Finger Mini Challenge.



The $ 10,000 Gold Finger Mini Challenge


We are excited to announce an award of US $ 10,000/- to the first individual who can identify any solution in the world, other than Gold Finger, that can demonstrably do what Gold Finger Mini can, i.e. instantly and accurately determine exactly who can enact the most critical privileged administrative tasks in an Active Directory domain.


Here are the Top 5 Active Directory Privileged Access Audit Insights that Gold Finger Mini can uniquely provide -   
  1. Who can replicate secrets (password hashes) from an Active Directory domain? 
  2. Who can change security permissions on the AdminSDHolder object?
  3. Who can change the membership of the Domain Admins security group?
  4. Who can reset an Active Directory privileged user account's password?
  5. Who can disable the use of Smartcards on an Active Directory user account?

The need to know exactly who can enact these privileged tasks is absolutely essential to securing Active Directory.   



The Challenge

The challenge is simple. All you need to do is -
  1. Try the free version of Gold Finger Mini, downloadable from here, to become familiar with its unique capabilities.

  2. Identify any solution in the world, other than Gold Finger, that you believe can do what Gold Finger Mini can.
    Specifically, identify any solution in the world that can accurately deliver the 5 paramount insights listed above.

  3. Compare and verify the results of the identified solution with Gold Finger Mini's results in the same AD domain. For your convenience, a ready to use lab AD domain with Gold Finger Mini pre-installed, can be downloaded from here.

If you believe you have found a solution, email its name to us at challenge[@]paramountdefenses.com. If you don't find a solution, but wish to be eligible for our next challenge (see below), email us and let us know that you didn't find a solution.  

That's it!



List of Active Directory Security Solutions

The following is a list of various Active Directory Security Solutions available today, listed in alphabetical order -
  1. Acldiag (Microsoft)
  2. Aclight (CyberArk)
  3. Active Directory ACL Analyzer* (Paramount Defenses)
  4. Active Directory ACL Exporter* (Paramount Defenses)
  5. Active Directory Effective Permissions Calculator* (Paramount Defenses)
  6. Active Directory Effective Access Auditor* (Paramount Defenses)
  7. Active Directory Membership Auditor* (Paramount Defenses)
  8. Active Directory Permissions Analyzer* (Paramount Defenses)
  9. Active Directory Permissions Reporting Tool (ManageEngine)
  10. Active Directory Privileged Access Auditor* (Paramount Defenses)
  11. Active Directory Security Auditor* (Paramount Defenses)
  12. AD ACL Scanner (Robin Granberg ?)
  13. AD Permissions Reporter (CJWDev)
  14. AD Secure (Attivo Networks)
  15. AD Assessor (Attivo Networks)
  16. Alsid for AD (Alsid)
  17. BeyondTrust Auditor (BeyondTrust)
  18. BloodHound (SpecterOps)
  19. CrowdStrike Falcon Identity Protection (CrowdStrike)
  20. Dsacls (Microsoft)
  21. Directory Service Protector (Semperis)
  22. Effective Permissions Reporting Tool (Netwrix)
  23. Enterprise Reporter for Active Directory (Quest)
  24. Hyena (Systemtools)
  25. LepideAuditor (Lepide)
  26. Permissions Analyzer for Active Directory (SolarWinds)
  27. Ping Castle (Ping Castle)
  28. PowerShell for Active Directory (Microsoft)
  29. Purple Knight (Semperis)
  30. StealthAUDIT Active Directory Permissions Analyzer (Stealthbits)
  • * These tools are a part of the Gold Finger Suite and are thus not eligible for consideration

If there are any tools that are not on this list but should be, simply leave a comment below, and we will add them to the list.




Submission Deadline

The deadline for submitting an entry is May 16, 2021 i.e. all entries received by 23:59:59 U.S. Pacific Standard Time (PST) on May 16, 2021 will be eligible for participation. The winner will be announced on May 20, 2021 on this blog.

The timestamp at which your email is received will determine the order of submissions. The first submission that identifies a solution other than Gold Finger, that can accurately do what Gold Finger Mini can i.e. deliver the 5 paramount insights listed above, will be the winner. If no submission is able to demonstrably identify such a solution, there will be no winner.




The Next Challenge

We will be issuing our next challenge on May 21, 2021. The reward for the next challenge will be US $ 25,000/-. However, only those individuals who participate in this challenge will be eligible to participate in the next challenge.  




We hope that this will be a fun, rewarding and educational challenge for all IT and cyber security professionals worldwide, and we look forward to hearing from everyone who understands the paramount importance of Active Directory Security.

Thank you.

Kindest regards,
Sanjay Tandon.

CEO,
Paramount Defenses


Your participation is subject to the Terms of Use of our website and our Privacy Policy. No purchase is necessary to participate in this challenge. This challenge is open to citizens of all nations except Cuba, Iran, North Korea, Syria, Yemen and those against which the U.S. Government may have imposed sanctions.

Wednesday, February 10, 2021

Introducing the Advanced Level of Gold Finger Mini

Folks, 

Today, I'd like to introduce you to the Advanced Level of Gold Finger Mini, quite possibly the world's most capable and powerful cyber security solution -
Gold Finger Mini is the world's only cyber security solution (other than Gold Finger) that can accurately and instantly find out and reveal exactly who has the most powerful privileged access in Active Directory and its Advanced Level offers eight unrivaled fully-automated Active Directory Privileged Access reports that instantly determine and reveal who can enact the most powerful administrative tasks in Active Directory.



Unrivaled Privileged Access Insight

The reports in the Advanced Level of Gold Finger Mini were designed to empower IT personnel, Cyber Security Auditors, Penetration Testers, Ethical Hackers and CISOs at organizations worldwide to instantly and accurately determine exactly -

  1. Who can replicate secrets (password hashes) from an Active Directory domain?

  2. Who can reset any Active Directory domain user account's password?

  3. Who can disable the use of Smartcards on any Active Directory account?

  4. Who can change any Active Directory security group's membership?

  5. Who can change permissions on any Active Directory OU (Organizational Unit)?

  6. Who can change any Active Directory computer account's SPNs (Service Principal Names)?

  7. Who can link a group policy (GPO) to any Active Directory OU?

  8. Who can create an Active Directory user account in any OU?

The cyber security intelligence that these reports uniquely deliver is absolutely essential for securing Active Directory.

However, what you may not know is that, contrary to popular belief, it is very difficult to accurately find out who can enact these privileged tasks in Active Directory, because to do so, one needs to determine Active Directory effective permissions.

Gold Finger Mini is simply the world's only cyber security solution (other than Gold Finger) that can accurately determine effective permissions in Active Directory and accurately make these paramount determinations, at the touch of a button, so now everyone can instantly find out exactly who has the most powerful privileged access in any Active Directory. 




Instant, Unrivaled High-Value Intelligence

As you know, such critical information can be very valuable if you're performing an Active Directory Privileged Access Audit or an Active Directory Security Assessment or if you're trying to pen-test/ethically hack an organization's Active Directory.


If you could find out exactly who can replicate secrets (password hashes) from an Active Directory domain (e.g. by using Mimikatz DCSync), or who can change the membership of any Active Directory security group, such as Domain Admins, or who can reset the password of any domain user account, such as the Administrator account, or who can modify the ACL protecting an organizational unit (OU) that contains thousands of domain user and computer accounts etc. you'd be just one step away from being able to obtain Domain Admin level privileged access in an organization.

The Advanced Level of Gold Finger Mini empowers organizations to instantly and accurately assess who has sufficient privileged access in Active Directory to enact the most highly sensitive/powerful administrative tasks, i.e. those that could be used to escalate privilege and consequently gain access to just about any IT resource in an organization.


If you were on the defending side, you could instantly lock down privileged access in Active Directory to remove any and all such critical unauthorized access that could instantly result in a massive breach.

If you were on the attacking side (as an ethical hacker or a penetration tester), you could instantly identify the quickest and shortest privilege escalation path leading to any object of interest in Active Directory, whether it be the Administrator account or the CEO's domain user account, the Domain Admins security group or a security group that controls access to a specific organizational IT resource (e.g. Source code Access), any Smartcard enabled account, any organizational unit (OU) containing thousands of Active Directory objects, or the credentials of all domain user accounts in an organization.

With Gold Finger Mini, you can instantly make these paramount determinations at the touch of a button, in seconds, without requiring any admin access or having to do complex Active Directory permissions analysis. Click and done!



Summary

Gold Finger Mini democratizes the unique, high-value, unrivaled cyber security intelligence that our flagship Gold Finger tooling can deliver, and in doing so, it empowers thousands of organizations and millions of IT professionals worldwide to easily, cost-effectively and instantly obtain mission-critical Active Directory privileged access insights.

The Advanced Level of Gold Finger Mini empowers everyone to be able to instantly find out i.e. assess/audit exactly who has the most sensitive/powerful privileged access on virtually any object in any Active Directory domain in the world.

There's simply nothing in the world that compares to it, and to find out why, you just have to try it for yourself.

To learn more and to download the free version, please visit - www.paramountdefenses.com/products/goldfinger-mini
 

Best wishes,
Sanjay

Tuesday, July 14, 2020

What Lies at the Foundation of Cyber Security of Microsoft, Amazon, Google and Facebook, the Tech Giants of the World?

Folks,

Today, I wanted to take a moment to share a simple fact that concerns the foundational security of the world's tech giants.


At the foundation of cyber security of Microsoft, Amazon, Google and Facebook lies a single technology - Active Directory.

Each one of these technology behemoths operates on Active Directory, and today, collectively hundreds of millions of Active Directory security permissions specified in the access control lists (ACLs) of millions of Active Directory objects in their foundational Active Directory domains collectively serve to secure and protect these organizations.

To give you some perspective, the collective net worth of these four companies alone exceeds a Trillion dollars.

Today, literally the entire world operates on Active Directory, and in the foundational Active Directory deployments of these organizations lie billions of Active Directory security permissions that collectively determine exactly who has the Keys to the Kingdom in these organizations; in other words, they control the foundational security of the entire world.

That's all for today.

Best wishes,
Sanjay.

Wednesday, July 8, 2020

How Active Directory Security Permissions Control Privileged Access


Folks,

Hello. I hope this finds you doing well. This post is Day-5 of Active Directory Security for Cyber Security Experts.


In today's post, I wanted to make the essence of Active Directory Security super simple for everyone to understand, because this is necessary before we dive into analyzing the many specific examples in the accompanying demo VM.



Active Directory Security, Distilled

Perhaps the best way to understand Active Directory is by distilling it down to ten simple points -


  1. Everything inside Active Directory is an Active Directory object

  2. Every object in Active Directory is protected by an access control list (ACL)
  3. Every ACL protecting every object contains zero or more access control entries (ACEs)
  4. Every ACE allows or denies one or more security permissions for a specific security principal (SP)
  5. Every security principal (account, group, well-known/foreign SP) is uniquely identified by its security identifier (SID)
  6. Every account has an access token that contains its SID and the SIDs of all security groups* to which it belongs

  7. Every security permission specified in an ACE is either explicit (set on the object) or inherited (from the parent)
  8. Every security permission is either a standard Active Directory permission, an extended right or a validate write

  9. Every ACE in the ACL is placed in accordance with a precedence order that governs how ACEs impact the resulting (i.e. effective) access for a user, which is:  Explicit Deny > Explicit Allow > Inherited Deny > Inherited Allow

  10. When a user requests access to an AD object, the system performs an access check that examines the ACEs in the object's ACL to determine a) whether or not any SID in the requestor's access token is denied any of the requested access in any of the ACEs in the ACL, and b) whether or not one or more ACEs in the ACL allow all of the requested access rights, and the outcome of this access check governs whether or not the requested access is granted.

    Consequently, the actual (i.e. effective) access that a user has on an AD object is determined by the impact of all ACEs in its ACL that allow or deny some form of access for the user, or for any group* to which the user belongs.



Active Directory Security Permissions

If everything in Active Directory is an AD object protected by an ACL in which lie ACEs that grant various Active Directory security permissions, then we must possess a very good understanding of these Active Directory security permissions.


There are thirteen types of Active Directory Security Permissions -
  1. Read Control (RC) - These permissions control who can read security permissions specified in AD object ACLs.

  2. List Child (LC) - These permissions control who can view the child objects of a specific object in AD.

  3. List Object (LO) - These permissions only come into play in a special mode in Active Directory called the List Object mode, and in that mode they provide more granular control on who can view individual child objects of an object.

  4. Read Property (RP) - These permissions control who can read the properties of an AD object. The Object Type field can be used to specify that they only control read access to a specific property (or a property set) on the object.

  5. Write Property (WP) - These permissions control who can modify the properties of an object. The Object Type field can be used to specify that they only control write access to a specific property (or a property set) on the object.

  6. Create Child (CC) - These permissions control who can create an object under an object in AD. The Object Type field can be used to specify that they only control the creation of objects of a specified object class e.g. user.

  7. Standard Delete (SD) - These permissions control who can delete an object via a standard delete operation.

  8. Delete Child (DC) - These permissions control who can delete child objects of an object. The Object Type field can be used to specify that they only control the deletion of objects of a specified object class e.g. user.

  9. Delete Tree (DT) - These permissions control who can delete a tree of objects in AD via a delete-tree operation.

  10. Modify Permissions (WD) - These permissions control who can modify the permissions protecting an AD object.

  11. Modify Owner (WO) - These permissions* control who can modify the owner of an AD object.

  12. Extended Right (CR) - These permissions control who can enact special operations in AD. The Object Type field can be used to specify that they only control a specific special operation on an object (e.g. Reset Password etc.)

  13. Validated Write (SW) - These permissions control who can enact certain special writes (that require validation) on certain AD objects. The Object Type field can be used to specify that they only control a specific validated write on an object.

  • Note on SDDL: The two-letter abbreviations (i.e. RC, LC, LO, RP, WP, CC, SD, DC, DT, WD, WO, CR and SW) that follow the names of these various permissions are the SDDL mnemonics used to specify these permissions.

The above is a simplified explanation of AD security permissions. For details, please refer to Microsoft's documentation.

Once you have a good understanding of these thirteen Active Directory Security Permissions and how they work, it is easy and straightforward to understand how they impact and govern exactly who has what privileged access in Active Directory.



How Active Directory Security Permissions
Control Privileged Access in Active Directory

In light of the above, every privileged action that can be enacted in Active Directory boils down to a user requesting, and the resulting access check permitting, the ability to perform a simple modify operation on an Active Directory object.


Here are the Top-10 administrative (i.e. privileged) tasks in Active Directory AND the modify access they involve -

  1. Create a user account - Requires "Create Child User-object" effective permissions on target object

  2. Enable an account - Requires "Write Property userAccountControl attribute" effective permissions on user object

  3. Reset an account's password - Requires "Extended Right Reset-password" effective permissions on user object

  4. Change a group membership - Requires "Write Property member attribute" effective permissions on group object

  5. Change a user's membership - Requires "Write Property member attribute" effective permissions on group object

  6. Modify an object's ACL - Requires "Modify Permissions" effective permissions on target object

  7. Link a GPO to an OU - Requires "Write Property gpLink attribute" effective permissions on OU object

  8. Change a computer's DNS name - Requires "Validated Write Change DNS Host Name" effective permissions on computer object

  9. Delete an Organizational Unit (OU) - Requires "Standard-Delete" effective permissions on OU object, or "Delete-Child" effective permissions on parent* object, or "Delete Tree" effective permissions on any ancestor object

  10. Replicate secrets from domain - Requires two extended rights, "Extended Right Get Replication Changes" and "Extended Right Get Replication Changes All" effective permissions on the domain root object

In short, enacting a privileged action in Active Directory requires a specific type of access on specific target AD objects, and anyone who has sufficient required effective permissions on these target objects can enact these privileged actions.

Thus, once you know exactly which security permissions entitle a user to a specific privileged action in AD, you can find out exactly who has what privileged access where and how in AD, by determining who has those effective permissions.
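The following is an added example, not code from this post or from Paramount Defenses: a small Python model of the access check described in points 6, 7, 9 and 10 above, used to answer the "who can enact this task?" question for the privileged tasks listed above. The SIDs, accounts, groups and ACEs are constructed lab data, and object types (attributes, extended rights, classes) are written as names rather than the GUIDs real Active Directory uses.

```python
# Added example (not from the post or from Paramount Defenses): a simplified model
# of the Active Directory access check, used to audit who can enact a given
# privileged task. All SIDs, accounts and ACEs below are constructed lab data.
from dataclasses import dataclass
from typing import Optional

# Access-right bits keyed by the SDDL mnemonics used above (real ADS_RIGHTS_ENUM values).
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}

@dataclass(frozen=True)
class Ace:
    allow: bool                         # True = allow ACE, False = deny ACE
    sid: str                            # security principal the ACE applies to (point 4)
    mask: int                           # rights bits from RIGHTS
    object_type: Optional[str] = None   # attribute / extended right / class; None = all
    inherited: bool = False             # point 7: explicit vs inherited from the parent

def canonical_order(acl):
    """Point 9: explicit deny > explicit allow > inherited deny > inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def access_check(token, acl, mask, object_type=None):
    """Point 10 (simplified): a matching deny ACE that covers any still-requested
    bit denies access; allow ACEs strip bits until none remain, which grants it."""
    remaining = mask
    for ace in canonical_order(acl):
        if ace.sid not in token:
            continue
        if ace.object_type not in (None, object_type):
            continue                    # ACE scoped to a different attribute/right/class
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

def build_token(sid, membership):
    """Point 6: the account SID plus the SIDs of all groups it belongs to, transitively."""
    token, stack = set(), [sid]
    while stack:
        s = stack.pop()
        if s not in token:
            token.add(s)
            stack.extend(membership.get(s, ()))
    return token

# Tasks from the list above, as the (right, object type) checks each one requires.
TASKS = {
    "reset password":          [("CR", "Reset-Password")],
    "change group membership": [("WP", "member")],
    "modify ACL":              [("WD", None)],
    "link GPO to OU":          [("WP", "gpLink")],
    "replicate secrets":       [("CR", "Get-Replication-Changes"),
                                ("CR", "Get-Replication-Changes-All")],
}

def who_can(task, acl, accounts, membership):
    """Effective-permission audit: accounts whose token passes every check for the task."""
    return sorted(name for name, sid in accounts.items()
                  if all(access_check(build_token(sid, membership), acl, RIGHTS[r], ot)
                         for r, ot in TASKS[task]))

# Constructed lab domain: placeholder SIDs, not real values.
DA, OU_ADMINS, HELPDESK = "S-1-5-21-LAB-512", "S-1-5-21-LAB-1101", "S-1-5-21-LAB-1102"
ACCOUNTS = {"alice": "S-1-5-21-LAB-2001", "bob": "S-1-5-21-LAB-2002",
            "carol": "S-1-5-21-LAB-2003", "dave": "S-1-5-21-LAB-2004"}
MEMBERSHIP = {ACCOUNTS["alice"]: [DA], ACCOUNTS["bob"]: [OU_ADMINS, HELPDESK],
              ACCOUNTS["carol"]: [OU_ADMINS]}

# ACL of the Domain Admins group object: one explicit deny, one explicit allow, and a
# broad Write Property allow inherited from the parent OU (the one permission audits miss).
DOMAIN_ADMINS_ACL = [
    Ace(allow=True,  sid=OU_ADMINS, mask=RIGHTS["WP"], inherited=True),
    Ace(allow=False, sid=HELPDESK,  mask=RIGHTS["WP"], object_type="member"),
    Ace(allow=True,  sid=DA,        mask=RIGHTS["WP"], object_type="member"),
]

if __name__ == "__main__":
    # carol qualifies through the inherited ACE; bob's inherited allow loses to the
    # explicit deny on his other group; dave has no applicable ACE at all.
    print(who_can("change group membership", DOMAIN_ADMINS_ACL, ACCOUNTS, MEMBERSHIP))
```

Swapping in an export of a real ACL and real group membership in place of the constructed data turns this into the "who has what effective permissions" question the post is about, rather than the "who has what permissions" question a plain ACL listing answers.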



Top-10 Examples of Privileged Access in Active Directory

Here are ten simple, common examples of administrative tasks that require/involve privileged access in Active Directory, and as we have seen above, it is Active Directory security permissions that control exactly who can enact these tasks -

  1. Create a new domain user account for legitimate or nefarious use

  2. Delete an existing account or group, or an OU containing thousands of accounts and groups

  3. Enable a currently disabled domain user account, or unexpire an expired domain user account

  4. Reset a domain user account's password, such as that of the CEO or the default Administrator account

  5. Modify a domain security group's membership, such as that of the all-powerful Domain Admins security group

  6. Modify security permissions on an AD object, such as on the domain root, an OU or the AdminSDHolder object

  7. Link a group policy (GPO) to an OU, for legitimate or nefarious (e.g. unleashing ransomware domain-wide) use

  8. Modify a domain-joined computer's account in AD, such as by setting it to be Trusted for Unconstrained Delegation

  9. Modify the keywords associated with a critical service connection point, such as one used to integrate with Azure.

  10.  Replicate secrets from Active Directory (the enactment of which is almost always for nefarious reasons)

Thus, as you can see, virtually every privileged action that someone could enact in any Active Directory deployment worldwide is controlled and governed by the various Active Directory security permissions that reside in Active Directory object ACLs.



Specifically, if you connect the three dots above (i.e. the three aspects of AD Security described above), then you'll know that ALL privileged access in Active Directory is governed by "who has what effective permissions in Active Directory" because multiple ACEs in an object's ACL could impact whether or not the access requested by a user is granted.




Summary

That'll be all for today. Today, I just wanted to share with you three essential technical aspects of Active Directory Security that today govern and control exactly who has what privileged access at 85% of all organizations across the world today.


Speaking of which, did you know that for years IT professionals at organizations have mistakenly believed that to find out who has what privileged access in Active Directory, they just need to analyze permissions in Active Directory, whereas in reality, it is not "who has what permissions in Active Directory" but in fact "who has what effective permissions in Active Directory" that governs who has what privileged access in Active Directory?

Consequently, today most organizations do not even possess the means to audit effective permissions in Active Directory; they only possess the means (tools) to find out "who has what permissions" which is vastly insufficient and mostly futile, and as a result, most of them have no idea as to exactly who has what privileged access in their Active Directory today.



That's it for now. There's only one more theory lesson remaining before we can dive into over a dozen exciting examples that exist in the accompanying demo VM, and in the next lesson, i.e. Day 6's lesson, I will cover that theory by shedding light on the most important technical aspect of Active Directory Security - Active Directory Effective Permissions.


Best wishes,
Sanjay.



PS: Answers to the 3 simple questions I had asked in my previous post -
  • Number of ACEs domain-wide: 177396 (excluding objects in the System container.)
  • Number of members in Domain Admins security group: 13
  • Number of ACEs that directly/indirectly impact Write Property Member in ACL of the Domain Admins group: 9*
  • Amount of time it took me to make these determinations: Less than 1 minute (each.)

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770

© 2006 - 2025 Paramount Defenses. All Rights Reserved.
