Showing posts with label Privileged Access. Show all posts

Wednesday, July 10, 2024

The World's Top Cyber Security Companies, including Microsoft (MSFT), Crowdstrike (CRWD), ZScaler (ZS), CyberArk (CYBR) etc. ALL Agree on ONE Fact


Folks,

There is 1 (ONE) simple paramount fact that impacts cyber security worldwide today that virtually ALL of the world's top cyber security companies, including Microsoft (MSFT), CrowdStrike (CRWD), Dell (DELL), Splunk (SPLK), ZScaler (ZS), CyberArk (CYBR) etc. etc. all agree on, and I quote -



"Microsoft Windows Server Active Directory is the foundation of an IT Infrastructure"

- Source: Splunk (SPLK, acquired by Cisco; Market Cap: $28 Billion)




"Microsoft Active Directory is at the core of your business"

- Source: DellEMC (DELL,  Market Cap: $ 99 Billion)




"Active Directory and Entra ID are the lifeblood of your business"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)




"When AD fails, either from ransomware, cyberattacks or catastrophes, the IT environment grinds to a halt"

- Source: Quest (Quest Software,  Valuation: ~ $ 5 Billion)



"Microsoft Active Directory is a collection of services that help you manage users and devices on a network."

- Source: Amazon AWS  (AMZN,  Market Cap: $ 2 Trillion.)



"Start with Active Directory, go everywhere"

- Source: Okta  (OKTA,  Market Cap: $ 15 Billion.)



"Configure GlobalProtect to use Active Directory Authentication profile"

- Source: Palo Alto Networks  (PANW,  Market Cap: $ 106 Billion.)



"A secure Active Directory environment can mitigate most attacks."

- Source: CrowdStrike  (CRWD,  Market Cap: $ 90 Billion.)




"At the heart of every network there are the Domain Controllers and the Active Directory instances that run on them."

- Source: CyberArk  (CYBR,  Market Cap: $ 7 Billion)




"Microsoft Active Directory is used extensively across global enterprises. Even with the migration to Azure Active Directory, companies continue to utilise Active Directory in a Hybrid environment where workstations may be joined solely to AD, or both AD joined and WorkPlace joined to AAD."

- Source: ZScaler  (ZS,  Market Cap: $ 30 Billion)




"Manually maintaining Google identities for each employee can add unnecessary management overhead when all employees already have an account in Active Directory. By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Active Directory."

- Source: Google  (GOOG,  Market Cap: $ 2 Trillion)





"Active Directory provides mission-critical authentication, authorization and configuration capabilities to manage users, computers, servers and applications throughout an organization’s IT infrastructure...

…[it] is critical to secure an organization’s systems and applications."

- Source: Microsoft  (MSFT,  Market Cap: $ 3 Trillion)



"From the White House to the entire U.S. Government, and from the $3T Microsoft (MSFT) to the global Fortune 1000, at the very foundation of cyber security of 85% of all organizations worldwide lies a single technology - Active Directory."

- Source: Paramount Defenses (Privately held)





A $ 20 Trillion Fact

Here are just a few corporations on the Standard & Poors 500 (S&P 500) at whose very foundation lies Active Directory   -


Alphabet (GOOGL), Amazon (AMZN), Advanced Micro Devices (AMD), American Airlines (AAL), American Express (AXP), AmerisourceBergen (ABC), AT&T (T), Baker Hughes (BKR), Bank of America (BAC), Berkshire Hathaway (BRK.B), BlackRock (BLK), Capital One Financial (COF), Caterpillar (CAT), CBRE Group (CBRE), Cisco (CSCO), Citibank (C), Clorox (CLX), Coca-Cola Company (KO), Chevron (CVX), Cisco (CSCO), Comcast (CMCSA), CVS Health (CVS), Costco (COST), Delta Airlines (DAL), Dow Inc (DOW), Dupont de Nemours (DD), Equifax (EFX), Exxon Mobil (XOM), Facebook (FB), Ford Motor (F), Fortinet (FTNT), Fox Corporation (FOX), Gartner (IT), General Electric (GE), General Motors (GM), Gilead Sciences (GILD), Goldman Sachs (GS), Google (GOOG), Hewlett Packard Enterprise (HPE), Hilton Worldwide (HLT), Humana (HUM), IBM (IBM), Intel (INTC), JP Morgan Chase (JPM), Johnson and Johnson (JNJ), Kellogg Co (K), Kroger Co (KR), Lockheed Martin (LMT), Mastercard (MA), McDonalds (MCD), Merck (MRK), MetLife (MET), Microsoft (MSFT), Morgan Stanley (MS), Nasdaq (NASD), Netflix (NFLX), NewsCorp (NWS), Nike (NIKE), Northrop Grumman (NOC), Norwegian Cruise Line Holdings (NCLH), Nvidia (NVDA), Occidental Petroleum (OXY), Okta (OKTA), Oracle Corp (ORCL), PayPal (PYPL), PepsiCo Inc (PEP), Phillip Morris International (PM), Procter and Gamble (PG), Qualcomm (QCOM), Quest Diagnostics (DGX), Raytheon (RTX), Robert Half International (RHI), Royal Caribbean Cruises (RCL), S&P Global (SPG), Salesforce.com (CRM), Schlumberger (SLB), Southwest Airlines (LUV), Sysco Corp (SYY), Target Corp (TGT), Tesla (TSLA), Tyson Foods (TSN), Twitter (TWTR), United Airlines (UAL), UPS (UPS), Verizon (VZ), Walmart (WMT), Walt Disney (DIS), Wells Fargo (WFC), Yum! Brands (YUM) etc. etc.





This Sounds Very Important

If $ 20+ Trillion are riding on Active Directory today, one would have to assume that the security of these foundational Active Directory deployments ought to be one of the highest organizational cyber security priorities worldwide. It is.


In fact, it is paramount. However, there's just one small Trillion $ problem...




Microsoft's #1 Recommendation

As evidenced in the quote above, Microsoft has always highly and sufficiently recommended that every organization operating on Active Directory consider it mission-critical to business and adequately secure and defend it at all times.


In fact, Microsoft recommends that the 1st and most important (paramount) cyber security measure that organizations take to secure (defend) Active Directory is to correctly identify and reduce users who have privileged access in Active Directory:


"Privileged accounts like administrators of Active Directory have direct or indirect access to most or all assets
in an IT organization, making a compromise of these accounts a significant business risk."


"Cyber-attackers focus on privileged access in Active Directory 
to rapidly gain access to all of an organizations data."


"Securing privileged access is (thus) a critical first step
to establishing security for business in a modern organization."



"Because it can be difficult or even impossible to properly secure every aspect of an organization's IT infrastructure,
you should focus efforts first on the accounts whose privilege create the greatest risk,
which are privileged accounts and groups in Active Directory."


"Implement least privilege. Limit the count of administrators
or members of privileged groups in Active Directory."



"Review administrative privileges each quarter to determine which personnel
still have a legitimate business need for administrative access (in Active Directory)"




"An ounce of prevention is worth a pound of detection"





There's Just A Small Trillion $ Problem

Shockingly, the means to implement Microsoft's #1 recommendation at thousands of its organizational customers, i.e. the means to correctly (accurately) identify who has what privileged access in/across Active Directory, just don't exist*.


That's right. The capability that organizations require to correctly identify who has what privileged access in their Active Directory, so they can limit the number of privileged users and review this number every quarter, doesn't exist* today.

As a result, thousands of organizations worldwide do not even have the means to be able to correctly identify, control, minimize or review exactly who has the "Keys to the Kingdom" in their foundational Active Directory deployments.



Here's evidence, from none other than Microsoft  (Source) -

"In assessing Active Directory installations, we (Microsoft) invariably find excessive numbers of accounts that have been granted rights and permissions far beyond those required to perform day-to-day work. Mid-sized directories may have dozens of accounts in the most highly privileged groups, while large installations may have hundreds or even thousands."



Simply stated, it means that in most large organizations, today there very likely are hundreds or even thousands of users who possess sufficient privileged access so as to be able to control, compromise or blow up the entire organization!

To put this in context, consider the fact that almost all major recent cyber security breaches, including JP Morgan, the Sony Hack, Target, Snowden, the OPM Breach, Anthem, Avast, the U.N. breach, the SolarWinds Breach, the Colonial Pipeline Hack, the Microsoft Hack, the Okta Hack etc., ALL involved the compromise and misuse of just ONE Active Directory Privileged User account!

(Recently, it cost shipping giant Maersk a staggering $ 250 Million to recover from a breach involving its Active Directory.)



In short, as it concerns having visibility into exactly who has the all-powerful "Keys to the Kingdom" in an organization, today most organizations are operating in the proverbial dark, and neither their IT groups nor their C-Suite have a clue.

(In fairness to all IT admins, IT managers and CISOs at thousands of organizations, this is a massive problem and a very sophisticated technical subject, so they alone should not be blamed for not sufficiently understanding its vast complexity.)

Unfortunately, with the advent of freely available hacking tools that are specifically designed to identify and exploit exactly such excessive-access vulnerabilities in Active Directory, urgently addressing this problem has become paramount.


This should be a serious cause of concern for all stakeholders, including their employees, customers and shareholders.





*All of One

Note the use of  * when referring to the non-existence of the paramount capability that organizations require to adequately defend Active Directory i.e. the ability to correctly (accurately) identify who has what privileged access in Active Directory.


It so happens that there's all of ONE company on planet Earth that possesses this capability today, and its patented, Microsoft-endorsed capability can uniquely enable and empower every organization operating on Active Directory to be able to correctly, instantly and automatically identify exactly who has what privileged access in Active Directory.

Actually, there's a little more to it than "it so happens." Eighteen years ago, Microsoft's top cyber security expert on Active Directory Security established this company and for the last eighteen years, it has been laser-focused on solving just this one single $ 28 Trillion problem for the world, (oh, and $ 28 Trillion only accounts for companies in the United States.)

You've likely never heard of this company, but over the last decade, from the United States Treasury to the United States Department of Defense, many of the world's most important and valuable government and business organizations have used and depended on its solutions to correctly identify and minimize privileged access in their Active Directory.

Today, not a single cyber security or IT company on Earth, let alone those listed on the Nasdaq, can compete with it.

Today this company can uniquely enable and empower the entire world to instantly, effortlessly, and most importantly, accurately identify, minimize and lock-down all privileged access, i.e. the "Keys to the Kingdom", in foundational Active Directory deployments worldwide, thereby helping thousands of organizations worldwide trustworthily attain and maintain Least Privileged Access (LPA), which is not only a cyber security necessity but also a cardinal tenet of Zero Trust.

That ONE company is Paramount Defenses, and perhaps the simplest introduction to it can be found here.


We will be making a small announcement tomorrow or day after, that is likely to impact a Trillion+ $.

That's all for now.

Best wishes,
Sanjay Tandon

Formerly
Program Manager,
Active Directory Security,
Microsoft Corporation.


PS: Please Understand -
 
It is a LITTLE difficult to be humble when your work single-handedly impacts Trillions of $ worldwide, and you're trying to help thousands of organizations understand why they remain substantially vulnerable.

This isn't about petty stuff like money i.e. it isn't about a Million or a Billion or a 100B or a T. It's about doing what's right.

Four years ago, I personally demonstrated how hackers could unleash ransomware onto 1000s of organizational computers using Active Directory. For almost ten years now, I have also been personally warning about the use of Active Directory Privilege Escalation as a top attack vector, and sure enough, in almost every major breach, including the SolarWinds Breach, the Colonial Pipeline Hack and recently the Okta and Microsoft breaches, the defining/cardinal step employed by the perpetrators to gain unrestricted privilege was Active Directory Privilege Escalation. I have also been extensively warning about the use of DCSync, and sure enough, as observed and reported by Microsoft, it is DCSync that LAPSUS$ (DEV-0537) employed to obtain unrestricted access and inflict damage. Need I say more?

It remains my professional opinion as former Microsoft Program Manager for Active Directory Security that attaining and maintaining LPA in Active Directory is the single-most important and effective measure that organizations can take to substantially improve their cyber security posture, and technically, we can help the entire world do so, oh and we can technically do so in less than one day. (To appreciate that, consider that even Microsoft couldn't do so in one decade.)

It is also imperative that the world and Microsoft realize that Microsoft making the entire world sign up for and rely on its (now twice hacked) Azure Cloud (renamed to Entra after two hacks) is NOT the answer to solving such problems, because, simply put, the day that an organization transitions its primary identity over to a third-party Identity Provider (IDP) is the day that it relinquishes its operational autonomy, organizational privacy and dignity to a third party, forever.

Cyber security isn't that difficult, but it does require basic common sense. If you don't even know how many users have the "Keys to your Kingdom", how can you even begin to protect your organization? This isn't rocket science, it's common sense.

Tuesday, May 18, 2021

What's common between the Colonial Pipeline Hack and SolarWinds Breach?


Folks,

From the entire U.S. Government to the Fortune 1000, including almost all cyber security and cloud computing companies, today, at the foundation of IT, cyber security and privileged access at 85% of organizations worldwide lies Active Directory.

I'm Sanjay Tandon, formerly Program Manager for Active Directory Security on Microsoft Corporation's Windows Server Development Team, and today, CEO of Paramount Defenses.


Today, I'll share with you what is common between the Colonial Pipeline Hack and the SolarWinds Breach, and day after tomorrow onwards, I'll also provide sufficient technical details, but before I do so, I would like to share a few observations. 

 

Note - The only reason you may want to listen to what I have to say, is because, by virtue of my years at Microsoft and PD, I possess sufficient expertise, IP and capability to be able to help substantially enhance (and if requested, also demo how one could compromise) the foundational cyber security of any/every organization in the world.



Five Observations

I would like to share a few salient observations on the current(ly dismal) state of cyber security at organizations worldwide, because it is my professional opinion that until certain basic deficiencies are addressed, unfortunately, we will continue to witness many more such breaches - 


  1. The Current State of Affairs

    It is really sad to see the current state of cyber security at organizations worldwide. Not a month seems to go by without there being yet another high-impact cyber security breach at some prominent organization or the other.

    That said, considering how inadequate the actual state of cyber security preparedness, defenses and proficiency are at most organizations, it is hardly surprising to see so many organizations get breached, ransomware'd etc.

    For instance, consider this - Active Directory (AD) is the very foundation of cyber security at organizations, and a Domain Controller (i.e. the machine on which AD is hosted) is technically the most valuable asset an organization has, yet, at most organizations, DCs remain vastly inadequately protected, and thus vulnerable to compromise.

    If this is the state of DC security at thousands of organizations worldwide, how can there be any security?

    Likewise, the compromise of a single Active Directory Privileged User account is tantamount to a complete Active Directory forest-wide breach, so such accounts must be minimal in number and highly protected. Yet, at most organizations, today there exist an excessively large and unknown number of Active Directory privileged accounts.

    If this is the state of AD privileged accounts at most organizations worldwide, how can there be any security? 



  2. Three Fundamental Deficiencies

    It is my professional opinion that most organizations suffer from three key deficiencies, that ultimately result in inadequate cyber security defenses, leading to breaches - understanding, accountability and empowerment.     

    1. Understanding - Given a vast and dynamic attack surface, and sophisticated threats, it is imperative that all organizations possess a sufficient understanding of how to adequately protect themselves, yet most don't.

    2. Accountability - Security requires a clear chain of ownership and accountability:  Shareholders, customers, partners > CEO > CISO > Director(s) > Domain (and IT) Admins. Yet at most organizations, none exists.

    3. Empowerment - Organizational IT teams need to be adequately empowered to acquire and deploy security measures needed to adequately defend an organization, yet at most organizations, budgets are inadequate.


    For instance, IT personnel and Domain Admins from thousands of organizations have requested our help, found our unique products (e.g. 1, 2, 3) to be essential, yet so many end up conveying that they just do not have the budget.

    In reality, it is not that they do not have the budget; it is primarily that their executive management simply does not yet possess the required understanding i.e. Active Directory Security directly impacts foundational security and business continuity, and is thus paramount, and consequently their IT personnel are simply not empowered. 



  3. The World is Mostly Reacting

    Sadly, at most organizations, cyber security is only taken sufficiently seriously after they have been breached, and in most instances, the response is similar - the breach is disclosed, then FireEye is called in to investigate, and ultimately, promises are made to enhance security. In the case of govts., broad directives/EOs may be issued.

    FireEye does a thorough investigation and in most cases, the findings are similar i.e. the perpetrators used the same set of well-known techniques and in almost every case, compromised and misused an Active Directory privileged user account to obtain Domain Admin level access, which was then used to achieve their objective. 

    Subsequent to FireEye's investigation, this is priority #1, budget is no longer a problem, a new CISO is hired, half a dozen new cyber security solutions are deployed, millions are spent etc. but the damage has already been done.



  4. Lack of Specifics in Public Discourse

    After every breach, the CNNs and ABCs of the world will extensively cover it, you'll hear interviews from prominent Senators, Congressmen and cyber-security experts, all of whom will speak about the serious impact, the role in national security, the influence of a foreign power etc., yet not one of them mention one piece of specific detail.

    In the absence of details in the public discourse, the actual problem, and the solution that it requires, will largely remain unaddressed, and most cyber security companies out there will likely use this opportunity to convince organizations to deploy their latest cyber security solutions, whether or not they actually make a difference. 

    As a result, in all the noise, and due to the lack of focus on details, the actual specific deficiency/weakness that was exploited, and the attack vector that was used in a specific breach, will often likely continue to remain unaddressed at thousands of other organizations worldwide, paving the way for the next breach and the one after it, and so on.

    For instance, in virtually every major cyber security breach to date, the most damaging part of the breach was made possible by the perpetrator compromising and misusing a single Active Directory privileged user account to fulfill his/her objective, whether it be exfiltrating data, unleashing malware etc. and yet to date, at most organizations worldwide, no one has any idea as to exactly how many users have privileged access in Active Directory because the elephant in the room, i.e. "Active Directory", was not mentioned even once in the public discourse.



  5. The Basics - Secure the Foundation and Deny them the Opportunity

    At its simplest, all security is fundamentally about access control. In order to compromise anything, perpetrators require access - if we reliably deny them the required access, we will have won half the cyber security battle.

    Most importantly, if perpetrators are unable to obtain privileged access, specifically Domain Admin equivalent access, they will almost never able to inflict colossal damage i.e. no widespread ransomware, data exfiltration, etc.

    Towards that end, the most important proactive measure organizations can take to adequately defend themselves is to adequately secure and defend their foundational Active Directory deployments, the two most important parts of which are to 1) secure all DCs (and admin workstations), and 2) accurately identify and minimize the number of accounts that possess privileged access in Active Directory, then fiercely protect every AD privileged account.

    Here's why - An attacker only needs to compromise one DC or one AD privileged user account. That's it. Just ONE.

    Real-world Evidence - If the perpetrators of the Colonial Pipeline attack had not been able to compromise a DC, they would likely not have been able to unleash ransomware. Likewise, if the perpetrators in the SolarWinds Breach had not been able to compromise an Active Directory privileged user account, they would not have been able to gain access to and exfiltrate vast amounts of data on-prem and in the Cloud, at thousands of organizations. 



  • Note - If you find this to be high-level and light on technical details, it is so by intent, given its purpose. For those who may wish to judge my competency based on details - one, two, three, four, five, six etc.

    I've also written an innocuous production-level ransomware example to show that it could be deployed via AD.




What is common between the Colonial Pipeline Hack and the SolarWinds Breach?

In the last few months, two major cyber security incidents, the SolarWinds Breach and the Colonial Pipeline Hack have had a notable impact on the world, the former having impacted the security of thousands of organizations worldwide, and the latter having caused a week long shutdown of the largest oil pipeline operator in the eastern United States.

The one thing that both these attacks had in common was that in each of these cyber security incidents, the perpetrators specifically targeted and successfully compromised the foundational Active Directory deployments of organizations.


Note - The compromise of a single Domain Controller and/or a single Active Directory privileged user account is tantamount to the compromise of an organization's entire foundational Active Directory deployment.


It can be stated with a high degree of certainty that had the perpetrators not been able to compromise the foundational Active Directory deployments of these organizations, in all likelihood, these attacks would not have been successful.

I'll share the relevant technical details of both of these attacks, on this blog, starting day after tomorrow, as stated below.  



Trillion $ Insights

Over the next few days, starting day after tomorrow, I'll share ten specific high-value details that have a direct bearing on the foundational cyber security of every organization operating on Active Directory today; you may wish to tune in.

Day after tomorrow, I'll share the details of what enabled the most impactful part of the SolarWinds Breach right here, and in days to come, I'll also share what enabled the most impactful part of the Colonial Pipeline Hack here.

Sincerely,
Sanjay.

Founder and CEO, 



PS: I am often asked for advice on how to secure Active Directory. 
It being an ocean of a subject, here's the essence of it -

In the hierarchy of security measures, prevention is #1, avoidance is #2, detection is #3 and remediation is #4.

I. Prevention - The most effective measure is prevention; the most effective way of preventing an AD breach is as follows: 
  1. Adequately secure and defend every single domain controller (and if used, privileged admin workstations (PAWs))
  2. Accurately identify and minimize the number of privileged accounts in Active Directory, then protect all of them.
  3. Always follow secure admin practices e.g. do NOT logon to any machine except PAWs using Domain Admin creds.

II. Detection - You may wish to consider using an AD Security Monitoring /Threat Intelligence solution to gain visibility and detect enactment of attacks. It is important to keep in mind that such solutions usually monitor replication so they provide quick but "after-the-fact" insights. In general, the efficacy of such solutions is a function of the timeliness of your response.

III. Remediation - You may wish to consider using an AD Backup and Restore solution, in the event of an incident. An AD restore is an extremely complicated and expensive operation, not to be taken lightly, and only to be used as a last resort.

Wednesday, February 10, 2021

Introducing the Advanced Level of Gold Finger Mini

Folks, 

Today, I'd like to introduce you to the Advanced Level of Gold Finger Mini, quite possibly the world's most capable and powerful cyber security solution.

Gold Finger Mini is the world's only cyber security solution (other than Gold Finger) that can accurately and instantly find out and reveal exactly who has the most powerful privileged access in Active Directory. Its Advanced Level offers eight unrivaled, fully-automated Active Directory Privileged Access reports that instantly determine and reveal who can enact the most powerful administrative tasks in Active Directory.



Unrivaled Privileged Access Insight

The reports in the Advanced Level of Gold Finger Mini were designed to empower IT personnel, Cyber Security Auditors, Penetration Testers, Ethical Hackers and CISOs at organizations worldwide to instantly and accurately determine exactly -

  1. Who can replicate secrets (password hashes) from an Active Directory domain?

  2. Who can reset any Active Directory domain user account's password?

  3. Who can disable the use of Smartcards on any Active Directory account?

  4. Who can change any Active Directory security group's membership?

  5. Who can change permissions on any Active Directory OU (Organizational Unit) ?

  6. Who can change any Active Directory computer account's SPNs (Service Principal Names)?

  7. Who can link a group policy (GPO) to any Active Directory OU?

  8. Who can create an Active Directory user account in any OU?

The cyber security intelligence that these reports uniquely deliver is absolutely essential for securing Active Directory.

However, what you may not know is that, contrary to popular belief, it is very difficult to accurately find out who can enact these privileged tasks in Active Directory, because to do so, one needs to determine Active Directory effective permissions.

Gold Finger Mini is simply the world's only cyber security solution (other than Gold Finger) that can accurately determine effective permissions in Active Directory and accurately make these paramount determinations, at the touch of a button, so now everyone can instantly find out exactly who has the most powerful privileged access in any Active Directory. 




Instant, Unrivaled High-Value Intelligence

As you know, such critical information can be very valuable if you're performing an Active Directory Privileged Access Audit or an Active Directory Security Assessment or if you're trying to pen-test/ethically hack an organization's Active Directory.


If you could find out exactly who can replicate secrets (password hashes) from an Active Directory domain (e.g. by using Mimikatz DCSync), or who can change the membership of any Active Directory security group, such as Domain Admins, or who can reset the password of any domain user account, such as the Administrator account, or who can modify the ACL protecting an organizational unit (OU) that contains thousands of domain user and computer accounts etc. you'd be just one step away from being able to obtain Domain Admin level privileged access in an organization.

The Advanced Level of Gold Finger Mini empowers organizations to instantly and accurately assess who has sufficient privileged access in Active Directory to enact the most highly sensitive/powerful administrative tasks, i.e. the tasks that could be used to escalate privilege and consequently gain access to just about any IT resource in an organization.


If you were on the defending side, you could instantly lock down privileged access in Active Directory to remove any and all such critical unauthorized access that could instantly result in a massive breach.

If you were on the attacking side (as an ethical hacker or a penetration tester), you could instantly identify the quickest and shortest privilege escalation path leading to any object of interest in Active Directory, whether it be the Administrator account or the CEO's domain user account, the Domain Admins security group or a security group that controls access to a specific organizational IT resource (e.g. Source code Access), any Smartcard enabled account, any organizational unit (OU) containing thousands of Active Directory objects, or the credentials of all domain user accounts in an organization.

With Gold Finger Mini, you can instantly make these paramount determinations at the touch of a button, in seconds, without requiring any admin access or having to do complex Active Directory permissions analysis. Click and done!



Summary

Gold Finger Mini democratizes the unique, high-value, unrivaled cyber security intelligence that our flagship Gold Finger tooling can deliver, and in doing so, it empowers thousands of organizations and millions of IT professionals worldwide to easily, cost-effectively and instantly obtain mission-critical Active Directory privileged access insights.

The Advanced Level of Gold Finger Mini empowers everyone to be able to instantly find out i.e. assess/audit exactly who has the most sensitive/powerful privileged access on virtually any object in any Active Directory domain in the world.

There's simply nothing in the world that compares to it, and to find out why, you just have to try it for yourself.

To learn more and to download the free version, please visit - www.paramountdefenses.com/products/goldfinger-mini
 

Best wishes,
Sanjay

Monday, August 10, 2020

How to Audit Who Can Change Domain Admins' Group Membership?


Folks,

Hello. I hope this finds you all doing well. This post is Day-8 of Active Directory Security for Cyber Security Experts.


Today, I will help you learn how organizations that operate on Active Directory can easily and accurately answer an absolutely essential and paramount cyber security question that impacts their foundational cyber security -


Exactly who can change the membership of the Domain Admins group?


It is extremely important to know how to do so correctly because a single incident involving the unauthorized change of the membership of the Domain Admins privileged security group could instantly result in a massive cyber security breach.





This is Paramount

The Domain Admins privileged group in Active Directory holds the proverbial Keys to the Kingdom and anyone who could change the membership of the Domain Admins group could instantly cause a massive cyber security breach.


Unfortunately, today, most organizations only audit the membership of the Domain Admins group; they do not audit who can change its membership, and those that do usually do so incorrectly, leaving themselves vulnerable to compromise.




How to Correctly Make This Paramount Determination -

From a technical perspective, there is only one correct way to find out exactly who can change the membership of the Domain Admins security group, and that involves accurately determining Active Directory Effective Permissions on it.

Specifically, technically speaking, all that one needs to determine is exactly who has Write Property effective permissions to modify the Member attribute on the Domain Admins object, cn=Domain Admins,cn=Users,dc=… in Active Directory.




A Step-by-Step Walkthrough

This is perhaps best illustrated with a simple example, so let us see how to find out who can change the membership of the Domain Admins security group in the lab Active Directory Security VM that everyone can freely download and use.

Consider the Domain Admins security group in the lab VM domain, corp.local -



As one can see, the all-powerful Domain Admins security group contains 3 members, including the default Administrator account, the IT Directory Services Management Team security group and the Privileged Service Accounts security group.

Let us proceed to determine the complete nested membership of the Domain Admins security group in the corp domain -

As seen above, there are a total of 13 accounts that are members of the Domain Admins security group in this domain.

  • Note - Today, at most organizations, security audits are limited to enumerating the membership of the Domain Admins security group. Most organizations do not perform the extra measure of additionally also determining exactly who can change the membership of this group, even though knowing that is equally important.


As indicated above, to find out exactly who can change the membership of the all-powerful Domain Admins security group, we need to find out exactly who has Write Property effective permissions to modify the group's Member attribute.


To do so, let us begin by examining the ACL (access control list) protecting the Domain Admins security group -


As one can see above, there are numerous security permissions granted to numerous security principals in this ACL, and unfortunately it is not easy to examine the object's ACL using Microsoft's native ACL editor in ADUC.



To help make ACL analysis easier, perhaps we should view the object's ACL using an Active Directory ACL Analyzer -

As seen above, the detailed, easily sortable high-fidelity view makes it so much easier to analyze this object's ACL. We can now easily see that there are a total of 20 security permissions specified in the ACL, including 4 Deny permissions.


A simple examination of the CSV export of this ACL from the tool helps us clearly identify just what we need to analyze -

Specifically, we can now easily see that of the 20 permissions in the ACL, there are only 10 permissions that impact Write Property access on the object, of which 9 grant blanket writes and 1 grants write-property only to the Member attribute.


Equally importantly, notice that of these 10 permissions, 6 allow access and 4 deny access, and as a result, not only will we have to expand the group memberships that are allowed access, but also expand the group memberships that are denied access, and strike off (i.e. remove from) the Allowed list, any accounts that are also on the Denied list.

Here are the 6 security groups/principals that are allowed blanket/member Write Property access -
  1. IT Cyber Security Team - Membership: 5 individual user accounts 
  2. Domain Admins - Membership: 3 nested security groups 
  3. Enterprise Admins - Membership: 3 nested security groups
  4. IT Admin Support Team - Membership: 5 individual user accounts and 1 nested security group
  5. Administrators - Membership: 1 individual user account and 2 nested security groups
  6. System


Similarly, here are the 4 security groups/principals that are denied blanket/member Write Property access -
  1. Spartacus Program - Membership: 6 individual user accounts
  2. IT Local Admin Teams - Membership: 3 nested security groups
  3. IT Help Desk Team - Membership: 10 individual user accounts and 1 nested security group
  4. IT Contractors - Membership: 30 individual user accounts

Thus, in order to accurately make this determination, we will first need to completely expand 13 nested security groups, take into account the direct membership of 50 user accounts, and then meticulously ensure that any user that is both on the Allowed list and on the Denied list is struck off the Allowed list.


In this simple fictional domain, there were only 10 such relevant permissions. In most real-world Active Directory domains, there will easily be many more relevant permissions, and many more groups to expand and conflict resolutions to perform, making this process really difficult, error-prone and time-consuming to perform, and do so with 100% accuracy, each time.


By way of example, if you proceed to meticulously perform all of the security group expansions above in the lab corp.local domain, you will find that there is at least one user, Simon Baker, who is on both the Allowed and the Denied lists.

Specifically, the IT Admin Support Team, which is allowed the relevant write-property access contains a nested group, IT Admin Support Backup Team, and Simon Baker is a member of this group, so via a nested group membership he does make it on to the Allowed list. However, it turns out that Simon Baker is also a direct member of the IT Help Desk Team, which as one can see above, is denied the relevant write-property access, and so he is also on the Denied list. In effect, the deny will take precedence over the allow, and as a result, even though he is on the Allowed list, Simon Baker will not be able to change the membership of the Domain Admins group!


As clearly illustrated above, the process involved in trying to manually make this determination is substantially complex, error-prone and time-consuming, even when it is essential that there be no mistake, because accuracy is paramount.


It is also worth noting that if we had simply performed Active Directory permissions analysis, even by using a highly capable Active Directory Permissions Analyzer, we would have been making incorrect conclusions, as seen below -

As one can see above, even an advanced Active Directory Permissions Analyzer will report that there are 31 individuals who have been allowed relevant Write Property permissions, including blanket and specific (to the member attribute), and in particular they will report that Simon Baker is also on this list, when in fact Simon Baker is also denied the same access, so he will in fact not actually have the allow access reported by an Active Directory permissions analyzer!


The above example also clearly illustrates why it is not sufficient to merely analyze "Who has what (allow) permissions?" (which incidentally is what most commonly used tools do), because one also needs to correctly intersect deny permissions.

Finally, it is also worth noting that in this specific example, there were no inherited permissions because the ACL protecting the Domain Admins group is a protected ACL. In contrast, the ACLs of most Active Directory objects are not protected, and so there could easily exist both explicit as well as inherited permissions, making the conflict resolution even more complex, because not all deny permissions will negate/override allow permissions. There is a specific order that one needs to know about and take into consideration to correctly perform conflict resolution, and in production domains, this is very difficult.
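The walkthrough above (expand the allowed trustees, expand the denied trustees, strike denied accounts off the allowed list) and the note about explicit versus inherited permissions are the same algorithm seen from two angles: Windows evaluates the ACEs in an object's ACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the first entry that matches one of the caller's groups decides the outcome. The following block is an added example written for this post, not code from Paramount Defenses or from any tool mentioned here. The directory data is constructed: the group names and Simon Baker's double membership follow the lab domain described above, but the other account names, the membership counts and the two ACLs are invented for illustration. The GUID is the schemaIDGUID of the member attribute. It deliberately ignores things a real calculator must also handle (well-known principals such as Everyone, object ownership, other rights such as Write DACL) and models only Write Property on member.

```python
from dataclasses import dataclass
from typing import Optional

# schemaIDGUID of the 'member' attribute (published AD schema constant)
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"


@dataclass(frozen=True)
class Ace:
    """One access control entry, reduced to the fields that matter for
    'who can write the member attribute'."""
    trustee: str                       # user or group the ACE applies to
    allow: bool                        # True = Allow ACE, False = Deny ACE
    inherited: bool = False            # True if flowed down from a parent container
    object_type: Optional[str] = None  # None = blanket WriteProperty, else attribute GUID


# Constructed group data for a fictional domain (not the lab VM's real data):
# group -> direct members; a member that is not a key is a user account.
GROUPS = {
    "Domain Admins": {"Administrator", "IT Directory Services Management Team",
                      "Privileged Service Accounts"},
    "IT Directory Services Management Team": {"Alice", "Bob"},
    "Privileged Service Accounts": {"svc-backup"},
    "IT Cyber Security Team": {"Carol"},
    "IT Admin Support Team": {"Dave", "IT Admin Support Backup Team"},
    "IT Admin Support Backup Team": {"Simon Baker"},
    "IT Help Desk Team": {"Simon Baker", "Erin"},
    "IT Contractors": {"Frank"},
}


def groups_of(principal, groups=GROUPS):
    """All groups that transitively contain `principal` (its token group set)."""
    result = set()
    frontier = [principal]
    while frontier:
        current = frontier.pop()
        for group, members in groups.items():
            if current in members and group not in result:
                result.add(group)
                frontier.append(group)
    return result


def all_users(groups=GROUPS):
    """Every name that appears as a member but is not itself a group."""
    return {m for members in groups.values() for m in members if m not in groups}


def canonical_order(acl):
    """Windows evaluates ACEs in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Sorting by (inherited, allow) yields that."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def can_write_member(user, acl, groups=GROUPS):
    """True if `user` effectively holds WriteProperty on 'member'.
    The first ACE in canonical order that names the user (or one of its groups)
    and covers the member attribute decides the outcome."""
    token = groups_of(user, groups) | {user}
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if ace.object_type not in (None, MEMBER_ATTR_GUID):
            continue  # WriteProperty on some other attribute; irrelevant here
        return ace.allow
    return False  # no matching ACE: access is implicitly denied


def who_can_change_membership(acl, groups=GROUPS):
    """The set of accounts that can modify the group's membership."""
    return {u for u in all_users(groups) if can_write_member(u, acl, groups)}


# Constructed ACL for the Domain Admins object: protected (nothing inherited), so
# every Deny precedes every Allow and the post's 'strike off' rule applies.
DOMAIN_ADMINS_ACL = [
    Ace("IT Cyber Security Team", allow=True),
    Ace("Domain Admins", allow=True),
    Ace("IT Admin Support Team", allow=True),
    Ace("IT Help Desk Team", allow=False, object_type=MEMBER_ATTR_GUID),
    Ace("IT Contractors", allow=False),
]

# Constructed ACL for an unprotected group elsewhere in the tree: the Deny on
# IT Help Desk Team is inherited, so the explicit Allow wins for Simon Baker.
UNPROTECTED_GROUP_ACL = [
    Ace("IT Help Desk Team", allow=False, inherited=True),
    Ace("IT Admin Support Team", allow=True),
]

if __name__ == "__main__":
    print("Domain Admins:", sorted(who_can_change_membership(DOMAIN_ADMINS_ACL)))
    print("Unprotected group:", sorted(who_can_change_membership(UNPROTECTED_GROUP_ACL)))
```

Against the first ACL, Simon Baker reaches the allowed set through IT Admin Support Backup Team but is struck off by the explicit Deny on IT Help Desk Team, exactly as in the walkthrough; against the second ACL the same Deny is inherited, so it sorts after the explicit Allow and Simon Baker keeps the right. A tool that only lists Allow permissions would report him in both cases.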


Now, many folks may point out that there is an Effective Access Tab, accessible via Advanced Security Settings in Active Directory's native tooling that is designed to help calculate effective access/permissions in Active Directory. Yes, there is -


However, if you have ever tried to use it, you know that it is almost useless because of 3 simple reasons - 1) it is not 100% accurate, 2) it can at best calculate an approximation of effective permissions ONE USER AT A TIME, and 3) it cannot pinpoint which underlying security permission in the object's ACL entitles a user to a specific effective permission.

For instance, if you had 1,000 user accounts and 1,000 computer accounts in your Active Directory forest, you would have to use the tab at least 2,000 times just to make this one determination, and even that would not be 100% accurate!

  • Note: For the details of these limitations in Microsoft's Effective Access Tab, you may wish to read this post.



So, how are organizations supposed to make this paramount determination accurately and easily?



We value our time so we use an automated tool that automates the entire process of making this determination for us, reducing the amount of effort involved down to touching a button, and the amount of time required down to seconds -

As seen above, in less than 30 seconds, we were able to accurately determine that there are a total of 30 individuals (i.e. accounts) that in effect have Write Property (Member) effective permissions on the Domain Admins security group.

[ Solely by way of background, this tool is the world's only accurate Active Directory Effective Permissions Calculator and it can instantly and accurately determine the complete set of effective permissions entitled on any Active Directory object. ]



Now, not everyone tasked with making these paramount determinations (e.g. an IT Auditor, an IT manager etc.) may be proficient in Active Directory, so they may not know how to perform this audit using an effective permissions calculator.

Individuals who may not be proficient in Active Directory could use the following tool to make this determination in simple English without having to know anything about Active Directory (e.g. attributes, permissions, effective permissions etc.) -

As one can see above, this tool, an Active Directory Effective Access Auditor, delivers the same information but in very simple to understand non-technical parlance, making it very easy for non-technical individuals, such as IT auditors, IT managers and IT executives to easily make this determination without knowing anything about Active Directory.



Finally, let's say you wished to find out who can change the membership of not just the Domain Admins security group, but of all security groups that reside in the Users container, such as, but not limited to, Enterprise Admins, Schema Admins etc.

To fulfill this paramount need, some of the world's top organizations rely on the Active Directory Privileged Access Auditor to make this determination, and do so in minutes. Simply point the tool to the Users container and click a button -

This tool automatically identifies all domain security groups in the specified scope, then automatically determines effective permissions on each one of them, and reveals exactly who can change the membership of every group in the set scope.



Of course, organizations can also make these determinations manually, without using any of the above mentioned tools, by simply having their IT personnel engage in the process outlined above, whenever required. The manual process may be substantially more time-consuming, expertise-reliant and error-prone, but it doesn't require procuring any tools.

Over the last decade some of the most important and valuable organizations in the world, including the U.S. Treasury, have used the tools mentioned above because they save their IT teams a mountain of effort and thousands of hours in time, and because they happen to be the only way to accurately make such determinations without investing a substantial amount of time and effort.



In essence, today organizations can make this paramount determination both manually, as well as automatically.




Conclusion

The objective of today's post was to help thousands of organizations, their IT personnel, IT Auditors and CISOs learn how to correctly make a paramount determination in their foundational Active Directory deployments.

As we saw above, technically speaking, all that one needs to determine is exactly who has sufficient Write Property (Member) effective permissions on the Domain Admins security group.

As we also saw above, in any real-world Active Directory domain, it is not at all easy to manually make this determination with accuracy, even though accuracy is paramount because a single unauthorized user who could enact this task could take over the entire organization in minutes.

Most importantly, as we saw above, albeit there were only 13 accounts that were members of the Domain Admins security group, we were able to identify that there were a total of 30 accounts that could actually change the group's membership!

Thus, organizations that may only be relying on performing basic group membership audits are very likely operating on a dangerously false sense of security today, because as seen above, the number of accounts that can change the membership of the Domain Admins group is far greater than the number of members in the group!

Organizations that do not know exactly how many individuals (employees, contractors, service accounts etc.) can actually change the membership of their all-powerful Domain Admins security group may be at a substantial risk of compromise.


I will conclude this post here. I'll share the next question in a day or so, and answer it on Monday, August 17, 2020.

Thanks,
Sanjay.

Tuesday, August 4, 2020

Who can change the membership of the Domain Admins group?


Folks,

Hello. Today, I thought I would ask yet another very simple, fundamental and paramount cyber security question that impacts the foundational cyber security of over 85% of all business and government organizations worldwide.


Exactly who can change the membership of the Domain Admins group?

Today, at most organizations worldwide, most IT Teams, CISOs and IT Auditors may know exactly who the members of the Domain Admins group are, BUT very few of them know exactly who can change the membership of this all powerful group.





This is Paramount

The Domain Admins group in Active Directory holds the proverbial Keys to the Kingdom and anyone who could change the membership of the Domain Admins group could instantly cause a massive cyber security breach.


Here are 3 simple scenarios that could be instantly enacted by anyone who could change this group's membership -

  1. Add any account to membership of this group - Anyone who could add any account that they have control over to this group's membership would instantly have escalated their privilege to that of an all-powerful domain admin.

  2. Add Everyone to the membership of this group - Anyone who could add the Everyone well-known security principal to this group would instantly have made all organizational user and computer accounts Domain Admins!

  3. Remove all existing members from this group - Anyone who could remove all existing members could easily and instantly render an organization's existing Domain Admin accounts powerless.

Thus it is paramount that IT Teams, the CISO and IT Auditors at every organization that operates on Active Directory, know at all times, not just who is a member of this group today, but also exactly who can change the membership of this group.




The Answer (and a Simple Challenge)

In my next post on August 10, 2020, I'll share with you exactly how organizations can make this paramount determination.

Until then, here's a simple challenge. Here is a simple ready-to-use fictional Active Directory deployment. Can you find out exactly how many accounts can change the membership of the Domain Admins group in this fictional AD deployment?!

Best wishes,
Sanjay.


PS: Strictly speaking, Domain Admins is merely one of numerous such groups in Active Directory that possess all-powerful organization-wide privileged access. However, in the interest of simplicity, I've focused on the Domain Admins group here.

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770

© 2006 - 2025 Paramount Defenses. All Rights Reserved.
