
Active Directory Security

Copyright Paramount Defenses Inc, 2006 - 2016. All Rights Reserved. 1

Paramount to Organizational Cyber Security Worldwide

v1


• 100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Anthem, Sony, OPM) involved the compromise and misuse of just 1 Active Directory privileged user account

• 1 unauthorized access privilege in Active Directory is all that a perpetrator needs to compromise the security of an entire organization today

• billion+ unauthorized access privileges exist in Active Directory deployments worldwide today, just waiting to be found and exploited


Contents


Introduction

1. Top-5 Active Directory Security Risks, Attack Vectors and Methods

2. Top-5 Active Directory Threat Sources

3. Top-5 Active Directory Security Risks (The Details)

4. A Note on Credential Theft Vectors

5. Top-5 Active Directory Security Measures

6. An Ocean of Access Privileges in Active Directory

+ How to Limit Access Privileges in Active Directory

7. 5 Examples of Limiting Access Privileges in Active Directory

8. Automated Privileged Access Audit in Active Directory

9. 5 Examples of Impact of Compromise

10. 5 Essential Active Directory Access Privilege Audit Tools

11. 5 Special Active Directory Security Topics

Summary + Helpful Pointers and Insights


Active Directory


The very foundation of organizational cyber security


Active Directory – The Very Foundation


• Active Directory is the very bedrock and foundation of cyber security in a Microsoft Windows Server based network, as it enables and provides –

1. User Authentication

2. Network-wide Authorization

3. Security Auditing for Identity and Access Management

4. Delegation and Management of Administrative (Privileged) Access

5. Centralized Network-wide Host and Security Policy Management

• It also stores, secures and enables the management of the entirety of all building blocks of cyber security – all accounts, credentials, groups and policies

• Many critical aspects of IT, such as email (Microsoft Exchange), rely on Active Directory

• It is also the very core and foundation of privileged access in a Microsoft Windows Server based network, including that of system-wide unrestricted privileged access

• An organization’s foundational Active Directory deployment is thus its highest-value IT asset, and a high-value business asset, and it must always be protected as such


Active Directory – Impact of Compromise


• The compromise of an organization’s foundational Active Directory is tantamount to a complete system-wide compromise -

1. The “Keys to the Kingdom” would be compromised

2. The credentials of all users could then be compromised

3. The membership of all security groups could be modified to obtain access to all IT resources protected by these groups

4. The security policies protecting all domain-joined hosts could be modified to obtain the access privileges needed to tamper with and divulge all data stored on all domain-joined hosts, i.e. laptops, desktops, servers etc.

5. As a consequence, the entirety of an organization’s IT resources could be exposed to and vulnerable to the risk of compromise

• The only way to re-establish a trustworthy and provably secure state would be to completely rebuild a new Active Directory deployment, i.e. to completely rebuild the entire IT infrastructure


Active Directory – The Attack Surface


• The Active Directory attack surface is vast, but defendable –

1. Domain Controllers (DCs)

2. Active Directory Administrative (Privileged) Accounts and Groups

3. Thousands of Access Privileges (Security Permissions) and Administrative Delegations within Active Directory

4. Active Directory Backups

5. Active Directory Administrative User Workstations



Top-5 Active Directory Security Risks, Attack Methods and Attack Vectors



Active Directory – Top-5 Security Risks


• The following are the Top-5 Active Directory security risks today –

1. Instant compromise of the credentials of all domain user accounts (i.e. non-privileged as well as privileged users) in Active Directory

2. Instant compromise of all default Active Directory administrative (privileged) domain user accounts and security groups

3. Instant compromise of all IT assets stored in Active Directory (i.e. all user and computer accounts, security groups, OUs etc.)

4. Compromise of a Domain Controller

5. Targeted compromise of specific IT assets stored in Active Directory (i.e. a specific user or computer account, security group, OU etc.)

Basis: Collective consideration of 1) Ease of Enactment, 2) Likelihood/Probability of Occurrence and 3) Impact of Compromise


Active Directory – Top-5 Attack Methods


• The following are the Top-5 Active Directory attack methods –

1. Active Directory Privilege Escalation based on the identification and exploitation of unauthorized/excessive access privileges (i.e. effective permissions/access) and administrative delegations in Active Directory

Note – The attack method involving the retrieval of credentials from Active Directory via replication, as embodied in the use of mimikatz DCSync, also requires the use of unauthorized/elevated Active Directory access privileges

2. Active Directory Privilege Escalation based on various credential theft techniques, such as Pass-the-Hash, Pass-the-Ticket, Golden Tickets etc.

3. Compromise of an Active Directory administrator’s workstation using any one of various well-known host compromise techniques

4. Extraction of credentials from an Active Directory backup

5. Compromise of a Domain Controller using any one of various well-known host compromise techniques

Listed in decreasing order of Ease of Enactment


Active Directory – Top-5 Attack Vectors


• The following are the Top-5 Active Directory attack vectors –

1. Use the DCSync feature of Mimikatz to obtain and compromise the credentials of all domain user accounts in Active Directory

2. Modify the AdminSDHolder object’s access control list (ACL) in Active Directory to obtain control of all administrative accounts and groups

3. Modify the domain root object’s ACL in Active Directory to obtain control over all Active Directory content in the domain

4. Modify the default Domain Controllers Organizational Unit object’s ACL in Active Directory to obtain control over all Domain Controllers

5. Find and exploit excessive or unauthorized effective permissions/effective access in Active Directory to escalate privilege via password resets and group membership/ACL changes to compromise any IT asset in Active Directory

Listed in decreasing order of Ease of Enactment


Active Directory – Attack Vectors 6 - 11


• The following are Active Directory attack vectors 6 to 11 –

6. Modify critical Active Directory configuration settings to compromise security or launch a denial of service attack against Active Directory

7. Steal and use the credentials (hashes/tickets) of an Active Directory administrative (privileged access) domain user account holder

8. Use unconstrained delegation to impersonate an Active Directory administrative (privileged access) domain user account holder

9. Compromise the workstation of an Active Directory administrative (privileged access) user to gain and misuse administrative privilege

10. Obtain physical access to an Active Directory backup to obtain access to the credentials of all domain user accounts in the domain

11. Compromise a domain controller to obtain complete control over the entire Active Directory domain, and by extension the entire forest

Listed in decreasing order of Ease of Enactment


Top-5 Active Directory Threat Sources


It could be any insider, or an outsider


Active Directory – Top-5 Threat Sources


1. A Disgruntled, Rogue, Compromised, Bribed or Coerced Insider with Privileged Access

Any privileged user with unrestricted or delegated admin access in Active Directory who may have become disgruntled, turned rogue, or be bribed or coerced into misusing privilege, or whose account may have been compromised by an intruder

2. A Disgruntled, Rogue, Compromised, Bribed or Coerced Insider with no Privileged Access

Any non-privileged or limited-privilege access user (e.g. an employee or a contractor) who may have become disgruntled, been compromised, turned rogue, or be bribed or coerced into misusing their existing access level to escalate privilege to that of a privileged user

3. An intruder driven by financial, political or other motivations

An intruder, such as a lone hacker, cyber criminals or an advanced persistent threat (APT), that is able to penetrate the network, gain a foothold and escalate privilege

4. An intentional automated attack employing use of sophisticated, targeted malware

5. The unintentional or accidental misuse of Active Directory privileged access


Top-5 Active Directory Security Risks (The Details)



Active Directory – Top Security Risk #1


• Risk: Instant compromise of the credentials of all domain user accounts (i.e. all non-privileged as well as privileged users) in Active Directory

• Attack Vector > Use the DCSync feature of the Mimikatz tool to obtain and compromise the credentials of all domain user accounts in Active Directory

1. Asset at Risk – Credentials of all user accounts in Active Directory domain

2. Enabler – Perpetrator requires Get-Replication-Changes-All effective permissions on the domain root

3. Exploitation Procedure – Run Mimikatz DCSync on any host in the network to easily replicate secrets and determine all users’ credentials

4. Attack Surface – Domain root object

5. Difficulty – Low

6. Impact/Severity – High

7. Probability of Occurrence – High

8. Mitigation/Prevention – Audit and lock down effective permissions on the domain root object regularly to ensure that only authorized and highly trustworthy personnel have Get-Replication-Changes-All effective permissions on the object


Active Directory – Top Security Risk #2


• Risk: Instant compromise of all default Active Directory administrative (privileged) domain user accounts and security groups

• Attack Vector > Modify the AdminSDHolder object’s access control list in Active Directory to obtain control of all administrative accounts and groups

1. Asset at Risk – All default Active Directory admin accounts and groups

2. Enabler – Perpetrator requires Modify-Permissions effective permissions on the AdminSDHolder object

3. Exploitation Procedure – Modify the AdminSDHolder object’s ACL to grant oneself sufficient permissions to control all admin accounts and groups

4. Attack Surface – AdminSDHolder

5. Difficulty – Low

6. Impact/Severity – High

7. Probability of Occurrence – High

8. Mitigation/Prevention – Audit and lock down effective permissions on the AdminSDHolder object regularly to ensure that only authorized and highly trustworthy personnel have Modify Permissions effective permissions on the object


Active Directory – Top Security Risk #3


• Risk: Instant compromise of all IT assets stored in Active Directory (i.e. all user and computer accounts, security groups, OUs etc.)

• Attack Vector > Modify the domain root object’s ACL in Active Directory to obtain control over all Active Directory content in the domain

1. Asset at Risk – All Active Directory content (all accounts, groups etc.)

2. Enabler – Perpetrator requires Modify-Permissions effective permissions on the domain root

3. Exploitation Procedure – Modify the domain root object’s ACL to grant oneself a single Full Control permission that will be inherited by all* objects

4. Attack Surface – Domain Root

5. Difficulty – Low

6. Impact/Severity – High

7. Probability of Occurrence – High

8. Mitigation/Prevention – Audit and lock down effective permissions on the domain root object regularly to ensure that only authorized and highly trustworthy personnel have Modify Permissions effective permissions on the object

* All objects whose ACL is not marked Protected


Active Directory – Top Security Risk #4


• Risk: Compromise of all Domain Controllers (DCs)

• Attack Vector > Modify the default Domain Controllers Organizational Unit object’s ACL in Active Directory to be able to obtain control over all DCs

1. Asset at Risk – Domain Controllers

2. Enabler – Perpetrator requires effective permissions to link GPOs or modify permissions on the default Domain Controllers OU

3. Exploitation Procedure – Modify the default DC OU’s ACL to grant oneself sufficient permissions to link Group Policies, then link a weak GPO

4. Attack Surface – Domain Controllers OU

5. Difficulty – Low

6. Impact/Severity – High

7. Probability of Occurrence – High

8. Mitigation/Prevention – Audit and lock down effective permissions on the default Domain Controllers OU to ensure that only authorized and highly trustworthy personnel have sufficient effective permissions to link GPOs or modify permissions


Active Directory – Top Security Risk #5


• Risk: Targeted compromise of specific IT assets stored in Active Directory (i.e. a specific user or computer account, security group, OU etc.)

• Attack Vector > Find and exploit excessive or unauthorized effective permissions/effective access in Active Directory to compromise any specific IT asset of choice

1. Asset at Risk – All Active Directory content (e.g. CEO’s user account)

2. Enabler – Excessive or unauthorized effective permissions on 1000s of objects within Active Directory

3. Exploitation Procedure – Find, then exploit excessive permissions / effective access in Active Directory to compromise the security of any IT asset

4. Attack Surface – Entire domain

5. Difficulty – Low

6. Impact/Severity – High

7. Probability of Occurrence – High

8. Mitigation/Prevention – Perform a domain-wide Active Directory effective privileged access audit to ensure that only authorized personnel have sufficient, least privileged effective access on Active Directory content


A Note on Credential Theft Attack Vectors



A Note on Credential Theft Vectors


• Several recent high-profile attack vectors such as Pass-the-Hash, Pass-the-Ticket, Golden Tickets etc. have been attributed to Active Directory security

• However, contrary to popular belief, these credential theft attack vectors are not technically related to weaknesses in Active Directory Security at all. Here’s why -

1. These vectors arise from deficiencies in Microsoft’s implementation of authentication protocols, predominantly Kerberos, not from weaknesses in Active Directory security

2. Their only relation to Active Directory is that Microsoft’s implementation of Kerberos happens to be integrated with Active Directory, i.e. a DC is also a Kerberos KDC and Kerberos uses Active Directory as its account database

3. Unfortunately, these vectors just happen to also be often used to compromise Active Directory administrative accounts since these accounts are the most powerful accounts

4. Finally, each one of them requires either that a victim log on to a machine owned by the perpetrator, or that the perpetrator log on to a DC. In contrast, not a single one of the top-5 attack vectors listed in this presentation requires either of these pre-conditions

• Since they are not caused by weaknesses in Active Directory, they have not been covered here


Top-5 Active Directory Security Measures



Active Directory – Top-5 Security Measures


• The following are the Top-5 security measures that organizations can enact to enhance Active Directory security –

1. Provide the highest level of physical, system and network security for all Domain Controllers and Active Directory backups

2. Minimize the number of all-powerful administrative accounts in Active Directory by delegating all non-sensitive (common) administrative tasks

3. Limit access privileges in Active Directory by performing an ‘effective privileged access audit’ to ensure that all access privileges/delegations provisioned in Active Directory adhere to the principle of least privilege

4. Frequently audit ‘effective permissions’ on all critical Active Directory objects such as AdminSDHolder, the domain root object, the Domain Controllers OU etc. to mitigate the top 4 Active Directory security risks

5. Establish, implement and enforce secure administrative practices and audit privileged access use by implementing Active Directory auditing


Active Directory – Security Measure #1


• Provide the highest level of physical, system and network security for all Domain Controllers (DCs) and Active Directory backups –

1. Ensure that all DCs and Active Directory backups are located in highly secure physical locations, ideally requiring 3-factor authentication

2. Ensure that all system-level controls (e.g. User Rights, Privileges, Services etc.) on all DCs are configured to provide the highest level of security

3. Unless absolutely required, do not install any 3rd party software on any DC. Evaluate the source and trustworthiness of all installed software

4. Ensure that all DCs are fully patched at all times

5. Implement adequate controls to protect DCs against known attack methodologies that could be used to compromise Windows systems


Active Directory – Security Measure #2


• Minimize the number of all-powerful admin accounts in Active Directory by delegating all non-sensitive administrative tasks –

1. Begin by identifying all Active Directory as well as identity and access management administrative tasks that cannot/must not be delegated

2. Assign those responsibilities to default admin groups (e.g. Domain Admins) or custom groups and minimize membership in these groups

3. Next, develop a simple administrative delegation model for delegating responsibilities for all remaining admin tasks within Active Directory

4. Then, implement your delegation model by provisioning the required access in Active Directory based on the principle of least privilege access (LPA)

5. Periodically review your administrative delegations by performing an ‘effective privileged access audit’ to ensure their adherence to LPA


Active Directory – Security Measure #2b


• Minimize the number of privileged access users that possess unrestricted or vast privileged access in Active Directory –

1. Begin by identifying all security groups* in Active Directory that possess administrative access, either by default or based on provisioned access

2. Assess the membership of each one of these security groups and reduce membership in these groups to an absolute bare minimum

3. Next, identify all individuals who are sufficiently privileged (i.e. have sufficient effective permissions / effective access) to enact the following tasks –

Change the membership of any one of these admin groups

Reset the password of any user that belongs to these admin groups

Modify the permissions protecting these groups or member users

4. Treat all individuals identified in step 3 as unrestricted privileged access users as well, then and as appropriate, consider reducing their number

* Individual users may also possess administrative access in Active Directory based on security permissions that are directly specified for them. All such users must also be taken into consideration. An ‘effective privileged access audit’ in Active Directory can instantly identify all such users, as well as the underlying permissions.


Active Directory – Security Measure #3


• Limit access privileges in Active Directory to ensure that all access privileges and delegations adhere to the principle of least privilege –

1. Begin by understanding that it is who has what effective permissions, not who has what permissions, that controls (limits) who can actually do what

2. In light of the above, proceed to determine effective permissions on every object in Active Directory to find out who can actually do what

3. Alternatively, perform an ‘effective privileged access audit’ in Active Directory, which is the only definitive way to accurately and efficiently assess effective privileged access across an entire Active Directory

The results of an ‘effective privileged access audit’ will uncover who can actually do what, where they can do so, and how they can do so

Use the results of the ‘effective privileged access audit’ to lock down access privileges in Active Directory. To verify the lockdown, repeat the ‘effective privileged access audit’ to re-assess the resulting effective access
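The following is an added example (not from the deck) of the ‘who can actually do what, and how’ half of an effective access check: it expands one user’s nested group membership server-side and matches it against one object’s ACL, with the simplifications stated in the comments. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host; the user name jdoe, the function names and the sample object are the example’s own.

```powershell
# Added example, not from the Paramount Defenses deck: approximate "who can actually do
# what, and how" for one principal on one object. The object's DACL already contains the
# ACEs inherited from its parents, so only the principal side needs expanding.
# Assumes the RSAT ActiveDirectory module on a domain-joined host and a user DN that
# contains no LDAP-filter special characters (no escaping is done here).
Import-Module ActiveDirectory

function Get-PrincipalSids {
    # Every SID the user's access token would carry inside this domain (approximation:
    # groups from other domains and SID history are not followed).
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $sids = New-Object System.Collections.Generic.List[string]
    $sids.Add($user.SID.Value)
    # The primary group is not listed in 'member', so build its SID from domain SID + RID.
    $sids.Add("$((Get-ADDomain).DomainSID.Value)-$($user.primaryGroupID)")
    # LDAP_MATCHING_RULE_IN_CHAIN returns every group the user is in, however deeply nested.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { $sids.Add($_.SID.Value) }
    # Well-known principals every logged-on domain user matches: Everyone, Authenticated Users.
    $sids.Add('S-1-1-0'); $sids.Add('S-1-5-11')
    return $sids
}

function Test-EffectiveRight {
    param(
        [string]$SamAccountName,
        [string]$ObjectDN,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty   # extended-right or attribute GUID; Empty = any scope
    )
    $sids = Get-PrincipalSids $SamAccountName
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    $sidT = [System.Security.Principal.SecurityIdentifier]
    $io   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # ACEs that name one of the principal's SIDs, apply to this object itself (not
    # inherit-only) and overlap the requested right and object-type scope.
    $hits = @(foreach ($ace in $acl.GetAccessRules($true, $true, $sidT)) {
        if (($ace.PropagationFlags -band $io) -ne 0) { continue }
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $Right) -eq 0) { continue }
        $scopeOk = $ace.ObjectType -eq [guid]::Empty -or $ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ObjectType
        if ($scopeOk) { $ace }
    })
    $via = @(foreach ($m in $hits) {
        try   { $who = $m.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $m.IdentityReference.Value }
        '{0} via {1}{2} [{3}]' -f $m.AccessControlType, $who,
            $(if ($m.IsInherited) { ' (inherited)' } else { '' }), $m.ActiveDirectoryRights
    })
    # Windows walks the canonical order (explicit Deny, explicit Allow, inherited Deny,
    # inherited Allow). Collapsing that to "any matching Deny wins" can under-report access
    # when an explicit Allow outranks an inherited Deny; the Via list shows both for review.
    $verdict = if ($hits | Where-Object AccessControlType -eq 'Deny') { 'Denied' }
               elseif ($hits.Count -gt 0) { 'Allowed' }
               else { 'Not granted' }
    # The owner implicitly holds READ_CONTROL and WRITE_DAC whatever the DACL says, and can
    # therefore grant itself anything else: this is why WriteOwner is an enabler as well.
    $ownerSid = $acl.GetOwner($sidT).Value
    if ($verdict -ne 'Allowed' -and $sids -contains $ownerSid -and
        ($Right -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -ne 0) {
        $verdict = 'Allowed'
        $via += "Allow via object ownership ($ownerSid)"
    }
    [pscustomobject]@{ Principal = $SamAccountName; Object = $ObjectDN; Right = $Right
                       Verdict = $verdict; Via = $via }
}

# Constructed example: can user 'jdoe' rewrite the DACL of the Domain Admins group?
$domainDN = (Get-ADDomain).DistinguishedName
Test-EffectiveRight -SamAccountName 'jdoe' -ObjectDN "CN=Domain Admins,CN=Users,$domainDN" -Right WriteDacl |
    Format-List
```

Pass an extended-right GUID as -ObjectType to test a scoped right such as a password reset; a result of ‘Not granted’ here is only as reliable as the group expansion and ordering simplifications noted in the comments.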


Active Directory – Security Measure #4


• Frequently audit ‘effective permissions’ on all critical Active Directory objects to mitigate the top 4 Active Directory risks –

1. Begin by understanding that effective permissions, not permissions, control who effectively (i.e. actually) has what access in Active Directory

2. In light of the above, frequently audit effective permissions on all critical objects in Active Directory to ensure that only the most highly trustworthy users possess sufficient effective permissions to be able to enact highly sensitive operations in Active Directory

3. Examples of such critical objects include the Domain, Configuration and Schema partition root objects, AdminSDHolder, the default Domain Controllers OU, the Quotas container and numerous objects in the Configuration partition. In addition, you may also want to include all sensitive accounts (e.g. executive accounts) and groups, and large OUs
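As an added example (not the deck’s or Paramount Defenses’ code) serving both Top Security Risks #1 to #4 and this measure, the PowerShell below reads the ACLs of the domain root, AdminSDHolder and the default Domain Controllers OU and lists every trustee holding the enabling permission named on the risk slides. It assumes the RSAT ActiveDirectory module; the function name and the $expected baseline are the example’s own assumptions.

```powershell
# Added example, not from the Paramount Defenses deck: for the critical objects behind
# the deck's Top Risks #1-#4, list every trustee that holds the ACE enabling the attack,
# so the list can be compared against the handful of trustees that should hold it.
# Assumes the RSAT ActiveDirectory module (Get-ADDomain, Get-ADObject, the AD: drive);
# reading DACLs needs no privilege beyond an ordinary domain account.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDSE  = Get-ADRootDSE
$domainDN = $domain.DistinguishedName
$nb       = $domain.NetBIOSName

# Resolve the control-access-right and attribute GUIDs from this forest's own
# Configuration and Schema partitions rather than hard-coding them.
$extRightsDN = "CN=Extended-Rights,$($rootDSE.configurationNamingContext)"
$dcSyncGuid  = [guid](Get-ADObject -SearchBase $extRightsDN -LDAPFilter '(displayName=DS-Replication-Get-Changes-All)' -Properties rightsGuid).rightsGuid
$gpLinkGuid  = [guid](Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID).schemaIDGUID

# Baseline of trustees that hold these rights by default (an assumption to tune per forest;
# in a child domain, Enterprise Admins appears under the forest-root NetBIOS name, not $nb).
$expected = @("$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers",
              'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

function Get-EnablingAces {
    param(
        [string]$ObjectDN,                        # object whose DACL is inspected
        [string]$Risk,                            # label tying the finding to the deck's risk
        [guid]  $ExtendedRight = [guid]::Empty,   # control access right whose grant enables the attack
        [string]$ExtendedName  = '',
        [guid]  $Property      = [guid]::Empty,   # attribute whose WriteProperty enables the attack
        [string]$PropertyName  = ''
    )
    $A   = [System.DirectoryServices.ActiveDirectoryRights]
    $io  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child objects, never to this object itself.
        if (($ace.PropagationFlags -band $io) -ne 0) { continue }
        $r   = $ace.ActiveDirectoryRights
        $why = @()
        if (($r -band $A::GenericAll) -eq $A::GenericAll) {
            $why += 'GenericAll (Full Control)'
        } else {
            if (($r -band $A::WriteDacl)  -ne 0) { $why += 'WriteDacl (Modify Permissions)' }
            if (($r -band $A::WriteOwner) -ne 0) { $why += 'WriteOwner (take ownership, then rewrite the DACL)' }
            # An ObjectType of Guid.Empty means "all extended rights" / "all properties".
            $all = $ace.ObjectType -eq [guid]::Empty
            if ($ExtendedRight -ne [guid]::Empty -and ($r -band $A::ExtendedRight) -ne 0 -and
                ($all -or $ace.ObjectType -eq $ExtendedRight)) { $why += $ExtendedName }
            if ($Property -ne [guid]::Empty -and ($r -band $A::WriteProperty) -ne 0 -and
                ($all -or $ace.ObjectType -eq $Property)) { $why += "WriteProperty: $PropertyName" }
        }
        foreach ($w in $why) {
            [pscustomobject]@{
                Risk      = $Risk
                Object    = $ObjectDN
                Trustee   = $ace.IdentityReference.Value
                Enabler   = $w
                Inherited = $ace.IsInherited
                Expected  = $expected -contains $ace.IdentityReference.Value
            }
        }
    }
}

$findings = @(
    # Risk #1 (DCSync right) and Risk #3 (domain-root ACL) both live on the domain root object.
    Get-EnablingAces -ObjectDN $domainDN -Risk '#1/#3 domain root' `
        -ExtendedRight $dcSyncGuid -ExtendedName 'DS-Replication-Get-Changes-All (DCSync)'
    Get-EnablingAces -ObjectDN "CN=AdminSDHolder,CN=System,$domainDN" -Risk '#2 AdminSDHolder'
    Get-EnablingAces -ObjectDN $domain.DomainControllersContainer -Risk '#4 Domain Controllers OU' `
        -Property $gpLinkGuid -PropertyName 'gPLink (link a GPO to the OU)'
)
$findings | Sort-Object Risk, Expected, Trustee |
    Format-Table Risk, Trustee, Enabler, Inherited, Expected -AutoSize
# Rows with Expected = False are the lockdown candidates. A trustee is usually a group, so
# expand its nested membership before concluding who can really act.
```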


Active Directory – Security Measure #5


• Establish, implement and enforce secure administrative practices and audit the enactment of privileged administrative tasks –

1. Establish, implement and enforce secure administrative practices for all users that possess privileged access in Active Directory

2. Provide adequate coverage for all vital areas of security, such as –

Policies and procedures clearly specifying secure administrative practices

Policies requiring the use of dedicated administrative workstations

Policies governing the security of dedicated administrative workstations

Policies restricting privileged user logons to assigned workstations

Policies requiring enhanced protection of administrative user accounts

3. To the extent possible, the policies and procedures should ideally be enforceable and their violations detectable and consequential

4. Implement Active Directory auditing to audit enactment of privileged tasks


A Vast Ocean within Active Directory


Within Active Directory lies a vast ocean of access privileges that today directly impacts the cyber security of the entire organization


Active Directory – Foundational Contents


• Active Directory stores and protects the entirety of all building blocks of organizational cyber security –

1. User Accounts – All organizational user accounts including all privileged user, executive, employee and contractor accounts

2. Computer Accounts – All organizational computer accounts including those of all PCs and laptops, and all file, database, app and web servers

3. Security Groups – All organizational security groups including all privileged groups and all security groups used to provision access to the entirety of the organization’s IT resources across the network

4. Security Policies – All account, host security and remote-access policies

5. Other vital content – All vital IT resources such as service connection points, network printers, DNS records and critical configuration data


Active Directory – An Ocean of Access Privileges


• An ocean of access privileges exists within Active Directory to protect the entirety of its contents –

1. Every object in Active Directory is protected by an access control list (ACL)

2. Every ACL in Active Directory specifies who has what access privileges to that object, in the form of Active Directory access control entries (ACEs)

3. Every ACE allows or denies a specific security principal (i.e. user, group or well-known principal) specific Active Directory security permissions

4. On average there exist approximately 100 ACEs in each Active Directory ACL

5. Consequently, in an Active Directory comprised of 1000s of objects, there exist millions of access privileges within Active Directory

• Together, this ocean of access privileges in Active Directory protects the entirety of the organization’s building blocks of cyber security


Active Directory – A Snapshot of Access Privileges


• There are millions of access privileges (security permissions) in Active Directory that collectively protect the entirety of all Active Directory content –

• Each access privilege allows or denies a specific security principal a specific type of access, and together they determine the resulting (effective) access in Active Directory

• There are 1000s of objects in every Active Directory domain

• Each object is protected by an access control list (ACL) that specifies the access privileges (security permissions) protecting that object


Active Directory – Sources of Access Privileges


• There are five sources of access privileges (i.e. security permissions) in Active Directory –

1. A set of default security permissions is applied when Active Directory is installed

2. Then, when an object is created in Active Directory, default security settings specified in the object’s Schema class definition (defaultSecurityDescriptor) become the object’s default security settings (nTSecurityDescriptor)

3. In addition, all Active Directory objects inherit all security permissions marked inheritable from their parent objects, unless an object’s ACL is marked Protected

4. Subsequently, as and when IT personnel delegate administrative tasks in various parts of Active Directory, various security permissions are added/modified on numerous objects to represent these administrative delegations

5. Finally, security permissions are added/modified on Active Directory objects as and when IT personnel directly provision specific access to fulfill business needs

• In this manner, over time, a large number of access privileges (i.e. security permissions) are introduced and changed in Active Directory

Active Directory – The Need to Limit Access Privileges

• The need to limit (control) access privileges within Active Directory is paramount to organizational cyber security because –

1. Active Directory is the foundation and core of an ‘information system’ (i.e. an IT infrastructure) powered by Microsoft’s Windows Server platform

2. It stores and protects all the building blocks of cyber security and enables secure access to all of the organization’s IT resources

3. Excessive privileges in Active Directory could easily and quickly grant a perpetrator vast network-wide access, including privileged access

4. In most cases such access could be used to gain unauthorized access and compromise the security of specific and/or numerous IT assets

5. In many cases such access could be used to easily and quickly gain system-wide unauthorized privileged access and compromise the security of most IT assets, resulting in a massive cyber security breach

Active Directory – Top-5 Access Privileges to Limit

• The following are the Top-5 access privileges in Active Directory that all organizations must consider limiting without delay –

1. Limit access privileges on all critical Active Directory objects such as (and not limited to) the domain, Configuration and Schema partition roots, the System container, AdminSDHolder, the default Domain Controllers OU etc.

2. Limit access privileges that control who can create, manage and delete all Active Directory administrative (privileged) user accounts and groups

3. Limit access privileges that control who can create, manage (reset passwords, enable disabled accounts, unlock locked accounts, change UAC and Kerberos delegation settings etc.) and delete all domain user and computer accounts

4. Limit access privileges that control who can create, manage (change group membership, group type etc.) and delete all domain security groups

5. Limit access privileges that control who can create, manage (delegate control, link GPOs etc.) and delete all Organizational units

Active Directory – How to Limit Access Privileges

• Organizations can limit access privileges in Active Directory in 3 simple steps –

1. First, assess* the actual (i.e. effective) state of access privileges currently provisioned on all objects in Active Directory

2. Next, limit access privileges in Active Directory based on the principle of least privilege, in line with the organization’s current access needs

3. Finally, verify the lockdown (i.e. limiting) of access privileges in Active Directory by re-assessing the resulting effective state of locked-down access

From this point on, to maintain a secure state, periodically assess the actual (i.e. effective) state of access privileges in Active Directory:

Weekly on critical objects e.g. Domain root, AdminSDHolder, Exec accounts

Monthly on all other objects e.g. all OUs, accounts, security groups

• The capability to assess the actual (i.e. effective) state of access privileges in Active Directory is essential to limiting access privileges in Active Directory

* Slide 41 titled ‘Active Directory - How to Assess Access Privileges’ covers how to correctly assess access privileges in Active Directory

Active Directory – A Simple $Billion Question

• Consider the ACL protecting the domain root object. There are many security permissions specified in it for various security principals –

Security permissions in the object’s ACL can be –

1. Allowed or Denied
2. For a User or a Group
3. Specific or Special
4. Explicit or Inherited

• How does one assess who actually has what access privileges on the domain root?

Active Directory – The Answer: Effective Permissions

• To determine who actually has what access privileges in Active Directory, one needs to determine effective permissions on Active Directory objects –

Active Directory – How to Assess Access Privileges

• The following 4 technical facts can help organizations correctly assess access privileges in Active Directory –

1. It is imperative to understand that what determines the actual access is who has what effective permissions*, not who has what permissions

2. Consequently, in order to assess access privileges in Active Directory, one (only) needs to analyze effective permissions*, not permissions

3. Three data points are needed to assess and lock down access privileges –

The complete set of effective permissions* allowed on an object
The complete list of users that have each such effective permission
The underlying permissions that grant users these effective permissions

4. With these 3 data points, one can correctly assess and lock down exactly who actually has what access privileges where in Active Directory, and how

* In lieu of effective permissions, one may determine and use effective access (i.e. access in terms of enactable administrative tasks)

Active Directory – Effective Permissions

• Active Directory Effective Permissions are possibly the most critical and essential, yet largely ignored aspect of organizational cyber security –

1. It is effective permissions, not permissions, that determine the actual access privileges that users have on an Active Directory object

2. This is because a user may directly/indirectly (via group memberships) be explicitly/via inheritance allowed/denied any combination of 60+ permissions

3. In fact, effective permissions / effective access are so important that Microsoft’s Active Directory tooling provides an entire tab for them

4. Unfortunately Microsoft’s Effective Permissions Calculator/Tab, acldiag tool, PowerShell scripts etc. are all neither 100% accurate nor adequate –

They do not consider all factors, thus delivering inaccurate results
They can only determine effective permissions one user at a time
They cannot identify the permissions underlying an effective permission

5. Accurately determining effective permissions in Active Directory is very difficult

Active Directory – The Effective Permissions Tab

• Effective Permissions are so important that Microsoft has dedicated an entire tab in its Active Directory tooling to determine effective permissions –

The Effective Permissions Tab

• Unfortunately, Microsoft’s Effective Permissions Tab is neither accurate nor adequate –

1. Unfortunately, it does not take all factors into account, and thus it is not 100% accurate

2. Further, it can only determine effective permissions one user at a time

3. Finally, it cannot identify underlying permissions that entitle a user to a specific effective permission

Active Directory – An Effective Permissions Tool

• An example of an Active Directory Effective Permissions Calculator that is both accurate and adequate –

1. It accurately determines the complete set of all effective permissions granted on an object

2. For each granted effective permission, it also determines the complete list of all users who have that effective permission

3. For each user who has a specific effective permission granted, it also determines the underlying security permission that entitles that user to that specific effective permission

It can instantly and accurately determine effective permissions on any object in any Active Directory partition

The Gold Finger Active Directory Effective Permissions Tool

Active Directory – Beware of Inaccurate Tooling

• In the interest of the security of all organizations, we wish to make the world aware that there are at least two tools available online that are being marketed by their respective vendors as a free ‘Active Directory Effective Permissions Tool’

• Our testing has found that one of these tools is not even designed for use in Active Directory, and that the second tool is dangerously inaccurate

• Organizations are advised to exercise great caution when considering the use of and reliance on any such Active Directory Effective Permissions tools

Any organization that wishes to evaluate the accuracy of any such tool can do so by comparing that tool’s results with the results of Gold Finger, the world’s only accurate Active Directory Effective Permissions Tool.

5 Examples of Limiting Privileges in Active Directory

Active Directory – Limiting Privileges: Example 1

• Limiting access privileges on the domain root object in Active Directory –

1. Objective: Limit access privileges on Active Directory domain root object to mitigate risk of complete credential compromise by mimikatz DCSync

2. Methodology:

1. Audit effective permissions on the domain root object to identify all individuals who currently have the Get-Replication-Changes-All effective permissions granted

2. List all individuals who should not have these effective permissions

3. Use the effective permissions audit data to identify how they have these effective permissions, i.e. identify the underlying security permissions in the object’s ACL that grant them these effective permissions, then lock down those permissions

4. Re-assess effective permissions on the object to verify access lockdown

Active Directory – Limiting Privileges: Example 1 Illustrated

• The following is an illustration of how to enact this recommendation –

1. Determine effective permissions on the domain root object

2. Select the Replicating Directory Changes All effective permission

3. Identify all users who currently have this effective permission

4. Identify all users who currently have this effective permission but who should not actually have this effective permission

5. For each user who currently has this effective permission but should not have it, identify the underlying security permissions that entitle that user to this effective permission, and lock that permission down

Gold Finger Active Directory Effective Permissions Calculator
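The three data points listed under ‘How to Assess Access Privileges’ (the full set of effective permissions on an object, who holds each one, and the underlying permission that grants it) and the Example 1 audit of the Replicating Directory Changes All right can be modelled in code. The following is an added illustration, not Paramount Defenses, Gold Finger or Microsoft code: a small Python model of the Windows access check (transitive group expansion, canonical ACE order with denies evaluated before allows, first matching ACE deciding each right) run over a constructed ACL and constructed group memberships for a domain-root-like object. Rights are named strings rather than access-mask bits and extended-right GUIDs, and owner-implicit rights are deliberately not modelled.

```python
"""Model of how an ACL becomes effective permissions (added illustration).

Not Gold Finger or Microsoft code.  All ACEs, users and group memberships
below are constructed sample data.  Rights are named strings instead of
ACCESS_MASK bits / extended-right GUIDs; owner-implicit rights are left out.
"""
from dataclasses import dataclass

GET_CHANGES_ALL = "DS-Replication-Get-Changes-All"   # the right DCSync needs

# Token SIDs every authenticated user carries; modelled as plain names.
WELL_KNOWN = frozenset({"Everyone", "Authenticated Users"})


@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group the ACE applies to
    rights: frozenset        # rights named in the ACE
    inherited: bool = False  # inherited from a parent object vs. explicit


# Constructed DACL, in the order it might be stored (not canonical on purpose).
DOMAIN_ROOT_ACL = [
    Ace("allow", "Helpdesk", frozenset({"WriteProperty"}), inherited=True),
    Ace("allow", "Authenticated Users", frozenset({"ReadProperty"})),
    Ace("allow", "Domain Admins", frozenset({"WriteDacl", "WriteProperty",
        "DS-Replication-Get-Changes", GET_CHANGES_ALL})),
    Ace("deny", "Helpdesk", frozenset({"WriteProperty"})),
    Ace("allow", "Directory Sync Admins",
        frozenset({"DS-Replication-Get-Changes", GET_CHANGES_ALL})),
    Ace("deny", "carol", frozenset({GET_CHANGES_ALL})),
]

# Constructed group -> direct members (users or nested groups).
MEMBERSHIPS = {
    "Domain Admins": {"alice"},
    "Directory Sync Admins": {"Sync Operators"},   # nested group
    "Sync Operators": {"bob", "carol"},
    "Helpdesk": {"dave", "carol"},
}
USERS = ["alice", "bob", "carol", "dave"]


def access_token(user, memberships):
    """Transitive group closure: what a logon token for `user` would carry."""
    token = {user} | set(WELL_KNOWN)
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in memberships.items():
            if member in members and group not in token:
                token.add(group)
                frontier.append(group)
    return frozenset(token)


def canonical(acl):
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind != "deny"))


def effective_permissions(user, acl, memberships):
    """Return {right: ACE} for every right `user` effectively holds.

    Walk the canonical DACL; the first ACE naming a right for a SID in the
    token decides that right, so a deny met first wins, as in the Windows
    access check.  The ACE kept is the third data point: the underlying
    permission that produces the effective permission.
    """
    token = access_token(user, memberships)
    decided = {}
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        for right in ace.rights:
            decided.setdefault(right, ace)
    return {right: ace for right, ace in decided.items() if ace.kind == "allow"}


def who_has(right, users, acl, memberships):
    """Every user holding `right`, each with the ACE that grants it."""
    holders = {}
    for user in users:
        granted = effective_permissions(user, acl, memberships)
        if right in granted:
            holders[user] = granted[right]
    return holders


def audit(users, acl, memberships):
    """Complete set of effective rights on the object, with holders and grants."""
    report = {}
    for user in users:
        for right, ace in effective_permissions(user, acl, memberships).items():
            report.setdefault(right, {})[user] = ace
    return report


if __name__ == "__main__":
    # Example 1, steps 1-3 and 5: who effectively holds the DCSync right, and why.
    for user, ace in sorted(who_has(GET_CHANGES_ALL, USERS, DOMAIN_ROOT_ACL, MEMBERSHIPS).items()):
        path = "directly" if ace.trustee == user else f"via group '{ace.trustee}'"
        print(f"{user}: {GET_CHANGES_ALL} {path} (explicit={not ace.inherited})")
```

On this sample data carol is a member of a group that is allowed the right, yet her explicit deny ACE is evaluated first and she does not hold it; bob holds it only through a nested group, which is exactly the path a per-ACE view of the ACL would miss.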

Active Directory – Limiting Privileges: Example 2

• Limiting access privileges on all default administrative (privileged access) users and groups in Active Directory –

1. Objective: Limit access privileges on the AdminSDHolder object in Active Directory to mitigate risk of compromise of all privileged users and groups

2. Methodology:

1. Audit effective permissions on the AdminSDHolder object* to identify all individuals who currently have any of the Reset Password, Change-Member or Modify Permissions effective permissions granted

2. List all individuals who should not have these effective permissions

3. Use the effective permissions audit data to identify how they have these effective permissions, i.e. identify the underlying security permissions in the object’s ACL that grant them these effective permissions, then lock down those permissions

4. Re-assess effective permissions on the object to verify access lockdown

* Note: Strictly speaking, to account for the impact of any Self permissions, effective permissions should ideally be determined on each account and group protected by AdminSDHolder

Active Directory – Limiting Privileges: Example 3

• Limiting access privileges on a high-value domain user account (e.g. the CEO’s account) in Active Directory –

1. Objective: Limit access privileges on a high-value domain user account to mitigate risk of its compromise via unauthorized admin task enactment

2. Methodology:

1. Audit effective permissions on the target domain user account to identify all individuals who currently have the Reset Password* or Modify Permissions effective permissions granted

2. List all individuals who should not have these effective permissions

3. Use the effective permissions audit data to identify how they have these effective permissions, i.e. identify the underlying security permissions in the object’s ACL that grant them these effective permissions, then lock down those permissions

4. Re-assess effective permissions on the object to verify access lockdown

* Note: If the account is smart-card enabled, additionally identify who has sufficient effective permissions to disable the use of smart-cards on the target domain user account

Active Directory – Limiting Privileges: Example 4

• Limiting access privileges on a high-value domain security group (e.g. Board of Directors, Executives etc.) in Active Directory –

1. Objective: Limit access privileges on a high-value domain security group to mitigate risk of its compromise via unauthorized admin task enactment

2. Methodology:

1. Audit effective permissions on the target domain security group to identify all individuals who currently have the Write Property - Member or Modify Permissions effective permissions granted

2. List all individuals who should not have these effective permissions

3. Use the effective permissions audit data to identify how they have these effective permissions, i.e. identify the underlying security permissions in the object’s ACL that grant them these effective permissions, then lock down those permissions

4. Re-assess effective permissions on the object to verify access lockdown

Active Directory – Limiting Privileges: Example 5

• Limiting access privileges on all valuable IT assets stored in Active Directory (e.g. domain user accounts, security groups, OUs etc.) –

1. Objective: Limit access privileges on valuable Active Directory content to mitigate risk of compromise of specific IT assets in Active Directory

2. Methodology:

1. Audit effective permissions on all objects in Active Directory to identify all individuals who currently have the relevant effective permissions granted

2. List all individuals who should not have these effective permissions

3. Use the effective permissions audit data to identify how they have these effective permissions, i.e. identify the underlying security permissions in the respective object ACLs that grant them these effective permissions, then lock down those permissions

4. Re-assess effective permissions on all objects to verify access lockdown

Automating Privileged Access Audit in Active Directory

Active Directory – The Paramount Need for Automating Privileged Access Audits

• The need to automate effective privileged access audits in Active Directory is paramount to organizational cyber security because –

1. Active Directory is the foundation and core of every ‘information system’ (i.e. an IT infrastructure) powered by the Microsoft Windows Server platform

2. It stores and protects all building blocks of cyber security (including the ‘Keys to the Kingdom’) and enables secure access to all organizational IT resources

3. Excessive privileges in Active Directory could easily grant perpetrators network-wide privileged access, so organizations need to know, and limit, the access privileges in Active Directory at all times

4. Limiting access privileges in Active Directory requires organizations to assess effective permissions on Active Directory objects. However, assessing effective permissions on 1000s of objects in Active Directory one object at a time could take a considerable amount of time and effort

5. The need for efficiency and efficacy thus necessitates an automated approach to performing effective permissions/access audits in Active Directory

Active Directory – Two Illustrative Examples

• The following two simple examples illustrate the need to automate Active Directory effective privileged access audits –

1. Objective: Find out who can create user accounts in Active Directory

Methodology: 1) Identify all objects in Active Directory under which a domain user account can be created: Domain Root, 100 OUs and 25 Containers identified

2) Determine effective permissions one object at a time on domain root, 100 OUs and 25 containers: Determined; time-taken 126 minutes*

2. Objective: Find out who can reset user account passwords in Active Directory

Methodology: 1) Identify user accounts in Active Directory: 5000 accounts identified

2) Determine effective permissions one object at a time on 5000 domain user accounts: Determined; time-taken 5000 minutes*

* This assumes that an accurate automated Active Directory Effective Permissions Calculator, such as this one, was used to determine effective permissions. A non-automated (i.e. manual or semi-manual) approach would increase this time 60x i.e. it could take up to 1 hour per object, each time this needs to be done.

Active Directory – 5 Desirable Attributes of an Automated Privileged Access Audit Solution

• Any solution designed to automate the audit of effective privileged access in Active Directory should ideally be able to –

1. Automatically perform accurate effective permissions / effective access audits across a large number of objects, such as across an Active Directory domain

2. Deliver actionable insight by identifying exactly who effectively has what privileged access where in Active Directory, and how

3. Assess and report effective privileged access entitlements provisioned in Active Directory in terms of enactable administrative tasks

4. Assess specific access privileges (entitlements) i.e. audit who can enact a specific administrative task, e.g. assess Who can create user accounts

5. Efficiently audit effective access on 1000s of Active Directory objects i.e. do so in a reasonable amount of time, and ideally in a single assessment

Active Directory – Automated Solution Example

• An example of an automated Active Directory Administrative (Privileged) Access and Delegation Audit solution –

1. Instantly audit who can perform 100+ administrative tasks

2. For each administrative task, find out who can perform that task

3. For each user who can perform a task, identify all objects on which they can perform that task

4. For each user who can perform a task on a specific object, find out how they can perform that task on that object

Target any Active Directory container, OU or an entire Active Directory domain

The Gold Finger Active Directory Administrative Access and Delegation Audit Tool

Active Directory – The Gold Finger Audit Tool

• Gold Finger is the world’s only accurate and automated Active Directory Administrative (Privileged) Access and Delegation Audit Solution –

1. It can automatically audit effective permissions / effective access across an entire Active Directory domain at the touch of a button

2. It can instantly find out exactly who has what administrative (privileged) effective access in Active Directory, where and how

3. It can swiftly, efficiently and accurately analyze millions of Active Directory security permissions to determine effective access on 100s of 1000s of objects in Active Directory within minutes

4. It can be installed on any machine in less than 2 minutes

5. It does not require any Active Directory knowledge to use and it does not require any administrative/privileged access to run

5 Examples of Impact of Compromise

Active Directory – Impact of Compromise #1

• Consider the impact of compromise of a single domain user account in Active Directory (e.g. CEO’s account, a Domain Admin’s account etc.) –

• The compromise of a domain user account could give the perpetrator access to all IT resources (email, files, folders, apps, databases etc.) the user currently has access to

Note: Visual demonstrates simple 1-step Active Directory privilege escalation. Note that if the perpetrator already has sufficient effective permissions/access to reset the target user’s password, he can instantly reset the password (Step 1d) and logon as target user (Step 2)

Active Directory – Impact of Compromise #2

• Consider the impact of compromise of a single domain security group in Active Directory (e.g. All Employees, Top Secret Access, Domain Admins etc.) –

• The compromise of a domain security group could give the perpetrator access to all IT resources (email, files, folders, apps, databases etc.) currently protected by that group

Note: Visual demonstrates simple 1-step Active Directory privilege escalation. Note that if the perpetrator already has sufficient effective permissions/access to change the target group’s membership, he can instantly do so (Step 1d) & logon with target group in token (Step 2)

Active Directory – Impact of Compromise #3

• Consider the impact of compromise of a single domain computer account in Active Directory (e.g. an Admin/Executive’s Laptop, an HBI File Server etc.) –

• The compromise of a domain computer account could give the perpetrator access to all IT resources (files, folders, apps, databases etc.) stored/hosted on that computer

Active Directory – Impact of Compromise #4

• Consider the impact of compromise of a single Organizational Unit (OU) in Active Directory (e.g. an OU containing 1000s of accounts and groups) –

• The compromise of an OU could give the perpetrator complete control over all domain user accounts, security groups and other vital content stored in that OU

Note: Visual demonstrates simple 1-step Active Directory privilege escalation. Note that if the perpetrator already has sufficient effective permissions/access to modify permissions on target OU, he can instantly do so (Step 1d) & proceed to control entire target OU (Step 2)

Active Directory – Impact of Compromise #5

• Consider the impact of compromise of a single critical Active Directory object, such as the AdminSDHolder object in Active Directory –

• The compromise of the AdminSDHolder object could give the perpetrator complete control over all default administrative accounts and groups in Active Directory

Note: Visual demonstrates simple 1-step Active Directory privilege escalation. Note that if the perpetrator already has sufficient effective permissions/access to modify permissions on AdminSDHolder, he can instantly do so (Step 1d) & proceed to gain privileged access (Step 2)

5 Essential Active Directory Access Privilege Audit Tools

Active Directory – Essential Audit Tool #5

• Gold Finger Mini

World’s Only Active Directory Password Reset Analysis Tool –

Find out who can reset your or anyone’s (e.g. the CEO’s or a Domain Admin’s) domain user account’s password (Free, for a limited time)

This valuable insight can be used to quickly identify 1000s of password-reset based privilege escalation paths in any Active Directory domain in the world

Gold Finger Mini
Active Directory – Essential Audit Tool #4

• Gold Finger Active Directory ACL Viewer and Exporter

World’s Most Capable Active Directory ACL Analysis and Dump Tool –

View and export (both per-object and tree-wide) Active Directory ACLs and SACLs

Easily view and analyze Active Directory ACLs in complete detail

Target any Active Directory object, tree or partition. Use custom LDAP filters, control both scope and depth

Easily export results

Gold Finger Active Directory ACL / Security Permissions Viewer and Exporter
Active Directory – Essential Audit Tool #3

• Gold Finger Active Directory Permissions Analyzer

World’s Most Capable Active Directory Permissions Analysis Tool –

Analyze permissions (both per-object and tree-wide) in Active Directory

Easily specify rich analysis criteria

Find out who has the specified permissions

Find out where they have the specified permissions

View the exact permissions they have

Target any Active Directory object, tree or partition. Use custom LDAP filters, control both scope and depth

Easily export results

Gold Finger Active Directory Permissions Analyzer

Active Directory – Essential Audit Tool #2

• Gold Finger Active Directory Effective Permissions Calculator

World’s Only* Accurate Active Directory Effective Permissions Audit Tool –

Instantly and accurately determine the complete set of effective permissions on an Active Directory object

For each individual effective permission, find out who has that effective permission entitled on the object

Find out how a specific individual is entitled to a specific effective permission (i.e. which underlying permissions grant him/her this effective permission)

Target any Active Directory object in any partition

Easily export results

Gold Finger Active Directory Effective Permissions Calculator

Active Directory – Essential Audit Tool #1

• Gold Finger Active Directory Admin Access and Delegation Audit Tool

World’s Only Accurate and Automated Active Directory Privileged Access Audit Tool –

1. Instantly and accurately audit effective privileged access across an entire Active Directory domain (in terms of enactable administrative tasks)

2. For each enactable administrative task, find out who can perform that task

3. For each administrative task that a specific individual can perform, find out where in Active Directory he/she can perform that task

4. For each administrative task that a specific individual can perform on a specific Active Directory object, find out exactly how he/she can perform that task

Target any Active Directory object tree (container, OU or an entire domain)

Easily export results

Gold Finger Active Directory Administrative Access and Delegation Audit Tool

Also, a Trustworthy Free Active Directory Audit Tool

• Gold Finger Security Audit Tool (Free Version)

Finally, a Trustworthy Free Active Directory Audit Tool –

100+ Active Directory security audit reports

Instantly and easily view and analyze results

Target any Active Directory object, container, OU or domain. Use custom LDAP filters, control both scope and depth

The Gold Finger Active Directory Security Audit Tool (Free Version)

5 Special Active Directory Security Topics

100% of all major recent cyber security breaches (Snowden, Target, JP Morgan, Anthem, Sony, OPM) involved the compromise and misuse of just one Active Directory privileged user account

One Active Directory privileged user account is all that a perpetrator needs to gain system-wide unrestricted privileged access

One unauthorized access privilege in Active Directory is all that a perpetrator needs to become an Active Directory privileged user

Two of 100+ examples: anyone who holds the DS-Replication-Get-Changes-All extended right (the "Replicating Directory Changes All" right; together with DS-Replication-Get-Changes it is the pair DCSync uses) as an effective permission on the domain root, or Modify Permissions (WriteDacl) as an effective permission on the AdminSDHolder object, could instantly elevate privilege and become an Active Directory privileged user. The former can replicate every account’s credentials, including krbtgt; the latter can write any ACE into the template that SDProp stamps onto every protected admin account and group

One such incident could result in a massive cyber security breach
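The two rights just named can be read straight out of the relevant DACLs. The PowerShell below is an added example, not code from the deck and not Gold Finger; it assumes the RSAT ActiveDirectory module and a domain-joined session that can read these security descriptors. It generalizes the two checks into one function and resolves right names to GUIDs from the schema rather than hard-coding them. Note what it answers: who is explicitly granted these rights (Allow ACEs as written, without group expansion or deny precedence), i.e. "who has what permissions" in the deck’s terminology, so it is a starting point rather than an effective-permissions audit.

```powershell
# Added example (not from the original deck). Lists the trustees explicitly granted the two rights the
# slide names: DS-Replication-Get-Changes(-All) on the domain root, and WriteDacl (or the GenericAll /
# WriteOwner rights that imply it) on AdminSDHolder. Assumes the RSAT ActiveDirectory module and a
# domain-joined session that can read these security descriptors.
Import-Module ActiveDirectory

$rootDN   = (Get-ADDomain).DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext

# Map control-access-right names to GUIDs from the schema instead of hard-coding them
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
    ForEach-Object { $rightGuid[$_.Name] = [guid]$_.rightsGuid }
$dcsyncGuids = @($rightGuid['DS-Replication-Get-Changes'], $rightGuid['DS-Replication-Get-Changes-All'])

function Get-ExplicitGrants {
    # Returns every Allow ACE on the object that conveys one of the listed extended rights (or all extended
    # rights via an empty ObjectType) or a right that implies full control over the object's DACL.
    param([string]$DistinguishedName, [guid[]]$ExtendedRightGuids)
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $fullControl = $r.HasFlag($adr::GenericAll) -or $r.HasFlag($adr::WriteDacl) -or $r.HasFlag($adr::WriteOwner)
        $extRight    = $ExtendedRightGuids.Count -gt 0 -and $r.HasFlag($adr::ExtendedRight) -and
                       ($ace.ObjectType -eq [guid]::Empty -or $ExtendedRightGuids -contains $ace.ObjectType)
        if ($fullControl -or $extRight) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Trustee    = $ace.IdentityReference.Value
                Rights     = $r.ToString()
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# 1. Who can replicate secrets (DCSync): expect only domain controllers and the built-in admin groups here
Get-ExplicitGrants -DistinguishedName $rootDN -ExtendedRightGuids $dcsyncGuids | Format-Table -AutoSize

# 2. Who can rewrite the AdminSDHolder DACL (SDProp copies it onto every protected account/group, hourly by default)
Get-ExplicitGrants -DistinguishedName "CN=AdminSDHolder,CN=System,$rootDN" -ExtendedRightGuids @() | Format-Table -AutoSize
```

Any trustee in the first list that is not a domain controller or a built-in administrative group is a DCSync path; any trustee in the second that is not a built-in administrative group can rewrite the template for every protected account. An inherited ACE reported here was granted higher in the tree, so remediation belongs at the parent, not on the object.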


Active Directory Privilege Escalation

Active Directory Privilege Escalation based on the identification and exploitation of unauthorized access grants in Active Directory poses the #1 cyber security risk to organizations worldwide today –

• Today there exist 1000s of unauthorized/excessive access privileges in most Active Directory deployments worldwide, and consequently 1000s of privilege escalation paths in most Active Directory deployments

• Anyone who can identify these unauthorized/excessive access privileges in Active Directory could find these paths and exploit them to escalate privilege

• All insiders already have sufficient access to view and analyze access privileges in Active Directory (by default, any authenticated user can read the security descriptor of most objects). They only lack the know-how or tooling to determine effective permissions and find these privilege escalation paths

• This risk is 100% mitigatable. By correctly limiting access privileges in Active Directory, organizations can eliminate almost all privilege escalation paths

Active Directory Privilege Escalation continued

Unlike credential theft attack vectors, privilege escalation based on identification and exploitation of unauthorized access grants in Active Directory does not require a victim to log on to a machine the perpetrator controls –

In fact, the perpetrator can identify privilege escalation paths using any domain account from any domain-joined machine, then exploit them at any time of choice (e.g. 3:00 am)

The $ Billion Difference between Who has what permissions? AND Who has what effective permissions?

could be the difference between compromise and security. Here’s why –

• A user could be a member of numerous security groups (directly or via nested groups), some of which may be granted access while others may be denied the same access, either explicitly or via inheritance etc., and thus simply analyzing Who has what permissions cannot provide accurate insight

Example –

User: Larry Page

Member of:

1. IT Global Admins
2. IT Helpdesk Backup Team
3. IT Managers
4. IT Security Analysts
…
25. IT Staff

The $ Billion Difference between Who has what permissions? AND Who has what effective permissions? continued

In reality, the only factor that determines who actually has what access privileges in Active Directory is Who has what effective permissions –

• Effective permissions correctly take into account the entirety of a user’s security affiliations (group memberships etc.) and all relevant factors (permissions precedence, conflict resolution etc.) that influence the actual (resulting) access granted on an Active Directory object, and thus provide accurate insight

The $ Billion Difference between Who has what permissions? AND Who has what effective permissions? continued

Unfortunately most organizations mistakenly continue to focus their Active Directory access privilege audit efforts on Who has what permissions

• In doing so, they end up making substantially incorrect access control decisions and as a result vast amounts of exploitable unauthorized access continue to exist

• Sadly, most vendors don’t seem to know better either, so they too end up providing incorrect guidance to market their permissions analysis solutions

The $ Billion Difference between Reactive Auditing AND Proactive Effective Privileged Access Audit

could also be the difference between compromise and security. Here’s why –

1. Active Directory Auditing can help detect a potentially unauthorized change, but since it is a reactive measure, i.e. it occurs after the fact, it may already be too late as the damage may already have been done

2. An Effective Privileged Access Audit is a proactive measure that can help find out exactly who can enact a given change before the fact, thus helping ensure that only authorized individuals can enact changes

3. Organizations that rely solely on Active Directory auditing operate in the dark, at elevated risk levels, as they do not know a priori exactly who can enact what tasks in Active Directory. An excessive and unknown number of individuals could possess sufficient effective access to enact unauthorized changes, and the best the organization can do is rely on auditing to detect such changes

In contrast, organizations that perform effective privileged access audits operate in the know, at substantially lower risk levels, as they know a priori exactly who can enact what tasks in their Active Directory

The $ Billion Difference between Reactive Auditing AND Proactive Effective Privileged Access Audit continued

is best illustrated with an example –

Example: It’s 3:00 am on a Saturday morning. An audit log event indicates that a temporary contractor (who was not even supposed to have sufficient access to be able to do so) just reset a Domain Admin’s password. Now:

1. At an organization that relies solely on Active Directory Auditing, this already constitutes a major security incident, because even though it has been detected, it is already too late as the damage has already been done, i.e. an unauthorized user now holds a Domain Admin’s credentials and can log on as that Domain Admin

2. In contrast, at an organization that also performs Effective Privileged Access Audits, this would not even have occurred, as the organization would have already identified the contractor’s accidental unauthorized effective access during the audit and locked it down, eliminating any possibility of him/her being able to make this (or any other) unauthorized change in Active Directory
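The proactive and reactive sides of this example, and the "permissions versus effective permissions" point of the preceding slides, in code. The PowerShell below is an added example, not code from the deck and not Gold Finger; the contractor account name c.temp is hypothetical. It assumes the RSAT ActiveDirectory module, read access to object DACLs, and read access to a domain controller’s Security log. The effective-access function expands the user’s transitive group membership via the DC-computed tokenGroups attribute and walks each Domain Admin’s DACL in canonical order (explicit deny, explicit allow, inherited deny, inherited allow) for the Reset Password right; it is an approximation, since owner-implied rights, privileges such as SeRestorePrivilege and property sets are not modelled, and a complete audit must account for those too. The reactive half pulls the 4724 events that would only tell you about the reset after it happened.

```powershell
# Added example (not from the original deck). Proactive check: can a given user reset any Domain Admin's
# password, directly or through nested groups? Then the reactive view of the same act: Security event 4724.
# Assumes the RSAT ActiveDirectory module, read access to object DACLs, and read access to a DC's Security log.
Import-Module ActiveDirectory

$contractor = 'c.temp'    # hypothetical account name, assumed to exist in the domain

$configNC = (Get-ADRootDSE).configurationNamingContext
# "Reset Password" is the User-Force-Change-Password control access right; resolve its GUID from the schema
$resetPasswordGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(name=User-Force-Change-Password)' -Properties rightsGuid).rightsGuid

function Get-TokenSids {
    # Every SID the user's access token carries: the user, all groups transitively (tokenGroups is computed
    # by the DC and includes nested and domain local groups), plus Everyone and Authenticated Users.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($u.SID.Value) + @($u.tokenGroups | ForEach-Object { $_.Value })
    return $sids + @('S-1-1-0', 'S-1-5-11')
}

function Test-EffectiveExtendedRight {
    # Walks the DACL in canonical order (explicit deny, explicit allow, inherited deny, inherited allow);
    # the first ACE that matches a token SID and covers the right decides. Approximation: owner-implied
    # rights, privileges (e.g. SeRestorePrivilege) and property sets are not modelled.
    param([string]$ObjectDN, [string[]]$TokenSids, [guid]$RightGuid)
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $byTier = @($aces | Where-Object { -not $_.IsInherited } | Sort-Object { $_.AccessControlType -ne 'Deny' }) +
              @($aces | Where-Object {      $_.IsInherited } | Sort-Object { $_.AccessControlType -ne 'Deny' })
    foreach ($ace in $byTier) {
        # Inherit-only ACEs apply to children, not to this object
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights
        $coversRight = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                       ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                        ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $RightGuid))
        if ($coversRight) { return ($ace.AccessControlType -eq 'Allow') }
    }
    return $false   # no matching ACE: access is denied by default
}

# --- Proactive: effective "Reset Password" right on every Domain Admin, before anything happens ---
$token        = Get-TokenSids -SamAccountName $contractor
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object { $_.objectClass -eq 'user' }
$exposure = foreach ($da in $domainAdmins) {
    [pscustomobject]@{
        DomainAdmin = $da.SamAccountName
        CanReset    = Test-EffectiveExtendedRight -ObjectDN $da.DistinguishedName -TokenSids $token -RightGuid $resetPasswordGuid
    }
}
$exposure | Where-Object CanReset | Format-Table -AutoSize

# --- Reactive: the same act after the fact. 4724 = "An attempt was made to reset an account's password" ---
$dc      = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$daNames = $domainAdmins.SamAccountName
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Actor = $d['SubjectUserName']; Target = $d['TargetUserName'] }
    } |
    Where-Object { $daNames -contains $_.Target } | Format-Table -AutoSize
```

A non-empty first table is the finding the audit exists to produce: the contractor’s token reaches an Allow ACE for Reset Password on a protected account, typically through a group nobody remembered nesting, and it can be fixed before the event ever appears in the second table. Because Domain Admins members are protected by AdminSDHolder, their DACLs carry no inherited ACEs, so a hit here usually means an explicit ACE that SDProp stamped from the AdminSDHolder template itself.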

7 Common Misconceptions

• Many organizations mistakenly assume that the presence of one or more of the following privileged access security solutions obviates the need to limit access privileges in their foundational Active Directory –

1. Active Directory Auditing

2. Enterprise Random Password Manager

3. Enterprise Password Vault

4. Advanced Threat Analytics / Privileged Threat Analytics

5. Privileged Session Manager

6. On-Demand Privilege Manager

7. Smart cards for two-factor authentication

• Here’s why these misconceptions seriously endanger their security – see “7 Common Misconceptions about Privileged Access Solutions” at http://www.paramountdefenses.com/privileged-account-security-solution-misconceptions.html

10 Elemental Questions

• Organizations that operate on Microsoft Active Directory must at a minimum have answers to the following 10 elemental cyber security questions –

1. Do we know how secure our foundational Active Directory is today?

2. Who is responsible for the security of our foundational Active Directory?

3. Is Active Directory security a top/high organizational cyber security priority?

4. Is our Executive Management team aware of the implications of a cyber security breach of the organization’s foundational Active Directory?

5. How secure are our domain controllers, backups and admin workstations?

6. Exactly how many Active Directory privileged users do we have?

7. Who can manage our Active Directory privileged accounts and groups?

8. Who can replicate secrets (account credentials) from our domains?

9. Who can manage sensitive Active Directory configuration settings?

10. Who can manage our Active Directory content, such as all vital domain user and computer accounts, security groups and organizational units?

Accountability

• An Accountability Chain is vital for providing and ensuring the cyber security of an organization’s foundational Active Directory –

Enterprise Admin → Director/VP, Mission-Critical Infrastructure Operations → CISO → CIO → CEO

• The merits of an accountability chain shall be self-evident to organizations

The Paramount Brief

• The Paramount Brief is an executive summary that describes the business impact to an organization of not knowing who has what effective access privileges in their foundational Active Directory –

• It applies to all organizations that run (operate) on Active Directory

The very simple question: Who runs on Active Directory today?

is best answered with another simple question: Who doesn’t?

Summary

Active Directory Security – Summary


• The following are the key takeaways from this presentation –

1. Active Directory is the very foundation of organizational cyber security, thus its security must be the organization’s top cyber security priority

2. Securing Active Directory involves protecting all DCs and backups, admin (privileged) users and workstations, and equally importantly its contents

3. At the heart of Active Directory security lie millions of access privileges inside Active Directory that protect its contents i.e. all building blocks of cyber security

Limiting access privileges that lie inside Active Directory is thus paramount

4. It is ‘who has what effective permissions’, not ‘who has what permissions’ that determines the actual access privileges provisioned in Active Directory

Limiting access privileges in Active Directory thus involves accurately assessing and locking down ‘effective permissions/access’ on Active Directory content

Organizations that need to swiftly/efficiently assess effective permissions/ access in Active Directory can perform an ‘effective privileged access audit’

5. Accountability is vital and organizations are only as secure as is their Active Directory

Just one more thing…

Some say “Privilege is Everywhere”


Of course it is, but not all privilege is equal!

There is a Privileged Access Hierarchy:

1. Active Directory Unrestricted Privileged Access Users

These users have unrestricted system-wide privileged access

2. Active Directory Restricted (Delegated) Privileged Access Users

These users have limited system-wide privileged access

3. Machine-Local Privileged Access Users

These users only have machine-wide privileged access

So you see, the majority of all high-impact (system-wide) privilege resides inside Active Directory, and it is Active Directory effective permissions/effective access that govern who actually has what level of privilege across the network / in the information system.


Thank You

Active Directory Security – Helpful Pointers


• The following are some helpful Active Directory security related pointers –

1. A simple contextual perspective on the role of Microsoft Active Directory in cyber security worldwide

2. Active Directory Privileged Access Insight – Valuable insight on a. Privileged Access, b. Impact of Compromise, c. Attack Surface, d. Active Directory Privilege Escalation, e. Attack Vectors, f. Threat Sources and g. Risk Mitigation

3. Cyber Security Requirements for Financial Services Companies

In information systems (i.e. IT infrastructures/networks) that operate on Microsoft Windows Server, Section 500.07 of this regulation (Access Privileges) applies to access privileges within Active Directory

4. How to Assess Access Privileges in an Information System

In information systems (i.e. IT infrastructures/networks) that operate on Microsoft Windows Server, this patent governs the assessment of access privileges in Microsoft Windows and Active Directory

5. Microsoft’s Official Active Directory Delegation Whitepaper and Active Directory Security Whitepaper

Note: Since Microsoft has retired Windows Server 2003 related content, this documentation is now only available as a single downloadable PDF from Microsoft

6. A helpful Active Directory Security Resource Center and three helpful Active Directory Security Checklists

7. A list of Active Directory Security Permissions and an illustration of Active Directory Effective Permissions

8. A list of valuable Active Directory Audit Tools and some of Microsoft’s free Active Directory Audit Tooling

9. An overview of and three options on how to perform an Active Directory Effective Privileged Access Audit

10. A community of Active Directory security professionals – Active Directory Professionals Security Group

Active Directory Security – Helpful Insights


• The following are some helpful insights on Active Directory security –

From the Cyber Security Blog –

1. A Simple $ 100 Billion Question to Microsoft

2. A Letter to Benjamin Delpy Regarding Mimikatz & Active Directory Security

3. Paramount Defenses to Donate Up To $50 Million in Microsoft Active Directory Audit Software

4. The Paramount Brief and The Paramount Brief – Declassified and Substantiated

5. OPM Data Security Hack : Trillion $ Privileged Access Insight

6. Sony Hack: Too Easy and Predicted by the Paramount Brief 5 Years Ago

7. Claim by Aorato "Critical Design Flaw in Microsoft Active Directory Could Allow Password Change" is Incorrect

8. Active Directory Privilege Escalation

From the Active Directory Security Blog –

1. How to Prevent the Use of Mimikatz DCSync feature to perform Credential Theft from Active Directory

2. Active Directory Beyond the MCSE for the Black Hat Conference 2016

3. Active Directory Security 101 for the World and the Black Hat Conference 2016

4. How to Identify and Minimize Privileged Users/Accounts in Active Directory

5. How an APT Could Compromise any Active Directory Within Minutes

6. The Active Directory Permissions and Effective Permissions Analysis Challenge - Solved

7. The Difference Between a Password Change and a Password Reset

8. Kerberos Token Bloat – Details, Examples, Token Size Calculation Tools and Security Implications

About the Author

Sanjay Tandon is the Founder and CEO of Paramount Defenses, one of the world’s top cyber security companies today. Prior to Paramount Defenses, Mr. Tandon was Program Manager for Active Directory Security on Microsoft’s Windows Server Development Team at Microsoft Corporation (2001 – 2005). Mr. Tandon is also the author of Microsoft’s official whitepaper ‘Best Practices for Delegating Administration in Active Directory’. While at Microsoft Mr. Tandon helped improve the cyber security posture of numerous Fortune 100 companies and government agencies around the world.

Mr. Tandon is also the architect of Gold Finger, the world’s most capable suite of Active Directory Audit Tools, & Gold Finger 007G, the world’s most powerful and valuable cyber security solution.

Online at - http://www.paramountdefenses.com/leadership.html

About Paramount Defenses

Paramount Defenses is one of the world’s most innovative, important and valuable cyber security companies. Established in 2006, it was founded by and is led by the former Microsoft Program Manager for Active Directory Security.

It uniquely empowers organizations in 6 continents worldwide to secure and defend the very foundation of their cyber security, their foundational Active Directory deployments. It develops the world’s most capable suite of Active Directory security, access and effective access audit tools. Its innovative patented intellectual property governs the precise assessment of access privileges in information systems worldwide.

From the United States Government to numerous Fortune 10 and Fortune 100 companies, today its global customers include the world’s most important and valuable organizations worldwide.

Online at - http://www.paramountdefenses.com