Gold Finger Mini
In any IT infrastructure, the security of every individual's user account, from the CEO to the Domain Admin, & from every employee to every contractor, is protected by that user account's password.
Passwords are often complex and people can sometimes forget their passwords, so the system provides IT personnel the ability to reset a user's password, so that they can help users log back in.
The ability to reset a user's password is governed by a specific permission, the Reset Password extended right, which can be granted to specific IT users or groups on a user's account.
Active Directory lets administrators delegate operations such as password resets precisely, but it provides no equally precise way to assess that delegated access. IT groups can grant the Reset Password extended right to specific users, yet they cannot easily determine who, once every group membership and inherited permission is taken into account, actually holds that right on any given user account.
Over time, as business needs change, so do the provisioned access and administrative delegations in Active Directory, and the actual state of access can drift far from what was originally intended.
As a result, in most Active Directory environments today, many more individuals than intended (i.e. than should be able to) can reset the passwords of most Active Directory user accounts.
Malicious perpetrators know that the easiest way to compromise any user's account, and instantly get access to everything that account has access to, is by resetting that user account's password.
For instance, as illustrated above, if someone could reset the password of the CEO's account, they could instantly log in as the CEO and obtain access to everything the CEO currently has access to.
Since it only takes seconds to reset a password, all that a perpetrator needs to do to compromise an account is to find out who can reset that account's password and target that person's account.
In fact, it is this simple premise that when iterated, forms the basis of Active Directory Privilege Escalation, the world's #1 cyber security risk that endangers over 85% of all organizations today.
It turns out that finding out who can reset the password of which domain user account is very difficult and time-consuming today, because it requires deep security expertise. Technically, it requires accurately determining effective permissions (effective access) on Active Directory domain user accounts, which is very hard to do with 100% accuracy: every ACE in the account's ACL, explicit and inherited, Allow and Deny, has to be evaluated against every group a principal belongs to, including nested groups.
Active Directory's built-in Effective Permissions tab is, by its own caveat, only an approximation, and it evaluates one specified principal at a time against one object. Thus, in an organization with 1,000 user accounts, one would have to enter 1,000 user account names by hand to determine, and only approximately, who can reset a single account's password.
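To make the underlying mechanism concrete, here is an added PowerShell example (not Gold Finger Mini's code, and not its assessment technology) that reads the ACL of one user object and lists every ACE that carries the Reset Password extended right, either directly, through an "all extended rights" ACE, or through GenericAll. The distinguished name is a hypothetical placeholder. Note what this does and does not give you: it is the raw ACE listing, not the effective-access result the text describes. Each trustee still has to be expanded through nested group membership, Deny ACEs have to be applied with their precedence rules, and for protected accounts the ACL is periodically overwritten from AdminSDHolder; resolving all of that per principal is exactly the hard part.

```powershell
# Added example: enumerate ACEs on one AD user object that grant the
# Reset Password extended right. Run on a domain-joined Windows host
# as a principal that can read the object's security descriptor.
function Get-ResetPasswordAces {
    param([Parameter(Mandatory)][string]$UserDN)

    # rightsGuid of the "Reset Password" control access right
    # (User-Force-Change-Password) in the AD schema.
    $ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    # An ExtendedRight ACE with an empty ObjectType covers every extended right.
    $AllExtendedRights = [Guid]::Empty
    $Rights = [System.DirectoryServices.ActiveDirectoryRights]
    $InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $entry = [ADSI]"LDAP://$UserDN"
    # Ask for SIDs rather than account names so an orphaned SID
    # (a deleted trustee) does not abort the whole call.
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        # Inherit-only ACEs exist for propagation to children and do not
        # apply to this object itself.
        if (($ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }

        $hasExtendedRight = ($ace.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0
        $targetsReset     = ($ace.ObjectType -eq $ResetPasswordGuid) -or
                            ($ace.ObjectType -eq $AllExtendedRights)
        $hasGenericAll    = ($ace.ActiveDirectoryRights -band $Rights::GenericAll) -eq $Rights::GenericAll

        if (-not (($hasExtendedRight -and $targetsReset) -or $hasGenericAll)) { continue }

        # Resolve the SID to DOMAIN\name where possible; print the raw SID otherwise.
        try   { $trustee = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $ace.IdentityReference.Value }

        [pscustomobject]@{
            Trustee    = $trustee
            Type       = $ace.AccessControlType   # Deny ACEs are listed too; they override Allows
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType          # empty GUID = all extended rights
            Inherited  = $ace.IsInherited
        }
    }
}

# Hypothetical target account; replace with a real DN in your domain.
Get-ResetPasswordAces -UserDN 'CN=CEO,OU=Executives,DC=corp,DC=example' |
    Format-Table -AutoSize
```

Reading the output: a Trustee that is a group (say, a tier-2 helpdesk group) means everyone in that group, and in every group nested inside it, can reset this password, which is why the ACE list alone understates the real set of people. An Allow that is inherited is overridden by an explicit Deny on the same object for the same trustee, so a Deny row should be checked against the Allow rows before concluding that anyone listed actually has the right.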
If it were possible to easily find out exactly who can reset whose password in Active Directory, anyone could very easily and quickly compromise virtually anyone's domain user account.
Gold Finger Mini makes it possible for anyone to instantly find out exactly who can reset any domain user account's password in any Active Directory domain, within seconds, at a button's touch.
Gold Finger Mini embodies our unique, patented effective access assessment technology & empowers organizational IT personnel and IT security penetration testers to instantly uncover exactly –
- Who can reset the password of their own domain user accounts?
- Who can reset the password of the domain user account of any other user, including those of contractors, administrators and executives?
In addition, to help IT personnel and pen testers prove their findings, it also includes a built-in password reset capability which can be used to reset the password of any* domain user account.
Unmatched Ease of Use
If you can touch a button, you can instantly find out exactly who can reset whose password...
...it's really as simple as that.
You can now instantly deploy and use Gold Finger Mini in any Active Directory deployment in the world, within 2 minutes –
(Gold Finger Mini may not run on a Windows 10 PC)