
The power of knowledge, at the touch of one button...


Gold Finger is an IT security analysis software solution that automates the accurate assessment of resultant access in Active Directory and empowers organizations to attain and maintain least–privileged access to vital Active Directory content.


Its patent–pending security analysis abilities deliver an essential risk management capability called access assessment, which empowers organizations to precisely determine who is provisioned / delegated what access to organizational IT resources.




Quick Overview


An Innovative Solution to an Urgent Problem

Organizations running on Microsoft's Windows Server are at a serious risk of compromise today, stemming from the pervasive presence of unauthorized administrative delegation grants in Active Directory that are easily discoverable and exploitable.

Gold Finger, architected by former Microsoft Program Manager for Active Directory security, completely automates the accurate assessment of provisioned access in Active Directory and instantly determines and reveals the identities of everyone who can perform vital identity and access management related administrative tasks, all at the touch of a single button.

It gives IT administrators an opportunity to swiftly and efficiently identify and eliminate unauthorized delegation grants in their Active Directory, before they can be discovered and exploited by malicious entities to gain complete control and inflict damage.

Gold Finger thus automates and delivers an essential risk management capability that allows organizations to efficiently attain and maintain least–privileged access to vital Active Directory content, saving them valuable time and significant effort and cost.


To download a brochure, please click here (pdf).




Detailed Overview



A Fundamental Question

Today organizations employ user accounts to uniquely identify and authenticate users, security groups to authorize access to IT resources and security policies to protect computing devices.

In essence organizations rely on these fundamental security building blocks (user accounts, security groups and security policies) to protect the entirety of their information and IT assets.

What if these very security building blocks are compromised? What if someone could –

  1. Compromise a user account by resetting its password?
  2. Turn off the need to have smartcard authentication for user accounts?
  3. Compromise all user accounts by weakening password protection policies?
  4. Modify a security group protecting confidential high business impact files or folders?
  5. Modify a security policy protecting mission–critical laptops, desktops or servers?

The need to know exactly who has what access to which IT resources is thus paramount to security. Without it, there can be no assurance of security, and without assurance, there can be no security.





A Paramount Need

Accordingly, the need to know precisely who all can enact the following sensitive identity and access management tasks is paramount to operating a secure IT infrastructure and to demonstrating regulatory compliance –

  1. Create and delete user accounts
  2. Reset user account passwords
  3. Disable and unlock user accounts
  4. Control domain security policies
  5. Create, delete or modify security groups
  6. Manage Kerberos trust relationships
  7. Delegate these administrative tasks
  8. Manage high–value user accounts

Organizations that do not know precisely who all can perform these tasks are not only vulnerable to compromise, but may also be furnishing inaccurate evidence to demonstrate regulatory compliance.





A Global Problem

Over 85% of all IT infrastructures worldwide run on Microsoft's powerful Windows Server OS.

At the foundation of identity and access management in Windows Server based IT infrastructures lies Active Directory, Microsoft's enterprise directory service, which enables and delivers mission-critical enterprise-wide security, policy and IT management.

In Windows based IT infrastructures, vital IT assets such as user and computer accounts, security groups and policies are all stored and secured in Active Directory, and administrative responsibilities for their management (including account management, password resets, access provisioning, email, remote access and helpdesk support) are all delegated in Active Directory.

Today, the means to determine, to a trustworthy degree, who has access to what IT resources, including vital IT assets (such as user accounts and security groups) that are stored in Active Directory, is completely non–existent, leaving the very building blocks of security, insecure.

Consequently, organizations worldwide today are exposed to the real risk of real compromise.





Elemental Causes

While Active Directory provides a powerful security model, four elemental factors make it a challenge to precisely determine who is delegated what administrative responsibilities and who is provisioned what access –

  1. Constantly changing access requirements, driven by constantly changing business needs
  2. Distributed access management responsibilities, a necessity at large organizations,
  3. Continued presence of previously delegated access grants, that are no longer required, and
  4. The complete non–existence of any accurate (and thus reliable) access assessment tools.

Consequently, at most organizations today, an alarmingly large number of individuals possess unauthorized administrative privileges and entitlements (such as the ability to reset passwords), and no one (not even IT admins) knows precisely who is delegated what administrative access.

As a result, today there exist thousands of security privilege escalation paths in organizations running on Windows Server, that could be easily exploited to compromise the security of all organizational IT and information assets protected using Active Directory accounts, groups and policies.





Innovative Solution

Gold Finger, architected by former Microsoft Program Manager for Active Directory security, completely automates the accurate assessment of provisioned access in Active Directory.

Its patent–pending access assessment capabilities accurately assess all pertinent security permissions and access rights and generate simple, accurate and archivable reports that document who is provisioned (i.e. delegated) what access, not just in terms of the resultant set of permissions, but rather in terms of the resultant set of administrative tasks delegated/allowed.

By completely automating the precise determination of resultant access grants in Active Directory, Gold Finger completely obviates the need for IT organizations to manually determine resultant access on thousands of vital IT assets stored in Active Directory, thereby saving them thousands of hours of valuable time and providing them with vital access information in a timely fashion.

Today, Gold Finger empowers organizations to reliably assess access on, and consequently secure, IT assets stored in their Active Directory. Tomorrow it will empower them to reliably secure additional IT assets across the enterprise.





Powerful Capabilities

At the touch of a single button, and within minutes, Gold Finger can precisely determine and reveal (via generated reports) who all in the organization can perform the following identity and access management related tasks –

  1. Change mission-critical domain security policies (e.g. Account Lockout Duration)
  2. Modify the membership of a vital security group (e.g. Domain Admin group)
  3. Disable the requirement of smartcard authentication for user accounts
  4. Alter vital group policies linked to organizational units or domain
  5. Modify service principal names (SPNs) associated with a service
  6. Create user accounts, security groups and security policies
  7. Reset user account passwords (e.g. CEO's password)
  8. Disable requirement for Smartcard authentication
  9. Disable and unlock user and service accounts
  10. Sub-delegate administrative authority





Valuable Benefits

The patent–pending capabilities of Gold Finger empower organizations to –

  1. Instantly and precisely determine who is delegated / provisioned what access on vital IT assets (user accounts, security groups and policies etc.) stored in their Active Directory,

  2. Reliably assess, lock down, provision & maintain least–privileged access to these vital IT assets that constitute the foundational elements of organizational information security,

  3. Effortlessly generate and furnish accurate access assessment reports to demonstrate regulatory compliance, mitigating the risk of being liable for furnishing false evidence.





Global Recognition

Gold Finger is quite simply the world's first access entitlement assessment solution.

Its innovative patent–pending access assessment capabilities set a new standard in the security analysis space and have been recognized globally, both by Microsoft Corporation and by the RSA Conference, the world's premier information security conference.

In recognition of Gold Finger's innovative capabilities, Paramount Defenses was recently recognized as one of the world's Top-10 Most Innovative Security Companies at the RSA Conference, 2007, which was keynoted by Bill Gates and former U.S. Secretary of State, General Colin Powell.

In recognition of the value delivered by Gold Finger to its customers, Microsoft recognizes Paramount Defenses as a valued Microsoft partner in the Identity and Access (Id&A) management space.








Copyright Paramount Defenses Inc. 2006 – 2008. All Rights Reserved.