-
What types of reports can Gold Finger generate?
Gold Finger can generate two essential types of reports for organizations – security reports and access reports.
Security reports provide basic insight into the security state of IT resources stored in Active Directory, such as user accounts, security groups and service connection points.
Access reports provide essential insight into who can do what (i.e. perform what tasks) on IT resources stored in Active Directory, such as identifying who can reset user account passwords or delete existing accounts.
An example of an access report is "The list of all individuals who can enable currently disabled user accounts".
-
How long does Gold Finger take to generate reports?
Gold Finger can generate all 400 security reports and all 25 access reports in an entire Active Directory domain within minutes, and at the touch of a single button.
-
How does an access report differ from a security report?
A security report provides an overview of a certain aspect of operational security, while an access report provides specific insight into who can change the security state of a specific IT asset, or a set of IT assets.
An example of a security report would be "List of all disabled user accounts" which could help an organization identify all user accounts that are usable but currently disabled, and thus out-of-commission.
An example of an access report would be "Individuals who can enable disabled user accounts" which could help an organization identify all individuals who are currently sufficiently privileged to be able to enable one or more disabled user accounts, resulting in these accounts being re-commissioned for use.
-
Why is it so important to generate accurate access reports?
The ability to generate accurate access reports is paramount to security, because, at every point in time, organizations absolutely need to know who is entitled to perform which security-sensitive administrative tasks in their environments.
For example, at the very least, it is absolutely essential to know precisely how many individuals (and who) can reset the passwords of executive and IT admin user accounts, such as that of the CEO, CFO, CIO, and all Domain, Enterprise and delegated administrators.
Similarly, it is equally essential to know precisely how many individuals (and who they are) can enact privileged administrative tasks such as creating and deleting user accounts, modifying security group memberships and modifying security policies that may be protecting organizational computers.
All organizations, including those that operate on a shared trust model, should always know precisely who can do what in their IT infrastructure, and must audit all-powerful administrative grants on a regular basis.
-
Why might an organization's shared trust administrative model be insufficient from a security perspective?
Many organizations operate on a trust basis, wherein only a handful of highly trusted IT admins are granted all-powerful administrative privileges, providing a semblance of security with regard to administrative access.
Unfortunately, it is not sufficient to operate on a trust basis because the threat of potential misuse of authority is most often not from these IT admins but rather from individuals who could assess administrative entitlements to find just ONE unauthorized administrative entitlement to exploit.
For example, anyone with a domain user account could (with some skill or the right tools) assess security permissions in Active Directory and easily determine the identities of all individuals who could reset a Domain Admin's password, then proceed to determine who could reset these individuals' passwords, and so on.
In just a few minutes, one could plausibly uncover an unauthorized administrative entitlement that exists and that is exploitable. Once discovered, it would take just a few minutes to enact a few administrative tasks and instantly elevate privilege to that of a Domain Admin.
What makes this threat really worrisome is that by default anyone with a valid Active Directory domain user account has all the permissions needed to assess permissions in Active Directory, and that such assessments only involve read access and thus are almost never audited, so they are very hard to detect.
In effect, with the right skills or tools, any organizational user could easily assess, uncover and potentially exploit unauthorized administrative access grants to compromise security. This is why an organization's shared trust administrative model is almost always insufficient from a security perspective, and provides a false sense of security.
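The chained assessment described above can be run by the organization itself as an audit. The following is an added example, not Gold Finger's code or output: it assumes the effective "reset password" entitlements have already been determined, and walks them backwards from the Domain Admin accounts to list every principal outside an approved set that can reach one through a chain of resets. All account names and entitlements are constructed sample data.

```python
from collections import deque

# Constructed sample data: effective "reset password" entitlements as
# (principal, target account) pairs. All names are hypothetical.
RESET_RIGHTS = [
    ("da-alice", "da-bob"),
    ("svc-backup", "da-bob"),
    ("helpdesk-carol", "svc-backup"),
    ("intern-dave", "helpdesk-carol"),
    ("hr-erin", "user-frank"),
]
DOMAIN_ADMINS = {"da-alice", "da-bob"}
AUTHORIZED = {"da-alice", "da-bob"}  # approved to control Domain Admin accounts


def reset_chains(rights, protected):
    """Map each principal that can reach a protected account through one or
    more password resets to the shortest such chain (principal first)."""
    resetters = {}  # reverse index: target -> principals who can reset it
    for principal, target in rights:
        resetters.setdefault(target, set()).add(principal)

    chains = {}
    seen = set(protected)  # also stops cycles in the entitlement graph
    queue = deque((acct, [acct]) for acct in sorted(protected))
    while queue:  # breadth-first, so the first chain found is the shortest
        account, path = queue.popleft()
        for principal in sorted(resetters.get(account, ())):
            chains.setdefault(principal, [principal] + path)
            if principal not in seen:
                seen.add(principal)
                queue.append((principal, [principal] + path))
    return chains


def unauthorized_chains(rights, protected, authorized):
    """Chains held by principals outside the approved set: the audit findings."""
    found = reset_chains(rights, protected)
    return {p: c for p, c in found.items() if p not in authorized}


if __name__ == "__main__":
    findings = unauthorized_chains(RESET_RIGHTS, DOMAIN_ADMINS, AUTHORIZED)
    for principal, chain in sorted(findings.items(), key=lambda kv: len(kv[1])):
        print(f"{principal}: " + " -> ".join(chain))
```

Each finding is an entitlement to review and remove or justify; the longer chains are the ones a one-hop review of who can reset a Domain Admin's password does not show.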