-
What IT security risk does Gold Finger help organizations mitigate?
Gold Finger helps organizations mitigate the security risk of unauthorized privilege escalation and its subsequent misuse, which is made possible by the presence of unauthorized administrative access grants in Active Directory.
Specifically, most Active Directory deployments are very likely to contain powerful delegated administrative access grants that should not exist. Over time, numerous individuals are delegated and undelegated access, but because it is inherently difficult to precisely specify and assess delegated access in Active Directory, delegated access grants are seldom completely or reliably revoked, and thus remain largely undetected for months or years.
The presence of these unauthorized delegated administrative access grants poses a clear and present danger to organizational security, because it provides malicious entities an easy avenue to obtain and subsequently misuse administrative power, whether over a small or a large set of Active Directory objects.
-
How serious is this security risk?
This is a very serious risk because the potential for inflicting damage on the organization is colossal, the attack surface is vast, the effort required to enact the threat is minimal, and one of only two technical requirements needed to enact the threat is already satisfied. An attacker needs to find just ONE security privilege escalation path to completely compromise organizational security.
For details or a demonstration, please contact Paramount Defenses Inc.
-
How easy is it to identify and exploit unauthorized administrative access grants?
These unauthorized delegated administrative access grants are not very difficult to identify because all that is technically required to identify these grants is access to Active Directory security permissions, and in Active Directory this access is granted by default to everyone with a domain user account.
With read access to Active Directory security permissions available, the identification of unauthorized access grants simply requires the application of moderate Active Directory security expertise, or the use of a tool which partially or completely (e.g. Gold Finger) automates the identification of provisioned access grants.
Once identified, the exploitation of an unauthorized access grant is a relatively simple operation that only requires the enactment of a common administrative task, such as resetting a user account's password.
-
What is the likelihood of someone identifying and exploiting unauthorized administrative access grants?
With the entire user population of an Active Directory deployment having sufficient read access to Active Directory security permissions by default, potentially any individual with a domain user account could attempt to identify and exploit unauthorized administrative grants.
With the potential of being rewarded with administrative access, the motivation, and thus likelihood, for attempting to identify and exploit unauthorized administrative access seems plausibly high.
-
How does Gold Finger help organizations mitigate this security risk?
This security risk is posed by the existence of unauthorized delegated / provisioned administrative access grants that are hard to identify with the naked eye and/or by a simple assessment of Active Directory security permissions.
The most difficult part of mitigating this unique security risk is identifying these unauthorized access grants, for once identified, these grants can be instantly revoked by IT admins with relative ease.
Gold Finger makes the identification of these unauthorized administrative access grants as easy as touching a single button, thereby empowering organizations to instantly identify all unauthorized access grants, and enabling organizational IT admins to then effortlessly eliminate these grants before they can be identified and potentially exploited by malicious entities seeking to inflict damage or compromise security.
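As an added illustration (not Paramount Defenses' code and not a description of how Gold Finger works), the sketch below reads the SDDL form of a user object's security descriptor, lists the trustees whose allow ACEs cover the Reset Password extended right, and reports those missing from an approved list. The DNs, SIDs, descriptors and the `APPROVED` set are constructed, and the check ignores deny ACEs and group membership, which is why a raw permission listing like this falls short of an effective-access assessment.

```python
import re

RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
RIGHT_BITS = {"GA": 0x10000000, "CR": 0x100}  # generic all, control access

def pairs(field):
    """Split an SDDL field made of two-letter codes (flags or rights)."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def mask(rights):
    """Return the GA/CR bits of an SDDL rights field given as hex or as codes."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    bits = 0
    for code in pairs(rights):
        bits |= RIGHT_BITS.get(code, 0)
    return bits

def reset_password_grants(sddl):
    """Trustees whose allow ACE on this object covers the Reset Password right."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or "IO" in pairs(flags):
            continue  # skip deny/audit ACEs and inherit-only ACEs
        bits = mask(rights)
        covers = obj.lower() in ("", RESET_PASSWORD)  # empty GUID = all extended rights
        if bits & RIGHT_BITS["GA"] or (bits & RIGHT_BITS["CR"] and covers):
            found.append(trustee)
    return found

def unapproved_grants(objects, approved):
    """Map each DN to reset-password trustees missing from the approved set."""
    report = {}
    for dn, sddl in objects.items():
        extra = [t for t in reset_password_grants(sddl) if t not in approved]
        if extra:
            report[dn] = extra
    return report

# Constructed sample data: the domain, SIDs and descriptors are invented.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "CN=Alice,OU=Staff,DC=example,DC=test": "O:DAG:DAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
        f"(OA;;CR;{RESET_PASSWORD};;{DOM}-1105)(OA;CIID;CR;{RESET_PASSWORD};;{DOM}-1650)(A;;RPLCLORC;;;AU)",
    "CN=Bob,OU=Staff,DC=example,DC=test": f"O:DAG:DAD:AI(A;;0xf01ff;;;DA)(OA;CIIO;CR;;;{DOM}-1650)",
}
APPROVED = {"DA", "SY", f"{DOM}-1105"}  # assumed documented delegations
print(unapproved_grants(SAMPLE, APPROVED))
```

Any trustee it reports is a candidate for review against the organization's delegation records before the grant is revoked.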