Privileged Access is the new holy grail for perpetrators for in it lie the proverbial Keys to the Kingdom, and the compromise of a single privileged user account could jeopardize the security of the entire organization and cause a massive breach.
Privileged Access - The Keys to the Kingdom
Obtaining privileged access in an organization is the new holy grail for malicious perpetrators, because once someone has privileged access, they have the "Keys to the Kingdom".
They can then circumvent or disable any security control and easily, access, copy, tamper, steal and/or divulge virtually any and every organizational IT asset, and do so very quickly.
Given that the compromise of a single privileged account could easily result in colossal damage, accurate identification and adequate protection of privileged users is paramount to organizational cyber security, and must be priority #1.
Accurate Identification of Privileged Users is Paramount
The adequate protection of privileged users is paramount.
However, before an organization can adequately protect its privileged users, it must be able to accurately identify them.
After all, one cannot protect what one cannot identify, and even just one unidentified and thus unprotected account would be sufficient for perpetrators to compromise Active Directory.
Thus, to adequately protect privileged users, organizations must first adequately understand what constitutes a privileged user.
Today, unfortunately, most organizations do not yet sufficiently understand what constitutes a privileged user, and for many, privileged users begin and end with Domain Admins.
Domain Admins are just the tip of the iceberg ; there exist far many more equally privileged users inside Active Directory.
Three Types of Privileged User Accounts
There are three (3) types of privileged user accounts in every Windows Server based network, and they are not equal -
Domain Unrestricted Admin Accounts - These accounts are all-powerful Active Directory domain accounts that by default can access all resources on all computers in an Active Directory domain. E.g. Domain Admins
Domain Delegated Admin Accounts - These accounts are Active Directory domain accounts that have been delegated all sorts of privileged access on thousands of users, computers and groups inside Active Directory.
Machine Local Admin Accounts - These accounts are local accounts that exist on every Windows computer and their scope is limited to being able to access resources on that computer, thus they have the least amount of privilege.
Of these, the scope and impact of the first and third types are well understood. However, the vast majority of all privileged access is of the second type, and needs understanding.
Domain Admins -
The Tip of the Iceberg
When performing "privileged access audits" in Active Directory, most organizations merely enumerate the members of default Active Directory privileged groups like Domain Admins.
Consider this – What about someone who could change the membership of the Domain Admins group, or reset a Domain Admin's password. Isn't such an individual equally privileged?
Or, consider this – What about someone who has been granted full-control domain-wide in Active Directory, via an inheritable security permission. Isn't such an individual equally privileged?
After all, in addition to having full control over almost all Active Directory content, this person would now also have the ability to instantly gain local admin access on any domain-joined machine.
In Active Directory deployments worldwide, today there exists an ocean of such privileged access that has been delegated, and Domain Admins are just the tip of the iceberg.
Active Directory - The Heart of Privileged Access
From Domain Admins to hundreds of delegated admins, today, at 85% of all organizations worldwide, the vast majority of all powerful privileged access resides in Active Directory.
In fact, the entirety of all organizational domain user accounts, computer accounts, passwords, security groups and policies reside within Active Directory, all protected by an ocean of privileged access inside Active Directory.
In order to accurately identify all privileged users, organizations need to understand what constitutes a privileged user, and know how to correctly identify privileged users in Active Directory.
Active Directory - The Privileged Access Iceberg
From Domain Admins to all domain user accounts, and from all domain controller accounts to all domain computer accounts, the entirety of an organization's IT assets are in Active Directory.
In addition, access to just about every file, folder, application and database is controlled using Active Directory security groups.
In order to secure all this vital Active Directory content, and to distribute responsibilities for their management, organizations delegate privileged access in their foundational Active Directory.
Thus, if Domain Admins are the proverbial Tip of the Iceberg, the vast amount of provisioned/privileged access provisioned within Active Directory is the proverbial Privileged Access Iceberg.
A "Privileged Access Audit" that does not take into account the vast amount of provisioned/delegated privileged access within an organization's Active Directory, cannot be considered complete.
Organizations that have delegated any level of access in their Active Directory must ensure that all such delegated privileged access is accurately* assessed in a "Privileged Access Audit".* An accurate assessment involves determining effective permissions.
Default Active Directory Privileged Groups
The following are the default Active Directory privileged groups -
Read-only Domain Controllers
Delegated AD Admins
AD Delegated Admins are powerful privileged users who have been delegated all sorts of privileged access in Active Directory.
They can be almost as powerful as Domain Admins, such as -
A delegated admin that can manage domain user accounts (e.g. the CEO's account) can reset any account's password and access everything the account can access.
A delegated admin that can manage domain security groups (e.g. Execs) can change any group's membership and access everything that group has access to.
A delegated admin that can manage domain computer accounts (e.g. HBI Server) can control any computer's security and access everything on those computers.
A delegated admin that can manage an OU can do all of the above on 1000s of accounts, computers and groups.
Thus delegated admins in Active Directory can be almost as powerful as Domain Admins, and must be accurately identified.
Privileged Access Hierarchy
In every Active Directory forest worldwide, there is a clear privileged access hierarchy, beginning with the most powerful users and ending with the least powerful users, as follows -
All users that belong to default Active Directory privileged access groups in the forest root domain and all users who can manage these accounts and group memberships.
All users that belong to default Active Directory privileged access groups in every child domain as well as all users who can manage these accounts and group memberships.
All users who can perform any of the ten (10) Domain Admin Equivalent Tasks listed below in Active Directory.
All users that have been delegated any kind of privileged access, whether OU- or domain-wide, in Active Directory.
All users and service accounts that are members of the local Administrators group on domain-joined computers, and all services running as System on these computers.
NOTE: The first three categories of users possess equivalent privileged access, and include users who may have been delegated such privileged access in AD.
Domain Admin Equivalent Tasks
Anyone who can perform the following AD management tasks must be considered to possess Domain Admin equivalent privilege -
- Promote a machine to a domain controller (DC) or manage DCs.
- Create or manage an inbound forest or external trust relationship.
- Replicate secrets from the domain or manage the domain root object.
- Manage the Schema or Configuration partitions, including their contents.
- Modify the Default Domain Controllers Policy or the Default Domain Policy.
- Manage the default Users container, Built-in container and System container.
- Manage the Domain Controllers OU, as well as any Domain Controller's domain computer account.
- Link a GPO to the domain root, the Domain Controllers OU, or any site or OU that contains a large number of computer accounts.
- Manage all top-level OUs, as well as any OUs containing a large number of user accounts, computer accounts or security groups.
- Manage any default administrative accounts and groups, and/or any users or groups that have been delegated privileged access.
* Manage includes the ability to modify the security permissions on the AD object, as well as the ability to change its ownership.
Finally, any user who can modify the local Administrators group on a large number of domain-joined computers must also be considered privileged, as ideally should be all computers whose domain computer accounts are Trusted for unconstrained delegation.
Domain Admin Equivalent Privileged Users in AD
In Active Directory, the following users must be considered highly and equally privileged in nature -
All members of default Active Directory privileged groups.
Anyone who can change membership or ownership of, or permissions on any of these default AD privileged groups.
Anyone who can reset password of, change ownership of or permissions on any member of any AD privileged group
Anyone who can perform any of the administrative tasks listed in the Domain-Admin Equivalent Tasks list above.
Effective Permissions - The Keys to Privileged Access
From AdminSDHolder to Domain Admins, and from the default Administrators account to the CEO's domain user account, literally everything in Active Directory is an AD object.
Every AD object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.
Thus, what provides accurate insight into privileged access is not an audit of Who has what permissions in Active Directory but an audit of Who has what effective permissions in Active Directory.
As a result, to correctly find out who has what privileged access in Active Directory, and to determine who can enact each one of the above listed Domain Admin Equivalent Tasks, organizations need to audit effective permissions in Active Directory.
How to Correctly Audit Privileged Access in AD
Every organization that is operating on Active Directory today must know how to correctly audit privileged access in Active Directory because this is paramount to their cyber security.
Unfortunately and alarmingly, most organizations do not know how to correctly audit privileged access in Active Directory.
All organizations worldwide are strongly encouraged to learn how to do so, because the compromise of a single inadequately protected Active Directory privileged user account can result in a massive cyber security breach.
History is witness that virtually all major recent cyber security breaches, including Snowden, JP Morgan, Target, the OPM Breach, the Sony Hack, the Anthem Breach and others, all involved the compromise and subsequent misuse of a single Active Directory privileged user account - just one account.
Every organization operating on Active Directory must know how to correctly audit privileged access in Active Directory.
Our Global Customers