At the foundation of cyber security and privileged access of 85% of all organizations worldwide lies Active Directory, and at most of these organizations no one has a clue as to exactly who has what privileged access in their Active Directory.
Microsoft Active Directory is the bedrock and foundation of cyber security and IT at 85% of all organizations worldwide.
Within Active Directory deployments worldwide lie all their employee user accounts and passwords, all privileged user accounts, all computer accounts and their security policies, and all security groups that protect all their IT resources.
To facilitate their management and protection, over the years, organizations have provisioned a vast ocean of privileged access in their Active Directory, yet no one really knows exactly who has what privileged access in Active Directory.
The reason for this alarming situation is that while Active Directory lets organizations accurately provision access, it lacks the fundamental ability required by organizations to accurately assess/audit provisioned access in Active Directory.
Consequently, organizations have been provisioning access in Active Directory for years, without any accurate insight, resulting in an ocean of excessive/unauthorized access that can today be easily exploited to compromise their security.
The Paramount Brief is an executive summary of the cyber security risk caused by this dangerously alarming situation.
The World's #1 Cyber Security Risk
The ocean of excessive/unauthorized privileged access that exists in foundational Active Directory deployments worldwide paves thousands of privilege escalation paths in Active Directory, which can be easily exploited today.
A single privilege escalation path is sufficient to compromise the security of virtually everything in Active Directory, including the entirety of its all-powerful privileged user accounts and security groups.
Should someone be able to compromise even a single Active Directory privileged user account or security group, he/she could instantly gain complete control over the entire Active Directory, and soon thereafter over the entire IT infrastructure.
Since Active Directory Privilege Escalation can be used to easily gain complete command and control of 85% of organizations worldwide, it poses a clear and present danger, and remains the world's #1 cyber security risk.
100% of all major recent cyber security breaches involved the compromise of just one Active Directory privileged user account.
Anyone who could compromise a single Active Directory privileged user account and subsequently enact any one of the following tasks could instantly and substantially compromise the entire organization, resulting in a massive cyber security breach:
- Run Mimikatz DCSync against an Active Directory domain
- Change the membership of the Domain Admins security group
- Reset the password of any/every privileged user in Active Directory
- Change the permissions specified in the AdminSDHolder object's ACL
- Create a new inbound trust relationship or modify any existing trust relationship
- Link a malicious GPO to instantly take over any or every administrative workstation
- Modify the Active Directory Schema to make crippling irreversible changes to Active Directory
- Change administrative control in Active Directory to instantly obtain access to all organizational IT resources
- Launch a denial-of-service attack against any Active Directory integrated application/service (e.g. Azure Connect)
- Link a malicious GPO to any OU to instantly gain command and control over thousands of domain-joined computers
Organizations that do not know exactly who is delegated what administrative access in their foundational Active Directory are vulnerable to Active Directory Privilege Escalation today, and could potentially be compromised within minutes.
This cyber security risk is 100% mitigatable.
The key to mitigating this risk lies in a simple, fundamental Active Directory security capability.
The cyber security risk to organizational security worldwide that is described in The Paramount Brief is 100% mitigatable.
To mitigate this risk, organizations need only accurately audit and then lock down privileged access in Active Directory, which fundamentally requires accurately determining effective permissions in and across Active Directory.
From that point on, they can easily maintain least privileged access in Active Directory, eliminating this risk.
Subsequently, even if thousands of perpetrators were to query a locked-down Active Directory domain to analyze Active Directory permissions, they would likely not be able to find a single exploitable privilege escalation path in Active Directory.
Crucially, the key to mitigating this risk lies in possessing the capability to accurately determine "who has what effective permissions in Active Directory", which is not the same as "who has what permissions in Active Directory."
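The distinction between "who has what permissions" and "who has what effective permissions" is illustrated below with an added example that is not part of The Paramount Brief or of any Paramount Defenses product. It models, in simplified form, how Windows evaluates a DACL (explicit deny, explicit allow, inherited deny, inherited allow, first matching ACE wins for each right) and expands nested group membership, so that the audit answers with users rather than with the group names written into the ACL. The object, ACEs, groups, users and right bitmasks are all constructed for the example; real Active Directory rights are GUID-scoped ADS_RIGHT values and group expansion comes from the directory, not from a dictionary.

```python
from dataclasses import dataclass

# Constructed stand-ins for Active Directory rights on a group object
# (real AD uses ADS_RIGHT_* masks and object-type GUIDs; these are illustrative).
RIGHT_READ = 0x1            # read the object
RIGHT_WRITE_MEMBERS = 0x2   # stands in for WriteProperty on the 'member' attribute
RIGHT_RESET_PASSWORD = 0x4  # stands in for the Reset Password extended right
RIGHT_WRITE_DACL = 0x8      # modify the object's own permissions
RIGHT_ALL = RIGHT_READ | RIGHT_WRITE_MEMBERS | RIGHT_RESET_PASSWORD | RIGHT_WRITE_DACL


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the ACE applies to
    rights: int         # bitmask of rights covered by this ACE
    allow: bool         # True = access-allowed ACE, False = access-denied ACE
    inherited: bool = False


def expand_groups(principal, membership):
    """Return the principal plus every group it belongs to, transitively
    (nested membership). membership maps a member name to its direct groups."""
    tokens = {principal}
    stack = [principal]
    while stack:
        current = stack.pop()
        for group in membership.get(current, ()):
            if group not in tokens:
                tokens.add(group)
                stack.append(group)
    return tokens


def canonical_order(dacl):
    """Windows canonical ACL order: explicit deny, explicit allow,
    inherited deny, inherited allow (False sorts before True)."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(principal, dacl, membership):
    """Rights the principal actually holds: walk the DACL in canonical order
    and let the first ACE that matches the principal's token decide each bit."""
    tokens = expand_groups(principal, membership)
    granted = 0
    denied = 0
    for ace in canonical_order(dacl):
        if ace.trustee not in tokens:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def raw_trustees(right, dacl):
    """The naive view: trustees that have an allow ACE containing the right.
    This lists group names, not people, and ignores deny ACEs."""
    return {ace.trustee for ace in dacl if ace.allow and ace.rights & right}


def who_has(right, dacl, membership, principals):
    """The effective view: every user who would pass an access check for the right."""
    return {p for p in principals if effective_rights(p, dacl, membership) & right}


# Constructed sample: the DACL on a sensitive group such as Domain Admins.
SAMPLE_DACL = [
    Ace("Domain Admins", RIGHT_ALL, allow=True),
    Ace("Helpdesk", RIGHT_WRITE_MEMBERS, allow=True),          # excessive delegation
    Ace("bob", RIGHT_WRITE_MEMBERS, allow=False),               # explicit deny for one user
    Ace("Authenticated Users", RIGHT_READ, allow=True, inherited=True),
]

# Constructed nested membership: alice reaches Helpdesk only through Tier2.
SAMPLE_MEMBERSHIP = {
    "alice": {"Tier2", "Authenticated Users"},
    "Tier2": {"Helpdesk"},
    "bob": {"Helpdesk", "Authenticated Users"},
    "carol": {"Domain Admins", "Authenticated Users"},
    "dave": {"Authenticated Users"},
}
SAMPLE_PRINCIPALS = ["alice", "bob", "carol", "dave"]

if __name__ == "__main__":
    print("Permissions view :", sorted(raw_trustees(RIGHT_WRITE_MEMBERS, SAMPLE_DACL)))
    print("Effective view   :", sorted(who_has(RIGHT_WRITE_MEMBERS, SAMPLE_DACL,
                                                SAMPLE_MEMBERSHIP, SAMPLE_PRINCIPALS)))
```

The permissions view reports only "Domain Admins" and "Helpdesk"; the effective view reports "alice" (who never appears in the ACL and reaches the right through a nested group) and "carol", while "bob" (a direct Helpdesk member) is correctly excluded because of the explicit deny ACE. An audit built on the first view would miss alice entirely and flag bob incorrectly.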