Active Directory is Foundational.
Active Directory is the lifeline and foundation of IT and cyber security in a Windows Server powered IT infrastructure.
The entirety of an organization's user accounts and passwords, including those of all their privileged users and executives, are stored, protected and managed in Active Directory.
In addition, the entirety of an organization's computers, whether they be laptops, desktops, workstations or servers, are joined to, secured by and managed from Active Directory.
Finally, access to the entirety of an organization's IT assets (files, folders, applications, portals, email etc.) is protected using domain security groups, which are also stored in Active Directory.
Thus, an organization's foundational Active Directory deployment is its most valuable and its most targeted asset.
Active Directory Security is Paramount
The compromise of Active Directory is tantamount to a system-wide compromise.
Active Directory Security is paramount to organizational cyber security because an Active Directory compromise or breach is tantamount to a catastrophic system-wide compromise.
It is catastrophic because once a perpetrator has compromised an organization's foundational Active Directory, he/she now has complete and unrestricted command and control over it.
Once a perpetrator has command and control of Active Directory, he/she can access, tamper with, copy, divulge, exfiltrate and destroy virtually any and practically every organizational IT resource.
In summary, an Active Directory compromise is tantamount to a compromise of the very foundation of cyber security.
Active Directory is Target #1
Active Directory is target #1 for perpetrators today.
Active Directory is the #1 target for perpetrators today.
History is witness that in virtually all major cyber security breaches in the last few years, including Snowden, JP Morgan, Target, the OPM Breach, the Sony Hack, the Anthem Breach and others, the perpetrators targeted Active Directory.
It's no wonder that the most popular hacking tools used today, such as Mimikatz and BloodHound, target Active Directory.
None of this is surprising though, because as we have seen, the compromise of Active Directory gives perpetrators complete command and control over the entire IT infrastructure.
Active Directory is target #1, and any organization whose Active Directory is not adequately protected, could be next.
The Active Directory Attack Surface
The Active Directory attack surface is vast but defendable.
Active Directory is inherently highly stable, robust and securable, but it does require organizations to adequately secure it and its contents, and actively defend it from compromise at all times.
The adequate protection of Active Directory and its contents requires that organizations identify and then sufficiently secure and protect its attack surface, which is -
- Active Directory Privileged Users* and Groups
- Active Directory Contents and Configuration Data
- Active Directory Logical Structure
- Active Directory Backups and Administrative Workstations
* Most Active Directory domains contain a large and unknown number of users with delegated privileged access, who also need to be identified.
Think about this for a moment.
For an attacker, what's easier? -
- Compromising a Domain Controller, or resetting a Domain Admin's password?
- Compromising a Trust relationship, or changing the Domain Admin's group membership?
- Compromising an admin's workstation, or linking a malicious GPO to the OU in which it resides?
- Compromising an AD backup, or using Mimikatz DCSync to compromise everyone's passwords?
In each case, the easier (latter) option merely involves making a simple change on the Active Directory object representing the target, i.e. an AD account, an AD group, an OU or the domain root.
Active Directory Attack Vector #1 - Privileged Access
The easiest way to compromise AD is by gaining privileged access.
What do the components that comprise 99% of Active Directory's attack surface, i.e. DCs, AD privileged accounts and groups, AD contents, configuration data and admin workstations, have in common?
They are all represented by an object in Active Directory.
Literally everything inside Active Directory is an object protected by an access control list (ACL), and across the thousands of ACLs in each Active Directory deployment lie millions of security permissions that govern and control exactly who has what access in AD.
These permissions control everything, from who can change the Domain Admins group membership, to who can reset a Domain Admin's password, to who can link a malicious GPO, to who can control every single privileged user and group.
Anyone who can correctly* analyze this ocean of permissions in Active Directory could find a thousand ways to compromise any component of the attack surface and gain control over AD.
* The correct analysis involves determining effective permissions.
Effective Permissions - The Keys to AD Security
Effective Permissions are the key to correctly identifying who has what privileged access in Active Directory.
From Domain Admins to every privileged account and group, and from the Domain Controllers OU to every DC's and admin workstation's computer account, as well as the domain root, literally everything in Active Directory is an AD object.
Every AD object is protected by an access control list (ACL) that specifies who has what permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.
It is not who has what permissions in Active Directory, but who has what effective permissions in Active Directory, that ultimately governs the security of all Active Directory content, including all privileged users and groups, other content and DCs.
Thus, effective permissions are the key to correctly identifying who has what privileged access in any Active Directory, and consequently the key to all of Active Directory Security.
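As an added illustration of the distinction drawn above between listed permissions and effective permissions (example code written for this page, not code from the page's author or from the Gold Finger product), the following Python models a simplified Windows-style DACL evaluation: group membership is expanded into a token, ACEs are walked in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), an allow grants rights not already denied and a deny blocks rights not already granted. Every principal, group, ACE and right label below is constructed sample data; real AD ACEs additionally carry object-type GUIDs, property sets, inherited-object-type filters and owner rights, which this model omits. It also inverts the question, in the manner of "who can change the membership of Domain Admins", by asking which principals effectively hold a given right.

```python
"""Effective-permissions calculator for AD-style ACLs (constructed example).

Simplified model of Windows DACL evaluation: canonical ACE order,
deny-before-allow, nested group membership expanded into a token.
All principals, groups, ACEs and right labels are invented sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# The subset of AD rights this toy model understands (hypothetical labels).
ALL_RIGHTS: FrozenSet[str] = frozenset({
    "ReadProperty",
    "WriteProperty:member",           # change a group's membership
    "ExtendedRight:Reset-Password",   # reset a user's password
    "WriteDacl",                      # rewrite the object's own ACL
    "WriteOwner",
})


@dataclass(frozen=True)
class Ace:
    """One access control entry: trustee, rights, allow/deny, inherited or explicit."""
    trustee: str
    rights: FrozenSet[str]
    allow: bool = True
    inherited: bool = False


def expand_rights(rights: Iterable[str]) -> Set[str]:
    """GenericAll stands for every modelled right; unknown labels are ignored."""
    rights = set(rights)
    if "GenericAll" in rights:
        return set(ALL_RIGHTS)
    return rights & ALL_RIGHTS


def expand_token(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group it belongs to, following nested membership."""
    token = {principal}
    stack = [principal]
    while stack:
        member = stack.pop()
        for group, members in groups.items():
            if member in members and group not in token:
                token.add(group)
                stack.append(group)
    return token


def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny,
    inherited allow. sorted() is stable, so original order survives within a class."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_permissions(acl: Iterable[Ace], principal: str,
                          groups: Dict[str, Set[str]]) -> Set[str]:
    """Net rights after walking the ACL: an allow grants rights not already
    denied, a deny blocks rights not already granted."""
    token = expand_token(principal, groups)
    granted: Set[str] = set()
    denied: Set[str] = set()
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        rights = expand_rights(ace.rights)
        if ace.allow:
            granted |= rights - denied
        else:
            denied |= rights - granted
    return granted


def who_can(acl: Iterable[Ace], right: str, principals: Iterable[str],
            groups: Dict[str, Set[str]]) -> List[str]:
    """Invert the question: which principals effectively hold `right`?"""
    return sorted(p for p in principals
                  if right in effective_permissions(acl, p, groups))


def naive_who_can(acl: Iterable[Ace], right: str, principals: Iterable[str],
                  groups: Dict[str, Set[str]]) -> List[str]:
    """What a plain ACE listing suggests: any matching allow ACE counts and
    deny ACEs are ignored. Over-reports, which is the point of the contrast."""
    acl = list(acl)
    hits = []
    for p in principals:
        token = expand_token(p, groups)
        if any(ace.allow and ace.trustee in token and right in expand_rights(ace.rights)
               for ace in acl):
            hits.append(p)
    return sorted(hits)


# Constructed sample data: group -> direct members (users or nested groups).
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"bob", "Tier2"},
    "Tier2": {"carol"},
}
PRINCIPALS = ["alice", "bob", "carol"]

# Constructed ACL on the Domain Admins group object. The inherited allow for
# Helpdesk is the kind of delegated privilege a surface-level review misses;
# the explicit deny on Tier2 is what a plain ACE listing gets wrong.
DOMAIN_ADMINS_ACL = [
    Ace("Domain Admins", frozenset({"GenericAll"})),
    Ace("Tier2", frozenset({"WriteProperty:member"}), allow=False),
    Ace("Helpdesk", frozenset({"WriteProperty:member"}), inherited=True),
]

if __name__ == "__main__":
    for p in PRINCIPALS:
        print(p, sorted(effective_permissions(DOMAIN_ADMINS_ACL, p, GROUPS)))
    print("ACE listing says:", naive_who_can(DOMAIN_ADMINS_ACL, "WriteProperty:member", PRINCIPALS, GROUPS))
    print("Effectively:     ", who_can(DOMAIN_ADMINS_ACL, "WriteProperty:member", PRINCIPALS, GROUPS))
```

Run as a script, the ACE listing reports alice, bob and carol as able to change the group's membership, while the effective-permissions walk reports only alice and bob: carol's explicit deny outranks the inherited allow she receives through Helpdesk, and bob's access comes entirely from an inherited ACE that never names him directly. A real audit has to apply the same evaluation to every object in scope and every principal, including the delegated ones the page mentions, not just to the members of the well-known admin groups.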
Our Unique Insights
Here are some paramount Active Directory Security insights that only our solutions can deliver -
- Who can run Mimikatz DCSync against an Active Directory domain?
- Who can change the membership of the Domain Admins security group?
- Who can reset the password of any/every privileged user in Active Directory?
- Who can change the permissions specified in the AdminSDHolder object's ACL?
- Who can create a new inbound trust relationship or modify any existing trust relationship?
- Who can link a malicious GPO to instantly take over any or every administrative workstation?
- Who can modify the Active Directory Schema to make crippling irreversible changes to Active Directory?
- Who can change administrative control in Active Directory to instantly obtain access to all organizational IT resources?
- Who can launch a denial-of-service attack against any Active Directory integrated application/service? (e.g. Azure Connect)
- Who can link a malicious GPO to any OU to instantly gain command and control over thousands of domain-joined computers?
The World's Only Solution
Not a single Active Directory object (and thus not a single Active Directory deployment) can be adequately secured without being able to accurately determine effective permissions on it.
Gold Finger, our innovative Microsoft-endorsed Active Directory audit tool, is the world's only solution that can accurately calculate effective permissions in Active Directory.
It can also automatically and accurately determine effective permissions/access on thousands of Active Directory objects, within minutes, and at the touch of a button.
The insight that Gold Finger delivers is absolutely essential for Active Directory Security, and without such insight, not a single Active Directory domain in the world can be adequately secured.
Gold Finger is architected by a former Microsoft Program Manager for Active Directory Security and endorsed by Microsoft.
Here's a quick overview of our three unique Active Directory Effective Permissions and Effective Access Audit Tools –
- Instantly calculate effective permissions on any Active Directory object
- Instantly assess privileged access on individual Active Directory objects
- Instantly audit privileged access domain-wide in Active Directory
Our Global Customers