Active Directory - The Heart of Privileged Access
At 85% of organizations worldwide, all organizational domain user accounts, computers, passwords, security groups and policies are stored and protected in Active Directory, and a mountain of privileged access is delegated/provisioned to facilitate and distribute their management.
Active Directory is thus the heart of privileged access worldwide.
Active Directory's security model lets organizations provision access precisely to attain least privileged access (LPA).
Unfortunately, Active Directory lacks the fundamental capability required by organizations to accurately and adequately audit and verify provisioned access in Active Directory, making it difficult for organizations to attain and maintain LPA in Active Directory.
Privileged Access Audit - The Key to LPA
Today there exists a vast and unknown amount of excessive privileged access within Active Directory deployments.
This excess exists because Active Directory unfortunately lacks the fundamental capability to accurately audit privileged access.
In fact, this is the reason that while organizations have been delegating and provisioning privileged access in AD for years, they have no idea exactly who is delegated what access in AD.
If organizations could accurately audit privileged access in Active Directory, they could easily identify and eliminate all excessive / unauthorized access in their AD and thus be able to attain and maintain LPA in AD, and eliminate the risk of privilege escalation.
The key to attaining and maintaining LPA in Active Directory thus lies in being able to accurately audit privileged access in AD.
Accurate Privileged Access Audits
Today, in most Active Directory deployments, there exist millions of permissions within the ACLs of thousands of objects.
Most organizations, vendors and experts mistakenly believe that to accurately audit privileged access in Active Directory, they simply need to find out "Who has what permissions in Active Directory."
The fact, however, is that there is only one way to accurately audit privileged access in Active Directory, and that involves finding out "Who has what effective permissions in Active Directory."
Accurate Privileged Access Audits thus involve the accurate determination of effective permissions in Active Directory.
Effective Permissions - The Keys to Privileged Access
From AdminSDHolder to Domain Admins, and from the default Administrators account to the CEO's domain user account, literally everything in Active Directory is an AD object.
Every AD object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.
Thus, what provides accurate insight into privileged access is not an audit of "Who has what permissions in Active Directory" but an audit of "Who has what effective permissions in Active Directory."
Consequently, to accurately audit privileged access in Active Directory, organizations need to be able to accurately audit effective permissions in Active Directory.
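The difference between listed permissions and effective permissions can be shown with a simplified access-check model. This is an added example, not code from this page or from Gold Finger; the users, groups, rights flags and ACL are constructed, and the model ignores object-specific (property and extended-right) ACEs.

```python
from dataclasses import dataclass

# Rights as bit flags (illustrative names, not real AD access-mask constants).
RESET_PASSWORD, WRITE_DACL = 1, 2

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the ACE names
    allow: bool      # True = allow ACE, False = deny ACE
    mask: int        # rights bits covered by the ACE
    inherited: bool  # inherited from a parent container?

# Constructed sample data: group nesting and the ACL on one object.
MEMBER_OF = {
    "alice": ["Helpdesk"],
    "Helpdesk": ["Tier1 Operators"],      # nested group
    "bob": ["Helpdesk", "Contractors"],
    "carol": ["Staff"],
}
ACL = [
    Ace("Tier1 Operators", True, RESET_PASSWORD, inherited=True),
    Ace("Contractors", False, RESET_PASSWORD, inherited=False),
    Ace("Staff", False, WRITE_DACL, inherited=True),
    Ace("carol", True, WRITE_DACL, inherited=False),
]

def named_trustees(acl):
    """The 'who has what permissions' view: trustees named in allow ACEs."""
    return {ace.trustee for ace in acl if ace.allow}

def expand_groups(user, member_of):
    """The user plus every group reached through nested membership."""
    seen, stack = {user}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def effective_rights(user, acl, member_of):
    """Walk ACEs in canonical order; the first ACE to decide a bit wins."""
    sids = expand_groups(user, member_of)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    granted = denied = 0
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee in sids:
            if ace.allow:
                granted |= ace.mask & ~denied
            else:
                denied |= ace.mask & ~granted
    return granted
```

The raw listing names only "Tier1 Operators" and "carol", yet alice can reset the password through nested membership, bob cannot because an explicit deny applies to him, and carol keeps WRITE_DACL because her explicit allow is evaluated before the inherited deny on Staff.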
Our Unique Insights
Here are some paramount Active Directory Privileged Access Insights that only* our solutions can accurately deliver:
- Who can create, delete and manage domain user accounts in Active Directory?
- Who can create, delete and manage Active Directory security groups?
- Who can reset the password of any/every domain user account in Active Directory?
- Who can change the permissions specified in the critical AdminSDHolder object's ACL?
- Who can create, delete, manage and delegate control of Organizational Units in Active Directory?
- Who can modify the Active Directory Schema to make crippling irreversible changes to Active Directory?
- Who can link a GPO or change the precedence of GPOs linked to any/every site, domain and OU in Active Directory?
- Who can change administrative control in Active Directory to instantly obtain access to all organizational IT resources?
- Who can launch a denial-of-service attack against any Active Directory integrated application/service? (e.g. Azure Connect)
- Who can delete any/every domain account, security group, OU etc. even with the Prevent Accidental Deletion feature turned on?
* Our solutions are unique in their ability to accurately determine effective permissions in Active Directory.
Our Unique Solution
Gold Finger, our unique Microsoft-endorsed Active Directory Privileged Access Audit solution, fully automates the accurate determination of effective permissions, both per-object and domain-wide, thus empowering organizations to perform accurate Privileged Access Audits.
The ability to perform accurate Privileged Access Audits in Active Directory lets organizations accurately audit and easily verify privileged access, thus uniquely enabling them to attain and maintain least privilege access in Active Directory.
Gold Finger is architected by a former Microsoft Program Manager for Active Directory Security.
Here's a quick overview of how our unique Active Directory Audit Tools help organizations attain least privileged access in Active Directory:
- Accurately assess effective permissions on any Active Directory object
- Accurately assess privileged access on any Active Directory object
- Automatically and accurately assess privileged access domain-wide