Privileged Access

Privileged Access is the holy grail for malicious perpetrators, and at 85% of organizations, the most powerful privileged access lies in Active Directory.

Privileged Access is the holy grail for perpetrators, for in it lie the proverbial Keys to the Kingdom, and the compromise of a single privileged user account could jeopardize the security of the entire organization and cause a massive breach.

At 85% of all organizations worldwide, the most powerful privileged access as well as the vast majority of all powerful privileged access lie within millions of security permissions inside foundational Active Directory deployments worldwide.

Privileged Access - The Keys to the Kingdom


Obtaining privileged access in an organization is the holy grail for malicious perpetrators, because once someone has privileged access, they have the "Keys to the Kingdom".


They can then circumvent or disable any security control and easily access, copy, tamper with, steal and/or divulge virtually any and every organizational IT asset, and do so very quickly.


Given that the compromise of a single privileged account could easily result in colossal damage, accurate identification and adequate protection of privileged users is paramount to organizational cyber security, and must be priority #1.

Microsoft Active Directory

Active Directory - The Heart of Privileged Access


From Domain Admins to hundreds of delegated admins, today, at 85% of all organizations worldwide, the vast majority of all powerful privileged access resides in Active Directory.


In fact, the entirety of all organizational domain user accounts, computer accounts, passwords, security groups and policies reside within Active Directory, all protected by an ocean of privileged access inside Active Directory.


In order to accurately identify all privileged users, organizations need to understand what constitutes a privileged user, and know how to correctly identify privileged users in Active Directory.

Accurate Identification of Privileged Users is Paramount

The adequate protection of an organization's privileged users is absolutely paramount to organizational cyber security.

However, before an organization can adequately protect its privileged users, it must be able to accurately identify them.

After all, one cannot protect what one cannot identify, and even just one unidentified and thus unprotected account would be sufficient for perpetrators to compromise Active Directory, and by extension, compromise the entire organization.

Consequently, to adequately protect privileged users, organizations must first be able to accurately identify all privileged users, and to be able to do so, they need to first adequately understand exactly what constitutes a privileged user.

Today, unfortunately, IT personnel at most organizations do not yet sufficiently seem to understand what constitutes a privileged user, and at many organizations, the identification of privileged users begins and ends with Domain Admins.

Domain Admins are just the tip of the iceberg; there exist far more equally privileged users inside Active Directory.

Privileged Access Hierarchy in Windows

Three Types of Privileged User Accounts

There are three (3) types of privileged user accounts in every Windows Server based network, and they are not equal -

  1. Domain Unrestricted Admin Accounts - These accounts are all-powerful Active Directory domain accounts that by default can access all resources on all computers in an Active Directory domain. E.g. Domain Admins

  2. Domain Delegated Admin Accounts - These accounts are Active Directory domain accounts that have been delegated any kind of privileged access on thousands of users, computers and groups inside Active Directory.

  3. Machine Local Admin Accounts - These accounts are local accounts that exist on every Windows computer and their scope is limited to being able to access resources on that computer, thus they have the least amount of privilege.

Of these, the scope and impact of the first and third types are well understood and easily identifiable. However, the vast majority of powerful privileged access in Microsoft Windows networks is of the second type, and requires understanding.

Domain Admins - The Tip of the Iceberg

Even today, when assessing privileged access in Active Directory, at most organizations, the extent of this assessment merely involves enumerating the members of various default Active Directory privileged groups like Domain Admins.

Now, consider this: what about someone who could change the membership of the Domain Admins group, or reset a Domain Admin's password? Isn't such an individual equally privileged?

Or, consider this: what about someone who could easily obtain privileged access over all domain-joined machines, or access everyone's credentials, or reset everyone's passwords, or change the membership of all domain security groups that collectively protect all organizational IT assets? Isn't such an individual equally privileged?

In most Active Directory deployments, today there exists an ocean of such powerful privileged access that has either been delegated or custom provisioned, or provisioned accidentally, so Domain Admins are just the tip of the iceberg.

The Iceberg - Delegated Access in AD

The entirety of an organization's domain user accounts, computer accounts, passwords and security groups reside in Active Directory, and consequently today there exists an ocean of privileged access in Active Directory to protect all these accounts and groups and to facilitate the distribution and delegation of responsibilities for their management.

This vast ocean of privileged access in Active Directory exists in the form of millions of security permissions that reside inside thousands of Active Directory access control lists (ACLs) that exist to protect Active Directory's valuable contents.

A predominant portion of this ocean of access is actually delegated and custom provisioned access that exists inside Active Directory ACLs to enable the distribution/delegation of administrative tasks for identity and access management.

It is this vast amount of delegated/custom access that constitutes the proverbial iceberg of access in Active Directory.

This delegated/custom access could intentionally or accidentally be equivalent to Domain-Admin level access, and thus no privileged access assessment can be complete without taking into account this iceberg of access in Active Directory.

Default Active Directory Privileged Groups

The following is a list of the default Active Directory privileged groups that exist in Windows Server deployments -

  1. Administrators

  2. Enterprise Admins

  3. Schema Admins

  4. Domain Admins

  5. Domain Controllers

  6. Server Operators

  7. Account Operators

  8. Backup Operators

  9. Print Operators

  10. Read-only Domain Controllers

  11. Replicator

  12. Key Admins

  13. Enterprise Key Admins

Think about it

A Simple Question

Think about this for a moment.


Members of default Active Directory administrative groups are certainly privileged users by virtue of group membership.

But what about ordinary domain accounts that may have been intentionally or accidentally, directly or indirectly, delegated or provisioned the following access?

  1. An account that only has sufficient effective permissions to run Mimikatz DCsync against the domain

  2. An account that only has sufficient effective permissions to modify the ACL of the domain root object

  3. An account that only has sufficient effective permissions to change the membership of the Domain Admins group

  4. An account that only has sufficient effective permissions to reset the password of a Domain Admin account


Question - Shouldn't these accounts also be considered privileged accounts?

After all, they do possess sufficient access to be able to take over existing privileged accounts in Active Directory.

Administrative Delegation in Active Directory

Delegation of administration is a powerful capability in Active Directory that enables organizations to distribute and delegate administrative access for common IT management tasks to lesser-privileged IT personnel.

The following are some administrative tasks that are commonly delegated at most organizations -

  1. The ability to create and delete domain user accounts.

  2. The ability to reset the passwords of domain user accounts.

  3. The ability to unlock locked domain user accounts.

  4. The ability to enable disabled domain user accounts.

  5. The ability to create and delete domain security groups.

  6. The ability to change the membership of domain security groups.

  7. The ability to create and delete domain computer accounts.

  8. The ability to create and delete organizational units (OUs).

  9. The ability to modify security permissions on accounts, groups or OUs.

  10. The ability to sub-delegate administrative tasks in one or more OUs.

Delegated Administrators

Delegated Administrators are privileged users who have been delegated custom privileged access in Active Directory.

Based on the nature of access delegated to them, they can often be almost as powerful as Domain Admins -

  1. A delegated admin that can manage domain user accounts (e.g. the CEO's account) can reset any account's password and access everything the account can access.

  2. A delegated admin that can manage domain security groups (e.g. Execs) can change any group's membership and access everything that group has access to.

  3. A delegated admin that can manage domain computer accounts (e.g. HBI Server) can control any computer's security and access everything on those computers.

  4. A delegated admin that can manage an OU can do all of the above on all accounts, computers and groups in it.


Since delegated administrators in Active Directory could be as powerful as Domain Admins, they too must be accurately identified, and thus no privileged access assessment can be considered complete without taking them into account.

Privileged Access Hierarchy

In every Active Directory forest worldwide, there is a clear privileged access hierarchy, beginning with the most powerful users and ending with the least powerful users, as follows -

  1. All users that belong to default Active Directory privileged access groups in the forest root domain and all users who can manage these accounts and group memberships.

  2. All users that belong to default Active Directory privileged access groups in every child domain as well as all users who can manage these accounts and group memberships.

  3. All users who can perform any of the ten (10) Domain Admin Equivalent Tasks listed below in Active Directory.

  4. All users that have been delegated any kind of privileged access, whether OU- or domain-wide, in Active Directory.

  5. All users and service accounts that are members of the local Administrators group on domain-joined computers, and all services running as System on these computers.

NOTE: The first three categories of users possess equivalent privileged access, and include users who may have been delegated such privileged access in AD.

Domain Admin Equivalent Tasks

Anyone who can perform the following AD management tasks must be considered to possess Domain Admin equivalent privilege -

  1. Promote a machine to a domain controller (DC) or manage DCs.
  2. Create or manage an inbound forest or external trust relationship.
  3. Replicate secrets from the domain or manage the domain root object.
  4. Manage the Schema or Configuration partitions, including their contents.
  5. Modify the Default Domain Controllers Policy or the Default Domain Policy.
  6. Manage the default Users container, Built-in container and System container.
  7. Manage the Domain Controllers OU, as well as any Domain Controller's domain computer account.
  8. Link a GPO to the domain root, the Domain Controllers OU, or any site or OU that contains a large number of computer accounts.
  9. Manage all top-level OUs, as well as any OUs containing a large number of user accounts, computer accounts or security groups.
  10. Manage any default administrative accounts and groups, and/or any users or groups that have been delegated privileged access.

        * Manage includes the ability to modify the security permissions on the AD object, as well as the ability to change its ownership.

Finally, any user who can modify the local Administrators group on a large number of domain-joined computers must also be considered privileged, as ideally should be all computers whose domain computer accounts are Trusted for unconstrained delegation.

Users with Unrestricted Privileged Access

In Active Directory, the following users must be considered highly and equally privileged in nature -

  1. All domain accounts that may directly/indirectly be members of any default Active Directory administrative groups.

  2. Anyone who can perform any of the administrative tasks listed in the Domain-Admin Equivalent Tasks list above.

  3. Anyone who may have sufficient effective permissions to be able to change the membership or ownership of, or permissions on all domain security groups identified in step 1 above.

  4. Anyone who may have sufficient effective permissions to be able to reset the password of, or change the ownership of or permissions on all domain accounts identified in steps 1, 2 and 3 above.


It is easy to enumerate the members of default Active Directory administrative groups, but it is difficult to accurately identify all accounts that can enact measures 3 and 4 above. Yet it is paramount to make these determinations, and to make them accurately, i.e. based on effective permissions analysis.

Effective Permissions - The Keys to Privileged Access

From AdminSDHolder to Domain Admins, and from the default Administrator account to the CEO's domain user account, literally everything in Active Directory is an AD object.

Every AD object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Thus, what provides accurate insight into privileged access is not an assessment of Who has what permissions in Active Directory but an assessment of Who has what effective permissions in Active Directory.

Consequently, to correctly find out who has what privileged access in Active Directory, and to determine who can enact each one of the above listed Domain Admin Equivalent Tasks, organizations need to assess effective permissions in Active Directory.
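As an added example (not the page's or any vendor's own code), the following Python models why an assessment of effective permissions differs from a listing of permissions: it expands nested group membership, applies the rule that an explicit Deny ACE overrides an Allow ACE for the same right, and flags principals who end up with Domain Admin equivalent rights on a privileged group or account. All object names, groups, ACEs and right names are constructed; real AD ACLs also carry inheritance and ownership, which this model deliberately omits.

```python
from collections import namedtuple
# An ACE: trustee (user or group), allow (True = Allow, False = Deny), rights (frozenset)
Ace = namedtuple("Ace", "trustee allow rights")
# Constructed nested membership: principal -> groups it is a direct member of
MEMBER_OF = {
    "jsmith": {"HelpDesk-L2"},
    "HelpDesk-L2": {"HelpDesk"},
    "contractor1": {"HelpDesk"},
}
# Constructed ACLs (explicit ACEs only; inheritance and ownership are not modelled)
ACLS = {
    "CN=Domain Admins": [
        Ace("HelpDesk", True, frozenset({"WriteMember"})),      # over-broad delegation
        Ace("contractor1", False, frozenset({"WriteMember"})),  # explicit Deny wins
    ],
    "CN=da-admin": [Ace("HelpDesk-L2", True, frozenset({"ResetPassword"}))],
}
# Rights on these two objects that the page treats as Domain Admin equivalent
DA_EQUIV = {"CN=Domain Admins": {"WriteMember", "WriteDacl", "WriteOwner"},
            "CN=da-admin": {"ResetPassword", "WriteDacl", "WriteOwner"}}

def expand_principal(name):
    """Return the principal plus every group it transitively belongs to."""
    seen, stack = set(), [name]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def effective_rights(principal, obj):
    """Rights actually held on obj: matching Allow ACEs minus matching Deny ACEs."""
    tokens = expand_principal(principal)
    allowed, denied = set(), set()
    for ace in ACLS.get(obj, []):
        if ace.trustee in tokens:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def da_equivalent_principals(principals):
    """Map each principal to the DA-equivalent rights it effectively holds."""
    flagged = {}
    for p in principals:
        hits = [f"{obj}:{r}" for obj, rs in DA_EQUIV.items()
                for r in sorted(effective_rights(p, obj) & rs)]
        if hits:
            flagged[p] = hits
    return flagged
```

Note that jsmith never appears in any ACL, yet is flagged through two levels of group nesting, while contractor1 is a direct member of the delegated group and is not flagged because of the explicit Deny.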


How to Correctly Assess Privileged Access in AD

All organizations operating on Active Directory, and specifically their Domain Admins, IT personnel and IT auditors, must know how to correctly assess privileged access in Active Directory, because this is paramount to their cyber security.

Unfortunately, many organizations still do not know how to correctly assess privileged access in Active Directory.

All organizations worldwide are highly encouraged to learn how to do so, because the compromise of a single inadequately protected Active Directory privileged user account could result in a massive breach.

History is witness that virtually all major cyber security breaches, including the Colonial Pipeline Hack, the SolarWinds Breach, Snowden, JP Morgan, Target Breach, the OPM Breach, the Sony Hack, the Microsoft breach and several other breaches, have all involved the compromise and subsequent misuse of a single Active Directory privileged user account, just one account.

Every organization operating on Active Directory must know how to correctly assess privileged access in Active Directory.


Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
