
Consider This
What secures access to every single asset and controls every privileged action in Active Directory?
Each one of the following involves a privileged action on a securable asset in Active Directory:
Escalate privilege in Active Directory
Run Mimikatz DCSync against an Active Directory domain
Change the membership of any/all Active Directory security groups
Reset the passwords of any/all Active Directory user and computer accounts
Modify the ACLs protecting any/all Active Directory objects, e.g. AdminSDHolder
Change the ownership of any/all Active Directory objects, e.g. Enterprise Admins
Link a GPO to any/all OUs, e.g. the default Domain Controllers OU, or to the domain root
Create, manage, modify or delete domain user accounts, computer accounts and security groups
Create, manage, modify or sever trust relationships and connections to the Cloud, e.g. Microsoft Azure
Modify critical Active Directory operational data in the Active Directory Configuration and Schema partitions
One and only one thing secures access to every asset, and controls every privileged action in Active Directory - this.
Consequently, the #1 challenge in Active Directory Security is...

Accurate Access Assessment in Active Directory
Microsoft Active Directory is the foundation of cyber security and privileged access at 85% of organizations worldwide.
At these organizations, all primary identities (domain user accounts), hosts (domain-joined computers), security groups, and the most powerful privileged accounts and groups are stored, managed and secured in Active Directory.
Each one of these accounts and groups, and in fact everything in Active Directory, is represented as an object in Active Directory, and is secured by an access control list (ACL) that specifies who has what security permissions on the object.
The ACL of each Active Directory object contains many security permissions. Each one allows or denies, either explicitly or via inheritance, generic or specific access to a specific user, computer or security group. Access allowed to an account or group in one permission can simultaneously be denied to the same account or group in another permission, either directly or via group membership, and either explicitly or via inheritance.
Consequently, what ultimately determines the actual access a user has on an Active Directory object is the resulting set of permissions the user is actually granted (i.e. effectively allowed) on the object, once the collective impact of all the security permissions specified in the object's access control list (ACL) has been accurately considered.
This actual resulting set of permissions on an Active Directory object is called Active Directory Effective Permissions.
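The resolution described above can be sketched as a small model. This is an added example, not code from this page or from any product it mentions, and it assumes the standard Windows canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow). It is deliberately simplified: names stand in for SIDs, right labels are illustrative, and object-specific ACEs, owner rights and per-level inheritance ordering are left out.

```python
from dataclasses import dataclass

@dataclass
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # account or group name, standing in for a SID
    rights: set             # simplified right labels, e.g. {"WriteDacl"}
    inherited: bool = False

def token_sids(user, member_of):
    """Expand direct and nested group memberships into the user's identity set."""
    seen, stack = {user}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def effective_permissions(user, dacl, member_of):
    """Return the rights the user actually ends up with on the object."""
    sids = token_sids(user, member_of)
    granted, denied = set(), set()
    for ace in canonical(dacl):
        if ace.trustee not in sids:
            continue
        undecided = ace.rights - granted - denied   # first matching ACE wins per right
        (denied if ace.kind == "deny" else granted).update(undecided)
    return granted

# Constructed sample data (not from any real directory).
MEMBER_OF = {"alice": ["Helpdesk"], "Helpdesk": ["IT Staff"], "bob": ["IT Staff"]}
DACL = [
    Ace("allow", "IT Staff", {"ReadProperty", "ResetPassword"}, inherited=True),
    Ace("deny", "Helpdesk", {"ResetPassword"}, inherited=True),
    Ace("allow", "alice", {"WriteDacl"}),
    Ace("deny", "IT Staff", {"WriteDacl"}, inherited=True),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(effective_permissions(user, DACL, MEMBER_OF)))
```

In the sample, alice keeps WriteDacl because her explicit allow is evaluated before the inherited deny on IT Staff, while the inherited deny on Helpdesk, reached through nested membership, removes ResetPassword. Reading any single ACE in isolation would give the wrong answer for both users.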
They are paramount to Active Directory security because not a single Active Directory object, and thus not a single Active Directory domain, can be adequately secured without being able to accurately determine effective permissions on (or in) it.
The accurate determination of Active Directory Effective Permissions is the biggest challenge in Active Directory security because there are hundreds of complicated security permissions (e.g. explicit, inherited, allow, deny, object-specific etc.) involved, and it is very difficult to accurately assess their collective impact on who has what access in Active Directory.
This is absolutely fundamental and paramount to Active Directory security because it is impossible to accurately lock down access in Active Directory without being able to accurately assess who has what effective permissions in Active Directory.
We develop the world's most advanced Active Directory access assessment products, powered by accurate Active Directory Effective Permissions analysis, and they enable organizations to accurately assess and lock down access in Active Directory.
Corporate Headquarters
620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.
Telephone: 001-949-468-5770















