Active Directory Privileged Access Assessor
The world's only cyber security solution that can accurately assess privileged access in Active Directory.

Overview
Organizations have a paramount cyber security need to be able to accurately assess access inside their Active Directory to identify exactly who has what privileged access, where and how in Active Directory, driven by the need to -
Active Directory Privileged Access Assessor is a one-of-a-kind tool designed by former Microsoft Program Manager for Active Directory Security that uniquely empowers IT personnel to easily, instantly and trustworthily fulfill this need.

Instant, Accurate Privileged Access Assessment
There is one and only one way to accurately assess privileged access in Active Directory and that involves accurately determining effective permissions on Active Directory objects. Unfortunately, doing so accurately is extremely difficult.
Our Active Directory Privileged Access Assessor is the world's only tool that can automatically accurately determine effective permissions on thousands of Active Directory objects, and map them into enactable administrative tasks, to ultimately determine who actually has what privileged access, both unrestricted and delegated, in Active Directory.
It also identifies the underlying security permissions and security group memberships that enable all such identified privileged access, empowering organizations to quickly and easily lockdown privileged access in Active Directory.
Our Active Directory Privileged Access Assessor can thus deliver instant, accurate privileged access insights and uniquely empower you to find out exactly who has what privileged access in Active Directory, where and how.

Fulfills a Paramount Cyber Security Need
Privileged Access is the new holy grail for perpetrators and the #1 target in organizational cyber security worldwide.
At 85% of organizations worldwide, the proverbial Keys to the Kingdom, i.e. the most powerful Domain Admin level privileged access, as well as the vast majority of all privileged access, resides inside their Active Directory.
From the SolarWinds Breach to the Microsoft breach, and almost every major breach in the last decade, the perpetrators targeted and compromised just one account that had privileged access in Active Directory, then used it to inflict damage.
The single most important and effective cyber security measure organizations can take to prevent getting breached is to accurately assess (i.e. identify) and lock-down (minimize) the number of users with privileged access in Active Directory.
Our Microsoft-endorsed Active Directory Privileged Access Assessor uniquely enables organizations worldwide to instantly and accurately assess (i.e. identify) and then lock-down (minimize) privileged access in Active Directory.

Paramount Privileged Access Insights
Active Directory Privileged Access Assessor can accurately assess exactly who has what privileged access, where and how, on and across thousands of objects domain-wide in Active Directory, thereby helping organizations identify exactly -
- Who can create and/or delete user accounts, computer accounts, security groups and OUs in Active Directory?
- Who can reset the passwords of, disable/enable, unlock, unexpire, etc. all domain user accounts in a domain?
- Who can change the group membership, type or scope of all domain security groups in Active Directory?
- Who can enact various security sensitive tasks on all domain accounts and security groups in Active Directory?
- Who can change security permissions on or ownership of all domain user accounts, domain computer accounts, domain security groups, containers and OUs in Active Directory?
It can make all these privileged access assessments in Active Directory accurately and instantly at the touch of a button.

Unique in Capability
Only Gold Finger can accurately assess privileged access in Active Directory
Active Directory's security model lets organizations precisely delegate privileged access (i.e. administrative privileges), but it makes it very difficult to accurately assess privileged access, especially delegated administrative privileges.
In every AD, there are thousands of allow, deny, explicit and inherited security permissions, granted to users and groups, and together they impact the actual (effective) access, making it very difficult to accurately assess privileged access.
Most organizations and solutions do not know this fact, and determine "Who has what permissions in Active Directory," which is incorrect and delivers vastly inaccurate results, reliance upon which leaves them substantially vulnerable.
There is one and only one correct way to accurately assess privileged access in Active Directory, and that is by accurately determining "Who has what effective permissions in Active Directory?"
Only Gold Finger's Microsoft-endorsed effective access assessment capabilities can accurately determine effective permissions in Active Directory, and thus only Gold Finger can accurately assess privileged access in Active Directory.
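
Why "who has what permissions" and "who has what effective permissions" give different answers, shown as an added example that is not the product's code or algorithm. It is a simplified Python model with constructed names and a constructed ACL; it combines allow, deny, explicit and inherited entries with nested group membership, and ignores object-specific ACEs, ownership and property-level rights.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group the ACE names
    rights: frozenset    # simplified right names, e.g. {"ResetPassword"}
    inherited: bool = False

def expand_groups(principal, member_of):
    """The principal plus every group it belongs to, directly or through nesting."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen

def effective_rights(principal, acl, member_of):
    """Combine every applicable ACE in canonical order:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    sids = expand_groups(principal, member_of)
    granted, denied = set(), set()
    for ace in sorted(acl, key=lambda a: (a.inherited, a.kind != "deny")):
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny":
            denied |= ace.rights - granted   # a later deny cannot revoke an earlier grant
        else:
            granted |= ace.rights - denied   # a later allow cannot override an earlier deny
    return granted

def listed_rights(principal, acl):
    """Naive view: only allow ACEs that name the principal directly."""
    return set().union(*(a.rights for a in acl if a.kind == "allow" and a.trustee == principal))

# Constructed sample data: group nesting and the ACL on one user object.
RESET = frozenset({"ResetPassword"})
MEMBER_OF = {"alice": ["Tier1"], "Tier1": ["Helpdesk"],
             "bob": ["Contractors"], "dave": ["Helpdesk", "Contractors"]}
ACL = [Ace("allow", "Helpdesk", RESET, inherited=True),
       Ace("deny", "Contractors", RESET, inherited=True),
       Ace("allow", "bob", RESET)]

if __name__ == "__main__":
    for user in ("alice", "bob", "dave"):
        print(user, sorted(listed_rights(user, ACL)), sorted(effective_rights(user, ACL, MEMBER_OF)))
```

In this sample, alice is named by no ACE yet can reset the password through nested groups, dave is covered by an allow yet is blocked by the inherited deny, and bob's explicit allow takes precedence over the inherited deny on his group.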

Easily Attain and Maintain Least Privilege Access in Active Directory
All the building blocks of organizational cyber security i.e. accounts, credentials and groups reside in Active Directory, so attaining and maintaining least privilege access (LPA) in Active Directory is paramount to organizational cyber security.
To attain and maintain LPA in Active Directory (AD), organizations, first and foremost, need to be able to accurately assess who has what access in AD, because to lock-down access, one first needs to know who has what access.
Unfortunately, there exist thousands of complicated security permissions (e.g. explicit, inherited, allow, deny, object-specific, special rights etc.) in every Active Directory and they make it very difficult to accurately assess who currently has what access, in turn making it very difficult to lock-down access, and thus to attain and maintain LPA in Active Directory.
Our Active Directory Privileged Access Assessor can instantly, automatically and accurately determine who currently has what access, domain-wide, on all (thousands of) Active Directory objects, based on the accurate determination of effective permissions, thereby solving the problem of determining who actually has what access in Active Directory.
It also identifies and pinpoints the exact underlying permissions and group memberships that enable all identified access.
Thus, by automating the accurate assessment of who has what access, where and how, domain-wide in Active Directory, it lets organizations easily assess and lockdown access, and thus easily attain and maintain LPA in Active Directory.

Standard Mode
The Standard Mode (default mode) of Active Directory Privileged Access Assessor enables organizations to instantly, accurately and automatically determine exactly who has what access, where and how, domain-wide in Active Directory.
For example -
- Who can create and/or delete domain user accounts, security groups, OUs, etc. in Active Directory?
- Who can modify the membership of thousands of domain security groups in Active Directory?
- Who can modify permissions on any/all accounts, groups, OUs etc. in Active Directory?
- Who can reset the passwords of any/all domain user accounts in Active Directory?
- Who can replicate secrets (password-hashes) from Active Directory?

Single-User Mode
The Single-User Mode of Active Directory Privileged Access Assessor empowers organizations to instantly, accurately and automatically assess whether a specific user has any access in Active Directory, where and how.
For example -
- Can a specific user, James Campbell, create and/or delete accounts, security groups, OUs, etc. in Active Directory?
- Can a specific user, John Doe, modify the membership of any domain security groups in Active Directory?
- Can a specific contractor user modify permissions on any accounts, groups, OUs etc. in Active Directory?
- Can a specific delegated user reset the passwords of any domain user accounts in Active Directory?
- Can a specific user, Stuart Chan, replicate secrets (password-hashes) from Active Directory?

Features
- Accurate Domain-wide Privileged Access Assessment: Accurately assess privileged access domain-wide at a button's touch
- Enterprise-Grade Scalability: Automatically determine privileged access on thousands of objects
- Privileged Access Source Identification: Pinpoint permissions that entitle a user to specific privileged access
- Instant, Real-time Assessment: Instantly assess effective privileged access domain-wide in real-time
- Unrivaled Efficiency: Accomplish in minutes what could otherwise take months to do

Technical Summary
The accurate determination of privileged access in and across Active Directory is extremely difficult and challenging.
There is only one way to accurately assess privileged access in Active Directory and that involves determining effective permissions on Active Directory objects. Active Directory Privileged Access Assessor is the world's only tool that actually calculates effective permissions to accurately determine who has what privileged access in Active Directory.
Specifically, Active Directory Privileged Access Assessor accomplishes the remarkable technical feat of automating the accurate determination of effective permissions/access on thousands of Active Directory objects, in a process that involves correctly determining the collective impact of millions of security permissions, all done within minutes and in a single assessment, to identify exactly who has what privileged access in and across an entire Active Directory domain.

Benefits
- Accurately Assess Privileged Access in Active Directory: Accurately assess privileged access domain-wide in Active Directory
- Assess Privileged Access Domain-wide: Automatically assess privileged access on thousands of AD objects
- Attain Least Privilege Access in Active Directory: Reliably attain and maintain least privilege access in Active Directory
- Complete Steps 1, 2 and 3 of your PAM Journey: Accurately identify privileged users in AD, secure them and control access
- Demonstrate Regulatory Compliance: Correctly demonstrate compliance concerning privileged access in AD
Paramount Active Directory Privileged Access Insights
Active Directory Privileged Access Assessor can instantly and accurately identify -
- Who can run Mimikatz DCSync against your Active Directory?
- Who can modify the ACL protecting any and every object in Active Directory?
- Who can change the membership of any and all security groups in Active Directory?
- Who can link a malicious GPO to any and all OUs in Active Directory to unleash ransomware?
- Who can reset the passwords of any and all regular and privileged user accounts in Active Directory?
- Who can disable the use of Smartcards for interactive logon on all domain user accounts in Active Directory?
- Who can create, manage/control and delete accounts, groups and organizational units (OUs) in Active Directory?
- Who can change the membership of any and all security groups (e.g. Confidential Access Group) in Active Directory?
- Who can change privileged access in Active Directory to instantly obtain access to millions of organizational IT resources?
- Who can compromise Active Directory integrated apps/services (e.g. Azure Connect) by modifying Active Directory contents?
* If your existing tools merely rely on determining "Who has what permissions in Active Directory," you're likely operating on dangerously inaccurate insights.
Example Reports
The following real-world examples illustrate the Active Directory Privileged Access Assessor's unique capabilities -
- Instantly find out exactly who has what privileged access, where and how in and across Active Directory.
- Instantly identify who has unrestricted and delegated administrative privileges domain-wide in Active Directory.
- Find out exactly who can reset the passwords of all privileged domain user accounts (e.g. Administrator) in Active Directory.
- Discover exactly who can create domain user accounts, where (i.e. under which OUs), and how anywhere in Active Directory.
- Identify exactly who can reset the passwords of thousands of domain user accounts (e.g. CEO's account) in Active Directory.
- Uncover exactly who can change the membership of thousands of domain security groups (e.g. Enterprise Admins) in Active Directory.
- Find out exactly who can delete which domain user and computer accounts, security groups, OUs etc., and how in Active Directory.
- Identify exactly who can disable the requirement to have Smart-card authentication for all domain user accounts in Active Directory.
- Find out exactly who can change security permissions on the domain-root and on all OUs, domain accounts and security groups in Active Directory.
- Identify exactly who can change the ownership of the domain-root and that of all OUs, domain accounts and security groups in Active Directory.
In addition, our new also lets you accurately identify privilege escalation paths in Active Directory.

Eliminate The World's #1 Attack Vector
Active Directory Privilege Escalation based on the exploitation of a sea of excessive unidentified privileged access in Active Directory is the world's #1 attack vector because it threatens the foundational security of 85% of organizations.
It can be exploited to compromise the security of virtually everything in Active Directory, including any (and every) domain user account, computer account, group, OU etc., and particularly all-powerful Active Directory privileged accounts and groups, and high-value targets such as AzureADConnect that enable Cloud integration.
Fact - In virtually every major cyber security breach, including the SolarWinds Breach, Colonial Pipeline Hack, Okta Breach and most others, perpetrators targeted, exploited and misused privileged access in Active Directory to gain unrestricted system-wide access and swiftly inflict colossal damage.
One of the most effective security measures organizations can take is to assess (identify) and lockdown privileged access in Active Directory. Unfortunately, accurately assessing privileged access in Active Directory is very difficult.
Our Active Directory Privileged Access Assessor uniquely empowers organizations to accurately, quickly and easily assess (identify) and lockdown all privileged access in their Active Directory, including all excessive privileged access, virtually eliminating the #1 attack vector.
Finally, our latest addition to the Gold Finger suite, the new unrivaled Active Directory Privilege Escalation Path Identifier also lets you accurately identify privilege escalation paths in Active Directory.

Requirements and Licensing
Active Directory Privileged Access Assessor can be instantly downloaded, installed and run on any Windows computer. Its use does not require any administrative privileges, any changes to or any knowledge of Active Directory.
The tool is licensed on a subscription model, and can be licensed on an annual basis.
Corporate Headquarters
620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.
Telephone: 001-949-468-5770




















