
Active Directory
Active Directory Security is Paramount.
Active Directory Security is paramount to organizational cyber security because Active Directory is the foundation of IT, cyber security and privileged access at 85% of all organizations.
At 85% of organizations worldwide, the entirety of an organization's user accounts and passwords are stored, protected and managed in Active Directory and the majority of organizational computers are joined to, secured by and managed from Active Directory. Further, access to the entirety of an organization's IT assets (files, folders, applications, portals, email etc.) is controlled using domain security groups, which too are stored, secured and managed in Active Directory.
As such, at such organizations, all three essential A's of cyber security, i.e. Authentication, Authorization and Auditing, are completely integrated with and depend on Active Directory, and the most powerful privileged accounts and groups, and the majority of all privileged access, lie in Active Directory.
An organization's foundational Active Directory is thus undoubtedly one of its most valuable and most targeted assets, and consequently Active Directory Security must be every organization's highest organizational cyber security priority.

Active Directory Attack Surface
Understanding the Active Directory Attack Surface is vital to its defense.
The adequate protection of Active Directory and its contents requires that organizations identify, understand and then sufficiently secure and defend its attack surface, comprised of -
- Domain Controllers and Admin Workstations
- Active Directory Privileged User Accounts and Groups
- Active Directory Contents and Configuration Data
- Active Directory Logical Structure (Trust Relationships)
- Active Directory Backups
Notably, a considerable portion of its attack surface resides within Active Directory and is actually comprised of its contents, which include all organizational user accounts, computer accounts, credentials and security groups.

Securing Active Directory
Active Directory can be adequately secured using nominal resources - a small team of trustworthy and proficient IT personnel, a few essential cyber capabilities (1, 2 and 3), trustworthy guidance and secure computing practices.
Adequately securing Active Directory requires five (5) security measures -
1. Protecting Domain Controllers and Admin Workstations
2. a) Accurately Identifying and then b) Securing Active Directory Privileged Users and Groups
3. Securing Active Directory Contents and Configuration Data
4. Ensuring a Sound Active Directory Logical Structure
5. Adequately Securing Active Directory Backups
Organizations need only enact these measures to secure Active Directory. Of these security measures, measures 1, 4 and 5 are easy and straightforward to accomplish, and Microsoft offers guidance on how organizations can do so.
It is security measures 2 and 3 that have been challenging to accomplish, but now these too can be easily accomplished, as they only require the ability to accurately assess and lock down access in Active Directory.

Assessing Active Directory Security
Securing and defending Active Directory requires periodically performing an Active Directory Security Assessment, which is a simple, methodical process that involves a security assessment of all components of its attack surface -
1. Domain Controllers and Administrative Workstations
2. Active Directory Privileged Users and Groups
3. Active Directory Contents and Configuration Data
4. Active Directory Logical Structure
5. Active Directory Backups
Of these five components, a security assessment of the first component i.e. Domain Controllers and Admin Workstations falls under Systems security, a mature and well-understood area with various automated assessment solutions available.
A security assessment of the fourth component, i.e. Active Directory Logical Structure, primarily involves a review of its logical structure, i.e. all trust relationships, and an assessment of the fifth component, i.e. Active Directory Backups, involves assessing backup procedures, policies and the physical security afforded to Active Directory backups.
A security assessment of the second and third components i.e. Active Directory Privileged Users and Groups and Active Directory Contents and Configuration Data, is the most challenging of all because it involves accurately analyzing an ocean of access provisioned in Active Directory - millions of security permissions in thousands of Active Directory ACLs.

Automating Active Directory Security Assessment
A substantial portion of Active Directory Security Assessments involves sophisticated access analysis in Active Directory.
For instance, to begin with, the accurate identification of privileged users and groups in Active Directory involves and requires the accurate determination of effective permissions on numerous objects in an Active Directory domain.
Similarly, accurately assessing the security (access) afforded to the entirety of Active Directory's valuable contents, which include all domain user accounts, computer accounts and security groups, also involves the accurate determination of effective permissions on thousands of objects in an Active Directory domain.
The accurate determination of effective permissions in Active Directory is unfortunately a highly sophisticated, difficult, arduous and time-consuming process that not only requires proficient expertise but also has no room for error.
Consequently, the manual performance of such sophisticated access assessments on thousands of Active Directory objects can not only take a considerable amount of time and effort, but is also inherently exposed to risk of human error.
When it comes to security, accuracy is paramount, which is why such sophisticated assessments are best automated: automation delivers significant time and cost efficiencies and eliminates the risk of human error, delivering trustworthy results.
Our unique Microsoft-endorsed Active Directory Security Assessment Tools automate this highly sophisticated and complex access assessment process, empowering organizations to accurately, efficiently and reliably fulfill this need.

Effective Permissions - The Keys to Privileged Access
From AdminSDHolder to Domain Admins, and from the default Administrator's account to every delegated administrator's domain user account, literally everything in Active Directory is an AD object.
Every Active Directory object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.
Thus, what provides accurate insight into privileged access is not an audit of who has what permissions in Active Directory but an audit of who has what effective permissions in Active Directory.
Consequently, to accurately perform privileged account discovery in Active Directory, organizations need to be able to accurately audit effective permissions in their Active Directory.
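The effective-permission computation described in the two sections above, as a simplified added example that is not Gold Finger's or Paramount Defenses' code: it models one object's DACL with constructed ACEs and a constructed nested-group hierarchy, evaluates them in Windows canonical DACL order (explicit deny, explicit allow, inherited deny, inherited allow), and answers the "who has what effective permissions" question rather than the "who has what permissions" one. All names, right labels and the ACL are constructed; a real Active Directory DACL uses SIDs, access-mask bits and object-type GUIDs, and a complete determination must also account for object-specific ACEs, ownership, and cross-domain group nesting, none of which this model covers.

```python
"""Simplified model of Active Directory effective-permission determination.

Added example, not the page's or the vendor's code. Principals, groups,
right labels and the sample ACL are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed right labels. Real AD uses access-mask bits and extended-right
# GUIDs (e.g. the reset-password control access right); names are used here
# so the report reads like the audit questions on the page.
ALL_RIGHTS = frozenset(
    {"Read", "WriteMembers", "ResetPassword", "WriteDacl", "WriteOwner", "Delete"}
)


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the ACE applies to
    kind: str             # "Allow" or "Deny"
    rights: frozenset     # right labels; "GenericAll" expands to ALL_RIGHTS
    inherited: bool = False


# Constructed group hierarchy: group -> direct members (users or groups).
GROUP_MEMBERS = {
    "Helpdesk": {"alice", "Tier2"},
    "Tier2": {"bob"},
    "Domain Admins": {"carol"},
}

# Constructed DACL of a single user object (say a service account).
SAMPLE_ACL = [
    Ace("Domain Admins", "Allow", frozenset({"GenericAll"})),
    Ace("Helpdesk", "Allow", frozenset({"ResetPassword", "Read"})),
    Ace("bob", "Deny", frozenset({"ResetPassword"})),
    Ace("Authenticated Users", "Allow", frozenset({"Read"}), inherited=True),
    Ace("Tier2", "Allow", frozenset({"WriteDacl"}), inherited=True),
]

PRINCIPALS = ["alice", "bob", "carol", "dave"]


def expand_groups(principal, group_members):
    """Transitive closure of the groups `principal` belongs to (nested groups included)."""
    result = set()
    frontier = [principal]
    while frontier:
        current = frontier.pop()
        for group, members in group_members.items():
            if current in members and group not in result:
                result.add(group)
                frontier.append(group)
    return result


def canonical_order(acl):
    """Windows canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind != "Deny"))


def effective_permissions(principal, acl, group_members):
    """Rights `principal` actually holds on the object protected by `acl`.

    Every identity the principal carries (itself, the implicit Authenticated
    Users group, and all nested groups) is matched against each ACE in
    canonical order. A deny blocks only rights not yet granted by an earlier
    ACE, and an allow cannot restore a right an earlier deny removed.
    """
    identities = {principal, "Authenticated Users"} | expand_groups(principal, group_members)
    granted, denied = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        rights = set(ALL_RIGHTS) if "GenericAll" in ace.rights else set(ace.rights)
        if ace.kind == "Deny":
            denied |= rights - granted
        else:
            granted |= rights - denied
    return frozenset(granted)


def who_has(right, principals, acl, group_members):
    """Audit question in the page's form: which principals effectively hold `right`?"""
    return sorted(p for p in principals
                  if right in effective_permissions(p, acl, group_members))


if __name__ == "__main__":
    for p in PRINCIPALS:
        print(f"{p:6} -> {sorted(effective_permissions(p, SAMPLE_ACL, GROUP_MEMBERS))}")
    print("ResetPassword:", who_has("ResetPassword", PRINCIPALS, SAMPLE_ACL, GROUP_MEMBERS))
    print("WriteDacl:    ", who_has("WriteDacl", PRINCIPALS, SAMPLE_ACL, GROUP_MEMBERS))
```

The sample shows why reading the ACL alone misleads: bob appears in the ACL only in a Deny ACE, yet effectively holds WriteDacl through nested membership in an inherited ACE, and alice, who is named nowhere in the ACL, can reset the password. A defender auditing the object should treat WriteDacl and WriteOwner as equivalent to full control, since their holder can rewrite the ACL, which is exactly the kind of escalation path the page discusses.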

Our Solution
How our solution helps fulfill multiple Active Directory security assessment needs.
Gold Finger, our unique, innovative Microsoft-endorsed Active Directory Access Assessment Suite, architected by former Microsoft Program Manager for Active Directory Security, is the world's most versatile solution for performing Active Directory security assessments.
Specifically, Gold Finger can instantly, automatically and accurately perform Active Directory security assessments involving the accurate identification of privileged users in Active Directory as well as the accurate assessment of exactly who has what access, where and how, on Active Directory contents, domain-wide, in minutes and at a button's touch.
In essence, it enables organizations to accurately, efficiently and automatically assess virtually all aspects of Active Directory Security that require the analysis of access (including privileged access) on Active Directory contents based on the accurate determination of effective permissions in Active Directory on thousands of objects in Active Directory.
An overview of each of its various Active Directory Security Assessment capabilities is provided below.
Automated Assessment of Privileged Access in Active Directory
Our solution uniquely automates the assessment of privileged access in Active Directory.
Gold Finger's unique, innovative Active Directory Privileged Access Assessor tooling is purpose-built to enable and empower organizations to be able to effortlessly assess exactly who has what privileged access, where and how in Active Directory, based on an accurate assessment of Active Directory Effective Permissions on thousands of objects.
It can accurately assess and reveal exactly who has what privileged access, where and how, domain-wide -
Who can create and/or delete user accounts, computer accounts, security groups and OUs in Active Directory?
Who can reset the passwords of, disable/enable, unlock, unexpire, etc. all domain user accounts in a domain?
Who can change the group membership, type or scope of all domain security groups in Active Directory?
Who can enact various security sensitive tasks on all domain accounts and security groups in Active Directory?
Who can change security permissions on or ownership of all domain user accounts, domain computer accounts, domain security groups, containers and OUs in Active Directory?
It can make all these privileged access assessments in Active Directory accurately and instantly at the touch of a button, helping organizations accomplish in minutes what would otherwise take months to do, delivering substantial efficiencies.
Automated Assessment of Privilege Escalation Paths in Active Directory
Our solution uniquely automates the assessment of privilege escalation paths in Active Directory.
Gold Finger's unique, innovative Active Directory Privilege Escalation Path Identifier tooling is purpose-built to enable organizations to be able to accurately assess exactly who has what privilege escalation paths to any Active Directory object, and how, based on an accurate assessment of Active Directory Effective Permissions.
It can accurately make the most valuable privileged access assessments in organizational security -
Who can escalate privilege to a(ny) domain account, security group, OU or the domain-root in Active Directory?
What escalation paths does an account have to a specific domain user account, computer account, security group, OU or the domain-root in Active Directory?
Which administrative task(s) can a specific account enact to escalate privilege to a specific Active Directory object?
Which security permissions in an Active Directory object's ACL enable a specific account to escalate privilege to it?
Gold Finger is the only tooling in the world that can accurately identify privilege escalation paths in Active Directory and only it can make these paramount escalation path identifications in Active Directory accurately, and at a button's touch.
Additional Assessment Capabilities
Our solution also automates additional easier Active Directory Security assessment capabilities.
Gold Finger is unique in its ability to accurately perform the two paramount determinations listed above: Active Directory Privileged Access Assessment and Active Directory Privilege Escalation Path Identification.
In addition, it can also help trustworthily perform the far easier aspects of an Active Directory Security Assessment, i.e. -
It can instantly perform a basic Active Directory Inventory/Security Assessment, listing the entire contents of Active Directory, i.e. all domain user and computer accounts (and their states), security groups, containers and OUs.
It can instantly perform an Active Directory Membership Assessment, enumerating security group memberships, identifying all members of security groups, as well as all security groups to which an account currently belongs.
It can also instantly perform an Active Directory Permissions Assessment, analyzing Active Directory security permissions domain-wide, i.e. who has what security permissions, where and which ones in Active Directory.
In essence, our unique Microsoft-endorsed Gold Finger can help organizations accomplish the vast majority of Active Directory content and access focused security assessments, and do so instantly and accurately, all at a button's touch.
Our Unique Security Assessment Insights
Here are some paramount Active Directory Security Assessment insights that our solutions uniquely deliver -
- Who can escalate privilege in Active Directory?
- Who can run Mimikatz DCSync against an Active Directory domain?
- Who can change the membership of any/all Active Directory security groups?
- Who can reset the password of any/all domain user accounts in Active Directory?
- Who can change the permissions specified in the ACL of any/all Active Directory objects?
- Who can create a new inbound trust relationship or modify any/all existing trust relationships?
- Who can link a malicious GPO to instantly take over any/all secure administrative workstations (SAWs)?
- Who can change administrative control in Active Directory to instantly obtain access to all organizational IT resources?
- Who can launch a denial-of-service attack against any/all Active Directory integrated application/service? (e.g. Azure Connect)
- Who can link a malicious GPO to any OU to instantly gain command and control over thousands of domain-joined computers?
Corporate Headquarters
620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.
Telephone: 001-949-468-5770