
Active Directory
Active Directory is Foundational.
Active Directory is the lifeline and foundation of IT and cyber security in IT infrastructures powered by Windows Server.
At 85% of organizations worldwide, all organizational user accounts and passwords are stored, protected and managed in Active Directory and almost all organizational computers are joined to, secured by and managed from Active Directory.
Further, access to the entirety of an organization's IT assets (files, folders, applications, portals, email etc.) is controlled using domain security groups, which too are stored in Active Directory.
As such, in Windows based networks, all three A's of cyber security i.e. Authentication, Authorization and Auditing are completely integrated with and depend on Active Directory, and the most powerful privileged accounts and groups, and the majority of all privileged access lies in Active Directory.
Most importantly, Active Directory enables organizations to operate autonomously, i.e. without having to relinquish control of their primary identities, their security and their organizational privacy to an external entity (e.g. a Cloud IDP provider.)
An organization's foundational Active Directory is thus undoubtedly one of its most valuable and most targeted assets.

Active Directory Security is Paramount
The compromise of Active Directory would be tantamount to a system-wide compromise.
Active Directory Security is paramount to organizational cyber security because an Active Directory compromise or breach is tantamount to a catastrophic system-wide compromise.
It is catastrophic because once a perpetrator has compromised an organization's Active Directory, he/she would have compromised its very foundation of security, and obtained command and control (C2) over it.
This would allow the perpetrator the ability to access, tamper, copy, divulge, exfiltrate and/or destroy just about any and practically every organizational IT resource.
An Active Directory compromise is thus tantamount to a compromise of the foundation of organizational cyber security.
Consequently, the adequate protection of an organization's foundational Active Directory and its contents must be the #1 cyber security and corporate priority for every organization.
The Principle of Adequate Protection states that "An asset must be protected to a degree consistent with its value". Given Active Directory's foundational role, its security must be the highest cyber security priority.

Active Directory is Target #1
Active Directory is the #1 target for perpetrators today.
History is witness that in virtually all major breaches in the last decade, including the SolarWinds Breach, the Colonial Pipeline Hack, Snowden, JP Morgan, Target, the OPM Breach, the Sony Hack, the Anthem Breach, the Microsoft breach and others, the perpetrators targeted Active Directory.
It's no wonder that most popular hacking tools used today, such as Mimikatz and BloodHound, target Active Directory.
None of this is surprising though, because as shared above, and as the world has witnessed, the compromise of Active Directory gives perpetrators complete command and control over the entire IT infrastructure.
Active Directory is target #1, and any organization whose Active Directory is not adequately protected, could be next.

The Active Directory Attack Surface
The Active Directory attack surface is vast but defendable.
Active Directory is extremely stable, robust and highly securable, but it does require organizations to adequately secure it and its contents i.e. attain and maintain least privilege access, and adequately protect it.
The adequate protection of Active Directory and its contents requires that organizations identify, understand and then sufficiently secure and defend its attack surface, comprised of -
Domain Controllers and Admin Workstations
Active Directory Privileged User Accounts and Groups
Active Directory Contents and Configuration Data
Active Directory Logical Structure (Trust Relationships)
Active Directory Backups
Saliently, a considerable portion of its attack surface resides within Active Directory and is actually comprised of its contents, which includes all organizational user accounts, computer accounts, credentials and security groups.

Securing Active Directory
Active Directory can be adequately secured using nominal resources - a small team of trustworthy and proficient IT personnel, a few essential cyber capabilities, trustworthy guidance and secure computing practices.
Adequately securing Active Directory requires five (5) security measures -
1. Protecting Domain Controllers and Admin Workstations
2. a) Accurately Identifying and then b) Securing Active Directory Privileged Users and Groups
3. Securing Active Directory Contents and Configuration Data
4. Ensuring a Sound Active Directory Logical Structure
5. Adequately Securing Active Directory Backups
Organizations need only enact these measures to secure Active Directory, and of these security measures, measures 1, 4 and 5 are easy and straightforward to accomplish and Microsoft offers guidance on how organizations can do so.
It is security measures 2 and 3 that have been challenging to accomplish, but now these too can be easily accomplished as they only require the ability to accurately assess and lockdown access in Active Directory.

Accomplishing Security Measures #1, 4 and 5
Basic Active Directory Security Measures.
The accomplishment of security measures 1, 4 and 5 is rather straightforward and easy and Microsoft Corporation provides sufficient prescriptive guidance on how to implement these basic Active Directory security measures.
Security measure #1. Protecting Domain Controllers and Admin Workstations is a very important security measure, one that involves adequately protecting Domain Controllers and dedicated Secure Administrative Workstations (SAWs), but is one that is by now a substantially well-understood, documented and adequately implementable security measure.
Active Directory Security actually begins with security measure #4. Establishing a Sound Logical Structure and consequently, at most organizations, this measure is already accomplished even before Active Directory is installed.
Security measure #5. Adequately Securing Active Directory Backups is also a relatively simple process measure to implement, and essentially involves ensuring the highest levels of physical security for Active Directory Backups.
That leaves Security Measure #2 and Security Measure #3 and it is these two measures that are challenging for organizations to implement. It is these two measures that our solutions substantially address, as described below.

Accomplishing Security Measure #2A
Accurately Identifying Active Directory Privileged User Accounts and Groups
The accurate identification and adequate protection of all Active Directory privileged user accounts and groups is paramount to organizational cyber security because it involves protecting the proverbial "Keys to the Kingdom".
The accurate identification of Active Directory privileged accounts and groups is the very first step in securing privileged access because it is vital to correctly identify every account and group that has privileged access in Active Directory.
In fact, this first step is also cardinal to several organizational cyber security areas including Privileged Account Discovery (PAD), Privileged Access/User Audit, Least Privilege Access (LPA) and Privileged Access Management (PAM).
The accurate identification of privileged user accounts and groups in Active Directory involves correctly identifying every single account and group that has Domain Admin equivalent (i.e. unrestricted) privileged access in Active Directory.
The key to implementing this measure lies in knowing how to accurately assess privileged access in Active Directory and subsequently applying that knowledge to correctly identify all privileged user accounts and groups in Active Directory.

Accomplishing Security Measure #2B
Securing Active Directory Privileged User Accounts and Groups
The accurate identification and adequate protection of all Active Directory privileged user accounts and groups is paramount to organizational cyber security because it involves protecting the "Keys to the Kingdom".
The securing of Active Directory privileged accounts and groups is the second step in securing privileged access, and it is a cardinal aspect of Privileged Access Management (PAM) and Least Privilege Access (LPA).
It is imperative to understand that the vast majority (99%) of all privileged user accounts and groups in Active Directory are all actually Active Directory objects residing in Active Directory (AD) and protected by AD access control lists (ACLs).
Consequently, the security afforded to all Active Directory privileged user accounts and groups is actually controlled by the actual access that is effectively granted on each of these Active Directory privileged user accounts and groups.
This actual access that is effectively granted on these accounts/groups is called Active Directory Effective Permissions.
Active Directory Effective Permissions control everything, including who can create, secure, manage, modify and delete every single privileged account and group in Active Directory, and thus the key to securing Active Directory privileged accounts and groups lies in being able to accurately assess effective permissions in Active Directory.

Accomplishing Security Measure #3
Securing Active Directory Contents and Configuration Data
The mission-critical contents of Active Directory are the reason that Active Directory security is paramount.
After all, the contents of Active Directory are comprised of the entirety of an organization's primary identities (user accounts), hosts (computer accounts), security groups, policies, privileged accounts and groups.
Each of these building blocks of organizational cyber security is represented by an object in Active Directory.
In fact, everything in Active Directory, including its configuration data, is an object, protected by an access control list (ACL), and in thousands of ACLs lie thousands of security permissions that govern who has what access.
These permissions control everything, from who can create, manage and delete accounts, computers and groups to who can modify configuration data, to who can control and access everything domain-wide.
The security afforded to the entirety of Active Directory's contents is controlled by the actual access effectively granted on each of these Active Directory objects, also known as Active Directory Effective Permissions.
Active Directory Effective Permissions control everything, including who can create, secure, manage, modify and delete every single user account, computer account, group and all configuration data in Active Directory, and thus the key to securing Active Directory contents also lies in being able to accurately assess effective permissions in Active Directory.
The key to implementing this measure thus lies in being able to accurately assess and lockdown access in Active Directory, domain-wide, based on the accurate determination of Active Directory effective permissions on all objects.

The Keys to Securing Active Directory
Active Directory is highly securable and trustworthy.
Microsoft Active Directory is one of the most highly securable and trustworthy foundational technologies ever built.
Thousands of organizations worldwide have been securely operating on Active Directory for over two decades.
Active Directory's security model actually makes it possible to completely secure and lockdown its entire contents.
The one essential capability needed to adequately secure Active Directory is the ability to accurately assess access in it, because once you can accurately assess access, you can easily and precisely configure and lock down access, AD-wide.
The way to accurately assess access in Active Directory is by calculating Active Directory Effective Permissions.
Only those who do not possess the ability to accurately assess access in Active Directory find it hard to secure it.
Those who possess the ability to accurately assess access in Active Directory can easily secure and bulletproof it.
The keys to securing Active Directory thus lie in being able to accurately assess access in Active Directory.

Effective Permissions
The Keys to AD Security
Effective Permissions are the key to correctly identifying and locking down access in Active Directory.
From Domain Admins to every privileged account and group, and from the Domain Controllers OU to every DC's and admin workstation's computer account, as well as the domain root, literally everything in Active Directory is an AD object.
Every AD object is protected by an access control list (ACL) that specifies who has what permissions on the object, and it's the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.
It is not Who has what permissions in Active Directory but Who has what effective permissions in Active Directory that ultimately governs the security of all Active Directory content, including all privileged users and groups, content and DCs.
Thus, effective permissions are the key to correctly identifying who has what access, including privileged access, in any Active Directory, and consequently the key to all of Active Directory Security.
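The difference between permissions listed in an ACL and effective permissions, as an added example that is not from the original page and is not the vendor's code or algorithm: a simplified Python model that expands nested group membership and lets the first applicable ACE in canonical order decide each right. All user, group and right names are constructed, and the model assumes canonical ACE ordering while ignoring object-type ACEs, ownership and inherit-only flags.

```python
# Added example: simplified effective-permissions calculation over constructed data.
# Assumes canonical ACE order; ignores object-type ACEs, ownership, inherit-only flags.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group the ACE names
    rights: frozenset    # constructed right names standing in for access-mask bits
    inherited: bool = False

def expand_groups(user, member_of):
    """Return the user plus every group reached through nested membership."""
    seen, stack = {user}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def canonical(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def effective_permissions(user, acl, member_of):
    """Each right is decided by the first ACE, in canonical order, that applies."""
    trustees = expand_groups(user, member_of)
    granted, denied = set(), set()
    for ace in canonical(acl):
        if ace.trustee in trustees:
            undecided = ace.rights - granted - denied
            (denied if ace.kind == "deny" else granted).update(undecided)
    return granted

# Constructed directory data (hypothetical names).
MEMBER_OF = {"alice": ["Helpdesk"], "bob": ["Helpdesk", "Contractors"],
             "carol": ["Contractors"], "Helpdesk": ["OU Delegates"]}
ACL = [
    Ace("allow", "OU Delegates", frozenset({"ReadProperty", "WriteProperty"}), True),
    Ace("deny", "Contractors", frozenset({"WriteProperty"}), True),
    Ace("allow", "Helpdesk", frozenset({"WriteDacl"})),
    Ace("deny", "bob", frozenset({"WriteDacl"})),
    Ace("allow", "carol", frozenset({"WriteProperty"})),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_permissions(user, ACL, MEMBER_OF)))
```

No ACE names alice, yet she ends up with WriteDacl through group membership, while carol's explicit allow outranks the inherited deny on her group; neither result is visible from reading the ACL entries one at a time.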

Our Solution
How our solution uniquely helps accomplish measures 2A, 2B and 3 above.
Gold Finger, our unique, innovative Microsoft-endorsed Active Directory Access Assessment tooling, architected by former Microsoft Program Manager for Active Directory Security, is the world's only cyber security solution that can accurately calculate effective permissions in Active Directory.
It delivers on a paramount need because not a single Active Directory object, and thus not a single Active Directory deployment, can be adequately secured without being able to accurately determine effective permissions on(/in) it.
Gold Finger can automatically and accurately determine exactly who has what effective permissions in Active Directory, and based on it also accurately determine exactly who has what privileged access, where and how, domain-wide in Active Directory, and accurately identify privilege escalation paths in Active Directory, in minutes, and at a button's touch.
The insights that Gold Finger delivers are absolutely essential for Active Directory Security and they can empower organizations to easily and quickly identify and lockdown all access, including privileged access, in Active Directory.
It thus uniquely enables organizations to accurately identify and adequately secure privileged accounts and groups, as well as accurately assess and lockdown access to the entirety of Active Directory's contents and configuration data.















