
Audit and Regulatory Compliance

Correctly fulfill Active Directory audit and regulatory compliance requirements.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager      
Identity and Security Business Group

Active Directory is the focal point of Audit and Compliance

Active Directory - The Focal Point of Audit and Regulatory Compliance

The vast majority of organizations worldwide operate on Active Directory.

At such organizations, all of the organization's primary identities (domain user accounts) and credentials, hosts (domain computer accounts) and security groups reside in, and are managed and secured in, Active Directory. For their management and security, a vast amount of privileged access is provisioned and delegated in Active Directory.

In addition, the "Keys to the Kingdom", i.e. the most powerful privileged accounts and groups reside in Active Directory.

Consequently, Active Directory is the focal point for governance, risk and compliance driven cyber security audits, and at most organizations worldwide, the vast majority of cyber security and privileged access audits involve Active Directory.

Privileged Access Assessment in Active Directory

A Cardinal Requirement - Privileged Access Assessment

Today there exist several regulations such as SOX, FISMA, PCI, ISO 27002, HIPAA and others to bolster organizational resiliency against cyber attacks, and if there's one cardinal cyber security assessment requirement common to them, it is "accurate visibility into privileged access."

Specifically, the accurate identification of privileged accounts in Active Directory is paramount for organizational security.

It is paramount because should even one such privileged account be left unidentified and thus inadequately protected, it could be the weakest link in organizational security and its compromise could result in a massive system-wide breach.

Given the vast amount of default and provisioned privileged access that exists in Active Directory deployments, accurate privileged access visibility requires a formal, fail-proof and systematic approach to accurately auditing privileged access.

An accurate privileged access assessment provides organizations accurate visibility into privileged access in Active Directory, and it is the only correct way to trustworthily fulfill such audit and regulatory compliance driven requirements.


Accurate Privileged Access Assessment in Active Directory

The correct way to accurately identify privileged accounts in Active Directory


There is an ocean of privileged access that exists in every Active Directory, both by default as well as based on any administrative delegations and custom access provisioning that may have been done in Active Directory over time.

To accurately identify all privileged users in Active Directory, organizations need to correctly analyze this ocean of access inside Active Directory and identify all accounts that effectively possess Domain-Admin equivalent privileged access.

The accurate identification of privileged accounts in Active Directory thus begins with and requires an understanding of what constitutes a privileged user in Active Directory and how to correctly assess privileged access in Active Directory.

It requires the fundamental capability to accurately determine Active Directory Effective Permissions, and based on it, the capability to be able to accurately and efficiently assess who has what privileged access in Active Directory domain-wide.

An accurate privileged access assessment thus involves an accurate assessment of effective permissions on all objects in Active Directory to determine who actually has what access, including privileged access, and where in Active Directory.

Active Directory Effective Permissions

Effective Permissions - The Keys to Privileged Access

From AdminSDHolder to Domain Admins, and from the default Administrator account to the entirety of all domain user accounts in Active Directory, literally everything in Active Directory is an AD object.

Every AD object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Thus, what provides accurate insight into privileged access is not an analysis of who has what permissions in Active Directory, but an analysis of who has what effective permissions in Active Directory.

Consequently, to correctly determine who has what privileged access in Active Directory, organizations and auditors need to be able to accurately determine effective permissions in Active Directory.
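
The difference between the permissions listed in an ACL and the resulting effective permissions can be seen in a small model. The following is an added example, not Gold Finger's code or algorithm and not part of the original page; it assumes the standard Windows behaviour of evaluating access control entries (ACEs) in canonical order, and all principals, groups, rights labels and ACEs are constructed sample data. Property-specific ACEs and inheritance flags are left out.

```python
# Added example: simplified model of effective permissions on one AD object.
# All principals, groups, rights labels and ACEs are constructed sample data.
from collections import namedtuple

Ace = namedtuple("Ace", "kind trustee rights inherited")  # kind: "allow" or "deny"

# Constructed group nesting: member -> groups it directly belongs to
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Contractors"},
    "carol": {"Tier2"},
    "Tier2": {"Helpdesk"},        # nested group
    "Contractors": {"Helpdesk"},  # nested group
}

# Constructed ACL on a hypothetical domain user object
ACL = [
    Ace("allow", "Helpdesk", {"ResetPassword", "WriteProperty"}, True),
    Ace("deny", "Contractors", {"ResetPassword"}, False),
    Ace("allow", "carol", {"WriteDacl"}, False),
]

def token_groups(principal):
    """Return the principal plus every group reached through nested membership."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def effective_rights(principal, acl):
    """Walk the ACEs in order; the first ACE that mentions a right decides it."""
    sids = token_groups(principal)
    granted, denied = set(), set()
    for ace in canonical(acl):
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny":
            denied |= ace.rights - granted
        else:
            granted |= ace.rights - denied
    return granted

def who_can(right, principals, acl):
    """List the principals whose effective rights include the given right."""
    return sorted(p for p in principals if right in effective_rights(p, acl))
```

Reading the ACL alone suggests that every Helpdesk member can reset the password; the effective result excludes bob, who reaches Helpdesk only through Contractors and is caught by the explicit deny, while carol holds WriteDacl in addition to the rights she inherits through nested membership.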


Gold Finger

Our Solution

How our solution helps fulfill multiple audit and regulatory compliance needs in Active Directory.


Gold Finger, our unique, innovative Active Directory Privileged Access Assessment solution fully automates the accurate determination of effective permissions domain-wide in Active Directory, thereby enabling and empowering organizations to effortlessly perform accurate Privileged Access Assessments.

The ability to perform accurate Privileged Access Assessments in Active Directory provides organizations trustworthy (accurate) visibility into the state of privileged access in Active Directory.

In this manner, our solution enables auditors and organizations to accurately assess privileged access in Active Directory and helps them correctly fulfill vital Active Directory focused and governance, risk and compliance driven audit needs.

Gold Finger is architected by a former Microsoft Program Manager for Active Directory Security and endorsed by Microsoft.




An overview of its Active Directory focused security and privileged access assessment capabilities is provided below.

Active Directory Privileged Access Assessor

Automated Privileged Access Assessment in Active Directory

Our solution uniquely automates the assessment of privileged access in Active Directory.


Gold Finger's unique, innovative Active Directory Privileged Access Assessor tooling is purpose-built to enable and empower organizations to effortlessly assess exactly who has what privileged access, where and how in Active Directory, based on an accurate assessment of Active Directory Effective Permissions on thousands of objects.

It can accurately assess exactly who has what privileged access, where and how, domain-wide -

  1. Who can create and/or delete user accounts, computer accounts, security groups and OUs in Active Directory?

  2. Who can reset the passwords of, disable/enable, unlock, unexpire, etc. all domain user accounts in a domain?

  3. Who can change the group membership, type or scope of all domain security groups in Active Directory?

  4. Who can enact various security sensitive tasks on all domain accounts and security groups in Active Directory?

  5. Who can change security permissions on or ownership of all domain user accounts, domain computer accounts, domain security groups, containers and OUs in Active Directory?


It can make all these privileged access assessments in Active Directory accurately and instantly at the touch of a button, helping organizations accomplish in minutes what would otherwise take months to do, delivering substantial efficiencies.

Active Directory Privilege Escalation Path Identifier

Automated Privilege Escalation Path Identification in Active Directory

Our solution uniquely and fully automates the identification of privilege escalation paths in Active Directory.


Gold Finger's unique, innovative Active Directory Privilege Escalation Path Identifier tooling is purpose-built to enable organizations to accurately identify exactly who has what privilege escalation paths to any Active Directory object, and how, based on an accurate assessment of Active Directory Effective Permissions.

It can instantly and accurately make the most valuable privileged access determinations in organizational cyber security -

  1. Who can escalate privilege to a(ny) domain account, security group, OU or the domain-root in Active Directory?

  2. What escalation paths does an account have to a specific domain user account, computer account, security group, OU or the domain-root in Active Directory?

  3. Which administrative task(s) can a specific account enact to escalate privilege to a specific Active Directory object?

  4. Which security permissions in an Active Directory object's ACL enable a specific account to escalate privilege to it?


Gold Finger is the only tooling in the world that can accurately identify privilege escalation paths in Active Directory and only it can make these paramount escalation path identifications in Active Directory accurately, and at a button's touch.


Active Directory Security Auditor

Additional Audit Capabilities

Our solution also automates additional easier Active Directory audit capabilities.


Gold Finger is unique in its ability to accurately perform the two paramount determinations listed above - Active Directory Privileged Access Assessment and Active Directory Privilege Escalation Path Identification.

In addition, it can also help trustworthily perform far, far easier aspects of an Active Directory Audit i.e. -

  1. It can instantly perform a basic Active Directory Inventory/Security Audit, involving an audit of the entire contents of Active Directory, i.e. all domain user and computer accounts (and their states), all security groups and all OUs.

  2. It can instantly perform an Active Directory Membership Audit, involving the enumeration of domain security group memberships, identifying all members of security groups, and all security groups to which an account belongs.

  3. It can instantly perform an Active Directory Permissions Audit, involving a comprehensive audit of all security permissions in Active Directory, identifying who has what permissions, where and which ones, domain-wide.


In essence, our unique Microsoft-endorsed Gold Finger can help organizations accomplish numerous Active Directory focused regulatory compliance driven audit needs, and do so instantly and accurately, all at the touch of a button.


Our Unique Audit and Compliance Reports

Here are some paramount Active Directory Audit and Compliance Reports that only* our solutions can generate -

  • List of all users who can create and/or delete domain user accounts in Active Directory
  • List of all users who can create and/or delete domain computer accounts in Active Directory
  • List of all users who can create and/or delete domain security groups in Active Directory
  • List of all users who can reset the passwords of domain user accounts in Active Directory
  • List of all users who can disable the use of smartcards for interactive logon in Active Directory
  • List of all users who can have domain computer accounts be 'Trusted for Unconstrained Delegation' in Active Directory
  • List of all users who can change the group membership of domain security groups in Active Directory
  • List of all users who can enable disabled domain user accounts or unlock locked domain user accounts in Active Directory
  • List of all users who can delegate administrative/privileged access or change existing administrative delegations in Active Directory
  • List of all users who have privileged access in Active Directory, including what access they have, where they have it, and how they have it

     Note: Only our Active Directory access assessment solutions can make these determinations based on an accurate assessment of effective permissions in Active Directory.

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
