Identity and Access Management

Trustworthily manage and secure identities and access in Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager
Identity and Security Business Group

Active Directory - The Foundation of Identity and Access Management

Microsoft Active Directory is the foundation of identity and access management at 85% of organizations worldwide

It is so because at organizations that operate on Active Directory, the entirety of an organization's primary identities (domain user accounts), and all essential components of access (computer accounts, security groups, passwords etc.) are stored, protected and managed in Active Directory.

Consequently, the management of identities and of the components that facilitate secure access is all done in Active Directory.

The management of identities and of the components that facilitate secure access is often distributed amongst various teams, and this distribution of management responsibilities is accomplished via administrative delegation or access provisioning.

Active Directory makes it easy for organizations to delegate administrative access with substantial precision, thus making it easy for organizations to securely delegate administrative responsibilities for identity and access management.

However, the sophistication of Active Directory's security model makes it challenging to accurately assess and verify administrative delegations and provisioned access, and to securely manage identities and access in Active Directory.

Identity Management in Active Directory

Active Directory is the heart and foundation of identity management


At organizations that operate on Windows Server, the entirety of an organization's primary identities (domain user accounts) reside in Active Directory in the form of securable Active Directory objects of class User.

Consequently, each of these primary identities, i.e. domain user accounts, is protected by Active Directory's security model, and all administrative tasks involved in the lifecycle management of identities are enacted in Active Directory.

Common identity management administrative tasks include the creation and deletion of domain user accounts, the setting and resetting of passwords, unlocking of locked accounts, enabling of disabled accounts and the modification of various attributes on domain user accounts, such as organizational title, email-addresses, UPNs, profile paths etc.

Each one of these identity management administrative tasks corresponds to performing a specific securable action on the Active Directory object representing the identity, and is thus controllable via Active Directory's security model.

The ability to control who can enact these identity management administrative tasks via Active Directory's security model lets organizations delegate administrative access for distributing identity management responsibilities amongst teams.

As a result, organizations can trustworthily delegate administrative access for identity management in Active Directory, thereby being able to securely, natively and autonomously manage all their primary identities in Active Directory.

Trustworthy Identity Management

Secure organizations know exactly who can manage their identities


Identity management (IdM) plays a vital role in organizational cyber security, and thus it is imperative to ensure that only authorized personnel can enact various critical identity management related administrative tasks.

Organizations must be able to ensure and verify that only authorized personnel can enact various IdM tasks, such as -

  1. Create (provision) and delete (deprovision) domain user accounts

  2. Reset domain user account passwords and enable/disable the use of Smartcards

  3. Unlock locked accounts, unexpire expired accounts and enable disabled accounts

  4. Change the expiration date of domain user accounts

  5. Change sensitive security settings on domain user accounts (e.g. Trusted for unconstrained delegation)


The unauthorized enactment of any of these tasks could result in a security incident. Consequently, it is imperative that organizations delegate/provision administrative access for all identity management tasks based on the principle of least privilege, and that they be able to assess and verify exactly who can enact these tasks at any point in time.

It is easy to precisely delegate/provision access for IdM tasks in Active Directory, but it remains a challenge to accurately assess, audit and verify who is delegated/provisioned what access in Active Directory. Our solution solves this challenge.

Access Management in Active Directory

Active Directory is the heart and foundation of access management


At organizations that operate on Windows Server, Active Directory is at the heart and foundation of access management because all domain security groups reside in Active Directory, and because an ocean of privileged access is provisioned in Active Directory to facilitate the secure distribution of responsibilities for identity and access management.


Consequently, there are two aspects of access management at work in Active Directory -

  1. The management of domain security groups that are used to provision access to all organizational IT resources.

  2. The management of the access provisioned within Active Directory itself for identity and access management, as well as the management of an ocean of default and custom privileged access provisioned in Active Directory.


The specifics of both these areas of access management in Active Directory are examined below in sufficient detail.

Access Management in Active Directory

Part I - Management of domain security groups


At organizations that operate on Windows Server, all domain security groups reside in Active Directory, in the form of securable Active Directory objects of class Group, each protected by Active Directory's security model, and all administrative tasks involved in the lifecycle management of these groups are enacted in Active Directory.

Common access management administrative tasks include the creation and deletion of domain security groups and the changing of group memberships. Each of these corresponds to performing a specific securable action on the Active Directory object representing the group, and is thus controllable via Active Directory's security model.

The ability to control who can enact these access management administrative tasks via Active Directory's security model lets organizations delegate administrative access for distributing access management responsibilities amongst teams.

As a result, organizations can trustworthily delegate administrative access for access management in Active Directory, thereby being able to securely, natively and autonomously manage all their domain security groups in Active Directory.

Access Management in Active Directory

Part II - Management of access provisioned in Active Directory


At organizations that operate on Windows Server, an ocean of access is delegated and provisioned inside Active Directory to facilitate the secure delegation and distribution of responsibilities for identity and access management.

This ocean of default, delegated and provisioned access exists inside the access control lists (ACLs) that protect the various securable objects in Active Directory, and it collectively controls who can enact which administrative tasks for identity and access management in Active Directory, i.e. creation, deletion and management of accounts and groups.

This access is usually provisioned by granting security permissions to various security principals in the ACLs of Active Directory objects, such as Organizational Units (OUs) if using inheritance, or directly on domain accounts and groups.

The management of access in Active Directory thus primarily involves a single but vital administrative task -

  1. The configuration (changing) of access (security permissions and/or principals) specified in Active Directory ACLs


Finally, because even a single unauthorized access grant can result in thousands of domain accounts and groups being left inadequately protected, it is equally important for trustworthy access management to accurately assess and verify all administrative delegations and provisioned access in Active Directory.

Trustworthy Access Management

Secure organizations know exactly who has what access in Active Directory


Access management (AcM) plays a paramount role in organizational cyber security, and thus it is absolutely imperative to ensure that only authorized personnel can enact various critical access management related administrative tasks.

Organizations must be able to ensure and verify that only authorized personnel can enact various AcM tasks, such as -

  1. Create and delete domain security groups

  2. Change membership, type or scope of domain security groups, including ability to add/remove oneself from a group

  3. Change security permissions on the domain root, organizational units, domain user accounts and security groups

  4. Change the ownership of the domain root, organizational units, domain user accounts and security groups

  5. Create and delete organizational units (in which domain accounts and groups could then be created, or to which they could be moved)


The unauthorized enactment of any of these tasks could result in a security incident. Consequently, it is imperative that organizations delegate/provision administrative access for all access management tasks based on the principle of least privilege, and that they be able to assess and verify exactly who can enact these tasks at any point in time.

It is easy to precisely delegate/provision access for AcM tasks in Active Directory, but it remains a challenge to accurately assess, audit and verify who is delegated/provisioned what access in Active Directory. Our solution solves this challenge.

Accurate Assessment of Access in Active Directory

Organizations need to know exactly who has what access in Active Directory


As we have seen above, Active Directory is the foundation of identity and access management at most organizations worldwide, and there exists an ocean of access inside Active Directory to facilitate identity and access management.

The ocean of access that exists in Active Directory serves to secure and protect the entirety of an organization's primary identities (domain user accounts) and all domain security groups that protect the organization, from unauthorized access.

It is thus imperative for organizational cyber security to ensure that all access delegated/provisioned in Active Directory is adherent to the principle of least privilege, and this requires organizations to be able to assess and verify all such access.

It is easy to delegate/provision access for identity and access management tasks in Active Directory with precision, but it remains a challenge to accurately assess, audit and verify who is delegated/provisioned what access in Active Directory.

It remains a daunting challenge because, in most Active Directory deployments, there exist millions of permissions within the ACLs of thousands of objects, and the sheer size and scale of this access data, together with the technical complexity involved, make it very difficult to accurately assess and verify exactly who has what access in Active Directory.

The solution to this challenge lies in automating the accurate determination of who has what access in Active Directory.

Effective Permissions - The Keys to Accurate Access Determination

From the Administrator's domain user account to the CEO's domain user account, and from the Domain Admins security group to every domain security group, all identities and security groups in Active Directory, and in fact literally everything in Active Directory, is an Active Directory object.

Each and every Active Directory object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that ultimately determines who actually has what access on the object.

Thus, what provides accurate insight into who has what access in Active Directory is not an assessment of Who has what permissions in Active Directory but an assessment of Who has what effective permissions in Active Directory.

Consequently, to correctly assess and determine who has what access in Active Directory, organizations need to be able to assess effective permissions in their Active Directory, and do so accurately and domain-wide in their Active Directory.
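To make the distinction between "who has what permissions" and "who has what effective permissions" concrete, the following is an added illustration in Python; it is not code from Paramount Defenses, Gold Finger or Microsoft. It models the parts of the Active Directory access check that the sections above describe: ACEs granted on OUs that are inherited by the accounts and groups beneath them, nested group membership, the canonical ordering in which explicit ACEs are evaluated before inherited ones and deny ACEs before allow ACEs, and the owner's implicit right to change an object's ACL. The principals, objects, ACEs and right names (such as "ResetPassword" and "WriteMember") are constructed for the example; real ACEs carry SIDs and GUIDs and inheritance is filtered by object class, which the model omits.

```python
"""Toy model of how Active Directory resolves "who has what permission" into
"who effectively has what access".  Added illustration, not code from
Paramount Defenses, Gold Finger or Microsoft.  Real ACEs carry SIDs and GUIDs
and inheritance is filtered by object class; those details are omitted, and
the right names, principals, objects and ACEs below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ACE:
    trustee: str                # principal the ACE applies to (a SID in real AD)
    allow: bool                 # True = access-allowed ACE, False = access-denied ACE
    right: str                  # "ResetPassword", "WriteMember", "WriteDacl" or "GenericAll"
    inherit: bool = False       # propagates to descendant objects
    inherit_only: bool = False  # applies to descendants only, not to this object itself


@dataclass
class ADObject:
    dn: str
    owner: str
    parent: str | None = None
    dacl: list[ACE] = field(default_factory=list)


# Constructed group membership: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": ["bob"],
    "Helpdesk": ["Tier1"],      # Tier1 is nested inside Helpdesk
    "Tier1": ["alice"],
    "GroupOwners": ["carol"],
}
USERS = ["alice", "bob", "carol", "dave"]

DOM = "DC=corp,DC=example"
OU = f"OU=Staff,{DOM}"
OBJECTS = {o.dn: o for o in [
    ADObject(DOM, "Domain Admins", None,
             [ACE("Domain Admins", True, "GenericAll", inherit=True)]),
    # Delegation: Helpdesk may reset the password of everything under OU=Staff.
    ADObject(OU, "Domain Admins", DOM,
             [ACE("Helpdesk", True, "ResetPassword", inherit=True, inherit_only=True)]),
    # An explicit deny on the CEO's account overrides the inherited allow.
    ADObject(f"CN=ceo,{OU}", "Domain Admins", OU,
             [ACE("Helpdesk", False, "ResetPassword")]),
    ADObject(f"CN=jdoe,{OU}", "Domain Admins", OU),
    # A group that carol owns and whose membership GroupOwners may edit.
    ADObject(f"CN=App-Operators,{OU}", "carol", OU,
             [ACE("GroupOwners", True, "WriteMember")]),
]}


def token(principal: str) -> set[str]:
    """Transitive closure of the groups a principal belongs to (its 'token')."""
    tok = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in tok and any(m in tok for m in members):
                tok.add(group)
                changed = True
    return tok


def effective_acl(objects: dict[str, ADObject], dn: str) -> list[ACE]:
    """ACEs in canonical evaluation order: explicit deny, explicit allow, then
    inherited ACEs from the nearest ancestor outward, deny before allow."""
    obj = objects[dn]
    own = [a for a in obj.dacl if not a.inherit_only]
    ordered = [a for a in own if not a.allow] + [a for a in own if a.allow]
    parent = obj.parent
    while parent is not None:
        inh = [a for a in objects[parent].dacl if a.inherit]
        ordered += [a for a in inh if not a.allow] + [a for a in inh if a.allow]
        parent = objects[parent].parent
    return ordered


def has_right(objects: dict[str, ADObject], principal: str, dn: str, right: str) -> bool:
    tok = token(principal)
    # The owner is implicitly granted WriteDacl (and ReadControl) before the DACL is read.
    if right in ("WriteDacl", "ReadControl") and objects[dn].owner in tok:
        return True
    for ace in effective_acl(objects, dn):
        if ace.trustee in tok and ace.right in (right, "GenericAll"):
            return ace.allow        # the first matching ACE decides
    return False                    # no matching ACE: access is denied by default


def who_can(objects, users, dn, right) -> list[str]:
    """The question the page poses: exactly which users effectively hold `right` on `dn`."""
    return sorted(u for u in users if has_right(objects, u, dn, right))


if __name__ == "__main__":
    for dn, right in [(f"CN=jdoe,{OU}", "ResetPassword"), (f"CN=ceo,{OU}", "ResetPassword"),
                      (f"CN=App-Operators,{OU}", "WriteMember"),
                      (f"CN=App-Operators,{OU}", "WriteDacl")]:
        print(f"{right:14} on {dn}: {who_can(OBJECTS, USERS, dn, right)}")
```

Running it shows why reading raw ACEs is not enough: alice appears in no ACE anywhere, yet she can reset jdoe's password through a nested group and an OU-level ACE she never sees on the account itself; the same ACE grants her nothing on the CEO's account because an explicit deny is evaluated first; and carol can rewrite the ACL of the group she owns without any ACE saying so. Each of these is a question only an effective-permissions evaluation answers.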


Gold Finger

Our Solution

How our solution uniquely helps trustworthily manage identities and access in Active Directory.


Gold Finger, our unique, innovative Microsoft-endorsed Active Directory Access Assessment tooling, architected by a former Microsoft Program Manager for Active Directory Security, is the world's only cyber security solution that can accurately calculate effective permissions in Active Directory.

Gold Finger can automatically and accurately determine exactly who has what effective permissions in Active Directory, and based on it, it can accurately assess exactly who has what access, where and how, domain-wide in Active Directory, within minutes, and at a button's touch.

The access insights that Gold Finger uniquely delivers, empower organizations to easily and quickly identify exactly who has what access, where and how, in Active Directory, and this valuable information enables them to easily and precisely assess, verify and lockdown all access in Active Directory, and thereby trustworthily manage identities and access in Active Directory.


Our Unique Access Insights

Here are some paramount Identity and Access Management specific access insights that our Gold Finger solution can accurately deliver -

    For Identity Management (management of domain user accounts in Active Directory) -

  1. Who can create and delete domain user accounts in Active Directory?
  2. Who can reset the password of domain user accounts in Active Directory, and/or disable the use of smartcards?
  3. Who can change all sensitive account, logon and security settings on domain user accounts in Active Directory?

    For Access Management Part I (management of domain security groups in Active Directory) -

  1. Who can create and delete domain security groups in Active Directory?
  2. Who can change the membership of domain security groups in Active Directory?
  3. Who can change the scope and type of domain security groups in Active Directory?

    For Access Management Part II (management of access provisioned in Active Directory) -

  1. Who can change security permissions on the domain root, on OUs, on accounts and groups in Active Directory?
  2. Who can change the ownership of the domain root, of OUs, of accounts and groups in Active Directory?

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
