
Least Privilege Access

Easily attain and maintain least privilege access (LPA) in Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager
Identity and Security Business Group, Microsoft


Active Directory - The Heart of Privileged Access

At 85% of organizations worldwide, all organizational primary identities (domain user accounts), computer accounts, credentials, security groups and policies are stored and protected in Active Directory, and there exists an ocean of access in Active Directory, whether default, provisioned or delegated, to facilitate and distribute their management.

Specifically, there exist hundreds of thousands of security permissions in every Active Directory deployment, and these collectively determine who has what access on the entirety of an organization's accounts and groups in Active Directory.


Active Directory is thus the heart and center of every such organization's least privilege access (LPA) initiatives, and at all such organizations, attaining and maintaining LPA in Active Directory is amongst the top cyber security objectives.


That said, today most organizations find it challenging to attain and maintain Least Privilege Access in Active Directory, and organizational IT personnel struggle to adequately fulfill this important organizational cyber security initiative.


The Challenge in Attaining Least Privilege Access in Active Directory


Most organizations find it challenging to attain and maintain Least Privilege Access in Active Directory because of the sheer amount of access specified in Active Directory and the complexity involved in accurately assessing access.

Specifically, there exist thousands of complicated security permissions (e.g. explicit, inherited, allow, deny, object-specific, special rights etc.) in every Active Directory, and they make it very difficult to accurately assess who currently has what access, in turn making it very difficult to lock down access, and thus to attain and maintain LPA in Active Directory.

To attain and maintain LPA in Active Directory (AD), organizations first and foremost need to be able to accurately assess who has what access in AD, because to lock down access, one first needs to know who has what access.

Unfortunately it is very difficult to accurately assess who has what access in Active Directory deployments, and consequently it is very difficult for organizations to attain and maintain least privilege access in Active Directory.


A Real-World Example

The challenge in attaining least privilege access in Active Directory is perhaps best illustrated with a simple example.

Assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory:

  Explicit permissions
    1. Deny   IT Contractors   Special
    2. Allow  Domain Admins    Full Control
    ...

  Inherited permissions
    1. Deny   Helpdesk Team    All Extended Rights
    2. Allow  Global Admins    Reset Password


Consider This: There are 50 different permissions, some Allow and some Deny, some Inherited and some Explicit, each granting some group some permissions and ultimately, they collectively determine who has what access to the account.

Conclusion: To attain least privilege access on the CEO's user account, one first needs to accurately determine the collective impact that all 50 of these permissions have on exactly who has access to the account, and how; only then can one lock down the access specified in its ACL and attain least privilege access on it.


How to Attain and Maintain Least Privilege Access in Active Directory


To attain and maintain LPA in Active Directory, organizations first and foremost need to be able to accurately assess who has what access in Active Directory, because to lock down access, one first needs to know who has what access.

In essence, organizations need to be able to easily and yet accurately make sense of the thousands of complicated security permissions that currently exist in Active Directory and that make it difficult to accomplish this objective.

Simply stated, to attain and maintain least privilege access in Active Directory, organizations need to be able to easily and accurately determine who currently has what access in Active Directory, based on an accurate determination of effective permissions. Once they know exactly who has what access, they can easily lock down that access.

Further, if one can pinpoint the exact underlying permissions and group memberships that enable all access that currently exists in Active Directory, then one can easily review and lock down all access found to be excessive.


Accurate Access Assessment

The Key to Attaining and Maintaining Least Privileged Access in Active Directory


The key to attaining and maintaining least privilege access in Active Directory lies in being able to accurately assess access in Active Directory to determine who actually has what access, where and how.

Knowing who actually has what access and where in Active Directory enables organizations to identify excessive access, and knowing how someone has such access empowers them to lock down the excessive access they have identified.

The process of assessing access in Active Directory is called an access assessment, and what organizations need to attain and maintain least privilege access in Active Directory is the ability to perform an accurate access assessment.

An accurate access assessment is one that can correctly automate the determination of who actually has what access, where and how, in Active Directory, based on an accurate assessment of Active Directory effective permissions.


Effective Permissions: The Keys to Least Privilege Access

From AdminSDHolder to Domain Admins, and from the default Administrator's account to the CEO's domain user account, literally everything in Active Directory is an AD object.

Every AD object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Consequently, what provides accurate insight into who has what access is not an assessment of who has what permissions in Active Directory but an assessment of who has what effective permissions in Active Directory.

Consequently, to accurately assess and subsequently lock down access in Active Directory to attain and maintain LPA, organizations need to be able to accurately assess effective permissions in Active Directory.
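The difference between "who has what permissions" and "who has what effective permissions" can be made concrete with the CEO-account ACL from the real-world example above. The following is an added example written for this page; it is not Gold Finger code and not from the page or its author. It is a small Python model of how a Windows/Active Directory DACL is resolved: ACEs are put into canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and walked as the AccessCheck algorithm does. The group names, the four principals, the extra inherited Helpdesk read ACE and the reading of the page's unspecified "Special" rights as Write Property are all constructed assumptions; group nesting, owner rights and object-type-specific ACEs are deliberately not modelled.

```python
# Added example (not Gold Finger code and not from the page): a toy model of how a
# Windows/Active Directory DACL resolves into effective permissions. Group names,
# principals and the extra Helpdesk read ACE are constructed for illustration; the
# page's unspecified "Special" rights are assumed here to mean Write Property.
# Simplifications: groups are flat (no nesting), rights are plain bit masks, and
# owner rights and object-type-specific ACEs are not modelled.
from dataclasses import dataclass

READ_PROPERTY = 0x1
WRITE_PROPERTY = 0x2
RESET_PASSWORD = 0x4                  # stand-in for the "Reset Password" extended right
ALL_EXTENDED_RIGHTS = RESET_PASSWORD  # the only extended right in this toy model
FULL_CONTROL = READ_PROPERTY | WRITE_PROPERTY | RESET_PASSWORD
ALL_RIGHTS = (READ_PROPERTY, WRITE_PROPERTY, RESET_PASSWORD)
RIGHT_NAMES = {READ_PROPERTY: "Read Property", WRITE_PROPERTY: "Write Property",
               RESET_PASSWORD: "Reset Password"}


@dataclass(frozen=True)
class Ace:
    kind: str        # "Allow" or "Deny"
    inherited: bool  # False = explicit on the object, True = inherited from a parent
    trustee: str     # group (or account) the ACE names
    rights: int      # bit mask of rights the ACE allows or denies


# Constructed ACL mirroring the CEO-account example: the four entries named on the
# page plus one constructed inherited Allow so that Helpdesk has some access at all.
# Deliberately stored out of canonical order to show that storage order is irrelevant.
CEO_ACL = [
    Ace("Allow", True, "Global Admins", RESET_PASSWORD),
    Ace("Deny", False, "IT Contractors", WRITE_PROPERTY),   # page's "Special" (assumed)
    Ace("Allow", True, "Helpdesk Team", READ_PROPERTY),     # constructed extra ACE
    Ace("Deny", True, "Helpdesk Team", ALL_EXTENDED_RIGHTS),
    Ace("Allow", False, "Domain Admins", FULL_CONTROL),
]

# Constructed principals with their (already flattened) group memberships.
PRINCIPALS = {
    "alice": {"Domain Admins", "IT Contractors"},
    "bob": {"Helpdesk Team", "Global Admins"},
    "carol": {"Global Admins"},
    "dave": {"Domain Admins"},
}


def canonical_order(acl):
    """Windows evaluates a DACL in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. sorted() is stable, so ties keep their order."""
    rank = {(False, "Deny"): 0, (False, "Allow"): 1, (True, "Deny"): 2, (True, "Allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.kind)])


def access_check(acl, groups, requested):
    """Core of the Windows AccessCheck algorithm for one request.
    Returns (granted, deciding_ace). ACEs whose trustee the principal is not a
    member of are skipped; a Deny overlapping any still-unsatisfied right ends the
    check as denied; Allows accumulate until every requested right is satisfied.
    Running out of ACEs with rights still unsatisfied is an implicit deny."""
    remaining = requested
    for ace in canonical_order(acl):
        if ace.trustee not in groups:
            continue
        if ace.kind == "Deny" and ace.rights & remaining:
            return False, ace
        if ace.kind == "Allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True, ace
    return False, None


def effective_permissions(acl, groups):
    """Bit mask of the individual rights the principal actually ends up with."""
    granted = 0
    for right in ALL_RIGHTS:
        if access_check(acl, groups, right)[0]:
            granted |= right
    return granted


def who_has(acl, principals, right):
    """The 'who' view: every principal whose effective permissions include `right`."""
    return {name for name, groups in principals.items()
            if access_check(acl, groups, right)[0]}


def explain(acl, groups, right):
    """The 'how' view: which ACE (and therefore which group membership) decided."""
    granted, ace = access_check(acl, groups, right)
    if ace is None:
        return f"{RIGHT_NAMES[right]}: denied (no ACE grants it)"
    scope = "inherited" if ace.inherited else "explicit"
    verdict = "granted" if granted else "denied"
    return f"{RIGHT_NAMES[right]}: {verdict} by {scope} {ace.kind} for {ace.trustee}"


if __name__ == "__main__":
    for name, groups in PRINCIPALS.items():
        print(f"{name} ({', '.join(sorted(groups))}):")
        for right in ALL_RIGHTS:
            print("   ", explain(CEO_ACL, groups, right))
    print("Can reset the CEO's password:",
          sorted(who_has(CEO_ACL, PRINCIPALS, RESET_PASSWORD)))
```

Two outcomes show why reading the ACL entry by entry is not enough. alice is a Domain Admin with Full Control, yet her IT Contractors membership puts an explicit Deny ahead of that Allow, so she cannot write properties on the account; bob holds Global Admins, which is allowed Reset Password, yet his Helpdesk membership carries an inherited Deny on all extended rights, which is evaluated first. In both cases `explain()` names the deciding ACE and group, which is exactly the "how" a reviewer needs in order to decide which permission or membership to remove.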



Our Solution

Our solution uniquely helps attain and maintain least privilege access in Active Directory.


Gold Finger, our unique, innovative, Microsoft-endorsed Active Directory access assessment tooling, architected by a former Microsoft Program Manager for Active Directory Security, is the world's only cyber security solution that can accurately calculate effective permissions in Active Directory.

Gold Finger can automatically and accurately determine exactly who has what effective permissions in Active Directory, and based on that, it can accurately assess exactly who has what access, where and how, domain-wide in Active Directory, within minutes and at the touch of a button.

The access insights that Gold Finger uniquely provides empower organizations to easily and quickly identify exactly who has what access, where and how, in Active Directory; armed with these insights, they can then precisely lock down all access in Active Directory and easily attain and maintain LPA.


Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
