
Privileged Access Assessment
Privileged access is the eternal holy grail for perpetrators, and privileged accounts and groups are the "Crown Jewels" of cyber security because they hold the proverbial "Keys to the Kingdom."
Today, 85% of organizations worldwide operate on Microsoft's Windows Server platform, and at these organizations, Active Directory is the heart of privileged access because the most powerful privileged accounts and groups reside in it.
The compromise of even a single privileged account could result in a massive cyber security breach, which is why the accurate identification and adequate protection of all privileged accounts in Active Directory is absolutely paramount.
The process by which privileged accounts are identified in Active Directory is called a "Privileged Access Assessment", and it involves accurately identifying exactly who has what privileged access, where and how in Active Directory.
An accurate Privileged Access Assessment in Active Directory is paramount for cyber security and essential for Active Directory Security, Least Privilege Access, Privileged Access Management and Identity and Access Management.
Our solutions uniquely enable organizations to perform accurate privileged access assessments in Active Directory.

Active Directory - The Heart of Privileged Access
Microsoft Active Directory is the heart of privileged access at 85% of organizations worldwide.
It is so because at these organizations, the entirety of an organization's domain user and computer accounts, passwords, security groups as well as all privileged user accounts and groups reside in Active Directory, and consequently today there exists an ocean of privileged access in Active Directory to protect the totality of these accounts and groups.
In fact, from the all-powerful Administrator account to the all-powerful Domain Admins group and from all delegated administrators to all domain security groups, the vast majority of all privileged access resides in Active Directory.
To accurately identify all privileged users in Active Directory, organizations need to analyze this vast ocean of access that exists in Active Directory and identify all accounts that effectively possess Domain-Admin equivalent privileged access.
In summary, the most powerful privileged access and the vast majority of all privileged access at an organization resides in Active Directory, and a privileged access assessment involves an accurate assessment of access in Active Directory.

Assessing Privileged Access in Active Directory
A Privileged Access Assessment primarily involves the precise identification of privileged accounts in Active Directory.
To the uninitiated, this step seems the simplest and most straightforward, and it is unfortunately widely believed to consist of merely enumerating the members of the default Active Directory administrative groups.
Professionals, however, know that this seemingly simple step is actually the most challenging and difficult of all the steps, because it involves far more than merely enumerating the members of the default Active Directory administrative groups.
Here's why -
Membership in a default Active Directory administrative group is merely the simplest way of possessing privileged access. Technically speaking, any and every domain user account in Active Directory could indirectly possess the same exact level of privilege depending on the access that user account actually has domain-wide in Active Directory.
It is extremely important to understand this intricate detail, and it is perhaps best conveyed with the question below.

A Simple Question
Think about this for a moment.
Members of default Active Directory administrative groups are certainly privileged users by virtue of group membership.
But what about ordinary domain accounts that may have been intentionally or accidentally, directly or indirectly, delegated or provisioned the following access? -
- An account that only has sufficient effective permissions to run Mimikatz DCSync against the domain
- An account that only has sufficient effective permissions to modify the ACL of the domain root object
- An account that only has sufficient effective permissions to change the membership of the Domain Admins group
- An account that only has sufficient effective permissions to reset the password of a Domain Admin account
Question - Shouldn't these accounts also be considered privileged accounts?
After all, they do possess sufficient access to be able to take over existing privileged accounts in Active Directory.

Domain Admins - The Tip of the Iceberg
Even today, at most organizations, the extent of a "privileged access assessment" in Active Directory involves enumerating the members of various default Active Directory privileged groups like Domain Admins.
Now, consider this - what about someone who could change the membership of the Domain Admins group, or reset a Domain Admin's password? Isn't such an individual equally privileged?
Or, consider this - what about someone who could easily obtain privileged access over all domain-joined machines, or access everyone's credentials, or reset everyone's passwords, or change the membership of all the domain security groups that collectively protect all organizational IT assets? Isn't such an individual equally privileged?
In most Active Directory deployments, today there exists an ocean of such powerful privileged access that has either been delegated or custom provisioned, or provisioned accidentally, so Domain Admins are just the tip of the iceberg.

The Iceberg in AD
The entirety of an organization's domain user accounts, computer accounts, passwords and security groups reside in Active Directory, and consequently today there exists an ocean of privileged access in Active Directory to protect all these accounts and groups and to facilitate the distribution and delegation of responsibilities for their management.
This vast ocean of privileged access in Active Directory exists in the form of millions of security permissions that reside inside thousands of Active Directory access control lists (ACLs) that exist to protect Active Directory's valuable contents.
A predominant portion of this ocean of access is actually delegated and custom provisioned access that exists inside Active Directory ACLs to enable the distribution/delegation of administrative tasks for identity and access management.
It is this vast amount of delegated/custom access that constitutes the proverbial iceberg of access in Active Directory.
This delegated/custom access could intentionally or accidentally be equivalent to Domain-Admin level access, and thus no Privileged Access Assessment can be complete without taking into account this iceberg of access in Active Directory.

What Constitutes Privileged Access in Active Directory
An understanding of what constitutes privileged access in Active Directory is essential for performing an accurate Privileged Access Assessment.
The following two levels of access in Active Directory constitute privileged access in Active Directory -
- Unrestricted (Domain Admin Level) Privileged Access - This is the highest level of access in the privileged access hierarchy. It constitutes unrestricted domain-wide privileged access, usually gained via membership in one or more default Active Directory administrative groups, but also obtainable as a result of custom access provisioning.
- Delegated Privileged Access - This is the second highest level of access in the privileged access hierarchy. It constitutes restricted domain-wide, organizational unit (OU)-wide or per-object privileged access, usually obtained by administrative delegation or business-need-driven access provisioning.
Delegated privileged access could be equivalent to unrestricted privileged access, so its accurate identification is vital.

How to Identify Users with Unrestricted Privileged Access
In Active Directory, the following users must be considered highly and equally privileged in nature -
1. All domain accounts that may directly or indirectly be members of any default Active Directory administrative group.
2. Anyone who can perform any of the administrative tasks listed in the Domain-Admin Equivalent Tasks list here.
3. Anyone who may have sufficient effective permissions to change the membership or ownership of, or the permissions on, any of the domain security groups identified in step 1 above.
4. Anyone who may have sufficient effective permissions to reset the password of, or change the ownership of or the permissions on, any of the domain accounts identified in steps 1, 2 and 3 above.
It is easy to enumerate the members of the default Active Directory administrative groups, but it is very difficult and challenging to accurately identify all the accounts that can enact steps 3 and 4 above; yet it is very important, and in fact paramount, to make these determinations, and to do so accurately.
To make these paramount determinations, i.e. to identify all the accounts that can enact steps 3 and 4 above, one needs to accurately determine effective permissions on the numerous relevant objects in Active Directory.

How to Identify Users with Delegated Privileged Access in Active Directory
An essential aspect of a Privileged Access Assessment in Active Directory is the accurate identification of all users/accounts that currently possess any level of delegated administrative (privileged) access anywhere in Active Directory.
To identify all such users/accounts, organizations need to accurately identify -
- All users who can create domain user accounts, computer accounts, security groups and OUs in the domain.
- All users who can manage domain user accounts, computer accounts, security groups and OUs across the domain, i.e. all users who can reset user account passwords, enable disabled accounts, change group memberships, delegate access on OUs, link GPOs to OUs, etc.
- All users who can delete domain user accounts, computer accounts, security groups and OUs in the domain.
When performing a privileged access assessment to identify accounts/users with delegated access, it is vital for accurate results that you correctly evaluate effective permissions on all Active Directory objects in the domain.

How to Perform an Accurate Privileged Access Assessment in Active Directory
An accurate Privileged Access Assessment in Active Directory is absolutely paramount for organizational security.
It is paramount because should even one privileged account be left unidentified and thus left inadequately protected, it could be the weakest link in organizational security and its compromise could result in a massive system-wide breach.
As seen above, there is an ocean of privileged access that exists in every Active Directory domain, and it includes both unrestricted access as well as an iceberg of delegated access that together protect Active Directory's entire contents.
To accurately identify all privileged users in Active Directory, organizations need to analyze this vast ocean of access that exists in Active Directory and identify all accounts that effectively possess Domain-Admin equivalent privileged access.
The accurate identification of privileged accounts in Active Directory thus begins with and requires an understanding of what constitutes a privileged user in Active Directory and how to correctly assess privileged access in Active Directory.
It requires the fundamental capability to accurately determine Active Directory Effective Permissions, and based on it, the capability to be able to accurately and efficiently assess who has what privileged access in Active Directory domain-wide.

Effective Permissions - The Keys to Privileged Access
From AdminSDHolder to Domain Admins, and from the default Administrator's account to every single default and custom privileged account and group in Active Directory, literally everything in Active Directory is an AD object.
Every Active Directory object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" (all applicable allow entries, minus any applicable deny entries, for the user and every group the user belongs to) that determines who actually has what access on the object.
Thus, what provides accurate insight into privileged access is not an assessment of who has what permissions in Active Directory, but an assessment of who has what effective permissions in Active Directory.
Consequently, to correctly perform a privileged access assessment, i.e. to accurately determine exactly who has what privileged access in Active Directory, organizations need to determine effective permissions in Active Directory.
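The following is an added example, not code from this page or from Gold Finger: a deliberately simplified Python model of effective-permission evaluation over a small constructed directory, which then applies steps 1 to 4 from the "Unrestricted Privileged Access" section above (using the DCSync right on the domain root as the one step-2 task the page itself names) and iterates step 4 to closure. All account names, group names, objects and ACEs are constructed, the right names are illustrative labels rather than real ACE flag values, and the model ignores inheritance, object-type-specific ACEs and the full canonical ACE ordering.

```python
from dataclasses import dataclass

# Subset of AD rights modelled here; the string names are illustrative only.
GENERIC_ALL, WRITE_DACL, WRITE_OWNER = "GenericAll", "WriteDacl", "WriteOwner"
WRITE_MEMBER = "WriteProperty:member"
RESET_PASSWORD = "ExtendedRight:Force-Change-Password"
DCSYNC = "ExtendedRight:Replication-Get-Changes-All"
ALL_RIGHTS = {GENERIC_ALL, WRITE_DACL, WRITE_OWNER, WRITE_MEMBER, RESET_PASSWORD, DCSYNC}

@dataclass
class Ace:
    trustee: str      # user or group name
    allow: bool       # True = Allow ACE, False = Deny ACE
    rights: frozenset

@dataclass
class AdObject:
    name: str
    owner: str
    dacl: list        # explicit Deny ACEs placed first, as in canonical order

# Constructed directory: group -> direct members (a group may contain a group).
GROUPS = {"Domain Admins": {"alice"}, "Helpdesk": {"bob", "Tier2"}, "Tier2": {"carol"}}
USERS = {"alice", "bob", "carol", "dave", "erin"}
DA = AdObject("Domain Admins", "Domain Admins", [
    Ace("bob", False, frozenset({WRITE_MEMBER})),        # explicit deny for bob
    Ace("Domain Admins", True, frozenset({GENERIC_ALL})),
    Ace("Helpdesk", True, frozenset({WRITE_MEMBER})),    # mis-delegated to Helpdesk
])
ROOT = AdObject("DC=corp", "Domain Admins", [
    Ace("Domain Admins", True, frozenset({GENERIC_ALL})),
    Ace("dave", True, frozenset({DCSYNC})),              # replication right on the root
])
ALICE = AdObject("alice", "Domain Admins", [Ace("erin", True, frozenset({RESET_PASSWORD}))])
OBJECTS = {"Domain Admins": DA, "DC=corp": ROOT, "alice": ALICE}

def tokens_of(principal):
    """The principal plus every group it belongs to, transitively (nested groups)."""
    toks = {principal}
    while True:
        new = {g for g, m in GROUPS.items() if g not in toks and m & toks}
        if not new:
            return toks
        toks |= new

def effective_rights(principal, obj):
    """Net rights: Deny beats Allow; the owner implicitly holds WriteDacl; anyone with
    GenericAll, WriteDacl or WriteOwner can grant itself every right on the object."""
    toks = tokens_of(principal)
    allowed = {r for a in obj.dacl if a.allow and a.trustee in toks for r in a.rights}
    denied = {r for a in obj.dacl if not a.allow and a.trustee in toks for r in a.rights}
    if obj.owner in toks:
        allowed.add(WRITE_DACL)
    rights = allowed - denied
    return rights | ALL_RIGHTS if rights & {GENERIC_ALL, WRITE_DACL, WRITE_OWNER} else rights

def domain_admin_equivalents(users=USERS, admin_groups=("Domain Admins",)):
    """Steps 1-4: admin-group members; DCSync on the root; write-member/ACL/owner on the
    admin groups; then, to closure, anyone who can take over a privileged account."""
    priv = {u for u in users if tokens_of(u) & set(admin_groups)}           # step 1
    priv |= {u for u in users if DCSYNC in effective_rights(u, ROOT)}       # step 2
    priv |= {u for u in users if WRITE_MEMBER in effective_rights(u, DA)}   # step 3
    while True:                                                             # step 4
        takeover = {u for u in users for p in priv if p in OBJECTS
                    and effective_rights(u, OBJECTS[p]) & {RESET_PASSWORD, WRITE_DACL}}
        if takeover <= priv:
            return priv
        priv |= takeover
```

Here carol is flagged through the nested Tier2 -> Helpdesk delegation, bob is not because the explicit Deny wins, and erin is flagged only because her reset right targets an account that is itself privileged.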

Our Solution
How our solution empowers organizations to perform accurate Privileged Access Assessments in Active Directory.
Gold Finger, our unique, innovative, Microsoft-endorsed Active Directory Access Assessment tooling, architected by a former Microsoft Program Manager for Active Directory Security, is the world's only cyber security solution that can accurately calculate effective permissions in Active Directory.
Gold Finger can automatically and accurately determine exactly who has what effective permissions in Active Directory, and based on that, it can accurately assess exactly who has what privileged access, both unrestricted and delegated, where and how, on thousands of objects domain-wide in Active Directory, within minutes, and at a button's touch.
Gold Finger can instantly and accurately assess and discover both default privileged access and any and all custom-provisioned and delegated administrative (privileged) access in Active Directory, and thereby empower organizations to easily and quickly assess and lock down all privileged access in Active Directory.
An overview of its Active Directory privileged access assessment capabilities is provided below.
Accurate Assessment of Privileged Access in Active Directory
Our solution is unique in its ability to accurately assess privileged access in Active Directory.
Gold Finger's unique Active Directory Privileged Access Assessor tooling is purpose-built to enable organizations to assess exactly who has what privileged access, where and how in Active Directory, based on an accurate assessment of Active Directory Effective Permissions on all objects.
It can accurately and instantly assess and reveal exactly who has what privileged access, where and how, domain-wide -
- Who can create and/or delete user accounts, computer accounts, security groups and OUs in Active Directory?
- Who can reset the passwords of, disable/enable, unlock, unexpire, etc. all domain user accounts in a domain?
- Who can change the group membership, type or scope of all domain security groups in Active Directory?
- Who can enact various security-sensitive tasks on all domain accounts and security groups in Active Directory?
- Who can change the security permissions on, or ownership of, all domain user accounts, domain computer accounts, domain security groups, containers and OUs in Active Directory?
It can make all these privileged access assessments in Active Directory accurately and instantly at the touch of a button, helping organizations accomplish in minutes what would otherwise take months to do, delivering substantial efficiencies.
Accurate Assessment of Privilege Escalation Paths in Active Directory
Our solution is unique in its ability to accurately identify privilege escalation paths in Active Directory.
Gold Finger's unique Active Directory Privilege Escalation Path Identifier tooling is purpose-built to enable organizations to accurately assess exactly who has what privilege escalation paths to Active Directory objects, based on an accurate assessment of Active Directory Effective Permissions.
It can instantly and accurately make the most valuable privileged access determinations in organizational cyber security -
- Who can escalate privilege to a(ny) domain account, security group, OU or the domain root in Active Directory?
- What escalation paths does an account have to a specific domain user account, computer account, security group, OU or the domain root in Active Directory?
- Which administrative task(s) can a specific account enact to escalate privilege to a specific Active Directory object?
- Which security permissions in an Active Directory object's ACL enable a specific account to escalate privilege to it?
Gold Finger is the only tooling in the world that can accurately identify privilege escalation paths in Active Directory and only it can make these paramount escalation path identifications in Active Directory accurately, and at a button's touch.
Our Unique Privileged Access Insights
Here are some paramount Privileged Access Assessment related insights that only* our solutions can accurately deliver -
- Which accounts in Active Directory are privileged in nature?
- What access do these privileged accounts have in Active Directory?
- Which accounts have unrestricted privileged access in Active Directory?
- Which accounts have delegated administrative access in Active Directory?
- Which of these privileged user accounts in Active Directory is most powerful, and why?
- What is the scope of delegation for delegated privileged access accounts in Active Directory?
- Who controls the access provisioned on all such privileged user accounts in Active Directory?
- Who can modify the access provisioned on all such privileged user accounts in Active Directory?
- Which of these privileged user accounts in Active Directory have the widest scope of administrative authority?
- Who has privilege escalation paths leading to these privileged user accounts in Active Directory?
* Our solutions are unique in their ability to accurately determine effective permissions in Active Directory.