
Privileged Access Management

Correctly implement the first 3 steps of Privileged Access Management.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager      
Identity and Security Business Group

Keys to the Kingdom

Privileged Access Management

Privileged access is the eternal holy grail for perpetrators, and privileged accounts and groups are the "Crown Jewels" of cyber security because they hold the proverbial "Keys to the Kingdom."

Today, 85% of organizations worldwide operate on Microsoft's Windows Server platform, and at these organizations, Active Directory is at the heart of privileged access management because the most powerful privileged accounts and groups reside in Active Directory.

Privileged Access Management (PAM) fundamentally involves securing and defending organizational privileged accounts and groups from the risk of compromise, and it is a cardinal corporate and organizational cyber security priority today.

Trustworthily managing privileged access in Active Directory presents certain unique challenges, and our innovative Microsoft-endorsed solution uniquely helps organizations address these challenges with ease.

Active Directory

Active Directory - The Heart of Privileged Access

Microsoft Active Directory is the foundation of identity and access management at 85% of organizations worldwide.

Consequently, the most powerful privileged accounts and groups all reside in and are secured in Active Directory.

In addition to all default Active Directory privileged accounts and groups, all organizational domain user accounts, computer accounts, security groups and security policies reside in Active Directory, and there exists an ocean of privileged access in Active Directory that serves to protect the totality of these accounts, groups and policies.

An organization's foundational Active Directory is thus not only the focal point for the adequate protection of privileged accounts and groups, but also the focal point for accurate initial and continuous privileged account discovery.

This puts Active Directory at the heart of both privileged access management and identity and access management.

Privileged Access Management Process

Privileged Access Management in 5 Steps

The implementation of Privileged Access Management at organizations involves a simple, sequential five-step process.

The very first step in Privileged Access Management involves the precise identification (discovery) of privileged access accounts. This is fundamental, essential and paramount, because one simply cannot protect what one cannot identify.

Once organizations have precisely identified all privileged accounts, they can proceed to enact the second and third steps, which involve securing all identified privileged access accounts, and controlling access to them, respectively.

The penultimate step in Privileged Access Management involves auditing the use of privileged access.

A final optional fifth step involves operationalizing privileged tasks.

First Three Steps of Privileged Access Management

First 3 Steps of Privileged Access Management

The first three steps of Privileged Access Management are the most important steps in Privileged Access Management.

The very first, the accurate identification of privileged accounts, is absolutely paramount because the compromise of even one unprotected privileged account could result in a massive system-wide breach.

The second step, securing privileged accounts, is equally important, because identifying a privileged account does not by itself protect it.

Finally, having adequately secured all privileged accounts, it is also important to control access to privileged accounts, because if someone could gain access to a single such account, they could cause a substantial amount of damage.

Let us now take a look at how organizations can adequately implement these three measures in Active Directory.

Privileged Account Discovery in Active Directory

1. Identify Privileged Accounts in Active Directory

The very first step in Privileged Access Management involves the precise identification of privileged access accounts and is known as Privileged Account Discovery.

To the uninitiated, this step seems the simplest and most straightforward, and it is unfortunately widely believed to consist merely of enumerating the members of the default Active Directory administrative groups.

Professionals, however, know that this seemingly simple step is actually the most challenging and difficult of all the steps, because it involves far more than merely enumerating the members of the default Active Directory administrative groups.

Here's why -

Membership in a default Active Directory administrative group is merely the simplest way of possessing privileged access. Technically speaking, any and every domain user account in Active Directory could indirectly possess the same exact level of privilege depending on the access that user account actually has domain-wide in Active Directory.

It is extremely important to understand this intricate detail, and it is perhaps best conveyed with the question below.


A Simple Question

Think about this for a moment.


Members of default Active Directory administrative groups are certainly privileged users by virtue of group membership.

But what about the following ordinary users?

  1. A user that only has sufficient effective permissions to run Mimikatz DCsync against the domain

  2. A user that only has sufficient effective permissions to modify the ACL of the domain root object

  3. A user that only has sufficient effective permissions to change the membership of the Domain Admins group

  4. A user that only has sufficient effective permissions to reset the password of a Domain Admin account


Question - Should these users also be considered privileged users, and thus also be identified in Step 1?

After all, they do possess sufficient access to be able to take over existing privileged accounts in Active Directory.


The Accurate Identification of
Privileged Accounts in Active Directory


The accurate identification of privileged accounts in Active Directory is absolutely paramount for organizational security and it is not only the very first step but also the most important step in Privileged Access Management.

It is paramount because should even one such privileged account be left unidentified and thus inadequately protected, it could be the weakest link in organizational security and its compromise could result in a massive system-wide breach.

There is an ocean of privileged access that exists in every Active Directory, both by default as well as based on any administrative delegations and custom access provisioning that may have been done in Active Directory over time.

To accurately identify all privileged users in Active Directory, organizations need to analyze this vast ocean of access that exists in Active Directory and identify all accounts that effectively possess Domain-Admin equivalent privileged access.

The accurate identification of privileged accounts in Active Directory thus begins with and requires an understanding of what constitutes a privileged user in Active Directory and how to correctly assess privileged access in Active Directory.

It requires the fundamental capability to accurately determine Active Directory Effective Permissions, and based on it, the capability to be able to accurately and efficiently assess who has what privileged access in Active Directory domain-wide.

Secure Active Directory Privileged Accounts

2. Secure Privileged Accounts in Active Directory

The second step in Privileged Access Management involves securing all privileged accounts in Active Directory.

All privileged accounts in Active Directory are represented as Active Directory objects, and thus are ultimately secured by the access allowed to them, i.e. by the resulting effective permissions on their respective Active Directory objects.

For instance, even if an organization deploys a Password Vault, these accounts continue to be Active Directory accounts, and their passwords can always be reset by anyone with sufficient effective permissions to do so in Active Directory.

Thus, securing privileged accounts in Active Directory requires controlling who can enact the following actions on them -

  1. Reset the password of a privileged account

  2. Set the Password Not Required bit on a privileged user account (and/or, if in use, disable the use of Smartcards)

  3. Enable a disabled privileged account

  4. Modify various security-sensitive attributes (e.g. userAccountControl) on a privileged account

  5. Change the security permissions and/or ownership of a privileged user account


To reiterate, it is Active Directory Effective Permissions that control exactly who can enact these actions on all privileged accounts in Active Directory, so organizations must possess the capability to make these paramount determinations.

Control Access to Active Directory Privileged Accounts

3. Control Access to Privileged Accounts

The third step in Privileged Access Management involves controlling access to privileged accounts in Active Directory.

By default, access to the use of all privileged accounts in Active Directory is protected by a single factor - its password.

Many organizations strive to enhance the security of privileged user accounts by deploying two-factor authentication solutions to protect privileged accounts in Active Directory. These could involve the use of Smartcards for authentication or the use of certain third-party solutions that essentially add an additional authentication layer for enhanced security.

In each case, i.e. whether access to the use of privileged accounts relies on passwords, on Smartcards or on some third-party integrated authentication, all such measures are integrated with the actual Active Directory user account, and consequently their use is ultimately governed by, and thus can be controlled through, access to the Active Directory account.

Thus, it is essential to control and know who can enact the following actions on privileged accounts in Active Directory -

  1. Reset the password of a privileged account

  2. Disable the use of Smartcards for logon

  3. Disable/sever the integration of a third-party authentication solution on privileged accounts in Active Directory


It is Active Directory Effective Permissions again that control exactly who can enact these actions on all privileged accounts in Active Directory, so organizations must possess the capability to make these paramount determinations.

Active Directory Integrated PAM Solution

Active Directory-Integrated
PAM Solution Security

In light of the fact that the vast majority of organizations worldwide operate on Active Directory, and consequently that the vast majority of all privileged accounts reside in Active Directory, today several cyber security vendors offer various PAM solutions that integrate with Active Directory.

Often, such cyber security solutions, for example a leading Zero-Trust Security Solution, are integrated with Active Directory, and thus their proper functioning and the security they provide ultimately rely on Active Directory security.

For instance, any cyber security solution that relies on publishing service connection points (SCPs) in Active Directory could be rendered useless if someone were able to modify the keywords attribute of its SCP in Active Directory.

Thus, every security-conscious organization must also ensure that any and all Active Directory objects that its Active Directory-integrated PAM or cyber security solutions/applications rely on in order to function are adequately secured.

As is the case with everything else in Active Directory security, it is Active Directory Effective Permissions that control exactly who can modify any/all such integration points such as specific custom application attributes in Active Directory, so organizations must ideally also possess the capability to make these security determinations.

Active Directory Effective Permissions

Effective Permissions
- The Keys to Privileged Access

Each and every single privileged account in Active Directory is an Active Directory object.

Each and every Active Directory object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Thus, what provides accurate insight into privileged access is not an assessment of Who has what permissions in Active Directory but an assessment of Who has what effective permissions in Active Directory.

Not a single object in Active Directory can be adequately secured without possessing the ability to accurately determine effective permissions on it, and thus no Active Directory can be adequately secured without this paramount capability.

To correctly perform privileged account discovery in Active Directory, and to adequately secure and control access to all privileged accounts in Active Directory, organizations need to be able to assess effective permissions in Active Directory.
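The "simple question" above, the actions listed under steps 2 and 3, the SCP example, and this section all reduce to one computation: evaluating who effectively holds a given right on an object, rather than listing the ACEs on it. The Python model below is an added illustration of that computation; it is not Gold Finger code, nor any Microsoft API. The schema and extended-right GUIDs and the ADS_RIGHT_* mask bits are the real values, but the directory (every user, group, DN and ACE, and the ownership of the SCP object) is constructed for the example, and the access check is deliberately simplified: no property sets, no inherited-object-type ACEs and no OWNER_RIGHTS handling. The DCSync check covers only the DS-Replication-Get-Changes-All right; a real check would also require DS-Replication-Get-Changes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Real GUIDs from the AD schema and the Extended-Rights container.
RESET_PASSWORD       = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
UAC_ATTRIBUTE        = "bf967a68-0de6-11d0-a285-00aa003049e2"  # userAccountControl
MEMBER_ATTRIBUTE     = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # member
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# ADS_RIGHT_* access-mask bits.
WRITE_PROP, CONTROL_ACCESS = 0x20, 0x100
WRITE_DACL, WRITE_OWNER, GENERIC_ALL = 0x40000, 0x80000, 0x10000000
SPECIFIC_BITS = WRITE_PROP | CONTROL_ACCESS | WRITE_DACL | WRITE_OWNER

@dataclass(frozen=True)
class Ace:
    trustee: str                        # user or group the ACE applies to
    allow: bool                         # True = access-allowed, False = access-denied
    mask: int                           # access-mask bits
    object_guid: Optional[str] = None   # attribute/extended-right GUID; None = whole object
    inherited: bool = False             # inherited from a parent OU/container

@dataclass
class AdObject:
    dn: str
    object_class: str                   # "user", "group", "domain" or "scp"
    owner: str
    dacl: List[Ace]

def expand_mask(mask: int) -> int:
    """GENERIC_ALL (Full Control) implies every specific right modelled here."""
    return mask | SPECIFIC_BITS if mask & GENERIC_ALL else mask

def token(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The principal plus every group it belongs to, following nested membership."""
    ids, frontier = {principal}, [principal]
    while frontier:
        current = frontier.pop()
        for group, members in groups.items():
            if current in members and group not in ids:
                ids.add(group)
                frontier.append(group)
    return ids

def canonical(dacl: List[Ace]) -> List[Ace]:
    """Windows canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def has_effective_right(principal: str, obj: AdObject, groups: Dict[str, Set[str]],
                        right: int, guid: Optional[str] = None) -> bool:
    """Simplified AccessCheck for a single right, optionally scoped to one GUID."""
    ids = token(principal, groups)
    if obj.owner in ids and right == WRITE_DACL:      # an owner always holds WRITE_DAC
        return True
    for ace in canonical(obj.dacl):
        if ace.trustee not in ids:
            continue
        if ace.object_guid is not None and ace.object_guid != guid:
            continue                                  # scoped to a different attribute/right
        if expand_mask(ace.mask) & right:
            return ace.allow                          # first match decides; denies sort first
    return False

# Rights whose holder can take over the object, by object class, plus ones common to all.
CLASS_CHECKS = {
    "user":   [("reset password", CONTROL_ACCESS, RESET_PASSWORD),
               ("write userAccountControl", WRITE_PROP, UAC_ATTRIBUTE)],
    "group":  [("change membership", WRITE_PROP, MEMBER_ATTRIBUTE)],
    "domain": [("replicate secrets (DCSync)", CONTROL_ACCESS, REPL_GET_CHANGES_ALL)],
    "scp":    [],
}
COMMON_CHECKS = [("modify permissions", WRITE_DACL, None), ("take ownership", WRITE_OWNER, None)]

def discover_privileged(principals, objects, groups) -> Dict[str, List[Tuple[str, str]]]:
    """Step 1 (discovery): every principal that effectively holds a takeover right somewhere."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for principal in principals:
        for obj in objects:
            for label, right, guid in CLASS_CHECKS[obj.object_class] + COMMON_CHECKS:
                if has_effective_right(principal, obj, groups, right, guid):
                    report.setdefault(principal, []).append((obj.dn, label))
    return report

# Constructed sample directory: none of these names, DNs, owners or ACEs come from a real domain.
GROUPS = {"Helpdesk": {"alice"}, "Tier0-Ops": {"bob"},
          "AD-Operators": {"Tier0-Ops"}, "Domain Admins": {"da-admin"}}
OBJECTS = [
    AdObject("CN=da-admin,OU=Tier0,DC=corp", "user", "Domain Admins", [
        Ace("dave", False, CONTROL_ACCESS, RESET_PASSWORD),             # explicit deny
        Ace("dave", True, GENERIC_ALL, inherited=True),                  # inherited Full Control
        Ace("Helpdesk", True, CONTROL_ACCESS, RESET_PASSWORD, inherited=True),
        Ace("Domain Admins", True, GENERIC_ALL)]),
    AdObject("CN=Domain Admins,CN=Users,DC=corp", "group", "Domain Admins", [
        Ace("AD-Operators", True, WRITE_PROP, MEMBER_ATTRIBUTE),
        Ace("Domain Admins", True, GENERIC_ALL)]),
    AdObject("DC=corp", "domain", "Domain Admins", [
        Ace("backup-svc", True, CONTROL_ACCESS, REPL_GET_CHANGES_ALL),
        Ace("Domain Admins", True, GENERIC_ALL)]),
    AdObject("CN=pam-vault-scp,CN=System,DC=corp", "scp", "carol", [
        Ace("Domain Admins", True, GENERIC_ALL)]),
]
PRINCIPALS = ["alice", "bob", "carol", "dave", "backup-svc", "da-admin"]

if __name__ == "__main__":
    for who, findings in discover_privileged(PRINCIPALS, OBJECTS, GROUPS).items():
        print(who, "->", findings)
```

None of alice, bob, carol, dave or backup-svc is in Domain Admins, yet the report lists every one of them: alice can reset a Domain Admin's password through an inherited Helpdesk ACE, bob can change Domain Admins membership through two levels of group nesting, carol holds WriteDacl on the vault's SCP purely by owning the object, and backup-svc can replicate secrets. dave is the instructive case: an explicit deny blocks his password reset, but the inherited Full Control still leaves him WriteDacl and WriteOwner on the account, so the deny is only as strong as his inability to remove it. A listing of who appears in which ACE shows none of this directly; only the evaluated effective permissions do.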


Gold Finger for Active Directory

Our Solution

How our solution helps trustworthily implement Privileged Access Management in Active Directory.


Gold Finger, our innovative Microsoft-endorsed Active Directory Access Assessment Solution Suite, uniquely empowers organizations to implement Privileged Access Management in the following ways -

  1. Accurately Perform Privileged Account Discovery in Active Directory, step #1 in Privileged Access Management.

  2. Accurately assess, secure and control access on all privileged accounts (and groups) in Active Directory, which constitute steps #2 and #3 in the implementation of PAM.

  3. Assess the security and access provisioned on all objects in Active Directory that belong to any AD-integrated third-party PAM or cyber security solution, which is needed to maintain the security of all relied-upon PAM and cyber security solutions.


Gold Finger is architected by a former Microsoft Program Manager for Active Directory Security and is the world's only solution that can accurately determine effective permissions in Active Directory and, based on them, accurately assess privileged access in and accurately identify privilege escalation paths in Active Directory.


Our Unique Privileged Access Insights

Here are some paramount Privileged Access Management related insights that only* our solutions can accurately deliver -

  • Who can escalate privilege to privileged accounts and groups in Active Directory?
  • Who has what privileged access, where and how, domain-wide in Active Directory?
  • How secure are privileged user accounts and groups in Active Directory?
  • Who controls the access provisioned on privileged user accounts and groups in Active Directory?
  • Who can modify the access provisioned on privileged user accounts and groups in Active Directory?
  • Who can modify critical or custom attributes on privileged user accounts and groups in Active Directory?
  • Who can reset the password of privileged domain user accounts in Active Directory?
  • Who can disable the use of Smartcards on privileged domain user accounts in Active Directory?
  • Who can modify the group membership of privileged security groups in Active Directory?
  • Who can replicate secrets (i.e. encrypted passwords of all accounts) from Active Directory?

        * Our solutions are unique in their ability to accurately determine effective permissions in Active Directory.

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
