
Privileged Account Discovery

Accurately discover all privileged accounts in Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager, Identity and Security Business Group, Microsoft

Privileged Account Discovery

Privileged access is the eternal holy grail for perpetrators, and privileged accounts and groups are the "Crown Jewels" of cyber security because they hold the proverbial "Keys to the Kingdom."

Today, 85% of organizations worldwide operate on Microsoft's Windows Server platform, and at these organizations, Active Directory is at the heart of privileged account discovery and privileged access management because the most powerful privileged accounts and groups reside in Active Directory.

Privileged Account Discovery involves accurately identifying all privileged accounts in an organization, and is the very first step of Privileged Access Management, because one simply cannot protect what one cannot identify.

When it comes to Privileged Account Discovery, precision is key and paramount, because the compromise of even one insufficiently protected privileged account could result in a massive system-wide breach.

Our solutions uniquely enable organizations to perform precise privileged account discovery in Active Directory.


Active Directory - The Home of Privileged Accounts

Microsoft Active Directory is the foundation of identity and access management at 85% of organizations worldwide

All default Active Directory privileged accounts and groups as well as all organizational domain user accounts, computer accounts, security groups and security policies reside in Active Directory, and there exists an ocean of privileged access in Active Directory to protect the totality of these accounts and groups.

Consequently, from the all-powerful Domain Admins group to all delegated administrators and from all domain computer accounts to all non-local service accounts, the vast majority of all privileged access resides in Active Directory.

An organization's foundational Active Directory is thus not only the focal point for the adequate protection of privileged accounts and groups, but also the focal point for accurate initial and continuous privileged account discovery.

To perform Privileged Account Discovery in Active Directory, it is essential to accurately discover not just members of default Active Directory privileged groups, but all privileged accounts, including all such accounts to whom any level of privileged access may have been delegated or provisioned in Active Directory.


Privileged Account Discovery in AD

In a Microsoft Windows Server based IT infrastructure, the entirety of an organization's domain user accounts, domain computer accounts, credentials and domain security groups, are stored, secured and managed in Active Directory.

Consequently, to enable and facilitate their management and security, organizations delegate varying levels of privileged access on thousands of accounts, groups and organizational units in Active Directory, to various IT teams and personnel.

Thus, in addition to default Active Directory privileged accounts, there also exist accounts to whom privileged access has been delegated or for whom access has been provisioned in Active Directory, for identity and access management.

The accounts of users that have been delegated any level of privileged access in Active Directory are also privileged in nature, and often, the level of access they possess could be almost as much as that possessed by Domain Admins.

Consequently, Privileged Access Management cannot be implemented until a comprehensive and accurate discovery of all accounts that possess any kind of privileged access in Active Directory, not just those that possess Domain-admin equivalent privileges, has been completed.


Identifying Privileged Accounts in Active Directory

Privileged Account Discovery primarily involves the precise identification of privileged accounts in Active Directory.

To the uninitiated, this step seems the simplest and most straightforward, and is unfortunately widely believed to be comprised of merely enumerating members of default Active Directory administrative groups.

Professionals however know that this seemingly simple step is actually the most challenging and most difficult of all the steps because it involves far more than merely enumerating members of default Active Directory administrative groups.

Here's why -

Membership in a default Active Directory administrative group is merely the simplest way of possessing privileged access. Technically speaking, any and every domain user account in Active Directory could indirectly possess the same exact level of privilege depending on the access that user account actually has domain-wide in Active Directory.

It is extremely important to understand this intricate detail, and it is perhaps best conveyed with the question below.


A Simple Question

Think about this for a moment.


Members of default Active Directory administrative groups are certainly privileged users by virtue of group membership.

But what about the following ordinary users? -

  1. A user that only has sufficient effective permissions to run Mimikatz DCsync against the domain

  2. A user that only has sufficient effective permissions to modify the ACL of the domain root object

  3. A user that only has sufficient effective permissions to change the membership of the Domain Admins group

  4. A user that only has sufficient effective permissions to reset the password of a Domain Admin account


Question - Should these users also be considered privileged users, and thus also be identified in Step 1?

After all, they do possess sufficient access to be able to take over existing privileged accounts in Active Directory.


The Accurate Identification of Privileged Accounts in Active Directory


The accurate identification of privileged accounts in Active Directory is absolutely paramount for organizational security.

It is paramount because should even one such privileged account be left unidentified and thus inadequately protected, it could be the weakest link in organizational security and its compromise could result in a massive system-wide breach.

There is an ocean of privileged access that exists in every Active Directory, both by default as well as based on any administrative delegations and custom access provisioning that may have been done in Active Directory over time.

To accurately identify all privileged users in Active Directory, organizations need to analyze this vast ocean of access that exists in Active Directory and identify all accounts that effectively possess Domain-Admin equivalent privileged access.

The accurate identification of privileged accounts in Active Directory thus begins with and requires an understanding of what constitutes a privileged user in Active Directory and how to correctly assess privileged access in Active Directory.

It requires the fundamental capability to accurately determine Active Directory Effective Permissions, and based on it, the capability to be able to accurately and efficiently assess who has what privileged access in Active Directory domain-wide.


What Constitutes a Privileged User in Active Directory

The vast majority of privileged access resides in Active Directory, so an understanding of what constitutes a privileged user in Active Directory is essential for performing accurate Privileged Account Discovery.

Any user who has either of the following two levels of privileged access in Active Directory constitutes a privileged user in Active Directory -

  1. Unrestricted (Domain Admin Level) Privileged Access - This is the highest level of access in the privileged access hierarchy, and it constitutes unrestricted domain-wide privileged access, usually gained via membership in one or more default Active Directory administrative groups, but also as a result of custom access provisioning.

  2. Delegated Privileged Access - This is the second highest level of access in the privileged access hierarchy, and it constitutes restricted domain-wide, organizational unit (OU)-wide or per-object privileged access, usually obtained by administrative delegation or business need driven access provisioning.


It is imperative to understand that users with delegated privileged access could also possess as much privilege as Domain Admin equivalent privileged users, thus it is equally important to accurately identify them.


How to Identify Users with Unrestricted Privileged Access

In Active Directory, the following users must be considered highly and equally privileged in nature -

  1. All domain accounts that may directly/indirectly be members of any default Active Directory administrative groups.

  2. Anyone who can perform any of the administrative tasks listed in the Domain-Admin Equivalent Tasks list.

  3. Anyone who may have sufficient effective permissions to be able to change the membership or ownership of, or permissions on all domain security groups identified in step 1 above.

  4. Anyone who may have sufficient effective permissions to be able to reset the password of, or change the ownership of or permissions on all domain accounts identified in steps 1, 2 and 3 above.


It is easy and straightforward to enumerate the members of default Active Directory administrative groups, but it is difficult and challenging to accurately identify all accounts that can enact measures 3 and 4 above. Yet it is very important, and in fact paramount, to make these determinations, and to make them accurately.

To make these paramount determinations, i.e. to identify all accounts that can enact measures 3 and 4 above, one needs to accurately determine effective permissions on numerous objects in Active Directory.


Delegated Privileged Access

In a Microsoft Windows Server based IT infrastructure, the entirety of an organization's domain user accounts, domain computer accounts, credentials and domain security groups, are stored, secured and managed in Active Directory.

It is not feasible for a small group of administrators to manage the entirety of Active Directory's contents, so to enable and facilitate their management and security, Active Directory lets organizations delegate administrative (privileged) access to various IT teams and IT personnel, a process commonly referred to as Delegation of Administration.

Thus, delegated administrators in Active Directory are users to whom administrative responsibilities for enacting various identity and access management tasks have been delegated, by granting them access in and across Active Directory.

They can often be almost as powerful as Domain Admins because -

  1. A delegated admin that can manage domain user accounts in Active Directory (e.g. the CEO's account) can reset any account's password and access everything the account can access.

  2. A delegated admin that can manage domain security groups in Active Directory (e.g. Execs) can change any group's membership and access everything that group has access to.

  3. A delegated admin that can manage domain computer accounts in Active Directory (e.g. HBI Server) can control any computer's security and access everything on those computers.

  4. A delegated admin that can manage an OU/domain can do the above on all accounts, computers and groups in it.


Since delegated admins in Active Directory could be as powerful as Domain Admins, they must be accurately identified.


How to Identify Users with Delegated Privileged Access in Active Directory

An essential part of Privileged Account Discovery in Active Directory is the discovery of accounts that possess delegated privileged access in Active Directory, because such accounts could possess Domain Admin equivalent privileged access.

To identify users that possess delegated (restricted) privileged access in Active Directory, organizations need to perform a domain-wide delegation audit / privileged access assessment that can accurately identify -

  1. All users who can create domain user accounts, computer accounts, security groups and OUs in the domain.

  2. All users who can manage domain user accounts, computer accounts, security groups and OUs across the domain, i.e., all users who can reset user account passwords, enable disabled accounts, change group memberships, delegate access on OUs, link GPOs to OUs, etc.

  3. All users who can delete domain user accounts, computer accounts, security groups and OUs in the domain.

When performing a privileged access assessment to identify users with delegated access, to obtain accurate results, it is vital to ensure that you correctly evaluate effective permissions on every Active Directory object in the domain.


Effective Permissions - The Keys to Privileged Access

From AdminSDHolder to Domain Admins, and from the default Administrator's account to every delegated administrator's domain user account, literally everything in Active Directory is an AD object.

Every Active Directory object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Thus, what provides accurate insight into privileged access is not an audit of who has what permissions in Active Directory, but an audit of who has what effective permissions in Active Directory.

Consequently, to accurately perform privileged account discovery in Active Directory, organizations need to be able to accurately audit effective permissions in their Active Directory.
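As an added example (not Gold Finger's code or algorithm), the following Python models the distinction this section draws between permissions and effective permissions, and applies the Domain-Admin-equivalent checks from the "A Simple Question" list and the "Unrestricted Privileged Access" steps above: ACEs are resolved in Windows canonical order, group membership is followed through nesting, and every domain, object, user, group and ACE below is constructed. The same evaluator, pointed at OU-level rights, is what a delegation audit of the kind described earlier would run.

```python
# Simplified effective-permissions evaluator for privileged account discovery.
# Constructed example, not Gold Finger's algorithm. One right is decided by the
# first matching ACE in canonical order (explicit deny, explicit allow, inherited
# deny, inherited allow); a trustee matches if it is the user or any group the
# user belongs to, directly or through nesting. All data below is made up.
DOMAIN = "DC=corp,DC=example"
DA_GROUP = "CN=Domain Admins,CN=Users," + DOMAIN
DA_USER = "CN=alice,CN=Users," + DOMAIN
GROUPS = {"Domain Admins": {"alice"},             # group -> direct members
          "Tier1-Admins": {"Helpdesk", "carol"},  # Helpdesk is nested here
          "Helpdesk": {"bob"}}
# object -> ACEs as (allow|deny, trustee, right, inherited)
ACLS = {DOMAIN: [("allow", "Domain Admins", "WriteDacl", False),
                 ("allow", "svc-backup", "DS-Replication-Get-Changes", False),
                 ("allow", "svc-backup", "DS-Replication-Get-Changes-All", False),
                 ("allow", "Helpdesk", "DS-Replication-Get-Changes", False)],
        DA_GROUP: [("deny", "Helpdesk", "WriteProperty:member", False),
                   ("allow", "Tier1-Admins", "WriteProperty:member", True)],
        DA_USER: [("allow", "Helpdesk", "User-Force-Change-Password", False)]}
ORDER = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}

def token(user):
    """The user plus every group containing it, directly or through nesting."""
    sids = {user}
    while True:
        new = {g for g, m in GROUPS.items() if m & sids} - sids
        if not new:
            return sids
        sids |= new

def effective(user, obj, right):
    """True if the user's effective permissions on obj include the right."""
    sids = token(user)
    for kind, trustee, r, _ in sorted(ACLS.get(obj, []), key=lambda a: ORDER[(a[3], a[0])]):
        if r == right and trustee in sids:
            return kind == "allow"   # the first matching ACE decides
    return False                     # nothing grants it

def privileged_reasons(user):
    """Why a user counts as privileged, per the checks listed on this page."""
    checks = [
        ("member of Domain Admins", "Domain Admins" in token(user)),
        ("can replicate directory changes (DCSync)",
         effective(user, DOMAIN, "DS-Replication-Get-Changes")
         and effective(user, DOMAIN, "DS-Replication-Get-Changes-All")),
        ("can modify the domain root ACL", effective(user, DOMAIN, "WriteDacl")),
        ("can change Domain Admins membership", effective(user, DA_GROUP, "WriteProperty:member")),
        ("can reset a Domain Admin's password", effective(user, DA_USER, "User-Force-Change-Password")),
    ]
    return [reason for reason, hit in checks if hit]
```

Note that bob is flagged through nested group membership and an explicit deny on the Domain Admins group stops his inherited allow, while carol is flagged only through the inherited allow; a raw-permissions listing shows neither outcome.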


Gold Finger

Our Solution

How our solution helps trustworthily perform Privileged Account Discovery in Active Directory.


Gold Finger, our unique, innovative Microsoft-endorsed Active Directory Access Assessment tooling, architected by a former Microsoft Program Manager for Active Directory Security, is the world's only cyber security solution that can accurately calculate effective permissions in Active Directory.

Gold Finger can automatically and accurately determine exactly who has what effective permissions in Active Directory, and based on it, it can accurately assess exactly who has what privileged access, both unrestricted as well as delegated, where and how, domain-wide in Active Directory, within minutes, and at a button's touch.

Gold Finger can instantly and accurately assess and discover both, default privileged access as well as any/all custom provisioned and delegated administrative (privileged) access in Active Directory, and thereby empower organizations to easily and quickly identify all privileged accounts in Active Directory.


Our Unique Insights

Here are some paramount Privileged Account Discovery related insights that only* our solutions can accurately deliver -

  • Which accounts in Active Directory are privileged in nature?
  • What access do these privileged accounts have in Active Directory?
  • Which accounts have unrestricted privileged access in Active Directory?
  • Which accounts have delegated administrative access in Active Directory?
  • Which of these privileged user accounts in Active Directory is most powerful, and why?
  • What is the scope of delegation for delegated privileged access accounts in Active Directory?
  • Who controls the access provisioned on all such privileged user accounts in Active Directory?
  • Who can modify the access provisioned on all such privileged user accounts in Active Directory?
  • Which of these privileged user accounts in Active Directory have the widest scope of administrative authority?
  • Who has privilege escalation paths leading to these privileged user accounts in Active Directory?

* Our solutions are unique in their ability to accurately determine effective permissions in Active Directory.

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA 92660, USA


Telephone: 001-949-468-5770
