Active Directory Privileged Access Assessor

User's Guide

2. Getting Started

Getting started with Gold Finger takes just a few minutes and involves three simple steps -

1. Download and install Gold Finger

   Navigate to your custom license download URL, locate the Gold Finger download link and click on it to download the Gold-Finger.zip package onto the computer on which you wish to install the application.

   Next, unzip the package, verify the digital signature on the unzipped Gold-Finger.msi installer file and then double-click it to launch the installer. The installer will ask a few basic questions and then proceed to install Gold Finger.




2. Download and install your Gold Finger License

   Navigate to your custom license download URL, locate the Gold Finger License download link and click on it to download the Gold_Finger_License.zip package onto the computer on which you wish to install the application.

   Next, unzip the downloaded package, and locate the GFLic.dll file within the unzipped Gold_Finger_License folder. Verify the digital signature on the GFLic.dll file, and then copy it into the Gold Finger installation directory.

   Note - In a default installation, the Gold Finger installation directory is C:\Program Files (x86)\Paramount Defenses\Gold Finger.

   
   

3. Launch Gold Finger

   Click the Start menu, locate the Paramount Defenses folder, then locate the Gold Finger application link and click on it. Please give it a few moments whilst Gold Finger performs a few basic security checks before it opens.

   Note - Should you wish to use alternate credentials or target a specific domain controller, you can do so via Basic Options.

3. Exploring the User Interface

Gold Finger's sheer simplicity is reflected in its minimalist user interface, comprised of the following elements -

1. Tool Selector - The tool selector is used to select a specific tool.

2. Reports Pane - The reports pane lists all the reports available in the selected tool.

3. Scope Field - The scope field is used to specify the report's scope/target.

4. Search Utility - The inbuilt search utility is used to locate and specify targets.

5. Run Button - The run button, also known as the Gold Finger button, is used to generate a report.

6. Results Panes - The results are displayed in the results panes, comprised of the Who, Where and How panes.

7. Status Indicator - The status indicator provides an indication of the report's status.

8. Export and PDF Buttons - The Export and PDF buttons are used to export a report's results and generate PDFs.

9. Task Selector- The task selector, also known as the What dropdown, is used to view the results of a specific report.

10. Mode button - This button is used to switch between single [S] and multiple [M] reporting modes.

4. Assessing Privileged Access

To assess privileged access in an Active Directory domain, organizational unit (OU) or container, or on any specific object in a domain, select the Privileged Access Assessor from the Tool Selector, then enact the following three steps -

1. Select a report

   In the Reports pane, locate the privileged access report you wish to generate, then select it by clicking on it.

   Note - You can filter the list of reports by Type and/or by Category by using the respective drop-downs embedded in the Reports pane.

   Also, in the Single Reporting Mode [S] (default mode), you can select a single report. In the Multiple Reporting Mode [M], you can select multiple reports, all of which will be generated in the same assessment. Use the Mode toggle button to switch between the two modes.




2. Specify a scope

   In the Scope field, enter the distinguished name (DN) of the AD domain, OU, container or object you wish to target.

   Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.

   
   

3. Click a button

   Click the Gold Finger (Run) button, and the tool will proceed to generate the selected privileged access report(s).

5. Analyzing Results

Once Gold Finger has successfuly completed generating the report(s), it presents the results intuitively using four user-inteface elements, the What drop-down and the Who, Where and How panes, to be be analyzed as described below -

1. Identifying Who can do What

   The administrative task(s) / privileged access report(s) selected is(/are) listed in the What dropdown.

   Begin with the administrative task you are interested in analyzing by selecting it in the What dropdown.

   When you do so, the list of all domain user/computer accounts that have been determined to be entitled to being able to perform the selected administrative task in the specified scope, will be displayed in the Who pane.




2. Identifying Where and How

   Next, to find out where a specific account (that is listed in the Who pane) can perform the selected administrative task in the specified scope, i.e. on which objects the account can perform the selected task, click on the account.

   When you do so, the list of all objects in the specified scope on which the selected account can enact the selected administrative task, will be displayed in the Where pane.

   Finally, to find out how that selected account is entitled to performing the selected administrative task on a specific object (that is listed in the Where pane), i.e. which security permission in the ACL of that specific object is entitling the account to be able to do so, click on that specific object (that is listed and visible) in the Where pane.

   When you do so, the entitling security permission in that specific object's ACL will be displayed in the How pane.

6. Exporting Results

Gold Finger also makes exporting the complete set of results, i.e. the What, the Who, the Where and the How, as easy as touching a button, as described below -

1. Exporting Results

   To export the results of a report, simply click the Export button once. When you do so, Gold Finger will generate a CSV file containing the entire data set, and prompt you to specify a location at which to save the file.

   The data in the CSV file is logically compartmentalized into the aforementioned four sections, and is fully sortable.

   In addition, the contents of each pane, i.e. the Who, Where and How panes, can also be individually exported. To export the contents of a specific pane, simply right-click anywhere in the pane, and select the Export option.




2. Generating PDFs

   Gold Finger can also generate professional-grade, fully-customizable PDF files with a custom title, header, footer description, organizational logo, page-numbers, password-protection and custom attributes, at a button's touch.

   To generate a PDF report, simply click the PDF button once. When you do so, Gold Finger will generate a PDF file based on options specified in PDF Report Options, and prompt you to specify a location at which to save the file.

   The PDF reports can contain either a summary of results or the complete set of results, and this can be customized by configuring various options available in PDF Report Options, which can be accessed from the Options menu.

7. Using Single-User Mode

Gold Finger's unique Single-User mode lets organizations easily assess whether a specific user of interest has any specific privileged access in Active Directory, and if so, where and how.

To use Single-User mode, activate it by using the Mode option in the application menu, then enact the following steps -

1. Select a User

   Click the Select a User button (, located in the top-left corner of the Reports pane) to locate and select a user.




2. Select a Report and Specify a Scope

   Select the report(s) you wish to generate, then specify the target of your asessment by using the Scope field.

   Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.




3. Click a button

   Click the Gold Finger button to generate the report.

Upon the completion of the report, results will be displayed in the Results pane. The steps involved in analyzing results and exporting results are identical to those for the default (Multi-User) mode, with the exception that the only security principal listed in the Who pane will be the specified user.

Note - To return to the Multi-User mode, use the Mode option in the Application menu.

8. Using Basic Options

Gold Finger offers two options that can be used to target specific domain controllers and/or use alternate credentials, (and a third basic option that impacts the aesthetics of the Run button, traditionally known as the Gold Finger button,) accessible via the Options > Basic Options application menu -

1. Target a specific Domain Controller

   Gold Finger can be configured to target a specific domain controller (DC). If this option is checked, Gold Finger will only target the DC specified in the DC Name field. The specified name of a DC must be its NetBIOS name.

   Note - The only requirement is that the specified DC must belong to the target domain and it must also be a Global Catalog.




2. Use specific Alternate Credentials

   Gold Finger can also be configured to use alternate credentials. If this option is checked, Gold Finger will use the specified alternate credentials. The specified username must be in the form a UPN e.g. administrator@corp.local.

   Note - By default, Gold Finger uses the security context of the (logged-on) user account that is currently using Gold Finger.

   
   

3. Use contemporary 'Run' Button

   This option controls the aesthetics of the Run button. If this option is checked (default), the Run button sports a contemporary look. If it is unchecked, the Run button retains its traditional look i.e. the iconic Gold Finger button.

9. Using Advanced Options

Gold Finger offers seven advanced options for the Privileged Access Assessor tool, accessible via the Options > Advanced Options application menu -

1. Use 'Display Names' for user accounts - This option controls whether Gold Finger should retrieve and display the Display Name of domain user accounts in the Name field. If checked, it will display the Display Name instead.

2. Include 'System Container' contents - This option controls whether Gold Finger should include the contents of the System container when assessing privileged access. If checked, it will include objects in the System container.

   [ Also include DNS data ] - This sub-option is used to control whether Gold Finger should also include DNS data that resides in the System container when assessing privileged access. If checked, it will also include DNS contents in the System container.

3. Include 'Anonymous' in 'Everyone' - If checked, Gold Finger will include the Anonymous well-known security principal when dynamically evaluating the membership of the Everyone well-known security principal.

4. Include impact of object ownership - This option controls whether Gold Finger should include the impact of an object's owner having implicit Modify Permissions on the object. If checked, it will include the impact of ownership.

5. Include impact of 'Delete-Tree' permissions on deletion tasks - If checked, Gold Finger will additionally include the impact of Delete-Tree permissions on all target objects and all their ancestor objects up to the domain root.

6. Exclude data processing for CSV output - If checked, Gold Finger will skip processing data for CSV exports, likely considerably reducing assessment time. However the ability to export data to CSV files will become unavailable.

7. Generate a separate CSV file for each report - If checked, when in Multiple Reports mode [M], when the Export button is clicked, the resulting CSV file will only contain results for the task that is currently selected in the What drop-down. This enables the creation of separate reasonably sized CSV files for each selected administrative task.