Category Archives: Active Directory

The ONE Question NO ONE knows the Answer to at RSA Conference 2020

Hello,

On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"

If that's the case, let's talk security -  I'd like to ask the entire RSA Conference just 1 simple cyber security question -

Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?


If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.



Unequivocal Clarity

If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:

    Does our organization know exactly -
  • Q 1.  Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
  • Q 2.  Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
  • Q 3.  Who can reset passwords of /disable use of Smartcards on all Domain Admin equivalent privileged accounts?
  • Q 4.  Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
  • Q 5.  Who can change or control who has what privileged access in our Active Directory?

If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.




This is Paramount

If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.


Just ask the world famous and globally trusted $10 Billion cyber security company CrowdStrike, and here's a quote from them - "A secure Active Directory environment can mitigate most attacks."




Zero out of 1000

There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.


Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.

That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.




The Key

The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.


There's only 1 company on planet Earth that possesses this key, and its not going to be at the RSA Conference 2020 - this one.



Thanks,
Sanjay.

Who Needs WMDs (Weapons of Mass Destruction) Today ?

Folks,

Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more that 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.


So without further adieu, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.


Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and its Game Over.


Puzzled? Allow me to give you a HINT:.

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.


If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.


Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.


They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

Best wishes,
Sanjay


PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)

What is Active Directory? (Cyber Security 101 for the Entire World)

Folks,

Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.


Cyber Security 101

Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?

You see, while this question may seem simple to some (and it is,) its one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while its true that at its simplest, it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence because  "Who really cares about just a phone book?"

In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that are likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

Again, after all, who cares about a phone book?!




Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

If as they say, a "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the  risk of complete, swift and colossal compromise.



Active Directory Security Must Be Organizational Cyber Security Priority #1

Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


Here's why - A deeper, detailed look into What is Active Directory ?


For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)



In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.

Best wishes,
Sanjay.

Its Time to Help Defend Organizations Worldwide

Folks,

I trust this finds you all doing well. It has been a few months since I last blogged - pardon the absence. I had to focus my energies on helping the world get some perspective, getting 007G ready for launch, and dealing with a certain nuisance.

Having successfully accomplished all three objectives, it is TIME to help defend organizations worldwide from the SPECTRE of potentially colossal compromise, which is a real cyber security risk that looms over 85% of organizations worldwide.


When you know as much as I do, care as much as I do, and possess as much capability as I do, you not only shoulder a great responsibility, you almost have an obligation to educate the whole world about cyber security risks that threaten their security.

So, even though I barely have any time to do this, in the interest of foundational cyber security worldwide, I'm going to start sharing a few valuable perspectives again, and do so, on this blog, that blog and the official PD blog (;see below.)


Speaking of which, earlier this week, I had the PRIVILEGE to launch the official PD blog -  https://blog.paramountdefenses.com


Stay tuned for some valuable cyber security insights right here from January 06, 2020
and let me take your leave with a befitting (and one of my favorite) song(s) -



Best wishes,
Sanjay.


PS: Just a month ago, the $ Billion Czech cyber security company Avast was substantially compromised, and guess what the perpetrators used to compromise them? They used the EXACT means I had clearly warned about TWO years ago, right here.


A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

Folks,

This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -



If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


  • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
  • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
  • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
  • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

Best wishes,
Sanjay


PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.

PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?

Some Help & Good News for Microsoft regarding Active Directory Security


Folks,

You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.



A Quick and Short Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


Active Directory is the Foundation of Cyber Security Worldwide

The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.

During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.

These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.

Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock-down vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.





Clearly, Microsoft Has No Answers

It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.


Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -



If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!

You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!

That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."

Oh, and the very last thing they tell you that is their nascent ATA technology can detect AD multiple recon methods.


In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Be rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock-down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.

BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (; you'll want to read the posts) - Active Directory Security School for Microsoft.



Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.

Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.





Fortunately There's Help and Good News For Microsoft

I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.


To my former colleagues at Microsoft I say - "Each one of us at Microsoft are passionate, care deeply and always strive to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."

So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.

Specifically, in days to come, as a part of our 30-Day Active Directory Security School, you can expect the following posts -


  1. What Constitutes a Privileged User in Active Directory

  2. How to Correctly Audit Privileged Users/Access in Active Directory

  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

  6. The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)

  7. The Paramount Need to Lockdown Access Privileges in Active Directory

  8. How to Attain and Maintain Least Privileged Access (LPA) in Active Directory

  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can be easily accomplished, but and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.

Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.

So, over the next few days, I'll pen the above, and you'll be able to access them at the Active Directory Security Blog.

Until then, you may want to go through each one of the 20 days of posts that I've already shared there, as well as review this.



In fact, this cannot wait, so let us begin with the "actual" insight on Active Directory ACLs that all organizations worldwide must have today -


Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly Program Manager,
Active Directory Security,
Microsoft Corporation


PS: Microsoft, you're welcome. Also, I don't need anything from you, except a Thank you note.