Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including the World's Top Cyber Security Risk, Advanced Persistent Threats (APT), Cyber Warfare, Corporate Espionage, Insider Threats and other topics.



Friday, July 22, 2016

Clarity for Self-Proclaimed Cyber Security Experts who Chirp on Twitter

Folks,

When someone doesn't know or understand something, often their first reaction is to make fun of it. Sadly, these days, to their own detriment, they do so publicly on social media. Little do they realize that everything they utter can be seen by the whole world, and by sharing their ignorance on social media with the world, they show the whole world how little they actually know.


For example, consider this individual. Perhaps he knows just enough English to see our homepage, but not to be able to go beyond it, to say this one, or this one, so he publicly and slightingly wonders who we are and asks if anyone's heard of us. I wonder if it might have ever occurred to this individual that perhaps our low profile until now may have been by intent. For this individual, and anyone else on Twitter etc., if you want to know who we are, please call Scott Charney at Microsoft.



One of Many Examples

Or this individual, who said regarding The Paramount Brief - "That's it? Make sure your delegation is tight and...no big deal."
 
Wow. Great advice! Since you make it sound so simple, now why don't you (i.e. this individual) also tell them (i.e. the world) HOW to do so, i.e. how to tighten their delegation(s) in their Active Directory domains, which easily comprise 1000s of objects?!

You see, this individual likely has no idea HOW to actually do so. If he did, he'd know just how extremely difficult it is to do so, and I doubt he would've said - "no big deal!" In fact, I wonder if he even knows that because it is so difficult to do so, hardly any organization in the world (including his past employers, or Microsoft for that matter) may have ever actually accurately done it?

So let me give him, his friends, and the whole world a hint - the very first thing you need to do to tighten your delegation(s) is to assess your current delegations across Active Directory, and to do so you need to be able to determine effective privileged access across the entire Active Directory domain, i.e. on thousands of objects in Active Directory, accurately.

Even the $450 Billion Microsoft Corporation may not know how to do this. But for this individual, it's "no big deal."

If he knew this, I'm not sure he might have publicly said - "no big deal!"

In fact, if he, or anyone in the world, can accurately determine effective permissions / effective access across an Active Directory domain, please go ahead, show us and the entire world how you would do so. Please. Be my guest. I insist!



Unequivocal Clarity

For anyone on Twitter who wishes to slight us without substance, let's just make this really simple for you once and for all.

Please know that if you slight us, and there's no substance to it, we too MAY share your ignorance with the WHOLE world.

By the way, if you haven't heard about us yet, it's only because for the longest time, we kept a low profile. Please know that in the last 10 years, 10,000+ organizations from 150+ countries have knocked at our doors, unsolicited, and know who we are. Today our reach is global, and in minutes, we too can have 1000s of folks across 150+ countries learn about your ignorance.

So, to the 1% who may do so, if there's no substance, please don't embarrass yourself by making childish comments. (It's a free world and you're welcome to, but know that the whole world's watching, and they'll know just how much (or little) you know.)

Talk is cheap, actions are not.

Best wishes,
Sanjay

Friday, July 15, 2016

A Letter to Benjamin Delpy regarding Mimikatz & Active Directory Security

Dear Mr. Delpy,

Hello. I hope this finds you doing well. Although we don't personally know each other, I've heard about your work, and the impact it's had on improvements in Windows Security, so thank you for your contributions to the field of Windows Security.

  (Note: To the kids on Twitter who seem to have no idea what this is about, you'll want to read this post (& PS3 below) twice ;-)

To begin with, I'd like to apologize for not having been able to tune sooner into the incredible circus caused by your interesting hobbies over these past few years :-), as I was away, silently working on the world's most powerful cyber security weapon ...

Gold Finger 007G
 
... you know, one that can be used to go from breach to 0wned (AD) in about 5 minutes in any Active Directory deployment in the world, even and particularly in environments (such as the one described below) wherein an intruder couldn't accomplish much with Mimikatz. We've built it for the good guys though, so that they can prevent such scenarios from occurring.


By the way, like you, I too am a programmer. I personally wrote half the code for Gold Finger 007 and 007G.


However, given its sheer power, I'm not too big a fan of releasing my work in the wild, because I believe in an old saying - "Along with great power, comes great responsibility." (As for this, it is merely temporary and controlled.)


(Oh I digress. I have a bad habit of digressing often, so my apologies. End of digression.)


I did however briefly hear about Microsoft scrambling to try and save its face by buying a little start-up whose founder (and you too might find this funny) not too long ago, one day, sat thinking for two hours about how to build an attack path, and then realized that everyone has access to Active Directory! (Hilarious! - that video's here (2:10 onwards.))

Oh, by the way, I forgot to introduce myself. I'm the one who did a risk assessment of Microsoft Corporation's global Active Directory more than a decade ago and showed them...


 ...well, I'm not about to reveal what I showed them. They know it, and that's all that matters.

Oh, I'm also the one who amongst other things, wrote Microsoft's 400-page whitepaper on how to delegate privileged access in Active Directory, only about 10 years before the world had heard of Mimikatz or an Aorato.


Speaking of privileged access in Active Directory, as you probably know, that cool little recent DCSync feature of yours would be rendered completely USELESS if the perpetrator didn't have sufficient rights to replicate secrets out of Active Directory.

Replicating Directory Changes All Extended Right on Domain root in Active Directory

And while that feature may wow some, to us it very simply boils down to this - if you already possess sufficient privilege to be able to replicate secrets out of Active Directory, you're already virtually God in that environment anyway. But thank you nonetheless for showing the world just how easy it can be. (Actually, it's not that easy either, so I respect your work.)

Interesting side note question - Do you think anyone in the world knows exactly to whom the Get Replication Changes All extended right is effectively granted in any production Active Directory environment wherein the domain root ACL has been changed even once? (I don't think so.)

Oh, and by the way, as you may well know, you can't generate a Kerberos Golden Ticket without having the NTLM hash for the krbtgt account, and if you don't have the Get-Replication-Changes-All extended right to request secrets from a DC, you can't have that hash until you can log on as an Admin on a Domain Controller, BUT, if you can log in as an Admin on a Domain Controller, buddy, it's ALREADY GAME OVER RIGHT THERE!


So, why bother going a step or five forward (LSASS dump, hash extraction etc.), when it's already game over! Just use the task scheduler to launch a cmd prompt as System, and you're playing God in no time ;-)


I mean, seriously, if you're telling me that it's that easy for a perpetrator to be able to log on as Admin on a Domain Controller at hundreds or thousands of organizations worldwide, then I must say, the $400+ Billion Microsoft hasn't done enough to educate its customers about the importance of protecting its Domain Controllers, and probably ought to spend a petty $100 million to do so right away (because if that's that easy, forget ATA, nothing's going to be able to protect these organizations from getting 0wned in minutes.)


[Again, a (not so) small digression...


Active Directory / Cyber Security 101 for the World

If your Domain Controller has been compromised, you're DONE. Period.

Domain Controllers in a Data Center

From the AD Admin to the CEO, it's time to pack up, go home, and find another job, because believe you me, until you completely re-build the forest from scratch, he who knows what to do will have you for ETERNITY without needing any ticket, let alone a Golden Ticket, at all! (To those who would like to see a demo of this, please let us know.)

Let me repeat that. If an unauthorized individual can login to a Domain Controller as Admin, you are done! D-O-N-E! 

Only ignorant organizations will continue to operate that Active Directory forest, because you'd be operating on a compromised foundation, and if you do, those who truly understand Active Directory security, will know (and could divulge) everything there is to know about you, tamper with anything, destroy anything at will etc. etc. And yes, even Microsoft's latest toy won't be able to stop them.

... end of digression.]



Mr. Delpy, if you'll allow me, I'd like to most respectfully paint a very simple picture for you, one wherein, one could possibly grow old and maybe even have grand-children, and yet not succeed with Mimikatz. For brevity, I'll keep it simple.


Consider a forest with one or more domains wherein -
1. Domain Controllers: All physically secured in data-centers, requiring triple-factor authentication to physically access. Interactive logon denied to everyone except an empty AD security group. Of course, fully patched (so no low-hanging fruit etc.), plus all default User Rights and Privilege assignments severely locked-down. Soldered USB drives and keyboards i.e. no chance of applying a keystroke logger or USB-anything. No 3rd party software of any kind on these machines. Etc. etc.
2. Get Replication Changes All Extended Right: Only granted to Domain Controllers.
3. Domain Admins: None. All responsibilities for Active Directory service and data management (i.e. account and group management) natively delegated in Active Directory. In fact, the Domain Admins group SID has been removed from across Active Directory by a simple execution of a baby of a tool called dsrevoke.
4. Active Directory Admins and Designated Workstations: Less than 5 AD admins, each one with alt accounts, and separate workstations for everyday use and admin use. Admin use workstations are as secure as the DCs, and interactive and network logons only allowed to the designated admin. Soldered USB drives and keyboards i.e. no chance of applying a keystroke logger or USB-anything. No 3rd party software of any kind on these machines. Minimum 25-character passwords, changed frequently, never written or stored anywhere.
5. Active Directory Backups: Stored encrypted in a physical bank vault, physical access to which requires the CISO to escort you to them. Only the CISO can get into bank vault.
6. An Educated Active Directory Admin Team: These aren't your ordinary admins. They know NEVER to logon to any system they do not OWN and CONTROL. They're also bound by a simple policy - you logon to any other system and you will be instantly terminated. Besides, Group Policy prevents them from logging on anywhere else.
7. Zero Services Using Domain Admin Creds: Not a single service in the enterprise uses Domain Admin creds, because if you know how to do security, you know that nothing strictly requires running as Domain Admin.
8. No DCs in the Cloud: Yes, you heard it right. I don't care how iron-clad the SLA is, we're not putting a single DC in the cloud with any provider yet. Not just yet. (More on that in days to come.)
9. Microsoft ATA: Microsoft ATA is NOT deployed just yet, because if you think about it, it's still just some rudimentary technology acquired from a start-up, and rolled out in just months. Not sure how robust and reliable its code is, or how well it can protect multi-$ Billion companies.

I could go on and on, but you get the drift. (BTW, if you want to make it harder, throw in 2-factor authentication, at least for all admin accounts at a minimum, and a bunch of other latest Band-aids, none of which can stop a knowledgeable perpetrator.)

In such an environment, you might be able to compromise a domain-joined machine, but you're likely not going to get anywhere close to getting Domain Admin type credentials, because a Domain Admin type account will NEVER logon to a system 0wned by an intruder, and the intruder will almost NEVER be able to logon to an admin workstation or on to a DC as admin. Period.

In such a situation, I doubt an intruder's going to have a field day harvesting or reusing credentials to gain administrative access to Active Directory. In all likelihood, he/she'd sit and wait, and wait and wait, and wait, and grow old, and still not get anywhere.

Disgruntled intruder not getting any success with Mimikatz :-(

Hmm. Not a fun day with Mimikatz anymore, is it :-( 

NOW, I'll be the first to admit that the environment described above is a rarity, but not an impossibility by any stretch. In fact, in time, the world will get there, and we already are there. For instance, our Active Directory environment is only about 50 times tighter than I have described above, so at least one such environment exists, and we operate it most easily. But in reality (and 8,000+ organizations from 160+ countries have knocked at our doors, completely unsolicited of course, so) we know just how bad the situation is out there.

End of digression. Back on track...

Hmm. I wonder if there might be a way for an intruder to compromise a relatively more secure Active Directory environment, specifically, such as the one described above? Well, it doesn't seem very likely, at least not using credential theft based attack vectors, since no Active Directory admins seem to want to give the bad guys even a chance at getting them.




Duh!

But wait, if this is all about Active Directory Security, then it doesn't take a brilliant mind to figure out the following - hey let me actually look INTO Active Directory, and I mean it literally! Look INTO it! -

Inside Active Directory

Wow, now that I'm looking in, it is an ocean in there!

And since we're talking about security here, perhaps it's worth looking at something called an Access Control List (ACL), you know, that little thing that protects each object in Active Directory, including every administrative account, administrative group, domain user account, domain computer account (and of course the domain controller's domain computer account), the domain root, AdminSDHolder, the System Container, the entire Configuration container, the Schema container, every GPO, etc. etc.-

Active Directory ACL on some random user, say an Alex Simon's domain user account.

Hmm. I wonder why nobody has looked INTO the Active Directory that much? And by that, I don't mean looking at basic kid-stuff enumeration of accounts, groups, GPOs, DCs etc. I mean looking a little deeper, and a little more intelligently.


You know, like trying to figure out who can actually reset a Domain Admin account's password, or who can change the Domain Admins group membership, or perhaps who can change the ACL on the AdminSDHolder object, etc., and/or ...


... speaking of say, Mimikatz, you know who can modify the ACL protecting the Domain root to grant someone or themselves the Get Replication Changes All extended right so they could replicate secrets (password hashes) out from Active Directory, or say, grant themselves Full Control over the entire Active Directory domain. (You see, intelligent and (very) powerful stuff.)

[Quick Digression -  
Now, some kid might say - "You don't need an effective permissions tool to assess REPL perms on NC." Well, if no one has ever changed the ACL on the NC head, and you're just dealing with default permissions, then it's his lucky day and a simple group enumeration should do it, BUT, if the permissions on the NC head have changed even once, and there's even ONE deny permission there (e.g. Deny All extended rights to Group X), well, then tough luck kid, because if you really want an accurate picture, you're going to have to determine effective permissions on the NC head ;-)
End of Digression]
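The digression above is the point in a nutshell, so here is an added example (not the post's code, and not any vendor's tool) that evaluates who effectively holds an extended right on an object the way Windows orders and matches ACEs, and contrasts it with the group-enumeration shortcut. The ACL, the principal names (standing in for SIDs) and the memberships are constructed; the two rightsGuid values are the real ones for DS-Replication-Get-Changes-All and User-Force-Change-Password.

```python
"""Added example (not the post's code): decide who *effectively* holds an Active
Directory extended right on an object, and contrast it with a naive reading of
the allow ACEs. Names stand in for SIDs; the ACL and memberships are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Access-mask bit for extended rights ("control access") in AD security descriptors.
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100

# rightsGuid values of two extended rights discussed on this page.
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"


@dataclass(frozen=True)
class Ace:
    allow: bool                        # True: access-allowed ACE, False: access-denied ACE
    trustee: str                       # SID; readable names are used here for clarity
    mask: int                          # access mask
    object_type: Optional[str] = None  # rightsGuid; None applies to every extended right
    inherited: bool = False            # ACE inherited from a parent container


def canonical_order(acl: List[Ace]) -> List[Ace]:
    """Sort ACEs the way Windows evaluates them: explicit denies, explicit allows,
    then inherited denies, then inherited allows (a stable sort keeps ties in place)."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def expand_groups(principal: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Transitive (nested) group membership, i.e. the group SIDs carried in a token."""
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        for group in membership.get(stack.pop(), set()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effectively_granted(acl: List[Ace], principal: str,
                        membership: Dict[str, Set[str]], right_guid: str) -> bool:
    """Walk the ACL in canonical order; the first ACE that matches both a SID in the
    token and the requested extended right decides (a deny beats any later allow)."""
    token = {principal} | expand_groups(principal, membership)
    for ace in canonical_order(acl):
        if ace.trustee not in token or not ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            continue
        if ace.object_type is not None and ace.object_type != right_guid:
            continue  # ACE concerns a different extended right
        return ace.allow
    return False  # no matching ACE: access is denied by default


def effective_holders(acl, principals, membership, right_guid) -> Set[str]:
    return {p for p in principals if effectively_granted(acl, p, membership, right_guid)}


def naive_holders(acl, principals, membership, right_guid) -> Set[str]:
    """What 'list the allow ACEs and enumerate their groups' reports: denies are ignored."""
    trustees = {a.trustee for a in acl
                if a.allow and a.mask & ADS_RIGHT_DS_CONTROL_ACCESS
                and a.object_type in (None, right_guid)}
    return {p for p in principals if trustees & ({p} | expand_groups(p, membership))}


# Constructed ACL on a domain NC head after someone has edited it: a custom allow
# for a replication-operators group and a blanket deny of all extended rights to
# a contractors group (exactly the case where group enumeration goes wrong).
DOMAIN_ROOT_ACL = [
    Ace(True, "Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace(True, "Repl-Ops", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace(False, "Contractors", ADS_RIGHT_DS_CONTROL_ACCESS),  # Deny all extended rights
    Ace(True, "Helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, USER_FORCE_CHANGE_PASSWORD),
]

# Constructed memberships (hypothetical principals); note the nesting for bob.
MEMBERSHIP = {
    "DC01$": {"Domain Controllers"},
    "alice": {"Repl-Ops"},
    "bob": {"Vendor-Staff"},
    "Vendor-Staff": {"Repl-Ops", "Contractors"},
    "carol": {"Helpdesk"},
}
PRINCIPALS = ["DC01$", "alice", "bob", "carol"]

if __name__ == "__main__":
    args = (DOMAIN_ROOT_ACL, PRINCIPALS, MEMBERSHIP, DS_REPLICATION_GET_CHANGES_ALL)
    print("naive:    ", sorted(naive_holders(*args)))      # lists bob, who is actually denied
    print("effective:", sorted(effective_holders(*args)))  # alice and DC01$ only
```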


Hmm. I wonder. Let me see. Well, to begin with, what could I figure out by looking into these ACLs?

Not much, other than exactly who has the keys to every door in the kingdom, and the Keys to the Kingdom of course!

Hmm. Wonder how I do it? Yes, I know! I could use a tool like dsacls from Microsoft or I could pick up several amateur scripts from TechNet which claim to help find out who has what permissions -

dsacls

But wait, I see all kinds of permissions :-( Allow permissions, Deny permissions, Explicit permissions, Inherited permissions, over a dozen basic permissions, five dozen plus special permissions (Extended rights), Validated writes, permissions with IO flags, etc. etc.

Whoa! Where do I even begin?

And does "who has what permissions" even equal "who actually has what permissions"?

Well, maybe I should read Microsoft's bible on all this Active Directory permissions stuff, and perhaps in a year or so, get my head around all this, and could possibly get somewhere. Perhaps, that's when I'll realize that what matters is who has what effective permissions, not who has what permissions!

Oh wait, yes, I've seen an Effective Permissions Tab in Active Directory Users and Computers, but I never did give it much thought! Hmm, it's one out of four tabs in there, so it must be important -



Why don't I just use that to figure out who can do what within the Active Directory?

Sure, go ahead... consider an environment consisting of thousands of users and you'll know why it is virtually useless.

Oh, and if you come across this, RUN, because it's dangerously inaccurate. The same is true for the advice on TechNet forums.

Well, perhaps, if I had something like this, I could actually answer that question accurately and quickly -



Then ask yourself a simple question - what if I wanted to find out who can create a user account in Active Directory? Hmm - would I even know where to begin? Hey, this Active Directory has 100s of OUs, 100s of containers, etc. etc. - how many objects am I going to have to analyze effective access on to answer this one simple question? It'll be 100s if not 1000s.

Again, you could try for a year, or be done in seconds ...

An Effective Privileged Access Audit in Active Directory

But, you should absolutely try it yourself first, so you can get a sense of just how monumentally difficult it is to do so. I insist!

Years may go by, but you'll eventually gain the knowledge to comprehend the profoundness of this, this, this and this.

When you're there, please let me know, because then you too will have learnt how the (really) smart guys find ways to the Keys to the Kingdom, or to any door they want in to, in minutes, without having to wait for someone to logon to a machine you 0wn!


When you get there, please let me know...

 

... I'm already there.


Until then, I wish you well, and hope you continue to enjoy hashes and tickets! Oh, and if the intriguing world of Active Directory Security (which literally lies within every Active Directory) has piqued your curiosity, here's some recommended 101 reading.

Personally though, as a fellow programmer who too has spent 1000s of hours on an ocean of technical detail that most would never get into, my humble unsolicited advice to you would be to also enjoy life because there's a lot more to it than just work. You've already proven how incredibly smart you are, and made a big (enough) difference, so thank you also for helping make Windows more secure for the world.

Sir, for your valued contributions to the field of cyber security, you have my respect, and that of the world.

I most sincerely wish you well.

Thank you.

Best wishes,
ST aka TS.

PS: For those who chirp on Twitter, in your own best interest you'll want to read this - http://www.cyber-security-blog.com/2016/07/clarity-for-cyber-security-experts-on-twitter.html

PS2: To those who may not yet understand the depth of what I just shared above, you may want to take a shot at answering any 1 of the 10 simple questions concerning Active Directory Security that I've posed to Sean Metcalf and Microsoft here, since one path is all it takes. If you're a cyber security guru, I imagine it shouldn't be too hard for you. Seriously... answer any one of those 10 simple questions. I'm not saying all 10. Any one. Anyone?

PS3: To the kids on Twitter (and you (and we all) know who you are) who may not have particularly enjoyed this (for obvious reasons) or understood it, instead of using childish adjectives to describe me, why don't you FOCUS on the technical aspects of what I'm saying? You know, instead of instantaneously blabbering childishly, perhaps reflect on this stuff for a night. Besides, when you use such adjectives, the only thing you demonstrate (to the world) is your own lack of knowledge. If you're that super smart, instead of using childish adjectives, why don't you try to "get it", and when you have, try and utter some intelligent words, not childish adjectives, just so we all know how smart you actually are (and believe you me, the whole world's watching ;-)) If this is too esoteric for you, perhaps start here. (Oh, and if you don't understand the word esoteric, Google "define esoteric" ;-)

PS4: Like I said, we're just getting started. If you're into AD/Cyber Security, you may want to tune in here every few days.

Thursday, July 7, 2016

User-Force-Change-Password

Folks,

As I have said, starting July 11th, 2016 (moved from July 04th), I'm going to start addressing vital matters of global cyber security.

Today, I just wanted to share a picture with you, because as they say, "A picture is worth a 1000 words" -

Password Reset Analysis on a random user, say Satya Nadella.

Well, this one's worth a proverbial $ Billion. (You may not yet understand why I say so, but in days to come, you will.)

Stay tuned...

Best wishes,
Sanjay

PS: Today's post was on an Active Directory extended right called Reset Password, the CN for which is User-Force-Change-Password and its Rights-GUID is 00299570-246d-11d0-a768-00aa006e0529. To some it's just an extended right, to others it could be the key(s) to the Kingdom.

PS2: If you know how to press a mouse button, and want to know who can reset your password today, or that of any colleague (such as a Domain Admin or your CEO), you can now do so, our compliments (i.e. free), using this tool. On that note, the astute mind will also profoundly appreciate the importance and value of this.

Monday, July 4, 2016

It's Almost Time

Folks,

Due to certain recent global events, it appears I'm going to have to postpone sharing what I had in mind, by about a week.
 
 
I apologize for the slight delay... we'll start on July 11, 2016.

Best,
Sanjay

Saturday, July 2, 2016

Kerberos Token Bloat, MaxTokenSize and Tokensz

Folks,

Starting July 04, 2016, we're going to start addressing certain matters of cyber security that today have a global impact on the security of a majority of business and government organizations worldwide.


Until then, over the next few days, I just wanted to very briefly cover a few technical aspects.


Kerberos Token Bloat

Today, I wanted to briefly talk about Kerberos Token Bloat, a decade old system technical limitation based issue that continues to linger and distract Microsoft's business and government customers from substantially more important cyber security issues.

[ Begin digression...

By the way, in case you're wondering why this topic merited a mention on a blog to do with Cyber Security, it's because not many non-IT folks know that this very topic impacts the cyber security of 85% of all organizations worldwide, and that 1000s of organizations today still struggle to address it.

It is only when they can move on from such basic issues that they can even begin to think about addressing far more important cyber security challenges. Until then, they remain vulnerable, and we remain worried.

...end digression. ]


Speaking of Kerberos Token Bloat, here's a simple picture that conveys its impact -

Kerberos Token Bloat

Given the paucity of time, in this blog entry I'm not going to expound upon the issue of Kerberos Token Bloat, as I've already described it, and 3 helpful tools/scripts in substantial detail over here.

The first time I spent some time on it was way back in 2002 during my Microsoft years.

The short of it is that Kerberos Token Bloat is an issue that can result in users being denied access to corporate systems (i.e. a Windows logon) simply by virtue of the fact that they belong to a large (enough) number of Active Directory security groups.

For example, consider a random user, say Satya Nadella. When he uses his Active Directory domain user account, such as corp\snadella to logon to his domain-joined Windows Surface device, he could be denied access to the system (i.e. denied a logon) if he is a member of a large enough number of domain security groups.


Logon Denied due to Kerberos Token Bloat


In case the snapshot above isn't clear, here's the message he'll see -
Logon Message
The system cannot log you on due to the following error: 
During a logon attempt, the user's security context accumulated too many security IDs.
Please try again or consult your system administrator.

In many medium and large sized organizations worldwide, this can easily be a major and unwelcome IT problem because many users could be in a situation wherein over the years they have been made members of a large number of security groups, and thus potentially run the risk of being denied a logon if their group membership count were to continue to increase.

Domain Admin

To minimize the possibility of users being denied access to the system, IT personnel try to proactively determine Kerberos token sizes of their users, so that they can identify at-risk users and enact adequate mitigation measures.

Over the years, Microsoft has issued guidance, introduced basic tooling, made some enhancements and even made it easier to estimate Kerberos token sizes (via auditing). Still, organizations continue to search for tooling to help them easily determine Kerberos token sizes for all their users, and this problem continues to be unaddressed at so many organizations worldwide.




It's High Time

This issue's been around for over a decade now, and you'd think that by now most organizations would have it under control. After all, there are far greater cyber security challenges (that may very well be in their blind spot) as illustrated here that these organizations need to be addressing today. After all, it's 2016, not 2006.


Yet, we find that to this day, every week, IT personnel from so many prominent organizations in the world still continue to search for tooling that can help them estimate Kerberos Token Sizes for all their users. We're not about to disclose their names, but if you too knew, you'd possibly fall off your chair.



Click, Done. (Can we please move on now?)

In the interest of organizations worldwide that are potentially impacted by Kerberos Token Bloat, we'd like to humbly suggest that these organizations kindly address this issue once and for all, and then move beyond it, so that they can address issues that today pose a far greater cyber security threat to them, than the (relatively petty and puny) issue of Kerberos Token Bloat.


Incidentally, here are some terms that IT personnel from these organizations continue to extensively search for in their quest to address this problem - tokensz, Kerberos Token Size Tool, maxTokenSize, CheckMaxTokenSize, Get-TokenSizeReport, tokensz for another user, whoami for another user, TokenSize = 1200 + 40d + 8s, Warning events for large Kerberos tickets, etc.
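The formula in that search list, TokenSize = 1200 + 40d + 8s, is the one Microsoft published for estimating token size. As an added example (not the post's code and not any vendor's tool), here it is applied to transitively expanded group membership, classifying groups into the d and s terms and flagging accounts close to MaxTokenSize; it also shows how a deep chain of nested groups, of the kind the post warns about, inflates the estimate. The default MaxTokenSize values, the group catalog, the accounts and the memberships are constructed assumptions.

```python
"""Added example (not the post's code): estimate Kerberos token sizes from group
membership with Microsoft's published formula, TokenSize = 1200 + 40d + 8s, and
flag accounts approaching MaxTokenSize. All groups and memberships are constructed."""
from dataclasses import dataclass
from typing import Dict, Set

# Default MaxTokenSize: 12000 bytes up to Windows 7 / Server 2008 R2, raised to
# 48000 bytes from Windows 8 / Server 2012 onwards (assumed defaults; check your estate).
LEGACY_MAX_TOKEN_SIZE = 12000
MODERN_MAX_TOKEN_SIZE = 48000


@dataclass(frozen=True)
class Group:
    scope: str   # "global", "domainlocal" or "universal"
    domain: str  # domain the group is homed in


def transitive_groups(account: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Follow nested memberships: the token carries every group reached transitively."""
    seen: Set[str] = set()
    stack = [account]
    while stack:
        for group in membership.get(stack.pop(), set()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def estimate_token_size(account_domain: str, groups: Set[str],
                        catalog: Dict[str, Group], sid_history: int = 0) -> int:
    """d: domain local groups + universal groups outside the account domain + SIDHistory
    entries (40 bytes each); s: global groups + universal groups in the account domain
    (8 bytes each); 1200 bytes of fixed overhead."""
    d = sid_history
    s = 0
    for name in groups:
        g = catalog[name]
        if g.scope == "domainlocal" or (g.scope == "universal" and g.domain != account_domain):
            d += 1
        else:
            s += 1
    return 1200 + 40 * d + 8 * s


def token_report(accounts: Dict[str, str], membership: Dict[str, Set[str]],
                 catalog: Dict[str, Group], max_token_size: int = LEGACY_MAX_TOKEN_SIZE,
                 warn_at: float = 0.8) -> Dict[str, dict]:
    """Per account (name -> home domain): estimated size and whether it is at risk,
    i.e. at or above warn_at * MaxTokenSize."""
    report = {}
    for account, domain in accounts.items():
        size = estimate_token_size(domain, transitive_groups(account, membership), catalog)
        report[account] = {"size": size, "at_risk": size >= warn_at * max_token_size}
    return report


# Constructed directory: one user with ordinary nesting, plus a chain of 300 nested
# domain-local groups (each a member of the next), which one membership pulls in whole.
CATALOG = {
    "Sales-Global": Group("global", "corp"), "Finance-Global": Group("global", "corp"),
    "Execs-Global": Group("global", "corp"), "VPN-Users-DL": Group("domainlocal", "corp"),
    "Building-A-DL": Group("domainlocal", "corp"), "EMEA-Universal": Group("universal", "emea"),
}
MEMBERSHIP = {
    "snadella": {"Sales-Global", "Finance-Global", "VPN-Users-DL"},
    "Sales-Global": {"Execs-Global", "Building-A-DL"},
    "Execs-Global": {"EMEA-Universal"},
    "bloated": {"Chain-1"},
}
for i in range(1, 301):
    CATALOG[f"Chain-{i}"] = Group("domainlocal", "corp")
    if i < 300:
        MEMBERSHIP[f"Chain-{i}"] = {f"Chain-{i + 1}"}
ACCOUNTS = {"snadella": "corp", "bloated": "corp"}

if __name__ == "__main__":
    for account, row in token_report(ACCOUNTS, MEMBERSHIP, CATALOG).items():
        print(f"{account:10} {row['size']:6} bytes  at_risk={row['at_risk']}")
```

An account that is a member of all 300 chained domain-local groups estimates at 13200 bytes, over the 12000-byte default but not the 48000-byte one, which is why the same report should be run against the MaxTokenSize actually deployed.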

So that organizations need not waste anymore precious time trying to dabble with insufficient tooling, half-baked inaccurate solutions or unreliable amateur scripts, we built the world's only professional-grade Kerberos Token Size Tool for them -

Fully-automated, multiple-user Kerberos Token Size Calculator

In essence, with our tooling, if you know how to click a mouse button, you can now instantly and automatically determine the Kerberos token-size of every domain user account in your domain, within hours. By the way, that's only about 1% of what we do, and we only built this because we had a very prominent Swiss Bank request us to build this for them. (More on it here.)




An Associated Denial-of-Service Attack (Just Waiting to Happen)

For most organizations, the scenario of primary concern and the one they wish to address and avoid is one wherein a user ends up being a member of a large enough number of groups, and eventually is unable to logon.

Unfortunately, in most organizations, a malicious perpetrator could actually exploit this very issue to launch an organization-wide denial-of-service attack wherein come Monday morning 9:00 am, no one (including IT personnel) is able to logon, and you have a situation where business comes to a halt.

You can imagine the potential hourly cost to an organization when its business comes to a halt.


When 10,000 employees can't logon, every minute matters, and costs a lot.

So, just how easy is it for a skilled malicious perpetrator to launch a Kerberos Token Bloat based denial-of-service attack?

Turns out, it's not difficult at all.

To do so, all the malicious perpetrator would have to do is create a large enough number of security groups in Active Directory, make one a member of just one more group (about 1015 times), and then add a group like Domain Users to the last group (or say in a targeted attack, add a group such as "Executive Users".)

Hacker
Some might suggest that Active Directory quotas could help prevent this situation. To which, the response would simply be, that coupled with the ability to create just a few domain user accounts, even quotas could be easily bypassed.

Further, the malicious perpetrator need not even possess sufficient effective permissions in Active Directory to be able to create a large number of security groups; if he/she simply had sufficient effective permissions to be able to modify the membership of a sufficient number of existing domain security groups in Active Directory, he/she could use the power of scripting to accomplish the same objective within minutes.

It also pays to keep in mind that unlike ordinary users, a skilled malicious perpetrator would typically use automation (e.g. scripting) to accomplish his/her objectives, and thus could make his/her move very quickly. (A decently skilled perpetrator could accomplish this feat within a matter of minutes.)

Thus, at the very least, to mitigate the risk posed by a Kerberos Token Bloat based denial-of-service attack, today, all organizations operating on Active Directory should ideally, at a bare minimum, be able to answer the following questions -
1. Exactly who can create security groups in our Active Directory?
2. Exactly who can modify the membership of all existing security groups in our Active Directory?
3. Exactly who can create domain user accounts in our Active Directory?
4. Exactly who can modify the default quota settings in our Active Directory?

Incidentally, it used to be that you'd have to be an Active Directory rocket scientist to answer these fundamental questions. Thankfully, today, man has finally landed on this moon too, and such questions can now be answered at the touch of a button.

Today, ideally, every organization operating on Active Directory should, at a minimum, be able to answer each of the following elemental cyber security related privileged user access questions listed in this document.

Alright, time almost up so this will have to end soon.


In Summary

Kerberos Token Bloat is a decade-old issue that most organizations should already have dealt with. Unfortunately, to this day, thousands of prominent organizations worldwide continue to search for basic tooling in their attempts to deal with it.

I suggest they quickly identify at-risk accounts, take adequate mitigation measures, and, at a bare minimum, answer the 4 questions enumerated above, then swiftly shift and elevate their focus to substantially greater cyber security issues, the business impact of which is described here.

More on which in days to come.

Thanks,
Sanjay

PS: If you found this interesting, you might like reading this too - Our Trillion $ Insight on the OPM Breach

Thursday, June 23, 2016

The Need for a Trustworthy Free Active Directory Audit Tool

Folks,

Starting July 04, 2016, we're going to start addressing certain matters of cyber security that today have a global impact on the security of a majority of business and government organizations worldwide.


Until then, over the next few days, I just wanted to very briefly cover a few technical aspects.


Today, I wanted to briefly provide some clarity on the need for a trustworthy free Active Directory Audit Tool -


Now you might be wondering why a free Active Directory Audit Tool deserves any mention on a blog on cyber security.

There's a very good reason for that, as elucidated below.



Cyber Security 101

"Law #1 of the 10 Immutable Laws of Security states that if a bad guy can persuade you to run his program on your computer, it's not your computer anymore."

A corollary of this law is that if you yourself download and run a program possibly written by a bad guy on your computer, it may not be your computer anymore, and if you're a privileged user, your network may no longer be your network either.

To make a long story short, if a privileged user, such as an Active Directory Domain Admin were to download and run software from the Internet that happened to be malicious in nature, since that software would be running in Domain Admin context in that organization, it could cause substantial damage and result in a major cyber security breach.

In fact, depending on the expertise of the author of that malicious software, its execution could not only enable the perpetrator to exfiltrate large amounts of data, it could also possibly cause massive automated destruction of organizational IT assets.



A Worrisome Situation

For months now, our cyber intelligence has indicated that to this day thousands of IT personnel from thousands of organizations worldwide continue to search for a free Active Directory Audit Tool.


(It's worth pausing for a moment to) think about that!

A majority of these IT personnel are administrative personnel at prominent business and government organizations worldwide. They often serve in capacities such as System Admins, Domain Admins etc. and by virtue of their responsibilities typically possess vast and usually unrestricted privileged access in their foundational Active Directory deployments.




One. (Just One.)

Imagine an individual in such a capacity searching for and downloading a free tool from the Wild Wild Web, and then running it, even if once, to fulfill a need. In all likelihood, that tool will run in a privileged security context, typically Domain Admin or the like, because in essence, that individual will be logged in using their administrative account when running such a tool.

Now imagine a scenario wherein the tool that this individual downloaded and ran (even if only once) happened to be malicious in nature, written and uploaded by a malicious entity, such as a professional hacker or an Advanced Persistent Threat (APT).

You don't need a PhD in Cyber Security to conclude that in such a scenario, even if that administrative individual were to run such a tool just ONCE, it could result in a security compromise, and possibly grant the perpetrator a door into, and vast if not full control over, the organization's IT infrastructure.

In short, just one IT admin need download and execute just one malicious piece of software in their corporate environment just one time, and it's effectively GAME OVER.



They Know

In addition to various nefarious entities (e.g. professional hackers, organized crime syndicates, etc.) in the Western world, many others, including the Russians and Chinese, not only possess deep Windows and Active Directory technical expertise, they also know that many IT personnel actively seek and download a variety of free tooling, so it would not be unreasonable to assume that they could exploit this knowledge to their malicious gain.

I'll let you infer where I'm going with this; the astute mind should have no problem connecting the dots.



A Trustworthy Alternative

In light of the above, the fact that our cyber intelligence indicates that to this day thousands of IT personnel from thousands of organizations worldwide continue to search for a free Active Directory Audit Tool was quite unsettling and concerning.

Ideally, today no organization should allow the use of free tooling of any kind in their environments.


Ideally, the CISOs of all organizations should immediately establish and enforce a cyber security policy prohibiting the use of free tooling of any kind in their IT environments by all IT personnel, whether employees or contractors.

Unfortunately, our cyber intelligence indicates that even this basic cyber security 101 measure today largely remains just an ideal, and in most organizations worldwide, IT personnel still seek and rely on free tooling to fulfill various needs.

In other words, the reality on the ground is FAR from ideal.

In light of this reality, we felt that it was imperative to provide organizations worldwide a trustworthy alternative when it comes to free Active Directory audit tooling.


Thus, about two months ago we released a limited free version of our flagship Gold Finger Active Directory Audit Tool.

This limited free version shares the same code-base as our flagship Gold Finger Active Directory Audit Tool, which today is not only the Gold Standard for Active Directory Audit Tooling, but also the world's most trustworthy Active Directory Audit Tool, trusted by the world's most powerful business and government organizations and deployed on 6 continents worldwide.

It is my privilege to share with you that in less than 50 days of its release, our novel free Active Directory Audit Tool has been downloaded in 50+ countries worldwide and is being used by many of the world's top business and government organizations.



In Summary

If organizations must rely on free Active Directory Audit Tooling, it is our hope that at the very least they exercise sound judgment when choosing such tooling, because a poor choice could mean the difference between security and compromise.

As idealists, we hope that the day is not far off when no organization allows the use of free tooling of any kind in their environments. As you'll hopefully agree, in today's world, there is simply no reason to rely on free tooling of any sort.

Unfortunately, based on the reality on the ground, that day seems far away, so until such a day arrives, the least we can do is to raise awareness about the inherent dangers in using untrustworthy free tooling, and provide organizations with a trustworthy free option.

The details on our free tool are over at - http://www.active-directory-security.com/2016/06/free-active-directory-audit-tool.html


Alright, my time's up. Thanks, and stay tuned.

Best wishes,
Sanjay

Tuesday, June 21, 2016

LDP.exe

Folks,

Starting July 04, 2016, we're going to start addressing certain matters of cyber security that today have a global impact on the security of a majority of business and government organizations worldwide.


Until then, over the next few days, I just wanted to very briefly cover a few technical aspects.


Today, I wanted to briefly cover a relatively little-known free Microsoft Active Directory analysis tool known as LDP.exe -


LDP.exe is a free Microsoft utility that can help instantly obtain vast amounts of technical Active Directory configuration data.

Specifically, if you know what to look for and where to look for it, then LDP can help you find it within seconds. Of course, it also has substantial limitations, and that's where advanced tooling comes to the rescue, but there's still a lot of basic reconnaissance that a trusted insider or intruder could perform without detection using LDP.

So, why does a simple utility like LDP.exe deserve any real-estate on this blog?

Our online cyber security intelligence indicates that IT personnel from most of the organizations to whose Executive Leadership (Chief Executive Officers) we had sent The Paramount Brief a few weeks ago are today starting to search for LDP.exe.


Is this a coincidence? Most likely not.

In all likelihood, the right questions are finally being asked at the right levels, and as a consequence, the IT departments of these organizations are (finally) just starting to take a closer and deeper look at their foundational Active Directory deployments. (And it's high time they did.)

So, again, what does all this have to do with LDP.exe being covered on a blog focused on Cyber Security?

We anticipate that in months to come, 1000s of IT professionals and Cyber Security professionals from 1000s of organizations worldwide are going to be searching for LDP.exe, perhaps because that's possibly the (novice) advice they're likely getting from Microsoft, so they can start digging deeper into the current security state of their foundational Active Directory deployments.


We wanted to help them hit the ground running with LDP.exe, because if you know as much as we do about Active Directory security, you'll know that these organizations undeniably need to know the basic stuff, and more importantly a lot more, not just yesterday but in fact ten years ago. So we put together a quick primer on LDP for them; a link to it can be found below.

We also wanted to advise them NOT to download LDP.exe from any source except from Microsoft's official download point on Microsoft's website, to minimize the possibility of downloading a potentially malicious version of LDP.exe that may have been built and put up by an Advanced Persistent Threat (APT) for reasons you can infer. (To the astute mind: YES, sadly Microsoft has not digitally signed LDP, thus necessitating this advice.)
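The "Cyber Security 101" corollary in the earlier post (a privileged user running a downloaded program hands over the network) and the advice just above (get LDP.exe only from Microsoft, since it is not signed) both come down to one pre-run check. The following is an added PowerShell example, not code from the original posts or from Microsoft; it verifies the Authenticode signature, falls back to a SHA-256 hash the admin recorded from the official download page for unsigned tools, and reports whether the current session carries Domain Admins membership. The expected hash is a placeholder, as no hash for any tool appears on this page.

```powershell
# Added example, not code from the original post or from Microsoft: a pre-run check for a
# tool an admin has just downloaded. Verifies the Authenticode signature and, since some
# legitimate tools are unsigned (the post notes this for LDP.exe), falls back to a SHA-256
# hash the admin recorded from the vendor's official download page. It also reports whether
# the current session carries Domain Admins membership, the context Law #1 warns about.
# $ExpectedSha256 is a placeholder: no hash for any tool appears on this page.
function Test-DownloadedTool {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,   # recorded out-of-band from the official source (placeholder)
        [string]$TrustedSubjectPattern = 'CN=Microsoft Corporation, O=Microsoft Corporation,*'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # A Zone.Identifier alternate data stream with ZoneId=3 marks a file saved from the Internet zone
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match 'ZoneId=3')

    # 'Valid' means the signature verifies and the certificate chains to a trusted root;
    # the subject check then narrows it to the publisher you expected.
    $signedByTrusted = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like $TrustedSubjectPattern)
    $hashMatches     = [bool]$ExpectedSha256 -and ($hash -ieq $ExpectedSha256)

    # Domain Admins is RID 512 in every domain; its SID in the current token means the
    # tool would run with that authority.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $runningAsDA = [bool]($token.Groups | Where-Object { $_.Value -match '^S-1-5-21-.*-512$' })

    $verdict = if (-not ($signedByTrusted -or $hashMatches)) { 'DO NOT RUN: unverified' }
               elseif ($runningAsDA) { 'Verified, but run it from a non-privileged account' }
               else { 'Verified' }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Sha256          = $hash
        HashMatches     = $hashMatches
        FromInternet    = $fromInternet
        RunningAsDA     = $runningAsDA
        Verdict         = $verdict
    }
}

# Usage (placeholder hash and path):
# Test-DownloadedTool -Path 'C:\Tools\ldp.exe' -ExpectedSha256 '<hash recorded from the official source>'
```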

So here's everything you need to know to download and get started with LDP - LDP.exe for Active Directory - Official Download Source, Usage, Tutorial and Examples.

Stay tuned.

Best wishes,
Sanjay

Tuesday, May 31, 2016

Paramount Defenses to Donate Up To $50 Million in Microsoft Active Directory Audit Software

Folks,

Last month we announced our intention to donate up to $50 Million of our Microsoft Active Directory Audit Tool Software to non-profit and other organizations such as K-12, public universities, hospitals & government agencies in 100+ countries worldwide.

Today, I just wanted to take a few moments to share some relevant details concerning this announcement.


ACTIVE DIRECTORY ON-PREMISES

It is a well-known fact that Microsoft Active Directory On-Premises is the bedrock of organizational cyber security worldwide.


Specifically, over 85% of all business and government organizations worldwide operate on Microsoft Active Directory today.



ACTIVE DIRECTORY IN THE CLOUD

In addition, Microsoft’s recent foray into Cloud Computing and its introduction of Microsoft Azure Active Directory, its multi-tenant cloud based directory and identity management service, as well as Amazon now offering organizations the ability to run Active Directory as a managed service via Amazon Web Services (AWS) Cloud, will further increase the use of Active Directory.


As the world’s use of and reliance on Microsoft Active Directory increases, so does the need to obtain both basic as well as advanced cyber security insight (e.g. the ability to precisely audit privileged users in Active Directory) into Active Directory.




THE NEED FOR TRUSTWORTHY BASIC ACTIVE DIRECTORY CYBER SECURITY INSIGHT

All organizations that operate on Microsoft Active Directory, at a minimum, need to be able to perform basic Active Directory security audits, such as to be able to assess the state of all domain user accounts and security groups in Active Directory.
 
 
Over the years we have found that a large number of organizations have yet to fulfill even these basic needs, and every day IT personnel from across the world, including from many of the world's most prominent business and government organizations, continue to seek free tooling in their attempts to do so.
 
Unfortunately, the concern with most free tooling out there is that there is little to no assurance that it is trustworthy or reliable, and thus any reliance on it, and especially its use by privileged IT users, could seriously jeopardize organizational security.
 
For instance, one such example of a free but highly inaccurate Active Directory Audit Tool can be found here.
 
Similarly, a malicious entity such as a hacking group or an APT could make available a seemingly useful yet covertly malicious tool for free online, which, when downloaded and run by an unsuspecting user, could instantly grant them unauthorized privileged access in the organization's IT network.
 
 
Unfortunately, even though the use of potentially untrustworthy free tooling could substantially endanger organizational security, thousands of IT personnel continue to seek, download and use potentially untrustworthy free Active Directory audit software, thus exposing their organizations to risk. 
 
To help all organizations worldwide trustworthily fulfill their basic Active Directory security audit needs, we have decided to donate $50 Million worth of our entry-level Active Directory Security Audit Software to non-profit organizations, as well as make available a limited version of our trustworthy entry-level Gold Finger Active Directory Security Audit Tool, completely free.

Of course, we primarily help organizations fulfill their advanced Active Directory Audit needs, such as privileged access audit, attack surface reduction, insider threat protection and regulatory audit and compliance, so this is the least we can do for them.





DONATING UP TO $50 MILLION IN ACTIVE DIRECTORY AUDIT TOOLING

To help non-profit and other needy organizations worldwide, we have decided to donate up to $50 Million of our trustworthy Microsoft Active Directory Security Audit Tool Software, measured at fair market value, to non-profit and other organizations such as K-12 schools, public universities, hospitals and government agencies across over 100 countries worldwide.
 
 
The average donation should be in the vicinity of $10,000 per organization, and we intend to donate our software to approximately 5,000 organizations across 100+ countries. In effect, each such organization will receive an unlimited annual user license of our commercially licensable Active Directory Security Audit Tool, thus empowering all their IT personnel to be able to easily and trustworthily perform basic Active Directory Audits.





OUR FREE ACTIVE DIRECTORY AUDIT TOOL 

In addition to the donation of our entry-level Active Directory Security Audit software, we also made available a free version of the tool, so that all organizations worldwide can trustworthily fulfill their basic Active Directory security audit needs.
 
 
Our free Active Directory Audit Tool is a limited version of our licensable Active Directory Security Audit Tool. It lets IT personnel worldwide audit the basic security state of any Active Directory deployment in the world trustworthily and at a button's touch.
 
 
 
Our $50M donation represents a small fraction of the annual potential for our globally deployed Gold Finger product. As the world's top cyber security company, and possibly the world's most security conscious company, this is the least we can do.
 
Best wishes,
Sanjay

Wednesday, May 25, 2016

It's Time to Provide Thought Leadership to the Cyber Security Space

Folks,

Ten years ago, after doing my bit, I had moved on from Microsoft Corporation to help organizations worldwide adequately secure and defend the very foundation of their cyber security and their very lifeline, their foundational Active Directory.


Given my years at MSFT, I had a lot to share with the world back then as well, but as someone once said, mere talk is cheap.



So I silently went to work for an entire decade (2006 - 2016) to address arguably the world's biggest cyber security challenge.


Ten years later, not only have we uniquely addressed it for the entire world, we've made it as easy as touching one button.



Today, my work speaks for itself, and it uniquely helps secure and defend the world's most powerful organizations worldwide.


Today, what we do at Paramount Defenses is imperative for and mission-critical to the cyber security of Microsoft's ecosystem.



We have much to say, and now that it's no longer mere talk, we're going to talk a little.


Starting July 04, 2016, it's time to provide thought leadership to the Cyber Security space.


Best wishes,
Sanjay


PS: Between now and July 04, 2016, I'll also cover a few low-key items on this blog because they need to be addressed.