Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including the World's Top Cyber Security Risk, Advanced Persistent Threats (APT), Cyber Warfare, Corporate Espionage, Insider Threats and other topics.


Friday, October 21, 2016

Defending Active Directory Against CyberAttacks


One week ago I announced that I would be respectfully taking Microsoft to Active Directory Security School. I also posed a Trillion $ question to Microsoft. As promised, today, in this post, I will do so. Sometimes less is more, so today I'll keep it short.

It is my privilege to share with you a presentation on Active Directory Security that I built for Microsoft and the world -

Defending Active Directory Against Active Directory Attacks

Here is a snapshot of a few sections from this 90+ slide deck -

Active Directory Security Presentation

I suggest that Microsoft and organizations worldwide go through this deck and absorb it like a sponge absorbs water, because in this deck lies the key to organizational cyber security worldwide and the answer to the Trillion $ question I posed to Microsoft.

If you find yourself wondering "What's the big deal?", please go through the entire deck, then consider the following:

Here are the top 3 sources of guidance from Microsoft on the paramount subject of Active Directory Security -
1. Microsoft's original 100+ page official Best Practice Guide for Securing Active Directory (Part I) and Part II
2. Microsoft's latest official Best Practices for Securing Active Directory guidance, introduced by Microsoft's CISO
3. Microsoft's latest 5+ hour series of 12+ videos on Defending Active Directory Against Cyber Attacks

If you can find even one mention of the Trillion $ phrase "Effective Permissions" in any of the above, let me know.

We've found that, due to a decade-long lack of guidance from Microsoft on the most important technical aspect of Active Directory Security, i.e. "Effective Permissions", 99% of the 1000s of IT personnel (Domain Admins, IT Auditors, IT Managers, CISOs etc.) from 1000s of organizations that have knocked at our doors do not even know what "Effective Permissions" are!

I'll let the $500 Billion Microsoft, and organizations worldwide, reflect on and absorb a) this fact, b) these questions and c) this deck, for a week, then continue sharing thoughts starting Nov 01, both on this blog and at -

Best wishes,

Wednesday, October 19, 2016

10 Essential Cyber Security Questions for All Organizations Worldwide


Today, I'd like to share 10 elemental, essential and in fact paramount cyber security questions that every organization in the world should have answers to. They are directly related to the Trillion $ question I posed to Microsoft earlier this week.

(Quick Note: As I indicated last week, sometime this week, I will be respectfully taking Microsoft to Active Directory Security School. This post is not the one that takes them to school. Along the lines of yesterday's Trillion $ Q post, this post also helps set the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and will be out this week.)

Here they are -
1. Exactly who has the Get Replication Changes All extended right effectively granted in the domain root's ACL?

2. Exactly who can change the security permissions in the ACL on the domain root object?

3. Exactly who can reset the password* of all default and custom administrative (privileged) user accounts?

4. Exactly who can modify the membership of all default and custom administrative (privileged) security groups?

5. Exactly who can manage the contents of the Systems container and the Configuration and Schema partitions?

6. Exactly who can change the security permissions in the ACL of the AdminSDHolder object?

7. Exactly who can modify the default Domain Controllers Policy or link a GPO to the Domain Controllers OU?

8. Exactly who can establish and/or manage cross forest trusts, or trusts to external domains?

9. Exactly who can reset the password* of all executive accounts (e.g. Chairman, CEO, CIO, CFO, CISO etc.)?

10. Exactly who can create, control (i.e. manage and/or delegate management of) and delete vital Active Directory content, such as all (valuable) domain user and computer accounts, security groups, organizational units etc.?

* If Smart cards are in use, exactly who can disable the use of Smart cards on these domain user accounts?

Not only are these 10 elemental cyber security questions directly related to Active Directory security, they directly impact and are imperative to foundational cyber security of 1000s of business and government organizations in 150+ countries worldwide.

They are imperative to foundational cyber security because anyone who can enact these tasks could instantly gain command and control over the entire organization's security. For details, after Nov 01, please visit -

Incidentally, to be able to answer each of these 10 elemental and essential cyber security 101 questions, organizations require the ability to perform just one technical process. So, here's another trillion $ question - What is that one process?

The answer to this trillion $ question is coming soon, right here on this blog, later this week. (Stay tuned.)

Oh, and if any cyber security company on the planet (including but not limited to Microsoft, Amazon, IBM, Google, Cisco, EMC, Dell, HP, CA, Centrify, Palo Alto Networks, FireEye, CyberArk, BeyondTrust, Lieberman Software, Check Point Software, root9b, Palantir Technologies, Kaspersky Labs, Tripwire, EY, PwC, DarkTrace, Lockheed Martin, BAE Systems, Tanium, BAH etc. etc.) has a clue as to the answer AND can help the world accurately answer these 10 basic and essential questions, I'd like to know.

Organizations that do NOT have answers to these basic 10 cyber security 101 questions CANNOT be considered secure today.

Best wishes,

Monday, October 17, 2016

A Simple Trillion $ Cyber Security Question for Microsoft (MSFT) regarding Defending Active Directory Against Cyberattacks


Ask any good security practitioner or hacker and they'll tell you that security is in the details, so this is a slightly detailed post. This blog post is also worth a proverbial Trillion $, so if you're into cyber security, you'll want to read it in its entirety.

First things first - As I indicated last week, sometime this week, I will be respectfully and publicly taking Microsoft to Active Directory Security School. This post is not the one that takes them to school; this post is merely a curtain raiser and sets the stage for that post. That post will be titled "Defending Active Directory Against Cyberattacks", and it will be sometime this week.

Today I respectfully pose a simple trillion $ cyber security question to Microsoft regarding the contents of the following video that Microsoft released in May 2016 -

(If the embedded video does not play here, you can see it on Microsoft's website.)

First, the context -
  • In May 2016, i.e. within 2 months of this, and for the first time in the 16 years that Active Directory has been around, Microsoft developed and released a 7-part series of 12 videos titled "Defending Active Directory against Cyberattacks". The entire series can be found here. They even made a promo for it, which can be found here.

Next, the summary of the video above titled "Defending the Directory", quoted verbatim -
  • "Do you know who your admins are? Learn why maintaining solid access control to sensitive directory objects is important for mitigating stealthy means of persistence and escalation of privilege."

Then, a few quick thoughts -
  • I'd like to publicly commend Microsoft for producing this video series on Active Directory Security. It was high time that Microsoft voiced and stressed the importance and urgency of defending Active Directory deployments.
  • I strongly encourage IT personnel at all organizations to watch the above video. It is a 29 minute video, but it's worth your time, because it concerns a lesser known but highly potent attack vector that most organizations are likely not aware of, wherein the attack surface is the size of the Atlantic Ocean, and one that could easily grant an intruder or an insider complete command and control of the organization's foundational Active Directory in minutes.

Finally, before I pose the question, for those who may not have the time to view it, some important quotes from this video -
  1. "The first thing I want to discuss is admins that are a little bit less obvious, or you don't realize they're admins"
  2. "Lots of customers I work with are laser focused on Domain Admins, Enterprise Admins, Builtin Admins and Schema Admins, and they think that if I know who is a member in any one of those groups, I know who my admins are, which isn't always necessarily the case, because with the way that Active Directory works, you can delegate access to different objects through access control lists"
  3. "If I had permissions to say link a GPO to the Domain Controllers OU, then I could use that to go from what appears to be an unprivileged account to having full control over Active Directory"
  4. "I am able to do this (i.e. use Mimikatz DCSync to replicate everyone's hashes from Active Directory) using a plain domain user account because this account has been delegated some rights at the Domain level"
  5. "A lot of organizations have been using Active Directory since it was released back in 2000, and then they went to 2003 and then 2008 and now they're on 2012, and over that time period they've probably had a lot of turnover in the organization, so the guy that setup AD 10 years ago isn't with the company anymore, and the guy that's doing this now is inheriting a mess potentially from several previous administrators, and people could have delegated this for what they thought was a legitimate reason, and it leaves another attack vector that is less obvious."
  6. "Absolutely everything inside of Active Directory is an object, protected by ACLs and these things (ACLs) can be manipulated in a great number of ways depending on what permissions you have there"
  7. "You can be an admin through (deeply) nested groups. I have seen that quite a bit. It can get pretty messy. That is why you want to keep a clean directory."
  8. "Contest your delegates. Challenge them. Go and find out who has been delegated what privileges"
  9. "Somebody, either possibly legitimately, or illegitimately, was granted rights that gave them a lot of power. They could grab the hash of any account, and become that account, simply by having been delegated the Get Replication Changes All rights on that object"
  10. "If I have write member permissions on a group, I can add myself to this group, and since this group via group nesting is a member of the Domain Admins group, I could easily and instantly escalate my privilege to that of a Domain Admin"
  11. "So effectively that is a means of escalation!"
  12. "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" (See corrections below.)
  13. "We're getting pretty deep into the inner workings of Active Directory, but based on what you showed us in the demo, it's super important. It is, it is VERY IMPORTANT because these are all different ways that I could use to escalate privilege, and they're not obvious because it's controlled by the access control lists (ACLs)!"
  14. "We are working to identify which ACLs in Active Directory can lead to command and control of Active Directory"

Oh, and a few relevant (i.e. not all) corrections -
  • "If a group or account has been granted change password on an account, and that account is privileged, I can change the password on that account, and now I own it!" is technically incorrect. It should have been "If a group or account has been granted RESET password on an account, and that account is privileged, I can RESET the password on that account, and now I own it!" It is incorrect because in order to change a user's password, you need to know his/her existing password. Details here or here.
  • "You can use the Get-ACL cmdlet in PowerShell with Active Directory and you can view who has the rights on the object that I am looking at, what rights they have." Who has what rights/permissions granted in the ACL of an Active Directory object is NOT the same as who actually has what rights in Active Directory! There's a world of a difference.
  • "If I have that permission, I can link that GPO" should be "If I effectively have that permission, then I can link that GPO." Having the permission listed in the ACL is by no means sufficient. Similarly, simply viewing the ACL to see who has Get Replication Changes All is neither sufficient nor the accurate way to find out who can actually replicate secrets from Active Directory. (You need to know who effectively has that permission granted.) More on that later this week.

The Trillion $ Question

Finally, the Trillion $ Question is -

  • The Context

    Microsoft, it's 2016 and you're (only) a $500 Billion company today because virtually the entire world is your customer. Today, across your global organizational customer base, from the Fortune 1000 to entire federal, state and local governments, there exist billions of Active Directory security permissions (aka access privileges) protecting hundreds of millions of Active Directory objects across thousands of Active Directory deployments worldwide.

    It's 2016, and so it is 16 years after Active Directory shipped (and, interestingly and coincidentally, just 2 months after we, Paramount Defenses, declassified the Paramount Brief) that you're just now and finally stressing the paramount importance of Active Directory Security to your customers, and you finally and rightly tell the world (and I quote from the video above titled "Defending the Directory") - "Go and find out who has been delegated what privileges" because "everything in Active Directory is an object" "protected by access control lists" and "this is very, very important" BUT when you do so, you completely forget to tell them the one most important technical fact about how to correctly assess who has actually been delegated what privileges in Active Directory, i.e. the one technical fact that governs the actual resulting access and delegations in Active Directory.

    This, even though it was right in front of the presenter's eyes during one of the methods demonstrated in the video!

    (By the way, in the video, the methods demonstrated by the presenter on how to assess these rights/permissions and delegations are substantially inadequate and incorrect. However, the presenter is not to blame because he is merely presenting what has consistently been (inaccurate) official guidance from Microsoft in its whitepapers etc.)

    The Question

    In light of the context above, my simple question to you is - Can you please tell the world WHAT is the one cardinal (paramount) technical fact that governs the determination of who can actually do what in Active Directory?

    By the way, HOW in the world could you forget to cover it, when you know that in all likelihood, millions of IT folks from 1000s of organizations across 150+ countries worldwide are going to view these videos and based on the guidance presented, enact measures to enhance the foundational cyber security of their organizations?!

Make no mistake about it. In the answer to this question lies the key to organizational cyber security globally. It's that simple.

Here's why - If organizations do not swiftly and correctly identify and eliminate the ocean of unauthorized access privileges that exists in their Active Directory deployments today, it is only a matter of time before intruders or insiders exploit this ocean of vulnerabilities to obtain complete command and control over foundational Active Directory deployments worldwide.

Oh, and, by the way, no cyber security company on the planet (neither the McAfees nor the CyberArks of the world, neither the FireEyes nor the CrowdStrikes of the world, neither the Centrifys nor the BeyondTrusts of the world) seems to have a clue as to the answer, or for that matter seems to know how to help organizations correctly identify the ocean of unauthorized access privileges that exist in 1000s of Active Directory deployments worldwide, just waiting to be found and exploited.

Substantiating the Trillion $

In case you're wondering why I say it's a Trillion $ cyber security question, that's because if you were to add up the market cap of the 20,000+ organizations across 150+ countries, not to mention or include the 1000s of local, state and federal/national governments at whose very foundation lies Microsoft Active Directory, you'll find the sum will handily be in the trillions of $.

Also, in case you find yourself wondering as to how this 1 simple question could possibly impact organizational cyber security globally, for now just consider the colossal impact of even a single (i.e. just one) successful execution of mimikatz DCSync in an organization's network, i.e. the colossal damage a proficient adversary could subsequently, swiftly inflict - it'd be Game Over.

Oh, and by the way, mimikatz DCSync is just the Tip of the Iceberg. (More (i.e. an ocean to be precise) on that later this week.)

Looking Forward to an Answer

So, to my incredibly talented, hard-working and respected colleagues and friends at Microsoft, I (and the world) look forward to your answer. Also, in case you don't really like that this question is being asked publicly, my sincerest apologies. It is 2016 after all, not 2006, and as you too likely know 100% of all major recent cyber security breaches (e.g. Snowden (at NSA), Target, JP Morgan, Sony, Anthem, OPM) have involved the compromise and misuse of just one Active Directory privileged user account.

If for any reason, you can't answer this question, no worries, I'll answer it for you, later this week, right here on this blog.

Best wishes,

PS: This blog is read by 1000s of prominent folks (CEOs, CIOs, CISOs, IT Directors, Domain Admins, Security Analysts and Pen Testers at Fortune 100 and 1000 companies, institutional and individual shareholders, cyber security personnel and leadership at 3-letter government agencies worldwide, nation states (e.g. UK, the EU, Australia, Russia, China etc.) and it being a public blog, unfortunately even folks on the dark side) from 150+ countries worldwide. In other words, everyone's tuned in.

Friday, October 14, 2016

Time to Respectfully Take Microsoft to Active Directory Security School


My apologies for the month-long absence. About a month ago, something was brought to my attention and it made me realize that in the interest of the foundational organizational cyber security of organizations worldwide, we need to help Microsoft better understand Active Directory Security. I've thus been at work building something, and I think it's time we share it with the world.

So, in the coming week, i.e. sometime between Monday, Oct 17, 2016 and Friday, Oct 21, 2016, I will be most respectfully and publicly taking Microsoft to Active Directory Security school, right here on this cyber blog, in a blog post befittingly titled "Defending Active Directory against Cyberattacks".

Please know that it is only in the interest of organizational cyber security worldwide that we'll be doing so publicly i.e. so that 20,000+ organizations across 150+ countries worldwide can also instantly have access to valuable, effective and immediately actionable Active Directory security insight and guidance, which is the need of the proverbial hour.

Please also know that as a deeply passionate ex-Microsoftie, I have great respect for Microsoft, and in fact have spent the last 15 years working to help make 1000s of Microsoft's customers across the world more secure, so it is only in Microsoft's best interest and in the best interest of 1000s of the world's biggest organizations that today operate on Microsoft Active Directory, that I have decided to do so.

If you're familiar with my background and some of my previous blog entries, then you'll want to tune in right here on Monday morning.

Best wishes,

PS: October 21, 2016 update - Here's the post Defending Active Directory Against CyberAttacks

Thursday, August 4, 2016

Satya Nadella on the Most Valuable Thing in Life


After a few days of sharing thoughts on heavy stuff, such as this, this and this, I thought it might be nice to take a break and talk about lighter things too. Today's post is about a headline I came across this morning that made me wonder why it's a headline.

That interesting headline "Microsoft CEO Satya Nadella talks about the most valuable thing in life" can be found here.

He was talking about Time.

Aha! I could see how it could make a headline in a world where most business leaders are focused on valuing and pursuing the creation of Wealth, even if for their shareholders. In fairness to them, it's what their jobs require & what they're incentivized for.


Unfortunately, sometimes when you're at the helm of gigantic financial ships that are headed full-steam in the pursuit of Wealth, you can often end up not having enough Time. Perhaps that's when you realize that Time may be the most valuable thing in life.

Satya, Time is actually the 2nd most valuable thing in life. The 1st one's a little deeper; perhaps I'll tell you about it someday.

You were close though. Well said!


PS: As someone who profoundly values time, I've spent a decade solving arguably one of the biggest cyber security challenges facing the world & Microsoft today. Interestingly, Microsoft may not yet realize the magnitude of this problem. They may, in time.

PS2: Well said, Satya - keep up the good work! BTW, if I may offer some unsolicited advice - "It's always better for a company to give the world (i.e. their customers) what they (the customers) want, or at least a choice, in contrast to (border-line) imposing a paradigm shift on them just because it might be better for its own bottom-line. And while it's great to focus on the promise of Cloud Computing, it might also be worth letting them know about the risks (for your customers that is) associated with it."

Monday, August 1, 2016

How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync


I'm going to keep this post short, because some brilliant folks feel that my blog posts are longer than their source code.

This is Very Important

On a (very) serious note, today, thanks to the DCSync feature of Mimikatz, the creation of the brilliant Mr. Benjamin Delpy, we have a situation wherein organizational security worldwide boils down to this - if you assume a breached network, then your foundational Active Directory is only as secure as the number of individuals that have the Get Replication Changes All extended right effectively granted in the access control list (ACL) that protects the domain's root object.

A perpetrator using Mimikatz DCSync feature to obtain the credentials of all domain accounts in Active Directory
Here's why - if the perpetrator can compromise the account of even a single user who has the Get Replication Changes All extended right effectively granted on the domain root, he/she could log in using that account, request and obtain secrets from Active Directory, and use Mimikatz to in effect determine the credentials of the entirety of your user populace, within minutes!

This is Preventable - Deny them the Access they Need

As serious as this is, it is easily preventable. You can deny perpetrators the access they need to leverage the DCSync feature.

Thus, in your own best interest, you'll want to immediately minimize (i.e. reduce down to a bare absolute minimum) the number of users who effectively have this right granted, and from that point on not only afford those accounts the highest protection, but also verify and ensure that at all times (365-24-7), not a single individual more than is absolutely required to have this extended right, has this extended right effectively granted to him/her.

The only ability you need to deny perpetrators the access they need to use the DCSync feature of Mimikatz is the ability to accurately determine effective permissions in Active Directory, so that you can accurately assess, audit and verify exactly who has the Get Replication Changes All extended right effectively granted on the domain root object at all times.

Here's how you can lockdown Active Directory in 5 simple steps, to deny perpetrators the opportunity they need to leverage the DCSync feature of Mimikatz -
1. Identify all users who currently have the Get Replication Changes All extended right granted today on the domain root by determining effective permissions on the domain root.
2. Analyze this list of users to identify all users who should not be on this list.
3. For every user that should not be on this list, identify how he/she is being entitled to this effective permission.
4. For each such user, based on the above identification, proceed to lockdown the identified security permissions, such as by restricting access or modifying a group membership etc.
5. Finally, determine effective permissions on the domain root object again to verify the lockdown, and ensure that only authorized individuals effectively possess this right.

Using these steps, organizations worldwide can quickly lockdown Active Directory to deny perpetrators the opportunity required to leverage the DCSync Feature of Mimikatz to engage in domain-wide credential theft, thus thwarting its use.
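As an added example (not the blog's tool, not a script from this blog, and not Microsoft's API), the Python model below walks the five steps above over a constructed domain and also illustrates the Get-ACL correction made in the October 17 post: the trustees named in an ACL are not the same set as the principals who effectively hold a right. The model keeps the parts of Windows access evaluation that matter for that point, namely canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), transitive (nested) group membership, deny entries, and a full-control entry that implies every extended right. All users, groups, ACL entries and the stale delegation are constructed; the one real identifier is the rightsGuid of the DS-Replication-Get-Changes-All control access right, which this blog calls the Get Replication Changes All extended right.

```python
from collections import deque
from dataclasses import dataclass

# Real rightsGuid of the DS-Replication-Get-Changes-All control access right
# (the "Get Replication Changes All" extended right DCSync needs on the domain root).
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
FULL_CONTROL = "GENERIC_ALL"  # simplified stand-in for a full-control ACE


@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group the ACE names
    access: str             # "allow" or "deny"
    right: str              # extended-right GUID, or FULL_CONTROL
    inherited: bool = False


def member_of(principal, membership):
    """Every group `principal` belongs to, directly or through nesting,
    mapped to the chain principal -> ... -> group (cycle safe)."""
    chains = {principal: [principal]}
    queue = deque([principal])
    while queue:
        name = queue.popleft()
        for group in membership.get(name, ()):
            if group not in chains:
                chains[group] = chains[name] + [group]
                queue.append(group)
    return chains


def canonical(acl):
    """Windows evaluation order: explicit deny, explicit allow, inherited deny,
    inherited allow (sort is stable, so ACL order is kept within each class)."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda a: rank[(a.inherited, a.access)])


def effective(principal, right, acl, membership):
    """Return (granted, how). The first ACE in canonical order that names the
    principal or one of its groups and covers `right` decides; `how` is
    (that ACE, the membership chain that made it apply), or None."""
    chains = member_of(principal, membership)
    for ace in canonical(acl):
        if ace.trustee in chains and ace.right in (right, FULL_CONTROL):
            return ace.access == "allow", (ace, chains[ace.trustee])
    return False, None


def who_has(right, users, acl, membership):
    """Steps 1 and 3: every user who effectively holds `right`, and how."""
    result = {}
    for user in users:
        granted, how = effective(user, right, acl, membership)
        if granted:
            result[user] = how
    return result


def listed_in_acl(right, acl):
    """What an ACL viewer such as Get-ACL shows: trustees named for the right."""
    return {a.trustee for a in acl if a.right in (right, FULL_CONTROL)}


def lockdown(user, right, acl, membership):
    """Step 4: cut the grant at its source. For a group chain, drop the last
    nesting link (member -> group); for a direct grant, drop the ACE itself.
    Returns revised copies so step 5 can re-run who_has() to verify."""
    granted, how = effective(user, right, acl, membership)
    if not granted:
        return acl, membership
    ace, chain = how
    acl = [a for a in acl if a != ace] if len(chain) == 1 else list(acl)
    membership = {k: list(v) for k, v in membership.items()}
    if len(chain) > 1:
        membership[chain[-2]].remove(chain[-1])
    return acl, membership


# --- constructed sample domain (not real data) ---
USERS = ["alice", "bob", "carol", "dave", "svc-legacy"]
MEMBERSHIP = {                                   # member -> groups
    "alice": ["Domain Admins"],
    "bob": ["Helpdesk-Tier2"],
    "Helpdesk-Tier2": ["AD-Maintenance"],       # forgotten nested delegation
    "carol": ["Contractors"],
}
DOMAIN_ROOT_ACL = [
    Ace("Domain Admins", "allow", GET_CHANGES_ALL),
    Ace("AD-Maintenance", "allow", GET_CHANGES_ALL),  # stale delegation
    Ace("carol", "allow", GET_CHANGES_ALL),           # listed, but see next line
    Ace("Contractors", "deny", GET_CHANGES_ALL),      # explicit deny wins for carol
    Ace("svc-legacy", "allow", FULL_CONTROL),         # full control implies the right
]

if __name__ == "__main__":
    print("named in ACL:", sorted(listed_in_acl(GET_CHANGES_ALL, DOMAIN_ROOT_ACL)))
    for user, (ace, chain) in who_has(GET_CHANGES_ALL, USERS, DOMAIN_ROOT_ACL, MEMBERSHIP).items():
        print(f"effective: {user} via {' -> '.join(chain)} ({ace.trustee} {ace.access})")
    acl2, mem2 = lockdown("bob", GET_CHANGES_ALL, DOMAIN_ROOT_ACL, MEMBERSHIP)
    print("after lockdown:", sorted(who_has(GET_CHANGES_ALL, USERS, acl2, mem2)))
```

Run as-is, the ACL view names carol (who effectively has nothing, because an explicit deny on her group is evaluated first) and never names bob (who effectively holds the right through two levels of nesting); only the effective-permission pass lists alice, bob and svc-legacy, each with the chain that explains how. Cutting the stale nesting link for bob and re-running the pass is the verification in step 5. A real evaluation also has to account for inheritance from parent objects, owner rights and object-type-specific ACEs, which this model leaves out.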

Required Tooling

In order to enact the 5 steps outlined above, you can use any Active Directory effective permissions tool that can help you -
1. Accurately determine effective permissions in Active Directory
2. Identify all users that have a specific effective permission granted on an Active Directory object
3. Identify how a specific user has a specific effective permission granted on that Active Directory object

Here's why - Accuracy is essential. We need to identify all such users, and we need to know how to lock down their access.

One tool that I know of that meets these criteria is this one. I know so because I architected it. In fact, so many of the world's top business and government organizations worldwide use it to audit privileged access in Active Directory. However, I do NOT want my advice to sound biased so you do NOT have to take my word. Please feel free to do your own research. I will only say this much, and you can validate it yourself - stay away from this tool and scripts on TechNet, as they are dangerously inaccurate.

In the interest of fairness and objectivity, I will repeat this again - you can use any Active Directory effective permissions tool you want that can help you fulfill the above 3 essential needs. I've also provided the reasons as to why these 3 needs are essential.


It is critical to ensure that only the absolutely minimum possible number (0/1) of users have this right effectively granted to them.

If even one additional user is effectively granted this critical right, and the perpetrators can identify them and compromise their account(s) (credentials), then they will simply be minutes away from being able to steal the credentials of every user in the Active Directory domain, including all privileged users such as all Domain Admins, Enterprise Admins, Built-in Admins etc.

So, in a way, today, the security of an entire Active Directory domain (and thus forest) depends on exactly who effectively has sufficient enough rights to be able to replicate secrets out of Active Directory!

In other words, to put it simply, if this security grant is not fully locked down at all times, it could be Game Over very quickly.

Finally, to demonstrate just how deeply we care about cyber security globally, any* organization that wishes to find out exactly how many individuals effectively have this right granted today, can now do so completely free (i.e. via the free Try Now option.)

Complete Details

I wanted to keep this post short, but perhaps you want more details. Complete details, including an example/illustration of the 5 steps provided above, as well as the deficiencies in Microsoft's Effective Permissions Tab, and other relevant details, can be found on my second blog, in the post -
How to Prevent a Perpetrator from Using Mimikatz DCSync feature to perform Credential Theft from Active Directory

In your own organization's best interest, it is imperative to understand just how important this is to Active Directory security.

Best wishes,

PS: Ideally, I could have conveyed this in one sentence - "Simply minimize the number of individuals who effectively possess the Get Replication Changes All extended right on the domain root. Done!" The keyword here is "effectively", i.e. "effective permissions".

PS2: By the way, detection (see PS3 of this post) isn't sufficient, because by the time you detect and respond to an intruder replicating secrets out, it will have been too late because they will already have been replicated out. As such, when you can easily prevent something bad from happening, why merely rely on being able to detect it, especially when this is so critical?
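To make the point in PS2 concrete, here is an added detection example (not code from this blog, and not Microsoft ATA) that flags the audit trail a replication request leaves: when the domain root's SACL audits Directory Service Access, a domain controller writes Security event 4662 with Access Mask 0x100 (a control access right exercised) and the rightsGuid of the replication right in its Properties field. The records below are constructed, simplified key=value renderings of that event rather than real Windows log text, and the allow-list of domain controller accounts is an assumption; the two rightsGuids are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values. Every record the check flags describes a replication that has already completed, which is exactly why the author's prevention-first argument stands.

```python
import re

# Real rightsGuids of the two replication control access rights a DCSync
# request exercises on the domain root.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100  # Access Mask bit set when an extended right is exercised

# Assumed allow-list: the only principals that legitimately replicate are the
# domain controllers' own computer accounts (constructed names).
KNOWN_DCS = {"CORP\\DC01$", "CORP\\DC02$"}

# Constructed, simplified key=value renderings of Security event 4662
# ("An operation was performed on an object"); only fields the check uses.
SAMPLE_EVENTS = [
    "EventID=4662 Computer=DC01 Subject=CORP\\DC02$ ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Computer=DC01 Subject=CORP\\bob ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # unrelated write on a user object; the property GUID here is constructed
    "EventID=4662 Computer=DC01 Subject=CORP\\alice ObjectType=user AccessMask=0x20 "
    "Properties={11111111-2222-3333-4444-555555555555}",
    "EventID=4624 Computer=DC01 Subject=CORP\\alice LogonType=3",
    "EventID=4662 Computer=DC01 Subject=CORP\\svc-legacy ObjectType=domainDNS AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)


def parse(line):
    """Split one rendered record into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def is_replication(event):
    """True when a principal outside KNOWN_DCS exercised a replication
    control right on the domain root (object type domainDNS)."""
    if event.get("EventID") != "4662" or event.get("ObjectType") != "domainDNS":
        return False
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return False
    rights = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return bool(rights & REPLICATION_RIGHTS) and event.get("Subject") not in KNOWN_DCS


def detect(lines):
    """Subject accounts flagged, in log order."""
    return [e["Subject"] for e in map(parse, lines) if is_replication(e)]


if __name__ == "__main__":
    for subject in detect(SAMPLE_EVENTS):
        print(f"replication of the domain by non-DC principal: {subject}")
```

On the sample records the check flags bob and svc-legacy and ignores the DC02$ replication, alice's unrelated write and the logon event. Two caveats belong with this: no 4662 is written at all unless directory service access auditing is enabled and the domain root's SACL covers the right, and a real DC may log the property GUIDs with different casing or ordering, which is why the comparison lower-cases them and treats them as a set.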

PS3: By the way, where is Microsoft when it comes to providing some thought-leadership, as well as real-world advice and help on such critical cyber security issues? Also, what if solutions to such fundamental cyber security challenges didn't exist today?

Wednesday, July 27, 2016

A Simple $100B Active Directory Security Question for Alex Simons at Microsoft

Dear Mr. Simons,

I believe you are the Active Directory Czar at Microsoft these days, so I have a simple but very important question for you.

Incidentally, do you know who came up with that ludicrous title, Czar? (By the way, that's not the question I wanted to ask.)

The Question -

With the introduction of the DCSync feature in Mimikatz, the security of an entire Active Directory deployment boils down to this:
Anyone who effectively has the Get Replication Changes All extended right granted to them in the access control list (ACL) protecting the domain root object can now easily compromise the credentials of all Active Directory domain accounts, including those of all Active Directory privileged user accounts!
Although by default only administrative personnel have this right effectively granted, since most Active Directory deployments have been around for many years, in almost all of them the ACL protecting the domain root may have been modified several times, and as a consequence the default access may have changed substantially, resulting in a situation wherein no one may really know exactly who effectively has the Get Replication Changes All extended right granted today.

Thus today it is imperative and in fact paramount for every organization in the world to know exactly who effectively has the Get Replication Changes All extended right granted in the ACL of their domain root object, and how they have it. (The need to know how is essential for being able to lock-down access for all those who currently have this critical access, but should not have it.)

So the simple $100B question is -
"Precisely what does Microsoft recommend that customers do to make this paramount determination in their foundational Active Directory deployments?" i.e. how do they find out exactly who effectively has the Get Replication Changes All extended right granted in the ACL of their domain root object, and how they have it?

Microsoft may or may not realize this but thanks to the technical brilliance of a certain Mr. Benjamin Delpy, this is the 2nd most important Active Directory Security question facing organizations worldwide today. (In a few days, I'll let you know the 1st one.)

I (and the world) look forward to your answer. (We hope you have one.)

Most respectfully,

PS 1: I imagine it shouldn't be too hard for the $450 Billion Microsoft to answer this simple question.

PS 2: Here's some Q&A that I can envisage happening, between Microsoft and its customers -
Answer: We recommend that organizations use the Effective Permissions Tab provided in our native Active Directory management tools, or our acldiag tool, to find out exactly who effectively has this right granted.

Follow-up Question (from customers): Thank you. We tried that recommendation. These tools don't seem to be very accurate, and it appears they can only determine effective permissions one user at a time. We have 1000s of users in our Active Directory. Do you expect our IT personnel to enter 1000s of names one-by-one manually?!
Answer: <Silence>

Follow-up Question 2 (from customers) a few weeks later: We (somehow) were able to figure out the identities of everyone who has this right effectively granted in the ACL of the domain root object. It's a long list, i.e. much longer than it should be. We need to lock it down. Can you recommend how we could go about locking it down?
Answer: We recommend that organizations determine how these individuals have this right effectively granted to them, then use that information to tweak the underlying security permissions or modify involved security groups.

Follow-up Question 2 (from customers): Okay, but how do we determine how these individuals have this right effectively granted to them?
Answer: <Silence>

PS 3: I sincerely hope your answer isn't one of the following (and here is why, given that there is an easy answer to this question) -
Poor Answer 1: "We recommend that our customers use Microsoft ATA to monitor such activity."
Reason: Microsoft ATA is basically a detection measure. In the list of protection measures, detection comes third. The first is prevention, the second is avoidance. By suggesting detection, you're conceding that you don't have the ability to provide the first two measures. And the world expects better than that from a $450 Billion company.

Poor Answer 2: "We encourage our customers to transition to Microsoft Azure."
Reason: It seems like Microsoft will do almost anything (including conceding defeat) to get their customers on its Cloud. I hope you realize that the degree to which you can help protect customers that are not in the Cloud, and the thought leadership (or lack thereof) Microsoft may have displayed thus far in cyber security, are a few factors that organizations consider when deciding on whether or not to bet (the security of) their business on your Cloud.
(Besides, thousands of organizations still run Active Directory on-premises and may not want to get on the Cloud. As such, billions have been spent worldwide integrating so many applications with Active Directory and its ACLs.)

PS 4: If you're wondering who I am, just ask Microsoft's top cyber security brass. (I'm a former blue-badger who cares deeply about the foundational cyber security of Microsoft's ecosystem.) If you're wondering why I am asking this question publicly, it's because it's 2016, not 2006, and we the world simply cannot afford to not have adequate solutions to address such fundamental cyber security challenges. Today foundational cyber security is a matter of paramount defenses. Before you respond, kindly also do consider a what-if scenario wherein such critical cyber security challenges, and the threats they pose, would still exist, but adequate solutions to address them did not. (Fortunately, they do exist today, and they are paramount to global security.)

Tuesday, July 26, 2016

The Importance of Active Directory Security: It Impacts Global Security


Today, as the very foundation of identity, security and access management at 90% of business and government organizations worldwide, Microsoft Active Directory is the very foundation of cyber security worldwide. Today, it helps protect Trillions.

To understand how this relates to all of us, perhaps it may help to internalize that at the very foundation of cyber security of virtually every organization that directly impacts billions of people worldwide, from our employers to our financial institutions, from the companies we invest in to our governments, from our educational institutions to our hospitals, from companies that build and sell all that the world needs to companies that provide the world's utilities (energy, transportation, security etc.) lies Microsoft Active Directory.

The security of Active Directory deployments worldwide is thus critical to global security and a matter of paramount defenses.

Unfortunately, the executive and IT leadership of most organizations do not seem to clearly understand this profound fact yet, so a few weeks ago we directly brought this fact to the attention of the executive leaders of the world's Top-100 companies. In weeks to follow, we learnt just how little organizations worldwide know about the top cyber security risks to Active Directory.

It appears that in part, at the root of global lack of gravitas on this most important subject, and the lack of adequate awareness, guidance and solutions on/for Active Directory security, may lie the lack of gravitas of one particular organization, so, starting tomorrow, July 27, 2016, and in days to follow, we will ask a few questions and share a few insights right here on this blog.

Best wishes,

PS: I'll ask a $100B question tomorrow. Technically, given the above, it could be a Trillion $ question, but we'll leave it at 100B.

Monday, July 25, 2016

Clarity and Closure (re comments on Twitter)


I'll keep this short. There were some interesting comments on Twitter, which are worthy of a (befitting) response, so here goes -

A. In response to - "If you really don't understand the purpose of mimikatz DCSync, don't write angry posts insulting the author."

Oh, I understand the purpose of ALL of mimikatz's features, not just DCSync, so don't assume that I don't. In fact, you'll want to tune in shortly (12 - 36 hours) for more on that feature, because I think the world needs some help dealing with it.

Most importantly, no one's angry and no one's insulting its author. In fact, I've not only praised him for his work, but referred to him as Sir. I doubt anyone else ex-Microsoft may have referred to him as Sir. I've also unequivocally stated - "You've already proven how incredibly smart you are, and made a big (enough) difference, so thank you also for helping make Windows more secure for the world."

Finally, perhaps you didn't read the whole thing. I ended with - "Sir, for your valued contributions to the field of cyber security, you have my respect, and that of the world."

I just wanted to make a simple point, which was that when it comes to Active Directory Security, in a hardened environment, of which I had given a concrete example, wherein an intruder couldn't likely get to being a Domain Admin (or equivalent) using mimikatz, simply by being able to accurately and quickly determine effective permissions in the ocean of ACLs within Active Directory, he/she (in the same hardened environment) could find 1000s of privilege escalation paths leading to virtually any IT resource. It was as simple as that! You may not get it now, but you eventually will.

B. In response to - "All his criticism of mimikatz could be directed right back at him."

Like I said, I didn't criticize mimikatz. I think mimikatz has done a lot to improve Windows Security for the world, and for that the world should be thankful to Mr. Delpy.

Further, the illustrative examples that we have provided are of how an intruder/perpetrator could exploit pervasive excessive access in Active Directory to compromise virtually any IT resource of choice that is directly or indirectly protected by Active Directory, i.e. any domain user account, any domain computer account (and thus any domain-joined computer), any IT resources that are stored on domain-joined computers, any domain security group, as well as any IT resource protected by domain security groups. In other words, just about everything there is to protect in a Windows Server environment powered by Active Directory.

C. In response to - "His first attack is: an admin account that can create domain user accounts and gain "Authenticated Users" access. Uh ...ok"

Hey, when you're teaching someone how to do something difficult, you start with the easiest possible lesson. By the way, just to be clear, it's not an attack, it's "impact of compromise", which can be found here. You shared the first (simplest) one, but didn't care to mention the 9 others that followed?

For example, you didn't share the last one - "Impact of compromise of any account that can modify the security permissions on the AdminSDHolder object." Uh ...why?! Its impact is GAME OVER!

By the way, more on this below, in response to your follow-up comment.

D. In response to - "Its hard for me to imagine any plausible scenario where they wouldn't already have that access. And so it goes on."

Aha! Have you considered a scenario wherein access to a honey-pot server was being audited to lure and catch a perpetrator?

In such a scenario, assuming they suspected that John Doe's account had been compromised, if you were simply to use John Doe's account to access that honey-pot server, you'd show up on their radar immediately, and likely have someone knocking at your door very quickly. However, if you could create another account, say Jane Doe, then you could access the same server but the likelihood of your access being red-flagged would be much lower. That's just one scenario.

Here's another scenario. A disgruntled local IT admin would like to perform a network-wide scan to enumerate the list of all files and folders across the network. However he/she doesn't want to show up doing so on any radar. If he/she could create another identity (i.e. another domain user account), then he/she could perform the same scan using an alternate identity, which, even if it showed up on a radar and was investigated, couldn't be traced back to him. That's another. (I could give you many more.)

So, just because something is hard for you to imagine, doesn't mean you slight it. Perhaps someone with a little more experience may have given it a little more thought prior to putting it out there.

E. Finally, (and this is my favorite one, so thank you for this) in response to - "I've been reading the whole site. Its just like he just discovered AD ACLs and now that is the "only thing in the world"

Actually I discovered AD ACLs in the year 2001. Perhaps you may have been in high-school then. I also wrote Microsoft's 400-page bible on the subject back in 2003, but nonetheless allow me to substantiate a trillion $ point -

An Active Directory ACL

You may not realize it yet, but although AD ACLs are not the "only thing in the world", they are very close to being the "most important thing in the cyber security world."

Since I'm not sure if you'll "get that", allow me to substantiate it for you with some concrete examples -
1. Let's start with something right up your alley. With mimikatz DCSync, you could compromise an entire organization within minutes. However, if you merely tightened a single AD ACL, you could render the DCSync feature completely useless, thus eliminating a critical attack-vector to the security of that organization.
2. If you could change the ACL on the AdminSDHolder object, you could instantly control every single administrative account and group in Active Directory.
3. If you could change a single ACL in the Configuration Partition, and knew what to change, you could disrupt the very operation of Active Directory, and possibly render it inoperable.
4. If you could change the ACL protecting the Domain Controllers OU, you could take over any Domain Controller within minutes.
5. If you could change the ACL protecting the domain root, it would be game over in 5 minutes.
6. If you could change the ACL protecting a security group that is being used to protect 1000s of IT resources, you could instantly and legitimately obtain access to the entirety of these resources.

I could go on and on, but hopefully you're smart enough to get the drift. Literally everything in an Active Directory deployment, from all Domain Controllers to all privileged access accounts, and from all employee accounts to all domain-joined hosts, is ultimately protected by an Active Directory ACL.

The world of AD ACLs, and the ability to precisely assess effective permissions on them, is at least as important as, and likely far more important than, the world of machine-based credential theft of accounts that happen to log on to an 0wned machine.

By the way, it is not the ACLs in themselves that matter; it is the vast universe of unauthorized effective access that they end up granting to individuals that matters, and if you possess the ability to correctly determine effective access (effective permissions) based on these ACLs, you'll find 1000s of privilege escalation paths leading to just about everything within minutes in almost any Active Directory deployment in the world.

Now, as your acquaintance Sean Metcalf says, let's begin by assuming breach. Well, if you begin there, and you can do what I just shared with you above, you can likely own the kingdom within minutes, without having to compromise a single credential (hash/ticket).

Good night,

PS: I've said what I had to. In general, before you question what I'm saying, please consider where I came from. No more time to waste on this stuff. There's far more important stuff to talk about, right here on this blog, in the next few days.

Friday, July 22, 2016

Clarity for Self-Proclaimed Cyber Security Experts who Chirp on Twitter


When someone doesn't know or understand something, often their first reaction is to make fun of it. Sadly, these days, to their own detriment, they do so publicly on social media. Little do they realize that everything they utter can be seen by the whole world, and by sharing their ignorance on social media with the world, they show the whole world how little they actually know.

For example, consider this individual. Perhaps he knows just enough English to see our homepage, but not to be able to go beyond it, to say this one, or this one, so he publicly and slightingly wonders who we are and asks if anyone's heard of us. I wonder if it might have ever occurred to this individual that perhaps our low-profile until now, may have been by intent. For this individual, and anyone else on Twitter etc., if you want to know who we are, please call Scott Charney at Microsoft.

One of Many Examples

Or for example, this individual, who said regarding Active Directory Privilege Escalation - "That's it? Make sure your delegation is tight big deal."
Wow. Great advice! Since you make it sound so simple, now why don't you (i.e. this individual) also tell them (i.e. the world) HOW to do so, i.e. how to tighten their delegation(s) in Active Directory domains easily comprising 1000s of objects?!

You see, this individual likely has no idea HOW to actually do so. If he did, he'd know just how extremely difficult it is to do so, and I doubt he would've said - "no big deal!" In fact, I wonder if he even knows that because it is so difficult to do so, hardly any organization in the world (including his past employers, or Microsoft for that matter) may have ever actually accurately done it?

So let me give him, his friends, and the whole world a hint - the very first thing you need to do to tighten your delegation(s) is to assess your current delegations across Active Directory, and to do so you need to be able to determine effective privileged access across the entire Active Directory domain, i.e. on thousands of objects in Active Directory, accurately.

Even the $450 Billion Microsoft Corporation may not know how to do this. But for this individual, it's "no big deal."

If he knew this, I'm not sure he might have publicly said - "no big deal!"

In fact, if he, or anyone in the world, can accurately determine effective permissions / effective access across an Active Directory domain, please go ahead, show us and the entire world how you would do so. Please. Be my guest. I insist!

Unequivocal Clarity

For anyone on Twitter who wishes to slight us without substance, let's just make this really simple for you once and for all.

Please know that if you slight us, and there's no substance to it, we too MAY share your ignorance with the WHOLE world.

By the way, if you haven't heard about us yet, it's only because for the longest time, we kept a low profile. Please know that in the last 10 years, 10,000+ organizations from 150+ countries have knocked at our doors, unsolicited, and know who we are. Today our reach is global, and in minutes, we too can have 1000s of folks across 150+ countries learn about your ignorance.

So, to the 1% who may do so, if there's no substance, please don't embarrass yourself by making childish comments. (It's a free world and you're welcome to, but know that the whole world's watching, and they'll know just how much (or little) you know.)

Talk is cheap, actions are not.

Best wishes,

PS: It would be refreshing to actually see someone say something intelligent on the subject. Unfortunately, I've only heard noise. No matter how much, noise is just noise. My time is valuable so I'll tune back in when I've heard something intelligent. Perhaps it's time to stop talking for a bit and start reading.

Friday, July 15, 2016

A Letter to Benjamin Delpy regarding Mimikatz & Active Directory Security

Dear Mr. Delpy,

Hello. I hope this finds you doing well. Although we don't personally know each other, I've heard about your work, and the impact it's had on improvements in Windows Security, so thank you for your contributions to the field of Windows Security.

To begin with, I'd like to apologize for not having been able to tune into the incredible circus caused by your interesting hobbies over these past few years sooner :-), as I was away, silently working on the world's most powerful cyber security weapon ...

Gold Finger 007G
... you know, one that can be used to go from breach to 0wned (AD) in about 5 minutes in any Active Directory deployment in the world, even and particularly in environments (such as the one described below) wherein an intruder couldn't accomplish much with Mimikatz. We've built it for the good guys though, so that they can prevent such scenarios from occurring.

By the way, like you, I too am a programmer. I personally wrote about 10% of the code for all of Gold Finger and 007G.
(The rest of it was written and tested by a team of < ~ 50 software dev and QA engineers, all of whom are ex-Microsoft.)

However, given its sheer power, I'm not too big a fan of releasing our work in the wild, because I believe in an old saying - "Along with great power, comes great responsibility." (As for this, it is merely temporary and controlled.)

(Oh I digress. I have a bad habit of digressing often, so my apologies. End of digression.)

I did however briefly hear about Microsoft scrambling to try and save its face by buying a little start-up whose founder (and you too might find this funny) not too long ago, one day, sat thinking for two hours about how to build an attack path, and then realized that everyone has access to Active Directory! (Hilarious! - that video's here (2:10 onwards.))

Oh, by the way, I forgot to introduce myself. I'm the one who did a risk assessment of Microsoft Corporation's global Active Directory more than a decade ago and showed them...

 ...well, I'm not about to reveal what I showed them. They know it, and that's all that matters.

Oh, I'm also the one who amongst other things, wrote Microsoft's 400-page whitepaper on how to delegate privileged access in Active Directory, only about 10 years before the world had heard of Mimikatz or an Aorato.

Speaking of privileged access in Active Directory, as you probably know, that cool little recent DCSync feature of yours would be rendered completely USELESS if the perpetrator didn't have sufficient rights to replicate secrets out of Active Directory.

Replicating Directory Changes All Extended Right on Domain root in Active Directory

And while that feature may wow some, to us it very simply boils down to this - if you already possess sufficient privilege to be able to replicate secrets out of Active Directory, you're already virtually God in that environment anyway. But thank you nonetheless for showing the world just how easy it can be. (Actually, it's not all that easy either, so I respect your work.)

Interesting side note question - Do you think anyone in the world knows exactly who effectively has the Get Replication Changes All extended right granted in any production Active Directory environment wherein the domain root ACL has been changed even once? (I don't think so.)

Oh, and by the way, as you may well know, you can't generate a Kerberos Golden Ticket without having the NTLM hash for the krbtgt account, and if you don't have the Get-Replication-Changes-All extended right to request secrets from a DC, you can't have that hash until you can log on as an Admin on a Domain Controller, BUT, if you can log in as an Admin on a Domain Controller, buddy, it's ALREADY GAME OVER RIGHT THERE!

So, why bother going a step or five forward (LSASS dump, hash extraction etc.), when it's already game over! Just use the task scheduler to launch a cmd prompt as System, and you're playing God in no time ;-)

I mean, seriously, if you're telling me that it's that easy for a perpetrator to be able to log on as Admin on a Domain Controller at hundreds or thousands of organizations worldwide, then I must say, the $400+ Billion Microsoft hasn't done enough to educate its customers about the importance of protecting its Domain Controllers, and probably ought to spend a petty $100 million to do so right away (because if that's that easy, forget ATA, nothing's going to be able to protect these organizations from getting 0wned in minutes.)

[Again, a (not so) small digression...

Active Directory / Cyber Security 101 for the World

If your Domain Controller has been compromised, you're DONE. Period.

Domain Controllers in a Data Center

From the AD Admin to the CEO, it's time to pack up, go home, and find another job, because believe you me, until you completely re-build the forest from scratch, he who knows what to do will have you for ETERNITY without needing any ticket, let alone a Golden Ticket, at all! (To those who would like to see a demo of this, please let us know.)

Let me repeat that. If an unauthorized individual can login to a Domain Controller as Admin, you are done! D-O-N-E! 

Only ignorant organizations will continue to operate that Active Directory forest, because you'd be operating on a compromised foundation, and if you do, those who truly understand Active Directory security, will know (and could divulge) everything there is to know about you, tamper with anything, destroy anything at will etc. etc. And yes, even Microsoft's latest toy won't be able to stop them.

... end of digression.]

Mr. Delpy, if you'll allow me, I'd like to most respectfully paint a very simple picture for you, one wherein one could possibly grow old and maybe even have grand-children, and yet not succeed with Mimikatz. For brevity, I'll keep it simple.

Consider a forest with one or more domains wherein -
1. Domain Controllers: All physically secured in data-centers, requiring triple-factor authentication to physically access. Interactive logon denied to everyone except an empty AD security group. Of course, fully patched (so no low-hanging fruit etc.), plus all default User Rights and Privilege assignments severely locked-down. Soldered USB drives and keyboards i.e. no chance of applying a keystroke logger or USB-anything. No 3rd party software of any kind on these machines. Etc. etc.
2. Get Replication Changes All Extended Right: Only granted to Domain Controllers.
3. Domain Admins: None. All responsibilities for Active Directory service and data management (i.e. account and group management) natively delegated in Active Directory. In fact, the Domain Admins group SID has been removed from across Active Directory by a simple execution of a baby of a tool called dsrevoke.
4. Active Directory Admins and Designated Workstations: Less than 5 AD admins, each one with alt accounts, and separate workstations for every day use and admin use. Admin use workstations are as secure as the DCs, and interactive and network logons only allowed to the designated admin. Soldered USB drives and keyboards i.e. no chance of applying a keystroke logger or USB-anything. No 3rd party software of any kind on these machines. Minimum 25-character passwords, changed frequently, never written or stored anywhere.
5. Active Directory Backups: Stored encrypted in a physical bank vault, physical access to which requires the CISO to escort you to them. Only the CISO can get into bank vault.
6. An Educated Active Directory Admin Team: These aren't your ordinary admins. They know NEVER to log on to any system they do not OWN and CONTROL. They're also bound by a simple policy - you log on to any other system and you will be instantly terminated. Besides, Group Policy prevents them from logging on anywhere else.
7. Zero Services Using Domain Admin Creds: Not a single service in the enterprise uses Domain Admin creds, because if you know how to do security, you know that nothing strictly requires running as Domain Admin.
8. No DCs in the Cloud: Yes, you heard it right. I don't care how iron-clad the SLA is, we're not putting a single DC in the cloud with any provider yet. Not just yet. (More on that in days to come.)
9. Microsoft ATA: Microsoft ATA is NOT deployed just yet, because if you think about it, it's still just some rudimentary technology acquired from a start-up, and rolled out in just months. I'm not sure how robust and reliable its code and its approach are when it comes to protecting multi-$ Billion companies.

I could go on and on, but you get the drift. (BTW, if you want to make it harder, throw in 2-factor authentication, at least for all admin accounts at a minimum, and a bunch of other latest Band-aids, none of which can stop a knowledgeable perpetrator.)

In such an environment, you might be able to compromise a domain-joined machine, but you're likely not going to get anywhere close to getting Domain Admin type credentials, because a Domain Admin type account will NEVER logon to a system 0wned by an intruder, and the intruder will almost NEVER be able to logon to an admin workstation or on to a DC as admin. Period.

In such a situation, I doubt an intruder's going to have a field day harvesting or reusing credentials to gain administrative access to Active Directory. In all likelihood, he/she'd sit and wait, and wait and wait, and wait, and grow old, and still not get anywhere.

Disgruntled intruder not getting any success with Mimikatz :-(

Hmm. Not a fun day with Mimikatz anymore, is it :-( 

NOW, I'll be the first to admit that the environment described above is a rarity, but not an impossibility by any stretch. In fact, in time, the world will get there, and we already are there. For instance, our Active Directory environment is only about 50 times tighter than I have described above, so at least one such environment exists, and we operate it most easily. But in reality (and 8,000+ organizations from 160+ countries have knocked at our doors, completely unsolicited of course, so we know) we know just how bad the situation is out there.

End of digression. Back on track...

Hmm. I wonder if there might be a way for an intruder to compromise a relatively more secure Active Directory environment, specifically, such as the one described above? Well, it doesn't seem very likely, at least not using credential theft based attack vectors, since no Active Directory admins seem to want to give the bad guys even a chance at getting them.


But wait, if this is all about Active Directory Security, then it doesn't take a brilliant mind to figure out the following - hey let me actually look INTO Active Directory, and I mean it literally! Look INTO it! -

Inside Active Directory

Wow, now that I'm looking in, it is an ocean in there!

And since we're talking about security here, perhaps its worth looking at something called an Access Control List (ACL), you know, that little thing that protects each object in Active Directory, including every administrative account, administrative group, domain user account, domain computer account (and of course the domain controller's domain computer account), the domain root, AdminSDHolder, the System Container, the entire Configuration container, the Schema container, every GPO, etc. etc.-

Active Directory ACL on some random user, say Alex Simon's domain user account.

Hmm. I wonder why nobody has looked INTO the Active Directory that much? And by that, I don't mean looking at basic kid-stuff enumeration of accounts, groups, GPOs, DCs etc. I mean looking a little deeper, and a little more intelligently.

You know, like trying to figure out who can actually reset a Domain Admin account's password, or who can change the Domain Admins group membership, or perhaps who can change the ACL on the AdminSDHolder object, and so on, and/or ...

... speaking of, say, Mimikatz, you know, who can modify the ACL protecting the Domain root to grant someone or themselves the Get Replication Changes All extended right so they could replicate secrets (password hashes) out from Active Directory, or say, grant themselves Full Control over the entire Active Directory domain. (You see, intelligent and (very) powerful stuff.)

[Quick Digression -
Now, a novice might say - "You don't need an effective permissions tool to assess REPL perms on NC." Well, if no one has ever changed the ACL on the NC head, and you're just dealing with default permissions, then it's his lucky day and a simple group enumeration should do it, BUT, if the permissions on the NC head have changed even once, and there's even ONE deny permission there (e.g. Deny All extended rights to Group X), well, then tough luck, because if you really want an accurate picture, you're going to have to determine effective permissions on the NC head ;-)
End of Digression]
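The question raised above (who effectively has the Get Replication Changes All extended right on the domain root, and how they have it) and this digression's point about deny permissions can be made concrete with a small model of the Windows access check. This is an added example, not code from this blog, from Microsoft, or from any tool the post mentions: the principals, group nesting and domain-root ACL are constructed, and only the two extended-right GUIDs are the published schema values.

```python
"""Effective-permission check for one AD extended right over a constructed DACL.

Constructed example, not the blog's or Microsoft's code. It models the part of the
Windows access check behind "who effectively holds Replicating Directory Changes All
on the domain root, and how": the caller's token is its SID plus every group it is
in, transitively; ACEs are evaluated in canonical order (explicit deny, explicit
allow, inherited deny, inherited allow) and the first ACE naming a token SID and
covering the requested right decides (deny refuses outright, allow grants); an ACE
with no object type ("All extended rights") covers every extended right.
Not modeled: owner-implied rights, well-known SIDs, inherit-only/container flags.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Schema GUIDs of the replication control-access rights (real published values).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

@dataclass(frozen=True)
class Ace:
    kind: str                   # "allow" or "deny"
    trustee: str                # principal the ACE names (a name stands in for a SID)
    object_type: Optional[str]  # extended-right GUID, or None for "All extended rights"
    inherited: bool = False     # True when inherited from a parent object

def build_token(principal, member_of):
    """Return {sid: chain} for the principal and every group it is in, transitively.
    The chain (e.g. bob -> Backup-Ops -> Legacy-Sync-Svc) is the "how they have it"."""
    token = {principal: [principal]}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        for group in member_of.get(current, ()):
            if group not in token:
                token[group] = token[current] + [group]
                queue.append(group)
    return token

def canonical(dacl):
    # Windows evaluates the stored order; the ACL editor stores canonical order,
    # which this sort reproduces: explicit before inherited, deny before allow.
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.kind == "allow"))

def effective_right(principal, right, dacl, member_of):
    """Return (granted, reason): does principal effectively hold right, and via what?"""
    token = build_token(principal, member_of)
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue                                # ACE does not name this caller
        if ace.object_type not in (None, right):
            continue                                # ACE covers a different right
        via = " -> ".join(token[ace.trustee])
        scope = "all extended rights" if ace.object_type is None else "this right"
        source = "inherited" if ace.inherited else "explicit"
        if ace.kind == "deny":
            return False, f"{source} deny ({scope}) on {ace.trustee} via {via}"
        return True, f"{source} allow ({scope}) on {ace.trustee} via {via}"
    return False, "no matching ACE (implicit deny)"

def who_effectively_has(right, dacl, member_of, principals):
    """Audit: each principal that effectively holds right, with the path granting it."""
    result = {}
    for principal in principals:
        granted, reason = effective_right(principal, right, dacl, member_of)
        if granted:
            result[principal] = reason
    return result

def naive_listing(right, dacl, member_of, principals):
    """What "list the allow ACEs and expand their groups" reports. It ignores deny
    ACEs, so it over-reports as soon as a single deny is present."""
    allowed = {a.trustee for a in dacl if a.kind == "allow" and a.object_type in (None, right)}
    return {p for p in principals if allowed & set(build_token(p, member_of))}

# Constructed sample directory (invented names, not real SIDs): principal -> direct groups.
MEMBER_OF = {
    "alice": {"Helpdesk-Tier1"},
    "bob": {"Backup-Ops"},
    "carol": {"Helpdesk-Tier1", "Backup-Ops"},
    "dave": {"Domain Users"},
    "dc01$": {"Domain Controllers"},
    "Helpdesk-Tier1": {"Domain Users"},
    "Backup-Ops": {"Legacy-Sync-Svc"},   # nested: Backup-Ops is a member of Legacy-Sync-Svc
}
PRINCIPALS = ["alice", "bob", "carol", "dave", "dc01$"]

# Constructed domain-root DACL after years of edits: the default DC grants survive, a
# forgotten "All extended rights" allow for a service group remains, and a deny was added.
DOMAIN_ROOT_DACL = [
    Ace("deny", "Helpdesk-Tier1", None),
    Ace("allow", "Domain Controllers", DS_REPL_GET_CHANGES),
    Ace("allow", "Domain Controllers", DS_REPL_GET_CHANGES_ALL),
    Ace("allow", "Legacy-Sync-Svc", None),
]

if __name__ == "__main__":
    holders = who_effectively_has(DS_REPL_GET_CHANGES_ALL, DOMAIN_ROOT_DACL, MEMBER_OF, PRINCIPALS)
    print(holders)
    print("over-reported:", naive_listing(DS_REPL_GET_CHANGES_ALL, DOMAIN_ROOT_DACL, MEMBER_OF, PRINCIPALS) - set(holders))
```

With this data, bob holds the right only through the nested Backup-Ops membership in the forgotten service group, while carol is reported by plain group enumeration but is in fact refused by the deny ACE.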

Hmm. I wonder. Let me see. Well, to begin with, what could I figure out by looking into these ACLs?

Not much, other than exactly who has the keys to every door in the kingdom, and the Keys to the Kingdom of course!

Hmm. Wonder how I do it? Yes, I know! I could use a tool like dsacls from Microsoft or I could pick up several amateur scripts from TechNet which claim to help find out who has what permissions -


But wait, I see all kinds of permissions :-( Allow permissions, Deny permissions, Explicit permissions, Inherited permissions, over a dozen basic permissions, five dozen plus special permissions (Extended rights), Validated writes, permissions with IO flags, etc. etc.

Whoa! Where do I even begin?

And does "who has what permissions" even equal "who actually has what permissions"?

Well, maybe I should read Microsoft's bible on all this Active Directory permissions stuff, and perhaps in a year or so, get my head around all this, and could possibly get somewhere. Perhaps, that's when I'll realize that what matters is who has what effective permissions, not who has what permissions!

Oh wait, yes, I've seen an Effective Permissions Tab in Active Directory Users and Computers, but I never did give it much thought! Hmm, it's one out of four tabs in there, so it must be important -

Why don't I just use that to figure out who can do what within the Active Directory?

Sure, go ahead ... consider an environment consisting of thousands of users and you'll know why it is virtually useless.

Oh, and if you come across this, RUN, because it's dangerously inaccurate. The same is true for the advice on TechNet forums.

Well, perhaps, if I had something like this, I could actually answer that question accurately and quickly -

Then ask yourself a simple question - what if I wanted to find out who can create a user account in Active Directory? Hmm - would I even know where to begin? Hey, this Active Directory has 100s of OUs, 100s of containers, etc. etc. - how many objects am I going to have to analyze effective access on to answer this one simple question? It'll be 100s if not 1000s.
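To make the difference between "who has permissions" and "who effectively has permissions" concrete, here is an added example (my own illustration, not a tool from the post or from any vendor) that models how Windows resolves a DACL: ACEs are evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), a matching deny ends the check, and object-type-specific ACEs only apply to the class in question. The OU DACL, the group names and the "computer-class-guid" placeholder are constructed; real AccessCheck also handles owner rights, inherit-only flags, property sets and validated writes, which this simplified model omits.

```python
# Added example: a simplified model of Windows DACL evaluation for Active Directory objects.
from dataclasses import dataclass
from typing import Optional

USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the AD "user" class

@dataclass
class ACE:
    kind: str                          # "allow" or "deny"
    trustee: str                       # user or group the ACE applies to
    rights: frozenset                  # e.g. {"CreateChild"}, {"ExtendedRight"}
    inherited: bool = False            # explicit ACEs outrank inherited ones
    object_type: Optional[str] = None  # None = applies to every object/child class

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "allow"))

def effective(dacl, principal, groups, wanted, object_type=None):
    """True if `principal` (a member of `groups`) effectively holds all `wanted` rights."""
    token = {principal, *groups}
    remaining = set(wanted)
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue                        # ACE is for someone else
        if ace.object_type not in (None, object_type):
            continue                        # ACE is scoped to a different class
        if ace.kind == "deny" and ace.rights & remaining:
            return False                    # a matching deny ends the check immediately
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return False                            # never granted means implicitly denied

def who_can_create_users(dacl, membership):
    """Audit helper: principals that can effectively create child objects of class user."""
    return sorted(p for p, g in membership.items()
                  if effective(dacl, p, g, {"CreateChild"}, USER_CLASS))

# Constructed sample OU DACL: Helpdesk gets CreateChild(user) by inheritance, but an
# explicit deny for "Contractors" was added later; Ops may only create computers.
OU_DACL = [
    ACE("allow", "Domain Admins", frozenset({"CreateChild", "DeleteChild"})),
    ACE("allow", "Helpdesk", frozenset({"CreateChild"}), inherited=True, object_type=USER_CLASS),
    ACE("deny", "Contractors", frozenset({"CreateChild"})),
    ACE("allow", "Ops", frozenset({"CreateChild"}), object_type="computer-class-guid"),
]
MEMBERSHIP = {"alice": {"Domain Admins"}, "bob": {"Helpdesk"},
              "carol": {"Helpdesk", "Contractors"}, "dave": {"Ops"}}
```

Carol "has" CreateChild through Helpdesk yet effectively cannot create users, and Dave's allow never applies to the user class; a plain ACL listing would show both as having the permission.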

Again, you could try for a year, or be done in seconds ...

An Effective Privileged Access Audit in Active Directory

But you should absolutely try it yourself first, so you can get a sense of just how monumentally difficult it is to do so. I insist!

Years may go by, but you'll eventually gain the knowledge to comprehend the profoundness of this, this, this and this.

When you're there, please let me know, because then you too will have learnt how the (really) smart guys find ways to the Keys to the Kingdom, or to any door they want into, in minutes, without having to wait for someone to logon to a machine you 0wn!

When you get there, please let me know...


... I'm already there.

Until then, I wish you well, and hope you continue to enjoy hashes and tickets! Oh, and if the intriguing world of Active Directory Security (which literally lies within every Active Directory) has piqued your curiosity, here's some recommended 101 reading.

Personally though, as a fellow programmer who too has spent 1000s of hours on an ocean of technical detail that most would never get into, my humble unsolicited advice to you would be to also enjoy life because there's a lot more to it than just work. You've already proven how incredibly smart you are, and made a big (enough) difference, so thank you also for helping make Windows more secure for the world.

Sir, for your valued contributions to the field of cyber security, you have my respect, and that of the world.

I most sincerely wish you well.

Thank you.

Best wishes,
ST aka TS.

PS: Some RESPECK for you in a simple ($100B) question posed to Alex Simons at Microsoft -

PS2: For those who may be new to the subject, and may wish to share your thoughts on Twitter-

PS3: For those who may not yet understand the depth of what I just shared above, you may want to take a shot at answering any 1 of the 10 simple questions concerning Active Directory Security that I've posed to Sean Metcalf and Microsoft -

PS4: Closure and Clarity.