Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


September 13, 2013

The World's #1 Cyber Security Risk - Active Directory Privilege Escalation

Folks,

The #1 cyber security risk to organizations worldwide i.e. one that today critically impacts 1000s of business and government organizations in almost every country, is Active Directory Privilege Escalation (downloadable Executive Summary below), as evidenced here.


It is SO powerful that one who knows how to exploit it can, with the help of appropriate tooling, use it to instantly take over virtually any Microsoft Windows Server based IT infrastructure in the world.

With sufficient effort, it can also be used to develop an exploit that can then be packaged into a malicious payload that can automate the disruption / destruction of any Active Directory deployment of choice within hours to days, making StuxNet look like child's play, considering the fact that 85% of the world's organizations are powered by Active Directory.



Executive Summary

The following Executive Summary describes this risk. To access it, simply click on the image below -
 
Active Directory Privilege Escalation based on Exploitation of Unauthorized Grants in Active Directory

Why Did We Declassify This?

Strictly speaking, there's nothing to declassify here, because this is common sense. However, in our experience, we have found that hardly any organizations are aware of this. More about that later.

The reason we have declassified it is that we have reason to believe that at least one advanced persistent threat may have figured this out, and given their abundant resources, could potentially, easily build a payload to exploit this threat worldwide.


By the way, the Chinese aren't the only ones who may have potentially figured this out. There are numerous Active Directory and Windows Security Experts in countries like Russia, who are highly capable of figuring this out (, and some of them, of potentially exploiting it as well.)

(If you don't believe that the Russians are good at Active Directory Security, just ask Quest Software (now a part of Dell) how many Project Managers and Software Developers it has in Russia, where I'm told it builds/supports some of its flagship identity and access management solutions, which today are also deployed at departments in the U.S. Government. But I digress.)

One would ordinarily expect organizations to have figured this out on their own, but in our vast experience of having dealt with 1000s of organizations over the last 7 years, we have found that very few organizations in the world actually have any clue about this. (Most of them are still merely looking for how they can enumerate stale accounts in their Active Directory deployments.)

Then, when we saw Microsoft IT release a whopping 328 page white paper on Active Directory Security, and barely even touch upon this subject, it was clear to us that, apparently even Microsoft IT did not understand just how serious this risk was to Active Directory deployments worldwide.

We care deeply about Microsoft's ecosystem, so we decided to shed light on this risk. We decided to share it in the public domain because it would have been too much to try to individually reach out to 20,000+ organizations worldwide.

(By the way, we have been giving hints for a very long time from all the way back in 2006, (here's an example - Who needs WMDs today?) but I suppose these hints were not enough, and until something is said most plainly, it isn't clearly understood.)

That said, I'll now address the technicalities of this risk, and provide some commentary.


Technical Summary

From a pure risk management/assessment standpoint, here is a technical summary of this risk -
  • Asset at Risk – Administrative Delegations, Admin Accounts and Groups
  • Threat Source – Malicious Entity (Could be Outsider or Insider)
  • Attack Surface – Vast (All Active Directory Content)
  • Exploitation Procedure – Detect and exploit unauthorized access grants in Active Directory using freely available tools like dsacls and acldiag. Malicious use of advanced tools like an Active Directory Permissions Analyzer or an Active Directory Password Reset Analysis Tool can speed up the detection process. The free availability of Active Directory management tools like ADUC can be used to enact the exploitations (e.g. perform a password reset to escalate privilege, etc.)
  • Difficulty – Minimal (Authenticated Users have read access by default.)
    Unlike the Pass-The-Hash (PTH) technique, this technique does not require admin access on a server, or the requirement for an admin to logon to that server. It only requires read access to Active Directory (AD) content (which Authenticated Users have by default), the ability to analyze AD ACLs to find excessive rights (which can be easily done using available tools), and the ability to enact administrative tasks (which can be easily done using any Active Directory management tool, such as Microsoft Active Directory Users and Computers.)
  • Impact – Very high (Once gained, administrative access can be used to very quickly cause widespread damage across the IT infrastructure.)

 Risk Overview

There are 3 main components that make this risk critical -





  1. There exist large numbers (1000s) of excessive / unauthorized access grants in most Active Directory deployments worldwide, which effectively grant numerous individuals (that should not technically be provisioned) powerful administrative access.
  1. The identities of these individuals and the excessive access they currently have (, unbeknownst to them, or to the IT groups,) can, be determined by anyone with a domain user account. Once determined, this information can be easily used to perform single/multi step privilege escalations and ultimately gain varying levels of, and usually complete, administrative access within minutes, and performing these privilege escalations only requires enacting simple admin tasks (e.g. Password Resets) for which tooling is freely available.
  1. The attack surface is vast, and the prize is the coveted "keys to the kingdom". The attack surface is vast because it consists of the entirety of all IT resources stored in the Active Directory, and virtually any authenticated user, can with minimal/moderate Active Directory expertise, find these excessive access grants and identify privilege escalation paths which can then be exploited to gain complete administrative control over the Active Directory.

The need for any Active Directory expertise is eliminated if sufficient tooling (e.g. an Active Directory Permissions Analyzer or an Active Directory Password Reset Analysis Tool) exists that makes it possible for someone to make such determinations without requiring any subject matter expertise.


What makes this Risk Possible?

This risk is made possible by the fact that in any Active Directory deployment, at any given moment, there are 1000s of security permissions that specify varying levels of access for various individuals and groups, and that together control who has what effective access to which IT resources in the Active Directory, BUT that are very difficult to correctly assess/verify/audit, because there are numerous factors involved in how the system determines effective access, as a result of which there is no easy way to know who has what effective access at any point in time in Active Directory.


In fact, today, in most organizations worldwide, no one really knows who exactly who can do what in Active Directory.

In regards to these permissions, they control vital administrative actions like who can create user accounts, modify security group memberships, link/unlink GPOs from OUs, delete accounts, groups or entire OUs, as well as perform numerous other administrative tasks on the most vital of IT resources, i.e. user accounts, computer accounts, security groups and GPOs, which are the very building blocks of security in any IT infrastructure.

In regards to the factors that influence effective access, there are numerous factors, such as and not limited to inheritance of permissions, precedence orders, applicability of permissions, individuals and blanket permissions, general and special permissions, group membership evaluations, nested group membership evaluations, circular group membership detection, well-known group memberships, multiple permissions influencing an action, permissions on multiple permissions influencing an action, etc.

As you can imagine, given the complexity involved, and the scale of the problem (i.e. entire Active Directory content), as well as the dynamic (frequently changing) nature of access, it is almost impossible to find out who has what effective access on a single object, let alone an entire OU or domain of objects.

Consequently, without being able to accurately assess who has what effective access, IT personnel have no way of knowing exactly who currently has what effective access, so they continue to provision access (to fulfill dynamic business requirements) based on intentions and approximations, but they have no way to know for sure whether they in fact provisioned access based on the principle of least privilege, or whether they accidentally / inadvertently might have ended up granting access to more individuals than they should have.

As a result, in most Active Directory deployments in the world, there are 1000s of excessive permissions granted, and there is no easy way to find out who really has what effective access in these deployments.


What does it take to Mitigate this Risk?

Objectively speaking, in order to mitigate this risk, 3 abilities are essential -


  1. Minimially, the ability to be able to easily and reliably determine accurate effective access on individual Active Directory objects
  1. Ideally, the ability to do so on a large number of objects in a reasonable amount of time, as well as
  1. The ability to determine HOW someone is getting provisioned specific effective access, so corrective action can be taken.

Finding out Who has what Permissions is NOT the answer

Over the last few years, we have seen 1000s of organizations looking for ways to find out "Who has what permissions in Active Directory" because they believe that in order to solve this problem, they need to find out who has what permissions.

These organizations are not alone. There are also numerous prominent audit organizations (i.e. whose auditors certify companies for compliance of various sorts) that demand that companies furnish reports of who has what permissions in their Active Directory on various objects, such as the CEOs account and that of all Domain Admins.

With all due respect to all of them, knowing who has what permissions in Active Directory is NOT going to help them solve any useful problem, and certainly not help mitigate this risk.

Here's why -

Consider this ACL protecting the CEO's user account. Just because a group such as Help Desk Tier I is granted a specific permission such as Reset Password in the ACL of an object does not mean that all members of that group effectively have that permission on that object.



For instance, just because John Doe is a member of the group Help Desk Tier I and this group has the Allow Reset Password permission on the CEO's user account, does not mean that John Doe can in fact reset the CEO's password.

That's because there could be a Deny permission denying the Outsourced Password Reset Admins group overlapping permissions such as Full Control or Reset Password on the same object, and if John Doe were a member of that group, whether directly, or via a deeply nested group membership, he wouldn't effectively have the ability to reset the CEO's password.

To complicate things, if the Deny permission was inherited and the Allow was Explicit, he would be allowed access. By the same token, there could be numerous other permissions specified in various other ACEs in the ACL of that object that could influence, whether directly or indirectly, what permissions he/she had on the CEO's account.

So you see, finding out Who has what Permissions in Active Directory is not what is needed to solve this problem, or make any meaningful assessment upon which any reliable security action can be taken.

What is needed is the ability to determine who has what Effective Permissions in Active Directory, because that is the only piece of data that would instantly and accurately reveal exactly what access John Doe actually has on a given object, or on any set of objects in the Active Directory.

I'll say this again - the only way to determine who really has what access in Active Directory is to find out who has what (true) effective permissions / effective access in Active Directory.


The Attack Vector

Now getting back to the risk, in case you're wondering what the attack vector is, it is very simple.

All a malicious entity has to do is analyze the ocean of security permissions in Active Directory to find weaknesses that can be exploited, and then exploit them to gain administrative access in Active Directory.

Let me give you an example -

The two easiest ways of becoming a Domain Admin are a) reset a Domain Admin's password and b) modify the membership of the Domain Admins group to add your own account, or that of another user, to the group.




(The PtH attack vector is not the easiest by any means because it REQUIRES that you have Admin level access on a host ON TO WHICH a Domain Admin LOGS ON. If a Domain Admin NEVER logs to your machine, you can sit there and get old, and yet not gain anything (malicious.))

With this attack vector, all a malicious entity has to do is apply some basic knowledge of Active Directory Security to try to determine effective permissions on either a Domain Admin's user account, or the Domain Admins group membership, and figure out a) exactly who can effectively reset the Domain Admin's password, and/or b) figure out who can effectively change the Domain Admins group membership.

Once that's done, you now have a list of lesser protected targets that if compromised can be used to become a Domain Admin.

For example, if the Domain Admins only sit in the Data Centers and never get out of there or logon to any machine other than theirs, the PtH attack vector is completely useless.

However, if John Doe is a delegated admin who sits in a cubicle down the hall from you, and you have been able to figure out that he/she can effecitvely reset a Domain Admin's password, or change the Domain Admin's group membership, all you have to do is compromise the account of the delegated admin John Doe, and you're a minute away from logging on as him and resetting a Domain Admin's password, or adding your own account to the Domain Admin's group membership.

Now, if you have unrestricted physical access to this delegated admin's machine (desktop/laptop), its super easy. There are a gazillion (proverbial) ways to own a machine with unrestricted physical access. In fact you could even use the PtH attack vector in combination to lure this delegated admin to your machine using Social Engineering, and once you have compromised his account, you're a minute away from owning the kingdom.

This approach can also be iterated, meaning you can find who can reset the password of a delegated admin who can reset the password of another delegated admin who can reset the password of a Domain Admin etc. etc..

Please UNDERSTAND that performing the analysis of who has what effective access ONLY involves READ ACCESS to Active Directory, which a) everyone with a Domain user account already has and b) is not/cannot be realistically "audited" because if you started auditing read access to Active Directory, your logs would be rolling over every 30 minutes.

As a consequence, an attacker could take his/her sweet time (hours/weeks/months) to quietly determine effective access on one or more of your Active Directory objects, and eventually determine numerous privilege escalation paths, which could, at a time of his choice, be used within minutes to perform single/multi-step privilege escalations in Active Directory.

Once an attacker has gained Domain Admin access in your environment, he could do whatever he/she wants. Of course the first thing a smart attacker would do is disable all other admin accounts so no one can stop him, then he would disable auditing, and then he could obtain access to, tamper, destroy or divulge whatever IT resource he/she wants. (A devious attacker could also use Group Policy to destroy the entire IT infrastructure within minutes, but I'm not about to talk about that.)

I'll say this again - technically ANYONE with a Domain User account could take HOURS/DAYS/WEEKS to determine effective access in your environment, and find privilege escalation paths, and when he has, at a time of his choice, he could make his move i.e. WITHIN MINUTES, exploit the identified privilege escalation paths to take over the entire IT infrastructure.

(With appropriate tooling, the amount of time involved for the attacker to determine effective access in Active Directory could be reduced down to minutes from hours/days/weeks.)


A Vast Attack Surface

Now let me speak to another very important aspect of this risk; its attack surface is VAST.

By attack surface, we can refer to two things here - one is the set of assets that are at risk, and the second is the set of all entities that can potentially carry out a related attack.

In terms of the assets that are at risk, every user account, every computer account, every security group, every GPO and every OU is at risk. The attacker could select any asset of his choice and determine who has what effective acccess on that object to find weaknesses, then exploit those weaknesses to compromise security.

For example, let's assume that a highly confidential document was residing on a file server, and that a malicious individual wished to gain access to it. The easiest way to access it is not to try to compromise that highly protected file server, but merely examine the ACL of that document to determine which Active Directory domain security group is being used to protect that document. Once you have figured that out, all you need to do is determine effective access on that security group's object in Active Directory, and find out who can change the membership of that group.

That's the weakest link. If you iterate, you can then find out who can reset the password of the individual who can modify the group membership, to find an even easier target to compromise. Once that's done, all you have to do is compromise any one account in the chain, then perform a few password resets (which take 30 seconds) and you can then add your  account to that group. Once you're a member of the group, you can just access that file without compromising any security control on that file server.

Similarly, a malicious user could find out who can delete an entire OU full of resources to instantly cause an internal DOS attack that would take days (and a proverbial $ million) to recover from.

By the same token, if you wanted to disrupt a line-of-business (LOB) application whose clients rely on querying Active Directory for service connection points whose keywords are used to locate specific instances of the service, all you have to do is modify the keyword on the service connection point, and in effect you could DOS that service. In order to modify the keyword, you only need to determine effective permissions on the service connection point to find and exploit weaknesses.

So you see, virtually every IT resource in the Active Directory is a potential target.

Lastly, in regards to the second aspect of the attack surface, virtually anyone with a domain user account has complete and unrestricted read access to the Active Directory, so virtually everyone can examine all the permissions protecting all the IT resources stored in Active Directory.

In other words, literally everyone can examine your Active Directory and look for unauthorized access grants, whenever they want, form whichever computer they want, and on whichever resource they want.


Active Directory Effective Access/Permissions - A Trillion Dollar Phrase

At the heart of this risk lies a single trillion dollar phrase - Active Directory Effective Access/Permissions. If I might add, the correct phrase actually is Accurate Active Directory Effective Access/Permissions.

You see, effective access/permissions are so important to Active Directory Security that along with Auditing, there's an entire Tab for Effective Permissions on the Advanced Security Settings dialog box, which can be accessed by the Active Directory Users and Computers Snap-In as well as Administrative Center -



One unfortunate problem is that this Active Directory Effective Permissions Tab is not accurate and thus is not reliable, and thus is virtually of no practical use.

Furthermore, strictly speaking, even if it were accurate, it's neither user-friendly nor can it assess effective access on more than one object at a time. If your Active Directory has a 1000 objects, even if it were accurate, you'd end up spending months to just determine effective access on those 1000 objects.

What is strictly needed to solve this problem is the ability to determine effective access, not just on a single object, but on entire trees of Active Directory objects at a time, quickly, reliably and ideally in a single shot, as well as having the information delivered in a meaningful way that can be acted upon to identify and lock down unauthorized access grants, and for which, of course, the need to know HOW someone currently has specific effective access is also essential.

For example, something like this.

And by the way, the reason I say this is a TRILLION dollar phrase is because if you take into account the net worth of even the top 1% of organizations that may be exposed to this risk, it'll handily cross a $ Trillion.



So you can imagine my surprise when there was not a SINGLE mention of the phrase "Effective Permissions" in the 300+ page Active Directory Security Guide that Microsoft IT recently released! (Yes, you're welcome to verify this fact; you can download that guide from here.)


IS this Risk Mitigatable?

Absolutely. Like most technical risks, this risk too can be mitigated. The most important thing needed to mitigate this risk, is the will to do so, because the process is (relatively) simple.

Objectively speaking, all that is needed to mitigate this risk is the ability to swiftly and reliably perform an audit of  effective delegated/provisioned access in Active Directory.

Once that is done, organizations should instantly know who currently has what effective access and can review the findings to determine all policy violations i.e. the list of all individuals who should not be able to perform a specific task, but who can today, and HOW.




Then the HOW part can be used to identify the underlying permissions that are causing the excessive / unauthorized access to exist, and this information can be used to determine which security permissions and/or group memberships need to be tweaked to eliminate the unintended access grants from being in the system.

When performed with sufficient diligence, such a process can result in 99% risk reduction in a matter of days to weeks, depending on the resources allocated to the project. The hardest part is to accurately identify the ocean of unauthorized grants across the Active Directory (because fixing them is relatively easy.)

In this regard, the biggest challenge is posed by the effort involved in swiftly and reliably performing an audit of effective delegated / provisioned access in Active Directory. While it is possible to do so manually, doing so could take months. Automation can help reduce the amount of time taken to do this down to hours or days, thereby making the process substantially faster and more economical.

In short, the hardest part to fixing this problem is correctly finding the unauthorized access, not fixing it. Once you know what to fix, fixing it is relatively easy. Its the finding part that's very difficult.


How about a little help from Active Directory Security Solution Vendors?

There are many 3rd party vendors today that offer a host of valuable Active Directory security solutions ranging from valuable professional services to valuable auditing solutions, such as -
  1. Hewlett Packard
  2. Quest Software (now Dell)
  3. Centrify
  4. ManageEngine
  5. Beyond Trust
  6. Netwrix
  7. SolarWinds
  8. Net IQ
  9. Varonis
  10. etc.

Based on my professional opinion as former Microsoft Program Manager for Active Directory Security, I am not aware of any solution from any of the above listed respectable vendors that can solve this specific problem.

(Please don't get me wrong. I'm sure they're all good at what they do, predominantly Auditing (which relatively speaking, is a much simpler problem to solve, because it only (again, relatively speaking) involves collecting and rolling up audit events from DCs into a single database and onward to a dashboard. But I digress again.))

That's because this is a VERY difficult problem to solve.

Let me give you just ONE example -

Let's assume you needed to find out who can effectively delete an OU? (Yes, just a single small OU with a 100 objects in it.)



Here's what it takes to correctly make this effective access determination -

You need to determine who has what effective delete access on the OU which involves considering the influence of the Standard Delete, Delete Child and Delete Tree permissions on the OU, and if the OU is not empty, you further need to determine who all can delete ALL the children in that OU, either by virtue of Standard Delete permissions or Delete Child permissions or Delete Tree permissions, as only he/she who has sufficient effective rights to delete all the children in the OU as well, can delete the OU. (Now, if one had Delete Tree on the OU, it would be sufficient, but if not, then you'd have to evaluate effective access on all the child objects as well.)

If ANYONE in the world, can write a script or make a tool that can accurately determine just this much, on a single non-empty OU (with say just a 100 objects in it,) correctly, taking into account all the factors involved, let alone doing so across an entire Active Directory domain consisting of 100s of 1000s of objects, in a single shot, I'll bow to this individual/entity.

Now, getting back to the risk.


Where's the Proof?

So, if this is so difficult that it virtually impossible to do, why should one worry about this being a threat, and where's the proof that something like this can be automated, such that it could give someone the ability to instantly find out who can reset whose passwords, or for that matter instantly find out who has what effective access across an entire Active Directory?

Here you go -

If you can touch a button, you can use this to instantly find out exactly how many people can reset your password as well as that of any colleague, and of course, of your CEO as well.



(The choices of fictitous names and their fictitous designations in the snapshot above are intentional.)

NOW, we only designed this for use by authorized organizational IT personnel, but the point is that if we can do it (with less than 100 full-time developers, testers and engineers), imagine what a foreign government can do with 1000s of personnel devoted to building something like this, especially if you consider what is at stake, and what can be had.

Besides, there are enough people out there who know enough about Active Directory Security, who can use simplistic tools like this, to figure out a rough approximation of effective access on a single object in about 20 minutes per object. (Keep in mind that all it takes is read access, so you can't detect them doing it.) That particularly tool cannot accurately determine effective permissions, but it can be used to view and analyze AD ACLs instantly.

By the way, if this isn't enough proof, here's some more - if you can touch a button, you can use this to instantly find out who has what effective access across an entire Active Directory, within minutes, at the touch of a button.


Getting to a Bullet Proof State

If you have an Active Directory wherein access grants are always (verifiably and provably) provisioned based on the principle of least privilege, you have no reason to worry.



That's because even if the entire user population were to determine effective access on your Active Directory, all they would find is tightly least-privileged basis provisioned access, wherein only authorized individuals are granted the access they need, so there would be 0 escalation paths for them to exploit.

Is this doable? Absolutely. Our Active Directory deployment is bullet-proof in that regard.

What does it take to do it? More than anything else, it takes the support of executive management (C*Os), and a proficient team of Active Directory Security professionals who are equipped with the resources they need to maintain a solid and secure Active Directory.


How about a Proxy Solution? (Tread with care)

There are some organizations that use a proxy solution to facilitate the delegation of administration in their environments. While there are some benefits to it, generally, there is also an accompanying risk you undertake when you deploy any such solution, because that solution basically has complete and unrestricted access to your Active Directory, and thus a single vulnerability in it, whether accidental or malicious, could instantly jeopardize the security of your entire Active Directory.

The other downside of a proxy solution is that it becomes a very attractive target for malicious entities because if they know that the compromise of that one solution can be used to instantly gain complete and unrestricted administrative access, their efforts to compromise such a solution will substantially increase because there's only one layer to peel there, and a single point of failure.

In contrast, thanks to the multi-mastered nature of Active Directory, i.e. no single point of failure, most attacks can be controlled, if you know how to do so. (Hint: multiple-DCs and replication to the rescue.)

Anyway, AFAIK, there aren't many such solutions, and I'm not sure if they're even built/supported from within the United States. I'm told that at least one (a popular one) is built in/supported from Russia.

I don't know about you, but if I were responsible for leading an IT department in the U.S. Government, or that of a Fortune 500 Company I'm not so sure I'd be inclined to (or even be allowed to) deploy anything built in/supported from Russia, especially in light of the recent Edward Snowden affair. (But that's just me.)

The only other thing I will add is that even if one were to use a proxy solution, the problem still remains, because you'll always have the computer objects representing all the domain-joined machines in the Active Directory, and there will undoubtedly be a need for access to be provisioned on them as well, whether to control aspects like the Trusted for Delegation bit or to allow services running on those computers to modify the service connection points published under the computer objects, etc.

Finally, there are so many Active Directory integrated applications these days, and most of them rely on direct access to the Active Directory, whether it be read access or modify access. In cases where modify access is required, it will still be direct access, and not via the proxy, and so the need to be able to audit and control such direct access will always exist.

In essence, irrespective of whether you're using a proxy solution, the risk described above remains.


About The Chinese

Let me address one penultimate issue.

As you may know, a little company called Mandiant recently because famous because its CEO published a report that essentially showed the extent to which the Chinese were engaging in cyber security compromises.

One of the salient aspects of that report involved a description of HOW the Chinese were doing this, and if you see this Wikipedia page, you'll find, in the APT life cycle section, that the defining act that helped the intruders to gain administrative access was in fact Privilege of Escalation.

Specifically, if you scroll down the Wikipedia page on Advanced Persistent Threats to the APT life cycle section, you'll find the following excerpt: "In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed similar lifecycle:
  1. Initial compromise — performed by ...
  2. Establish Foothold — plant ...
  3. Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
  4. Internal Reconnaissance — collect ...
  5. Move Laterally — expand ...
  6. Complete Mission — exfiltrate stolen data from victim's network."
The 3rd step, Escalate Privileges is the defining step that gives a perpetrator administrative access in target IT infrastructures, by virtue of which substantial willful damage can be inflicted.

Thus far intruders have been using age-old techniques like password guessing, but our cyber intelligence data indicates that the Chinese have been actively researching Active Directory Privilege Escalation involving password resets, which is why I chose to declassify this today.

So you see, nothing I have stated here is far fetched at all.


Oh, and this too is VERY important.

Do you know what is one of the easiest ways for the Chinese, or the Russians, or others to deliver a malicious payload into an organization?

Allow me to tell you. Craft and offer a malicious payload as a a Free Active Directory Reporting Tool online, and you will be surprised at just how many 1000s of personnel will download it and execute it. We recently conducted an experiment to test this, (and it is still online) and we were shocked to see the results. (Of course the dummy tool was digitally self-signed and harmless, but you get the point.)

It takes just ONE execution of ONE malicious payload, especially when done in the context of an Active Directory Admin, to potentially automate the compromise/disruption/destruction of an entire Active Directory deployment.

Just ONE.

And we have seen SO many organization search for Free Active Directory Reporting Tools, including organizations, whose names, if I was to reveal to you, you would be shocked!

So, in your best interest, PLEASE do NOT download and run anything FREE from the Internet, UNLESS you have sufficient reason to believe that it is TRUSTWORTHY. Not even ONCE.


A Word about Auditing

This discussion would not have been complete without the mention of auditing.

Auditing is helpful, because it can help detect the occurrence of this attack, but its use is largely limited to just that - detection. It is vastly more important to be able to prevent the occurrence of such an attack, than it is to try and detect it, and then try and stop it, because in all likelihood, if you're up against an advanced perpetrator, he will not give you the opportunity to stop him, and by the time you try to react, he may already have disabled all your domain admin accounts.

So, auditing is good to have, but is not going to help you mitigate this risk. Detect, yes, Mitigate no.



Not Just Domain Admin Accounts, All Active Directory Content is At Risk of Compromise

By the way, lest you be under the impression that only Domain Admin accounts are at risk, if you haven't gotten the drift yet, let me state it clearly - every delegated administrative account and group, as well as every domain security group that is being used to protect access anywhere across the forest, every OU, every GPO and every SCP is a potential target and at risk of compromise.


If you haven't figured out the serious impact of this yet (i.e. not just Domain Admin accounts but virtually all Active Directory content is at a potential risk of instant and wsift compromise), I doubt anything else I say will drive home the point any better.

The point about Domain Admins was just made to convey the mechanics of this risk.



Responsibly Declassified this Risk

As you will hopefully agree, it would be highly irresponsible to shed light on any risk without there also being an adequate risk mitigation measure to mitigate this risk. We have known about this for years now (evidence) but it is today, after 7 years of knowing about this, that we have finally shed light on this risk, only because today there are solutions that can adequately mitigate this risk.

So I hope you'll agree that we have responsibly declassified this critical risk to Active Directory deployments. (Also, perhaps in light of this, this old blog post from 2006 will make some sense.)

By the way, if you were expecting that I will be declassifying a bug/code vulnerability in Active Directory, I'm sorry to have disappointed you. You see, if that was the case, I would have reported it to Microsoft, and not blogged about it. This risk does not stem from any such bug/code vulnerability, but in fact it stems from a capability deficiency in a product, and I had already informed Microsoft about this way back in 2007 (; yes, they were the first to know.)


But We don't worry about Insider Threats

This also happens to be the #1 insider threat to organizations worldwide. Here's why.

Organizations that do not worry about insider threats need only be reminded of one name - Edward Snowden, the classic Trusted Insider, who may not only have caused monumental damage, but also great embarrassment, to arguably the world's most powerful and clandestine national security agency, the U.S. NSA.


In Summary

I know I've touched upon quite a few points today, and I hopefully didn't distract you from the core risk here, which is real, imminent and very serious. If addressed in time and properly, it can easily be mitigated and in a reasonable time-frame.

Unaddressed though, it is a ticking time-bomb...  

... because a malicious entity only needs to find and exploit ONE privilege escalation path to potentially completely compromise an organization's entire Active Directory deployment.

Just ONE.

Best wishes,
Sanjay


PS: What I am also almost certain of is that the Symantecs, McAfees, EMCs, RSAs, TripWires, Mandiants and Booz Allen Hamiltons of the world most certainly have neither a clue about this risk, nor the ability to help organizations worldwide mitigate it.


[ December 07, 2015 update: If you liked this, you may also like my 2c on the OPM Breach, as well as our Privileged Access Insight, particularly the Attack Vectors and Attack Surface sections. ]


PS2: October 21, 2016 Update - Defending Active Directory Against CyberAttacks

PS3: July 01, 2017 Update - A Simple Trillion Dollar Active Directory Privilege Escalation Example


September 2, 2013

An Increase in Cyber Security Attacks from the Syrian Electronic Army

Folks,

As we were getting ready to declassify the #1 Active Directory Security Risk to organizations worldwide, we received a request to consider delaying its declassification, in light of the possibility of more cyber attacks from the Syrian Electronic Army (SEA), as Washington mulls possible military action against Syria.


Who is the Syrian Electronic Army

According to Wikipedia the Syrian Electronic Army is a collection of pro-government computer hackers aligned with the Syrian President -

"The Syrian Electronic Army (SEA), also known as the Syrian Electronic Soldiers, is a collection of pro-government computer hackers aligned with Syrian President Bashar al-Assad. Using denial of service attacks, defacement, and other methods, it mainly targets political opposition groups and western websites, including news organizations and human rights groups. The Syrian Electronic Army is the first public, virtual army in the Arab world to openly launch cyber attacks on its opponents, though the precise nature of its relationship with the Syrian government is debated."


In recent months, the Syrian Electronic Army has taken credit for Web attacks on media targets that it sees as sympathetic to Syria's rebels, including prior attacks at the New York Times, along with the Washington Post, Agence France-Press, 60 Minutes, CBS News, National Public Radio, The Associated Press, Al-Jazeera English and the BBC.

Although their attacks have been thus far been simplistic (DDOS), one of the latest ones was a sophisticated spear phishing attack, they thus do seem capable of attempting sophisticated attacks, especially if they might be receiving technical assistance from the Russians, the Iranians, or others.


An Increase in Cyber Security Attacks from the Syrian Electronic Army

Quoting, Helmi Noman, a senior researcher at the Citizen Lab, Munk School of Global Affairs at the University of Toronto, who has been tracking the Syrian Electronic Army since May 2011-  "They said they are determined to escalate attacks on websites belonging to the United States, European countries and all the countries preparing a possible military action against Syria," Noman said. He also said that "This suggests that the group will try to carry out more serious attacks."

Over the last few days, the Syrian Electronic Army has increased cyber security attacks and disrupted major media websites, including that of the New York Times and earlier today, the Syrian Electronic Army hacked the website of Marines.com.


As Washington mulls possible military action in Syria, the next few few days are sensitive, and the Syrian Electronic Army could potentially try to increase cyber security attacks on the American media and other organization.


Abundance of Caution

The entity that made this request has expressed concern that the Syrian Electronic Army, or their allies, could potentially misuse such new information to develop and deploy exploits possibly aimed at attacking corporate infrastructures of major media outlets as well as military agencies and business organizations (, both that of the US, and those of its partners, notably England, France, Australia and others.)



We doubt that the Syrian Electronic Army has the technical expertise needed to use advanced attack vectors (, the simplest of which is the Pass-the-Hash attack vector,) involving intimate details of Windows Security and Active Directory Security. Their attacks thus far seem to be simplistic DDOS attacks, as well as social engineering attacks to accomplish phishing.

However, we do believe that other malicious entities out there might have the technical sophistication needed to swiftly use such advanced attack vectors. In fact, the only reason we are making this public is because we have reason to believe that at least one prominent advanced persistent threat may have already figured this out.

On the other hand, if the SEA is getting technical assistance from the Russians or the Chinese, then they could very well potentially acquire the capability to use advanced attack vectors to cause harm.

Thus, out of an abundance of caution, we decided to honor the request, and thus have postponed the declassification of this risk until September 12, 2013.  Details can be found here.

Best wishes,
Sanjay.

August 29, 2013

Bootstrapping Trust – A Billion Dollar Cyber Security Problem (Responding to a Domain Admin Account Compromise)

Folks,

A few days ago I posed a seemingly simple question to the world's foremost global community of Active Directory Security Professionals How does one respond to a Domain Admin Account compromise?


 
I say "seemingly simple" because in fact it is a "very difficult" question. (Strictly speaking, it is not the answer that is difficult, but rather the implementation of the measures suggested by the "right" answer that is "very difficult".) 
 
Before I can answer the question, perhaps I should establish context.


Establishing Context - What does a Domain Account Compromise have to do with Cyber Security?
 
You see, at the very foundation of cyber security at 85+% of all organizations worldwide lies Microsoft’s Active Directory.

 
Consequently, in these organization, the entirety of their IT resources are ultimately protected by Active Directory. 
 
I think Microsoft's CISO, Bret Arsenault stated this most eloquently in a recently released white paper titled Best Practices for Securing Active Directory. Quoting Bret - "Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment.
 
In other words, Active Directory plays a critical role in ensuring the proper functioning of and the security afforded to every account, group, laptop, desktop, server, application, etc. deployed in the IT infrastructure.

Consequently, it also follows that the compromise of an organization's Active Directory could potentially be used to compromise any account, group, laptop, desktop, server, any file stored on any server, any application, LOB server etc.

(By the way, given the substantially high potential impact of an Active Directory compromise, it is increasingly becoming a very lucrative target for malicious entities. This point too is made in that white paper.)
 
NOW, in every organization's Active Directory deployment, there are designated Domain Admin accounts that are all-powerful and have virtually complete and unrestricted access to Active Directory and by extension to all computers joined to the Active Directory, and thus realistically, by extension to the entire IT infrastructure.

 

By default, a Domain Admin account holder has complete unrestricted access to all resources in the entire IT infrastructure. This is because every system needs at least one admin account for administration purposes.
 
A consequence of this is that a rogue / coerced Domain Admin could also access, tamper, divulge and destroy virtually any organizational IT resource (i.e. he/she can also subvert virtually any existing security policy as well as disable / control / destroy auditing evidence of virtually any action on any domain-joined machine/system, directly / indirectly.) 
 
In other words Domain Admins hold the proverbial "Keys to the Kingdom" and thus control the very foundation of cyber security in the IT infrastructures of their respective organizations.

 

Impact of a Domain Admin Account Compromise
 
In light of the above, its worth considering the scenario wherein a Domain Admin account was either compromised, or a Domain Admin turned rogue, or whether his/her account was hijacked without his/her knowledge.


In such a situation, as indicated above, the Domain Admin account could basically be used to access, tamper, divulge and destroy virtually any organizational IT resource. His/her account could be used to create any number of accounts and grant them administrative access on any resource in the Active Directory, such as on OUs, admin accounts/groups, GPOs etc.

ONE MORE THING. A Domain Admin's account could also be used to potentially place time-bombed malicious software on ANY domain-joined machine (i.e. any laptop, desktop or server) that could do anything from letting the perpetrator back in from the outside, to automating the destruction of  large parts of the IT infrastructure from the inside, or allowing him/her to easily regain administrative control in the Active Directory itself at a later point in time.

As a result, ONCE a Domain Admin account has been compromised, the entire fabric of TRUST across the IT infrastructure is potentially compromised.

Again, I'm not the only one saying this. Here's a snippet from Microsoft IT's white paper -

"It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to “clean” the system. Active Directory is no different. If an attacker has obtained privileged access to a domain controller or a highly privileged account in Active Directory, unless you have a record of every modification the attacker makes or a known good backup, you can never restore the directory to a completely trustworthy state."

It continues to read -

"Even if you reinstall every domain controller in the forest, you are simply reinstalling the hosts on which the AD DS database resides. Malicious modifications to Active Directory will replicate to freshly installed domain controllers as easily as they will replicate to domain controllers that have been running for years."

In other words, a Domain Admin account compromise is potentially tantamount to a system-wide compromise.



Responding to a Domain Admin Account Compromise

In light of the above, you'll hopefully see that the ONLY WAY to re-establish TRUST, which is PARAMOUNT to cyber security is to completely re-build the entire IT infrastructure, because that is the only way to ensure that any and every potential machine where the malicious Domain Admin could have potentially left a back door has been wiped clean.


Anything less than a complete re-build will not GUARANTEE the elimination of that risk.

As you can imagine completely re-building an entire IT infrastructure costs a proverbial BILLION DOLLARS. Meaning it is VERY expensive and virtually impossible to do so, even in medium organizations let alone large ones. Not to mention that most organizations will not be able to afford the downtime involved in rebuilding an entire IT infrastructure.


Bootstrapping Trust – A Billion Dollar Cyber Security Problem

Bootstrapping trust, both proverbially and realistically, is thus a billion dollar cyber security problem today. (Hypothetically speaking, just the cost of organization-wide downtime to rebuild the IT infrastructure of a large organization could be a $B.)


The scenario painted above applies to over 85% of all organizations worldwide today, including to almost a 100% of business and government organizations that are household names today. This is a very real global challenge today.



Is There a Million Dollar Fix to this Issue?

As I indicated, although a complete re-build is the only guaranteed way to bootstrap trust a 100%, realistically speaking, it is simply not possible/feasible (without it considerably impacting organization wide business operation).

The following snippet from the same Microsoft IT white paper corroborates this -

"A compromise to the degree described earlier is effectively irreparable, and the standard advice to “flatten and rebuild” every compromised system is simply not feasible or even possible if Active Directory has been compromised or destroyed. Even restoring to a known good state does not eliminate the flaws that allowed the environment to be compromised in the first place."

If the ONLY way to re-establish a 100% TRUST is to rebuild the entire IT infrastructure, which costs a proverbial BILLION dollars, and is not really feasible, is there a proverbial MILLION dollar (i.e cheaper) way to address this challenge?

Yes, and No.

The No part first. Technically, if you're looking to establish a 100% trust, that is the only way to go. I mean you can establish 99% trust for a proverbial MILLION dollars, but NOT 100%. But for many organizations, 99% may be sufficient, especially given where they're at today. (You'd be surprised if I told you just how many organizations have 100s of Domain Admin accounts holders that they don't even know of.)

The Yes part now. There's an old saying - "Prevention is better than cure". Every organization will always need a handful of Domain Admins, because every system needs an Administrator. But NO organization needs or should have more than a handful of Domain Admins, because as indicated above, with each additional Domain Admin you have, you increase the likelihood of the compromise of a very high value IT asset.




So, the Yes in essence relies on prevention, and involves the following -
  1. Immediately, REDUCE the number of Domain Admin accounts to a bare minimum
  2. Ensure that you can impose the HIGHEST levels of trust in the few Domain Admin accounts
  3. Disable their use. Enable them on a need basis, and when used ensure that 2 PAIRS of eyes are involved
  4. Establish policies that communicate in no uncertain terms, that should a willful or abetted misuse of administrative authority be found, there will undoubtedly be legal repercussions for the perpetrator
  5. Proactively audit administrative access in Active Directory on a weekly/fortnightly basis
  6. Implement 24-7 Active Directory Auditing to monitor the management and use of Domain Admin accounts 
(This assumes, of course, that one does not have already a compromised Domain Admin account, today.)

The Yes, is thus not strictly a Yes, but is an approach that can be used to substantially reduce risk realistically. Protecting 3 Domain Admin accounts is far easier (and has a higher likelihood of success) than protecting 30 or 300 Domain Admin accounts.


Why do Organizations have so many Domain Admin Accounts?

Like Microsoft, in our collective experience at Paramount Defenses, over the last half decade, we have had the opportunity to help 1000s of organizations worldwide, and we often come across organizations that have an alarming large number of Domain Admin accounts.

In my humble opinion, the root of this problem has to do with a lack of consistent diligence by IT groups in establishing and enforcing a stringent policy that ensures that access is ALWAYS provisioned based on the principle of least privilege, even when it may be inconvenient to do so.


Most organizations end up trading off comfort for security in this regard, by giving away Domain Admin access to so many individuals just because it is an easy way to not have to deal with the hardship of determining and provisioning least privileged access.

I will also add that many times, IT groups are under-staffed because they just don't have sufficient budget, so they often end up taking the convenient road. It is thus equally important for Executive Management to make this a priority, and adequately fund their IT groups to address this challenge.

Lastly, let me also state unequivocally there there is no shortcoming in Active Directory in regards to being able to precisely authorize/specify access. In fact, Active Directory offers arguably the world's most highly securable security model, wherein access can be very precisely specified based on the principle of least privilege.



Reducing the Number of Domain Admin Accounts

In regards to reducing the number of Domain Admins to facilitate access to resources stored on files servers, and/or to LOB applications etc, there is absolutely NO need to have Domain Admin access. A combination of least privileged local machine-specific access and least privileged network access to the appropriate resources should be sufficient.

As it pertains to reducing the number of Domain Admins to facilitate access to resources within the Active Directory, I'd recommend IT groups to seriously consider leveraging the Delegation of Administration capability to its fullest potential.



Properly implemented, Delegation of Administration, based on the principle of least privilege can be used to reliably delegate all administrative responsibilities (tasks) that do not require Domain Admin access, and virtually eliminate the need for requiring Domain Admin access for all but the most critical of all admin activities (e.g. DCPROMOing a new DC.)

In fact, by leveraging secure (verifiable) least-privilege, role-based delegation in Active Directory, most organizations should be able to reduce their number of Domain Admin accounts by at least 90%, thus substantially reducing risk.


A Word of Caution

Some organizations choose to deploy 3rd party solutions for identity and access management delegation. This approach is an alternative to directly delegating control in Active Directory, and while it may appear to be a secure/efficient alternate, it may actually potentially be laden with high security risks.

For instance, such a proxy solution, may have a requirement that it needs to be run on a Domain Controller, or that it itself needs complete unrestricted access to Active Directory to create and manage objects.




Before deploying ANY solution on a Domain Controller, or ANY Solution that requires UNRESTRICTED access to the Active Directory, organizations must (in their own best interest) ensure that any such solution is at least as TRUSTWORTHY as is the Active Directory itself, because otherwise, it could easily become their weakest link.

When evaluating the TRUSTWORTHINESS of any such solution, one should think about factors like -
  1. Is the vendor offering this solution at least as trustworthy as Microsoft?
  2. Is this solution developed by highly proficient developers?
  3. Is it developed in a trustworthy country, or in some foreign country, where hackers or other malicious entities could easily (physically or via network security compromise) obtain access to its code-base?
  4.  
Why is this important? It is important, because this solution will most likely either be running on a DC or require complete admin access to your Active Directory, so ensuring its utmost TRUSTWORTHINESS is paramount.

(I'm told that there is at least one 3rd party "Active Directory Delegation Solution" which is developed in / supported from Russia. In light of the Snowden affair, when it comes to cyber security, a Russian solution may or may not be a wise choice. In contrast, Active Directory's trustworthiness is unparalleled, which is why so many organizations worldwide choose to natively delegate administrative access in Active Directory.)



Time's Up

My 10 minute timer just rang, so I will have to end this here. I hope you now see why Bootstrapping Trust is a Billion Dollar Cyber Security Problem today, and why organizations MUST make it a high priority to reduce the number of Domain Admin accounts.  Using secure (verifiable) least-privilege, role-based delegation in Active Directory is one of the easiest ways in which organizations can reduce their number of Domain Admin accounts by at least 90%, thus substantially reducing risk.

Best wishes,
Sanjay



PS: 2016 Update: If you liked this post, perhaps you'll like this too - Defending Active Directory Against Cyberattacks