Shadow Admins - The Stealthy Accounts That You Should Fear The Most, but Needn't Anymore
Folks,
Today's post concerns 
CyberArk's guidance on 
Privileged Account Security, a subject that is 
paramount to cyber security today, and it likely 
impacts Trillions of $, as it impacts the foundational cyber security of 
85% of all organizations worldwide. I pen this as former Microsoft Program Manager for Active Directory Security, and thus as the world's top expert in privileged access.
An Intro to CyberArk
I shouldn't have to provide an intro to CyberArk (CYBR), a $ Billion+ cyber security company, because according to its website, CyberArk is the (self-proclaimed) leader in 
Privileged Account Security, with more than 3450 global companies, including more than 50% of the Fortune 100 companies, relying on its solutions to protect their most critical and high-value assets.
|  | 
| 
Image Attribution: CyberArk's Website | 
According to CyberArk's 
website - 
HALF OF FORTUNE 100 CISOs RELY ON CYBERARK.
If that is the case, then recent guidance provided by CyberArk's experts on a very important topic is 
a bit concerning. 
Specifically, on June 08, 2017 CyberArk's researchers penned a blog post on their 
Threat Research Blog, which is presumably read by thousands, titled 
Shadow Admins - The Stealthy Accounts that You Should Fear The Most. In it, they've shed light on a category of privileged accounts they called Shadow Admin accounts, and introduced and recommended tooling that they have developed, and that according to them, could help organizations discover these Shadow Accounts in their networks.
It is concerning because as a subject matter expert, i.e. as former Microsoft Program Manager for Active Directory Security, it is my professional opinion that though its premise is accurate, the guidance and tooling provided in that post are 
inaccurate, and consequently any reliance upon it by organizations could result in a false sense of security, and leave them vulnerable.
Note: The specific details of the various inaccuracies are provided below in the section titled The Inaccuracy and a link to two demos that illustrate these inaccuracies is also provided in the section titled Accurate Guidance.
The remainder of this well-intentioned blog post is meant to help CyberArk and organizations worldwide understand this esoteric yet paramount aspect of organizational cyber security i.e. the so-called "Shadow Admins" and how to correctly discover them.
Privileged Account Security
Before I share why CyberArk's guidance may be inaccurate, its important to say a few words on 
Privileged Account Security.
The importance and value of Privileged Accounts is perhaps best summarized in line #1 of CyberArk's 
data-sheet -
"Privileged accounts represent the largest security vulnerability an organization faces today. These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data."
CyberArk is 100% right. The compromise of even just 
1 (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over the entire IT infrastructure and empower them to swiftly enact a devastating cyber attack.
In fact, 100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.
In that regard, CyberArk's focus on helping organizations adequately protect privileged accounts is spot-on and appreciated.
That said, and as you'll hopefully agree, "
one can't protect what one can't identify" which is why the 
accurate discovery of all privileged accounts in an organization's network, especially of all 
Active Directory Privileged Access Accounts, is paramount.
In fact, it is exactly these privileged access accounts in Active Directory that CyberArk's well-intentioned blog sought to shed light on. Further, they likely felt this was very important (and they're right), which is why they even proceeded to develop tooling to help organizations identify 
all such accounts. Its just that perhaps CyberArk's experts too may not yet understand the intricate details of Active Directory Security well enough, and thus their well-intentioned guidance may have turned out to be inaccurate.
Speaking of which, this makes for a perfect segue, so please allow me to shed light on where CyberArk's well-intentioned guidance is inaccurate, and how organizations can correctly discover all such "Shadow Accounts" in Active Directory.
The so-called 
Shadow Admin Accounts
CyberArk's famous post on Shadow Admins, titled 
Shadow Admins - The Stealthy Accounts that You Should Fear The Most begins by describing what these so-called "Shadow Admin Accounts" are, and I quote -
"Shadow Admin accounts are accounts in your network that have sensitive privileges and are typically overlooked because they are not members of a privileged Active Directory (AD) group. Instead, Shadow Admin accounts were granted their privileges through the direct assignment of permissions (using ACLs on AD Objects)"
I've been working on Active Directory Security for almost two-decades know and may have personally clocked over 30,000 hours on the subject, and yet the first time I came across the term "
Shadow Admins" was when I read CyberArk's blog post.
If you Google/Bing "
Shadow Admins" you're likely not going to find many references to it, other than to CyberArk's post on their blog, and then all the places wherein numerous people who may have read their blog have shared this across the Web.
Ah! What CyberArk's researchers are referring to as "
Shadow Admin" accounts are actually Active Directory user accounts that may not belong to any privileged Active Directory groups, yet may have been directly granted various security permissions at various locations (i.e. on various Active Directory objects) within Active Directory, SUCH THAT the permissions they've been granted effectively provide them with access that is tantamount to possessing privileged access in Active Directory.
The rest of us, who have been doing Active Directory Security for years, and by that I also mean and include thousands of Active Directory admins at organizations worldwide, typically refer to such accounts as "
Delegated Admins" in Active Directory.
By the way, I only know this because while at Microsoft, I wrote the Bible on Privileged Account Security in Windows - i.e. back in 2004, I authored Microsoft's official 400-page whitepaper titled "
Best Practices for Delegating Active Directory Administration."
For instance, here are 3 quick examples -
- James has Write-Property Member permissions specified in the ACL of the Domain Admins group.
- Emily has Reset Password permissions specified in the ACL of a Domain Admin's user account.
- John has Get-Replication Changes All permissions granted in the ACL of the domain root.
In each case above, even though Emily, James and John may not be a member of any one of the many default Active Directory admins groups, their access is
*  tantamount to Domain-Admin equivalent access; this discovery might be startling for novices.
Like other accomplished cyber security folks who may have recently taken a keen interest in Active Directory Security (e.g. 
one, 
two, 
three, etc.), CyberArk's experts too may be new to Active Directory Security, and may have come to realize that indeed there likely possibly exist hundreds of such "
Delegated Admin" accounts in Active Directory, many of whom may have what is tantamount to unrestricted privileged access in Active Directory, yet neither these account holders nor the organization's privileged users may know about them, BECAUSE it is very difficult to accurately identify/discover/audit these accounts.
Speaking of which, therein lies the inaccuracy in CyberArk's guidance and tooling, as explained below.
The 
Inaccuracy
Let me first acknowledge that CyberArk's general recommendation on Privileged Account Security are correct, and I 
quote -
"To maintain a strong security posture, CyberArk Labs highly recommends that organizations get to know all of the privileged accounts in the network, including those Shadow Admins." 
That said, if you read their entire blog post, which I highly recommend every IT and Cyber Security professional and CISO to do, you'll find that CyberArk's experts seem to be making the same classic mistake that so many other have been making for years.
Specifically, here's that classic mistake, and again I 
quote from their post -
"Searching and analyzing the ACL permissions granted to each account is a more comprehensive method."
You see, searching and analyzing the permissions granted to each account in Active Directory ACLs is 
NOT the right way to find out exactly what level of access that account holder may actually (i.e. effectively) have in Active Directory.
Here's why - the ONLY CORRECT WAY to find out exactly who actually has what access in Active Directory, including of course any/all privileged access, is by determining "
Active Directory Effective Permissions / 
Active Directory Effective Access."
This cardinal technical fact may be confirmed by contacting Microsoft .
Not only is there a HUGE difference between merely "
searching and analyzing the ACL permissions granted to each account" and "
determining effective permissions in Active Directory," more importantly the latter is a thousand times more difficult.
Incidentally, for reasons best known to Microsoft, for an entire decade, Microsoft 
apparently forgot to educate the world about the paramount importance of effective permissions/access in (and to the security of) Active Directory, which is also likely why even the authors of 
An ACE Up the Sleeve - Designing Active Directory ACL Backdoors, which likely was what prompted CyberArk's experts to look into and pen this post, also seem to have made the same mistake in their approach and tooling.
I find it amazing that based on this limited (and inaccurate) knowledge, CyberArk's experts even procceded to develop tooling, and I say so because unlike the developers of (the inaccurate) Bloodhound, CyberArk is a respected Billion $ company -
"...we have developed a special tool that scans and discovers privileged accounts based on account permissions. The tool, ACLight, is available for free on GitHub and can be used to discover these Shadow Admin acocunts on your network today...
We 
tested their 
ACLight tooling and unfortunately it failed even the most basic of tests that one could put such a tool through.
Consequently, it is in light of the above (i.e. their guidance seems to be based on incorrect technical facts and relies upon the use of tooling which too may be based on the same incorrect technical facts, and thus may likely be vastly inaccurate) that my professional opinion leads me to believe that the following guidance from CyberArk's experts is most likely inaccurate -
"...We encourage you to use our Shadow Admins scanning tool, ACLight, to start uncovering these accounts."
To help everyone clearly understand this, I've illustrated this in 2 DEMOS which can be accessed 
here.
Accurate Guidance
To help CyberArk's experts and the entire world better understand why the naïve approach of "
searching and analyzing the ACL permissions granted to each account" is fundamentally flawed, and why it is effective permissions that matter, as well as how to CORRECTLY identify all such Shadow Admins in Active Directory, I've penned a separate blog post on my technical blog, and here's the URL -
I highly recommend that every IT and Cyber Security professional and every CISO, including the CISOs of half of the Fortune 100 that rely on CyberArk today as well as the half that don't rely on CyberArk yet, READ that insightful technical blog post.
Fear, No More
Those who truly understand Active Directory Security, and thus those who truly understand Privileged Account Security in Windows networks know that the 
ONLY CORRECT WAY to accurately identify all such Delegated Admins (or as CyberArk calls them, "Shadow Admins") in Active Directory is by determining 
effective permissions / 
effective access in Active Directory.
As former Microsoft Program Manager for Active Directory Security, let me be the first to tell you that accurately determining effective permissions in Active Directory, on even a single Active Directory object, is very difficult. To then be able to do so on thousands of objects in an Active Directory is almost a herculean task on par with scaling Mount Everest.
That said, if you can click a button, you needn't fear "
Shadow Accounts" anymore because 
this tool can uniquely, instantly and accurately identify all such "
Delegated Admins" (or if you prefer to call them "
Shadow Admins") accounts in Active Directory -
It is the only tool in the world that can accomplish the herculean feat of being able to accurately identify all such "
Delegated Admin" / "
Shadow Admin" accounts in Active Directory, and it took over half a decade to build, thoroughly test and deliver.
Today, the world's 
most powerful government and business organizations across 6 continents worldwide rely on it.
We care deeply about all organizations, including all cyber security companies so I'll also be the first to tell you that it does 
NOT obviate the need for various privileged account security solutions that respectable companies like CyberArk and others provide.
It ONLY helps accurately discover/identify/audit all such accounts, but as CyberArk too has emphasized in their blog, that in itself is 
PARAMOUNT because "
you cannot protect what you cannot identify" and 
just ONE such privileged account (of which at most organizations, there likely are hundreds today) is all that perpetrators need to discover and compromise to then be able to easily 0wn the Kingdom.
Ladies and Gentlemen, in closing, Privileged Account Security is paramount to organizational cyber security, and please don't just take my word for it, for 
here's CyberArk communicating in effect the same fact -
"Privileged accounts represent the largest security vulnerability an organization faces today. These powerful accounts are used in nearly every cyber-attack, and they allow anyone who gains possession of them to control organization(al) resources, disable security systems, and access vast amounts of sensitive data."
As I've said above, CyberArk is 100% right. The compromise of even just 
1 (i.e. ONE) such privileged account could easily grant perpetrators complete command and control over your entire network and empower them to swiftly take over everything.
In fact, 
100% of all major recent high-impact cyber security breaches (E.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and subsequent misuse of a single, i.e. just ONE Active Directory Privileged User Account.
CyberArk is also 100% right that in most Active Directory deployments worldwide, today there likely exist a 
dangerously and 
excessively large
 number of such "Shadow Admin" accounts, that for all practical reasons possess the same level of privileged access as do members of default Active Directory administrative / privileged access groups, yet because they're not members of these default privileged access groups, these accounts are in fact very difficult to accurately identify.
Consequently, their presence may possibly post 
a FAR greater risk to organizational cyber security, which is why it is so very important for organizations to be able to accurately discover/identify all such accounts i.e. 
each and every single one of them.
We also appreciate CyberArk's well-intentioned efforts to offer guidance that could help organizations identify all such accounts. Unfortunately, because this is a rather esoteric subject, and Microsoft has apparently not provided any guidance on how to correctly identify such accounts, CyberArk's experts may not have known how to correctly identify all such accounts.
Thus, we were happy to have shed light on this paramount subject to help them and organizations worldwide better understand how to accurately identify all such "Shadow Admin" accounts. Towards the same, I also shared a 
pointer to a technical blog wherein we're illustrated the inaccuracy and classic mistake that most organizations make, as well as the correct approach.
Finally, for all such organizations that wish to be able to efficiently and accurately identify all such "
Shadow Admin" accounts, I've also shared with you above how the world's most powerful government and business organizations easily do so today.
I hope you've found this to be helpful, and I wish you all, including CyberArk, all the very best. 
We're 
all in this together.
Best wishes,
Sanjay
PS: (Highly) Recommended Reading -
- The Entire World runs on Active Directory
- Defending Active Directory Against CyberAttacks (Slide 88 alludes to CyberArk)
- Active Directory Effective Permissions
- Active Directory Privilege Escalation - A Trillion Dollar Example
- How to Thwart Sneaky Persistence in Active Directory
- How to Discover Stealthy Admins in Active Directory
- A Letter to Benjamin Delpy, a Letter to Microsoft, and a Letter to President Donald Trump