Did you know that a single insecure delegation grant could seriously threaten the security of your entire IT infrastructure?

The risk of privilege escalation in Active Directory is dangerously high: the attack surface is very large and the probability of occurrence is high, given what is at stake.
Consider the security impact of a few common administrative tasks, when performed with malicious intent –
- Create a new user account – Use new account to engage in malicious activity that cannot be traced to perpetrator.
- Reset a user's password – Logon as that user and instantly access every IT asset to which that user has access.
- Modify a group membership – Instantly gain access to every IT asset to which that group has been granted access.
NOTE: For the security impact of other administrative tasks, please see the Top-20 Risks page.
Consider this – if John Doe could reset your Domain Admin's password, and Jane Doe could reset John Doe's password, then Jane Doe could instantly reset John Doe's password, then reset your Domain Admin's password and gain control over your AD.
In effect, a single insecure delegation grant is all that a malicious perpetrator might need to very quickly take over a domain admin account, modify a domain security policy or a vital security group membership, and possibly take control of your AD.
As you know, permissions in Active Directory can change very quickly, because multiple individuals could have the ability to modify security permissions on OUs, accounts, groups, etc., and because permissions can be inherited automatically.
To make matters worse, by default, all authenticated users have read access to Active Directory ACLs, so anyone with a valid user account could attempt to determine resultant access, uncover insecure delegations and quickly elevate privilege.
Thus, it is of utmost importance to ensure that there are no insecure delegation grants in your Active Directory. Organizations are urged to take this threat very seriously and advised to assess delegated access in their Active Directory on a daily basis.
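The following PowerShell script is an added example (not code from the original page or its author) of the kind of daily delegation check described above. It uses the RSAT ActiveDirectory module to read the security descriptor of every user and group under a chosen OU and flags any principal, other than an expected baseline, holding the "Reset Password" extended right, write access to the member attribute, GenericAll, or WriteDacl/WriteOwner. The extended-right and attribute GUIDs are the well-known Microsoft values; the OU path, the CONTOSO domain name and the list of expected principals are placeholders that must be adapted to your environment.

```powershell
# Added example, not part of the original page. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known GUIDs: the User-Force-Change-Password extended right and the "member" attribute.
$ResetPasswordGuid = [Guid]'00299570-246d-11e0-a768-00aa006e0529'
$MemberAttrGuid    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Placeholder baseline (assumption): principals that are expected to hold these rights.
# Anything else is reported for review.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins'
)

function Find-SensitiveDelegations {
    param(
        # Placeholder search base, e.g. 'OU=Admins,DC=contoso,DC=com'
        [Parameter(Mandatory)] [string]   $SearchBase,
        [string[]] $Expected = $ExpectedPrincipals
    )

    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # Users and groups only: these are the objects whose password/membership matter most.
    $objects = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
        -Properties nTSecurityDescriptor

    foreach ($obj in $objects) {
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # An empty ObjectType means "all extended rights" / "all properties".
            $allObjects = ($ace.ObjectType -eq [Guid]::Empty)
            $right = $null

            if ($ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)) {
                $right = 'GenericAll'
            }
            elseif ($ace.ActiveDirectoryRights.HasFlag($rights::WriteDacl) -or
                    $ace.ActiveDirectoryRights.HasFlag($rights::WriteOwner)) {
                $right = 'WriteDacl/WriteOwner'
            }
            elseif ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                    ($allObjects -or $ace.ObjectType -eq $ResetPasswordGuid)) {
                $right = 'ResetPassword'
            }
            elseif ($ace.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and
                    ($allObjects -or $ace.ObjectType -eq $MemberAttrGuid)) {
                $right = 'WriteMembers'
            }

            if (-not $right) { continue }

            $who = $ace.IdentityReference.Value
            if ($Expected -contains $who) { continue }

            # Each hit is one delegation grant that should be justified or removed.
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Principal = $who
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder OU): run daily and diff the output against the previous run.
Find-SensitiveDelegations -SearchBase 'OU=Admins,DC=contoso,DC=com' |
    Sort-Object Object, Principal |
    Format-Table -AutoSize
```

The Inherited column matters for the scenario in the text: a grant placed high in the OU hierarchy is inherited by every account beneath it, so one ACE can silently give a principal reset-password rights over many accounts. Comparing each day's output with the previous day's shows new grants as soon as they appear, which is the point of assessing delegated access on a daily basis.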