Active Directory Effective Access Auditor

Instantly and accurately audit Active Directory effective access on individual Active Directory objects, at the touch of a button.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager
Identity and Security Business Group

Overview

Organizations have an essential cyber security need to be able to accurately* assess effective access on Active Directory objects in order to identify, secure and lock down privileged accounts and groups in Active Directory, secure Active Directory and demonstrate compliance.

Specifically, they need to be able to -

  1. Assess privileged access on numerous high-value Active Directory objects, such as the Domain Admins group

  2. Secure all Active Directory privileged accounts and groups, and continuously assess and control access to them

  3. Audit privileged access on specific Active Directory objects such as the CFO's account, to demonstrate compliance

  4. Identify which security permissions entitle individuals to specific privileged access in Active Directory

  5. Lock down security permissions in Active Directory to eliminate excessive privileged access in Active Directory




Active Directory Effective Access Auditor is a specialized audit tool designed by a former Microsoft Program Manager for Active Directory Security to help IT groups and personnel easily, instantly and trustworthily fulfill this need.

* Based on accurate effective permissions analysis

Technical Summary

Instant Accurate Effective Access Assessment

There is one and only one way to accurately assess effective access in Active Directory and that involves accurately determining effective permissions on Active Directory objects. Unfortunately, doing so accurately is extremely difficult.


Our Active Directory Effective Access Auditor is the world's only tool that can automatically and accurately determine effective permissions on individual Active Directory objects, and uniquely map them into enactable administrative tasks, to ultimately determine and reveal who actually has what effective access, in terms of enactable administrative tasks, on any specific Active Directory object.

For example, it can instantly determine and reveal exactly who can enact which administrative tasks on the CEO's domain user account, or the Domain Admins group membership, or on a large top-level organizational unit (OU) etc.

It also identifies the underlying security permissions and security group memberships that enable all such identified effective access, empowering organizations to quickly and easily lock down access on specific Active Directory objects.


Our Active Directory Effective Access Auditor can thus deliver instant, accurate effective access insights and uniquely empower you to find out exactly who has what effective access on specific Active Directory objects, including how so.

Unrivaled in Capability

The need to know who has what access in Active Directory is absolutely paramount to organizational cyber security.


Our unique, unrivaled Microsoft-endorsed Gold Finger is the world's only tool that can instantly, accurately and automatically find out exactly who can enact what administrative tasks, and how, on individual Active Directory objects.

It can also instantly determine and reveal exactly what tasks a specific user can enact on an Active Directory object.


It accomplishes in mere minutes what otherwise takes days, and it does all this, and more, at the touch of a button.

Standard Mode

The Standard Mode (default mode) of Active Directory Effective Access Auditor enables organizations to instantly, accurately and automatically determine exactly who has what access on individual Active Directory domain objects, including how.

For example -

  1. Who can create and/or delete domain accounts, security groups, OUs, etc. in a specific Active Directory OU?

  2. Who can modify the membership of a specific domain security group in Active Directory?

  3. Who can modify permissions on a specific account, group, OU etc. in Active Directory?

  4. Who can reset the password of a specific domain user account in Active Directory?

  5. Who can replicate secrets (password-hashes) from an Active Directory domain?

Single-User Mode

The Single-User Mode of Active Directory Effective Access Auditor empowers organizations to instantly, accurately and automatically assess whether a specific user has any access on a specific Active Directory object, and how.

For example -

  1. Can a specific user, John Doe, create and/or delete accounts, security groups, OUs, etc. in the Americas OU?

  2. Can a specific user, Jane Doe, modify the membership of or permissions on the Domain Admins security group?

  3. Can a specific contractor modify permissions on or delete a specific account, group, OU etc. in Active Directory?

  4. Can a specific delegated user reset the password of a specific domain user account in Active Directory?

  5. Can a specific user, Stuart Chan, replicate secrets (password-hashes) from an Active Directory domain?

Features

Accurate Effective Access Audit

Accurately audit effective access on Active Directory objects

Active Directory Privileged Access Audit

Accurately audit privileged access on AD privileged accounts and groups

Instant, Real-time, Fully-Automated Audit

Automatically determine privileged access on Active Directory objects

Actionable Intelligence

Identify how someone has privileged access on an Active Directory object

Export to CSV
One-Button Exports

Easily export audit results for analysis, comparison and archival

Technical Summary

Active Directory Effective Access Auditor automates the accurate determination of effective access on individual Active Directory objects, to help identify exactly who has what privileged access on individual Active Directory objects such as the domain root, the AdminSDHolder object, the Domain Admins security group, the CEO's user account etc.

Benefits

Accurately Audit Effective Access in AD

Accurately audit effective access on Active Directory objects

Audit Privileged Access on an AD object

Find out who has what privileged access on an Active Directory object

Lock-down Privileged Access in AD

Lock-down access by identifying how a user has privileged access in AD

Privileged Access Management
Complete Steps 1, 2 and 3 of your PAM Journey

Accurately identify privileged users in AD, secure them and control access

Demonstrate Regulatory Compliance

Correctly demonstrate compliance concerning privileged access in AD

Mission-critical Active Directory Privileged Access Insights

Active Directory Effective Access Auditor can instantly and accurately identify -

  • Who can run Mimikatz DCSync against your Active Directory?
  • Who can modify the ACL protecting the AdminSDHolder object in Active Directory?
  • Who can change the membership of any Domain Admins equivalent privileged security group?
  • Who can link a malicious GPO to an OU in Active Directory to unleash ransomware domain-wide?
  • Who can reset the passwords of privileged, executive and high-value user accounts in Active Directory?
  • Who can disable the use of Smartcards for interactive logon on any domain user account in Active Directory?
  • Who can create, manage/control and delete accounts, groups and organizational units (OUs) in Active Directory?
  • Who can change the membership of any domain security group (e.g. Confidential Access Group) in Active Directory?
  • Who can change privileged access in Active Directory to instantly obtain access to millions of organizational IT resources?
  • Who can compromise Active Directory integrated applications/services (e.g. Azure Connect) by modifying Active Directory contents?


* If your existing tools merely rely on determining "Who has what permissions in Active Directory," you're likely operating on dangerously inaccurate insights.

Example Reports

The following real-world examples illustrate the Active Directory Effective Access Auditor's unique capabilities -

  • Find out exactly who can modify the AdminSDHolder ACL.
  • Determine exactly who can reset the password of a Domain Admin's account.
  • Find out exactly who can disable the use of Smartcards on domain user accounts, including those of privileged users.
  • Find out exactly who can change the membership of the Domain Admins privileged security group in Active Directory.
  • Find out exactly who can delete a specific Active Directory privileged user account, computer account or security group.
  • Find out exactly who can change the permissions protecting a specific Active Directory privileged user account or group.
  • Identify exactly who can delegate or change administrative access on a specific organizational unit in Active Directory.
  • Determine exactly who can link/unlink GPOs to a specific OU in Active Directory, such as the Domain Controllers OU.
  • Determine exactly who can change the logon hours of a specific Active Directory privileged or executive user's account.
  • Determine exactly who can modify the keywords on an Active Directory integrated application's service connection points.

Requirements and Licensing

Active Directory Effective Access Auditor can be instantly downloaded, installed and run on any Windows computer. Its use does not require any admin privileges, any changes to or any knowledge of Active Directory.

The tool is licensed on a subscription model, and can be licensed on an annual basis. Its capabilities can also be availed of as a service, and its Top-10 reports are also available in our unique Gold Finger Mini solution.

"We use the Gold Finger from Paramount Defenses to fulfill our Active Directory Audit needs. It saves us a lot of time and effort and we would recommend it to anyone who needs to perform Active Directory audits trustworthily and cost-effectively. Great product, great support."

Sean Seeliger, Architect

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University
