Active Directory Privileged Access Assessor
Instantly, accurately and automatically assess privileged access, domain-wide, on thousands of objects in Active Directory, at a button's touch.
Active Directory Privileged Access Assessor
Overview
Organizations have a paramount cyber security need to be able to accurately* assess access in Active Directory and identify exactly who actually has what privileged access, where and how in their foundational Active Directory, to -
Attain Zero Trust
Secure Active Directory
Perform Privileged Account Discovery
Implement Privileged Access Management
Attain and Maintain Least Privilege Access
Gain High-Value Active Directory Threat Intelligence
Manage Risk and Demonstrate Regulatory Compliance
Active Directory Privileged Access Assessor is a one-of-a-kind tool designed by former Microsoft Program Manager for Active Directory Security that uniquely empowers IT personnel to easily, instantly and trustworthily fulfill this need.
* Based on accurate effective permissions analysis
Easily Attain and Maintain
Least Privilege Access in Active Directory
All building blocks of organizational cyber security i.e. accounts, credentials and groups are stored in Active Directory, so attaining and maintaining least privilege access (LPA) in Active Directory is paramount to organizational cyber security.
To attain and maintain LPA in Active Directory (AD), organizations, first and foremost, need to be able to accurately assess who has what access in AD, because to lock-down access, one first needs to know who has what access.
Unfortunately, there exist thousands of complicated security permissions (e.g. explicit, inherited, allow, deny, object-specfic, special rights etc.) in every Active Directory and they make it very difficult to accurately assess who currently has what access, in turn making it very difficult to lock-down access, and thus to attain and maintain LPA in Active Directory.
Our Active Directory Privileged Access Assessor can instantly, automatically and accurately determine who currently has what access, domain-wide, on all (thousands of) Active Directory objects, based on the accurate determination of effective permissions, thereby solving the problem of determining who actually has what access in Active Directory.
It also identifies and pinpoints the exact underlying permissions and group memberships that enable all identified access.
Thus, by automating the accurate assessment of who has what access, where and how, domain-wide in Active Directory, it lets organizations easily assess and lockdown access, and thus easily attain and maintain LPA in Active Directory.
Instant, Accurate Active Directory
Privileged Access Assessment
Privileged Access is the new holy grail for perpetrators and the #1 target in organizational cyber security worldwide.
At 85% of organizations worldwide, the proverbial Keys to the Kingdom, i.e. the most powerful Domain Admin level privileged access, as well as the vast majority of all privileged access, resides inside their Active Directory.
From the SolarWinds Breach to the Colonial Pipeline Hack, and every major breach in the last decade, the perpetrators targeted and compromised just one account that had privileged access in Active Directory, then used it to inflict damage.
The single most important and effective cyber security measure organizations can take to prevent getting breached is to accurately assess (i.e. identify) and lock-down (minimize) the number of users with privileged access in Active Directory.
Our unrivaled Microsoft-endorsed Active Directory Privileged Access Assessor uniquely enable organizations to instantly and accurately assess (i.e. identify) and then lock-down (minimize) privileged access in Active Directory.
Instant, Accurate Privileged Access Assessment
There is one and only one way to accurately assess privileged access in Active Directory and that involves accurately determining effective permissions on Active Directory objects. Unfortunately, doing so accurately is extremely difficult.
Our Active Directory Privileged Access Assessor is the world's only tool that can automatically accurately determine effective permissions on thousands of Active Directory objects, and map them into enactable administrative tasks, to ultimately determine who actually has what privileged access, both unrestricted and delegated, in Active Directory.
It also identifies the underlying security permissions and security group memberships that enable all such identified privileged access, empowering organizations to quickly and easily lockdown privileged access in Active Directory.
Our Active Directory Privileged Access Assessor can thus deliver instant, accurate privileged access insights and uniquely empower you to find out exactly who has what privileged access in Active Directory, where and how.
Only Gold Finger Can Accurately Assess
Privileged Access in Active Directory
Active Directory's security model lets organizations precisely delegate privileged access (i.e. administrative privileges), but it makes it very difficult to accurately assess privileged access, especially delegated administrative privileges.
In every AD, there are thousands of allow, deny, explicit and inherited security permissions, granted to users and groups, and together they impact the actual (effective) access, making it very difficult to accurately assess privileged access.
Most organizations and solutions do not know this fact, and determine "Who has what permissions in Active Directory," which is incorrect and delivers vastly inaccurate results, reliance upon which leaves them substantially vulnerable.
There is one and only one correct way to accurately assess privileged access in Active Directory, and that is by accurately determining "Who has what effective permissions in Active Directory?"
Only Gold Finger's Microsoft-endorsed effective access assessment capabilities can accurately determine effective permissions in Active Directory, and thus only Gold Finger can accurately assess privileged access in Active Directory.
Unrivaled in Capability
The need to know who has what access in Active Directory is absolutely paramount to organizational cyber security.
Our unique, unrivaled Microsoft-endorsed Gold Finger is the world's only tool that can instantly, accurately and automatically find out exactly who has what access, including where and how, domain-wide in Active Directory.
It can also instantly determine and reveal exactly what access a specific user has in Active Directory.
It accomplishes in mere minutes, what otherwise takes months,
and it does all this, and more, at the touch of a button.
Standard Mode
The Standard Mode (default mode) of Active Directory Privileged Access Assessor enables organizations to instantly, accurately and automatically determine exactly who has what access, where and how, domain-wide in Active Directory.
For example -
Who can create and/or delete domain user accounts, security groups, OUs, etc. in Active Directory?
Who can modify the membership of thousands of domain security groups in Active Directory?
Who can modify permissions on any/all accounts, groups, OUs etc. in Active Directory?
Who can reset the passwords of any/all domain user accounts in Active Directory?
Who can replicate secrets (password-hashes) from Active Directory?
Single-User Mode
The Single-User Mode of Active Directory Privileged Access Assessor empowers organizations to instantly, accurately and automatically assess whether a specific user has any access in Active Directory, where and how.
For example -
Can a specific user, John Doe, create and/or delete accounts, security groups, OUs, etc. in Active Directory?
Can a specfic user, Jane Doe, modify the membership of any domain security groups in Active Directory?
Can a specific contractor user modify permissions on any accounts, groups, OUs etc. in Active Directory?
Can a specific delegated user reset the passwords of any domain user accounts in Active Directory?
Can a specific user, Stuart Chan, replicate secrets (password-hashes) from Active Directory?
Features
Accurate Domain-wide
Privileged Access Assessment
Accurately assess privileged access domain-wide at a button's touch
Enterprise-Grade
Scalability
Automatically determine privileged access on thousands of objects
Privileged Access
Source Identification
Pinpoint permissions that entitle a user to specific privileged access
Instant, Real-time Assessment
Instantly assess effective privileged access domain-wide in real-time
Unrivaled Efficiency
Accomplish in minutes what could otherwise take months to do
Technical Summary
The accurate determination of privileged access in and across Active Directory is extremely difficult and challenging.
There is only one way to accurately assess privileged access in Active Directory and that involves determining effective permissions on Active Directory objects. Active Directory Privileged Access Assessor is the world's only tool that actually calculates effective permissions to accurately determine who has what privileged access in Active Directory.
Specifically, Active Directory Privileged Access Assessor accomplishes the remarkable technical feat of automating the accurate determination of effective permissions/access on thousands of Active Directory objects, in a process that involves correctly determining the collective impact of millions of security permissions, all done within minutes and in a single assessment, to identify exactly who has what privileged access in and across an entire Active Directory domain.
Benefits
Accurately Assess Privileged Access in Active Directory
Accurately assess privileged access domain-wide in Active Directory
Assess Privileged Access Domain-wide
Automatically assess privileged access on thousands of AD objects
Attain Least Privilege Access in Active Directory
Reliably attain and maintain least privilege access in Active Directory
Complete Steps 1, 2 and 3
of your PAM Journey
Accurately identify privileged users in AD, secure them and control access
Demonstrate
Regulatory Compliance
Correctly demonstrate compliance concerning privileged access in AD
Mission-critical Active Directory Privileged Access Insights
Active Directory Privileged Access Assessor can instantly and accurately identify -
- Who can run Mimikatz DCSync against your Active Directory?
- Who can modify the ACL protecting any and every object in Active Directory?
- Who can change the membership of any and all security groups in Active Directory?
- Who can link a malicious GPO to any and all OUs in Active Directory to unleash ransomware?
- Who can reset the passwords of any and all regular and privileged user accounts in Active Directory?
- Who can disable the use of Smartcards for interactive logon on all domain user accounts in Active Directory?
- Who can create, manage/control and delete accounts, groups and organizational units (OUs) in Active Directory?
- Who can change the membership of any and all security groups (e.g. Confidential Access Group) in Active Directory?
- Who can change privileged access in Active Directory to instantly obtain access to millions of organizational IT resources?
- Who can compromise Active Directory integrated apps/services (e.g. Azure Connect) by modifying Active Directory contents?
* If your existing tools merely rely on determining "Who has what permissions in Active Directory," you're likely operating on dangerously inaccurate insights.
Example Reports
The following real-world examples illustrate the Active Directory Privileged Access Assessor's unique capabilities -
- Instantly find out exactly who has what privileged access, where and how in and across Active Directory.
- Instantly identify who has unrestricted and delegated administrative privileges domain-wide in Active Directory.
- Uncover exactly who can change the membership of all privileged security groups (e.g. Domain Admins) in Active Directory.
- Find out exactly who can reset the passwords of all privileged domain user accounts (e.g. Administrator ) in Active Directory.
- Discover exactly who can create domain user accounts, where (i.e. under which OUs), and how anywhere in Active Directory.
- Identify exactly who can reset the passwords of thousands of domain user accounts (e.g. CEO's account ) in Active Directory.
- Learn exactly who can change the membership of thousands of domain security groups (e.g. Enterprise Admins ) in Active Directory.
- Find out exactly who can delete which domain user and computer accounts, security groups, OUs etc., and how in Active Directory.
- Identify exactly who can disable the requirement to have Smart-card authentication for all domain user accounts in Active Directory.
- Uncover and eliminate thousands of privilege escalation paths leading to privileged access in an across your entire Active Directory.
Eliminate The World's #1 Attack Vector
Active Directory Privilege Escalation based on the exploitation of a sea of excessive unidentified privileged access in Active Directory is the world's #1 attack vector because it threatens the foundational security of 85% of organizations.
It can be exploited to compromise the security of virtually everything in Active Directory, including any (and every) domain user account, computer account, group, OU etc., and particularly all-powerful Active Directory privileged accounts and groups, and high-value targets such as AzureADConnect that enable Cloud integration.
Fact - In virtually ever major cyber security breach, including the SolarWinds Breach, Colonial Pipeline Hack, Okta Breach and most others, perpetrators targeted, exploited and misused privileged access in Active Directory to gain unrestricted system-wide access and swiftly inflict colossal damage.
The most effective security measure organizations can take is to assess (identify) and lockdown privileged access in Active Directory. Unfortunately, accurately assessing privileged access in Active Directory is extremely difficult.
Our Active Directory Privileged Access Assessor uniquely empowers organizations to accurately, quickly and easily assess (identify) and lockdown all privileged access in their Active Directory, including all excessive privileged access, virtually eliminating the #1 attack vector.
Requirements and Licensing
Active Directory Privileged Access Assessor can be instantly downloaded, installed and run on any Windows computer. Its use does not require any admin privileges, any changes to or any knowledge of Active Directory.
The tool is licensed on a subscription model, and can be licensed on an annual basis. Its access assessment capabilities can also be availed of as a service, and its Top-10 reports are also available in our unique Gold Finger Mini solution.
In addition, its unique capabilities are now also offered as a free Active Directory Privileged Access Assessment Service.
Our Global Customers