Buy

Least Privilege Access

Our Microsoft-endorsed Active Directory Access Assessment solutions uniquely empower organizations to attain and maintain least privilege access (LPA) in Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager      
Identity and Security Business Group

Microsoft Logo
Active Directory

Active Directory - The Heart of Privileged Access

At 85% of organizations worldwide, all organizational domain user accounts, computers, passwords, security groups and policies are stored and protected in Active Directory, and a mountain of privileged access is delegated/provisioned to facilitate and distribute their management.

Active Directory is thus the heart of privileged access worldwide.


Active Directory's security model lets organizations provision access precisely to attain least privilege access (LPA).

Unfortunately, Active Directory lacks the fundamental capability required by organizations to accurately and adequately assess and verify provisioned access in Active Directory, making it difficult for organizations to attain and maintain LPA in Active Directory.

Privileged Access Assessment in Active Directory

Privileged Access Assessment - The Key to LPA

Today there exists a vast and unknown amount of excessive privileged access within Active Directory deployments.

It does so because Active Directory lacks the fundamental capability to help accurately assess privileged access.

In fact, this is the reason that while organizations have been delegating and provisioning privileged access in Active Directory for years, they have no idea exactly who is provisioned/delegated what access in Active Directory.

If organizations could accurately assess privileged access in Active Directory, they could easily identify and eliminate all excessive / unauthorized access in their Active Directory and thus be able to attain and maintain LPA in Active Directory, and eliminate the risk of privilege escalation.

The key to attaining and maintaining LPA in Active Directory thus lies in being able to accurately assess privileged access (and based upon which to subsequently lockdown privileged access) in Active Directory.

Accurate privileged access assessment in Active Directory

Accurate Privileged Access Assessment

Today, in most Active Directory deployments, there exist millions of permissions within the ACLs of thousands of objects.

Most organizations, vendors and experts errantly believe that to accurately assess privileged access in Active Directory, they simply need to find out "Who has what permissions in Active Directory."

The fact however is that there is only one way to accurately assess privileged access in Active Directory, and that involves finding out "Who has what effective permissions in Active Directory.".

Accurate Privileged Access Assessments require the accurate determination of effective permissions in Active Directory.

Active Directory Effective Permissions

Effective Permissions - The Keys to Privileged Access

From AdminSDHolder to Domain Admins, and from the default Administrators account to the CEO's domain user account, literally everything in Active Directory is an AD object.

Every AD object is protected by an access control list (ACL) that specifies who has what security permissions on the object, and it is the net cumulative resulting set of "effective permissions" that determines who actually has what access on the object.

Thus, what provides accurate insight into privileged access is not an assessment of Who has what permissions in Active Directory but an assessment of Who has what effective permissions in Active Directory.

Consequently, to accurately assess (and subsequently lockdown) privileged access in Active Directory, organizations need to be able to accurately assess effective permissions in Active Directory.


Our Unique Insights

Here are some paramount Active Directory Privileged Access Insights that only* our solutions can accurately deliver -

  • Who can create, delete and manage domain user accounts in Active Directory?
  • Who can create, delete and manage Active Directory security groups?
  • Who can reset the password of any/every domain user account in Active Directory?
  • Who can change the permissions specified in the critical AdminSDHolder object's ACL?
  • Who can create, delete, manage and delegate control of Organizational Units in Active Directory?
  • Who can modify the Active Directory Schema to make crippling irreversible changes to Active Directory?
  • Who can link a GPO or change the precedence of GPOs linked to any/every site, domain and OU in Active Directory?
  • Who can change administrative control in Active Directory to instantly obtain access to all organizational IT resources?
  • Who can launch a denial-of-service attack against any Active Directory integrated application/service? (e.g. Azure Connect)
  • Who can delete any/every domain account, security group, OU etc. even with the Prevent Accidental Deletion feature turned on?

        * Our solutions are unique in their ability to accurately determine effective permissions in Active Directory.

Our Unique Solution

Our Unique Solution

Gold Finger, our unique Microsoft-endorsed Active Directory Privileged Access Assessment solution fully automates the accurate determination of effective permissions, both per-object and domain-wide, thus empowering organizations to be able to perform accurate Privileged Access Assessments.

The ability to perform accurate Privileged Access Assessments in Active Directory enables organizations to accurately assess and easily verify privileged access, enabling them to attain and maintain least privilege access in Active Directory.

Gold Finger is architected by former Microsoft Program Manager for Active Directory Security.



Here's a quick overview of how our unique Active Directory Assessment Tools help organizations attain least privilege access in Active Directory –

Active Directory Effective Permissions Calculator
Active Directory Effective Permissions Calculator

Accurately assess effective permissions on any Active Directory object

Active Directory Effective Access Auditor
Active Directory Effective Access Auditor

Accurately assess privileged access on any Active Directory object

Active Directory Privileged Access Assessor
Active Directory Privileged Access Assessor

Automatically and accurately assess privileged access domain-wide

Gold Finger Mini
Gold Finger Mini (Advanced)

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Your Privacy

We use cookies to provide you the best online experience. Please let us know if you accept these cookies.