This past March we announced Preempt Inspector, a free app for password strength assessment. The App gave administrators a better understanding of their AD configuration, especially of parameters that are difficult to estimate, such as duplicate and weak passwords. We analyzed the anonymous data we received from the app and found some worrying trends, such as that 1 in 5 enterprise passwords can be easily compromised.
The original goal of Preempt Inspector was to provide a free tool to any organization that would allow them to quickly identify areas where they could proactively reduce their risk, and reduce their attack surface. With the success of Preempt Inspector, we wanted to continue to provide even more value.
So we started investigating: what other AD configurations are hard for administrators to manage?
What’s New In Preempt Inspector
We added three new assessments which, unlike password strength assessment, do not require administrator privileges. These new assessments can be executed by any domain user, on a domain-joined machine.
While these assessments bring immediate value and visibility, they also demonstrate how easily any domain user can query Active Directory to learn about its weak points.
Password Policy Assessment
Preempt Inspector examines the domain password policy settings. The password policy is critical for the organization’s security, and password complexity can be set as either high, medium or low (as discussed here).
The App assesses the password policy's complexity requirements and gives security teams actionable data for adjustments that reduce risk. The default domain policy can be overridden by fine-grained password policies, which are factored in when assessing the policy's strength. A good security measure is to use fine-grained password policies to make sure that administrative groups within the domain are required to have strong passwords.
Exposed Password Scanner
Group policy objects (GPOs) may require executing a script with a fixed user account's permissions. This is commonly used when setting a scheduled task on all machines for some deployment activity or maintenance check (e.g., updating local AV software configuration, setting the local administrator password, etc.). When such a task is set with a user's privileges, the password for that user is stored within the GPO (obfuscated, with the key within reach). This is a major security risk, as any user in the domain can read the GPO and extract the password.
Preempt Inspector reviews the GPOs, looks for exposed user passwords, and reports back on which GPO contained the exposed password, supplying a list of exposed password GPOs.
More about exposed GPO passwords is available here.
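The exposure described above can be audited without the App. The following is an added example (not Preempt Inspector's code) that scans Group Policy Preference XML files for the `cpassword` attribute in which such passwords are stored, and reports where they exist without decrypting or printing the stored value. The sample XML, the `CORP\svc_avdeploy` account and the ciphertext placeholder are constructed for this example; in a real audit you would point `scan_sysvol` at a copy of the domain's SYSVOL Policies tree.

```python
"""Audit Group Policy Preference XML files for embedded credentials.

Added example, not Preempt Inspector's code. Group Policy Preferences keep a
task or account password in a ``cpassword`` attribute of the preference XML
(ScheduledTasks.xml, Groups.xml, Services.xml, ...) under the SYSVOL share.
This script only reports where such attributes exist; it never decrypts them.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # file path or label the credential was found in
    item: str     # name of the preference item (task, local user, service ...)
    run_as: str   # account the stored password belongs to, if recorded


def scan_gpp_xml(xml_text: str, source: str) -> list[Finding]:
    """Return one Finding per element carrying a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:           # GPP writes cpassword="" when no password is set
            continue
        parent = parent_of.get(elem)
        item = (parent.get("name") if parent is not None else None) or elem.tag
        run_as = elem.get("runAs") or elem.get("userName") \
            or elem.get("accountName") or "<unknown>"
        findings.append(Finding(source, item, run_as))
    return findings


def scan_sysvol(root_dir: str) -> list[Finding]:
    """Walk a directory tree (e.g. a local copy of SYSVOL\\...\\Policies) and scan every .xml file."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_gpp_xml(fh.read(), path))
            except (ET.ParseError, OSError):
                continue            # non-XML or unreadable files are skipped, not fatal
    return findings


# Constructed sample: a scheduled task deployed with a service account's password.
SAMPLE_SCHEDULED_TASKS = """<ScheduledTasks>
  <Task name="AV config refresh">
    <Properties action="U" name="AV config refresh" runAs="CORP\\svc_avdeploy"
                cpassword="CONSTRUCTED-CIPHERTEXT-PLACEHOLDER" />
  </Task>
</ScheduledTasks>
"""

# Constructed sample: a local group preference that stores no password at all.
SAMPLE_CLEAN_GROUPS = """<Groups>
  <Group name="Remote Desktop Users">
    <Properties action="U" groupName="Remote Desktop Users" cpassword="" />
  </Group>
</Groups>
"""


def demo() -> list[Finding]:
    """Write both samples into a Policies-like tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        task_dir = os.path.join(tmp, "{CONSTRUCTED-GPO-GUID}", "Machine", "Preferences", "ScheduledTasks")
        group_dir = os.path.join(tmp, "{CONSTRUCTED-GPO-GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(task_dir)
        os.makedirs(group_dir)
        with open(os.path.join(task_dir, "ScheduledTasks.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SCHEDULED_TASKS)
        with open(os.path.join(group_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLEAN_GROUPS)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.source}: item '{f.item}' stores a password for {f.run_as}")
```

Each finding names the GPO file, the preference item and the account whose password is stored, which is enough to remediate: remove the stored credential from the preference and rotate that account's password, since anyone in the domain may already have read it.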
Stealthy Admins Scanner
When looking at the users and groups in any domain, it is easy to identify users with administrative privileges by listing every member of the "Administrators" group (or any other privileged group, such as "Schema Admins"). But some users have effective admin privileges that are granted by delegation, and they will not show up in that picture.
Consider a user who is not a member of any administrative group but has permission to add members to such a group. Or that user might have permission to reset the password of just a single administrator account. That user is a de facto domain administrator, because it has the means to perform any administrative task. These accounts are sometimes called "de facto administrators", "shadow administrators" or "stealthy admins", all synonyms for the same problem.
Preempt Inspector scans the domain, starting from the actual administrative users and groups, and looks for stealthy admins. If any are found, the complete chain that allows the stealthy admin to perform an administrative task is presented, which makes the discovery process actionable.
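The chain search described above can be expressed as a graph walk. Below is an added example (not Preempt Inspector's code) over a constructed snapshot of a directory: edges record group membership and two delegated rights the text names, the right to add members to a group and the right to reset a user's password. Starting from the privileged groups, it walks the edges backwards and reports every principal that can reach a privileged group, separating direct and nested members from principals whose chain depends on a delegated right. The account and group names, the seed groups and the `MemberOf`, `AddMember` and `ResetPassword` relation labels are all assumptions made for this example.

```python
"""Find stealthy (de facto) admins in a constructed directory snapshot.

Added example, not Preempt Inspector's code. Each edge (source, relation,
target) means the source principal can act on the target: be a member of it,
add members to it, or reset its password. A principal that reaches a privileged
group only through MemberOf edges is a direct or nested admin; one whose chain
includes a delegated right is a stealthy admin.
"""
from collections import defaultdict, deque

# Constructed sample data, not a real domain.
SEED_GROUPS = {"Administrators", "Domain Admins"}

SAMPLE_EDGES = [
    ("Domain Admins", "MemberOf", "Administrators"),
    ("alice", "MemberOf", "Domain Admins"),          # ordinary domain admin
    ("Server Ops", "MemberOf", "Administrators"),    # nested group
    ("erin", "MemberOf", "Server Ops"),              # admin through nesting
    ("Helpdesk", "ResetPassword", "alice"),          # delegated right on one admin
    ("bob", "MemberOf", "Helpdesk"),                 # stealthy admin via Helpdesk
    ("carol", "AddMember", "Domain Admins"),         # stealthy admin directly
    ("dave", "MemberOf", "Sales"),                   # no path to any admin group
]


def find_admin_chains(edges, seeds):
    """Breadth-first walk backwards from the seed groups.

    Returns {principal: [(source, relation, target), ...]} where the list is
    the shortest chain from that principal to a seed group. A principal with
    several routes is reported with one (shortest) chain only.
    """
    incoming = defaultdict(list)            # target -> [(source, relation)]
    for src, rel, dst in edges:
        incoming[dst].append((src, rel))

    chains = {}
    seen = set(seeds)
    queue = deque((seed, []) for seed in seeds)
    while queue:
        node, path_to_seed = queue.popleft()
        for src, rel in incoming[node]:
            if src in seen:
                continue
            seen.add(src)
            chain = [(src, rel, node)] + path_to_seed
            chains[src] = chain
            queue.append((src, chain))
    return chains


def stealthy_admin_report(edges, seeds):
    """Split reachable principals into direct/nested admins and stealthy admins."""
    chains = find_admin_chains(edges, seeds)
    direct = {p for p, chain in chains.items()
              if all(rel == "MemberOf" for _, rel, _ in chain)}
    stealthy = {p: chain for p, chain in chains.items() if p not in direct}
    return {"direct": direct, "stealthy": stealthy}


def format_chain(chain):
    """Render a chain as 'bob -MemberOf-> Helpdesk -ResetPassword-> alice -MemberOf-> Domain Admins'."""
    text = chain[0][0]
    for _, rel, dst in chain:
        text += f" -{rel}-> {dst}"
    return text


if __name__ == "__main__":
    report = stealthy_admin_report(SAMPLE_EDGES, SEED_GROUPS)
    print("Direct or nested admins:", ", ".join(sorted(report["direct"])))
    for principal, chain in sorted(report["stealthy"].items()):
        print("Stealthy admin:", format_chain(chain))
```

Run against a real snapshot, the edge list would be built from group membership and from the ACL entries on users and groups; the walk itself stays the same, and the printed chain is exactly the remediation lead, since removing any one edge in it breaks the stealthy path.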
In addition to the old and new security assessment capabilities, we gave Preempt Inspector a new look and feel, and added social network share buttons (of course, it does not post your data!).
We believe this new addition to the App will be worth your time: eliminating the threats, once detected, will be an easy job. We recommend running the tool periodically, since Active Directory is dynamic and constantly changes.