Giving Active Directory The FingerGiving Active Directory The Finger

Do you know who has permission to reset passwords, create accounts, and elevate permissions in your organization? Sanjay Tandon, a former Microsoft program manager of Active Directory, bets the answer will surprise -- and dismay -- your security and compliance officers.Tandon's startup, Paramount Defenses, recently launched a new software product, called Gold Finger, to help IT identify users and administrators with excessive access and permissions rights.

When high-level administrators delegate operations such as password resets and account creation to lower-level employees, it's easy to lose track of who has permission to do what, particularly in large organizations.

The result is hundreds or thousands of potential paths for a malicious user, whether internal or external, to escalate their privileges. Attackers could use these privileges to steal or alter information, compromise other systems and cover their tracks.

The software analyzes the accounts inside Active Directory and provides reports based on administrator-defined parameters.

"Let's say you want to find out how many people can reset Bill Gates'' password," says Tandon. "You deploy [Gold Finger] on any computer, and point it to the account. Press one button and it will do everything under the hood and say 'Here's Bill Gate's account, here's the tasks that can be performed on the account, and it will show a list of all the people authorized to perform actions on that account.'"

As you'd expect with a 1.0 product, there are some key pieces missing. First is a workflow. Presumably if IT finds permission levels it wants to change, it would help if the product could issue tickets, or tie into a ticketing system, and verify that the changes have been made. So far, it's still a manual process.

Also, the product shares some of the drawbacks of a vulnerability assessment system. For instance, assessments only enumerate access permissions at the time of analysis. But permissions are changed and new accounts granted as part of the daily business of an enterprise, which affects the relevance of the assessment over time. There's also the possibility to overwhelm users with a mountain of results that need to be sifted through.

Tandon is aware of these issues. He says several potential customers have tested the product and requested a list of desired features.

Gold Finger launched in September 2007. Tandon has yet to land his first customer, but says he is close to signing several big names in high tech, finance and the government. Karen Worstell, Microsoft's former CISO, is a member of Paramount's advisory board.

Paramount Defenses is self-funded. Tandon is exploring options with several venture capital firms, but he declined to name them.

The potential for the product is stunning. Active Directory's market share means an almost unlimited customer base, especially among large organizations. In addition, managing authorization and access control is a security best practice as well as a requirement of many regulations. This looks like a company to keep an eye on.