Indicators of Exposure

| Name | Description | Severity |
| --- | --- | --- |
| Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism has replaced the "File Replication Service" (FRS). | medium |
| Detection of Password Weaknesses | Checks for weaknesses in passwords that may increase the exposure of Active Directory accounts. | high |
| Insufficient hardening against ransomware | Ensures hardening measures against ransomware have been deployed on the domain. | medium |
| ADCS Dangerous Misconfigurations | Lists dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI). | critical |
| GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
| Logon Restrictions for Privileged Users | Checks for privileged users who can log on to less privileged machines, creating a risk of credential theft. | high |
| Unsecured configuration of Netlogon protocol | CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege. | critical |
| Vulnerable credential roaming related attributes | Credential roaming attributes are vulnerable, making the related user-protected secrets readable by an attacker. | low |
| Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
| Dangerous sensitive privileges | Misconfigured sensitive privilege rights decrease the security of a directory infrastructure. | high |
| Mapped certificates on accounts | Ensures that no mapped certificate is set on privileged objects. | critical |
| Domain without computer-hardening GPOs | Checks that hardening GPOs have been deployed on the domain. | medium |
| Protected Users group not used | Some privileged users are not members of the Protected Users group. | high |
| Account that might have an empty password | Checks for the absence of user accounts whose password could be empty. | high |
| Users allowed to join computers to the domain | Verifies that regular users cannot join external computers to the domain. | medium |
| Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
| Dangerous rights in AD's schema | Lists the abnormal entries in the schema that can provide a persistence mechanism. | high |
| User account using old password | User account passwords must be changed regularly. | medium |
| Verify Permissions Related to AAD Connect Accounts | Ensures the permissions set on AAD Connect accounts are sane. | critical |
| Domain controllers managed by illegitimate users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
| Weak password policies are applied on users | Some password policies applied to specific user accounts are not strong enough and can lead to credential theft. | critical |
| Verify sensitive GPO objects and files permissions | Ensures the permissions set on the GPO objects and files linked to sensitive containers (such as the Domain Controllers OU) are sane. | critical |
| Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify AD behavior and have security impacts. | low |
| Domains have an outdated functional level | A low functional level prevents the use of advanced functionalities or improvements. | medium |
| Local administrative account management | Ensures local administrative accounts are managed centrally and securely using LAPS. | medium |
| Kerberos configuration on user account | Some accounts are using a weak Kerberos configuration. | medium |
| Root objects permissions allowing DCSync-like attacks | The permissions set on root objects could allow illegitimate users to steal authentication secrets. | critical |
| Accounts using a Pre-Windows 2000 Compatible Access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures. | high |
| Disabled accounts in privileged groups | Accounts that are no longer used should not remain in privileged groups. | low |
| Computers running an obsolete OS | Obsolete systems are no longer supported by the vendor and greatly increase the infrastructure's vulnerability. | high |
| Accounts having a dangerous SID History attribute | Checks for user or computer accounts using a privileged SID in the SID History attribute. | high |
| Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
| Recent use of the default administrator account | The built-in administrator account has been used recently. | medium |
| User Primary Group | Verifies that users' Primary Group has not been changed. | critical |
| Dangerous Kerberos delegation | Checks that no dangerous Kerberos delegation (unconstrained, protocol transition, etc.) is authorized, and that privileged users are protected against such delegation. | critical |
| Reversible Passwords | Verifies that the option to store passwords in a reversible format is not enabled. | medium |
| Reversible passwords in GPO | Verifies that no GPO contains passwords stored in a reversible format. | medium |
| Ensure SDProp consistency | Controls that the adminSDHolder object is in a clean state. | critical |
| KDC password last change | The KDC account password must be changed regularly. | high |
| Native administrative group members | Abnormal accounts in the native administrative groups of Active Directory. | critical |
| Privileged accounts running Kerberos services | Lists highly privileged, brute-forceable accounts with a Service Principal Name. | critical |
| AdminCount attribute set on standard users | Some decommissioned administrative accounts are not globally manageable. | medium |
| Sleeping accounts | Unused sleeping accounts are still enabled. | medium |
| Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of a directory infrastructure. | high |
| Accounts with never expiring passwords | Accounts with the DONT_EXPIRE property are not affected by the password renewal policy. | medium |
| Unlinked, disabled or orphan GPO | Having unlinked, disabled or orphan GPOs can lead to administrative errors. | low |