Name | Description | Severity |
---|---|---|
Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS). | medium |
Detection of Password Weaknesses | Checks for password weaknesses that may increase the exposure of Active Directory accounts. | high |
Insufficient hardening against ransomware | Ensures that hardening measures against ransomware have been deployed on the domain. | medium |
ADCS Dangerous Misconfigurations | Lists dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI). | critical |
GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
Logon Restrictions for Privileged Users | Checks for privileged users who can connect to less privileged machines, creating a risk of credential theft. | high |
Unsecured configuration of Netlogon protocol | CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege. | critical |
Vulnerable credential roaming related attributes | Credential roaming attributes are vulnerable, making the related user-protected secrets readable by an attacker. | low |
Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
Dangerous sensitive privileges | Misconfigured sensitive privilege rights decrease the security of a directory infrastructure. | high |
Mapped certificates on accounts | Ensures that no mapped certificate is set on privileged objects. | critical |
Domain without computer-hardening GPOs | Checks that hardening GPOs have been deployed on the domain. | medium |
Protected Users group not used | Some privileged users are not members of the Protected Users group. | high |
Account that might have an empty password | Checks for the absence of user accounts whose password could be empty. | high |
Users allowed to join computers to the domain | Verifies that regular users cannot join external computers to the domain. | medium |
Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
Dangerous rights in AD's schema | Lists the abnormal entries in the schema that can provide a persistence mechanism. | high |
User account using old password | User account passwords must be changed regularly. | medium |
Verify Permissions Related to AAD Connect Accounts | Ensures that the permissions set on AAD Connect accounts are sane. | critical |
Domain controllers managed by illegitimate users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
Weak password policies are applied on users | Some password policies applied to specific user accounts are not strong enough and can lead to credential theft. | critical |
Verify sensitive GPO objects and files permissions | Ensures that the permissions set on the GPO objects and files linked to sensitive containers (such as the Domain Controllers OU) are sane. | critical |
Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify AD behavior and can have security impacts. | low |
Domains have an outdated functional level | A low functional level prevents the use of advanced functionalities or improvements. | medium |
Local administrative account management | Ensures that local administrative accounts are managed centrally and securely using LAPS. | medium |
Kerberos configuration on user account | Some accounts use a weak Kerberos configuration. | medium |
Root objects permissions allowing DCSync-like attacks | The permissions set on root objects could allow illegitimate users to steal authentication secrets. | critical |
Accounts using a Pre-Windows 2000 Compatible Access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures. | high |
Disabled accounts in privileged groups | Accounts that are no longer used should not remain in privileged groups. | low |
Computers running an obsolete OS | Obsolete systems are no longer supported by the vendor and greatly increase the infrastructure's vulnerability. | high |
Accounts having a dangerous SID History attribute | Checks for user or computer accounts using a privileged SID in the SID History attribute. | high |
Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
Recent use of the default administrator account | The built-in administrator account has been used recently. | medium |
User Primary Group | Verifies that users' primary group has not been changed. | critical |
Dangerous Kerberos delegation | Checks that no dangerous Kerberos delegation (unconstrained, protocol transition, etc.) is authorized, and that privileged users are protected against such delegation. | critical |
Reversible Passwords | Verifies that the option to store passwords in a reversible format is not enabled. | medium |
Reversible passwords in GPO | Verifies that no GPO contains passwords stored in a reversible format. | medium |
Ensure SDProp consistency | Controls that the adminSDHolder object is in a clean state. | critical |
KDC password last change | The KDC account password must be changed regularly. | high |
Native administrative group members | Abnormal accounts in the native administrative groups of Active Directory. | critical |
Privileged accounts running Kerberos services | Lists highly privileged, brute-forceable accounts with a Service Principal Name. | critical |
AdminCount attribute set on standard users | Some decommissioned administrative accounts are not globally manageable. | medium |
Sleeping accounts | Unused sleeping accounts are still enabled. | medium |
Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of a directory infrastructure. | high |
Accounts with never expiring passwords | Accounts with the DONT_EXPIRE property are not affected by the password renewal policy. | medium |
Unlinked, disabled or orphan GPO | Having unlinked, disabled or orphan GPOs can lead to administrative errors. | low |