+ 
+ 
+ 
+ 
+ 
+
+
+
This section focuses on the core security indicators.
Locate the sub-process determining the score and fix some rules in that area to get a score improvement.
Domain Risk Level: 60 / 100
+It is the maximum score of the 4 indicators and one score cannot be higher than 100. The lower the better
+Stale Object : 25 /100
+It is about operations related to user or computer objects
+3 rules matched
+Trusts : 0 /100
+It is about links between two Active Directories
+0 rules matched
+Privileged Accounts : 60 /100
+It is about administrators of the Active Directory
+4 rules matched
+Anomalies : 50 /100
+It is about specific security control points
+9 rules matched
+| Stale Objects | Privileged accounts | Trusts | Anomalies | |
|---|---|---|---|---|
Inactive user or computer | Account take over | Old trust protocol | Audit | |
Network topography | ACL Check | SID Filtering | Backup | |
Object configuration | Admin control | SIDHistory | Certificate take over | |
Obsolete OS | Control paths | Trust impermeability | Golden ticket | |
Old authentication protocols | Delegation Check | Trust inactive | Local group vulnerability | |
Provisioning | Irreversible change | Trust with Azure | Network sniffing | |
Replication | Privilege control | Pass-the-credential | ||
Vulnerability management | Read-Only Domain Controllers | Password retrieval | ||
Reconnaissance | ||||
Temporary admins | ||||
Weak password |
This section represents the maturity score (inspired from ANSSI).
This feature is reserved for customers who have purchased a license
Stale Objects : 25 /100
+It is about operations related to user or computer objects
+S-SMB-v1
+Description:The purpose is to verify if Domain Controller(s) are vulnerable to the SMB v1 vulnerability
+Technical explanation:The SMB downgrade attack is used to obtain credentials or executing commands on behalf of a user by using SMB v1 as protocol. Indeed, because SMB v1 supports old authentication protocol, the integrity can be bypassed
+Advised solution:It is highly recommended by Microsoft to disable SMB v1 whenever it is possible on both client and server side. Do note that if you are still not following best practices regarding the usage of deprecated OS (Windows 2000, 2003, XP, CE), regarding Network printer using SMBv1 scan2shares functionalities, or regarding software accessing Windows share with a custom implementation relying on SMB v1, you should consider fixing this issues before disabling SMB v1, as it will generates additional errors.
+Points:10 points if present
+Documentation:https://github.com/lgandx/Responder-Windows
+https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
+https://docs.microsoft.com/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
+[FR]ANSSI CERTFR-2017-ACT-019
+[FR]ANSSI CERTFR-2016-ACT-039
The detail can be found in Domain controllers
| Domain controller |
|---|
| WIN-GH3R6KE1P1Q |
S-ADRegistration
+Description:The purpose is to ensure that basic users cannot register extra computers in the domain
+Technical explanation:By default, a basic user can register up to 10 computers within the domain. This default configuration represents a security issue as basic users shouldn't be able to create such accounts and this task should be handled by administrators.
+Advised solution:To solve the issue limit the number of extra computers that can be registered by a basic user. It can be reduced by modifying the value of ms-DS-MachineAccountQuota to zero (0). Another solution can be to remove altogether the authenticated users group in the domain controllers policy. Do note that if you need to set delegation to an account so it can add computers to the domain, it can be done through 2 methods: Delegation in the OU or by assigning the SeMachineAccountPrivilege to a special group
+Points:10 points if present
+Documentation:https://docs.microsoft.com/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain
+http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
+http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
S-DC-SubnetMissing
+Description:The purpose is to ensure that the minimum set of subnet(s) has been configured in the domain
+Technical explanation:When multiple sites are created in a domain, networks should be declared in the domain in order to optimize processes such as DC attribution. In addition, PingCastle can collect the information to be able to build a network map. This rule has been triggered because at least one domain controller has an IP address which was not found in subnet declaration. These IP addresses have been collected by querying the DC FQDN IP address in both IPv6 and IPv4 format.
+Advised solution:Locate the IP address which was found as not being part of declared subnet then add this subnet to the "Active Directory Sites" tool. If you have found IPv6 addresses and it was not expected, you should disable the IPv6 protocol on the network card.
+Points:5 points if present
+Details:The detail can be found in Domain controllers
| Domain controller | ip |
|---|---|
| WIN-GH3R6KE1P1Q | 10.0.2.15 |
Privileged Accounts : 60 /100
+It is about administrators of the Active Directory
+P-Delegated
+Description:The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated" (and are not member of the built-in group "Protected Users" when your domain functional level is at least Windows Server 2012 R2).
+Technical explanation:Without the flag "This account is sensitive and cannot be delegated" any account can be impersonated by some service account. It is a best practice to enforce this flag on administrators accounts.
+Advised solution:To correct the situation, you should make sure that all your Administrator Accounts has the check-box "This account is sensitive and cannot be delegated" active or add your Administrator Accounts to the built-in group "Protected Users" if your domain functional level is at least Windows Server 2012 R2 (some functionalities may not work properly afterwards, you should check the official documentation). Please note that there is a section bellow in this report named "Admin Groups" which give more information.
+Points:20 points if present
+Documentation:[US]STIG V-36435 - Delegation of privileged accounts must be prohibited.
Details:The detail can be found in Admin Groups
+P-AdminLogin
+Description:The purpose is to verify if the Native Administrator account is used.
+Technical explanation:The Native Administrator account is the main administrator account, and it is sharing its password with Directory Services Restore Mode password. Since it is the same password, it can be used to take control of the domain even if the account is disabled, notably through a DSync attack. The last login date is retrieved through the LastLogonTimestamp LDAP attribute retrieved from the Active Directory. There is an exception for 35 days to avoid this rule to be triggered at the domain creation.
+Advised solution:To mitigate the security risk, a good practice is to use the Native Administrator account only for emergency, while the daily work is performed through other accounts.
+ It is indeed strongly recommended to not use this account but to use nominative account for administrators and dedicated account for services.
+ Do note that the anomaly will be removed 35 days after the last native administrator login.
+
+ To track where the administrator account has been used for the last time, we recommend to extract the attribute LastLogon of the administrator account on ALL domain controllers.
+ It can be done with tools such as ADSIEdit or ADExplorer.
+ Then, for each domain controller, extract the events 4624 at the date matching the LastLogon date. You will identify the computer and the process at the origin of the logon event.
+
+ Please note that PingCastle relies on the attribute LastLogonTimestamp to perform this check. The LastLogonTimestamp attribute is replicated but has a latency of a maximum of 14 days, while LastLogon is updated at each logon and is more accurate but not replicated.
+
20 points if the occurence is strictly lower than 35
+Documentation: +P-SchemaAdmin
+Description:The purpose is to ensure that no account can make unexpected modifications to the schema
+Technical explanation:The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema such as new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to have this group empty and to add an administrator when a schema update is required then to remove this group membership.
+Advised solution:Remove the accounts or groups belonging to the "schema administrators" group.
+Points:10 points if present
+Documentation:[US]STIG V-72835 - Membership to the Schema Admins group must be limited
+[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
The detail can be found in Admin Groups
+P-RecycleBin
+Description:The purpose is to ensure that the Recycle Bin feature is enabled
+Technical explanation:The Recycle Bin avoids immediate deletion of objects (which can still be partially recovered by its tombstone). This lowers the administration work needed to restore. It also extends the period where traces are available when an investigation is needed.
+Advised solution:First, be sure that the forest level is at least Windows 2008 R2.
+ You can check it with Get-ADForest or in the Domain Information section.
+ Then you can enable it using the powershell command:
+Enable-ADOptionalFeature -identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=mysmartlogon,DC=com' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'
10 points if present
+Documentation:https://enterinit.com/powershell-enable-active-directory-recycle-bin
Details:The detail can be found in Domain Information
+Trusts : 0 /100
+It is about links between two Active Directories
+No rule matched
+Anomalies : 50 /100
+It is about specific security control points
+A-LAPS-Not-Installed
+Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
+Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.
+Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
+Points:15 points if present
+Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
+[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
+[FR]ANSSI CERTFR-2015-ACT-046
The detail can be found in LAPS
+A-AuditDC
+Description:The purpose is to ensure that the audit policy on domain controllers collect the right set of events.
+Technical explanation:To detect and mitigate an attack, the right set of events need to be collected.
+ The audit policy is a compromise between too much and too few events to collect.
+ To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.
+
Identify the Audit settings to apply and fix them.
+ Be aware that there are two places for audit settings.
+ For "Simple" audit configuration:
+ in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
+ For "Advanced" audit configuration:
+ in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
+ Also be sure that the audit GPO is applied to all domain controllers, as the underlying object may be in a OU where the GPO is not applied.
+
10 points if present
+Documentation:https://adsecurity.org/?p=3299
Details:The detail can be found in Audit settings
+
+ The table below shows the settings that were not found as configured in GPO for a given domain controller.
| Type | Audit | Problem | Rationale | Domain controller |
|---|---|---|---|---|
| Advanced | Policy Change / Authentication Policy Change | No GPO check for audit success | Collect events 4713, 4716, 4739, 4867, to track trust modifications | WIN-GH3R6KE1P1Q |
| Advanced | Account Management / Computer Account Management | No GPO check for audit success | Collect events 4741, 4742 to track computer changes | WIN-GH3R6KE1P1Q |
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | WIN-GH3R6KE1P1Q |
| Advanced | Account Logon / Kerberos Authentication Service | No GPO check for audit success | Collect events 4768, 4771 for kerberos authentication | WIN-GH3R6KE1P1Q |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | WIN-GH3R6KE1P1Q |
| Advanced | Logon/Logoff / Logoff | No GPO check for audit success | Collect events 4634 for account logoff | WIN-GH3R6KE1P1Q |
| Advanced | Logon/Logoff / Logon | No GPO check for audit success | Collect events 4624, 4625, 4648 for account logon | WIN-GH3R6KE1P1Q |
| Advanced | Detailed Tracking / Process Creation | No GPO check for audit success | Collect event 4688 to get the history of executed programs | WIN-GH3R6KE1P1Q |
| Advanced | Account Management / Security Group Management | No GPO check for audit success | Collect events 4728, 4732, 4756 for group membership change | WIN-GH3R6KE1P1Q |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | WIN-GH3R6KE1P1Q |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | WIN-GH3R6KE1P1Q |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | WIN-GH3R6KE1P1Q |
| Advanced | Account Management / User Account Management | No GPO check for audit success | Collect events 4720,22,23,38,65,66,80,94 for user account mamangement | WIN-GH3R6KE1P1Q |
A-MinPwdLen
+Description:The purpose is to verify if the password policy of the domain enforces users to have at least 8 characters in their password
+Technical explanation:A check is performed to identify if the GPO regarding password policy allows less than 8 characters password. Short passwords represents a high risk because they can fairly easily be brute-forced. Most CERT and agencies advises for at least 8 characters (and often this number goes up to 12)
+Advised solution:To solve the issue, the best way is to either remove the GPO enabling short password, or to modify it in order to increase the password length to at least 8 characters
+Points:10 points if present
+Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
+[FR]ANSSI - Privileged group members with weak password policy (vuln2_privileged_members_password)2
The detail can be found in Password policies
| GPO |
|---|
| Default Domain Policy |
A-DC-Spooler
+Description:The purpose is to ensure that credentials cannot be extracted from the DC via its printer spooler
+Technical explanation:When there’s an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, you can get that computers credentials sent to the system with unconstrained delegation as a user. With a domain controller, the TGT of the DC can be extracted allowing an attacker to reuse it with a DCSync attack and obtain all user hashes and impersonate them.
+Advised solution:The spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
+Points:10 points if present
+Documentation:https://adsecurity.org/?p=4056
+https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
The detail can be found in Domain controllers
| Domain controller |
|---|
| WIN-GH3R6KE1P1Q |
A-NotEnoughDC
+Description:The purpose is to ensure the failure of one domain controller will not stop the domain.
+Technical explanation:A single domain controller failure can lead to a lack of availability of the domain if the number of servers is too low. To have a minimum redundancy, the number of DC should be at least 2. For Labs, this rule can be ignored and you can add this rule into the exception list.
+Advised solution:Increase the number of domain controllers by installing new ones.
+Points:5 points if the occurence is strictly lower than 2
+Documentation:Details:The detail can be found in Domain controllers
+A-NoServicePolicy
+Description:The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ characters password for this account greatly helps reducing the risk behind Kerberoast attack (offline crack of the TGS tickets)
+Note: PSO (Password Settings Objects) will be visible only if the user which collected the information has the permission to view it.
The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ characters password for the Service Account.
+Advised solution: The recommended way to handle service accounts is to use "Managed service accounts" introduced since Windows 2008 R2 (search for "msDS-ManagedServiceAccount").
+To solve the anomaly, you should implement a PSO or GPO password guarantying a 20+ length password.
Informative rule (0 point)
+Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
Details:The detail can be found in Password Policies
+A-NoGPOLLMNR
+Description:The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack
+Technical explanation:LLMNR is a protocol which translates names such as foo.bar.com into an ip address. LLMNR has been designed to translate name locally in case the default protocol DNS is not available.
+ Regarding Active Directory, DNS is mandatory which makes LLMNR useless.
+ LLMNR exploits typo mistakes or faster response time to redirect users to a specially designed share, server or website.
+ Being trusted, this service will trigger the single sign on procedure which can be abused to retrieve the user credentials.
+
+ LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903 where it is disabled.
+
Enable the GPO Turn off multicast name resolution and check that no GPO override this setting.
+ (if it is the case, the policy involved will be displayed below)
Informative rule (0 point)
+Documentation:Details:The detail can be found in Security settings
+A-NoNetSessionHardening
+Description:The purpose is to ensure that mitigations are in place against the Bloodhound tool
+Technical explanation:By default, Windows computers allow any authenticated user to enumerate network sessions to it.
+This means an attacker could enumerate network sessions to a file share hosting home directories or a Domain Controller to see who’s connected to SYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.
+Bloodhound uses this capability extensively to map out credentials in the network.
+
+Disabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).
If this mitigation is not part of the computer image, apply the following recommandations:
+Run the NetCease PowerShell script (referenced below) on a reference workstation.
+Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit .
+In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
+Right-click the Registry node, point to New, and select Registry Wizard.
+Select the reference workstation on which the desired registry settings exist, then click Next .
+Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
+and select the check box for “SrvsvcSessionInfo” from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
+Click Finish.
+The settings that you selected appear as preference items in the Registry Wizard Values collection
Informative rule (0 point)
+Documentation:https://github.com/p0w3rsh3ll/NetCease
+https://adsecurity.org/?p=3299
The detail can be found in Security settings
+A-AuditPowershell
+Description:The purpose is to ensure that Powershell logging is enabled.
+Technical explanation:Powershell is a powerful language, also used by hackers because of this quality. Hackers are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke-Mimikatz.
+ Because there is no artefact on the disk, the incident response task is difficult for the forensic analysts.
+ For this reason, we recommend to enable Powershell logging via a group policy, despite the fact that these security settings may be part of the workstation or server images.
+
Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
+And enable "Turn on Module logging" and "Turn on Powershell Script Block logging"
+We recommend to set "*" as the module list.
+
Informative rule (0 point)
+Documentation:https://adsecurity.org/?p=2604
+https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
+[US]STIG V-68819 - PowerShell script block logging must be enabled
The detail can be found in Security settings
+This section shows the main technical characteristics of the domain.
| Domain | Netbios Name | Domain Functional Level | Forest Functional Level | Creation date | DC count | Schema version | Recycle Bin enabled |
|---|---|---|---|---|---|---|---|
| test.domain.com | TEST | Windows Server 2012 R2 | Windows Server 2012 R2 | 2021-08-04 19:42:19Z | 1 | Windows Server 2012 R2 | FALSE |
This section gives information about the user accounts stored in the Active Directory
| Nb User Accounts | Nb Enabled ? | Nb Disabled ? | Nb Active ? | Nb Inactive ? | Nb Locked ? | Nb pwd never Expire ? | Nb SidHistory ? | Nb Bad PrimaryGroup ? | Nb Password not Req. ? | Nb Des enabled. ? | Nb unconstrained delegations ? | Nb Reversible password ? |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
This feature is reserved for customers who have purchased a license
This section gives information about the computer accounts stored in the Active Directory
| Nb Computer Accounts | Nb Enabled ? | Nb Disabled ? | Nb Active ? | Nb Inactive ? | Nb SidHistory ? | Nb Bad PrimaryGroup ? | Nb unconstrained delegations ? | Nb Reversible password ? |
|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| WIN-GH3R6KE1P1Q$ | 2021-08-04 19:43:56Z | 2021-08-04 12:44:37Z | CN=WIN-GH3R6KE1P1Q,OU=Domain Controllers,DC=test,DC=testuser,DC=com |
| Operating System | Nb OS | Nb Enabled ? | Nb Disabled ? | Nb Active ? | Nb Inactive ? | Nb SidHistory ? | Nb Bad PrimaryGroup ? | Nb unconstrained delegations ? | Nb Reversible password ? |
|---|---|---|---|---|---|---|---|---|---|
| Windows 2012 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
Here is a specific zoom related to the Active Directory servers: the domain controllers.
| Domain controller | Operating System | Creation Date ? | Startup Time | Uptime | Owner ? | Null sessions ? | SMB v1 ? | Remote spooler ? | FSMO role ? |
|---|---|---|---|---|---|---|---|---|---|
| WIN-GH3R6KE1P1Q | Windows 2012 | 2021-08-04 19:43:56Z | 2021-08-04 05:36:41Z | 0 days | TEST\Domain Admins | NO | YES | YES | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master |
This section is focused on the groups which are critical for admin activities. If the report has been saved which the full details, each group can be zoomed with its members. If it is not the case, for privacy reasons, only general statictics are available.
| Group Name | Nb Admins ? | Nb Enabled ? | Nb Disabled ? | Nb Inactive ? | Nb PWd never expire ? | Nb Smart Card required ? | Nb Service accounts ? | Nb can be delegated ? | Nb external users ? | Nb protected users ? |
|---|---|---|---|---|---|---|---|---|---|---|
| Account Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Administrators | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
| Backup Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Publishers | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Dns Admins | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Domain Administrators | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
| Enterprise Administrators | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
| Print Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Replicator | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Schema Administrators | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
| Server Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| SamAccountName ? | Enabled ? | Active ? | Pwd never Expired ? | Locked ? | Smart Card required ? | Service account ? | Flag Cannot be delegated present ? | Creation date ? | Last login ? | Password last set ? | In Protected Users ? | Distinguished name ? |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Administrator | YES | YES | NO | NO | NO | NO | NO | 2021-08-04 19:42:31Z | 2021-08-04 12:49:50Z | 2021-08-04 11:20:33Z | NO | CN=Administrator,CN=Users,DC=test,DC=testuser,DC=com |
This feature is reserved for customers who have purchased a license
Each specific rights defined for Organizational Unit (OU) are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| DC=test | TEST\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL |
| CN=MicrosoftDNS,CN=System | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=MicrosoftDNS,CN=System | TEST\DnsAdmins | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=RAS and IAS Servers Access Check,CN=System | TEST\RAS and IAS Servers | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=WMIPolicy,CN=System | TEST\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| CN=SOM,CN=WMIPolicy,CN=System | TEST\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
This section focuses on permissions issues that can be exploited to take control of the domain.
This is an advanced section that should be examined after having looked at the Admin Groups section.
This analysis focuses on accounts found in control path and located in other domains.
No operative link with other domains has been found.
This part tries to summarize in a single table if major issues have been found.
Focus on finding critical objects such as the Everyone group then try to decrease the number of objects having indirect access.
The detail is displayed below.
| Priority to remediate ? | Critical Object Found ? | Number of objects with Indirect ? | Max number of indirect numbers ? | Max ratio ? |
|---|---|---|---|---|
| Critical | NO | 0 | 0 | 0 |
| High | NO | 0 | 0 | 0 |
| Medium | NO | 0 | 0 | 0 |
| Other | NO | 0 | 0 | 0 |
If the report has been saved which the full details, each object can be zoomed with its full detail. If it is not the case, for privacy reasons, only general statictics are available.
| Group or user account ? | Priority ? | Number of users member of the group ? | Number of computer member of the group ? | Number of object having indirect control ? | Number of unresolved members (removed?) ? | Link with other domains | Detail |
|---|---|---|---|---|---|---|---|
| Account Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
| Administrator | Critical | 0 | 0 | None | Analysis | ||
| Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Backup Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Publishers | Other | 0 | 0 | 0 | 0 | None | Analysis |
| Dns Admins | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Domain Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Enterprise Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Print Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Replicator | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Schema Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Server Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
If the report has been saved which the full details, each object can be zoomed with its full detail. If it is not the case, for privacy reasons, only general statictics are available.
| Group or user account ? | Priority ? | Number of users member of the group ? | Number of computer member of the group ? | Number of object having indirect control ? | Number of unresolved members (removed?) ? | Link with other domains | Detail |
|---|---|---|---|---|---|---|---|
| Builtin OU | Medium | 0 | 0 | None | Analysis | ||
| Computers container | Medium | 0 | 0 | None | Analysis | ||
| Domain Controllers | Critical | 0 | 1 (Details) | 0 | 0 | None | Analysis |
| Domain Root | Medium | 0 | 0 | None | Analysis | ||
| Enterprise Read Only Domain Controllers | Other | 0 | 0 | 0 | 0 | None | Analysis |
| Group Policy Creator Owners | Medium | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Krbtgt account | Medium | 0 | 0 | None | Analysis | ||
| Read Only Domain Controllers | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Users container | Medium | 0 | 0 | None | Analysis |
This section focuses on the relations that this domain has with other domains
This part displays the direct links that this domain has with other domains.
| Trust Partner | Type | Attribut | Direction ? | SID Filtering active ? | TGT Delegation ? | Creation ? | Is Active ? ? |
|---|
These are the domains that PingCastle was able to detect but which is not releated to direct trusts. It may be children of a forest or bastions.
| Reachable domain | Discovered using | Netbios | Creation date |
|---|
This section focuses on security checks specific to the Active Directory environment.
The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).
+Last backup date: Never
+LAPS is used to have a unique local administrator password on all workstations / servers of the domain. +Then this password is changed at a fixed interval. The risk is when a local administrator hash is retrieved and used on other workstation in a pass-the-hash attack.
+Mitigation: having a process when a new workstation is created or install LAPS and apply it through a GPO
+LAPS installation date: Never
+Windows Event Forwarding is a native mechanism used to collect logs on all workstations / servers of the domain. +Microsoft recommends to Use Windows Event Forwarding to help with intrusion detection +Here is the list of servers configured for WEF found in GPO
+Number of WEF configuration found: 0
+The account password for the krbtgt account should be rotated twice yearly at a minimum. More frequent password rotations are recommended, with 40 days the current recommendation by ANSSI. Additional rotations based on external events, such as departure of an employee who had privileged network access, are also strongly recommended.
+You can perform this action using this script
+You can use the version gathered using replication metadata from two reports to guess the frequency of the password change or if the two consecutive resets has been done. Version starts at 1.
+Kerberos password last changed: 2021-08-04 12:43:57Z +version: 2 +
+This control detects accounts which are former 'unofficial' admins. +Indeed when an account belongs to a privileged group, the attribute admincount is set. If the attribute is set without being an official member, this is suspicious. To suppress this warning, the attribute admincount of these accounts should be removed after review.
+Number of accounts to review: 0
+This control detects if one of the attributes userPassword or unixUserPassword has been set on accounts. +Indeed, these attributes are designed to store encrypted secrets for unix (or mainframe) interconnection. However in the large majority, interconnected systems are poorly designed and the user password is stored in these attributes in clear text or poorly encrypted. +The userPassword attribute is also used in classic LDAP systems to change the user password by setting its value. But, with Active Directory, it is considered by default as a normal attribute and doesn't trigger a password but shows instead the password in clear text. +
+Number of accounts to review: 0
+You can check here backdoors or typo error in the scriptPath attribute
| Script Name | Count |
|---|---|
| None | 1 |
This detects trusted certificate which can be used in man in the middle attacks or which can issue smart card logon certificates
+Number of trusted certificates: 0 +
| Source | Store | Subject | Issuer | NotBefore | NotAfter | Module size | Signature Alg | SC Logon |
|---|
This section display advanced information, if any has been found
Note: PSO (Password Settings Objects) will be visible only if the user which collected the information has the permission to view it.
PSO shown in the report will be prefixed by "PSO:"
| Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account counter locker after |
|---|---|---|---|---|---|---|---|---|---|
| Default Domain Policy ? | True | 42 day(s) | 1 day(s) | 7 | 24 | False | 0 | Not Set | Not Set |
This is the settings related to screensavers stored in Group Policies. Each non compliant setting is written in red.
| Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds) |
|---|
This section focuses on security settings stored in the Active Directory technical security policies.
The password in GPO are obfuscated, not encrypted. Consider any passwords listed here as compromised and change it immediatly.
Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.
A GPO can be used to deploy security settings to workstations.
The best practice out of the default security baseline is reported in green.
The following settings in red are unsual and may need to be reviewed.
Each setting is accompagnied which its value and a link to the GPO explanation.
| Policy Name | Setting | Value |
|---|
Audit settings allow the system to generate logs which are useful to detect intrusions. Here are the settings found in GPO.
Simple audit events are described here and Advanced audit events are described here
You can get a list of all audit settings with the command line: auditpol.exe /get /category:* (source)
Simple audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy. Simple audit settings are named [Simple Audit].
Advanced audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Policy Configuration. There category is displayed below.
| Policy Name | Category | Setting | Value |
|---|
Giving privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPriviledge give the right to act as SYSTEM, which has more privileges than the administrator account.
| GPO Name | Privilege | Members |
|---|---|---|
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | NT AUTHORITY\NETWORK SERVICE |
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | NT AUTHORITY\LOCAL SERVICE |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeBackupPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeDebugPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeLoadDriverPrivilege | BUILTIN\Print Operators |
| Default Domain Controllers Policy ? | SeLoadDriverPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Authenticated Users |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | Administrators |
| Default Domain Controllers Policy ? | SeSecurityPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeTakeOwnershipPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeEnableDelegationPrivilege | Administrators |
Login authorization and restriction can be set by GPO. Indeed, by default, everyone is allowed to login on every computer except domain controllers. Defining login restriction is a way to have different isolated tiers. Here are the settings found in GPO.
| GPO Name | Privilege | Members |
|---|---|---|
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\Performance Log Users |
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Log on as a batch job ? | Administrators |
| Default Domain Controllers Policy ? | Allow log on locally ? | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Print Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Account Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | Administrators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | BUILTIN\Pre-Windows 2000 Compatible Access |
| Default Domain Controllers Policy ? | Access this computer from the network ? | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Authenticated Users |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Administrators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Everyone |
A GPO login script is a way to force the execution of data on behalf of users. Only enabled users are analyzed.
A GPO can be used to deploy applications or copy files. These files may be controlled by a third party to control the execution of local programs.