Name | Description | Severity |
---|---|---|
WSUS Dangerous Misconfigurations | Lists the misconfigured parameters related to Windows Server Update Services (WSUS). | critical |
Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS). | medium |
Detection of Password Weaknesses | Checks for weaknesses in passwords that may increase the exposure of Active Directory accounts. | high |
Insufficient Hardening Against Ransomware | Ensures that the domain has implemented hardening measures to protect against ransomware. | medium |
ADCS Dangerous Misconfigurations | Lists dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI). | critical |
GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
Logon Restrictions for Privileged Users | Checks for privileged users who can log on to less privileged machines, which creates a risk of credential theft. | high |
Unsecured Configuration of Netlogon Protocol | CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege. | critical |
Vulnerable Credential Roaming Related Attributes | Credential roaming attributes are vulnerable, making the related users' protected secrets readable by an attacker. | low |
Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
Dangerous Sensitive Privileges | Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure. | high |
Mapped Certificates on Accounts | Ensures that privileged objects do not have any mapped certificate assigned to them. | critical |
Domain Without Computer-Hardening GPOs | Checks that hardening GPOs have been deployed on the domain. | medium |
Protected Users Group Not Used | Identifies privileged users who are not members of the Protected Users group. | high |
Account with Possible Empty Password | Identifies user accounts that allow empty passwords. | high |
Users Allowed to Join Computers to the Domain | Verifies that regular users cannot join external computers to the domain. | medium |
Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
Dangerous Rights in the AD Schema | Lists schema entries considered anomalous that could potentially offer a means of persistence. | high |
User Account Using Old Password | Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk. | medium |
Verify Permissions Related to Microsoft Entra Connect Accounts | Ensures that the permissions set on Microsoft Entra Connect accounts are sane. | critical |
Domain Controllers Managed by Illegitimate Users | Some domain controllers can be managed by non-administrative users because of dangerous access rights. | critical |
Application of Weak Password Policies on Users | Some password policies applied to specific user accounts are not strong enough and can lead to credential theft. | critical |
Verify Sensitive GPO Objects and Files Permissions | Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure. | critical |
Domain with Unsafe Backward-Compatibility Configuration | The dsHeuristics attribute can modify AD behavior, but some of its fields are security-sensitive and pose a security risk. | low |
Domains with an Outdated Functional Level | Checks that the domain or forest functional level is correct, since it determines the availability of advanced features and security options. | medium |
Local Administrative Account Management | Ensures the secure and central management of local administrative accounts using LAPS. | medium |
Kerberos Configuration on User Account | Detects accounts that use weak Kerberos configuration. | medium |
Root Objects Permissions Allowing DCSync-Like Attacks | Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials. | critical |
Accounts Using a Pre-Windows 2000 Compatible Access Control | Checks for account members of the Pre-Windows 2000 Compatible Access group which can bypass security measures. | high |
Disabled Accounts in Privileged Groups | Accounts that are not used anymore should not stay in privileged groups. | low |
Computers Running an Obsolete OS | Identifies obsolete systems that Microsoft no longer supports and which increase the infrastructure's vulnerability. | high |
Accounts With a Dangerous SID History Attribute | Checks for user or computer accounts that carry a privileged SID in the SID history attribute. | high |
Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
Recent Use of the Default Administrator Account | Checks for recent uses of the built-in administrator account. | medium |
User Primary Group | Verifies that users' primary group has not been changed. | critical |
Dangerous Kerberos Delegation | Checks for unauthorized Kerberos delegation, and ensures protection for privileged users against it. | critical |
Reversible Passwords | Verifies that the option to store passwords in a reversible format is not enabled. | medium |
Reversible Passwords in GPO | Checks that GPO preferences do not allow passwords in a reversible format. | medium |
Ensure SDProp Consistency | Checks that the adminSDHolder object is in a clean state. | critical |
Last Password Change on KRBTGT Account | Checks for KRBTGT accounts whose password has not been changed for more than the recommended interval. | high |
Native Administrative Group Members | Identifies abnormal accounts in the native administrative groups of Active Directory. | critical |
Privileged Accounts Running Kerberos Services | Detects highly privileged accounts with the Service Principal Name (SPN) attribute which affects their security. | critical |
AdminCount Attribute Set on Standard Users | Checks for the adminCount attribute on decommissioned accounts leading to permission issues that are difficult to manage. | medium |
Dormant Accounts | Detects unused dormant accounts that can lead to security risks. | medium |
Dangerous Trust Relationships | Identifies misconfigured trust relationship attributes that decrease the security of a directory infrastructure. | high |
Accounts With Never Expiring Passwords | Checks for accounts with the DONT_EXPIRE_PASSWORD property flag in the userAccountControl attribute that allows indefinite use of the same password, bypassing password renewal policies. | medium |
Unlinked, Disabled or Orphan GPO | Unused or disabled GPOs slow directory performance and RSoP computation, and can lead to security policy confusion. Reactivating them by mistake can weaken existing policies. | low |
High Number of Administrators | Administrators have elevated privileges, and a high number of them poses a security risk because it increases the attack surface. It is also a sign that the least-privilege principle is not respected. | high |
Missing MFA for Privileged Account | MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend enabling MFA, especially for privileged accounts. Accounts without a registered MFA method cannot benefit from it. | high |
Privileged Entra Account Synchronized With AD (Hybrid) | Hybrid accounts, i.e. accounts synchronized from Active Directory, that hold privileged roles in Entra ID pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts. | high |