This section focuses on the core security indicators.
Locate the sub-process determining the score and fix some rules in that area to get a score improvement.
Domain Risk Level: 65 / 100
It is the maximum score of the 4 indicators; a single score cannot be higher than 100. The lower, the better.
Stale Object : 15 /100
It is about operations related to user or computer objects
2 rules matched
Trusts : 0 /100
It is about links between two Active Directories
0 rules matched
Privileged Accounts : 65 /100
It is about administrators of the Active Directory
5 rules matched
Anomalies : 50 /100
It is about specific security control points
8 rules matched
Stale Objects | Privileged accounts | Trusts | Anomalies |
---|---|---|---|
Inactive user or computer | Account take over | Old trust protocol | Audit |
Network topography | ACL Check | SID Filtering | Backup |
Object configuration | Admin control | SIDHistory | Certificate take over |
Obsolete OS | Irreversible change | Trust impermeability | Golden ticket |
Old authentication protocols | Privilege control | Trust inactive | Local group vulnerability |
Provisioning | Network sniffing | | |
Replication | Pass-the-credential | | |
Vulnerability management | Password retrieval | | |
| Reconnaissance | | |
| Temporary admins | | |
| Weak password | | |
Stale Objects : 15 /100
It is about operations related to user or computer objects
The purpose is to ensure that basic users cannot register extra computers in the domain
Technical explanation: By default, a basic user can register up to 10 computers within the domain. This default configuration is a security issue, as basic users shouldn't be able to create such accounts; this task should be handled by administrators.
Advised solution: To solve the issue, limit the number of extra computers that can be registered by a basic user. It can be reduced by setting the value of ms-DS-MachineAccountQuota to zero (0). Another solution is to remove the Authenticated Users group altogether from the SeMachineAccountPrivilege assignment in the domain controllers policy. Do note that if you need to delegate to an account the ability to add computers to the domain, it can be done through 2 methods: delegation on the OU, or by assigning the SeMachineAccountPrivilege to a special group.
Points: 10 points if present
Documentation: http://support.microsoft.com/?id=243327
http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
The purpose is to ensure that the minimum set of subnet(s) has been configured in the domain
Technical explanation: When multiple sites are created in a domain, networks should be declared in the domain in order to optimize processes such as DC attribution. In addition, PingCastle can collect this information to build a network map. This rule has been triggered because at least one domain controller has an IP address which was not found in the subnet declarations. These IP addresses have been collected by resolving the DC FQDN in both IPv6 and IPv4 format.
Advised solution: Locate the IP address which was found as not being part of a declared subnet, then add this subnet in the "Active Directory Sites" tool. If you have found IPv6 addresses and it was not expected, you should disable the IPv6 protocol on the network card.
Points: 5 points if present
Details: The detail can be found in Domain controllers
Domain controller | ip |
---|---|
WIN-TSR583VNC42 | 10.0.2.15 |
Privileged Accounts : 65 /100
It is about administrators of the Active Directory
The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated"
Technical explanation: Without the flag "This account is sensitive and cannot be delegated", any account can be impersonated by some service account. It is a best practice to enforce this flag on administrator accounts.
Advised solution: To correct the situation, you should make sure that all your Administrator Accounts have the check-box "This account is sensitive and cannot be delegated" active. Please note that there is a section below in this report named "Admin Groups" which gives more information.
Points: 20 points if present
Documentation: STIG V-36435 - Delegation of privileged accounts must be prohibited.
Details: The detail can be found in Admin Groups
The purpose is to verify if the Native Administrator account is used.
Technical explanation: The Native Administrator account is the main administrator account, and it shares its password with the Directory Services Restore Mode password. Since it is the same password, it can be used to take control of the domain even if the account is disabled, notably through a DCSync attack. The last login date is retrieved through the LastLogonTimestamp LDAP attribute retrieved from the Active Directory. There is an exception for 35 days to avoid this rule being triggered at domain creation.
Advised solution: To mitigate the security risk, a good practice is to use the Native Administrator account only for emergencies, while the daily work is performed through other accounts.
It is indeed strongly recommended not to use this account but to use nominative accounts for administrators and dedicated accounts for services.
Do note that the anomaly will be removed 35 days after the last native administrator login.
To track where the administrator account has been used for the last time, we recommend extracting the attribute LastLogon of the administrator account on ALL domain controllers.
It can be done with tools such as ADSIEdit or ADExplorer.
Then, for each domain controller, extract the 4624 events at the date matching the LastLogon date. You will identify the computer and the process at the origin of the logon event.
Please note that PingCastle relies on the attribute LastLogonTimestamp to perform this check. The LastLogonTimestamp attribute is replicated but has a latency of at most 14 days, while LastLogon is updated at each logon and is more accurate, but not replicated.
Points: 20 points if the occurrence is strictly lower than 35
The purpose is to ensure that no account can make unexpected modifications to the schema
Technical explanation: The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema, such as adding new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to keep this group empty, to add an administrator when a schema update is required, and then to remove this group membership.
Advised solution: Remove the accounts or groups belonging to the "Schema Admins" group.
Points: 10 points if present
Documentation: STIG V-72835 - Membership to the Schema Admins group must be limited
ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
Details: The detail can be found in Admin Groups
The purpose is to ensure that the Recycle Bin feature is enabled
Technical explanation: The Recycle Bin avoids the immediate deletion of objects (which otherwise can only be partially recovered from their tombstone). This lowers the administration work needed to restore them. It also extends the period during which traces are available when an investigation is needed.
Advised solution: First, be sure that the forest functional level is at least Windows 2008 R2.
You can check it with Get-ADForest or in the Domain Information section.
Then you can enable it using the PowerShell command:
Enable-ADOptionalFeature -identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=mysmartlogon,DC=com' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'
Points: 10 points if present
Details: The detail can be found in Domain Information
The purpose is to ensure that no specific delegation has been setup to manage the Microsoft DNS.
Technical explanation: Administrators of the DNS service have the ability to inject a DLL into this service.
However, this service is most of the time hosted on the domain controller and runs as SYSTEM.
That means that DNS admins are potentially domain admins.
The security descriptor used to grant admin rights is located in the nTSecurityDescriptor attribute of the object CN=MicrosoftDNS,CN=System.
In this case, an explicit delegation has been set up and this delegation is not using the existing DnsAdmins group.
Advised solution: You should remove the explicit delegation located in the CN=MicrosoftDNS,CN=System container and make the user or group a member of the DnsAdmins group.
Points: 5 points if present
Documentation: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-2955-46dd-a59e-f83ae88f4678
Details: The detail can be found in Delegations
Account | Right |
---|---|
AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
Trusts : 0 /100
It is about links between two Active Directories
No rule matched
Anomalies : 50 /100
It is about specific security control points
The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation: LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to cover most of the subject.
Advised solution: If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points: 15 points if present
Documentation: https://www.microsoft.com/en-us/download/details.aspx?id=46899
ANSSI CERTFR-2015-ACT-046
STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
Details: The detail can be found in LAPS
The purpose is to ensure that the audit policy on domain controllers collects the right set of events.
Technical explanation: To detect and mitigate an attack, the right set of events needs to be collected.
The audit policy is a compromise between too many and too few events to collect.
To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.
Advised solution: Identify the audit settings to apply and fix them.
Beware that there are two places for audit settings:
a) in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
b) in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Points: 10 points if present
Documentation: https://adsecurity.org/?p=3299
Details: The detail can be found in Audit settings
Audit | Problem | Rationale |
---|---|---|
Audit Policy Change | No GPO check for audit success | Collect event 4908, to track special groups such as "administrators" |
Audit object access | No GPO check for audit success | Collect events 4698, 4699, 4702 to track the scheduled tasks lifecycle |
Policy Change / Authentication Policy Change | No GPO check for audit success | Collect events 4713, 4716, 4739, 4867, to track trust modifications |
Account Management / Computer Account Management | No GPO check for audit success | Collect events 4741, 4742 to track computer changes |
Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of the DPAPI backup key |
Account Logon / Kerberos Authentication Service | No GPO check for audit success | Collect events 4768, 4771 for Kerberos authentication |
Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect event 4769 for Kerberos authentication |
Logon/Logoff / Logoff | No GPO check for audit success | Collect event 4634 for account logoff |
Logon/Logoff / Logon | No GPO check for audit success | Collect events 4624, 4625, 4648 for account logon |
Account Logon / Other Account Logon Events | No GPO check for audit success | Collect event 4648 for explicit credential logon |
Detailed Tracking / Process Creation | No GPO check for audit success | Collect event 4688 to get the history of executed programs |
Account Management / Security Group Management | No GPO check for audit success | Collect events 4728, 4732, 4756 for group membership changes |
System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track LSASS security packages and services |
Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privilege tracking, such as the debug privilege |
Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special groups assigned at logon |
Account Management / User Account Management | No GPO check for audit success | Collect events 4720, 4722, 4723, 4738, 4765, 4766, 4780, 4794 for user account management |
The purpose is to ensure that credentials cannot be extracted from the DC via its printer spooler
Technical explanation: When there is an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, that computer's credentials can be sent to the system with unconstrained delegation by an ordinary user. With a domain controller, the TGT of the DC can be extracted, allowing an attacker to reuse it in a DCSync attack, obtain all user hashes and impersonate any user.
Advised solution: The spooler service should be deactivated on domain controllers. Please note that, as a consequence, the Printer Pruning functionality (rarely used) will be unavailable.
Points: 10 points if present
Documentation: https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
Details: The detail can be found in Domain controllers
Domain controller |
---|
WIN-TSR583VNC42 |
The purpose is to verify if the password policy of the domain enforces users to have at least 8 characters in their password
Technical explanation: A check is performed to identify if the GPO regarding the password policy allows passwords shorter than 8 characters. Short passwords represent a high risk because they can fairly easily be brute-forced. Most CERTs and agencies advise at least 8 characters (and often this number goes up to 12).
Advised solution: To solve the issue, the best way is either to remove the GPO enabling short passwords, or to modify it in order to increase the minimum password length to at least 8 characters.
Points: 10 points if present
Documentation: https://www.microsoft.com/en-us/research/publication/password-guidance/
BSI M 4.314 Sichere Richtlinieneinstellungen für Domänen und Domänen-Controller
Details: The detail can be found in Password policies
GPO |
---|
Default Domain Policy |
The purpose is to ensure the failure of one domain controller will not stop the domain.
Technical explanation: A single domain controller failure can lead to a lack of availability of the domain if the number of servers is too low. To have minimum redundancy, the number of DCs should be at least 2. For labs, this rule can be ignored and you can add this rule to the exception list.
Advised solution: Increase the number of domain controllers by installing new ones.
Points: 5 points if the occurrence is strictly lower than 2
Details: The detail can be found in Domain controllers
The purpose is to ensure that Powershell logging is enabled.
Technical explanation: PowerShell is a powerful language, also used by hackers because of this quality. Hackers are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke-Mimikatz.
Because there is no artefact on the disk, the incident response task is difficult for forensic analysts.
For this reason, we recommend enabling PowerShell logging via a group policy, even though these security settings may already be part of the workstation or server images.
Advised solution: Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
and enable "Turn on Module Logging" and "Turn on PowerShell Script Block Logging".
We recommend setting "*" as the module list.
Informative rule (0 point)
Documentation: https://adsecurity.org/?p=2604
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
STIG V-68819 - PowerShell script block logging must be enabled
Details: The detail can be found in Security settings
The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack
Technical explanation: LLMNR is a protocol which translates names such as foo.bar.com into an IP address. LLMNR has been designed to translate names locally in case the default protocol, DNS, is not available.
Regarding Active Directory, DNS is mandatory, which makes LLMNR useless.
LLMNR attacks exploit typos or a faster response time to redirect users to a specially designed share, server or website.
Being trusted, this service will trigger the single sign-on procedure, which can be abused to retrieve the user credentials.
LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903, where it is disabled.
Advised solution: Enable the GPO "Turn off multicast name resolution" and check that no GPO overrides this setting.
(if it is the case, the policy involved will be displayed below)
Informative rule (0 point)
Details: The detail can be found in Security settings
The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ character password for this account greatly helps reduce the risk behind the Kerberoast attack (offline cracking of TGS tickets).
Technical explanation: The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ character password for the Service Account.
Advised solution: The recommended way to handle service accounts is to use "Managed Service Accounts", introduced with Windows 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password policy guaranteeing a 20+ character password length.
Informative rule (0 point)
Documentation: https://www.microsoft.com/en-us/research/publication/password-guidance/
Details: The detail can be found in Password Policies
This section gives information about the user accounts stored in the Active Directory
Nb User Accounts | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb Locked | Nb pwd never Expire | Nb SidHistory | Nb Bad PrimaryGroup | Nb Password not Req. | Nb DES enabled | Nb unconstrained delegations | Nb Reversible password |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | 1 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
Name | Creation | Last logon | Distinguished name |
---|---|---|---|
Administrateur | 2020-07-16 08:30:13Z | 2020-07-16 10:33:57Z | CN=Administrateur,CN=Users,DC=foret2019,DC=local |
This section gives information about the computer accounts stored in the Active Directory
Nb Computer Accounts | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb unconstrained delegations | Nb Reversible password |
---|---|---|---|---|---|---|---|---|
1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
Name | Creation | Last logon | Distinguished name |
---|---|---|---|
WIN-TSR583VNC42$ | 2020-07-16 08:31:40Z | 2020-07-16 10:32:24Z | CN=WIN-TSR583VNC42,OU=Domain Controllers,DC=foret2019,DC=local |
Operating System | Nb OS | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb unconstrained delegations | Nb Reversible password |
---|---|---|---|---|---|---|---|---|---|
Windows 2019 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
Here is a specific focus on the Active Directory servers: the domain controllers.
Domain controller | Operating System | Creation Date | Startup Time | Uptime | Owner | Null sessions | SMB v1 | Remote spooler | FSMO role |
---|---|---|---|---|---|---|---|---|---|
WIN-TSR583VNC42 | Windows 2019 | 2020-07-16 08:31:40Z | 2020-07-16 10:31:52Z | 0 days | FORET2019\Admins du domaine | NO | NO | YES | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master |
This section is focused on the groups which are critical for admin activities. If the report has been saved with the full details, each group can be zoomed in on with its members. If it is not the case, for privacy reasons, only general statistics are available.
Group Name | Nb Admins | Nb Enabled | Nb Disabled | Nb Inactive | Nb Pwd never expire | Nb Smart Card required | Nb Service accounts | Nb can be delegated | Nb external users |
---|---|---|---|---|---|---|---|---|---|
Account Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
Backup Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Certificate Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Certificate Publishers | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Domain Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
Enterprise Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
Enterprise Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Print Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Schema Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
Server Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
SamAccountName | Enabled | Active | Pwd never Expires | Locked | Smart Card required | Service account | Flag Cannot be delegated present | Distinguished name |
---|---|---|---|---|---|---|---|---|
Administrateur | YES | YES | YES | NO | NO | NO | NO | CN=Administrateur,CN=Users,DC=foret2019,DC=local |
Each specific right defined on an Organizational Unit (OU) is listed below.
DistinguishedName | Account | Right |
---|---|---|
DC=foret2019 | FORET2019\Contrôleurs de domaine | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL |
CN=Keys | AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=Keys | FORET2019\Administrateurs clés | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=Keys | FORET2019\Administrateurs clés Enterprise | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=Keys | FORET2019\Contrôleurs de domaine | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=MicrosoftDNS,CN=System | AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=MicrosoftDNS,CN=System | FORET2019\DnsAdmins | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=RAS and IAS Servers Access Check,CN=System | FORET2019\Serveurs RAS et IAS | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
CN=WMIPolicy,CN=System | FORET2019\Propriétaires créateurs de la stratégie de groupe | GenericWrite, DSSelf, Write all prop |
CN=SOM,CN=WMIPolicy,CN=System | FORET2019\Propriétaires créateurs de la stratégie de groupe | GenericWrite, DSSelf, Write all prop |
This section focuses on permissions issues that can be exploited to take control of the domain.
This is an advanced section that should be examined after having looked at the Admin Groups section.
This analysis focuses on accounts found in control path and located in other domains.
No operative link with other domains has been found.
This part tries to summarize in a single table whether major issues have been found.
Focus on finding critical objects such as the Everyone group, then try to decrease the number of objects having indirect access.
The detail is displayed below.
Priority to remediate | Critical Object Found | Number of objects with Indirect | Max number of indirect numbers | Max ratio |
---|---|---|---|---|
Critical | NO | 0 | 0 | 0 |
High | NO | 0 | 0 | 0 |
Medium | NO | 0 | 0 | 0 |
Other | NO | 0 | 0 | 0 |
If the report has been saved with the full details, each object can be zoomed in on with its full detail. If it is not the case, for privacy reasons, only general statistics are available.
Group or user account | Priority | Number of users member of the group | Number of computer member of the group | Number of object having indirect control | Number of unresolved members (removed?) | Link with other domains | Detail |
---|---|---|---|---|---|---|---|
Account Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
Administrator | Critical | | | 0 | 0 | None | Analysis |
Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
Backup Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
Certificate Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
Certificate Publishers | Other | 0 | 0 | 0 | 0 | None | Analysis |
Domain Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
Enterprise Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
Enterprise Key Administrators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
Key Administrators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
Print Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
Schema Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
Server Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
If the report has been saved with the full details, each object can be zoomed in on with its full detail. If it is not the case, for privacy reasons, only general statistics are available.
Group or user account | Priority | Number of users member of the group | Number of computer member of the group | Number of object having indirect control | Number of unresolved members (removed?) | Link with other domains | Detail |
---|---|---|---|---|---|---|---|
Builtin OU | Medium | | | 0 | 0 | None | Analysis |
Computers container | Medium | | | 0 | 0 | None | Analysis |
Domain Controllers | Critical | 0 | 1 (Details) | 0 | 0 | None | Analysis |
Domain Root | Medium | | | 0 | 0 | None | Analysis |
Enterprise Read Only Domain Controllers | Other | 0 | 0 | 0 | 0 | None | Analysis |
Group Policy Creator Owners | Medium | 1 (Details) | 0 | 0 | 0 | None | Analysis |
Krbtgt account | Medium | | | 0 | 0 | None | Analysis |
Read Only Domain Controllers | Medium | 0 | 0 | 0 | 0 | None | Analysis |
Users container | Medium | | | 0 | 0 | None | Analysis |
This section focuses on the relations that this domain has with other domains
This part displays the direct links that this domain has with other domains.
Trust Partner | Type | Attribute | Direction | SID Filtering active | TGT Delegation | Creation | Is Active |
---|---|---|---|---|---|---|---|
These are the domains that PingCastle was able to detect but which are not related to direct trusts. They may be children of a forest or bastions.
Reachable domain | Via | Netbios | Creation date |
---|---|---|---|
This section focuses on security checks specific to the Active Directory environment.
The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature.
Last backup date: Never
LAPS is used to have a unique local administrator password on all workstations / servers of the domain. This password is then changed at a fixed interval. The risk is that a local administrator hash is retrieved and reused on other workstations in a pass-the-hash attack.
Mitigation: have a process for when a new workstation is created, or install LAPS and apply it through a GPO.
LAPS installation date: Never
Windows Event Forwarding is a native mechanism used to collect logs on all workstations / servers of the domain. Microsoft recommends using Windows Event Forwarding to help with intrusion detection. Here is the list of servers configured for WEF found in GPO.
Number of WEF configuration found: 0
The password of the krbtgt account should be changed twice every 40 days using this script
You can use the version gathered using replication metadata from two reports to infer the frequency of the password change, or whether the two consecutive resets have been done. Version starts at 1.
Kerberos password last changed: 2020-07-16 10:31:41Z version: 2
This control detects accounts which are former 'unofficial' admins. Indeed, when an account belongs to a privileged group, the attribute adminCount is set. If the attribute is set on an account that is not an official member, this is suspicious. To suppress this warning, the attribute adminCount of these accounts should be removed after review.
Number of accounts to review: 0
You can check here for backdoors or typos in the scriptPath attribute.
Script Name | Count |
---|---|
None | 1 |
This detects trusted certificates which can be used in man-in-the-middle attacks or which can issue smart card logon certificates.
Number of trusted certificates: 0
Source | Store | Subject | Issuer | NotBefore | NotAfter | Module size | Signature Alg | SC Logon |
---|---|---|---|---|---|---|---|---|
Note: PSO (Password Settings Objects) will be visible only if the user which collected the information has the permission to view it.
PSO shown in the report will be prefixed by "PSO:"
Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account counter locker after |
---|---|---|---|---|---|---|---|---|---|
Default Domain Policy | True | 42 day(s) | 1 day(s) | 7 | 24 | False | 0 | Not Set | Not Set |
These are the settings related to screensavers stored in Group Policies. Each non-compliant setting is written in red.
Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds) |
---|---|---|---|---|
This section focuses on security settings stored in the Active Directory technical security policies.
Passwords in GPOs are obfuscated, not encrypted. Consider any password listed here as compromised and change it immediately.
Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.
A GPO can be used to deploy security settings to workstations.
The best practice out of the default security baseline is reported in green.
The following settings in red are unusual and may need to be reviewed.
Each setting is accompanied with its value and a link to the GPO explanation.
Policy Name | Setting | Value |
---|---|---|
Audit settings allow the system to generate logs which are useful to detect intrusions. Here are the settings found in GPO.
Simple audit events are described here and Advanced audit events are described here
You can get a list of all audit settings with the command line: auditpol.exe /get /category:*
Policy Name | Category | Setting | Value |
---|---|---|---|
Giving privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPrivilege gives the right to act as SYSTEM, which has more privileges than the administrator account.
GPO Name | Privilege | Members |
---|---|---|
Default Domain Controllers Policy | SeAssignPrimaryTokenPrivilege | AUTORITE NT\SERVICE RÉSEAU |
Default Domain Controllers Policy | SeAssignPrimaryTokenPrivilege | AUTORITE NT\SERVICE LOCAL |
Default Domain Controllers Policy | SeBackupPrivilege | BUILTIN\Opérateurs de serveur |
Default Domain Controllers Policy | SeBackupPrivilege | BUILTIN\Opérateurs de sauvegarde |
Default Domain Controllers Policy | SeBackupPrivilege | Administrators |
Default Domain Controllers Policy | SeDebugPrivilege | Administrators |
Default Domain Controllers Policy | SeLoadDriverPrivilege | BUILTIN\Opérateurs d'impression |
Default Domain Controllers Policy | SeLoadDriverPrivilege | Administrators |
Default Domain Controllers Policy | SeMachineAccountPrivilege | Authenticated Users |
Default Domain Controllers Policy | SeRestorePrivilege | BUILTIN\Opérateurs de serveur |
Default Domain Controllers Policy | SeRestorePrivilege | BUILTIN\Opérateurs de sauvegarde |
Default Domain Controllers Policy | SeRestorePrivilege | Administrators |
Default Domain Controllers Policy | SeSecurityPrivilege | Administrators |
Default Domain Controllers Policy | SeTakeOwnershipPrivilege | Administrators |
Default Domain Controllers Policy | SeEnableDelegationPrivilege | Administrators |
Login authorization and restriction can be set by GPO. Indeed, by default, everyone is allowed to log on to every computer except domain controllers. Defining login restrictions is a way to have different isolated tiers. Here are the settings found in GPO.
GPO Name | Privilege | Members |
---|---|---|
Default Domain Controllers Policy | Log on as a batch job | BUILTIN\Utilisateurs du journal de performances |
Default Domain Controllers Policy | Log on as a batch job | BUILTIN\Opérateurs de sauvegarde |
Default Domain Controllers Policy | Log on as a batch job | Administrators |
Default Domain Controllers Policy | Allow log on locally | AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS |
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Opérateurs d'impression |
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Opérateurs de serveur |
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Opérateurs de compte |
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Opérateurs de sauvegarde |
Default Domain Controllers Policy | Allow log on locally | Administrators |
Default Domain Controllers Policy | Access this computer from the network | BUILTIN\Accès compatible pré-Windows 2000 |
Default Domain Controllers Policy | Access this computer from the network | AUTORITE NT\ENTERPRISE DOMAIN CONTROLLERS |
Default Domain Controllers Policy | Access this computer from the network | Authenticated Users |
Default Domain Controllers Policy | Access this computer from the network | Administrators |
Default Domain Controllers Policy | Access this computer from the network | Everyone |
A GPO login script is a way to force the execution of code on behalf of users. Only enabled users are analyzed.
A GPO can be used to deploy applications or copy files. These files may be controlled by a third party in order to control the execution of local programs.