test.mysmartlogon.com - Active Directory Compromission Graph

Date: 2019-01-05 - Engine version: 2.5.3.1 Beta

This report has been generated with the Basic Edition of PingCastle.
Being part of a commercial package is forbidden (selling the information contained in the report).
If you are an auditor, you MUST purchase an Auditor license to share the development effort.

Active Directory Indicators

Indicators

Domain Risk Level: 100 / 100

It is the maximum score of the 4 indicators and one score cannot be higher than 100. The lower the better

Stale Object : 0 /100

It is about operations related to user or computer objects

1 rules matched

Trusts : 0 /100

It is about links between two Active Directories

4 rules matched

Privileged Accounts : 25 /100

It is about administrators of the Active Directory

1 rules matched

Anomalies : 100 /100

It is about specific security control points

12 rules matched

Stale Objects

Stale Objects : 0 /100

It is about operations related to user or computer objects

Objectives

House keeping

✓ No object should have on his control path a permission related to deleted objectsRisk: 25

Privileged Accounts

Privileged Accounts : 25 /100

It is about administrators of the Active Directory

Objectives

Best practices

✗ 1 operator group(s) are not emptyRisk: 25

Trusts

Trusts : 0 /100

It is about operations related to user or computer objects

Objectives

Trust permeability

✓ No domain can take control of an admin or critical objectRisk: 100
✓ No more than 1 domain can take control of an admin or critical objectRisk: 85
✓ No domain can take control of a user defined objectRisk: 20

Best practices

✓ No child domain of a forest should have permission on this domainRisk: 25

Foreign domains involved

No operative link with other domains has been found.

Anomalies analysis

Anomalies : 100 /100

It is about specific security control points

Objectives

Access to critical priority objects

✗ "Any users" have no direct or indirect access to critical objectsRisk: 100
✓ No more than 100 users have no direct or indirect access to critical objectsRisk: 90
✓ No more than 50 users have no direct or indirect access to critical objectsRisk: 80
✓ No more than 10 users have no direct or indirect access to critical objectsRisk: 70

Access to high priority objects

✓ "Any users" have no direct or indirect access to high value objectsRisk: 90
✓ No more than 100 users have no direct or indirect access to high value objectsRisk: 80
✓ No more than 50 users have no direct or indirect access to high value objectsRisk: 70
✓ No more than 10 users have no direct or indirect access to high value objectsRisk: 60

Access to medium priority objects

✗ "Any users" have no direct or indirect access to medium value objectsRisk: 80
✓ No more than 100 users have no direct or indirect access to medium value objectsRisk: 70
✓ No more than 50 users have no direct or indirect access to medium value objectsRisk: 60
✓ No more than 10 users have no direct or indirect access to medium value objectsRisk: 50

Indirect links

Priority to remediate ?	Critical Object Found ?	Number of objects with Indirect ?	Max number of indirect numbers ?	Max ratio ?
Critical	YES	6	5	100
High	NO	1	1	100
Medium	YES	3	1	100
Other	YES	2	1	0

Detailled analysis

Admin groups

Group or user account ?	Priority ?	Number of users member of the group ?	Number of computer member of the group ?	Number of object having indirect control ?	Link with other domains	Rules triggered	Detail
Account Operator	High	1 (Details)	0	1 (Details)	None	0 rule triggered	Analysis
Administrator	Critical	1 (Details)	0	1 (Details)	None	0 rule triggered	Analysis
Administrators	Critical	5 (Details)	0	2 (Details)	None	0 rule triggered	Analysis
Backup Operators	High	0	0	0	None	0 rule triggered	Analysis
Certificate Operators	Medium	0	0	0	None	0 rule triggered	Analysis
Certificate Publishers	Other	0	1 (Details)	1 (Details)	None	0 rule triggered	Analysis
Domain Administrators	Critical	5 (Details)	0	5 (Details)	None	0 rule triggered	Analysis
Enterprise Administrators	Critical	1 (Details)	0	1 (Details)	None	0 rule triggered	Analysis
Incoming Forest Trust Builders	Medium	0	0	0	None	0 rule triggered	Analysis
Network Operators	Medium	0	0	0	None	0 rule triggered	Analysis
Print Operators	Medium	0	0	0	None	0 rule triggered	Analysis
Schema Administrators	Critical	2 (Details)	0	2 (Details)	None	0 rule triggered	Analysis
Server Operators	High	0	0	0	None	0 rule triggered	Analysis

Critical Infrastructure

Group or user account ?	Priority ?	Number of users member of the group ?	Number of computer member of the group ?	Number of object having indirect control ?	Link with other domains	Rules triggered	Detail
Builtin OU	Medium	0	0	0	None	0 rule triggered	Analysis
Domain Controllers	Critical	0	2 (Details)	2 (Details)	None	0 rule triggered	Analysis
Domain Root	Medium	0	0	0	None	0 rule triggered	Analysis
Enterprise Read Only Domain Controllers	Other	0	0	1 (Details)	None	0 rule triggered	Analysis
Group Policy Creator Owners	Medium	1 (Details)	0	1 (Details)	None	0 rule triggered	Analysis
Krbtgt account	Medium	1 (Details)	0	1 (Details)	None	0 rule triggered	Analysis
Read Only Domain Controllers	Medium	0	0	1 (Details)	None	0 rule triggered	Analysis

User Defined

Group or user account ?	Priority ?	Number of users member of the group ?	Number of computer member of the group ?	Number of object having indirect control ?	Number of unresolved members (removed?) ?	Link with other domains	Rules triggered	Detail

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
wrongaccount8	✓	✗	NO	NO	NO	NO	NO	CN=wrongaccount8,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	3	wrongaccount83	wronguser4->Users->wrongaccount83

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
Administrator	✓	✓	YES	NO	NO	NO	YES	CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2	Vincent Le TOux	wronguser4->Users->Vincent Le TOux

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
Adiant	✓	✓	NO	NO	NO	YES	NO	CN=Adiant,CN=Users,DC=test,DC=mysmartlogon,DC=com
Administrator	✓	✓	YES	NO	NO	NO	YES	CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com
teste (	✗	✗	NO	NO	NO	NO	YES	CN=New Object with (dsg,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount5	✓	✗	NO	NO	YES	NO	NO	CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
wrongAccount1	✓	✗	NO	NO	NO	NO	NO	CN=wrongAccount1,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wrongaccount83	S-1-5-21-4005144719-3948538632-2546531719-1119	2	vincent le toux	wrongaccount83->vincent le toux
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	3	vincent le toux	wronguser4->Users->vincent le toux

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Cert Publishers

Direct Computer Members

SamAccountName	Enabled	Active	Locked	Flag Cannot be delegated present	Distinguished name
WIN-PGAHI2ECI8E$	✓	✓	NO	NO	CN=WIN-PGAHI2ECI8E,OU=Domain Controllers,DC=test,DC=mysmartlogon,DC=com

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
teste (	✗	✗	NO	NO	NO	NO	YES	CN=New Object with (dsg,CN=Users,DC=test,DC=mysmartlogon,DC=com
wrongAccount5	✓	✗	NO	NO	YES	NO	NO	CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com
wrongAccount1	✓	✗	NO	NO	NO	NO	NO	CN=wrongAccount1,CN=Users,DC=test,DC=mysmartlogon,DC=com
Adiant	✓	✓	NO	NO	NO	YES	NO	CN=Adiant,CN=Users,DC=test,DC=mysmartlogon,DC=com
Administrator	✓	✓	YES	NO	NO	NO	YES	CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Domain Admins
wrongaccount83	S-1-5-21-4005144719-3948538632-2546531719-1119	2	vincent le toux	wrongaccount83->vincent le toux
wrongAccount6	S-1-5-21-4005144719-3948538632-2546531719-1117	3	wrongAccount5	wrongAccount6->TestOU->wrongAccount5
wrongAccount7	S-1-5-21-4005144719-3948538632-2546531719-1118	3	wrongAccount5	wrongAccount7->TestOU->wrongAccount5
wrongaccount9	S-1-5-21-4005144719-3948538632-2546531719-1120	3	wrongAccount5	wrongaccount9->TestOU->wrongAccount5

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Domain Controllers
Vincent Le TOux	S-1-5-21-4005144719-3948538632-2546531719-500	2		Vincent Le TOux->ADIANT-A7B9AAC6$->Domain Controllers

Direct Computer Members

SamAccountName	Enabled	Active	Locked	Flag Cannot be delegated present	Distinguished name
WIN-PGAHI2ECI8E$	✓	✓	NO	NO	CN=WIN-PGAHI2ECI8E,OU=Domain Controllers,DC=test,DC=mysmartlogon,DC=com
ADIANT-A7B9AAC6$	✓	✓	NO	NO	CN=ADIANT-A7B9AAC6,CN=Computers,DC=test,DC=mysmartlogon,DC=com

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
Administrator	✓	✓	YES	NO	NO	NO	YES	CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Enterprise Admins

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Enterprise Read-only Domain Controllers

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
Administrator	✓	✓	YES	NO	NO	NO	YES	CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Group Policy Creator Owners

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
krbtgt	✗	✗	NO	NO	NO	NO	YES	CN=krbtgt,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2	krbtgt	wronguser4->Users->krbtgt

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Read-only Domain Controllers

Direct User Members

SamAccountName	Enabled	Active	Pwd never Expired	Locked	Smart Card required	Service account	Flag Cannot be delegated present	Distinguished name
Adiant	✓	✓	NO	NO	NO	YES	NO	CN=Adiant,CN=Users,DC=test,DC=mysmartlogon,DC=com
Administrator	✓	✓	YES	NO	NO	NO	YES	CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com

Indirect Members

Name	Security Identifier	Distance	Last authorized object	Path
wronguser4	S-1-5-21-4005144719-3948538632-2546531719-1115	2		wronguser4->Users->Schema Admins
wrongaccount83	S-1-5-21-4005144719-3948538632-2546531719-1119	2	vincent le toux	wrongaccount83->vincent le toux