test.mysmartlogon.com - Active Directory Compromission Graph

Date: 2019-01-05 - Engine version: 2.5.3.1 Beta

This report has been generated with the Basic Edition of PingCastle.
Being part of a commercial package is forbidden (selling the information contained in the report).
If you are an auditor, you MUST purchase an Auditor license to share the development effort.

Indicators

Domain Risk Level: 100 / 100

It is the maximum score of the 4 indicators, and no score can be higher than 100. The lower the better.

Stale Object : 0 /100

It is about operations related to user or computer objects

1 rules matched

Trusts : 0 /100

It is about links between two Active Directories

4 rules matched

Privileged Accounts : 25 /100

It is about administrators of the Active Directory

1 rules matched

Anomalies : 100 /100

It is about specific security control points

12 rules matched

Stale Objects : 0 /100

It is about operations related to user or computer objects

Objectives

House keeping

  • ✓ No object should have on his control path a permission related to deleted objects (Risk: 25)

Privileged Accounts : 25 /100

It is about administrators of the Active Directory

Objectives

Best practices

  • ✗ 1 operator group(s) are not empty (Risk: 25)

Trusts : 0 /100

It is about operations related to user or computer objects

Objectives

Trust permeability

  • ✓ No domain can take control of an admin or critical object (Risk: 100)
  • ✓ No more than 1 domain can take control of an admin or critical object (Risk: 85)
  • ✓ No domain can take control of a user defined object (Risk: 20)

Best practices

  • ✓ No child domain of a forest should have permission on this domain (Risk: 25)

Foreign domains involved

No operative link with other domains has been found.

Anomalies : 100 /100

It is about specific security control points

Objectives

Access to critical priority objects

  • ✗ "Any users" have no direct or indirect access to critical objects (Risk: 100)
  • ✓ No more than 100 users have no direct or indirect access to critical objects (Risk: 90)
  • ✓ No more than 50 users have no direct or indirect access to critical objects (Risk: 80)
  • ✓ No more than 10 users have no direct or indirect access to critical objects (Risk: 70)

Access to high priority objects

  • ✓ "Any users" have no direct or indirect access to high value objects (Risk: 90)
  • ✓ No more than 100 users have no direct or indirect access to high value objects (Risk: 80)
  • ✓ No more than 50 users have no direct or indirect access to high value objects (Risk: 70)
  • ✓ No more than 10 users have no direct or indirect access to high value objects (Risk: 60)

Access to medium priority objects

  • ✗ "Any users" have no direct or indirect access to medium value objects (Risk: 80)
  • ✓ No more than 100 users have no direct or indirect access to medium value objects (Risk: 70)
  • ✓ No more than 50 users have no direct or indirect access to medium value objects (Risk: 60)
  • ✓ No more than 10 users have no direct or indirect access to medium value objects (Risk: 50)

Indirect links

Priority to remediate | Critical Object Found | Number of objects with Indirect | Max number of indirect numbers | Max ratio
Critical | YES | 6 | 5 | 100
High | NO | 1 | 1 | 100
Medium | YES | 3 | 1 | 100
Other | YES | 2 | 1 | 0

Admin groups

Group or user account | Priority | Number of users member of the group | Number of computer member of the group | Number of object having indirect control | Number of unresolved members (removed?) | Link with other domains | Rules triggered
Account Operator | High | 1 | 0 | 1 | 0 | None | 0 rule triggered
Administrator | Critical | 1 | 0 | 1 | 0 | None | 0 rule triggered
Administrators | Critical | 5 | 0 | 2 | 0 | None | 0 rule triggered
Backup Operators | High | 0 | 0 | 0 | 0 | None | 0 rule triggered
Certificate Operators | Medium | 0 | 0 | 0 | 0 | None | 0 rule triggered
Certificate Publishers | Other | 0 | 1 | 1 | 0 | None | 0 rule triggered
Domain Administrators | Critical | 5 | 0 | 5 | 0 | None | 0 rule triggered
Enterprise Administrators | Critical | 1 | 0 | 1 | 0 | None | 0 rule triggered
Incoming Forest Trust Builders | Medium | 0 | 0 | 0 | 0 | None | 0 rule triggered
Network Operators | Medium | 0 | 0 | 0 | 0 | None | 0 rule triggered
Print Operators | Medium | 0 | 0 | 0 | 0 | None | 0 rule triggered
Schema Administrators | Critical | 2 | 0 | 2 | 0 | None | 0 rule triggered
Server Operators | High | 0 | 0 | 0 | 0 | None | 0 rule triggered

Critical Infrastructure

Group or user account | Priority | Number of users member of the group | Number of computer member of the group | Number of object having indirect control | Number of unresolved members (removed?) | Link with other domains | Rules triggered
Builtin OU | Medium | 0 | 0 | 0 | 0 | None | 0 rule triggered
Domain Controllers | Critical | 0 | 2 | 2 | 0 | None | 0 rule triggered
Domain Root | Medium | 0 | 0 | 0 | 0 | None | 0 rule triggered
Enterprise Read Only Domain Controllers | Other | 0 | 0 | 1 | 0 | None | 0 rule triggered
Group Policy Creator Owners | Medium | 1 | 0 | 1 | 0 | None | 0 rule triggered
Krbtgt account | Medium | 1 | 0 | 1 | 0 | None | 0 rule triggered
Read Only Domain Controllers | Medium | 0 | 0 | 1 | 0 | None | 0 rule triggered

User Defined

Group or user account | Priority | Number of users member of the group | Number of computer member of the group | Number of object having indirect control | Number of unresolved members (removed?) | Link with other domains | Rules triggered