Consolidation

Date: 2018-07-25 - Engine version: 2.5.1.0

Active Directory Indicators

Indicators
050100

Average Risk Level: 100 / 100

Best Risk Level: 100 / 100

Worst Risk Level: 100 / 100

Median Risk Level: 100 / 100

Risk model
Staled Objects Privileged accounts Trusts Anomalies
Inactive user or computer
">ACL Check
Old trust protocol
Backup
Network topography
Admin control
SID Filtering
Certificate take over
Object configuration
Irreversible change
SIDHistory
Golden ticket
Obsolete OS
Privilege control
Trust impermeability
Local group vulnerability
Old authentication protocols
Trust inactive
Network sniffing
Provisioning
Pass-the-credential
Replication
Password retrieval
Unfinished migration
Reconnaissance
Vulnerability management
Temporary admins
Weak password
Legend:
  score is 0 - no risk identified but some improvements detected
  score between 1 and 10 - a few actions have been identified
  score between 10 and 30 - rules should be looked with attention
  score higher than 30 - major risks identified

Score detail
Domain Domain Risk Level Stale objects Privileged accounts Trusts Anomalies Generated
test.mysmartlogon.com 100 46 45 100 100 2018-07-25 17:32:48Z

Rules Matched

Domain Category Rule Score Description Rationale
test.mysmartlogon.com PrivilegedAccounts P-DelegationLoginScript 15 Ensure that all login scripts cannot be modified by any user Number of login scripts that can be modified by any user: 1
test.mysmartlogon.com StaleObjects S-DC-SubnetMissing 5 Check for completeness of network declaration The subnet declaration is incomplete [1 ip of DC not found in declared subnets]
test.mysmartlogon.com Anomalies A-BackupMetadata 15 Check for the last backup date according to Microsoft standard Last AD backup has been performed 2334 day(s) ago
test.mysmartlogon.com Anomalies A-ProtectedUsers 0 Check for presence of the Protected users group The Protected Users group doesn't exist on the domain.
test.mysmartlogon.com Anomalies A-LAPS-Not-Installed 15 Check if the LAPS tool to handle the native local administrator password is installed LAPS doesn't seem to be installed
test.mysmartlogon.com StaleObjects S-SMB-v1 1 DC Vulnerability (SMB v1) SMB v1 activated on 1 DC
test.mysmartlogon.com Trusts T-SIDHistorySameDomain 50 Check for local backdoor stored in SID History Account(s) with SID History matching the domain = 1
test.mysmartlogon.com StaleObjects S-ADRegistration 10 Check the procesuss of registration of computers to the domain Non admin users can add up to 1 computer(s) to a domain
test.mysmartlogon.com Anomalies A-SHA1RootCert 0 Check for Root Certificates using unsafe hashing algorithm (SHA1) At least one trusted ROOT certificate found has a SHA1 signature [11]
test.mysmartlogon.com Anomalies A-NullSession 10 Retrieve data from the domain without any account Number of DC with NULL SESSION enabled: 1
test.mysmartlogon.com Anomalies A-SHA1IntermediateCert 1 Check for Intermediate Certificates using unsafe hashing algorithm (SHA1) At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
test.mysmartlogon.com Anomalies A-MinPwdLen 10 Check for Short password length in password policy Policy where the password complexity is less than 8 characters: 4
test.mysmartlogon.com Anomalies A-PwdGPO 60 Find Password GPO Number of passwords found in GPO: 3
test.mysmartlogon.com Anomalies A-Krbtgt 50 Mitigate golden ticket attack via a regular change of the krbtgt password Last change of the Kerberos password: 2334 day(s) ago
test.mysmartlogon.com PrivilegedAccounts P-SchemaAdmin 10 Avoid unexpected schema modifications which could result in domain rebuild The group Schema Admins is not empty: 2 account(s)
test.mysmartlogon.com PrivilegedAccounts P-Delegated 20 At least one Administrator Account can be delegated Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 4
test.mysmartlogon.com Trusts T-Inactive 20 Check for inactive trusts At least one inactive trust has been found: 1
test.mysmartlogon.com Trusts T-SIDFiltering 50 Check for Trusts whose security is not maximum Number of trusts without SID Filtering: 1
test.mysmartlogon.com StaleObjects S-C-PrimaryGroup 15 Check for hidden group membership for computer accounts Presence of wrong primary group: 1
test.mysmartlogon.com StaleObjects S-SIDHistory 15 SIDHistory check 1 domain(s) used in SIDHistory

Domain Information

Domain Netbios Name Domain Functional Level Forest Functional Level Creation date Nb DC Engine Level
test.mysmartlogon.com TEST Windows Server 2008 Windows Server 2008 2012-03-03 18:12:40Z 2 2.5.1.0 Normal
Total 1

User Information

Domain Nb User Accounts Nb Enabled Nb Disabled Nb Active Nb Inactive Nb Locked Nb pwd never Expire Nb SidHistory Nb Bad PrimaryGroup Nb Password not Req. Nb Des enabled. Nb Trusted delegation Nb Reversible password
test.mysmartlogon.com 20 15 5 3 12 0 4 2 0 0 0 0 0
Total 20 15 5 3 12 0 4 2 0 0 0 0 0

Computer Information

Domain Nb Computer Accounts Nb Enabled Nb Disabled Nb Active Nb Inactive Nb SidHistory Nb Bad PrimaryGroup Nb Trusted delegation Nb Reversible password
test.mysmartlogon.com 5 5 0 2 3 0 1 0 0
Total 5 5 0 2 3 0 1 0 0
Domain Windows XP Windows 7 Windows 2008
test.mysmartlogon.com 0 1 1
Total 0 1 1

Admin Groups

Domain Group Name Nb Admins Nb Enabled Nb Disabled Nb Inactive Nb PWd never expire Nb can be delegated Nb external users
test.mysmartlogon.com Administrators 5 4 1 2 1 4 0
test.mysmartlogon.com Account Operators 0 0 0 0 0 0 0
test.mysmartlogon.com Server Operators 0 0 0 0 0 0 0
test.mysmartlogon.com Print Operators 0 0 0 0 0 0 0
test.mysmartlogon.com Backup Operators 0 0 0 0 0 0 0
test.mysmartlogon.com Crypto Operators 0 0 0 0 0 0 0
test.mysmartlogon.com Incoming Forest Trust Builders 0 0 0 0 0 0 0
test.mysmartlogon.com Network Operators 0 0 0 0 0 0 0
test.mysmartlogon.com Domain Admins 5 4 1 2 1 4 0
test.mysmartlogon.com Enterprise Admins 1 1 0 0 1 0 0
test.mysmartlogon.com Schema Admins 2 2 0 0 1 1 0
test.mysmartlogon.com Cert Publishers 0 0 0 0 0 0 0

Trusts

Discovered domains

Domain Trust Partner Type Attribut Direction SID Filtering active Creation Is Active ?
test.mysmartlogon.com bastion.local Uplevel Forest Trust Outbound Yes 2018-07-23 13:02:08Z True
test.mysmartlogon.com mil MIT Non-Transitive Outbound No 2014-06-09 12:49:20Z False

Other discovered domains

From Reachable domain Via Netbios Creation date

SID Map

Domain Domain SID
bastion.local S-1-5-21-2628413355-2805387784-110191576
test.mysmartlogon.com S-1-5-21-4005144719-3948538632-2546531719

Anomalies

Domain Krbtgt AdminSDHolder DC with null session Smart card account not update Date LAPS Installed
test.mysmartlogon.com 2012-03-03 19:17:15Z 0 1 0 Never

Password Policies

Password policies

Domain Policy Name Complexity Max Password Age Min Password Age Min Password Length Password History Reversible Encryption Lockout Threshold Lockout Duration Reset account counter locker after
test.mysmartlogon.com Default Domain Policy False Never expires 0 day 0 0 False 0 Not Set Not Set
test.mysmartlogon.com Default Domain Controllers Policy False Never expires 0 day 0 Not Set Not Set Not Set Not Set Not Set
test.mysmartlogon.com test nfc 2 False Never expires 0 day 1 Not Set Not Set Not Set Not Set Not Set
test.mysmartlogon.com PSO:test False 90 day(s) 0 day 0 5 False 50 1 minute(s) Infinite

Screensaver policies

Domain Policy Name Screensaver enforced Password request Start after (seconds) Grace Period (seconds)
test.mysmartlogon.com test nfc 2 True True 90000 Not Set

LSA settings

Domain Policy Name Setting Value
test.mysmartlogon.com Default Domain Controllers Policy LSAAnonymousNameLookup 1

GPO

Obfuscated Password

Domain GPO Name Password origin UserName Password Changed Other
test.mysmartlogon.com test nfc 2 groups.xml administrator vletoux 2016-04-02 19:40:14Z NewName:adiant-admin
test.mysmartlogon.com test nfc 2 drives.xml adiant vletoux 2016-04-02 19:39:33Z Path:test
test.mysmartlogon.com test nfc 2 groups.xml test test 2016-04-02 20:21:02Z