This section focuses on the core security indicators.
Locate the sub-process that determines the score and fix the rules in that area to improve it.
Domain Risk Level: 100 / 100
It is the maximum score of the 4 indicators; a score cannot be higher than 100. The lower, the better.
Stale Objects: 80 / 100
It is about operations related to user or computer objects
6 rules matched
Trusts: 100 / 100
It is about links between two Active Directories
4 rules matched
Privileged Accounts: 100 / 100
It is about administrators of the Active Directory
14 rules matched
Anomalies: 100 / 100
It is about specific security control points
18 rules matched
| Stale Objects | Privileged accounts | Trusts | Anomalies |
|---|---|---|---|
| Inactive user or computer | Account take over | Old trust protocol | Audit |
| Network topography | ACL Check | SID Filtering | Backup |
| Object configuration | Admin control | SIDHistory | Certificate take over |
| Obsolete OS | Irreversible change | Trust impermeability | Golden ticket |
| Old authentication protocols | Privilege control | Trust inactive | Local group vulnerability |
| Provisioning | | | Network sniffing |
| Replication | | | Pass-the-credential |
| Vulnerability management | | | Password retrieval |
| | | | Reconnaissance |
| | | | Temporary admins |
| | | | Weak password |
Stale Objects: 80 / 100
It is about operations related to user or computer objects
The purpose is to ensure that all the Domain Controllers are updated regularly. This is done by checking whether a DC has been rebooted in the past 6 months. If not, it has not been patched during these 6 months either.
Technical explanation: Domain Controllers need to be updated regularly because threats to the AD evolve all the time, so assets in the AD should evolve accordingly. The date of the last update is computed by getting the StatisticsStartTime from [net statistics workstation]. If it is not available, the PingCastle solution uses the lastLogonTimestamp attribute, which is refreshed based on the LastLogon attribute. Do note that there is a maximum delay for this refresh: 14 days.
Advised solution: Frequently updating the DC should be part of the AD policies, as there should be a dedicated time slot for the servers to reboot and apply security patches.
Points: 15 points if present
Documentation: BSI M 4.315 Aufrechterhaltung der Betriebssicherheit von Active Directory
Details: The detail can be found in Domain controllers
| Domain controller | Reason |
|---|---|
| ADIANT-A7B9AAC6 | LastComputerLogonDate=11/9/2018 7:29:04 AM |
The purpose is to check for unusual values in the primarygroupid attribute, which is used to store group membership.
Technical explanation: In Active Directory, group membership is stored in the "member" attribute of groups and in the "primarygroupid" attribute of accounts.
The default primary group value is "Domain Users" for users, "Domain Computers" for computers and "Domain Controllers" for domain controllers.
The primarygroupid contains the RID (the last digits of a SID) of the targeted group. It can be used to store hidden membership, as this attribute is not often analyzed.
This rule can also be triggered if a domain controller is not in the default container (named "Domain Controllers" and located at the root), which is not a recommended practice.
Advised solution: Unless strongly justified, change the primary group id back to its default: 513 or 514 for users, 516 or 521 for domain controllers, 514 or 515 for computers. The primary group can be edited in a friendly manner by editing the account with "Active Directory Users and Computers": select the "Member Of" tab, then "Set Primary Group".
Points: 15 points if present
Details: The detail can be found in User information and Computer information
The purpose is to ensure that every account requires a password
Technical explanation: An account can be set without a password if it has the flag "PASSWD_NOTREQD" set to "True" in the "useraccountcontrol" attribute. This represents a high security risk, as the account is not protected at all without a password.
Advised solution: The best solution is to change the "useraccountcontrol" attribute of all the accounts that have this flag and that are not used in trusts. If the flag is removed while no password is set, you will get an error; you can use this to detect accounts without any password. Do note that you can manually list all the accounts that need to be worked on using the following PowerShell command: get-adobject -ldapfilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -properties useraccountcontrol
Points: 15 points if present
Documentation: https://support.microsoft.com/en-us/kb/305144
ANSSI - Recommandations de sécurité relatives à Active Directory - R36 [subsection.3.6]
Details: The detail can be found in User information and Computer information
The purpose is to ensure that a migration has been completed correctly and that the SIDHistory attribute has been cleared from user and computer accounts. This attribute is set when migrating a user or a computer from one domain to another.
Technical explanation: The SIDHistory attribute is useful when doing a migration because it keeps a reference to the former account. On the other hand, once the migration is over, it is mandatory to remove this attribute so that permissions are evaluated with regard to the new account and not the former one.
Advised solution: To solve the security issue, you should remove all the SIDHistory attributes. To do so, you can list the objects having a SIDHistory attribute using the command: get-ADObject -ldapfilter "(sidhistory=*)" -properties sidhistory.
Each security descriptor of the domain (including file shares, for example) should be reviewed and rewritten with the new SID of the account. Then the attribute can be removed from these accounts using the migration tool or the Remove-SIDHistory PowerShell snippet once the migration is completed. Please note that once the SID History has been removed, it cannot be added back without doing a real migration. However, hacking tools such as mimikatz can be used to undo a deletion, for example with the lsadump::dcshadow attack.
Points: 5 points per discovery with a minimum of 15 points
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R15 [paragraph.3.3.1.5]
Details: The SIDHistory detail can be found in User information and Computer information and a quick summary in SID History
| SID | Object(s) |
|---|---|
| S-1-5-18 | 1 |
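As an added example (not PingCastle's code), the following Python applies the three checks described above to exported account attributes: the PASSWD_NOTREQD bit of userAccountControl, a primaryGroupID outside the defaults listed in the advised solution, and a leftover SIDHistory. It goes one step further than the Stale Objects rules by also flagging a SIDHistory entry whose domain part equals the current domain SID, which is the "same domain" case the Trusts section describes. The domain SID, account names, SIDs and the export format (one dict per object) are constructed sample data.

```python
# Added example, not PingCastle code: offline version of the three checks
# above over exported account attributes. Names, SIDs and the domain SID
# below are constructed sample data.

PASSWD_NOTREQD = 0x20               # userAccountControl bit 32 (see the LDAP filter above)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000       # set on domain controller computer accounts

# Accepted primaryGroupID values, as listed in the advised solution of the
# primary group rule above (these are the RIDs of the default groups).
DEFAULT_PRIMARY_GROUP = {
    "user": {513, 514},
    "computer": {514, 515},
    "dc": {516, 521},
}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE_ACCOUNTS = [  # constructed export, one dict per directory object
    {"sAMAccountName": "alice", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT, "primaryGroupID": 513, "sIDHistory": []},
    {"sAMAccountName": "svc-legacy", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD, "primaryGroupID": 513,
     "sIDHistory": []},
    {"sAMAccountName": "hidden-admin", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT, "primaryGroupID": 512, "sIDHistory": []},
    {"sAMAccountName": "WS01$", "objectClass": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT, "primaryGroupID": 515,
     "sIDHistory": []},
    {"sAMAccountName": "DC01$", "objectClass": "computer",
     "userAccountControl": SERVER_TRUST_ACCOUNT, "primaryGroupID": 516, "sIDHistory": []},
    {"sAMAccountName": "bob", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT, "primaryGroupID": 513,
     "sIDHistory": ["S-1-5-21-9999999999-8888888888-7777777777-1105"]},
    {"sAMAccountName": "mallory", "objectClass": "user",
     "userAccountControl": NORMAL_ACCOUNT, "primaryGroupID": 513,
     "sIDHistory": [DOMAIN_SID + "-512"]},
]


def account_kind(acct):
    """Classify an object as user / computer / dc, matching the rule's defaults."""
    if acct["objectClass"] != "computer":
        return "user"
    if acct["userAccountControl"] & SERVER_TRUST_ACCOUNT:
        return "dc"
    return "computer"


def sid_domain_part(sid):
    """Strip the RID: 'S-1-5-21-a-b-c-1105' -> 'S-1-5-21-a-b-c'."""
    return sid.rsplit("-", 1)[0]


def audit_accounts(accounts, domain_sid):
    """Return (sAMAccountName, finding) pairs for the three rules, in input order."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if acct["userAccountControl"] & PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD is set: the account may have no password"))
        kind = account_kind(acct)
        if acct["primaryGroupID"] not in DEFAULT_PRIMARY_GROUP[kind]:
            findings.append((name, f"non-default primaryGroupID {acct['primaryGroupID']} on a {kind}"))
        for hist in acct["sIDHistory"]:
            if sid_domain_part(hist) == domain_sid:
                # Same-domain SID History cannot come from a normal migration (Trusts section rule).
                findings.append((name, f"sIDHistory {hist} belongs to this domain: investigate"))
            else:
                findings.append((name, f"sIDHistory {hist} still present: migration not cleaned up"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, DOMAIN_SID):
        print(f"{name}: {finding}")
```

The same logic runs unchanged on a real export: feed it the result of the two LDAP queries quoted above (plus primaryGroupID and objectClass) after converting userAccountControl and primaryGroupID to integers.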
The purpose is to ensure that basic users cannot register extra computers in the domain
Technical explanation: By default, a basic user can register up to 10 computers in the domain. This default configuration represents a security issue, as basic users shouldn't be able to create such accounts; this task should be handled by administrators.
Advised solution: To solve the issue, limit the number of extra computers that can be registered by a basic user. It can be reduced by setting the value of ms-DS-MachineAccountQuota to zero (0). Another solution is to remove the Authenticated Users group altogether from the corresponding right in the domain controllers policy. Do note that if you need to delegate to an account so that it can add computers to the domain, it can be done through 2 methods: delegation on the OU, or assigning SeMachineAccountPrivilege to a dedicated group.
Points: 10 points if present
Documentation: http://support.microsoft.com/?id=243327
http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
The purpose is to verify whether Domain Controller(s) are vulnerable to the SMB v1 vulnerability
Technical explanation: The SMB downgrade attack is used to obtain credentials or execute commands on behalf of a user by using SMB v1 as the protocol. Indeed, because SMB v1 supports old authentication protocols, integrity can be bypassed.
Advised solution: It is highly recommended by Microsoft to disable SMB v1 whenever possible, on both the client and the server side. Do note that if you are still not following best practices regarding the usage of deprecated OS (Windows 2000, 2003, XP, CE), network printers using SMBv1 scan2shares functionalities, or software accessing Windows shares with a custom implementation relying on SMB v1, you should consider fixing these issues before disabling SMB v1, as it will generate additional errors.
Points: 10 points if present
Documentation: https://github.com/lgandx/Responder-Windows
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
BSI M 2.412 Schutz der Authentisierung beim Einsatz von Active Directory
ANSSI CERTFR-2017-ACT-019
ANSSI CERTFR-2016-ACT-039
Details: The detail can be found in Domain controllers
| Domain controller |
|---|
| WIN-PGAHI2ECI8E |
Privileged Accounts: 100 / 100
It is about administrators of the Active Directory
The purpose is to ensure that standard users are not granted dangerous privileges
Technical explanation: To perform special operations, the operating system relies on privileges. They can be displayed by running the command: whoami /all.
SeLoadDriverPrivilege can be used to take control of the system by loading a specifically designed driver. This can be performed by low-privileged users, as the driver can be defined in HKCU.
SeTcbPrivilege is the privilege used to "Act on behalf of the operating system". This privilege is reserved to the SYSTEM account; granting it allows any user to act as SYSTEM.
SeDebugPrivilege is the privilege used to debug programs and to access any program's memory. It can be used to create a new process and set its parent process to a privileged one.
SeRestorePrivilege can be used to modify a service running as local system and startable by all users, and point it to a chosen one.
SeBackupPrivilege can be used to back up the Windows registry and then use third-party tools to extract local NTLM hashes.
SeTakeOwnershipPrivilege can be used to take ownership of any securable object in the system, including a service registry key, and then change its ACL to define a service running as LocalSystem.
SeCreateTokenPrivilege can be used to create a custom token with all privileges and can thus be abused like SeTcbPrivilege.
SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege can be abused to impersonate privileged tokens. These tokens can be retrieved by establishing a security context such as a local DCOM DCE/RPC reflection.
SeSecurityPrivilege can be used to clear the security event log and shrink it so that events are flushed sooner. It also allows reading the security log and viewing events where a user swapped the login and the password fields.
Advised solution: Locate the GPO specified in Details and remove the privilege.
Most of the settings are located in:
Computer configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
As an alternative, the file GptTmpl.inf can be manually edited.
Points: 15 points per discovery
Documentation: https://www.romhack.io/slides/RomHack%202018%20-%20Andrea%20Pierini%20-%20whoami%20priv%20-%20show%20me%20your%20Windows%20privileges%20and%20I%20will%20lead%20you%20to%20SYSTEM.pdf
https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
https://github.com/decoder-it/psgetsystem
ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
Details: The detail can be found in Privileges
| GPO | Account | Privilege |
|---|---|---|
| Default Domain Policy | Everyone | SeDebugPrivilege |
| Default Domain Policy | Everyone | SeLoadDriverPrivilege |
| test nfc 2 | Everyone | SeDebugPrivilege |
| test nfc 2 | Everyone | SeLoadDriverPrivilege |
The purpose is to ensure that standard users cannot modify GPOs
Technical explanation: When the group Authenticated Users, Everyone or any similar group has permission to modify a GPO, it can be abused to take control of the accounts to which this GPO applies. It can potentially lead to the compromise of the domain.
Advised solution: Edit the Access Control List (ACL) of the GPO object or of the directory where the items are located. Then remove any write permission given to the group.
Points: 15 points per discovery
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
STIG V-2370 - The access control permissions for the directory service site group policy must be configured to use the required access permissions.
| GPO | Item | Account | Right |
|---|---|---|---|
| Test GPO site | \\WIN-PGAHI2ECI8E.test.mysmartlogon.com\sysvol\test.mysmartlogon.com\Policies\{59C59FC3-6DCA-4659-9842-E9C490088449} | Everyone | FullControl |
| Default Domain Controllers Policy | \\WIN-PGAHI2ECI8E.test.mysmartlogon.com\sysvol\test.mysmartlogon.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI | Authenticated Users | FullControl |
| Default Domain Controllers Policy | \\WIN-PGAHI2ECI8E.test.mysmartlogon.com\sysvol\test.mysmartlogon.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Registry.pol | Authenticated Users | FullControl |
The purpose is to ensure that standard users cannot log on to Domain Controllers
Technical explanation: Domain Controllers are critical components of the Active Directory. If an attacker is able to open a session, he will be able to discover insecure backup media or perform a local privilege escalation to become the DC admin and thus the AD admin.
Local logon usually requires physical interaction, which explains why network segregation is a best practice, but this can be bypassed. Indeed, VNC or remote server management software is a way to perform a local logon remotely.
In addition, remote server management software has been the subject of many vulnerabilities, some of which can be exploited even if the software is disabled.
Advised solution: Locate the GPO specified in Details and remove the privilege "Allow log on locally" or "Allow log on through Remote Desktop Services" from "Everyone", "Authenticated Users", "Domain Users" or "Domain Computers".
The settings are located in:
Computer configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
As an alternative, the file GptTmpl.inf can be manually edited.
Points: 15 points per discovery
Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-locally
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04197764-1
ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
Details: The detail can be found in Privileges
| GPO | Account | Privilege |
|---|---|---|
| Default Domain Controllers Policy | Everyone | SeInteractiveLogonRight |
| Default Domain Controllers Policy | Authenticated Users | SeInteractiveLogonRight |
| Default Domain Controllers Policy | Authenticated Users | SeRemoteInteractiveLogonRight |
The purpose is to ensure that standard users cannot modify login scripts
Technical explanation: When the group Authenticated Users, Everyone or any similar group has permission to modify a login script, it can be abused to take control of the accounts using this script. It can potentially lead to the compromise of the domain.
Advised solution: Edit the Access Control List (ACL) of the script object or of the directory where the file is located. Then remove any write permission given to the group.
Points: 15 points per discovery
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
STIG V-2370 - The access control permissions for the directory service site group policy must be configured to use the required access permissions.
Details: The detail can be found in GPO Login script
| Script | Account | Right |
|---|---|---|
| test.ps1 | Authenticated Users | Modify, Synchronize |
| \\test.mysmartlogon.com\sysvol\test.mysmartlogon.com\bin\test.ps1 | Authenticated Users | Modify, Synchronize |
The purpose is to ensure that there is no control path involving everyone.
Technical explanation:
If you have access to a key server and the helpdesk can reset your password, then the helpdesk has access to the key server.
This is the kind of logic used by attackers to take control of the domain through key infrastructure objects (domain root, ...) or groups (domain administrators, ...).
Permissions are collected and analyzed to produce a control path analysis.
Only write permissions (and specific ones) are used for this analysis.
Then the program identifies which users or computers that are not members of known groups can take control of this object.
To be fast, some trade-offs have been made. For example, users logged on to servers are ignored.
The program may also select paths which are not exploitable, and ignore paths if it cannot read every permission.
[Everyone] includes the anonymous, everyone, authenticated users, domain users, domain computers and builtin-users groups.
Advised solution: You should analyze the chart and determine which underlying object is involved and grants write permissions to everyone.
Then edit the permissions and locate the write permission involved.
Then delete it or replace it according to your delegation model.
Points: 25 points if present
Documentation: https://github.com/BloodHoundAD/BloodHound
https://github.com/ANSSI-FR/AD-control-paths
Details: The detail can be found in Control Paths Analysis
| Group |
|---|
| Certificate Publishers |
| Domain Controllers |
| Domain Root |
The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated"
Technical explanation: Without the flag "This account is sensitive and cannot be delegated", any account can be impersonated by some service account. It is a best practice to enforce this flag on administrator accounts.
Advised solution: To correct the situation, you should make sure that all your Administrator Accounts have the check-box "This account is sensitive and cannot be delegated" ticked. Please note that there is a section below in this report named "Admin Groups" which gives more information.
Points: 20 points if present
Documentation: STIG V-36435 - Delegation of privileged accounts must be prohibited.
Details: The detail can be found in Admin Groups
The purpose is to verify that each delegation is linked to an account which exists
Technical explanation: When a delegation exists whose account can't be translated to an NT account, it means that the delegation is actually from another domain or that the user has been deleted.
Advised solution: To reduce the risk, the easiest way is to remove the delegation
Points: 15 points if present
Details: The detail can be found in Delegations
| DN | delegation | right |
|---|---|---|
| CN=Users,DC=test,DC=mysmartlogon,DC=com | S-1-5-21-4005144719-3948538632-2546531719-1115 | WRITE_PROP_MEMBER, VAL_WRITE_SELF_MEMBERSHIP, EXT_RIGHT_FORCE_CHANGE_PWD |
The purpose is to check that files deployed to computers cannot be changed by everyone.
Technical explanation: Applications provided in MSI form, or files in general, can be deployed by a GPO. If an attacker can modify one of these files, he can take control of the user account.
Advised solution: Locate the file mentioned by the GPO specified in Details and change its permissions.
Points: 5 points per discovery
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
STIG V-2370 - The access control permissions for the directory service site group policy must be configured to use the required access permissions.
Details: The detail can be found in GPO Deployed Files
| GPO | Type | FileName | Account | Right |
|---|---|---|---|---|
| WEF test | Files (User section) | \\test.mysmartlogon.com\sysvol\test.mysmartlogon.com\bin\test.txt | Authenticated Users | Modify, Synchronize |
| WEF test | Application (Computer section) | \\test.mysmartlogon.com\SYSVOL\test.mysmartlogon.com\bin\7z1900.msi | Authenticated Users | Modify, Synchronize |
| WEF test | Application (Computer section) | \\test.mysmartlogon.com\SYSVOL\test.mysmartlogon.com\bin\7z1900.msi | Authenticated Users | Modify, Synchronize |
The purpose is to verify that there is no delegation granted to "Everyone" or to "Authenticated Users"
Technical explanation: To delegate control of an OU, access checks can be modified. In case of a misconfiguration, access can be granted to the group "Everyone" or "Authenticated Users".
Advised solution: Review the delegation to remove this permission and, if needed, set a more targeted group as the recipient of the delegation.
Points: 15 points per discovery
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
STIG V-2370 - The access control permissions for the directory service site group policy must be configured to use the required access permissions.
Details: The detail can be found in Delegations
| DN | delegation | right |
|---|---|---|
| DC=test,DC=mysmartlogon,DC=com | Everyone | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
The purpose is to check that it is not possible to go into recovery mode without the administrator password
Technical explanation: The recovery mode is a special mode allowing an admin to fix an issue preventing the computer from booting. By pressing F8 in the short time span allowed, the computer boots with just a simple command line.
Usually, the administrator password is requested to prevent people with physical access from getting control of the computer. This can typically be done by creating a new user account and adding this account as a member of the administrators group. This rule checks whether any GPO disables this password prompt.
Advised solution: Locate the GPO specified in Details and turn off the setting "Recovery console: Allow automatic administrative logon"
The setting is located in:
Computer configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
As an alternative, the file GptTmpl.inf can be manually edited.
Points: 15 points if present
Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon
STIG V-1159 - The Recovery Console option is set to permit automatic logon to the system.
Details: The detail can be found in Security settings
| GPO |
|---|
| Default Domain Policy |
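Three rules in this section (dangerous privileges, logon rights on Domain Controllers, and the recovery console setting) all point at the same file, GptTmpl.inf, which stores a GPO's User Rights Assignment and Security Options as an INI-style template. As an added example that is not PingCastle's code, the following Python parses such a file and reports what these rules look for: a dangerous privilege or a DC logon right granted to a broad group (Everyone, Authenticated Users, BUILTIN\Users, Domain Users, Domain Computers, recognised by their well-known SIDs or RIDs), and the automatic administrative logon of the recovery console. The template content is constructed; the registry path used for the recovery console value and the `*SID` list syntax follow my understanding of the template format and are assumptions, as is the made-up domain SID in the sample.

```python
# Added example, not PingCastle code: audit a GptTmpl.inf (constructed
# sample below) for the settings the three rules above describe.
import configparser

DANGEROUS_PRIVILEGES = {
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeDebugPrivilege",
    "SeRestorePrivilege", "SeBackupPrivilege", "SeTakeOwnershipPrivilege",
    "SeCreateTokenPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeSecurityPrivilege",
}
DC_LOGON_RIGHTS = {"SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight"}

# Well-known SIDs of the broad groups named in the rules; Domain Users and
# Domain Computers are identified by their RID under the domain SID.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

# Registry value behind "Recovery console: Allow automatic administrative
# logon" (assumed path; the stored value "4,1" means REG_DWORD 1 = enabled).
RECOVERY_CONSOLE_KEY = (r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
                        r"\Setup\RecoveryConsole\SecurityLevel")

# Constructed template; the S-1-5-21-1111-2222-3333 domain SID is made up.
SAMPLE_GPTTMPL = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-1-0,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-11,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-513
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def broad_group(principal):
    """Map a '*SID' entry to a broad-group label, or None for any other principal."""
    sid = principal.strip().lstrip("*")
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        return BROAD_DOMAIN_RIDS.get(sid.rsplit("-", 1)[1])
    return None


def parse_gpttmpl(text):
    """Read the INI-style template; keep key case and disable '%' interpolation."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_gpttmpl(text, gpo_name):
    """Return (gpo, setting, principal, issue) tuples for the three rules."""
    parser = parse_gpttmpl(text)
    findings = []
    if parser.has_section("Privilege Rights"):
        for right, value in parser.items("Privilege Rights"):
            for principal in value.split(","):
                group = broad_group(principal)
                if group is None:
                    continue
                if right in DANGEROUS_PRIVILEGES:
                    findings.append((gpo_name, right, group,
                                     "dangerous privilege granted to a broad group"))
                elif right in DC_LOGON_RIGHTS:
                    findings.append((gpo_name, right, group,
                                     "broad group may log on to the computers in scope"))
    if parser.has_section("Registry Values"):
        value = parser.get("Registry Values", RECOVERY_CONSOLE_KEY, fallback=None)
        if value is not None and value.split(",")[-1].strip() == "1":
            findings.append((gpo_name, "Recovery console: Allow automatic administrative logon",
                             "-", "enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_gpttmpl(SAMPLE_GPTTMPL, "Default Domain Controllers Policy"):
        print(" | ".join(finding))
```

On a real SYSVOL the template lives under `<policy GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` and is usually UTF-16 encoded, so read it with that encoding before handing the text to `audit_gpttmpl`. Entries for Administrators (S-1-5-32-544) are deliberately ignored: the rules are about broad groups, not about the privileges themselves.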
The purpose is to review which accounts have ownership rights on a domain controller and can therefore modify its permissions
Technical explanation: By default, the "Domain Administrators" group or the "Enterprise Administrators" group is set as owner of "Domain Controllers". Nonetheless, in some cases (for instance when the server has been promoted from an existing server), the owner can be a non-admin person who joined the server to the domain. If this person still has rights over this account, it can be used to take ownership of the whole domain. A chain of compromising events can be designed to take control of the domain by including this account.
Advised solution: To solve this security issue, you should change the ownership of the domain controller to the "Domain Administrators" group.
To check the ownership of domain controller objects, you can use the following PowerShell command:
Get-ADComputer -server my.domain.to.check -LDAPFilter "(&(objectCategory=computer)(|(primarygroupid=521)(primarygroupid=516)))" -properties name, ntsecuritydescriptor | select name,{$_.ntsecuritydescriptor.Owner}.
To change it, you can edit the owner of an object using adexplorer.exe. First, locate the DC object, then right-click and select Properties. Open the Security tab and press the Advanced button. A new dialog opens with an Owner tab. Select the owner and change it to the domain administrators group. You're done (no reboot needed).
Points: 10 points if present
Details: The detail can be found in Domain controllers
| Domain controller | Owner |
|---|---|
| CN=ADIANT-A7B9AAC6,CN=Computers,DC=test,DC=mysmartlogon,DC=com | TEST\administrator |
The purpose is to ensure that the password of admin accounts cannot be retrieved using the kerberoast attack.
Technical explanation: To access a service using Kerberos, a user requests from the DC a ticket (named TGS) specific to the service.
However, this ticket is encrypted using a derivative of the service password. The ticket can then be brute-forced to retrieve the original password.
Any account having the SPN attribute populated is considered a service account.
Given that any user can request a ticket for a service account, these accounts can have their password retrieved.
In addition, services are known to have their password not changed on a regular basis and to use well-known words.
Please note that this program skips service accounts whose password was changed less than 40 days ago, to allow a mitigation using a password change process.
Advised solution: If the account is a service account, the service should be removed from the privileged group or have a process to change its password on a regular basis.
If the user is a person, the SPN attribute of the account should be removed.
Points: 5 points per discovery
Documentation: https://adsecurity.org/?p=3466
Details: The detail can be found in Admin Groups
| Group | User |
|---|---|
| Administrators | Adiant |
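As an added example, not PingCastle's code, the following Python applies the rule's selection logic to exported members of privileged groups: an account is reported when it carries a servicePrincipalName and its password was not changed within the last 40 days (or was never set). pwdLastSet is converted from the Windows FILETIME format the directory stores (100-nanosecond ticks since 1601-01-01). The group members, SPNs, host names and the fixed reference date are constructed sample data.

```python
# Added example, not PingCastle code: which privileged accounts the
# kerberoast rule above would report, with the 40-day grace period.
from datetime import datetime, timedelta, timezone

GRACE_DAYS = 40  # from the rule text
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Fixed reference date so the constructed sample is reproducible.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)

SAMPLE_ADMINS = [  # constructed export of privileged group members
    {"group": "Administrators", "sAMAccountName": "adiant",
     "servicePrincipalName": ["MSSQLSvc/db01.test.example:1433"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"group": "Domain Admins", "sAMAccountName": "svc-backup",
     "servicePrincipalName": ["backup/bk01.test.example"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"group": "Domain Admins", "sAMAccountName": "carol",
     "servicePrincipalName": [],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"group": "Enterprise Admins", "sAMAccountName": "svc-legacy",
     "servicePrincipalName": ["HTTP/old.test.example"],
     "pwdLastSet": 0},  # 0 = password never set
]


def kerberoastable_admins(members, now=NOW, grace_days=GRACE_DAYS):
    """Return (group, sAMAccountName) for privileged accounts the rule reports."""
    findings = []
    for m in members:
        if not m["servicePrincipalName"]:
            continue  # no SPN: no TGS can be requested for this account
        if m["pwdLastSet"]:
            age = now - filetime_to_datetime(m["pwdLastSet"])
            if age < timedelta(days=grace_days):
                continue  # recently rotated: treated as mitigated, as the rule allows
        findings.append((m["group"], m["sAMAccountName"]))
    return findings


if __name__ == "__main__":
    for group, name in kerberoastable_admins(SAMPLE_ADMINS):
        print(f"{group}: {name}")
```

In practice the export comes from the members of the groups listed in Admin Groups with the attributes servicePrincipalName and pwdLastSet; a rotation process that runs more often than the grace period keeps an account out of the findings, which is exactly the mitigation the rule text allows for.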
The purpose is to ensure that no specific delegation has been set up to manage the Microsoft DNS.
Technical explanation: Administrators of the DNS Service have the possibility to inject a DLL into this service.
However, this service is hosted most of the time on the domain controller and runs as SYSTEM.
That means that DNS Admins are potentially domain admins.
The security descriptor used to grant admin rights is located in the nTSecurityDescriptor attribute of the object CN=MicrosoftDNS,CN=System.
In this case, an explicit delegation has been set up and this delegation is not using the existing DnsAdmins group.
Advised solution: You should remove the explicit delegation located in the CN=MicrosoftDNS,CN=System container and make the user or group a member of the DnsAdmins group.
Points: 5 points if present
Documentation: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-2955-46dd-a59e-f83ae88f4678
Details: The detail can be found in Delegations
| Account | Right |
|---|---|
| TEST\wrongaccount3 | GenericWrite, DSSelf, Write all prop |
The purpose is to ensure that the operator groups, which can have indirect control of the domain, are empty
Technical explanation: Operator groups (Account Operators, Server Operators, ...) can take indirect control of the domain. Indeed, these groups have write access to critical resources of the domain.
Advised solution: It is recommended to keep these groups empty. Assign administrators to the administrators group. Other accounts should have proper delegation rights on an OU or on the scope they are managing.
Points: Informative rule (0 point)
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R27 [subsection.3.5]
Details: The detail can be found in Admin Groups
| Group | Members |
|---|---|
| Account Operators | 1 |
Trusts: 100 / 100
It is about links between two Active Directories
The purpose is to ensure that accounts are not linked to more privileged accounts in the same domain
Technical explanation: SID History is an attribute used in migrations to link with a former account. It is not possible to have an account linked with an account belonging to the same domain. This can be analyzed by comparing the domain part of the SID History with the domain SID.
Advised solution: This occurrence is not possible, except if a user from domain A has been migrated to domain B and then migrated again to domain A. This should be strongly investigated as it may be linked to a compromise of the domain.
Points: 50 points if present
Documentation: ANSSI - Recommandations de sécurité relatives à Active Directory - R15 [paragraph.3.3.1.5]
The purpose is to check whether all trusts are protected using the functionality named SID Filtering
Technical explanation: SID Filtering is a mechanism used to block accounts presenting a SID History property. SID History is used to link an existing account to another account and can be used to propagate a compromise through trusts. SID Filtering for a domain-to-domain trust is called a quarantine and is disabled by default. SID Filtering for a forest trust is enabled by default, and disabling it is called "enabling SID History".
The algorithm to compute the SID Filtering status is:
get the attributes trustDirection and trustAttributes of the trust object.
if the direction is 0 or 1, or if the trust is intra-forest (trustAttributes & 32 != 0), then SID Filtering is not applicable.
Then, if the trust is a forest trust (trustAttributes & 8 != 0), check whether /enablesidhistory has been enabled (trustAttributes & 64 != 0).
If enabled: SID Filtering is deactivated.
Else, if not a forest trust (trustAttributes & 8 == 0), check for the quarantined attribute (trustAttributes & 4 != 0).
If the quarantine flag is set, SID Filtering is enabled.
You can use the following PowerShell command to get its status:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetSidFilteringStatus('my.domain.to.test.local')
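The algorithm above, written out as an added Python example (not PingCastle's code) that can be run offline over the trustDirection and trustAttributes values exported from the trust objects. It also maps each unfiltered trust to the netdom switch the advised solution prescribes and applies the scoring thresholds of this rule. The constant names are mine and follow the bit values given in the algorithm; the trust names and attribute values in the sample are constructed.

```python
# Added example, not PingCastle code: the SID Filtering decision above as
# code. Bit values are the ones quoted in the algorithm; the symbolic names
# are my own. Sample trusts are constructed.

TRUST_DIRECTION_DISABLED = 0
TRUST_DIRECTION_INBOUND = 1          # remote domain trusts us only: nothing to filter here
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04    # "trustAttributes & 4"
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08     # "trustAttributes & 8"
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20         # "trustAttributes & 32"
TRUST_ATTRIBUTE_SID_HISTORY_ENABLED = 0x40   # "trustAttributes & 64", set by /enablesidhistory


def sid_filtering_status(trust_direction, trust_attributes):
    """Return 'not applicable', 'enabled' or 'disabled', following the rule's algorithm."""
    if trust_direction in (TRUST_DIRECTION_DISABLED, TRUST_DIRECTION_INBOUND):
        return "not applicable"
    if trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "not applicable"
    if trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        # Forest trust: filtering is on unless SID History has been enabled.
        if trust_attributes & TRUST_ATTRIBUTE_SID_HISTORY_ENABLED:
            return "disabled"
        return "enabled"
    # Domain (external) trust: filtering is on only when quarantined.
    if trust_attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
        return "enabled"
    return "disabled"


def advised_netdom_setting(trust_attributes):
    """The netdom trust switch the advised solution prescribes for this trust type."""
    if trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "/enablesidhistory:no"   # never /quarantine on a forest trust
    return "/quarantine:yes"


def score_unfiltered_trusts(trusts):
    """List trusts without SID Filtering and the points this rule assigns."""
    unfiltered = [t["name"] for t in trusts
                  if sid_filtering_status(t["trustDirection"], t["trustAttributes"]) == "disabled"]
    n = len(unfiltered)
    points = 100 if n >= 4 else 80 if n >= 2 else 50 if n >= 1 else 0
    return unfiltered, points


SAMPLE_TRUSTS = [  # constructed: name, trustDirection, trustAttributes
    {"name": "ext.example", "trustDirection": 3, "trustAttributes": 0},
    {"name": "partner.example", "trustDirection": 3,
     "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE | TRUST_ATTRIBUTE_SID_HISTORY_ENABLED},
    {"name": "corp.example", "trustDirection": 3, "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE},
    {"name": "child.example", "trustDirection": 3, "trustAttributes": TRUST_ATTRIBUTE_WITHIN_FOREST},
    {"name": "legacy.example", "trustDirection": 1, "trustAttributes": 0},
    {"name": "old.example", "trustDirection": 2, "trustAttributes": TRUST_ATTRIBUTE_QUARANTINED_DOMAIN},
]


if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        status = sid_filtering_status(t["trustDirection"], t["trustAttributes"])
        fix = advised_netdom_setting(t["trustAttributes"]) if status == "disabled" else "-"
        print(f"{t['name']:18} {status:15} {fix}")
    print(score_unfiltered_trusts(SAMPLE_TRUSTS))
```

The sample yields two unfiltered trusts (an external trust that was never quarantined, and a forest trust with SID History enabled), which is the 80-point tier of this rule; the other four are either already filtered or out of scope because they are inbound-only or intra-forest.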
A trust without SID Filtering means either that a migration is in progress or that the domain can be compromised instantly via the trust.
Advised solution: The solution is to complete existing migrations ASAP and enable the SID Filtering feature.
If the trust is a domain trust, you should use netdom /quarantine and set it to yes.
If the trust is a forest trust, you should use netdom /enablesidhistory and set it to no.
Do not apply /quarantine on a forest trust: you will break the transitivity of the trust.
Points: 100 points if the occurrence is greater than or equal to 4,
then 80 points if the occurrence is greater than or equal to 2,
then 50 points if present
Documentation: https://msdn.microsoft.com/en-us/library/cc237940.aspx
ANSSI - Recommandations de sécurité relatives à Active Directory - R16 [paragraph.3.3.1.6]
STIG V-8538 - Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
BSI M 4.314 Sichere Richtlinieneinstellungen für Domänen und Domänen-Controller
Details: The detail can be found in the Trusts section
| Trust |
|---|
| mil |
The purpose is to verify that every trust has a remote domain which is active.
Technical explanation: When a trust is active, it uses a shared secret to communicate with the remote domain. This secret is held in a special account whose name is the remote domain name. This password is changed every month and, as a consequence, the whenChanged attribute of this account is updated. When there is no modification of the whenChanged attribute, it can be guessed that the secret has not been changed and that there was either a problem with the remote domain or that the remote domain does not exist anymore.
Advised solution: Check for network connectivity issues with the remote domain, or whether the remote domain still exists. If it doesn't exist anymore, the trust should be removed. Indeed, the secret used by the trust can be used to issue fake Kerberos tickets and thus serve as a backdoor.
Points: 20 points if present
Documentation: https://msdn.microsoft.com/fr-fr/library/ms680921(v=vs.85).aspx
Details: The detail can be found in the Trusts section
| Trust |
|---|
| mil |
| test4.mysmartlogon.com |
The purpose is to ensure that SID History creation is not enabled
Technical explanation:To migrate accounts to another domain, the SID History attribute should be added to the new account. Although numerous hacking tools such as mimikatz allow the creation of the SID History attribute, its official creation requires the presence of a special auditing group named DOMAIN-$$$, such as TEST-$$$ for the TEST domain.
Advised solution:If a migration is in progress, declare it in PingCastle so this rule won't be triggered. Otherwise, remove this auditing group. You can locate it with the LDAP query (sAMAccountName=*$$$)
Points:5 points if present
Documentation:ANSSI - Recommandations de sécurité relatives à Active Directory - R15 [paragraph.3.3.1.5]
Anomalies : 100 /100
It is about specific security control points
The purpose is to alert when a clear text password has been identified in a GPO. Whether or not the password is still present, both the account and the password should be considered compromised
Technical explanation:A check is performed to identify passwords in GPOs. If a password is identified by the PingCastle solution, it can be identified by attackers through many other means, and the account should be considered compromised.
Do note that the AES key used to encrypt passwords in GPOs has been made public for interoperability reasons, which is why even an encrypted password is compromised. It has been published on the Microsoft page referenced in the documentation below.
To solve this issue, you should manually change the password to a new one. If this password is shared on many systems, each system should be given a different password. If the GPO was used to define the native local administrator account, it is recommended to install a password management solution such as LAPS.
Points:20 points per discovery
Documentation:https://msdn.microsoft.com/en-us/library/cc422924.aspx
ANSSI CERTFR-2015-ACT-046
The detail can be found in the Obfuscated Passwords section
| GPO | login | password |
|---|---|---|
| test nfc 2 | administrator | vletoux |
| test nfc 2 | adiant | vletoux |
| test nfc 2 | test | test |
| WEF test | ssss | dddd |
The purpose is to alert when the password of the krbtgt account can be used to compromise the whole domain. This password is used to sign every Kerberos ticket. Monitoring it closely greatly mitigates the risk of golden ticket attacks.
Technical explanation:Kerberos is an authentication protocol. To sign its tickets, it uses a secret stored as the password of the krbtgt account. If the hash of the krbtgt password is retrieved, it can be used to generate authentication tickets at will.
To mitigate this attack, it is recommended to change the krbtgt password every 40 days. If this is not the case, every backup taken before the last password change of the krbtgt account can be used to forge Golden tickets, compromising the entire domain.
Retrieving this secret is one of the highest priorities in an attack, as this password is rarely changed and offers a long-term backdoor.
This attack can also be performed using the former password of the krbtgt account. That's why the krbtgt password should be changed twice to invalidate a leak and defeat the golden ticket attack.
Beware: two changes of the krbtgt password that have not been replicated to all domain controllers can break those domain controllers. You should wait at least 8 hours between each krbtgt password change.
There are several ways to change the krbtgt password.
First, a Microsoft script can be run to guarantee the correct replication of these secrets. Unfortunately this script supports only English operating systems.
Second, a more manual way is to reset the password manually once, wait 3 days, then reset it again. This is the safest way, as it ensures the password is no longer usable by the Golden ticket attack.
Points:50 points if the occurrence is greater than or equal to 732
then 40 points if the occurrence is greater than or equal to 366
then 30 points if the occurrence is greater than or equal to 180
then 20 points if the occurrence is greater than or equal to 70
Documentation:https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51
ANSSI CERTFR-2014-ACT-032
The detail can be found in the Krbtgt section
The purpose is to make sure that requiring Smart Cards doesn't degrade password rotation
Technical explanation:Using a Smart Card to protect sensitive accounts is a good thing. Nevertheless, when the "Smart Card required" flag is set, the password of the account is no longer changed by default. Internally, the hash of this password is used to sign the user's Kerberos tickets, making this account vulnerable to Silver ticket attacks. The rule is triggered 90 days after the last change of the unicodePwd attribute. This value is collected using the replication metadata of attribute 589914
Advised solution:There are 3 solutions to fix this issue, the most obvious being to change the user password on a regular basis. The fastest way is to check whether the domain has the attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts, which is available on Windows 2016 and later versions and handles periodic hash changes. Another possibility, instead of changing the password, is to disable the flag "this account requires a smart card" and then re-enable it, which internally triggers a password hash change.
Points:30 points if present
Documentation:https://blogs.technet.microsoft.com/positivesecurity/2017/05/17/smartcard-and-pass-the-hash/
ANSSI - Recommandations de sécurité relatives à Active Directory - R38 [paragraph.3.6.2.2]
STIG V-72821 - All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
The detail can be found in the Smart Card and Password section
The purpose is to check that the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods
Technical explanation:A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reason backups are needed to perform a rollback (rebuild a domain) or to track past changes, the backups will then actually be up to date. This check is equivalent to REPADMIN /showbackup *.
Advised solution:Plan AD backups based on Microsoft standards. These standards depend on the Operating System. For example, with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:
Points:15 points if the occurrence is greater than or equal to 7
Documentation:https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in the Backup section
The purpose is to ensure that there are no rogue admin accounts in the Active Directory
Technical explanation:A check is performed on non-admin accounts to identify whether they have the admincount attribute set. If they do, it means that this account, which is not supposed to be an admin, has been granted administrator rights in the past. This typically happens when an administrator gives temporary rights to a normal account, outside of any process.
Advised solution:These accounts should be reviewed, especially with regard to their past activities, and have the admincount attribute removed. To identify which accounts are detected by this rule, we advise running a PowerShell command that will show all users having this flag set: get-adobject -ldapfilter "(admincount=1)"
Do not forget to look at the AdminSDHolder section below.
Points:50 points if the occurrence is greater than or equal to 50
then 45 points if the occurrence is greater than or equal to 45
then 40 points if the occurrence is greater than or equal to 40
then 35 points if the occurrence is greater than or equal to 35
then 30 points if the occurrence is greater than or equal to 30
then 25 points if the occurrence is greater than or equal to 25
then 20 points if the occurrence is greater than or equal to 20
then 15 points if present
Documentation:https://msdn.microsoft.com/en-us/library/ms675212(v=vs.85).aspx
ANSSI - Recommandations de sécurité relatives à Active Directory - R40 [paragraph.3.6.3.1]
The detail can be found in the AdminSDHolder User List
The purpose is to verify that the password policy of the domain requires users to have at least 8 characters in their password
Technical explanation:A check is performed to identify whether the GPO defining the password policy allows passwords shorter than 8 characters. Short passwords represent a high risk because they can fairly easily be brute-forced. Most CERTs and agencies advise at least 8 characters (and often this number goes up to 12)
Advised solution:To solve the issue, the best way is either to remove the GPO allowing short passwords, or to modify it to increase the minimum password length to at least 8 characters
Points:10 points if present
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
BSI M 4.314 Sichere Richtlinieneinstellungen für Domänen und Domänen-Controller
The detail can be found in the Password policies section
| GPO |
|---|
| Default Domain Controllers Policy |
| Default Domain Policy |
| test nfc 2 |
| PSO:test |
The purpose is to ensure that the audit policy on domain controllers collects the right set of events.
Technical explanation:To detect and mitigate an attack, the right set of events needs to be collected.
The audit policy is a compromise between collecting too many and too few events.
To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.
Identify the audit settings to apply and fix them.
Beware that there are two places for audit settings:
a) in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
b) in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Points:10 points if present
Documentation:https://adsecurity.org/?p=3299
Details:The detail can be found in Audit settings
| Audit | Problem | Rationale |
|---|---|---|
| Audit Policy Change | No GPO check for audit success | Collect event 4908, to track special groups such as "administrators" |
| Audit object access | No GPO check for audit success | Collect event 4698, 4699, 4702 to track schedule tasks lifecycle |
| Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key |
| Detailed Tracking / Process Creation | No GPO check for audit success | Collect event 4688 to get the history of executed programs |
| Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one |
The purpose is to check whether the Active Directory can be accessed without any account, aka NULL Sessions. A NULL Session is a session opened anonymously to access the AD, often used by attackers to perform reconnaissance on the AD and identify weaknesses
Technical explanation:Unlike other rules which check for known causes of anonymous access, this rule tries to enumerate accounts from the domain without any account. The program uses two methods: MS-SAMR with a NULL connection and MS-LSAT, which forces SID resolution with well-known SIDs.
NULL sessions have been deactivated by default since Windows 2003 and Windows XP. For compatibility reasons, a setting enabling them may still be active years later.
It is possible to verify the results provided by the PingCastle solution using a Kali distribution. You should run [rpcclient -U "" target_ip_address], press enter at the password prompt and finally type [enumdomusers].
Locate other PingCastle rules such as A-PreWin2000Anonymous or A-DsHeuristicsAnonymous which were triggered and apply their solutions. You can use the PingCastle scanner mode to do a manual check and prove the extraction of the data.
Points:10 points if present
Documentation:https://www.sans.org/reading-room/whitepapers/windows/null-sessions-nt-2000-286
BSI M 2.412 Schutz der Authentisierung beim Einsatz von Active Directory
STIG V-14798 - Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
The detail can be found in the Domain controllers and Null Session sections
| Domain controller |
|---|
| WIN-PGAHI2ECI8E |
The purpose is to ensure that no DC uses weak SSL protocols when acting as a server.
Technical explanation:SSL version 2 and SSL version 3 are considered weak and it is strongly advised to disable them.
The SSL protocols in Windows are provided by the Schannel component.
The Schannel component needs to be tuned so that it does not propose these weak protocols. Many guidelines issued by Microsoft to handle this problem do not talk about Schannel but rather about IIS. These guidelines are quoted in the documentation section below.
PingCastle is able to check the SSL version if LDAPS is exposed. LDAPS is automatically exposed once a certificate is available for the DC and the service has been restarted.
Please note that PingCastle uses the native .Net SSL stack to perform this test. .Net starts ignoring these weak protocols from version 4.7 of the framework and, as a consequence, PingCastle may miss some weak protocol detections.
To test these protocols, you can use openssl with the following commands:
openssl s_client -connect dc.domain.local:636 -ssl2
openssl s_client -connect dc.domain.local:636 -ssl3
Apply Windows updates and registry tweaks described in the documentation section to disable the weak SSL protocols.
Points:10 points if present
Documentation:https://social.technet.microsoft.com/wiki/contents/articles/2249.windows-server-20082008r2-how-to-disable-sslv2-on-domain-controller-dsforum2wiki.aspx
https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
https://adsecurity.org/?p=376
The detail can be found in the Domain controllers section
| DC | Protocol |
|---|---|
| WIN-PGAHI2ECI8E | Ssl2 |
| WIN-PGAHI2ECI8E | Ssl3 |
The purpose is to check whether a GPO enables the weak LM password hash algorithm, which the NTLM v1 authentication protocol can use.
Technical explanation:LM hash, or LAN Manager hash, is a hash algorithm used by Microsoft since Windows 3.1. Due to design flaws, hashes retrieved from the network can be reversed to the clear text password in a matter of seconds.
Advised solution:A GPO explicitly disables the default security setting LmCompatibilityLevel or NoLMHash. Using the information provided, identify the setting modified in the GPO and fix it.
All security settings should be modified in the Domain GPO Editor and are located in Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options
For NoLMHash the setting is: Network security: Do not store LAN Manager hash value on next password change
For LmCompatibilityLevel the setting is: Network security: LAN Manager authentication level
Points:5 points if present
Documentation:BSI M 2.412 Schutz der Authentisierung beim Einsatz von Active Directory
STIG V-3379 - The system is configured to store the LAN Manager hash of the password in the SAM.
ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]
The detail can be found in the Security settings section
| GPO | Setting |
|---|---|
| Default Domain Policy | NoLMHash |
The purpose is to check that the integrity of the LDAP network protocol has not been explicitly disabled.
Technical explanation:The LDAP signature feature ensures the integrity of the network communication between the computer and the domain controller.
Hackers aim at intercepting the communication at the network layer and modifying the network dialog to grant themselves admin privileges.
The goal of this feature is to defeat these attacks.
Unfortunately, not all devices support LDAP signature. That's why the best practice is to Require Signature if possible or, at least, to try to negotiate it.
In this case, the LDAP signature feature is configured to None (no negotiation), which can enable hackers to perform their attacks.
Locate the GPO specified in Details and change the setting "Network security: LDAP client signing requirements".
Disable this setting, or set it to "Negotiate signing" or "Require Signature".
The setting is located in:
Computer configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
As an alternative, the file GptTmpl.inf can be edited manually.
Points:5 points if present
Documentation:https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements
BSI M 2.412 Schutz der Authentisierung beim Einsatz von Active Directory
ANSSI CERTFR-2015-ACT-021
STIG V-3381 - The Recovery Console option is set to permit automatic logon to the system.
The detail can be found in the Security settings section
| GPO |
|---|
| Default Domain Policy |
The purpose is to identify domains which allow access without any account because of Pre-Windows 2000 compatibility.
Technical explanation:When a Windows 2003 DC is promoted, a pre-Windows 2000 compatibility setting can be enabled through the wizard. If it is enabled, the wizard adds "Everyone" and "Anonymous" to the pre-Windows 2000 compatible access group and, by doing so, authorizes the domain to be queried without an account (null session)
It is possible to verify the results provided by the PingCastle solution using a Kali distribution. You should run [rpcclient -U "" target_ip_address], press enter at the password prompt and finally type [enumdomusers].
Remove "Everyone" and "Anonymous" from the Pre-Windows 2000 compatible access group while making sure that the group "Authenticated Users" is present. Then reboot each DC.
Points:5 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
STIG V-8547 - The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
BSI M 2.412 Schutz der Authentisierung beim Einsatz von Active Directory
The purpose is to ensure that the SHA1 hashing algorithm is not used in intermediate certificates
Technical explanation:The SHA1 hashing algorithm is not considered safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less time than a brute-force search
Advised solution:To solve the matter, the certificate should be removed from the GPO and, if needed, certificates depending on it should be reissued.
Points:1 point if present
Documentation:https://tools.ietf.org/html/rfc6194
STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
The detail can be found in the Certificates section
| GPO | Subject |
|---|---|
| GPO:Default Domain Policy;Machine | SERIALNUMBER=200804, CN=Foreigner CA, C=BE |
| GPO:Default Domain Policy;Machine | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US |
| GPO:Default Domain Policy;Machine | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
| NTLMStore | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
| NTLMStore | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US |
| NTLMStore | CN=COMODO Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
The purpose is to ensure that the local name resolution protocol (LLMNR) cannot be used to collect credentials through a network attack
Technical explanation:LLMNR is a protocol which translates names such as foo.bar.com into an IP address. LLMNR has been designed to translate names locally in case the default protocol, DNS, is not available.
In Active Directory, DNS is mandatory, which makes LLMNR useless.
Attacks on LLMNR exploit typing mistakes or faster response times to redirect users to a specially crafted share, server or website.
Being trusted, this service triggers the single sign-on procedure, which can be abused to retrieve the user's credentials.
LLMNR is enabled by default on all OS versions except Windows 10 v1903, Windows Server v1903 and later, where it is disabled.
Enable the GPO "Turn off multicast name resolution" and check that no GPO overrides this setting.
(if that is the case, the policy involved will be displayed below)
Informative rule (0 point)
Details:The detail can be found in the Security settings section
| GPO |
|---|
| Default Domain Policy |
The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ character password for these accounts greatly helps reduce the risk of a Kerberoast attack (offline cracking of TGS tickets)
Technical explanation:The rule is purely informative, as it gives insights regarding a best practice. It verifies whether there is a GPO or PSO enforcing a 20+ character password for Service Accounts.
Advised solution:The recommended way to handle service accounts is to use "Managed service accounts", introduced with Windows 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO guaranteeing a password length of 20+ characters.
Informative rule (0 point)
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
Details:The detail can be found in the Password Policies section
The purpose is to ensure that PowerShell logging is enabled.
Technical explanation:PowerShell is a powerful language, and hackers use it for the same reason. They are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke-Mimikatz.
Because there is no artefact on the disk, the incident response task is difficult for forensic analysts.
For this reason, we recommend enabling PowerShell logging via a group policy, even if these security settings may already be part of the workstation or server images.
Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
and enable "Turn on Module Logging" and "Turn on PowerShell Script Block Logging".
We recommend setting "*" as the module list.
Informative rule (0 point)
Documentation:https://adsecurity.org/?p=2604
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
STIG V-68819 - PowerShell script block logging must be enabled
The detail can be found in the Security settings section
The purpose is to ensure that the schema has been updated for the creation of the Protected Users group.
Technical explanation:The Protected Users group is a special group which is a very effective mitigation against credential theft attacks, starting with Windows 8.1. Older operating systems must be updated to take this protection into account, for example with the KB2871997 patch for Windows 7.
Advised solution:The Protected Users group is automatically created when a Windows 2012 R2 domain controller is installed and promoted to PDC (primary DC). The group is then automatically created and replicated.
Warning: Do not add service accounts to this group, as this will result in "authentication failure" messages. Use "protected accounts" instead
Informative rule (0 point)
Documentation:https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
ANSSI CERTFR-2017-ALE-012
STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
The schema version is indicated in the Domain Information section
The purpose is to ensure that the SHA1 hashing algorithm is not used in root certificates
Technical explanation:The SHA1 hashing algorithm is not considered safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less time than a brute-force search
Advised solution:To solve the matter, the certificate should be removed from the GPO and, if needed, certificates depending on it should be reissued.
Points:Informative rule (0 point)
Documentation:https://tools.ietf.org/html/rfc6194
STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
The detail can be found in the Certificates section
| GPO | Subject |
|---|---|
| GPO:Default Domain Policy;Machine | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE |
| GPO:Default Domain Policy;Machine | CN=Belgium Root CA2, C=BE |
| GPO:Default Domain Policy;Machine | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE |
| GPO:Default Domain Policy;Machine | CN=CA, DC=test, DC=mysmartlogon, DC=com |
| GPO:Default Domain Policy;Machine | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI |
| NTLMStore | CN=CA, DC=test, DC=mysmartlogon, DC=com |
| NTLMStore | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE |
| NTLMStore | CN=Belgium Root CA2, C=BE |
| NTLMStore | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI |
| NTLMStore | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE |
| NTLMStore | CN=CA, DC=test, DC=mysmartlogon, DC=com |
This section shows the main technical characteristics of the domain.
| Domain | Netbios Name | Domain Functional Level | Forest Functional Level | Creation date | DC count | Schema version | Recycle Bin enabled |
|---|---|---|---|---|---|---|---|
| test.mysmartlogon.com | TEST | Windows Server 2008 R2 | Windows Server 2008 R2 | 2012-03-03 18:12:40Z | 2 | Windows Server 2008 R2 | TRUE |
This section gives information about the user accounts stored in the Active Directory
A honey pot has been configured. It is used to generate fake security issues that are heavily monitored and that a hacker will spot using security tools like PingCastle. When this feature is enabled, the accounts listed below are not evaluated by PingCastle rules.
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| HoneyPot | 2020-01-18 10:07:42Z | Never | CN=Honey Pot,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| HoneyPotInexistant | Access Denied | Never | |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| 123456789 | 2017-11-15 13:47:44Z | Never | CN=tata yoyo.123456789,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| ADHealthCheck$ | 2016-12-03 10:22:26Z | Never | CN=ADHealthCheck,CN=Managed Service Accounts,DC=test,DC=mysmartlogon,DC=com |
| BlueHat | 2018-01-19 15:23:37Z | Never | CN=BlueHat,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| HINSON | 2014-11-30 16:02:50Z | Never | CN=Kimberly Hinson,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| min | 2014-06-21 21:19:29Z | 2014-07-03 21:24:07Z | CN=min,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| testitb1 | 2019-04-06 11:31:38Z | 2019-04-06 13:33:30Z | CN=testitb,CN=Builtin,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount1 | 2015-06-26 10:20:33Z | Never | CN=wrongAccount1,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount10 | 2018-08-20 14:22:43Z | Never | CN=wrongaccount10,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount2 | 2015-06-26 10:20:48Z | Never | CN=wrongAccount2,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount3 | 2015-06-26 11:13:15Z | Never | CN=wrongaccount3,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount5 | 2015-06-26 15:47:18Z | Never | CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount6 | 2015-06-26 15:47:35Z | Never | CN=wrongAccount6,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount7 | 2015-06-27 07:26:05Z | 2015-06-27 09:27:23Z | CN=wrongAccount7,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount8 | 2016-03-28 10:40:52Z | Never | CN=wrongaccount8,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount9 | 2016-03-30 13:02:35Z | Never | CN=wrongaccount9,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| Administrator | 2012-03-03 18:13:00Z | 2019-08-26 13:56:05Z | CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| HINSON | 2014-11-30 16:02:50Z | Never | CN=Kimberly Hinson,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| min | 2014-06-21 21:19:29Z | 2014-07-03 21:24:07Z | CN=min,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| test | 2013-03-31 11:33:16Z | 2019-11-11 11:52:36Z | CN=test,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| test2 | 2019-03-23 07:19:15Z | 2020-01-12 14:26:14Z | CN=test2,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| testitb1 | 2019-04-06 11:31:38Z | 2019-04-06 13:33:30Z | CN=testitb,CN=Builtin,DC=test,DC=mysmartlogon,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| BlueHat | 2018-01-19 15:23:37Z | Never | CN=BlueHat,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| test | 2013-03-31 11:33:16Z | 2019-11-11 11:52:36Z | CN=test,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount8 | 2016-03-28 10:40:52Z | Never | CN=wrongaccount8,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| BlueHat | 2018-01-19 15:23:37Z | Never | CN=BlueHat,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| SID History from domain | First date seen | Last date seen | Count |
|---|---|---|---|
| S-1-5-18 | 2013-03-31 11:33:16Z | 2013-03-31 11:33:16Z | 1 |
| test.mysmartlogon.com | 2016-03-28 10:40:52Z | 2018-01-19 15:23:37Z | 2 |
This section gives information about the computer accounts stored in the Active Directory
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| ADIANT-2CC70D66$ | 2013-04-01 09:32:22Z | 2013-04-01 11:32:26Z | CN=ADIANT-2CC70D66,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| ADIANT-A7B9AAC6$ | 2013-04-01 10:10:33Z | 2018-11-09 07:29:04Z | CN=ADIANT-A7B9AAC6,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| ADIANT-VIRTUAL-$ | 2019-01-27 12:57:02Z | 2019-01-27 13:57:02Z | CN=ADIANT-VIRTUAL-,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| TEST$ | 2019-01-27 09:40:38Z | 2019-01-27 10:40:41Z | CN=TEST,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| WIN-1MLHM2RAF4U$ | 2012-03-03 18:24:33Z | 2019-03-09 18:00:28Z | CN=WIN-1MLHM2RAF4U,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| WINDOWS7X86$ | 2012-03-03 22:07:05Z | 2016-09-15 23:54:27Z | CN=WINDOWS7X86,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| ADIANT-VIRTUAL-$ | 2019-01-27 12:57:02Z | 2019-01-27 13:57:02Z | CN=ADIANT-VIRTUAL-,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| TEST$ | 2019-01-27 09:40:38Z | 2019-01-27 10:40:41Z | CN=TEST,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| ADIANT-A7B9AAC6$ | 2013-04-01 10:10:33Z | 2018-11-09 07:29:04Z | CN=ADIANT-A7B9AAC6,CN=Computers,DC=test,DC=mysmartlogon,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| WIN-PGAHI2ECI8E$ | 2012-03-03 18:17:15Z | 2020-01-12 14:24:39Z | CN=WIN-PGAHI2ECI8E,OU=Domain Controllers,DC=test,DC=mysmartlogon,DC=com |
| Operating System | Nb OS | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb unconstrained delegations | Nb Reversible password |
|---|---|---|---|---|---|---|---|---|---|
| Windows XP | 2 | 2 | 0 | 0 | 2 | 0 | 1 | 0 | 0 |
| Windows 7 | 3 | 3 | 0 | 1 | 2 | 0 | 0 | 0 | 0 |
| Windows 10 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
| Windows 2008 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
| OperatingSystem not set | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Ubuntu Desktop Linux | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
Here is a specific zoom related to the Active Directory servers: the domain controllers.
| Domain controller | Operating System | Creation Date ? | Startup Time | Uptime | Owner ? | Null sessions ? | SMB v1 ? | Remote spooler ? | FSMO role ? |
|---|---|---|---|---|---|---|---|---|---|
| WIN-PGAHI2ECI8E | Windows 2008 | 2012-03-03 18:17:15Z | 2019-09-03 17:41:16Z | 136 days | TEST\Domain Admins | YES | YES | NO | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master |
| ADIANT-A7B9AAC6 | Windows XP | 2013-04-01 10:10:33Z | Inactive ? | | TEST\administrator | NO | NO | NO | |
This section is focused on the groups which are critical for admin activities. If the report has been saved with the full details, each group can be zoomed with its members. If it is not the case, for privacy reasons, only general statistics are available.
| Group Name | Nb Admins ? | Nb Enabled ? | Nb Disabled ? | Nb Inactive ? | Nb PWd never expire ? | Nb Smart Card required ? | Nb Service accounts ? | Nb can be delegated ? | Nb external users ? |
|---|---|---|---|---|---|---|---|---|---|
| Account Operators | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 |
| Administrators | 6 | 5 | 1 | 3 | 1 | 1 | 1 | 4 | 0 |
| Backup Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Publishers | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Domain Administrators | 5 | 4 | 1 | 2 | 1 | 1 | 1 | 3 | 0 |
| Enterprise Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Print Operators | 2 | 2 | 0 | 1 | 2 | 0 | 0 | 2 | 0 |
| Schema Administrators | 2 | 2 | 0 | 0 | 1 | 0 | 1 | 1 | 0 |
| Server Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| SamAccountName ? | Enabled ? | Active ? | Pwd never Expired ? | Locked ? | Smart Card required ? | Service account ? | Flag Cannot be delegated present ? | Distinguished name ? |
|---|---|---|---|---|---|---|---|---|
| Adiant | YES | YES | NO | NO | NO | YES | NO | CN=Adiant,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| Administrator | YES | YES | YES | NO | NO | NO | YES | CN=Administrator,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| test2 | YES | YES | YES | NO | NO | NO | NO | CN=test2,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| teste ( | NO | NO | NO | NO | NO | NO | YES | CN=New Object with (dsg,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| testitb1 | YES | NO | YES | NO | NO | NO | NO | CN=testitb,CN=Builtin,DC=test,DC=mysmartlogon,DC=com |
| tset ☺☻♥♦♣♠•◘○◙♂♀♪♫☼ | YES | NO | NO | NO | NO | NO | NO | CN=test ☺☻♥♦♣♠•◘○◙♂♀♪♫☼►◄↕‼¶§▬↨↑↓→←∟↔▲▼,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount1 | YES | NO | NO | NO | NO | NO | NO | CN=wrongAccount1,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount5 | YES | NO | NO | NO | YES | NO | NO | CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount8 | YES | NO | NO | NO | NO | NO | NO | CN=wrongaccount8,CN=Users,DC=test,DC=mysmartlogon,DC=com |
The specific rights defined for each Organizational Unit (OU) are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| DC=test | Everyone | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| DC=test | TEST\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL |
| CN=MicrosoftDNS,CN=System | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=MicrosoftDNS,CN=System | TEST\DnsAdmins | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=MicrosoftDNS,CN=System | TEST\wrongaccount3 | GenericWrite, DSSelf, Write all prop |
| CN=RAS and IAS Servers Access Check,CN=System | TEST\RAS and IAS Servers | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=WMIPolicy,CN=System | TEST\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| CN=SOM,CN=WMIPolicy,CN=System | TEST\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| CN=Users | S-1-5-21-4005144719-3948538632-2546531719-1115 | WRITE_PROP_MEMBER, VAL_WRITE_SELF_MEMBERSHIP, EXT_RIGHT_FORCE_CHANGE_PWD |
| OU=TestOU | TEST\Adiant | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| OU=TestOU | TEST\wrongAccount6 | GenericAll, GenericWrite, WriteDacl, WriteOwner, WRITE_PROP_MEMBER, VAL_WRITE_SELF_MEMBERSHIP |
| OU=TestOU | TEST\wrongAccount7 | EXT_RIGHT_FORCE_CHANGE_PWD |
| OU=TestOU | TEST\wrongaccount9 | EXT_RIGHT_FORCE_CHANGE_PWD |
This section focuses on permissions issues that can be exploited to take control of the domain.
This is an advanced section that should be examined after having looked at the Admin Groups section.
This analysis focuses on accounts found in control path and located in other domains.
No operative link with other domains has been found.
This part tries to summarize in a single table whether major issues have been found.
Focus on finding critical objects such as the Everyone group, then try to decrease the number of objects having indirect access.
The detail is displayed below.
| Priority to remediate ? | Critical Object Found ? | Number of objects with Indirect ? | Max number of indirect numbers ? | Max ratio ? |
|---|---|---|---|---|
| Critical | YES | 5 | 4 | 80 |
| High | NO | 0 | 0 | 0 |
| Medium | YES | 1 | 1 | 0 |
| Other | YES | 1 | 1 | 0 |
If the report has been saved with the full details, each object can be zoomed with its full detail. If it is not the case, for privacy reasons, only general statistics are available.
| Group or user account ? | Priority ? | Number of users member of the group ? | Number of computer member of the group ? | Number of object having indirect control ? | Number of unresolved members (removed?) ? | Link with other domains | Detail |
|---|---|---|---|---|---|---|---|
| Account Operators | High | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Administrator | Critical | 1 (Details) | 0 | None | Analysis | ||
| Administrators | Critical | 6 (Details) | 0 | 1 (Details) | 0 | None | Analysis |
| Backup Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Publishers | Other | 0 | 1 (Details) | 1 including EVERYONE (Details) | 0 | None | Analysis |
| Domain Administrators | Critical | 5 (Details) | 0 | 4 (Details) | 0 | None | Analysis |
| Enterprise Administrators | Critical | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Print Operators | Medium | 2 (Details) | 0 | 0 | 0 | None | Analysis |
| Schema Administrators | Critical | 2 (Details) | 0 | 1 (Details) | 0 | None | Analysis |
| Server Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
If the report has been saved with the full details, each object can be zoomed with its full detail. If it is not the case, for privacy reasons, only general statistics are available.
| Group or user account ? | Priority ? | Number of users member of the group ? | Number of computer member of the group ? | Number of object having indirect control ? | Number of unresolved members (removed?) ? | Link with other domains | Detail |
|---|---|---|---|---|---|---|---|
| Builtin OU | Medium | 0 | 0 | None | Analysis | ||
| Certificate store | Medium | 0 | 0 | None | Analysis | ||
| Computers container | Medium | 0 | 0 | None | Analysis | ||
| Domain Controllers | Critical | 0 | 2 (Details) | 2 including EVERYONE (Details) | 0 | None | Analysis |
| Domain Root | Medium | 1 including EVERYONE (Details) | 0 | None | Analysis | ||
| Enterprise Read Only Domain Controllers | Other | 0 | 0 | 0 | 0 | None | Analysis |
| Group Policy Creator Owners | Medium | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Krbtgt account | Medium | 0 | 0 | None | Analysis | ||
| Read Only Domain Controllers | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Users container | Medium | 0 | 1 (Details) | None | Analysis |
This section focuses on the relations that this domain has with other domains.
This part displays the direct links that this domain has with other domains.
| Trust Partner | Type | Attribute | Direction ? | SID Filtering active ? | TGT Delegation ? | Creation ? | Is Active ? |
|---|---|---|---|---|---|---|---|
| mil ? | MIT | Non-Transitive | Outbound | No | Not applicable | 2014-06-09 12:49:20Z | FALSE |
| test4.mysmartlogon.com ? | Uplevel | Forest Trust | Inbound | Not applicable | No | 2019-04-06 21:53:36Z | FALSE |
These are the domains that PingCastle was able to detect but which are not related to direct trusts. They may be children of a forest or bastions.
| Reachable domain | Via | Netbios | Creation date |
|---|---|---|---|
This section focuses on security checks specific to the Active Directory environment.
The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).
Last backup date: Never
LAPS is used to have a unique local administrator password on all workstations / servers of the domain. This password is then changed at a fixed interval. The risk is when a local administrator hash is retrieved and used on other workstations in a pass-the-hash attack.
Mitigation: have a process for when a new workstation is created, or install LAPS and apply it through a GPO.
LAPS installation date: 2019-03-22 21:12:37Z
Windows Event Forwarding is a native mechanism used to collect logs on all workstations / servers of the domain. Microsoft recommends to use Windows Event Forwarding to help with intrusion detection. Here is the list of servers configured for WEF found in GPO.
Number of WEF configuration found: 3
| GPO Name | Order | Server |
|---|---|---|
| WEF test | 1 | Server=http://192.168.0.25:5985/wsman/SubscriptionManager/WEC |
| WEF test | 2 | test |
| WEF test | 3 | teset2 |
The password of the krbtgt account should be changed twice every 40 days using this script.
You can use the version gathered using replication metadata from two reports to guess the frequency of the password change or whether the two consecutive resets have been done. Version starts at 1.
Kerberos password last changed: 2019-03-10 18:21:24Z version: 3
This control detects accounts which are former 'unofficial' admins. Indeed, when an account belongs to a privileged group, the attribute admincount is set. If the attribute is set without the account being an official member, this is suspicious. To suppress this warning, the attribute admincount of these accounts should be removed after review.
Number of accounts to review: 1
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| wrongaccount9 | 2016-03-30 13:02:35Z | Never | CN=wrongaccount9,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
This control detects domain controllers which can be accessed without authentication. Hackers can then perform a reconnaissance of the environment with only network connectivity and no account at all.
Domain controllers vulnerable: 1
| Domain Controller |
|---|
| WIN-PGAHI2ECI8E |
This control detects users which use only smart cards and whose password hash has not been changed for at least 40 days. Indeed, once the smart card required check is activated in the user account properties, a random password hash is set. But this hash is not changed anymore, unlike for users having a password whose change is controlled by password policies. As a consequence, a capture of the hash using a memory attack tool can lead to a compromise of this account that is unlimited in time. The best practice is to reset these passwords on a regular basis or to uncheck and check again the "require smart card" property to force a hash change.
Users with smart card and having their password unchanged for at least 40 days: 3
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| BlueHat | 2018-01-19 15:23:37Z | Never | CN=BlueHat,CN=Users,DC=test,DC=mysmartlogon,DC=com |
| wrongaccount10 | 2018-08-20 14:22:43Z | Never | CN=wrongaccount10,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
| wrongAccount5 | 2015-06-26 15:47:18Z | Never | CN=wrongAccount5,OU=TestOU,DC=test,DC=mysmartlogon,DC=com |
You can check here for backdoors or typos in the scriptPath attribute.
| Script Name | Count |
|---|---|
| None | 21 |
This detects trusted certificates which can be used in man-in-the-middle attacks or which can issue smart card logon certificates.
Number of trusted certificates: 17
| Source | Store | Subject | Issuer | NotBefore | NotAfter | Modulus size | Signature Alg | SC Logon |
|---|---|---|---|---|---|---|---|---|
| GPO:Default Domain Policy;Machine | Root | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2000-05-30 12:48:38Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | Root | CN=Belgium Root CA2, C=BE | CN=Belgium Root CA2, C=BE | 2007-10-04 12:00:00Z | 2021-12-15 09:00:00Z | 2048 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | Root | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | 2014-02-13 15:30:41Z | 2019-01-16 15:30:41Z | 3072 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | Root | CN=CA, DC=test, DC=mysmartlogon, DC=com | CN=CA, DC=test, DC=mysmartlogon, DC=com | 2015-10-03 09:34:06Z | 2030-10-02 09:44:04Z | 2048 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | Root | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | 2014-05-01 09:08:21Z | 2041-09-15 09:08:21Z | 2048 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | CA | SERIALNUMBER=200804, CN=Foreigner CA, C=BE | CN=Belgium Root CA2, C=BE | 2007-10-04 14:00:00Z | 2014-06-04 14:00:00Z | 2048 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | CA | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2005-06-07 10:09:10Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| GPO:Default Domain Policy;Machine | CA | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | 2011-08-24 02:00:00Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=CA, DC=test, DC=mysmartlogon, DC=com | CN=CA, DC=test, DC=mysmartlogon, DC=com | 2015-10-03 09:34:06Z | 2030-10-02 09:44:04Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | CN=MaskTech CSCA, OU=Test Division, O=MaskTech GmbH, C=DE | 2014-02-13 15:30:41Z | 2019-01-16 15:30:41Z | 3072 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=Belgium Root CA2, C=BE | CN=Belgium Root CA2, C=BE | 2007-10-04 12:00:00Z | 2021-12-15 09:00:00Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | 2011-08-24 02:00:00Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | CN=DOD EMAIL CA-29, C=US, O=U.S. Government, OU=DoD, OU=PKI | 2014-05-01 09:08:21Z | 2041-09-15 09:08:21Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2000-05-30 12:48:38Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2005-06-07 10:09:10Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=COMODO Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US | 2011-04-27 02:00:00Z | 2020-05-30 12:48:38Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=CA, DC=test, DC=mysmartlogon, DC=com | CN=CA, DC=test, DC=mysmartlogon, DC=com | 2012-03-03 19:21:37Z | 2027-03-03 19:31:35Z | 2048 | sha1RSA | False |
Note: PSO (Password Settings Objects) will be visible only if the user which collected the information has the permission to view it.
PSO shown in the report will be prefixed by "PSO:".
| Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account lockout counter after |
|---|---|---|---|---|---|---|---|---|---|
| Default Domain Controllers Policy ? | False | Never expires | 0 day | 0 | Not Set | Not Set | Not Set | Not Set | Not Set |
| Default Domain Policy ? | False | Never expires | 0 day | 0 | 0 | False | 0 | Not Set | Not Set |
| test nfc 2 [Not linked] ? | False | Never expires | 0 day | 1 | Not Set | Not Set | Not Set | Not Set | Not Set |
| PSO:test | False | 90 day(s) | 0 day | 0 | 5 | False | 50 | 5 minute(s) | 1 minute(s) |
These are the settings related to screensavers stored in Group Policies. Each non-compliant setting is written in red.
| Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds) |
|---|---|---|---|---|
| test nfc 2 [Not linked] ? | True | True | 90000 | Not Set |
This section focuses on security settings stored in the Active Directory technical security policies.
Passwords in GPO are obfuscated, not encrypted. Consider any password listed here as compromised and change it immediately.
| GPO Name | Password origin | UserName | Password | Changed | Other |
|---|---|---|---|---|---|
| test nfc 2 | groups.xml | administrator | vletoux | 2016-04-02 19:40:14Z | NewName:adiant-admin |
| test nfc 2 | drives.xml | adiant | vletoux | 2016-04-02 19:39:33Z | Path:test |
| test nfc 2 | groups.xml | test | test | 2016-04-02 20:21:02Z | |
| WEF test | registry.xml | ssss | dddd | 2019-09-17 16:56:10Z | Autologon info |
Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.
A GPO can be used to deploy security settings to workstations.
The best practice out of the default security baseline is reported in green.
The following settings in red are unusual and may need to be reviewed.
Each setting is accompanied with its value and a link to the GPO explanation.
| Policy Name | Setting | Value |
|---|---|---|
| Default Domain Controllers Policy ? | Allow anonymous SID/Name translation (Technical details) | Enabled |
| Default Domain Controllers Policy ? | Microsoft network server: Digitally sign communications (if client agrees) (Technical details) | Disabled |
| Default Domain Policy ? | Recovery console: Allow automatic administrative logon | Enabled |
| Default Domain Policy ? | LDAP client signing requirements (Technical details) | None (Do not request signature) |
| Default Domain Policy ? | Do not store LAN Manager hash value on next password change (Technical details) | Disabled |
| Default Domain Policy ? | Turn off multicast name resolution (Technical details) | LLMNR Enabled |
Audit settings allow the system to generate logs which are useful to detect intrusions. Here are the settings found in GPO.
Simple audit events are described here and Advanced audit events are described here.
You can get a list of all audit settings with the command line: auditpol.exe /get /category:* (source)
| Policy Name | Category | Setting | Value |
|---|---|---|---|
| Audit_Varonis ? | Account Logon | Kerberos Authentication Service | Success and Failure |
| Audit_Varonis ? | Account Logon | Kerberos Service Ticket Operations | Success and Failure |
| Audit_Varonis ? | Account Logon | Other Account Logon Events | Success |
| Audit_Varonis ? | Account Management | Application Group Management | Success and Failure |
| Audit_Varonis ? | Account Management | Computer Account Management | Success and Failure |
| Audit_Varonis ? | Account Management | Distribution Group Management | Success and Failure |
| Audit_Varonis ? | Account Management | Other Account Management Events | Success and Failure |
| Audit_Varonis ? | Account Management | Security Group Management | Success and Failure |
| Audit_Varonis ? | Account Management | User Account Management | Success and Failure |
| Audit_Varonis ? | DS Access | Detailed Directory Service Replication | Success |
| Audit_Varonis ? | DS Access | Directory Service Access | Success |
| Audit_Varonis ? | DS Access | Directory Service Changes | Success |
| Audit_Varonis ? | DS Access | Directory Service Replication | Success |
| Audit_Varonis ? | Logon/Logoff | Account Lockout | Success |
| Audit_Varonis ? | System | User/Device Claims | Success |
| Audit_Varonis ? | Logon/Logoff | IPsec Extended Mode | Success |
| Audit_Varonis ? | Logon/Logoff | IPsec Main Mode | Success |
| Audit_Varonis ? | Logon/Logoff | IPsec Quick Mode | Success |
| Audit_Varonis ? | Logon/Logoff | Logoff | Success |
| Audit_Varonis ? | Logon/Logoff | Logon | Success |
| Audit_Varonis ? | Logon/Logoff | Network Policy Server | Success |
| Audit_Varonis ? | Logon/Logoff | Other Logon/Logoff | Success |
| Audit_Varonis ? | Logon/Logoff | Special Logon | Success |
| Audit_Varonis ? | Object Access | Certification Services | Success |
| Audit_Varonis ? | Object Access | Other Object Access | Success |
| Audit_Varonis ? | Policy Change | Audit Policy Change | Success |
| Audit_Varonis ? | Policy Change | Authentication Policy Change | Success |
| Audit_Varonis ? | Policy Change | Authorization Policy Change | Success |
| Audit_Varonis ? | Policy Change | Filtering Platform Policy Change | Success |
| Audit_Varonis ? | Policy Change | MPSSVC Rule-Level Policy Change | Success |
| Audit_Varonis ? | Policy Change | Other Policy Change Events | Success |
| Audit_Varonis ? | System | IPsec Driver | Success |
| Audit_Varonis ? | System | Other System Events | Success and Failure |
| Audit_Varonis ? | System | Security State Change | Success |
| Audit_Varonis ? | System | Security System Extension | Success |
| Audit_Varonis ? | System | System Integrity | Success and Failure |
Giving privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPrivilege gives the right to act as SYSTEM, which has more privileges than the administrator account.
| GPO Name | Privilege | Members |
|---|---|---|
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | IIS APPPOOL\crl.eid.belgium.be |
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | IIS APPPOOL\SmartPolicy |
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | NT AUTHORITY\LOCAL SERVICE |
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | NT AUTHORITY\NETWORK SERVICE |
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | IIS APPPOOL\DefaultAppPool |
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | IIS APPPOOL\Classic .NET AppPool |
| Default Domain Controllers Policy ? | SeBackupPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | SeDebugPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeLoadDriverPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeLoadDriverPrivilege | BUILTIN\Print Operators |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Authenticated Users |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Authenticated Users |
| Default Domain Controllers Policy ? | SeRestorePrivilege | Administrators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | SeSecurityPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeTakeOwnershipPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeEnableDelegationPrivilege | Administrators |
| Default Domain Policy ? | SeDebugPrivilege | Everyone |
| Default Domain Policy ? | SeLoadDriverPrivilege | Everyone |
| test nfc 2 [Not linked] ? | SeDebugPrivilege | adiant-test |
| test nfc 2 [Not linked] ? | SeDebugPrivilege | Everyone |
| test nfc 2 [Not linked] ? | SeLoadDriverPrivilege | Everyone |
Logon authorization and restriction can be set by GPO. Indeed, by default, everyone is allowed to log on to every computer except domain controllers. Defining logon restrictions is a way to have different isolated tiers. Here are the settings found in GPO.
| GPO Name | Privilege | Members |
|---|---|---|
| Banned Login for admin ? | Deny access to this computer from the network ? | Domain Admins |
| Banned Login for admin ? | Deny log on as a batch job ? | Domain Admins |
| Banned Login for admin ? | Deny log on as a service ? | Domain Admins |
| Banned Login for admin ? | Deny log on locally ? | Domain Admins |
| Banned Login for admin ? | Deny logon through Remote Desktop Services ? | Domain Admins |
| Banned Login for admin ? | Allow log on locally ? | Domain Users |
| Banned Login for admin ? | Allow log on locally ? | Administrators |
| Banned Login for admin ? | Allow logon through Remote Desktop Services ? | Domain Users |
| Default Domain Controllers Policy ? | Log on as a batch job ? | Administrators |
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\IIS_IUSRS |
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\Performance Log Users |
| Default Domain Controllers Policy ? | Log on as a batch job ? | TEST\test |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Print Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | Everyone |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | Authenticated Users |
| Default Domain Controllers Policy ? | Allow log on locally ? | Administrators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Account Operators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Everyone |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Administrators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Authenticated Users |
| Default Domain Controllers Policy ? | Access this computer from the network ? | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS |
| Default Domain Controllers Policy ? | Access this computer from the network ? | BUILTIN\Pre-Windows 2000 Compatible Access |
| Default Domain Controllers Policy ? | Allow logon through Remote Desktop Services ? | Authenticated Users |
A GPO logon script is a way to force the execution of scripts on behalf of users. Only enabled users are analyzed.
| GPO Name | Action | Source | Command line | Parameters |
|---|---|---|---|---|
| test nfc 2 [Not linked] ? | Logon | scripts.ini (User section) | test.vbs | machin trust |
| test nfc 2 [Not linked] ? | Logoff | scripts.ini (User section) | test123 | |
| test nfc 2 [Not linked] ? | Logoff | scripts.ini (User section) | tatayoyo | |
| test nfc 2 [Not linked] ? | Logon | psscripts.ini (User section) | test.ps1 | tsettte |
| test nfc 2 [Not linked] ? | Logoff | psscripts.ini (User section) | test456 | |
| Default Domain Controllers Policy ? | Logon | Registry.pol (Computer section) | \\test.mysmartlogon.com\sysvol\test.mysmartlogon.com\bin\test.ps1 | |
A GPO can be used to deploy applications or copy files. If these files can be controlled by a third party, that third party can control the execution of local programs.
| GPO Name | Type | File |
|---|---|---|
| WEF test [Not linked] ? | Files (User section) | \\test.mysmartlogon.com\sysvol\test.mysmartlogon.com\bin\test.txt |
| WEF test [Not linked] ? | Application (Computer section) | \\test.mysmartlogon.com\SYSVOL\test.mysmartlogon.com\bin\7z1900.msi |
| WEF test [Not linked] ? | Application (Computer section) | \\test.mysmartlogon.com\SYSVOL\test.mysmartlogon.com\bin\7z1900.msi |