Name | Description | Severity |
---|---|---|
Hybrid Entra ID Information | Collects information such as hybrid users and computers from the on-premises Active Directory environment about resources synchronized with Microsoft Entra ID. | low |
Exchange Group Members | Unusual accounts in sensitive Exchange groups | high |
Service Accounts Misconfigurations | Shows potential misconfigurations of domain service accounts. | medium |
Conflicting Security Principals | Checks that there are no duplicated (conflicting) users, computers, or groups. | low |
Shadow Credentials | Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials. | high |
Enabled Guest Account | Checks that the built-in guest account is disabled. | low |
Managed Service Accounts Dangerous Misconfigurations | Ensures Managed Service Accounts (MSAs) are deployed and well configured. | high |
Privileged AD User Accounts Synchronized to Microsoft Entra ID | Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID. | high |
Privileged Authentication Silo Configuration | A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts. | high |
Unsecure Dynamic DNS Zone Updates Allowed | Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates. | high |
WSUS Dangerous Misconfigurations | Lists the misconfigured parameters related to Windows Server Update Services (WSUS). | critical |
Property Sets Integrity | Checks for the integrity of property sets and validates permissions | medium |
Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism replaced the "File Replication Service" (FRS). | medium |
Detection of Password Weaknesses | Verifies for weaknesses in passwords that may heighten the vulnerability of Active Directory accounts. | high |
Insufficient Hardening Against Ransomware | Ensures that the domain implemented hardening measures to protect against ransomware. | medium |
ADCS Dangerous Misconfigurations | List dangerous permissions and misconfigured parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI). | critical |
GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
Logon Restrictions for Privileged Users | Checks for privileged users who can connect to less privileged machines leading to a risk of credential theft. | high |
Unsecured Configuration of Netlogon Protocol | CVE-2020-1472 ("Zerologon") affects Netlogon protocol and allows elevation of privilege | critical |
Vulnerable Credential Roaming Related Attributes | Credential roaming attributes are vulnerable, making the related user protected secrets readable by an attacker. | low |
Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
Dangerous Sensitive Privileges | Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure. | high |
Mapped Certificates on Accounts | Ensures that privileged objects do not have any mapped certificate assigned to them. | critical |
Domain Without Computer-Hardening GPOs | Checks hardening GPOs have been deployed on the domain. | medium |
Protected Users Group Not Used | Verifies for privileged users who are not members of the Protected Users group. | high |
Account with Possible Empty Password | Identifies user accounts that allow empty passwords. | high |
Users Allowed to Join Computers to the Domain | Verify that regular users cannot join external computers to the domain. | medium |
Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
Dangerous Rights in the AD Schema | Lists schema entries considered anomalous that could potentially offer a means of persistence. | high |
User Account Using Old Password | Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk. | medium |
Verify Permissions Related to Microsoft Entra Connect Accounts | Ensure the permissions set on Microsoft Entra Connect accounts are sane | critical |
Brute-Force Attack Detection | Detects brute-force and password spraying attacks. | critical |
Domain Controllers Managed by Illegitimate Users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
Application of Weak Password Policies on Users | Some password policies applied on specific user accounts are not strong enough and can lead to credentials theft. | critical |
Verify Sensitive GPO Objects and Files Permissions | Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the domain controllers or OU, are appropriate and secure. | critical |
Rogue Domain Controllers | Ensure only legitimate Domain controllers servers are registered into Active Directory infrastructure. | high |
Domain with Unsafe Backward-Compatibility Configuration | The dsHeuristics attribute can modify AD behavior, but some fields are security-sensitive and pose a security risk. | low |
Domains with an Outdated Functional Level | Checks for the correct functional level of a domain or forest which determines the availability of advanced features and security options. | medium |
Local Administrative Account Management | Ensures the secure and central management of local administrative accounts using LAPS. | medium |
Kerberos Configuration on User Account | Detects accounts that use weak Kerberos configuration. | medium |
Root Objects Permissions Allowing DCSync-Like Attacks | Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials. | critical |
Accounts Using a Pre-Windows 2000 Compatible Access Control | Checks for account members of the Pre-Windows 2000 Compatible Access group which can bypass security measures. | high |
Disabled Accounts in Privileged Groups | Accounts that are not used anymore should not stay in privileged groups. | low |
Computers Running an Obsolete OS | Identifies obsolete systems that Microsoft no longer support and which increase the infrastructure vulnerability. | high |
Accounts With a Dangerous SID History Attribute | Checks user or computer accounts using a privileged SID in SID history attribute. | high |
Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
Recent Use of the Default Administrator Account | Checks for recent uses of the built-in administrator account. | medium |
User Primary Group | Verify users' Primary Group has not been changed | critical |
Dangerous Kerberos Delegation | Checks for unauthorized Kerberos delegation, and ensures protection for privileged users against it. | critical |
Reversible Passwords | Verifies that the option to store passwords in a reversible format does not get enabled. | medium |