Indicators of Exposure

| Name | Description | Severity |
|---|---|---|
| Service Accounts Misconfigurations | Shows potential misconfigurations of domain service accounts. | medium |
| Conflicting Security Principals | Checks that there are no duplicated (conflicting) users, computers, or groups. | low |
| Shadow Credentials | Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials. | high |
| Enabled Guest Account | Checks that the built-in guest account is disabled. | low |
| Managed Service Accounts Dangerous Misconfigurations | Ensures Managed Service Accounts (MSAs) are deployed and well configured. | high |
| Privileged AD User Accounts Synchronized to Microsoft Entra ID | Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID. | high |
| Privileged Authentication Silo Configuration | A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts. | high |
| Unsecure Dynamic DNS Zone Updates Allowed | Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates. | high |
| WSUS Dangerous Misconfigurations | Lists the misconfigured parameters related to Windows Server Update Services (WSUS). | critical |
| Property Sets Integrity | Checks the integrity of property sets and validates their permissions. | medium |
| Dangerous SYSVOL Replication Configuration | Checks that the "Distributed File System Replication" (DFS-R) mechanism has replaced the "File Replication Service" (FRS). | medium |
| Detection of Password Weaknesses | Checks for password weaknesses that may increase the vulnerability of Active Directory accounts. | high |
| Insufficient Hardening Against Ransomware | Ensures that the domain has implemented hardening measures to protect against ransomware. | medium |
| ADCS Dangerous Misconfigurations | Lists dangerous permissions and misconfigured parameters related to the Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI). | critical |
| GPO Execution Sanity | Verifies that the Group Policy Objects (GPOs) applied to domain computers are sane. | high |
| Logon Restrictions for Privileged Users | Checks for privileged users who can connect to less privileged machines, creating a risk of credential theft. | high |
| Unsecured Configuration of Netlogon Protocol | CVE-2020-1472 ("Zerologon") affects the Netlogon protocol and allows elevation of privilege. | critical |
| Vulnerable Credential Roaming Related Attributes | Credential roaming attributes are vulnerable, making the related user-protected secrets readable by an attacker. | low |
| Potential Clear-Text Password | Checks for objects containing potential clear-text passwords in attributes readable by domain users. | high |
| Dangerous Sensitive Privileges | Identifies misconfigured sensitive privilege rights that decrease the security of a directory infrastructure. | high |
| Mapped Certificates on Accounts | Ensures that privileged objects do not have any mapped certificate assigned to them. | critical |
| Domain Without Computer-Hardening GPOs | Checks that hardening GPOs have been deployed on the domain. | medium |
| Protected Users Group Not Used | Checks for privileged users who are not members of the Protected Users group. | high |
| Account with Possible Empty Password | Identifies user accounts that allow empty passwords. | high |
| Users Allowed to Join Computers to the Domain | Verifies that regular users cannot join external computers to the domain. | medium |
| Last Change of the Microsoft Entra SSO Account Password | Ensures regular changes to the Microsoft Entra SSO account password. | high |
| Dangerous Rights in the AD Schema | Lists schema entries considered anomalous that could potentially offer a means of persistence. | high |
| User Account Using Old Password | Checks for regular updates of all active account passwords in Active Directory to reduce credential theft risk. | medium |
| Verify Permissions Related to Microsoft Entra Connect Accounts | Ensures the permissions set on Microsoft Entra Connect accounts are sane. | critical |
| Brute-Force Attack Detection | Detects brute-force and password spraying attacks. | critical |
| Domain Controllers Managed by Illegitimate Users | Some domain controllers can be managed by non-administrative users due to dangerous access rights. | critical |
| Application of Weak Password Policies on Users | Some password policies applied to specific user accounts are not strong enough and can lead to credential theft. | critical |
| Verify Sensitive GPO Objects and Files Permissions | Ensures that the permissions assigned to GPO objects and files linked to sensitive containers, such as the Domain Controllers OU, are appropriate and secure. | critical |
| Rogue Domain Controllers | Ensures that only legitimate domain controller servers are registered in the Active Directory infrastructure. | high |
| Domain with Unsafe Backward-Compatibility Configuration | The dsHeuristics attribute can modify AD behavior, but some of its fields are security-sensitive and pose a security risk. | low |
| Domains with an Outdated Functional Level | Checks for the correct functional level of a domain or forest, which determines the availability of advanced features and security options. | medium |
| Local Administrative Account Management | Ensures the secure and central management of local administrative accounts using LAPS. | medium |
| Kerberos Configuration on User Account | Detects accounts that use a weak Kerberos configuration. | medium |
| Root Objects Permissions Allowing DCSync-Like Attacks | Checks for unsafe permissions on root objects that may enable unauthorized users to steal authentication credentials. | critical |
| Accounts Using a Pre-Windows 2000 Compatible Access Control | Checks for account members of the Pre-Windows 2000 Compatible Access group, which can bypass security measures. | high |
| Disabled Accounts in Privileged Groups | Accounts that are no longer used should not remain in privileged groups. | low |
| Computers Running an Obsolete OS | Identifies obsolete systems that Microsoft no longer supports and which increase the infrastructure's vulnerability. | high |
| Accounts With a Dangerous SID History Attribute | Checks for user or computer accounts using a privileged SID in the SID history attribute. | high |
| Use of Weak Cryptography Algorithms in Active Directory PKI | Identifies weak cryptographic algorithms used in root certificates deployed on an internal Active Directory PKI. | critical |
| Recent Use of the Default Administrator Account | Checks for recent uses of the built-in administrator account. | medium |
| User Primary Group | Verifies that users' primary group has not been changed. | critical |
| Dangerous Kerberos Delegation | Checks for unauthorized Kerberos delegation and ensures protection for privileged users against it. | critical |
| Reversible Passwords | Verifies that the option to store passwords in a reversible format is not enabled. | medium |
| Reversible Passwords in GPO | Checks that GPO preferences do not allow passwords in a reversible format. | medium |
| Ensure SDProp Consistency | Checks that the adminSDHolder object is in a clean state. | critical |