SECURITY ASSESSMENT REPORT
Technology: Microsoft Active Directory
Tenant: DynamicPacks.net
Assessment Date: 03/06/2025 18:24:15
This introduction contains a global summary of the health and security scans performed on the company infrastructure with SmartProfiler for Active Directory Assessment. Detailed information about the scans can be found in the Health & Security Maturity Framework and Technical Findings sections of this report. The assessment was performed according to the ANSSI and MITRE ATT&CK definitions. ANSSI is the French National Agency for the Security of Information Systems; for more information, see https://www.cert.ssi.gouv.fr/uploads/guide-ad.html. Tests recommended by Microsoft have also been performed.
SmartProfiler's Active Directory tests are divided into three main categories: AD Security, AD Configuration, and AD Health Check. You can click on each category in the left section or select the Score Category to view the associated tests and their status. Please note that there are no sub-categories for AD Health Issues.
| Severity | Count |
| --- | --- |
| Critical | 9 |
| High | 109 |
| Medium | 14 |
| Low | 8 |
| Passed | 145 |
| Manual Check | 0 |
OVERALL AD FOREST STATUS
OVERALL SCORE: Shows the overall security score for the AD Forest based on the tests executed by SmartProfiler. The overall score includes the Security, Configuration and Health AD tests.
SECURITY SCORE: Shows the score for settings that need to be configured correctly in AD Domains. These settings are recommended by Microsoft.
CONFIGURATION SCORE: Shows the score for settings that need to be configured correctly in AD Domains. These settings are recommended by Microsoft.
HEALTH SCORE: Shows the health score for AD and Domain Controllers. Health issues can be found in the AD Health Status category in the left pane.
Technology Categories and Status
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| --- | --- | --- | --- | --- | --- | --- |
| vuln3_protected_users | Protected Users Group Status | High | 1 | Total Domains Not Using Protected Users Group:1 | MITREANSSI | NO |
Test: Protected Users Group Status
Description: The Protected Users group is NOT in use. The Protected Users group was introduced with the Windows Server 2012 R2 Active Directory schema to minimize credential exposure for privileged accounts. Members of the Protected Users group are more secure when authenticating to Windows resources: clear-text passwords are no longer cached even when Windows Digest is enabled, NTLM no longer caches clear-text passwords, and Kerberos no longer creates DES or RC4 keys. When authenticating to domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), cannot use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation.
Recommendation and Steps: Ensure that all privileged users are members of the Protected Users group. If the forest uses a pre-2012 R2 schema, the Protected Users group does not exist; this is an exposure, and the remediation is to upgrade the schema. Warning: use of the Protected Users group comes with significant functional impacts.
Test ID: vuln3_protected_users
| MS-RECOMMENDED | Missing Microsoft LAPS in AD Forest | High | Not Deployed | Microsoft LAPS Status:Not Deployed | MITREANSSI | NO |
Test: Missing Microsoft LAPS in AD Forest
Description: Microsoft LAPS is not deployed in the AD Forest. Microsoft LAPS helps protect against pass-the-hash and lateral-traversal attacks, improves security for remote help desk scenarios, makes it possible to sign in to and recover devices that are otherwise inaccessible, provides a fine-grained security model (access control lists and optional password encryption) for securing passwords stored in Windows Server Active Directory, and supports the Azure role-based access control model for securing passwords stored in Azure Active Directory.
Recommendation and Steps: It is recommended to implement Microsoft LAPS in the AD Forest using the official Microsoft documentation available here: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | AD Recycle Bin Status | Medium | Disabled | AD Recycle Bin Status:Disabled | Configuration | NO |
Test: AD Recycle Bin Status
Description: The AD Recycle Bin feature is NOT enabled.
Recommendation and Steps: Review and enable the AD Recycle Bin feature in Active Directory. There are Forest Functional Level requirements which must be met before it can be enabled.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Privileged Management Status | Medium | Disabled | Privileged Access Management Status:Disabled | Configuration | NO |
Test: Privileged Management Status
Description: AD Privileged Access Management is NOT enabled.
Recommendation and Steps: Review and enable the AD Privileged Access Management feature in Active Directory. There are Forest Functional Level requirements which must be met before it can be enabled.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | gMSA Accounts Status | Low | 1 | Total Domains With gMSA Accounts:1 | MITREANSSI | NO |
Test: gMSA Accounts Status
Description: gMSA is NOT in use. The group Managed Service Account (gMSA) feature in Windows Server 2016 allows automatic rotation of passwords for service accounts, making them much more difficult for attackers to compromise. The feature should be used whenever possible for service accounts.
Recommendation and Steps: Group Managed Service Accounts should be used to protect service accounts.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Managed Service Accounts Status | Passed | Are in use | Managed Service Accounts Status:Are in use | Configuration | YES |
Test: Managed Service Accounts Status
Description: No Managed Service Accounts were found in the Domains.
Test ID: MS-RECOMMENDED
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| --- | --- | --- | --- | --- | --- | --- |
| vuln1_permissions_adminsdholder | AdminSDHolder was Modified in last 30 days | Critical | 1 | AdminSDHolder Object was modified in total domains:1 | MITREANSSI | NO |
Test: AdminSDHolder was Modified in last 30 days
Description: AdminSDHolder was modified in the last 30 days. Active Directory Domain Services uses AdminSDHolder, protected groups and the Security Descriptor propagator (SD propagator, or SDPROP for short) to secure privileged users and groups from unintentional modification. Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups. Every hour, a background process on the domain controller compares the ACLs of protected objects with the AdminSDHolder ACL and overwrites any manual modifications so that they match. Any change to the AdminSDHolder object is a security risk.
Recommendation and Steps: Review why AdminSDHolder was modified and whether any user or computer accounts were added to the security tab of the AdminSDHolder object.
Test ID: vuln1_permissions_adminsdholder
| MS-RECOMMENDED | Objects Modified in Last 10 Days | High | 19551 | Total Objects Modified in AD Domains in last 10 days:19551 | MITREANSSI | NO |
Test: Objects Modified in Last 10 Days
Description: Objects were modified in the last 10 days. As such there is no impact, but it is necessary to identify whether any privileged account was modified in the last 10 days.
Recommendation and Steps: Review the list of modified objects.
| MS-RECOMMENDED | Objects Created in Last 10 Days | High | 19551 | Total Objects Created in AD Domains in last 10 days:19551 | MITREANSSI | NO |
Test: Objects Created in Last 10 Days
Description: Objects were created in the last 10 days. As such there is no impact, but it is necessary to identify whether any privileged account was created in the last 10 days.
Recommendation and Steps: Review the list of created objects.
| MS-RECOMMENDED | Anyone can Join Computers to Domain | High | 1 | Total Domains Allowing Normal Users to Join Computers to domain:1 | MITREANSSI | NO |
Test: Anyone can Join Computers to Domain
Description: Normal users can add computers to Active Directory. The ability to add computer accounts to a domain without restrictions or monitoring presents opportunities for attackers to add their own accounts or to take advantage of uncontrolled computers with vulnerabilities, thereby extending their reach and entrenching themselves in the environment.
Recommendation and Steps: It is recommended to set the ms-DS-MachineAccountQuota attribute on the domain NC head to 0 to disable regular users' ability to add computer accounts.
Test ID: MS-RECOMMENDED
| vuln3_rodc_denied_group | Denied RODC Password Replication Group missing Privileged Accounts | High | 8 | Total Missing Privileged Groups in Denied RODC Password Replication Group:8 | MITREANSSI | NO |
Test: Denied RODC Password Replication Group missing Privileged Accounts
Description: The Denied RODC Password Replication Group does not contain all privileged groups; some default groups are missing from it. Exposing the passwords of privileged groups is a security risk.
Recommendation and Steps: The Denied RODC Password Replication Group must include the following members: Domain Controllers, Read-only Domain Controllers, Group Policy Creator Owners, Domain Admins, Cert Publishers, Enterprise Admins, Schema Admins, and KRBTGT.
Test ID: vuln3_rodc_denied_group
| MS-RECOMMENDED | Schema Admin Group members | High | 1 | Schema Admins Group contains members:1 | MITREANSSI | NO |
Test: Schema Admin Group members
Description: Members were found in the Schema Admins group. Only members of the Schema Admins group can modify the schema, so accounts should only be added to this group when a change to the schema is required and removed afterwards. This approach helps prevent an attacker from compromising a Schema Admin account, which could have serious consequences.
Recommendation and Steps: It is recommended to remove all members from the Schema Admins group.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Missing Domain Zones Scavenging | High | 1 | Total Domain Zones Not Enabled with Scavenging:1 | Configuration | NO |
Test: Missing Domain Zones Scavenging
Description: Domain Zones do not have DNS Aging enabled. If Aging is not enabled for a Domain Zone, the DNS server may accumulate a huge number of stale DNS records.
Recommendation and Steps: It is recommended to enable DNS Aging for each Domain Zone.
Test ID: MS-RECOMMENDED
| vuln1_permissions_adminsdholder | Orphaned Admins on AdminSDHolder | Passed | 0 | Total Possible Orphaned Admins in all Domains on AdminSDHolder object:0 | MITREANSSI | YES |
Test: Orphaned Admins on AdminSDHolder
Description: No Orphaned Admins were found on the AdminSDHolder object.
Test ID: vuln1_permissions_adminsdholder
| vuln1_privileged_members_perm vuln2_privileged_members_perm | Dangerous Permissions on AdminSDHolder | Passed | 0 | AD Domains Affected:0 | MITREANSSI | YES |
Test: Dangerous Permissions on AdminSDHolder
Description: No Full Control permissions were found on the AdminSDHolder object.
Test ID: vuln1_privileged_members_perm vuln2_privileged_members_perm
| vuln1_delegation_a2d2 | Constrained delegation to domain controller service | Passed | 0 | Total Computers with Constrained Delegation in all Domains:0 | MITREANSSI | YES |
Test: Constrained delegation to domain controller service
Description: No computer accounts were found with constrained delegation.
Test ID: vuln1_delegation_a2d2
| vuln1_delegation_sourcedeleg | Resource-based constrained delegation on domain controllers | Passed | 0 | Total Computers with Resource-Based Delegation in all Domains:0 | MITREANSSI | YES |
Test: Resource-based constrained delegation on domain controllers
Description: No resource-based constrained delegation is configured on domain controllers.
Test ID: vuln1_delegation_sourcedeleg
| vuln1_dsheuristics_bad | Anonymous Access to Active Directory | Passed | 0 | Anonymous Access To Active Directory:0 | MITREANSSI | YES |
Test: Anonymous Access to Active Directory
Description: Anonymous access to Active Directory is disabled.
Test ID: vuln1_dsheuristics_bad
| vuln2_compatible_2000_anonymous | Anonymous or EVERYONE in Pre-Windows 2000 Group | Passed | 0 | Number of Domains Affected:0 | MITREANSSI | YES |
Test: Anonymous or EVERYONE in Pre-Windows 2000 Group
Description: The Everyone and Anonymous groups were not found in the Pre-Windows 2000 compatibility group.
Test ID: vuln2_compatible_2000_anonymous
| MS-RECOMMENDED | Found Hidden Domain Controllers | Passed | 0 | Total Hidden Domain Controllers:0 | MITREANSSI | YES |
Test: Found Hidden Domain Controllers
Description: Test has passed.
| MS-RECOMMENDED | Successful Exploit Machine Accounts Found | Passed | 0 | Total Exploit Machine Accounts:0 | MITREANSSI | YES |
Test: Successful Exploit Machine Accounts Found
Description: Test has passed.
| MS-RECOMMENDED | Possible User-based Service Accounts found | Passed | 0 | Total Possible User-Based Service Accounts:0 | MITREANSSI | YES |
Test: Possible User-based Service Accounts found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Domain Trusts Found | Passed | Not Found | Domain Trusts Status:Not Found | MITREANSSI | YES |
Test: Domain Trusts Found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Replication Errors DCs | Passed | 0 | Total DCS in Replication Errors:0 | HealthCheck | YES |
Test: Replication Errors DCs
Description: Active Directory replication is working normally.
Test ID: MS-RECOMMENDED
| vuln3_rodc_allowed_group | Allowed RODC Password Replication Group is not empty | Passed | 0 | Total Members in RODC Replication Group:0 | MITREANSSI | YES |
Test: Allowed RODC Password Replication Group is not empty
Description: The Allowed RODC Password Replication Group is empty.
Test ID: vuln3_rodc_allowed_group
| vuln_password_change_msa_no_change_90 | Managed service accounts with passwords unchanged for more than 90 days | Passed | 0 | Total Managed Service Accounts Password Unchanged Since last 90 days:0 | MITREANSSI | YES |
Test: Managed service accounts with passwords unchanged for more than 90 days
Description: Test has passed.
Test ID: vuln_password_change_msa_no_change_90
| vuln3_rodc_never_reveal | msDS-NeverRevealGroup attribute RODC missing Privileged Accounts | Passed | 0 | Total Privileged Groups Not in PRP Denied List:0 | MITREANSSI | YES |
Test: msDS-NeverRevealGroup attribute RODC missing Privileged Accounts
Description: Privileged groups were found in the msDS-NeverRevealGroup attribute.
Test ID: vuln3_rodc_never_reveal
| vuln1_dnszone_bad_prop vuln3_dnszone_bad_prop | Unsecure Updates Zones | Passed | 0 | Total DNS Zones accepting non-secure updates:0 | Configuration | YES |
Test: Unsecure Updates Zones
Description: Domain DNS zones are configured to accept dynamic updates securely.
Test ID: vuln1_dnszone_bad_prop vuln3_dnszone_bad_prop
| MS-RECOMMENDED | AD Partitions Backup Status | Passed | 0 | Total AD Partitions not backed up since last 7 days:0 | HealthCheck | YES |
Test: AD Partitions Backup Status
Description: All AD partitions were backed up recently.
Test ID: MS-RECOMMENDED
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| --- | --- | --- | --- | --- | --- | --- |
| vuln2_dont_expire | User Accounts Pass Never Expires | High | 225 | Total Users with Password Never Expires in all Domains:225 | MITREANSSI | NO |
Test: User Accounts Pass Never Expires
Description: User accounts with Password Never Expires were found in the AD Domains. Every user must be required to renew their password, except for accounts created for use with applications; service accounts can be set to not expire.
Recommendation and Steps: Check why the passwords for these user accounts are set to never expire.
Test ID: vuln2_dont_expire
| vuln2_kerberos_properties_deskey | Users With DES encryption | Medium | 1 | Total Users with DES Encryption in all Domains:1 | MITREANSSI | NO |
Test: Users With DES encryption
Description: The USE_DES_KEY_ONLY flag is set for some users. This flag allows domain controllers to issue Kerberos tickets encrypted with the DES algorithm. This property was designed for backward compatibility with older Kerberos implementations. The DES algorithm is considered weak and must no longer be used. This flag significantly weakens the security of the Kerberos tickets issued and speeds up brute-force cracking attempts.
Recommendation and Steps: The USE_DES_KEY_ONLY flag must be unset in the userAccountControl attribute of each affected account. This can be done by unchecking the "Use Kerberos DES encryption types for this account" option in the user account properties.
Test ID: vuln2_kerberos_properties_deskey
| vuln3_reversible_password | Users With Reversible Encryption | Medium | 3 | Total Users with Reversible Encryption set in all Domains:3 | MITREANSSI | NO |
Test: Users With Reversible Encryption
Description: Some accounts have their passwords stored in Active Directory using reversible encryption. With administrator privileges, it becomes possible to retrieve the cleartext passwords of all affected accounts.
Recommendation and Steps: To avoid common downward spirals in password management, it is important to remove dangerous properties regarding user account passwords (Active Directory Users and Computers console): reversible password storage (the ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in the userAccountControl attribute). The "Store password using reversible encryption" checkbox must be left unchecked in the Account tab of each account's properties. If this setting has a legitimate use, it should be documented, for instance in the account's description attribute.
Test ID: vuln3_reversible_password
| vuln1_kerberos_properties_preauth_priv vuln2_kerberos_properties_preauth | Users With Kerberos Pre-Authentication | Medium | 1 | Total Pre-Authentication Users in all domains:1 | MITREANSSI | NO |
Test: Users With Kerberos Pre-Authentication
Description: The DONT_REQUIRE_PREAUTH flag is set for some privileged users. Kerberos pre-authentication ensures that users requesting a Ticket Granting Ticket (TGT) know a given authentication secret. Without pre-authentication, it is possible to acquire a ticket encrypted with one of the Kerberos keys associated with the requested account. It is then possible to carry out a brute-force or dictionary attack to crack the account password if it is not strong enough.
Recommendation and Steps: All affected accounts must have their DONT_REQUIRE_PREAUTH flag unset and then their password changed immediately. By default, all user accounts require pre-authentication because their DONT_REQUIRE_PREAUTH flag is not set. That property was designed for backward compatibility with older Kerberos implementations. It must never be set for privileged domain accounts. Any incompatible software must be upgraded.
Test ID: vuln1_kerberos_properties_preauth_priv vuln2_kerberos_properties_preauth
| vuln_user_accounts_dormant | Users Disabled | Medium | 2999 | Total Disabled Users in all Domains:2999 | MITREANSSI | NO |
Test: Users Disabled
Description: Disabled user accounts were found in the AD Domains. Disabled users can be re-enabled for authentication.
Recommendation and Steps: Check why these users are disabled. If they have been disabled for a long time, they must be deleted or moved to a Disabled OU.
Test ID: vuln_user_accounts_dormant
| vuln2_dont_expire | Users with LastPasswordSet was never Set | Passed | 0 | Total Users with LastPasswordSet was never set in all Domains:0 | MITREANSSI | YES |
Test: Users with LastPasswordSet was never Set
Description: Test has passed.
Test ID: vuln2_dont_expire
| vuln1_user_accounts_dormant | Users with PWDLastSet to ZERO | Passed | 0 | Total Users with PWDLastSet to ZERO in all Domains:0 | MITREANSSI | YES |
Test: Users with PWDLastSet to ZERO
Description: PWDLastSet is set to a timestamp for all users and no dormant accounts were found.
Test ID: vuln1_user_accounts_dormant
| vuln1_spn_priv | Users with SPNs Configured | Passed | 0 | Total Users with SPN defined in all Domains:0 | MITREANSSI | YES |
Test: Users with SPNs Configured
Description: No users were found with Service Principal Names configured.
Test ID: vuln1_spn_priv
| vuln_smartcard_expire_passwords | Password Expiration is missing for smart card users | Passed | 0 | AD Domains Affected:0 | MITREANSSI | YES |
Test: Password Expiration is missing for smart card users
Description: Test has passed.
Test ID: vuln_smartcard_expire_passwords
| MS-RECOMMENDED | Accounts vulnerable to Kerberoasting Found | Passed | 0 | Total Kerberoasting Accounts Found:0 | MITREANSSI | YES |
Test: Accounts vulnerable to Kerberoasting Found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| vuln3_primary_group_id_nochange vuln1_primary_group_id_1000 | Users Modified with PrimaryGroupID | Passed | 0 | Total Users with PrimaryGroupID Modified in all Domains:0 | MITREANSSI | YES |
Test: Users Modified with PrimaryGroupID
Description: Test has passed.
Test ID: vuln3_primary_group_id_nochange vuln1_primary_group_id_1000
| MS-RECOMMENDED | Users Sending Bad Logons | Passed | 0 | Total Users sending Bad Logons in all Domains:0 | MITREANSSI | YES |
Test: Users Sending Bad Logons
Description: No bad logon attempts were found from users.
| vuln1_user_accounts_dormant | Stale User Accounts | Passed | 0 | Total Stale User Accounts in all Domains:0 | MITREANSSI | YES |
Test: Stale User Accounts
Description: No stale user accounts were found in the AD Domains.
Test ID: vuln1_user_accounts_dormant
| MS-RECOMMENDED | Users Expired | Passed | 0 | Total Expired Users in all Domains:0 | MITREANSSI | YES |
Test: Users Expired
Description: No expired accounts were found in Active Directory.
Test ID: MS-RECOMMENDED
| vuln2_dont_expire | User Accounts Pass Not Required | Passed | 0 | Total Users with Password Not Required set in all Domains:0 | MITREANSSI | YES |
Test: User Accounts Pass Not Required
Description: No users were found with the Password Not Required flag.
Test ID: vuln2_dont_expire
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| --- | --- | --- | --- | --- | --- | --- |
| vuln1_user_accounts_dormant | Stale Computer Accounts | High | 2050 | Total Stale Computer Accounts in all Domains:2050 | MITREANSSI | NO |
Test: Stale Computer Accounts
Description: Stale computer accounts were found. These user or computer accounts are not disabled and have not authenticated against Active Directory for more than a year. Dormant accounts are either legitimate accounts which are rarely used, or obsolete accounts. Obsolete accounts can grant users illegitimate access (e.g. after they leave the company) or be stealthily used by attackers, which is even more problematic if the accounts are privileged. Their mere existence also makes accountability for users and access rights much harder.
Recommendation and Steps: The recommended action is to remove stale computer or user accounts, or to move them to an Organizational Unit and then protect that OU.
Test ID: vuln1_user_accounts_dormant
| vuln_user_accounts_dormant | Computers Disabled | Medium | 2007 | Total Disabled Computer Accounts in all Domains:2007 | MITREANSSI | NO |
Test: Computers Disabled
Description: Disabled computer accounts were found in the AD Domains. Disabled computer accounts can be compromised.
Recommendation and Steps: Check why these computer accounts are disabled. If they are disabled and not in use, these accounts must either be removed or moved to a disabled OU.
Test ID: vuln_user_accounts_dormant
| vuln1_spn_priv | Computers with SPNs Configured | Passed | 0 | Total Computers using ServicePrincipalNames in all Domains:0 | MITREANSSI | YES |
Test: Computers with SPNs Configured
Description: No computer accounts were found with Service Principal Names.
Test ID: vuln1_spn_priv
| vuln2_delegation_t4d | Computers With Unconstrained Delegation | Passed | 0 | Total Computers with Unconstrained Delegation in all Domains:0 | MITREANSSI | YES |
Test: Computers With Unconstrained Delegation
Description: No accounts were found with unconstrained delegation.
Test ID: vuln2_delegation_t4d
| vuln3_primary_group_id_nochange vuln1_primary_group_id_1000 | Computers Modified with PrimaryGroupID | Passed | 0 | Total Computers modified with PrimaryGroupID:0 | MITREANSSI | YES |
Test: Computers Modified with PrimaryGroupID
Description: Test has passed.
Test ID: vuln3_primary_group_id_nochange vuln1_primary_group_id_1000
| MS-RECOMMENDED | Computers Sending Bad Logons | Passed | 0 | Total Computers sending Bad Logon Attempts in all Domains:0 | MITREANSSI | YES |
Test: Computers Sending Bad Logons
Description: No computers are sending bad logon attempts.
| MS-RECOMMENDED | Unsupported Operating Systems | Passed | 0 | Total End Of Life-Unsupported Operating Systems:0 | Configuration | YES |
Test: Unsupported Operating Systems
Description: No computers running an unsupported operating system version were found in Active Directory.
Test ID: MS-RECOMMENDED
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| --- | --- | --- | --- | --- | --- | --- |
| vuln1_spn_priv | Admins with SPNs Configured | Passed | 0 | Total Admin Accounts With ServicePrincipalName Identified:0 | MITREANSSI | YES |
Test: Admins with SPNs Configured
Description: No admin accounts with Service Principal Names were found.
Test ID: vuln1_spn_priv
| MS-RECOMMENDED | Admins Sending Bad Logons | Passed | 0 | Total Privileged Users With Bad Logon Attempts:0 | MITREANSSI | YES |
Test: Admins Sending Bad Logons
Description: No admins were found with bad logon attempts.
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| --- | --- | --- | --- | --- | --- | --- |
| vuln1_permissions_dc | Domain Controllers not owned by Admins | Passed | 0 | Total Domain Controllers owned by non-privileged accounts:0 | Configuration | YES |
Test: Domain Controllers not owned by Admins
Description: All Domain Controller computer accounts are owned by privileged accounts.
Test ID: vuln1_permissions_dc
| vuln3_owner | Computer Objects not managed by Admins | Passed | 0 | Total Computers Not Managed By Admins in all Domains:0 | MITREANSSI | YES |
Test: Computer Objects not managed by Admins
Description: Computer accounts are managed by admin accounts.
| vuln3_owner | Organizational Units not managed by Admins | Passed | 0 | Total Organizational Units Not Managed By Admins:0 | MITREANSSI | YES |
Test: Organizational Units not managed by Admins
Description: Organizational units are managed by admin accounts.

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Sensitive GPOs Modified | High | WARNING: Modified | Sensitive GPOs Status in Last 10 Days:WARNING: Modified | MITREANSSI | NO |
Test: Sensitive GPOs Modified
Description: Sensitive Group Policy Objects have been changed in the last 10 days. Changes to the Default Domain Policy or Default Domain Controllers Policy should be accounted for by the administrators. If a change cannot be accounted for, investigate it for potential weakening of the security posture and establish why it was made.
Recommendation and Steps: Ensure the change was made by an administrator; changes to the default domain and domain controller policies are generally not required.

| MS-RECOMMENDED | Changes to Privileged Groups in Last 15 days | High | 13 | Total Privileged Groups Modified in Last 15 Days in All Domains:13 | MITREANSSI | NO |
Test: Changes to Privileged Groups in Last 15 days
Description: Indicator of exposure found. Recent additions to or deletions from privileged group membership could be normal operational changes, or could indicate attempts at persistence or cleaning up of tracks after an attack.
Recommendation and Steps: Confirm that any additions to or removals from privileged groups are valid and properly accounted for.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Recently Created Privileged Admins | Passed | 0 | Total Privileged Accounts created in last 10 days in all domains:0 | MITREANSSI | YES |
Test: Recently Created Privileged Admins

| MS-RECOMMENDED | Users Identified with Privileged SIDs in sIDHistory | Passed | 0 | Total Users containing Admin Accounts in sIDHistory in all Domains:0 | MITREANSSI | YES |
Test: Users Identified with Privileged SIDs in sIDHistory
Description: No user accounts contain privileged account SIDs in sIDHistory.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Computers Identified with Privileged SIDs in sIDHistory | Passed | 0 | Total Computers containing Admin Accounts in sIDHistory in all Domains:0 | MITREANSSI | YES |
Test: Computers Identified with Privileged SIDs in sIDHistory
Description: No computer accounts contain privileged account SIDs in sIDHistory.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Found Excluded Groups by AdminSDHolder and SDProp | Passed | 0 | Total Excluded Groups by SDProp Process:0 | MITREANSSI | YES |
Test: Found Excluded Groups by AdminSDHolder and SDProp

| MS-RECOMMENDED | krbtgt Account with Resource-Based Constrained Delegation | Passed | 0 | Affected number of Domains:0 | MITREANSSI | YES |
Test: krbtgt Account with Resource-Based Constrained Delegation
Description: The krbtgt account does not have resource-based constrained delegation configured.
Test ID: MS-RECOMMENDED

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Built-In Admin Account Not protected | High | 1 | Default Administrator Account not protected in all domains:1 | MITREANSSI | NO |
Test: Built-In Admin Account Not protected
Description: The default Administrator account is not protected. Use of a domain's Administrator account should be reserved for initial build activities and, possibly, disaster-recovery scenarios. To ensure that the Administrator account can be used to effect repairs in the event that no other accounts can be used, you should not change the default membership of the Administrator account in any domain in the forest. Instead, you should secure the Administrator account in each domain in the forest.
Recommendation and Steps: It is recommended to enable the "Account is sensitive and cannot be delegated" flag on the Administrator account and to change its password.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Built-In Admin Account Not Disabled | High | 1 | Default Admin Account not disabled in Total Domains:1 | MITREANSSI | NO |
Test: Built-In Admin Account Not Disabled
Description: The default Administrator account in some domains has not been renamed or disabled. Anyone can attempt to log on to the domain with the Administrator account, which causes bad logon events on domain controllers.
Recommendation and Steps: Review the list and make sure the default Administrator account is renamed and disabled in each domain.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Built-In Admin Account Not Renamed | High | 1 | Default Admin Account not renamed in Total Domains:1 | MITREANSSI | NO |
Test: Built-In Admin Account Not Renamed
Description: The default Administrator account in some domains has not been renamed or disabled. Anyone can attempt to log on to the domain with the Administrator account, which causes bad logon events on domain controllers.
Recommendation and Steps: Review the list and make sure the default Administrator account is renamed and disabled in each domain.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Built-In Admin Account was used in last 10 days | High | 1 | Total Domains in which Default Administrator account was used in last 10 days:1 | MITREANSSI | NO |
Test: Built-In Admin Account was used in last 10 days
Description: The default Administrator account was used recently in some domains. The default Administrator account should only be used for initial Active Directory setup and for disaster-recovery purposes. If the default Administrator account is in use, it could indicate that the account has been compromised.
Recommendation and Steps: If best practices are followed and the default Administrator account is not used, activity on it would indicate a compromise. Ensure any logons to the built-in Administrator account are legitimate and accounted for. If they are not accounted for, a breach is likely and should be investigated.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Guest Account is not renamed | High | 1 | Guest Account not renamed in Total Domains:1 | MITREANSSI | NO |
Test: Guest Account is not renamed
Description: The Guest account in some domains has not been renamed or disabled. The built-in Guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow unauthorized users to access system resources. Renaming this account to an unidentifiable name improves the protection of the account and the system.
Recommendation and Steps: Review the list and make sure the Guest account is renamed and disabled in each domain.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Built-In Admin Account Password Not Changed in 90 days | Passed | 0 | Total Domains in which Default Administrator password not changed since last 90 days:0 | MITREANSSI | YES |
Test: Built-In Admin Account Password Not Changed in 90 days
Description: The default Administrator account password was changed within the last 90 days.
Test ID: MS-RECOMMENDED

| vuln2_krbtgt | KRBTGT Account Password Not Changed | Passed | 0 | Total Domains Using KRBTGT Old Password:0 | MITREANSSI | YES |
Test: KRBTGT Account Password Not Changed
Description: The krbtgt password was changed within the last 180 days.

| MS-RECOMMENDED | Guest Account is enabled | Passed | 0 | Total Guest Accounts Enabled in All Domains:0 | MITREANSSI | YES |
Test: Guest Account is enabled
Description: The Guest account is disabled in all domains.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Administrator Account ServicePrincipalNames Found | Passed | 0 | Total AD Domains Affected:0 | MITREANSSI | YES |
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Misconfigured Administrative Accounts Found | Critical | 203 | Total Admins Misconfigured:203 | MITREANSSI | NO |
Test: Misconfigured Administrative Accounts Found
Description: Test has failed. Administrative accounts were found that do not have the "This account is sensitive and cannot be delegated" option enabled. This leaves the account open to abuse of delegated rights to change the administrative account's password, or to disable, copy or modify the account properties.
Recommendation and Steps: This can be remediated by running the following PowerShell command as a privileged user (Domain Admin).
Test ID: MS-RECOMMENDED

| vuln2_privileged_members_password | Weak Password Policies Affected Admins | Critical | 203 | Total Privileged Account using Weak Password Policy:203 | MITREANSSI | NO |
Test: Weak Password Policies Affected Admins
Description: Privileged users are not using strong password policies. A password of seven characters can be cracked instantly by various brute-force tools. Apart from the danger of account compromise, a weak password policy also creates regulatory compliance problems.
Recommendation and Steps: For privileged accounts, enforcing a password policy with the following requirements is recommended: forced change at most every 3 years and a length of 8 or more characters.
Test ID: vuln2_privileged_members_password

| vuln3_protected_users | Missing Privileged Groups in Protected Users Group | High | Not In Use | Total Missing Privileged Groups in Protected Users Group:Not In Use | MITREANSSI | NO |
Test: Missing Privileged Groups in Protected Users Group
Description: Not all privileged groups are part of the Protected Users group. Accounts for services and computers should never be members of the Protected Users group: the group provides incomplete protection for them anyway, because the password or certificate is always available on the host, and authentication will fail with the error "the username or password is incorrect" for any service or computer that is added to the Protected Users group.
Recommendation and Steps: Privileged users must be members of the Protected Users group so as to enforce Kerberos authentication, reduce Kerberos ticket lifetime, enforce use of strong encryption algorithms (AES), prevent caching of passwords on workstations, and prevent any type of Kerberos delegation. Note, however, that use of the Protected Users group comes with significant functional impacts. Ensure all protected groups and users are added to the Protected Users group.
Test ID: vuln3_protected_users

| vuln2_dont_expire | Privileged Accounts Pass Never Expires | High | 224 | Total Privileged Accounts set to Password Never Expire in all Domains:224 | MITREANSSI | NO |
Test: Privileged Accounts Pass Never Expires
Description: Privileged user accounts were found with the Password Never Expires flag set. The MITRE and ANSSI frameworks do not recommend privileged accounts with Password Never Expires set; it is a security risk.
Recommendation and Steps: It is recommended that all privileged account passwords expire and that these accounts change their passwords regularly.
Test ID: vuln2_dont_expire

| vuln_privileged_members | Too Many Privileged Accounts | High | 1 | Affected AD Domains:1 | MITREANSSI | NO |
Test: Too Many Privileged Accounts
Description: Test has failed.
Test ID: vuln_privileged_members

| vuln1_user_accounts_dormant | Inactive Admins | High | 201 | Total Enabled Admin Accounts Not In Use Since Last 30 Days:201 | MITREANSSI | NO |
Test: Inactive Admins
Description: Admin accounts were found that have been inactive for some time. While the presence of an unused admin account is not automatically a problem, removing these accounts reduces the attack surface of AD.
Recommendation and Steps: It is recommended to review the list provided and ensure each admin account is active and in use in Active Directory.
Test ID: vuln1_user_accounts_dormant

| vuln1_privileged_members | Privileged Groups Contain more than 20 members | High | 1 | Privileged Groups Contain More than 20 members:1 | MITREANSSI | NO |
Test: Privileged Groups Contain more than 20 members
Description: Administrative groups contain more than 20 members. Keeping too many members in administrative groups is a security risk unless those members are tracked.
Recommendation and Steps: It is necessary to keep track of members being added to administrative groups. Any orphaned admin that has been removed from Active Directory or disabled must be removed from administrative groups.

| MS-RECOMMENDED | Disabled Admins part of Privileged Groups | High | 12 | Total Disabled Admins In Privileged Groups:12 | MITREANSSI | NO |
Test: Disabled Admins part of Privileged Groups
Description: Some disabled users are members of privileged groups. When a user is disabled, it tends not to be monitored as closely as active accounts. If the user is also privileged, it becomes a target for takeover if an attacker can re-enable the account.
Recommendation and Steps: The recommended action is to remove disabled users from privileged groups.
Test ID: MS-RECOMMENDED

| vuln1_dont_expire_priv | Password Do Not Expire | High | 201 | Total Admin Accounts set to PasswordNeverExpires:201 | MITREANSSI | NO |
Test: Password Do Not Expire
Description: Some privileged accounts have passwords that never expire. If no security mechanism enforces periodic password rotation, taking over an account allows a malicious user to keep their access rights in the domain for extended periods of time.
Recommendation and Steps: Passwords should be periodically changed for all privileged group members (at most every 3 years). To enforce application of the domain password policy on these accounts, their DONT_EXPIRE flag should not be set. The flag should be unset, usually by unchecking the "Password never expires" option in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
Test ID: vuln1_dont_expire_priv

| vuln1_kerberos_properties_preauth_priv | Kerberos Pre-authentication Disabled | Passed | 0 | Total Pre-Authentication Admins in all domains:0 | MITREANSSI | YES |
Test: Kerberos Pre-authentication Disabled
Description: All admin accounts have the DONT_REQUIRE_PREAUTH flag set to false.
Test ID: vuln1_kerberos_properties_preauth_priv

| vuln1_password_change_priv | Passwords Not Changed within 90 days | Passed | 0 | Total Admin Accounts Did Not Change Their Passwords Since Last 90 Days:0 | MITREANSSI | YES |
Test: Passwords Not Changed within 90 days
Description: Privileged user accounts have been changing their passwords regularly.
Test ID: vuln1_password_change_priv

| vuln1_dnsadmins and vuln1_permissions_msdn | DNSAdmins Group has members | Passed | 0 | Total Members In DNSAdmins Group In All Domains:0 | MITREANSSI | YES |
Test: DNSAdmins Group has members
Description: No other users are members of the DNSAdmins group.
Test ID: vuln1_dnsadmins and vuln1_permissions_msdn

| MS-RECOMMENDED | Privileged Groups Contained Computer Accounts | Passed | 0 | Total computer accounts part of privileged groups:0 | MITREANSSI | YES |
Test: Privileged Groups Contained Computer Accounts
Description: No computer accounts are members of privileged groups.

| MS-RECOMMENDED | Privileged Admins missing AdminCount=1 Flag | Passed | 0 | Total Admins not set with AdminCount=1 flag in all domains:0 | MITREANSSI | YES |
Test: Privileged Admins missing AdminCount=1 Flag
Description: All members of privileged groups have the AdminCount=1 flag set.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | ForeignSecurityPrincipals In Privileged Groups | Passed | 0 | Total ForeignSecurityPrincipal in Privileged Groups:0 | MITREANSSI | YES |
Test: ForeignSecurityPrincipals In Privileged Groups
Description: No ForeignSecurityPrincipal or orphaned principals were found in privileged admin groups.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Operators Groups are not empty | Passed | 0 | Operators Groups containing total members in all domains:0 | MITREANSSI | YES |
Test: Operators Groups are not empty
Description: All Operators groups are empty in all domains.

| MS-RECOMMENDED | AdminsCount Flag set users not acting as Admins | Passed | 0 | Total Unknown Admins Found:0 | MITREANSSI | YES |
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| vuln2_privileged_members_password | Default Domain Policy-Minimum Password Length | High | 1 | Account Policies Not Configured correctly in Total Domains:1 | Configuration | NO |
Test: Default Domain Policy-Minimum Password Length
Description: Account Policies are configured correctly.
Test ID: vuln2_privileged_members_password

| MS-RECOMMENDED | FGPP Policies Not Applying | High | 5 | Total FGPP Not Applying in All Domains:5 | Configuration | NO |
Test: FGPP Policies Not Applying
Description: Some FGPP policies have been created but do not apply to any objects. Users will not receive password policies from these FGPPs.
Recommendation and Steps: Review the list and make sure the FGPP policies apply to the desired objects.

| vuln2_privileged_members_password | FGPP Policies-Minimum Password Length | Passed | 0 | FGPP Not Configured Correctly In Domains:0 | Configuration | YES |
Test: FGPP Policies-Minimum Password Length
Description: FGPP password parameters are enabled and configured correctly.
Test ID: vuln2_privileged_members_password

| MS-RECOMMENDED | Account Lockout Policies Missing | Passed | 0 | Total Accounts Locked Out in All Domains:0 | MITREANSSI | YES |
Test: Account Lockout Policies Missing
Description: Account lockout policies are configured in the Active Directory domains.
Test ID: MS-RECOMMENDED

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | TLS 1.1 Enabled DCs | Critical | 1 | Total Domain Controllers with TLS 1.1 Protocol Enabled:1 | MITREANSSI | NO |
Test: TLS 1.1 Enabled DCs
Description: The TLS 1.1 protocol is not disabled on all domain controllers. Modern cyber-attack methods often make specific use of legacy protocols and often target organizations that have yet to implement the proper mitigation.
Recommendation and Steps: To retire the use of legacy protocols, your organization must first discover which internal entities and applications rely on them. The recommendation is to disable the TLS 1.1 protocol on all affected domain controllers by applying a registry fix or using the Default Domain Controllers GPO.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | NTLM Authentication Enabled DCs | Critical | 1 | Total Domain Controllers with NTLM Enabled:1 | MITREANSSI | NO |
Test: NTLM Authentication Enabled DCs
Description: NTLM is enabled on all domain controllers. NTLM and NTLMv2 authentication are vulnerable to various attacks, including SMB replay, man-in-the-middle and brute-force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. The main risk of disabling NTLM is the potential use of legacy or incorrectly configured applications that still rely on NTLM authentication.
Recommendation and Steps: It is recommended to disable the NTLM protocol on domain controllers by using the registry or a GPO. Edit the Default Domain Policy, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options, and find the policy "Network Security: LAN Manager authentication level". Configure "Send LM & NTLM responses - use NTLMv2 session security if negotiated" to apply the setting to all domain controllers.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | AllowNT4Crypto DCs | High | 1 | Total DCs with AllowNT4Crypto Enabled:1 | MITREANSSI | NO |
Test: AllowNT4Crypto DCs
Description: Domain controllers were found with NT4 crypto allowed. Allowing old NT4 cryptographic algorithms can be a serious security risk and may signal that very old and insecure hardware or software (such as NT4 or older Samba SMB clients) is still in use in the environment. Besides, no currently supported OS honors this setting anymore.
Recommendation and Steps: The recommended action is to disable NT4 crypto on the affected domain controllers. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and change the value of AllowNT4Crypto to 0.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | RC4 Encryption Enabled DCs | High | 1 | Total Domain Controllers With RC4 Encryption Enabled:1 | MITREANSSI | NO |
Test: RC4 Encryption Enabled DCs
Description: Some domain controllers have RC4 encryption enabled or supported. The USE_DES_KEY_ONLY flag is set for some users. This flag allows domain controllers to issue Kerberos tickets encrypted with the DES algorithm. The property was designed for backward compatibility with older Kerberos implementations. The DES algorithm is considered weak and must no longer be used: this flag significantly weakens the security of the Kerberos tickets issued and speeds up brute-force cracking attempts.
Recommendation and Steps: The USE_DES_KEY_ONLY flag must be unset in the userAccountControl attribute of each affected account. This can be done by unchecking the "Use Kerberos DES encryption types for this account" option in the user account properties. Any incompatible software must be upgraded.

| MS-RECOMMENDED | Missing Updates DCs | High | 1 | Total DCs Not Updated Since Last 45 Days:1 | MITREANSSI | NO |
Test: Missing Updates DCs
Description: Some domain controllers have not been patched in the last 45 days and are not receiving important security updates.
Recommendation and Steps: All domain controllers must be patched to avoid security risks.
Test ID: MS-RECOMMENDED

| vuln3_primary_group_id_nochange vuln1_primary_group_id_1000 | Domain Controllers Modified with PrimaryGroupID | Passed | 0 | Total Domain Controllers modified with PrimaryGroupID:0 | MITREANSSI | YES |
Test: Domain Controllers Modified with PrimaryGroupID
Description: Test has passed.
Test ID: vuln3_primary_group_id_nochange vuln1_primary_group_id_1000

| MS-RECOMMENDED | SMB 1 Protocol Enabled DCs | Passed | 0 | Total Domain Controllers with SMB1 Server Protocol Enabled:0 | MITREANSSI | YES |
Test: SMB 1 Protocol Enabled DCs
Description: The SMB1 protocol is disabled on all domain controllers.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | SMB 1 Client Protocol Enabled DCs | Passed | 0 | Total Domain Controllers with SMB1 Client Service Enabled:0 | MITREANSSI | YES |
Test: SMB 1 Client Protocol Enabled DCs
Description: The SMB1 client protocol is disabled on all domain controllers.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | LAN Manager password hashes Enabled DCs | Passed | 0 | Total DCs with LAN Manager Password Hashes:0 | MITREANSSI | YES |
Test: LAN Manager password hashes Enabled DCs
Description: No domain controllers are storing LAN Manager password hashes.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | SMB Signing Disabled DCs | Passed | 0 | Total Domains Controller Without SMB Signing:0 | MITREANSSI | YES |
Test: SMB Signing Disabled DCs
Description: SMB signing is enabled on the domain controllers.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | LDAP Signing Disabled DCs | Passed | 0 | Total Domain Controllers Without LDAP Signing:0 | MITREANSSI | YES |
Test: LDAP Signing Disabled DCs
Description: LDAP signing is enabled on the domain controllers.
Test ID: MS-RECOMMENDED

| vuln1_dc_inconsistent_uac | Inconsistent DCs | Passed | 0 | Total Domain Controllers in Inconsistent State:0 | MITREANSSI | YES |
Test: Inconsistent DCs
Description: No domain controllers are in an inconsistent state.
Test ID: vuln1_dc_inconsistent_uac

| vuln1_password_change_inactive_dc | Unauthenticated DCs since last 45 Days | Passed | 0 | Total Domain Controllers Not Authenticated Within 45 days In All Domains:0 | MITREANSSI | YES |
Test: Unauthenticated DCs since last 45 Days
Description: All domain controllers have been authenticating and working as expected.
Test ID: vuln1_password_change_inactive_dc

| vuln1_password_change_dc_no_change | Secrets not renewed DCs | Passed | 0 | Total Domain Controllers Not Changed Password Within 45 Days In All Domains:0 | MITREANSSI | YES |
Test: Secrets not renewed DCs
Description: Domain controllers have been renewing their secrets.
Test ID: vuln1_password_change_dc_no_change

| MS-RECOMMENDED | Missed Reboot Cycles DCs | Passed | 0 | Total DCs Not Rebooted Since Last 30 Days:0 | HealthCheck | YES |
Test: Missed Reboot Cycles DCs
Description: All domain controllers have been rebooting regularly. Please ensure all domain controllers were checked.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | No Contacts with Domain Controllers in Last Three Months | Passed | 0 | Total Domain Controllers not contacted since last three months:0 | MITREANSSI | YES |
Test: No Contacts with Domain Controllers in Last Three Months
Description: Test has passed.

| MS-RECOMMENDED | Ensure UNC Paths for SYSVOL and NETLOGON are hardened | Passed | 0 | SYSVOL and Netlogon Hardening Missing on Total DCs:0 | MITREANSSI | YES |
Test: Ensure UNC Paths for SYSVOL and NETLOGON are hardened

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Missing DNS Scavenging DCs | Critical | 1 | Total DNS Servers Not Enabled with Server Level Scavenging:1 | Configuration | NO |
Test: Missing DNS Scavenging DCs
Description: Some DNS servers do not have automatic scavenging enabled. Disabling scavenging might result in a large number of stale DNS entries.
Recommendation and Steps: Note that if all your domain zones are AD-integrated, it is recommended to keep scavenging enabled on only one DNS server.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Errors and Warnings in Log DCs | High | 1 | Total DCs with Event Log Errors:1 | Configuration | NO |
Test: Errors and Warnings in Log DCs
Description: Domain controllers have had errors in the Directory Service, Application and System event logs in the last 10 days. The errors may impact domain controller operation.
Recommendation and Steps: The test reports the number of errors and warnings logged in the last 10 days. Check the domain controllers' event logs to ensure the errors and warnings can be ignored safely, or consult a technician to resolve them.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Scheduled Tasks found on Domain Controllers | High | 3 | Total Scheduled Tasks on DCs:3 | MITREANSSI | NO |
Test: Scheduled Tasks found on Domain Controllers
Description: Test has failed. Scheduled tasks are known to be exploited by attackers to elevate privileges, gain persistence, and download and deploy malware. This finding indicates that scheduled tasks were found on the domain controllers within the domain queried.
Recommendation and Steps: Review the scheduled tasks listed in the accompanying file(s) for legitimacy and validate that they are needed. Remove any unnecessary tasks.
Test ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing SSL Authentication DCs | Medium | 1 | Total DCs without SSL:1 | HealthCheck | NO |
TEST NAME: Missing SSL Authentication DCs
Description: Some Domain Controllers have not been configured with SSL. This is a security risk: all clients must be authenticated via a secure channel.
Recommendation and Steps: Review the list provided and configure the affected Domain Controllers with SSL.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing Enough DNS Servers in NIC DCs | Medium | 1 | Total DCs With inadequate Number Of DNS Servers in NIC Property:1 | HealthCheck | NO |
TEST NAME: Missing Enough DNS Servers in NIC DCs
Description: Some Domain Controllers have not been configured with enough DNS Servers in the TCP/IP properties of the network card. Such Domain Controllers cannot fall back to another DNS Server for lookups. Configuring enough DNS Servers ensures that a DNS query can still be resolved.
Recommendation and Steps: Check the affected objects Excel sheet to see which Domain Controllers require a DNS configuration update. It is recommended to configure domain controllers with at least 2 DNS Servers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| vuln1_dc_inconsistent_uac | Orphaned DCs | Passed | 0 | Total Orphaned Domain Controllers:0 | HealthCheck | YES |
TEST NAME: Orphaned DCs
Description: No Orphaned Domain Controllers were found.
Associated Objects: Per Domain/AD Forest
TEST ID: vuln1_dc_inconsistent_uac

| MS-RECOMMENDED | Missing DNS Forwarders DCs | Passed | 0 | Total DNS Servers Do Not Have Forwarders Configured:0 | Configuration | YES |
TEST NAME: Missing DNS Forwarders DCs
Description: DNS Servers have one or more DNS Forwarders configured.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing Root Hints DCs | Passed | 0 | Total DNS Servers Do Not Have Root Hints Configured:0 | Configuration | YES |
TEST NAME: Missing Root Hints DCs
Description: All DNS Servers have one or more Root Hints configured.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing Host Records DCs | Passed | 0 | Total DCs Missing Host Records in DNS:0 | HealthCheck | YES |
TEST NAME: Missing Host Records DCs
Description: Host records for all domain controllers are registered in the DNS Server.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Not Enough Free Space DCs | Passed | 0 | Total DCs with Low Disk Space:0 | HealthCheck | YES |
TEST NAME: Not Enough Free Space DCs
Description: Domain Controllers have more than 10 GB of disk space available. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Loopback Address Missing DCs | Passed | 0 | Total DCs not configured with Loopback Address:0 | HealthCheck | YES |
TEST NAME: Loopback Address Missing DCs
Description: All Domain Controllers have been configured with the loopback address 127.0.0.1. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Multihomed DCs | Passed | 0 | Total DCS in Multihomed State:0 | HealthCheck | YES |
TEST NAME: Multihomed DCs
Description: No Multihomed Domain Controllers were found. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| vuln2_sysvol_ntfrs | NTFS Replication DCs | Passed | 0 | Total Domain Controllers utilizing NTFRS for AD Replication:0 | Configuration | YES |
TEST NAME: NTFS Replication DCs
Description: No domain controllers were found with the NTFRS Service enabled.
Associated Objects: Per Domain/AD Forest
TEST ID: vuln2_sysvol_ntfrs

| MS-RECOMMENDED | Strict Replication Disabled DCs | Passed | 0 | Total DCs with Strict Replication Consistency not enabled:0 | Configuration | YES |
TEST NAME: Strict Replication Disabled DCs
Description: Strict Replication Consistency is enabled on all domain controllers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | DCDiag Failure DCs | Passed | 0 | Total DCs with DCDiag Failures:0 | HealthCheck | YES |
TEST NAME: DCDiag Failure DCs
Description: All DCDiag tests have passed on all domain controllers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Out Of Default OUs DCs | Passed | 0 | Total DCs outside of their Default OU:0 | Configuration | YES |
TEST NAME: Out Of Default OUs DCs
Description: All Domain Controllers are located under the Domain Controllers OU.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Unsupported OS DCs | Passed | 0 | Total DCs running Unsupported Operating Systems:0 | Configuration | YES |
TEST NAME: Unsupported OS DCs
Description: All Domain Controllers are running Windows Server 2012 or later versions.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Not Enough Local Disks DCs | Passed | 0 | Total DCs Not Configured With Recommended Disk Configuration:0 | HealthCheck | YES |
TEST NAME: Not Enough Local Disks DCs
Description: Disks on Domain Controllers are configured as per Active Directory best practices. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing DNS Dynamic Registration on NIC DCs | Passed | 0 | Total DCs NIC Dynamic Updates Not Enabled:0 | HealthCheck | YES |
TEST NAME: Missing DNS Dynamic Registration on NIC DCs
Description: Dynamic DNS Registration is enabled for all domain controllers. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing _msdcs Zone DCs | Passed | 0 | Total DNS Servers Missing _msdcs Zone:0 | HealthCheck | YES |
TEST NAME: Missing _msdcs Zone DCs
Description: DNS Servers host the _msdcs zone.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Event Log Config Not Correct DCs | Passed | 0 | Total DCs with Event Log misconfiguration:0 | Configuration | YES |
TEST NAME: Event Log Config Not Correct DCs
Description: Event Log Configuration was fetched from Domain Controllers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Event Log Size Not Optimized DCs | Passed | 0 | Total DCs with Event Log Size not optimal:0 | Configuration | YES |
TEST NAME: Event Log Size Not Optimized DCs
Description: Event Log size configuration on Domain Controllers is OK.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Print Spooler Service Running DCs | Critical | 1 | Total Domain Controllers with Print Spooler Service running:1 | MITREANSSI | NO |
TEST NAME: Print Spooler Service Running DCs
Description: The Print Spooler Service is not disabled on all domain controllers. CVE-2021-1675 is weaponized to compromise Domain Controllers. This is already happening in the real world, leading to a zero-day vulnerability event. Luckily, the vulnerability can be easily thwarted with a simple configuration change on Domain Controllers: disabling the Print Spooler service.
Recommendation and Steps: Print spooler services are enabled by default. If not absolutely required, disable the service on all domain controllers. If required, make sure the server is fully patched and follow the Microsoft guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Software Installed on Domain Controllers | High | 17 | Total Software Installed on DCs:17 | MITREANSSI | NO |
TEST NAME: Software Installed on Domain Controllers
Description: Test has failed. A list of software installed on Domain Controllers. Best practice dictates that nothing should be installed on a Domain Controller that is not necessary for it to function. These installations should be audited and reviewed regularly.
Recommendation and Steps: Remove any software installations that are not needed for Domain Controller functionality.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Additional Roles and Features DCs | Low | 1 | Total Domain Controllers with Additional Roles and Features:1 | Configuration | NO |
TEST NAME: Additional Roles and Features DCs
Description: Domain Controllers were found running other Roles and Features. Domain Controller performance is impacted, because system resources are consumed by the other Roles and Features installed.
Recommendation and Steps: Review the list provided and remove any other Roles and Features that are not needed, or move them to other servers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Fax Server role installed DCs | Passed | 0 | Total Domain Controllers have Fax Server Installed:0 | MITREANSSI | YES |
TEST NAME: Fax Server role installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | Microsoft FTP service installed DCs | Passed | 0 | Total Domain Controllers have FTP Server Installed:0 | MITREANSSI | YES |
TEST NAME: Microsoft FTP service installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | Peer Name Resolution Protocol installed DCs | Passed | 0 | Total Domain Controllers have Peer Name Resolution Protocol Installed:0 | MITREANSSI | YES |
TEST NAME: Peer Name Resolution Protocol installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | Simple TCP-IP Services installed DCs | Passed | 0 | Total Domain Controllers have Simple TCP/IP Services Installed:0 | MITREANSSI | YES |
TEST NAME: Simple TCP-IP Services installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | Telnet Client installed DCs | Passed | 0 | Total Domain Controllers have Telnet Client Installed:0 | MITREANSSI | YES |
TEST NAME: Telnet Client installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | TFTP Client installed DCs | Passed | 0 | Total Domain Controllers have TFTP Client Installed:0 | MITREANSSI | YES |
TEST NAME: TFTP Client installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | Server Message Block (SMB) v1 protocol Installed DCs | Passed | 0 | Total Domain Controllers have SMB 1.0/CIFS File Sharing Support Installed:0 | MITREANSSI | YES |
TEST NAME: Server Message Block (SMB) v1 protocol Installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | Windows PowerShell 2.0 installed DCs | Passed | 0 | Total Domain Controllers have Windows PowerShell 2.0 Engine Installed:0 | MITREANSSI | YES |
TEST NAME: Windows PowerShell 2.0 installed DCs
Description: Role/Feature is not installed.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | ADWS Service Set to Manual DCs | Passed | 0 | Total DCs ADWS Not Set to Start Automatic:0 | Configuration | YES |
TEST NAME: ADWS Service Set to Manual DCs
Description: The ADWS Service is set to start automatically on all domain controllers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | DHCP Service Running DCs | Passed | 0 | Total Domain Controllers with DHCP Server running:0 | Configuration | YES |
TEST NAME: DHCP Service Running DCs
Description: The DHCP Server Service is disabled or not installed on all domain controllers.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | AD Services not running DCs | Passed | 0 | Total DCs with Services Not Running:0 | HealthCheck | YES |
TEST NAME: AD Services not running DCs
Description: All Domain Controller Services are running. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Sites without Subnets Association | High | 1 | Total AD Sites Without Subnets:1 | Configuration | NO |
TEST NAME: Sites without Subnets Association
Description: Some AD Sites do not have Subnets associated. Application and user authentication is impacted: users and applications will go to domain controllers in other sites for authentication.
Recommendation and Steps: It is highly recommended to associate the required user/application subnets with AD Sites. If subnets are not associated with AD Sites, users in those sites may choose a remote domain controller for authentication.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing AD Sites Coverage | Medium | 1 | Total AD Sites Not Covered:1 | Configuration | NO |
TEST NAME: Missing AD Sites Coverage
Description: Some Active Directory sites are not covered. Each Active Directory site needs to be covered by a domain controller; otherwise, users will authenticate to domain controllers in other sites, crossing network boundaries.
Recommendation and Steps: Ensure the KCC has run its algorithm to cover each Active Directory Site. Initiate the KCC algorithm manually if needed.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Sites Missing Bridgehead Server | Medium | 1 | Number Of AD Sites Without Bridgehead Servers:1 | Configuration | NO |
TEST NAME: Sites Missing Bridgehead Server
Description: Some AD Sites are configured with manual Bridgehead Servers, or no automatic Bridgehead Servers were found. Since the KCC can designate a domain controller as a bridgehead server automatically, it is recommended to avoid assigning manual Bridgehead Servers. A bridgehead server is a server that is mainly used for intersite replication. You can configure a bridgehead server for every site that is created for each intersite replication protocol. This helps to control which server is used to replicate information to other servers.
Recommendation and Steps: The ability to configure a server as a bridgehead server gives you greater control over the resources used for replication between sites. It is recommended to remove manually configured bridgehead servers and let the KCC designate a bridgehead server automatically.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | AD Sites Redundancy | Medium | 1 | Total AD Sites with Only One Domain Controller:1 | Configuration | NO |
TEST NAME: AD Sites Redundancy
Description: Some AD Sites have only one Domain Controller deployed, which is a single point of failure. If the domain controller in such a site goes down, authentication will be impacted for the users and applications residing in that AD Site.
Recommendation and Steps: It is recommended to have at least two domain controllers deployed in an AD Site to avoid clients reaching out to remote domain controllers for authentication.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Replication Interval Not Optimized Sites | Low | 1 | Replication Interval is not optimized for Site Links:1 | Configuration | NO |
TEST NAME: Replication Interval Not Optimized Sites
Description: Some Active Directory Site Links are using non-standard Replication Intervals. AD Sites have been configured to use 180 as the replication interval. If you have only one AD Site in your environment, ignore this issue. Frequent changes will not replicate between AD Sites as quickly as they could.
Recommendation and Steps: It is recommended to configure a lower replication interval for sites that process changes frequently.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Total Undefined Subnets | Passed | 0 | Total Undefined Subnets in AD Forest:0 | Configuration | YES |
TEST NAME: Total Undefined Subnets
Description: No subnets were found in the unknown category. Please ensure all Domain Controllers were checked.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Sites without ISTG Role | Passed | 0 | Total AD Sites Do Not Have ISTG Defined:0 | Configuration | YES |
TEST NAME: Sites without ISTG Role
Description: All AD Sites have an ISTG defined.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Manual Replication Connection Objects | Passed | 0 | Total Manual Replication Connection Objects:0 | Configuration | YES |
TEST NAME: Manual Replication Connection Objects
Description: No manual AD Replication Connection Objects were found in the AD Forest.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing Global Catalog Sites | Passed | 0 | Total AD Sites Without Global Catalog Servers or No Universal Group Caching Enabled:0 | Configuration | YES |
TEST NAME: Missing Global Catalog Sites
Description: All Sites are configured with at least one Global Catalog Server.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Duplicate Site Links | Passed | 0 | Total Duplicate Site Links:0 | Configuration | YES |
TEST NAME: Duplicate Site Links
Description: No duplicate Site Links were found.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Sites With Manual Bridgehead Server | Passed | 0 | Number Of AD Sites With Manual Bridgehead Servers:0 | Configuration | YES |
TEST NAME: Sites With Manual Bridgehead Server
Description: No manual Bridgehead servers are configured.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Sites creating Mesh Topology | Passed | 0 | Total AD Site Links Containing More than Two AD Sites:0 | Configuration | YES |
TEST NAME: Sites creating Mesh Topology
Description:
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | AD Sites without Site Link | Passed | 0 | Total AD Sites Not In Site Links:0 | Configuration | YES |
TEST NAME: AD Sites without Site Link
Description: All AD Sites are associated with a Site Link.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | AD Sites without Domain Controller | Passed | 0 | Total AD Sites Without Domain Controllers:0 | Configuration | YES |
TEST NAME: AD Sites without Domain Controller
Description: All AD Sites have at least one Domain Controller deployed.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | PDC Emulator Time Source | High | Internal Source | Root PDC Time Source:Internal Source | Configuration | NO |
TEST NAME: PDC Emulator Time Source
Description: Domain Controller time synchronization is not configured correctly. This impacts authentication between domain controllers and clients.
Recommendation and Steps: Ensure the PDC Emulator syncs its time from an external NTP Server and that the other domain controllers sync using the default time synchronization settings. All other Domain Controllers must be using the NT5DS registry entry.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Domain Controllers Time Source | Passed | 0 | Total DCs Not Defined With Correct Time-Source:0 | Configuration | YES |
TEST NAME: Domain Controllers Time Source
Description: Domain Controllers have been configured with the correct time source.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Domain FSMO Placement | Passed | FSMO Placement is correct. | AD FSMO Placement Status:FSMO Placement is correct. | Configuration | YES |
TEST NAME: Domain FSMO Placement
Description: FSMO Placement is correct.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Domain Naming Master and Schema Master Placement | Passed | Hosted on same computer | Status:Hosted on same computer | Configuration | YES |
TEST NAME: Domain Naming Master and Schema Master Placement
Description: The Schema Master and Domain Naming Master are hosted on the same computer.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| vuln2_password_change_server_no_change_90 | Unauthenticated Servers | High | 10 | Total Servers Not Authenticated Within 90 Days in All Domains:28 | MITREANSSI | NO |
TEST NAME: Unauthenticated Servers
Description: Some servers have not been changing their passwords. Some servers have not changed their passwords for more than 90 days, indicating that their secrets are not being renewed.
Recommendation and Steps: It is recommended to investigate the issue and then take the necessary remediation steps. Default domain controller settings have them change their passwords automatically every 30 days. The reason for this change not occurring properly must be investigated, as it may be indicative of a compromise. Check HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange: it must be set to 0 or be nonexistent. Check HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge: it must be set to 30. Incorrect values should be reset to their default setting.
Associated Objects: Per Domain/AD Forest
TEST ID: vuln2_password_change_server_no_change_90

| vuln3_password_change_server_no_change_45 | Secrets not renewed Servers | High | 10 | Total Servers Not Changing Password within 45 days in all Domains:0 | MITREANSSI | NO |
TEST NAME: Secrets not renewed Servers
Description: All servers have been changing their passwords within 45 days.
Associated Objects: Per Domain/AD Forest
TEST ID: vuln3_password_change_server_no_change_45

| MS-RECOMMENDED | Unprotected OUs | Medium | 2 | Total OUs not protected:2 | MITREANSSI | NO |
TEST NAME: Unprotected OUs
Description: Some Organizational Units have not been protected from accidental deletion. Protection from accidental deletion prevents objects from being deleted by mistake.
Recommendation and Steps: Ensure protection from accidental deletion is configured for all OUs.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Organizational Units without Objects | Low | 4998 | Total Empty Organizational Units In All Domains:4998 | Configuration | NO |
TEST NAME: Organizational Units without Objects
Description: Empty Organizational Units were found in AD Domains. Empty Organizational Units have no function in Active Directory.
Recommendation and Steps: Check why these empty OUs are sitting in Active Directory.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Security Groups without Objects | Low | 35 | Total Empty Security Groups In All Domains:35 | Configuration | NO |
TEST NAME: Security Groups without Objects
Description: Security Groups have been created in the Domain, but they do not hold any members. Refer to the issue details.
Recommendation and Steps: Check why empty Security Groups have been created in the Domain. Note that the output also contains the pre-defined security groups, in addition to user-defined security groups.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Users without UPN specified | Low | 4 | Total Users with UPN Blank in all Domains:4 | Configuration | NO |
TEST NAME: Users without UPN specified
Description: Some Domain Users do not have a UPN set. The UPN is required by other applications.
Recommendation and Steps: Review the list and address the users that do not have a UPN set.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Missing Location Text in AD Sites | Low | 1 | Total AD Sites Not Defined With Location:1 | Configuration | NO |
TEST NAME: Missing Location Text in AD Sites
Description: Some AD Sites do not have a description text set that defines the AD site location. In a large environment it will be difficult to identify sites, and applications that query the AD Site description will fail if it is not defined.
Recommendation and Steps: It is recommended to set a description text that identifies the role of the AD Site. Some applications use the AD Site location text to get details about the AD Sites.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Managed Service Accounts Not Linked | Passed | 0 | Total Managed Service Accounts are not Linked:0 | Configuration | YES |
TEST NAME: Managed Service Accounts Not Linked
Description: Managed Service Accounts are linked to computer accounts.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | TombstoneLifeTime Modified? | Passed | 180 | Current TombstoneLifeTime Value:180 | Configuration | YES |
TEST NAME: TombstoneLifeTime Modified?
Description: The TombstoneLifetime value is set to 180 days.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Check AD Forest Functional Level | Passed | DynamicPacks.net is Windows2016Forest | AD Forest Functional Level:DynamicPacks.net is Windows2016Forest | Configuration | YES |
TEST NAME: Check AD Forest Functional Level
Description: Test has passed.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | Check AD Domain Functional Level | Passed | Ok | Status:Ok | Configuration | YES |
TEST NAME: Check AD Domain Functional Level
Description: Test has passed.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| vuln1_delegation_sourcedeleg | Duplicate SPNs | Passed | 0 | Total Duplicate SPNs in AD Domains:0 | MITREANSSI | YES |
TEST NAME: Duplicate SPNs
Description: No duplicate SPNs were found in Active Directory.
Associated Objects: Per Domain/AD Forest
TEST ID: vuln1_delegation_sourcedeleg

| vuln2_adupdate_bad | AD Forest Schema Not up to date | Passed | OK:88 | Current Forest Schema Version Status:OK:88 | MITREANSSI | YES |
TEST NAME: AD Forest Schema Not up to date
Description: The Forest is using an up-to-date schema.
Associated Objects: Per Domain/AD Forest
TEST ID: vuln2_adupdate_bad

| MS-RECOMMENDED | Found Unused Netlogon Scripts | Passed | 0 | Total Unused Scripts In All Domains:0 | MITREANSSI | YES |
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | No Group Policy Objects Defining Log Size and Retention | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
TEST NAME: No Group Policy Objects Defining Log Size and Retention
Description: Test has failed. Group Policy Objects are used to centralize enforcement of configurations and policies for domain user and computer assets. GPOs can be leveraged to define log file size and retention.
Recommendation and Steps: Create a Group Policy Object to enforce the configuration of logging on servers and endpoints. At a minimum, logging should be enabled and enforced on mission-critical systems.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | No Group Policy Objects to Prevent Domain Admins from logging on to Workstations or Servers Found | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
TEST NAME: No Group Policy Objects to Prevent Domain Admins from logging on to Workstations or Servers Found
Description: Test has failed. Group Policy Objects are used to centralize enforcement of configurations and policies for domain user and computer assets. GPOs can be leveraged to remove the ability to perform unsafe actions such as logging on to a workstation as a Domain Admin. Such actions increase the risk and likelihood of credential theft and compromise.
Recommendation and Steps: Create a Group Policy Object to prevent Domain Admins from logging on to Workstations or Servers.
Associated Objects: Per Domain/AD Forest

| MS-RECOMMENDED | No Group Policy Objects to Block ISO Execution Found | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
TEST NAME: No Group Policy Objects to Block ISO Execution Found
Description: Test has failed. Group Policy Objects are used to centralize enforcement of configurations and policies for domain user and computer assets. GPOs can be leveraged to disable automatic execution of ISO files.
Recommendation and Steps: Create a Group Policy Object to disable ISO execution.
Associated Objects: Per Domain/AD Forest
TEST ID: MS-RECOMMENDED

| MS-RECOMMENDED | No Group Policy Objects to Mitigate SMBv1 Found | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
Test Name: No Group Policy Objects to Mitigate SMBv1 Found
Description: Test has failed. Group Policy Objects are used to centralize enforcement of configurations and policies for domain user and computer assets. GPOs can be leveraged to disable unsafe protocols like SMBv1. While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities and should not be used.
Recommendation and Steps: Create a Group Policy Object to disable the SMBv1 protocol.
| MS-RECOMMENDED | No Group Policy Objects Enforcing UAC Prompt for Elevation Found | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
Test Name: No Group Policy Objects Enforcing UAC Prompt for Elevation Found
Description: Test has failed. Group Policy Objects are used to centralize enforcement of configurations and policies for domain user and computer assets. GPOs can be leveraged to enforce security measures like the User Account Control (UAC) prompt to grant elevated permissions. Enforcing the use of the UAC prompt hinders an attacker's ability to silently or programmatically elevate a standard user's privileges to administrative permissions.
Recommendation and Steps: Create a Group Policy Object to enforce UAC prompts for all users.
| MS-RECOMMENDED | No Group Policy Objects to Mitigate Accidental Script Execution | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
Test Name: No Group Policy Objects to Mitigate Accidental Script Execution
Description: Test has failed. Group Policy Objects are used to centralize enforcement of configurations and policies for domain user and computer assets. GPOs can be leveraged to replace the default file associations with a program of your choice. Replacing the default file association of JavaScript (.js) file extensions with a program like Notepad will mitigate the risk associated with automated or inadvertent file execution. The following extensions are evaluated.
Recommendation and Steps: Create a Group Policy Object to replace the default file association for JavaScript file extensions.
| MS-RECOMMENDED | No Group Policy Objects to Mitigate NTLMv1 Protocol | High | 1 | Total AD Domains Affected:1 | MITREANSSI | NO |
Test Name: No Group Policy Objects to Mitigate NTLMv1 Protocol
Description: Test has failed. NTLMv1 is a legacy authentication protocol with weak encryption that allows attackers to easily retrieve credentials from the network and perform NTLM Relay attacks.
Recommendation and Steps: Create a Group Policy Object to disable the NTLMv1 protocol. Additionally, disabling this protocol in a Golden Image is recommended.
| MS-RECOMMENDED | GPOs not Linked to OUs | Medium | 5002 | Total OUs without GPO Linked:5002 | Configuration | NO |
Test Name: GPOs not Linked to OUs
Description: Some Organizational Units have no GPO linked in the AD Domains. Note that the list might include child OUs to which a GPO is applied at the parent OU. If an OU contains objects, a GPO must be configured to apply standard settings.
Recommendation and Steps: Review the list and link a GPO where necessary.
| MS-RECOMMENDED | GPO Description | Low | 3002 | Number of GPOs not set with Description:3002 | Configuration | NO |
Test Name: GPO Description
Description: Some Group Policy Objects do not have a description set. While there is no direct security impact, setting a description on each GPO helps with identification.
Recommendation and Steps: It is recommended to set a description for each GPO in the domain.
| MS-RECOMMENDED | Disabled GPOs | Passed | 0 | Total Disabled GPOs:0 | Configuration | YES |
Test Name: Disabled GPOs
Description: No Disabled GPOs found in AD Domains.
| MS-RECOMMENDED | GPOs not Applying | Passed | 0 | Total GPOs not applying correctly in All Domains:0 | Configuration | YES |
Test Name: GPOs not Applying
Description: All GPO objects are applying successfully.
| MS-RECOMMENDED | Orphaned GPO Containers | Passed | 0 | Total Orphaned Group Policy Objects:0 | Configuration | YES |
Test Name: Orphaned GPO Containers
Description: No Orphaned Group Policy Objects were found.
| MS-RECOMMENDED | Found GPOs with Block Inheritance | Passed | 0 | Total GPOs with Block Inheritance Defined:0 | Configuration | YES |
Test Name: Found GPOs with Block Inheritance
Description: None of the Organizational Units have been configured with the GPO Block Policy Inheritance setting.
| MS-RECOMMENDED | GPO Naming Convention | Passed | 0 | Number of GPOs Not Following Standard Naming Convention:0 | Configuration | YES |
Test Name: GPO Naming Convention
Description: All GPOs follow the standard naming convention.
| MS-RECOMMENDED | Found GPO with WMI Filters | Passed | 0 | Total GPO with WMI Filter:0 | Configuration | YES |
Test Name: Found GPO with WMI Filters
Description: No GPOs have been configured with WMI Filters.
| MS-RECOMMENDED | Domain GPO Application Status | Passed | 0 | Total GPOs Not Applied:0 | HealthCheck | YES |
Test Name: Domain GPO Application Status
Description: All GPOs have been configured to apply to the required objects.
| MS-RECOMMENDED | No Group Policy Objects for Preventing passwords using reversible encryption | Passed | 0 | Total AD Domains Affected:0 | MITREANSSI | YES |
Test Name: No Group Policy Objects for Preventing passwords using reversible encryption
| MS-RECOMMENDED | GPO Preferences Containing Passwords | Passed | 0 | GPO Preferences Containing Password in All AD Domains:0 | MITREANSSI | YES |

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Too many DNS Static Records | Passed | 0 | Total Static Records:0 | Configuration | YES |
Test Name: Too many DNS Static Records
Description: No DNS Static Records were found in Domain Zones.
| MS-RECOMMENDED | DNS Round-Robin Not Enabled | Passed | 0 | Total DNS Servers Not Enabled With Round Robin:0 | Configuration | YES |
Test Name: DNS Round-Robin Not Enabled
Description: All DNS Servers have DNS Round Robin enabled.
| MS-RECOMMENDED | Conditional Forwarders Not Working | Passed | 0 | Total Conditional Forwarders Configured:0 | HealthCheck | YES |
Test Name: Conditional Forwarders Not Working
Description: DNS Servers do not host any Conditional Forwarders.

| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Lock screen camera status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Lock screen camera status
| MS-RECOMMENDED | Lock screen slide show status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Lock screen slide show status
Description: Setting is not configured at all or not configured correctly. Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> Prevent enabling lock screen slide show to Enabled.
| MS-RECOMMENDED | Passwords to be saved status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Passwords to be saved status
Description: Setting is not configured at all or not configured correctly. Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> Do not allow passwords to be saved to Enabled.
| MS-RECOMMENDED | Always prompt for password upon connection status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Always prompt for password upon connection status
Description: Setting is not configured at all or not configured correctly. This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> Always prompt for password upon connection to Enabled.
| MS-RECOMMENDED | Require secure RPC communication status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Require secure RPC communication status
Description: Setting is not configured at all or not configured correctly. Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> Require secure RPC communication to Enabled.
| MS-RECOMMENDED | Set client connection encryption level status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Set client connection encryption level status
Description: Setting is not configured at all or not configured correctly. Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting High Level will ensure encryption of Remote Desktop Services sessions in both directions.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> Set client connection encryption level to Enabled with High Level selected.
| MS-RECOMMENDED | Windows Defender SmartScreen status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Windows Defender SmartScreen status
| MS-RECOMMENDED | AutoPlay status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: AutoPlay status
Description: Setting is not configured at all or not configured correctly. Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables AutoPlay on all drives.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Turn off AutoPlay to Enabled with All Drives selected.
| MS-RECOMMENDED | Default behavior for AutoRun status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Default behavior for AutoRun status
Description: Setting is not configured at all or not configured correctly. Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> Set the default behavior for AutoRun to Enabled with Do not execute any autorun commands selected.
| MS-RECOMMENDED | UNC Paths Hardened status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: UNC Paths Hardened status
Description: Setting is not configured at all or not configured correctly. Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> Hardened UNC Paths to Enabled with at least the following configured in Hardened UNC Paths (click the Show button to display): Value Name: \\*\SYSVOL
| MS-RECOMMENDED | Insecure guest logons status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Insecure guest logons status
Description: Setting is not configured at all or not configured correctly. Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> Enable insecure guest logons to Disabled.
| MS-RECOMMENDED | Audit- Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Audit- Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings status
Description: Setting is not configured at all or not configured correctly. The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Accounts: Rename guest account to a name other than Guest.
| MS-RECOMMENDED | Domain controller- LDAP server signing requirements status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain controller- LDAP server signing requirements status
Description: Setting is not configured at all or not configured correctly. Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain controller: LDAP server signing requirements to Require signing.
| MS-RECOMMENDED | Domain controller- Refuse machine account password changes status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain controller- Refuse machine account password changes status
Description: Setting is not configured at all or not configured correctly. Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain controller: Refuse machine account password changes to Disabled.
| MS-RECOMMENDED | Domain member- Digitally encrypt secure channel data (when possible) status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain member- Digitally encrypt secure channel data (when possible) status
Description: Setting is not configured at all or not configured correctly. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Digitally encrypt secure channel data (when possible) to Enabled.
| MS-RECOMMENDED | Domain member- Digitally sign secure channel data (when possible) status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain member- Digitally sign secure channel data (when possible) status
Description: Setting is not configured at all or not configured correctly. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Digitally sign secure channel data (when possible) to Enabled.
| MS-RECOMMENDED | Domain member- Disable machine account password changes status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain member- Disable machine account password changes status
Description: Setting is not configured at all or not configured correctly. Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Disable machine account password changes to Disabled.
| MS-RECOMMENDED | Domain member- Maximum machine account password age status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain member- Maximum machine account password age status
Description: Setting is not configured at all or not configured correctly. Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.
Recommendation and Steps: This is the default configuration for this setting (30 days). Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Maximum machine account password age to 30 or less (excluding 0, which is unacceptable).
| MS-RECOMMENDED | Domain member- Require strong (Windows 2000 or later) session key status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Domain member- Require strong (Windows 2000 or later) session key status
Description: Setting is not configured at all or not configured correctly. A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Domain member: Require strong (Windows 2000 or Later) session key to Enabled.
| MS-RECOMMENDED | Interactive logon- Machine inactivity limit status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Interactive logon- Machine inactivity limit status
Description: Setting is not configured at all or not configured correctly. Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Interactive logon: Machine inactivity limit to 900 seconds or less, excluding 0, which is effectively disabled.
| MS-RECOMMENDED | Microsoft network client- Digitally sign communications (always) status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Microsoft network client- Digitally sign communications (always) status
Description: Setting is not configured at all or not configured correctly. The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft network client: Digitally sign communications (always) to Enabled.
| MS-RECOMMENDED | Microsoft network client- Send unencrypted password to third-party SMB servers status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Microsoft network client- Send unencrypted password to third-party SMB servers status
Description: Setting is not configured at all or not configured correctly. Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Microsoft Network Client: Send unencrypted password to third-party SMB servers to Disabled.
| MS-RECOMMENDED | Network access- Do not allow anonymous enumeration of SAM accounts status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Network access- Do not allow anonymous enumeration of SAM accounts status
Description: Setting is not configured at all or not configured correctly. Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of potential points to attack the system.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts to Enabled.
| MS-RECOMMENDED | Network access- Do not allow anonymous enumeration of SAM accounts and shares status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Network access- Do not allow anonymous enumeration of SAM accounts and shares status
Description: Setting is not configured at all or not configured correctly. Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network access: Do not allow anonymous enumeration of SAM accounts and shares to Enabled.
| MS-RECOMMENDED | Network security- Allow LocalSystem NULL session fallback status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Network security- Allow LocalSystem NULL session fallback status
Description: Setting is not configured at all or not configured correctly. NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Allow LocalSystem NULL session fallback to Disabled.
| MS-RECOMMENDED | Network security- LAN Manager authentication level status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Network security- LAN Manager authentication level status
Description: Setting is not configured at all or not configured correctly. The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM.
| MS-RECOMMENDED | Network security- LDAP client signing requirements | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Network security- LDAP client signing requirements
Description: Setting is not configured at all or not configured correctly. This setting controls the signing requirements for LDAP clients. This must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: LDAP client signing requirements to Negotiate signing at a minimum.
| MS-RECOMMENDED | Network security- Minimum session security for NTLM SSP based (including secure RPC) clients status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
Test Name: Network security- Minimum session security for NTLM SSP based (including secure RPC) clients status
Description: Setting is not configured at all or not configured correctly. Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients to Require NTLMv2 session security and Require 128-bit encryption (all options selected).
| MS-RECOMMENDED | Network security- Minimum session security for NTLM SSP based (including secure RPC) servers status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Network security- Minimum session security for NTLM SSP based (including secure RPC) servers status
Description: Setting is not configured at all or not configured correctly. Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers to Require NTLMv2 session security and Require 128-bit encryption (all options selected).
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | System objects- Strengthen default permissions of internal system objects status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: System objects- Strengthen default permissions of internal system objects status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Admin Approval Mode for the Built-in Administrator account status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Admin Approval Mode for the Built-in Administrator account status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Admin Approval Mode for the Built-in Administrator account to Enabled.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Behavior of the elevation prompt for administrators in Admin Approval Mode status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Behavior of the elevation prompt for administrators in Admin Approval Mode status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for consent on the secure desktop. The more secure option for this setting, Prompt for credentials on the secure desktop, would also be acceptable.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Behavior of the elevation prompt for standard users status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Behavior of the elevation prompt for standard users status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Behavior of the elevation prompt for standard users to Automatically deny elevation requests.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Detect application installations and prompt for elevation status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Detect application installations and prompt for elevation status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Detect application installations and prompt for elevation to Enabled.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Only elevate UIAccess applications that are installed in secure locations status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Only elevate UIAccess applications that are installed in secure locations status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Only elevate UIAccess applications that are installed in secure locations to Enabled.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Run all administrators in Admin Approval Mode status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Run all administrators in Admin Approval Mode status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Run all administrators in Admin Approval Mode to Enabled.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | User Account Control- Virtualize file and registry write failures to per-user locations status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: User Account Control- Virtualize file and registry write failures to per-user locations status
Description: Setting is not configured at all or not configured correctly. User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> User Account Control: Virtualize file and registry write failures to per-user locations to Enabled.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
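The Security Options findings above (LAN Manager authentication level, LDAP client signing, NTLM SSP session security, and the UAC settings) are all delivered by Group Policy as registry values. The following PowerShell is an added example, not part of the SmartProfiler report or its tooling: it reads the effective value of each setting on one or more computers and compares it with the value the report recommends, which is how to confirm the GPO change actually landed. The registry locations are the documented backing store for these policies; the one assumption is that ProtectionMode (Strengthen default permissions of internal system objects, for which the report gives no value) is expected to be 1, that is, Enabled.

```powershell
# Added example: verify effective Security Option values against the report's recommendations.
# 'not set' means nothing (GPO or local policy) ever defined the value, which matches the
# report's "Setting Status: Missing". Run with admin rights; remote hosts need WinRM.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$SecurityOptionRules = @(
    @{ Policy = 'LAN Manager authentication level';        Key = $lsa;          Name = 'LmCompatibilityLevel'; Want = @(5) }           # 5 = Send NTLMv2 only, refuse LM & NTLM
    @{ Policy = 'LDAP client signing requirements';        Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name = 'LDAPClientIntegrity'; Want = @(1, 2) }  # 1 = Negotiate, 2 = Require
    @{ Policy = 'Min session security for NTLM SSP clients'; Key = "$lsa\MSV1_0"; Name = 'NTLMMinClientSec';   Want = @(0x20080000) }  # NTLMv2 session security + 128-bit
    @{ Policy = 'Min session security for NTLM SSP servers'; Key = "$lsa\MSV1_0"; Name = 'NTLMMinServerSec';   Want = @(0x20080000) }
    @{ Policy = 'Strengthen default permissions of internal system objects'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'ProtectionMode'; Want = @(1) }  # assumed: Enabled
    @{ Policy = 'UAC: Admin Approval Mode for built-in Administrator'; Key = $uac; Name = 'FilterAdministratorToken'; Want = @(1) }
    @{ Policy = 'UAC: Elevation prompt for administrators'; Key = $uac; Name = 'ConsentPromptBehaviorAdmin'; Want = @(2, 1) }  # 2 = consent on secure desktop, 1 = credentials on secure desktop
    @{ Policy = 'UAC: Elevation prompt for standard users'; Key = $uac; Name = 'ConsentPromptBehaviorUser';  Want = @(0) }     # 0 = automatically deny
    @{ Policy = 'UAC: Detect application installations';   Key = $uac; Name = 'EnableInstallerDetection';   Want = @(1) }
    @{ Policy = 'UAC: Only elevate UIAccess apps in secure locations'; Key = $uac; Name = 'EnableSecureUIAPaths'; Want = @(1) }
    @{ Policy = 'UAC: Run all administrators in Admin Approval Mode'; Key = $uac; Name = 'EnableLUA';        Want = @(1) }
    @{ Policy = 'UAC: Virtualize file and registry write failures'; Key = $uac; Name = 'EnableVirtualization'; Want = @(1) }
)

function Test-SecurityOptions {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Runs locally or inside Invoke-Command; $Rules arrives serialized, which keeps the keys intact.
    $check = {
        param($Rules)
        foreach ($r in $Rules) {
            $actual = (Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
            $ok = ($null -ne $actual) -and ($r.Want -contains [int]$actual)
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Policy   = $r.Policy
                Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
                Expected = ($r.Want | ForEach-Object { '{0}' -f $_ }) -join ' or '
                Status   = if ($ok) { 'OK' } else { 'FAIL' }
            }
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $check $SecurityOptionRules }
        else { Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList (, $SecurityOptionRules) }
    }
}

# Usage: check every domain controller, show only what still fails.
# Test-SecurityOptions -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) |
#     Where-Object Status -eq 'FAIL' | Format-Table Computer, Policy, Actual, Expected -AutoSize
```

The script reports effective values on the host, not the contents of a GPO, so run it after the policy paths given in the findings have been set and `gpupdate /force` has been applied; a value that is 'not set' on a domain controller after refresh means the GPO is not linked or not applied, not just that the UI checkbox was missed.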
| MS-RECOMMENDED | Audit Credential Validation status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Credential Validation status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential Validation records events related to validation tests on credentials for a user account logon.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> Audit Credential Validation with Success selected. Failure should be selected as well: failed NTLM credential validation (event 4776 on the domain controllers) is the primary signal for password guessing and password spraying.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Computer Account Management status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Computer Account Management status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Other Account Management Events status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Other Account Management Events status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Other Account Management Events with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Security Group Management status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Security Group Management status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit Security Group Management with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit User Account Management status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit User Account Management status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> Audit User Account Management with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit PNP Activity status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit PNP Activity status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Process Creation status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Process Creation status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Process Creation records events related to the creation of a process and the source. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Audit Process Creation with Success selected. The resulting event 4688 carries only the executable path by default; also enable Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> Include command line in process creation events so that the full command line is recorded.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Directory Service Access status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Directory Service Access status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Audit Directory Service Access records events related to users accessing an Active Directory object. Events are generated only for objects whose system access control list (SACL) contains an entry matching the principal and access type, so this subcategory records nothing until SACLs are set on the objects of interest. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> Directory Service Access with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Directory Service Changes status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Directory Service Changes status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> Directory Service Changes with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Account Lockout status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Account Lockout status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Account Lockout events can be used to identify potentially malicious logon attempts.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Account Lockout with Success selected. Select Failure as well: on current Windows versions the lockout event (4625 under this subcategory) is written as a Failure audit, so Success alone records nothing useful.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Group Membership status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Group Membership status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Logon status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Logon status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logon with Success selected. Select Failure as well so that failed logons (event 4625) are recorded alongside successful ones (event 4624).
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Other Logon/Logoff Events status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Other Logon/Logoff Events status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Special Logon status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Special Logon status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Special Logon records special logons that have administrative privileges and can be used to elevate processes. Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Special Logon with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Detailed File Share status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Detailed File Share status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit File Share status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit File Share status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Other Object Access Events status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Other Object Access Events status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Other Object Access Events with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Removable Storage status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Removable Storage status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Audit Policy Change status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Audit Policy Change status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Audit Policy Change records events related to changes in audit policy. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Audit Policy Change with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Authentication Policy Change status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Authentication Policy Change status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> Audit Authentication Policy Change with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit MPSSVC Rule-Level Policy Change status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit MPSSVC Rule-Level Policy Change status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Other Policy Change Events status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Other Policy Change Events status
Description: (not provided in the report)
Recommendation and Steps: (not provided in the report)
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Sensitive Privilege Use status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Sensitive Privilege Use status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Sensitive Privilege Use records events related to use of sensitive privileges, such as Act as part of the operating system or Debug programs. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Other System Events status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Other System Events status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Other System Events with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Security State Change status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Security State Change status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security State Change records events related to changes in the security state, such as startup and shutdown of the system. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Security State Change with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit Security System Extension status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit Security System Extension status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Security System Extension records events related to extension code being loaded by the security subsystem. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit Security System Extension with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Audit System Integrity status | High | Missing | Setting Status:Missing | MITREANSSI | NO |
TEST NAME: Audit System Integrity status
Description: Setting is not configured at all or not configured correctly. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. System Integrity records events related to violations of integrity to the security subsystem. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Recommendation and Steps: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> Audit System Integrity with Success selected.
Associated Objects Per Domain/AD Forest
Affected Objects: none listed.
| MS-RECOMMENDED | Domain member- Digitally encrypt or sign secure channel data (always) status | Passed | Found | Setting Status:Found | MITREANSSI | YES |
Test: Domain member- Digitally encrypt or sign secure channel data (always) status
Description: Setting is configured or test is passed.
| MS-RECOMMENDED | Microsoft network server- Digitally sign communications (always) status | Passed | Found | Setting Status:Found | MITREANSSI | YES |
Test: Microsoft network server- Digitally sign communications (always) status
Description: Setting is configured or test is passed.
| MS-RECOMMENDED | Network security- Do not store LAN Manager hash value on next password change status | Passed | Found | Setting Status:Found | MITREANSSI | YES |
Test: Network security- Do not store LAN Manager hash value on next password change status
Description: Setting is configured or test is passed.
| Security Framework | Test | Severity | Items | Affected Objects | Control Type | Configured Correctly? |
| MS-RECOMMENDED | Accounts with Extended Rights to Read LAPS Passwords Found | Critical | LAPS/Module Not Installed | Illegal Accounts Found to read LAPS in AD Domains:LAPS/Module Not Installed | MITREANSSI | NO |
Test: Accounts with Extended Rights to Read LAPS Passwords Found
Description: Test has failed. Accounts in an Active Directory with extended or overly permissive rights to OUs and computers may be granted unintentional permissions to read, modify or administer the Local Admin Password Solution (LAPS) on domain objects.
Recommendation and Steps: Identified accounts should be reviewed to ensure that they are supposed to have the rights to view, read or modify LAPS password information. Auditing of LAPS access can be configured by running the PowerShell commands.
Affected Objects (per Domain/AD Forest):
| MS-RECOMMENDED | LAPS SearchFlag modified | Critical | Modified | LAPS SearchFlags Modified:Modified | MITREANSSI | NO |
Test: LAPS SearchFlag modified
Description:
Recommendation and Steps:
Affected Objects (per Domain/AD Forest):
| MS-RECOMMENDED | High Value Targets Found | High | 204 | Total High Value Targets Found:204 | MITREANSSI | NO |
Test: High Value Targets Found
Description: Test has failed. Members of Administrative groups have elevated privileges in an Active Directory environment. Compromise of these accounts allows attackers to control various aspects of the domain, up to and including a complete domain takeover.
Recommendation and Steps: Review members of these Administrative groups and ensure that they do require these rights. Proper delegation of rights to non-default Security Groups offers greater security for the domain. Consider using a Privileged Access Management (PAM) tool and Just in Time (JIT) Administration utilities.
Affected Objects (per Domain/AD Forest):
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Access Control Lists on Computers Found | Passed | 0 | Total Abusable ACLs on Computer Objects:0 | MITREANSSI | YES |
Test: Access Control Lists on Computers Found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Access Control Lists on Security Groups Found | Passed | 0 | Found Dangerous Group Permissions in AD Domains:0 | MITREANSSI | YES |
Test: Access Control Lists on Security Groups Found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Access Control Lists on Users Found | Passed | 0 | Found Dangerous User Permissions:0 | MITREANSSI | YES |
Test: Access Control Lists on Users Found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Group Policy Objects with Improper Permissions Found | Passed | 0 | Abusable GPO Permissions found in Total AD Domains:0 | MITREANSSI | YES |
Test: Group Policy Objects with Improper Permissions Found
Description: Test has passed.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Group Policy Object Assignments with Improper Permissions Found | Passed | 0 | Total Abusable GPO Permissions in AD Domains:0 | MITREANSSI | YES |
| vuln_permissions_msdns | Dangerous Permissions Found on MicrosoftDNS Container | Passed | 0 | AD Domains Affected:0 | MITREANSSI | YES |
Test: Dangerous Permissions Found on MicrosoftDNS Container
Description: Test has passed.
Test ID: vuln_permissions_msdns
| vuln_permissions_naming_context | Dangerous Permissions Found on Naming Contexts | Passed | 0 | AD Domains Affected:0 | MITREANSSI | YES |
Test: Dangerous Permissions Found on Naming Contexts
Description: Test has passed.
Test ID: vuln_permissions_naming_context
| vuln_compatible_2000_anonymous | Pre-Windows 2000 Compatible Access Group is not empty | Passed | 0 | Number of AD Domains Affected:0 | MITREANSSI | YES |
Test: Pre-Windows 2000 Compatible Access Group is not empty
Description: Test has passed.
Test ID: vuln_compatible_2000_anonymous
| vuln_sidhistory_present | Found Groups with SID history Set | Passed | 0 | Total Groups With sIDHistory Affected domains:0 | MITREANSSI | YES |
Test: Found Groups with SID history Set
Description: Test has passed.
Test ID: vuln_sidhistory_present
| MS-RECOMMENDED | Normal Users Full Control Permissions on OUs | Passed | 0 | Total Normal User Accounts with Full Control Rights to Organizational Units in all Domains:0 | MITREANSSI | YES |
Test: Normal Users Full Control Permissions on OUs
Description: No Organizational Units have Full Control for any account configured.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | EVERYONE Full Control Permissions on OUs | Passed | 0 | Total Organizational Units with Everyone Full Control Access Rights:0 | MITREANSSI | YES |
Test: EVERYONE Full Control Permissions on OUs
Description: No Organizational Units have Full Control for Everyone configured.
Test ID: MS-RECOMMENDED
| MS-RECOMMENDED | Abusable Permissions Found on SYSVOL and NETLOGON | Passed | Ok | Abusable Permissions Found on SYSVOL and Netlogon Shares:Ok | MITREANSSI | YES |
Test: Abusable Permissions Found on SYSVOL and NETLOGON
Description:
| MS-RECOMMENDED | Unauthorized Users having GPLink Rights on Domain NC | Passed | 1 | AD Domains Affected:1 | MITREANSSI | YES |
| MS-RECOMMENDED | Unauthorized Users having GPLink Rights on Domain Controllers OU | Passed | 1 | AD Domains Affected:1 | MITREANSSI | YES |
Test: Unauthorized Users having GPLink Rights on Domain Controllers OU
Description:
| MS-RECOMMENDED | Unauthorized Users having GPLink Rights on AD Sites | Passed | 0 | AD Sites Affected:0 | MITREANSSI | YES |
OVERALL AZURE INFRA SSO STATUS
AZURE ENTRA ID SSO
OVERALL SCORE
| Test | Affected Objects | Status |
|---|---|---|
| Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID | Status:Configured correctly | Configured correctly |
Test: Ensure On-Prem AD Users are not Privileged Users in Azure Entra ID
Description: Item has met all the requirements as per test. If On-Prem AD users are assigned privileged roles in Azure Entra ID, it poses a significant security risk. These users could gain unauthorized access to sensitive cloud resources, increasing the likelihood of a data breach or system compromise. Mismanagement of user roles could also lead to compliance violations, particularly with industry standards such as GDPR, HIPAA, or ISO 27001, exposing the organization to legal and financial consequences. Furthermore, allowing improper access may lead to privilege escalation, operational disruptions, and potential changes to critical cloud infrastructure, which could harm both security and business continuity.
| Ensure Azure Administrative Units are used | Administrative Units Status:Not Defined | Not Defined |
Test: Ensure Azure Administrative Units are used
Description: Item does not meet all the requirements as per test. Not utilizing Azure Administrative Units could result in inefficient management of resources, with broad access being granted to users or administrators who may not need it. This can increase the risk of unauthorized access to sensitive information or cloud resources, leading to potential security breaches. Without proper segregation of duties and role assignment via AUs, organizations may face compliance issues, as it may be difficult to demonstrate effective control over access permissions in Azure AD. Additionally, lack of AUs could lead to operational inefficiencies, as administrative tasks might not be delegated effectively across different teams, which can cause delays or errors in managing user resources and access policies.
Recommendation and Steps: To ensure that Azure Administrative Units (AUs) are used effectively, organizations should leverage them to delegate administrative tasks in a structured manner, ensuring that different business units or departments can be managed independently. Administrators should assign appropriate permissions to users within each AU to align with their specific roles, ensuring that administrative access is limited to only the necessary resources. It is recommended to define clear boundaries for each AU and to assign roles such as Helpdesk Administrator or User Administrator to specific administrative units rather than granting broad access to the entire Azure Active Directory. Regular audits should also be conducted to verify that these units are configured correctly and that administrators are adhering to the principle of least privilege.
Affected Objects (per Domain/AD Forest):
| Ensure Azure Guests cannot invite other Guests | Guests can Invite Other Guests Status:Guests can Invite Other Guests | Guests can Invite Other Guests |
Test: Ensure Azure Guests cannot invite other Guests
Description: Item has met all the requirements as per test. Allowing Azure Guests to invite other Guests introduces significant security and governance risks. Unauthorized or malicious users could invite unvetted individuals, increasing the likelihood of external security threats or data breaches. This can lead to unauthorized access to organizational resources, potentially compromising sensitive information. Additionally, without restrictions, there could be compliance violations related to data sharing and control over who has access to the organization's resources. Failure to manage guest invitations could also result in a lack of visibility into external users accessing the tenant, making it harder to monitor and enforce security policies effectively.
| Ensure non-Admins cannot register custom applications | Users can register their Own Applications Status:Users can't register their Own Applications | Users can't register their Own Applications |
Test: Ensure non-Admins cannot register custom applications
Description: Item has met all the requirements as per test. Allowing non-admin users to register custom applications in Azure AD creates significant security and governance risks. Unauthorized application registrations could introduce potential security vulnerabilities, such as unvetted third-party applications that have access to organizational data or resources. This can lead to unauthorized data access, breaches, and compliance violations, especially if sensitive or regulated information is exposed to unapproved applications. Moreover, it increases the risk of shadow IT, where users create and manage their own applications outside of IT governance, making it difficult to monitor, secure, and maintain proper access control. By restricting this capability to trusted administrators, organizations can better control the application lifecycle and ensure that only approved, secured, and monitored applications are integrated into the environment.
| Ensure no Guest Accounts in Azure Privileged groups | Status:No Guest Users in Privileged Roles | No Guest Users in Privileged Roles |
Test: Ensure no Guest Accounts in Azure Privileged groups
Description: Item has met all the requirements as per test. Allowing guest accounts in Azure privileged groups introduces a major security risk, as external users may not have the necessary vetting or trust to access sensitive resources within the organization. Privileged accounts such as Global Administrator, Security Administrator, and other elevated roles provide extensive access to critical systems and data, and if guest accounts are included in these groups, it could lead to unauthorized access, data breaches, and potential misuse of organizational resources. Additionally, such misconfigurations may result in non-compliance with regulatory requirements like GDPR or HIPAA, as external access to sensitive data could be improperly managed. Without proper safeguards, this oversight can lead to escalation of privileges and create significant operational and security risks within the organization.
| Ensure Security Defaults is enabled | Status:Disabled | Disabled |
Test: Ensure Security Defaults is enabled
Description: Item does not meet all the requirements as per test. If Security Defaults are not enabled, organizations may be leaving their Azure AD environment vulnerable to basic security threats such as password attacks, unauthorized access, and identity spoofing. Without these fundamental protections in place, attackers could exploit weaknesses, such as reliance on single-factor authentication or the use of legacy authentication methods that lack encryption or strong verification. This could lead to data breaches, unauthorized access to critical systems, and non-compliance with industry regulations like GDPR or HIPAA, which require strong security practices. Enabling Security Defaults ensures that a strong foundation is in place to protect user identities and sensitive data, reducing the overall risk of attacks and enhancing the organization's security posture.
Recommendation and Steps: To ensure that Security Defaults is enabled in Azure Active Directory (Azure AD), organizations should configure the security settings within Azure AD to enforce essential security measures, such as Multi-Factor Authentication (MFA) for all users, blocking legacy authentication protocols, and requiring secure authentication methods. Enabling Security Defaults helps mitigate common identity and access risks, providing a baseline level of protection for all accounts in the directory. Organizations should regularly review their security configurations to ensure that Security Defaults are still enabled and that no changes have been made that could undermine these protections. Additionally, for more advanced requirements, consider using Conditional Access policies to tailor security enforcement while maintaining the protection provided by Security Defaults.
Affected Objects (per Domain/AD Forest):
| Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent | Status:Allowed: Full | Allowed: Full |
Test: Ensure Normal Azure Users do not have Permissions to provide unrestricted user Consent
Description: Item does not meet all the requirements as per test. Allowing normal Azure users to grant unrestricted user consent introduces significant security and governance risks. Unauthorized or unmonitored consent could result in users granting excessive permissions to third-party applications, which may lead to unauthorized access to sensitive data or resources. This can increase the risk of data breaches, as malicious applications or users could exploit these permissions to access, modify, or exfiltrate critical information. Furthermore, improper user consent could lead to compliance violations, as regulations like GDPR require organizations to control how and to whom personal data is shared. By restricting user consent to administrators, organizations can better safeguard their data and ensure only trusted applications are granted access to resources.
Recommendation and Steps: To ensure that normal Azure users do not have permissions to provide unrestricted user consent, organizations should configure Azure Active Directory (Azure AD) consent settings to restrict the ability to grant permissions to third-party applications. This can be done by navigating to the Enterprise Applications settings in the Azure AD portal and setting the User consent settings to allow only administrators to consent on behalf of users. Additionally, administrators should review and monitor consented applications to ensure that only trusted and necessary applications have access to organizational resources. Regular audits of user consent activity should also be implemented to detect and address any unauthorized consent given by non-admin users.
Affected Objects (per Domain/AD Forest):
| Ensure Conditional Access Policy with signin user-risk location as Factor | Status:No Conditional Access Policy found with Sign-in risk | No Conditional Access Policy found with Sign-in risk |
Test: Ensure Conditional Access Policy with signin user-risk location as Factor
Description: Item does not meet all the requirements as per test. Implementing Conditional Access with sign-in user-risk location as a factor enhances security by ensuring only trusted locations can access sensitive resources. This reduces exposure to potential unauthorized access from high-risk regions.
Recommendation and Steps: Enforce this policy across critical applications to monitor and control access based on the user's sign-in risk and location. Regularly review and adjust risk levels for evolving threat landscapes.
Affected Objects (per Domain/AD Forest):
| Ensure no Guest accounts that are inactive for more than 45 days | Inactive Guests:Not Found | Not Found |
Test: Ensure no Guest accounts that are inactive for more than 45 days
Description: Item has met all the requirements as per test. Enforcing the policy to remove guest accounts inactive for more than 45 days reduces the risk of unauthorized access and potential security breaches from dormant accounts. This ensures a cleaner, more secure environment.
| AAD Connect sync account password reset | Status:Not Configured correctly | Not Configured correctly |
Test: AAD Connect sync account password reset
Description: Item does not meet all the requirements as per test. Ensuring the AAD Connect sync account password reset is completed secures synchronization between on-premises Active Directory and Azure AD, preventing potential security vulnerabilities due to outdated or compromised credentials.
Recommendation and Steps: Reset the AAD Connect sync account password periodically and update the credentials in both Azure AD Connect and all connected systems. Verify synchronization functions correctly after the reset and monitor for any disruptions in directory syncing.
Affected Objects (per Domain/AD Forest):
| Ensure Guest users are restricted | Status:Restricted but can see membership of all non-hidden groups | Restricted but can see membership of all non-hidden groups |
Test: Ensure Guest users are restricted
Description: Item does not meet all the requirements as per test. Restricting guest users enhances security by limiting their access to sensitive organizational resources, reducing the potential for data leakage or unauthorized access by external parties.
Recommendation and Steps: Implement policies to restrict guest user permissions, limit access to essential resources only, and regularly review guest user activity. Use Conditional Access to enforce restrictions and monitor for any anomalous behavior.
Affected Objects (per Domain/AD Forest):
| Conditional Access Policy that does not require a password change from high risk users | Status:No Conditional Access Policy for High Risk Users | No Conditional Access Policy for High Risk Users |
Test: Conditional Access Policy that does not require a password change from high risk users
Description: Item does not meet all the requirements as per test. Creating a Conditional Access policy that doesn't require a password change for high-risk users can expose the organization to security vulnerabilities, as it allows compromised accounts to remain active without mandatory remediation.
Recommendation and Steps: Revise the policy to enforce password changes or additional security measures for high-risk users. Implement continuous risk assessment to trigger mandatory actions such as password resets when risks are detected, ensuring stronger protection.
Affected Objects (per Domain/AD Forest):
| Conditional Access Policy that does not require MFA when sign-in risk has been identified | Status:No Conditional Access Policy found. | No Conditional Access Policy found. |
Test: Conditional Access Policy that does not require MFA when sign-in risk has been identified
Description: Item does not meet all the requirements as per test. A Conditional Access policy that does not require MFA when sign-in risk is identified weakens security, as it allows potentially compromised accounts to access sensitive resources without additional authentication, increasing the risk of unauthorized access.
Recommendation and Steps: Update the policy to enforce MFA for any sign-in attempts identified as high risk. Leverage real-time risk detection and ensure MFA is triggered for users exhibiting suspicious sign-in behaviors to enhance protection against account compromise.
Affected Objects (per Domain/AD Forest):
| Ensure Synced AAD Users not privileged Users in Azure | Status:Configured correctly | Configured correctly |
Test: Ensure Synced AAD Users not privileged Users in Azure
Description: Item has met all the requirements as per test. Ensuring that synced Azure AD users are not granted privileged roles reduces the risk of accidental or unauthorized access to critical resources, enhancing security by limiting the scope of privileged access.
| Ensure No Private IP Addresses in Conditional Access policies | Status:No Private IP Address in Conditional Access Policies | No Private IP Address in Conditional Access Policies |
Test: Ensure No Private IP Addresses in Conditional Access policies
Description: Item has met all the requirements as per test. Ensuring no private IP addresses are used in Conditional Access policies prevents accidental exposure of internal resources to external threats, as private IPs could inadvertently bypass security checks or lead to unauthorized access.
| Ensure Number Matching enabled in MFA | Status:Number Matching Not Enabled | Number Matching Not Enabled |
Test: Ensure Number Matching enabled in MFA
Description: Item does not meet all the requirements as per test. Enabling number matching in MFA strengthens security by requiring users to enter a code displayed on their device during authentication, making it harder for attackers to bypass the second factor through phishing or social engineering.
Recommendation and Steps: Enforce number matching as part of MFA for all users, particularly for high-risk accounts. Regularly review and update MFA settings to include additional secure authentication methods, ensuring robust protection against unauthorized access.
Affected Objects (per Domain/AD Forest):
| Ensure AD privileged users are not synced to AAD | ||||||||