290 Active Directory Security and Health Tests and Recommendations from Vendors

When evaluating an Active Directory forest, it is crucial to prioritize the assessment of Active Directory health and to identify any misconfiguration within the forest and its domain controllers. SmartProfiler for Active Directory offers a comprehensive range of tests to address these concerns. With SmartProfiler, you can perform tests focusing on “Health,” “Security,” and “Configuration” in your Active Directory environment.

To ensure transparency and provide you with valuable insights, we have compiled a list of Active Directory Security and Health Tests and Recommendations from vendors, with a vendor link associated with each test implemented by SmartProfiler. These links serve as references, explaining why Microsoft and other reputable vendors recommend executing these tests within an Active Directory forest. SmartProfiler for Active Directory includes 53 Configuration tests, 23 Health tests, and 73 Security tests, all of which are recommended by esteemed organizations such as MITRE and ANSSI. Below, you will find the list of tests featured in SmartProfiler for Active Directory, accompanied by their respective links to MITRE, ANSSI, or Microsoft sites.

| Type | SmartProfiler Test | Recommendation from Vendor Link |
|---|---|---|
| Reporting | Get AD Subnets Count Per Site | |
| Reporting | Get AD Forest Info and FSMO | |
| Reporting | Get AD Forest Site Info | |
| Reporting | Get AD Forest Site Link Info | |
| Reporting | Get Domain Controller Info | |
| MITRE-ANSSI | Ensure Active Directory has no Stale Computer Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#user_accounts_dormant |
| Configuration | Ensure Active Directory Sites are Covered by each other | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/sites-sites-everywhere-8230/ba-p/399239 |
| Health Check | Ensure Active Directory does not have Orphaned Domain Controllers | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/remove-orphaned-domains |
| MITRE-ANSSI | Ensure Active Directory does not have Expired Accounts | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/regularly-check-for-and-remove-inactive-user-accounts-in-active-directory |
| MITRE-ANSSI | Ensure Active Directory Domains have Account Lockout Policies Configured | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/set-the-account-lockout-threshold-to-the-recommended-value |
| Configuration | Ensure GPO Naming Convention follows Standard Convention | General Recommendation |
| Configuration | Ensure Domain GPO Description is set | A general recommendation to ensure GPOs can be identified easily in a large Active Directory environment. |
| Configuration | Ensure Active Directory does not have Duplicate Site Links | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/duplicate-active-directory-replication-connections |
| Configuration | Ensure Active Directory has an Automatically Selected BridgeHead Server Configured | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts |
| Configuration | Ensure Active Directory has No Manual BridgeHead Servers Configured | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts |
| Configuration | Ensure AD Site Link Topology is Per Microsoft Recommendation | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/designing-the-site-topology |
| Configuration | Ensure AD Site Replication Interval is configured Per Microsoft Recommendation | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/determining-the-interval |
| Configuration | Ensure AD Sites have at least two Domain Controllers for Redundancy | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd378865(v=ws.10) |
| Configuration | Ensure AD Sites are in Site Links | https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/considerations-with-creating-an-additional-ad-site-and-linking/td-p/1453048 |
| MITRE-ANSSI | Ensure GPOs are applying to Objects | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
| Configuration | Check AD Forest and Domain Functional Levels | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels |
| MITRE-ANSSI | Ensure Organizational Units are protected from Accidental Deletion | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723677(v=ws.10) |
| Health Check | Ensure Domain Controllers DNS Loopback Address is Configured | General Recommendation |
| Health Check | Ensure NIC on Domain Controllers Has DNS Dynamic Update Configured | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003 |
| Health Check | Ensure Domain Controller is not a Multihomed Domain Controller | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/unwanted-nic-registered-dns-mulithomed-dc |
| MITRE-ANSSI | Ensure Domain Controllers are fully updated | https://techcommunity.microsoft.com/t5/security-compliance-and-identity/updating-best-practices-for-domain-controllers/ba-p/3263043 |
| Health Check | Ensure AD Partitions are Backed up regularly | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723688(v=ws.10) |
| Health Check | Ensure GPOs are Linked to Organizational Units | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
| Configuration | Ensure AD Sites have one domain controller | General Recommendation |
| Health Check | Ensure Domain Controllers have been rebooted once in 30 days | A general recommendation to ensure domain controllers are rebooted every 30 days. |
| Configuration | Ensure AD Forest TombstoneLifetime has not been modified | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723674(v=ws.10) |
| Health Check | Ensure no AD Forest Replication Errors | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/common-active-directory-replication-errors |
| Configuration | Ensure Domain Zone Scavenging is enabled | https://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx |
| Configuration | Ensure Domain Zones have Secure Updates configured | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/configure-all-dns-zones-only-to-allow-zone-transfers-to-specified-ip-addresses ; https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dnszone_bad_prop |
| Configuration | Ensure Domain Zones do not have Static Records | General Recommendation |
| Configuration | Ensure DNS Servers are configured with Forwarders | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/forwarders-resolution-timeouts |
| Configuration | Ensure DNS Root Hints are configured | General Recommendation |
| Configuration | Ensure DNS Round Robin is Enabled on DNS Servers | General Recommendation |
| Health Check | Ensure DNS Servers have _msdcs zone hosted | General Recommendation |
| Health Check | Ensure Conditional Forwarders Configured on DNS Servers are working | A general recommendation to ensure the configured conditional forwarders are working. |
| Configuration | Ensure DNS Server Level Scavenging is Configured | https://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx |
| Health Check | Ensure Domain Controllers have Host Record Registered with correct IP Address | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd378978(v=ws.10) |
| Configuration | Ensure Domain GPO WMI Filters are identified and reviewed | https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/wmi-group-policy-filters-not-working |
| Health Check | Ensure Undefined Subnets are identified and defined in Active Directory | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/prevent-degraded-performance-by-defining-missing-subnets |
| Health Check | Ensure Domain GPOs are Applying | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
| Health Check | Ensure Disabled GPOs are identified and reviewed | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
| Configuration | Ensure AD Sites have Subnets Defined | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/prevent-degraded-performance-by-defining-missing-subnets |
| MITRE-ANSSI | Ensure Disabled Computers are identified and moved to OU | General Recommendation |
| Configuration | Ensure AD Site has Location Text Specified | A general recommendation to ensure sites can be identified easily. |
| MITRE-ANSSI | Ensure No Stale User Accounts in domain | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/regularly-check-for-and-remove-inactive-user-accounts-in-active-directory |
| MITRE-ANSSI | Ensure No Domain Users with Password Never Expires | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
| Configuration | Ensure No Empty Organizational Units in Domains | A general recommendation to ensure there are no empty OUs in domains. |
| Health Check | Ensure Domain Controller Local Disks are configured per Microsoft | General Recommendation |
| Health Check | Ensure Enough DNS Servers are configured on Domain Controller NIC | General Recommendation |
| Health Check | Ensure Domain Controller Disks have enough Free Space | General Recommendation |
| Configuration | Ensure each AD Site has Global Catalog Role or Universal Group Caching is enabled | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723676(v=ws.10) |
| Configuration | Ensure AD Site has at least one Domain Controller | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning |
| Configuration | Ensure Root PDC Emulator is configured With Correct Time Source | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723673(v=ws.10) |
| Configuration | Ensure Domain Controllers have correct Time Source Configured | https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx |
| Configuration | Ensure Domain Controllers are running with Supported Operating Systems | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/upgrade-computers-running-an-unsupported-operating-system |
| Configuration | Ensure Domain Controllers are in Default OU | General Recommendation |
| Configuration | Ensure AD Forest has ISTG Role defined in AD Sites | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts |
| MITRE-ANSSI | Ensure Disabled Domain Users are identified and moved to OU | General Recommendation |
| Configuration | Ensure Manual Replication Connection Objects are identified and removed | https://support.microsoft.com/en-us/topic/80c00040-91ce-d0ec-2527-f4d14226bfc6 |
| Configuration | Ensure No Errors in Domain Controller Event Log | General Recommendation |
| Health Check | Domain Controllers DCDiag Test | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731968(v=ws.11) |
| MITRE-ANSSI | Ensure Highly-Privileged Administrative Groups do not contain more than 20 members | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups |
| Configuration | Ensure AD FSMO Placement is as per Microsoft Recommendation | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd391860(v=ws.10) |
| Configuration | Ensure Domain Naming Master and Schema Master are hosted on the same domain controller | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd378868(v=ws.10) |
| Configuration | Ensure No Empty Security Groups In AD Domains | General Recommendation |
| Configuration | Ensure End Of Life Operating Systems and Unsupported Operating Systems are detected | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/upgrade-computers-running-an-unsupported-operating-system |
| Health Check | Domain Controller Services Status Test | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723679(v=ws.10) |
| Configuration | Ensure Domain GPOs Block Inheritance is Identified and reviewed | https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/overriding-and-blocking-group-policy |
| Reporting | Get AD Domain Info and FSMO | |
| Configuration | Ensure Domain Account Policies are configured correctly | https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length |
| Configuration | Ensure FGPP Policies have correct Password parameters configured | https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length |
| Configuration | Ensure FGPP Policies are applying to objects | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt |
| Health Check | Ensure AD Users with Large Token Size are identified and reviewed | https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups |
| Configuration | Ensure Managed Service Accounts are in use | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009 |
| Configuration | Ensure Managed Service Accounts Are Linked | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009 |
| MITRE-ANSSI | Ensure Normal Users do not have Full Control Permissions on Domain Organizational Units | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects |
| MITRE-ANSSI | Ensure Everyone has no Full Control Access Rights on Organizational Units | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects |
| Configuration | Ensure Domain Controllers do not have other Roles and Features Installed | General Recommendation |
| Health Check | Ensure Domain Controllers have SSL Authentication Enabled | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority |
| Configuration | Ensure Domain Controller Event Log Config is configured correctly | General Recommendation |
| Configuration | Ensure Domain Controller Event Log Size is configured correctly | General Recommendation |
| MITRE-ANSSI | Ensure Privileged Accounts are not sending Too Many Bad Logon Attempts | General Recommendation |
| MITRE-ANSSI | Ensure Domain Computers are not sending Too Many Bad Logon Attempts | General Recommendation |
| MITRE-ANSSI | Ensure Normal Users are not sending Too Many Bad Logon Attempts | General Recommendation |
| Configuration | Ensure Domain Users have UPN Specified | https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/howto-troubleshoot-upn-changes |
| Configuration | Ensure AD Privileged Access Management is Enabled | https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services |
| Configuration | Ensure AD Recycle Bin Feature is Enabled | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-ad-recycle-bin-understanding-implementing-best-practices-and/ba-p/396944 |
| Configuration | Ensure SMB1 Protocol is Disabled on Domain Controllers | https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server |
| MITRE-ANSSI | Ensure Pre-Windows 2000 Compatibility Group membership does not include Anonymous and Everyone | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#compatible_2000_anonymous |
| MITRE-ANSSI | Identify User accounts that can accept blank passwords | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-accounts-whose-attribute-pwdlastset-has-a-zero-value |
| Health Check | Ensure Active Directory Database Size is Optimal | https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/gauging-size-differences-in-ad-databases/ba-p/243158 |
| MITRE-ANSSI | Ensure Privileged accounts With a Password Never Expires are not configured | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
| MITRE-ANSSI | Ensure Unprivileged Active Directory Users cannot add computer accounts to the domain | https://social.technet.microsoft.com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx |
| MITRE-ANSSI | Test User Accounts Whose LastPasswordSet Was Never Set | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
| MITRE-ANSSI | Ensure User Accounts PWDLastSet has no ZERO Value | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-accounts-whose-attribute-pwdlastset-has-a-zero-value |
| MITRE-ANSSI | Ensure Users with Kerberos pre-authentication disabled are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_preauth_priv |
| MITRE-ANSSI | Ensure Kerberos pre-authentication is Enabled for privileged accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_preauth_priv |
| MITRE-ANSSI | Ensure Enabled admin accounts that are inactive are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#user_accounts_dormant |
| MITRE-ANSSI | Ensure User accounts with password not required are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
| MITRE-ANSSI | Ensure User accounts that use DES encryption are Identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_deskey |
| MITRE-ANSSI | Ensure User accounts that store passwords with reversible encryption are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#reversible_password |
| MITRE-ANSSI | Ensure Computer or user accounts with unconstrained delegation are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_t4d |
| MITRE-ANSSI | Ensure Anonymous access to Active Directory is Disabled | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad |
| MITRE-ANSSI | Ensure Users are Changing Their Passwords and No Old Passwords | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_server_no_change_90 |
| MITRE-ANSSI | Ensure Users with ServicePrincipalName are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
| MITRE-ANSSI | Ensure Admin Accounts with ServicePrincipalName are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
| MITRE-ANSSI | List All Service Principals Used By Computer Accounts and Identify Them to Ensure they are in use | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
| MITRE-ANSSI | Ensure Duplicate SPNs are identified and removed | https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names |
| Configuration | Ensure Active Directory Web Services (ADWS) starts automatically on All Domain Controllers | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/configure-the-active-directory-web-services-adws-to-start-automatically-on-all-servers |
| Configuration | Ensure Strict Replication Consistency is enabled on Domain Controllers | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723692(v=ws.10) |
| Health Check | Ensure Orphaned Group Policy Containers are identified and removed | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/consider-removing-orphaned-group-policy-containers-from-active-directory |
| MITRE-ANSSI | Ensure AllowNT4Crypto setting on all Domain Controllers is disabled | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/disable-the-allownt4crypto-setting-on-all-affected-domain-controllers |
| MITRE-ANSSI | Ensure LAN Manager password hashes are not stored on Domain Controllers | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/prevent-storage-of-lan-manager-password-hashes |
| MITRE-ANSSI | Ensure accounts with adminCount=1 are Identified and Monitored | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory |
| MITRE-ANSSI | Ensure Disabled Privileged User Accounts are not part of Privileged Groups | General Recommendation |
| MITRE-ANSSI | Ensure Privileged User Accounts are Changing Their Passwords Regularly | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#user_accounts_dormant |
| MITRE-ANSSI | Ensure SMB Signing is Enabled on Domain Controllers | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing |
| MITRE-ANSSI | Ensure LDAP Signing is Enabled on Domain Controllers | https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements |
| MITRE-ANSSI | Ensure gMSA Accounts are Identified and Are In Use | https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview |
| MITRE-ANSSI | Ensure Sensitive Group Policy Objects have not been changed in the Last 10 Days | General Recommendation |
| MITRE-ANSSI | Ensure Kerberos krbtgt Account Password Is Changed Within 180 Days | https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtgt-reset/ba-p/2367838 |
| MITRE-ANSSI | Ensure RC4 Encryption is Disabled on Domain Controllers | https://learn.microsoft.com/en-us/windows-server/security/kerberos/preventing-kerberos-change-password-that-uses-rc4-secret-keys ; https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_deskey |
| MITRE-ANSSI | Ensure Orphaned Admins from AdminSDHolder are Identified and Removed | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#permissions_adminsdholder |
| MITRE-ANSSI | Ensure Changes to Privileged Groups are Identified and Monitored | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory |
| MITRE-ANSSI | Ensure Servers Are Changing Their Passwords Within 45 Days | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_server_no_change_45 |
| MITRE-ANSSI | Ensure Servers Have Authenticated Within 90 Days | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_server_no_change_90 |
| MITRE-ANSSI | Ensure Domain Controllers Have Authenticated Within 45 Days | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_inactive_dc |
| MITRE-ANSSI | Ensure User Objects have not been Modified With PrimaryGroupID | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_nochange |
| MITRE-ANSSI | Ensure Computer Objects have not been Modified With PrimaryGroupID | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_nochange |
| MITRE-ANSSI | Ensure Domain Controller Objects have not been Modified With PrimaryGroupID | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_nochange |
| MITRE-ANSSI | Ensure Active Directory Forest is running with Updated Schema | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#adupdate_bad |
| MITRE-ANSSI | Ensure DNSAdmins Groups do not include Member Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dnsadmins |
| MITRE-ANSSI | Ensure Allowed RODC Password Replication Group is empty | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_allowed_group |
| MITRE-ANSSI | Ensure Denied RODC Password Replication Group Includes Privileged Groups | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_denied_group |
| MITRE-ANSSI | Ensure RODC Domain Controllers do not have Groups in msDS-RevealOnDemandGroup Attribute | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_reveal |
| MITRE-ANSSI | Ensure RODC Domain Controllers have Privileged Groups in msDS-NeverRevealGroup Attribute | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_never_reveal |
| MITRE-ANSSI | Ensure Protected Users Group is in use | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#protected_users |
| MITRE-ANSSI | Ensure All Privileged Groups are part of Protected Users Group | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#protected_users |
| MITRE-ANSSI | Ensure Default Administrator Account is Protected | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory |
| MITRE-ANSSI | Ensure Default Administrator account is disabled | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory |
| MITRE-ANSSI | Ensure Default Administrator account is renamed | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory |
| MITRE-ANSSI | Ensure Guest Account is Disabled in All Domains | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#permissions_adminsdholder |
| MITRE-ANSSI | Ensure Schema Admins Group is Empty | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/remove-all-members-from-the-schema-admins-group-unless-you-are-actively-changing-the-schema |
| Configuration | Ensure DHCP Server Service is disabled on Domain Controllers | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/disable-or-remove-the-dhcp-server-service-installed-on-any-domain-controllers |
| MITRE-ANSSI | Ensure Privileged Accounts Password Expires | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire_priv |
| MITRE-ANSSI | Ensure Dangerous Permissions are Detected On AdminSDHolder Object | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#permissions_adminsdholder |
| MITRE-ANSSI | Ensure Computer Objects are Managed by Privileged Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner |
| MITRE-ANSSI | Ensure Organizational Units are Managed by Privileged Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner |
| MITRE-ANSSI | Constrained authentication delegation to a domain controller service | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_a2d2 |
| MITRE-ANSSI | Resource-based constrained delegation on domain controllers | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |

SmartProfiler for Active Directory

SmartProfiler for Active Directory Security Assessment is an automated Health & Risk assessment solution that helps you significantly improve your Active Directory health and security posture. SmartProfiler for Active Directory follows MITRE and ANSSI controls as well as other tests designed by our Active Directory experts. The screenshot below, taken from SmartProfiler for Active Directory, shows the vendor link available for each test executed during the Active Directory security assessment.

[Screenshot: Active Directory Security and Health Tests and Recommendations from Vendors]

Try SmartProfiler, a unified tool to help with security evaluation across many Microsoft technologies.