When evaluating an Active Directory forest, it is crucial to prioritize the assessment of Active Directory health and identify any misconfiguration within the forest and domain controllers. SmartProfiler for Active Directory offers a comprehensive range of tests to address these concerns. With SmartProfiler, you can perform tests focusing on “Health,” “Security,” and “Configuration” in your Active Directory environment.
To provide transparency, we have compiled a list of the Active Directory security and health tests implemented by SmartProfiler, each with a link to the vendor recommendation behind it. These links serve as references, explaining why Microsoft and other reputable vendors recommend executing these tests within an Active Directory forest. SmartProfiler for Active Directory includes 53 Configuration tests, 23 Health tests, and 73 Security tests, all of which are recommended by esteemed organizations such as MITRE and ANSSI. Below, you will find the list of tests featured in SmartProfiler for Active Directory, accompanied by their respective links to MITRE, ANSSI, or Microsoft sites.
Type | SmartProfiler Test | Recommendation from Vendor Link |
Reporting | Get AD Subnets Count Per Site | |
Reporting | Get AD Forest Info and FSMO | |
Reporting | Get AD Forest Site Info | |
Reporting | Get AD Forest Site Link Info | |
Reporting | Get Domain Controller Info | |
MITRE-ANSSI | Ensure Active Directory have no Stale Computer Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#user_accounts_dormant |
Configuration | Ensure Active Directory Sites are Covered by each other | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/sites-sites-everywhere-8230/ba-p/399239 |
Health Check | Ensure Active Directory do not have Orphaned Domain Controllers | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/remove-orphaned-domains |
MITRE-ANSSI | Ensure Active Directory do not have Expired Accounts | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/regularly-check-for-and-remove-inactive-user-accounts-in-active-directory |
MITRE-ANSSI | Ensure Active Directory Domains have Account Lockout Policies Configured | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/set-the-account-lockout-threshold-to-the-recommended-value |
Configuration | Ensure GPO Naming Convention follows Standard Convention | General Recommendation |
Configuration | Ensure Domain GPO Description is set | A general recommendation to ensure GPOs can be identified easily in a large Active Directory environment. |
Configuration | Ensure Active Directory does not have Duplicate Site Links | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/duplicate-active-directory-replication-connections |
Configuration | Ensure Active Directory has an Automatic Selected BridgeHead Server Configured | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts |
Configuration | Ensure Active Directory has No Manual BridgeHead Servers Configured | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts |
Configuration | Ensure AD Site Link Topology is Per Microsoft Recommended | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/designing-the-site-topology |
Configuration | Ensure AD Site Replication Interval is configured Per Microsoft Recommendation | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/determining-the-interval |
Configuration | Ensure AD Sites have at least two Domain Controllers for Redundancy | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd378865(v=ws.10) |
Configuration | Ensure AD Sites are in Site Links | https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/considerations-with-creating-an-additional-ad-site-and-linking/td-p/1453048 |
MITRE-ANSSI | Ensure GPOs are applying to Objects | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
Configuration | Check AD Forest and Domain Functional Levels | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels |
MITRE-ANSSI | Ensure Organizational Units are protected from Accidental Deletion | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723677(v=ws.10) |
Health Check | Ensure Domain Controllers DNS Loopback Address Configured | General Recommendation |
Health Check | Ensure NIC on Domain Controllers Have DNS Dynamic Update Configured | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003 |
Health Check | Ensure Domain Controller is not a Multihomed Domain Controller | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/unwanted-nic-registered-dns-mulithomed-dc |
MITRE-ANSSI | Ensure Domain Controllers are fully updated | https://techcommunity.microsoft.com/t5/security-compliance-and-identity/updating-best-practices-for-domain-controllers/ba-p/3263043 |
Health Check | Ensure AD Partitions are Backed up regularly | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723688(v=ws.10) |
Health Check | Ensure GPOs are Linked to Organizational Units | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
Configuration | Ensure AD Sites have one domain controller | General Recommendation |
Health Check | Ensure Domain Controllers have been rebooted once in 30 days | A general recommendation to ensure domain controllers are rebooted every 30 days |
Configuration | Ensure AD Forest TombstoneLifetime has not been modified | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723674(v=ws.10) |
Health Check | Ensure no AD Forest Replication Errors | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/common-active-directory-replication-errors |
Configuration | Ensure Domain Zone Scavenging is enabled | https://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx |
Configuration | Ensure Domain Zones have Secure Updates configured | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/configure-all-dns-zones-only-to-allow-zone-transfers-to-specified-ip-addresses https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dnszone_bad_prop |
Configuration | Ensure Domain Zone do not have Static Records | General Recommendation |
Configuration | Ensure DNS Servers are configured with Forwarders | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/forwarders-resolution-timeouts |
Configuration | Ensure DNS Root Hints are configured | General Recommendation |
Configuration | Ensure DNS Round Robin is Enabled on DNS Servers | General Recommendation |
Health Check | Ensure DNS Servers have _msdcs zone hosted | General Recommendation |
Health Check | Ensure Conditional Forwarders Configured on DNS Servers are working | A general recommendation to ensure conditional forwarders configured are working. |
Configuration | Ensure DNS Server Level Scavenging is Configured | https://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx |
Health Check | Ensure Domain Controllers have Host Record Registered with correct IP Address | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd378978(v=ws.10) |
Configuration | Ensure Domain GPO WMI Filters are identified and reviewed | https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/wmi-group-policy-filters-not-working |
Health Check | Ensure Undefined Subnets are identified and defined in Active Directory | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/prevent-degraded-performance-by-defining-missing-subnets |
Health Check | Ensure Domain GPOs are Applying | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
Health Check | Ensure Disabled GPO are identified and reviewed | https://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx |
Configuration | Ensure AD Sites have Subnets Defined | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/prevent-degraded-performance-by-defining-missing-subnets |
MITRE-ANSSI | Ensure Disabled Computers are identified and moved to OU | General Recommendation |
Configuration | Ensure AD Site has Location Text Specified | A general recommendation to ensure sites can be identified easily. |
MITRE-ANSSI | Ensure No Stale User Accounts in domain | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/regularly-check-for-and-remove-inactive-user-accounts-in-active-directory |
MITRE-ANSSI | Ensure No Domain Users with Password Never Expire | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
Configuration | Ensure No Empty Organizational Units in Domains | A general recommendation to ensure no empty OUs in domains. |
Health Check | Ensure Domain Controller Local Disks are configured per Microsoft | General Recommendation |
Health Check | Ensure Enough DNS Servers are configured on Domain Controller NIC | General Recommendation |
Health Check | Ensure Domain Controller Disks have enough Free Space | General Recommendation |
Configuration | Ensure each AD Site has Global Catalog Role or Universal Group Caching is enabled | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723676(v=ws.10) |
Configuration | Ensure AD Site has at least one Domain Controller | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning |
Configuration | Ensure Root PDC Emulator is configured With Correct Time Source | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723673(v=ws.10) |
Configuration | Ensure Domain Controllers have correct Time Source Configured | https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx |
Configuration | Ensure Domain Controllers are running with Supported Operating Systems | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/upgrade-computers-running-an-unsupported-operating-system |
Configuration | Ensure Domain Controllers are in Default OU | General Recommendation |
Configuration | Ensure AD Forest has ISTG Role defined in AD Sites | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts |
MITRE-ANSSI | Ensure Disabled Domain Users are identified and moved to OU | General Recommendation |
Configuration | Ensure Manual Replication Connection Objects are identified and removed | https://support.microsoft.com/en-us/topic/80c00040-91ce-d0ec-2527-f4d14226bfc6 |
Configuration | Ensure No Errors in Domain Controller Event Log | General Recommendation |
Health Check | Domain Controllers DCDiag Test | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731968(v=ws.11) |
MITRE-ANSSI | Ensure Highly-Privileged Administrative Groups do not contain more than 20 members | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-and-reduce-the-number-of-accounts-in-highly-privileged-administrative-groups |
Configuration | Ensure AD FSMO Placement is as per Microsoft Recommendation | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd391860(v=ws.10) |
Configuration | Ensure Domain Naming Master and Schema Master are hosted on same domain controller | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd378868(v=ws.10) |
Configuration | Ensure No Empty Security Groups In AD Domains | General Recommendation |
Configuration | Ensure End Of Life Operating Systems and Unsupported Operating Systems are detected | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/upgrade-computers-running-an-unsupported-operating-system |
Health Check | Domain Controller Services Status Test | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723679(v=ws.10) |
Configuration | Ensure Domain GPOs Block Inheritance is Identified and reviewed | https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/overriding-and-blocking-group-policy |
Reporting | Get AD Domain Info and FSMO | |
Configuration | Ensure Domain Account Policies are configured correctly | https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length |
Configuration | Ensure FGPP Policies have correct Password parameters configured | https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length |
Configuration | Ensure FGPP Policies are applying to objects | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt |
Health Check | Ensure AD Users with Large Token Size are identified and reviewed | https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups?source=recommendations |
Configuration | Ensure Managed Service Accounts are in use | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009 |
Configuration | Ensure Managed Service Accounts Are Linked | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009 |
MITRE-ANSSI | Ensure Normal Users do not have Full Control Permissions on Domain Organizational Units | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects |
MITRE-ANSSI | Ensure Everyone has no Full Control Access Rights on Organizational Units | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects |
Configuration | Ensure Domain Controllers do not have other Roles and Features Installed | General Recommendation |
Health Check | Ensure Domain Controllers have SSL Authentication Enabled | https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority |
Configuration | Ensure Domain Controller Event Log Config is configured correctly | General Recommendation |
Configuration | Ensure Domain Controller Event Log Size is configured correctly | General Recommendation |
MITRE-ANSSI | Ensure Privileged Accounts are not sending Too Many Bad Logon Attempts | General Recommendation |
MITRE-ANSSI | Ensure Domain Computers are not sending Too Many Bad Logon Attempts | General Recommendation |
MITRE-ANSSI | Ensure Normal Users are not sending Too Many Bad Logon Attempts | General Recommendation |
Configuration | Ensure Domain Users have UPN Specified | https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/howto-troubleshoot-upn-changes |
Configuration | Ensure AD Privileged Access Management is Enabled | https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services |
Configuration | Ensure AD Recycle Bin Feature is Enabled | https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-ad-recycle-bin-understanding-implementing-best-practices-and/ba-p/396944 |
Configuration | Ensure SMB1 Protocol is Disabled on Domain Controllers | https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server |
MITRE-ANSSI | Ensure Pre-Windows 2000 Compatibility Group membership does not include Anonymous and Everyone | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#compatible_2000_anonymous |
MITRE-ANSSI | Identify User accounts that can accept blank passwords | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-accounts-whose-attribute-pwdlastset-has-a-zero-value |
Health Check | Ensure Active Directory Database Size is Optimal | https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/gauging-size-differences-in-ad-databases/ba-p/243158 |
MITRE-ANSSI | Ensure Privileged accounts With a Password Never Expires are not configured | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
MITRE-ANSSI | Ensure Unprivileged Active Directory Users can not add computer accounts to the domain | https://social.technet.microsoft.com/wiki/contents/articles/5446.active-directory-how-to-prevent-authenticated-users-from-joining-workstations-to-a-domain.aspx |
MITRE-ANSSI | Test User Accounts Whose LastPasswordSet Was Never Set | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
MITRE-ANSSI | Ensure User Accounts PWDLastSet has no ZERO Value | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/review-accounts-whose-attribute-pwdlastset-has-a-zero-value |
MITRE-ANSSI | Ensure Users with Kerberos pre-authentication disabled are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_preauth_priv |
MITRE-ANSSI | Ensure Kerberos pre-authentication is Enabled for privileged accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_preauth_priv |
MITRE-ANSSI | Ensure Enabled admin accounts that are inactive are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#user_accounts_dormant |
MITRE-ANSSI | Ensure User accounts with password not required are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire |
MITRE-ANSSI | Ensure User accounts that use DES encryption are Identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_deskey |
MITRE-ANSSI | Ensure User accounts that store passwords with reversible encryption are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#reversible_password |
MITRE-ANSSI | Ensure Computer or user accounts with unconstrained delegation are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_t4d |
MITRE-ANSSI | Ensure Anonymous access to Active Directory is Disabled | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad |
MITRE-ANSSI | Ensure Users are Changing Their Passwords and No Old Passwords | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_server_no_change_90 |
MITRE-ANSSI | Ensure Users with ServicePrincipalName are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
MITRE-ANSSI | Ensure Admin Accounts with ServicePrincipalName are identified | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
MITRE-ANSSI | List All Service Principals Used By Computer Accounts and Identify Them to Ensure they are in use | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
MITRE-ANSSI | Ensure Duplicate SPNs are identified and removed | https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names |
Configuration | Ensure Active Directory Web Services (ADWS) to start automatically on All Domain Controllers | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/configure-the-active-directory-web-services-adws-to-start-automatically-on-all-servers |
Configuration | Ensure Strict Replication Consistency is enabled on Domain Controllers | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd723692(v=ws.10) |
Health Check | Ensure Orphaned Group Policy Containers are identified and removed | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/consider-removing-orphaned-group-policy-containers-from-active-directory |
MITRE-ANSSI | Ensure AllowNT4Crypto setting on all Domain Controllers is disabled | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/disable-the-allownt4crypto-setting-on-all-affected-domain-controllers |
MITRE-ANSSI | Ensure LAN Manager password hashes are not stored on Domain Controllers | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/prevent-storage-of-lan-manager-password-hashes |
MITRE-ANSSI | Ensure accounts with adminCount=1 are Identified and Monitored | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory |
MITRE-ANSSI | Ensure Disabled Privileged User Accounts are not part of Privileged Groups | General Recommendation |
MITRE-ANSSI | Ensure Privileged User Accounts are Changing Their Passwords Regularly | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#user_accounts_dormant |
MITRE-ANSSI | Ensure SMB Signing is Enabled on Domain Controllers | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing |
MITRE-ANSSI | Ensure LDAP Signing is Enabled on Domain Controllers | https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements |
MITRE-ANSSI | Ensure gMSA Accounts are Identified and Are In Use | https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview |
MITRE-ANSSI | Ensure Sensitive Group Policy Objects have not been changed Since Last 10 Days | General Recommendation |
MITRE-ANSSI | Ensure Kerberos krbtgt Account Password Is Changed Within 180 Days | https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtgt-reset/ba-p/2367838 |
MITRE-ANSSI | Ensure RC4 Encryption is Disabled on Domain Controllers | https://learn.microsoft.com/en-us/windows-server/security/kerberos/preventing-kerberos-change-password-that-uses-rc4-secret-keys and https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#kerberos_properties_deskey |
MITRE-ANSSI | Ensure Orphaned Admins from AdminSDHolder are Identified and Removed | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#permissions_adminsdholder |
MITRE-ANSSI | Ensure Changes to Privileged Groups are Identified and Monitored | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory |
MITRE-ANSSI | Ensure Servers Are Changing Their Passwords Within 45 Days | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_server_no_change_45 |
MITRE-ANSSI | Ensure Servers Have Authenticated Within 90 Days | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_server_no_change_90 |
MITRE-ANSSI | Ensure Domain Controllers Have Authenticated Within 45 Days | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#password_change_inactive_dc |
MITRE-ANSSI | Ensure User Objects have not been Modified With PrimaryGroupID | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_nochange |
MITRE-ANSSI | Ensure Computer Objects have not been Modified With PrimaryGroupID | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_nochange |
MITRE-ANSSI | Ensure Domain Controller Objects have not been Modified With PrimaryGroupID | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#primary_group_id_nochange |
MITRE-ANSSI | Ensure Active Directory Forest is running with Updated Schema | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#adupdate_bad |
MITRE-ANSSI | Ensure DNSAdmin Groups do not include Member Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dnsadmins |
MITRE-ANSSI | Ensure Allowed RODC Password Replication Group is empty | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_allowed_group |
MITRE-ANSSI | Ensure Denied RODC Password Replication Group Includes Privileged Groups | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_denied_group |
MITRE-ANSSI | Ensure RODC Domain Controllers do not have Groups in msDS-RevealOnDemandGroup Attribute | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_reveal |
MITRE-ANSSI | Ensure RODC Domain Controllers have Privileged Groups in msDS-NeverRevealGroup Attribute | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#rodc_never_reveal |
MITRE-ANSSI | Ensure Protected Users Group is in use | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#protected_users |
MITRE-ANSSI | Ensure All Privileged Groups are part of Protected Users Group | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#protected_users |
MITRE-ANSSI | Ensure Default Administrator Account is Protected | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory |
MITRE-ANSSI | Ensure Default Administrator account is disabled | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory |
MITRE-ANSSI | Ensure Default Administrator account is renamed | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory |
MITRE-ANSSI | Ensure Guest Account is Disabled in All Domains | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#permissions_adminsdholder |
MITRE-ANSSI | Ensure Schema Admins Groups is Empty | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/remove-all-members-from-the-schema-admins-group-unless-you-are-actively-changing-the-schema |
Configuration | Ensure DHCP Server Service is disabled on Domain Controllers | https://learn.microsoft.com/en-us/services-hub/health/remediation-steps-ad/disable-or-remove-the-dhcp-server-service-installed-on-any-domain-controllers |
MITRE-ANSSI | Ensure Privileged Accounts Password Expires | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire_priv |
MITRE-ANSSI | Ensure Dangerous Permissions are Detected On AdminSDHolder Object | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#permissions_adminsdholder |
MITRE-ANSSI | Ensure Computer Objects are Managed by Privileged Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner |
MITRE-ANSSI | Ensure Organizational Units are Managed by Privileged Accounts | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#owner |
MITRE-ANSSI | Constrained authentication delegation to a domain controller service | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_a2d2 |
MITRE-ANSSI | Resource-based constrained delegation on domain controllers | https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#delegation_sourcedeleg |
SmartProfiler for Active Directory Security Assessment is an automated Health & Risk assessment solution to help you significantly improve your Active Directory health & security posture. SmartProfiler for Active Directory follows MITRE and ANSSI controls and other tests designed by our Active Directory Experts. The screenshot below, taken from SmartProfiler for Active Directory, shows the vendor link available for each test executed during the Active Directory security assessment.
Try SmartProfiler, a unified tool to help with security evaluation across many Microsoft technologies.