April 28, 2024
SmartProfiler is designed to uncover issues in On-Premises Active Directory. Active Directory is a primary source for Authentication and Authorization for users and business applications. Microsoft doesn’t provide out of the box tools that can be used to perform health & risk assessment of Active Directory environment. SmartProfiler AD-OnPrem Security Tool can be used to perform assessment of multiple Active Directory forests and provide an assessment report which includes issues and recommendations to fix the issues.
Know if your Active Directory environment follow all recommendations highlighted by MITRE & ANSSI and CIS/NIST.
SmartProfiler for Active Directory offers additional tests apart from tests offered by MITRE and ANSSI organizations. SmartProfiler is a tool that has been specifically developed to support MITRE and ANSSI Frameworks. It is worth noting that SmartProfiler provides a more comprehensive set of tests than the MITRE and ANSSI organizations, offering a total of 278 tests across all relevant categories. While the MITRE and ANSSI provides only 87 tests, SmartProfiler’s additional tests are specifically designed by our Active Directory Experts to ensure that every aspect of Active Directory environment is covered.
In SmartProfiler for Active Directory dashboard you can see all issues that have been identified during the assessment.
In addition to performing security and health assessment of your Active Directory, SmartProfiler for Active Directory also provides vendor links for each test so you can learn more about each test’s importance and the reasons you should check your environments against vendor recommendations.
SmartProfiler for Active Directory ships with AD Issues Fixer. You can fix low, high and medium issues with a mouse click and follow the on-screen steps to resolve an issue. The AD Issues Fixer can also be used to export the PowerShell script with affected objects to fix the issues. This way you have an opportunity to review the Fix Script before running it.
With SmartProfiler you can quickly check if a particular GPO Setting or set of GPO Settings are configured in Active Directory Domains or not.
SmartProfiler comes with NIST/CIS Analyzer which can be used to analyze security settings recommended by organizations such as NIST and CIS. Currently, SmartProfiler supports: CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0 and other templates for Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2 CIS Security Configuration to be checked on Domain Controllers and Member Servers.
SmartProfiler for Active Directory now enables you to analyze Tier 0 Objects and OU Permissions and fix them. The feature is available as a module and can be used once the license is purchased for AD OU Permissions Analyzer & Fixer.
With Domain Controllers Security Analyzer you can see security status of each domain controller in the Active Directory forest and ensure all domain controllers are not operating with any security risk.
When running Active Directory assessments, the each execution collects data in a separate Assessment Run. For example, you can run first Assessment Run before fixing issues and Second Assessment Run after fixing all issues. Once done you can compare these Assessment Runs using Compare Assessments in SmartProfiler.
With SmartProfiler for Active Directory now you can create your own Active Directory query targeting AD Domains and show the result in SmartProfiler console.
With Active Directory Real-Time Monitoring in SmartProfiler, you can monitor single or all AD Domains in an AD Forest ensuring all risks are captured and notified via email.
SmartProfiler checks all important components in Active Directory. Here’s a list of categories.
If you have made the decision to conduct an Active Directory Security Assessment for your production AD Forests, it is crucial to recognize the potential security threats that may exist within your Active Directory environment. However, neglecting to address health and configuration issues poses a significant security risk. In this article, we will explore the importance of performing a “complete” Active Directory assessment, in addition to recommended security tests by organizations such as MITRE and ANSSI.
Learn MoreHere is a list of Active Directory Advanced Assessment checks that SmartProfiler performs for a given Active Directory Forest.
| Orphaned Admins on AdminSDHolder | IOC |
| Dangerous Permissions on AdminSDHolder | IOC |
| AdminSDHolder was Modified in last 30 days | IOC |
| Constrained delegation to domain controller service | IOC |
| Resource-based constrained delegation on domain controllers | IOC |
| Anonymous Access to Active Directory | IOE |
| Anonymous or EVERYONE in Pre-Windows 2000 Group | IOE IOC |
| Potentially Sensitive Information Found in User Description Field | IOE IOC |
| Found Hidden Domain Controllers | IOE |
| Successful Exploit Machine Accounts Found | IOE |
| Possible User-based Service Accounts found | IOC |
| Objects Modified in Last 10 Days | IOE IOC |
| Objects Created in Last 10 Days | IOE IOC |
| Domain Trusts Found | IOE IOC |
| Anyone can Join Computers to Domain | IOE |
| Replication Errors DCs | IOE |
| Normal Users Full Control Permissions on OUs | IOE |
| EVERYONE Full Control Permissions on OUs | IOE |
| Allowed RODC Password Replication Group is not empty | IOE |
| Found Privileged Groups in msDS-RevealOnDemandGroup of RODC | IOE |
| Managed service accounts with passwords unchanged for more than 90 days | IOE |
| Denied RODC Password Replication Group missing Privileged Accounts | IOE |
| msDS-NeverRevealGroupattribute RODC missing Privileged Accounts | IOE |
| Schema Admin Group members | IOE |
| Unsecure Updates Zones | IOE IOC |
| Missing Domain Zones Scavenging | IOC |
| AD Partitions Backup Status |
| Users with Blank Password | IOE IOC |
| Users with LastPasswordSet was never Set | IOE |
| Users with PWDLastSet to ZERO | IOE |
| Users with SPNs Configured | IOE |
| Password Expiration is misssing for smart card users | IOE |
| Accounts vulnerable to Kerberoasting Found | IOE |
| Users With DES encryption | IOE |
| Users With Reversible Encryption | IOE |
| Users With Kerberos Pre-Authentication | IOE |
| Users Modified with PrimaryGroupID | IOC |
| Users Sending Bad Logons | IOC |
| Users Disabled | IOC |
| Stale User Accounts | IOC |
| Users Expired | IOC |
| User Accounts Pass Never Expires | IOC |
| User Accounts Pass Not Required | IOC |
| Computers with SPNs Configured | IOE |
| Computers With Unconstrained Delegation | IOE |
| Computers Modified with PrimaryGroupID | IOC |
| Computers Sending Bad Logons | IOC |
| Computers Disabled | IOC |
| Stale Computer Accounts | IOC |
| Unsupported Operating Systems | IOE |
| Admins with SPNs Configured | IOE |
| Admins Sending Bad Logons | IOC |
| Domain Controllers not owned by Admins | IOC |
| Computer Objects not managed by Admins | IOC |
| Organizational Units not managed by Admins | IOC |
| Sensitive GPOs Modified | IOC |
| Recently Created Privileged Admins | IOC |
| Changes to Privileged Groups in Last 15 days | IOC |
| Users Identified with Privileged SIDs in sIDHistory | IOC |
| Computers Identified with Privileged SIDs in sIDHistory | IOC |
| Found Excluded Groups by AdminSDHolder and SDProp | IOC |
| krbtgt Account with Resource-Based Constrained Delegation | IOC |
| Built-In Admin Account Not protected | IOE IOC |
| Built-In Admin Account Not Disabled | IOE IOC |
| Built-In Admin Account Not Renamed | IOE |
| Built-In Admin Account Password Not Changed in 90 days | IOE |
| Built-In Admin Account was used in last 10 days | IOC |
| KRBTGT Account Password Not Changed | IOE |
| Guest Account is enabled | IOE |
| Administrator Account ServicePrincipalNames Found | IOE |
| Misconfigured Administrative Accounts Found | IOE IOC |
| Missing Privileged Groups in Protected Users Group | IOE IOC |
| Privileged Accounts Pass Never Expires | IOE IOC |
| Too Many Privileged Accounts | IOC |
| Inactive Admins | IOE |
| Privileged Groups Contain more than 20 members | IOE |
| Kerberos Pre-authentication Disabled | IOE IOC |
| Disabled Admins part of Privileged Groups | IOE |
| Passwords Not Changed within 90 days | IOE |
| DNSAdmins Group has members | IOE IOC |
| Privileged Groups Contained Computer Accounts | IOE IOC |
| Privileged Admins missing AdminCount=1 Flag | IOC |
| ForeignSecurityPrincipals In Privileged Groups | IOE IOC |
| Operators Groups are not empty | IOE IOC |
| Weak Password Policies Affected Admins | IOE IOC |
| Password Do Not Expire | IOE |
| AdminsCount Flag set users not acting as Admins | IOC |
| Sensitive GPOs Modified | IOC |
| Recently Created Privileged Admins | IOC |
| Changes to Privileged Groups in Last 15 days | IOC |
| Users Identified with Privileged SIDs in sIDHistory | IOC |
| Computers Identified with Privileged SIDs in sIDHistory | IOC |
| Found Excluded Groups by AdminSDHolder and SDProp | IOC |
| krbtgt Account with Resource-Based Constrained Delegation | IOC |
| Default Domain Policy-Minimum Password Length | IOE |
| FGPP Policies-Minimum Password Length | IOE |
| FGPP Policies Not Applying | IOE |
| Account Lockout Policies Missing | IOE |
| High Value Targets Found | IOE IOC |
| Accounts with Extended Rights to Read LAPS Passwords Found | IOE IOC |
| Access Control Lists on Computers Found | IOE IOC |
| Access Control Lists on Security Groups Found | IOE IOC |
| Access Control Lists on Users Found | IOE IOC |
| Group Policy Objects with Improper Permissions Found | IOE IOC |
| Group Policy Object Assignments with Improper Permissions Found | IOE IOC |
| Dangerous Permissions Found on MicrosoftDNS Container | IOE IOC |
| Dangerous Permissions Found on Naming Contexts | IOE IOC |
| Outbound forest trust relationships with sID History enabled | IOE IOC |
| Trust account passwords unchanged for more than a year | IOE IOC |
| Pre-Windows 2000 Compatible Access Group is not empty | IOE IOC |
| Found Groups with SID history Set | IOE IOC |
| PDC Emulator Time Source | |
| Domain Controllers Time Source | |
| Domain FSMO Placement | |
| Domain Naming Master and Schema Master Placement |
| Domain Controllers Modified with PrimaryGroupID | IOC |
| SMB 1 Protocol Enabled DCs | IOE |
| AllowNT4Crypto DCs | IOE |
| LAN Manager password hashes Enabled DCs | IOE |
| SMB Signing Disabled DCs | IOE |
| LDAP Signing Disabled DCs | IOE |
| TLS 1.1 Enabled DCs | IOE |
| NTLM Authentication Enabled DCs | IOE |
| Inconsistent DCs | IOE |
| RC4 Encryption Enabled DCs | IOE |
| Unauthenticated DCs since last 45 Days | IOE |
| Secrets not renewed DCs | IOE |
| Managed Service Accounts Not Linked | IOE |
| Missing Updates DCs | IOE |
| Missed Reboot Cycles DCs | IOE |
| No Contacts with Domain Controllers in Last Three Months | IOE |
| Orphaned DCs | IOE |
| Missing DNS Scavenging DCs | IOE |
| Missing DNS Forwarders DCs | IOE |
| Missing Root Hints DCs | IOE |
| Missing Host Records DCs | IOE |
| Not Enough Free Space DCs | IOE |
| Errors and Warnings in Log DCs | IOE |
| Loopback Address Missing DCs | IOE |
| Multihomed DCs | IOE |
| Missing SSL Authentication DCs | IOE |
| NTFS Replication DCs | IOE |
| Strict Replication Disabled DCs | IOE IOC |
| DCDiag Failure DCs | |
| Out Of Default OUs DCs | |
| Unsupported OS DCs | IOE |
| Missing Enough DNS Servers in NIC DCs | |
| Not Enough Local Disks DCs | |
| Missing DNS Dynmaic Registration on NIC DCs | |
| Missing _msdcs Zone DCs | |
| Event Log Config Not Correct DCs | |
| Event Log Size Not Optimized DCs | |
| Scheduled Tasks found on Domain Controllers | IOC |
| Fax Server role installed DCs | IOE |
| Microsoft FTP service installed DCs | IOE |
| Peer Name Resolution Protocol installed DCs | IOE |
| Simple TCP-IP Services installed DCs | IOE |
| Telnet Client installed DCs | IOE |
| TFTP Client installed DCs | IOE |
| Server Message Block (SMB) v1 protocol Installed DCs | IOE |
| Windows PowerShell 2.0 installed DCs | IOE |
| Print Spooler Service Running DCs | IOE |
| ADWS Service Set to Manual DCs | IOE |
| DHCP Service Running DCs | IOE |
| Additional Roles and Features DCs | IOE |
| AD Services not running DCs | IOE |
| Software Installed on Domain Controllers | IOE |
Here’s the list of frequently asked questions we have put together for each of our products and services. In case you still have any questions or require support on our products please feel free to connect with us using the contact us form or by sending an email to Support@Microsoft-Assessment.com.
No. SmartProfiler is a ready-only assessment. SmartProfiler Assessment collects data from target tenants and then analyze the data.
No. SmartProfiler collects information in CSV files stored on SmartProfler computer.
It depends on the Assessment Technology as listed below: For Office 365 Assessment 1-2 hours to complete assessment For Active Directory 5 hours. However, it depends on how big the Active Directory environment is. For Azure Virtual Desktop 1-2 hours For Azure 1-2 hours.
SmartProfiler generates reports in Microsoft Word format. However, you can edit Impact and Recommendations for each test before generating the report.
ince report is generated in Microsoft Word format, you can brand these reports.
If you’re really looking for an Active Directory security assessment tool, download SmartProfiler and perform an assessment. This will assist you in identifying security, health, and configuration problems.
The health and misconfiguration assessment feature of SmartProfiler can be very useful in demonstrating that your environment does not use Microsoft’s suggested settings.
The best feature of SmartProfiler is that it can perform the assessment without a Global Admin account and without needing the registration of an Azure AD application. Because it only required a Global Reader Account, we were able to use the tool effectively for our clients and clients could allow us to conduct the assessment!
SmartProfiler's advanced assessment parameters really gives you insights about your Active Directory environment and make sure every risk is mitigated.