Domain Risk Level: 65 / 100
It is the maximum score of the 4 indicators and one score cannot be higher than 100. The lower the better
Stale Object : 35 /100
It is about operations related to user or computer objects
4 rules matched
Trusts : 0 /100
It is about links between two Active Directories
0 rules matched
Privileged Accounts : 60 /100
It is about administrators of the Active Directory
5 rules matched
Anomalies : 65 /100
It is about specific security control points
6 rules matched
| Stale Objects | Privileged accounts | Trusts | Anomalies |
|---|---|---|---|
Inactive user or computer | Account take over | Old trust protocol | Backup |
Network topography | ACL Check | SID Filtering | Certificate take over |
Object configuration | Admin control | SIDHistory | Golden ticket |
Obsolete OS | Irreversible change | Trust impermeability | Local group vulnerability |
Old authentication protocols | Privilege control | Trust inactive | Network sniffing |
Provisioning | Pass-the-credential | ||
Replication | Password retrieval | ||
Vulnerability management | Reconnaissance | ||
Temporary admins | |||
Weak password |
Stale Objects : 35 /100
It is about operations related to user or computer objects
The purpose is to ensure that there are as few inactive accounts as possible within the domain
Technical explanation:Inactive accounts often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADaccount -UsersOnly -AccountInactive -Timespan 180.
Points:10 points if the occurence is greater or equals than 15
Documentation:ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
Details:The detail can be found in User information and Computer information
The purpose is to ensure that there are as few inactive computers as possible within the domain
Technical explanation:Inactive computers often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADaccount -ComputersOnly -AccountInactive -Timespan 180.
Points:30 points if the occurence is greater or equals than 30
then 10 points if the occurence is greater or equals than 20
then 5 points if the occurence is greater or equals than 15
ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
The purpose is to verify if Domain Controller(s) are vulnerable to the SMB v1 vulnerability
Technical explanation:The SMB downgrade attack is used to obtain credentials or executing commands on behalf of a user by using SMB v1 as protocol. Indeed, because SMB v1 supports old authentication protocol, the integrity can be bypassed
Advised solution:It is highly recommended by Microsoft to disable SMB v1 whenever it is possible on both client and server side. Do note that if you are still not following best practices regarding the usage of deprecated OS (Windows 2000, 2003, XP, CE), regarding Network printer using SMBv1 scan2shares functionalities, or regarding software accessing Windows share with a custom implementation relying on SMB v1, you should consider fixing this issues before disabling SMB v1, as it will generates additional errors.
Points:10 points if present
Documentation:https://github.com/lgandx/Responder-Windows
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
ttps://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
BSI M 2.412 Schutz der Authentisierung beim Einsatz von Active Directory
ANSSI CERTFR-2017-ACT-019
ANSSI CERTFR-2016-ACT-039
The detail can be found in Domain controllers
Domain controller: AD02
Domain controller: AD01
The purpose is to ensure that the minimum set of subnet(s) has been configured in the domain
Technical explanation:When multiple sites are created in a domain, networks should be declared in the domain in order to optimize processes such as DC attribution. In addition, PingCastle can collect the information to be able to build a network map. This rule has been triggered because at least one domain controller has an IP address which was not found in subnet declaration. These IP addresses have been collected by querying the DC FQDN IP address in both IPv6 and IPv4 format.
Advised solution:Locate the IP address which was found as not being part of declared subnet then add this subnet to the "Active Directory Sites" tool. If you have found IPv6 addresses and it was not expected, you should disable the IPv6 protocol on the network card.
Points:5 points if present
Details:The detail can be found in Domain controllers
Domain Controller AD02 ip address 172.30.8.15
Domain Controller AD01 ip address 172.30.8.14
Privileged Accounts : 60 /100
It is about administrators of the Active Directory
The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated"
Technical explanation:Without the flag "This account is sensitive and cannot be delegated" any account can be impersonated by some service account. It is a best practice to enforce this flag on administrators accounts.
Advised solution:To correct the situation, you should make sure that all your Administrator Accounts has the check-box "This account is sensitive and cannot be delegated" active. Please not that there is a section bellow in this report named "Admin Groups" which give more information.
Points:20 points if present
Documentation:STIG V-36435 - Delegation of privileged accounts must be prohibited.
Details:The detail can be found in Admin Groups
The purpose is to check for "Service Accounts" in the "Domain Administrator" group
Technical explanation:"Service Accounts" can imply a high security risk as their password are stored in clear text in the LSA database, which can then be easily exploited using Mimikatz or Cain&Abel for instance. In addition, their passwords don't change and can be used in kerberoast attacks.
Advised solution:To mitigate the security risk, it is strongly advised to lower the privileges of the "Service Accounts", meaning that they should be removed from the "Domain Administrator" group, while ensuring that the password of each and every "Service Account" is higher than 20 characters
Points:15 points if the occurence is greater or equals than 2
Documentation:STIG V-36432 - Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
ANSSI - Recommandations de sécurité relatives à Active Directory - R11 [subsection.2.5]
The detail can be found in Admin Groups
The purpose is to ensure that the Recycle Bin feature is enabled
Technical explanation:The Recycle Bin avoids immediate deletion of objects (which can still be partially recovered by its tombstone). This lowers the administration work needed to restore. It also extends the period where traces are available when an investigation is needed.
Advised solution:First, be sure that the forest level is at least Windows 2008 R2.
You can check it with Get-ADForest or in the Domain Information section.
Then you can enable it using the powershell command:
Enable-ADOptionalFeature -identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=mysmartlogon,DC=com' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'
10 points if present
Details:The detail can be found in Domain Information
The purpose is to ensure that no account can make unexpected modifications to the schema
Technical explanation:The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema such as new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to have this group empty and to add an administrator when a schema update is required then to remove this group membership.
Advised solution:Remove the accounts or groups belonging to the "schema administrators" group.
Points:10 points if present
Documentation:STIG V-72835 - Membership to the Schema Admins group must be limited
ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
The detail can be found in Admin Groups
The purpose is to check that files deployed to computers cannot be changed by everyone.
Technical explanation:Application provided in a msi form or general files can be deployed by a GPO. If an attacker can modify one of this file, it can take control of the user account.
Advised solution:Locate the file mentionned by the GPO specified in Details and change its permissions.
Points:5 points per discovery
Documentation:ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]
STIG V-2370 - The access control permissions for the directory service site group policy must be configured to use the required access permissions.
The detail can be found in GPO Deployed Files
GPO: 志翔桌面管控客户端推送 Type: Application (User section) FileName: \\AD01\Users\vdsadmin\Desktop\test\sensor.msi Account: Everyone Right: FullControl
Trusts : 0 /100
It is about operations related to user or computer objects
No rule matched
Anomalies : 65 /100
It is about specific security control points
The purpose is to alert when the password for the krbtgt account can be used to compromise the whole domain. This password can be used to sign every kerberos ticket. Monitoring it closely often mitigates the risk of golden ticket attacks greatly.
Technical explanation:Kerberos is an authentication protocol. It is using to sign its tickets a secret stored as the password of the krbtgt account. If the hash of the password of the krbtgt account is retrieved, it can be use to generate authentication tickets at will.
To mitigate this attack, it is recommended to change the krbtgt password every 40 days. If it not the case, every backup done until the last password change of the krbtgt account can be used to emit Golden tickets, compromising the entire domain.
Retrieval of this secret is one of the highest priority in an attack, as this password is rarely changed and offer a long term backdoor.
Also this attack can be performed using the former password of the krbtgt account. That's why the krbtgt password should be changed twice to invalidate its leak.
The password of the krbtgt account should be changed twice to invalidate the golden ticket attack.
Beware: two changes of the krbtgt password not replicated to domain controllers can break these domain controllers You should wait at least 8 hours between each krbtgt password change.
There are several possibilities to change the krbtgt password.
First, a Microsoft script can be run in order to guarantee the correct replication of these secrets. Unfortunately this script supports only English operating systems.
Second, a more manual way is to essentially reset the password manually once, then to wait 3 days, then to reset it again. This is the safest way as it ensures the password is no longer usable by the Golden ticket attack.
50 points if the occurence is greater or equals than 732
then 40 points if the occurence is greater or equals than 366
then 30 points if the occurence is greater or equals than 180
then 20 points if the occurence is greater or equals than 70
https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51
ANSSI CERTFR-2014-ACT-032
The detail can be found in Krbtgt
The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
ANSSI CERTFR-2015-ACT-046
The detail can be found in LAPS
The purpose is to ensure that credentials cannot be extracted from the DC via its printer spooler
Technical explanation:When there’s an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, you can get that computers credentials sent to the system with unconstrained delegation as a user. With a domain controller, the TGT of the DC can be extracted allowing an attacker to reuse it with a DCSync attack and obtain all user hashes and impersonate them.
Advised solution:The spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
Points:10 points if present
Documentation:https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
The detail can be found in Domain controllers
Domain Controller AD02
Domain Controller AD01
The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack
Technical explanation:LLMNR is a protocol which translates names such as foo.bar.com into an ip address. LLMNR has been designed to translate name locally in case the default protocol DNS is not available.
Regarding Active Directory, DNS is mandatory which makes LLMNR useless.
LLMNR exploits typo mistakes or faster response time to redirect users to a specially designed share, server or website.
Being trusted, this service will trigger the single sign on procedure which can be abused to retrieve the user credentials.
LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903 where it is disabled.
Enable the GPO Turn off multicast name resolution and check that no GPO override this setting.
(if it is the case, the policy involved will be displayed below)
Informative rule (0 point)
Documentation:Details:The detail can be found in Security settings
The purpose is to ensure that there is no use of the SHA1 hashing algorithm in Root Certificate
Technical explanation:The SHA1 hashing algorithm is not considered as safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less than a brute-force time
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:Informative rule (0 point)
Documentation:https://tools.ietf.org/html/rfc6194
STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
The detail can be found in Certificates
Found in GPO NTLMStore Subject is CN=New-vdesktop-AD02-CA, DC=vdesktop, DC=demo, DC=com
Found in GPO NTLMStore Subject is CN=vdesktop-AD02COPY-CA, DC=vdesktop, DC=demo, DC=com
Found in GPO NTLMStore Subject is CN=vdesktop-AD02-CA-vdstool, DC=vdesktop, DC=demo, DC=com
Found in GPO NTLMStore Subject is CN=vdesktop-AD02-CA, DC=vdesktop, DC=demo, DC=com
The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ characters password for this account greatly helps reducing the risk behind Kerberoast attack (offline crack of the TGS tickets)
Technical explanation:The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ characters password for the Service Account.
Advised solution: The recommended way to handle service accounts is to use "Managed service accounts" introduced since Windows 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password guarantying a 20+ length password.
Informative rule (0 point)
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
Details:The detail can be found in Password Policies
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| 13812341234 | 2018-04-12 06:49:29Z | 2019-03-06 19:39:44Z | CN=任广明,OU=技术研究中心,DC=vdesktop,DC=demo,DC=com |
| 13812341234 | 2018-04-12 01:57:47Z | 2018-09-04 16:00:45Z | CN=陈佳,OU=EC事业部,DC=vdesktop,DC=demo,DC=com |
| test1 | 2017-10-25 14:24:41Z | 2017-12-04 11:25:05Z | CN=test1,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
| test2 | 2017-10-25 14:25:00Z | 2017-12-04 19:37:03Z | CN=test2,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
| test3 | 2017-10-26 08:56:02Z | 2017-11-10 16:40:23Z | CN=test3,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| 13812341234 | 2018-01-08 02:22:39Z | Never | CN=虞正尧,OU=技术研究中心,DC=vdesktop,DC=demo,DC=com |
| Administrator | 2017-10-24 08:59:49Z | 2019-09-17 17:43:05Z | CN=Administrator,CN=Users,DC=vdesktop,DC=demo,DC=com |
| vdsadmin | 2017-10-24 10:38:57Z | 2019-09-10 01:05:49Z | CN=vdsadmin,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
| vdstool | 2019-09-04 02:31:15Z | 2019-09-18 10:06:22Z | CN=vdstool,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| HY130828311061$ | 2017-11-27 07:46:29Z | 2017-12-27 15:49:14Z | CN=HY130828311061,OU=hy,DC=vdesktop,DC=demo,DC=com |
| HY132365671071$ | 2018-08-02 08:51:37Z | 2019-02-28 11:51:05Z | CN=HY132365671071,OU=hy,DC=vdesktop,DC=demo,DC=com |
| HY188682737071$ | 2018-03-02 07:57:31Z | 2018-03-23 14:58:10Z | CN=HY188682737071,CN=Computers,DC=vdesktop,DC=demo,DC=com |
| HY188684188681$ | 2017-11-28 05:54:00Z | 2017-12-19 15:24:30Z | CN=HY188684188681,OU=hy,DC=vdesktop,DC=demo,DC=com |
| Output limited to 100 items - go to the advanced menu before running the report or add "--no-enum-limit" to remove that limit | |||
| Name | Creation | Last logon | Distinguished name |
|---|---|---|---|
| AD01$ | 2017-10-24 09:00:38Z | 2019-09-10 16:20:36Z | CN=AD01,OU=Domain Controllers,DC=vdesktop,DC=demo,DC=com |
| AD02$ | 2019-09-06 14:31:52Z | 2019-09-16 22:35:06Z | CN=AD02,OU=Domain Controllers,DC=vdesktop,DC=demo,DC=com |
| Operating System | Nb OS | Nb Enabled ? | Nb Disabled ? | Nb Active ? | Nb Inactive ? | Nb SidHistory ? | Nb Bad PrimaryGroup ? | Nb unconstrained delegations ? | Nb Reversible password ? |
|---|---|---|---|---|---|---|---|---|---|
| Windows 7 | 530 | 530 | 0 | 419 | 111 | 0 | 0 | 0 | 0 |
| Windows 2012 | 3 | 3 | 0 | 3 | 0 | 0 | 0 | 2 | 0 |
Here is a specific zoom related to the Active Directory servers: the domain controllers.
| Domain controller | Operating System | Creation Date ? | Startup Time | Uptime | Owner ? | Null sessions ? | SMB v1 ? | Remote spooler ? | FSMO role ? |
|---|---|---|---|---|---|---|---|---|---|
| AD02 | Windows 2012 | 2019-09-06 14:31:52Z | 2019-09-06 22:34:25Z | 11 days | VDESKTOP\Domain Admins | NO | YES | YES | |
| AD01 | Windows 2012 | 2017-10-24 09:00:38Z | 2019-09-06 16:20:13Z | 12 days | VDESKTOP\Domain Admins | NO | YES | YES | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master |
This section is focused on the groups which are critical for admin activities. If the report has been saved which the full details, each group can be zoomed with its members. If it is not the case, for privacy reasons, only general statictics are available.
| Group Name | Nb Admins ? | Nb Enabled ? | Nb Disabled ? | Nb Inactive ? | Nb PWd never expire ? | Nb Smart Card required ? | Nb Service accounts ? | Nb can be delegated ? | Nb external users ? |
|---|---|---|---|---|---|---|---|---|---|
| Account Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Administrators | 3 | 3 | 0 | 0 | 3 | 0 | 0 | 3 | 0 |
| Backup Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Cert Publishers | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Crypto Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Domain Admins | 3 | 3 | 0 | 0 | 3 | 0 | 0 | 3 | 0 |
| Enterprise Admins | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
| Network Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Print Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Schema Admins | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |
| Server Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| SamAccountName ? | Enabled ? | Active ? | Pwd never Expired ? | Locked ? | Smart Card required ? | Service account ? | Flag Cannot be delegated present ? | Distinguished name ? |
|---|---|---|---|---|---|---|---|---|
| Administrator | ✓ | ✓ | YES | NO | NO | NO | NO | CN=Administrator,CN=Users,DC=vdesktop,DC=demo,DC=com |
| vdsadmin | ✓ | ✓ | YES | NO | NO | NO | NO | CN=vdsadmin,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
| vdstool | ✓ | ✓ | YES | NO | NO | NO | NO | CN=vdstool,OU=UserOU,DC=vdesktop,DC=demo,DC=com |
Each specific rights defined for Organizational Unit (OU) are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| DC=vdesktop | VDESKTOP\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL |
| CN=RAS and IAS Servers Access Check,CN=System | VDESKTOP\RAS and IAS Servers | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=WMIPolicy,CN=System | VDESKTOP\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| CN=SOM,CN=WMIPolicy,CN=System | VDESKTOP\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| Trust Partner | Type | Attribut | Direction ? | SID Filtering active ? | TGT Delegation ? | Creation ? | Is Active ? ? |
|---|
These are the domains that PingCastle was able to detect but which is not releated to direct trusts. It may be children of a forest or bastions.
| Reachable domain | Via | Netbios | Creation date |
|---|
The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).
Last backup date: 2019-09-18 03:44:50Z
LAPS is used to have a unique local administrator password on all workstations / servers of the domain. Then this password is changed at a fixed interval. The risk is when a local administrator hash is retrieved and used on other workstation in a pass-the-hash attack.
Mitigation: having a process when a new workstation is created or install LAPS and apply it through a GPO
LAPS installation date: Never
Windows Event Forwarding is a native mechanism used to collect logs on all workstations / servers of the domain. Microsoft recommends to Use Windows Event Forwarding to help with intrusion detection Here is the list of servers configured for WEF found in GPO
Number of WEF servers configured: 0
The password of the krbtgt account should be changed twice every 40 days using this script
You can use the version gathered using replication metadata from two reports to guess the frequency of the password change or if the two consecutive resets has been done. Version starts at 1.
Kerberos password last changed: 2017-10-24 17:00:39Z version: 2
This control detects accounts which are former 'unofficial' admins. Indeed when an account belongs to a privileged group, the attribute admincount is set. If the attribute is set without being an official member, this is suspicious. To suppress this warning, the attribute admincount of these accounts should be removed after review.
Number of accounts to review: 0
You can check here backdoors or typo error in the scriptPath attribute
| Script Name | Count |
|---|---|
| None | 451 |
This detects trusted certificate which can be used in man in the middle attacks or which can issue smart card logon certificates
Number of trusted certificates: 4
| Source | Store | Subject | Issuer | NotBefore | NotAfter | Module size | Signature Alg | SC Logon |
|---|---|---|---|---|---|---|---|---|
| Enterprise NTAuth ? | NTLMStore | CN=New-vdesktop-AD02-CA, DC=vdesktop, DC=demo, DC=com | CN=New-vdesktop-AD02-CA, DC=vdesktop, DC=demo, DC=com | 2019-09-05 10:58:07Z | 2029-09-05 11:08:07Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=vdesktop-AD02COPY-CA, DC=vdesktop, DC=demo, DC=com | CN=vdesktop-AD02COPY-CA, DC=vdesktop, DC=demo, DC=com | 2019-09-04 10:41:25Z | 2029-09-04 10:51:24Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=vdesktop-AD02-CA-vdstool, DC=vdesktop, DC=demo, DC=com | CN=vdesktop-AD02-CA-vdstool, DC=vdesktop, DC=demo, DC=com | 2019-08-29 11:18:00Z | 2029-08-29 11:27:59Z | 2048 | sha1RSA | False |
| Enterprise NTAuth ? | NTLMStore | CN=vdesktop-AD02-CA, DC=vdesktop, DC=demo, DC=com | CN=vdesktop-AD02-CA, DC=vdesktop, DC=demo, DC=com | 2019-08-21 15:25:17Z | 2024-08-21 15:35:17Z | 2048 | sha1RSA | False |
Note: PSO (Password Settings Objects) will be visible only if the user which collected the information has the permission to view it.
PSO shown in the report will be prefixed by "PSO:"
| Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account counter locker after |
|---|
This is the settings related to screensavers stored in Group Policies. Each non compliant setting is written in red.
| Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds) |
|---|
The password in GPO are obfuscated, not encrypted. Consider any passwords listed here as compromissed and change it immediatly.
Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.
A GPO can be used to deploy security settings to workstations.
The best practice out of the default security baseline in reported in green.
The following settings in red are unsual and may need to be reviewed.
Each setting is accompagnied which its value and a link to the GPO explanation.
| Policy Name | Setting | Value |
|---|
Giving privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPriviledge give the right to act as SYSTEM, which has more privileges than the administrator account.
A GPO login script is a way to force the execution of data on behalf of users.
A GPO can be used to deploy applications or copy files. These files may be controlled by a third party to control the execution of local programs.
| GPO Name | Type | File |
|---|---|---|
| 强制与AD时钟同步 | Application (User section) | \\AD01\Users\vdsadmin\Desktop\探针安装包\sensor.msi |
| 志翔桌面管控客户端推送 | Application (User section) | \\AD01\Users\vdsadmin\Desktop\test\sensor.msi |