
Auditing Features

root edited this page Jan 24, 2024 · 2 revisions

AD Audit and Hardening Tools

Audit for AD Security Best Practices

This audit checks for many small security and best-practice issues. Most of the findings are simple on their own, but each could leave an AD server open to attack. The tests performed include the following.

- Unprivileged accounts with "adminCount=1" attribute set. [REF-LINK](https://cybergladius.social/@CyberGladius/109649278142902592)
- Users and computers with non-default Primary Group IDs.
- Disabled accounts with Group Membership other than 'Domain Users' group.
- Check if default "Computer" folder in AD has computer objects in it.
- Check the domain password & lockout policy setting and make recommendations.
- Audit for AD objects with DCSync rights ACEs on the root domain.
- Audit for AD objects with high-risk ACEs on the root domain.
- Check for inactive computer accounts.
- Check for inactive user accounts.
- Check for user accounts with weak or breached passwords.
- Check for user accounts with the "Password never expires" option set.
- Check for passwords stored with reversible encryption.
- Check for accounts with the same password.
- Check for accounts with delegated rights to a service account.
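One way to implement the first check above (orphaned "adminCount=1" accounts), as an added example that is not the project's own code: it assumes the RSAT ActiveDirectory module, read access to the domain, and that the protected-group list below matches your forest.

```powershell
# Added example (not AD-PowerAdmin's code): report user and computer objects that
# carry adminCount=1 but are no longer members of any AdminSDHolder-protected group.
# Assumes the RSAT ActiveDirectory module and read-only access to the domain.
Import-Module ActiveDirectory

function Get-OrphanedAdminCount {
    # Groups whose members AdminSDHolder protects (assumed list; adjust to your forest).
    $protected = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
                 'Replicator', 'Domain Controllers', 'Read-only Domain Controllers',
                 'Key Admins', 'Enterprise Key Admins'

    # Build the set of DNs that are legitimately protected (recursive membership).
    # Enterprise/Schema Admins exist only in the forest root, so a missing group is skipped.
    $legit = @{}
    foreach ($g in $protected) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $legit[$_.DistinguishedName] = $true }
    }

    # krbtgt is protected by AdminSDHolder without group membership; treat it as expected.
    $krbtgt = Get-ADUser -Identity 'krbtgt'
    $legit[$krbtgt.DistinguishedName] = $true

    # objectClass=user also matches computer objects (computer derives from user),
    # but not groups, so the protected groups themselves are not reported.
    Get-ADObject -LDAPFilter '(&(adminCount=1)(objectClass=user))' `
                 -Properties adminCount, whenChanged |
        Where-Object { -not $legit.ContainsKey($_.DistinguishedName) } |
        Select-Object Name, ObjectClass, DistinguishedName, whenChanged
}

# Report only. Clearing adminCount and re-enabling ACL inheritance on the
# flagged objects is a separate, reviewed remediation step.
Get-OrphanedAdminCount | Format-Table -AutoSize
```

Objects listed here keep the restrictive AdminSDHolder ACL after leaving a privileged group, which hides them from normal delegation and inheritance; the report is the input to that cleanup, not the cleanup itself.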

Audit AD Admin Account Report

This admin audit report will generate a list of all user accounts within the domain that have group membership in highly privileged groups. These groups should be used as little as possible, and membership should only be given if required by a job role. Here is a list of the groups audited.

- Domain Admins
- Enterprise Admins
- Administrators
- Schema Admins
- Backup Operators
- Account Operators
- Server Operators
- Domain Controllers
- Print Operators
- Replicator
- Enterprise Key Admins
- Key Admins

The audit includes Domain Controllers and Managed Service Accounts. Any account whose group membership could be used to escalate to Domain Admins will be listed in the report. This is a good way to find rogue domain controllers and managed service accounts that have been compromised.

Force KRBTGT password Update

This option will update the KRBTGT password for all domain controllers. During normal operation, the KRBTGT password needs to be updated every 90 days, twice. Every 90 days, update the KRBTGT password, wait 10 hours, then update it again. Alternatively, use this script's '-Daily' option to automate this process.

See my blog post for more details: https://cybergladius.com/ad-hardening-against-kerberos-golden-ticket-attack/

Search for inactive computers

Search for computers that have been inactive for more than X days; default is 90 days. This will disable the computer, strip all group membership, and move it to the Disabled.Desktop OU. This can be run manually or automated via the 'Daily' option.

See my blog post for more details: https://cybergladius.com/ad-hardening-inactive-computer-objects/

!!NOTE!!: You must update the settings in 'AD-PowerAdmin_settings.ps1' to match your AD setup.

Search for inactive Users

Search for users that have been inactive for more than X days; default is 90 days. This will disable the user, strip all group membership, and move it to the Disabled.Users OU. This can be run manually or automated via the 'Daily' option.

See my blog post for more details: https://cybergladius.com/ad-hardening-inactive-computer-objects/

!!NOTE!!: You must update the settings in 'AD-PowerAdmin_settings.ps1' to match your AD setup.