Active Directory Security Report PowerShell
Active Directory is one of the most critical systems in your infrastructure. We saw previously how to get some basic information about how you’re using it, and some statistics about the users, computers and groups.
Today, we’ll add some security indicators to this report:
- Users that don’t require a password
- Users that don’t require preauth
- Presence of dynamic objects
- Presence of the DsrmAdminLogonBehavior registry key
- Attributes not audited
- Trusts without SID Filtering enabled
- AdminSDHolder Metadata
- Domain Metadata
This is not an exhaustive list, just a few points you can easily keep an eye on.
Users that don’t require a password
This UserAccountControl flag allows users to bypass the domain password policy. This can lead to weak passwords, or no password at all.
Users that don’t require preauth
This can lead to a security risk as well, as explained here.
Presence of dynamic objects
The presence of dynamic objects can be a sign of malicious activity if you don’t use them as part of a Privileged Access Management solution. Indeed, these objects are really discreet in the logs and are used by attackers to grant temporary administrative permissions very quietly.
Presence of the DsrmAdminLogonBehavior registry key
This registry key controls the logon behavior of the Directory Services Restore Mode (DSRM) account. Depending on its value, it can allow the DSRM account to log on to a running Domain Controller. Once logged on, the DSRM account is as powerful as a domain admin.
Attributes not audited
If some attributes aren’t audited, you won’t be able to track modifications made to them from the security logs; they will go completely unnoticed.
Trusts without SID Filtering enabled
If you have trusts without SID History filtering, a user from the trusted domain (with the appropriate permissions in their own domain) can inject a domain admin SID from your domain into their SIDHistory attribute and take over your domain.
AdminSDHolder Metadata
The metadata of the AdminSDHolder container is a nice thing to monitor: with it, you will be able to spot any modification to this very sensitive object.
Domain Metadata
Like AdminSDHolder, the metadata on the domain naming context is quite a source of information. With it, you can track modifications to group policy links at the domain level, the ACL, the password policy, etc.
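As an added example (not the report script from the GitHub repo), the following collects most of the indicators discussed above into one JSON report; the attribute-audit check is left out. It assumes the RSAT ActiveDirectory module, read access to the domain, and WinRM access to every Domain Controller for the DSRM registry value.

```powershell
# Added example: gathers the indicators from this post into a single report.
# Assumes the ActiveDirectory module and WinRM access to each DC (for the registry check).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$report = [ordered]@{}

# Users that don't require a password: UserAccountControl bit PASSWD_NOTREQD (0x20)
$report['PasswordNotRequired'] = Get-ADUser -Server $pdc `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' |
    Select-Object -ExpandProperty SamAccountName

# Users that don't require Kerberos preauth: bit DONT_REQ_PREAUTH (0x400000)
$report['PreauthNotRequired'] = Get-ADUser -Server $pdc `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    Select-Object -ExpandProperty SamAccountName

# Dynamic objects (objectClass dynamicObject) expire on their own; entryTTL shows time left
$report['DynamicObjects'] = Get-ADObject -Server $pdc `
    -LDAPFilter '(objectClass=dynamicObject)' -Properties entryTTL |
    Select-Object DistinguishedName, entryTTL

# DsrmAdminLogonBehavior on every DC: absent or 0 means DSRM account can only log on in DSRM
$report['DsrmAdminLogonBehavior'] = Get-ADDomainController -Filter * | ForEach-Object {
    $value = Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
            -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    }
    [pscustomobject]@{ DC = $_.HostName; Value = $value }
} | Where-Object { $null -ne $_.Value -and $_.Value -ne 0 }

# Trusts without SID filtering: external trusts rely on SIDFilteringQuarantined,
# forest trusts on SIDFilteringForestAware; neither set means SIDHistory is not filtered
$report['TrustsWithoutSidFiltering'] = Get-ADTrust -Filter * |
    Where-Object { -not $_.SIDFilteringQuarantined -and -not $_.SIDFilteringForestAware } |
    Select-Object Name, Direction, TrustType

# Replication metadata: which attribute changed, when, and from which DC it originated
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$report['AdminSDHolderMetadata'] = Get-ADReplicationAttributeMetadata -Server $pdc `
    -Object $adminSdHolder -ShowAllLinkedValues |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
$report['DomainMetadata'] = Get-ADReplicationAttributeMetadata -Server $pdc `
    -Object $domain.DistinguishedName -Properties gPLink, nTSecurityDescriptor, minPwdLength |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
$report | ConvertTo-Json -Depth 4 | Out-File -FilePath .\AD-SecurityReport.json
```

Run it from the PDC emulator on a schedule and diff consecutive JSON files: a new entry under any key is the event worth investigating.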
These are only a very few of the Active Directory security risks that are easily identifiable. If you are aware of more, let me know in the comments; I’ll be happy to add them to the report. If you know how to check them, you can send a pull request on the GitHub repo 🙂