| Users DES encryption attribute status |
Name:
User accounts using DES encryption to log in
Default scope:
All users DES |
DES encryption is weak and easy for an adversary to crack. User accounts configured to use DES encryption for authentication are particularly vulnerable to being compromised.
Remediation:
To resolve vulnerability, in the account's Account tab -Account options, uncheck “Use only Kerberos DES encryption types for this account”. |
User accounts in scope that have “Use only Kerberos DES encryption types for this account enabled |
| Account password reversible encryption status |
Name:
User accounts have a reversible password |
User accounts with the "Store password using reversible encryption" enabled will have their passwords stored in a manner that can be easily harvested by an adversary looking for an entry point to the directory.
Remediation:
To resolve vulnerability, in the account's Account tab - Account options, uncheck “Store password using reversible encryption”. |
User accounts in scope that have “Store password using reversible encryption” enabled |
|
Name:
Computer accounts with reversible password
Default scope:
All computers |
Computer accounts with the "Store password using reversible encryption" enabled will have their passwords stored in a manner that can be easily harvested by an adversary looking for an entry point to the directory.
Remediation:
Disable "Store password using reversible encryption" unless the setting is required for the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS) or Digest Authentication in Internet Information Services (IIS). Set the "Store password using reversible encryption" to false on all Computer accounts either through the computer’s local security policy or the assigned group policy. |
Accounts in scope that have "Store password using reversible encryption" enabled |
| Users Kerberos preauthentication status |
Name:
User accounts with Kerberos pre-authentication disabled
Default scope:
All users |
User accounts with Kerberos pre-authentication disabled can be compromised as part of ASREP-Roasting attacks.
Remediation:
To resolve vulnerability, in the account’s Account tab -Account options, uncheck "Do not require Kerberos preauthentication". |
User accounts in scope that have “Do not require Kerberos preauthentication” enabled |
| Users Service Principal Name status |
Name:
Non-privileged user accounts with Service Principal Names
Default scope:
All except Tier Zero users |
User accounts with Service Principal Names (SPNs) defined are exposed to Kerberos-based authentication attacks, providing an adversary with an entry point to the directory.
Remediation:
To resolve vulnerability, remove the Service Principal Name from the user object if possible. If the Service Principal Name cannot be removed, enforce a very strong password on the user object which contains 32 characters with upper case, lower case, numeral, and special characters. |
User accounts in scope that have “Service Principal Name” not empty |
| Users delegated account attribute status |
Name: Administrator account can be delegated
Default scope: Tier Zero users |
Administrator accounts that are not configured to disallow delegation can be delegated and taken control of by an adversary.
Remediation:
To resolve vulnerability, ensure that administrator accounts are configured so that the "This account is sensitive and cannot be delegated" option is enabled and that the accounts are also added as members to the Protected Users group. |
User accounts in scope which have "This account is sensitive and cannot be delegated" disabled and are not members of the “Protected Users” group |
| Users Password Never Expires status |
Name:
Non-privileged user accounts configured for Password Never Expires
Default scope:
All except Tier Zero users |
User accounts with passwords that are not cycled regularly are more susceptible to brute force password cracking attempts. Accounts that are configured to never require a password change should be remediated accordingly.
Remediation:
To resolve vulnerability, set the “Don’t Expire Password” option on the user account to “disabled” and enforce the organizations password policy |
User accounts in scope that have “Password Never Expires” enabled |
|
Name:
Privileged user accounts configured for Password Never Expires
Default scope:
Tier Zero users |
Administrative accounts with passwords that are not cycled regularly are more susceptible to brute force password cracking attempts. Accounts that are configured to never require a password change should be remediated accordingly.
Remediation:
To resolve vulnerability, on the user Properties Account tab, make sure Password never expires is unchecked. |
|
| Protected Users group membership status |
Name:
Protected Users group is not being used
Default scope:
Tier Zero users |
The Protected Users group should be used to protect privileged user accounts from attacks to steal their credentials. If the group is not in use, privileged accounts are exposed to possible credential theft.
Remediation:
Members of the Protected Users group are blocked from using NTLM authentication. Therefore, do not add privileged users to the Protected Users group if they require access to resources that require NTLM to authenticate. In addition, accounts for services and computers should never be members of the Protected Users group as it will cause authentication to fail.
To resolve this vulnerability, consider adding any privileged account that does not require NTLM and is not a service account to the Protected Users group. |
User accounts in scope that are not members of the “Protected Users” group |
| Account last used |
Name:
Enabled privileged user accounts that are inactive
Default scope: Tier Zero users |
The number of privileged accounts in a domain should be limited and closely monitored. Privileged accounts that are not regularly used are ripe targets for being compromised without detection, allowing an adversary more time to perform reconnaissance in the environment.
Remediation:
After inactive accounts are identified, it is recommended to disable those user accounts, wait several weeks, and then delete the accounts if no issues have been reported. |
Accounts in scope that were last used more than 90 days ago
NOTE: The number of days is editable. |
|
Name:
Privileged computers that have not recently authenticated to the domain
Default scope:
Tier Zero computers |
Privileged computers such as domain controllers will authenticate with the domain regularly. Domain controllers that are not authenticating and offline are susceptible to having password hashes stolen or used to introduce nefarious changes to the directory.
Remediation:
Privileged computers that are offline for extended periods of time should be investigated. Domain controllers that are out of sync with the domain over 30 days should be reinstalled or removed. |
Accounts in scope that were last used more than 30 days ago
NOTE: The number of days is editable. |
|
Domain controller SMBv1 protocol status
|
|
NOTE: For vulnerabilities that use this template, the hybrid agent service account must be a member of the Domain Admins group. | |
Name:
Domain Controller is running SMBv1 protocol
Default scope:
N/A |
The SMBv1 protocol supports legacy insecure authentication protocols. If running, it can allow an adversary to access a domain controller and harvest credentials or execute commands.
Remediation:
Disable the SMBv1 protocol on the impacted domain controllers. |
Computers in scope that have the SMBv1 protocol enabled |
|
Domain controller Print Spooler status
|
|
NOTE: For vulnerabilities that use this template, the hybrid agent service account must be a member of the Domain Admins group. | |
Name:
Printer Spooler service is enabled on a domain controller
Default scope:
N/A |
If an account has unconstrained delegation configured over the Printer Spooler service on a domain controller, an adversary can use that attack path to gain access to the domain controller and leverage the Printer Spooler service vulnerability to remotely execute code or obtain the password hashes contained on the domain controller.
Remediation:
Disable the Printer Spooler service on all domain controllers. |
Domain controller that has the Print Spooler service enabled |
| Group Policy "Store passwords using reversible encryption" setting |
Name:
Group Policy allows reversible passwords
Default scope:
All Group Policies |
Group Policies containing reversible passwords are an attractive target as those passwords can be easily decrypted and used to elevate an adversary's privileges.
Remediation:
Configure the "Store passwords using reversible encryption" setting located in “Computer Configuration - Policies - Windows Settings - Security Settings - Account Policies - Password Policy” section of the Group Policy to “disabled”. There are a couple of use cases where this setting would be enabled: Challenge Handshake Authentication Protocol (CHAP) for remote access or Internet Authentication Services (IAS), Internet Information Services (IIS) Digest Authentication Disabling this setting could break these applications. If this is needed for backwards compatibility the recommendation is to apply this to a single user or smallest subset of users vs the full domain. |
Group Policy objects in scope that have "Store passwords using reversible encryption" enabled |
| Domain "Replicating Directory Changes All" and "Replicating Directory Changes" delegation |
Name:
Non-privileged accounts can steal password hashes (DCSync)
Default scope:
All except Tier Zero accounts |
If non-privileged accounts have the "Replicating Directory Changes All" and "Replicating Directory Changes" permissions, they can impersonate a domain controller and receive a replicated copy of the Active Directory database that will allow them to steal password hashes.
Remediation:
These delegations should be removed unless there is a compelling reason for their existence. |
Domain has "Replicating Changes All" and "Replicating Directory Changes" set to Allow for any accounts in scope |
| Object read-only domain controller msDS-NeverRevealGroup status |
Name:
Protected group credentials exposed on read-only domain controllers
Default scope:
- Administrators
- Account Operators
- Backup Operators
- Denied RODC Password Replication Group
- Server Operators
|
Read-only domain controllers (RODCs) should be configured so that privileged user and group credentials are not replicated. If privileged passwords are replicated, an adversary who gains access to the RODC can harvest the credentials and elevate their privileges.
Remediation:
Ensure the built-in groups Administrators, Account Operators, Backup Operators, Denied RODC Password Replication Group, and Server Operators are set to “Deny” on the Password Replication Policy tab of the read-only domain controller in Active Directory Users and Computers. |
Objects in scope are not listed in the read-only domain controller "msDS-NeverRevealGroup" attribute |
| RODC password replication policy |
Name:
Privileged account token can be stolen from a read-only domain controller
Default scope:
All groups except Allowed RODC Password Replication
|
Read-only domain controllers (RODCs) should be configured so that privileged user and group credentials are not replicated. If privileged passwords are replicated, an adversary who gains access to the RODC can harvest the credentials and elevate their privileges.
Remediation:
Remove the account from the msDS-RevealOnDemandGroup attribute. Locate the account on the Properties - Password Replication Policy tab of read-only domain controller in Active Directory Users and Computers and either remove the account or change the setting to Deny. |
Objects in scope are listed in the read-only domain controller “msDS-RevealOnDemandGroup” attribute |
| Account password last changed |
Name:
Managed and Group Managed Service accounts that have not cycled their password recently
Default scope:
All Service Accounts |
Managed Service Accounts (MSA) and Group Managed Service accounts (gMSA) that have not had their passwords cycled recently could indicate they've been compromised.
Remediation:
The reason that prevented the managed service account from updating their password the default 30 days should be investigated. Such as verifying if the msDS-ManagedPasswordInterval attribute on the service account is set to a value greater than 30. |
Accounts in scope that have not updated its password within last 30 days.
NOTE: The number of days is editable. |
| Computer account ms-Msc-AmdPwd attribute permissions |
Name:
Non-default configuration of the Microsoft Local Administrator Password
Default scope:
All except Domain Admins
|
An incorrectly configured Microsoft Local Administrator Password (ms-Msc-AmdPwd attribute) can expose the local Administrator password for an adversary to steal. Confidential attributes can only be viewed by Domain Admins by default, and unlike other attributes, is not accessible by Authenticated Users.
Remediation:
Review accounts that can view the “ms-mcs-AdmPwd” attribute of a computer account and determine if the access is required. If not required, change the value to Deny read. |
Computer ms-Msc-AmdPwd attribute has Allow Read set for any account in scope |
| User permission on Resource-Based Constrained Delegation settings for KRBTGT |
Non-privileged user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account
Default scope:
All except Tier Zero users |
Non-privileged user accounts that have the permission to write Resource-Based Constrained Delegation (RBCD) on the KRBTGT account can allow an adversary to impersonate any user and take control of the KRBTGT account, and from there, the entire domain.
Remediation:
To resolve vulnerability, review the KRBTGT object security to determine if non-privileged user accounts should have Write permissions in the Resource-Based Constrained Delegation attribute. If not required, remove them. |
Users in scope that have Allow Write permission on Resource-Based Constrained Delegation settings for KRBTGT account |
| Privileged computers permission granted on Resource-Based Constrained Delegation |
Name:
Privileged computer that has write permissions on Resource-Based Constrained Delegation granted to a non-privileged account
Default scope:
All except Tier Zero objects
|
Non-privileged accounts that have the permission to write Resource-Based Constrained Delegation (RBCD) on a privileged computer such as a domain controller can allow an adversary to impersonate any user and take control of the DC.
Remediation:
To resolve vulnerability, review the privileged computer security to determine if non-privileged user accounts should have Write permissions in the Resource-Based Constrained Delegation attribute. If not required, remove Write permissions on the attribute.
|
Privileged computers that have accounts in scope with Allow Write permission on Resource-Based Constrained Delegation |
|
gMSA root key access
|
|
NOTE: For vulnerabilities that use this template, the hybrid agent service account must be a member of the Domain Admins or Enterprise Admins group. | |
Name:
Non-privileged accounts can access the gMSA root key
Default scope:
All except Tier Zero objects
|
Non-privileged accounts with access to the Group Key Distribution Services Master Root Keys could gain access to any gMSA account in the environment.
|
|
NOTE: For Assessment results to be returned for this vulnerability, the account under which the agent service is run must have Domain Admin or Enterprise Admin permissions to read the msKds-ProvRootKey objects in Active Directory |
Remediation:
Restrict access to the msKds-ProvRootKey objects in the domain to only privileged users and groups. The default groups that have access to the objects are SYSTEM, Domain Admins, and Enterprise Admins.
|
Accounts in scope that have Allow Read or Allow Write permission for msKds-RootKeyData attribute on msKds-ProvRootKey objects |
| Write access on certificate templates |
Name:
Non-privileged accounts have access to write properties on certificate templates
Default scope:
All except Tier Zero users and groups and Foreign Security Principal (S-1-5-9)
|
Non-privileged users with write access on certificate templates allow attackers to create illegitimate certificates for any user, which allows them to elevate their privileges and compromise the domain.
A template is misconfigured at the access control level if it has Access Control Entries (ACEs) that allow unintended, or otherwise non-privileged, AD principals to edit sensitive security settings in the template.
Remediation:
Remove non-privileged users from having any write access to “Certificate Templates” container in Configuration - Services - Public Key Services or any pKICertificateTemplate object in that container. |
Accounts in scope have WriteOwner, WriteDacl or WriteProperty permissions on NTAuthCertificates objects in the “Certificate Templates” container |
| AdminSDHolder inheritance status |
Name:
Inheritance is enabled on the AdminSDHolder container
Default scope:
N/A
|
The AdminSDHolder object is rarely modified. If inheritance is enabled on the ACL of this object, it could be the result of an adversary propagating changes in the directory that make accessing additional privileged accounts easier for them.
Remediation:
On the AdminSDHolder object in the System container, open Security - Advanced, click “Disable inheritance”, and select the option to “Remove all inherited permissions from this object”. |
AdminSDHolder permission inheritance set to enabled |
| User access to gMSA password |
Name:
Non-privileged users with access to gMSA password
Default scope:
All except Tier Zero users
|
Non-privileged users that are members of a group that is listed in a Group Managed Service Account’s (gMSA) msDS-groupMSAMembership attribute can gain access to the password of the account and move laterally to resources it manages.
Remediation:
Unless there is a business reason, remove non-privileged users from the group that is listed in the Group Managed Service Account’s (gMSA) msDS-groupMSAMembership attribute. |
Users in scope that are able to retrieve the password for a Group Managed Service Account (gMSA) |
| Domain trust Kerberos AES encryption support status |
Name:
Domain trust without Kerberos AES encryption enabled
Default scope:
All Trusted Domains
|
The setting “The other domain supports Kerberos AES Encryption” determines whether the trust supports AES encryption. Trusts that do not have the setting enabled will use RC4 encrypted Kerberos tickets which are considered significantly less secure than AES.
Remediation:
Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing.
In the Active Directory Domains and Trusts console, right-click the forest root domain, and select Properties. Select the Trusts tab, highlight the trust, and then click the Properties button. Then enable the setting "The other domain supports Kerberos AES Encryption". |
Domain trust in scope has Kerberos AES encryption support disabled |
| KRBTGT account password last changed |
Name:
Kerberos KRBTGT account password has not changed recently
Default scope:
N/A |
The KRBTGT account is a domain default account that acts as a service account for the Key Distribution Center (KDC) service. During the Kerberos Authentication process, TGTs are issued to accounts requesting access to resources. These TGTs are encrypted by cryptographic key which is derived from the password of the KRBTGT account. In many Active Directory environments, the password for the KRBTGT account has not been changed since before moving to the 2008 domain functional level. This means that the password is not AES encrypted, which can expose the account to attack and break trusts with forests that require AES encryption.
Remediation:
There is no specific recommendation from Microsoft regarding password reset frequency for the KRBTGT account, but security organizations recommend that it be reset periodically. The KRBTGT account keeps the two most recent passwords in password history. Therefore, the password should be reset twice to invalidate all tickets issued from the old KRBTGT password. When the tickets are invalidated, all machines and all applications will contact the domain controllers in the environment for new Kerberos tickets.
|
Kerberos KRBTGT account password has not been updated within the last 180 days |
