The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Initial Access.

NOTE: Initial Access techniques are used by adversaries to obtain a foothold within a network, for example through targeted spear-phishing or by exploiting vulnerabilities or configuration weaknesses in public-facing systems.

Each entry below gives the vulnerability template (its name and default scope), the vulnerability risk with its remediation, and what to find.
Vulnerability template: Built-in Guest account status

Name: Built-in Guest account is enabled

Default scope: N/A

Vulnerability risk: The built-in Guest account allows logon to Active Directory without a password and should be disabled. It is disabled by default, so an enabled Guest account indicates that someone changed it, deliberately or by accident.

Remediation: Disable the built-in Guest account. Identify it by its well-known relative identifier (RID) 501, that is, the account whose SID is S-1-5-21-<domain>-501, rather than by name, because the account may have been renamed.

What to find: Built-in Guest accounts that are enabled.
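The check and remediation above, as an added PowerShell example that is not part of the original page: the Guest account is resolved by its fixed RID 501 in every domain of the forest, so a renamed account is still found. It requires the ActiveDirectory module (RSAT) on a domain-joined host and rights to modify the account; nothing is assumed about domain names, they come from the forest.

```powershell
# Added example (not from the original page): find the built-in Guest account in every
# domain of the forest by RID 501 (SID S-1-5-21-<domain>-501), report the enabled ones,
# and disable them. Requires the ActiveDirectory module and rights on the account.
Import-Module ActiveDirectory

function Get-BuiltinGuestAccount {
    param([Parameter(Mandatory)][string]$Domain)
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    # RID 501 never changes for the built-in Guest account, whatever its current name.
    Get-ADUser -Identity "$domainSid-501" -Server $Domain -Properties Enabled, WhenChanged
}

function Get-EnabledGuestAccounts {
    # Returns the Guest accounts that are enabled: the "what to find" of this check.
    foreach ($domain in (Get-ADForest).Domains) {
        $guest = Get-BuiltinGuestAccount -Domain $domain
        if ($guest.Enabled) {
            [pscustomobject]@{
                Domain         = $domain
                SamAccountName = $guest.SamAccountName
                SID            = $guest.SID.Value
                WhenChanged    = $guest.WhenChanged
            }
        }
    }
}

$findings = Get-EnabledGuestAccounts
$findings | Format-Table -AutoSize

# Remediation: disable every enabled Guest account. -WhatIf previews the change;
# remove it to apply.
foreach ($f in $findings) {
    Disable-ADAccount -Identity $f.SID -Server $f.Domain -WhatIf
}
```

Resolving by SID matters because a renamed Guest account still carries RID 501, while a filter on the name "Guest" would miss it and could match an unrelated account that was given that name.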
Vulnerability template: Anonymous access to Active Directory status

Name: Anonymous access to Active Directory is enabled

Default scope: N/A

Vulnerability risk: Anonymous access lets an unauthenticated client perform reconnaissance against Active Directory, for example enumerating users and groups after an anonymous LDAP bind. By default anonymous clients can only bind and read the rootDSE. Anonymous LDAP operations are enabled when the 7th character of the dsHeuristics attribute (fLDAPBlockAnonOps) is set to 2 on the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com. The Name Service Provider Interface (NSPI), the RPC interface used by address-book clients, has its own anonymous-access character in the same attribute (fAllowAnonNSPI, the 8th character).

Remediation: Set the 7th character of the dsHeuristics attribute to 0 so that anonymous LDAP operations are blocked, leaving the attribute's other characters unchanged. If the attribute is absent or shorter than 7 characters, anonymous operations are already blocked. The attribute is on the Directory Service object at CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com; writing it requires rights on the Configuration partition, and the change replicates to every domain controller in the forest.

What to find: A dsHeuristics attribute on the Directory Service object whose 7th character is 2, indicating that anonymous access to Active Directory is enabled.
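The dsHeuristics check and fix above, as an added PowerShell example that is not from the original page. The string helpers run offline on constructed values; the Get-ADObject/Set-ADObject calls need the ActiveDirectory module and rights to write to the Configuration partition. The function names are this example's own.

```powershell
# Added example (not from the original page): test the 7th character of dsHeuristics
# (fLDAPBlockAnonOps) and build a corrected value that changes only that character.
Import-Module ActiveDirectory

function Test-AnonymousLdapOpsEnabled {
    param([string]$DsHeuristics)   # an absent attribute ($null) arrives here as ''
    # MS-ADTS: only the value '2' in the 7th character permits anonymous LDAP operations
    # beyond rootDSE searches and binds; a shorter string or any other value blocks them.
    return ($DsHeuristics.Length -ge 7 -and $DsHeuristics[6] -eq '2')
}

function Set-DsHeuristicsCharacter {
    param([string]$DsHeuristics, [int]$Position, [char]$Value)
    # Positions are 1-based as in the documentation. Pad with '0' so the other flags keep
    # their positions, and honour the MS-ADTS rule that every 10th character equals its
    # index divided by 10 (10th = '1', 20th = '2', ...).
    $chars = [char[]]($DsHeuristics.PadRight($Position, '0'))
    $chars[$Position - 1] = $Value
    for ($i = 10; $i -le $chars.Length; $i += 10) { $chars[$i - 1] = [char][string]($i / 10) }
    return -join $chars
}

function Get-DirectoryServiceObject {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties dsHeuristics
}

function Disable-AnonymousLdapOps {
    # Remediation: set fLDAPBlockAnonOps to 0 while preserving every other flag.
    param([switch]$WhatIf)
    $ds = Get-DirectoryServiceObject
    $current = [string]$ds.dsHeuristics
    if (-not (Test-AnonymousLdapOpsEnabled $current)) {
        return "Anonymous LDAP operations already blocked (dsHeuristics = '$current')"
    }
    $fixed = Set-DsHeuristicsCharacter -DsHeuristics $current -Position 7 -Value '0'
    Set-ADObject -Identity $ds -Replace @{ dsHeuristics = $fixed } -WhatIf:$WhatIf
    "dsHeuristics '$current' -> '$fixed'"
}

# Offline demonstration on constructed values (not read from any directory):
Test-AnonymousLdapOpsEnabled ''                 # constructed: attribute absent
Test-AnonymousLdapOpsEnabled '0000002'          # constructed: 7th character is 2
Set-DsHeuristicsCharacter -DsHeuristics '00000020010000000002' -Position 7 -Value '0'

# Live check and remediation (preview first, then drop -WhatIf):
# Test-AnonymousLdapOpsEnabled ([string](Get-DirectoryServiceObject).dsHeuristics)
# Disable-AnonymousLdapOps -WhatIf
```

Rewriting the whole attribute to a bare "0000000" would silently reset any other dsHeuristics settings the forest relies on, which is why the helper edits a single position and preserves the rest.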
Vulnerability template: Active Directory user and group synchronization status

Name: Active Directory Tier Zero object synchronized to Entra ID

Default scope: Tier Zero users and groups

NOTE: If no Entra ID collection is available, an Inconclusive message is returned.

Vulnerability risk: Tier Zero users or groups that are synchronized to Entra ID have corresponding cloud objects. If password writeback is enabled, a password reset performed in Entra ID is written back to the on-premises account, which places Tier Zero objects under the influence of Entra ID identities and roles. However well Entra ID itself is hardened, synchronizing Tier Zero accounts makes it harder to determine which identities can control Tier Zero objects in the domain.

Remediation: If applicable to your organization, consider excluding Tier Zero accounts from synchronization to Entra ID, for example through organizational unit or attribute-based filtering in Microsoft Entra Connect.

What to find: Active Directory users and groups in scope that are synchronized to Entra ID.
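One way to collect the "what to find" above, as an added PowerShell example that is not part of the original page: on-premises Tier Zero principals are joined to synced Entra ID objects on the SID. The join runs offline on constructed sample data; the live collectors need the ActiveDirectory module plus Microsoft.Graph.Users and Microsoft.Graph.Groups after Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All'. The Tier Zero set used here (Administrators, Domain Admins, Schema Admins, Enterprise Admins and their recursive members) is an assumed starting point, not the product's full Tier Zero definition.

```powershell
# Added example (not from the original page): find Tier Zero users and groups whose
# objects are synchronized to Entra ID by matching on-prem SIDs against the
# onPremisesSecurityIdentifier of synced Entra users and groups.
Import-Module ActiveDirectory

function Get-TierZeroPrincipals {
    # Assumed Tier Zero core, resolved by well-known SID/RID so renamed groups are found.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $groupSids = 'S-1-5-32-544', "$domainSid-512", "$domainSid-518", "$domainSid-519"
    # Schema Admins (518) and Enterprise Admins (519) exist only in the forest root domain.
    $groups = foreach ($sid in $groupSids) { try { Get-ADGroup -Identity $sid -ErrorAction Stop } catch { } }
    $members = foreach ($g in $groups) { Get-ADGroupMember -Identity $g -Recursive }
    @($groups) + @($members | Where-Object { $_.objectClass -in 'user', 'group' }) |
        Sort-Object -Property { $_.SID.Value } -Unique
}

function Get-EntraSyncedSidMap {
    # onPremisesSecurityIdentifier -> synced Entra user or group
    $map = @{}
    $synced = @(Get-MgUser  -Filter 'onPremisesSyncEnabled eq true' -All -Property Id, UserPrincipalName, OnPremisesSecurityIdentifier) +
              @(Get-MgGroup -Filter 'onPremisesSyncEnabled eq true' -All -Property Id, DisplayName, OnPremisesSecurityIdentifier)
    foreach ($o in $synced) {
        if ($o.OnPremisesSecurityIdentifier) { $map[$o.OnPremisesSecurityIdentifier] = $o }
    }
    return $map
}

function Find-SyncedTierZeroObjects {
    param([object[]]$TierZero, [hashtable]$SidMap)
    foreach ($p in $TierZero) {
        $cloud = $SidMap[$p.SID.Value]
        if ($cloud) {
            [pscustomobject]@{
                Name          = $p.Name
                ObjectClass   = $p.objectClass
                SID           = $p.SID.Value
                EntraObjectId = $cloud.Id
            }
        }
    }
}

# Constructed sample data (not from any real domain or tenant) to exercise the join offline.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sampleTierZero = @(
    [pscustomobject]@{ Name = 'Domain Admins'; objectClass = 'group'; SID = [System.Security.Principal.SecurityIdentifier]"$sid-512" }
    [pscustomobject]@{ Name = 'da-alice';      objectClass = 'user';  SID = [System.Security.Principal.SecurityIdentifier]"$sid-1105" }
    [pscustomobject]@{ Name = 'da-bob';        objectClass = 'user';  SID = [System.Security.Principal.SecurityIdentifier]"$sid-1106" }
)
$sampleSidMap = @{
    "$sid-1105" = [pscustomobject]@{ Id = '11111111-aaaa-bbbb-cccc-000000000001'; UserPrincipalName = 'da-alice@contoso.example' }
}
Find-SyncedTierZeroObjects -TierZero $sampleTierZero -SidMap $sampleSidMap | Format-Table -AutoSize

# Live run against the real forest and tenant:
# Find-SyncedTierZeroObjects -TierZero (Get-TierZeroPrincipals) -SidMap (Get-EntraSyncedSidMap) | Format-Table -AutoSize
```

Matching on the SID rather than on UPN or display name avoids false negatives when names differ between the directories, and the onPremisesSyncEnabled filter limits the Graph query to objects that Entra Connect actually created.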