The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Initial Access.

Vulnerability Template: Built-in Guest account status

Name: Built-in Guest account is enabled

Default scope: N/A

Vulnerability Risk: The built-in Guest account enables access to Active Directory without requiring a password and should be disabled.

Remediation: To resolve this vulnerability, disable the built-in Guest account (if it has been renamed, the account whose SID is S-1-5-domain-501).

What to find: Built-in Guest accounts that are enabled

Vulnerability Template: Anonymous access to Active Directory status

Name: Anonymous access to Active Directory is enabled

Default scope: N/A

Vulnerability Risk: Anonymous access allows unauthenticated clients to perform reconnaissance against Active Directory by binding to it over RPC (including over the Name Service Provider Interface, NSPI) without authenticating. Anonymous access is controlled by the fLDAPBlockAnonOps bit in the dsHeuristics attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com.

Remediation: Set the 7th character (the fLDAPBlockAnonOps bit) of the dsHeuristics attribute to 0 to ensure that anonymous access is blocked. The dsHeuristics attribute is located on the Directory Service object in CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com.

What to find: The dsHeuristics attribute on the Directory Service object indicates that anonymous access to Active Directory is enabled
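The two checks in the table can be reproduced from a domain-joined workstation. The following PowerShell is an added example, not part of the original documentation or its vendor's discovery logic; it assumes the RSAT ActiveDirectory module is installed, locates the Guest account by its RID (501) so a renamed account is still found, and treats a 7th dsHeuristics character of 2 as anonymous access enabled (any other value, or an absent attribute, blocks it).

```powershell
# Added example: audit the two findings described above (Guest account enabled,
# anonymous LDAP operations permitted). Read-only; remediation cmdlets are noted in comments.
Import-Module ActiveDirectory

function Test-GuestAccountEnabled {
    # Resolve the domain SID and append the well-known Guest RID (501), so the check
    # does not depend on the account still being named "Guest".
    $domainSid = (Get-ADDomain).DomainSID.Value
    $guest = Get-ADUser -Identity "$domainSid-501" -Properties Enabled

    [pscustomobject]@{
        Check   = 'Built-in Guest account is enabled'
        Account = $guest.SamAccountName
        Finding = [bool]$guest.Enabled
        # Remediation: Disable-ADAccount -Identity "$domainSid-501"
    }
}

function Test-AnonymousLdapEnabled {
    # dsHeuristics lives on the Directory Service object under the Configuration NC;
    # read the NC from RootDSE instead of hard-coding DC=domain,DC=com.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObj = Get-ADObject -Identity $dsDn -Properties dsHeuristics
    $value = [string]$dsObj.dsHeuristics

    # The 7th character is fLDAPBlockAnonOps. A value of 2 permits anonymous
    # operations; 0, any other digit, or a string too short to reach position 7 blocks them.
    $seventh = if ($value.Length -ge 7) { $value[6] } else { '0' }

    [pscustomobject]@{
        Check        = 'Anonymous access to Active Directory is enabled'
        Object       = $dsDn
        dsHeuristics = $value
        Finding      = ($seventh -eq '2')
        # Remediation: set character 7 to 0 with Set-ADObject -Identity $dsDn -Replace @{dsHeuristics=<updated string>}
    }
}

Test-GuestAccountEnabled
Test-AnonymousLdapEnabled
```

A `Finding` of `True` in either object corresponds to the "What to find" condition for that template; when editing dsHeuristics, change only the 7th character and keep the other positions as they were, since the attribute is a single string shared by several forest-wide settings.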