The following table contains an alphabetical list of all indicators that originate from Security Guardian Assessments,
| Indicator | Indicator Type | Severity |
|---|---|---|
| Abnormally large number of Tier Zero user accounts in the domain | Hygiene | High |
| Accounts that allow Kerberos protocol transition delegation | Hygiene | High |
| Active Directory Operator groups that are not protected by AdminSDHolder | Hygiene | Critical |
| Anonymous access to Active Directory is enabled | Hygiene | High |
| Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Hygiene | Critical |
| Built-in Administrator account that has been used | Hygiene | Critical |
| Built-in Guest account is enabled | Hygiene | Critical |
| Computer accounts with non-default Primary Group IDs | Hygiene | Critical |
| Computer accounts with reversible password | Hygiene | High |
| Computer accounts with unconstrained delegation | Hygiene | High |
| Computer accounts without readable Primary Group ID | Hygiene | Critical |
| Default Active Directory groups which should not be in use contain members | Hygiene | Critical |
| DNS zone configuration allows anonymous record updates | Hygiene | High |
| Domain Admins can log into computers with non-Tier Zero Group Policy | Hygiene | Critical |
| Domain Controller is running SMBv1 protocol | Hygiene | High |
| Domain trust configured insecurely | Hygiene | High |
| Domain with obsolete domain functional level | Hygiene | Medium |
| Domain trust without Kerberos AES encryption enabled | Hygiene | High |
| Enabled Tier Zero user accounts that are inactive | Hygiene | High |
| Foreign Security Principals are members of a Tier Zero group | Hygiene | High |
| Group Policy allows reversible passwords | Hygiene | High |
| Groups with SID from local domain in their SID History | Hygiene | Critical |
| Groups with well-known SIDs in their SID History | Hygiene | Critical |
| Inheritance is enabled on the AdminSDHolder container | Hygiene | Critical |
| Kerberos KRBTGT account password has not changed recently | Hygiene | Medium |
| KRBTGT accounts with Resource-Based Constrained Delegation | Hygiene | Critical |
| Managed and Group Managed Service accounts that have not cycled their password recently | Hygiene | Critical |
| Non-Tier Zero accounts are able to log onto Tier Zero computers | Hygiene | Critical |
| Non-Tier Zero accounts are members of DnsAdmins group | Hygiene | Critical |
| Non-Tier Zero accounts can access the gMSA root key | Hygiene | Critical |
| Non-Tier Zero accounts can link GPOs to the domain | Hygiene | Critical |
| Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site | Hygiene | Critical |
| Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU | Hygiene | Critical |
| Non-Tier Zero accounts can perform a DCSync attack *Name to change | Hygiene | Critical |
| Non-Tier Zero account can use a misconfigured certificate template to impersonate any user | Hygiene | Medium |
| Non-Tier Zero accounts have access to write properties on certificate templates | Hygiene | Critical |
| Non-Tier Zero accounts that can promote a computer to a domain controller | Hygiene | Critical |
| Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access | Hygiene | High |
| Non-Tier Zero accounts with Migrate SID history permission delegation | Hygiene | Critical |
| Non-Tier Zero accounts with Reanimate tombstones permission delegation | Hygiene | Critical |
| Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High |
| Non-Tier Zero user accounts configured for Password Never Expires | Hygiene | High |
| Non-Tier Zero user accounts with Service Principal Names | Hygiene | Critical |
| Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Hygiene | Critical |
| Non-Tier Zero users can create computer accounts | Hygiene | High |
| Non-Tier Zero users with access to gMSA password | Hygiene | Critical |
| Ordinary user accounts with hidden privileges (SDProp) | Hygiene | Critical |
| Printer Spooler service is enabled on a domain controller | Hygiene | Medium |
| Suspicious ESX Admins group detected in domain | Hygiene | High |
| Tier Zero account can be delegated | Hygiene | High |
| Tier Zero account token can be stolen from a read-only domain controller | Hygiene | High |
| Tier Zero computer accounts that have not cycled their password recently | Hygiene | High |
| Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High |
| Tier Zero computer is owned by a non-Tier Zero account | Hygiene | Critical |
| Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account | Hygiene | High |
| Tier Zero computers that have not recently authenticated to the domain | Hygiene | High |
| Tier Zero Group Policy allows Recovery Mode to be not password-protected | Hygiene | Critical |
| Tier Zero groups that have computer accounts as members | Hygiene | High |
| Suspicious ESX Admins group found in domain | Hygiene | High |
| Tier Zero groups with SID History populated | Hygiene | Critical |
| Tier Zero user account is disabled | Hygiene | Medium |
| Tier Zero user accounts configured for Password Never Expires | Hygiene | High |
| Tier Zero user accounts whose passwords have not changed recently | Hygiene | High |
| Tier Zero user accounts with Service Principal Names | Hygiene | Critical |
| Tier Zero user accounts with SID History populated | Hygiene | Critical |
| Tier Zero users owned by non-Tier Zero accounts | Hygiene | Critical |
| Protected group credentials exposed on read-only domain controllers | Hygiene | High |
| Protected Users group is not being used | Hygiene | High |
| Schema Admins group contains members | Hygiene | Critical |
| User accounts do not require a password | Hygiene | High |
| User accounts have a reversible password | Hygiene | High |
| User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Hygiene | Critical |
| User accounts using DES encryption to log in | Hygiene | High |
| User accounts with Kerberos pre-authentication disabled | Hygiene | High |
| User accounts with non-default Primary Group IDs | Hygiene | Critical |
| User accounts with SID from local domain in their SID History | Hygiene | Critical |
| User accounts with unconstrained delegation | Hygiene | High |
| User accounts with well-known SIDs in their SID History | Hygiene | Critical |
| User accounts without readable Primary Group ID | Hygiene | Critical |