The following table contains an alphabetical list of all indicators that originate from Security Guardian Assessments.

Indicator Type Severity
Abnormally large number of Tier Zero user accounts in the domain Hygiene High
Accounts that allow Kerberos protocol transition delegation Hygiene High
Active Directory Tier Zero object synchronized to Entra ID Hygiene Medium
Active Directory Operator groups that are not protected by AdminSDHolder Hygiene Critical
Administrators are not enabled for self service password recovery Hygiene Medium
All domain users can create computer accounts Hygiene High
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group Hygiene Critical
Anonymous access to Active Directory is enabled Hygiene High
Built-in Guest account is enabled Hygiene Critical
Built-in Administrator account that has been used Hygiene Critical
Computer accounts with non-default Primary Group IDs Hygiene Critical
Computer accounts with reversible password Hygiene High
Computer accounts with unconstrained delegation Hygiene High
Computer accounts without readable Primary Group ID Hygiene Critical
Default Active Directory groups which should not be in use contain members Hygiene Critical
DnsAdmins group contains members Hygiene Critical
DNS zone configuration allows anonymous record updates Hygiene High
Domain Admins can log into computers with non-Tier Zero group policy Hygiene Critical
Domain trust configured insecurely Hygiene High
Domain trust without Kerberos AES encryption enabled Hygiene High
Domain with obsolete domain functional level Hygiene Medium
Domain Controller is running SMBv1 protocol Hygiene High
Enabled Tier Zero user accounts that are inactive Hygiene High
Entra ID cloud applications that are not included in a conditional access policy Hygiene Medium
Entra ID Conditional Access policies do not block legacy authentication for all users Hygiene High
Entra ID Conditional Access policies do not protect all non-privileged users with multi-factor authentication (MFA) Hygiene High
Entra ID Conditional Access policies do not protect all privileged users with multi-factor authentication (MFA) Hygiene High
Entra ID Conditional Access policies do not protect all users from high user risk Hygiene High
Entra ID Conditional Access policies do not protect all users from risky sign-ins Hygiene High
Entra ID Conditional Access policies do not protect all users with strictly enforce location for Continuous Access Evaluation Hygiene High
Entra ID Conditional Access policies do not require token protection for sign-in sessions for users Hygiene Medium
Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users Hygiene Critical
Entra ID guest user accounts that are inactive Hygiene Medium
Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users Hygiene Medium
Entra ID Privileged accounts that are not secured by multi-factor authentication (MFA) Hygiene High
Entra ID privileged role members whose passwords have not changed recently Hygiene Medium
Entra ID users are allowed to consent for all applications Hygiene Medium
Foreign Security Principals are members of a Tier Zero group Hygiene High
Group Policy allows reversible passwords Hygiene High
Group Policy does not enforce built-in Administrator account lockout on all computers Hygiene Medium
Groups with SID from local domain in their SID History Hygiene Critical
Groups with well-known SIDs in their SID History Hygiene Critical
Guest accounts assigned to the Global Administrator role Hygiene High
Inheritance is enabled on the AdminSDHolder container Hygiene Critical
Kerberos KRBTGT account password that has not changed recently Hygiene Medium
KRBTGT accounts with Resource-Based Constrained Delegation Hygiene Critical
Managed and Group Managed Service accounts that have not cycled their password recently Hygiene Critical
More than recommended number of Global Administrators in the organization Hygiene Medium
More than recommended number of privileged role assignments Hygiene Medium
Non-default configuration of the Microsoft Local Administrator Password Hygiene High
Non-privileged accounts are able to log onto privileged computers Hygiene Critical
Non-Tier Zero accounts are able to log onto Tier Zero computers Hygiene Critical
Non-Tier Zero accounts can link GPOs to the domain Hygiene Critical
Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site Hygiene Critical
Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU Hygiene Critical
Non-Tier Zero accounts can steal password hashes (DCSync) Hygiene Critical
Non-Tier Zero accounts have access to write properties on certificate templates Hygiene Critical
Non-Tier Zero accounts that can promote a computer to a domain controller Hygiene Critical
Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation Hygiene High
Non-Tier Zero user accounts configured for Password Never Expires Hygiene High
Non-Tier Zero user accounts with Service Principal Names Hygiene Critical
Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account Hygiene Critical
Non-Tier Zero users with access to gMSA password Hygiene Critical
Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2) Hygiene High
Non-Tier Zero accounts can access the gMSA root key Hygiene Critical
Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access Hygiene High
Non-Tier Zero accounts with Reanimate tombstones permission delegation Hygiene Critical
Non-Tier Zero account can use a misconfigured certificate template to impersonate any user Hygiene High
Non Tier-Zero accounts with Unexpire password permission delegation Hygiene Critical
Non Tier-Zero accounts with Migrate SID history permission delegation Hygiene Critical
Ordinary user accounts with hidden privileges (SDProp) Hygiene Critical
Password hash synchronization with on-premises Active Directory is delayed Hygiene Medium
Password hash synchronization with on-premises Active Directory is not enabled Hygiene Medium
Printer Spooler service is enabled on a domain controller Hygiene Medium
Protected group credentials exposed on read-only domain controllers Hygiene High
Protected Users group is not being used Hygiene High
Schema Admins group contains members Hygiene Critical
Security defaults are enabled Hygiene Medium
Suspicious ESX Admins group detected in domain Hygiene High
Synchronization with on-premises Active Directory is delayed Hygiene Medium
Synchronized Active Directory user is assigned an Entra ID privileged role Hygiene Medium
Tier Zero account token can be stolen from a read-only domain controller Hygiene High
Tier Zero computer accounts that have not cycled their password recently Hygiene High
Tier Zero computer can be compromised through Resource-Based Constrained Delegation Hygiene High
Tier Zero computer is owned by a non-Tier Zero account Hygiene Critical
Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account Hygiene High
Tier Zero computers that have not recently authenticated to the domain Hygiene High
Tier Zero Group Policy allows Authenticated Users to add computers to the domain Hygiene Medium
Tier Zero Group Policy allows Recovery Mode to be not password-protected Hygiene Critical
Tier Zero groups that have computer accounts as members Hygiene High
Tier Zero groups with SID History populated Hygiene Critical
Tier Zero user account is disabled Hygiene Medium
Tier Zero user accounts configured for Password Never Expires Hygiene High
Tier Zero user accounts whose passwords have not changed recently Hygiene High
Tier Zero user accounts with Service Principal Names Hygiene Critical
Tier Zero user accounts with SID History populated Hygiene Critical
Tier Zero users owned by non-Tier Zero accounts Hygiene Critical
Tier Zero account can be delegated Hygiene High
User accounts do not require a password Hygiene High
User accounts have a reversible password Hygiene High
User accounts in protected groups that are not protected by AdminSDHolder (SDProp) Hygiene Critical
User accounts using DES encryption to log in Hygiene High
User accounts with non-default Primary Group IDs Hygiene Critical
User accounts with Kerberos pre-authentication disabled Hygiene High
User accounts with SID from local domain in their SID History Hygiene Critical
User accounts with unconstrained delegation Hygiene High
User accounts with well-known SIDs in their SID History Hygiene Critical
User accounts without readable Primary Group ID Hygiene Critical