| Abnormally large number of Tier Zero user accounts in the domain | Hygiene | High |
| Accounts that allow Kerberos protocol transition delegation | Hygiene | High |
| Active Directory Operator groups that are not protected by AdminSDHolder | Hygiene | Critical |
| Anonymous access to Active Directory is enabled | Hygiene | High |
| Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Hygiene | Critical |
| Built-in Administrator account that has been used | Hygiene | Critical |
| Built-in Guest account is enabled | Hygiene | Critical |
| Computer accounts with non-default Primary Group IDs | Hygiene | Critical |
| Computer accounts with reversible password | Hygiene | High |
| Computer accounts with unconstrained delegation | Hygiene | High |
| Computer accounts without readable Primary Group ID | Hygiene | Critical |
| Default Active Directory groups which should not be in use contain members | Hygiene | Critical |
| DNS zone configuration allows anonymous record updates | Hygiene | High |
| Domain Admins can log into computers with non-Tier Zero Group Policy | Hygiene | Critical |
| Domain Controller is running SMBv1 protocol | Hygiene | High |
| Domain trust configured insecurely | Hygiene | High |
| Domain with obsolete domain functional level | Hygiene | Medium |
| Domain trust without Kerberos AES encryption enabled | Hygiene | High |
| Enabled Tier Zero user accounts that are inactive | Hygiene | High |
| Foreign Security Principals are members of a Tier Zero group | Hygiene | High |
| Group Policy allows reversible passwords | Hygiene | High |
| Groups with SID from local domain in their SID History | Hygiene | Critical |
| Groups with well-known SIDs in their SID History | Hygiene | Critical |
| Inheritance is enabled on the AdminSDHolder container | Hygiene | Critical |
| Kerberos KRBTGT account password has not changed recently | Hygiene | Medium |
| KRBTGT accounts with Resource-Based Constrained Delegation | Hygiene | Critical |
| Managed and Group Managed Service accounts that have not cycled their password recently | Hygiene | Critical |
| Non-Tier Zero accounts are able to log onto Tier Zero computers | Hygiene | Critical |
| Non-Tier Zero accounts are members of DnsAdmins group | Hygiene | Critical |
| Non-Tier Zero accounts can access the gMSA root key | Hygiene | Critical |
| Non-Tier Zero accounts can link GPOs to the domain | Hygiene | Critical |
| Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site | Hygiene | Critical |
| Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU | Hygiene | Critical |
| Non-Tier Zero accounts can perform a DCSync attack *Name to change | Hygiene | Critical |
| Non-Tier Zero account can use a misconfigured certificate template to impersonate any user | Hygiene | Medium |
| Non-Tier Zero accounts have access to write properties on certificate templates | Hygiene | Critical |
| Non-Tier Zero accounts that can promote a computer to a domain controller | Hygiene | Critical |
| Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access | Hygiene | High |
| Non-Tier Zero accounts with Migrate SID history permission delegation | Hygiene | Critical |
| Non-Tier Zero accounts with Reanimate tombstones permission delegation | Hygiene | Critical |
| Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High |
| Non-Tier Zero user accounts configured for Password Never Expires | Hygiene | High |
| Non-Tier Zero user accounts with Service Principal Names | Hygiene | Critical |
| Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Hygiene | Critical |
| Non-Tier Zero users can create computer accounts | Hygiene | High |
| Non-Tier Zero users with access to gMSA password | Hygiene | Critical |
| Ordinary user accounts with hidden privileges (SDProp) | Hygiene | Critical |
| Printer Spooler service is enabled on a domain controller | Hygiene | Medium |
| Suspicious ESX Admins group detected in domain | Hygiene | High |
| Tier Zero account can be delegated | Hygiene | High |
| Tier Zero account token can be stolen from a read-only domain controller | Hygiene | High |
| Tier Zero computer accounts that have not cycled their password recently | Hygiene | High |
| Tier Zero computer can be compromised through Resource-Based Constrained Delegation | Hygiene | High |
| Tier Zero computer is owned by a non-Tier Zero account | Hygiene | Critical |
| Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account | Hygiene | High |
| Tier Zero computers that have not recently authenticated to the domain | Hygiene | High |
| Tier Zero Group Policy allows Recovery Mode to be not password-protected | Hygiene | Critical |
| Tier Zero groups that have computer accounts as members | Hygiene | High |
| Suspicious ESX Admins group found in domain | Hygiene | High |
| Tier Zero groups with SID History populated | Hygiene | Critical |
| Tier Zero user account is disabled | Hygiene | Medium |
| Tier Zero user accounts configured for Password Never Expires | Hygiene | High |
| Tier Zero user accounts whose passwords have not changed recently | Hygiene | High |
| Tier Zero user accounts with Service Principal Names | Hygiene | Critical |
| Tier Zero user accounts with SID History populated | Hygiene | Critical |
| Tier Zero users owned by non-Tier Zero accounts | Hygiene | Critical |
| Protected group credentials exposed on read-only domain controllers | Hygiene | High |
| Protected Users group is not being used | Hygiene | High |
| Schema Admins group contains members | Hygiene | Critical |
| User accounts do not require a password | Hygiene | High |
| User accounts have a reversible password | Hygiene | High |
| User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Hygiene | Critical |
| User accounts using DES encryption to log in | Hygiene | High |
| User accounts with Kerberos pre-authentication disabled | Hygiene | High |
| User accounts with non-default Primary Group IDs | Hygiene | Critical |
| User accounts with SID from local domain in their SID History | Hygiene | Critical |
| User accounts with unconstrained delegation | Hygiene | High |
| User accounts with well-known SIDs in their SID History | Hygiene | Critical |
| User accounts without readable Primary Group ID | Hygiene | Critical |