The following table describes the vulnerabilities identified in the pre-defined Active Directory Discovery for Initial Access.
Vulnerability Template | Vulnerability | Risk | What to find |
---|---|---|---|
Built-in Guest account status |
Name: Built-in Guest account is enabled Default scope: N/A |
The built-in Guest account enables access to Active Directory without requiring a password and should be disabled. Remediation: To resolve vulnerability, disable the built-in Guest account (if it has been renamed, the account whose SID is S-1-5-domain-501). |
Built-in Guest accounts that are enabled |
Anonymous access to Active Directory status |
Name: Anonymous access to Active Directory is enabled Default scope: N/A |
Anonymous access allows accounts to perform reconnaissance against Active Directory by binding to Active Directory over RPC (including over Name Service Provider Interface (NSPI)) without authenticating. Anonymous access to Active Directory is enabled using the Remediation: Set the 7th character (fLDAPBlockAnonOps bit) of the dsHeuristics attribute to 0 to ensure that anonymous access is blocked. The dsHeuristics attribute is located on the Directory Service object in CN=WindowNT,CN=Services,CN=Configuration,
|
The dsHeuristics attribute on the Directory Service object indicates Anonymous access to Active Directory is enabled |