AD_SecurityAssessment Explained

Question

Where does the AD_SecurityAssessment report get the data for its categories and results, so that the information can be used to investigate and mitigate vulnerabilities?

Answer

| Category | Check | Tables/Views | Job |
|---|---|---|---|
| AD Objects | Objects created (Past 7 Days) | SA_ADInventory_PrincipalsView | .Active Directory Inventory\1-AD_Scan |
| AD Objects | Principals with non-default Primary Group IDs | SA_ADInventory_Users, SA_ADInventory_Computers | .Active Directory Inventory\1-AD_Scan |
| AD Objects | Guest account enabled | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| AD Objects | Unprivileged users who can add computer accounts | SA_ADPerms_PermissionsExtView | Active Directory Permissions Analyzer\0. Collection |
| AD Objects | Computers with SERVER_TRUST_ACCOUNT enabled | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| AD Objects | User accounts with SPN configured | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| AD Permissions | Stale users with group membership permissions | SA_AD_GroupMembershipPermissions_Details | Active Directory Permissions Analyzer\2. Groups\AD_GroupPermissions |
| AD Permissions | Domain users with direct permissions | SA_AD_GroupPermissions_Details, SA_AD_UserPermissions_Details, SA_AD_ComputerPermissions_Details, SA_AD_ContainerPermissions_Details, SA_AD_OUPermissions_Details | Active Directory Permissions Analyzer\2. Groups\AD_GroupPermissions; Active Directory Permissions Analyzer\1. Users\AD_UserPermissions; Active Directory Permissions Analyzer\4. Computers\AD_ComputerPermissions; Active Directory Permissions Analyzer\7. Containers\AD_ContainerPermissions; Active Directory Permissions Analyzer\3. OUs\AD_OUPermissions |
| AD Permissions | Users with Replication Permissions | SA_AD_DomainReplication_UserSummary | Active Directory Permissions Analyzer\8. Domains\AD_DomainReplication |
| AD Permissions | Non-Default AdminSDHolder | SA_AD_AdminSDHolder_UserSummary | Active Directory Permissions Analyzer\7. Containers\AD_AdminSDHolder |
| AD Permissions | Users that can reset passwords | SA_AD_ResetPasswordPermissions_Details | Active Directory Permissions Analyzer\1. Users\AD_ResetPasswordPermissions |
| Administrator Accounts | Unprivileged users with adminCount=1 | SA_ADInventory_ExtendedAttributes | .Active Directory Inventory\1-AD_Scan |
| Administrator Accounts | Admin accounts with SPN configured | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| Administrator Accounts | Admin accounts with unprivileged owners | SA_ADPerms_Objects | Active Directory Permissions Analyzer\0. Collection |
| Administrator Accounts | Admin accounts without adminCount=1 | SA_ADInventory_ExtendedAttributes | .Active Directory Inventory\1-AD_Scan |
| Administrator Accounts | Stale admin accounts that are enabled | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Administrator Accounts | # of privileged accounts | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Administrator Accounts | Disabled admin accounts | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Administrator Accounts | Admin accounts not in protected users group | SA_ADInventory_EffectiveGroupMembersView | .Active Directory Inventory\1-AD_Scan |
| Administrator Accounts | Recently created admins | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Administrator Accounts | Recent logon by BUILTIN\Administrator | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| Delegation | Resource-Based Constrained Delegation on a computer | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Delegation | Domain controllers with Resource-Based Constrained Delegation | SA_AD_ComputerDelegation_Details | Active Directory\3. Computers\AD_ComputerDelegation |
| Delegation | Non Domain Controllers trusted for delegation | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Delegation | Non Domain Controllers with Unconstrained Delegation | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Delegation | Service Accounts trusted for delegation | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Delegation | Users with Unconstrained Delegation | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| Delegation | Write access to Resource-Based Constrained Delegation on Domain Controller | SA_ADPerms_PermissionsExtView | Active Directory Permissions Analyzer\0. Collection |
| Delegation | Objects with Constrained Delegation | SA_ADInventory_ExtendedAttributes | .Active Directory Inventory\1-AD_Scan |
| Group Policy | Delegated access to GPO linked on Domain Controller OU | SA_ADPerms_PermissionsView | Active Directory Permissions Analyzer\0. Collection |
| Group Policy | Delegated access to GPO linked on domain | SA_ADPerms_PermissionsView | Active Directory Permissions Analyzer\0. Collection |
| Group Policy | Delegated access to GPO linked on AD site | SA_ADPerms_PermissionsView | Active Directory Permissions Analyzer\0. Collection |
| Infrastructure Security | Domain Controllers with old passwords | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Infrastructure Security | Print spooler service enabled on Domain Controller | SA_SG_ServiceAccounts_ServiceAccounts | Windows\Priviledged Accounts\Service Accounts\SG_ServiceAccounts |
| Infrastructure Security | Domain Controllers that have not logged on in 60 days | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Infrastructure Security | Users with rights to exploit DCShadow | SA_AD_DCShadowPermissions_Details | Active Directory Permissions Analyzer\9. Sites\AD_DCShadowPermissions |
| Infrastructure Security | Domains with functional level < 2012 R2 | SA_AD_DomainInfo_Domains | Active Directory\5. Domains\AD_DomainInfo |
| Infrastructure Security | Anonymous bind to AD enabled | SA_AD_DomainInfo_dSHeuristics_Details | Active Directory\5. Domains\AD_DomainInfo |
| Infrastructure Security | Anonymous NSPI access enabled | SA_AD_DomainInfo_dSHeuristics_Details | Active Directory\5. Domains\AD_DomainInfo |
| Infrastructure Security | DC computer accounts with unprivileged owner | SA_ADPerms_Objects | Active Directory Permissions Analyzer\0. Collection |
| Krbtgt Security | Kerberos krbtgt account with old password | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| Krbtgt Security | Krbtgt account with Resource-Based Constrained Delegation | SA_ADPerms_PermissionsExtView | Active Directory Permissions Analyzer\0. Collection |
| Krbtgt Security | Write access to Resource-Based Constrained Delegation on krbtgt account | SA_ADPerms_PermissionsExtView | Active Directory Permissions Analyzer\0. Collection |
| Password Security | Highest Password Reuse | SA_AD_WeakPasswords_Count | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Reversible passwords found in GPOs | SA_AD_CPassword_Sysvol | Active Directory\4. Group Policy\AD_CPassword |
| Password Security | Passwords older than a year | SA_AD_PasswordStatus_Details | Active Directory\2. Users\AD_PasswordStatus |
| Password Security | Password never expires | SA_AD_PasswordStatus_Details, SA_AD_SensitiveSecurityGroups_Summary | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Password Security | Password not required | SA_AD_PasswordStatus_Details | Active Directory\2. Users\AD_PasswordStatus |
| Password Security | Password expired | SA_AD_PasswordStatus_Details | Active Directory\2. Users\AD_PasswordStatus |
| Password Security | AES Key Missing | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Clear Text Password | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Default Computer Password | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Delegable Admins | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | DES Encryption Only | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Empty Password | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | LM Hash | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Password Never Expires | SA_AD_WeakPasswords_Results, SA_AD_SensitiveSecurityGroups_Summary | Active Directory\2. Users\AD_WeakPasswords; Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Password Security | Password Not required | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Shares Common Password | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Weak Historical Password | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Weak Password | SA_AD_WeakPasswords_Results | Active Directory\2. Users\AD_WeakPasswords |
| Password Security | Passwords stored with reversible encryption | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| Password Security | Users with LAPS read permissions | SA_AD_LAPSPermissions_Results | Active Directory Permission Analyzer\4. Computers\AD_LAPSPermissions |
| Password Security | gMSA not in use | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Password Security | gMSA with old passwords | SA_ADPerms_Objects | Active Directory Permissions Analyzer\0. Collection |
| Sensitive Security | # of accounts in Pre-Windows 2000 Compatible Access Group | SA_ADInventory_GroupMembersView | .Active Directory Inventory\1-AD_Scan |
| Sensitive Security Groups | Non standard membership | SA_ADInventory_GroupsView | .Active Directory Inventory\1-AD_Scan |
| Sensitive Security Groups | Computer accounts | SA_AD_SensitiveSecurityGroups_Membership | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Old password (over 180 days) | SA_AD_SensitiveSecurityGroups_UserList | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Non-admins in DNS admins group | SA_AD_SensitiveSecurityGroups_Membership | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Groups not protected by SDProp | SA_AD_DomainInfo_dSHeuristics_Details | Active Directory\5. Domains\AD_DomainInfo |
| Sensitive Security Groups | Highest user count | SA_AD_SensitiveSecurityGroups_Summary | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Oldest password | SA_AD_SensitiveSecurityGroups_Summary | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Password not required | SA_AD_SensitiveSecurityGroups_Summary | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Password never expires | SA_AD_SensitiveSecurityGroups_Summary | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| Sensitive Security Groups | Disabled members | SA_AD_SensitiveSecurityGroups_Summary | Active Directory\1. Groups\AD_SensitiveSecurityGroups |
| SID History | Historical admin SIDs on non admins | SA_AD_SIDHistory_Summary | Active Directory\2. Users\AD_SIDHistory |
| SID History | Historical SID from same domain | SA_AD_SIDHistory_Summary | Active Directory\2. Users\AD_SIDHistory |
| Stale Objects | Stale users count | SA_ADInventory_UsersView | .Active Directory Inventory\1-AD_Scan |
| Stale Objects | Computers with unsupported Microsoft OS | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Stale Objects | Computers with old password last set date | SA_ADInventory_ComputersView | .Active Directory Inventory\1-AD_Scan |
| Trusts | Foreign Security Principals in admin groups | SA_ADInventory_DistinguishedNames | .Active Directory Inventory\1-AD_Scan |
| Trusts | Insecure trust configuration | SA_AD_DomainInfo_TrustDetails | Active Directory\5. Domains\AD_DomainInfo |
| Trusts | Outbound trust with SID History enabled | SA_AD_DomainInfo_Filtering | Active Directory\5. Domains\AD_DomainInfo |