Active Directory Security Report PowerShell

Hello,

Active Directory is one of the most critical systems in your infrastructure. We saw previously how to get some basic information about how you’re using it, along with some statistics about the users, computers and groups.

Today, we’ll add some security indicators to this report:

  • Users that don’t require password
  • Users that don’t require preauth
  • Presence of dynamic object
  • Presence of DsrmAdminLogonBehavior registry key
  • Attribute not audited
  • Trusts without SID Filtering enabled
  • AdminSDHolder Metadata
  • Domain Metadata

This is not an extensive list, just a few points you can easily keep an eye on.

Users that don’t require password

This UserAccountControl flag allows users to bypass the domain password policy. This can lead to weak passwords, or no password at all.

Users that don’t require preauth

This can also lead to a security risk, as explained here.

Presence of dynamic object

The presence of dynamic objects can be a sign of malicious activity if you don’t use them for Privileged Access Management. Indeed, this type of object is really discreet in the logs and is used by attackers to grant temporary administrative permissions very quietly.

Presence of DsrmAdminLogonBehavior registry key

This registry key controls the logon behavior of the Directory Services Restore Mode (DSRM) account. Depending on the value, it can allow the DSRM account to log on to a running Domain Controller. Once logged on, a DSRM account is as powerful as a domain admin.

Attribute not audited

If some attributes aren’t audited, you won’t be able to track modifications made to them from the security logs; such changes will go completely unnoticed.

Trusts without SID Filtering enabled

If you have trusts without SID History filtering, a user from the trusted domain (with the appropriate permissions in their own domain) can inject a domain admin SID from your domain into their SidHistory attribute and take over your domain.

AdminSDHolder Metadata

The metadata of the AdminSDHolder container is a nice thing to monitor: it lets you spot any modification of this very sensitive object.

Domain Metadata

Like AdminSDHolder, the metadata on the domain naming context is quite a source of information. With it, you can track modifications at the domain level to group policy links, the ACL, the password policy, etc.
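One way to collect the indicators described above with the ActiveDirectory RSAT module. This is an added example, not the code from the report's GitHub repo. It assumes PowerShell remoting to the domain controllers for the registry check, and it reads "attribute not audited" as the never-audit bit of searchFlags.

```powershell
# Added example: needs the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$bitAnd = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule
$report = [ordered]@{}

# userAccountControl flags: PASSWD_NOTREQD (0x20) and DONT_REQ_PREAUTH (0x400000)
$uacFlags = [ordered]@{ PasswordNotRequired = 0x20; PreAuthNotRequired = 0x400000 }
foreach ($name in $uacFlags.Keys) {
    $report[$name] = Get-ADUser -LDAPFilter "(userAccountControl:${bitAnd}:=$($uacFlags[$name]))" |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

# Dynamic objects in the domain naming context (entryTTL = seconds left before deletion)
$report['DynamicObjects'] = Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' -Properties whenCreated, entryTTL |
    Select-Object DistinguishedName, ObjectClass, whenCreated, entryTTL

# DsrmAdminLogonBehavior on every DC: absent or 0 is the default, 1 and 2 widen DSRM logon
# Assumption: PowerShell remoting to the domain controllers is allowed from this host
$report['DsrmAdminLogonBehavior'] = foreach ($dc in Get-ADDomainController -Filter *) {
    $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    }
    [pscustomobject]@{ DomainController = $dc.HostName; Value = $value }
}

# Assumption: "not audited" means schema attributes with the never-audit searchFlags bit (0x100)
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$report['AttributesNotAudited'] = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(searchFlags:${bitAnd}:=256)" |
    Select-Object Name

# External trusts without the SID filtering quarantine flag
$report['TrustsWithoutSidFiltering'] = Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined } |
    Select-Object Name, Direction, SIDFilteringQuarantined

# Replication metadata of AdminSDHolder and of the domain naming context head
$targets = [ordered]@{
    AdminSDHolderMetadata = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    DomainMetadata        = $domain.DistinguishedName
}
foreach ($name in $targets.Keys) {
    $report[$name] = Get-ADReplicationAttributeMetadata -Object $targets[$name] -Server $domain.PDCEmulator |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object AttributeName, Version, LastOriginatingChangeTime
}

$report   # one entry per indicator
```

Saving the metadata entries from each run and comparing `Version` and `LastOriginatingChangeTime` against the previous run shows which attributes (for example `nTSecurityDescriptor` or `gPLink`) changed in between.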

Conclusion

These are only a few of the easily identifiable Active Directory security risks. If you are aware of some more, let me know in the comments and I’ll be happy to add them to the report. If you know how to check them, you can send a pull request on the GitHub repo 🙂

2 thoughts on “Active Directory Security Report PowerShell”

  1. Hello there, I found your Basic AD Report quite intriguing, nice work with that! Now I’m wondering if you ever implemented the above mentioned reports into the basic script? I don’t seem to be able to find it in the repository.