This section focuses on the core security indicators.
Locate the sub-process that determines the score and fix some rules in that area to improve the score.
Domain Risk Level: 55 / 100
It is the maximum score of the 4 indicators, and no score can be higher than 100. The lower, the better.
Stale Objects: 34 / 100
It is about operations related to user or computer objects
9 rules matched
Trusts: 0 / 100
It is about connections between two Active Directories
0 rules matched
Privileged Accounts: 20 / 100
It is about administrators of the Active Directory
2 rules matched
Anomalies: 55 / 100
It is about specific security control points
9 rules matched
| Stale Objects | Privileged accounts | Trusts | Anomalies |
|---|---|---|---|
| Inactive user or computer | Account take over | Old trust protocol | Audit |
| Network topography | ACL Check | SID Filtering | Backup |
| Object configuration | Admin control | SIDHistory | Certificate take over |
| Obsolete OS | Control paths | Trust impermeability | Golden ticket |
| Old authentication protocols | Delegation Check | Trust inactive | Local group vulnerability |
| Provisioning | Irreversible change | Trust with Azure | Network sniffing |
| Replication | Privilege control | | Pass-the-credential |
| Vulnerability management | Read-Only Domain Controllers | | Password retrieval |
| | Reconnaissance | | |
| | Temporary admins | | |
| | Weak password | | |
This section represents the maturity score (inspired by ANSSI).
Maturity Level:
Maturity levels:
- Level 1: 2 rule(s) matched
- Level 2: 6 rule(s) matched
- Level 3: 6 rule(s) matched
- Level 4: 6 rule(s) matched
- Level 5: No rule matched
To reach Level 2 you need to fix the following rules:
P-AdminPwdTooOld
Description: The purpose is to ensure that all admins change their passwords at least every 3 years
Technical explanation: This rule ensures that administrator passwords are well managed.
Advised solution: We advise reading the ANSSI guidelines on this subject, which are quoted in the documentation section below.
Points: 10 points if present
Documentation: [FR] ANSSI - Privileged account passwords age too old (vuln1_password_change_priv)
[MITRE] Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
| Account | Creation | LastChanged |
|---|---|---|
| itsonicwall | 2019-08-01 23:45:55Z | 2019-08-01 16:45:55Z |
| ccramer | 2014-07-25 20:03:05Z | 2020-02-14 06:02:29Z |
| ejavaid | 2010-12-02 14:38:38Z | 2011-12-08 16:17:21Z |
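The P-AdminPwdTooOld check above can be reproduced offline on an export of the "Admin Groups" table. The following Python is an added example, not PingCastle's own code: it parses the report's timestamp format, flags every admin whose password is older than the 3-year limit at a chosen reference date, and scores the rule as "10 points if present". The rows are copied from the table above plus one constructed compliant account (`svc_recent`); the reference date of 2024-01-01 and the approximation of 3 years as 3 × 365 days are assumptions, not values from the report.

```python
from datetime import datetime, timedelta, timezone

# Maximum password age tolerated by the P-AdminPwdTooOld rule (3 years, approximated
# here as 3 * 365 days; the exact day count is an assumption, not PingCastle's).
MAX_ADMIN_PWD_AGE = timedelta(days=3 * 365)

# Constructed reference date used for the age computation.
REFERENCE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Rows copied from the report's "Admin Groups" detail table, plus one constructed
# account ("svc_recent") so that the check also has a compliant case to show.
ADMIN_ACCOUNTS = [
    {"Account": "itsonicwall", "Creation": "2019-08-01 23:45:55Z", "LastChanged": "2019-08-01 16:45:55Z"},
    {"Account": "ccramer", "Creation": "2014-07-25 20:03:05Z", "LastChanged": "2020-02-14 06:02:29Z"},
    {"Account": "ejavaid", "Creation": "2010-12-02 14:38:38Z", "LastChanged": "2011-12-08 16:17:21Z"},
    {"Account": "svc_recent", "Creation": "2023-05-01 08:00:00Z", "LastChanged": "2023-06-01 08:00:00Z"},  # constructed
]


def parse_report_timestamp(value):
    """Parse the report's 'YYYY-MM-DD HH:MM:SSZ' format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_admin_passwords(accounts, reference_time):
    """Return (account, age_in_days) for every account whose password is older than
    MAX_ADMIN_PWD_AGE at reference_time, oldest first.

    An account with no LastChanged value is reported as stale too (age None):
    the rule's point is that the password age must be provably bounded."""
    stale = []
    for row in accounts:
        last_changed = row.get("LastChanged")
        if not last_changed:
            stale.append((row["Account"], None))
            continue
        age = reference_time - parse_report_timestamp(last_changed)
        if age > MAX_ADMIN_PWD_AGE:
            stale.append((row["Account"], age.days))
    # Unknown ages sort first, then the largest ages.
    stale.sort(key=lambda item: -(item[1] if item[1] is not None else float("inf")))
    return stale


def rule_triggered(accounts, reference_time):
    """P-AdminPwdTooOld is scored '10 points if present': any stale account triggers it."""
    return 10 if stale_admin_passwords(accounts, reference_time) else 0


if __name__ == "__main__":
    for account, days in stale_admin_passwords(ADMIN_ACCOUNTS, REFERENCE_TIME):
        print(f"{account}: password age {days} days" if days is not None else f"{account}: last change unknown")
    print("rule points:", rule_triggered(ADMIN_ACCOUNTS, REFERENCE_TIME))
```

Run against a fresh export, only the `ADMIN_ACCOUNTS` rows and the reference date change; the three accounts listed in the report are all flagged at the constructed date, while the constructed `svc_recent` row is not.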
S-Inactive
Description: The purpose is to ensure that there are as few inactive accounts as possible within the domain. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization.
Technical explanation: Inactive accounts often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represent a possible security breach.
Advised solution: To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: `Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 180:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | ?{$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName`
Points: 10 points if the occurrence is greater than or equal to 25
Documentation: [MITRE] Mitre Att&ck - Mitigation - User Account Management
[FR] ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph 3.6.6.2]
[FR] ANSSI - Dormant accounts (vuln1_user_accounts_dormant)
The detail can be found in User information and Computer information
To reach Level 3 you need to fix the following rules:
S-OldNtlm
Description: The purpose is to check if NTLMv1 or LM can be used by the DC
Technical explanation: NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically abused when an attacker sniffs the network and tries to retrieve NTLM hashes, which can then be used to impersonate users.
This attack can be combined with coerced authentication attacks, where the attacker forces the DC to connect to a host under their control.
In this case, NTLMv1 can be requested so that the attacker retrieves the NTLM hash of the DC, impersonates it and then takes control of the domain.
This attack is still possible with NTLMv2, but it is more difficult.
Windows has default security settings regarding LM/NTLM: Windows XP: Send LM & NTLM responses; Windows Server 2003: Send NTLM response only; Vista/2008 and Win7/2008 R2: Send NTLMv2 response only.
However, Domain Controllers have relaxed default settings to accept connections from older operating systems.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC falls back to the insecure default.
After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level", which can be accessed in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The policy will be applied after a computer reboot.
Beware that you may break software which is not compatible with NTLMv2, such as very old Linux stacks or very old Windows versions before Windows Vista.
But please note that NTLMv2 can be activated on all Windows versions starting from Windows 95, and on other operating systems.
Points: 15 points if present
Documentation: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE] T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR] ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph 3.6.2.1]
The detail can be found in Security settings
| GPO | Value |
|---|---|
| Windows default without an active GPO | 3 |
A-DC-Spooler
Description: The purpose is to ensure that credentials cannot be extracted from the DC via its Print Spooler service
Technical explanation: When there is an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service is running on a computer, any user can get that computer's credentials sent to the system with unconstrained delegation. With a domain controller, the TGT of the DC can be extracted, allowing an attacker to reuse it with a DCSync attack, obtain all user hashes and impersonate them.
Advised solution: The Print Spooler service should be deactivated on domain controllers. Please note that, as a consequence, the Printer Pruning functionality (rarely used) will be unavailable.
Points: 10 points if present
Documentation: https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE] T1187 Forced Authentication
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01 |
S-OS-W10
Description: The purpose is to ensure that there is no use of unsupported versions of Windows 10 or Windows 11 within the domain
Technical explanation: Some versions of Windows 10 and Windows 11 are no longer supported, and may be vulnerable to exploits that are not patched anymore.
Advised solution: In order to solve this security issue, you should upgrade all Windows 10 or Windows 11 computers to a more recent version.
Use PingCastle.exe and select Export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a CSV file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command (the enabled-state filter must come before Format-Table, because Format-Table emits formatting objects rather than computer objects): `Get-ADComputer -Filter * -Property * | Where-Object {$_.Enabled -eq $true} | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto`
You can replace `-Filter *` with `-Filter {OperatingSystem -Like "Windows 1*"}`
Points: 15 points if the occurrence is greater than or equal to 15
then 10 points if the occurrence is greater than or equal to 6
then 5 points if present
Documentation: https://docs.microsoft.com/en-us/windows/release-health/release-information
[MITRE] Mitre Att&ck - Mitigation - Update Software
[FR] ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
| Version | Number | Active |
|---|---|---|
| Windows 10 1809 | 8 | 0 |
| Windows 10 20H2 | 11 | 0 |
| Windows 10 21H1 | 14 | 0 |
| Windows 10 21H2 | 15 | 0 |
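The graded "Points:" text of rules such as S-OS-W10 (15 points if the occurrence is at least 15, then 10 if at least 6, then 5 if present) and the header's statement that the Domain Risk Level is the maximum of the four indicators, each capped at 100, together describe a small scoring model. The Python below is an added example, not PingCastle's own scoring code: it encodes a few of this report's rules as threshold tables, scores an occurrence count the way the rule text reads (first threshold reached wins), and aggregates per indicator. Summing matched-rule points within an indicator is an assumption; the 100 cap and the maximum across indicators are as stated in the report. The occurrence counts in `SAMPLE_OCCURRENCES` are constructed.

```python
from dataclasses import dataclass

# The four risk indicators named in the report header.
INDICATORS = ("Stale Objects", "Privileged Accounts", "Trusts", "Anomalies")


@dataclass(frozen=True)
class Rule:
    rule_id: str
    indicator: str
    # (points, minimum occurrence) pairs in the order the report prints them,
    # highest threshold first; a minimum of 1 is the report's "if present".
    thresholds: tuple

    def points(self, occurrence):
        """Score one rule exactly as its 'Points:' text reads: the first threshold
        the occurrence count reaches wins, so 'then 10 points if >= 6' applies
        only when the 15-point threshold was missed."""
        if occurrence < 0:
            raise ValueError("occurrence must be a non-negative count")
        for pts, minimum in self.thresholds:
            if occurrence >= minimum:
                return pts
        return 0


# Rules transcribed from this report's 'Points:' lines.
RULES = {
    "S-OS-W10": Rule("S-OS-W10", "Stale Objects", ((15, 15), (10, 6), (5, 1))),
    "S-OS-2012": Rule("S-OS-2012", "Stale Objects", ((10, 15), (5, 6), (2, 1))),
    "S-Inactive": Rule("S-Inactive", "Stale Objects", ((10, 25),)),
    "P-AdminPwdTooOld": Rule("P-AdminPwdTooOld", "Privileged Accounts", ((10, 1),)),
    "A-DC-Spooler": Rule("A-DC-Spooler", "Anomalies", ((10, 1),)),
}

# Constructed occurrence counts (not the report's figures) used for the demonstration.
SAMPLE_OCCURRENCES = {"S-OS-W10": 48, "S-OS-2012": 3, "S-Inactive": 24, "P-AdminPwdTooOld": 3, "A-DC-Spooler": 1}


def indicator_scores(rules, occurrences):
    """Sum matched-rule points per indicator and cap each at 100.
    Summing per indicator is an assumption; the cap is stated by the report."""
    totals = {name: 0 for name in INDICATORS}
    for rule_id, count in occurrences.items():
        rule = rules[rule_id]
        totals[rule.indicator] += rule.points(count)
    return {name: min(score, 100) for name, score in totals.items()}


def domain_risk_level(scores):
    """The report's global score: the maximum of the four indicators (lower is better)."""
    return max(scores.values())


if __name__ == "__main__":
    scores = indicator_scores(RULES, SAMPLE_OCCURRENCES)
    print(scores, "-> Domain Risk Level", domain_risk_level(scores))
```

With the constructed counts, S-OS-W10 reaches its top threshold (15 points), S-OS-2012 only the "if present" tier (2 points) and S-Inactive stays one short of its 25-account threshold (0 points), so Stale Objects scores 17 and, with 10 points each in Privileged Accounts and Anomalies, the domain risk level is 17.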
S-OS-2012
Description: The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2012 for the workstations within the domain
Technical explanation: The Windows Server 2012 OS is no longer supported, as it is vulnerable to many publicly known exploits: administrator credentials can be captured, security protocols are weak, etc.
Advised solution: In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select Export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a CSV file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command (the enabled-state filter must come before Format-Table, because Format-Table emits formatting objects rather than computer objects): `Get-ADComputer -Filter * -Property * | Where-Object {$_.Enabled -eq $true} | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto`
You can replace `-Filter *` with `-Filter {OperatingSystem -Like "Windows Server*"}`
Points: 10 points if the occurrence is greater than or equal to 15
then 5 points if the occurrence is greater than or equal to 6
then 2 points if present
Documentation: https://learn.microsoft.com/fr-fr/lifecycle/products/windows-server-2012-r2
[MITRE] Mitre Att&ck - Mitigation - Update Software
[FR] ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-PwdNeverExpires
Description: The purpose is to ensure that every account has a password which is compliant with password expiration policies
Technical explanation: Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, he would be able to maintain long-term access to the Active Directory domain.
We have noted that some domain-joined Linux servers are configured with a password which never expires.
This is a misconfiguration, because a password change can be configured; it was however not the default on some platforms.
See one of the links below for more information.
In order to make Active Directory enforce periodic password changes, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For service accounts, Windows provides the "managed service accounts" and "group managed service accounts" features to facilitate the automatic change of passwords.
Please note that there is a document in the section below which references solutions for service accounts of well-known products.
Linux servers should also be configured with automatic machine account password change.
Points: 1 point if present
Documentation: https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE] Mitre Att&ck - Mitigation - Active Directory Configuration
[FR] ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)
The detail can be found in User information
S-OS-Win7
Description: The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows 7 for the workstations within the domain
Technical explanation: The Windows 7 OS is no longer supported, as it is vulnerable to many publicly known exploits: administrator credentials can be captured, security protocols are weak, etc.
PingCastle tries to guess whether Extended Security Updates (ESU) have been purchased from Microsoft. Based on the documentation referenced below, the program checks if the script Activate-ProductOnline.ps1 is present.
If the script is detected, Windows 7 is considered as supported and this rule is not triggered.
In order to solve this security issue, you should upgrade all the workstations to a more recent version of Windows, starting from Windows 10.
Use PingCastle.exe and select Export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a CSV file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command (the enabled-state filter must come before Format-Table, because Format-Table emits formatting objects rather than computer objects): `Get-ADComputer -Filter * -Property * | Where-Object {$_.Enabled -eq $true} | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto`
You can replace `-Filter *` with `-Filter {OperatingSystem -Like "Windows 7*"}`
Points: 5 points if the occurrence is greater than or equal to 15
then 2 points if the occurrence is greater than or equal to 6
then 1 point if present
Documentation: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/activate-windows-7-esus-on-multiple-devices-with-a-mak/ba-p/1167196
[FR] ANSSI CERTFR-2005-INF-003
[MITRE] Mitre Att&ck - Mitigation - Update Software
The detail can be found in Operating Systems
To reach Level 4 you need to fix the following rules:
A-LAPS-Not-Installed
Description: The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation: LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to cover most of the problem.
Advised solution: If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points: 15 points if present
Documentation: https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US] STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE] Mitre Att&ck - Mitigation - Privileged Account Management
[FR] ANSSI CERTFR-2015-ACT-046
[MITRE] T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
A-BackupMetadata
Description: The purpose is to check that the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods
Technical explanation: A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reason backups are needed to perform a rollback (rebuild a domain) or to track past changes, they will then actually be up to date. This check is equivalent to a `REPADMIN /showbackup *`.
Advised solution: Plan AD backups based on Microsoft standards. These standards depend on the operating system. For example, with the wbadmin utility: `wbadmin start systemstatebackup -backuptarget:d:`
Points: 15 points if the occurrence is greater than or equal to 7
Documentation: https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE] Mitre Att&ck - Mitigation - Data Backup
[US] STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in Backup
A-DC-Coerce
Description: The objective is to assess the vulnerability of the Domain Controller (DC) to coerce attacks.
Technical explanation: Coerce attacks are a category of attacks that aim to force domain controllers to authenticate to a device controlled by the attacker, so that this authentication can be relayed to gain privileges.
This category of attacks is usually mitigated by applying patches (PetitPotam), disabling services (Spooler), adding RPC filters (EDR or firewall) or ensuring integrity (SMB integrity).
Because each of these protections can be individually bypassed (NTLM integrity is disabled on LDAPS), the aim of this scan is to proactively detect whether vulnerable RPC services are exposed.
PingCastle estimates that coerceable interfaces are protected if:
- the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is applied to the DC through a GPO
- or if the RPC interfaces are not reachable
Because these interfaces would need to be tested from a computer controlled by the attacker, PingCastle cannot perform this test reliably.
Instead, it sends a malformed RPC packet to try to trigger an error such as "Permission denied" or "RPC interface unavailable".
If the error RPC_X_BAD_STUB_DATA (1783) is triggered, PingCastle considers that the interface is available.
A report that a vulnerable interface is online may not be accurate, because full exploitation is not tested.
To avoid EDR alerts, or simply to skip the scan, you can run PingCastle with the flag --skip-dc-rpc.
To effectively mitigate the vulnerability, consider one of the following approaches:
1. Apply the Group Policy Object (GPO) "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
   - Apply this GPO specifically to the Organizational Unit (OU) "Domain Controllers".
   - Caution: enabling this GPO might impact services that depend on NTLM, such as file-copy backups.
   - Consider setting the GPO to "Audit" mode initially to identify and assess the impact on affected services.
2. Enable RPC filters in Windows Firewall:
   - Configure Windows Firewall to block the specific interface IDs associated with vulnerable RPC interfaces.
   - This is done using the netsh command. See the documentation links for more information.
   - Exercise caution: this method filters the entire interface, not specific operation numbers (OpNum).
   - Adjust exceptions for necessary services to ensure critical functionality.
3. Implement external filters (e.g., EDR, firewalls):
   - Leverage third-party solutions, such as Endpoint Detection and Response (EDR) tools or firewalls.
   - Notable project: rpcfirewall https://github.com/zeronetworks/rpcfirewall, offering logical filtering at the OpNum level.
   - Be cautious of potential impact and ensure compatibility with existing infrastructure.
Points: 10 points if present
Documentation: https://github.com/p0dalirius/Coercer
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-firewall/
[MITRE] T1187 Forced Authentication
The detail can be found in Domain controllers
| DCName | IP | Interface | Function | OpNum |
|---|---|---|---|---|
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | 192.168.253.52 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
P-ProtectedUsers
Description: The purpose is to ensure that all privileged accounts are in the Protected Users security group
Technical explanation: The Protected Users group is a special security group which automatically applies protections to minimize credential exposure. It is available starting with Windows 8.1; older operating systems must be updated to take this protection into account, for example with the Windows 7 KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation
Please also note that a few links (see below) recommend keeping at least one account outside of the Protected Users group in case there is a permission problem.
That is why this rule is not triggered if only one account is not protected.
After having reviewed the potential impact of adding users to this group, add the missing privileged accounts to it.
Points: 10 points if the occurrence is greater than or equal to 2
Documentation: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[FR] ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)
[MITRE] Mitre Att&ck - Mitigation - Privileged Process Integrity
[US] STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR] ANSSI CERTFR-2017-ALE-012
The detail can be found in Admin Groups
| User |
|---|
| itsonicwall |
| ccramer |
| ejavaid |
A-NotEnoughDC
Description: The purpose is to ensure that the failure of one domain controller will not stop the domain.
Technical explanation: A single domain controller failure can lead to a lack of availability of the domain if the number of servers is too low. To have minimum redundancy, the number of DCs should be at least 2. For labs, this rule can be ignored, and you can add it to the exception list.
Advised solution: Increase the number of domain controllers by installing new ones.
Points: 5 points if the occurrence is strictly lower than 2
Documentation: https://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx
[MITRE] Mitre Att&ck - Mitigation - Data Backup
The detail can be found in Domain controllers
A-DsHeuristicsLDAPSecurity
Description: The purpose is to identify domains where the mitigation for CVE-2021-42291 is not set to enabled
Technical explanation: The way an Active Directory behaves can be controlled via the attribute DsHeuristics of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
Two settings stored in this attribute, LDAPAddAuthZVerifications and LDAPOwnerModify, control the mitigation of CVE-2021-42291.
KB5008383 introduced changes to the default security descriptor of Computer containers to add auditing and to limit computer creation by non-admins.
Indeed, it is recommended not to let anyone create computer accounts, as they can be used to abuse Kerberos or to perform relay attacks.
The mitigations for CVE-2021-42291 consist of 3 possible values for each of 2 settings.
They are named LDAPAddAuthZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
The expected values are:
- With the value 0 (the default), an additional audit mechanism is enabled
- With the value 1 (recommended), the new security permissions are enforced, in particular requiring an action by a domain admin when unusual operations are performed
- With the value 2 (not recommended), the audit mechanism added by default is disabled and the new security permissions are not enabled
The easiest and fastest way to correct this issue is to replace the 28th and 29th character of the DsHeuristics attribute.
The value of LDAPAddAuthZVerifications and LDAPOwnerModify should be set to 1.
Open the procedure embedded in KB5008383 to apply this mitigation and change the DsHeuristics value.
Note: pay attention to the control characters at the 10th and 20th positions to avoid undesired changes of the DsHeuristics attribute.
Typically, if DsHeuristics is empty, the expected new value is 00000000010000000002000000011
Points: Informative rule (0 point)
Documentation: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE] T1187 Forced Authentication
[FR] ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)
| Setting | Position | Value |
|---|---|---|
| LDAPAddAuthZVerifications | 28th | Not Set |
| LDAPOwnerModify | 29th | Not Set |
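Editing DsHeuristics by hand is error-prone precisely because of the positional layout described above: the 28th and 29th characters must be set without disturbing the control characters at the 10th and 20th positions (MS-ADTS defines every 10th character as a check digit equal to position/10). The Python below is an added example, not PingCastle's or Microsoft's code: it reads the two CVE-2021-42291 settings from a DsHeuristics string (reporting "Not Set" as the table does when the string is too short), and composes a new value that sets them to 1 while writing and verifying the check digits. It works on the attribute's string value only; reading and writing the attribute in the directory is left to whatever LDAP tooling you use.

```python
# Names and 1-based positions of the two CVE-2021-42291 settings, as given in KB5008383.
CVE_2021_42291_SETTINGS = {"LDAPAddAuthZVerifications": 28, "LDAPOwnerModify": 29}


def control_char_for(position):
    """Every 10th character of DsHeuristics is a fixed check digit: position 10
    is '1', 20 is '2', 30 is '3', and so on (MS-ADTS). Returns None elsewhere."""
    return str(position // 10) if position % 10 == 0 else None


def read_setting(dsheuristics, position):
    """Value of the setting at a 1-based position, or 'Not Set' when the string
    is too short (the state the report table shows for both settings here)."""
    if position < 1:
        raise ValueError("positions are 1-based")
    if len(dsheuristics) < position:
        return "Not Set"
    return dsheuristics[position - 1]


def set_setting(dsheuristics, position, value):
    """Return a new DsHeuristics string with `value` at the 1-based `position`.

    The string is zero-padded as needed, and the check digits at every 10th
    position up to `position` are written (or verified, where already present),
    so an edit never produces a value with a wrong control character."""
    if position < 1:
        raise ValueError("positions are 1-based")
    if len(value) != 1 or not value.isdigit():
        raise ValueError("a DsHeuristics setting is a single digit character")
    if control_char_for(position) is not None:
        raise ValueError(f"position {position} is a reserved check digit")
    chars = list(dsheuristics.ljust(position, "0"))
    for pos in range(10, position + 1, 10):
        expected = control_char_for(pos)
        existing = dsheuristics[pos - 1] if len(dsheuristics) >= pos else None
        if existing not in (None, expected):
            raise ValueError(f"unexpected check digit {existing!r} at position {pos}")
        chars[pos - 1] = expected
    chars[position - 1] = value
    return "".join(chars)


def apply_cve_2021_42291_mitigation(dsheuristics):
    """Set both settings to the recommended value 1, leaving every other position as it was."""
    for position in CVE_2021_42291_SETTINGS.values():
        dsheuristics = set_setting(dsheuristics, position, "1")
    return dsheuristics


def audit(dsheuristics):
    """Mirror the report table: the current value of each setting and whether it is the recommended 1."""
    return {name: (read_setting(dsheuristics, pos), read_setting(dsheuristics, pos) == "1")
            for name, pos in CVE_2021_42291_SETTINGS.items()}


if __name__ == "__main__":
    current = ""  # the report's case: the attribute is empty, both settings "Not Set"
    print(audit(current))
    print(apply_cve_2021_42291_mitigation(current))  # the value the report text expects
```

Starting from an empty attribute the function produces exactly the 29-character value quoted in the rule text; starting from a non-empty attribute (for instance one that already sets an earlier heuristic) it keeps those characters and only appends or overwrites what the mitigation needs, refusing to proceed if an existing check digit is not what MS-ADTS prescribes.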
To reach the maximum level you need to fix the following rules:
A-DnsZoneAUCreateChild
Description: The purpose is to check if Authenticated Users has the right to create DNS records
Technical explanation: When a computer is joined to a domain, a DNS record is created in the DNS zone to allow the computer to update its DNS settings.
By design, Microsoft chose to grant the group Authenticated Users (i.e. every computer and user) the right to create DNS records.
Once created, only the owner keeps the right to edit the new object.
The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
One example is creating a wildcard record (a record with the name "*") or a failover DNS record, or anticipating the creation of a DNS record with the right permissions.
As of today, this rule is considered "informative" because the default configuration, where Authenticated Users can create DNS records, is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.
The proposed enhancement is to change the identity granted the right to create DNS records (permission CreateChild) from Authenticated Users to Domain Computers.
To perform this change, edit the permissions of the DNS zone object located in the container CN=MicrosoftDNS,DC=DomainDnsZones.
Note that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.
The best mitigation is to create the DNS records manually as part of the domain join process and to revoke the permission granted to Authenticated Users.
Points: Informative rule (0 point)
Documentation: https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE] T1557 Man-in-the-Middle
| DNSZone |
|---|
| 20.168.192.in-addr.arpa |
| 147.56.50.in-addr.arpa |
| 147.56.50.in-addr.arpa CNF:08160273-defb-4859-aa24-150122611381 |
| tradesandtools.com CNF:1ef04c1f-7515-4ef4-bdc7-d8893d08e62b |
| 253.168.192.in-addr.arpa |
| 252.168.192.in-addr.arpa |
| 10.168.192.in-addr.arpa |
| 11.168.192.in-addr.arpa |
| 12.168.192.in-addr.arpa |
S-KerberosArmoringDC
Description: The purpose is to ensure that DCs support Kerberos armoring when the functional level is at least Windows Server 2012
Technical explanation: Kerberos armoring is an optimization of the Kerberos protocol. It avoids the pre-authentication steps and thereby prevents pre-authentication attacks.
It is supported only starting from Windows Server 2012 DCs and Windows 8 workstations.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.
To enable Kerberos armoring for domain controllers, edit the GPO and go to Computer Configuration > Administrative Templates > System > KDC,
then enable the policy "KDC support for claims, compound authentication and Kerberos armoring".
The policy should be set to at least "Supported".
The safest setting is "Fail authentication requests when Kerberos armoring is not available", but it should be enabled only if the clients support Kerberos armoring.
Points: Informative rule (0 point)
Documentation: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE] T1558 Steal or Forge Kerberos Tickets
If activated, the detail can be found in Security settings
S-KerberosArmoring
Description: The purpose is to ensure that clients support Kerberos armoring when the domain functional level is at least Windows Server 2012
Technical explanation: Kerberos armoring is an optimization of the Kerberos protocol. It avoids the pre-authentication steps, thus prohibiting pre-authentication attacks.
It is supported only starting from Windows Server 2012 DCs and Windows 8 workstations.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.
To enable Kerberos armoring for clients, edit the GPO and go to Computer Configuration > Administrative Templates > System > Kerberos,
then enable the policy "Kerberos client support for claims, compound authentication and Kerberos armoring".
Points: Informative rule (0 point)
Documentation: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE] T1558 Steal or Forge Kerberos Tickets
If activated, the detail can be found in Security settings
A-NoServicePolicy
Description: The purpose is to give information regarding a best practice for the service account password policy. Indeed, having a 20+ character password for these accounts greatly helps reduce the risk of Kerberoasting attacks (offline cracking of TGS tickets)
Note: PSOs (Password Settings Objects) will be visible only if the user who collected the information has permission to view them.
The rule is purely informative, as it gives insights regarding a best practice. It verifies whether there is a GPO or PSO enforcing a 20+ character password for the service accounts.
Advised solution: The recommended way to handle service accounts is to use "Managed service accounts", introduced in Windows Server 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password policy guaranteeing a 20+ character password length.
Points: Informative rule (0 point)
Documentation: https://www.microsoft.com/en-us/research/publication/password-guidance/
[MITRE] T1201 Password Policy Discovery
The detail can be found in Password Policies
A-NoNetSessionHardening
Description: The purpose is to ensure that mitigations are in place against the BloodHound tool
Technical explanation: By default, Windows computers allow any authenticated user to enumerate the network sessions to them.
This means an attacker could enumerate network sessions to a file share hosting home directories, or to a Domain Controller to see who is connected to SYSVOL (to apply Group Policy), and determine which workstations each user and admin account is logged into.
BloodHound uses this capability extensively to map out credentials in the network.
Disabling net session enumeration removes the ability for any user to enumerate net session information (reconnaissance).
If this mitigation is not part of the computer image, apply the following recommendations:
1. Run the NetCease PowerShell script (referenced below) on a reference workstation.
2. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.
3. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
4. Right-click the Registry node, point to New, and select Registry Wizard.
5. Select the reference workstation on which the desired registry settings exist, then click Next.
6. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ and select the check box for the "SrvsvcSessionInfo" value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
7. Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection.
Points: Informative rule (0 point)
Documentation: https://github.com/p0w3rsh3ll/NetCease
https://adsecurity.org/?p=3299
[MITRE] T1087.001 Account Discovery: Local Account
The detail can be found in Security settings
S-DefaultOUChanged
Description:The purpose is to ensure that the default location of computers and user OU has not been changed.
Technical explanation:Default OUs such as CN=Computers or CN=Users are stored within the wellKnownObjects attribute of the Domain object.
There are 12 default locations officially defined.
They can be changed using the program redircmp.
Changing these defaults can alter the behavior of programs (such as security audit programs), as they may not check the modified objects.
You have to use redircmp to set the value back to normal. See the documentation for more details.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5a00c890-6be5-4575-93c4-8bf8be0ca8d8
https://rickardnobel.se/verify-redirected-computers-container-in-active-directory/
[MITRE]Mitre Att&ck - Mitigation - User Account Management
| Expected | Found |
|---|---|
| CN=Computers,DC=egia,DC=com | OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
This section represents an evaluation of the techniques available in the MITRE ATT&CK®
Initial Access
T1078.003 Valid Accounts: Local Accounts [1]
A-LAPS-Not-Installed
Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to cover most of the problem.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
Credential Access
T1187 Forced Authentication [3]
A-DC-Coerce
Description:The objective is to assess the vulnerability of the Domain Controller (DC) to Coerce attacks.
Technical explanation:Coerce attacks are a category of attacks which aim to force domain controllers to authenticate to a device controlled by the attacker, in order to relay this authentication and gain privileges.
This category of attacks is usually mitigated by applying patches (PetitPotam), disabling services (Spooler), adding RPC filters (EDR or firewall) or ensuring integrity (SMB integrity).
Because each of these protections can be individually bypassed (NTLM integrity is disabled on LDAPS), the aim of this scan is to proactively detect whether vulnerable RPC services are exposed.
PingCastle estimates that coerceable interfaces are protected if:
- the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is applied to the domain controllers
- or if the RPC interfaces are not reachable
Because these interfaces need to be tested from a computer controlled by the attacker, PingCastle cannot perform this test reliably.
Instead, it sends a malformed RPC packet to try to trigger an error such as "Permission denied" or "RPC interface unavailable".
If the error RPC_X_BAD_STUB_DATA (1783) is triggered, PingCastle considers that the interface is available.
A report that a vulnerable interface is online may not be accurate, because full exploitation is not tested.
To avoid EDR alerts, or to skip this scan entirely, you can run PingCastle with the flag --skip-dc-rpc.
To effectively mitigate the vulnerability, consider one of the following approaches:
1. Apply Group Policy Object (GPO) - "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
Apply this GPO specifically to the Organizational Unit (OU) "Domain Controllers".
Caution: Enabling this GPO might impact services dependent on NTLM, such as file-copy backups.
Consider setting the GPO in "Audit mode" initially to identify and assess the impact on affected services.
2. Enable RPC Filters in Windows Firewall:
Configure Windows Firewall to block specific Interface IDs associated with vulnerable RPC interfaces.
This is done using the netsh command. See the documentation links for more information.
Exercise caution: This method filters the entire interface, not specific Operation Numbers (OpNum).
Adjust exceptions for necessary services to ensure critical functionality.
3. Implement External Filters (e.g., EDR, Firewalls):
Leverage third-party solutions, such as Endpoint Detection and Response (EDR) tools or firewalls.
Notable project: rpcfirewall https://github.com/zeronetworks/rpcfirewall, offering logical filtering at the OpNum level.
Be cautious of potential impact and ensure compatibility with existing infrastructure.
10 points if present
Documentation:https://github.com/p0dalirius/Coercer
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-firewall/
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| DCName | IP | Interface | Function | OpNum |
|---|---|---|---|---|
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | 192.168.253.52 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
A-DC-Spooler
Description:The purpose is to ensure that credentials cannot be extracted from the DC via its Print Spooler service
Technical explanation:When there is an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service is running on a computer, that computer's credentials can be sent to the system with unconstrained delegation by any user. With a domain controller, the TGT of the DC can be extracted, allowing an attacker to reuse it in a DCSync attack, obtain all user hashes and impersonate them.
Advised solution:The Print Spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
Points:10 points if present
Documentation:https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01 |
A-DsHeuristicsLDAPSecurity
Description:The purpose is to identify domains where the mitigation for CVE-2021-42291 is not set to enabled
Technical explanation:The way an Active Directory behaves can be controlled via the attribute DsHeuristics of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
Two parameters stored in this attribute, named LDAPAddAuthZVerifications and LDAPOwnerModify, can be set to modify the mitigation of CVE-2021-42291.
KB5008383 introduced changes to the default security descriptor of the Computers container to add auditing and to limit the creation of computer accounts by non-admins.
Indeed, it is recommended not to let anyone create computer accounts, as they can be used to abuse Kerberos or to perform relay attacks.
The mitigations for CVE-2021-42291 consist of 3 possible values for each of 2 settings.
They are named LDAPAddAuthZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
For the expected values:
- With the value 0 (the default), it enables an additional audit mechanism
- With the value 1 (recommended), it enforces new security permissions, especially to require an action of the domain admin when unusual actions are performed
- With the value 2 (not recommended), it disables the audit mechanism that has been added by default and does not enable the new security permissions
The easiest and fastest way to correct this issue is to replace the 28th and 29th characters of the DsHeuristics attribute.
The values of LDAPAddAuthZVerifications and LDAPOwnerModify should be set to 1.
Open the procedure embedded in KB5008383 to apply this mitigation and change the DsHeuristics value.
Note: Pay attention to the control characters at the 10th and 20th positions ("1" and "2" respectively in the example below) to avoid undesired changes to the DsHeuristics attribute.
Typically, if DsHeuristics is empty, the expected new value is 00000000010000000002000000011
Informative rule (0 point)
Documentation:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)3
| Setting | Position | Value |
|---|---|---|
| LDAPAddAuthZVerifications | 28th | Not Set |
| LDAPOwnerModify | 29th | Not Set |
A-DnsZoneAUCreateChild
Description:The purpose is to check if Authenticated Users has the right to create DNS records
Technical explanation:When a computer is joined to a domain, a DNS record is created in the DnsZone to allow the computer to update its DNS settings.
By design, Microsoft chose to grant the group Authenticated Users (i.e. every computer and user) the right to create DNS records.
Once created, only the owner keeps the right to edit the new object.
The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
Examples are creating a wildcard record (a record with the name "*"), creating a failover DNS record, or anticipating the creation of a DNS record with the right permissions.
As of today, this rule is considered "informative" because the default configuration, where Authenticated Users can create DNS records, is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.
The proposed enhancement is to replace the identity that has been granted the right to create DNS records (permission CreateChild) from Authenticated Users to Domain Computers.
To perform this change, you have to edit the permissions of the DNSZone object, located in the container CN=MicrosoftDNS,DC=DomainDnsZones.
Note that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.
The best mitigation is to create the DNS records manually as part of the domain join process and to revoke the permission granted to Authenticated Users.
Informative rule (0 point)
Documentation:https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE]T1557 Man-in-the-Middle
| DNSZone |
|---|
| 20.168.192.in-addr.arpa |
| 147.56.50.in-addr.arpa |
| 147.56.50.in-addr.arpa CNF:08160273-defb-4859-aa24-150122611381 |
| tradesandtools.com CNF:1ef04c1f-7515-4ef4-bdc7-d8893d08e62b |
| 253.168.192.in-addr.arpa |
| 252.168.192.in-addr.arpa |
| 10.168.192.in-addr.arpa |
| 11.168.192.in-addr.arpa |
| 12.168.192.in-addr.arpa |
T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [1]
S-OldNtlm
Description:The purpose is to check if NTLMv1 or LM can be used by the DC
Technical explanation:NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically abused when an attacker sniffs the network and tries to retrieve NTLM hashes, which can then be used to impersonate users.
This attack can be combined with coerced authentication attacks, where an attacker forces the DC to connect to a controlled host.
In this case, NTLMv1 can be specified so that the attacker can retrieve the NTLM hash of the DC, impersonate it and then take control of the domain.
This attack is still possible with NTLMv2, but it is more difficult.
Windows has default security settings regarding LM/NTLM. Windows XP: Send LM & NTLM responses; Windows Server 2003: Send NTLM response only; Vista/2008 and Win7/2008 R2: Send NTLMv2 response only.
However, Domain Controllers have relaxed default settings to accept the connection of older operating systems.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC falls back to the insecure default.
After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level", which can be accessed in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
The policy will be applied after a computer reboot.
Beware that you may break software which is not compatible with NTLMv2, such as very old Linux stacks or very old Windows versions before Windows Vista.
But please note that NTLMv2 can be activated on all Windows versions starting from Windows 95, and on other operating systems.
15 points if present
Documentation:https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]
The detail can be found in Security settings
| GPO | Value |
|---|---|
| Windows default without an active GPO | 3 |
T1558 Steal or Forge Kerberos Tickets [2]
S-KerberosArmoringDC
Description:The purpose is to ensure that DC supports Kerberos armoring when functional level is at least Windows Server 2012
Technical explanation:Kerberos Armoring is an optimization of the Kerberos protocol. It avoids the pre-authentication steps and thereby prevents pre-authentication attacks.
It is supported only on Windows Server 2012 DCs and Windows 8 workstations, or later.
If Kerberos Armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.
To enable Kerberos armoring for domain controllers, edit the GPO and go to Computer Configuration > Administrative Templates > System > KDC,
then enable the policy "KDC support for claims, compound authentication and Kerberos armoring".
The policy should be set to at least "Supported".
The safest setting is "Fail authentication requests when Kerberos armoring is not available", but it should be enabled only if the clients support Kerberos armoring.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets
If activated, the detail can be found in Security settings
S-KerberosArmoring
Description:The purpose is to ensure that clients support Kerberos armoring when domain functional level is at least Windows Server 2012
Technical explanation:Kerberos Armoring is an optimization of the Kerberos protocol. It avoids the pre-authentication steps and thereby prevents pre-authentication attacks.
It is supported only on Windows Server 2012 DCs and Windows 8 workstations, or later.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.
To enable Kerberos armoring for clients, edit the GPO and go to Computer Configuration > Administrative Templates > System > Kerberos,
then enable the policy "Kerberos client support for claims, compound authentication and Kerberos armoring".
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets
If activated, the detail can be found in Security settings
Discovery
T1087.001 Account Discovery: Local Account [1]
A-NoNetSessionHardening
T1201 Password Policy Discovery [1]
A-NoServicePolicy
Active Directory Configuration
Mitre Att&ck - Mitigation - Active Directory Configuration [1]
S-PwdNeverExpires
Description:The purpose is to ensure that every account has a password which is compliant with password expiration policies
Technical explanation:Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, they would be able to maintain long-term access to the Active Directory domain.
We have noted that some domain-joined Linux servers are configured with a password which never expires.
This is a misconfiguration, because a periodic password change can be configured; it was however not the default on some platforms.
See one of the links below for more information.
In order to make Active Directory enforce periodic password changes, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For service accounts, Windows provides the "managed service accounts" and "group managed service accounts" features to facilitate the automatic change of passwords.
Please note that there is a document in the section below which references solutions for the service accounts of well-known products.
Linux servers should also be configured with automatic machine account password change.
1 point if present
Documentation:https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)2
The detail can be found in User information
Data Backup
Mitre Att&ck - Mitigation - Data Backup [2]
A-BackupMetadata
Description:The purpose is to check if the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods
Technical explanation:A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reason backups are needed to perform a rollback (rebuild a domain) or to track past changes, the backups will then actually be up to date. This check is equivalent to REPADMIN /showbackup *.
Advised solution:Plan AD backups based on Microsoft standards. These standards depend on the Operating System. For example, with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:
Points:15 points if the occurrence is greater than or equal to 7
Documentation:https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
[US]STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in Backup
A-NotEnoughDC
Description:The purpose is to ensure the failure of one domain controller will not stop the domain.
Technical explanation:A single domain controller failure can lead to a lack of availability of the domain if the number of servers is too low. To have a minimum redundancy, the number of DC should be at least 2. For Labs, this rule can be ignored, and you can add this rule into the exception list.
Advised solution:Increase the number of domain controllers by installing new ones.
Points:5 points if the occurrence is strictly lower than 2
Documentation:https://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
The detail can be found in Domain controllers
Privileged Account Management
Mitre Att&ck - Mitigation - Privileged Account Management [2]
A-LAPS-Not-Installed
P-AdminPwdTooOld
Documentation:[FR]ANSSI - Privileged account passwords age too old (vuln1_password_change_priv)1
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
| Account | Creation | LastChanged |
|---|---|---|
| itsonicwall | 2019-08-01 23:45:55Z | 2019-08-01 16:45:55Z |
| ccramer | 2014-07-25 20:03:05Z | 2020-02-14 06:02:29Z |
| ejavaid | 2010-12-02 14:38:38Z | 2011-12-08 16:17:21Z |
Privileged Process Integrity
Mitre Att&ck - Mitigation - Privileged Process Integrity [1]
P-ProtectedUsers
Description:The purpose is to ensure that all privileged accounts are in the Protected User security group
Technical explanation:The Protected Users group is a special security group which automatically applies protections to minimize credential exposure. It is available starting with Windows 8.1; older operating systems must be updated to support this protection, for example with the Windows 7 KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation
Please also note that a few links (see below) recommend that at least one account is kept outside of the Protected Users group in case there is a permission problem.
That is why this rule is not triggered if only one account is not protected.
After having reviewed the potential impact of adding users to this group, add the missing privileged accounts to it.
Points:10 points if the occurrence is greater than or equal to 2
Documentation:https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[FR]ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)3
[MITRE]Mitre Att&ck - Mitigation - Privileged Process Integrity
[US]STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR]ANSSI CERTFR-2017-ALE-012
The detail can be found in Admin Groups
| User |
|---|
| itsonicwall |
| ccramer |
| ejavaid |
Update Software
Mitre Att&ck - Mitigation - Update Software [3]
S-OS-W10
Description:The purpose is to ensure that there is no use of non-supported version of Windows 10 or Windows 11 within the domain
Technical explanation:Some versions of Windows 10 and Windows 11 OS are no longer supported, and may be vulnerable to exploits that are not patched anymore.
Advised solution:In order to solve this security issue, you should upgrade all the Windows 10 or Windows 11 to a more recent version.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a CSV file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command (the enabled filter must come before Format-Table, since formatted output cannot be filtered): Get-ADComputer -Filter * -Properties * | Where-Object {$_.Enabled -eq $true} | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows 1*"}
15 points if the occurrence is greater than or equal to 15
then 10 points if the occurrence is greater than or equal to 6
then 5 points if present
https://docs.microsoft.com/en-us/windows/release-health/release-information
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
| Version | Number | Active |
|---|---|---|
| Windows 10 1809 | 8 | 0 |
| Windows 10 20H2 | 11 | 0 |
| Windows 10 21H1 | 14 | 0 |
| Windows 10 21H2 | 15 | 0 |
S-OS-2012
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2012 for the workstations within the domain
Technical explanation:The Windows Server 2012 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all servers running Windows Server 2012 to a more recent version of Windows.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a CSV file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command (the enabled filter must come before Format-Table, since formatted output cannot be filtered): Get-ADComputer -Filter * -Properties * | Where-Object {$_.Enabled -eq $true} | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
10 points if the occurrence is greater than or equal to 15
then 5 points if the occurrence is greater than or equal to 6
then 2 points if present
https://learn.microsoft.com/fr-fr/lifecycle/products/windows-server-2012-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-OS-Win7
Description:The purpose is to ensure that the obsolete and vulnerable OS Windows 7 is no longer used on workstations within the domain
Technical explanation:The Windows 7 OS is no longer supported, and it is vulnerable to many publicly known exploits: administrator credentials can be captured, its security protocols are weak, etc.
PingCastle tries to detect whether Extended Security Support (ESU) has been purchased from Microsoft. Based on the documentation referenced below, the program checks whether the script Activate-ProductOnline.ps1 is present.
If the script is detected, Windows 7 is considered supported and this rule is not triggered.
In order to solve this security issue, you should upgrade all the workstations to a more recent version of Windows, starting from Windows 10.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a CSV file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command (filter on Enabled before Format-Table, otherwise the filter receives formatting objects and matches nothing): Get-ADComputer -Filter * -Property * | where {$_.Enabled -eq $true} | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows 7*"}
5 points if the occurrence is greater than or equal to 15
then 2 points if the occurrence is greater than or equal to 6
then 1 point if present
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/activate-windows-7-esus-on-multiple-devices-with-a-mak/ba-p/1167196
[FR]ANSSI CERTFR-2005-INF-003
[MITRE]Mitre Att&ck - Mitigation - Update Software
The detail can be found in Operating Systems
User Account Management
Mitre Att&ck - Mitigation - User Account Management [2]
S-Inactive
Description:The purpose is to ensure that there are as few inactive accounts as possible within the domain. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization.
Technical explanation:Inactive accounts often stay in the network because of weaknesses in the decommissioning process. These stale accounts can be used as backdoors and therefore represent a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 180:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | ?{$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName
Points:10 points if the occurrence is greater than or equal to 25
Documentation:[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[FR]ANSSI - Dormant accounts (vuln1_user_accounts_dormant)
The detail can be found in User information and Computer information
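The commands above are given one rule at a time; the script below is an added example (not PingCastle's own code) that makes one pass over the enabled computer accounts for the obsolete operating systems behind S-OS-W10, S-OS-2012 and S-OS-Win7, and one pass over the user accounts for S-Inactive. It requires the ActiveDirectory module; the Windows 10 build-to-release mapping is my own and covers the releases listed in the table above.

```powershell
# Added example, not part of the PingCastle report. Requires the ActiveDirectory module.

function Get-ObsoleteOsReport {
    param(
        # Windows 10 releases no longer serviced, keyed by build number
        # (OperatingSystemVersion looks like "10.0 (19044)"). Mapping is mine.
        [hashtable]$UnsupportedWin10Builds = @{
            '17763' = '1809'; '19042' = '20H2'; '19043' = '21H1'; '19044' = '21H2'
        }
    )
    # Filter on Enabled inside the query: after Format-Table the pipeline
    # carries formatting objects, so a trailing "where Enabled" matches nothing.
    Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        ForEach-Object {
            $os = [string]$_.OperatingSystem
            $build = if ([string]$_.OperatingSystemVersion -match '\((\d+)\)') { $Matches[1] } else { '' }
            $rule = if ($os -like 'Windows 7*') { 'S-OS-Win7' }
                    elseif ($os -like 'Windows Server 2012*') { 'S-OS-2012' }
                    elseif ($os -like 'Windows 10*' -and $UnsupportedWin10Builds.ContainsKey($build)) { 'S-OS-W10' }
            if ($rule) {
                [pscustomobject]@{
                    Rule            = $rule
                    Name            = $_.Name
                    OperatingSystem = $os
                    Release         = if ($rule -eq 'S-OS-W10') { $UnsupportedWin10Builds[$build] } else { '' }
                    LastLogon       = $_.LastLogonDate
                }
            }
        }
}

function Get-InactiveEnabledUser {
    param([int]$Days = 180)
    # Same query as the rule's one-liner, with the Enabled filter kept before any formatting.
    Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([timespan]::FromDays($Days)) -ResultPageSize 2000 -ResultSetSize $null |
        Where-Object { $_.Enabled } |
        Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName
}

$obsolete = @(Get-ObsoleteOsReport)
$obsolete | Group-Object Rule | Select-Object Name, Count | Format-Table -AutoSize
$obsolete | Sort-Object Rule, OperatingSystem, Name | Format-Table -AutoSize

$inactive = @(Get-InactiveEnabledUser -Days 180)
'{0} enabled user accounts inactive for 180 days (S-Inactive scores 10 points from 25)' -f $inactive.Count
$inactive | Format-Table -AutoSize
```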
S-DefaultOUChanged
Description:The purpose is to ensure that the default containers for computers and users have not been changed.
Technical explanation:Default containers such as CN=Computers or CN=Users are stored in the wellKnownObjects attribute of the domain object.
There are 12 default locations officially defined.
They can be changed using the program redircmp.
Changing these defaults can alter the behavior of programs (such as security audit programs), as they may not check the relocated objects.
Use redircmp to set the value back to its default. See the documentation for more details.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5a00c890-6be5-4575-93c4-8bf8be0ca8d8
https://rickardnobel.se/verify-redirected-computers-container-in-active-directory/
[MITRE]Mitre Att&ck - Mitigation - User Account Management
| Expected | Found |
|---|---|
| CN=Computers,DC=egia,DC=com | OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
Stale Objects : 34 /100
It is about operations related to user or computer objects
S-OldNtlm
Description:The purpose is to check whether NTLMv1 or LM authentication can still be used against the domain controllers
Technical explanation:NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically abused when an attacker sniffs the network and tries to retrieve NTLM hashes, which can then be used to impersonate users.
This attack can be combined with coerced authentication attacks, where the attacker forces the DC to connect to a host under their control.
In this case, NTLMv1 can be requested so that the attacker retrieves the NTLM hash of the DC, impersonates it and takes control of the domain.
This attack is still possible with NTLMv2, but it is more difficult.
Windows has default security settings regarding LM/NTLM: Windows XP sends LM & NTLM responses, Windows Server 2003 sends NTLM responses only, and Windows Vista/Server 2008 and Windows 7/Server 2008 R2 send NTLMv2 responses only.
However, domain controllers have relaxed default settings in order to accept connections from older operating systems.
That means that, by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DCs fall back to this insecure default.
After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level", which can be found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
The policy will be applied after a computer reboot.
Beware that you may break software which is not compatible with NTLMv2, such as very old Linux stacks or Windows versions older than Windows Vista.
Please note, however, that NTLMv2 can be activated on all Windows versions starting with Windows 95, as well as on other operating systems.
15 points if present
Documentation:https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]
The detail can be found in Security settings
| GPO | Value |
|---|---|
| Windows default without an active GPO | 3 |
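The value 3 in the table is the LmCompatibilityLevel that applies when no policy is set ("Send NTLMv2 response only", which still accepts LM and NTLMv1 from clients); the target is 5. The script below is an added example (not PingCastle's own code) for the audit step the rule asks for: it reads the effective level on each DC and lists the successful logons whose NTLM package was NTLM V1 or LM, so the dependent clients are known before the level is raised. It assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not part of the PingCastle report.

function Get-LmCompatibilityLevel {
    param([Parameter(Mandatory)][string]$ComputerName)
    # LmCompatibilityLevel is the registry value behind the policy
    # "Network security: LAN Manager authentication level". When absent,
    # the OS default applies (3, as in the table above).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
        if ($null -eq $lsa.LmCompatibilityLevel) { 3 } else { [int]$lsa.LmCompatibilityLevel }
    }
}

function Get-NtlmV1Logon {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Days = 7
    )
    # Successful logons (event 4624) whose "Package Name (NTLM only)" field is
    # NTLM V1 or LM come from clients that still depend on the weak protocol.
    # The XML payload is read by field name rather than by property position.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            if ($fields['AuthenticationPackageName'] -eq 'NTLM' -and
                $fields['LmPackageName'] -in @('NTLM V1', 'LM')) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    DC          = $ComputerName
                    Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
                    Workstation = $fields['WorkstationName']
                    SourceIP    = $fields['IpAddress']
                    Package     = $fields['LmPackageName']
                }
            }
        }
}

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $level = Get-LmCompatibilityLevel -ComputerName $dc
    $status = if ($level -ge 5) { 'refuses LM & NTLMv1' } else { 'still accepts LM/NTLMv1' }
    '{0}: LmCompatibilityLevel={1} ({2})' -f $dc, $level, $status
}

# One row per (account, workstation, package) so the remediation list is short.
$dcs | ForEach-Object { Get-NtlmV1Logon -ComputerName $_ -Days 7 } |
    Group-Object Account, Workstation, Package |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```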
S-PwdNeverExpires
Description:The purpose is to ensure that every account has a password which is compliant with password expiration policies
Technical explanation:Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, he would be able to maintain long-term access to the Active Directory domain.
We have noted that some domain-joined Linux servers are configured with a password which never expires.
This is a misconfiguration, because a password change can be configured; it was, however, not the default on some platforms.
See one of the links below for more information.
In order to make Active Directory enforce periodic password changes, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For service accounts, Windows provides the "managed service accounts" and "group managed service accounts" features to facilitate the automatic change of passwords.
Please note that there is a document in the section below which references solutions for service accounts of well-known products.
Linux servers should also be configured with automatic machine account password change.
1 point if present
Documentation:https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)
The detail can be found in User information
S-KerberosArmoringDC
Description:The purpose is to ensure that the DCs support Kerberos armoring when the domain functional level is at least Windows Server 2012
Technical explanation:Kerberos armoring is an extension of the Kerberos protocol. It protects the pre-authentication steps and thereby prevents pre-authentication attacks.
It is supported only starting with Windows Server 2012 domain controllers and Windows 8 workstations.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.
To enable Kerberos armoring for domain controllers, edit the GPO and go to Computer Configuration > Administrative Templates > System > KDC,
then enable the policy "KDC support for claims, compound authentication and Kerberos armoring".
The policy should be set to at least "Supported".
The safest setting is "Fail authentication requests when Kerberos armoring is not available", but it should be enabled only if all clients support Kerberos armoring.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets
If activated, the detail can be found in Security settings
S-KerberosArmoring
Description:The purpose is to ensure that clients support Kerberos armoring when the domain functional level is at least Windows Server 2012
Technical explanation:Kerberos armoring is an extension of the Kerberos protocol. It protects the pre-authentication steps and thereby prevents pre-authentication attacks.
It is supported only starting with Windows Server 2012 domain controllers and Windows 8 workstations.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.
To enable Kerberos armoring for clients, edit the GPO and go to Computer Configuration > Administrative Templates > System > Kerberos,
then enable the policy "Kerberos client support for claims, compound authentication and Kerberos armoring".
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets
If activated, the detail can be found in Security settings
Privileged Accounts : 20 /100
It is about administrators of the Active Directory
P-ProtectedUsers
Description:The purpose is to ensure that all privileged accounts are members of the Protected Users security group
Technical explanation:The Protected Users group is a special security group which automatically applies protections to minimize credential exposure. It is available starting with Windows 8.1; older operating systems must be updated to honor this protection, for example Windows 7 with the KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation
Please also note that several links (see below) recommend keeping at least one account outside the Protected Users group in case a permission problem occurs.
That is why this rule is not triggered if only one account is not protected.
After reviewing the potential impact of adding users to this group, add the missing privileged accounts to it.
Points:10 points if the occurrence is greater than or equal to 2
Documentation:https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[FR]ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)
[MITRE]Mitre Att&ck - Mitigation - Privileged Process Integrity
[US]STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR]ANSSI CERTFR-2017-ALE-012
The detail can be found in Admin Groups
| User |
|---|
| itsonicwall |
| ccramer |
| ejavaid |
P-AdminPwdTooOld
Description:The purpose is to ensure that all admins are changing their passwords at least every 3 years
Technical explanation:This rule ensures that administrator passwords are managed properly.
Advised solution:We advise reading the ANSSI guidelines on this topic, which are cited in the documentation section below.
10 points if present
Documentation:[FR]ANSSI - Privileged account passwords age too old (vuln1_password_change_priv)
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
| Account | Creation | LastChanged |
|---|---|---|
| itsonicwall | 2019-08-01 23:45:55Z | 2019-08-01 16:45:55Z |
| ccramer | 2014-07-25 20:03:05Z | 2020-02-14 06:02:29Z |
| ejavaid | 2010-12-02 14:38:38Z | 2011-12-08 16:17:21Z |
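The two tables above (P-ProtectedUsers and P-AdminPwdTooOld) come from the same population, the members of the privileged groups. The script below is an added example (not PingCastle's own code) that builds that list once, with nested membership resolved, and flags for each account whether it is in Protected Users and whether its password is older than 3 years, applying the one-account tolerance of P-ProtectedUsers. It requires the ActiveDirectory module; the group names are the built-in defaults.

```powershell
# Added example, not part of the PingCastle report.

function Get-PrivilegedUserReport {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$MaxPasswordAgeYears = 3
    )
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName)
    $cutoff = (Get-Date).AddYears(-$MaxPasswordAgeYears)
    $seen = @{}
    foreach ($group in $PrivilegedGroups) {
        # Enterprise Admins and Schema Admins only exist in the forest root domain;
        # in a child domain the lookup fails and the group is skipped.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) { continue }   # report each user once
            $seen[$m.distinguishedName] = $true
            $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet, whenCreated
            [pscustomobject]@{
                Account          = $u.SamAccountName
                Enabled          = $u.Enabled
                FoundVia         = $group
                InProtectedUsers = $protected -contains $u.DistinguishedName
                Created          = $u.whenCreated
                PasswordLastSet  = $u.PasswordLastSet
                # An empty PasswordLastSet means "must change at next logon" or never set.
                PasswordTooOld   = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
            }
        }
    }
}

$report = @(Get-PrivilegedUserReport | Sort-Object Account)
$report | Format-Table -AutoSize

# P-ProtectedUsers tolerates one account outside the group (a break-glass
# account), so it fires from the second unprotected account onward.
$unprotected = @($report | Where-Object { $_.Enabled -and -not $_.InProtectedUsers })
if ($unprotected.Count -ge 2) {
    '{0} privileged accounts outside Protected Users: P-ProtectedUsers would trigger' -f $unprotected.Count
}
$stalePwd = @($report | Where-Object { $_.PasswordTooOld })
if ($stalePwd.Count -gt 0) {
    '{0} privileged accounts with a password older than 3 years: P-AdminPwdTooOld would trigger' -f $stalePwd.Count
}
```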
Trusts : 0 /100
It is about links between two Active Directories
No rule matched
Anomalies : 55 /100
It is about specific security control points
A-LAPS-Not-Installed
Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to cover most of the problem.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
A-BackupMetadata
Description:The purpose is to check that the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods.
Technical explanation:A verification is done on the backups, ensuring that they are performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If, for any reason, backups are needed to perform a rollback (rebuild a domain) or to track past changes, this check confirms that they will actually be up to date. It is equivalent to running REPADMIN /showbackup *.
Advised solution:Plan AD backups based on Microsoft standards. These standards depend on the operating system. For example, with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:
Points:15 points if the occurrence is greater than or equal to 7
Documentation:https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
[US]STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in Backup
A-DC-Coerce
Description:The purpose is to assess whether the domain controllers (DC) are exposed to coerced authentication attacks.
Technical explanation:Coerce attacks are a category of attacks which force domain controllers to authenticate to a device controlled by the attacker, so that this authentication can be relayed to gain privileges.
This category of attacks is usually mitigated by applying patches (PetitPotam), disabling services (Print Spooler), adding RPC filters (EDR or firewall) or enforcing integrity (SMB integrity).
Because each of these protections can be bypassed individually (for example, NTLM integrity is disabled on LDAPS), the aim of this scan is to proactively detect whether vulnerable RPC services are exposed.
PingCastle considers the coercible interfaces protected if:
- the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is applied to the domain controllers,
- or the RPC interfaces are not reachable.
Because these interfaces would have to be tested from a computer controlled by the attacker, PingCastle cannot perform this test reliably.
Instead, it sends a malformed RPC packet to trigger an error such as "Permission denied" or "RPC interface unavailable".
If the error RPC_X_BAD_STUB_DATA (1783) is returned, PingCastle considers that the interface is available.
A report that a vulnerable interface is online may not be accurate, because full exploitation is not tested.
To avoid EDR alerts, or simply to skip this scan, run PingCastle with the flag --skip-dc-rpc.
To effectively mitigate the vulnerability, consider one of the following approaches:
1. Apply the Group Policy Object (GPO) "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
Apply this GPO specifically to the Organizational Unit (OU) "Domain Controllers".
Caution: enabling this GPO might impact services that depend on NTLM, such as file-copy backups.
Consider setting the GPO to "Audit mode" initially to identify and assess the impact on affected services.
2. Enable RPC filters in the Windows Firewall:
Configure the Windows Firewall to block the specific interface IDs associated with vulnerable RPC interfaces.
This is done using the netsh command. See the documentation links for more information.
Exercise caution: this method filters the entire interface, not specific operation numbers (OpNum).
Adjust exceptions for necessary services to ensure critical functionality.
3. Implement external filters (e.g., EDR, firewalls):
Leverage third-party solutions, such as Endpoint Detection and Response (EDR) tools or firewalls.
Notable project: rpcfirewall https://github.com/zeronetworks/rpcfirewall, offering logical filtering at the OpNum level.
Be cautious of the potential impact and ensure compatibility with the existing infrastructure.
10 points if present
Documentation:https://github.com/p0dalirius/Coercer
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-firewall/
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| DCName | IP | Interface | Function | OpNum |
|---|---|---|---|---|
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | 192.168.253.52 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
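The table lists two interface UUIDs on EGIADC01. The script below is an added example (not PingCastle's own code) for the first two mitigations above: it reads where each DC stands on the outgoing NTLM restriction, lists what "Audit mode" would have blocked, and builds the netsh RPC filter for the two UUIDs from the table. It assumes WinRM access to the DCs and the ActiveDirectory module; the netsh part has to run on the DC itself as administrator.

```powershell
# Added example, not part of the PingCastle report.

# RestrictSendingNTLMTraffic is the registry value behind the policy
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
function Get-OutgoingNtlmRestriction {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
        switch ([int]$v) {
            2       { 'Deny all' }
            1       { 'Audit all' }
            default { 'Allow all (policy not set)' }
        }
    }
}

# In audit mode, event 8001 in the Microsoft-Windows-NTLM/Operational log
# records each outgoing NTLM authentication that "Deny all" would block;
# these are the services to review before switching the policy to "Deny all".
function Get-OutgoingNtlmAuditEvent {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Message
}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    '{0}: outgoing NTLM = {1}' -f $dc, (Get-OutgoingNtlmRestriction -ComputerName $dc)
    Get-OutgoingNtlmAuditEvent -ComputerName $dc | Format-Table -AutoSize -Wrap
}

# Mitigation 2: an RPC filter blocks the whole interface, not single OpNums,
# so every remote use of it stops (remote event log reading and remote print
# change notification for the two below). Test on one DC first.
$coercibleInterfaces = @(
    '82273fdc-e32a-18c3-3f78-827929dc23ea'   # EventLog service (ElfrOpenBELW in the table)
    '12345678-1234-abcd-ef00-0123456789ab'   # Print Spooler (RpcRemoteFindFirstPrinterChangeNotification*)
)

function New-RpcInterfaceBlockFilter {
    param([Parameter(Mandatory)][string[]]$InterfaceUuid)
    foreach ($uuid in $InterfaceUuid) {
        netsh rpc filter add rule layer=um actiontype=block | Out-Null
        netsh rpc filter add condition field=if_uuid matchtype=equal data=$uuid | Out-Null
        netsh rpc filter add filter | Out-Null
    }
    netsh rpc filter show filter   # keep this output with the change record
}
# New-RpcInterfaceBlockFilter -InterfaceUuid $coercibleInterfaces   # run on the DC itself
```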
A-DC-Spooler
Description:The purpose is to ensure that credentials cannot be extracted from the DC via its Print Spooler service
Technical explanation:When an account with unconstrained delegation is configured (which is fairly common) and the Print Spooler service is running on a computer, that computer's credentials can be sent to the system with unconstrained delegation by any domain user. With a domain controller, the TGT of the DC can be extracted, allowing an attacker to reuse it in a DCSync attack, obtain all user hashes and impersonate them.
Advised solution:The Print Spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
Points:10 points if present
Documentation:https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01 |
A-NotEnoughDC
Description:The purpose is to ensure the failure of one domain controller will not stop the domain.
Technical explanation:A single domain controller failure can lead to a lack of availability of the domain if the number of servers is too low. To have a minimum redundancy, the number of DC should be at least 2. For Labs, this rule can be ignored, and you can add this rule into the exception list.
Advised solution:Increase the number of domain controllers by installing new ones.
Points:5 points if the occurrence is strictly lower than 2
Documentation:https://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
The detail can be found in Domain controllers
A-DsHeuristicsLDAPSecurity
Description:The purpose is to identify domains in which the mitigation for CVE-2021-42291 is not enabled
Technical explanation:The way an Active Directory behaves can be controlled via the dsHeuristics attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
Two settings stored in this attribute, LDAPAddAuthZVerifications and LDAPOwnerModify, control the mitigation of CVE-2021-42291.
KB5008383 has introduced changes to the default security descriptor of the Computers container to add auditing and to limit computer creation by non-administrators.
Indeed, it is recommended not to let anyone create computer accounts, as they can be used to abuse Kerberos or to perform relay attacks.
The mitigations for CVE-2021-42291 consist of 3 possible values for each of 2 settings.
They are named LDAPAddAuthZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
For the expected values:
- With the value 0 (the default), an additional audit mechanism is enabled
- With the value 1 (recommended), the new security permissions are enforced, in particular requiring an action by a domain admin when unusual operations are performed
- With the value 2 (not recommended), the audit mechanism added by default is disabled and the new security permissions are not enabled
The easiest and fastest way to correct this issue is to replace the 28th and 29th characters of the dsHeuristics attribute.
The values of LDAPAddAuthZVerifications and LDAPOwnerModify should both be set to 1.
Follow the procedure embedded in KB5008383 to apply this mitigation and change the dsHeuristics value.
Note: the 10th and 20th characters are control characters ("1" and "2" respectively) that guard against accidental changes of the dsHeuristics attribute; they must be present when the attribute is extended.
Typically, if dsHeuristics is empty, the expected new value is 00000000010000000002000000011
Informative rule (0 point)
Documentation:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)
| Setting | Position | Value |
|---|---|---|
| LDAPAddAuthZVerifications | 28th | Not Set |
| LDAPOwnerModify | 29th | Not Set |
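Editing the 28th and 29th characters by hand is error-prone when the attribute is empty or shorter than 29 characters, because the control characters at positions 10 and 20 must be written too. The script below is an added example (not PingCastle's own code) that computes the new value while preserving every other position and applies it with Set-ADObject in -WhatIf mode. It requires the ActiveDirectory module and write access to the Configuration partition.

```powershell
# Added example, not part of the PingCastle report.

function Set-DsHeuristicsChar {
    param(
        [AllowEmptyString()][string]$Current,
        [Parameter(Mandatory)][int]$Position,   # 1-based, as in KB5008383 and MS-ADTS
        [Parameter(Mandatory)][char]$Value
    )
    $chars = [char[]]$Current
    # Pad with "0" up to the requested position. Every 10th position is a
    # control character carrying its own tens digit ("1" at 10, "2" at 20),
    # which AD uses to reject accidental changes to the attribute.
    while ($chars.Count -lt $Position) {
        $next = $chars.Count + 1
        $pad = if ($next % 10 -eq 0) { ([string][int]($next / 10))[0] } else { [char]'0' }
        $chars += $pad
    }
    $chars[$Position - 1] = $Value   # positions already present are overwritten, not shifted
    -join $chars
}

function Get-MitigatedDsHeuristics {
    param([AllowEmptyString()][string]$Current)
    $v = Set-DsHeuristicsChar -Current $Current -Position 28 -Value '1'   # LDAPAddAuthZVerifications
    Set-DsHeuristicsChar -Current $v -Position 29 -Value '1'              # LDAPOwnerModify
}

# From an empty attribute this produces 00000000010000000002000000011,
# the value quoted in the rule above.
Get-MitigatedDsHeuristics -Current ''

$dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity $dsPath -Properties dsHeuristics
$current = [string]$dsObject.dsHeuristics
$new = Get-MitigatedDsHeuristics -Current $current
"current: '{0}'  new: '{1}'" -f $current, $new

# Remove -WhatIf once the value has been reviewed: a wrong position changes
# unrelated directory behaviors.
Set-ADObject -Identity $dsObject -Replace @{ dsHeuristics = $new } -WhatIf
```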
A-NoServicePolicy
Description:The purpose is to give information regarding a best practice for the service account password policy. Indeed, having a password of 20 or more characters for these accounts greatly helps reduce the risk of Kerberoasting attacks (offline cracking of TGS tickets)
Note: PSOs (Password Settings Objects) are visible only if the user who collected the information has the permission to view them.
The rule is purely informative, as it gives insights regarding a best practice. It verifies whether there is a GPO or PSO enforcing a password of 20 or more characters for the service accounts.
Advised solution: The recommended way to handle service accounts is to use "Managed service accounts", introduced with Windows Server 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password policy guaranteeing a minimum password length of 20 characters.
Informative rule (0 point)
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
[MITRE]T1201 Password Policy Discovery
The detail can be found in Password Policies
A-NoNetSessionHardening
Description:The purpose is to ensure that mitigations are in place against the Bloodhound tool
Technical explanation:By default, Windows computers allow any authenticated user to enumerate network sessions to it.
This means an attacker could enumerate network sessions to a file share hosting home directories or a Domain Controller to see who's connected to SYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.
Bloodhound uses this capability extensively to map out credentials in the network.
Disabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).
If this mitigation is not part of the computer image, apply the following recommendations:
Run the NetCease PowerShell script (referenced below) on a reference workstation.
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next.
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ and select the check box for "SrvsvcSessionInfo", from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection.
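Added example (not from the report and not NetCease's own code): an audit function that reads the SrvsvcSessionInfo security descriptor from a host and reports whether Authenticated Users (S-1-5-11) can still enumerate sessions, which is what the procedure above is meant to remove; it assumes the Remote Registry service is reachable on remote hosts, and the host names in the sweep are constructed.

```powershell
# Report whether session enumeration is still open to Authenticated Users on a
# host, by inspecting the SrvsvcSessionInfo security descriptor that NetCease
# and the GPO preference item above modify.
function Test-NetSessionEnumHardened {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $subKey = 'SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($subKey)
        if ($null -eq $key) { throw "Key $subKey not found on $ComputerName" }
        [byte[]]$raw = $key.GetValue('SrvsvcSessionInfo')
    }
    finally {
        if ($key) { $key.Close() }
        $hive.Close()
    }

    # No value means the Server service falls back to its built-in descriptor,
    # which grants Authenticated Users the enumerate right: not hardened.
    if ($null -eq $raw) { return $false }

    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($raw, 0)
    $authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Any access-allowed ACE for S-1-5-11 means the NetCease change is absent.
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $authUsers) {
            return $false
        }
    }
    return $true
}

# Sweep a list of hosts (constructed names) and show which ones still need the fix.
$hosts = 'WS01', 'WS02', 'FS01'
$hosts | ForEach-Object {
    [pscustomobject]@{ ComputerName = $_; Hardened = (Test-NetSessionEnumHardened -ComputerName $_) }
}
```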
Informative rule (0 point)
Documentation:https://github.com/p0w3rsh3ll/NetCease
https://adsecurity.org/?p=3299
[MITRE]T1087.001 Account Discovery: Local Account
The detail can be found in Security settings
A-DnsZoneAUCreateChild
Description:The purpose is to check if Authenticated Users has the right to create DNS records
Technical explanation:When a computer is joined to a domain, a DNS record is created in the DnsZone to allow the computer to update its DNS settings.
By design, Microsoft chose to grant the group Authenticated Users (that is, every computer and user) the right to create DNS records.
Once created, only the owner keeps the right to edit the new object.
The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
Examples are creating a wildcard record (a record named "*"), creating a failover DNS record, or creating in advance a DNS record with the right permissions before the legitimate one exists.
As of today, this rule is considered "informative" because the default configuration where Authenticated Users can create DNS records is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.
The proposed enhancement is to replace the identity that has been granted the right to create DNS records (the CreateChild permission), from Authenticated Users to Domain Computers.
To perform this change, edit the permissions of the DNSZone object, which is located in the container CN=MicrosoftDNS,DC=DomainDnsZones.
Note that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.
The best mitigation is to create the DNS records manually as part of the domain join process and to revoke the permission granted to Authenticated Users.
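Added example (not PingCastle's code): a PowerShell function that lists the zones under CN=MicrosoftDNS whose ACL still grants CreateChild to Authenticated Users, i.e. the condition behind this rule and the DNSZone table below, so the change can be verified after the permission is moved to Domain Computers. It assumes the ActiveDirectory RSAT module and the AD: drive it creates; the function name is my own.

```powershell
# List DNS zones whose ACL grants CreateChild to Authenticated Users (S-1-5-11).
function Get-DnsZoneAuthenticatedUsersCreateChild {
    param(
        # Partition holding the zones; "DC=ForestDnsZones,..." can be passed as well.
        [string]$Partition = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    )
    $authUsers   = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    Get-ADObject -SearchBase "CN=MicrosoftDNS,$Partition" -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=dnsZone)' |
        ForEach-Object {
            $zone = $_
            $acl  = Get-Acl -Path ("AD:\" + $zone.DistinguishedName)
            # Keep only allow ACEs for Authenticated Users that include CreateChild;
            # identities are compared by SID so the check is locale-independent.
            $hits = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    DNSZone   = $zone.Name
                    # True when the ACE comes from the parent container rather than the zone itself.
                    Inherited = ($hits.IsInherited -contains $true)
                }
            }
        }
}

# Usage: zones still matching the rule, in the same shape as the report table.
Get-DnsZoneAuthenticatedUsersCreateChild | Format-Table -AutoSize
```

An empty result after the ACL change confirms that the rule no longer applies to the DomainDnsZones partition; run it again with the ForestDnsZones partition to cover forest-wide zones.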
Informative rule (0 point)
Documentation:https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE]T1557 Man-in-the-Middle
| DNSZone |
|---|
| 20.168.192.in-addr.arpa |
| 147.56.50.in-addr.arpa |
| 147.56.50.in-addr.arpa CNF:08160273-defb-4859-aa24-150122611381 |
| tradesandtools.com CNF:1ef04c1f-7515-4ef4-bdc7-d8893d08e62b |
| 253.168.192.in-addr.arpa |
| 252.168.192.in-addr.arpa |
| 10.168.192.in-addr.arpa |
| 11.168.192.in-addr.arpa |
| 12.168.192.in-addr.arpa |
This section shows the main technical characteristics of the domain.
| Domain | Netbios Name | Domain Functional Level | Forest Functional Level | Creation date | DC count | Schema version | Recycle Bin enabled |
|---|---|---|---|---|---|---|---|
| egia.com | EGIA | Windows Server 2016 | Windows Server 2016 | 2001-10-06 18:33:39Z | 1 | Windows Server 2019 | TRUE |
Here is the Azure AD configuration that has been found in the domain
| Tenant name | Tenant id | Kerberos Enabled |
|---|---|---|
| EGIA563.onmicrosoft.com ? | 482e9867-0585-418e-bb72-953ca4dc0306 | FALSE |
This section gives information about the user accounts stored in the Active Directory
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| accountinguser | 2015-10-12 14:34:13Z | Never | 2015-10-12 07:34:14Z | CN=Accountinguser,OU=Sacramento,DC=egia,DC=com |
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| asanders | 2017-08-11 19:51:20Z | 2017-08-11 12:53:55Z | 2017-08-11 12:51:20Z | CN=Andrea Sanders,OU=Sacramento,DC=egia,DC=com |
| aschuette | 2017-08-03 17:13:19Z | 2017-08-03 14:02:40Z | 2017-08-03 10:13:19Z | CN=Andrew Schuette,OU=Sacramento,DC=egia,DC=com |
| bbackup | 2010-11-28 16:01:14Z | 2019-03-23 20:57:54Z | 2010-11-28 08:01:14Z | CN=Barracuda Backup,CN=Users,DC=egia,DC=com |
| BCMBackup | 2012-11-27 22:16:25Z | Never | 2012-11-27 14:16:25Z | CN=BCM Backup,OU=Sacramento,DC=egia,DC=com |
| bjohnson | 2019-04-23 18:17:02Z | 2019-04-23 14:24:39Z | 2019-04-23 11:17:02Z | CN=Bill Johnson,CN=Users,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| blyle | 2024-02-09 18:34:18Z | 2024-02-09 14:12:22Z | 2024-02-09 10:34:18Z | CN=Brianna Lyle,OU=Sacramento,DC=egia,DC=com |
| bwhite | 2017-12-26 18:34:30Z | 2018-03-14 00:14:05Z | 2018-02-12 08:34:09Z | CN=Brionna White,CN=Users,DC=egia,DC=com |
| CallReportingAdmin | 2010-04-13 19:40:57Z | Never | 2015-06-04 09:30:12Z | CN=Call Reporting Admin,CN=Users,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| conference | 2015-01-14 18:34:20Z | 2023-01-04 07:52:51Z | 2017-01-20 06:45:40Z | CN=Conference,OU=Sacramento,DC=egia,DC=com |
| Consultant | 2002-09-17 17:27:04Z | 2020-09-08 09:31:41Z | 2010-11-21 13:30:35Z | CN=Consultant,OU=Retired,DC=egia,DC=com |
| contractorapp1 | 2016-05-10 17:26:18Z | Never | 2016-05-10 10:26:19Z | CN=ContractorApp1,OU=Sacramento,DC=egia,DC=com |
| contractorapp2 | 2016-05-10 17:26:58Z | Never | 2016-05-10 10:26:58Z | CN=ContractorApp2,OU=Sacramento,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| ctodd | 2019-02-25 23:16:57Z | Never | 2019-02-25 15:16:57Z | CN=CJ Todd,OU=Sacramento,DC=egia,DC=com |
| ddelgado | 2020-01-13 18:57:00Z | 2020-01-14 10:30:29Z | 2020-01-14 10:29:57Z | CN=David Delgado,OU=Sacramento,DC=egia,DC=com |
| ddoyle | 2017-08-23 19:06:42Z | 2017-08-25 15:30:00Z | 2017-08-23 12:06:42Z | CN=Dan Doyle,OU=Sacramento,DC=egia,DC=com |
| devteamvpn | 2018-03-09 20:54:37Z | 2021-02-07 19:25:14Z | 2021-02-07 19:25:13Z | CN=Dev Teamvpn,CN=Users,DC=egia,DC=com |
| dmunoz | 2019-07-10 21:47:00Z | 2019-07-10 14:57:47Z | 2019-07-10 14:57:35Z | CN=David Munoz,OU=Sacramento,DC=egia,DC=com |
| drentschler | 2016-10-18 19:15:38Z | 2021-06-15 09:35:25Z | 2016-12-22 10:40:11Z | CN=Danny Rentschler,OU=Sacramento,DC=egia,DC=com |
| dwilson | 2012-08-16 23:49:49Z | 2024-01-29 08:27:28Z | 2020-01-31 06:42:35Z | CN=Donica Wilson,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| dyashinsky | 2019-03-25 20:11:57Z | 2024-02-09 10:35:19Z | 2024-02-09 10:32:23Z | CN=Darrel Yashinsky,OU=Sacramento,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| egude | 2019-09-16 21:25:37Z | 2022-03-04 05:44:33Z | 2022-03-04 05:44:33Z | CN=Eric Gude,OU=Sacramento,DC=egia,DC=com |
| ehatton | 2023-10-12 16:29:29Z | 2023-10-12 09:32:43Z | 2023-10-12 09:29:29Z | CN=Eric Hatton,OU=Sacramento,DC=egia,DC=com |
| EMC | 2016-10-20 16:43:39Z | 2020-07-31 16:57:06Z | 2016-10-20 09:43:49Z | CN=EMC,OU=Sacramento,DC=egia,DC=com |
| epic | 2018-09-11 21:29:59Z | 2018-09-11 15:12:14Z | 2018-09-11 14:29:59Z | CN=epic event,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| fssa | 2016-11-15 18:46:41Z | 2021-09-05 06:18:02Z | 2016-11-15 10:46:41Z | CN=File Share Service Account,OU=Service Accounts,DC=egia,DC=com |
| gpotest | 2016-10-25 17:51:34Z | Never | 2016-10-28 14:29:32Z | CN=gpotest,OU=GPO Testing,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| hlopez | 2023-08-17 17:11:47Z | 2023-08-18 12:57:03Z | 2023-08-18 12:52:41Z | CN=Henry Lopez,OU=Sacramento,DC=egia,DC=com |
| homemakeovercontest | 2010-09-16 16:08:39Z | Never | 2010-09-16 09:08:39Z | CN=HomeMakeoverContest,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| Info | 2010-08-23 20:57:49Z | Never | 2010-08-23 13:57:59Z | CN=Info,CN=Users,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| itcsr | 2019-07-10 17:44:11Z | 2019-07-20 14:59:52Z | 2019-07-10 10:44:11Z | CN=IT csr,CN=Users,DC=egia,DC=com |
| itsupport | 2016-09-20 19:02:53Z | 2016-11-15 09:05:21Z | 2017-01-19 15:58:36Z | CN=IT Support,OU=Sacramento,DC=egia,DC=com |
| itvpnusr98W | 2018-07-18 21:28:28Z | 2022-02-24 15:35:16Z | 2022-02-03 14:16:00Z | CN=it vpn,CN=Users,DC=egia,DC=com |
| IUSER | 2010-08-31 18:37:47Z | 2021-07-20 04:59:01Z | 2010-08-31 11:37:47Z | CN=Internet User,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| jgalapon | 2019-04-23 18:15:05Z | 2019-04-23 14:24:17Z | 2019-04-23 11:15:05Z | CN=Juston Galapon,OU=Sacramento,DC=egia,DC=com |
| jmatulich | 2004-06-21 16:33:52Z | 2023-12-12 09:38:28Z | 2023-10-17 12:40:28Z | CN=Jeff Matulich,OU=Sacramento,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| lamador | 2020-02-24 22:29:55Z | 2021-03-18 14:25:48Z | 2020-02-24 14:29:55Z | CN=Leilani Amador,OU=Sacramento,DC=egia,DC=com |
| lehrbar | 2016-06-16 20:41:43Z | 2018-03-01 09:48:52Z | 2018-01-11 14:33:51Z | CN=Lucas Ehrbar,OU=Sacramento,DC=egia,DC=com |
| loaner | 2019-03-11 18:56:04Z | 2020-02-13 11:05:45Z | 2020-02-13 11:05:45Z | CN=loaner loaner,CN=Users,DC=egia,DC=com |
| malatorre | 2014-12-17 18:09:55Z | 2022-11-22 10:04:40Z | 2020-03-31 06:07:00Z | CN=Maria Alatorre,OU=Sacramento,DC=egia,DC=com |
| mayang | 2019-01-18 16:42:36Z | 2019-07-01 08:03:09Z | 2019-02-04 13:33:53Z | CN=Mai Yang2,CN=Users,DC=egia,DC=com |
| mbratsis | 2017-03-08 21:16:22Z | 2023-09-29 10:02:50Z | 2023-09-28 20:07:02Z | CN=Matthew Bratsis,OU=Sacramento,DC=egia,DC=com |
| mbratsis2 | 2020-01-17 16:28:52Z | 2021-04-29 16:28:28Z | 2020-01-17 08:28:52Z | CN=Matthew Bratsis2,OU=Sacramento,DC=egia,DC=com |
| mferreira | 2020-02-20 18:33:17Z | 2022-03-29 09:50:55Z | 2020-02-21 07:59:29Z | CN=Miguel Ferreira,OU=Sacramento,DC=egia,DC=com |
| mtech | 2019-03-19 20:55:34Z | 2022-12-13 18:52:49Z | 2020-06-15 16:25:19Z | CN=Martin tech,CN=Users,DC=egia,DC=com |
| mvitanza | 2023-08-17 17:16:02Z | 2023-08-18 08:03:47Z | 2023-08-17 10:16:02Z | CN=Marisa Vitanza,OU=Sacramento,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| myang | 2018-04-13 21:16:35Z | 2020-06-29 12:39:44Z | 2020-02-10 07:54:36Z | CN=Mai Yang,CN=Users,DC=egia,DC=com |
| mzan | 2017-08-07 17:00:09Z | 2018-01-04 11:43:39Z | 2018-01-04 11:43:21Z | CN=Matthew Zan,OU=Sacramento,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| nkahal | 2010-12-20 04:57:36Z | Never | 2011-12-26 12:25:15Z | CN=Niraj Kahal,OU=Sacramento,DC=egia,DC=com |
| nsingh | 2011-07-07 04:15:59Z | Never | 2023-06-07 14:29:43Z | CN=Navdeep Singh,OU=Sacramento,DC=egia,DC=com |
| nvaladez | 2023-08-17 18:23:24Z | 2023-11-01 12:49:03Z | 2023-08-17 11:23:24Z | CN=Nayeli Valadez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| PAQ | 2010-09-02 20:37:13Z | Never | 2010-09-02 13:37:23Z | CN=PAQ,OU=Rebates,DC=egia,DC=com |
| pbrokaw | 2023-11-22 02:07:37Z | Never | 2023-11-21 18:07:37Z | CN=Pat Brokaw,OU=Sacramento,DC=egia,DC=com |
| pmanager | 2010-11-21 21:28:03Z | Never | 2010-11-21 13:28:03Z | CN=Print Manager,CN=Users,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| Rebates | 2001-10-06 18:33:48Z | Never | 1600-12-31 16:00:00Z | CN=Rebate Process,OU=Rebates,DC=egia,DC=com |
| registrations | 2010-08-30 23:46:33Z | Never | 2010-08-30 16:46:33Z | CN=Registrations,CN=Users,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| rfaust | 2019-05-30 21:15:48Z | 2020-03-09 10:43:53Z | 2020-02-10 07:53:37Z | CN=Robin Faust,OU=Sacramento,DC=egia,DC=com |
| Ricoh | 2011-10-21 20:55:51Z | 2022-05-12 11:03:55Z | 2011-10-21 13:56:48Z | CN=Ricoh,CN=Users,DC=egia,DC=com |
| rmehra | 2012-07-11 06:02:30Z | Never | 2013-01-17 21:51:15Z | CN=Rishab Mehra,OU=Sacramento,DC=egia,DC=com |
| rmong | 2018-08-24 15:58:20Z | 2022-01-31 11:39:55Z | 2020-05-14 09:35:35Z | CN=Ricky Mong,CN=Users,DC=egia,DC=com |
| rpender | 2019-06-25 20:47:54Z | 2020-03-09 16:24:28Z | 2020-03-02 08:15:56Z | CN=Roger Pender,OU=Sacramento,DC=egia,DC=com |
| saccount | 2010-11-21 21:35:59Z | Never | 2010-11-21 13:35:59Z | CN=Service Account,CN=Users,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| sangeles | 2018-08-09 20:55:13Z | 2023-08-01 09:41:03Z | 2020-02-11 10:58:01Z | CN=Stephanie Angeles,OU=Sacramento,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| ScanRouterService | 2011-01-20 20:04:57Z | Never | 2011-01-20 12:14:44Z | CN=ScanRouterService,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| sfenger | 2024-01-16 18:01:36Z | 2024-01-22 07:53:37Z | 2024-01-16 10:01:36Z | CN=Samantha Fenger,OU=Sacramento,DC=egia,DC=com |
| sharyl | 2017-01-16 22:49:14Z | 2017-03-01 14:34:10Z | 2017-03-01 14:32:43Z | CN=sharyl,OU=Sacramento,DC=egia,DC=com |
| skillian | 2015-12-16 16:20:23Z | 2020-03-17 07:42:31Z | 2015-12-16 08:20:24Z | CN=Scott Killian,OU=Sacramento,DC=egia,DC=com |
| slathar | 2011-01-04 18:12:28Z | 2021-07-17 11:55:18Z | 2023-06-07 14:35:01Z | CN=Sunil Lather,OU=Sacramento,DC=egia,DC=com |
| smercado | 2018-08-15 17:12:46Z | 2022-06-19 21:10:52Z | 2020-04-10 07:30:44Z | CN=Samara Mercado,CN=Users,DC=egia,DC=com |
| socalwatersmart | 2011-08-16 04:00:46Z | Never | 2011-08-15 21:00:46Z | CN=SoCalWaterSmart,CN=Users,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 13:57:32Z | 2017-07-13 10:08:10Z | CN=sonicwall admin,CN=Users,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| spiceworks | 2016-09-22 16:51:38Z | 2020-05-13 03:41:47Z | 2016-10-11 06:12:25Z | CN=SpiceWorks,OU=Service Accounts,DC=egia,DC=com |
| SQLJobs | 2011-03-10 01:08:39Z | 2021-07-22 16:01:16Z | 2011-03-09 17:08:39Z | CN=SQLJobs,CN=Users,DC=egia,DC=com |
| sqlserveralert | 2001-11-14 22:23:36Z | Never | 2001-11-14 15:09:20Z | CN=SQLServer Alert,CN=Users,DC=egia,DC=com |
| SSRS | 2010-08-24 23:56:48Z | 2020-06-16 09:12:07Z | 2010-08-24 16:56:48Z | CN=SQL Server Reporting Services,CN=Users,DC=egia,DC=com |
| ssymons | 2017-08-23 19:05:31Z | 2017-08-23 12:29:36Z | 2017-08-23 12:05:31Z | CN=Shelby Symons,OU=Sacramento,DC=egia,DC=com |
| support | 2003-11-19 22:37:59Z | Never | 2003-11-19 14:38:00Z | CN=Support,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| svc_prod_sql | 2014-08-12 03:15:59Z | Never | 2014-08-11 20:15:59Z | CN=Production SQL Service,OU=Service Accounts,DC=egia,DC=com |
| svcDevSQLServer | 2010-12-30 05:20:06Z | 2021-07-12 06:46:36Z | 2010-12-29 21:20:06Z | CN=DEV SQL Service,CN=Users,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tech | 2007-05-08 15:37:42Z | Never | 2012-02-03 14:51:52Z | CN=Tech,CN=Users,DC=egia,DC=com |
| techadmin | 2019-05-31 17:04:45Z | Never | 2019-05-31 10:04:45Z | CN=tecch admin,CN=Users,DC=egia,DC=com |
| test | 2013-04-15 18:54:26Z | 2022-11-07 11:42:04Z | 2017-01-20 06:45:04Z | CN=Test,OU=Sacramento,DC=egia,DC=com |
| tpiper | 2007-04-19 15:08:14Z | 2021-07-24 22:55:15Z | 2015-08-07 10:50:09Z | CN=Todd Piper,OU=Sacramento,DC=egia,DC=com |
| tpollack | 2015-08-24 17:23:40Z | 2023-03-10 11:32:41Z | 2020-02-04 08:24:45Z | CN=Toviah Pollack,OU=Sacramento,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| VipreService | 2011-01-20 19:58:42Z | Never | 2011-06-27 23:55:45Z | CN=VipreService,CN=Users,DC=egia,DC=com |
| vmadmin | 2016-08-23 21:50:09Z | 2020-06-26 05:15:08Z | 2016-08-23 14:50:09Z | CN=VM Ware Admin,OU=Sacramento,DC=egia,DC=com |
| vpntest2 | 2016-09-30 16:13:35Z | Never | 2016-09-30 09:13:36Z | CN=vpntest2,CN=Users,DC=egia,DC=com |
| webmaster | 2001-11-14 22:23:36Z | Never | 2010-12-06 13:52:35Z | CN=Webmaster,CN=Users,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| aarevalo | 2013-05-22 15:23:55Z | 2024-06-10 10:00:22Z | 2024-03-21 10:20:36Z | CN=Adriana Arevalo,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| AccountingTemp | 2012-08-14 16:54:44Z | 2024-08-06 07:42:28Z | 2017-01-24 08:43:23Z | CN=Accounting Temp,OU=Sacramento,DC=egia,DC=com |
| acowden | 2024-04-16 18:09:25Z | Never | 2024-06-06 08:33:55Z | CN=Ashley Cowden,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| ADSyncAdmin-Local | 2024-02-21 20:56:43Z | 2024-02-21 12:57:48Z | 2024-07-28 11:03:12Z | CN=ADSyncAdmin-Local,OU=Service Accounts,DC=egia,DC=com |
| ahuerta | 2024-03-08 04:00:46Z | 2024-08-05 09:51:53Z | 2024-03-27 11:20:41Z | CN=Arturo Huerta,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| aschindler | 2024-05-02 21:06:23Z | Never | 2024-07-10 11:55:41Z | CN=Angela Schindler,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| bbackup | 2010-11-28 16:01:14Z | 2019-03-23 20:57:54Z | 2010-11-28 08:01:14Z | CN=Barracuda Backup,CN=Users,DC=egia,DC=com |
| BCMBackup | 2012-11-27 22:16:25Z | Never | 2012-11-27 14:16:25Z | CN=BCM Backup,OU=Sacramento,DC=egia,DC=com |
| bfernandez | 2014-07-11 16:10:54Z | 2020-04-02 13:10:54Z | 2024-04-18 11:52:02Z | CN=Breanna Fernandez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| bhollandsworth | 2010-04-14 17:14:15Z | 2023-09-28 09:56:25Z | 2024-04-29 11:02:25Z | CN=Brenda Hollandsworth,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| blyle | 2024-02-09 18:34:18Z | 2024-02-09 14:12:22Z | 2024-02-09 10:34:18Z | CN=Brianna Lyle,OU=Sacramento,DC=egia,DC=com |
| bmatulich | 2003-08-19 21:08:08Z | 2024-08-10 07:25:54Z | 2022-10-18 17:59:03Z | CN=Bruce Matulich,OU=Sacramento,DC=egia,DC=com |
| CallReportingAdmin | 2010-04-13 19:40:57Z | Never | 2015-06-04 09:30:12Z | CN=Call Reporting Admin,CN=Users,DC=egia,DC=com |
| cbuege | 2019-03-07 20:24:09Z | 2022-04-28 14:56:28Z | 2024-05-21 13:19:00Z | CN=Carrie Buege,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ccramer | 2014-07-25 20:03:05Z | 2024-08-13 13:25:44Z | 2020-02-14 06:02:29Z | CN=Clinton Cramer,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| conference | 2015-01-14 18:34:20Z | 2023-01-04 07:52:51Z | 2017-01-20 06:45:40Z | CN=Conference,OU=Sacramento,DC=egia,DC=com |
| Consultant | 2002-09-17 17:27:04Z | 2020-09-08 09:31:41Z | 2010-11-21 13:30:35Z | CN=Consultant,OU=Retired,DC=egia,DC=com |
| contractorapp1 | 2016-05-10 17:26:18Z | Never | 2016-05-10 10:26:19Z | CN=ContractorApp1,OU=Sacramento,DC=egia,DC=com |
| contractorapp2 | 2016-05-10 17:26:58Z | Never | 2016-05-10 10:26:58Z | CN=ContractorApp2,OU=Sacramento,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| crolbiecki | 2024-03-21 22:19:36Z | 2024-07-18 09:30:28Z | 2024-04-15 15:13:11Z | CN=Clinton Rolbiecki,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ctodd | 2019-02-25 23:16:57Z | Never | 2019-02-25 15:16:57Z | CN=CJ Todd,OU=Sacramento,DC=egia,DC=com |
| ddecoster | 2024-05-15 20:36:52Z | Never | 2024-05-15 13:41:01Z | CN=Donna Decoster,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ddelgado | 2020-01-13 18:57:00Z | 2020-01-14 10:30:29Z | 2020-01-14 10:29:57Z | CN=David Delgado,OU=Sacramento,DC=egia,DC=com |
| drentschler | 2016-10-18 19:15:38Z | 2021-06-15 09:35:25Z | 2016-12-22 10:40:11Z | CN=Danny Rentschler,OU=Sacramento,DC=egia,DC=com |
| dthao | 2014-07-11 20:28:48Z | 2022-12-25 23:44:22Z | 2024-04-11 12:18:53Z | CN=Darlene Thao,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| dvinokurov | 2024-06-28 15:06:56Z | Never | 2024-06-28 08:06:56Z | CN=David Vinokurov,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| dwilson | 2012-08-16 23:49:49Z | 2024-01-29 08:27:28Z | 2020-01-31 06:42:35Z | CN=Donica Wilson,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| dyashinsky | 2019-03-25 20:11:57Z | 2024-02-09 10:35:19Z | 2024-02-09 10:32:23Z | CN=Darrel Yashinsky,OU=Sacramento,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| egonzalez | 2024-04-23 18:12:17Z | Never | 2024-04-23 11:12:17Z | CN=Edgar Gonzalez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ehatton | 2023-10-12 16:29:29Z | 2023-10-12 09:32:43Z | 2023-10-12 09:29:29Z | CN=Eric Hatton,OU=Sacramento,DC=egia,DC=com |
| ejavaid | 2010-12-02 14:38:38Z | 2024-05-21 11:33:55Z | 2011-12-08 16:17:21Z | CN=Eddie Javaid,OU=Sacramento,DC=egia,DC=com |
| emarquez | 2024-05-28 19:19:45Z | 2024-05-28 12:24:42Z | 2024-07-11 12:02:11Z | CN=Elena Marquez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| EMC | 2016-10-20 16:43:39Z | 2020-07-31 16:57:06Z | 2016-10-20 09:43:49Z | CN=EMC,OU=Sacramento,DC=egia,DC=com |
| epic | 2018-09-11 21:29:59Z | 2018-09-11 15:12:14Z | 2018-09-11 14:29:59Z | CN=epic event,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| fssa | 2016-11-15 18:46:41Z | 2021-09-05 06:18:02Z | 2016-11-15 10:46:41Z | CN=File Share Service Account,OU=Service Accounts,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| hlopez | 2023-08-17 17:11:47Z | 2023-08-18 12:57:03Z | 2023-08-18 12:52:41Z | CN=Henry Lopez,OU=Sacramento,DC=egia,DC=com |
| homemakeovercontest | 2010-09-16 16:08:39Z | Never | 2010-09-16 09:08:39Z | CN=HomeMakeoverContest,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| Info | 2010-08-23 20:57:49Z | Never | 2010-08-23 13:57:59Z | CN=Info,CN=Users,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| itsonicwall | 2019-08-01 23:45:55Z | 2024-08-05 10:13:14Z | 2019-08-01 16:45:55Z | CN=IT SonicWall,OU=Service Accounts,DC=egia,DC=com |
| itvpnusr98W | 2018-07-18 21:28:28Z | 2022-02-24 15:35:16Z | 2022-02-03 14:16:00Z | CN=it vpn,CN=Users,DC=egia,DC=com |
| IUSER | 2010-08-31 18:37:47Z | 2021-07-20 04:59:01Z | 2010-08-31 11:37:47Z | CN=Internet User,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| jbetancourt | 2024-08-06 17:19:27Z | Never | 2024-08-06 10:19:27Z | CN=Jessica Betancount,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| jchandler | 2003-11-17 17:07:04Z | 2024-05-15 12:03:52Z | 2018-02-09 13:43:17Z | CN=Jeremy Chandler,OU=Sacramento,DC=egia,DC=com |
| jmadrigal | 2014-12-29 17:39:09Z | 2024-08-13 07:38:01Z | 2024-03-07 14:14:18Z | CN=Jessica Madrigal,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| jmiller | 2016-06-30 20:56:47Z | 2024-08-07 00:41:03Z | 2024-03-07 14:13:30Z | CN=Justine Miller,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| jmorris | 2024-07-03 19:03:02Z | Never | 2024-07-03 12:03:02Z | CN=Jen Morris,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| jvaladez | 2013-05-20 13:55:31Z | 2024-03-19 09:00:55Z | 2020-06-17 17:00:36Z | CN=Jose Valadez,OU=Sacramento,DC=egia,DC=com |
| kguerrero | 2015-04-20 13:34:27Z | 2022-12-28 15:34:54Z | 2024-04-05 08:01:36Z | CN=Karla Guerrero,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| kong | 2024-07-02 22:06:40Z | Never | 2024-07-02 15:06:41Z | CN=Katrina Ong,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ksatterwhite | 2015-02-06 19:58:58Z | 2022-09-16 09:19:28Z | 2024-05-03 14:14:33Z | CN=Kimberley Satterwhite,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| lamador | 2020-02-24 22:29:55Z | 2021-03-18 14:25:48Z | 2020-02-24 14:29:55Z | CN=Leilani Amador,OU=Sacramento,DC=egia,DC=com |
| ldisney | 2013-03-25 15:44:51Z | 2024-08-04 18:08:57Z | 2024-06-19 14:44:38Z | CN=Laurie Disney,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| lgopa2 | 2024-04-08 20:40:21Z | 2024-08-13 09:18:47Z | 2024-04-08 13:40:21Z | CN=Larisa Gopa2,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| madisondisney | 2024-03-14 18:03:52Z | 2024-08-05 07:37:50Z | 2024-03-14 11:34:38Z | CN=Madison Disney,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| malatorre | 2014-12-17 18:09:55Z | 2022-11-22 10:04:40Z | 2020-03-31 06:07:00Z | CN=Maria Alatorre,OU=Sacramento,DC=egia,DC=com |
| mayang | 2019-01-18 16:42:36Z | 2019-07-01 08:03:09Z | 2019-02-04 13:33:53Z | CN=Mai Yang2,CN=Users,DC=egia,DC=com |
| mbratsis | 2017-03-08 21:16:22Z | 2023-09-29 10:02:50Z | 2023-09-28 20:07:02Z | CN=Matthew Bratsis,OU=Sacramento,DC=egia,DC=com |
| mbratsis2 | 2020-01-17 16:28:52Z | 2021-04-29 16:28:28Z | 2020-01-17 08:28:52Z | CN=Matthew Bratsis2,OU=Sacramento,DC=egia,DC=com |
| mbryant | 2024-05-09 21:01:37Z | Never | 2024-05-09 14:01:37Z | CN=Molly Bryant,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| mdegenhardt | 2023-09-15 20:21:59Z | 2023-09-15 13:26:36Z | 2024-07-02 12:27:00Z | CN=Matthew Degenhardt,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| mferreira | 2020-02-20 18:33:17Z | 2022-03-29 09:50:55Z | 2020-02-21 07:59:29Z | CN=Miguel Ferreira,OU=Sacramento,DC=egia,DC=com |
| mkelley | 2024-03-08 04:17:12Z | 2024-05-17 13:17:36Z | 2024-05-21 10:25:42Z | CN=Martha Kelley,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| MSOL_bd60f9d632d0 | 2024-02-08 14:14:29Z | 2024-08-09 15:32:48Z | 2024-02-21 14:26:27Z | CN=MSOL_bd60f9d632d0,CN=Users,DC=egia,DC=com |
| mtech | 2019-03-19 20:55:34Z | 2022-12-13 18:52:49Z | 2020-06-15 16:25:19Z | CN=Martin tech,CN=Users,DC=egia,DC=com |
| mvitanza | 2023-08-17 17:16:02Z | 2023-08-18 08:03:47Z | 2023-08-17 10:16:02Z | CN=Marisa Vitanza,OU=Sacramento,DC=egia,DC=com |
| mwalker | 2024-03-21 22:22:43Z | 2024-03-21 15:30:02Z | 2024-03-21 15:22:43Z | CN=Mary Walker,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| myang | 2018-04-13 21:16:35Z | 2020-06-29 12:39:44Z | 2020-02-10 07:54:36Z | CN=Mai Yang,CN=Users,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| nodom | 2015-06-22 14:19:08Z | 2024-08-05 09:21:49Z | 2024-02-29 13:08:42Z | CN=Nathaniel Odom,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| nsingh | 2011-07-07 04:15:59Z | Never | 2023-06-07 14:29:43Z | CN=Navdeep Singh,OU=Sacramento,DC=egia,DC=com |
| nvaladez | 2023-08-17 18:23:24Z | 2023-11-01 12:49:03Z | 2023-08-17 11:23:24Z | CN=Nayeli Valadez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| PAQ | 2010-09-02 20:37:13Z | Never | 2010-09-02 13:37:23Z | CN=PAQ,OU=Rebates,DC=egia,DC=com |
| pbrokaw | 2023-11-22 02:07:37Z | Never | 2023-11-21 18:07:37Z | CN=Pat Brokaw,OU=Sacramento,DC=egia,DC=com |
| pkeating | 2024-05-23 19:44:45Z | Never | 2024-05-29 13:56:52Z | CN=PJ Keating,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| pmanager | 2010-11-21 21:28:03Z | Never | 2010-11-21 13:28:03Z | CN=Print Manager,CN=Users,DC=egia,DC=com |
| pwhite | 2024-05-01 16:44:43Z | Never | 2024-05-01 09:44:43Z | CN=Paris White,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| registrations | 2010-08-30 23:46:33Z | Never | 2010-08-30 16:46:33Z | CN=Registrations,CN=Users,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| rfaust | 2019-05-30 21:15:48Z | 2020-03-09 10:43:53Z | 2020-02-10 07:53:37Z | CN=Robin Faust,OU=Sacramento,DC=egia,DC=com |
| Ricoh | 2011-10-21 20:55:51Z | 2022-05-12 11:03:55Z | 2011-10-21 13:56:48Z | CN=Ricoh,CN=Users,DC=egia,DC=com |
| rmong | 2018-08-24 15:58:20Z | 2022-01-31 11:39:55Z | 2020-05-14 09:35:35Z | CN=Ricky Mong,CN=Users,DC=egia,DC=com |
| rwilliams | 2018-08-02 21:29:05Z | 2024-07-02 15:44:46Z | 2024-05-02 11:33:24Z | CN=Rhonda Williams,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| saccount | 2010-11-21 21:35:59Z | Never | 2010-11-21 13:35:59Z | CN=Service Account,CN=Users,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| sangeles | 2018-08-09 20:55:13Z | 2023-08-01 09:41:03Z | 2020-02-11 10:58:01Z | CN=Stephanie Angeles,OU=Sacramento,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| ScanRouterService | 2011-01-20 20:04:57Z | Never | 2011-01-20 12:14:44Z | CN=ScanRouterService,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| sfenger | 2024-01-16 18:01:36Z | 2024-01-22 07:53:37Z | 2024-01-16 10:01:36Z | CN=Samantha Fenger,OU=Sacramento,DC=egia,DC=com |
| skillian | 2015-12-16 16:20:23Z | 2020-03-17 07:42:31Z | 2015-12-16 08:20:24Z | CN=Scott Killian,OU=Sacramento,DC=egia,DC=com |
| slee | 2018-08-08 21:31:38Z | 2021-06-20 07:32:12Z | 2024-04-05 05:32:33Z | CN=Somaey Lee,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| smccrary | 2020-03-09 20:10:33Z | 2023-08-31 08:40:22Z | 2024-06-13 13:25:09Z | CN=Sharon McCrary,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| smercado | 2018-08-15 17:12:46Z | 2022-06-19 21:10:52Z | 2020-04-10 07:30:44Z | CN=Samara Mercado,CN=Users,DC=egia,DC=com |
| smiller | 2024-05-09 19:22:18Z | Never | 2024-05-09 12:22:18Z | CN=Sarnai Miller,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| socalwatersmart | 2011-08-16 04:00:46Z | Never | 2011-08-15 21:00:46Z | CN=SoCalWaterSmart,CN=Users,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 13:57:32Z | 2017-07-13 10:08:10Z | CN=sonicwall admin,CN=Users,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| spiceworks | 2016-09-22 16:51:38Z | 2020-05-13 03:41:47Z | 2016-10-11 06:12:25Z | CN=SpiceWorks,OU=Service Accounts,DC=egia,DC=com |
| SQLJobs | 2011-03-10 01:08:39Z | 2021-07-22 16:01:16Z | 2011-03-09 17:08:39Z | CN=SQLJobs,CN=Users,DC=egia,DC=com |
| sspray | 2024-05-08 21:40:54Z | Never | 2024-05-08 14:40:54Z | CN=Stephanie Spray,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| SSRS | 2010-08-24 23:56:48Z | 2020-06-16 09:12:07Z | 2010-08-24 16:56:48Z | CN=SQL Server Reporting Services,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| svc_prod_sql | 2014-08-12 03:15:59Z | Never | 2014-08-11 20:15:59Z | CN=Production SQL Service,OU=Service Accounts,DC=egia,DC=com |
| svcDevSQLServer | 2010-12-30 05:20:06Z | 2021-07-12 06:46:36Z | 2010-12-29 21:20:06Z | CN=DEV SQL Service,CN=Users,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tech | 2007-05-08 15:37:42Z | Never | 2012-02-03 14:51:52Z | CN=Tech,CN=Users,DC=egia,DC=com |
| techadmin | 2019-05-31 17:04:45Z | Never | 2019-05-31 10:04:45Z | CN=tecch admin,CN=Users,DC=egia,DC=com |
| test | 2013-04-15 18:54:26Z | 2022-11-07 11:42:04Z | 2017-01-20 06:45:04Z | CN=Test,OU=Sacramento,DC=egia,DC=com |
| tfelczak | 2023-08-17 17:07:56Z | 2023-08-17 12:27:59Z | 2024-08-07 09:11:23Z | CN=Tiffany Felczak,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| tgibson | 2003-09-22 15:49:18Z | 2024-03-07 14:25:41Z | 2024-03-07 14:15:01Z | CN=Teresa Gibson,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| tle | 2010-08-23 15:26:48Z | 2024-08-13 12:28:43Z | 2012-11-28 15:21:13Z | CN=Tuan Le,OU=Sacramento,DC=egia,DC=com |
| tpiper | 2007-04-19 15:08:14Z | 2021-07-24 22:55:15Z | 2015-08-07 10:50:09Z | CN=Todd Piper,OU=Sacramento,DC=egia,DC=com |
| tpollack | 2015-08-24 17:23:40Z | 2023-03-10 11:32:41Z | 2020-02-04 08:24:45Z | CN=Toviah Pollack,OU=Sacramento,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| ttrybul | 2023-09-21 20:25:11Z | 2023-09-22 12:43:30Z | 2024-07-26 12:25:31Z | CN=Tammy Trybul,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| twilliamson | 2024-05-03 19:46:29Z | Never | 2024-05-09 06:36:44Z | CN=Tim Williamson,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| uagslaptop | 2024-07-25 14:52:52Z | Never | 2024-07-25 07:52:52Z | CN=uags laptop,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| VipreService | 2011-01-20 19:58:42Z | Never | 2011-06-27 23:55:45Z | CN=VipreService,CN=Users,DC=egia,DC=com |
| vmadmin | 2016-08-23 21:50:09Z | 2020-06-26 05:15:08Z | 2016-08-23 14:50:09Z | CN=VM Ware Admin,OU=Sacramento,DC=egia,DC=com |
| vperrault | 2024-02-09 18:39:05Z | 2024-08-08 11:15:58Z | 2024-03-15 14:03:43Z | CN=Veronica Perrault,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |

| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| Rebates | 2001-10-06 18:33:48Z | Never | 1600-12-31 16:00:00Z | CN=Rebate Process,OU=Rebates,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| sqlserveralert | 2001-11-14 22:23:36Z | Never | 2001-11-14 15:09:20Z | CN=SQLServer Alert,CN=Users,DC=egia,DC=com |
| support | 2003-11-19 22:37:59Z | Never | 2003-11-19 14:38:00Z | CN=Support,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
Here is the distribution where the password has been changed for the last time. Only enabled user accounts are analyzed (no guest account for example).
This section gives information about the computer accounts stored in the Active Directory
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| DESKTOP-1ROLPJI$ | 2018-05-14 21:13:38Z | 2021-03-10 07:24:53Z | 2021-03-10 07:24:54Z | CN=DESKTOP-1ROLPJI,CN=Computers,DC=egia,DC=com |
| DESKTOP-8KLEBP4$ | 2022-05-11 15:44:45Z | 2023-12-20 15:13:06Z | 2023-05-23 12:32:50Z | CN=DESKTOP-8KLEBP4,OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
| DESKTOP-90810I8$ | 2020-02-05 17:53:42Z | 2022-06-06 10:06:33Z | 2022-06-03 07:59:09Z | CN=DESKTOP-90810I8,CN=Computers,DC=egia,DC=com |
| DESKTOP-95N1LDC$ | 2023-08-17 17:49:06Z | 2023-11-01 12:47:18Z | 2023-11-01 13:02:13Z | CN=DESKTOP-95N1LDC,CN=Computers,DC=egia,DC=com |
| DESKTOP-FIT3S1H$ | 2021-07-08 17:58:32Z | 2022-11-22 10:04:47Z | 2022-11-22 10:17:21Z | CN=DESKTOP-FIT3S1H,CN=Computers,DC=egia,DC=com |
| DESKTOP-H4C5MT3$ | 2021-12-28 15:13:07Z | 2021-12-28 07:13:07Z | 2021-12-28 07:13:07Z | CN=DESKTOP-H4C5MT3,CN=Computers,DC=egia,DC=com |
| DESKTOP-L8EA86Q$ | 2023-09-21 22:37:46Z | 2023-09-21 15:37:50Z | 2023-09-21 15:37:50Z | CN=DESKTOP-L8EA86Q,OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
| DESKTOP-TQH2330$ | 2023-08-30 23:15:50Z | 2023-08-30 16:15:51Z | 2023-08-30 16:15:50Z | CN=DESKTOP-TQH2330,CN=Computers,DC=egia,DC=com |
| DONICA-WIN10LAP$ | 2019-05-07 21:02:57Z | 2024-01-29 08:27:30Z | 2024-01-29 08:42:29Z | CN=DONICA-WIN10LAP,CN=Computers,DC=egia,DC=com |
| EGIA500$ | 2024-01-22 15:59:04Z | 2024-01-22 07:59:04Z | 2024-01-22 07:59:04Z | CN=EGIA500,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-480$ | 2023-08-01 16:21:13Z | 2023-08-01 09:21:13Z | 2023-08-01 09:21:13Z | CN=EGIA-LAP-480,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-481$ | 2023-07-25 21:04:44Z | 2023-07-25 14:04:45Z | 2023-07-25 14:04:44Z | CN=EGIA-LAP-481,OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
| EGIA-LAP-484$ | 2023-08-16 21:03:22Z | 2023-08-16 14:03:23Z | 2023-08-16 14:03:22Z | CN=EGIA-LAP-484,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-488$ | 2023-09-28 17:19:08Z | 2023-09-28 10:35:12Z | 2023-09-28 10:19:08Z | CN=EGIA-LAP-488,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-503$ | 2024-02-09 18:36:56Z | 2024-02-09 10:36:57Z | 2024-02-09 10:36:56Z | CN=EGIA-LAP-503,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-504$ | 2024-02-09 22:13:04Z | 2024-02-09 14:13:05Z | 2024-02-09 14:13:04Z | CN=EGIA-LAP-504,CN=Computers,DC=egia,DC=com |
| WIN10-RFAUST$ | 2019-06-05 17:26:13Z | 2020-03-09 10:43:52Z | 2020-03-12 07:25:14Z | CN=WIN10-RFAUST,CN=Computers,DC=egia,DC=com |

| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| EGIADC01$ | 2022-09-02 21:47:01Z | 2024-08-06 12:17:55Z | 2024-07-30 11:20:08Z | CN=EGIADC01,OU=Domain Controllers,DC=egia,DC=com |
If you need to find the computers running a specific OS, we advise using PingCastle.exe and the export / computers feature available from the main menu. The computer details are not included in the report for performance reasons: including them would significantly increase the report size and the time needed to load it.
| Operating System | Nb OS | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb unconstrained delegations | Nb Reversible password |
|---|---|---|---|---|---|---|---|---|---|
| OperatingSystem not set | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
| unknown | 6 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 0 |
| Mac OS X | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| EMC Celerra File Server | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows Server 2022 | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 1 | 0 |
| Windows Server 2003 SP2 | 4 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 2000 Server | 5 | 0 | 5 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows Server 2008 R2 | 11 | 0 | 11 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows XP | 18 | 0 | 18 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows Server 2008 | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 2000 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 7 | 128 | 2 | 126 | 2 | 0 | 0 | 0 | 0 | 0 |
| Windows 7 | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows Server 2008 R2 | 8 | 0 | 8 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 8.1 | 17 | 0 | 17 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 8 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1507 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1703 | 3 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1709 | 4 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows Server 2016 1607 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1803 | 9 | 0 | 9 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1809 | 8 | 1 | 7 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 1511 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1903 | 9 | 0 | 9 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 1909 | 6 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 2004 | 9 | 0 | 9 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 20H2 | 11 | 1 | 10 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 21H1 | 14 | 1 | 13 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 22H2 | 24 | 11 | 13 | 10 | 1 | 0 | 0 | 0 | 0 |
| Windows 11 21H2 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 |
| Windows 10 21H2 | 15 | 2 | 13 | 0 | 2 | 0 | 0 | 0 | 0 |
| Windows Server 2012 R2 | 2 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 |
| Windows 11 22H2 | 14 | 7 | 7 | 0 | 7 | 0 | 0 | 0 | 0 |
| Windows 11 23H2 | 21 | 21 | 0 | 18 | 3 | 0 | 0 | 0 | 0 |
Here is a specific zoom related to the Active Directory servers: the domain controllers.
| Domain controller | Operating System | Creation Date | Startup Time | Uptime | Owner | Null sessions | SMB v1 | Remote spooler | FSMO role | WebDAV |
|---|---|---|---|---|---|---|---|---|---|---|
| EGIADC01 | Windows 2022 | 2022-09-02 21:47:01Z | 2024-04-11 20:17:44Z | 124 days | EGIA\Domain Admins | NO | NO | YES | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master | NO |
No data is available in the report or no computers are enforcing LAPS.
This section is focused on the groups which are critical for admin activities. If the report has been saved with the full details, each group can be zoomed into with its members. If not, for privacy reasons, only general statistics are available.
| Group Name | Nb Admins | Nb Enabled | Nb Disabled | Nb Inactive | Nb Pwd never expire | Nb Smart Card required | Nb Service accounts | Nb can be delegated | Nb external users | Nb protected users |
|---|---|---|---|---|---|---|---|---|---|---|
| Account Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Administrators | 5 | 4 | 1 | 0 | 3 | 0 | 0 | 0 | 0 | 1 |
| Backup Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Publishers | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Dns Admins | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Domain Administrators | 3 | 2 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 1 |
| Enterprise Administrators | 4 | 3 | 1 | 0 | 2 | 0 | 0 | 0 | 0 | 1 |
| Enterprise Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Print Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Replicator | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Schema Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Server Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

| SamAccountName | Enabled | Active | Pwd never Expired | Locked | Smart Card required | Service account | Flag Cannot be delegated present | Creation date | Last login | Password last set | In Protected Users | Distinguished name |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Administrator | NO | NO | NO | NO | NO | NO | YES | 2001-10-06 18:33:47Z | 2021-07-19 23:25:17Z | 2015-04-08 09:31:00Z | NO | CN=Administrator,OU=Groups,DC=egia,DC=com |
| ccramer | YES | YES | YES | NO | NO | NO | YES | 2014-07-25 20:03:05Z | 2024-08-13 13:25:44Z | 2020-02-14 06:02:29Z | NO | CN=Clinton Cramer,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ejavaid | YES | YES | YES | NO | NO | NO | YES | 2010-12-02 14:38:38Z | 2024-05-21 11:33:55Z | 2011-12-08 16:17:21Z | NO | CN=Eddie Javaid,OU=Sacramento,DC=egia,DC=com |
| itsonicwall | YES | YES | YES | NO | NO | NO | YES | 2019-08-01 23:45:55Z | 2024-08-05 10:13:14Z | 2019-08-01 16:45:55Z | NO | CN=IT SonicWall,OU=Service Accounts,DC=egia,DC=com |
| mwservice | YES | YES | NO | NO | NO | NO | YES | 2023-10-16 16:55:28Z | 2024-08-13 14:36:24Z | 2024-08-13 14:36:58Z | YES | CN=MW Service,OU=Service Accounts,DC=egia,DC=com |
Here is the distribution of the last logon of privileged users. Only enabled accounts are analyzed.
Here is the distribution of the password age for privileged users. Only enabled accounts are analyzed.
The specific rights defined for each Organizational Unit (OU) are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| DC=egia | EGIA\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL |
| DC=egia | EGIA\Exchange Enterprise Servers | WriteDacl |
| DC=egia | EGIA\MSOL_bd60f9d632d0 | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL, EXT_RIGHT_FORCE_CHANGE_PWD |
| CN=Keys | EGIA\Domain Controllers | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=Keys | EGIA\Enterprise Key Admins | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=Keys | EGIA\Key Admins | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=MicrosoftDNS,CN=System | EGIA\DnsAdmins | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=RAS and IAS Servers Access Check,CN=System | EGIA\RAS and IAS Servers | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=WMIPolicy,CN=System | EGIA\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| CN=SOM,CN=WMIPolicy,CN=System | EGIA\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
In particular for AD database access (DCSync, AADConnect, ...).
This section focuses on permissions issues that can be exploited to take control of the domain.
This is an advanced section that should be examined after having looked at the Admin Groups section.
This analysis focuses on accounts found in control path and located in other domains.
No operative link with other domains has been found.
This part tries to summarize in a single table if major issues have been found.
Focus on finding critical objects such as the Everyone group then try to decrease the number of objects having indirect access.
The detail is displayed below.
| Priority to remediate | Critical Object Found | Number of objects with Indirect | Max number of indirect numbers | Max ratio |
|---|---|---|---|---|
| Critical | NO | 0 | 0 | 0 |
| High | NO | 0 | 0 | 0 |
| Medium | NO | 1 | 4 | 0 |
| Other | NO | 0 | 0 | 0 |
If the report has been saved with the full details, each object can be zoomed into with its full detail. If not, for privacy reasons, only general statistics are available.
| Group or user account | Priority | Users member | Computer member of the group | Indirect control | Unresolved members | Links | Detail |
|---|---|---|---|---|---|---|---|
| Account Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
| Administrator | Critical | | | 0 | 0 | None | Analysis |
| Administrators | Critical | 5 (Details) | 0 | 0 | 0 | None | Analysis |
| Backup Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Publishers | Other | 0 | 3 (Details) | 0 | 0 | None | Analysis |
| Dns Admins | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Domain Administrators | Critical | 3 (Details) | 0 | 0 | 0 | None | Analysis |
| Enterprise Administrators | Critical | 4 (Details) | 0 | 0 | 0 | None | Analysis |
| Enterprise Key Administrators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Key Administrators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Print Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Replicator | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Schema Administrators | Critical | 0 | 0 | 0 | 0 | None | Analysis |
| Server Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
If the report has been saved with the full details, each object can be zoomed into with its full detail. If not, for privacy reasons, only general statistics are available.
| Group or user account | Priority | Users member | Computer member of the group | Indirect control | Unresolved members | Links | Detail |
|---|---|---|---|---|---|---|---|
| Builtin OU | Medium | | | 0 | 0 | None | Analysis |
| Certificate store | Medium | | | 0 | 0 | None | Analysis |
| Computers container | Medium | | | 0 | 0 | None | Analysis |
| Domain Controllers | Critical | 0 | 1 (Details) | 0 | 0 | None | Analysis |
| Domain Root | Medium | | | 4 (Details) | 0 | None | Analysis |
| Enterprise Read Only Domain Controllers | Other | 0 | 0 | 0 | 0 | None | Analysis |
| Group Policy Creator Owners | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Krbtgt account | Medium | | | 0 | 0 | None | Analysis |
| Read Only Domain Controllers | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Users container | Medium | | | 0 | 0 | None | Analysis |
This section focuses on the relations that this domain has with other domains
This part displays the direct links that this domain has with other domains.
| Trust Partner | Type | Attribute | Direction | SID Filtering active | TGT Delegation | Creation | Is Active | Algorithm |
|---|---|---|---|---|---|---|---|---|
These are the domains that PingCastle was able to detect but which are not related to direct trusts. They may be children of a forest or bastion domains.
| Reachable domain | Discovered using | Netbios | Creation date |
|---|---|---|---|
This detects trusted certificates which can be used in man-in-the-middle attacks, or which can issue smart card logon certificates.
Number of trusted certificates: 0
This section lists certificate templates which can be used to generate a certificate. A misconfiguration can allow an attacker to create their own certificate and use it to impersonate other users.
Number of certificate templates: 11
| Name | Destination | Manager approval | Enrollee can supply subject | Issuance requirements | Vulnerable ACL | Everyone can enroll | Agent template | Any purpose | For Authentication | Flag No Security |
|---|---|---|---|---|---|---|---|---|---|---|
| User | User | NO | NO | NO | NO | YES | NO | NO | YES | NO |
| UserSignature | User | NO | NO | NO | NO | YES | NO | NO | YES | NO |
| EFS | User | NO | NO | NO | NO | YES | NO | NO | NO | NO |
| Administrator | User | NO | NO | NO | NO | NO | NO | NO | YES | NO |
| EFSRecovery | User | NO | NO | NO | NO | NO | NO | NO | NO | NO |
| CodeSigning | User | NO | NO | NO | NO | NO | NO | NO | NO | NO |
| Machine | Computer | NO | NO | NO | NO | YES | NO | NO | YES | NO |
| DomainController | Computer | NO | NO | NO | NO | NO | NO | NO | YES | NO |
| WebServer | Computer | NO | YES | NO | NO | NO | NO | NO | NO | NO |
| SubCA | Computer | NO | YES | NO | NO | NO | NO | YES | YES | NO |
| ExchangeUser | User | NO | YES | NO | NO | NO | NO | NO | NO | NO |
The delegations for certificate templates are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | EGIA\Domain Controllers | Enroll |
| CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Users | Enroll |
| CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Computers | Enroll |
| CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Users | Enroll |
| CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Users | Enroll |
Azure AD Connect helps maintain a synchronization between the Active Directory and Azure AD. Azure AD Connect servers should be considered as Tier 0, as they usually have the right to read the hashes of the user passwords.
| Identifier | Computer | Tenant | IsEnabled | Created | LastLogon | PwdLastSet | Computer object found |
|---|---|---|---|---|---|---|---|
| bd60f9d632d0462e920a96a28db9cee0 | EGIADC01 | egia.org | TRUE | 2024-02-08 14:14:29Z | 2024-08-09 15:32:48Z | 2024-02-21 14:26:27Z | TRUE |
WSUS settings allow workstations and servers located on the intranet to be updated. The reference documentation is here. Here are the settings found in GPO.
| Policy Name | WSUS Server | UseWUServer | ElevateNonAdmins | AUOptions | NoAutoUpdate | NoAutoRebootWithLoggedOnUsers |
|---|---|---|---|---|---|---|
Exchange is Microsoft's mail server. Because it is deeply integrated into the Active Directory, it is a component to be monitored.
PingCastle is checking objects of type msExchExchangeServer and the schema to provide the information below.
Exchange schema installation: 2001-11-14 21:40:40Z
The Exchange schema version is : Exchange 2003 RTM
| Name | In service date | Version | Proxy |
|---|---|---|---|
| WHITE | 2008-05-30 22:03:51Z | Version 6.5 (Build 7638.2: Service Pack 2) | |
| RED | 2001-11-14 21:40:40Z | Version 6.0 (Build 4712.7: Service Pack 1) | |
SCCM, or under its more recent name Microsoft Endpoint Manager, is the Microsoft tool used to manage workstations and servers. It is typically used to deploy packages.
PingCastle is checking objects of type mSSMSManagementPoint and the schema to provide the information below.
| Name | Version | Client operational version | AAD TenantID | AAD TenantName |
|---|---|---|---|---|
Service Connection Points are configuration objects stored in the AD that expose services to all computers.
| Service | Class | DNS | Binding Info | DN |
|---|---|---|---|---|
| AD LDS | LDAP | EGIAVC02.egia.com | ldaps://EGIAVC02.egia.com:636 ldap://EGIAVC02.egia.com:389 | CN={3554f926-e5f9-41b5-aaf7-dc22b4cfb969},CN=EGIAVC02,OU=Disabled Computer Accounts,DC=egia,DC=com |
| AD LDS | LDAP | EGIAVC01.egia.com | ldaps://EGIAVC01.egia.com:636 ldap://EGIAVC01.egia.com:389 | CN={ea6a59f2-368a-44a4-859c-a40a41032d79},CN=EGIAVC01,OU=Disabled Computer Accounts,DC=egia,DC=com |
| RDS Gateway | TSGateway | EGIAWeb01.egia.com | 443 | CN=TSGateway,CN=EGIAWEB01,OU=Disabled Computer Accounts,DC=egia,DC=com |
This section checks for known pain points in AES activation and RC4 removal for Kerberos.
This section is here to evaluate the known problems when removing RC4. If you plan to do so, you should check all the items highlighted below and proceed with a small group of test computers.
Please see the following articles:
This program will check the following:
This program starts by determining for how long the infrastructure in place has been compatible with AES.
This is done by retrieving the creation date of the group 'Read-Only Domain Controllers', which is linked to the first DC compatible with AES (Windows Server 2008).
Installation date of the first DC compatible with AES: 2010-08-08 19:43:20Z
All passwords saved after this date have their hash saved with both RC4 and AES.
To issue Kerberos tickets, the krbtgt account holding the Kerberos secret key must have had its password changed AFTER the installation of the first DC compatible with AES.
Last krbtgt change: 2024-08-14 11:51:31Z
OK
To support AES, all DCs must be at least Windows Server 2008.
| Domain Controller | OS | AES compatible |
|---|---|---|
| EGIADC01 | Windows 2022 | Yes |
OK
To be used over trusts, AES requires the trust to support this algorithm. This is done through the special attribute msDS-SupportedEncryptionTypes.
Be aware that checking 'The other domain supports Kerberos AES Encryption' in the trust properties disables RC4. This check is not recommended during the migration phase.
No trust detected
OK
To be used over Azure, the special AzureSSO account must be setup to support AES.
No AzureAD SSO detected
OK
Kerberos tickets for services are signed with the password hash of the service account. The service account must be declared as compatible to handle AES. This is done through the special attribute named msDS-SupportedEncryptionTypes or by checking 'This account supports Kerberos AES XXX bit encryption' in the account properties.
The service account must also have a password newer than the first DC compatible with AES. If there was no password change, the creation date must be newer than the first DC compatible with AES.
If a service account is not compatible, you will receive error messages like 'The encryption type requested is not supported by the KDC'. See the following KB for SharePoint or SCCM errors:
Number of service account found without AES configuration: 39
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| Rebates | 2001-10-06 18:33:48Z | Never | 1600-12-31 16:00:00Z | CN=Rebate Process,OU=Rebates,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| sqlserveralert | 2001-11-14 22:23:36Z | Never | 2001-11-14 15:09:20Z | CN=SQLServer Alert,CN=Users,DC=egia,DC=com |
| support | 2003-11-19 22:37:59Z | Never | 2003-11-19 14:38:00Z | CN=Support,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
Not OK
The algorithm to use for Kerberos requests is decided by a local GPO, which is overwritten by the domain GPO.
Here is the list of domain GPOs altering the Kerberos algorithms:
| Policy Name | Algorithm ? | AES compatible | RC4 compatible |
|---|---|---|---|
OK
Beware that no GPO supporting AES / RC4 has been found; if the supported algorithm is not defined in the master, AES will not be enabled by default.
This section focuses on security checks specific to the Active Directory environment.
The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).
Last backup date: 2024-03-26 06:01:47Z
LAPS is used to have a unique local administrator password on all workstations / servers of the domain. This password is then changed at a fixed interval. The risk is when a local administrator hash is retrieved and used on other workstations in a pass-the-hash attack. Please note that the LAPS schema is installed on the forest and, as a consequence, the installation date can be before the domain creation date.
Mitigation: have a process that runs when a new workstation is created, or install LAPS and apply it through a GPO.
Legacy LAPS installation date: Never
Ms LAPS installation date: Never
Windows Event Forwarding is a native mechanism used to collect logs on all workstations / servers of the domain. Microsoft recommends using Windows Event Forwarding to help with intrusion detection. Here is the list of servers configured for WEF found in GPO:
Number of WEF configuration found: 0
The account password for the krbtgt account should be rotated twice yearly at a minimum. More frequent password rotations are recommended, with 40 days being the current recommendation by ANSSI. Additional rotations based on external events, such as the departure of an employee who had privileged network access, are also strongly recommended.
You can perform this action using this script
You can use the version gathered using replication metadata from two reports to guess the frequency of the password change or if the two consecutive resets have been done. Version starts at 1.
Kerberos password last changed: 2024-08-14 11:51:31Z version: 4
This control detects accounts which are former 'unofficial' admins. Indeed when an account belongs to a privileged group, the attribute admincount is set. If the attribute is set without being an official member, this is suspicious. To suppress this warning, the attribute admincount of these accounts should be removed after review.
Number of accounts to review: 0
This control detects if one of the attributes userPassword or unixUserPassword has been set on accounts. Indeed, these attributes are designed to store encrypted secrets for unix (or mainframe) interconnection. However, in the large majority of cases, interconnected systems are poorly designed and the user password is stored in these attributes in clear text or poorly encrypted. The userPassword attribute is also used in classic LDAP systems to change the user password by setting its value. But, with Active Directory, it is considered by default as a normal attribute: writing it doesn't trigger a password change but instead exposes the password in clear text.
Number of accounts to review: 0
This control detects if one of the attributes javaCodebase, javaFactory or javaClassname has been set on accounts. Indeed, these attributes are designed to add custom code to AD objects when running Java code. However, they can be abused to run code on servers having the flag com.sun.jndi.ldap.object.trustURLCodebase set to true. This is a vulnerability similar to the log4shell vulnerability.
Java Schema extension: Not Found
No active user account found with Java code
You can check here for backdoors or typos in the scriptPath attribute
| Script Name | Count |
|---|---|
| None | 157 |
| admin.vbs | 9 |
| login.bat | 4 |
| rebate.vbs | 4 |
| marketing.vbs | 3 |
| account.vbs | 2 |
This section displays advanced information, if any has been found.
Hardened Paths configuration
| Policy Name | Key | RequireIntegrity | RequireMutualAuthentication | RequirePrivacy |
|---|---|---|---|---|
| Default Domain Policy (New) ? | \\*\NETLOGON | Required | Required | |
| Default Domain Policy (New) ? | \\*\SYSVOL | Required | Required | |
Note: PSO (Password Settings Objects) will be visible only if the user, which collected the information, has the permission to view it.
PSO shown in the report will be prefixed by "PSO:"
| Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account lockout counter after |
|---|---|---|---|---|---|---|---|---|---|
| Default Domain Policy (New) ? | True | 60 day(s) | 0 day | 8 | 2 | False | 999 | 1 minute(s) | 1 minute(s) |
These are the settings related to screensavers stored in Group Policies. Each non-compliant setting is written in red.
| Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds) |
|---|---|---|---|---|
This section focuses on security settings stored in the Active Directory technical security policies.
Passwords in GPOs are obfuscated, not encrypted. Consider any passwords listed here as compromised and change them immediately.
Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.
| GPO Name | User or group | Member of |
|---|---|---|
| SQL Servers Group Policy | EGIA\Database Admins | BUILTIN\Administrators |
| SQL Servers Group Policy | EGIA\Database Admins | BUILTIN\Remote Desktop Users |
A GPO can be used to deploy security settings to workstations.
The best practice out of the default security baseline is reported in green.
The following settings in red are unusual and may need to be reviewed.
Each setting is accompanied with its value and a link to the GPO explanation.
You will find below the checks where no occurrences have been found.
| Policy Name | Setting | Value |
|---|---|---|
| Default Domain Policy (New) ? | Turn off multicast name resolution (Technical details) | LLMNR disabled |
| Default Domain Policy (New) ? | Powershell: Turn on Module logging | Enabled |
| Default Domain Policy (New) ? | Powershell: Turn on Powershell Script Block logging | Enabled |
Audit settings allow the system to generate logs which are useful to detect intrusions. Here are the settings found in GPO.
Simple audit events are described here and Advanced audit events are described here
You can get a list of all audit settings with the command line: auditpol.exe /get /category:* (source)
Simple audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy. Simple audit settings are named [Simple Audit].
Advanced audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Policy Configuration. This category is displayed below.
| Policy Name | Category | Setting | Value |
|---|---|---|---|
| Default Domain Controllers Policy ? | [Simple Audit] | Audit system events | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit logon events | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit object access | Unchanged |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit privilege use | Unchanged |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit policy change | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit account management | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit process tracking | Success |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit directory service access | Success |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit account logon events | Success and Failure |
| Default Domain Controllers Policy ? | Account Logon | Kerberos Authentication Service | Success and Failure |
| Default Domain Controllers Policy ? | Account Logon | Kerberos Service Ticket Operations | Success |
| Default Domain Controllers Policy ? | Account Management | Computer Account Management | Success |
| Default Domain Controllers Policy ? | Account Management | Distribution Group Management | Success |
| Default Domain Controllers Policy ? | Account Management | Security Group Management | Success |
| Default Domain Controllers Policy ? | Account Management | User Account Management | Success and Failure |
| Default Domain Controllers Policy ? | Detailed Tracking | DPAPI Activity | Success |
| Default Domain Controllers Policy ? | Detailed Tracking | Process Creation | Success |
| Default Domain Controllers Policy ? | Detailed Tracking | Process Termination | Success |
| Default Domain Controllers Policy ? | DS Access | Directory Service Access | Success |
| Default Domain Controllers Policy ? | DS Access | Directory Service Changes | Success |
| Default Domain Controllers Policy ? | Logon/Logoff | Logoff | Success |
| Default Domain Controllers Policy ? | Logon/Logoff | Logon | Success and Failure |
| Default Domain Controllers Policy ? | Logon/Logoff | Network Policy Server | Success and Failure |
| Default Domain Controllers Policy ? | Logon/Logoff | Other Logon/Logoff | Success |
| Default Domain Controllers Policy ? | Logon/Logoff | Special Logon | Success |
| Default Domain Controllers Policy ? | Object Access | Other Object Access | Success |
| Default Domain Controllers Policy ? | Policy Change | Authentication Policy Change | Success |
| Default Domain Controllers Policy ? | Policy Change | Authorization Policy Change | Success |
| Default Domain Controllers Policy ? | Privilege Use | Sensitive Privilege Use | Success |
| Default Domain Controllers Policy ? | System | Security State Change | Success |
| Default Domain Controllers Policy ? | System | Security System Extension | Success |
Giving privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPrivilege gives the right to act as SYSTEM, which has more privileges than the administrator account.
| GPO Name | Privilege | Members |
|---|---|---|
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | EGIA\SQLServer2005MSSQLUser$BLUE$BKUPEXEC |
| Default Domain Controllers Policy ? | SeBackupPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Server Operators |
| SQL Servers Group Policy ? | SeTcbPrivilege | EGIA\svc_prod_sql |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Backup Operators |
| SQL Servers Group Policy ? | SeAssignPrimaryTokenPrivilege | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | SeImpersonatePrivilege | Administrators |
| SQL Servers Group Policy ? | SeImpersonatePrivilege | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | SeImpersonatePrivilege | NT AUTHORITY\SERVICE |
| SQL Servers Group Policy ? | SeManageVolumePrivilege | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | SeManageVolumePrivilege | Administrators |
| Default Domain Controllers Policy ? | SeCreateTokenPrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeDebugPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeLoadDriverPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeRestorePrivilege | Administrators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeSecurityPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeSecurityPrivilege | EGIA\Exchange Enterprise Servers |
| Default Domain Controllers Policy ? | SeTakeOwnershipPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeTcbPrivilege | EGIA\SQLServer2005MSSQLUser$BLUE$BKUPEXEC |
| Default Domain Controllers Policy ? | SeTcbPrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeTcbPrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeEnableDelegationPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Domain Administrators |
| Default Domain Controllers Policy ? | SeSyncAgentPrivilege | <empty> |
Login authorization and restriction can be set by GPOs. Indeed, by default, everyone is allowed to log in on every computer except domain controllers. Defining login restrictions is a way to have different isolated tiers. Here are the settings found in GPOs.
| GPO Name | Privilege | Members |
|---|---|---|
| SQL Servers Group Policy ? | Deny log on locally ? | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | Deny logon through Remote Desktop Services ? | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | Allow logon through Remote Desktop Services ? | EGIA\Database Admins |
| SQL Servers Group Policy ? | Log on as a service ? | EGIA\svc_prod_sql |
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\Administrator |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_DCC1DW01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_DCH6NP01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_DEV |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_NT-SERVER |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_DCC1DW01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_DCH6NP01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_DEV |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_NT-SERVER |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\SQLServer2005MSSQLUser$BLUE$BKUPEXEC |
| Default Domain Controllers Policy ? | Allow log on locally ? | TsInternetUser |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Account Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | Administrators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\Administrator |
| Default Domain Controllers Policy ? | Allow log on locally ? | Domain Administrators |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\ILS_ANONYMOUS_USER |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_DCC1DW01 |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_DCH6NP01 |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_DEV |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_NT-SERVER |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IWAM_NT-SERVER |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\Oulook Web |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\TsInternetUser |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Print Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Administrators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Authenticated Users |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Everyone |
| Default Domain Controllers Policy ? | Log on as a service ? | EGIA\ADSyncMSA93402$ |
| Default Domain Controllers Policy ? | Log on as a service ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Log on as a service ? | EGIA\Administrator |
A GPO login script is a way to force the execution of code on behalf of users. Only enabled users are analyzed.
A GPO can be used to deploy applications or copy files. These files may be controlled by a third party to control the execution of local programs.