This section focuses on the core security indicators.
Locate the sub-process determining the score and fix some rules in that area to get a score improvement.
Domain Risk Level: 100 / 100
It is the maximum score of the 4 indicators and one score cannot be higher than 100. The lower the better
Stale Object : 100 /100
It is about operations related to user or computer objects
16 rules matched
Trusts : 0 /100
It is about connections between two Active Directories
0 rules matched
Privileged Accounts : 100 /100
It is about administrators of the Active Directory
12 rules matched
Anomalies : 100 /100
It is about specific security control points
20 rules matched
| Stale Objects | Privileged accounts | Trusts | Anomalies | |
|---|---|---|---|---|
Inactive user or computer | Account take over | Old trust protocol | Audit | |
Network topography | ACL Check | SID Filtering | Backup | |
Object configuration | Admin control | SIDHistory | Certificate take over | |
Obsolete OS | Control paths | Trust impermeability | Golden ticket | |
Old authentication protocols | Delegation Check | Trust inactive | Local group vulnerability | |
Provisioning | Irreversible change | Trust with Azure | Network sniffing | |
Replication | Privilege control | Pass-the-credential | ||
Vulnerability management | Read-Only Domain Controllers | Password retrieval | ||
Reconnaissance | ||||
Temporary admins | ||||
Weak password |
This section represents the maturity score (inspired from ANSSI).
Maturity Level:
Maturity levels:
6 rule(s) matched
12 rule(s) matched
22 rule(s) matched
7 rule(s) matched
1 rule(s) matched
To reach Level 2 you need to fix the following rules:
P-Kerberoasting
Description:The purpose is to ensure that the password of admin accounts cannot be retrieved using the Kerberoast attack.
Technical explanation:To access a service using Kerberos, a user requests a ticket (named TGS) to the DC specific to the service.
This ticket is encrypted using a derivative of the service password, but can be brute-forced to retrieve the original password.
Any account having the attribute SPN populated is considered as a service account.
Given that any user can request a ticket for a service account, these accounts can have their password retrieved.
In addition, services are known to have their password not changed at a regular basis and to use well-known words.
Please note that this program ignores service accounts that had their password changed in the last 40 days ago to support using password rotation as a mitigation.
If the account is a service account, the service should be removed from the privileged group or have a process to change its password at a regular basis.
If the user is a person, the SPN attribute of the account should be removed.
5 points per discovery
Documentation:https://adsecurity.org/?p=3466
[FR]ANSSI - Privileged accounts with SPN (vuln1_spn_priv)1
[MITRE]T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
The detail can be found in Admin Groups
| Group | User |
|---|---|
| Administrators | Administrator |
| Domain Administrators | Administrator |
| Enterprise Administrators | Administrator |
| Schema Administrators | Administrator |
P-ServiceDomainAdmin
Description:The purpose is to check for accounts with non-expiring passwords in the "Domain Administrator" group
Technical explanation:PingCastle is checking accounts with never expiring password, that are mostly used as service accounts.
"Service Accounts" can imply a high security risk as their password are stored in clear text in the LSA database, which can then be easily exploited using Mimikatz or Cain&Abel for instance. In addition, their passwords don't change and can be used in Kerberoast attacks.
Accounts with never expiring passwords are mostly service accounts.
To mitigate the security risk, it is strongly advised to lower the privileges of the "Service Accounts", meaning that they should be removed from the "Domain Administrator" group, while ensuring that the password of each and every "Service Account" is longer than 20 characters
15 points if the occurence is greater than or equals than 2
Documentation:[FR]ANSSI - Privileged accounts with never-expiring passwords (vuln1_dont_expire_priv)1
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R11 [subsection.2.5]
[US]STIG V-36432 - Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[MITRE]T1003.004 OS Credential Dumping: LSA Secrets
The detail can be found in Admin Groups
S-Inactive
Description:The purpose is to ensure that there are as few inactive accounts as possible within the domain. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization.
Technical explanation:Inactive accounts often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount –AccountInActive –UsersOnly –TimeSpan 180:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName.
Points:10 points if the occurence is greater than or equals than 25
Documentation:[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[FR]ANSSI - Dormant accounts (vuln1_user_accounts_dormant)1
The detail can be found in User information and Computer information
P-AdminPwdTooOld
Description:The purpose is to ensure that all admins are changing their passwords at least every 3 years
Technical explanation:This rule ensure that passwords of administrator are well managed.
Advised solution:We advised to read the ANSSI guidelines about this, which is quoted in the documentation section below.
10 points if present
Documentation:[FR]ANSSI - Privileged account passwords age too old (vuln1_password_change_priv)1
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
| Account | Creation | LastChanged |
|---|---|---|
| itsonicwall | 2019-08-01 23:45:55Z | 2019-08-01 16:45:55Z |
| BCMBackup | 2012-11-27 22:16:25Z | 2012-11-27 14:16:25Z |
| nkahal | 2010-12-20 04:57:36Z | 2011-12-26 12:25:15Z |
| rmehra | 2012-07-11 06:02:30Z | 2013-01-17 21:51:15Z |
| VipreService | 2011-01-20 19:58:42Z | 2011-06-27 23:55:45Z |
| saccount | 2010-11-21 21:35:59Z | 2010-11-21 13:35:59Z |
| pmanager | 2010-11-21 21:28:03Z | 2010-11-21 13:28:03Z |
| vmadmin | 2016-08-23 21:50:09Z | 2016-08-23 14:50:09Z |
| tle | 2010-08-23 15:26:48Z | 2012-11-28 15:21:13Z |
| tpiper | 2007-04-19 15:08:14Z | 2015-08-07 10:50:09Z |
| Consultant | 2002-09-17 17:27:04Z | 2010-11-21 13:30:35Z |
| devteamvpn | 2018-03-09 20:54:37Z | 2021-02-07 19:25:13Z |
| jvaladez | 2013-05-20 13:55:31Z | 2020-06-17 17:00:36Z |
| gpotest | 2016-10-25 17:51:34Z | 2016-10-28 14:29:32Z |
| ccramer | 2014-07-25 20:03:05Z | 2020-02-14 06:02:29Z |
| ejavaid | 2010-12-02 14:38:38Z | 2011-12-08 16:17:21Z |
| sharyl | 2017-01-16 22:49:14Z | 2017-03-01 14:32:43Z |
| spiceworks | 2016-09-22 16:51:38Z | 2016-10-11 06:12:25Z |
| itsupport | 2016-09-20 19:02:53Z | 2017-01-19 15:58:36Z |
| bkagent | 2002-05-07 14:37:57Z | 2002-09-26 15:32:26Z |
| Arcserve | 2001-10-06 18:33:48Z | 2001-01-19 11:20:31Z |
| Administrator | 2001-10-06 18:33:47Z | 2015-04-08 09:31:00Z |
| techadmin | 2019-05-31 17:04:45Z | 2019-05-31 10:04:45Z |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 10:08:10Z |
| mtech | 2019-03-19 20:55:34Z | 2020-06-15 16:25:19Z |
| fssa | 2016-11-15 18:46:41Z | 2016-11-15 10:46:41Z |
S-DC-2008
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2008 as Domain Controller within the domain
Technical explanation:The OS Windows Server 2008 is not supported anymore by Microsoft (except when migrated to Azure, until January 9, 2024) and any vulnerability found will not be patched.
Advised solution:To resolve this security risk, the only way is to decommission DCs running Windows Server 2008 OS, in order to use new versions that are more secure and that are still being patched regarding new security threats
Points:5 points if present
Documentation:https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[US]STIG V-8551 - The domain functional level must be at a Windows Server version still supported by Microsoft.
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R12 [subsection.3.1]
The operating system of domain controllers can be found in Domain controllers
A-WeakRSARootCert
Description:The purpose is to ensure that there is no use of a certificate using a weak RSA key
Technical explanation:A RSA key certificate with a modulus under 1024 bits is considered unsafe
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:5 points if present
Documentation:https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/commercial-national-security-algorithm-suite-factsheet.cfm
https://www.ssi.gouv.fr/guide/cryptographie-les-regles-du-rgs/
[MITRE]T1600.001 Weaken Encryption: Reduce Key Space
[US]STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
[FR]ANSSI - Weak or vulnerable certificates (vuln1_certificates_vuln)1
The detail can be found in Certificates
| Source | Subject | Module | Expires |
|---|---|---|---|
| NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com | 512 | 11/2/2003 2:44:17 PM |
To reach Level 3 you need to fix the following rules:
A-Krbtgt
Description:The purpose is to alert when the password for the krbtgt account can be used to compromise the whole domain. This password can be used to sign every Kerberos ticket. Monitoring it closely often mitigates the risk of golden ticket attacks greatly.
Technical explanation:Kerberos is an authentication protocol. It is using a secret, stored as the password of the krbtgt account, to sign its tickets. If the hash of the password of the krbtgt account is retrieved, it can be used to generate authentication tickets at will.
To mitigate this attack, it is recommended to change the krbtgt password between 40 days and 6 months. If this is not the case, every backup done until the last password change of the krbtgt account can be used to emit Golden tickets, compromising the entire domain.
Retrieval of this secret is one of the highest priority in an attack, as this password is rarely changed and offer a long term backdoor.
Also this attack can be performed using the former password of the krbtgt account. That's why the krbtgt password should be changed twice to invalidate its leak.
The password of the krbtgt account should be changed twice to invalidate the golden ticket attack.
Beware: two changes of the krbtgt password not replicated to domain controllers can break these domain controllers You should wait at least 10 hours between each krbtgt password change (this is the duration of a ticket life).
There are several possibilities to change the krbtgt password.
First, a Microsoft script can be run in order to guarantee the correct replication of these secrets.
Second, a more manual way is to essentially reset the password manually once, then to wait 3 days (this is a replication safety delay), then to reset it again. This is the safest way as it ensures the password is no longer usable by the Golden ticket attack.
50 points if the occurence is greater than or equals than 1464
then 40 points if the occurence is greater than or equals than 1098
then 30 points if the occurence is greater than or equals than 732
then 20 points if the occurence is greater than or equals than 366
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtgt-reset/ba-p/2367838
https://github.com/microsoft/New-KrbtgtKeys.ps1
https://github.com/PSSecTools/Krbtgt
[FR]ANSSI CERTFR-2014-ACT-032
[FR]ANSSI - Krbtgt account password unchanged for more than a year (vuln2_krbtgt)2
[MITRE]T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket
The detail can be found in Krbtgt
S-OldNtlm
Description:The purpose is to check if NTLMv1 or LM can be used by DC
Technical explanation:NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically used when a hacker sniffs the network and tries to retrieve NTLM hashes which can then be used to impersonate users.
This attack can be combined with coerced authentication attacks - a hacker forces the DC to connect to a controlled host.
In this case, NTLMv1 can be specified so the hacker can retrieve the NTLM hash of the DC, impersonates it and then take control of the domain.
This attack is still possible with NTLMv2 but this is more difficult.
Windows has default security settings regarding LM/NTLM. Windows XP: Send LM & NTLM responses, Windows Server 2003: Send NTLM response only, Vista/2008: Win7/2008 R2: Send NTLMv2 response only.
However Domain Controllers have relaxed default settings to accept the connection of older operating systems.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC fall back to the non secure default.
After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level" which can be accessed in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The policy will be applied after a computer reboot.
Beware that you may break software which is not compatible with Ntlmv2 such as very old Linux stacks or very old Windows before Windows Vista.
But please note that Ntlmv2 can be activited on all Windows starting Windows 95 and other operating systems.
15 points if present
Documentation:https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]
The detail can be found in Security settings
| GPO | Value |
|---|---|
| Windows default without an active GPO | 3 |
S-DesEnabled
Description:The purpose is to verify that no weak encryption algorithm such as DES is used for accounts.
Technical explanation:DES is a very weak algorithm and once assigned to an account, it can be used in Kerberos ticket requests, even though it is easily cracked. If the attacker cracks the Kerberos ticket, they can steal the token and compromise the user account.
Advised solution:It is recommended to disable DES as an encryption algorithm in the user configuration dialog or in the "msDSSupportedEncryptionTypes" attribute at LDAP level. It has to be disabled in the property of an account by unchecking the box "Use Kerberos DES encryption for this account". You can also detect which accounts support Kerberos DES encryption by running: Get-ADObject -Filter {UserAccountControl -band 0x200000 -or msDs-supportedEncryptionTypes -band 3}.
Points:15 points if present
Documentation:https://docs.microsoft.com/en-us/archive/blogs/openspecification/msds-supportedencryptiontypes-episode-1-computer-accounts
https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/remove-the-highly-insecure-des-encryption-from-user-accounts
[FR]ANSSI - Use of Kerberos with weak encryption (vuln2_kerberos_properties_deskey)2
[MITRE]T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
The detail can be found in User information and Computer information
S-ADRegistrationSchema
Description:The purpose is to ensure that no schema class can be used to create arbitrary objects
Technical explanation:The classes added to the schema provide additional object types. If misconfigured, a class can be used to bypass a security restriction.
For the vulnerability PossSuperiorComputer:
A class has the attribute possSuperiors containing the class "computer" and this class inherits from "container".
That means that every computer can request this class to be added.
Once this class has been added, it can be used as a container to create additional users or computers without restrictions.
For the vulnerability PossSuperiorUser:
It is the same vulnerability as PossSuperiorComputer but with the "user" class instead of the "computer" class.
For PossSuperiorComputer:
You have to edit the schema to change the value of the attribute possSuperior and remove the "computer" value.
A PowerShell script in the documentation provides a fix.
For PossSuperiorUser:
You have to edit the schema to change the value of the attribute possSuperior and remove the "user" value.
A PowerShell script in the documentation provides a fix.
Also the class msExchStorageGroup is known to have this vulnerability via the CVE-2021-34470.
In this case, the vulnerability is exploitable even if Exchange has been uninstalled.
10 points if present
Documentation:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2186
https://gist.github.com/IISResetMe/399a75cfccabc1a17d0cc3b5ae29f3aa#file-update-msexchstoragegroupschema-ps1
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34470
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Schema class allowing dangerous object creation (vuln2_warning_schema_posssuperiors)2
| Class | Vulnerability |
|---|---|
| msExchStorageGroup | PossSuperiorComputer |
S-OS-W10
Description:The purpose is to ensure that there is no use of non-supported version of Windows 10 or Windows 11 within the domain
Technical explanation:Some versions of Windows 10 and Windows 11 OS are no longer supported, and may be vulnerable to exploits that are not patched anymore.
Advised solution:In order to solve this security issue, you should upgrade all the Windows 10 or Windows 11 to a more recent version.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows 1*"}
15 points if the occurence is greater than or equals than 15
then 10 points if the occurence is greater than or equals than 6
then 5 points if present
https://docs.microsoft.com/en-us/windows/release-health/release-information
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
| Version | Number | Active |
|---|---|---|
| Windows 10 1507 | 1 | 0 |
| Windows 10 1703 | 3 | 0 |
| Windows 10 1709 | 4 | 0 |
| Windows 10 1803 | 9 | 0 |
| Windows 10 1809 | 8 | 0 |
| Windows 10 1511 | 1 | 0 |
| Windows 10 1903 | 9 | 0 |
| Windows 10 1909 | 6 | 0 |
| Windows 10 2004 | 9 | 0 |
| Windows 10 20H2 | 11 | 0 |
| Windows 10 21H1 | 14 | 0 |
| Windows 10 21H2 | 16 | 1 |
A-DC-Spooler
Description:The purpose is to ensure that credentials cannot be extracted from the DC via its Print Spooler service
Technical explanation:When there's an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, you can get that computers credentials sent to the system with unconstrained delegation as a user. With a domain controller, the TGT of the DC can be extracted allowing an attacker to reuse it with a DCSync attack and obtain all user hashes and impersonate them.
Advised solution:The Print Spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
Points:10 points if present
Documentation:https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01W |
| EGIADC01 |
A-HardenedPaths
Description:The purpose is to ensure that there is no weakness related to hardened paths
Technical explanation:Two vulnerabilities have been reported in 2015 (MS15-011 and MS15-014) which allows a domain takeover via GPO modifications done with a man-in-the-middle attack.
To mitigate these vulnerabilites, Microsoft has designed a workaround named "Hardened Paths". It forces connection settings to enforce Integrity, Mutual Authentication or Privacy.
By default if this policy is empty, if will enforce Integrity and Mutual Authentication on the SYSVOL or NETLOGON shares.
This rule checks if there have been any overwrite to disable this protection.
You have to edit the Hardened Path section in the GPO.
This section is located in Computer Configuration/Policies/Administrative Templates/Network/Network Provider.
Check each value reported here and make sure that entries containing SYSVOL or NETLOGON have RequireIntegrity and RequireMutualAuthentication set to 1.
In addition to that, check entries having the pattern \\DCName\* and apply the same solution.
5 points if present
Documentation:
https://labs.f-secure.com/archive/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/
https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/
https://adsecurity.org/?p=1405
https://support.microsoft.com/en-us/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328
[US]STIG V-63577 - Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
The detail can be found in the Hardened Paths configuration section.
| GPO | Key | RequireIntegrity | RequireMutualAuthentication | RequirePrivacy |
|---|---|---|---|---|
| No GPO Found | NETLOGON | Not Set | Not Set | Not Set |
| No GPO Found | SYSVOL | Not Set | Not Set | Not Set |
A-PreWin2000Anonymous
Description:The purpose is to identify domains which allow access without any account because of a Pre-Windows 2000 compatibility
Technical explanation:When a Windows Server 2003 DC is promoted, a pre-Windows 2000 compatibility setting can be enabled through the wizard. If it is enabled, the wizard will add "Everyone" and "Anonymous" to the pre-Windows 2000 compatible access group, and by doing so, it will authorize the domain to be queried without an account (null session)
It is possible to verify the results provided by the PingCastle solution by using a Kali distribution. You should run [rpcclient -U " target_ip_address] and press enter at the password prompt to finally type [enumdomusers].
Remove the "Everyone" and "Anonymous" from the PreWin2000 group while making sure that the group "Authenticated Users" is present, then reboot each DC.
Note: removing the group "Authenticated Users" (and not keep it like advised here) is an advanced recommendation quoted in the rule A-PreWin2000AuthenticatedUsers
5 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
[MITRE]T1110.003 Brute Force: Password Spraying
[US]STIG V-8547 - The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
[FR]ANSSI - The "Pre - Windows 2000 Compatible Access" group includes "Anonymous" (vuln2_compatible_2000_anonymous)2
S-OS-2008
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2008 for the workstations within the domain
Technical explanation:The Windows Server 2008 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
15 points if the occurence is greater than or equals than 15
then 10 points if the occurence is greater than or equals than 6
then 5 points if present
https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-OS-2012
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2012 for the workstations within the domain
Technical explanation:The Windows Server 2012 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
10 points if the occurence is greater than or equals than 15
then 5 points if the occurence is greater than or equals than 6
then 2 points if present
https://learn.microsoft.com/fr-fr/lifecycle/products/windows-server-2012-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-OS-Win7
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows 7 for the workstations within the domain
Technical explanation:The Windows 7 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
PingCastle is trying to guess if Extended Security Support (ESU) has been purchased from Microsoft. Based on the documentation referenced below, the program checks if the script Activate-ProductOnline.ps1 is present.
If the script is detected, Windows 7 is considered as supported and this rule is not triggered.
In order to solve this security issue, you should upgrade all the workstations to a more recent version of Windows, starting from Windows 10.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
5 points if the occurence is greater than or equals than 15
then 2 points if the occurence is greater than or equals than 6
then 1 points if present
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/activate-windows-7-esus-on-multiple-devices-with-a-mak/ba-p/1167196
[FR]ANSSI CERTFR-2005-INF-003
[MITRE]Mitre Att&ck - Mitigation - Update Software
The detail can be found in Operating Systems
S-PwdNeverExpires
Description:The purpose is to ensure that every account has a password which is compliant with password expiration policies
Technical explanation:Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, he would be able to maintain long-term access to the Active Directory domain.
We have noted that some Linux servers, domain joined, are configured with a password which never expires.
This is a misconfiguration because a password change can be configured. It was however not the default on some plateform.
See one of the link below for more information.
In order to make Active Directory enforce periodic password change, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For services accounts, Windows provide the "managed service accounts" and "group managed service accounts" features to facilite the automatic change of passwords.
Please note that there is a document in the section below which references solutions for service accounts of well known products.
Also Linux servers should be configured with automatic machine account change.
1 points if present
Documentation:https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)2
The detail can be found in User information
To reach Level 4 you need to fix the following rules:
P-Inactive
Description:The purpose is to ensure that all Administrator Accounts in the AD are necessary and used
Technical explanation:Accounts within the AD have attributes indicating the creation date of the account and the last login of this account. Accounts which haven't have a login since 6 months or created more than 6 months ago without any login are considered inactive. If an Administrator Account is set as inactive, the reason for having Administrator rights should be strongly justified.
Advised solution:To correct the situation, you should make sure that all your Administrator Account(s) are "Active", meaning that you should remove Administrator rights if an account is set as not "Active"
Points:30 points if the occurence is greater than or equals than 30
then 20 points if the occurence is greater than or equals than 15
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R36 [subsection.3.6]
S-C-Inactive
Description:The purpose is to ensure that there are as few inactive computers as possible within the domain.
Technical explanation:Inactive computers often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount –AccountInActive –ComputersOnly –TimeSpan 180:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName.
Points:30 points if the occurence is greater than or equals than 30
then 10 points if the occurence is greater than or equals than 20
then 5 points if the occurence is greater than or equals than 15
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Inactive servers (vuln3_password_change_inactive_servers)3
P-Delegated
Description:The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated" (or are members of the built-in group "Protected Users" when your domain functional level is at least Windows Server 2012 R2).
Technical explanation:Without the flag "This account is sensitive and cannot be delegated" any account can be impersonated by some service account. It is a best practice to enforce this flag on administrators accounts.
Advised solution:To correct the situation, you should make sure that all your Administrator Accounts have the check-box "This account is sensitive and cannot be delegated" active or add your Administrator Accounts to the built-in group "Protected Users" if your domain functional level is at least Windows Server 2012 R2 (some functionalities may not work properly afterwards, you should check the official documentation).
If you want to enable the check-box "This account is sensitive and cannot be delegated" but this is not possible because the box is not present (typically for GMSA accounts), you can add the flag manually by adding the number 1048576 to the attribute useraccountcontrol of the account.
Please note that there is a section below in this report named "Admin Groups" which gives more information.
20 points if present
Documentation:[US]STIG V-36435 - Delegation of privileged accounts must be prohibited.
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in Admin Groups
S-PrimaryGroup
Description:The purpose is to check for unusual values in the primarygroupid attribute used to store group memberships
Technical explanation:In Active Directory, group membership is stored on the "members" attribute and on the "primarygroupid" attribute. The default primary group value is "Domain Users" for the users, "Domain Computers" for the computers and "Domain Controllers" for the domain controllers. The primarygroupid contains the RID (last digits of a SID) of the group targeted. It can be used to store hidden membership as this attribute is not often analyzed.
Advised solution:Unless strongly justified, change the primary group id to its default: 513 or 514 for users, 516 or 521 for domain controllers, 514 or 515 for computers. The primary group can be edited in a friendly manner by editing the account with the "Active Directory Users and Computers" and after selecting the "Member Of" tab, "set primary group".
You can use the following script to list Users with a primary group id different from domain users:
$DomainUsersSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid,(Get-ADDomain).DomainSID)
Get-ADUser -Filter * -Properties PrimaryGroup | Where-Object { $_.PrimaryGroup -ne (Get-ADGroup -Filter {SID -eq $DomainUsersSid} ).DistinguishedName } | Select-Object UserPrincipalName,PrimaryGroup
15 points if present
Documentation:[FR]ANSSI - Accounts with modified PrimaryGroupID (vuln3_primary_group_id_nochange)3
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in User information and Computer information
A-AdminSDHolder
Description:The purpose is to ensure that there are no rogue admin accounts in the Active Directory
Technical explanation:A check is performed on non-admin accounts in order to identify if they have an attribute admincount set. If they have this attribute, it means that this account, which is not supposed to be admin, has been granted administrator rights in the past. This typically happens when an administrator gives temporary rights to a normal account, off process.
Advised solution:These accounts should be reviewed, especially in regards with their past activities and have the admincount attribute removed. In order to identify which accounts are detected by this rule, we advise to run a PowerShell command that will show you all users having this flag set: get-adobject -ldapfilter "(admincount=1)"
Do not forget to look at the section AdminSDHolder below.
50 points if the occurence is greater than or equals than 50
then 45 points if the occurence is greater than or equals than 45
then 40 points if the occurence is greater than or equals than 40
then 35 points if the occurence is greater than or equals than 35
then 30 points if the occurence is greater than or equals than 30
then 25 points if the occurence is greater than or equals than 25
then 20 points if the occurence is greater than or equals than 20
then 15 points if present
https://msdn.microsoft.com/en-us/library/ms675212(v=vs.85).aspx
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R40 [paragraph.3.6.3.1]
The detail can be found in the AdminSDHolder User List
A-LAPS-Not-Installed
Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
A-BackupMetadata
Description:The purpose is to check if the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods
Technical explanation:A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reasons, backups are needed to perform a rollback (rebuild a domain) or to track past changes, the backups will actually be up to date. This check is equivalent to a REPADMIN /showbackup *.
Advised solution:Plan AD backups based on Microsoft standards. These standards depend on the Operating System. For example with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:
Points:15 points if the occurence is greater than or equals than 7
Documentation:https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
[US]STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in Backup
P-ProtectedUsers
Description:The purpose is to ensure that all privileged accounts are in the Protected User security group
Technical explanation:The Protected User group is a special security group which automatically applies protections to minimize credential exposure. Starting with Windows 8.1. Older Operating System must be updated to take this protection in account such as the Windows 7 KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation
Please also note that a few links (see below) recommends that at least one account is kept outside of the group Protected Users in case there is a permission problem.
That's why this rule is not triggered if only one account is not protected.
After having reviewed the potential impact on adding users to this group, add the missing privileged accounts to this group.
Points:10 points if the occurence is greater than or equals than 2
Documentation:https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[FR]ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)3
[MITRE]Mitre Att&ck - Mitigation - Privileged Process Integrity
[US]STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR]ANSSI CERTFR-2017-ALE-012
The detail can be found in Admin Groups
| User |
|---|
| ADSyncAdmin-Local |
| itsonicwall |
| BCMBackup |
| nkahal |
| rmehra |
| nsingh |
| VipreService |
| saccount |
| pmanager |
| vmadmin |
| tle |
| tpiper |
| Consultant |
| devteamvpn |
| jvaladez |
| gpotest |
| ccramer |
| slathar |
| ejavaid |
| sharyl |
| spiceworks |
| itsupport |
| bkagent |
| Arcserve |
| Administrator |
| mwservice |
| techadmin |
| sonicwalladmin |
| mtech |
| fssa |
A-DC-Coerce
Description:The objective is to assess the vulnerability of the Domain Controller (DC) to Coerce attacks.
Technical explanation:Coerce attacks are a category of attacks which aims to forcing domain controllers to authenticate to a device controlled by the attacker for the purpose to relay this authentication to gain privileges.
This category of attacks is usually mitigated by applying patch (PetitPotam), disabling services (Spooler), added RPC filter (EDR or firewall) or ensuring integrity (SMB integrity).
Because each of these protections can be individually bypassed (NTLM integrity is disabled on LDAPS), the aim of this scan is to detect proactively if vulnerable RPC services are exposed.
PingCastle estimates that Coerceable interfaces are protected if:
- the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is applied through a GPO to DC
- or if RPC interfaces are not reachable
Because these interfaces need to be tested from a computer controlled by the attacker, PingCastle cannot do this test with reliability.
Instead, it sends a malformed RPC packet to try to trigger an error such as "Permission denied" or "RPC interface unavailable".
If the error RPC_X_BAD_STUB_DATA (1783) is triggered, PingCastle considers that the interface is available.
A report that a vulnerable interface is online may not be accurate because its full exploitation is not tested.
Also to avoid EDR alerts or to not perform the scan, you can run PingCastle with the flag --skip-dc-rpc
To effectively mitigate the vulnerability, consider one of the following approaches:
1. Apply Group Policy Object (GPO) - "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
Apply this GPO specifically to the Organizational Unit (OU) "Domain Controllers".
Caution: Enabling this GPO might impact services dependent on NTLM such as files copy Backups.
Consider setting the GPO in "Audit mode" initially to identify and assess the impact on affected services.
2. Enable RPC Filters in Windows Firewall:
Configure Windows Firewall to block specific Interface IDs associated with vulnerable RPC interfaces.
This is done using the netsh command. See the documentation links for more information.
Exercise caution: This method filters the entire interface, not specific Operation Numbers (OpNum).
Adjust exceptions for necessary services to ensure critical functionality.
3. Implement External Filters (e.g., EDR, Firewalls):
Leverage third-party solutions, such as Endpoint Detection and Response (EDR) tools or firewalls.
Notable project: rpcfirewall https://github.com/zeronetworks/rpcfirewall, offering logical filtering at the OpNum level.
Be cautious of potential impact and ensure compatibility with existing infrastructure.
10 points if present
Documentation:https://github.com/p0dalirius/Coercer
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-firewall/
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| DCName | IP | Interface | Function | OpNum |
|---|---|---|---|---|
| EGIADC01W | 192.168.253.50 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcAddUsersToFile | 9 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcAddUsersToFileEx | 15 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcDecryptFileSrv | 5 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcDuplicateEncryptionInfoFile | 12 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcEncryptFileSrv | 4 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcFileKeyInfo | 12 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcOpenFileRaw | 0 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcQueryRecoveryAgents | 7 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcQueryUsersOnFile | 6 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcRemoveUsersFromFile | 8 |
| EGIADC01W | 192.168.253.50 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01W | 192.168.253.50 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | 192.168.253.52 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
S-SMB-v1
Description:The purpose is to verify if Domain Controller(s) are vulnerable to the SMB v1 vulnerability
Technical explanation:The SMB downgrade attack is used to obtain credentials or executing commands on behalf of a user by using SMB v1 as protocol. Indeed, because SMB v1 supports old authentication protocol, the integrity can be bypassed
Advised solution:It is highly recommended by Microsoft to disable SMB v1 whenever it is possible on both client and server-side. Do note that if you are still not following best practices regarding the usage of deprecated OS (Windows 2000, 2003, XP, CE), regarding Network printer using SMBv1 scan2shares functionalities, or regarding software accessing Windows share with a custom implementation relying on SMB v1, you should consider fixing these issues before disabling SMB v1, as it will generate additional errors.
Points:10 points if present
Documentation:https://github.com/lgandx/Responder-Windows
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
https://docs.microsoft.com/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
[FR]ANSSI CERTFR-2017-ACT-019
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI CERTFR-2016-ACT-039
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01W |
P-SchemaAdmin
Description:The purpose is to ensure that no account can make unexpected modifications to the schema
Technical explanation:The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema such as new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to have this group empty and to add an administrator when a schema update is required, then remove this group membership.
Advised solution:Remove the accounts or groups belonging to the "schema administrators" group.
Points:10 points if present
Documentation:[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
[US]STIG V-72835 - Membership to the Schema Admins group must be limited
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
A-AuditDC
Description:The purpose is to ensure that the audit policy on domain controllers collects the right set of events.
Technical explanation:To detect and mitigate an attack, the right set of events need to be collected.
The audit policy is a compromise between too much and too few events to collect.
To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.
Identify the Audit settings to apply and fix them.
Be aware that there are two places for audit settings.
For "Simple" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
For "Advanced" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Also be sure that the audit GPO is applied to all domain controllers, as the underlying object may be in a OU where the GPO is not applied.
10 points if present
Documentation:https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Audit settings
The table below shows the settings that were not found as configured in a GPO for a given domain controller.
| Type | Audit | Problem | Rationale | Domain controller |
|---|---|---|---|---|
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | EGIADC01W |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | EGIADC01W |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | EGIADC01W |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | EGIADC01W |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | EGIADC01W |
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | EGIADC01 |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | EGIADC01 |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | EGIADC01 |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | EGIADC01 |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | EGIADC01 |
P-RecycleBin
Description:The purpose is to ensure that the Recycle Bin feature is enabled
Technical explanation:The Recycle Bin avoids immediate deletion of objects (which can still be partially recovered by its tombstone). This lowers the administration work needed to restore. It also extends the period where traces are available when an investigation is needed.
Advised solution:First, be sure that the forest level is at least Windows Server 2008 R2.
You can check it with Get-ADForest or in the Domain Information section.
Then you can enable it using the PowerShell command:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'
10 points if present
Documentation:https://enterinit.com/powershell-enable-active-directory-recycle-bin
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Domain Information
A-DCLdapSign
Description:The purpose is to check if signing is really required for LDAP
Technical explanation:If the the request for signing of each LDAP request is not enforced, a man in the middle can be performed on an LDAP connection.
For example to add a user to the admin group.
This test is made by ignoring the local computer security policies.
Signature enforcement is done by setting the flag ISC_REQ_INTEGRITY when initializig the Negotiate / NTLM / Kerberos authentication.
The opposite test is made with the flag ISC_REQ_NO_INTEGRITY set.
PingCastle is testing if this setting is in place by performing a LDAP authentication with and without signature enforcement.
False positives may exists if the PingCastle program is run on the server tested. That's why, if PingCastle is run on a DC, the DC will not be tested.
You have to make sure that ALL LDAP clients are compatible with LDAP signature.
All versions of Windows since XP support this and also most of the Unix clients.
You have to follow the Microsoft article quoted in reference to enable LDAP signing.
This includes auditing the clients which are not compatible and instructions on how to enforce this policy.
5 points if present
Documentation:https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536/page/4
https://github.com/zyn3rgy/LdapRelayScan
[MITRE]T1557 Man-in-the-Middle
| Domain controller |
|---|
| EGIADC01W |
A-PreWin2000Other
Description:The purpose is checking that no additional account has been added to the "Pre-Windows 2000 Compatible Access" group
Technical explanation:The pre-Windows 2000 compatible access group grants access to some RPC calls which should not be available to users or computers.
Advised solution:Remove the members from the PreWin2000 group while making sure that the group "Authenticated Users" is present. Then reboot each DC.
Points:2 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
[FR]ANSSI - Use of the "Pre-Windows 2000 Compatible Access" group (vuln3_compatible_2000_not_default)3
[MITRE]T1110.003 Brute Force: Password Spraying
A-DsHeuristicsLDAPSecurity
Description:The purpose is to identify domains having mitigation for CVE-2021-42291 not set to enabled
Technical explanation:The way an Active Directory behaves can be controlled via the attribute DsHeuristics of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
A parameter stored in its attribute and whose value is LDAPAddAutZVerifications and LDAPOwnerModify can be set to modify the mitigatation of CVE-2021-42291.
The KB5008383 has introduced changes to default security descriptor of Computer containers to add audit and limit computer creation without being admin.
Indeed, it is recommended to not let anyone create computer accounts as they can be used to abuse Kerberos or to perform relay attacks.
Mitigations in CVE-2021-42291 consist of 3 choices to be set on 2 settings.
They are named LDAPAddAutZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
For the expected values:
- With the value 0 (the default), it enables an additional audit mechanism
- With the value 1 (recommended), it enforces new security permissions, especially to require an action of the domain admin when unusual actions are performed
- With the value 2 (not recommended), it disables the audit mechanism that has been added by default and do not enable the new security permissions
The easiest and fastest way to correct this issue is to replace the 28th and 29th character of the DsHeuristics attribute.
The value of LDAPAddAutZVerifications and LDAPOwnerModify should be set to 1.
Open the procedure embedded into the KB5008383 to apply this mitigation and change the DsHeuristics value.
Note: You have to pay attention that there are control characters at the 10th and 20th position to avoid undesired changes of the DsHeuristics attribute.
Typically if the DsHeuristics is empty, the expected new value is 00000000010000000002000000011
Informative rule (0 point)
Documentation:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)3
| Setting | Position | Value |
|---|---|---|
| LDAPAddAuthZVerifications | 28th | Not Set |
| LDAPOwnerModify | 29th | Not Set |
P-OperatorsEmpty
Description:The purpose is to ensure that the operator groups, which can have indirect control to the domain, are empty
Technical explanation:Operator groups (Account Operators, Server Operators, ...) can take indirect control of the domain. Indeed, these groups have write access to critical resources of the domain.
Advised solution:It is recommended to have these groups empty. Assign administrators into administrators group. Other accounts should have proper delegation rights in an OU or in the scope they are managing.
Points:Informative rule (0 point)
Documentation:[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R27 [subsection.3.5]
The detail can be found in Admin Groups
| Group | Members |
|---|---|
| Server Operators | 2 |
A-NoGPOLLMNR
Description:The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack
Technical explanation:LLMNR is a protocol which translates names such as foo.bar.com into an ip address. LLMNR has been designed to translate name locally in case the default protocol DNS is not available.
Regarding Active Directory, DNS is mandatory which makes LLMNR useless.
LLMNR exploits typo mistakes or faster response time to redirect users to a specially designed share, server or website.
Being trusted, this service will trigger the single sign on procedure which can be abused to retrieve the user credentials.
LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903 where it is disabled.
Enable the GPO Turn off multicast name resolution and check that no GPO overrides this setting.
(if it is the case, the policy involved will be displayed below)
Informative rule (0 point)
Documentation:https://youtu.be/Fg2gvk0qgjM
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
The detail can be found in Security settings
P-AdminEmailOn
Description:The purpose is to ensure proper isolation of administrative activities and to prevent any admin from having an email address configured in the domain.
Technical explanation:The recommended approach for secure administration is to implement a Tier Zero model.
In this model, low privileged actions cannot be made by highly privileged accounts such as admins.
This means that, in practice, administrators should have two separate Windows accounts: one for regular activities and one for performing privileged actions.
Ensure that administrators do not use the privileged account for browsing the internet or receiving emails.
We highly recommend that you implement this practice to lower the risk of an admin compromise.
To remove this alert, you have to edit the properties of the user account and clear the email attribute.
Keep in mind that this action will silence the alert, but the risk may still be present.
Informative rule (0 point)
Documentation:https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/securing-privileged-access-for-the-ad-admin-part-1/ba-p/259166
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
| Account | |
|---|---|
| nkahal | nkahal@egia.org |
| rmehra | rmehra@egia.org |
| nsingh | navdeep.singh@nvish.com |
| tle | tle@egia.com |
| tpiper | tpiper@egia.com |
| bkagent | bkagent@egia.com |
| Administrator | Administrator@egia.com |
A-AuditPowershell
Description:The purpose is to ensure that PowerShell logging is enabled.
Technical explanation:PowerShell is a powerful language, also used by hackers because of this quality. Hackers are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke–Mimikatz.
Because there is no artefact on the disk, the incident response task is difficult for the forensic analysts.
For this reason, we recommend to enable PowerShell logging via a group policy, despite the fact that these security settings may be part of the workstation or server images.
Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
And enable "Turn on Module logging" and "Turn on PowerShell Script Block logging"
We recommend to set "*" as the module list.
Informative rule (0 point)
Documentation:https://adsecurity.org/?p=2604
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
[US]STIG V-68819 - PowerShell script block logging must be enabled
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Security settings
S-FunctionalLevel3
Description:The purpose is checking the functional level of the domain and the forest, and ensure it is set to the latest secure version
Technical explanation:
Each functional level brings new security features:
* functional level Windows Server 2003: brings forest trusts and read-only domain controller (RODC) support;
* functional level Windows Server 2008: brings support for modern cryptographic algorithms such as AES and DFS for SYSVOL share replication;
* functional level Windows Server 2008R2: brings support for Active Directory Recycle Bin (protects objects against accidental deletion);
* functional level Windows Server 2012: brings advanced Kerberos features, such as compound authentication and claims support;
* functional level Windows Server 2012R2: brings numerous new security features such as authentication policies, authentication policy silos and the Protected users group;
* functional level Windows Server 2016 / 2019 / 2022: brings an upgraded smart card logon security and Privileged Identity Management (PIM) trust relationships between forests.
You have to raise the functional level of the domain or the forest (see the details to know if the domain and/or forest is concerned).
The recommended level is the functional level 7 (Windows Server 2016 / 2019 / 2022)
To upgrade the functional level, a requirement is that all domain controllers are running the right version.
Also, functional level needs to be upgraded level by level.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/identifying-your-functional-level-upgrade
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels
[FR]ANSSI - Insufficient forest and domains functional levels (vuln3_vuln_functional_level)3
[MITRE]Mitre Att&ck - Mitigation - Update Software
The functional levels are indicated in Domain Information
| Type | Level |
|---|---|
| Domain | Windows Server 2008 R2 |
| Forest | Windows Server 2008 R2 |
A-SHA1RootCert
Description:The purpose is to ensure that no Root Certificates use the deprecated SHA-1 hashing algorithm
Technical explanation:The SHA1 hashing algorithm is not considered as safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less than a brute-force time
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:Informative rule (0 point)
Documentation:https://tools.ietf.org/html/rfc6194
[FR]ANSSI - Weak or vulnerable certificates (vuln3_certificates_vuln)3
[MITRE]T1600.001 Weaken Encryption: Reduce Key Space
[US]STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
The detail can be found in Certificates
| GPO | Subject |
|---|---|
| NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com |
To reach Level 5 you need to fix the following rules:
S-Duplicate
Description:The purpose is to check if there are duplicate accounts within the domain. A duplicate account is essentially a duplicate of two objects having the same attributes.
Technical explanation:To identify a duplicate account, a check is performed on the "DN" and the "sAMAccountName". When a DC detects a conflict, there is a replacement performed on the second object.
Advised solution:Duplicate accounts being present often means there are process failures, and they should be identified and removed. To identify all duplicate accounts, you can use the following PowerShell commands: get-adobject -ldapfilter "(cn=*cnf:*)" ; get-adobject -ldapfilter "(sAMAccountName=$duplicate)"
Points:5 points if present
Documentation:[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
Details:The detail can be found in User information and Computer information
A-NoNetSessionHardening
Description:The purpose is to ensure that mitigations are in place against the Bloodhound tool
Technical explanation:By default, Windows computers allow any authenticated user to enumerate network sessions to it.
This means an attacker could enumerate network sessions to a file share hosting home directories or a Domain Controller to see who's connected to SYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.
Bloodhound uses this capability extensively to map out credentials in the network.
Disabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).
If this mitigation is not part of the computer image, apply the following recommendations:
Run the NetCease PowerShell script (referenced below) on a reference workstation.
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit .
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next .
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
and select the check box for “SrvsvcSessionInfo” from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection
Informative rule (0 point)
Documentation:https://github.com/p0w3rsh3ll/NetCease
https://adsecurity.org/?p=3299
[MITRE]T1087.001 Account Discovery: Local Account
The detail can be found in Security settings
P-UnprotectedOU
Description:The purpose is to ensure that Organizational Units (OUs) and Containers in Active Directory are protected to prevent accidental deletion, which could lead to data loss and disruptions in the network infrastructure.
Technical explanation:In Active Directory, Organizational Units can be protected from accidental deletion (reads: using the del key in the wrong place at the wrong time).
This way these objects cannot be deleted, unless the protection is removed. This Active Directory feature was first introduced in Windows Server 2008.
This protection consists of a Deny ACE added to the NTSecurityDescriptor attribute applied to Everyone with the flag set to Delete and DeleteTree.
To safeguard against accidental deletions, it is essential to enable the "Protect object from accidental deletion" option for critical OUs and Containers.
When this option is enabled, it adds an additional layer of security, preventing unintended deletions.
To implement this protection:
* Open the Active Directory Users and Computers management console.
* Locate the OU or Container that requires protection.
* Right-click on the OU or Container, select "Properties."
* In the "Object" tab, check the "Protect object from accidental deletion" option.
* Click "Apply" and then "OK" to save the changes.
You can list unprotected OU using the PowerShell command:
Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | format-table Name,ProtectedFromAccidentalDeletion
and protect them using the command:
Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
Note: only 10 will be listed below. Checkout the Delegations section for the complete list.
Informative rule (0 point)
Documentation:https://dirteam.com/sander/2011/07/13/preventing-ous-and-containers-from-accidental-deletion/
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in Delegations
| OU |
|---|
| OU=Dell,DC=egia,DC=com |
P-DNSAdmin
Description:The purpose is to ensure that the Dns Admins group is not used
Technical explanation:Administrators of the DNS Service have the possibility to inject a DLL in this service.
However this service is hosted most of the time in the domain controller and is running as SYSTEM.
That means that DNS admins are potentially domain admins.
The security descriptor used to grant admin rights is located on the nTSecurityDescriptor attribute of the object CN=MicrosoftDNS,CN=System.
The "Write All Prop" access right induces the vulnerability.
In this case, the DnsAdmins group is not empty and grant to its user the possibility to interact with the DNS Service.
Rule update:
The Patch Tuesday of October 2021 fixed this vulnerability and assigned it the identifier CVE-2021-40469.
If the patch has been applied, there is no additional mitigation to perform.
This rule is transformed into an informative rule in PingCastle 2.10.1 and will be removed in future versions of PingCastle.
You should remove the members of the Dns Admins group and do a proper delegation to the specific DNS Zones.
First, grant only "Read Property", "List", "List object" and "Read permssions" to CN=MicrosoftDNS,CN=System to enable access to the RPC service.
Then on each zone (the object in the tree below with the class dnsZone), grant "Read Property", "List", "List object", "Read permissions", "Create Child", "Delete Child", "Delete", "Delete Tree".
Informative rule (0 point)
Documentation:https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-2955-46dd-a59e-f83ae88f4678
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - DnsAdmins group members (vuln4_dnsadmins)4
The detail can be found in Admin Groups
S-DefaultOUChanged
Description:The purpose is to ensure that the default location of computers and user OU has not been changed.
Technical explanation:Default OU such as CN=Computers or CN=Users are stored within the wellKnownObjects attribute of the Domain object.
There are 12 default locations officialy defined.
They can be changed using the program redircmp.
Changing these default can alter the behavior of programs (such as security audit programs) as they may not check the modified objects.
You have to use redircmp to set the value back to normal. See documentation for more details
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5a00c890-6be5-4575-93c4-8bf8be0ca8d8
https://rickardnobel.se/verify-redirected-computers-container-in-active-directory/
[MITRE]Mitre Att&ck - Mitigation - User Account Management
| Expected | Found |
|---|---|
| CN=Computers,DC=egia,DC=com | OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
A-DnsZoneAUCreateChild
Description:The purpose is to check if Authenticated Users has the right to create DNS records
Technical explanation:When a computer is joined to a domain, a DNS record is created in the DnsZone to allow the computer to update its DNS settings.
By design, Microsoft choose to grant to the group Authenticated Users (aka every computers and users) the right to create DNS records.
Once created, only the owner keeps the right to edit the new object.
The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
One example is to create a wildcard record (a record with the name "*"), a failover DNS record or anticipating the creation of a DNS record with the right permissions.
As of today, this rule is considered "informative" because the default configuration where Authenticated Users can create DNS records is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.
The proposed enhancement is to replace the identity who has been granted the right to create DNS Records (permission CreateChild) from Authenticated Users to Domain Computers.
To perform this change, you have to edit the permission of the DNSZone whose object is located in the container CN=MicrosoftDNS,DC=DomainDnsZones.
It should be noticed that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.
The best mitigation is to create the DNS records manually as part as the domain join process and to revoke the permission granted to Authenticated Users.
Informative rule (0 point)
Documentation:https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE]T1557 Man-in-the-Middle
| DNSZone |
|---|
| 20.168.192.in-addr.arpa |
| 147.56.50.in-addr.arpa |
| 147.56.50.in-addr.arpa CNF:08160273-defb-4859-aa24-150122611381 |
| tradesandtools.com CNF:1ef04c1f-7515-4ef4-bdc7-d8893d08e62b |
| 253.168.192.in-addr.arpa |
| 252.168.192.in-addr.arpa |
| 10.168.192.in-addr.arpa |
| 11.168.192.in-addr.arpa |
| 12.168.192.in-addr.arpa |
A-NoServicePolicy
Description:The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ characters password for this account greatly helps reducing the risk of Kerberoasting attacks (offline cracking of the TGS tickets)
Note: PSO (Password Settings Objects) will be visible only if the user, which collected the information, has the permission to view it.
The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ characters password for the Service Accounts.
Advised solution: The recommended way to handle service accounts is to use "Managed service accounts" introduced since Windows Server 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password guarantying a 20+ length password.
Informative rule (0 point)
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
[MITRE]T1201 Password Policy Discovery
The detail can be found in Password Policies
To reach the maximum level you need to fix the following rules:
A-PreWin2000AuthenticatedUsers
Description:The purpose is checking if the "Pre-Windows 2000 Compatible Access" group contains "Authenticated Users"
Technical explanation:The pre-Windows 2000 compatible access group grants access to some RPC calls.
Its default and secure value is the "Authenticated Users" group which allows users to perform group look-up using legacy protocols.
If this group contains "Authenticated Users", it increases the impact of the exploitation of vulnerabilities in legacy protocols such as the Print Spooler service.
Indeed, in the #PrintNightmare attack, it enables a patch bypass on domain controllers because the property Elevated Token is on when establishing a session to the DC.
Removing the group can have side impacts and as a consequence, this is reported here as a special hardening measure.
Remove "Authenticated Users" from the PreWin2000 group.
Points:Informative rule (0 point)
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
https://www.gradenegger.eu/?p=1132
[MITRE]T1210 Exploitation of Remote Services
This section represents an evaluation of the techniques available in the MITRE ATT&CK®
1 technique(s) matched
No technique matched
No technique matched
1 technique(s) matched
8 technique(s) matched
2 technique(s) matched
1 technique(s) matched
Initial Access
T1078.003 Valid Accounts: Local Accounts [1]
A-LAPS-Not-Installed
Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
Defense Evasion
T1600.001 Weaken Encryption: Reduce Key Space [2]
A-WeakRSARootCert
Description:The purpose is to ensure that there is no use of a certificate using a weak RSA key
Technical explanation:A RSA key certificate with a modulus under 1024 bits is considered unsafe
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:5 points if present
Documentation:https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/commercial-national-security-algorithm-suite-factsheet.cfm
https://www.ssi.gouv.fr/guide/cryptographie-les-regles-du-rgs/
[MITRE]T1600.001 Weaken Encryption: Reduce Key Space
[US]STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
[FR]ANSSI - Weak or vulnerable certificates (vuln1_certificates_vuln)1
The detail can be found in Certificates
| Source | Subject | Module | Expires |
|---|---|---|---|
| NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com | 512 | 11/2/2003 2:44:17 PM |
A-SHA1RootCert
Description:The purpose is to ensure that no Root Certificates use the deprecated SHA-1 hashing algorithm
Technical explanation:The SHA1 hashing algorithm is not considered as safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less than a brute-force time
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:Informative rule (0 point)
Documentation:https://tools.ietf.org/html/rfc6194
[FR]ANSSI - Weak or vulnerable certificates (vuln3_certificates_vuln)3
[MITRE]T1600.001 Weaken Encryption: Reduce Key Space
[US]STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
The detail can be found in Certificates
| GPO | Subject |
|---|---|
| NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com |
Credential Access
T1003.004 OS Credential Dumping: LSA Secrets [1]
P-ServiceDomainAdmin
Description:The purpose is to check for accounts with non-expiring passwords in the "Domain Administrator" group
Technical explanation:PingCastle is checking accounts with never expiring password, that are mostly used as service accounts.
"Service Accounts" can imply a high security risk as their password are stored in clear text in the LSA database, which can then be easily exploited using Mimikatz or Cain&Abel for instance. In addition, their passwords don't change and can be used in Kerberoast attacks.
Accounts with never expiring passwords are mostly service accounts.
To mitigate the security risk, it is strongly advised to lower the privileges of the "Service Accounts", meaning that they should be removed from the "Domain Administrator" group, while ensuring that the password of each and every "Service Account" is longer than 20 characters
15 points if the occurence is greater than or equals than 2
Documentation:[FR]ANSSI - Privileged accounts with never-expiring passwords (vuln1_dont_expire_priv)1
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R11 [subsection.2.5]
[US]STIG V-36432 - Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[MITRE]T1003.004 OS Credential Dumping: LSA Secrets
The detail can be found in Admin Groups
T1110.003 Brute Force: Password Spraying [2]
A-PreWin2000Anonymous
Description:The purpose is to identify domains which allow access without any account because of a Pre-Windows 2000 compatibility
Technical explanation:When a Windows Server 2003 DC is promoted, a pre-Windows 2000 compatibility setting can be enabled through the wizard. If it is enabled, the wizard will add "Everyone" and "Anonymous" to the pre-Windows 2000 compatible access group, and by doing so, it will authorize the domain to be queried without an account (null session)
It is possible to verify the results provided by the PingCastle solution by using a Kali distribution. You should run [rpcclient -U " target_ip_address] and press enter at the password prompt to finally type [enumdomusers].
Remove the "Everyone" and "Anonymous" from the PreWin2000 group while making sure that the group "Authenticated Users" is present, then reboot each DC.
Note: removing the group "Authenticated Users" (and not keep it like advised here) is an advanced recommendation quoted in the rule A-PreWin2000AuthenticatedUsers
5 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
[MITRE]T1110.003 Brute Force: Password Spraying
[US]STIG V-8547 - The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
[FR]ANSSI - The "Pre - Windows 2000 Compatible Access" group includes "Anonymous" (vuln2_compatible_2000_anonymous)2
A-PreWin2000Other
Description:The purpose is checking that no additional account has been added to the "Pre-Windows 2000 Compatible Access" group
Technical explanation:The pre-Windows 2000 compatible access group grants access to some RPC calls which should not be available to users or computers.
Advised solution:Remove the members from the PreWin2000 group while making sure that the group "Authenticated Users" is present. Then reboot each DC.
Points:2 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
[FR]ANSSI - Use of the "Pre-Windows 2000 Compatible Access" group (vuln3_compatible_2000_not_default)3
[MITRE]T1110.003 Brute Force: Password Spraying
T1187 Forced Authentication [3]
A-DC-Coerce
Description:The objective is to assess the vulnerability of the Domain Controller (DC) to Coerce attacks.
Technical explanation:Coerce attacks are a category of attacks which aims to forcing domain controllers to authenticate to a device controlled by the attacker for the purpose to relay this authentication to gain privileges.
This category of attacks is usually mitigated by applying patch (PetitPotam), disabling services (Spooler), added RPC filter (EDR or firewall) or ensuring integrity (SMB integrity).
Because each of these protections can be individually bypassed (NTLM integrity is disabled on LDAPS), the aim of this scan is to detect proactively if vulnerable RPC services are exposed.
PingCastle estimates that Coerceable interfaces are protected if:
- the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is applied through a GPO to DC
- or if RPC interfaces are not reachable
Because these interfaces need to be tested from a computer controlled by the attacker, PingCastle cannot do this test with reliability.
Instead, it sends a malformed RPC packet to try to trigger an error such as "Permission denied" or "RPC interface unavailable".
If the error RPC_X_BAD_STUB_DATA (1783) is triggered, PingCastle considers that the interface is available.
A report that a vulnerable interface is online may not be accurate because its full exploitation is not tested.
Also to avoid EDR alerts or to not perform the scan, you can run PingCastle with the flag --skip-dc-rpc
To effectively mitigate the vulnerability, consider one of the following approaches:
1. Apply Group Policy Object (GPO) - "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
Apply this GPO specifically to the Organizational Unit (OU) "Domain Controllers".
Caution: Enabling this GPO might impact services dependent on NTLM such as files copy Backups.
Consider setting the GPO in "Audit mode" initially to identify and assess the impact on affected services.
2. Enable RPC Filters in Windows Firewall:
Configure Windows Firewall to block specific Interface IDs associated with vulnerable RPC interfaces.
This is done using the netsh command. See the documentation links for more information.
Exercise caution: This method filters the entire interface, not specific Operation Numbers (OpNum).
Adjust exceptions for necessary services to ensure critical functionality.
3. Implement External Filters (e.g., EDR, Firewalls):
Leverage third-party solutions, such as Endpoint Detection and Response (EDR) tools or firewalls.
Notable project: rpcfirewall https://github.com/zeronetworks/rpcfirewall, offering logical filtering at the OpNum level.
Be cautious of potential impact and ensure compatibility with existing infrastructure.
10 points if present
Documentation:https://github.com/p0dalirius/Coercer
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-firewall/
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| DCName | IP | Interface | Function | OpNum |
|---|---|---|---|---|
| EGIADC01W | 192.168.253.50 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcAddUsersToFile | 9 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcAddUsersToFileEx | 15 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcDecryptFileSrv | 5 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcDuplicateEncryptionInfoFile | 12 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcEncryptFileSrv | 4 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcFileKeyInfo | 12 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcOpenFileRaw | 0 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcQueryRecoveryAgents | 7 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcQueryUsersOnFile | 6 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcRemoveUsersFromFile | 8 |
| EGIADC01W | 192.168.253.50 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01W | 192.168.253.50 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | 192.168.253.52 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
A-DC-Spooler
Description:The purpose is to ensure that credentials cannot be extracted from the DC via its Print Spooler service
Technical explanation:When there's an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, you can get that computers credentials sent to the system with unconstrained delegation as a user. With a domain controller, the TGT of the DC can be extracted allowing an attacker to reuse it with a DCSync attack and obtain all user hashes and impersonate them.
Advised solution:The Print Spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
Points:10 points if present
Documentation:https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01W |
| EGIADC01 |
A-DsHeuristicsLDAPSecurity
Description:The purpose is to identify domains having mitigation for CVE-2021-42291 not set to enabled
Technical explanation:The way an Active Directory behaves can be controlled via the attribute DsHeuristics of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
A parameter stored in its attribute and whose value is LDAPAddAutZVerifications and LDAPOwnerModify can be set to modify the mitigatation of CVE-2021-42291.
The KB5008383 has introduced changes to default security descriptor of Computer containers to add audit and limit computer creation without being admin.
Indeed, it is recommended to not let anyone create computer accounts as they can be used to abuse Kerberos or to perform relay attacks.
Mitigations in CVE-2021-42291 consist of 3 choices to be set on 2 settings.
They are named LDAPAddAutZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
For the expected values:
- With the value 0 (the default), it enables an additional audit mechanism
- With the value 1 (recommended), it enforces new security permissions, especially to require an action of the domain admin when unusual actions are performed
- With the value 2 (not recommended), it disables the audit mechanism that has been added by default and do not enable the new security permissions
The easiest and fastest way to correct this issue is to replace the 28th and 29th character of the DsHeuristics attribute.
The value of LDAPAddAutZVerifications and LDAPOwnerModify should be set to 1.
Open the procedure embedded into the KB5008383 to apply this mitigation and change the DsHeuristics value.
Note: You have to pay attention that there are control characters at the 10th and 20th position to avoid undesired changes of the DsHeuristics attribute.
Typically if the DsHeuristics is empty, the expected new value is 00000000010000000002000000011
Informative rule (0 point)
Documentation:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)3
| Setting | Position | Value |
|---|---|---|
| LDAPAddAuthZVerifications | 28th | Not Set |
| LDAPOwnerModify | 29th | Not Set |
A-DCLdapSign
Description:The purpose is to check if signing is really required for LDAP
Technical explanation:If the the request for signing of each LDAP request is not enforced, a man in the middle can be performed on an LDAP connection.
For example to add a user to the admin group.
This test is made by ignoring the local computer security policies.
Signature enforcement is done by setting the flag ISC_REQ_INTEGRITY when initializig the Negotiate / NTLM / Kerberos authentication.
The opposite test is made with the flag ISC_REQ_NO_INTEGRITY set.
PingCastle is testing if this setting is in place by performing a LDAP authentication with and without signature enforcement.
False positives may exists if the PingCastle program is run on the server tested. That's why, if PingCastle is run on a DC, the DC will not be tested.
You have to make sure that ALL LDAP clients are compatible with LDAP signature.
All versions of Windows since XP support this and also most of the Unix clients.
You have to follow the Microsoft article quoted in reference to enable LDAP signing.
This includes auditing the clients which are not compatible and instructions on how to enforce this policy.
5 points if present
Documentation:https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536/page/4
https://github.com/zyn3rgy/LdapRelayScan
[MITRE]T1557 Man-in-the-Middle
| Domain controller |
|---|
| EGIADC01W |
A-DnsZoneAUCreateChild
Description:The purpose is to check if Authenticated Users has the right to create DNS records
Technical explanation:When a computer is joined to a domain, a DNS record is created in the DnsZone to allow the computer to update its DNS settings.
By design, Microsoft choose to grant to the group Authenticated Users (aka every computers and users) the right to create DNS records.
Once created, only the owner keeps the right to edit the new object.
The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
One example is to create a wildcard record (a record with the name "*"), a failover DNS record or anticipating the creation of a DNS record with the right permissions.
As of today, this rule is considered "informative" because the default configuration where Authenticated Users can create DNS records is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.
The proposed enhancement is to replace the identity who has been granted the right to create DNS Records (permission CreateChild) from Authenticated Users to Domain Computers.
To perform this change, you have to edit the permission of the DNSZone whose object is located in the container CN=MicrosoftDNS,DC=DomainDnsZones.
It should be noticed that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.
The best mitigation is to create the DNS records manually as part as the domain join process and to revoke the permission granted to Authenticated Users.
Informative rule (0 point)
Documentation:https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE]T1557 Man-in-the-Middle
| DNSZone |
|---|
| 20.168.192.in-addr.arpa |
| 147.56.50.in-addr.arpa |
| 147.56.50.in-addr.arpa CNF:08160273-defb-4859-aa24-150122611381 |
| tradesandtools.com CNF:1ef04c1f-7515-4ef4-bdc7-d8893d08e62b |
| 253.168.192.in-addr.arpa |
| 252.168.192.in-addr.arpa |
| 10.168.192.in-addr.arpa |
| 11.168.192.in-addr.arpa |
| 12.168.192.in-addr.arpa |
T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay [4]
S-OldNtlm
Description:The purpose is to check if NTLMv1 or LM can be used by DC
Technical explanation:NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically used when a hacker sniffs the network and tries to retrieve NTLM hashes which can then be used to impersonate users.
This attack can be combined with coerced authentication attacks - a hacker forces the DC to connect to a controlled host.
In this case, NTLMv1 can be specified so the hacker can retrieve the NTLM hash of the DC, impersonates it and then take control of the domain.
This attack is still possible with NTLMv2 but this is more difficult.
Windows has default security settings regarding LM/NTLM. Windows XP: Send LM & NTLM responses, Windows Server 2003: Send NTLM response only, Vista/2008: Win7/2008 R2: Send NTLMv2 response only.
However Domain Controllers have relaxed default settings to accept the connection of older operating systems.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC fall back to the non secure default.
After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level" which can be accessed in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The policy will be applied after a computer reboot.
Beware that you may break software which is not compatible with Ntlmv2 such as very old Linux stacks or very old Windows before Windows Vista.
But please note that Ntlmv2 can be activited on all Windows starting Windows 95 and other operating systems.
15 points if present
Documentation:https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]
The detail can be found in Security settings
| GPO | Value |
|---|---|
| Windows default without an active GPO | 3 |
S-SMB-v1
Description:The purpose is to verify if Domain Controller(s) are vulnerable to the SMB v1 vulnerability
Technical explanation:The SMB downgrade attack is used to obtain credentials or executing commands on behalf of a user by using SMB v1 as protocol. Indeed, because SMB v1 supports old authentication protocol, the integrity can be bypassed
Advised solution:It is highly recommended by Microsoft to disable SMB v1 whenever it is possible on both client and server-side. Do note that if you are still not following best practices regarding the usage of deprecated OS (Windows 2000, 2003, XP, CE), regarding Network printer using SMBv1 scan2shares functionalities, or regarding software accessing Windows share with a custom implementation relying on SMB v1, you should consider fixing these issues before disabling SMB v1, as it will generate additional errors.
Points:10 points if present
Documentation:https://github.com/lgandx/Responder-Windows
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
https://docs.microsoft.com/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
[FR]ANSSI CERTFR-2017-ACT-019
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI CERTFR-2016-ACT-039
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01W |
A-HardenedPaths
Description:The purpose is to ensure that there is no weakness related to hardened paths
Technical explanation:Two vulnerabilities have been reported in 2015 (MS15-011 and MS15-014) which allows a domain takeover via GPO modifications done with a man-in-the-middle attack.
To mitigate these vulnerabilites, Microsoft has designed a workaround named "Hardened Paths". It forces connection settings to enforce Integrity, Mutual Authentication or Privacy.
By default if this policy is empty, if will enforce Integrity and Mutual Authentication on the SYSVOL or NETLOGON shares.
This rule checks if there have been any overwrite to disable this protection.
You have to edit the Hardened Path section in the GPO.
This section is located in Computer Configuration/Policies/Administrative Templates/Network/Network Provider.
Check each value reported here and make sure that entries containing SYSVOL or NETLOGON have RequireIntegrity and RequireMutualAuthentication set to 1.
In addition to that, check entries having the pattern \\DCName\* and apply the same solution.
5 points if present
Documentation:
https://labs.f-secure.com/archive/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/
https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/
https://adsecurity.org/?p=1405
https://support.microsoft.com/en-us/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328
[US]STIG V-63577 - Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
The detail can be found in the Hardened Paths configuration section.
| GPO | Key | RequireIntegrity | RequireMutualAuthentication | RequirePrivacy |
|---|---|---|---|---|
| No GPO Found | NETLOGON | Not Set | Not Set | Not Set |
| No GPO Found | SYSVOL | Not Set | Not Set | Not Set |
A-NoGPOLLMNR
Description:The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack
Technical explanation:LLMNR is a protocol which translates names such as foo.bar.com into an ip address. LLMNR has been designed to translate name locally in case the default protocol DNS is not available.
Regarding Active Directory, DNS is mandatory which makes LLMNR useless.
LLMNR exploits typo mistakes or faster response time to redirect users to a specially designed share, server or website.
Being trusted, this service will trigger the single sign on procedure which can be abused to retrieve the user credentials.
LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903 where it is disabled.
Enable the GPO Turn off multicast name resolution and check that no GPO overrides this setting.
(if it is the case, the policy involved will be displayed below)
Informative rule (0 point)
Documentation:https://youtu.be/Fg2gvk0qgjM
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
The detail can be found in Security settings
T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket [1]
A-Krbtgt
Description:The purpose is to alert when the password for the krbtgt account can be used to compromise the whole domain. This password can be used to sign every Kerberos ticket. Monitoring it closely often mitigates the risk of golden ticket attacks greatly.
Technical explanation:Kerberos is an authentication protocol. It is using a secret, stored as the password of the krbtgt account, to sign its tickets. If the hash of the password of the krbtgt account is retrieved, it can be used to generate authentication tickets at will.
To mitigate this attack, it is recommended to change the krbtgt password between 40 days and 6 months. If this is not the case, every backup done until the last password change of the krbtgt account can be used to emit Golden tickets, compromising the entire domain.
Retrieval of this secret is one of the highest priority in an attack, as this password is rarely changed and offer a long term backdoor.
Also this attack can be performed using the former password of the krbtgt account. That's why the krbtgt password should be changed twice to invalidate its leak.
The password of the krbtgt account should be changed twice to invalidate the golden ticket attack.
Beware: two changes of the krbtgt password not replicated to domain controllers can break these domain controllers You should wait at least 10 hours between each krbtgt password change (this is the duration of a ticket life).
There are several possibilities to change the krbtgt password.
First, a Microsoft script can be run in order to guarantee the correct replication of these secrets.
Second, a more manual way is to essentially reset the password manually once, then to wait 3 days (this is a replication safety delay), then to reset it again. This is the safest way as it ensures the password is no longer usable by the Golden ticket attack.
50 points if the occurence is greater than or equals than 1464
then 40 points if the occurence is greater than or equals than 1098
then 30 points if the occurence is greater than or equals than 732
then 20 points if the occurence is greater than or equals than 366
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtgt-reset/ba-p/2367838
https://github.com/microsoft/New-KrbtgtKeys.ps1
https://github.com/PSSecTools/Krbtgt
[FR]ANSSI CERTFR-2014-ACT-032
[FR]ANSSI - Krbtgt account password unchanged for more than a year (vuln2_krbtgt)2
[MITRE]T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket
The detail can be found in Krbtgt
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting [1]
P-Kerberoasting
Description:The purpose is to ensure that the password of admin accounts cannot be retrieved using the Kerberoast attack.
Technical explanation:To access a service using Kerberos, a user requests a ticket (named TGS) to the DC specific to the service.
This ticket is encrypted using a derivative of the service password, but can be brute-forced to retrieve the original password.
Any account having the attribute SPN populated is considered as a service account.
Given that any user can request a ticket for a service account, these accounts can have their password retrieved.
In addition, services are known to have their password not changed at a regular basis and to use well-known words.
Please note that this program ignores service accounts that had their password changed in the last 40 days ago to support using password rotation as a mitigation.
If the account is a service account, the service should be removed from the privileged group or have a process to change its password at a regular basis.
If the user is a person, the SPN attribute of the account should be removed.
5 points per discovery
Documentation:https://adsecurity.org/?p=3466
[FR]ANSSI - Privileged accounts with SPN (vuln1_spn_priv)1
[MITRE]T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
The detail can be found in Admin Groups
| Group | User |
|---|---|
| Administrators | Administrator |
| Domain Administrators | Administrator |
| Enterprise Administrators | Administrator |
| Schema Administrators | Administrator |
T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting [1]
S-DesEnabled
Description:The purpose is to verify that no weak encryption algorithm such as DES is used for accounts.
Technical explanation:DES is a very weak algorithm and once assigned to an account, it can be used in Kerberos ticket requests, even though it is easily cracked. If the attacker cracks the Kerberos ticket, they can steal the token and compromise the user account.
Advised solution:It is recommended to disable DES as an encryption algorithm in the user configuration dialog or in the "msDSSupportedEncryptionTypes" attribute at LDAP level. It has to be disabled in the property of an account by unchecking the box "Use Kerberos DES encryption for this account". You can also detect which accounts support Kerberos DES encryption by running: Get-ADObject -Filter {UserAccountControl -band 0x200000 -or msDs-supportedEncryptionTypes -band 3}.
Points:15 points if present
Documentation:https://docs.microsoft.com/en-us/archive/blogs/openspecification/msds-supportedencryptiontypes-episode-1-computer-accounts
https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/remove-the-highly-insecure-des-encryption-from-user-accounts
[FR]ANSSI - Use of Kerberos with weak encryption (vuln2_kerberos_properties_deskey)2
[MITRE]T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
The detail can be found in User information and Computer information
Discovery
T1087.001 Account Discovery: Local Account [1]
A-NoNetSessionHardening
Description:The purpose is to ensure that mitigations are in place against the Bloodhound tool
Technical explanation:By default, Windows computers allow any authenticated user to enumerate network sessions to it.
This means an attacker could enumerate network sessions to a file share hosting home directories or a Domain Controller to see who's connected to SYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.
Bloodhound uses this capability extensively to map out credentials in the network.
Disabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).
If this mitigation is not part of the computer image, apply the following recommendations:
Run the NetCease PowerShell script (referenced below) on a reference workstation.
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit .
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next .
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
and select the check box for “SrvsvcSessionInfo” from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection
Informative rule (0 point)
Documentation:https://github.com/p0w3rsh3ll/NetCease
https://adsecurity.org/?p=3299
[MITRE]T1087.001 Account Discovery: Local Account
The detail can be found in Security settings
T1201 Password Policy Discovery [1]
A-NoServicePolicy
Description:The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ characters password for this account greatly helps reducing the risk of Kerberoasting attacks (offline cracking of the TGS tickets)
Note: PSO (Password Settings Objects) will be visible only if the user, which collected the information, has the permission to view it.
The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ characters password for the Service Accounts.
Advised solution: The recommended way to handle service accounts is to use "Managed service accounts" introduced since Windows Server 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password guarantying a 20+ length password.
Informative rule (0 point)
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
[MITRE]T1201 Password Policy Discovery
The detail can be found in Password Policies
Lateral Movement
T1210 Exploitation of Remote Services [1]
A-PreWin2000AuthenticatedUsers
Description:The purpose is checking if the "Pre-Windows 2000 Compatible Access" group contains "Authenticated Users"
Technical explanation:The pre-Windows 2000 compatible access group grants access to some RPC calls.
Its default and secure value is the "Authenticated Users" group which allows users to perform group look-up using legacy protocols.
If this group contains "Authenticated Users", it increases the impact of the exploitation of vulnerabilities in legacy protocols such as the Print Spooler service.
Indeed, in the #PrintNightmare attack, it enables a patch bypass on domain controllers because the property Elevated Token is on when establishing a session to the DC.
Removing the group can have side impacts and as a consequence, this is reported here as a special hardening measure.
Remove "Authenticated Users" from the PreWin2000 group.
Points:Informative rule (0 point)
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
https://www.gradenegger.eu/?p=1132
[MITRE]T1210 Exploitation of Remote Services
Mitigation did matched
Mitigation did matched
Mitigation did matched
Mitigation did matched
Mitigation did matched
Mitigation did matched
Mitigation did matched
Audit
Mitre Att&ck - Mitigation - Audit [3]
P-RecycleBin
Description:The purpose is to ensure that the Recycle Bin feature is enabled
Technical explanation:The Recycle Bin avoids immediate deletion of objects (which can still be partially recovered by its tombstone). This lowers the administration work needed to restore. It also extends the period where traces are available when an investigation is needed.
Advised solution:First, be sure that the forest level is at least Windows Server 2008 R2.
You can check it with Get-ADForest or in the Domain Information section.
Then you can enable it using the PowerShell command:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'
10 points if present
Documentation:https://enterinit.com/powershell-enable-active-directory-recycle-bin
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Domain Information
A-AuditDC
Description:The purpose is to ensure that the audit policy on domain controllers collects the right set of events.
Technical explanation:To detect and mitigate an attack, the right set of events need to be collected.
The audit policy is a compromise between too much and too few events to collect.
To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.
Identify the Audit settings to apply and fix them.
Be aware that there are two places for audit settings.
For "Simple" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
For "Advanced" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Also be sure that the audit GPO is applied to all domain controllers, as the underlying object may be in a OU where the GPO is not applied.
10 points if present
Documentation:https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Audit settings
The table below shows the settings that were not found as configured in a GPO for a given domain controller.
| Type | Audit | Problem | Rationale | Domain controller |
|---|---|---|---|---|
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | EGIADC01W |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | EGIADC01W |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | EGIADC01W |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | EGIADC01W |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | EGIADC01W |
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | EGIADC01 |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | EGIADC01 |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | EGIADC01 |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | EGIADC01 |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | EGIADC01 |
A-AuditPowershell
Description:The purpose is to ensure that PowerShell logging is enabled.
Technical explanation:PowerShell is a powerful language, also used by hackers because of this quality. Hackers are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke–Mimikatz.
Because there is no artefact on the disk, the incident response task is difficult for the forensic analysts.
For this reason, we recommend to enable PowerShell logging via a group policy, despite the fact that these security settings may be part of the workstation or server images.
Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
And enable "Turn on Module logging" and "Turn on PowerShell Script Block logging"
We recommend to set "*" as the module list.
Informative rule (0 point)
Documentation:https://adsecurity.org/?p=2604
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
[US]STIG V-68819 - PowerShell script block logging must be enabled
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Security settings
Active Directory Configuration
Mitre Att&ck - Mitigation - Active Directory Configuration [5]
P-Delegated
Description:The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated" (or are members of the built-in group "Protected Users" when your domain functional level is at least Windows Server 2012 R2).
Technical explanation:Without the flag "This account is sensitive and cannot be delegated" any account can be impersonated by some service account. It is a best practice to enforce this flag on administrators accounts.
Advised solution:To correct the situation, you should make sure that all your Administrator Accounts have the check-box "This account is sensitive and cannot be delegated" active or add your Administrator Accounts to the built-in group "Protected Users" if your domain functional level is at least Windows Server 2012 R2 (some functionalities may not work properly afterwards, you should check the official documentation).
If you want to enable the check-box "This account is sensitive and cannot be delegated" but this is not possible because the box is not present (typically for GMSA accounts), you can add the flag manually by adding the number 1048576 to the attribute useraccountcontrol of the account.
Please note that there is a section below in this report named "Admin Groups" which gives more information.
20 points if present
Documentation:[US]STIG V-36435 - Delegation of privileged accounts must be prohibited.
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in Admin Groups
S-PrimaryGroup
Description:The purpose is to check for unusual values in the primarygroupid attribute used to store group memberships
Technical explanation:In Active Directory, group membership is stored on the "members" attribute and on the "primarygroupid" attribute. The default primary group value is "Domain Users" for the users, "Domain Computers" for the computers and "Domain Controllers" for the domain controllers. The primarygroupid contains the RID (last digits of a SID) of the group targeted. It can be used to store hidden membership as this attribute is not often analyzed.
Advised solution:Unless strongly justified, change the primary group id to its default: 513 or 514 for users, 516 or 521 for domain controllers, 514 or 515 for computers. The primary group can be edited in a friendly manner by editing the account with the "Active Directory Users and Computers" and after selecting the "Member Of" tab, "set primary group".
You can use the following script to list Users with a primary group id different from domain users:
$DomainUsersSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid,(Get-ADDomain).DomainSID)
Get-ADUser -Filter * -Properties PrimaryGroup | Where-Object { $_.PrimaryGroup -ne (Get-ADGroup -Filter {SID -eq $DomainUsersSid} ).DistinguishedName } | Select-Object UserPrincipalName,PrimaryGroup
15 points if present
Documentation:[FR]ANSSI - Accounts with modified PrimaryGroupID (vuln3_primary_group_id_nochange)3
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in User information and Computer information
S-Duplicate
Description:The purpose is to check if there are duplicate accounts within the domain. A duplicate account is essentially a duplicate of two objects having the same attributes.
Technical explanation:To identify a duplicate account, a check is performed on the "DN" and the "sAMAccountName". When a DC detects a conflict, there is a replacement performed on the second object.
Advised solution:Duplicate accounts being present often means there are process failures, and they should be identified and removed. To identify all duplicate accounts, you can use the following PowerShell commands: get-adobject -ldapfilter "(cn=*cnf:*)" ; get-adobject -ldapfilter "(sAMAccountName=$duplicate)"
Points:5 points if present
Documentation:[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
Details:The detail can be found in User information and Computer information
S-PwdNeverExpires
Description:The purpose is to ensure that every account has a password which is compliant with password expiration policies
Technical explanation:Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, he would be able to maintain long-term access to the Active Directory domain.
We have noted that some Linux servers, domain joined, are configured with a password which never expires.
This is a misconfiguration because a password change can be configured. It was however not the default on some plateform.
See one of the link below for more information.
In order to make Active Directory enforce periodic password change, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For services accounts, Windows provide the "managed service accounts" and "group managed service accounts" features to facilite the automatic change of passwords.
Please note that there is a document in the section below which references solutions for service accounts of well known products.
Also Linux servers should be configured with automatic machine account change.
1 points if present
Documentation:https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)2
The detail can be found in User information
P-UnprotectedOU
Description:The purpose is to ensure that Organizational Units (OUs) and Containers in Active Directory are protected to prevent accidental deletion, which could lead to data loss and disruptions in the network infrastructure.
Technical explanation:In Active Directory, Organizational Units can be protected from accidental deletion (reads: using the del key in the wrong place at the wrong time).
This way these objects cannot be deleted, unless the protection is removed. This Active Directory feature was first introduced in Windows Server 2008.
This protection consists of a Deny ACE added to the NTSecurityDescriptor attribute applied to Everyone with the flag set to Delete and DeleteTree.
To safeguard against accidental deletions, it is essential to enable the "Protect object from accidental deletion" option for critical OUs and Containers.
When this option is enabled, it adds an additional layer of security, preventing unintended deletions.
To implement this protection:
* Open the Active Directory Users and Computers management console.
* Locate the OU or Container that requires protection.
* Right-click on the OU or Container, select "Properties."
* In the "Object" tab, check the "Protect object from accidental deletion" option.
* Click "Apply" and then "OK" to save the changes.
You can list unprotected OU using the PowerShell command:
Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | format-table Name,ProtectedFromAccidentalDeletion
and protect them using the command:
Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
Note: only 10 will be listed below. Checkout the Delegations section for the complete list.
Informative rule (0 point)
Documentation:https://dirteam.com/sander/2011/07/13/preventing-ous-and-containers-from-accidental-deletion/
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in Delegations
| OU |
|---|
| OU=Dell,DC=egia,DC=com |
Data Backup
Mitre Att&ck - Mitigation - Data Backup [1]
A-BackupMetadata
Description:The purpose is to check if the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods
Technical explanation:A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reasons, backups are needed to perform a rollback (rebuild a domain) or to track past changes, the backups will actually be up to date. This check is equivalent to a REPADMIN /showbackup *.
Advised solution:Plan AD backups based on Microsoft standards. These standards depend on the Operating System. For example with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:
Points:15 points if the occurence is greater than or equals than 7
Documentation:https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
[US]STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in Backup
Privileged Account Management
Mitre Att&ck - Mitigation - Privileged Account Management [9]
P-Inactive
Description:The purpose is to ensure that all Administrator Accounts in the AD are necessary and used
Technical explanation:Accounts within the AD have attributes indicating the creation date of the account and the last login of this account. Accounts which haven't have a login since 6 months or created more than 6 months ago without any login are considered inactive. If an Administrator Account is set as inactive, the reason for having Administrator rights should be strongly justified.
Advised solution:To correct the situation, you should make sure that all your Administrator Account(s) are "Active", meaning that you should remove Administrator rights if an account is set as not "Active"
Points:30 points if the occurence is greater than or equals than 30
then 20 points if the occurence is greater than or equals than 15
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R36 [subsection.3.6]
P-ServiceDomainAdmin
Description:The purpose is to check for accounts with non-expiring passwords in the "Domain Administrator" group
Technical explanation:PingCastle is checking accounts with never expiring password, that are mostly used as service accounts.
"Service Accounts" can imply a high security risk as their password are stored in clear text in the LSA database, which can then be easily exploited using Mimikatz or Cain&Abel for instance. In addition, their passwords don't change and can be used in Kerberoast attacks.
Accounts with never expiring passwords are mostly service accounts.
To mitigate the security risk, it is strongly advised to lower the privileges of the "Service Accounts", meaning that they should be removed from the "Domain Administrator" group, while ensuring that the password of each and every "Service Account" is longer than 20 characters
15 points if the occurence is greater than or equals than 2
Documentation:[FR]ANSSI - Privileged accounts with never-expiring passwords (vuln1_dont_expire_priv)1
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R11 [subsection.2.5]
[US]STIG V-36432 - Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[MITRE]T1003.004 OS Credential Dumping: LSA Secrets
The detail can be found in Admin Groups
A-AdminSDHolder
Description:The purpose is to ensure that there are no rogue admin accounts in the Active Directory
Technical explanation:A check is performed on non-admin accounts in order to identify if they have an attribute admincount set. If they have this attribute, it means that this account, which is not supposed to be admin, has been granted administrator rights in the past. This typically happens when an administrator gives temporary rights to a normal account, off process.
Advised solution:These accounts should be reviewed, especially in regards with their past activities and have the admincount attribute removed. In order to identify which accounts are detected by this rule, we advise to run a PowerShell command that will show you all users having this flag set: get-adobject -ldapfilter "(admincount=1)"
Do not forget to look at the section AdminSDHolder below.
50 points if the occurence is greater than or equals than 50
then 45 points if the occurence is greater than or equals than 45
then 40 points if the occurence is greater than or equals than 40
then 35 points if the occurence is greater than or equals than 35
then 30 points if the occurence is greater than or equals than 30
then 25 points if the occurence is greater than or equals than 25
then 20 points if the occurence is greater than or equals than 20
then 15 points if present
https://msdn.microsoft.com/en-us/library/ms675212(v=vs.85).aspx
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R40 [paragraph.3.6.3.1]
The detail can be found in the AdminSDHolder User List
A-LAPS-Not-Installed
Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
P-SchemaAdmin
Description:The purpose is to ensure that no account can make unexpected modifications to the schema
Technical explanation:The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema such as new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to have this group empty and to add an administrator when a schema update is required, then remove this group membership.
Advised solution:Remove the accounts or groups belonging to the "schema administrators" group.
Points:10 points if present
Documentation:[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
[US]STIG V-72835 - Membership to the Schema Admins group must be limited
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
P-AdminPwdTooOld
Description:The purpose is to ensure that all admins are changing their passwords at least every 3 years
Technical explanation:This rule ensure that passwords of administrator are well managed.
Advised solution:We advised to read the ANSSI guidelines about this, which is quoted in the documentation section below.
10 points if present
Documentation:[FR]ANSSI - Privileged account passwords age too old (vuln1_password_change_priv)1
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
| Account | Creation | LastChanged |
|---|---|---|
| itsonicwall | 2019-08-01 23:45:55Z | 2019-08-01 16:45:55Z |
| BCMBackup | 2012-11-27 22:16:25Z | 2012-11-27 14:16:25Z |
| nkahal | 2010-12-20 04:57:36Z | 2011-12-26 12:25:15Z |
| rmehra | 2012-07-11 06:02:30Z | 2013-01-17 21:51:15Z |
| VipreService | 2011-01-20 19:58:42Z | 2011-06-27 23:55:45Z |
| saccount | 2010-11-21 21:35:59Z | 2010-11-21 13:35:59Z |
| pmanager | 2010-11-21 21:28:03Z | 2010-11-21 13:28:03Z |
| vmadmin | 2016-08-23 21:50:09Z | 2016-08-23 14:50:09Z |
| tle | 2010-08-23 15:26:48Z | 2012-11-28 15:21:13Z |
| tpiper | 2007-04-19 15:08:14Z | 2015-08-07 10:50:09Z |
| Consultant | 2002-09-17 17:27:04Z | 2010-11-21 13:30:35Z |
| devteamvpn | 2018-03-09 20:54:37Z | 2021-02-07 19:25:13Z |
| jvaladez | 2013-05-20 13:55:31Z | 2020-06-17 17:00:36Z |
| gpotest | 2016-10-25 17:51:34Z | 2016-10-28 14:29:32Z |
| ccramer | 2014-07-25 20:03:05Z | 2020-02-14 06:02:29Z |
| ejavaid | 2010-12-02 14:38:38Z | 2011-12-08 16:17:21Z |
| sharyl | 2017-01-16 22:49:14Z | 2017-03-01 14:32:43Z |
| spiceworks | 2016-09-22 16:51:38Z | 2016-10-11 06:12:25Z |
| itsupport | 2016-09-20 19:02:53Z | 2017-01-19 15:58:36Z |
| bkagent | 2002-05-07 14:37:57Z | 2002-09-26 15:32:26Z |
| Arcserve | 2001-10-06 18:33:48Z | 2001-01-19 11:20:31Z |
| Administrator | 2001-10-06 18:33:47Z | 2015-04-08 09:31:00Z |
| techadmin | 2019-05-31 17:04:45Z | 2019-05-31 10:04:45Z |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 10:08:10Z |
| mtech | 2019-03-19 20:55:34Z | 2020-06-15 16:25:19Z |
| fssa | 2016-11-15 18:46:41Z | 2016-11-15 10:46:41Z |
P-OperatorsEmpty
Description:The purpose is to ensure that the operator groups, which can have indirect control to the domain, are empty
Technical explanation:Operator groups (Account Operators, Server Operators, ...) can take indirect control of the domain. Indeed, these groups have write access to critical resources of the domain.
Advised solution:It is recommended to have these groups empty. Assign administrators into administrators group. Other accounts should have proper delegation rights in an OU or in the scope they are managing.
Points:Informative rule (0 point)
Documentation:[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R27 [subsection.3.5]
The detail can be found in Admin Groups
| Group | Members |
|---|---|
| Server Operators | 2 |
P-DNSAdmin
Description:The purpose is to ensure that the Dns Admins group is not used
Technical explanation:Administrators of the DNS Service have the possibility to inject a DLL in this service.
However this service is hosted most of the time in the domain controller and is running as SYSTEM.
That means that DNS admins are potentially domain admins.
The security descriptor used to grant admin rights is located on the nTSecurityDescriptor attribute of the object CN=MicrosoftDNS,CN=System.
The "Write All Prop" access right induces the vulnerability.
In this case, the DnsAdmins group is not empty and grant to its user the possibility to interact with the DNS Service.
Rule update:
The Patch Tuesday of October 2021 fixed this vulnerability and assigned it the identifier CVE-2021-40469.
If the patch has been applied, there is no additional mitigation to perform.
This rule is transformed into an informative rule in PingCastle 2.10.1 and will be removed in future versions of PingCastle.
You should remove the members of the Dns Admins group and do a proper delegation to the specific DNS Zones.
First, grant only "Read Property", "List", "List object" and "Read permssions" to CN=MicrosoftDNS,CN=System to enable access to the RPC service.
Then on each zone (the object in the tree below with the class dnsZone), grant "Read Property", "List", "List object", "Read permissions", "Create Child", "Delete Child", "Delete", "Delete Tree".
Informative rule (0 point)
Documentation:https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-2955-46dd-a59e-f83ae88f4678
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - DnsAdmins group members (vuln4_dnsadmins)4
The detail can be found in Admin Groups
P-AdminEmailOn
Description:The purpose is to ensure proper isolation of administrative activities and to prevent any admin from having an email address configured in the domain.
Technical explanation:The recommended approach for secure administration is to implement a Tier Zero model.
In this model, low privileged actions cannot be made by highly privileged accounts such as admins.
This means that, in practice, administrators should have two separate Windows accounts: one for regular activities and one for performing privileged actions.
Ensure that administrators do not use the privileged account for browsing the internet or receiving emails.
We highly recommend that you implement this practice to lower the risk of an admin compromise.
To remove this alert, you have to edit the properties of the user account and clear the email attribute.
Keep in mind that this action will silence the alert, but the risk may still be present.
Informative rule (0 point)
Documentation:https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/securing-privileged-access-for-the-ad-admin-part-1/ba-p/259166
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
| Account | |
|---|---|
| nkahal | nkahal@egia.org |
| rmehra | rmehra@egia.org |
| nsingh | navdeep.singh@nvish.com |
| tle | tle@egia.com |
| tpiper | tpiper@egia.com |
| bkagent | bkagent@egia.com |
| Administrator | Administrator@egia.com |
Privileged Process Integrity
Mitre Att&ck - Mitigation - Privileged Process Integrity [1]
P-ProtectedUsers
Description:The purpose is to ensure that all privileged accounts are in the Protected User security group
Technical explanation:The Protected User group is a special security group which automatically applies protections to minimize credential exposure. Starting with Windows 8.1. Older Operating System must be updated to take this protection in account such as the Windows 7 KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation
Please also note that a few links (see below) recommends that at least one account is kept outside of the group Protected Users in case there is a permission problem.
That's why this rule is not triggered if only one account is not protected.
After having reviewed the potential impact on adding users to this group, add the missing privileged accounts to this group.
Points:10 points if the occurence is greater than or equals than 2
Documentation:https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[FR]ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)3
[MITRE]Mitre Att&ck - Mitigation - Privileged Process Integrity
[US]STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR]ANSSI CERTFR-2017-ALE-012
The detail can be found in Admin Groups
| User |
|---|
| ADSyncAdmin-Local |
| itsonicwall |
| BCMBackup |
| nkahal |
| rmehra |
| nsingh |
| VipreService |
| saccount |
| pmanager |
| vmadmin |
| tle |
| tpiper |
| Consultant |
| devteamvpn |
| jvaladez |
| gpotest |
| ccramer |
| slathar |
| ejavaid |
| sharyl |
| spiceworks |
| itsupport |
| bkagent |
| Arcserve |
| Administrator |
| mwservice |
| techadmin |
| sonicwalladmin |
| mtech |
| fssa |
Update Software
Mitre Att&ck - Mitigation - Update Software [6]
S-OS-W10
Description:The purpose is to ensure that there is no use of non-supported version of Windows 10 or Windows 11 within the domain
Technical explanation:Some versions of Windows 10 and Windows 11 OS are no longer supported, and may be vulnerable to exploits that are not patched anymore.
Advised solution:In order to solve this security issue, you should upgrade all the Windows 10 or Windows 11 to a more recent version.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows 1*"}
15 points if the occurence is greater than or equals than 15
then 10 points if the occurence is greater than or equals than 6
then 5 points if present
https://docs.microsoft.com/en-us/windows/release-health/release-information
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
| Version | Number | Active |
|---|---|---|
| Windows 10 1507 | 1 | 0 |
| Windows 10 1703 | 3 | 0 |
| Windows 10 1709 | 4 | 0 |
| Windows 10 1803 | 9 | 0 |
| Windows 10 1809 | 8 | 0 |
| Windows 10 1511 | 1 | 0 |
| Windows 10 1903 | 9 | 0 |
| Windows 10 1909 | 6 | 0 |
| Windows 10 2004 | 9 | 0 |
| Windows 10 20H2 | 11 | 0 |
| Windows 10 21H1 | 14 | 0 |
| Windows 10 21H2 | 16 | 1 |
S-OS-2008
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2008 for the workstations within the domain
Technical explanation:The Windows Server 2008 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
15 points if the occurence is greater than or equals than 15
then 10 points if the occurence is greater than or equals than 6
then 5 points if present
https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-DC-2008
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2008 as Domain Controller within the domain
Technical explanation:The OS Windows Server 2008 is not supported anymore by Microsoft (except when migrated to Azure, until January 9, 2024) and any vulnerability found will not be patched.
Advised solution:To resolve this security risk, the only way is to decommission DCs running Windows Server 2008 OS, in order to use new versions that are more secure and that are still being patched regarding new security threats
Points:5 points if present
Documentation:https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[US]STIG V-8551 - The domain functional level must be at a Windows Server version still supported by Microsoft.
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R12 [subsection.3.1]
The operating system of domain controllers can be found in Domain controllers
S-OS-2012
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2012 for the workstations within the domain
Technical explanation:The Windows Server 2012 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
10 points if the occurence is greater than or equals than 15
then 5 points if the occurence is greater than or equals than 6
then 2 points if present
https://learn.microsoft.com/fr-fr/lifecycle/products/windows-server-2012-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-OS-Win7
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows 7 for the workstations within the domain
Technical explanation:The Windows 7 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
PingCastle is trying to guess if Extended Security Support (ESU) has been purchased from Microsoft. Based on the documentation referenced below, the program checks if the script Activate-ProductOnline.ps1 is present.
If the script is detected, Windows 7 is considered as supported and this rule is not triggered.
In order to solve this security issue, you should upgrade all the workstations to a more recent version of Windows, starting from Windows 10.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
5 points if the occurence is greater than or equals than 15
then 2 points if the occurence is greater than or equals than 6
then 1 points if present
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/activate-windows-7-esus-on-multiple-devices-with-a-mak/ba-p/1167196
[FR]ANSSI CERTFR-2005-INF-003
[MITRE]Mitre Att&ck - Mitigation - Update Software
The detail can be found in Operating Systems
S-FunctionalLevel3
Description:The purpose is checking the functional level of the domain and the forest, and ensure it is set to the latest secure version
Technical explanation:
Each functional level brings new security features:
* functional level Windows Server 2003: brings forest trusts and read-only domain controller (RODC) support;
* functional level Windows Server 2008: brings support for modern cryptographic algorithms such as AES and DFS for SYSVOL share replication;
* functional level Windows Server 2008R2: brings support for Active Directory Recycle Bin (protects objects against accidental deletion);
* functional level Windows Server 2012: brings advanced Kerberos features, such as compound authentication and claims support;
* functional level Windows Server 2012R2: brings numerous new security features such as authentication policies, authentication policy silos and the Protected users group;
* functional level Windows Server 2016 / 2019 / 2022: brings an upgraded smart card logon security and Privileged Identity Management (PIM) trust relationships between forests.
You have to raise the functional level of the domain or the forest (see the details to know if the domain and/or forest is concerned).
The recommended level is the functional level 7 (Windows Server 2016 / 2019 / 2022)
To upgrade the functional level, a requirement is that all domain controllers are running the right version.
Also, functional level needs to be upgraded level by level.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/identifying-your-functional-level-upgrade
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels
[FR]ANSSI - Insufficient forest and domains functional levels (vuln3_vuln_functional_level)3
[MITRE]Mitre Att&ck - Mitigation - Update Software
The functional levels are indicated in Domain Information
| Type | Level |
|---|---|
| Domain | Windows Server 2008 R2 |
| Forest | Windows Server 2008 R2 |
User Account Management
Mitre Att&ck - Mitigation - User Account Management [4]
S-C-Inactive
Description:The purpose is to ensure that there are as few inactive computers as possible within the domain.
Technical explanation:Inactive computers often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount –AccountInActive –ComputersOnly –TimeSpan 180:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName.
Points:30 points if the occurence is greater than or equals than 30
then 10 points if the occurence is greater than or equals than 20
then 5 points if the occurence is greater than or equals than 15
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Inactive servers (vuln3_password_change_inactive_servers)3
S-ADRegistrationSchema
Description:The purpose is to ensure that no schema class can be used to create arbitrary objects
Technical explanation:The classes added to the schema provide additional object types. If misconfigured, a class can be used to bypass a security restriction.
For the vulnerability PossSuperiorComputer:
A class has the attribute possSuperiors containing the class "computer" and this class inherits from "container".
That means that every computer can request this class to be added.
Once this class has been added, it can be used as a container to create additional users or computers without restrictions.
For the vulnerability PossSuperiorUser:
It is the same vulnerability as PossSuperiorComputer but with the "user" class instead of the "computer" class.
For PossSuperiorComputer:
You have to edit the schema to change the value of the attribute possSuperior and remove the "computer" value.
A PowerShell script in the documentation provides a fix.
For PossSuperiorUser:
You have to edit the schema to change the value of the attribute possSuperior and remove the "user" value.
A PowerShell script in the documentation provides a fix.
Also the class msExchStorageGroup is known to have this vulnerability via the CVE-2021-34470.
In this case, the vulnerability is exploitable even if Exchange has been uninstalled.
10 points if present
Documentation:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2186
https://gist.github.com/IISResetMe/399a75cfccabc1a17d0cc3b5ae29f3aa#file-update-msexchstoragegroupschema-ps1
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34470
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Schema class allowing dangerous object creation (vuln2_warning_schema_posssuperiors)2
| Class | Vulnerability |
|---|---|
| msExchStorageGroup | PossSuperiorComputer |
S-Inactive
Description:The purpose is to ensure that there are as few inactive accounts as possible within the domain. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization.
Technical explanation:Inactive accounts often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount –AccountInActive –UsersOnly –TimeSpan 180:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName.
Points:10 points if the occurence is greater than or equals than 25
Documentation:[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[FR]ANSSI - Dormant accounts (vuln1_user_accounts_dormant)1
The detail can be found in User information and Computer information
S-DefaultOUChanged
Description:The purpose is to ensure that the default location of computers and user OU has not been changed.
Technical explanation:Default OU such as CN=Computers or CN=Users are stored within the wellKnownObjects attribute of the Domain object.
There are 12 default locations officialy defined.
They can be changed using the program redircmp.
Changing these default can alter the behavior of programs (such as security audit programs) as they may not check the modified objects.
You have to use redircmp to set the value back to normal. See documentation for more details
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5a00c890-6be5-4575-93c4-8bf8be0ca8d8
https://rickardnobel.se/verify-redirected-computers-container-in-active-directory/
[MITRE]Mitre Att&ck - Mitigation - User Account Management
| Expected | Found |
|---|---|
| CN=Computers,DC=egia,DC=com | OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
Stale Objects : 100 /100
It is about operations related to user or computer objects
S-C-Inactive
Description:The purpose is to ensure that there are as few inactive computers as possible within the domain.
Technical explanation:Inactive computers often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount –AccountInActive –ComputersOnly –TimeSpan 180:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName.
Points:30 points if the occurence is greater than or equals than 30
then 10 points if the occurence is greater than or equals than 20
then 5 points if the occurence is greater than or equals than 15
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Inactive servers (vuln3_password_change_inactive_servers)3
S-OldNtlm
Description:The purpose is to check if NTLMv1 or LM can be used by DC
Technical explanation:NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically used when a hacker sniffs the network and tries to retrieve NTLM hashes which can then be used to impersonate users.
This attack can be combined with coerced authentication attacks - a hacker forces the DC to connect to a controlled host.
In this case, NTLMv1 can be specified so the hacker can retrieve the NTLM hash of the DC, impersonates it and then take control of the domain.
This attack is still possible with NTLMv2 but this is more difficult.
Windows has default security settings regarding LM/NTLM. Windows XP: Send LM & NTLM responses, Windows Server 2003: Send NTLM response only, Vista/2008: Win7/2008 R2: Send NTLMv2 response only.
However Domain Controllers have relaxed default settings to accept the connection of older operating systems.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC fall back to the non secure default.
After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level" which can be accessed in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The policy will be applied after a computer reboot.
Beware that you may break software which is not compatible with Ntlmv2 such as very old Linux stacks or very old Windows before Windows Vista.
But please note that Ntlmv2 can be activited on all Windows starting Windows 95 and other operating systems.
15 points if present
Documentation:https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]
The detail can be found in Security settings
| GPO | Value |
|---|---|
| Windows default without an active GPO | 3 |
S-DesEnabled
Description:The purpose is to verify that no weak encryption algorithm such as DES is used for accounts.
Technical explanation:DES is a very weak algorithm and once assigned to an account, it can be used in Kerberos ticket requests, even though it is easily cracked. If the attacker cracks the Kerberos ticket, they can steal the token and compromise the user account.
Advised solution:It is recommended to disable DES as an encryption algorithm in the user configuration dialog or in the "msDSSupportedEncryptionTypes" attribute at LDAP level. It has to be disabled in the property of an account by unchecking the box "Use Kerberos DES encryption for this account". You can also detect which accounts support Kerberos DES encryption by running: Get-ADObject -Filter {UserAccountControl -band 0x200000 -or msDs-supportedEncryptionTypes -band 3}.
Points:15 points if present
Documentation:https://docs.microsoft.com/en-us/archive/blogs/openspecification/msds-supportedencryptiontypes-episode-1-computer-accounts
https://docs.microsoft.com/en-us/services-hub/health/remediation-steps-ad/remove-the-highly-insecure-des-encryption-from-user-accounts
[FR]ANSSI - Use of Kerberos with weak encryption (vuln2_kerberos_properties_deskey)2
[MITRE]T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
The detail can be found in User information and Computer information
S-PrimaryGroup
Description:The purpose is to check for unusual values in the primarygroupid attribute used to store group memberships
Technical explanation:In Active Directory, group membership is stored on the "members" attribute and on the "primarygroupid" attribute. The default primary group value is "Domain Users" for the users, "Domain Computers" for the computers and "Domain Controllers" for the domain controllers. The primarygroupid contains the RID (last digits of a SID) of the group targeted. It can be used to store hidden membership as this attribute is not often analyzed.
Advised solution:Unless strongly justified, change the primary group id to its default: 513 or 514 for users, 516 or 521 for domain controllers, 514 or 515 for computers. The primary group can be edited in a friendly manner by editing the account with the "Active Directory Users and Computers" and after selecting the "Member Of" tab, "set primary group".
You can use the following script to list Users with a primary group id different from domain users:
$DomainUsersSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid,(Get-ADDomain).DomainSID)
Get-ADUser -Filter * -Properties PrimaryGroup | Where-Object { $_.PrimaryGroup -ne (Get-ADGroup -Filter {SID -eq $DomainUsersSid} ).DistinguishedName } | Select-Object UserPrincipalName,PrimaryGroup
15 points if present
Documentation:[FR]ANSSI - Accounts with modified PrimaryGroupID (vuln3_primary_group_id_nochange)3
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in User information and Computer information
S-OS-W10
Description:The purpose is to ensure that there is no use of non-supported version of Windows 10 or Windows 11 within the domain
Technical explanation:Some versions of Windows 10 and Windows 11 OS are no longer supported, and may be vulnerable to exploits that are not patched anymore.
Advised solution:In order to solve this security issue, you should upgrade all the Windows 10 or Windows 11 to a more recent version.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows 1*"}
15 points if the occurence is greater than or equals than 15
then 10 points if the occurence is greater than or equals than 6
then 5 points if present
https://docs.microsoft.com/en-us/windows/release-health/release-information
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
| Version | Number | Active |
|---|---|---|
| Windows 10 1507 | 1 | 0 |
| Windows 10 1703 | 3 | 0 |
| Windows 10 1709 | 4 | 0 |
| Windows 10 1803 | 9 | 0 |
| Windows 10 1809 | 8 | 0 |
| Windows 10 1511 | 1 | 0 |
| Windows 10 1903 | 9 | 0 |
| Windows 10 1909 | 6 | 0 |
| Windows 10 2004 | 9 | 0 |
| Windows 10 20H2 | 11 | 0 |
| Windows 10 21H1 | 14 | 0 |
| Windows 10 21H2 | 16 | 1 |
S-Inactive
Description:The purpose is to ensure that there are as few inactive accounts as possible within the domain. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization.
Technical explanation:Inactive accounts often stay in the network because of weaknesses in the decommissioning process. These stale computer accounts can be used as backdoors and therefore represents a possible security breach.
Advised solution:To mitigate the risk, you should monitor the number of inactive accounts and reduce it as much as possible. A list of all inactive accounts is obtainable through the command: Search-ADAccount –AccountInActive –UsersOnly –TimeSpan 180:00:00:00 –ResultPageSize 2000 –ResultSetSize $null | ?{$_.Enabled –eq $True} | Select-Object Name, SamAccountName, DistinguishedName.
Points:10 points if the occurence is greater than or equals than 25
Documentation:[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R45 [paragraph.3.6.6.2]
[FR]ANSSI - Dormant accounts (vuln1_user_accounts_dormant)1
The detail can be found in User information and Computer information
S-ADRegistrationSchema
Description:The purpose is to ensure that no schema class can be used to create arbitrary objects
Technical explanation:The classes added to the schema provide additional object types. If misconfigured, a class can be used to bypass a security restriction.
For the vulnerability PossSuperiorComputer:
A class has the attribute possSuperiors containing the class "computer" and this class inherits from "container".
That means that every computer can request this class to be added.
Once this class has been added, it can be used as a container to create additional users or computers without restrictions.
For the vulnerability PossSuperiorUser:
It is the same vulnerability as PossSuperiorComputer but with the "user" class instead of the "computer" class.
For PossSuperiorComputer:
You have to edit the schema to change the value of the attribute possSuperior and remove the "computer" value.
A PowerShell script in the documentation provides a fix.
For PossSuperiorUser:
You have to edit the schema to change the value of the attribute possSuperior and remove the "user" value.
A PowerShell script in the documentation provides a fix.
Also the class msExchStorageGroup is known to have this vulnerability via the CVE-2021-34470.
In this case, the vulnerability is exploitable even if Exchange has been uninstalled.
10 points if present
Documentation:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2186
https://gist.github.com/IISResetMe/399a75cfccabc1a17d0cc3b5ae29f3aa#file-update-msexchstoragegroupschema-ps1
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34470
[MITRE]Mitre Att&ck - Mitigation - User Account Management
[FR]ANSSI - Schema class allowing dangerous object creation (vuln2_warning_schema_posssuperiors)2
| Class | Vulnerability |
|---|---|
| msExchStorageGroup | PossSuperiorComputer |
S-SMB-v1
Description:The purpose is to verify if Domain Controller(s) are vulnerable to the SMB v1 vulnerability
Technical explanation:The SMB downgrade attack is used to obtain credentials or executing commands on behalf of a user by using SMB v1 as protocol. Indeed, because SMB v1 supports old authentication protocol, the integrity can be bypassed
Advised solution:It is highly recommended by Microsoft to disable SMB v1 whenever it is possible on both client and server-side. Do note that if you are still not following best practices regarding the usage of deprecated OS (Windows 2000, 2003, XP, CE), regarding Network printer using SMBv1 scan2shares functionalities, or regarding software accessing Windows share with a custom implementation relying on SMB v1, you should consider fixing these issues before disabling SMB v1, as it will generate additional errors.
Points:10 points if present
Documentation:https://github.com/lgandx/Responder-Windows
https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect
https://docs.microsoft.com/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
[FR]ANSSI CERTFR-2017-ACT-019
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI CERTFR-2016-ACT-039
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01W |
S-OS-2008
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2008 for the workstations within the domain
Technical explanation:The Windows Server 2008 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
15 points if the occurence is greater than or equals than 15
then 10 points if the occurence is greater than or equals than 6
then 5 points if present
https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-DC-2008
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2008 as Domain Controller within the domain
Technical explanation:The OS Windows Server 2008 is not supported anymore by Microsoft (except when migrated to Azure, until January 9, 2024) and any vulnerability found will not be patched.
Advised solution:To resolve this security risk, the only way is to decommission DCs running Windows Server 2008 OS, in order to use new versions that are more secure and that are still being patched regarding new security threats
Points:5 points if present
Documentation:https://support.microsoft.com/en-us/help/4456235/end-of-support-for-windows-server-2008-and-windows-server-2008-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[US]STIG V-8551 - The domain functional level must be at a Windows Server version still supported by Microsoft.
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R12 [subsection.3.1]
The operating system of domain controllers can be found in Domain controllers
S-Duplicate
Description:The purpose is to check if there are duplicate accounts within the domain. A duplicate account is essentially a duplicate of two objects having the same attributes.
Technical explanation:To identify a duplicate account, a check is performed on the "DN" and the "sAMAccountName". When a DC detects a conflict, there is a replacement performed on the second object.
Advised solution:Duplicate accounts being present often means there are process failures, and they should be identified and removed. To identify all duplicate accounts, you can use the following PowerShell commands: get-adobject -ldapfilter "(cn=*cnf:*)" ; get-adobject -ldapfilter "(sAMAccountName=$duplicate)"
Points:5 points if present
Documentation:[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
Details:The detail can be found in User information and Computer information
S-OS-2012
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows Server 2012 for the workstations within the domain
Technical explanation:The Windows Server 2012 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
Advised solution:In order to solve this security issue, you should upgrade all the servers to a more recent version of Windows, starting from Windows Server 2012.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
10 points if the occurence is greater than or equals than 15
then 5 points if the occurence is greater than or equals than 6
then 2 points if present
https://learn.microsoft.com/fr-fr/lifecycle/products/windows-server-2012-r2
[MITRE]Mitre Att&ck - Mitigation - Update Software
[FR]ANSSI CERTFR-2005-INF-003
The detail can be found in Operating Systems
S-OS-Win7
Description:The purpose is to ensure that there is no use of the obsolete and vulnerable OS Windows 7 for the workstations within the domain
Technical explanation:The Windows 7 OS is no longer supported, as it is vulnerable to many publicly known exploits: Administrator's credentials can be captured, security protocols are weak, etc.
PingCastle is trying to guess if Extended Security Support (ESU) has been purchased from Microsoft. Based on the documentation referenced below, the program checks if the script Activate-ProductOnline.ps1 is present.
If the script is detected, Windows 7 is considered as supported and this rule is not triggered.
In order to solve this security issue, you should upgrade all the workstations to a more recent version of Windows, starting from Windows 10.
Use PingCastle.exe and select export on the main menu. Then choose to export computers. PingCastle will produce a list of all your computers with the OS version in a csv file. You can then use Excel to filter them.
Do note that you can get the full details regarding the OS used with the following PowerShell command: Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap -Auto | where {$_.enabled -eq $true}
You can replace -Filter * with -Filter {OperatingSystem -Like "Windows Server*"}
5 points if the occurence is greater than or equals than 15
then 2 points if the occurence is greater than or equals than 6
then 1 points if present
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/activate-windows-7-esus-on-multiple-devices-with-a-mak/ba-p/1167196
[FR]ANSSI CERTFR-2005-INF-003
[MITRE]Mitre Att&ck - Mitigation - Update Software
The detail can be found in Operating Systems
S-PwdNeverExpires
Description:The purpose is to ensure that every account has a password which is compliant with password expiration policies
Technical explanation:Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, he would be able to maintain long-term access to the Active Directory domain.
We have noted that some Linux servers, domain joined, are configured with a password which never expires.
This is a misconfiguration because a password change can be configured. It was however not the default on some plateform.
See one of the link below for more information.
In order to make Active Directory enforce periodic password change, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For services accounts, Windows provide the "managed service accounts" and "group managed service accounts" features to facilite the automatic change of passwords.
Please note that there is a document in the section below which references solutions for service accounts of well known products.
Also Linux servers should be configured with automatic machine account change.
1 points if present
Documentation:https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)2
The detail can be found in User information
S-DefaultOUChanged
Description:The purpose is to ensure that the default location of computers and user OU has not been changed.
Technical explanation:Default OU such as CN=Computers or CN=Users are stored within the wellKnownObjects attribute of the Domain object.
There are 12 default locations officialy defined.
They can be changed using the program redircmp.
Changing these default can alter the behavior of programs (such as security audit programs) as they may not check the modified objects.
You have to use redircmp to set the value back to normal. See documentation for more details
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5a00c890-6be5-4575-93c4-8bf8be0ca8d8
https://rickardnobel.se/verify-redirected-computers-container-in-active-directory/
[MITRE]Mitre Att&ck - Mitigation - User Account Management
| Expected | Found |
|---|---|
| CN=Computers,DC=egia,DC=com | OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
S-FunctionalLevel3
Description:The purpose is checking the functional level of the domain and the forest, and ensure it is set to the latest secure version
Technical explanation:
Each functional level brings new security features:
* functional level Windows Server 2003: brings forest trusts and read-only domain controller (RODC) support;
* functional level Windows Server 2008: brings support for modern cryptographic algorithms such as AES and DFS for SYSVOL share replication;
* functional level Windows Server 2008R2: brings support for Active Directory Recycle Bin (protects objects against accidental deletion);
* functional level Windows Server 2012: brings advanced Kerberos features, such as compound authentication and claims support;
* functional level Windows Server 2012R2: brings numerous new security features such as authentication policies, authentication policy silos and the Protected users group;
* functional level Windows Server 2016 / 2019 / 2022: brings an upgraded smart card logon security and Privileged Identity Management (PIM) trust relationships between forests.
You have to raise the functional level of the domain or the forest (see the details to know if the domain and/or forest is concerned).
The recommended level is the functional level 7 (Windows Server 2016 / 2019 / 2022)
To upgrade the functional level, a requirement is that all domain controllers are running the right version.
Also, functional level needs to be upgraded level by level.
Informative rule (0 point)
Documentation:https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/identifying-your-functional-level-upgrade
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels
[FR]ANSSI - Insufficient forest and domains functional levels (vuln3_vuln_functional_level)3
[MITRE]Mitre Att&ck - Mitigation - Update Software
The functional levels are indicated in Domain Information
| Type | Level |
|---|---|
| Domain | Windows Server 2008 R2 |
| Forest | Windows Server 2008 R2 |
Privileged Accounts : 100 /100
It is about administrators of the Active Directory
P-Inactive
Description:The purpose is to ensure that all Administrator Accounts in the AD are necessary and used
Technical explanation:Accounts within the AD have attributes indicating the creation date of the account and the last login of this account. Accounts which haven't have a login since 6 months or created more than 6 months ago without any login are considered inactive. If an Administrator Account is set as inactive, the reason for having Administrator rights should be strongly justified.
Advised solution:To correct the situation, you should make sure that all your Administrator Account(s) are "Active", meaning that you should remove Administrator rights if an account is set as not "Active"
Points:30 points if the occurence is greater than or equals than 30
then 20 points if the occurence is greater than or equals than 15
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R36 [subsection.3.6]
P-Delegated
Description:The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated" (or are members of the built-in group "Protected Users" when your domain functional level is at least Windows Server 2012 R2).
Technical explanation:Without the flag "This account is sensitive and cannot be delegated" any account can be impersonated by some service account. It is a best practice to enforce this flag on administrators accounts.
Advised solution:To correct the situation, you should make sure that all your Administrator Accounts have the check-box "This account is sensitive and cannot be delegated" active or add your Administrator Accounts to the built-in group "Protected Users" if your domain functional level is at least Windows Server 2012 R2 (some functionalities may not work properly afterwards, you should check the official documentation).
If you want to enable the check-box "This account is sensitive and cannot be delegated" but this is not possible because the box is not present (typically for GMSA accounts), you can add the flag manually by adding the number 1048576 to the attribute useraccountcontrol of the account.
Please note that there is a section below in this report named "Admin Groups" which gives more information.
20 points if present
Documentation:[US]STIG V-36435 - Delegation of privileged accounts must be prohibited.
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in Admin Groups
P-Kerberoasting
Description:The purpose is to ensure that the password of admin accounts cannot be retrieved using the Kerberoast attack.
Technical explanation:To access a service using Kerberos, a user requests a ticket (named TGS) to the DC specific to the service.
This ticket is encrypted using a derivative of the service password, but can be brute-forced to retrieve the original password.
Any account having the attribute SPN populated is considered as a service account.
Given that any user can request a ticket for a service account, these accounts can have their password retrieved.
In addition, services are known to have their password not changed at a regular basis and to use well-known words.
Please note that this program ignores service accounts that had their password changed in the last 40 days ago to support using password rotation as a mitigation.
If the account is a service account, the service should be removed from the privileged group or have a process to change its password at a regular basis.
If the user is a person, the SPN attribute of the account should be removed.
5 points per discovery
Documentation:https://adsecurity.org/?p=3466
[FR]ANSSI - Privileged accounts with SPN (vuln1_spn_priv)1
[MITRE]T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
The detail can be found in Admin Groups
| Group | User |
|---|---|
| Administrators | Administrator |
| Domain Administrators | Administrator |
| Enterprise Administrators | Administrator |
| Schema Administrators | Administrator |
P-ServiceDomainAdmin
Description:The purpose is to check for accounts with non-expiring passwords in the "Domain Administrator" group
Technical explanation:PingCastle is checking accounts with never expiring password, that are mostly used as service accounts.
"Service Accounts" can imply a high security risk as their password are stored in clear text in the LSA database, which can then be easily exploited using Mimikatz or Cain&Abel for instance. In addition, their passwords don't change and can be used in Kerberoast attacks.
Accounts with never expiring passwords are mostly service accounts.
To mitigate the security risk, it is strongly advised to lower the privileges of the "Service Accounts", meaning that they should be removed from the "Domain Administrator" group, while ensuring that the password of each and every "Service Account" is longer than 20 characters
15 points if the occurence is greater than or equals than 2
Documentation:[FR]ANSSI - Privileged accounts with never-expiring passwords (vuln1_dont_expire_priv)1
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R11 [subsection.2.5]
[US]STIG V-36432 - Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[MITRE]T1003.004 OS Credential Dumping: LSA Secrets
The detail can be found in Admin Groups
P-RecycleBin
Description:The purpose is to ensure that the Recycle Bin feature is enabled
Technical explanation:The Recycle Bin avoids immediate deletion of objects (which can still be partially recovered by its tombstone). This lowers the administration work needed to restore. It also extends the period where traces are available when an investigation is needed.
Advised solution:First, be sure that the forest level is at least Windows Server 2008 R2.
You can check it with Get-ADForest or in the Domain Information section.
Then you can enable it using the PowerShell command:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'
10 points if present
Documentation:https://enterinit.com/powershell-enable-active-directory-recycle-bin
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Domain Information
P-SchemaAdmin
Description:The purpose is to ensure that no account can make unexpected modifications to the schema
Technical explanation:The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema such as new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to have this group empty and to add an administrator when a schema update is required, then remove this group membership.
Advised solution:Remove the accounts or groups belonging to the "schema administrators" group.
Points:10 points if present
Documentation:[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
[US]STIG V-72835 - Membership to the Schema Admins group must be limited
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
P-ProtectedUsers
Description:The purpose is to ensure that all privileged accounts are in the Protected User security group
Technical explanation:The Protected User group is a special security group which automatically applies protections to minimize credential exposure. Starting with Windows 8.1. Older Operating System must be updated to take this protection in account such as the Windows 7 KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation
Please also note that a few links (see below) recommends that at least one account is kept outside of the group Protected Users in case there is a permission problem.
That's why this rule is not triggered if only one account is not protected.
After having reviewed the potential impact on adding users to this group, add the missing privileged accounts to this group.
Points:10 points if the occurence is greater than or equals than 2
Documentation:https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[FR]ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)3
[MITRE]Mitre Att&ck - Mitigation - Privileged Process Integrity
[US]STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR]ANSSI CERTFR-2017-ALE-012
The detail can be found in Admin Groups
| User |
|---|
| ADSyncAdmin-Local |
| itsonicwall |
| BCMBackup |
| nkahal |
| rmehra |
| nsingh |
| VipreService |
| saccount |
| pmanager |
| vmadmin |
| tle |
| tpiper |
| Consultant |
| devteamvpn |
| jvaladez |
| gpotest |
| ccramer |
| slathar |
| ejavaid |
| sharyl |
| spiceworks |
| itsupport |
| bkagent |
| Arcserve |
| Administrator |
| mwservice |
| techadmin |
| sonicwalladmin |
| mtech |
| fssa |
P-AdminPwdTooOld
Description:The purpose is to ensure that all admins are changing their passwords at least every 3 years
Technical explanation:This rule ensure that passwords of administrator are well managed.
Advised solution:We advised to read the ANSSI guidelines about this, which is quoted in the documentation section below.
10 points if present
Documentation:[FR]ANSSI - Privileged account passwords age too old (vuln1_password_change_priv)1
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
The detail can be found in Admin Groups
| Account | Creation | LastChanged |
|---|---|---|
| itsonicwall | 2019-08-01 23:45:55Z | 2019-08-01 16:45:55Z |
| BCMBackup | 2012-11-27 22:16:25Z | 2012-11-27 14:16:25Z |
| nkahal | 2010-12-20 04:57:36Z | 2011-12-26 12:25:15Z |
| rmehra | 2012-07-11 06:02:30Z | 2013-01-17 21:51:15Z |
| VipreService | 2011-01-20 19:58:42Z | 2011-06-27 23:55:45Z |
| saccount | 2010-11-21 21:35:59Z | 2010-11-21 13:35:59Z |
| pmanager | 2010-11-21 21:28:03Z | 2010-11-21 13:28:03Z |
| vmadmin | 2016-08-23 21:50:09Z | 2016-08-23 14:50:09Z |
| tle | 2010-08-23 15:26:48Z | 2012-11-28 15:21:13Z |
| tpiper | 2007-04-19 15:08:14Z | 2015-08-07 10:50:09Z |
| Consultant | 2002-09-17 17:27:04Z | 2010-11-21 13:30:35Z |
| devteamvpn | 2018-03-09 20:54:37Z | 2021-02-07 19:25:13Z |
| jvaladez | 2013-05-20 13:55:31Z | 2020-06-17 17:00:36Z |
| gpotest | 2016-10-25 17:51:34Z | 2016-10-28 14:29:32Z |
| ccramer | 2014-07-25 20:03:05Z | 2020-02-14 06:02:29Z |
| ejavaid | 2010-12-02 14:38:38Z | 2011-12-08 16:17:21Z |
| sharyl | 2017-01-16 22:49:14Z | 2017-03-01 14:32:43Z |
| spiceworks | 2016-09-22 16:51:38Z | 2016-10-11 06:12:25Z |
| itsupport | 2016-09-20 19:02:53Z | 2017-01-19 15:58:36Z |
| bkagent | 2002-05-07 14:37:57Z | 2002-09-26 15:32:26Z |
| Arcserve | 2001-10-06 18:33:48Z | 2001-01-19 11:20:31Z |
| Administrator | 2001-10-06 18:33:47Z | 2015-04-08 09:31:00Z |
| techadmin | 2019-05-31 17:04:45Z | 2019-05-31 10:04:45Z |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 10:08:10Z |
| mtech | 2019-03-19 20:55:34Z | 2020-06-15 16:25:19Z |
| fssa | 2016-11-15 18:46:41Z | 2016-11-15 10:46:41Z |
P-AdminEmailOn
Description:The purpose is to ensure proper isolation of administrative activities and to prevent any admin from having an email address configured in the domain.
Technical explanation:The recommended approach for secure administration is to implement a Tier Zero model.
In this model, low privileged actions cannot be made by highly privileged accounts such as admins.
This means that, in practice, administrators should have two separate Windows accounts: one for regular activities and one for performing privileged actions.
Ensure that administrators do not use the privileged account for browsing the internet or receiving emails.
We highly recommend that you implement this practice to lower the risk of an admin compromise.
To remove this alert, you have to edit the properties of the user account and clear the email attribute.
Keep in mind that this action will silence the alert, but the risk may still be present.
Informative rule (0 point)
Documentation:https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/securing-privileged-access-for-the-ad-admin-part-1/ba-p/259166
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
| Account | |
|---|---|
| nkahal | nkahal@egia.org |
| rmehra | rmehra@egia.org |
| nsingh | navdeep.singh@nvish.com |
| tle | tle@egia.com |
| tpiper | tpiper@egia.com |
| bkagent | bkagent@egia.com |
| Administrator | Administrator@egia.com |
P-OperatorsEmpty
Description:The purpose is to ensure that the operator groups, which can have indirect control to the domain, are empty
Technical explanation:Operator groups (Account Operators, Server Operators, ...) can take indirect control of the domain. Indeed, these groups have write access to critical resources of the domain.
Advised solution:It is recommended to have these groups empty. Assign administrators into administrators group. Other accounts should have proper delegation rights in an OU or in the scope they are managing.
Points:Informative rule (0 point)
Documentation:[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R27 [subsection.3.5]
The detail can be found in Admin Groups
| Group | Members |
|---|---|
| Server Operators | 2 |
P-UnprotectedOU
Description:The purpose is to ensure that Organizational Units (OUs) and Containers in Active Directory are protected to prevent accidental deletion, which could lead to data loss and disruptions in the network infrastructure.
Technical explanation:In Active Directory, Organizational Units can be protected from accidental deletion (reads: using the del key in the wrong place at the wrong time).
This way these objects cannot be deleted, unless the protection is removed. This Active Directory feature was first introduced in Windows Server 2008.
This protection consists of a Deny ACE added to the NTSecurityDescriptor attribute applied to Everyone with the flag set to Delete and DeleteTree.
To safeguard against accidental deletions, it is essential to enable the "Protect object from accidental deletion" option for critical OUs and Containers.
When this option is enabled, it adds an additional layer of security, preventing unintended deletions.
To implement this protection:
* Open the Active Directory Users and Computers management console.
* Locate the OU or Container that requires protection.
* Right-click on the OU or Container, select "Properties."
* In the "Object" tab, check the "Protect object from accidental deletion" option.
* Click "Apply" and then "OK" to save the changes.
You can list unprotected OU using the PowerShell command:
Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | format-table Name,ProtectedFromAccidentalDeletion
and protect them using the command:
Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
Note: only 10 will be listed below. Checkout the Delegations section for the complete list.
Informative rule (0 point)
Documentation:https://dirteam.com/sander/2011/07/13/preventing-ous-and-containers-from-accidental-deletion/
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
The detail can be found in Delegations
| OU |
|---|
| OU=Dell,DC=egia,DC=com |
P-DNSAdmin
Description:The purpose is to ensure that the Dns Admins group is not used
Technical explanation:Administrators of the DNS Service have the possibility to inject a DLL in this service.
However this service is hosted most of the time in the domain controller and is running as SYSTEM.
That means that DNS admins are potentially domain admins.
The security descriptor used to grant admin rights is located on the nTSecurityDescriptor attribute of the object CN=MicrosoftDNS,CN=System.
The "Write All Prop" access right induces the vulnerability.
In this case, the DnsAdmins group is not empty and grant to its user the possibility to interact with the DNS Service.
Rule update:
The Patch Tuesday of October 2021 fixed this vulnerability and assigned it the identifier CVE-2021-40469.
If the patch has been applied, there is no additional mitigation to perform.
This rule is transformed into an informative rule in PingCastle 2.10.1 and will be removed in future versions of PingCastle.
You should remove the members of the Dns Admins group and do a proper delegation to the specific DNS Zones.
First, grant only "Read Property", "List", "List object" and "Read permssions" to CN=MicrosoftDNS,CN=System to enable access to the RPC service.
Then on each zone (the object in the tree below with the class dnsZone), grant "Read Property", "List", "List object", "Read permissions", "Create Child", "Delete Child", "Delete", "Delete Tree".
Informative rule (0 point)
Documentation:https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-2955-46dd-a59e-f83ae88f4678
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - DnsAdmins group members (vuln4_dnsadmins)4
The detail can be found in Admin Groups
Trusts : 0 /100
It is about links between two Active Directories
No rule matched
Anomalies : 100 /100
It is about specific security control points
A-Krbtgt
Description:The purpose is to alert when the password for the krbtgt account can be used to compromise the whole domain. This password can be used to sign every Kerberos ticket. Monitoring it closely often mitigates the risk of golden ticket attacks greatly.
Technical explanation:Kerberos is an authentication protocol. It is using a secret, stored as the password of the krbtgt account, to sign its tickets. If the hash of the password of the krbtgt account is retrieved, it can be used to generate authentication tickets at will.
To mitigate this attack, it is recommended to change the krbtgt password between 40 days and 6 months. If this is not the case, every backup done until the last password change of the krbtgt account can be used to emit Golden tickets, compromising the entire domain.
Retrieval of this secret is one of the highest priority in an attack, as this password is rarely changed and offer a long term backdoor.
Also this attack can be performed using the former password of the krbtgt account. That's why the krbtgt password should be changed twice to invalidate its leak.
The password of the krbtgt account should be changed twice to invalidate the golden ticket attack.
Beware: two changes of the krbtgt password not replicated to domain controllers can break these domain controllers You should wait at least 10 hours between each krbtgt password change (this is the duration of a ticket life).
There are several possibilities to change the krbtgt password.
First, a Microsoft script can be run in order to guarantee the correct replication of these secrets.
Second, a more manual way is to essentially reset the password manually once, then to wait 3 days (this is a replication safety delay), then to reset it again. This is the safest way as it ensures the password is no longer usable by the Golden ticket attack.
50 points if the occurence is greater than or equals than 1464
then 40 points if the occurence is greater than or equals than 1098
then 30 points if the occurence is greater than or equals than 732
then 20 points if the occurence is greater than or equals than 366
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtgt-reset/ba-p/2367838
https://github.com/microsoft/New-KrbtgtKeys.ps1
https://github.com/PSSecTools/Krbtgt
[FR]ANSSI CERTFR-2014-ACT-032
[FR]ANSSI - Krbtgt account password unchanged for more than a year (vuln2_krbtgt)2
[MITRE]T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket
The detail can be found in Krbtgt
A-BackupMetadata
Description:The purpose is to check if the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods
Technical explanation:A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reasons, backups are needed to perform a rollback (rebuild a domain) or to track past changes, the backups will actually be up to date. This check is equivalent to a REPADMIN /showbackup *.
Advised solution:Plan AD backups based on Microsoft standards. These standards depend on the Operating System. For example with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:
Points:15 points if the occurence is greater than or equals than 7
Documentation:https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
[US]STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
The detail can be found in Backup
A-LAPS-Not-Installed
Description:The purpose is to make sure that there is a proper password policy in place for the native local administrator account.
Technical explanation:LAPS (Local Administrator Password Solution) is the advised solution to handle passwords for the native local administrator account on all workstations, as it is a simple way to handle most of the subject.
Advised solution:If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.
Points:15 points if present
Documentation:https://www.microsoft.com/en-us/download/details.aspx?id=46899
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts
The detail can be found in LAPS
A-AdminSDHolder
Description:The purpose is to ensure that there are no rogue admin accounts in the Active Directory
Technical explanation:A check is performed on non-admin accounts in order to identify if they have an attribute admincount set. If they have this attribute, it means that this account, which is not supposed to be admin, has been granted administrator rights in the past. This typically happens when an administrator gives temporary rights to a normal account, off process.
Advised solution:These accounts should be reviewed, especially in regards with their past activities and have the admincount attribute removed. In order to identify which accounts are detected by this rule, we advise to run a PowerShell command that will show you all users having this flag set: get-adobject -ldapfilter "(admincount=1)"
Do not forget to look at the section AdminSDHolder below.
50 points if the occurence is greater than or equals than 50
then 45 points if the occurence is greater than or equals than 45
then 40 points if the occurence is greater than or equals than 40
then 35 points if the occurence is greater than or equals than 35
then 30 points if the occurence is greater than or equals than 30
then 25 points if the occurence is greater than or equals than 25
then 20 points if the occurence is greater than or equals than 20
then 15 points if present
https://msdn.microsoft.com/en-us/library/ms675212(v=vs.85).aspx
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R40 [paragraph.3.6.3.1]
The detail can be found in the AdminSDHolder User List
A-AuditDC
Description:The purpose is to ensure that the audit policy on domain controllers collects the right set of events.
Technical explanation:To detect and mitigate an attack, the right set of events need to be collected.
The audit policy is a compromise between too much and too few events to collect.
To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.
Identify the Audit settings to apply and fix them.
Be aware that there are two places for audit settings.
For "Simple" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
For "Advanced" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Also be sure that the audit GPO is applied to all domain controllers, as the underlying object may be in a OU where the GPO is not applied.
10 points if present
Documentation:https://adsecurity.org/?p=3299
https://adsecurity.org/?p=3377
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Audit settings
The table below shows the settings that were not found as configured in a GPO for a given domain controller.
| Type | Audit | Problem | Rationale | Domain controller |
|---|---|---|---|---|
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | EGIADC01W |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | EGIADC01W |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | EGIADC01W |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | EGIADC01W |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | EGIADC01W |
| Advanced | Detailed Tracking / DPAPI Activity | No GPO check for audit success | Collect event 4692 to track the export of DPAPI backup key | EGIADC01 |
| Advanced | Account Logon / Kerberos Service Ticket Operations | No GPO check for audit success | Collect events 4769 for kerberos authentication | EGIADC01 |
| Advanced | System / Security System Extension | No GPO check for audit success | Collect events 4610, 4697 to track lsass security packages and services | EGIADC01 |
| Advanced | Privilege Use / Sensitive Privilege Use | No GPO check for audit success | Collect events 4672, 4673, 4674 for privileges tracking such as the debug one | EGIADC01 |
| Advanced | Logon/Logoff / Special Logon | No GPO check for audit success | Collect event 4964 for special group attributed at logon | EGIADC01 |
A-DC-Spooler
Description:The purpose is to ensure that credentials cannot be extracted from the DC via its Print Spooler service
Technical explanation:When there's an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, you can get that computers credentials sent to the system with unconstrained delegation as a user. With a domain controller, the TGT of the DC can be extracted allowing an attacker to reuse it with a DCSync attack and obtain all user hashes and impersonate them.
Advised solution:The Print Spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.
Points:10 points if present
Documentation:https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| Domain controller |
|---|
| EGIADC01W |
| EGIADC01 |
A-DC-Coerce
Description:The objective is to assess the vulnerability of the Domain Controller (DC) to Coerce attacks.
Technical explanation:Coerce attacks are a category of attacks which aims to forcing domain controllers to authenticate to a device controlled by the attacker for the purpose to relay this authentication to gain privileges.
This category of attacks is usually mitigated by applying patch (PetitPotam), disabling services (Spooler), added RPC filter (EDR or firewall) or ensuring integrity (SMB integrity).
Because each of these protections can be individually bypassed (NTLM integrity is disabled on LDAPS), the aim of this scan is to detect proactively if vulnerable RPC services are exposed.
PingCastle estimates that Coerceable interfaces are protected if:
- the GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is applied through a GPO to DC
- or if RPC interfaces are not reachable
Because these interfaces need to be tested from a computer controlled by the attacker, PingCastle cannot do this test with reliability.
Instead, it sends a malformed RPC packet to try to trigger an error such as "Permission denied" or "RPC interface unavailable".
If the error RPC_X_BAD_STUB_DATA (1783) is triggered, PingCastle considers that the interface is available.
A report that a vulnerable interface is online may not be accurate because its full exploitation is not tested.
Also to avoid EDR alerts or to not perform the scan, you can run PingCastle with the flag --skip-dc-rpc
To effectively mitigate the vulnerability, consider one of the following approaches:
1. Apply Group Policy Object (GPO) - "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
Apply this GPO specifically to the Organizational Unit (OU) "Domain Controllers".
Caution: Enabling this GPO might impact services dependent on NTLM such as files copy Backups.
Consider setting the GPO in "Audit mode" initially to identify and assess the impact on affected services.
2. Enable RPC Filters in Windows Firewall:
Configure Windows Firewall to block specific Interface IDs associated with vulnerable RPC interfaces.
This is done using the netsh command. See the documentation links for more information.
Exercise caution: This method filters the entire interface, not specific Operation Numbers (OpNum).
Adjust exceptions for necessary services to ensure critical functionality.
3. Implement External Filters (e.g., EDR, Firewalls):
Leverage third-party solutions, such as Endpoint Detection and Response (EDR) tools or firewalls.
Notable project: rpcfirewall https://github.com/zeronetworks/rpcfirewall, offering logical filtering at the OpNum level.
Be cautious of potential impact and ensure compatibility with existing infrastructure.
10 points if present
Documentation:https://github.com/p0dalirius/Coercer
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
https://blog.nviso.eu/2023/12/08/rpc-or-not-here-we-log-preventing-exploitation-and-abuse-with-rpc-firewall/
[MITRE]T1187 Forced Authentication
The detail can be found in Domain controllers
| DCName | IP | Interface | Function | OpNum |
|---|---|---|---|---|
| EGIADC01W | 192.168.253.50 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcAddUsersToFile | 9 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcAddUsersToFileEx | 15 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcDecryptFileSrv | 5 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcDuplicateEncryptionInfoFile | 12 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcEncryptFileSrv | 4 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcFileKeyInfo | 12 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcOpenFileRaw | 0 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcQueryRecoveryAgents | 7 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcQueryUsersOnFile | 6 |
| EGIADC01W | 192.168.253.50 | c681d488-d850-11d0-8c52-00c04fd90f7e | EfsRpcRemoveUsersFromFile | 8 |
| EGIADC01W | 192.168.253.50 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01W | 192.168.253.50 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | fe80::628a:dd65:10bd:20a0%5 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
| EGIADC01 | 192.168.253.52 | 82273fdc-e32a-18c3-3f78-827929dc23ea | ElfrOpenBELW | 9 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotification | 62 |
| EGIADC01 | 192.168.253.52 | 12345678-1234-abcd-ef00-0123456789ab | RpcRemoteFindFirstPrinterChangeNotificationEx | 65 |
A-DCLdapSign
Description:The purpose is to check if signing is really required for LDAP
Technical explanation:If the the request for signing of each LDAP request is not enforced, a man in the middle can be performed on an LDAP connection.
For example to add a user to the admin group.
This test is made by ignoring the local computer security policies.
Signature enforcement is done by setting the flag ISC_REQ_INTEGRITY when initializig the Negotiate / NTLM / Kerberos authentication.
The opposite test is made with the flag ISC_REQ_NO_INTEGRITY set.
PingCastle is testing if this setting is in place by performing a LDAP authentication with and without signature enforcement.
False positives may exists if the PingCastle program is run on the server tested. That's why, if PingCastle is run on a DC, the DC will not be tested.
You have to make sure that ALL LDAP clients are compatible with LDAP signature.
All versions of Windows since XP support this and also most of the Unix clients.
You have to follow the Microsoft article quoted in reference to enable LDAP signing.
This includes auditing the clients which are not compatible and instructions on how to enforce this policy.
5 points if present
Documentation:https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536/page/4
https://github.com/zyn3rgy/LdapRelayScan
[MITRE]T1557 Man-in-the-Middle
| Domain controller |
|---|
| EGIADC01W |
A-PreWin2000Anonymous
Description:The purpose is to identify domains which allow access without any account because of a Pre-Windows 2000 compatibility
Technical explanation:When a Windows Server 2003 DC is promoted, a pre-Windows 2000 compatibility setting can be enabled through the wizard. If it is enabled, the wizard will add "Everyone" and "Anonymous" to the pre-Windows 2000 compatible access group, and by doing so, it will authorize the domain to be queried without an account (null session)
It is possible to verify the results provided by the PingCastle solution by using a Kali distribution. You should run [rpcclient -U " target_ip_address] and press enter at the password prompt to finally type [enumdomusers].
Remove the "Everyone" and "Anonymous" from the PreWin2000 group while making sure that the group "Authenticated Users" is present, then reboot each DC.
Note: removing the group "Authenticated Users" (and not keep it like advised here) is an advanced recommendation quoted in the rule A-PreWin2000AuthenticatedUsers
5 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
[MITRE]T1110.003 Brute Force: Password Spraying
[US]STIG V-8547 - The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
[FR]ANSSI - The "Pre - Windows 2000 Compatible Access" group includes "Anonymous" (vuln2_compatible_2000_anonymous)2
A-WeakRSARootCert
Description:The purpose is to ensure that there is no use of a certificate using a weak RSA key
Technical explanation:A RSA key certificate with a modulus under 1024 bits is considered unsafe
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:5 points if present
Documentation:https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/commercial-national-security-algorithm-suite-factsheet.cfm
https://www.ssi.gouv.fr/guide/cryptographie-les-regles-du-rgs/
[MITRE]T1600.001 Weaken Encryption: Reduce Key Space
[US]STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
[FR]ANSSI - Weak or vulnerable certificates (vuln1_certificates_vuln)1
The detail can be found in Certificates
| Source | Subject | Module | Expires |
|---|---|---|---|
| NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com | 512 | 11/2/2003 2:44:17 PM |
A-HardenedPaths
Description:The purpose is to ensure that there is no weakness related to hardened paths
Technical explanation:Two vulnerabilities have been reported in 2015 (MS15-011 and MS15-014) which allows a domain takeover via GPO modifications done with a man-in-the-middle attack.
To mitigate these vulnerabilites, Microsoft has designed a workaround named "Hardened Paths". It forces connection settings to enforce Integrity, Mutual Authentication or Privacy.
By default if this policy is empty, if will enforce Integrity and Mutual Authentication on the SYSVOL or NETLOGON shares.
This rule checks if there have been any overwrite to disable this protection.
You have to edit the Hardened Path section in the GPO.
This section is located in Computer Configuration/Policies/Administrative Templates/Network/Network Provider.
Check each value reported here and make sure that entries containing SYSVOL or NETLOGON have RequireIntegrity and RequireMutualAuthentication set to 1.
In addition to that, check entries having the pattern \\DCName\* and apply the same solution.
5 points if present
Documentation:
https://labs.f-secure.com/archive/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/
https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/
https://adsecurity.org/?p=1405
https://support.microsoft.com/en-us/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328
[US]STIG V-63577 - Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
The detail can be found in the Hardened Paths configuration section.
| GPO | Key | RequireIntegrity | RequireMutualAuthentication | RequirePrivacy |
|---|---|---|---|---|
| No GPO Found | NETLOGON | Not Set | Not Set | Not Set |
| No GPO Found | SYSVOL | Not Set | Not Set | Not Set |
A-PreWin2000Other
Description:The purpose is checking that no additional account has been added to the "Pre-Windows 2000 Compatible Access" group
Technical explanation:The pre-Windows 2000 compatible access group grants access to some RPC calls which should not be available to users or computers.
Advised solution:Remove the members from the PreWin2000 group while making sure that the group "Authenticated Users" is present. Then reboot each DC.
Points:2 points if present
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
[FR]ANSSI - Use of the "Pre-Windows 2000 Compatible Access" group (vuln3_compatible_2000_not_default)3
[MITRE]T1110.003 Brute Force: Password Spraying
A-NoGPOLLMNR
Description:The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack
Technical explanation:LLMNR is a protocol which translates names such as foo.bar.com into an ip address. LLMNR has been designed to translate name locally in case the default protocol DNS is not available.
Regarding Active Directory, DNS is mandatory which makes LLMNR useless.
LLMNR exploits typo mistakes or faster response time to redirect users to a specially designed share, server or website.
Being trusted, this service will trigger the single sign on procedure which can be abused to retrieve the user credentials.
LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903 where it is disabled.
Enable the GPO Turn off multicast name resolution and check that no GPO overrides this setting.
(if it is the case, the policy involved will be displayed below)
Informative rule (0 point)
Documentation:https://youtu.be/Fg2gvk0qgjM
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
The detail can be found in Security settings
A-NoServicePolicy
Description:The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ characters password for this account greatly helps reducing the risk of Kerberoasting attacks (offline cracking of the TGS tickets)
Note: PSO (Password Settings Objects) will be visible only if the user, which collected the information, has the permission to view it.
The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ characters password for the Service Accounts.
Advised solution: The recommended way to handle service accounts is to use "Managed service accounts" introduced since Windows Server 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password guarantying a 20+ length password.
Informative rule (0 point)
Documentation:https://www.microsoft.com/en-us/research/publication/password-guidance/
[MITRE]T1201 Password Policy Discovery
The detail can be found in Password Policies
A-NoNetSessionHardening
Description:The purpose is to ensure that mitigations are in place against the Bloodhound tool
Technical explanation:By default, Windows computers allow any authenticated user to enumerate network sessions to it.
This means an attacker could enumerate network sessions to a file share hosting home directories or a Domain Controller to see who's connected to SYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.
Bloodhound uses this capability extensively to map out credentials in the network.
Disabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).
If this mitigation is not part of the computer image, apply the following recommendations:
Run the NetCease PowerShell script (referenced below) on a reference workstation.
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit .
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next .
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
and select the check box for “SrvsvcSessionInfo” from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection
Informative rule (0 point)
Documentation:https://github.com/p0w3rsh3ll/NetCease
https://adsecurity.org/?p=3299
[MITRE]T1087.001 Account Discovery: Local Account
The detail can be found in Security settings
A-AuditPowershell
Description:The purpose is to ensure that PowerShell logging is enabled.
Technical explanation:PowerShell is a powerful language, also used by hackers because of this quality. Hackers are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke–Mimikatz.
Because there is no artefact on the disk, the incident response task is difficult for the forensic analysts.
For this reason, we recommend to enable PowerShell logging via a group policy, despite the fact that these security settings may be part of the workstation or server images.
Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
And enable "Turn on Module logging" and "Turn on PowerShell Script Block logging"
We recommend to set "*" as the module list.
Informative rule (0 point)
Documentation:https://adsecurity.org/?p=2604
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
[US]STIG V-68819 - PowerShell script block logging must be enabled
[MITRE]Mitre Att&ck - Mitigation - Audit
The detail can be found in Security settings
A-DsHeuristicsLDAPSecurity
Description:The purpose is to identify domains having mitigation for CVE-2021-42291 not set to enabled
Technical explanation:The way an Active Directory behaves can be controlled via the attribute DsHeuristics of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
A parameter stored in its attribute and whose value is LDAPAddAutZVerifications and LDAPOwnerModify can be set to modify the mitigatation of CVE-2021-42291.
The KB5008383 has introduced changes to default security descriptor of Computer containers to add audit and limit computer creation without being admin.
Indeed, it is recommended to not let anyone create computer accounts as they can be used to abuse Kerberos or to perform relay attacks.
Mitigations in CVE-2021-42291 consist of 3 choices to be set on 2 settings.
They are named LDAPAddAutZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
For the expected values:
- With the value 0 (the default), it enables an additional audit mechanism
- With the value 1 (recommended), it enforces new security permissions, especially to require an action of the domain admin when unusual actions are performed
- With the value 2 (not recommended), it disables the audit mechanism that has been added by default and do not enable the new security permissions
The easiest and fastest way to correct this issue is to replace the 28th and 29th character of the DsHeuristics attribute.
The value of LDAPAddAutZVerifications and LDAPOwnerModify should be set to 1.
Open the procedure embedded into the KB5008383 to apply this mitigation and change the DsHeuristics value.
Note: You have to pay attention that there are control characters at the 10th and 20th position to avoid undesired changes of the DsHeuristics attribute.
Typically if the DsHeuristics is empty, the expected new value is 00000000010000000002000000011
Informative rule (0 point)
Documentation:https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)3
| Setting | Position | Value |
|---|---|---|
| LDAPAddAuthZVerifications | 28th | Not Set |
| LDAPOwnerModify | 29th | Not Set |
A-DnsZoneAUCreateChild
Description:The purpose is to check if Authenticated Users has the right to create DNS records
Technical explanation:When a computer is joined to a domain, a DNS record is created in the DnsZone to allow the computer to update its DNS settings.
By design, Microsoft choose to grant to the group Authenticated Users (aka every computers and users) the right to create DNS records.
Once created, only the owner keeps the right to edit the new object.
The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
One example is to create a wildcard record (a record with the name "*"), a failover DNS record or anticipating the creation of a DNS record with the right permissions.
As of today, this rule is considered "informative" because the default configuration where Authenticated Users can create DNS records is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.
The proposed enhancement is to replace the identity who has been granted the right to create DNS Records (permission CreateChild) from Authenticated Users to Domain Computers.
To perform this change, you have to edit the permission of the DNSZone whose object is located in the container CN=MicrosoftDNS,DC=DomainDnsZones.
It should be noticed that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.
The best mitigation is to create the DNS records manually as part as the domain join process and to revoke the permission granted to Authenticated Users.
Informative rule (0 point)
Documentation:https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE]T1557 Man-in-the-Middle
| DNSZone |
|---|
| 20.168.192.in-addr.arpa |
| 147.56.50.in-addr.arpa |
| 147.56.50.in-addr.arpa CNF:08160273-defb-4859-aa24-150122611381 |
| tradesandtools.com CNF:1ef04c1f-7515-4ef4-bdc7-d8893d08e62b |
| 253.168.192.in-addr.arpa |
| 252.168.192.in-addr.arpa |
| 10.168.192.in-addr.arpa |
| 11.168.192.in-addr.arpa |
| 12.168.192.in-addr.arpa |
A-PreWin2000AuthenticatedUsers
Description:The purpose is checking if the "Pre-Windows 2000 Compatible Access" group contains "Authenticated Users"
Technical explanation:The pre-Windows 2000 compatible access group grants access to some RPC calls.
Its default and secure value is the "Authenticated Users" group which allows users to perform group look-up using legacy protocols.
If this group contains "Authenticated Users", it increases the impact of the exploitation of vulnerabilities in legacy protocols such as the Print Spooler service.
Indeed, in the #PrintNightmare attack, it enables a patch bypass on domain controllers because the property Elevated Token is on when establishing a session to the DC.
Removing the group can have side impacts and as a consequence, this is reported here as a special hardening measure.
Remove "Authenticated Users" from the PreWin2000 group.
Points:Informative rule (0 point)
Documentation:https://msdn.microsoft.com/en-us/library/cc223672.aspx
https://www.gradenegger.eu/?p=1132
[MITRE]T1210 Exploitation of Remote Services
A-SHA1RootCert
Description:The purpose is to ensure that no Root Certificates use the deprecated SHA-1 hashing algorithm
Technical explanation:The SHA1 hashing algorithm is not considered as safe. There are design flaws inherent to the algorithm that allow an attacker to generate a hash collision in less than a brute-force time
Advised solution:To solve the matter, the certificate should be removed from the GPO and if needed, certificates depending on it should be reissued.
Points:Informative rule (0 point)
Documentation:https://tools.ietf.org/html/rfc6194
[FR]ANSSI - Weak or vulnerable certificates (vuln3_certificates_vuln)3
[MITRE]T1600.001 Weaken Encryption: Reduce Key Space
[US]STIG V-14820 - PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
The detail can be found in Certificates
| GPO | Subject |
|---|---|
| NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com |
This section shows the main technical characteristics of the domain.
| Domain | Netbios Name | Domain Functional Level | Forest Functional Level | Creation date | DC count | Schema version | Recycle Bin enabled |
|---|---|---|---|---|---|---|---|
| egia.com | EGIA | Windows Server 2008 R2 | Windows Server 2008 R2 | 2001-10-06 18:33:39Z | 2 | Windows Server 2019 | FALSE |
Here is the Azure AD configuration that has been found in the domain
| Tenant name | Tenant id | Kerberos Enabled |
|---|---|---|
| EGIA563.onmicrosoft.com ? | 482e9867-0585-418e-bb72-953ca4dc0306 | FALSE |
This section gives information about the user accounts stored in the Active Directory
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| $DUPLICATE-6b14 | 2017-01-16 22:10:46Z | 2017-01-16 14:51:34Z | 2017-01-16 14:41:24Z | CN=sharyl\0ACNF:cff5105e-507b-4e10-8483-74f6d1e18af1,OU=Sacramento,DC=egia,DC=com |
| accountinguser | 2015-10-12 14:34:13Z | Never | 2015-10-12 07:34:14Z | CN=Accountinguser,OU=Sacramento,DC=egia,DC=com |
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| Administrator | 2001-10-06 18:33:47Z | 2021-07-19 23:25:17Z | 2015-04-08 09:31:00Z | CN=Administrator,OU=Groups,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| asanders | 2017-08-11 19:51:20Z | 2017-08-11 12:53:55Z | 2017-08-11 12:51:20Z | CN=Andrea Sanders,OU=Sacramento,DC=egia,DC=com |
| aschuette | 2017-08-03 17:13:19Z | 2017-08-03 14:02:40Z | 2017-08-03 10:13:19Z | CN=Andrew Schuette,OU=Sacramento,DC=egia,DC=com |
| bbackup | 2010-11-28 16:01:14Z | 2019-03-23 20:57:54Z | 2010-11-28 08:01:14Z | CN=Barracuda Backup,CN=Users,DC=egia,DC=com |
| BCMBackup | 2012-11-27 22:16:25Z | Never | 2012-11-27 14:16:25Z | CN=BCM Backup,OU=Sacramento,DC=egia,DC=com |
| bjohnson | 2019-04-23 18:17:02Z | 2019-04-23 14:24:39Z | 2019-04-23 11:17:02Z | CN=Bill Johnson,CN=Users,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| bwhite | 2017-12-26 18:34:30Z | 2018-03-14 00:14:05Z | 2018-02-12 08:34:09Z | CN=Brionna White,CN=Users,DC=egia,DC=com |
| CallReportingAdmin | 2010-04-13 19:40:57Z | Never | 2015-06-04 09:30:12Z | CN=Call Reporting Admin,CN=Users,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| conference | 2015-01-14 18:34:20Z | 2023-01-04 07:52:51Z | 2017-01-20 06:45:40Z | CN=Conference,OU=Sacramento,DC=egia,DC=com |
| Consultant | 2002-09-17 17:27:04Z | 2020-09-08 09:31:41Z | 2010-11-21 13:30:35Z | CN=Consultant,OU=Retired,DC=egia,DC=com |
| contractorapp1 | 2016-05-10 17:26:18Z | Never | 2016-05-10 10:26:19Z | CN=ContractorApp1,OU=Sacramento,DC=egia,DC=com |
| contractorapp2 | 2016-05-10 17:26:58Z | Never | 2016-05-10 10:26:58Z | CN=ContractorApp2,OU=Sacramento,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| ctodd | 2019-02-25 23:16:57Z | Never | 2019-02-25 15:16:57Z | CN=CJ Todd,OU=Sacramento,DC=egia,DC=com |
| ddelgado | 2020-01-13 18:57:00Z | 2020-01-14 10:30:29Z | 2020-01-14 10:29:57Z | CN=David Delgado,OU=Sacramento,DC=egia,DC=com |
| ddoyle | 2017-08-23 19:06:42Z | 2017-08-25 15:30:00Z | 2017-08-23 12:06:42Z | CN=Dan Doyle,OU=Sacramento,DC=egia,DC=com |
| devteamvpn | 2018-03-09 20:54:37Z | 2021-02-07 19:25:14Z | 2021-02-07 19:25:13Z | CN=Dev Teamvpn,CN=Users,DC=egia,DC=com |
| dmunoz | 2019-07-10 21:47:00Z | 2019-07-10 14:57:47Z | 2019-07-10 14:57:35Z | CN=David Munoz,OU=Sacramento,DC=egia,DC=com |
| drentschler | 2016-10-18 19:15:38Z | 2021-06-15 09:35:25Z | 2016-12-22 10:40:11Z | CN=Danny Rentschler,OU=Sacramento,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| egude | 2019-09-16 21:25:37Z | 2022-03-04 05:44:33Z | 2022-03-04 05:44:33Z | CN=Eric Gude,OU=Sacramento,DC=egia,DC=com |
| ehatton | 2023-10-12 16:29:29Z | 2023-10-12 09:32:43Z | 2023-10-12 09:29:29Z | CN=Eric Hatton,OU=Sacramento,DC=egia,DC=com |
| EMC | 2016-10-20 16:43:39Z | 2020-07-31 16:57:06Z | 2016-10-20 09:43:49Z | CN=EMC,OU=Sacramento,DC=egia,DC=com |
| epic | 2018-09-11 21:29:59Z | 2018-09-11 15:12:14Z | 2018-09-11 14:29:59Z | CN=epic event,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| fssa | 2016-11-15 18:46:41Z | 2021-09-05 06:18:02Z | 2016-11-15 10:46:41Z | CN=File Share Service Account,OU=Service Accounts,DC=egia,DC=com |
| gpotest | 2016-10-25 17:51:34Z | Never | 2016-10-28 14:29:32Z | CN=gpotest,OU=GPO Testing,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| hlopez | 2023-08-17 17:11:47Z | 2023-08-18 12:57:03Z | 2023-08-18 12:52:41Z | CN=Henry Lopez,OU=Sacramento,DC=egia,DC=com |
| homemakeovercontest | 2010-09-16 16:08:39Z | Never | 2010-09-16 09:08:39Z | CN=HomeMakeoverContest,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| Info | 2010-08-23 20:57:49Z | Never | 2010-08-23 13:57:59Z | CN=Info,CN=Users,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| itcsr | 2019-07-10 17:44:11Z | 2019-07-20 14:59:52Z | 2019-07-10 10:44:11Z | CN=IT csr,CN=Users,DC=egia,DC=com |
| itsupport | 2016-09-20 19:02:53Z | 2016-11-15 09:05:21Z | 2017-01-19 15:58:36Z | CN=IT Support,OU=Sacramento,DC=egia,DC=com |
| itvpnusr98W | 2018-07-18 21:28:28Z | 2022-02-24 15:35:16Z | 2022-02-03 14:16:00Z | CN=it vpn,CN=Users,DC=egia,DC=com |
| IUSER | 2010-08-31 18:37:47Z | 2021-07-20 04:59:01Z | 2010-08-31 11:37:47Z | CN=Internet User,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| jgalapon | 2019-04-23 18:15:05Z | 2019-04-23 14:24:17Z | 2019-04-23 11:15:05Z | CN=Juston Galapon,OU=Sacramento,DC=egia,DC=com |
| jmatulich | 2004-06-21 16:33:52Z | 2023-12-12 09:38:28Z | 2023-10-17 12:40:28Z | CN=Jeff Matulich,OU=Sacramento,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| lamador | 2020-02-24 22:29:55Z | 2021-03-18 14:25:48Z | 2020-02-24 14:29:55Z | CN=Leilani Amador,OU=Sacramento,DC=egia,DC=com |
| lehrbar | 2016-06-16 20:41:43Z | 2018-03-01 09:48:52Z | 2018-01-11 14:33:51Z | CN=Lucas Ehrbar,OU=Sacramento,DC=egia,DC=com |
| loaner | 2019-03-11 18:56:04Z | 2020-02-13 11:05:45Z | 2020-02-13 11:05:45Z | CN=loaner loaner,CN=Users,DC=egia,DC=com |
| malatorre | 2014-12-17 18:09:55Z | 2022-11-22 10:04:40Z | 2020-03-31 06:07:00Z | CN=Maria Alatorre,OU=Sacramento,DC=egia,DC=com |
| mayang | 2019-01-18 16:42:36Z | 2019-07-01 08:03:09Z | 2019-02-04 13:33:53Z | CN=Mai Yang2,CN=Users,DC=egia,DC=com |
| mbratsis | 2017-03-08 21:16:22Z | 2023-09-29 10:02:50Z | 2023-09-28 20:07:02Z | CN=Matthew Bratsis,OU=Sacramento,DC=egia,DC=com |
| mbratsis2 | 2020-01-17 16:28:52Z | 2021-04-29 16:28:28Z | 2020-01-17 08:28:52Z | CN=Matthew Bratsis2,OU=Sacramento,DC=egia,DC=com |
| mferreira | 2020-02-20 18:33:17Z | 2022-03-29 09:50:55Z | 2020-02-21 07:59:29Z | CN=Miguel Ferreira,OU=Sacramento,DC=egia,DC=com |
| mtech | 2019-03-19 20:55:34Z | 2022-12-13 18:52:49Z | 2020-06-15 16:25:19Z | CN=Martin tech,CN=Users,DC=egia,DC=com |
| mvitanza | 2023-08-17 17:16:02Z | 2023-08-18 08:03:47Z | 2023-08-17 10:16:02Z | CN=Marisa Vitanza,OU=Sacramento,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| myang | 2018-04-13 21:16:35Z | 2020-06-29 12:39:44Z | 2020-02-10 07:54:36Z | CN=Mai Yang,CN=Users,DC=egia,DC=com |
| mzan | 2017-08-07 17:00:09Z | 2018-01-04 11:43:39Z | 2018-01-04 11:43:21Z | CN=Matthew Zan,OU=Sacramento,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| nkahal | 2010-12-20 04:57:36Z | Never | 2011-12-26 12:25:15Z | CN=Niraj Kahal,OU=Sacramento,DC=egia,DC=com |
| nsingh | 2011-07-07 04:15:59Z | Never | 2023-06-07 14:29:43Z | CN=Navdeep Singh,OU=Sacramento,DC=egia,DC=com |
| nvaladez | 2023-08-17 18:23:24Z | 2023-11-01 12:49:03Z | 2023-08-17 11:23:24Z | CN=Nayeli Valadez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| PAQ | 2010-09-02 20:37:13Z | Never | 2010-09-02 13:37:23Z | CN=PAQ,OU=Rebates,DC=egia,DC=com |
| pbrokaw | 2023-11-22 02:07:37Z | Never | 2023-11-21 18:07:37Z | CN=Pat Brokaw,OU=Sacramento,DC=egia,DC=com |
| pmanager | 2010-11-21 21:28:03Z | Never | 2010-11-21 13:28:03Z | CN=Print Manager,CN=Users,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| Rebates | 2001-10-06 18:33:48Z | Never | 1600-12-31 16:00:00Z | CN=Rebate Process,OU=Rebates,DC=egia,DC=com |
| registrations | 2010-08-30 23:46:33Z | Never | 2010-08-30 16:46:33Z | CN=Registrations,CN=Users,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| rfaust | 2019-05-30 21:15:48Z | 2020-03-09 10:43:53Z | 2020-02-10 07:53:37Z | CN=Robin Faust,OU=Sacramento,DC=egia,DC=com |
| Ricoh | 2011-10-21 20:55:51Z | 2022-05-12 11:03:55Z | 2011-10-21 13:56:48Z | CN=Ricoh,CN=Users,DC=egia,DC=com |
| rmehra | 2012-07-11 06:02:30Z | Never | 2013-01-17 21:51:15Z | CN=Rishab Mehra,OU=Sacramento,DC=egia,DC=com |
| rmong | 2018-08-24 15:58:20Z | 2022-01-31 11:39:55Z | 2020-05-14 09:35:35Z | CN=Ricky Mong,CN=Users,DC=egia,DC=com |
| rpender | 2019-06-25 20:47:54Z | 2020-03-09 16:24:28Z | 2020-03-02 08:15:56Z | CN=Roger Pender,OU=Sacramento,DC=egia,DC=com |
| saccount | 2010-11-21 21:35:59Z | Never | 2010-11-21 13:35:59Z | CN=Service Account,CN=Users,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| sangeles | 2018-08-09 20:55:13Z | 2023-08-01 09:41:03Z | 2020-02-11 10:58:01Z | CN=Stephanie Angeles,OU=Sacramento,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| ScanRouterService | 2011-01-20 20:04:57Z | Never | 2011-01-20 12:14:44Z | CN=ScanRouterService,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| sharyl | 2017-01-16 22:49:14Z | 2017-03-01 14:34:10Z | 2017-03-01 14:32:43Z | CN=sharyl,OU=Sacramento,DC=egia,DC=com |
| skillian | 2015-12-16 16:20:23Z | 2020-03-17 07:42:31Z | 2015-12-16 08:20:24Z | CN=Scott Killian,OU=Sacramento,DC=egia,DC=com |
| slathar | 2011-01-04 18:12:28Z | 2021-07-17 11:55:18Z | 2023-06-07 14:35:01Z | CN=Sunil Lather,OU=Sacramento,DC=egia,DC=com |
| smercado | 2018-08-15 17:12:46Z | 2022-06-19 21:10:52Z | 2020-04-10 07:30:44Z | CN=Samara Mercado,CN=Users,DC=egia,DC=com |
| socalwatersmart | 2011-08-16 04:00:46Z | Never | 2011-08-15 21:00:46Z | CN=SoCalWaterSmart,CN=Users,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 13:57:32Z | 2017-07-13 10:08:10Z | CN=sonicwall admin,CN=Users,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| spiceworks | 2016-09-22 16:51:38Z | 2020-05-13 03:41:47Z | 2016-10-11 06:12:25Z | CN=SpiceWorks,OU=Service Accounts,DC=egia,DC=com |
| SQLJobs | 2011-03-10 01:08:39Z | 2021-07-22 16:01:16Z | 2011-03-09 17:08:39Z | CN=SQLJobs,CN=Users,DC=egia,DC=com |
| sqlserveralert | 2001-11-14 22:23:36Z | Never | 2001-11-14 15:09:20Z | CN=SQLServer Alert,CN=Users,DC=egia,DC=com |
| SSRS | 2010-08-24 23:56:48Z | 2020-06-16 09:12:07Z | 2010-08-24 16:56:48Z | CN=SQL Server Reporting Services,CN=Users,DC=egia,DC=com |
| ssymons | 2017-08-23 19:05:31Z | 2017-08-23 12:29:36Z | 2017-08-23 12:05:31Z | CN=Shelby Symons,OU=Sacramento,DC=egia,DC=com |
| support | 2003-11-19 22:37:59Z | Never | 2003-11-19 14:38:00Z | CN=Support,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| svc_prod_sql | 2014-08-12 03:15:59Z | Never | 2014-08-11 20:15:59Z | CN=Production SQL Service,OU=Service Accounts,DC=egia,DC=com |
| svcDevSQLServer | 2010-12-30 05:20:06Z | 2021-07-12 06:46:36Z | 2010-12-29 21:20:06Z | CN=DEV SQL Service,CN=Users,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tech | 2007-05-08 15:37:42Z | Never | 2012-02-03 14:51:52Z | CN=Tech,CN=Users,DC=egia,DC=com |
| techadmin | 2019-05-31 17:04:45Z | Never | 2019-05-31 10:04:45Z | CN=tecch admin,CN=Users,DC=egia,DC=com |
| test | 2013-04-15 18:54:26Z | 2022-11-07 11:42:04Z | 2017-01-20 06:45:04Z | CN=Test,OU=Sacramento,DC=egia,DC=com |
| tpiper | 2007-04-19 15:08:14Z | 2021-07-24 22:55:15Z | 2015-08-07 10:50:09Z | CN=Todd Piper,OU=Sacramento,DC=egia,DC=com |
| tpollack | 2015-08-24 17:23:40Z | 2023-03-10 11:32:41Z | 2020-02-04 08:24:45Z | CN=Toviah Pollack,OU=Sacramento,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| VipreService | 2011-01-20 19:58:42Z | Never | 2011-06-27 23:55:45Z | CN=VipreService,CN=Users,DC=egia,DC=com |
| vmadmin | 2016-08-23 21:50:09Z | 2020-06-26 05:15:08Z | 2016-08-23 14:50:09Z | CN=VM Ware Admin,OU=Sacramento,DC=egia,DC=com |
| vpntest2 | 2016-09-30 16:13:35Z | Never | 2016-09-30 09:13:36Z | CN=vpntest2,CN=Users,DC=egia,DC=com |
| webmaster | 2001-11-14 22:23:36Z | Never | 2010-12-06 13:52:35Z | CN=Webmaster,CN=Users,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| aarevalo | 2013-05-22 15:23:55Z | 2024-06-10 10:00:22Z | 2024-03-21 10:20:36Z | CN=Adriana Arevalo,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| AccountingTemp | 2012-08-14 16:54:44Z | 2024-07-08 23:01:55Z | 2017-01-24 08:43:23Z | CN=Accounting Temp,OU=Sacramento,DC=egia,DC=com |
| acowden | 2024-04-16 18:09:25Z | Never | 2024-06-06 08:33:55Z | CN=Ashley Cowden,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| Administrator | 2001-10-06 18:33:47Z | 2021-07-19 23:25:17Z | 2015-04-08 09:31:00Z | CN=Administrator,OU=Groups,DC=egia,DC=com |
| ADSyncAdmin-Local | 2024-02-21 20:56:43Z | 2024-02-21 12:57:48Z | 2024-02-21 12:56:43Z | CN=ADSyncAdmin-Local,OU=Service Accounts,DC=egia,DC=com |
| ahuerta | 2024-03-08 04:00:46Z | 2024-07-15 07:17:04Z | 2024-03-27 11:20:41Z | CN=Arturo Huerta,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| aschindler | 2024-05-02 21:06:23Z | Never | 2024-07-10 11:55:41Z | CN=Angela Schindler,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| bbackup | 2010-11-28 16:01:14Z | 2019-03-23 20:57:54Z | 2010-11-28 08:01:14Z | CN=Barracuda Backup,CN=Users,DC=egia,DC=com |
| BCMBackup | 2012-11-27 22:16:25Z | Never | 2012-11-27 14:16:25Z | CN=BCM Backup,OU=Sacramento,DC=egia,DC=com |
| bfernandez | 2014-07-11 16:10:54Z | 2020-04-02 13:10:54Z | 2024-04-18 11:52:02Z | CN=Breanna Fernandez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| bhollandsworth | 2010-04-14 17:14:15Z | 2023-09-28 09:56:25Z | 2024-04-29 11:02:25Z | CN=Brenda Hollandsworth,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| blyle | 2024-02-09 18:34:18Z | 2024-02-09 14:12:22Z | 2024-02-09 10:34:18Z | CN=Brianna Lyle,OU=Sacramento,DC=egia,DC=com |
| bmatulich | 2003-08-19 21:08:08Z | 2024-07-15 07:45:30Z | 2022-10-18 17:59:03Z | CN=Bruce Matulich,OU=Sacramento,DC=egia,DC=com |
| CallReportingAdmin | 2010-04-13 19:40:57Z | Never | 2015-06-04 09:30:12Z | CN=Call Reporting Admin,CN=Users,DC=egia,DC=com |
| cbuege | 2019-03-07 20:24:09Z | 2022-04-28 14:56:28Z | 2024-05-21 13:19:00Z | CN=Carrie Buege,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ccramer | 2014-07-25 20:03:05Z | 2024-07-10 11:43:12Z | 2020-02-14 06:02:29Z | CN=Clinton Cramer,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| conference | 2015-01-14 18:34:20Z | 2023-01-04 07:52:51Z | 2017-01-20 06:45:40Z | CN=Conference,OU=Sacramento,DC=egia,DC=com |
| Consultant | 2002-09-17 17:27:04Z | 2020-09-08 09:31:41Z | 2010-11-21 13:30:35Z | CN=Consultant,OU=Retired,DC=egia,DC=com |
| contractorapp1 | 2016-05-10 17:26:18Z | Never | 2016-05-10 10:26:19Z | CN=ContractorApp1,OU=Sacramento,DC=egia,DC=com |
| contractorapp2 | 2016-05-10 17:26:58Z | Never | 2016-05-10 10:26:58Z | CN=ContractorApp2,OU=Sacramento,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| crolbiecki | 2024-03-21 22:19:36Z | Never | 2024-04-15 15:13:11Z | CN=Clinton Rolbiecki,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ctodd | 2019-02-25 23:16:57Z | Never | 2019-02-25 15:16:57Z | CN=CJ Todd,OU=Sacramento,DC=egia,DC=com |
| ddecoster | 2024-05-15 20:36:52Z | Never | 2024-05-15 13:41:01Z | CN=Donna Decoster,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ddelgado | 2020-01-13 18:57:00Z | 2020-01-14 10:30:29Z | 2020-01-14 10:29:57Z | CN=David Delgado,OU=Sacramento,DC=egia,DC=com |
| drentschler | 2016-10-18 19:15:38Z | 2021-06-15 09:35:25Z | 2016-12-22 10:40:11Z | CN=Danny Rentschler,OU=Sacramento,DC=egia,DC=com |
| dthao | 2014-07-11 20:28:48Z | 2022-12-25 23:44:22Z | 2024-04-11 12:18:53Z | CN=Darlene Thao,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| dvinokurov | 2024-06-28 15:06:56Z | Never | 2024-06-28 08:06:56Z | CN=David Vinokurov,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| dwilson | 2012-08-16 23:49:49Z | 2024-01-29 08:27:28Z | 2020-01-31 06:42:35Z | CN=Donica Wilson,OU=Sacramento,DC=egia,DC=com |
| dyashinsky | 2019-03-25 20:11:57Z | 2024-02-09 10:35:19Z | 2024-02-09 10:32:23Z | CN=Darrel Yashinsky,OU=Sacramento,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| egonzalez | 2024-04-23 18:12:17Z | Never | 2024-04-23 11:12:17Z | CN=Edgar Gonzalez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ehatton | 2023-10-12 16:29:29Z | 2023-10-12 09:32:43Z | 2023-10-12 09:29:29Z | CN=Eric Hatton,OU=Sacramento,DC=egia,DC=com |
| ejavaid | 2010-12-02 14:38:38Z | 2024-05-21 11:33:55Z | 2011-12-08 16:17:21Z | CN=Eddie Javaid,OU=Sacramento,DC=egia,DC=com |
| emarquez | 2024-05-28 19:19:45Z | 2024-05-28 12:24:42Z | 2024-07-11 12:02:11Z | CN=Elena Marquez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| EMC | 2016-10-20 16:43:39Z | 2020-07-31 16:57:06Z | 2016-10-20 09:43:49Z | CN=EMC,OU=Sacramento,DC=egia,DC=com |
| epic | 2018-09-11 21:29:59Z | 2018-09-11 15:12:14Z | 2018-09-11 14:29:59Z | CN=epic event,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| fssa | 2016-11-15 18:46:41Z | 2021-09-05 06:18:02Z | 2016-11-15 10:46:41Z | CN=File Share Service Account,OU=Service Accounts,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| hlopez | 2023-08-17 17:11:47Z | 2023-08-18 12:57:03Z | 2023-08-18 12:52:41Z | CN=Henry Lopez,OU=Sacramento,DC=egia,DC=com |
| homemakeovercontest | 2010-09-16 16:08:39Z | Never | 2010-09-16 09:08:39Z | CN=HomeMakeoverContest,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| Info | 2010-08-23 20:57:49Z | Never | 2010-08-23 13:57:59Z | CN=Info,CN=Users,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| itsonicwall | 2019-08-01 23:45:55Z | 2024-07-14 16:48:10Z | 2019-08-01 16:45:55Z | CN=IT SonicWall,OU=Service Accounts,DC=egia,DC=com |
| itvpnusr98W | 2018-07-18 21:28:28Z | 2022-02-24 15:35:16Z | 2022-02-03 14:16:00Z | CN=it vpn,CN=Users,DC=egia,DC=com |
| IUSER | 2010-08-31 18:37:47Z | 2021-07-20 04:59:01Z | 2010-08-31 11:37:47Z | CN=Internet User,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| jchandler | 2003-11-17 17:07:04Z | 2024-05-15 12:03:52Z | 2018-02-09 13:43:17Z | CN=Jeremy Chandler,OU=Sacramento,DC=egia,DC=com |
| jmadrigal | 2014-12-29 17:39:09Z | 2024-07-08 13:52:22Z | 2024-03-07 14:14:18Z | CN=Jessica Madrigal,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| jmiller | 2016-06-30 20:56:47Z | 2024-07-16 08:03:27Z | 2024-03-07 14:13:30Z | CN=Justine Miller,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| jmorris | 2024-07-03 19:03:02Z | Never | 2024-07-03 12:03:02Z | CN=Jen Morris,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| jvaladez | 2013-05-20 13:55:31Z | 2024-03-19 09:00:55Z | 2020-06-17 17:00:36Z | CN=Jose Valadez,OU=Sacramento,DC=egia,DC=com |
| kguerrero | 2015-04-20 13:34:27Z | 2022-12-28 15:34:54Z | 2024-04-05 08:01:36Z | CN=Karla Guerrero,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| kong | 2024-07-02 22:06:40Z | Never | 2024-07-02 15:06:41Z | CN=Katrina Ong,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| ksatterwhite | 2015-02-06 19:58:58Z | 2022-09-16 09:19:28Z | 2024-05-03 14:14:33Z | CN=Kimberley Satterwhite,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| lamador | 2020-02-24 22:29:55Z | 2021-03-18 14:25:48Z | 2020-02-24 14:29:55Z | CN=Leilani Amador,OU=Sacramento,DC=egia,DC=com |
| ldisney | 2013-03-25 15:44:51Z | 2024-07-15 07:57:11Z | 2024-06-19 14:44:38Z | CN=Laurie Disney,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| lgopa2 | 2024-04-08 20:40:21Z | 2024-07-16 09:13:39Z | 2024-04-08 13:40:21Z | CN=Larisa Gopa2,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| madisondisney | 2024-03-14 18:03:52Z | 2024-07-09 07:44:28Z | 2024-03-14 11:34:38Z | CN=Madison Disney,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| malatorre | 2014-12-17 18:09:55Z | 2022-11-22 10:04:40Z | 2020-03-31 06:07:00Z | CN=Maria Alatorre,OU=Sacramento,DC=egia,DC=com |
| mayang | 2019-01-18 16:42:36Z | 2019-07-01 08:03:09Z | 2019-02-04 13:33:53Z | CN=Mai Yang2,CN=Users,DC=egia,DC=com |
| mbratsis | 2017-03-08 21:16:22Z | 2023-09-29 10:02:50Z | 2023-09-28 20:07:02Z | CN=Matthew Bratsis,OU=Sacramento,DC=egia,DC=com |
| mbratsis2 | 2020-01-17 16:28:52Z | 2021-04-29 16:28:28Z | 2020-01-17 08:28:52Z | CN=Matthew Bratsis2,OU=Sacramento,DC=egia,DC=com |
| mbryant | 2024-05-09 21:01:37Z | Never | 2024-05-09 14:01:37Z | CN=Molly Bryant,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| mdegenhardt | 2023-09-15 20:21:59Z | 2023-09-15 13:26:36Z | 2024-07-02 12:27:00Z | CN=Matthew Degenhardt,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| mferreira | 2020-02-20 18:33:17Z | 2022-03-29 09:50:55Z | 2020-02-21 07:59:29Z | CN=Miguel Ferreira,OU=Sacramento,DC=egia,DC=com |
| mkelley | 2024-03-08 04:17:12Z | 2024-05-17 13:17:36Z | 2024-05-21 10:25:42Z | CN=Martha Kelley,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| MSOL_bd60f9d632d0 | 2024-02-08 14:14:29Z | 2024-07-10 15:21:59Z | 2024-02-21 14:26:27Z | CN=MSOL_bd60f9d632d0,CN=Users,DC=egia,DC=com |
| mtech | 2019-03-19 20:55:34Z | 2022-12-13 18:52:49Z | 2020-06-15 16:25:19Z | CN=Martin tech,CN=Users,DC=egia,DC=com |
| mvitanza | 2023-08-17 17:16:02Z | 2023-08-18 08:03:47Z | 2023-08-17 10:16:02Z | CN=Marisa Vitanza,OU=Sacramento,DC=egia,DC=com |
| mwalker | 2024-03-21 22:22:43Z | 2024-03-21 15:30:02Z | 2024-03-21 15:22:43Z | CN=Mary Walker,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| myang | 2018-04-13 21:16:35Z | 2020-06-29 12:39:44Z | 2020-02-10 07:54:36Z | CN=Mai Yang,CN=Users,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| nodom | 2015-06-22 14:19:08Z | 2024-07-16 06:38:26Z | 2024-02-29 13:08:42Z | CN=Nathaniel Odom,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| nsingh | 2011-07-07 04:15:59Z | Never | 2023-06-07 14:29:43Z | CN=Navdeep Singh,OU=Sacramento,DC=egia,DC=com |
| nvaladez | 2023-08-17 18:23:24Z | 2023-11-01 12:49:03Z | 2023-08-17 11:23:24Z | CN=Nayeli Valadez,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| PAQ | 2010-09-02 20:37:13Z | Never | 2010-09-02 13:37:23Z | CN=PAQ,OU=Rebates,DC=egia,DC=com |
| pbrokaw | 2023-11-22 02:07:37Z | Never | 2023-11-21 18:07:37Z | CN=Pat Brokaw,OU=Sacramento,DC=egia,DC=com |
| pkeating | 2024-05-23 19:44:45Z | Never | 2024-05-29 13:56:52Z | CN=PJ Keating,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| pmanager | 2010-11-21 21:28:03Z | Never | 2010-11-21 13:28:03Z | CN=Print Manager,CN=Users,DC=egia,DC=com |
| pwhite | 2024-05-01 16:44:43Z | Never | 2024-05-01 09:44:43Z | CN=Paris White,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| registrations | 2010-08-30 23:46:33Z | Never | 2010-08-30 16:46:33Z | CN=Registrations,CN=Users,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| rfaust | 2019-05-30 21:15:48Z | 2020-03-09 10:43:53Z | 2020-02-10 07:53:37Z | CN=Robin Faust,OU=Sacramento,DC=egia,DC=com |
| Ricoh | 2011-10-21 20:55:51Z | 2022-05-12 11:03:55Z | 2011-10-21 13:56:48Z | CN=Ricoh,CN=Users,DC=egia,DC=com |
| rmong | 2018-08-24 15:58:20Z | 2022-01-31 11:39:55Z | 2020-05-14 09:35:35Z | CN=Ricky Mong,CN=Users,DC=egia,DC=com |
| rwilliams | 2018-08-02 21:29:05Z | 2024-07-02 15:44:46Z | 2024-05-02 11:33:24Z | CN=Rhonda Williams,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| saccount | 2010-11-21 21:35:59Z | Never | 2010-11-21 13:35:59Z | CN=Service Account,CN=Users,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| sangeles | 2018-08-09 20:55:13Z | 2023-08-01 09:41:03Z | 2020-02-11 10:58:01Z | CN=Stephanie Angeles,OU=Sacramento,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| ScanRouterService | 2011-01-20 20:04:57Z | Never | 2011-01-20 12:14:44Z | CN=ScanRouterService,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| sfenger | 2024-01-16 18:01:36Z | 2024-01-22 07:53:37Z | 2024-01-16 10:01:36Z | CN=Samantha Fenger,OU=Sacramento,DC=egia,DC=com |
| skillian | 2015-12-16 16:20:23Z | 2020-03-17 07:42:31Z | 2015-12-16 08:20:24Z | CN=Scott Killian,OU=Sacramento,DC=egia,DC=com |
| slee | 2018-08-08 21:31:38Z | 2021-06-20 07:32:12Z | 2024-04-05 05:32:33Z | CN=Somaey Lee,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| smccrary | 2020-03-09 20:10:33Z | 2023-08-31 08:40:22Z | 2024-06-13 13:25:09Z | CN=Sharon McCrary,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| smercado | 2018-08-15 17:12:46Z | 2022-06-19 21:10:52Z | 2020-04-10 07:30:44Z | CN=Samara Mercado,CN=Users,DC=egia,DC=com |
| smiller | 2024-05-09 19:22:18Z | Never | 2024-05-09 12:22:18Z | CN=Sarnai Miller,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| socalwatersmart | 2011-08-16 04:00:46Z | Never | 2011-08-15 21:00:46Z | CN=SoCalWaterSmart,CN=Users,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| sonicwalladmin | 2017-07-13 17:08:10Z | 2017-07-13 13:57:32Z | 2017-07-13 10:08:10Z | CN=sonicwall admin,CN=Users,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| spiceworks | 2016-09-22 16:51:38Z | 2020-05-13 03:41:47Z | 2016-10-11 06:12:25Z | CN=SpiceWorks,OU=Service Accounts,DC=egia,DC=com |
| SQLJobs | 2011-03-10 01:08:39Z | 2021-07-22 16:01:16Z | 2011-03-09 17:08:39Z | CN=SQLJobs,CN=Users,DC=egia,DC=com |
| sspray | 2024-05-08 21:40:54Z | Never | 2024-05-08 14:40:54Z | CN=Stephanie Spray,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| SSRS | 2010-08-24 23:56:48Z | 2020-06-16 09:12:07Z | 2010-08-24 16:56:48Z | CN=SQL Server Reporting Services,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| svc_prod_sql | 2014-08-12 03:15:59Z | Never | 2014-08-11 20:15:59Z | CN=Production SQL Service,OU=Service Accounts,DC=egia,DC=com |
| svcDevSQLServer | 2010-12-30 05:20:06Z | 2021-07-12 06:46:36Z | 2010-12-29 21:20:06Z | CN=DEV SQL Service,CN=Users,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tech | 2007-05-08 15:37:42Z | Never | 2012-02-03 14:51:52Z | CN=Tech,CN=Users,DC=egia,DC=com |
| techadmin | 2019-05-31 17:04:45Z | Never | 2019-05-31 10:04:45Z | CN=tecch admin,CN=Users,DC=egia,DC=com |
| test | 2013-04-15 18:54:26Z | 2022-11-07 11:42:04Z | 2017-01-20 06:45:04Z | CN=Test,OU=Sacramento,DC=egia,DC=com |
| tfelczak | 2023-08-17 17:07:56Z | 2023-08-17 12:27:59Z | 2024-05-20 06:19:01Z | CN=Tiffany Felczak,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| tgibson | 2003-09-22 15:49:18Z | 2024-03-07 14:25:41Z | 2024-03-07 14:15:01Z | CN=Teresa Gibson,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| tle | 2010-08-23 15:26:48Z | 2024-06-06 13:35:43Z | 2012-11-28 15:21:13Z | CN=Tuan Le,OU=Sacramento,DC=egia,DC=com |
| tpiper | 2007-04-19 15:08:14Z | 2021-07-24 22:55:15Z | 2015-08-07 10:50:09Z | CN=Todd Piper,OU=Sacramento,DC=egia,DC=com |
| tpollack | 2015-08-24 17:23:40Z | 2023-03-10 11:32:41Z | 2020-02-04 08:24:45Z | CN=Toviah Pollack,OU=Sacramento,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| ttrybul | 2023-09-21 20:25:11Z | 2023-09-22 12:43:30Z | 2024-07-10 17:33:25Z | CN=Tammy Trybul,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| twilliamson | 2024-05-03 19:46:29Z | Never | 2024-05-09 06:36:44Z | CN=Tim Williamson,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| VipreService | 2011-01-20 19:58:42Z | Never | 2011-06-27 23:55:45Z | CN=VipreService,CN=Users,DC=egia,DC=com |
| vmadmin | 2016-08-23 21:50:09Z | 2020-06-26 05:15:08Z | 2016-08-23 14:50:09Z | CN=VM Ware Admin,OU=Sacramento,DC=egia,DC=com |
| vperrault | 2024-02-09 18:39:05Z | 2024-07-04 23:34:58Z | 2024-03-15 14:03:43Z | CN=Veronica Perrault,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| Administrator | 2001-10-06 18:33:47Z | 2021-07-19 23:25:17Z | 2015-04-08 09:31:00Z | CN=Administrator,OU=Groups,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| Rebates | 2001-10-06 18:33:48Z | Never | 1600-12-31 16:00:00Z | CN=Rebate Process,OU=Rebates,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| sqlserveralert | 2001-11-14 22:23:36Z | Never | 2001-11-14 15:09:20Z | CN=SQLServer Alert,CN=Users,DC=egia,DC=com |
| support | 2003-11-19 22:37:59Z | Never | 2003-11-19 14:38:00Z | CN=Support,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| $DUPLICATE-6b14 | 2017-01-16 22:10:46Z | 2017-01-16 14:51:34Z | 2017-01-16 14:41:24Z | CN=sharyl\0ACNF:cff5105e-507b-4e10-8483-74f6d1e18af1,OU=Sacramento,DC=egia,DC=com |
Here is the distribution where the password has been changed for the last time. Only enabled user accounts are analyzed (no guest account for example).
This section gives information about the computer accounts stored in the Active Directory
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| BACKUP-PC$ | 2013-04-18 18:03:39Z | Never | 2013-04-18 11:03:39Z | CN=BACKUP-PC,CN=Computers,DC=egia,DC=com |
| BACKUP-PC2$ | 2013-04-18 21:45:30Z | Never | 2014-09-02 08:51:32Z | CN=BACKUP-PC2,CN=Computers,DC=egia,DC=com |
| BACKUP-PC3$ | 2013-05-08 21:28:27Z | Never | 2013-05-08 14:28:27Z | CN=BACKUP-PC3,CN=Computers,DC=egia,DC=com |
| BACKUP-PC4$ | 2013-05-15 20:54:28Z | Never | 2013-07-19 19:23:21Z | CN=BACKUP-PC4,CN=Computers,DC=egia,DC=com |
| BHOWARTH$ | 2007-01-10 02:12:03Z | Never | 2007-03-12 09:56:21Z | CN=BHOWARTH,CN=Computers,DC=egia,DC=com |
| BLACK$ | 2007-10-17 19:50:10Z | Never | 2010-07-16 14:11:09Z | CN=BLACK,CN=Computers,DC=egia,DC=com |
| BMATULICH$ | 2003-10-27 19:54:28Z | Never | 2011-11-07 21:20:10Z | CN=BMATULICH,CN=Computers,DC=egia,DC=com |
| BMATULICH-HOME$ | 2003-08-19 19:47:37Z | Never | 2010-05-23 11:54:31Z | CN=BMATULICH-HOME,CN=Computers,DC=egia,DC=com |
| BMATULICH-PC$ | 2011-11-15 00:37:48Z | Never | 2014-02-28 08:14:59Z | CN=BMATULICH-PC,CN=Computers,DC=egia,DC=com |
| BROWN$ | 2010-08-15 21:56:51Z | Never | 2016-08-23 11:52:40Z | CN=BROWN,CN=Computers,DC=egia,DC=com |
| CALABRESE$ | 2007-06-22 21:15:22Z | Never | 2013-02-27 13:23:44Z | CN=CALABRESE,CN=Computers,DC=egia,DC=com |
| CALLREPORT$ | 2010-07-27 03:39:48Z | Never | 2010-07-26 20:39:48Z | CN=CALLREPORT,CN=Computers,DC=egia,DC=com |
| CALLREPORTING$ | 2010-03-04 17:53:26Z | Never | 2010-07-14 00:19:11Z | CN=CALLREPORTING,CN=Computers,DC=egia,DC=com |
| CALLREPORTS$ | 2010-07-23 22:55:22Z | Never | 2015-01-13 07:56:37Z | CN=CALLREPORTS,CN=Computers,DC=egia,DC=com |
| CDEARMAN$ | 2010-04-16 17:26:04Z | Never | 2012-12-13 09:51:47Z | CN=CDEARMAN,CN=Computers,DC=egia,DC=com |
| CLINTON-WIN10$ | 2019-01-21 19:25:18Z | 2020-10-29 23:54:28Z | 2020-10-14 23:26:51Z | CN=CLINTON-WIN10,CN=Computers,DC=egia,DC=com |
| CRLAPTOP$ | 2011-05-20 21:19:56Z | Never | 2014-07-30 08:45:02Z | CN=CRLAPTOP,CN=Computers,DC=egia,DC=com |
| CRYSTALM$ | 2018-07-02 21:21:43Z | 2020-03-13 07:55:27Z | 2020-03-11 11:45:48Z | CN=CRYSTALM,CN=Computers,DC=egia,DC=com |
| CSR2$ | 2010-07-19 13:20:01Z | Never | 2011-04-28 06:07:51Z | CN=CSR2,CN=Computers,DC=egia,DC=com |
| DARREL-WIN10$ | 2019-04-03 20:59:26Z | 2021-12-09 08:27:07Z | 2021-12-09 08:42:56Z | CN=DARREL-WIN10,CN=Computers,DC=egia,DC=com |
| DAVE-PC$ | 2016-04-05 17:28:34Z | 2017-07-27 15:08:29Z | 2017-01-07 06:03:06Z | CN=DAVE-PC,CN=Computers,DC=egia,DC=com |
| DESKTOP-0T5O7HL$ | 2019-11-14 21:26:24Z | 2022-04-25 13:05:29Z | 2022-04-25 13:20:10Z | CN=DESKTOP-0T5O7HL,CN=Computers,DC=egia,DC=com |
| DESKTOP-15VAUDB$ | 2021-07-07 22:13:50Z | 2023-07-26 08:59:21Z | 2023-07-14 13:23:53Z | CN=DESKTOP-15VAUDB,CN=Computers,DC=egia,DC=com |
| DESKTOP-16EP77J$ | 2020-06-16 17:14:12Z | 2022-06-07 10:47:59Z | 2021-10-04 10:29:04Z | CN=DESKTOP-16EP77J,CN=Computers,DC=egia,DC=com |
| DESKTOP-1FNOEHQ$ | 2019-11-16 00:48:21Z | 2020-07-21 10:01:13Z | 2020-06-16 08:55:54Z | CN=DESKTOP-1FNOEHQ,CN=Computers,DC=egia,DC=com |
| DESKTOP-1MS7FJ7$ | 2018-08-02 21:27:05Z | 2019-11-13 12:16:05Z | 2019-07-09 15:19:47Z | CN=DESKTOP-1MS7FJ7,CN=Computers,DC=egia,DC=com |
| DESKTOP-1N83ODI$ | 2021-04-21 18:24:00Z | 2022-12-29 12:58:54Z | 2022-12-07 07:47:58Z | CN=DESKTOP-1N83ODI,CN=Computers,DC=egia,DC=com |
| DESKTOP-1ROLPJI$ | 2018-05-14 21:13:38Z | 2021-03-10 07:24:53Z | 2021-03-10 07:24:54Z | CN=DESKTOP-1ROLPJI,CN=Computers,DC=egia,DC=com |
| DESKTOP-3680E7J$ | 2018-09-04 23:02:39Z | 2018-09-16 08:10:18Z | 2018-09-04 16:02:39Z | CN=DESKTOP-3680E7J,CN=Computers,DC=egia,DC=com |
| DESKTOP-3RSQUL8$ | 2020-09-29 20:52:35Z | 2021-04-12 11:21:03Z | 2021-04-02 10:52:16Z | CN=DESKTOP-3RSQUL8,CN=Computers,DC=egia,DC=com |
| DESKTOP-41N990G$ | 2019-09-17 14:04:45Z | 2022-09-16 08:44:10Z | 2022-09-16 08:44:10Z | CN=DESKTOP-41N990G,CN=Computers,DC=egia,DC=com |
| DESKTOP-4FBUQ7K$ | 2020-03-19 17:30:11Z | 2021-08-31 13:50:27Z | 2021-08-31 13:53:28Z | CN=DESKTOP-4FBUQ7K,CN=Computers,DC=egia,DC=com |
| DESKTOP-5MQB4BA$ | 2019-09-17 14:02:36Z | 2021-08-23 09:26:18Z | 2021-08-23 09:26:18Z | CN=DESKTOP-5MQB4BA,CN=Computers,DC=egia,DC=com |
| DESKTOP-5PGLROL$ | 2021-10-12 16:15:22Z | 2023-05-02 07:07:59Z | 2023-05-02 07:08:01Z | CN=DESKTOP-5PGLROL,CN=Computers,DC=egia,DC=com |
| DESKTOP-5R10RF5$ | 2023-09-15 16:49:19Z | 2023-09-15 09:49:20Z | 2023-09-15 09:49:19Z | CN=DESKTOP-5R10RF5,CN=Computers,DC=egia,DC=com |
| DESKTOP-67OSU32$ | 2020-03-19 18:07:46Z | 2021-07-13 10:06:43Z | 2021-07-13 10:08:46Z | CN=DESKTOP-67OSU32,CN=Computers,DC=egia,DC=com |
| DESKTOP-6H9F33F$ | 2021-08-17 22:17:09Z | 2021-08-17 15:17:09Z | 2021-08-17 15:17:09Z | CN=DESKTOP-6H9F33F,CN=Computers,DC=egia,DC=com |
| DESKTOP-6T93L16$ | 2019-11-07 20:31:48Z | 2020-05-14 11:47:10Z | 2020-05-13 09:03:36Z | CN=DESKTOP-6T93L16,CN=Computers,DC=egia,DC=com |
| DESKTOP-77RBVD4$ | 2019-10-29 16:05:50Z | 2021-01-24 12:55:45Z | 2021-01-24 12:55:47Z | CN=DESKTOP-77RBVD4,CN=Computers,DC=egia,DC=com |
| DESKTOP-7B3AG3A$ | 2020-03-16 23:18:44Z | 2020-03-16 16:18:44Z | 2020-03-16 16:19:58Z | CN=DESKTOP-7B3AG3A,CN=Computers,DC=egia,DC=com |
| DESKTOP-7EA5P8T$ | 2019-02-20 17:51:02Z | 2021-05-07 14:43:36Z | 2021-05-07 14:59:21Z | CN=DESKTOP-7EA5P8T,CN=Computers,DC=egia,DC=com |
| DESKTOP-81DIHNJ$ | 2019-11-07 22:57:07Z | 2023-07-21 08:52:09Z | 2023-07-10 08:26:54Z | CN=DESKTOP-81DIHNJ,CN=Computers,DC=egia,DC=com |
| DESKTOP-8KLEBP4$ | 2022-05-11 15:44:45Z | 2023-12-20 15:13:06Z | 2023-05-23 12:32:50Z | CN=DESKTOP-8KLEBP4,OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
| DESKTOP-90810I8$ | 2020-02-05 17:53:42Z | 2022-06-06 10:06:33Z | 2022-06-03 07:59:09Z | CN=DESKTOP-90810I8,CN=Computers,DC=egia,DC=com |
| DESKTOP-938E09J$ | 2021-12-02 20:50:19Z | 2021-12-02 12:50:19Z | 2021-12-02 12:50:19Z | CN=DESKTOP-938E09J,CN=Computers,DC=egia,DC=com |
| DESKTOP-95N1LDC$ | 2023-08-17 17:49:06Z | 2023-11-01 12:47:18Z | 2023-11-01 13:02:13Z | CN=DESKTOP-95N1LDC,CN=Computers,DC=egia,DC=com |
| DESKTOP-9O97NFG$ | 2019-10-04 17:55:21Z | 2023-01-16 11:53:11Z | 2023-01-16 11:56:07Z | CN=DESKTOP-9O97NFG,CN=Computers,DC=egia,DC=com |
| DESKTOP-A3LS3HT$ | 2021-07-26 19:50:42Z | 2023-09-05 14:19:12Z | 2023-08-18 14:18:32Z | CN=DESKTOP-A3LS3HT,CN=Computers,DC=egia,DC=com |
| DESKTOP-CIEMD1C$ | 2021-07-08 20:48:24Z | 2021-07-08 13:48:24Z | 2021-07-08 14:57:08Z | CN=DESKTOP-CIEMD1C,CN=Computers,DC=egia,DC=com |
| DESKTOP-CO6V59D$ | 2020-03-19 19:20:54Z | 2020-09-15 10:04:04Z | 2020-08-24 09:37:26Z | CN=DESKTOP-CO6V59D,CN=Computers,DC=egia,DC=com |
| DESKTOP-COG52B9$ | 2019-02-22 17:55:31Z | 2019-08-23 12:26:14Z | 2019-08-12 12:56:50Z | CN=DESKTOP-COG52B9,CN=Computers,DC=egia,DC=com |
| DESKTOP-D7C73LJ$ | 2019-09-17 14:06:18Z | 2022-03-04 05:23:17Z | 2022-03-04 05:36:56Z | CN=DESKTOP-D7C73LJ,CN=Computers,DC=egia,DC=com |
| DESKTOP-DULLU4G$ | 2020-03-19 14:32:49Z | 2020-04-12 11:10:17Z | 2020-03-19 07:32:49Z | CN=DESKTOP-DULLU4G,CN=Computers,DC=egia,DC=com |
| DESKTOP-E1DCM7D$ | 2020-01-16 17:36:12Z | 2020-01-16 09:36:13Z | 2020-01-16 09:36:12Z | CN=DESKTOP-E1DCM7D,CN=Computers,DC=egia,DC=com |
| DESKTOP-E4U1NOM$ | 2020-03-19 17:22:36Z | 2022-09-01 12:45:48Z | 2022-09-01 12:49:18Z | CN=DESKTOP-E4U1NOM,CN=Computers,DC=egia,DC=com |
| DESKTOP-F8I0LKE$ | 2018-08-21 21:57:36Z | 2020-01-07 15:26:58Z | 2019-12-23 22:25:14Z | CN=DESKTOP-F8I0LKE,CN=Computers,DC=egia,DC=com |
| DESKTOP-FIT3S1H$ | 2021-07-08 17:58:32Z | 2022-11-22 10:04:47Z | 2022-11-22 10:17:21Z | CN=DESKTOP-FIT3S1H,CN=Computers,DC=egia,DC=com |
| DESKTOP-FU376D4$ | 2019-10-24 17:04:17Z | 2019-11-08 11:58:48Z | 2019-10-24 10:04:17Z | CN=DESKTOP-FU376D4,CN=Computers,DC=egia,DC=com |
| DESKTOP-G35K9LK$ | 2019-11-07 20:32:35Z | 2023-10-23 18:39:19Z | 2023-10-22 02:05:35Z | CN=DESKTOP-G35K9LK,CN=Computers,DC=egia,DC=com |
| DESKTOP-GCO3070$ | 2019-11-14 21:25:06Z | 2022-05-20 07:41:45Z | 2022-05-09 08:24:51Z | CN=DESKTOP-GCO3070,CN=Computers,DC=egia,DC=com |
| DESKTOP-GGFHE49$ | 2019-11-07 20:35:26Z | 2021-06-20 07:32:18Z | 2021-06-20 07:33:05Z | CN=DESKTOP-GGFHE49,CN=Computers,DC=egia,DC=com |
| DESKTOP-GNGFIJK$ | 2020-02-05 17:53:29Z | 2023-06-14 15:03:14Z | 2023-06-14 15:20:13Z | CN=DESKTOP-GNGFIJK,CN=Computers,DC=egia,DC=com |
| DESKTOP-H4C5MT3$ | 2021-12-28 15:13:07Z | 2021-12-28 07:13:07Z | 2021-12-28 07:13:07Z | CN=DESKTOP-H4C5MT3,CN=Computers,DC=egia,DC=com |
| DESKTOP-HEVUINE$ | 2019-07-31 20:32:17Z | 2022-06-13 14:26:35Z | 2022-06-03 11:14:28Z | CN=DESKTOP-HEVUINE,CN=Computers,DC=egia,DC=com |
| DESKTOP-J3KF0LB$ | 2020-02-12 16:27:46Z | 2023-08-17 11:09:59Z | 2023-08-07 11:08:15Z | CN=DESKTOP-J3KF0LB,CN=Computers,DC=egia,DC=com |
| DESKTOP-JJ4C7N1$ | 2019-10-24 18:16:15Z | 2021-01-11 10:38:44Z | 2020-12-23 19:51:25Z | CN=DESKTOP-JJ4C7N1,CN=Computers,DC=egia,DC=com |
| DESKTOP-JNF5P6B$ | 2019-11-07 20:10:08Z | 2021-02-12 14:00:35Z | 2021-02-12 14:09:59Z | CN=DESKTOP-JNF5P6B,CN=Computers,DC=egia,DC=com |
| DESKTOP-KHGSECP$ | 2020-06-16 17:14:25Z | 2023-02-07 12:15:35Z | 2023-02-07 12:28:24Z | CN=DESKTOP-KHGSECP,CN=Computers,DC=egia,DC=com |
| DESKTOP-L8EA86Q$ | 2023-09-21 22:37:46Z | 2023-09-21 15:37:50Z | 2023-09-21 15:37:50Z | CN=DESKTOP-L8EA86Q,OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
| DESKTOP-LED9AGJ$ | 2021-08-17 18:24:25Z | 2021-08-17 11:24:25Z | 2021-08-17 11:24:25Z | CN=DESKTOP-LED9AGJ,CN=Computers,DC=egia,DC=com |
| DESKTOP-LEUKS8H$ | 2021-07-12 18:43:46Z | 2023-05-30 08:24:38Z | 2023-06-06 08:25:08Z | CN=DESKTOP-LEUKS8H,CN=Computers,DC=egia,DC=com |
| DESKTOP-NSMT5CP$ | 2019-05-30 22:05:30Z | 2023-06-30 10:46:03Z | 2023-06-30 11:04:51Z | CN=DESKTOP-NSMT5CP,CN=Computers,DC=egia,DC=com |
| DESKTOP-OBEOBB0$ | 2020-03-18 18:34:32Z | 2023-06-15 14:07:19Z | 2023-06-15 14:23:28Z | CN=DESKTOP-OBEOBB0,CN=Computers,DC=egia,DC=com |
| DESKTOP-P3K9L8L$ | 2018-08-27 17:52:48Z | 2023-06-15 13:35:58Z | 2023-06-15 13:35:59Z | CN=DESKTOP-P3K9L8L,CN=Computers,DC=egia,DC=com |
| DESKTOP-PLA4DDM$ | 2020-01-17 18:32:59Z | 2021-04-29 16:28:32Z | 2020-09-11 14:42:01Z | CN=DESKTOP-PLA4DDM,CN=Computers,DC=egia,DC=com |
| DESKTOP-PPTAJ1A$ | 2020-05-28 16:14:23Z | 2023-06-15 13:16:57Z | 2023-06-15 13:31:44Z | CN=DESKTOP-PPTAJ1A,CN=Computers,DC=egia,DC=com |
| DESKTOP-Q62QKF6$ | 2020-03-19 16:41:56Z | 2022-09-01 12:45:32Z | 2022-09-01 12:50:27Z | CN=DESKTOP-Q62QKF6,CN=Computers,DC=egia,DC=com |
| DESKTOP-R1MH3PN$ | 2019-10-17 14:18:04Z | 2021-10-25 11:56:53Z | 2021-10-25 12:04:00Z | CN=DESKTOP-R1MH3PN,CN=Computers,DC=egia,DC=com |
| DESKTOP-RNB6I8D$ | 2019-09-19 15:04:35Z | 2023-08-31 10:19:58Z | 2023-08-31 10:19:58Z | CN=DESKTOP-RNB6I8D,CN=Computers,DC=egia,DC=com |
| DESKTOP-RNIFKH3$ | 2020-10-15 17:48:31Z | 2021-09-16 09:24:05Z | 2021-09-16 09:38:43Z | CN=DESKTOP-RNIFKH3,CN=Computers,DC=egia,DC=com |
| DESKTOP-SFC5JM8$ | 2020-03-19 14:24:48Z | 2020-12-03 10:45:51Z | 2020-12-03 10:29:57Z | CN=DESKTOP-SFC5JM8,CN=Computers,DC=egia,DC=com |
| DESKTOP-SG7ADIU$ | 2020-10-29 18:32:51Z | 2023-05-23 12:07:53Z | 2022-12-19 08:30:54Z | CN=DESKTOP-SG7ADIU,CN=Computers,DC=egia,DC=com |
| DESKTOP-SMT37AV$ | 2019-12-19 20:48:16Z | 2022-06-08 15:58:35Z | 2022-05-20 14:12:59Z | CN=DESKTOP-SMT37AV,CN=Computers,DC=egia,DC=com |
| DESKTOP-T9HB8DN$ | 2020-06-02 15:54:53Z | 2022-06-01 06:42:05Z | 2022-06-01 06:56:50Z | CN=DESKTOP-T9HB8DN,CN=Computers,DC=egia,DC=com |
| DESKTOP-T9O4UH1$ | 2019-11-07 20:33:15Z | 2022-11-07 11:04:31Z | 2022-10-21 14:00:57Z | CN=DESKTOP-T9O4UH1,CN=Computers,DC=egia,DC=com |
| DESKTOP-TEPSFTD$ | 2021-02-12 22:38:00Z | 2023-08-28 08:02:00Z | 2023-08-02 08:11:25Z | CN=DESKTOP-TEPSFTD,CN=Computers,DC=egia,DC=com |
| DESKTOP-TLENJSD$ | 2019-12-04 21:10:53Z | 2021-02-18 13:09:59Z | 2019-12-04 13:10:53Z | CN=DESKTOP-TLENJSD,CN=Computers,DC=egia,DC=com |
| DESKTOP-TQH2330$ | 2023-08-30 23:15:50Z | 2023-08-30 16:15:51Z | 2023-08-30 16:15:50Z | CN=DESKTOP-TQH2330,CN=Computers,DC=egia,DC=com |
| DESKTOP-TSI1525$ | 2018-08-22 17:04:10Z | 2019-10-10 13:39:35Z | 2019-10-10 13:41:37Z | CN=DESKTOP-TSI1525,CN=Computers,DC=egia,DC=com |
| DESKTOP-U0S03D9$ | 2022-05-13 21:13:58Z | 2022-05-13 14:13:58Z | 2022-05-13 14:13:58Z | CN=DESKTOP-U0S03D9,CN=Computers,DC=egia,DC=com |
| DESKTOP-UAS9U5V$ | 2018-03-08 21:26:38Z | 2022-03-01 08:33:44Z | 2022-01-17 15:54:19Z | CN=DESKTOP-UAS9U5V,CN=Computers,DC=egia,DC=com |
| DESKTOP-VBGB4GG$ | 2023-10-12 16:16:27Z | 2023-10-12 09:16:28Z | 2023-10-12 09:16:27Z | CN=DESKTOP-VBGB4GG,CN=Computers,DC=egia,DC=com |
| EDDIEJ$ | 2012-10-12 21:48:04Z | 2018-04-05 19:37:29Z | 2018-03-27 02:04:15Z | CN=EDDIEJ,OU=LocalComputer,DC=egia,DC=com |
| EDDIE-WIN10$ | 2019-05-02 17:22:21Z | 2020-06-19 01:39:50Z | 2020-06-04 15:51:30Z | CN=EDDIE-WIN10,OU=LocalComputer,DC=egia,DC=com |
| EGIA$ | 2023-09-28 16:18:16Z | 2023-09-28 09:18:17Z | 2023-09-28 09:18:16Z | CN=EGIA,CN=Computers,DC=egia,DC=com |
| EGIA482$ | 2023-08-11 20:27:37Z | 2023-08-11 13:27:44Z | 2023-08-11 13:27:43Z | CN=EGIA482,CN=Computers,DC=egia,DC=com |
| EGIA483$ | 2023-08-29 01:23:56Z | 2023-10-20 13:18:01Z | 2023-09-28 07:36:13Z | CN=EGIA483,CN=Computers,DC=egia,DC=com |
| EGIAACCT01$ | 2010-09-27 17:03:29Z | 2021-02-20 17:22:16Z | 2021-02-16 10:38:11Z | CN=EGIAACCT01,CN=Computers,DC=egia,DC=com |
| EGIADC03$ | 2007-04-02 16:05:42Z | 2019-03-10 19:27:11Z | 2019-03-03 19:54:53Z | CN=EGIADC03,CN=Computers,DC=egia,DC=com |
| EGIADEVSQL01$ | 2010-12-30 05:07:10Z | 2021-07-20 10:25:51Z | 2021-07-16 03:23:21Z | CN=EGIADEVSQL01,CN=Computers,DC=egia,DC=com |
| EGIADEVWEB01$ | 2010-12-31 16:25:54Z | 2020-07-01 16:57:13Z | 2020-06-12 20:10:49Z | CN=EGIADEVWEB01,CN=Computers,DC=egia,DC=com |
| EGIADW01$ | 2011-02-08 04:14:01Z | Never | 2016-08-18 22:33:15Z | CN=EGIADW01,CN=Computers,DC=egia,DC=com |
| EGIAFS10$ | 2014-08-07 02:25:18Z | 2022-09-06 09:42:36Z | 2014-08-06 19:25:18Z | CN=egiafs10,OU=Computers,OU=EMC Celerra,DC=egia,DC=com |
| EGIAFTP2W$ | 2018-04-17 22:30:45Z | 2018-05-07 23:01:31Z | 2018-04-17 15:30:45Z | CN=EGIAFTP2W,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-105$ | 2014-08-18 16:15:45Z | 2020-03-18 06:37:05Z | 2019-10-28 06:03:36Z | CN=EGIA-LAP-105,OU=LocalComputer,DC=egia,DC=com |
| EGIA-LAP-106$ | 2014-09-08 17:10:10Z | Never | 2016-09-27 09:39:19Z | CN=EGIA-LAP-106,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-107$ | 2014-09-22 19:28:02Z | Never | 2014-09-22 13:34:40Z | CN=EGIA-LAP-107,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-108$ | 2014-09-24 20:01:54Z | 2018-07-11 10:50:19Z | 2017-11-15 07:24:12Z | CN=EGIA-LAP-108,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-109$ | 2014-09-26 15:45:26Z | Never | 2016-01-11 07:22:59Z | CN=EGIA-LAP-109,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-110$ | 2015-02-09 18:01:00Z | Never | 2016-09-01 09:11:10Z | CN=EGIA-LAP-110,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-112$ | 2015-06-23 15:58:28Z | Never | 2015-08-05 11:02:48Z | CN=EGIA-LAP-112,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-113$ | 2015-08-26 16:18:38Z | 2019-02-15 15:59:11Z | 2019-02-12 16:51:34Z | CN=EGIA-LAP-113,OU=LocalComputer,DC=egia,DC=com |
| EGIA-LAP-114$ | 2015-09-09 19:28:52Z | Never | 2015-12-03 12:41:09Z | CN=EGIA-LAP-114,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-115$ | 2016-02-19 17:41:59Z | 2021-12-06 06:24:03Z | 2021-12-06 06:27:28Z | CN=EGIA-LAP-115,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-116$ | 2016-03-02 16:25:34Z | 2018-03-02 10:04:00Z | 2018-03-02 10:12:41Z | CN=EGIA-LAP-116,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-117$ | 2016-06-20 21:50:58Z | 2021-01-25 14:56:03Z | 2021-01-13 16:00:27Z | CN=EGIA-LAP-117,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-118$ | 2016-08-10 20:48:13Z | 2016-12-09 08:12:29Z | 2016-12-09 08:32:04Z | CN=EGIA-LAP-118,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-119$ | 2016-09-12 22:04:42Z | 2019-07-26 12:38:44Z | 2019-07-26 12:51:29Z | CN=EGIA-LAP-119,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-120$ | 2016-12-12 20:56:15Z | 2018-03-01 09:48:57Z | 2018-03-01 09:51:01Z | CN=EGIA-LAP-120,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-121$ | 2017-09-19 22:22:15Z | 2022-12-08 09:56:04Z | 2022-12-08 09:58:51Z | CN=EGIA-LAP-121,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-480$ | 2023-08-01 16:21:13Z | 2023-08-01 09:21:13Z | 2023-08-01 09:21:13Z | CN=EGIA-LAP-480,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-481$ | 2023-07-25 21:04:44Z | 2023-07-25 14:04:45Z | 2023-07-25 14:04:44Z | CN=EGIA-LAP-481,OU=Computers,OU=MS365EGIA,DC=egia,DC=com |
| EGIA-LAP-484$ | 2023-08-16 21:03:22Z | 2023-08-16 14:03:23Z | 2023-08-16 14:03:22Z | CN=EGIA-LAP-484,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-488$ | 2023-09-28 17:19:08Z | 2023-09-28 10:35:12Z | 2023-09-28 10:19:08Z | CN=EGIA-LAP-488,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-492$ | 2023-10-18 18:47:40Z | 2023-10-18 11:47:40Z | 2023-10-18 11:47:40Z | CN=EGIA-LAP-492,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-EPEREZ$ | 2014-04-22 19:38:58Z | Never | 2014-11-17 13:06:48Z | CN=EGIA-LAP-EPEREZ,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-OT-1$ | 2015-06-19 19:49:03Z | 2018-04-30 08:59:56Z | 2018-04-30 09:13:58Z | CN=EGIA-LAP-OT-1,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-OT-2$ | 2015-06-19 21:20:31Z | 2017-04-11 10:56:56Z | 2017-04-11 10:56:57Z | CN=EGIA-LAP-OT-2,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-OT-3$ | 2015-06-19 22:02:32Z | 2019-05-06 22:34:12Z | 2019-05-04 12:37:40Z | CN=EGIA-LAP-OT-3,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-OT-6$ | 2015-06-25 15:22:36Z | 2016-12-22 12:12:04Z | 2016-12-22 12:22:50Z | CN=EGIA-LAP-OT-6,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-OT-7$ | 2015-06-25 17:05:44Z | 2019-08-14 12:16:48Z | 2019-08-14 13:36:37Z | CN=EGIA-LAP-OT-7,CN=Computers,DC=egia,DC=com |
| EGIA-LAP-OT-8$ | 2015-06-25 19:27:39Z | 2016-12-13 11:28:44Z | 2016-11-29 13:54:58Z | CN=EGIA-LAP-OT-8,CN=Computers,DC=egia,DC=com |
| EGIA-LAPTOP-01$ | 2014-08-05 15:53:37Z | 2020-03-17 12:28:10Z | 2020-03-17 12:42:02Z | CN=EGIA-LAPTOP-01,CN=Computers,DC=egia,DC=com |
| egia-mac-100$ | 2014-06-26 19:25:18Z | 2019-01-09 01:48:56Z | 2019-01-15 07:37:25Z | CN=egia-mac-100,CN=Computers,DC=egia,DC=com |
| egia-mac-103$ | 2014-06-27 14:54:24Z | 2017-07-17 14:47:19Z | 2017-07-07 10:08:09Z | CN=egia-mac-103,CN=Computers,DC=egia,DC=com |
| egia-mac-105$ | 2015-11-13 21:27:24Z | 2019-01-30 00:26:26Z | 2019-01-24 11:53:40Z | CN=egia-mac-105,CN=Computers,DC=egia,DC=com |
| EGIA-PC-100$ | 2013-04-26 00:07:21Z | 2020-06-04 22:50:42Z | 2020-05-21 22:41:00Z | CN=EGIA-PC-100,CN=Computers,DC=egia,DC=com |
| EGIAPC101$ | 2013-03-21 21:24:12Z | Never | 2015-07-20 10:52:16Z | CN=EGIAPC101,CN=Computers,DC=egia,DC=com |
| EGIAPC102$ | 2013-03-22 20:37:44Z | 2016-11-05 10:32:19Z | 2016-10-23 17:32:16Z | CN=EGIAPC102,CN=Computers,DC=egia,DC=com |
| EGIA-PC-102$ | 2013-08-16 15:14:07Z | 2020-01-31 12:16:42Z | 2020-01-08 06:41:05Z | CN=EGIA-PC-102,CN=Computers,DC=egia,DC=com |
| EGIA-PC-103$ | 2013-05-02 16:05:54Z | Never | 2015-07-12 15:05:25Z | CN=EGIA-PC-103,CN=Computers,DC=egia,DC=com |
| EGIA-PC-104$ | 2013-08-21 21:13:50Z | Never | 2015-03-18 02:08:24Z | CN=EGIA-PC-104,CN=Computers,DC=egia,DC=com |
| EGIA-PC-105$ | 2013-10-02 21:47:00Z | Never | 2015-06-16 08:18:20Z | CN=EGIA-PC-105,CN=Computers,DC=egia,DC=com |
| EGIA-PC-109$ | 2013-12-19 17:34:48Z | Never | 2016-08-22 08:21:08Z | CN=EGIA-PC-109,CN=Computers,DC=egia,DC=com |
| EGIA-PC-112$ | 2013-12-26 17:45:39Z | Never | 2016-02-17 02:59:40Z | CN=EGIA-PC-112,CN=Computers,DC=egia,DC=com |
| EGIA-PC-113$ | 2014-02-12 21:39:20Z | 2017-12-11 01:45:01Z | 2017-11-18 00:38:55Z | CN=EGIA-PC-113,CN=Computers,DC=egia,DC=com |
| EGIA-PC-114$ | 2014-02-27 17:40:47Z | Never | 2015-03-03 12:45:39Z | CN=EGIA-PC-114,CN=Computers,DC=egia,DC=com |
| EGIA-PC-116$ | 2014-03-18 19:04:25Z | Never | 2015-06-01 08:54:50Z | CN=EGIA-PC-116,CN=Computers,DC=egia,DC=com |
| EGIA-PC-117$ | 2014-03-18 21:35:01Z | Never | 2014-05-20 08:50:19Z | CN=EGIA-PC-117,CN=Computers,DC=egia,DC=com |
| EGIA-PC-118$ | 2014-04-01 18:58:21Z | Never | 2014-10-09 06:28:33Z | CN=EGIA-PC-118,CN=Computers,DC=egia,DC=com |
| EGIA-PC-119$ | 2014-04-17 16:04:01Z | 2017-11-16 19:31:06Z | 2017-11-15 20:32:28Z | CN=EGIA-PC-119,CN=Computers,DC=egia,DC=com |
| EGIA-PC-121$ | 2014-04-17 21:39:33Z | 2022-01-14 01:46:28Z | 2022-01-14 15:08:21Z | CN=EGIA-PC-121,CN=Computers,DC=egia,DC=com |
| EGIA-PC-122$ | 2014-04-18 19:10:41Z | 2021-01-24 19:58:49Z | 2020-08-05 21:35:25Z | CN=EGIA-PC-122,CN=Computers,DC=egia,DC=com |
| EGIA-PC-123$ | 2014-06-03 22:19:09Z | Never | 2015-04-16 08:35:00Z | CN=EGIA-PC-123,CN=Computers,DC=egia,DC=com |
| EGIA-PC-125$ | 2014-06-11 20:04:39Z | Never | 2014-08-31 17:47:11Z | CN=EGIA-PC-125,CN=Computers,DC=egia,DC=com |
| EGIA-PC-126$ | 2014-08-07 19:57:02Z | 2019-08-21 10:37:37Z | 2019-08-21 10:43:59Z | CN=EGIA-PC-126,CN=Computers,DC=egia,DC=com |
| EGIA-PC-127$ | 2014-08-11 17:25:48Z | Never | 2016-02-01 08:21:27Z | CN=EGIA-PC-127,CN=Computers,DC=egia,DC=com |
| EGIA-PC-128$ | 2014-08-14 14:47:40Z | Never | 2016-09-22 07:26:38Z | CN=EGIA-PC-128,CN=Computers,DC=egia,DC=com |
| EGIA-PC-129$ | 2014-08-15 15:08:36Z | Never | 2015-09-17 03:33:05Z | CN=EGIA-PC-129,CN=Computers,DC=egia,DC=com |
| EGIA-PC-130$ | 2014-08-15 21:29:52Z | 2020-08-13 13:56:09Z | 2020-08-13 14:06:33Z | CN=EGIA-PC-130,CN=Computers,DC=egia,DC=com |
| EGIA-PC-131$ | 2014-08-20 19:35:27Z | 2019-08-19 00:02:38Z | 2019-08-12 08:39:43Z | CN=EGIA-PC-131,CN=Computers,DC=egia,DC=com |
| EGIA-PC-132$ | 2014-09-11 14:32:51Z | 2019-07-18 07:36:22Z | 2019-07-18 07:36:23Z | CN=EGIA-PC-132,CN=Computers,DC=egia,DC=com |
| EGIA-PC-133$ | 2014-09-11 21:04:12Z | Never | 2015-09-24 11:15:36Z | CN=EGIA-PC-133,CN=Computers,DC=egia,DC=com |
| EGIA-PC-134$ | 2014-09-12 19:26:44Z | 2017-01-23 08:16:50Z | 2017-01-16 08:02:16Z | CN=EGIA-PC-134,CN=Computers,DC=egia,DC=com |
| EGIA-PC-135$ | 2014-09-18 17:28:42Z | 2016-11-15 17:23:10Z | 2016-11-05 04:43:45Z | CN=EGIA-PC-135,CN=Computers,DC=egia,DC=com |
| EGIA-PC-136$ | 2014-09-19 15:18:11Z | 2017-03-13 10:02:37Z | 2017-03-06 07:45:23Z | CN=EGIA-PC-136,CN=Computers,DC=egia,DC=com |
| EGIA-PC-137$ | 2014-09-29 20:27:11Z | Never | 2014-09-29 13:27:11Z | CN=EGIA-PC-137,CN=Computers,DC=egia,DC=com |
| EGIA-PC-138$ | 2014-09-30 21:00:05Z | Never | 2015-03-09 06:52:26Z | CN=EGIA-PC-138,CN=Computers,DC=egia,DC=com |
| EGIA-PC-139$ | 2014-10-20 19:33:57Z | Never | 2015-06-30 13:00:35Z | CN=EGIA-PC-139,CN=Computers,DC=egia,DC=com |
| EGIA-PC-140$ | 2014-11-06 19:53:52Z | 2019-09-24 14:06:05Z | 2019-09-17 10:02:41Z | CN=EGIA-PC-140,CN=Computers,DC=egia,DC=com |
| EGIA-PC-141$ | 2014-12-08 21:28:37Z | 2017-09-11 12:56:36Z | 2017-09-11 13:12:04Z | CN=EGIA-PC-141,CN=Computers,DC=egia,DC=com |
| EGIA-PC-142$ | 2014-12-18 17:24:28Z | Never | 2015-08-25 12:52:29Z | CN=EGIA-PC-142,CN=Computers,DC=egia,DC=com |
| EGIA-PC-143$ | 2014-12-26 19:48:22Z | Never | 2016-10-10 13:18:06Z | CN=EGIA-PC-143,CN=Computers,DC=egia,DC=com |
| EGIA-PC-144$ | 2015-01-09 18:01:32Z | 2017-04-03 11:24:46Z | 2017-03-23 15:59:38Z | CN=EGIA-PC-144,CN=Computers,DC=egia,DC=com |
| EGIA-PC-145$ | 2015-01-12 15:15:59Z | Never | 2016-03-21 07:58:54Z | CN=EGIA-PC-145,CN=Computers,DC=egia,DC=com |
| EGIA-PC-146$ | 2015-01-14 20:24:42Z | 2021-01-21 07:37:56Z | 2021-01-21 07:37:57Z | CN=EGIA-PC-146,CN=Computers,DC=egia,DC=com |
| EGIA-PC-147$ | 2015-01-16 15:39:21Z | 2017-10-16 17:35:22Z | 2017-10-13 03:21:30Z | CN=EGIA-PC-147,CN=Computers,DC=egia,DC=com |
| EGIA-PC-148$ | 2015-01-22 18:05:02Z | 2019-06-13 06:22:44Z | 2019-05-22 16:03:39Z | CN=EGIA-PC-148,CN=Computers,DC=egia,DC=com |
| EGIA-PC-149$ | 2015-01-27 16:32:37Z | 2019-11-04 20:18:43Z | 2019-11-11 04:12:57Z | CN=EGIA-PC-149,CN=Computers,DC=egia,DC=com |
| EGIA-PC-150$ | 2015-02-06 18:12:36Z | 2017-05-15 14:01:16Z | 2017-05-02 10:09:52Z | CN=EGIA-PC-150,CN=Computers,DC=egia,DC=com |
| EGIA-PC-151$ | 2010-08-02 17:09:34Z | Never | 2015-07-23 07:04:17Z | CN=EGIA-PC-151,CN=Computers,DC=egia,DC=com |
| EGIA-PC-152$ | 2015-03-03 22:10:13Z | 2023-06-16 14:51:08Z | 2020-07-16 10:58:30Z | CN=EGIA-PC-152,OU=LocalComputer,DC=egia,DC=com |
| EGIA-PC-154$ | 2015-03-25 20:12:03Z | 2019-10-29 16:18:21Z | 2019-10-13 22:23:18Z | CN=EGIA-PC-154,OU=LocalComputer,DC=egia,DC=com |
| EGIA-PC-155$ | 2015-04-07 14:49:56Z | 2017-09-07 08:22:11Z | 2017-09-07 08:20:05Z | CN=EGIA-PC-155,CN=Computers,DC=egia,DC=com |
| EGIA-PC-157$ | 2015-04-10 16:38:12Z | 2018-05-10 10:42:41Z | 2018-04-18 15:10:29Z | CN=EGIA-PC-157,CN=Computers,DC=egia,DC=com |
| EGIA-PC-158$ | 2015-04-13 21:27:24Z | Never | 2015-06-18 12:19:20Z | CN=EGIA-PC-158,CN=Computers,DC=egia,DC=com |
| EGIA-PC-159$ | 2015-04-16 19:11:59Z | 2017-10-02 16:43:01Z | 2017-09-21 09:01:54Z | CN=EGIA-PC-159,CN=Computers,DC=egia,DC=com |
| EGIA-PC-160$ | 2015-04-17 16:26:55Z | Never | 2016-05-26 07:25:53Z | CN=EGIA-PC-160,CN=Computers,DC=egia,DC=com |
| EGIA-PC-161$ | 2015-04-20 19:48:00Z | 2018-08-14 12:23:47Z | 2018-08-11 00:50:26Z | CN=EGIA-PC-161,CN=Computers,DC=egia,DC=com |
| EGIA-PC-163$ | 2015-05-05 16:59:20Z | Never | 2015-08-10 09:40:59Z | CN=EGIA-PC-163,CN=Computers,DC=egia,DC=com |
| EGIA-PC-164$ | 2015-04-27 14:14:32Z | 2017-10-08 10:34:39Z | 2017-10-07 18:09:17Z | CN=EGIA-PC-164,CN=Computers,DC=egia,DC=com |
| EGIA-PC-166$ | 2015-04-22 15:38:36Z | 2018-11-05 00:52:13Z | 2018-11-03 23:58:20Z | CN=EGIA-PC-166,CN=Computers,DC=egia,DC=com |
| EGIA-PC-167$ | 2015-05-12 20:40:51Z | 2019-02-19 19:48:45Z | 2019-01-29 12:44:08Z | CN=EGIA-PC-167,CN=Computers,DC=egia,DC=com |
| EGIA-PC-168$ | 2015-05-14 20:46:53Z | 2019-11-08 16:34:13Z | 2019-11-08 20:19:53Z | CN=EGIA-PC-168,CN=Computers,DC=egia,DC=com |
| EGIA-PC-169$ | 2015-05-22 14:15:15Z | 2021-01-22 02:38:40Z | 2021-01-01 15:38:06Z | CN=EGIA-PC-169,CN=Computers,DC=egia,DC=com |
| EGIA-PC-170$ | 2016-03-25 15:02:35Z | Never | 2016-04-04 11:26:46Z | CN=EGIA-PC-170,CN=Computers,DC=egia,DC=com |
| EGIA-PC-171$ | 2015-05-27 15:15:18Z | 2017-11-09 22:34:28Z | 2017-11-09 06:01:10Z | CN=EGIA-PC-171,CN=Computers,DC=egia,DC=com |
| EGIA-PC-172$ | 2015-05-27 19:38:30Z | 2022-07-01 07:16:20Z | 2022-07-01 07:16:21Z | CN=EGIA-PC-172,CN=Computers,DC=egia,DC=com |
| EGIA-PC-173$ | 2015-06-05 16:10:16Z | 2017-02-24 12:56:05Z | 2017-02-24 12:58:07Z | CN=EGIA-PC-173,CN=Computers,DC=egia,DC=com |
| EGIA-PC-174$ | 2015-06-05 19:45:11Z | 2020-08-11 09:00:15Z | 2020-08-11 09:00:15Z | CN=EGIA-PC-174,CN=Computers,DC=egia,DC=com |
| EGIA-PC-175$ | 2015-06-10 14:17:25Z | 2019-06-24 09:55:11Z | 2019-06-24 09:55:13Z | CN=EGIA-PC-175,CN=Computers,DC=egia,DC=com |
| EGIA-PC-177$ | 2015-06-15 16:02:40Z | Never | 2016-03-24 05:10:28Z | CN=EGIA-PC-177,CN=Computers,DC=egia,DC=com |
| EGIA-PC-178$ | 2015-06-16 15:55:51Z | Never | 2015-09-17 08:34:24Z | CN=EGIA-PC-178,CN=Computers,DC=egia,DC=com |
| EGIA-PC-179$ | 2015-06-18 19:50:44Z | 2020-03-15 03:33:28Z | 2020-02-15 14:51:16Z | CN=EGIA-PC-179,CN=Computers,DC=egia,DC=com |
| EGIA-PC-180$ | 2015-06-22 15:16:29Z | 2020-08-11 08:47:12Z | 2020-08-11 08:47:13Z | CN=EGIA-PC-180,CN=Computers,DC=egia,DC=com |
| EGIA-PC-181$ | 2015-06-22 20:51:14Z | 2022-12-28 21:47:45Z | 2023-01-08 00:15:58Z | CN=EGIA-PC-181,CN=Computers,DC=egia,DC=com |
| EGIA-PC-182$ | 2015-06-23 18:59:50Z | 2022-02-23 08:01:18Z | 2022-02-23 08:01:18Z | CN=EGIA-PC-182,CN=Computers,DC=egia,DC=com |
| EGIA-PC-183$ | 2015-06-29 16:21:10Z | 2019-01-22 11:52:07Z | 2018-12-26 11:57:50Z | CN=EGIA-PC-183,CN=Computers,DC=egia,DC=com |
| EGIA-PC-185$ | 2015-07-02 16:41:18Z | 2019-11-13 14:56:13Z | 2019-11-12 19:08:54Z | CN=EGIA-PC-185,CN=Computers,DC=egia,DC=com |
| EGIA-PC-186$ | 2015-07-02 19:20:09Z | 2019-07-21 01:06:11Z | 2019-07-16 03:05:17Z | CN=EGIA-PC-186,CN=Computers,DC=egia,DC=com |
| EGIA-PC-188$ | 2015-07-14 19:31:09Z | 2019-11-14 10:04:24Z | 2019-10-29 15:03:06Z | CN=EGIA-PC-188,CN=Computers,DC=egia,DC=com |
| EGIA-PC-189$ | 2015-07-22 17:04:35Z | 2019-01-17 13:47:08Z | 2019-01-17 13:47:54Z | CN=EGIA-PC-189,CN=Computers,DC=egia,DC=com |
| EGIA-PC-190$ | 2015-07-23 18:38:28Z | 2021-08-25 07:54:05Z | 2021-07-28 13:28:06Z | CN=EGIA-PC-190,CN=Computers,DC=egia,DC=com |
| EGIA-PC-191$ | 2015-07-23 20:38:55Z | 2019-02-19 08:44:54Z | 2019-01-24 10:54:10Z | CN=EGIA-PC-191,CN=Computers,DC=egia,DC=com |
| EGIA-PC-192$ | 2015-07-24 16:01:02Z | 2019-05-29 10:26:39Z | 2019-05-29 10:42:08Z | CN=EGIA-PC-192,CN=Computers,DC=egia,DC=com |
| EGIA-PC-193$ | 2015-07-28 15:42:52Z | 2018-08-02 10:26:21Z | 2018-08-02 10:26:21Z | CN=EGIA-PC-193,CN=Computers,DC=egia,DC=com |
| EGIA-PC-194$ | 2015-07-29 16:45:48Z | 2018-02-02 19:32:37Z | 2018-01-17 06:34:27Z | CN=EGIA-PC-194,CN=Computers,DC=egia,DC=com |
| EGIA-PC-195$ | 2015-07-31 17:10:48Z | 2019-02-14 07:58:38Z | 2019-02-14 08:13:36Z | CN=EGIA-PC-195,CN=Computers,DC=egia,DC=com |
| EGIA-PC-196$ | 2015-08-04 13:47:19Z | 2017-08-24 10:48:54Z | 2017-08-03 14:14:20Z | CN=EGIA-PC-196,CN=Computers,DC=egia,DC=com |
| EGIA-PC-197$ | 2015-08-04 20:08:34Z | 2019-04-17 13:42:07Z | 2018-10-22 17:16:07Z | CN=EGIA-PC-197,CN=Computers,DC=egia,DC=com |
| EGIA-PC-198$ | 2015-08-05 17:06:26Z | 2019-04-06 17:01:39Z | 2019-04-01 17:16:40Z | CN=EGIA-PC-198,CN=Computers,DC=egia,DC=com |
| EGIA-PC-199$ | 2015-08-06 17:12:43Z | 2021-05-25 14:37:40Z | 2021-05-25 14:37:42Z | CN=EGIA-PC-199,CN=Computers,DC=egia,DC=com |
| EGIA-PC-200$ | 2015-08-07 17:52:06Z | 2019-02-06 09:58:35Z | 2019-01-16 15:00:02Z | CN=EGIA-PC-200,CN=Computers,DC=egia,DC=com |
| EGIA-PC-201$ | 2015-08-07 20:09:59Z | 2018-06-01 13:58:06Z | 2018-06-01 13:58:05Z | CN=EGIA-PC-201,CN=Computers,DC=egia,DC=com |
| EGIA-PC-202$ | 2015-08-10 19:57:42Z | 2019-04-10 08:33:53Z | 2019-03-16 12:20:30Z | CN=EGIA-PC-202,CN=Computers,DC=egia,DC=com |
| EGIA-PC-203$ | 2015-08-11 20:14:11Z | Never | 2015-08-11 13:14:12Z | CN=EGIA-PC-203,CN=Computers,DC=egia,DC=com |
| EGIA-PC-204$ | 2015-08-12 16:54:43Z | 2019-04-02 18:20:36Z | 2019-04-11 02:14:45Z | CN=EGIA-PC-204,CN=Computers,DC=egia,DC=com |
| EGIA-PC-205$ | 2015-08-13 18:42:47Z | 2018-08-09 10:21:36Z | 2018-07-25 10:05:46Z | CN=EGIA-PC-205,CN=Computers,DC=egia,DC=com |
| EGIA-PC-206$ | 2015-08-20 19:38:18Z | Never | 2015-09-21 08:09:53Z | CN=EGIA-PC-206,CN=Computers,DC=egia,DC=com |
| EGIA-PC-207$ | 2015-08-17 18:43:41Z | 2018-06-01 14:14:36Z | 2018-06-01 14:14:37Z | CN=EGIA-PC-207,CN=Computers,DC=egia,DC=com |
| EGIA-PC-208$ | 2015-08-21 19:45:24Z | 2020-08-13 11:59:54Z | 2020-08-13 12:08:46Z | CN=EGIA-PC-208,CN=Computers,DC=egia,DC=com |
| EGIA-PC-210$ | 2015-08-26 20:28:35Z | 2019-02-12 10:16:49Z | 2019-02-12 10:16:50Z | CN=EGIA-PC-210,CN=Computers,DC=egia,DC=com |
| EGIA-PC-211$ | 2015-08-27 20:10:50Z | 2017-04-15 17:01:53Z | 2017-03-20 07:18:16Z | CN=EGIA-PC-211,CN=Computers,DC=egia,DC=com |
| EGIA-PC-212$ | 2015-08-28 19:58:55Z | 2019-08-12 11:45:36Z | 2019-07-21 02:46:29Z | CN=EGIA-PC-212,CN=Computers,DC=egia,DC=com |
| EGIA-PC-213$ | 2015-08-31 16:54:10Z | 2018-08-29 10:07:34Z | 2018-08-29 09:44:29Z | CN=EGIA-PC-213,CN=Computers,DC=egia,DC=com |
| EGIA-PC-215$ | 2015-08-31 21:34:00Z | 2019-12-11 15:16:00Z | 2019-12-11 15:15:59Z | CN=EGIA-PC-215,CN=Computers,DC=egia,DC=com |
| EGIA-PC-216$ | 2015-09-03 17:23:57Z | Never | 2015-09-03 10:23:57Z | CN=EGIA-PC-216,CN=Computers,DC=egia,DC=com |
| EGIA-PC-217$ | 2017-11-17 20:03:20Z | 2020-08-13 16:02:34Z | 2020-02-24 01:07:05Z | CN=EGIA-PC-217,CN=Computers,DC=egia,DC=com |
| EGIA-PC-218$ | 2015-10-12 14:45:14Z | 2023-04-25 10:18:21Z | 2023-04-25 10:34:11Z | CN=EGIA-PC-218,CN=Computers,DC=egia,DC=com |
| EGIA-PC-220$ | 2015-11-04 20:13:25Z | 2021-02-09 13:41:28Z | 2021-01-21 08:40:56Z | CN=EGIA-PC-220,CN=Computers,DC=egia,DC=com |
| EGIA-PC-221$ | 2015-12-21 17:56:45Z | 2017-02-01 10:13:07Z | 2017-02-01 10:17:15Z | CN=EGIA-PC-221,CN=Computers,DC=egia,DC=com |
| EGIA-PC-222$ | 2015-06-26 15:23:38Z | 2020-01-31 12:14:43Z | 2020-01-31 12:31:04Z | CN=EGIA-PC-222,CN=Computers,DC=egia,DC=com |
| EGIA-PC-225$ | 2016-08-09 16:37:47Z | 2023-07-27 11:05:07Z | 2023-07-27 11:18:13Z | CN=EGIA-PC-225,OU=LocalComputer,DC=egia,DC=com |
| EGIA-PC-226$ | 2016-08-12 22:19:17Z | 2020-07-20 17:35:44Z | 2020-07-09 22:57:31Z | CN=EGIA-PC-226,CN=Computers,DC=egia,DC=com |
| EGIA-PC-227$ | 2017-04-11 19:21:56Z | 2021-11-23 11:18:43Z | 2021-11-23 11:20:24Z | CN=EGIA-PC-227,CN=Computers,DC=egia,DC=com |
| EGIA-PC-228$ | 2017-05-03 17:06:21Z | 2022-01-13 09:57:12Z | 2021-12-27 12:55:23Z | CN=EGIA-PC-228,CN=Computers,DC=egia,DC=com |
| EGIA-PC-229$ | 2017-09-13 17:40:32Z | 2021-07-08 15:53:17Z | 2021-06-15 08:13:22Z | CN=EGIA-PC-229,CN=Computers,DC=egia,DC=com |
| EGIA-PC-CHECKS$ | 2016-03-25 17:46:36Z | 2019-10-01 17:16:13Z | 2019-09-04 18:36:09Z | CN=EGIA-PC-CHECKS,CN=Computers,DC=egia,DC=com |
| EGIA-PC-CHECKS2$ | 2017-02-07 20:45:07Z | 2017-10-13 12:36:14Z | 2017-09-21 04:41:43Z | CN=EGIA-PC-CHECKS2,CN=Computers,DC=egia,DC=com |
| EGIA-PC-CONF-1$ | 2017-01-16 18:24:42Z | 2019-02-19 10:47:46Z | 2019-02-19 10:47:46Z | CN=EGIA-PC-CONF-1,CN=Computers,DC=egia,DC=com |
| EGIA-PC-CONF-2$ | 2015-10-12 18:56:44Z | 2020-03-12 09:22:35Z | 2020-03-03 21:02:57Z | CN=EGIA-PC-CONF-2,CN=Computers,DC=egia,DC=com |
| EGIA-PC-DEV$ | 2013-10-04 21:14:48Z | Never | 2014-09-29 07:40:48Z | CN=EGIA-PC-DEV,CN=Computers,DC=egia,DC=com |
| EGIA-PC-OT-5$ | 2015-06-24 21:04:34Z | 2020-04-13 10:30:23Z | 2020-04-11 22:13:35Z | CN=EGIA-PC-OT-5,CN=Computers,DC=egia,DC=com |
| EGIAPGESQL01$ | 2011-02-21 03:33:53Z | Never | 2011-02-20 19:33:53Z | CN=EGIAPGESQL01,CN=Computers,DC=egia,DC=com |
| EGIAPRDRBT01$ | 2016-11-29 05:46:28Z | 2022-09-01 18:48:21Z | 2022-08-24 02:33:32Z | CN=EGIAPRDRBT01,CN=Computers,DC=egia,DC=com |
| EGIAPRDWEB1$ | 2011-01-26 15:59:24Z | 2020-08-09 01:15:59Z | 2020-07-10 18:59:21Z | CN=EGIAPRDWEB1,CN=Computers,DC=egia,DC=com |
| EGIAPRDWEB2$ | 2016-12-02 20:54:55Z | 2018-04-03 22:20:38Z | 2018-04-08 18:58:47Z | CN=EGIAPRDWEB2,CN=Computers,DC=egia,DC=com |
| EGIAPRTG01$ | 2016-10-17 23:49:24Z | 2019-02-09 23:11:00Z | 2019-02-06 00:33:44Z | CN=EGIAPRTG01,OU=GPO Testing,DC=egia,DC=com |
| EGIASQL10$ | 2014-08-12 03:00:16Z | 2016-11-05 10:31:54Z | 2016-10-23 14:30:52Z | CN=EGIASQL10,CN=Computers,DC=egia,DC=com |
| EGIA-SURFACEPRO$ | 2015-03-12 19:59:35Z | Never | 2015-03-12 12:59:35Z | CN=EGIA-SURFACEPRO,CN=Computers,DC=egia,DC=com |
| EGIAVC01$ | 2010-09-05 22:57:36Z | 2021-03-05 03:56:24Z | 2021-02-17 21:22:40Z | CN=EGIAVC01,CN=Computers,DC=egia,DC=com |
| EGIAVC02$ | 2011-05-21 16:09:01Z | 2022-09-03 18:23:06Z | 2022-08-28 12:55:20Z | CN=EGIAVC02,CN=Computers,DC=egia,DC=com |
| EGIAVPN01$ | 2010-10-06 16:31:42Z | 2021-02-07 11:56:17Z | 2021-01-25 05:20:39Z | CN=EGIAVPN01,CN=Computers,DC=egia,DC=com |
| EGIAVPNTEST$ | 2016-10-04 21:50:29Z | 2016-11-16 01:20:30Z | 2016-11-04 01:53:49Z | CN=EGIAVPNTEST,CN=Computers,DC=egia,DC=com |
| EGIAVS01$ | 2010-08-07 22:51:30Z | 2021-07-18 20:26:16Z | 2021-07-10 23:41:32Z | CN=EGIAVS01,CN=Computers,DC=egia,DC=com |
| EGIAVS02$ | 2012-05-29 01:30:57Z | 2020-08-11 11:57:35Z | 2020-07-31 10:14:33Z | CN=EGIAVS02,CN=Computers,DC=egia,DC=com |
| EGIAVS03$ | 2011-03-29 03:00:17Z | 2020-08-20 12:13:19Z | 2020-07-24 01:37:49Z | CN=EGIAVS03,CN=Computers,DC=egia,DC=com |
| EGIAVS04$ | 2011-03-29 03:23:51Z | 2021-07-17 05:02:39Z | 2021-07-19 01:41:05Z | CN=EGIAVS04,CN=Computers,DC=egia,DC=com |
| EGIAVS05$ | 2016-11-03 15:59:57Z | 2020-08-13 05:49:04Z | 2020-07-30 09:06:10Z | CN=EGIAVS05,CN=Computers,DC=egia,DC=com |
| EGIAVS09$ | 2016-10-11 15:54:51Z | Never | 2016-10-11 08:54:52Z | CN=EGIAVS09,CN=Computers,DC=egia,DC=com |
| EGIAWEB01$ | 2010-07-24 01:17:50Z | 2019-08-19 06:46:33Z | 2019-07-26 03:33:14Z | CN=EGIAWEB01,CN=Computers,DC=egia,DC=com |
| EGIAWEB02$ | 2010-07-25 19:44:51Z | 2021-07-20 12:16:39Z | 2021-07-20 19:13:54Z | CN=EGIAWEB02,CN=Computers,DC=egia,DC=com |
| EHOWARTH$ | 2003-11-14 23:44:54Z | Never | 2004-07-09 12:38:42Z | CN=EHOWARTH,CN=Computers,DC=egia,DC=com |
| EJAVAID-LP$ | 2010-12-14 17:20:09Z | Never | 2012-08-17 10:39:30Z | CN=EJAVAID-LP,CN=Computers,DC=egia,DC=com |
| ERIN-WIN10$ | 2019-04-08 18:18:50Z | 2021-08-16 10:25:19Z | 2021-08-18 17:06:51Z | CN=ERIN-WIN10,CN=Computers,DC=egia,DC=com |
| GAVIN-ALIEN$ | 2019-02-05 18:54:18Z | 2020-03-09 13:18:47Z | 2020-03-02 08:07:04Z | CN=GAVIN-ALIEN,CN=Computers,DC=egia,DC=com |
| GREEN$ | 2004-04-02 18:03:38Z | Never | 2010-08-07 12:03:42Z | CN=GREEN,CN=Computers,DC=egia,DC=com |
| ITDEV01$ | 2011-03-18 01:21:36Z | Never | 2013-04-18 13:28:57Z | CN=ITDEV01,CN=Computers,DC=egia,DC=com |
| ITDEV02$ | 2012-08-28 18:26:07Z | Never | 2012-08-28 11:26:07Z | CN=ITDEV02,CN=Computers,DC=egia,DC=com |
| ITDEV03$ | 2012-07-31 21:19:39Z | Never | 2013-02-02 08:45:22Z | CN=ITDEV03,CN=Computers,DC=egia,DC=com |
| IT-MAIN$ | 2016-09-01 19:55:26Z | Never | 2016-09-01 12:55:26Z | CN=IT-MAIN,CN=Computers,DC=egia,DC=com |
| JAVAID$ | 2011-12-08 03:31:52Z | Never | 2016-05-12 11:24:15Z | CN=JAVAID,CN=Computers,DC=egia,DC=com |
| JCHANDLER-WIN10$ | 2019-05-21 18:10:37Z | 2020-06-29 12:24:34Z | 2020-06-29 12:39:34Z | CN=JCHANDLER-WIN10,CN=Computers,DC=egia,DC=com |
| JCHANDLP$ | 2009-08-24 23:52:44Z | Never | 2011-05-23 10:09:43Z | CN=JCHANDLP,CN=Computers,DC=egia,DC=com |
| JMADRIGAL-WIN10$ | 2019-02-06 18:25:43Z | 2023-07-27 10:20:57Z | 2020-09-18 16:33:14Z | CN=JMADRIGAL-WIN10,CN=Computers,DC=egia,DC=com |
| JMATULICH-HP$ | 2011-06-20 17:40:22Z | 2017-09-18 08:17:13Z | 2017-09-18 08:31:32Z | CN=JMATULICH-HP,CN=Computers,DC=egia,DC=com |
| JOEPC$ | 2013-02-28 22:05:01Z | Never | 2015-06-03 14:03:28Z | CN=JOEPC,CN=Computers,DC=egia,DC=com |
| JOHN10$ | 2017-08-10 22:47:17Z | 2020-08-13 14:42:54Z | 2020-08-13 14:57:57Z | CN=JOHN10,OU=LocalComputer,DC=egia,DC=com |
| JWARREN$ | 2013-04-25 16:19:26Z | 2021-08-07 21:15:31Z | 2021-08-12 04:07:18Z | CN=JWARREN,CN=Computers,DC=egia,DC=com |
| K-COLORADOLAP$ | 2019-05-09 17:20:47Z | 2021-10-12 11:02:19Z | 2021-08-19 15:59:00Z | CN=K-COLORADOLAP,CN=Computers,DC=egia,DC=com |
| LAPTOP-CABMF11S$ | 2018-06-15 22:44:37Z | 2019-05-09 11:20:00Z | 2019-05-09 11:20:45Z | CN=LAPTOP-CABMF11S,CN=Computers,DC=egia,DC=com |
| LAPTOP-S8PGPRCU$ | 2019-06-25 18:50:56Z | 2020-04-21 14:53:44Z | 2020-04-21 15:01:41Z | CN=LAPTOP-S8PGPRCU,CN=Computers,DC=egia,DC=com |
| LGOPA$ | 2011-06-24 17:38:18Z | Never | 2015-08-31 08:28:06Z | CN=LGOPA,CN=Computers,DC=egia,DC=com |
| MARTINEZ$ | 2012-01-25 17:59:35Z | Never | 2016-03-21 09:04:03Z | CN=MARTINEZ,CN=Computers,DC=egia,DC=com |
| MCCOLLUM$ | 2011-08-03 16:49:32Z | Never | 2015-01-19 09:26:45Z | CN=MCCOLLUM,CN=Computers,DC=egia,DC=com |
| MMB-PC$ | 2014-07-07 21:33:56Z | Never | 2015-04-17 08:37:09Z | CN=MMB-PC,CN=Computers,DC=egia,DC=com |
| NT-SERVER$ | 2001-10-06 18:33:47Z | Never | 2010-10-09 08:03:54Z | CN=NT-SERVER,CN=Computers,DC=egia,DC=com |
| ORANGE$ | 2002-12-05 02:17:46Z | 2018-01-25 03:36:01Z | 2018-01-21 00:06:38Z | CN=ORANGE,CN=Computers,DC=egia,DC=com |
| PINK$ | 2008-08-25 19:42:32Z | Never | 2010-07-24 04:20:05Z | CN=PINK,CN=Computers,DC=egia,DC=com |
| PROJECTOR$ | 2008-01-29 00:44:39Z | Never | 2013-10-01 07:59:41Z | CN=PROJECTOR,CN=Computers,DC=egia,DC=com |
| PURPLE$ | 2008-08-28 17:21:28Z | Never | 2016-03-05 16:31:56Z | CN=PURPLE,CN=Computers,DC=egia,DC=com |
| QTRAN$ | 2013-04-17 18:32:20Z | 2023-05-12 19:31:34Z | 2023-05-01 13:57:55Z | CN=QTRAN,CN=Computers,DC=egia,DC=com |
| RHONDA-WIN10$ | 2019-04-15 17:21:12Z | 2019-08-12 11:41:35Z | 2019-08-20 12:39:19Z | CN=RHONDA-WIN10,CN=Computers,DC=egia,DC=com |
| RTROIANO-PC$ | 2016-12-07 19:12:22Z | 2017-03-09 13:36:11Z | 2017-03-09 16:41:16Z | CN=RTROIANO-PC,CN=Computers,DC=egia,DC=com |
| SCOTT-ALIEN$ | 2019-02-05 22:04:59Z | 2020-03-12 10:17:45Z | 2020-02-18 08:19:21Z | CN=SCOTT-ALIEN,CN=Computers,DC=egia,DC=com |
| SILVER$ | 2010-04-28 23:03:52Z | 2021-07-15 15:02:21Z | 2018-03-30 05:55:18Z | CN=SILVER,CN=Computers,DC=egia,DC=com |
| SPICEWORKS$ | 2016-09-22 20:29:35Z | 2022-06-25 18:26:50Z | 2022-06-21 07:31:56Z | CN=SPICEWORKS,CN=Computers,DC=egia,DC=com |
| SRODOM$ | 2010-08-09 07:32:01Z | Never | 2015-07-08 15:05:52Z | CN=SRODOM,CN=Computers,DC=egia,DC=com |
| TECH1$ | 2010-08-18 21:53:39Z | Never | 2010-09-20 08:11:37Z | CN=TECH1,CN=Computers,DC=egia,DC=com |
| TECHDEV$ | 2009-11-04 00:09:40Z | Never | 2011-11-08 07:53:35Z | CN=TECHDEV,CN=Computers,DC=egia,DC=com |
| TERASTATION$ | 2007-11-15 17:05:58Z | Never | 1600-12-31 16:00:00Z | CN=TeraStation,CN=Computers,DC=egia,DC=com |
| TOVIAH-WIN10$ | 2019-02-22 18:30:59Z | 2023-03-10 11:32:34Z | 2023-03-10 11:46:34Z | CN=TOVIAH-WIN10,CN=Computers,DC=egia,DC=com |
| TPIPER$ | 2012-09-19 01:32:20Z | 2019-03-13 09:06:31Z | 2019-02-20 10:32:50Z | CN=TPIPER,CN=Computers,DC=egia,DC=com |
| TP-VIRTXP$ | 2012-09-24 22:13:32Z | Never | 2015-09-25 14:20:37Z | CN=TP-VIRTXP,CN=Computers,DC=egia,DC=com |
| TUANLE$ | 2011-11-22 15:12:53Z | 2023-06-15 13:46:04Z | 2023-06-15 13:46:05Z | CN=TUANLE,CN=Computers,DC=egia,DC=com |
| TUANLE-PC$ | 2013-06-26 21:32:38Z | 2017-10-10 05:16:27Z | 2017-09-22 08:05:52Z | CN=TUANLE-PC,CN=Computers,DC=egia,DC=com |
| webfilter$ | 2010-07-16 07:00:15Z | Never | 2010-07-16 00:00:15Z | CN=webfilter,CN=Computers,DC=egia,DC=com |
| WHITE$ | 2008-05-10 00:04:59Z | 2017-01-03 05:03:02Z | 2017-01-07 05:26:07Z | CN=WHITE,CN=Computers,DC=egia,DC=com |
| WIN10-BREANNA$ | 2019-06-21 18:02:59Z | 2022-03-13 15:14:41Z | 2022-03-13 15:27:55Z | CN=WIN10-BREANNA,CN=Computers,DC=egia,DC=com |
| WIN10-DTHAO$ | 2019-06-04 17:30:21Z | 2021-02-05 11:38:01Z | 2020-06-11 08:05:08Z | CN=WIN10-DTHAO,CN=Computers,DC=egia,DC=com |
| WIN10-JUSTINE$ | 2019-06-25 21:53:19Z | 2020-11-06 23:14:00Z | 2020-10-24 09:49:50Z | CN=WIN10-JUSTINE,CN=Computers,DC=egia,DC=com |
| WIN10-RFAUST$ | 2019-06-05 17:26:13Z | 2020-03-09 10:43:52Z | 2020-03-12 07:25:14Z | CN=WIN10-RFAUST,CN=Computers,DC=egia,DC=com |
| WIN10-RHONDA$ | 2019-06-25 20:38:53Z | 2021-05-07 13:46:16Z | 2021-05-07 13:47:01Z | CN=WIN10-RHONDA,CN=Computers,DC=egia,DC=com |
| YELLOW$ | 2010-04-29 01:24:13Z | 2020-06-12 17:58:10Z | 2020-05-19 09:50:03Z | CN=YELLOW,CN=Computers,DC=egia,DC=com |
| YELLOW02$ | 2016-09-26 21:26:27Z | 2017-03-10 07:48:39Z | 2017-02-25 22:20:39Z | CN=YELLOW02,CN=Computers,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| TERASTATION$ | 2007-11-15 17:05:58Z | Never | 1600-12-31 16:00:00Z | CN=TeraStation,CN=Computers,DC=egia,DC=com |
| webfilter$ | 2010-07-16 07:00:15Z | Never | 2010-07-16 00:00:15Z | CN=webfilter,CN=Computers,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| BROWN$ | 2010-08-15 21:56:51Z | Never | 2016-08-23 11:52:40Z | CN=BROWN,CN=Computers,DC=egia,DC=com |
| EGIADC01W$ | 2016-10-20 22:57:09Z | 2024-07-13 22:49:24Z | 2024-07-13 23:05:00Z | CN=EGIADC01W,OU=Domain Controllers,DC=egia,DC=com |
| SILVER$ | 2010-04-28 23:03:52Z | 2021-07-15 15:02:21Z | 2018-03-30 05:55:18Z | CN=SILVER,CN=Computers,DC=egia,DC=com |
| YELLOW$ | 2010-04-29 01:24:13Z | 2020-06-12 17:58:10Z | 2020-05-19 09:50:03Z | CN=YELLOW,CN=Computers,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| BACKUP-PC2$ | 2013-04-18 21:45:30Z | Never | 2014-09-02 08:51:32Z | CN=BACKUP-PC2,CN=Computers,DC=egia,DC=com |
| BACKUP-PC4$ | 2013-05-15 20:54:28Z | Never | 2013-07-19 19:23:21Z | CN=BACKUP-PC4,CN=Computers,DC=egia,DC=com |
| BHOWARTH$ | 2007-01-10 02:12:03Z | Never | 2007-03-12 09:56:21Z | CN=BHOWARTH,CN=Computers,DC=egia,DC=com |
| BLACK$ | 2007-10-17 19:50:10Z | Never | 2010-07-16 14:11:09Z | CN=BLACK,CN=Computers,DC=egia,DC=com |
| BMATULICH$ | 2003-10-27 19:54:28Z | Never | 2011-11-07 21:20:10Z | CN=BMATULICH,CN=Computers,DC=egia,DC=com |
| BMATULICH-HOME$ | 2003-08-19 19:47:37Z | Never | 2010-05-23 11:54:31Z | CN=BMATULICH-HOME,CN=Computers,DC=egia,DC=com |
| CALABRESE$ | 2007-06-22 21:15:22Z | Never | 2013-02-27 13:23:44Z | CN=CALABRESE,CN=Computers,DC=egia,DC=com |
| CALLREPORT$ | 2010-07-27 03:39:48Z | Never | 2010-07-26 20:39:48Z | CN=CALLREPORT,CN=Computers,DC=egia,DC=com |
| CALLREPORTING$ | 2010-03-04 17:53:26Z | Never | 2010-07-14 00:19:11Z | CN=CALLREPORTING,CN=Computers,DC=egia,DC=com |
| CDEARMAN$ | 2010-04-16 17:26:04Z | Never | 2012-12-13 09:51:47Z | CN=CDEARMAN,CN=Computers,DC=egia,DC=com |
| CRLAPTOP$ | 2011-05-20 21:19:56Z | Never | 2014-07-30 08:45:02Z | CN=CRLAPTOP,CN=Computers,DC=egia,DC=com |
| CSR2$ | 2010-07-19 13:20:01Z | Never | 2011-04-28 06:07:51Z | CN=CSR2,CN=Computers,DC=egia,DC=com |
| EGIADC03$ | 2007-04-02 16:05:42Z | 2019-03-10 19:27:11Z | 2019-03-03 19:54:53Z | CN=EGIADC03,CN=Computers,DC=egia,DC=com |
| EGIAFS10$ | 2014-08-07 02:25:18Z | 2022-09-06 09:42:36Z | 2014-08-06 19:25:18Z | CN=egiafs10,OU=Computers,OU=EMC Celerra,DC=egia,DC=com |
| egia-mac-100$ | 2014-06-26 19:25:18Z | 2019-01-09 01:48:56Z | 2019-01-15 07:37:25Z | CN=egia-mac-100,CN=Computers,DC=egia,DC=com |
| egia-mac-103$ | 2014-06-27 14:54:24Z | 2017-07-17 14:47:19Z | 2017-07-07 10:08:09Z | CN=egia-mac-103,CN=Computers,DC=egia,DC=com |
| egia-mac-105$ | 2015-11-13 21:27:24Z | 2019-01-30 00:26:26Z | 2019-01-24 11:53:40Z | CN=egia-mac-105,CN=Computers,DC=egia,DC=com |
| EGIA-PC-DEV$ | 2013-10-04 21:14:48Z | Never | 2014-09-29 07:40:48Z | CN=EGIA-PC-DEV,CN=Computers,DC=egia,DC=com |
| EGIAVS01$ | 2010-08-07 22:51:30Z | 2021-07-18 20:26:16Z | 2021-07-10 23:41:32Z | CN=EGIAVS01,CN=Computers,DC=egia,DC=com |
| EGIAVS02$ | 2012-05-29 01:30:57Z | 2020-08-11 11:57:35Z | 2020-07-31 10:14:33Z | CN=EGIAVS02,CN=Computers,DC=egia,DC=com |
| EGIAVS03$ | 2011-03-29 03:00:17Z | 2020-08-20 12:13:19Z | 2020-07-24 01:37:49Z | CN=EGIAVS03,CN=Computers,DC=egia,DC=com |
| EGIAVS04$ | 2011-03-29 03:23:51Z | 2021-07-17 05:02:39Z | 2021-07-19 01:41:05Z | CN=EGIAVS04,CN=Computers,DC=egia,DC=com |
| EGIAVS05$ | 2016-11-03 15:59:57Z | 2020-08-13 05:49:04Z | 2020-07-30 09:06:10Z | CN=EGIAVS05,CN=Computers,DC=egia,DC=com |
| EGIAVS09$ | 2016-10-11 15:54:51Z | Never | 2016-10-11 08:54:52Z | CN=EGIAVS09,CN=Computers,DC=egia,DC=com |
| EHOWARTH$ | 2003-11-14 23:44:54Z | Never | 2004-07-09 12:38:42Z | CN=EHOWARTH,CN=Computers,DC=egia,DC=com |
| GREEN$ | 2004-04-02 18:03:38Z | Never | 2010-08-07 12:03:42Z | CN=GREEN,CN=Computers,DC=egia,DC=com |
| ITDEV01$ | 2011-03-18 01:21:36Z | Never | 2013-04-18 13:28:57Z | CN=ITDEV01,CN=Computers,DC=egia,DC=com |
| ITDEV02$ | 2012-08-28 18:26:07Z | Never | 2012-08-28 11:26:07Z | CN=ITDEV02,CN=Computers,DC=egia,DC=com |
| JCHANDLP$ | 2009-08-24 23:52:44Z | Never | 2011-05-23 10:09:43Z | CN=JCHANDLP,CN=Computers,DC=egia,DC=com |
| NT-SERVER$ | 2001-10-06 18:33:47Z | Never | 2010-10-09 08:03:54Z | CN=NT-SERVER,CN=Computers,DC=egia,DC=com |
| ORANGE$ | 2002-12-05 02:17:46Z | 2018-01-25 03:36:01Z | 2018-01-21 00:06:38Z | CN=ORANGE,CN=Computers,DC=egia,DC=com |
| PINK$ | 2008-08-25 19:42:32Z | Never | 2010-07-24 04:20:05Z | CN=PINK,CN=Computers,DC=egia,DC=com |
| PROJECTOR$ | 2008-01-29 00:44:39Z | Never | 2013-10-01 07:59:41Z | CN=PROJECTOR,CN=Computers,DC=egia,DC=com |
| PURPLE$ | 2008-08-28 17:21:28Z | Never | 2016-03-05 16:31:56Z | CN=PURPLE,CN=Computers,DC=egia,DC=com |
| TECH1$ | 2010-08-18 21:53:39Z | Never | 2010-09-20 08:11:37Z | CN=TECH1,CN=Computers,DC=egia,DC=com |
| TERASTATION$ | 2007-11-15 17:05:58Z | Never | 1600-12-31 16:00:00Z | CN=TeraStation,CN=Computers,DC=egia,DC=com |
| TP-VIRTXP$ | 2012-09-24 22:13:32Z | Never | 2015-09-25 14:20:37Z | CN=TP-VIRTXP,CN=Computers,DC=egia,DC=com |
| webfilter$ | 2010-07-16 07:00:15Z | Never | 2010-07-16 00:00:15Z | CN=webfilter,CN=Computers,DC=egia,DC=com |
| WHITE$ | 2008-05-10 00:04:59Z | 2017-01-03 05:03:02Z | 2017-01-07 05:26:07Z | CN=WHITE,CN=Computers,DC=egia,DC=com |
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| EGIADC01$ | 2022-09-02 21:47:01Z | 2024-07-17 04:17:55Z | 2024-06-30 07:19:40Z | CN=EGIADC01,OU=Domain Controllers,DC=egia,DC=com |
| EGIADC01W$ | 2016-10-20 22:57:09Z | 2024-07-13 22:49:24Z | 2024-07-13 23:05:00Z | CN=EGIADC01W,OU=Domain Controllers,DC=egia,DC=com |
If you need to find the computers running a specific OS, we advise to use PingCastle.exe and the export / computers feature available from the main menu. Indeed the computer details are not included in the report for performance issues. Doing this will impact significantly the report size and the time to load the report.
| Operating System | Nb OS | Nb Enabled ? | Nb Disabled ? | Nb Active ? | Nb Inactive ? | Nb SidHistory ? | Nb Bad PrimaryGroup ? | Nb unconstrained delegations ? | Nb Reversible password ? |
|---|---|---|---|---|---|---|---|---|---|
| OperatingSystem not set | 2 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
| unknown | 6 | 6 | 0 | 0 | 6 | 0 | 0 | 0 | 0 |
| Mac OS X | 3 | 3 | 0 | 0 | 3 | 0 | 0 | 0 | 0 |
| EMC Celerra File Server | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows Server 2008 R2 | 9 | 9 | 0 | 1 | 8 | 0 | 0 | 1 | 0 |
| Windows Server 2022 | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 1 | 0 |
| Windows Server 2003 SP2 | 4 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 |
| Windows 2000 Server | 5 | 4 | 1 | 0 | 4 | 0 | 0 | 0 | 0 |
| Windows Server 2008 R2 | 11 | 10 | 1 | 0 | 10 | 0 | 0 | 0 | 0 |
| Windows XP | 18 | 18 | 0 | 0 | 18 | 0 | 0 | 0 | 0 |
| Windows Server 2008 | 3 | 3 | 0 | 0 | 3 | 0 | 0 | 0 | 0 |
| Windows 2000 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 7 | 128 | 127 | 1 | 3 | 124 | 0 | 0 | 0 | 0 |
| Windows 7 | 3 | 3 | 0 | 0 | 3 | 0 | 0 | 0 | 0 |
| Windows 8.1 | 17 | 17 | 0 | 0 | 17 | 0 | 0 | 0 | 0 |
| Windows 8 | 2 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
| Windows 10 1507 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 1703 | 3 | 1 | 2 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 1709 | 4 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 |
| Windows Server 2016 1607 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 1803 | 9 | 9 | 0 | 0 | 9 | 0 | 0 | 0 | 0 |
| Windows 10 1809 | 8 | 7 | 1 | 0 | 7 | 0 | 0 | 0 | 0 |
| Windows 10 1511 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| Windows 10 1903 | 9 | 9 | 0 | 0 | 9 | 0 | 0 | 0 | 0 |
| Windows 10 1909 | 6 | 6 | 0 | 0 | 6 | 0 | 0 | 0 | 0 |
| Windows 10 2004 | 9 | 9 | 0 | 0 | 9 | 0 | 0 | 0 | 0 |
| Windows 10 20H2 | 11 | 11 | 0 | 0 | 11 | 0 | 0 | 0 | 0 |
| Windows 10 21H1 | 14 | 14 | 0 | 0 | 14 | 0 | 0 | 0 | 0 |
| Windows 10 22H2 | 24 | 24 | 0 | 10 | 14 | 0 | 0 | 0 | 0 |
| Windows 11 21H2 | 2 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
| Windows 10 21H2 | 16 | 16 | 0 | 1 | 15 | 0 | 0 | 0 | 0 |
| Windows Server 2012 R2 | 2 | 2 | 0 | 1 | 1 | 0 | 0 | 0 | 0 |
| Windows 11 22H2 | 14 | 14 | 0 | 0 | 14 | 0 | 0 | 0 | 0 |
| Windows 11 23H2 | 21 | 21 | 0 | 21 | 0 | 0 | 0 | 0 | 0 |
Here is a specific zoom related to the Active Directory servers: the domain controllers.
| Domain controller | Operating System | Creation Date ? | Startup Time | Uptime | Owner ? | Null sessions ? | SMB v1 ? | Remote spooler ? | FSMO role ? | WebDAV ? |
|---|---|---|---|---|---|---|---|---|---|---|
| EGIADC01W | Windows 2008 | 2016-10-20 22:57:09Z | 2024-05-12 22:45:42Z | 065 days | EGIA\Domain Admins | NO | YES | YES | NO | |
| EGIADC01 | Windows 2022 | 2022-09-02 21:47:01Z | 2024-04-11 20:17:44Z | 096 days | EGIA\Domain Admins | NO | NO | YES | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master | NO |
No data is available in the report or no computers are enforcing LAPS.
This section is focused on the groups which are critical for admin activities. If the report has been saved which the full details, each group can be zoomed with its members. If it is not the case, for privacy reasons, only general statistics are available.
| Group Name | Nb Admins ? | Nb Enabled ? | Nb Disabled ? | Nb Inactive ? | Nb PWd never expire ? | Nb Smart Card required ? | Nb Service accounts ? | Nb can be delegated ? | Nb external users ? | Nb protected users ? |
|---|---|---|---|---|---|---|---|---|---|---|
| Account Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Administrators | 31 | 30 | 1 | 23 | 22 | 0 | 1 | 30 | 0 | 0 |
| Backup Operators | 6 | 6 | 0 | 5 | 5 | 0 | 1 | 6 | 0 | 0 |
| Certificate Operators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Certificate Publishers | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Dns Admins | 4 | 4 | 0 | 3 | 3 | 0 | 1 | 4 | 0 | 0 |
| Domain Administrators | 27 | 26 | 1 | 20 | 20 | 0 | 1 | 26 | 0 | 0 |
| Enterprise Administrators | 18 | 17 | 1 | 11 | 13 | 0 | 1 | 17 | 0 | 0 |
| Enterprise Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Print Operators | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 1 | 0 | 0 |
| Replicator | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Schema Administrators | 5 | 4 | 1 | 3 | 3 | 0 | 1 | 4 | 0 | 0 |
| Server Operators | 2 | 2 | 0 | 2 | 2 | 0 | 0 | 2 | 0 | 0 |
| SamAccountName ? | Enabled ? | Active ? | Pwd never Expired ? | Locked ? | Smart Card required ? | Service account ? | Flag Cannot be delegated present ? | Creation date ? | Last login ? | Password last set ? | In Protected Users ? | Distinguished name ? |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Administrator | YES | NO | YES | NO | NO | YES | NO | 2001-10-06 18:33:47Z | 2021-07-19 23:25:17Z | 2015-04-08 09:31:00Z | NO | CN=Administrator,OU=Groups,DC=egia,DC=com |
| ADSyncAdmin-Local | YES | YES | YES | NO | NO | NO | NO | 2024-02-21 20:56:43Z | 2024-02-21 12:57:48Z | 2024-02-21 12:56:43Z | NO | CN=ADSyncAdmin-Local,OU=Service Accounts,DC=egia,DC=com |
| Arcserve | YES | NO | YES | NO | NO | NO | NO | 2001-10-06 18:33:48Z | Not set | 2001-01-19 11:20:31Z | NO | CN=Arcserve,CN=Users,DC=egia,DC=com |
| BCMBackup | YES | NO | YES | NO | NO | NO | NO | 2012-11-27 22:16:25Z | Not set | 2012-11-27 14:16:25Z | NO | CN=BCM Backup,OU=Sacramento,DC=egia,DC=com |
| bkagent | YES | NO | YES | NO | NO | NO | NO | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | NO | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| ccramer | YES | YES | YES | NO | NO | NO | NO | 2014-07-25 20:03:05Z | 2024-07-10 11:43:12Z | 2020-02-14 06:02:29Z | NO | CN=Clinton Cramer,OU=Users,OU=MS365EGIA,DC=egia,DC=com |
| Consultant | YES | NO | YES | NO | NO | NO | NO | 2002-09-17 17:27:04Z | 2020-09-08 09:31:41Z | 2010-11-21 13:30:35Z | NO | CN=Consultant,OU=Retired,DC=egia,DC=com |
| Cybershield | NO | NO | NO | NO | NO | NO | YES | 2010-07-16 07:52:02Z | Not set | 2010-07-16 00:52:02Z | NO | CN=Cybershield,OU=Retired,DC=egia,DC=com |
| devteamvpn | YES | NO | NO | NO | NO | NO | NO | 2018-03-09 20:54:37Z | 2021-02-07 19:25:14Z | 2021-02-07 19:25:13Z | NO | CN=Dev Teamvpn,CN=Users,DC=egia,DC=com |
| ejavaid | YES | YES | YES | NO | NO | NO | NO | 2010-12-02 14:38:38Z | 2024-05-21 11:33:55Z | 2011-12-08 16:17:21Z | NO | CN=Eddie Javaid,OU=Sacramento,DC=egia,DC=com |
| fssa | YES | NO | YES | NO | NO | NO | NO | 2016-11-15 18:46:41Z | 2021-09-05 06:18:02Z | 2016-11-15 10:46:41Z | NO | CN=File Share Service Account,OU=Service Accounts,DC=egia,DC=com |
| gpotest | YES | NO | NO | NO | NO | NO | NO | 2016-10-25 17:51:34Z | Not set | 2016-10-28 14:29:32Z | NO | CN=gpotest,OU=GPO Testing,DC=egia,DC=com |
| itsonicwall | YES | YES | YES | NO | NO | NO | NO | 2019-08-01 23:45:55Z | 2024-07-14 16:48:10Z | 2019-08-01 16:45:55Z | NO | CN=IT SonicWall,OU=Service Accounts,DC=egia,DC=com |
| itsupport | YES | NO | NO | NO | NO | NO | NO | 2016-09-20 19:02:53Z | 2016-11-15 09:05:21Z | 2017-01-19 15:58:36Z | NO | CN=IT Support,OU=Sacramento,DC=egia,DC=com |
| jvaladez | YES | YES | YES | NO | NO | NO | NO | 2013-05-20 13:55:31Z | 2024-03-19 09:00:55Z | 2020-06-17 17:00:36Z | NO | CN=Jose Valadez,OU=Sacramento,DC=egia,DC=com |
| mtech | YES | NO | YES | NO | NO | NO | NO | 2019-03-19 20:55:34Z | 2022-12-13 18:52:49Z | 2020-06-15 16:25:19Z | NO | CN=Martin tech,CN=Users,DC=egia,DC=com |
| mwservice | YES | YES | NO | NO | NO | NO | NO | 2023-10-16 16:55:28Z | 2024-07-17 09:25:03Z | 2024-06-13 09:03:03Z | NO | CN=MW Service,OU=Service Accounts,DC=egia,DC=com |
| nkahal | YES | NO | NO | NO | NO | NO | NO | 2010-12-20 04:57:36Z | Not set | 2011-12-26 12:25:15Z | NO | CN=Niraj Kahal,OU=Sacramento,DC=egia,DC=com |
| nsingh | YES | NO | YES | NO | NO | NO | NO | 2011-07-07 04:15:59Z | Not set | 2023-06-07 14:29:43Z | NO | CN=Navdeep Singh,OU=Sacramento,DC=egia,DC=com |
| pmanager | YES | NO | YES | NO | NO | NO | NO | 2010-11-21 21:28:03Z | Not set | 2010-11-21 13:28:03Z | NO | CN=Print Manager,CN=Users,DC=egia,DC=com |
| rmehra | YES | NO | NO | NO | NO | NO | NO | 2012-07-11 06:02:30Z | Not set | 2013-01-17 21:51:15Z | NO | CN=Rishab Mehra,OU=Sacramento,DC=egia,DC=com |
| saccount | YES | NO | YES | NO | NO | NO | NO | 2010-11-21 21:35:59Z | Not set | 2010-11-21 13:35:59Z | NO | CN=Service Account,CN=Users,DC=egia,DC=com |
| sharyl | YES | NO | NO | NO | NO | NO | NO | 2017-01-16 22:49:14Z | 2017-03-01 14:34:10Z | 2017-03-01 14:32:43Z | NO | CN=sharyl,OU=Sacramento,DC=egia,DC=com |
| slathar | YES | NO | NO | NO | NO | NO | NO | 2011-01-04 18:12:28Z | 2021-07-17 11:55:18Z | 2023-06-07 14:35:01Z | NO | CN=Sunil Lather,OU=Sacramento,DC=egia,DC=com |
| sonicwalladmin | YES | NO | YES | NO | NO | NO | NO | 2017-07-13 17:08:10Z | 2017-07-13 13:57:32Z | 2017-07-13 10:08:10Z | NO | CN=sonicwall admin,CN=Users,DC=egia,DC=com |
| spiceworks | YES | NO | YES | NO | NO | NO | NO | 2016-09-22 16:51:38Z | 2020-05-13 03:41:47Z | 2016-10-11 06:12:25Z | NO | CN=SpiceWorks,OU=Service Accounts,DC=egia,DC=com |
| techadmin | YES | NO | YES | NO | NO | NO | NO | 2019-05-31 17:04:45Z | Not set | 2019-05-31 10:04:45Z | NO | CN=tecch admin,CN=Users,DC=egia,DC=com |
| tle | YES | YES | YES | NO | NO | NO | NO | 2010-08-23 15:26:48Z | 2024-06-06 13:35:43Z | 2012-11-28 15:21:13Z | NO | CN=Tuan Le,OU=Sacramento,DC=egia,DC=com |
| tpiper | YES | NO | YES | NO | NO | NO | NO | 2007-04-19 15:08:14Z | 2021-07-24 22:55:15Z | 2015-08-07 10:50:09Z | NO | CN=Todd Piper,OU=Sacramento,DC=egia,DC=com |
| VipreService | YES | NO | YES | NO | NO | NO | NO | 2011-01-20 19:58:42Z | Not set | 2011-06-27 23:55:45Z | NO | CN=VipreService,CN=Users,DC=egia,DC=com |
| vmadmin | YES | NO | YES | NO | NO | NO | NO | 2016-08-23 21:50:09Z | 2020-06-26 05:15:08Z | 2016-08-23 14:50:09Z | NO | CN=VM Ware Admin,OU=Sacramento,DC=egia,DC=com |
Here is the distribution of the last logon of privileged users. Only enabled accounts are analyzed.
Here is the distribution of the password age for privileged users. Only enabled accounts are analyzed.
Each specific rights defined for Organizational Unit (OU) are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| DC=egia | EGIA\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL |
| DC=egia | EGIA\Exchange Enterprise Servers | WriteDacl |
| DC=egia | EGIA\MSOL_bd60f9d632d0 | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL, EXT_RIGHT_FORCE_CHANGE_PWD |
| CN=Keys | EGIA\Domain Controllers | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=Keys | EGIA\Enterprise Key Admins | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=Keys | EGIA\Key Admins | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=MicrosoftDNS,CN=System | EGIA\DnsAdmins | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=RAS and IAS Servers Access Check,CN=System | EGIA\RAS and IAS Servers | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop |
| CN=WMIPolicy,CN=System | EGIA\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
| CN=SOM,CN=WMIPolicy,CN=System | EGIA\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop |
In particular for AD database access (DCSync, AADConnect, ...).
This section focuses on permissions issues that can be exploited to take control of the domain.
This is an advanced section that should be examined after having looked at the Admin Groups section.
This analysis focuses on accounts found in control path and located in other domains.
No operative link with other domains has been found.
This part tries to summarize in a single table if major issues have been found.
Focus on finding critical objects such as the Everyone group then try to decrease the number of objects having indirect access.
The detail is displayed below.
| Priority to remediate ? | Critical Object Found ? | Number of objects with Indirect ? | Max number of indirect numbers ? | Max ratio ? |
|---|---|---|---|---|
| Critical | NO | 0 | 0 | 0 |
| High | NO | 0 | 0 | 0 |
| Medium | NO | 1 | 5 | 0 |
| Other | NO | 0 | 0 | 0 |
If the report has been saved which the full details, each object can be zoomed with its full detail. If it is not the case, for privacy reasons, only general statistics are available.
| Group or user account ? | Priority ? | Users member ? | Computer member of the group ? | Indirect control ? | Unresolved members ? | Links ? | Detail ? |
|---|---|---|---|---|---|---|---|
| Account Operators | High | 0 | 0 | 0 | 0 | None | Analysis |
| Administrator | Critical | 0 | 0 | None | Analysis | ||
| Administrators | Critical | 31 (Details) | 0 | 0 | 0 | None | Analysis |
| Backup Operators | High | 6 (Details) | 0 | 0 | 0 | None | Analysis |
| Certificate Operators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Certificate Publishers | Other | 0 | 3 (Details) | 0 | 0 | None | Analysis |
| Dns Admins | Medium | 4 (Details) | 0 | 0 | 0 | None | Analysis |
| Domain Administrators | Critical | 27 (Details) | 0 | 0 | 0 | None | Analysis |
| Enterprise Administrators | Critical | 18 (Details) | 0 | 0 | 0 | None | Analysis |
| Enterprise Key Administrators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Key Administrators | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Print Operators | Medium | 1 (Details) | 0 | 0 | 0 | None | Analysis |
| Replicator | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Schema Administrators | Critical | 5 (Details) | 0 | 0 | 0 | None | Analysis |
| Server Operators | High | 2 (Details) | 0 | 0 | 0 | None | Analysis |
If the report has been saved which the full details, each object can be zoomed with its full detail. If it is not the case, for privacy reasons, only general statistics are available.
| Group or user account ? | Priority ? | Users member ? | Computer member of the group ? | Indirect control ? | Unresolved members ? | Links ? | Detail ? |
|---|---|---|---|---|---|---|---|
| Builtin OU | Medium | 0 | 0 | None | Analysis | ||
| Certificate store | Medium | 0 | 0 | None | Analysis | ||
| Computers container | Medium | 0 | 0 | None | Analysis | ||
| Domain Controllers | Critical | 0 | 2 (Details) | 0 | 0 | None | Analysis |
| Domain Root | Medium | 5 (Details) | 0 | None | Analysis | ||
| Enterprise Read Only Domain Controllers | Other | 0 | 0 | 0 | 0 | None | Analysis |
| Group Policy Creator Owners | Medium | 3 (Details) | 0 | 0 | 0 | None | Analysis |
| Krbtgt account | Medium | 0 | 0 | None | Analysis | ||
| Read Only Domain Controllers | Medium | 0 | 0 | 0 | 0 | None | Analysis |
| Users container | Medium | 0 | 0 | None | Analysis |
This section focuses on the relations that this domain has with other domains
This part displays the direct links that this domain has with other domains.
| Trust Partner | Type | Attribut | Direction ? | SID Filtering active ? | TGT Delegation ? | Creation ? | Is Active ? ? | Algorithm ? |
|---|
These are the domains that PingCastle was able to detect but which is not releated to direct trusts. It may be children of a forest or bastions.
| Reachable domain | Discovered using | Netbios | Creation date |
|---|
This detects trusted certificates which can be used in man in the middle attacks, or which can issue smart card logon certificates
Number of trusted certificates: 1
| Source | Store | Subject | Issuer | NotBefore | NotAfter | Module size | Signature Alg | SC Logon |
|---|---|---|---|---|---|---|---|---|
| Enterprise NTAuth ? | NTLMStore | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com | CN=EGIA, OU=IS, O=Electric and Gas Industries Associates, L=San Leandro, S=CA, C=US, E=cert-auth-root@egia.com | 2001-11-02 14:39:27Z | 2003-11-02 14:44:17Z | 512 | sha1RSA | False |
This section lists certificate templates which can be used to generate a certificate. A misconfiguration can allow an attacker to create its own certificate and use it to impersonate other users
Number of certificate templates: 11
| Name | Destination | Manager approval ? | Enrollee can supply subject ? | Issuance requirements ? | Vulnerable ACL ? | Everyone can enroll ? | Agent template ? | Any purpose ? | For Authentication ? | Flag No Security ? |
|---|---|---|---|---|---|---|---|---|---|---|
| User ? | User | NO | NO | NO | NO | YES | NO | NO | YES | NO |
| UserSignature ? | User | NO | NO | NO | NO | YES | NO | NO | YES | NO |
| EFS ? | User | NO | NO | NO | NO | YES | NO | NO | NO | NO |
| Administrator ? | User | NO | NO | NO | NO | NO | NO | NO | YES | NO |
| EFSRecovery ? | User | NO | NO | NO | NO | NO | NO | NO | NO | NO |
| CodeSigning ? | User | NO | NO | NO | NO | NO | NO | NO | NO | NO |
| Machine ? | Computer | NO | NO | NO | NO | YES | NO | NO | YES | NO |
| DomainController ? | Computer | NO | NO | NO | NO | NO | NO | NO | YES | NO |
| WebServer ? | Computer | NO | YES | NO | NO | NO | NO | NO | NO | NO |
| SubCA ? | Computer | NO | YES | NO | NO | NO | NO | YES | YES | NO |
| ExchangeUser ? | User | NO | YES | NO | NO | NO | NO | NO | NO | NO |
The delegations for certificate templates are listed below.
| DistinguishedName | Account | Right |
|---|---|---|
| CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | EGIA\Domain Controllers | Enroll |
| CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Users | Enroll |
| CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Computers | Enroll |
| CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Users | Enroll |
| CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration | Domain Users | Enroll |
Azure AD Connect help maintaining a synchronization between the Active Directory and Azure AD. Azure AD Connect servers should be considered as Tiers0 as they usually have the right to read the hashes of the user passwords.
| Identifier ? | Computer ? | Tenant ? | IsEnabled ? | Created ? | LastLogon ? | PwdLastSet ? | Computer object found ? |
|---|---|---|---|---|---|---|---|
| bd60f9d632d0462e920a96a28db9cee0 | EGIADC01 | egia.org | TRUE | 2024-02-08 14:14:29Z | 2024-07-10 15:21:59Z | 2024-02-21 14:26:27Z | TRUE |
WSUS settings allow workstations and servers located on the intranet to be updated. The reference documentation is here. Here are the settings found in GPO.
| Policy Name | WSUS Server ? | UseWUServer ? | ElevateNonAdmins ? | AUOptions ? | NoAutoUpdate ? | NoAutoRebootWithLoggedOnUsers ? |
|---|
Echange is the mail server of Microsoft. Because it is deeply integrated into the Active Directory, it is a component to be monitored
PingCastle is checking objects of type msExchExchangeServer and the schema to provide the information below.
Exchange schema installation: 2001-11-14 21:40:40Z
The Exchange schema version is : Exchange 2003 RTM
| Name | In service date | Version | Proxy |
|---|---|---|---|
| WHITE | 2008-05-30 22:03:51Z | Version 6.5 (Build 7638.2: Service Pack 2) | |
| RED | 2001-11-14 21:40:40Z | Version 6.0 (Build 4712.7: Service Pack 1) |
SCCM or its more recent name Microsoft Endpoint Manager is the Microsoft tool to manage the workstations and servers. It is used typically to deploy packages.
PingCastle is checking objects of type mSSMSManagementPoint and the schema to provide the information below.
| Name | Version | Client operational version | AAD TenantID | AAD TenantName |
|---|
Service Connection Points are a configuration stored in the AD to expose services to all computers.
| Service ? | Class ? | DNS ? | Binding Info ? | DN ? |
|---|---|---|---|---|
| BackupExec server | BEMainService | DC=egia,DC=com | BLUE | CN=BEServer,CN=Computers,DC=egia,DC=com |
| AD LDS | LDAP | EGIAVC02.egia.com | ldaps://EGIAVC02.egia.com:636 ldap://EGIAVC02.egia.com:389 | CN={3554f926-e5f9-41b5-aaf7-dc22b4cfb969},CN=EGIAVC02,CN=Computers,DC=egia,DC=com |
| AD LDS | LDAP | EGIAVC01.egia.com | ldaps://EGIAVC01.egia.com:636 ldap://EGIAVC01.egia.com:389 | CN={ea6a59f2-368a-44a4-859c-a40a41032d79},CN=EGIAVC01,CN=Computers,DC=egia,DC=com |
| RDS Gateway | TSGateway | EGIAWeb01.egia.com | 443 | CN=TSGateway,CN=EGIAWEB01,CN=Computers,DC=egia,DC=com |
This section checks for known pain points in AES activation and RC4 removal for kerberos
This section is here to evaluate the know problems when removing RC4. If you plan to do so, you should check all the items highlighted below and proceed with a small group of test computers.
Please see the following articles:
This program will proceed to know:
This program starts by determining for how long the infrastructure in place is compatible with AES.
This is done by retrieving the creation date of the groupe 'Read-Only Domain Controllers' which is linked to the first DC compatible with AES (Windows Server 2008).
Installation date of the first DC compatible with AES: 2010-08-08 19:43:20Z
All passwords saved after this date have their hash saved with both RC4 and AES.
To issue Kerberos ticket, the krbtgt account holding the kerberos secret key must have a password changed AFTER the installation of the first DC compatible with AES.
Last krbtgt change: 2016-11-05 12:19:21Z
OK
To support AES, all DC must be at least Windows 2008.
| Domain Controller | OS | AES compatible |
|---|---|---|
| EGIADC01W | Windows 2008 | Yes |
| EGIADC01 | Windows 2022 | Yes |
OK
To be used over trusts, AES requires the trust to support this algorithm. This is done thought the special attribute msDS-SupportedEncryptionTypes.
Be aware that checking 'The other domain supports Kerberos AES Encryption' in the trust property disables RC4. This check is not recommended during the migration phase.
No trust detected
OK
To be used over Azure, the special AzureSSO account must be setup to support AES.
No AzureAD SSO detected
OK
Kerberos tickets for services are signed by the password hash of the service account. The service account must be declared as compatible to handle AES. This is done through the special attribute named msDS-SupportedEncryptionTypes or by checking 'This account supports Kerberos AES XXX bit encryption' in the account properties.
The service account must also have a password newer than the first DC compatible with AES. If there was no password change, the creation date must be newer than the first DC compatible with AES.
If a service account is not compatible, you will received error messages like 'The encryption type requested is not supported by the KDC'. See the following KB for SharePoint of SCCM errors:
Number of service account found without AES configuration: 79
| Name | Creation | Last logon | Pwd Last Set | Distinguished name |
|---|---|---|---|---|
| Admin | 2002-09-13 23:34:50Z | 2019-08-13 05:22:33Z | 2002-09-13 16:34:51Z | CN=Admin,OU=ofsdirect.com,DC=egia,DC=com |
| Administrator | 2001-10-06 18:33:47Z | 2021-07-19 23:25:17Z | 2015-04-08 09:31:00Z | CN=Administrator,OU=Groups,DC=egia,DC=com |
| AlamedaMP | 2010-04-22 22:13:52Z | Never | 2010-04-22 15:13:52Z | CN=Alameda MP,OU=Rebates,DC=egia,DC=com |
| Arcserve | 2001-10-06 18:33:48Z | Never | 2001-01-19 11:20:31Z | CN=Arcserve,CN=Users,DC=egia,DC=com |
| BACKUP-PC2$ | 2013-04-18 21:45:30Z | Never | 2014-09-02 08:51:32Z | CN=BACKUP-PC2,CN=Computers,DC=egia,DC=com |
| BACKUP-PC4$ | 2013-05-15 20:54:28Z | Never | 2013-07-19 19:23:21Z | CN=BACKUP-PC4,CN=Computers,DC=egia,DC=com |
| BHOWARTH$ | 2007-01-10 02:12:03Z | Never | 2007-03-12 09:56:21Z | CN=BHOWARTH,CN=Computers,DC=egia,DC=com |
| bkagent | 2002-05-07 14:37:57Z | 2020-08-07 09:45:13Z | 2002-09-26 15:32:26Z | CN=Backup Agent,CN=Users,DC=egia,DC=com |
| BLACK$ | 2007-10-17 19:50:10Z | Never | 2010-07-16 14:11:09Z | CN=BLACK,CN=Computers,DC=egia,DC=com |
| BMATULICH$ | 2003-10-27 19:54:28Z | Never | 2011-11-07 21:20:10Z | CN=BMATULICH,CN=Computers,DC=egia,DC=com |
| BMATULICH-HOME$ | 2003-08-19 19:47:37Z | Never | 2010-05-23 11:54:31Z | CN=BMATULICH-HOME,CN=Computers,DC=egia,DC=com |
| CALABRESE$ | 2007-06-22 21:15:22Z | Never | 2013-02-27 13:23:44Z | CN=CALABRESE,CN=Computers,DC=egia,DC=com |
| CALLREPORT$ | 2010-07-27 03:39:48Z | Never | 2010-07-26 20:39:48Z | CN=CALLREPORT,CN=Computers,DC=egia,DC=com |
| CALLREPORTING$ | 2010-03-04 17:53:26Z | Never | 2010-07-14 00:19:11Z | CN=CALLREPORTING,CN=Computers,DC=egia,DC=com |
| CDEARMAN$ | 2010-04-16 17:26:04Z | Never | 2012-12-13 09:51:47Z | CN=CDEARMAN,CN=Computers,DC=egia,DC=com |
| ChicagoLand | 2008-12-15 20:34:56Z | Never | 2008-12-15 12:34:56Z | CN=ChicagoLand,OU=Rebates,DC=egia,DC=com |
| ContractorServices | 2007-12-01 00:08:06Z | Never | 2007-11-30 16:08:06Z | CN=ContractorServices,CN=Users,DC=egia,DC=com |
| CRLAPTOP$ | 2011-05-20 21:19:56Z | Never | 2014-07-30 08:45:02Z | CN=CRLAPTOP,CN=Computers,DC=egia,DC=com |
| CSR2$ | 2010-07-19 13:20:01Z | Never | 2011-04-28 06:07:51Z | CN=CSR2,CN=Computers,DC=egia,DC=com |
| efax | 2007-08-03 16:26:52Z | Never | 2007-08-03 09:26:52Z | CN=e Fax,CN=Users,DC=egia,DC=com |
| EGIADC03$ | 2007-04-02 16:05:42Z | 2019-03-10 19:27:11Z | 2019-03-03 19:54:53Z | CN=EGIADC03,CN=Computers,DC=egia,DC=com |
| EGIAFS10$ | 2014-08-07 02:25:18Z | 2022-09-06 09:42:36Z | 2014-08-06 19:25:18Z | CN=egiafs10,OU=Computers,OU=EMC Celerra,DC=egia,DC=com |
| egia-mac-100$ | 2014-06-26 19:25:18Z | 2019-01-09 01:48:56Z | 2019-01-15 07:37:25Z | CN=egia-mac-100,CN=Computers,DC=egia,DC=com |
| egia-mac-103$ | 2014-06-27 14:54:24Z | 2017-07-17 14:47:19Z | 2017-07-07 10:08:09Z | CN=egia-mac-103,CN=Computers,DC=egia,DC=com |
| egia-mac-105$ | 2015-11-13 21:27:24Z | 2019-01-30 00:26:26Z | 2019-01-24 11:53:40Z | CN=egia-mac-105,CN=Computers,DC=egia,DC=com |
| EGIA-PC-DEV$ | 2013-10-04 21:14:48Z | Never | 2014-09-29 07:40:48Z | CN=EGIA-PC-DEV,CN=Computers,DC=egia,DC=com |
| EGIAServices | 2007-08-07 18:59:18Z | Never | 2007-08-07 11:59:18Z | CN=EGIA Services,CN=Users,DC=egia,DC=com |
| EGIAVS01$ | 2010-08-07 22:51:30Z | 2021-07-18 20:26:16Z | 2021-07-10 23:41:32Z | CN=EGIAVS01,CN=Computers,DC=egia,DC=com |
| EGIAVS02$ | 2012-05-29 01:30:57Z | 2020-08-11 11:57:35Z | 2020-07-31 10:14:33Z | CN=EGIAVS02,CN=Computers,DC=egia,DC=com |
| EGIAVS03$ | 2011-03-29 03:00:17Z | 2020-08-20 12:13:19Z | 2020-07-24 01:37:49Z | CN=EGIAVS03,CN=Computers,DC=egia,DC=com |
| EGIAVS04$ | 2011-03-29 03:23:51Z | 2021-07-17 05:02:39Z | 2021-07-19 01:41:05Z | CN=EGIAVS04,CN=Computers,DC=egia,DC=com |
| EGIAVS05$ | 2016-11-03 15:59:57Z | 2020-08-13 05:49:04Z | 2020-07-30 09:06:10Z | CN=EGIAVS05,CN=Computers,DC=egia,DC=com |
| EGIAVS09$ | 2016-10-11 15:54:51Z | Never | 2016-10-11 08:54:52Z | CN=EGIAVS09,CN=Computers,DC=egia,DC=com |
| EHOWARTH$ | 2003-11-14 23:44:54Z | Never | 2004-07-09 12:38:42Z | CN=EHOWARTH,CN=Computers,DC=egia,DC=com |
| excessisout | 2009-02-12 19:42:14Z | Never | 2009-02-12 11:42:14Z | CN=Excess Is Out,OU=Rebates,DC=egia,DC=com |
| GREEN$ | 2004-04-02 18:03:38Z | Never | 2010-08-07 12:03:42Z | CN=GREEN,CN=Computers,DC=egia,DC=com |
| hemc | 2008-05-14 19:05:59Z | Never | 2008-05-14 12:05:59Z | CN=EGIA Home Energy Makeover,CN=Users,DC=egia,DC=com |
| HomeownerServices | 2008-05-09 21:01:03Z | Never | 2008-05-09 14:01:03Z | CN=Homeowner Services,CN=Users,DC=egia,DC=com |
| ILS_ANONYMOUS_USER | 2001-10-24 20:31:48Z | Never | 2001-10-24 13:31:48Z | CN=ILS_ANONYMOUS_USER,CN=Users,DC=egia,DC=com |
| ILSRebates | 2010-02-23 01:54:37Z | Never | 2010-02-22 17:54:37Z | CN=ILS Rebates,OU=Rebates,DC=egia,DC=com |
| IS-REQUESTS | 2002-01-03 18:47:31Z | Never | 2002-01-03 10:47:31Z | CN=IS-REQUESTS,CN=Users,DC=egia,DC=com |
| ITDEV01$ | 2011-03-18 01:21:36Z | Never | 2013-04-18 13:28:57Z | CN=ITDEV01,CN=Computers,DC=egia,DC=com |
| ITDEV02$ | 2012-08-28 18:26:07Z | Never | 2012-08-28 11:26:07Z | CN=ITDEV02,CN=Computers,DC=egia,DC=com |
| IUSR_BLUE | 2001-11-19 17:54:31Z | Never | 2010-07-16 09:08:26Z | CN=IUSR_BLUE,CN=Users,DC=egia,DC=com |
| IUSR_DEV | 2001-10-12 23:55:53Z | Never | 2001-10-12 16:55:53Z | CN=IUSR_DEV,CN=Users,DC=egia,DC=com |
| IUSR_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:09:06Z | CN=IUSR_NT-SERVER,CN=Users,DC=egia,DC=com |
| IWAM_DEV | 2001-10-12 23:55:49Z | Never | 2001-10-12 16:55:49Z | CN=IWAM_DEV,CN=Users,DC=egia,DC=com |
| IWAM_NT-SERVER | 2001-10-06 18:33:48Z | Never | 2001-10-06 11:08:14Z | CN=IWAM_NT-SERVER,CN=Users,DC=egia,DC=com |
| JCHANDLP$ | 2009-08-24 23:52:44Z | Never | 2011-05-23 10:09:43Z | CN=JCHANDLP,CN=Computers,DC=egia,DC=com |
| Jobs | 2010-07-07 23:32:20Z | Never | 2010-07-07 16:32:20Z | CN=Jobs,CN=Users,DC=egia,DC=com |
| MWDRebates | 2008-06-17 21:36:06Z | Never | 2008-06-17 14:36:06Z | CN=MWD Rebates,OU=Rebates,DC=egia,DC=com |
| NicorRebates | 2010-05-04 00:41:55Z | Never | 2010-05-03 17:41:55Z | CN=Nicor Rebates,OU=Rebates,DC=egia,DC=com |
| NT-SERVER$ | 2001-10-06 18:33:47Z | Never | 2010-10-09 08:03:54Z | CN=NT-SERVER,CN=Computers,DC=egia,DC=com |
| ORANGE$ | 2002-12-05 02:17:46Z | 2018-01-25 03:36:01Z | 2018-01-21 00:06:38Z | CN=ORANGE,CN=Computers,DC=egia,DC=com |
| paheatingrebates | 2010-04-20 22:27:56Z | Never | 2010-04-20 15:27:56Z | CN=PAHeating Rebates,OU=Rebates,DC=egia,DC=com |
| PINK$ | 2008-08-25 19:42:32Z | Never | 2010-07-24 04:20:05Z | CN=PINK,CN=Computers,DC=egia,DC=com |
| PROJECTOR$ | 2008-01-29 00:44:39Z | Never | 2013-10-01 07:59:41Z | CN=PROJECTOR,CN=Computers,DC=egia,DC=com |
| PURPLE$ | 2008-08-28 17:21:28Z | Never | 2016-03-05 16:31:56Z | CN=PURPLE,CN=Computers,DC=egia,DC=com |
| Rebate01 | 2003-04-03 21:47:09Z | Never | 2010-06-23 17:27:53Z | CN=Rebate01,OU=Rebates,DC=egia,DC=com |
| Rebates | 2001-10-06 18:33:48Z | Never | 1600-12-31 16:00:00Z | CN=Rebate Process,OU=Rebates,DC=egia,DC=com |
| rerebates | 2004-10-15 20:23:26Z | Never | 2004-10-15 13:23:26Z | CN=Roseville Electric Rebates,OU=Rebates,DC=egia,DC=com |
| SalesMarketing | 2009-06-11 21:35:56Z | Never | 2009-06-11 14:35:56Z | CN=SalesMarketing,CN=Users,DC=egia,DC=com |
| SaveEnergy | 2009-12-03 19:47:49Z | Never | 2009-12-03 11:47:49Z | CN=SaveEnergy,CN=Users,DC=egia,DC=com |
| ScanRouter | 2002-10-30 21:34:13Z | Never | 2002-10-30 13:34:13Z | CN=ScanRouter,CN=Users,DC=egia,DC=com |
| ScanRouterMail | 2002-10-30 23:16:24Z | Never | 2002-10-30 15:16:24Z | CN=ScanRouterMail,CN=Users,DC=egia,DC=com |
| SCVRebates | 2009-08-17 16:50:54Z | Never | 2009-08-17 09:50:54Z | CN=SCV Rebates,OU=Rebates,DC=egia,DC=com |
| SolanoRebates | 2007-02-28 18:25:46Z | Never | 2007-02-28 10:25:46Z | CN=Solano Rebates,OU=Rebates,DC=egia,DC=com |
| spam | 2007-10-28 17:12:29Z | Never | 2007-10-28 10:12:29Z | CN=Spam Box,CN=Users,DC=egia,DC=com |
| sqlserveralert | 2001-11-14 22:23:36Z | Never | 2001-11-14 15:09:20Z | CN=SQLServer Alert,CN=Users,DC=egia,DC=com |
| support | 2003-11-19 22:37:59Z | Never | 2003-11-19 14:38:00Z | CN=Support,CN=Users,DC=egia,DC=com |
| suser | 2010-05-05 02:13:31Z | Never | 2010-05-04 19:13:31Z | CN=SQL User,OU=Sacramento,DC=egia,DC=com |
| SWGRebates | 2008-01-25 22:04:44Z | Never | 2008-01-25 14:05:04Z | CN=SWG Rebates,OU=Rebates,DC=egia,DC=com |
| TECH1$ | 2010-08-18 21:53:39Z | Never | 2010-09-20 08:11:37Z | CN=TECH1,CN=Computers,DC=egia,DC=com |
| TERASTATION$ | 2007-11-15 17:05:58Z | Never | 1600-12-31 16:00:00Z | CN=TeraStation,CN=Computers,DC=egia,DC=com |
| TP-VIRTXP$ | 2012-09-24 22:13:32Z | Never | 2015-09-25 14:20:37Z | CN=TP-VIRTXP,CN=Computers,DC=egia,DC=com |
| tsluser | 2010-05-07 20:12:03Z | Never | 2010-05-07 13:12:04Z | CN=tsluser,CN=Users,DC=egia,DC=com |
| webfilter$ | 2010-07-16 07:00:15Z | Never | 2010-07-16 00:00:15Z | CN=webfilter,CN=Computers,DC=egia,DC=com |
| WHITE$ | 2008-05-10 00:04:59Z | 2017-01-03 05:03:02Z | 2017-01-07 05:26:07Z | CN=WHITE,CN=Computers,DC=egia,DC=com |
| WyomingRebates | 2010-04-01 16:25:45Z | Never | 2010-04-01 09:25:45Z | CN=Wyoming Rebates,OU=Rebates,DC=egia,DC=com |
Not OK
The algorithm to use for kerberos request is decided by a local GPO which is overwritten by domain GPO.
Here is the list of domain GPO altering the kerberos algorithms
| Policy Name | Algorithm ? | AES compatible | RC4 compatible |
|---|
OK
Beware that no GPO supporting AES / RC4 have been found and if the supported algorithm is not defined in the master, AES will not be enabled by default
This section focuses on security checks specific to the Active Directory environment.
The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).
Last backup date: 2024-03-26 06:01:47Z
LAPS is used to have a unique local administrator password on all workstations / servers of the domain. Then this password is changed at a fixed interval. The risk is when a local administrator hash is retrieved and used on other workstation in a pass-the-hash attack. Please note that the LAPS schema is installed on the forest and as a consequence the installation date can be before the domain creation date.
Mitigation: having a process when a new workstation is created or install LAPS and apply it through a GPO
Legacy LAPS installation date: Never
Ms LAPS installation date: Never
Windows Event Forwarding is a native mechanism used to collect logs on all workstations / servers of the domain. Microsoft recommends to Use Windows Event Forwarding to help with intrusion detection Here is the list of servers configured for WEF found in GPO
Number of WEF configuration found: 0
The account password for the krbtgt account should be rotated twice yearly at a minimum. More frequent password rotations are recommended, with 40 days the current recommendation by ANSSI. Additional rotations based on external events, such as departure of an employee who had privileged network access, are also strongly recommended.
You can perform this action using this script
You can use the version gathered using replication metadata from two reports to guess the frequency of the password change or if the two consecutive resets have been done. Version starts at 1.
Kerberos password last changed: 2016-11-05 12:19:21Z version: 3
This control detects accounts which are former 'unofficial' admins. Indeed when an account belongs to a privileged group, the attribute admincount is set. If the attribute is set without being an official member, this is suspicious. To suppress this warning, the attribute admincount of these accounts should be removed after review.
Number of accounts to review: 1
This control detects if one of the attributes userPassword or unixUserPassword has been set on accounts. Indeed, these attributes are designed to store encrypted secrets for unix (or mainframe) interconnection. However in the large majority, interconnected systems are poorly designed and the user password is stored in these attributes in clear text or poorly encrypted. The userPassword attribute is also used in classic LDAP systems to change the user password by setting its value. But, with Active Directory, it is considered by default as a normal attribute and doesn't trigger a password but shows instead the password in clear text.
Number of accounts to review: 0
This control detects if one of the attributes javaCodebase, javaFactory or javaClassname has been set on accounts. Indeed, these attributes are designed to add custom code to AD object when running java code. However it can be abused to run code on servers having the flag com.sun.jndi.ldap.object.trustURLCodebase set to true. This is a vulnerability similar to the log4shell vulnerability.
Java Schema extension: Not Found
No active user account found with Java code
You can check here for backdoors or typos in the scriptPath attribute
| Script Name | Count |
|---|---|
| None | 157 |
| admin.vbs | 9 |
| login.bat | 4 |
| rebate.vbs | 4 |
| marketing.vbs | 3 |
| account.vbs | 2 |
This section display advanced information, if any has been found
Note: PSO (Password Settings Objects) will be visible only if the user, which collected the information, has the permission to view it.
PSO shown in the report will be prefixed by "PSO:"
| Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account counter locker after |
|---|---|---|---|---|---|---|---|---|---|
| Default Domain Policy (New) ? | True | 60 day(s) | 0 day | 8 | 2 | False | 999 | 1 minute(s) | 1 minute(s) |
This is the settings related to screensavers stored in Group Policies. Each non compliant setting is written in red.
| Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds) |
|---|
This section focuses on security settings stored in the Active Directory technical security policies.
The password in GPO are obfuscated, not encrypted. Consider any passwords listed here as compromised and change them immediately.
Giving local group membership in a GPO is a way to become administrator.
The local admin of a domain controller can become domain administrator instantly.
| GPO Name | User or group | Member of |
|---|---|---|
| SQL Servers Group Policy | EGIA\Database Admins | BUILTIN\Administrators |
| SQL Servers Group Policy | EGIA\Database Admins | BUILTIN\Remote Desktop Users |
A GPO can be used to deploy security settings to workstations.
The best practice out of the default security baseline is reported in green.
The following settings in red are unsual and may need to be reviewed.
Each setting is accompanied with its value and a link to the GPO explanation.
You will find below the checks where no occurences have been found
| Policy Name | Setting | Value |
|---|
Audit settings allow the system to generate logs which are useful to detect intrusions. Here are the settings found in GPO.
Simple audit events are described here and Advanced audit events are described here
You can get a list of all audit settings with the command line: auditpol.exe /get /category:* (source)
Simple audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy. Simple audit settings are named [Simple Audit].
Advanced audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Policy Configuration. This category is displayed below.
| Policy Name | Category | Setting | Value |
|---|---|---|---|
| Default Domain Controllers Policy ? | [Simple Audit] | Audit system events | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit logon events | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit object access | Unchanged |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit privilege use | Unchanged |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit policy change | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit account management | Success and Failure |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit process tracking | Success |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit directory service access | Success |
| Default Domain Controllers Policy ? | [Simple Audit] | Audit account logon events | Success and Failure |
| Default Domain Controllers Policy ? | Account Logon | Kerberos Authentication Service | Success and Failure |
| Default Domain Controllers Policy ? | Account Management | Computer Account Management | Success |
| Default Domain Controllers Policy ? | Account Management | Distribution Group Management | Success |
| Default Domain Controllers Policy ? | Account Management | User Account Management | Success and Failure |
| Default Domain Controllers Policy ? | Account Management | Security Group Management | Success |
| Default Domain Controllers Policy ? | Detailed Tracking | Process Creation | Success |
| Default Domain Controllers Policy ? | Detailed Tracking | Process Termination | Success |
| Default Domain Controllers Policy ? | DS Access | Directory Service Changes | Success |
| Default Domain Controllers Policy ? | DS Access | Directory Service Access | Success |
| Default Domain Controllers Policy ? | Logon/Logoff | Logon | Success and Failure |
| Default Domain Controllers Policy ? | Logon/Logoff | Logoff | Success |
| Default Domain Controllers Policy ? | Logon/Logoff | Network Policy Server | Success and Failure |
| Default Domain Controllers Policy ? | Logon/Logoff | Other Logon/Logoff | Success |
| Default Domain Controllers Policy ? | Object Access | Other Object Access | Success |
| Default Domain Controllers Policy ? | Policy Change | Authorization Policy Change | Success |
| Default Domain Controllers Policy ? | Policy Change | Authentication Policy Change | Success |
| Default Domain Controllers Policy ? | System | Security State Change | Success |
Giving privileges in a GPO is a way to become administrator without being part of a group.
For example, SeTcbPriviledge gives the right to act as SYSTEM, which has more privileges than the administrator account.
| GPO Name | Privilege | Members |
|---|---|---|
| Default Domain Controllers Policy ? | SeAssignPrimaryTokenPrivilege | EGIA\SQLServer2005MSSQLUser$BLUE$BKUPEXEC |
| Default Domain Controllers Policy ? | SeBackupPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Server Operators |
| SQL Servers Group Policy ? | SeTcbPrivilege | EGIA\svc_prod_sql |
| Default Domain Controllers Policy ? | SeBackupPrivilege | BUILTIN\Backup Operators |
| SQL Servers Group Policy ? | SeAssignPrimaryTokenPrivilege | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | SeImpersonatePrivilege | Administrators |
| SQL Servers Group Policy ? | SeImpersonatePrivilege | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | SeImpersonatePrivilege | NT AUTHORITY\SERVICE |
| SQL Servers Group Policy ? | SeManageVolumePrivilege | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | SeManageVolumePrivilege | Administrators |
| Default Domain Controllers Policy ? | SeCreateTokenPrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeDebugPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeLoadDriverPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeRestorePrivilege | Administrators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | SeRestorePrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeSecurityPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeSecurityPrivilege | EGIA\Exchange Enterprise Servers |
| Default Domain Controllers Policy ? | SeTakeOwnershipPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeTcbPrivilege | EGIA\SQLServer2005MSSQLUser$BLUE$BKUPEXEC |
| Default Domain Controllers Policy ? | SeTcbPrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeTcbPrivilege | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | SeEnableDelegationPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Administrators |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | EGIA\Administrator |
| Default Domain Controllers Policy ? | SeMachineAccountPrivilege | Domain Administrators |
| Default Domain Controllers Policy ? | SeSyncAgentPrivilege | <empty> |
Login authorization and restriction can be set by GPOs. Indeed, by default, everyone is allowed to login on every computer except domain controllers. Defining login restriction is a way to have different isolated tiers. Here are the settings found in GPOs.
| GPO Name | Privilege | Members |
|---|---|---|
| SQL Servers Group Policy ? | Deny log on locally ? | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | Deny logon through Remote Desktop Services ? | EGIA\svc_prod_sql |
| SQL Servers Group Policy ? | Allow logon through Remote Desktop Services ? | EGIA\Database Admins |
| SQL Servers Group Policy ? | Log on as a service ? | EGIA\svc_prod_sql |
| Default Domain Controllers Policy ? | Log on as a batch job ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\Administrator |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_DCC1DW01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_DCH6NP01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_DEV |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IUSR_NT-SERVER |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_DCC1DW01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_DCH6NP01 |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_DEV |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\IWAM_NT-SERVER |
| Default Domain Controllers Policy ? | Log on as a batch job ? | EGIA\SQLServer2005MSSQLUser$BLUE$BKUPEXEC |
| Default Domain Controllers Policy ? | Allow log on locally ? | TsInternetUser |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Account Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | Administrators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\Administrator |
| Default Domain Controllers Policy ? | Allow log on locally ? | Domain Administrators |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\ILS_ANONYMOUS_USER |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_DCC1DW01 |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_DCH6NP01 |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_DEV |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IUSR_NT-SERVER |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\IWAM_NT-SERVER |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\Oulook Web |
| Default Domain Controllers Policy ? | Allow log on locally ? | EGIA\TsInternetUser |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Print Operators |
| Default Domain Controllers Policy ? | Allow log on locally ? | BUILTIN\Server Operators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Administrators |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Authenticated Users |
| Default Domain Controllers Policy ? | Access this computer from the network ? | Everyone |
| Default Domain Controllers Policy ? | Log on as a service ? | EGIA\ADSyncMSA93402$ |
| Default Domain Controllers Policy ? | Log on as a service ? | BUILTIN\Backup Operators |
| Default Domain Controllers Policy ? | Log on as a service ? | EGIA\Administrator |
A GPO login script is a way to force the execution of data on behalf of users. Only enabled users are analyzed.
A GPO can be used to deploy applications or copy files. These files may be controlled by a third party to control the execution of local programs.