Security Best Practices Assessment

Active Directory and Windows Operating Systems

Active Directory (AD) and Windows operating systems are targeted by attackers because of the role they play in housing or providing access to sensitive data. As organizations have grown, AD and Windows infrastructures have become more complex to manage and more difficult to secure. The result? Attackers are exploiting AD and Windows security gaps to successfully carry out breaches.

To help organizations find and fix these gaps, STEALTHbits has engineered a 10-step Security Best Practices Assessment for Active Directory and Windows. The assessment automatically finds critical misconfigurations and high-risk conditions and summarizes them in a pre-packaged executive report.

Local Admin report details local group memberships, membership type, password status, password age, and account status.

The Security Best Practices Assessment Report is designed for both customers and partners.

10 Checks to Secure Active Directory and Windows

Here are 10 checks organizations can perform to uncover and remediate critical, high-risk situations in Active Directory and Windows with minimal effort.

Sensitive Security Group Membership report shows the effective membership of Domain, Enterprise, and Schema Administrator groups across domains, as well as nesting depth, age, and password and account status.

Check #1 - Sensitive Security Groups

If Domain, Enterprise, and Schema Admin accounts are stolen, they can be abused to compromise the security of Active Directory and everything connected to it. The Sensitive Security Group Membership report identifies high-risk conditions like inappropriate members for remediation.
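As an added example (this is not STEALTHbits code or output from its report), the following PowerShell builds the same effective-membership view of the three sensitive groups with the RSAT ActiveDirectory module. It assumes it runs against the forest root domain, where Enterprise Admins and Schema Admins are defined; the 180-day password-age threshold and the output file name are assumptions.

```powershell
# Added example (not STEALTHbits code). Assumes the RSAT ActiveDirectory module
# and read access to the forest root domain, where Enterprise Admins and
# Schema Admins live. Reports the effective (recursively expanded) membership of
# the three sensitive groups with each member's account and password status.
Import-Module ActiveDirectory

$sensitiveGroups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$maxPasswordAgeDays = 180   # assumed threshold for an "old" privileged password

$rows = foreach ($groupName in $sensitiveGroups) {
    # -Recursive flattens nested groups down to their user members
    $members = Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        try {
            $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
        } catch { continue }   # e.g. a principal from a trusted domain we cannot read

        # Null PasswordLastSet means the password was never set (must-change-at-next-logon)
        $ageDays = if ($u.PasswordLastSet) {
            [int]((Get-Date) - $u.PasswordLastSet).TotalDays
        } else { $null }

        [pscustomobject]@{
            Group                = $groupName
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            PasswordAgeDays      = $ageDays
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate   # from lastLogonTimestamp, up to ~14 days stale
        }
    }
}

# The high-risk conditions worth remediating first
$flagged = $rows | Where-Object {
    (-not $_.Enabled) -or $_.PasswordNeverExpires -or
    ($null -eq $_.PasswordAgeDays) -or ($_.PasswordAgeDays -gt $maxPasswordAgeDays)
}

$rows    | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$flagged | Export-Csv -Path .\SensitiveGroupMembers-Flagged.csv -NoTypeInformation
```

Get-ADGroupMember -Recursive gives the flattened result but not the path through which each member arrived, so a member that should be removed still has to be traced back to the nested group that grants the access. Disabled accounts that remain in these groups are worth flagging too: they are a single re-enable away from full privilege.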

Local Administrators report provides details showing how Local Administrator access has been granted and is being used so an organization can adopt a least privilege access model to better secure its critical servers.

Check #2 - Local Administrators

Local Admin access is exploited by attackers who are looking to break into an organization’s network. The Local Administrators report highlights details like account and password status to determine where risks lie.

Stale User Accounts report identifies user accounts that have not logged into the domain for a while or are disabled so organizations can remove stale user objects, thereby reducing management complexity and improving security.

Check #3 - Stale User Accounts

Stale User Accounts are leveraged by internal and external bad actors to evade detection while carrying out attacks. The Stale User Accounts report identifies user accounts that are disabled or not in use so they can be removed.

Potential Plaintext Passwords report highlights Active Directory domain controllers where Group Policy Objects have been used to create accounts and set passwords on computers (especially Local Administrator passwords set across many systems), so organizations can prevent attackers from recovering the credentials of an account stored in a GPO.

Check #4 - Plaintext Passwords

Because Group Policy Objects (GPOs) are often used to set the Local Admin password across systems, attackers target these GPOs to obtain far-reaching, privileged access. The Potential Plaintext Passwords report highlights domain controllers where this vulnerability exists so it can be remediated.
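The condition behind this check is a Group Policy Preferences item (local user, service, scheduled task, data source, drive map or printer) that stores a password in its XML under SYSVOL as a cpassword attribute. As an added example (not STEALTHbits code), the following PowerShell finds every such item in the domain's SYSVOL. It assumes read access to the SYSVOL share and, optionally, the GroupPolicy module for turning GPO GUIDs into display names; the domain name is taken from the environment.

```powershell
# Added example (not STEALTHbits code). Scans SYSVOL for Group Policy Preferences
# XML files that carry a cpassword attribute, i.e. GPOs that create accounts or
# set passwords. Assumes read access to \\<domain>\SYSVOL and, optionally, the
# GroupPolicy module (Get-GPO) for resolving GPO names.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Preference item types that can embed credentials
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
# Attribute names used for the account name across those item types
$accountAttrs = 'userName', 'accountName', 'runAs', 'username'

$findings = Get-ChildItem -Path $policies -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { [xml]$xml = Get-Content -Path $file.FullName -ErrorAction Stop } catch { return }

        # The GPO GUID is the folder directly beneath Policies
        $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
        $gpoName = '<unresolved>'
        if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
            try { $gpoName = (Get-GPO -Guid $gpoGuid.Trim('{}')).DisplayName } catch { }
        }

        # Any element with a non-empty cpassword attribute stores a password
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            if (-not $node.GetAttribute('cpassword')) { continue }
            $account = $accountAttrs | ForEach-Object { $node.GetAttribute($_) } |
                       Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                GpoGuid = $gpoGuid
                GpoName = $gpoName
                File    = $file.FullName
                Account = $account
            }
        }
    }

$findings | Format-Table -AutoSize
```

Microsoft removed the ability to configure passwords in these preference items with MS14-025, but items created before that patch stay in SYSVOL and keep applying. Remediation is to delete the item, rotate the password of every account it set, and move local administrator password management to a per-machine solution such as LAPS.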

Domain Controller Logon Rights report identifies vulnerabilities in privileged groups like Enterprise Admins, Domain Admins, Administrators, Backup Operators, Account Operators, and Print Operators, as well as their effective membership.

Check #5 - Domain Controller (DC) Logon Rights

Protect privileged identities, and any asset they provide access to, by knowing who can log on to a Domain Controller. The Domain Controller (DC) Logon Rights report highlights potential vulnerabilities in all groups that allow interactive logon to DCs.

Additional LSA Protection report provides clear insight into the protection status of the Local Security Authority (LSA) process across every system so attackers cannot use Mimikatz to compromise credentials from Windows systems through injecting code.

Check #6 - Local Security Authority (LSA) Protection

Attackers can leverage hacking tools like Mimikatz to steal credentials from Windows systems through injecting code into the LSA process. The Additional LSA Protection report provides insight into the protection status of the LSA process on every system, enabling streamlined remediation.
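The setting this check reads is the RunAsPPL value under the Lsa registry key, which makes LSASS a protected process so that unsigned code cannot be injected into it. As an added example (not STEALTHbits code), the following PowerShell collects that status, plus the optional audit-mode setting, from a list of hosts. It assumes PowerShell remoting and local administrator rights on the targets; the host names are placeholders.

```powershell
# Added example (not STEALTHbits code). Reads the LSA protection setting from
# each host over WinRM. Assumes PowerShell remoting and local admin rights on the
# targets; the host names are placeholders.
$computers = 'SERVER01', 'SERVER02'   # placeholder host names

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock,
    # missing or 0 = LSASS is not running as a protected process
    $runAsPpl = if ($null -eq $lsa.RunAsPPL) { 0 } else { [int]$lsa.RunAsPPL }

    # Audit mode (AuditLevel = 8) logs plug-ins that would be blocked, without enforcing
    $ifeo = Get-ItemProperty -ErrorAction SilentlyContinue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

    [pscustomobject]@{
        RunAsPPL   = $runAsPpl
        Protected  = ($runAsPpl -ge 1)
        AuditLevel = $ifeo.AuditLevel
    }
}

# Hosts that did not answer matter as much to the report as unprotected ones:
# PSComputerName is added by Invoke-Command and carries the name we asked for
$answered    = @($results | ForEach-Object { $_.PSComputerName })
$unreachable = $computers | Where-Object { $answered -notcontains $_ }

$results | Select-Object PSComputerName, RunAsPPL, Protected, AuditLevel | Format-Table -AutoSize
$unreachable | ForEach-Object { "Unreachable: $_" }
```

Before enforcing, run a period in audit mode and review the CodeIntegrity operational log for events 3065 and 3066, which name the LSA plug-ins or drivers that would fail to load; enabling RunAsPPL on a host that still depends on an unsigned authentication package breaks logon for that host.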

Check #7 - Password Status Report

Organizations that have accounts that don’t require passwords, or that have passwords that have not changed for a long time, make it easier for attackers to steal credentials and data. The Password Status report provides details on all user account passwords to find and remediate those that are out of compliance.
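Check #3 (stale or disabled accounts) and Check #7 (password status) are both questions about user-object attributes, so one pass over the directory answers them together. As an added example (not STEALTHbits code), the following PowerShell produces that combined report with the RSAT ActiveDirectory module. The 90-day inactivity and 365-day password-age thresholds and the output file name are assumptions.

```powershell
# Added example (not STEALTHbits code). One pass over all domain users that
# flags the Check #3 conditions (stale or disabled) and the Check #7 conditions
# (no password required, never expires, never set, or older than the policy
# threshold). Assumes the RSAT ActiveDirectory module; thresholds are assumptions.
Import-Module ActiveDirectory

$inactiveDays       = 90
$maxPasswordAgeDays = 365
$now         = Get-Date
$logonCutoff = $now.AddDays(-$inactiveDays)
$pwCutoff    = $now.AddDays(-$maxPasswordAgeDays)

$props = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'PasswordNotRequired', 'PasswordNeverExpires', 'whenCreated'
$users = Get-ADUser -Filter * -Properties $props

$report = foreach ($u in $users) {
    $reasons = @()

    if (-not $u.Enabled) {
        $reasons += 'Disabled'
    } elseif (($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $logonCutoff) -and
              $u.whenCreated -lt $logonCutoff) {
        # LastLogonDate derives from lastLogonTimestamp, which replicates lazily
        # (up to ~14 days behind), so keep the threshold well above that lag
        $reasons += "NoLogonFor${inactiveDays}Days"
    }
    if ($u.PasswordNotRequired)  { $reasons += 'PasswordNotRequired' }
    if ($u.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
    if ($null -eq $u.PasswordLastSet) {
        $reasons += 'PasswordNeverSet'
    } elseif ($u.PasswordLastSet -lt $pwCutoff) {
        $reasons += "PasswordOlderThan${maxPasswordAgeDays}Days"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Reasons         = ($reasons -join ';')
        }
    }
}

$report | Sort-Object SamAccountName | Export-Csv -Path .\AccountHygiene.csv -NoTypeInformation
# Summary: how many accounts share each combination of findings
$report | Group-Object Reasons | Select-Object Count, Name | Sort-Object Count -Descending
```

PasswordNotRequired is the PASSWD_NOTREQD flag in userAccountControl; an account with it set can legitimately have an empty password regardless of domain policy, which is why it is listed separately from password age.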

Nested Groups report identifies the groups with the most nested groups and how many levels of nesting there are to help organizations determine effective access and migrate to a least privilege access model.

Check #8 - Nested Groups

Nesting groups makes managing group memberships easier but also makes understanding effective access harder—a condition attackers exploit to gain privileged access without causing alarm. The Nested Groups report identifies groups with the most nesting, including how many levels of nesting exist, to help untangle access rights and move to a more secure model.
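As an added example (not STEALTHbits code), the following PowerShell computes, for each group under a search base, how many groups are nested beneath it and the deepest nesting level, with a guard for circular nesting (group A containing B containing A), which otherwise sends a naive walk into an endless loop. It assumes the RSAT ActiveDirectory module; the search base OU is a placeholder.

```powershell
# Added example (not STEALTHbits code). Walks group membership recursively and
# reports, per group, how many groups are nested beneath it and the deepest
# nesting level. Assumes the RSAT ActiveDirectory module; $searchBase is a placeholder.
Import-Module ActiveDirectory

function Get-GroupNesting {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$Ancestors = @()   # path from the root group; used to detect cycles
    )
    if ($Ancestors -contains $DistinguishedName) {
        return [pscustomobject]@{ Depth = 0; NestedGroups = 0; Circular = $true }
    }
    $group = Get-ADGroup -Identity $DistinguishedName -Properties member

    # Keep only members that are themselves groups; users and computers add no depth
    $childGroups = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -ErrorAction SilentlyContinue
        if ($obj -and $obj.ObjectClass -eq 'group') { $dn }
    }

    $maxDepth = 0; $count = 0; $circular = $false
    foreach ($child in $childGroups) {
        $r = Get-GroupNesting -DistinguishedName $child -Ancestors ($Ancestors + $DistinguishedName)
        $count += 1 + $r.NestedGroups
        if ($r.Circular) { $circular = $true }
        if ($r.Depth + 1 -gt $maxDepth) { $maxDepth = $r.Depth + 1 }
    }
    [pscustomobject]@{ Depth = $maxDepth; NestedGroups = $count; Circular = $circular }
}

$searchBase = 'OU=Groups,DC=example,DC=com'   # placeholder
$report = foreach ($g in Get-ADGroup -Filter * -SearchBase $searchBase) {
    $r = Get-GroupNesting -DistinguishedName $g.DistinguishedName
    if ($r.NestedGroups -gt 0) {
        [pscustomobject]@{
            Group        = $g.Name
            NestedGroups = $r.NestedGroups
            MaxDepth     = $r.Depth
            Circular     = $r.Circular
        }
    }
}

$report | Sort-Object MaxDepth, NestedGroups -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Tracking ancestors per path rather than a single global visited set keeps the depth exact when a group is reachable through several routes, at the cost of revisiting shared sub-trees; in a large forest, cache each group's result by distinguished name. A Circular = True row is a finding in itself: membership that loops is almost never intentional and is hard to audit.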

Open Access report identifies all hosts containing data resources, like file shares, that are open to a large number of user accounts in the organization or to accounts like Guest and Anonymous, leaving them exposed to data theft.

Check #9 - Open Access Report

Any attacker holding an account that falls under broad security principals like Everyone, Domain Users, and Authenticated Users can use that access to steal data from file shares. The Open Access report identifies all hosts containing data resources open to anyone in an organization so access can be restricted.

Local Security Policies report details all users who have the ability to log on to any server through user rights assignments that allow non-administrators to perform administrator-like functions, along with the level of rights they’ve been granted, highlighting policies with a large number of trustee assignments.

Check #10 - Server Logon Rights Reports

Group Policy controls Local Security Policies that allow non-admins to perform admin-like functions. Attackers can exploit these policies to access and compromise systems, credentials, and data. The Local Security Policies report shows all users who have the ability to log on to any server and their level of rights, to help prioritize and remediate risk.
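As an added example (not STEALTHbits code), the following PowerShell exports a server's effective user rights assignments with secedit.exe, resolves the SIDs to names, and lists the trustees behind the logon-related rights and a few admin-equivalent privileges, ordering the output by how many trustees each right has. It assumes it runs elevated on the server being assessed (wrap it in Invoke-Command to cover many hosts); the set of rights examined is an assumption.

```powershell
# Added example (not STEALTHbits code). Exports the effective local security
# policy with secedit.exe and lists the trustees assigned logon-related user
# rights and admin-equivalent privileges. Must run elevated on the host.
$rightsOfInterest = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeBackupPrivilege             = 'Back up files and directories'
    SeRestorePrivilege            = 'Restore files and directories'
    SeDebugPrivilege              = 'Debug programs'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
}

$tmp = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $tmp
Remove-Item -Path $tmp -ErrorAction SilentlyContinue

# Exported lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$rows = foreach ($line in $lines) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $right    = $Matches[1]
        $trustees = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($t in $trustees) {
            # secedit writes SIDs with a leading '*'; translate them to names where possible
            $name = $t
            if ($t.StartsWith('*')) {
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($t.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $t }   # orphaned SID: keep the raw value, it is a finding too
            }
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Right        = $right
                Description  = $rightsOfInterest[$right]
                Trustee      = $name
                TrusteeCount = $trustees.Count
            }
        }
    }
}

$rows | Sort-Object TrusteeCount -Descending | Format-Table -AutoSize
```

Because secedit exports the policy as it is applied on the host, the result already reflects whatever Group Policy has pushed, which is the view that matters for this check. Rights such as SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege and SeTakeOwnershipPrivilege granted to non-administrators are equivalent to administrator access on that server and belong at the top of the remediation list.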

Resources

Solution Brief - Active Directory and Windows Security Best Practices Assessment

Checklist - 10-Step Best Practices Checklist for Active Directory and Windows Security

Webinar - 5 Ways to Improve Active Directory and Operating System Security in 2017