Security Best Practices Assessment
Active Directory and Windows Operating Systems
Active Directory (AD) and Windows operating systems are targeted by attackers because of the role they play in housing or providing access to sensitive data. As organizations have grown, AD and Windows infrastructures have become more complex to manage and more difficult to secure. The result? Attackers are exploiting AD and Windows security gaps to successfully carry out breaches.
To help organizations find and fix these gaps, STEALTHbits has engineered a 10-step Security Best Practices Assessment for Active Directory and Windows. The assessment automatically finds critical misconfigurations and high-risk conditions and summarizes them in a pre-packaged executive report.
The Security Best Practices Assessment Report is designed for both customers and partners.
10 Checks to Secure Active Directory and Windows
Here are 10 checks organizations can perform to uncover and remediate critical, high-risk situations in Active Directory and Windows with minimal effort.
- Sensitive Security Group Membership Report
- Local Administrators Report
- Stale User Accounts Report
- Potential Plaintext Passwords Report
- Domain Controller Logon Rights Report
- Local Security Authority (LSA) Protection Report
- Password Status Report
- Nested Groups Report
- Open Access Report
- Server Logon Rights Report
Check #1 - Sensitive Security Groups
Domain Admins, Enterprise Admins, and Schema Admins (together with the domain's built-in Administrators group) control Active Directory itself, so a single stolen member account compromises the directory and everything that trusts it. The Sensitive Security Group Membership report lists who is in these groups and flags high-risk conditions such as inappropriate members (day-to-day user accounts, service accounts, stale or disabled accounts) for remediation.
Check #2 - Local Administrators
Local administrator access is what attackers use to move from one compromised system to the next, especially where the same local administrator password is reused across many machines. The Local Administrators report shows who is in each system's local Administrators group and highlights details like account and password status (enabled or disabled, password age) to determine where risks lie.
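One way to collect the data behind this check, as an added example that is not STEALTHbits code: enumerate the local Administrators group on each host through the WinNT ADSI provider, separate local accounts from domain principals, and locate the built-in administrator by its RID (500) so a renamed account is still found. The function name, parameters, and thresholds are assumptions for illustration; it needs SMB/RPC reachability and local admin rights on the targets, and PowerShell 5.1 or later.

```powershell
# Added example, not STEALTHbits code: enumerate the local Administrators group
# on each host and check the built-in administrator (RID 500) even if renamed.
# Assumes: SMB/RPC reachability and local admin rights on the targets; the
# -ComputerName list is supplied by the caller (e.g. from Get-ADComputer).
function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxPasswordAgeDays = 90   # flag local admin passwords older than this
    )
    foreach ($computer in $ComputerName) {
        $short = $computer.Split('.')[0]
        try {
            # Members of BUILTIN\Administrators via the WinNT ADSI provider.
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
                $parts = ($path -replace '^WinNT://', '') -split '/'   # DOMAIN/name or HOST/name
                [pscustomobject]@{
                    Name    = "$($parts[0])\$($parts[1])"
                    Class   = $class                    # User or Group
                    IsLocal = ($parts[0] -ieq $short)   # local account vs. domain principal
                }
            })

            # Find the built-in administrator by SID suffix -500 (it may be renamed).
            $builtin = ([ADSI]"WinNT://$computer").Children |
                Where-Object { $_.SchemaClassName -eq 'User' } |
                Where-Object {
                    ([System.Security.Principal.SecurityIdentifier]::new($_.objectSid.Value, 0)).Value -like '*-500'
                } | Select-Object -First 1

            $pwdAgeDays = if ($builtin) { [int]($builtin.PasswordAge.Value / 86400) } else { $null }
            [pscustomobject]@{
                Computer            = $computer
                MemberCount         = $members.Count
                LocalMembers        = @($members | Where-Object IsLocal).Count
                # Domain groups nested into local Administrators are the usual lateral-movement path.
                DomainGroups        = (@($members | Where-Object { -not $_.IsLocal -and $_.Class -eq 'Group' }).Name -join '; ')
                BuiltinAdminName    = $builtin.Name.Value
                # UserFlags bit 2 = ADS_UF_ACCOUNTDISABLE
                BuiltinAdminEnabled = if ($builtin) { -not [bool]($builtin.UserFlags.Value -band 2) } else { $null }
                BuiltinPwdAgeDays   = $pwdAgeDays
                PasswordTooOld      = ($pwdAgeDays -gt $MaxPasswordAgeDays)
                Members             = $members
                Error               = $null
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; Error = $_.Exception.Message }
        }
    }
}

# Usage: all servers in the domain (requires the ActiveDirectory module).
# Get-LocalAdminReport -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name |
#     Where-Object { $_.PasswordTooOld -or $_.LocalMembers -gt 1 } | Format-Table Computer, BuiltinAdminName, BuiltinPwdAgeDays, DomainGroups
```

The two columns worth reading first are DomainGroups (a broad domain group such as Domain Users nested into local Administrators gives every domain account admin rights on that host) and BuiltinPwdAgeDays (an old, enabled RID-500 account with a shared password is the reuse problem the check is about).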
Check #3 - Stale User Accounts
Stale user accounts are leveraged by internal and external bad actors because nobody is watching them: a logon with an account that has been unused for months raises no alarm with its former owner. The Stale User Accounts report identifies user accounts that are disabled or have not logged on for a long time so they can be removed.
Check #4 - Plaintext Passwords
Group Policy Preferences were often used to set the local administrator password across many systems. The password is stored in an XML file in the SYSVOL share, which every domain user can read, as a cpassword value encrypted with a key Microsoft itself published (MS14-025), so anyone on the domain can recover it and gain far-reaching, privileged access. The Potential Plaintext Passwords report highlights the domain controllers whose SYSVOL contains such files so the GPOs can be remediated.
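A scan for this condition, as an added example that is not STEALTHbits code: walk the Policies folder of SYSVOL for the preference files that can carry credentials and report every item whose cpassword attribute is non-empty. The function name and the decision to report only the length of the blob (not its contents) are choices made here; it assumes read access to \\<domain>\SYSVOL, and uses the GroupPolicy module to name the GPO only if that module is present.

```powershell
# Added example, not STEALTHbits code: find Group Policy Preference XML files in
# SYSVOL that still carry a non-empty cpassword attribute. Assumes read access to
# \\<domain>\SYSVOL (every domain user has it) and, optionally, the GroupPolicy
# module to resolve GPO GUIDs to names.
function Find-GppPassword {
    param([string]$Domain = $env:USERDNSDOMAIN)   # DNS name of the domain to scan

    $root = "\\$Domain\SYSVOL\$Domain\Policies"
    # Preference item types that can embed credentials, and the files they are stored in.
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'
    $canResolve = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)

    Get-ChildItem -Path $root -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$xml = Get-Content -LiteralPath $file.FullName -Raw } catch { return }

        # The GPO GUID is the folder directly under Policies\; use it to name the GPO.
        $guid = (($file.FullName -split '\\Policies\\', 2)[1] -split '\\')[0]
        $gpoName = $guid
        if ($canResolve) {
            $gpo = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
            if ($gpo) { $gpoName = $gpo.DisplayName }
        }

        # cpassword is an attribute of each item's <Properties> element; an empty value means no password.
        foreach ($p in $xml.SelectNodes('//Properties[@cpassword and string-length(@cpassword) > 0]')) {
            # The account attribute differs per item type (userName for users/drives,
            # accountName for services, runAs for scheduled tasks).
            $account = @($p.userName, $p.accountName, $p.runAs) | Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                Gpo          = $gpoName
                File         = $file.FullName
                ItemType     = $p.ParentNode.LocalName   # User, Service, Task, Drive, ...
                Account      = $account
                LastModified = $file.LastWriteTime
                # Length of the base64 blob only; the value is AES-encrypted with the key
                # Microsoft documented (MS14-025) and is recoverable by any SYSVOL reader.
                CpasswordLen = $p.cpassword.Length
            }
        }
    }
}

# Usage:
# Find-GppPassword | Format-Table Gpo, ItemType, Account, LastModified, File -AutoSize
```

A hit is a finding regardless of whether the GPO is still linked: the file is readable as long as it exists in SYSVOL. Remediation is to delete the password from the preference item (MS14-025 removed the ability to set new ones, but did not clean up existing ones) and to manage local administrator passwords with LAPS instead.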
Check #5 - Domain Controller (DC) Logon Rights
Protect privileged identities, and every asset they can reach, by knowing who can log on to a Domain Controller: a DC holds the credentials of the whole domain. The Domain Controller (DC) Logon Rights report lists every group granted interactive logon (local or through Remote Desktop) to DCs so over-broad grants can be found and removed.
Check #6 - Local Security Authority (LSA) Protection
Attackers use tools like Mimikatz to steal credentials from Windows systems by reading the memory of, or injecting code into, the Local Security Authority process (LSASS). Additional LSA Protection runs LSASS as a protected process, so only signed, protected-process-capable code can open it. The LSA Protection report shows the protection status of LSASS on every system, enabling streamlined remediation.
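A status check for this setting, as an added example that is not STEALTHbits code: read the RunAsPPL value on each host and, because that value only takes effect after a reboot, confirm the live state from the Wininit event that Windows logs at boot when LSASS started protected. The function name and the output fields are assumptions for illustration; it needs PowerShell remoting (WinRM) and local admin rights on the targets.

```powershell
# Added example, not STEALTHbits code: report whether Additional LSA Protection
# (RunAsPPL) is configured and whether LSASS actually started protected on each
# host. Assumes PowerShell remoting (WinRM) and local admin rights on the targets.
function Get-LsaProtectionStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Unreachable hosts are skipped silently; add -ErrorVariable to collect them.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL   -ErrorAction SilentlyContinue).RunAsPPL
        # AuditLevel = 8 is audit mode: logs what would be blocked without enforcing.
        $audit    = (Get-ItemProperty -Path $lsa -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel

        # The registry value is read at boot. Wininit logs System event 12 when LSASS
        # started as a protected process, so an event since the last boot is the live state.
        $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        $evt  = Get-WinEvent -FilterHashtable @{
                    LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot
                } -MaxEvents 1 -ErrorAction SilentlyContinue

        $configured = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            # $null/0 = off; 1 = on (UEFI-locked where Secure Boot allows); 2 = on without UEFI lock (newer builds)
            RunAsPPL     = $runAsPpl
            Configured   = $configured
            RunningAsPPL = [bool]$evt
            AuditMode    = ($audit -eq 8)
            RebootNeeded = ($configured -and -not $evt)
            LastBoot     = $boot
        }
    } | Select-Object Computer, RunAsPPL, Configured, RunningAsPPL, AuditMode, RebootNeeded, LastBoot
}

# Usage:
# Get-LsaProtectionStatus -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name |
#     Where-Object { -not $_.RunningAsPPL } | Format-Table
```

Before enforcing (`Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Type DWord`, then reboot), run a period in audit mode and review the Microsoft-Windows-CodeIntegrity/Operational log for events 3065 and 3066: anything loaded into LSASS that is not signed for protected-process use (smart card drivers, password filters, third-party authentication packages) will be blocked once protection is on, and that breaks logons rather than Mimikatz.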
Check #7 - Password Status
Accounts that do not require a password, or whose passwords have not changed in a long time, make it easier for attackers to guess or reuse credentials and reach data. The Password Status report details the password state of every user account (password not required, never expires, date last set) to find and remediate those out of compliance.
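The queries behind Check #3 (stale accounts) and Check #7 (password status) run over the same user objects, so one added example serves both; it is not STEALTHbits code. It pulls every user with the relevant attributes and tags each with the conditions it meets. The thresholds, function name, and output layout are assumptions; it requires the ActiveDirectory module, and it relies on LastLogonDate (the replicated lastLogonTimestamp, accurate only to about 14 days), which is good enough for a 90-day staleness test.

```powershell
# Added example, not STEALTHbits code: AD user hygiene for Check #3 (stale
# accounts) and Check #7 (password status). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UserHygieneReport {
    param(
        [int]$StaleDays = 90,            # no logon for this long => stale
        [int]$MaxPasswordAgeDays = 365   # password older than this => out of policy
    )
    $now   = Get-Date
    $props = 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires',
             'PasswordNotRequired', 'WhenCreated', 'AdminCount'

    Get-ADUser -Filter * -Properties $props | ForEach-Object {
        $u = $_
        $findings = New-Object System.Collections.Generic.List[string]

        # --- Check #3: stale or unused accounts ---
        if (-not $u.Enabled) { $findings.Add('Disabled') }
        # An account that never logged on is measured from its creation date.
        $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
        if ($lastActivity -lt $now.AddDays(-$StaleDays)) { $findings.Add("NoLogon>${StaleDays}d") }

        # --- Check #7: password status ---
        if ($u.PasswordNotRequired)  { $findings.Add('PasswordNotRequired') }   # PASSWD_NOTREQD flag: blank password allowed
        if ($u.PasswordNeverExpires) { $findings.Add('PasswordNeverExpires') }
        if (-not $u.PasswordLastSet) { $findings.Add('PasswordNeverSet') }      # pwdLastSet = 0
        elseif ($u.PasswordLastSet -lt $now.AddDays(-$MaxPasswordAgeDays)) {
            $findings.Add("PasswordAge>${MaxPasswordAgeDays}d")
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                Privileged      = ($u.AdminCount -eq 1)   # adminCount=1: protected by AdminSDHolder, i.e. in a privileged group
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Findings        = ($findings -join ',')
            }
        }
    } | Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, SamAccountName
}

# Usage: privileged accounts with any finding first, then everything else.
# Get-UserHygieneReport | Format-Table -AutoSize
# Get-UserHygieneReport | Where-Object Findings -like '*PasswordNotRequired*' | Export-Csv .\pwd-not-required.csv -NoTypeInformation
```

The Privileged column is what turns a long list into a work queue: a stale or never-expiring password on an account that adminCount marks as protected is the finding to fix today. PasswordNotRequired is worth treating separately because it means the account may have an empty password regardless of domain policy.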
Check #8 - Nested Groups
Nesting groups makes managing group memberships easier but makes understanding effective access harder; attackers exploit that opacity to gain privileged access without causing alarm, for example by being added to an obscure group that is itself nested several levels under Domain Admins. The Nested Groups report identifies groups with the most nesting, including how many levels of nesting exist, to help untangle access rights and move to a more secure model.
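Check #1 and Check #8 need the same walk of group membership, so one added example serves both; it is not STEALTHbits code. It expands a group recursively, records the depth and the chain of groups by which each principal reaches it, and stops on membership loops. The function names, the default list of groups, and the output layout are assumptions for illustration; the ActiveDirectory module is required.

```powershell
# Added example, not STEALTHbits code: resolve the effective membership of the
# sensitive groups from Check #1 while recording nesting depth and the path that
# grants each principal access (Check #8). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory)][string]$Group,   # name, sAMAccountName, SID or DN
        [int]$Depth = 0,
        [string]$Path = '',
        [hashtable]$Branch = @{}                # groups already on this branch, to stop A -> B -> A loops
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    if ($Branch.ContainsKey($g.DistinguishedName)) { return }
    $Branch = $Branch.Clone(); $Branch[$g.DistinguishedName] = $true
    $here = if ($Path) { "$Path > $($g.Name)" } else { $g.Name }

    foreach ($dn in $g.member) {
        $m = Get-ADObject -Identity $dn -Properties sAMAccountName, userAccountControl
        if ($m.ObjectClass -eq 'group') {
            Get-EffectiveGroupMembers -Group $dn -Depth ($Depth + 1) -Path $here -Branch $Branch
        } else {
            [pscustomobject]@{
                Principal   = if ($m.sAMAccountName) { $m.sAMAccountName } else { $m.Name }  # foreign security principals have no sAMAccountName
                ObjectClass = $m.ObjectClass        # user, computer, foreignSecurityPrincipal, msDS-GroupManagedServiceAccount ...
                Disabled    = [bool]($m.userAccountControl -band 2)   # ACCOUNTDISABLE
                Depth       = $Depth                # 0 = direct member
                Via         = $here                 # chain of groups that grants the membership
                DN          = $m.DistinguishedName
            }
        }
    }
}

function Get-SensitiveGroupReport {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    foreach ($name in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) { continue }
        $members = @(Get-EffectiveGroupMembers -Group $name)
        [pscustomobject]@{
            Group           = $name
            Direct          = @($members | Where-Object Depth -eq 0).Count
            Effective       = @($members | Select-Object -ExpandProperty DN -Unique).Count
            MaxNesting      = ($members | Measure-Object -Property Depth -Maximum).Maximum
            DisabledMembers = @($members | Where-Object Disabled).Count
            Members         = $members
        }
    }
}

# Usage: summary per group, then the deepest paths into Domain Admins.
# Get-SensitiveGroupReport | Format-Table Group, Direct, Effective, MaxNesting, DisabledMembers
# (Get-SensitiveGroupReport -Groups 'Domain Admins').Members | Sort-Object Depth -Descending | Format-Table Principal, Depth, Via
```

Two things the member attribute does not show and this walk therefore misses: principals whose primaryGroupID points at the group (rare for admin groups, but possible), and members from trusted domains, which appear as foreignSecurityPrincipal objects and have to be expanded against a domain controller of their own domain (`-Server`). Both are worth a second query when the group in question is one of the four above.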
Check #9 - Open Access
Resources shared with broad security principals like Everyone, Domain Users, and Authenticated Users are reachable from any account in the domain, so an attacker who compromises any single user can use them to find and steal data from file shares. The Open Access report identifies every host with data resources open to anyone in the organization so access can be restricted to the groups that need it.
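A host-level version of this check, as an added example that is not STEALTHbits code: list the non-administrative SMB shares on each host and flag a share as open only when both its share ACL and the NTFS ACL on its root grant access to an "anyone" principal, since effective access is the intersection of the two. Matching is done on SIDs so renamed or localized group names do not slip through. The function name and output layout are assumptions; it needs WinRM and local admin rights on the targets.

```powershell
# Added example, not STEALTHbits code: list non-administrative SMB shares on each
# host and flag those where BOTH the share ACL and the NTFS ACL on the share root
# grant access to an "anyone" principal (Everyone, Authenticated Users, Users,
# Domain Users). Assumes WinRM access and local admin rights on the targets.
function Get-OpenShareReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Match on SIDs so renamed or localized group names do not matter.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $domainUsers = ([System.Security.Principal.NTAccount]"$env:USERDOMAIN\Domain Users").Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
    $broad[$domainUsers] = 'Domain Users'

    Invoke-Command -ComputerName $ComputerName -ArgumentList $broad -ErrorAction SilentlyContinue -ScriptBlock {
        param([hashtable]$broad)

        # Returns the friendly name if $identity is one of the broad principals, else nothing.
        function Resolve-BroadSid($identity) {
            try {
                $sid = if ($identity -match '^S-1-') { $identity } else {
                    ([System.Security.Principal.NTAccount]$identity).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                }
                if ($broad.ContainsKey($sid)) { $broad[$sid] }
            } catch { }   # unresolvable (deleted or foreign) identities are not "anyone"
        }

        Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {   # skips C$, ADMIN$, IPC$
            $share = $_
            $shareHits = @(Get-SmbShareAccess -Name $share.Name |
                Where-Object AccessControlType -eq 'Allow' |
                ForEach-Object { $who = Resolve-BroadSid $_.AccountName; if ($who) { "$who=$($_.AccessRight)" } })

            $ntfsHits = @()
            $acl = Get-Acl -LiteralPath $share.Path -ErrorAction SilentlyContinue
            if ($acl) {
                $ntfsHits = @($acl.Access | Where-Object AccessControlType -eq 'Allow' |
                    ForEach-Object { $who = Resolve-BroadSid $_.IdentityReference.Value; if ($who) { "$who=$($_.FileSystemRights)" } })
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Share     = $share.Name
                Path      = $share.Path
                ShareAcl  = ($shareHits -join '; ')
                NtfsAcl   = ($ntfsHits  -join '; ')
                # Effective access is the intersection of the two ACLs: both must allow a broad principal.
                OpenToAll = ($shareHits.Count -gt 0 -and $ntfsHits.Count -gt 0)
            }
        }
    } | Select-Object Computer, Share, Path, OpenToAll, ShareAcl, NtfsAcl
}

# Usage:
# Get-OpenShareReport -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name |
#     Where-Object OpenToAll | Format-Table -AutoSize
```

"Everyone: Full Control" on the share ACL with a tight NTFS ACL underneath is a common and acceptable pattern, which is why the share ACL alone is not a finding here. The simplification to be aware of is that only the share root's NTFS ACL is inspected and Deny entries are ignored; a subfolder that has broken inheritance and granted Everyone access would need a deeper walk.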
Check #10 - Server Logon Rights
Group Policy sets the local security policy user rights assignments (for example "Allow log on locally", "Allow log on through Remote Desktop Services", "Log on as a batch job", "Debug programs") that decide who can reach a server and which admin-like actions they can perform once there. Attackers exploit overly broad assignments to access and compromise systems, credentials, and data. The Server Logon Rights report shows every user who can log on to any server and the rights they hold, to help prioritize and remediate risk.
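Check #5 (DCs) and Check #10 (servers) both come down to reading the effective user rights assignment on a host, so one added example covers both; it is not STEALTHbits code. It exports the effective local security policy with secedit (local settings merged with every applied GPO), parses the [Privilege Rights] section, and resolves the SIDs to names. The function name, the list of rights, and the output layout are assumptions; it needs WinRM and local admin rights on the targets.

```powershell
# Added example, not STEALTHbits code: export the effective local security policy
# on each host with secedit and read the [Privilege Rights] section, resolving
# SIDs to names, for the logon-rights checks (#5 on DCs, #10 on servers).
# Assumes WinRM and local admin rights on the targets.
function Get-LogonRightsReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $rights = @(
        'SeInteractiveLogonRight',           # Allow log on locally
        'SeRemoteInteractiveLogonRight',     # Allow log on through Remote Desktop Services
        'SeNetworkLogonRight',               # Access this computer from the network
        'SeBatchLogonRight',                 # Log on as a batch job
        'SeServiceLogonRight',               # Log on as a service
        'SeDenyInteractiveLogonRight',       # the deny rights override the allow rights above
        'SeDenyRemoteInteractiveLogonRight',
        'SeDebugPrivilege',                  # admin-equivalent: can open LSASS
        'SeBackupPrivilege', 'SeRestorePrivilege',          # read/write any file regardless of ACL
        'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege' # admin-equivalent as well
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$rights) -ErrorAction SilentlyContinue -ScriptBlock {
        param([string[]]$rights)
        $tmp = Join-Path $env:TEMP "secpol-$PID.inf"
        # Export the *effective* policy: local settings merged with all applied GPOs.
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
        try {
            $inSection = $false
            foreach ($line in Get-Content -LiteralPath $tmp) {
                if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
                if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
                $right, $value = $Matches[1], $Matches[2]
                if ($rights -notcontains $right) { continue }

                # Entries look like *S-1-5-32-544,*S-1-5-32-551 ; resolve each SID to a name.
                $principals = foreach ($entry in ($value -split ',' | Where-Object { $_.Trim() })) {
                    $entry = $entry.Trim()
                    if ($entry.StartsWith('*')) {
                        try { (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate(
                                  [System.Security.Principal.NTAccount]).Value }
                        catch { $entry.Substring(1) }   # deleted or foreign SID: keep it, it is a finding in itself
                    } else { $entry }
                }
                [pscustomobject]@{ Computer = $env:COMPUTERNAME; Right = $right; Principals = ($principals -join '; ') }
            }
        } finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }
    } | Select-Object Computer, Right, Principals
}

# Usage: who can log on interactively to the domain controllers.
# Get-LogonRightsReport -ComputerName (Get-ADDomainController -Filter *).HostName |
#     Where-Object Right -in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight' | Format-Table -AutoSize
```

On a domain controller the Default Domain Controllers Policy grants "Allow log on locally" to the operator groups (Account Operators, Backup Operators, Print Operators, Server Operators) in addition to Administrators, so any account that has ended up in one of those groups already has a DC logon path; those groups are the first place to look when the DC output is longer than expected. Unresolved SIDs in the output mean a deleted or foreign principal still holds a right and should be removed from the policy.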