Findings & rules · AD-Supervision

Obsolete domain controller Compliant

Stale objects 30 pts ANSSIR12CIS2.xATT&CKT1210D3FENDD3-OSM

S-DC-Obsolete

Recent krbtgt password Compliant

Anomalies 25 pts ANSSIR6ATT&CKT1558.001D3FENDD3-ANCI

A-Krbtgt

SMBv1 disabled on DCs Compliant

Anomalies 12 pts ANSSIR29CIS18.xATT&CKT1210D3FENDD3-NTF

A-SMBv1

Forest trust filtered Compliant

Trust relationships 8 pts ANSSIR21D3FENDD3-DTP

T-ForestSID

Schema Admins group empty Compliant

Privileged accounts 5 pts ANSSIR7CIS5.1ATT&CKT1078.002D3FENDD3-ANCI

P-SchemaAdmins

AD Recycle Bin Compliant

Stale objects 3 pts ANSSIR37D3FENDD3-RB

S-RecycleBin

Password in a GPP (SYSVOL) Critical

Anomalies 20 pts 1 objects ANSSIR45CIS18.xATT&CKT1552.006D3FENDD3-FA

A-GPPPassword

Unconstrained Kerberos delegation Critical

Privileged accounts 20 pts 7 objects ANSSIR18CIS5.xATT&CKT1558.001D3FENDD3-ANCI

P-Delegation

Trust without SID filtering High

Trust relationships 20 pts 1 objects ANSSIR21ATT&CKT1134.005D3FENDD3-DTP

T-SIDFiltering

LDAP signing not required High

Anomalies 15 pts 4 objects ANSSIR28CIS18.xATT&CKT1557.001D3FENDD3-MH

A-LDAPSigning

Service account in Domain Admins High

Privileged accounts 15 pts 1 objects ANSSIR8CIS5.1ATT&CKT1558.003D3FENDD3-ANCI

P-SvcInDA

Hosts on obsolete OS High

Stale objects 15 pts 56 objects ANSSIR12CIS2.xATT&CKT1210D3FENDD3-OSM

S-OS-Obsolete

Large administrator population High

Privileged accounts 12 pts 7 objects ANSSIR7CIS5.1ATT&CKT1078.002D3FENDD3-ANCI

P-AdminNum

Kerberoastable accounts High

Anomalies 12 pts 28 objects ANSSIR8CIS16.xATT&CKT1558.003D3FENDD3-ANCI

A-Kerberoast

Inactive user accounts High

Stale objects 12 pts 39 objects ANSSIR36CIS5.3ATT&CKT1078D3FENDD3-ANCI

S-Inactive-User

AS-REP roastable accounts High

Anomalies 10 pts 12 objects ANSSIR8CIS16.xATT&CKT1558.004D3FENDD3-ANCI

A-ASREPRoast

Accounts with SID History Medium

Trust relationships 10 pts 8 objects ANSSIR22ATT&CKT1134.005D3FENDD3-DTP

T-SIDHistory

Reversible password encryption Medium

Anomalies 8 pts 4 objects ANSSIR44CIS16.xATT&CKT1555D3FENDD3-ANCI

A-Reversible

LAPS not deployed everywhere Medium

Privileged accounts 8 pts 134 objects ANSSIR39CIS4.xATT&CKT1078.003D3FENDD3-ANCI

P-LAPS

Admins outside 'Protected Users' Medium

Privileged accounts 8 pts 15 objects ANSSIR9CIS5.xATT&CKT1078.002D3FENDD3-ANCI

P-Protected

Weak password policy Medium

Anomalies 8 pts 1 objects ANSSIR31CIS5.2ATT&CKT1110D3FENDD3-SPP

A-PwPolicyWeak

Passwords set to never expire Medium

Stale objects 8 pts 84 objects ANSSIR31CIS5.2ATT&CKT1078D3FENDD3-ANCI

S-PwdNeverExpires

Default ms-DS-MachineAccountQuota Medium

Anomalies 8 pts 1 objects ANSSIR23ATT&CKT1136.002D3FENDD3-ANCI

A-MachineQuota

Inactive computers Low

Stale objects 6 pts 44 objects ANSSIR36CIS5.3ATT&CKT1078D3FENDD3-ANCI

S-Inactive-Computer

Old forest functional level Low

Anomalies 5 pts 1 objects ANSSIR12D3FENDD3-OSM

A-FunctionalLevel

Accounts restricted to DES encryption Low

Stale objects 4 pts 7 objects ANSSIR44CIS16.xATT&CKT1558D3FENDD3-ANCI

S-DesEnabled

Findings & security rules