
Security Assessment Report 13 03 2024 08 29 15


SECURITY ASSESSMENT REPORT

v 4.2.2312.5001 | Community
Note: A typical Active Directory is in a constant state of flux, with hundreds or even thousands of changes made each day. Purple Knight offers a helpful snapshot of your security posture, but it is no substitute for continuous monitoring of events taking place in your directory. To learn more about comprehensive, round-the-clock monitoring of all aspects of AD, click here.

SECURITY POSTURE OVERVIEW


This report summarizes the results of the security assessment performed in your hybrid identity environment on 13/03/2024 by Semperis’ Active Directory security assessment tool, Purple Knight. Depending on the environments selected for evaluation, the report includes the assessment results for an Active Directory forest, an Azure AD tenant, an Okta domain, or all three.

Active Directory forest: Purple Knight queried the Active Directory environment and ran a series of security indicator scripts against domains within the selected forest (see Appendix 1 – Domains list for a full list of the domains included in the assessment).

Azure AD tenant: Purple Knight queried the selected Azure AD tenant, focusing on some of the most common attack vectors that threat actors use to gain access to the Azure AD environment.

Okta identity platform: Purple Knight queried the selected Okta domain, checking for activities that may indicate unauthorized access attempts, suspicious behavior, or potential threats within the Okta infrastructure.

The report provides an overall security risk score as well as detailed results about each Indicator of Exposure (IOE) found. By uncovering security weaknesses, this assessment report provides valuable insight into the overall security posture across your hybrid identity environment and presents opportunities to minimize the attack surface and stay ahead of the ever-changing threat landscape.

View Appendix 1 - Domains list

ACTIVE DIRECTORY
Score: 34%
Forest: croix-rouge.asso.fr
No. of Domains: 2
Duration: 02:31:49.8351716
Run by: INTRANET\hounsounoua

Indicators
Evaluated: 105
Not selected: 0
IOEs found: 44
Passed: 61
Failed to run: 2
Not Relevant: 2
Canceled: 0

-1- ©2023 Semperis. All rights reserved.


CRITICAL IOEs FOUND

Certificate templates that allow requesters to specify a subjectAltName: This indicator checks if certificate templates are enabling reque…

Print spooler service is enabled on a DC: This indicator scans Domain Controllers for a running print spo…

Reversible passwords found in GPOs: This indicator looks in SYSVOL for GPOs that contain password…

SMBv1 is enabled on Domain Controllers: This indicator looks for domain controllers where SMBv1 proto…

Zerologon vulnerability: This indicator looks for security vulnerability to CVE-2020-147…

ADDITIONAL IOEs FOUND

NAME | PLATFORM | SEVERITY LEVEL
Abnormal Password Refresh | AD | Warning
Built-in domain Administrator account used within the last two weeks | AD | Warning
Certificate templates with 3 or more insecure configurations | AD | Warning
Changes to Pre-Windows 2000 Compatible Access Group membership | AD | Warning
Computer or user accounts with SPN that have unconstrained delegation | AD | Warning
Computers with password last set over 90 days ago | AD | Warning
Dangerous control paths expose certificate containers | AD | Warning
Dangerous control paths expose certificate templates | AD | Warning
Dangerous GPO logon script path | AD | Warning
Dangerous user rights granted by GPO | AD | Warning
Domain trust to a third-party domain without quarantine | AD | Warning
Enabled admin accounts that are inactive | AD | Warning
GPO linking delegation at the AD Site level | AD | Warning
GPO linking delegation at the domain controller OU level | AD | Warning
Kerberos krbtgt account with old password | AD | Warning
LDAP signing is not required on Domain Controllers | AD | Warning
NTFRS SYSVOL Replication | AD | Warning
Operators Groups that are not empty | AD | Warning
Primary users with SPN not supporting AES encryption on Kerberos | AD | Warning
Privileged accounts with a password that never expires | AD | Warning
Privileged users with SPN defined | AD | Warning
RC4 or DES encryption type are supported by Domain Controllers | AD | Warning
User accounts with password not required | AD | Warning
Users with Kerberos pre-authentication disabled | AD | Warning
Write access to RBCD on DC | AD | Warning
AD objects created within the last 10 days | AD | Informational
Admins with old passwords | AD | Informational
Built-in domain Administrator account with old password (180 days) | AD | Informational
Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days | AD | Informational
Changes to MS LAPS read permissions | AD | Informational
Computers with older OS versions | AD | Informational
gMSA not in use | AD | Informational
Objects in privileged groups without adminCount=1 (SDProp) | AD | Informational
Privileged users that are disabled | AD | Informational
Protected Users group not in use | AD | Informational
Unprivileged accounts with adminCount=1 | AD | Informational
Users with old passwords | AD | Informational
Users with Password Never Expires flag set | AD | Informational
Users with SPN defined | AD | Informational

INDICATORS FAILED TO RUN

NAME | PLATFORM | SEVERITY LEVEL
Privileged Users with Weak Password Policy | AD | Critical
Writable shortcuts found in GPO | AD | Warning



Notes



ACTIVE DIRECTORY RESULTS

Categories

AD DELEGATION: A (99 %)
AD delegation is a critical part of security and compliance. By delegating control over Active Directory, you can grant users or groups permissions without adding users to privileged groups.

ACCOUNT SECURITY: C+ (88 %)
Account Security indicators pertain to security weaknesses on individual accounts, built-in or otherwise, within Active Directory.

AD INFRASTRUCTURE SECURITY: D- (51 %)
AD Infrastructure Security indicators pertain to the security configuration of core parts of AD's …

GROUP POLICY SECURITY: C (85 %)
Group Policy Security indicators pertain to the security configuration of GPOs and their …

KERBEROS SECURITY: B- (91 %)
Kerberos Security indicators pertain to the configuration of Kerberos capabilities on computer …

HYBRID: N/A
Hybrid indicators help you understand and mitigate the risks associated with a hybrid identity …



CATEGORY: AD DELEGATION
Score: A (99 %)
Weight: 3 | Evaluated indicators: 18 | Found: 3

AD delegation is a critical part of security and compliance. By delegating control over Active Directory, you can grant users or groups permissions without adding users to privileged groups.
SECURITY INDICATOR: Inheritance enabled on AdminSDHolder object
Status: Pass | Score: A+ (100 %)
Severity: Critical | Weight: 10

Security Frameworks
MITRE ATT&CK: Defense Evasion, Privilege Escalation

Description
This indicator checks for inheritance being enabled on the Access Control List (ACL) of the AdminSDHolder object, which could
indicate an attempt to modify permissions on privileged objects that are subject to AdminSDHolder (e.g. users or groups with
adminCount=1).

Likelihood of Compromise
Changes to the AdminSDHolder object are very rare. An admin should know that the change was made and be able to articulate
the reason for the change. If the change was not intentional, the likelihood of compromise is very high.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Permission changes on AdminSDHolder object
Status: Pass | Score: A+ (100 %)
Severity: Critical | Weight: 10

Security Frameworks
MITRE ATT&CK: Defense Evasion, Privilege Escalation
ANSSI: vuln1_permissions_adminsdholder, vuln1_privileged_members_perm

Description
This indicator looks for Access Control List (ACL) changes on the AdminSDHolder object, which could indicate an attempt to modify
permissions on privileged objects that are subject to AdminSDHolder (e.g. users or groups with adminCount=1).

Likelihood of Compromise
Changes to the AdminSDHolder object are very rare. An admin should know that the change was made and be able to articulate
the reason for the change. If the change was not intentional, the likelihood of compromise is very high.

Result
No evidence of exposure.

Remediation Steps
None



SECURITY INDICATOR: Changes to AD Display Specifiers in the past 90 days
Status: Pass | Score: A+ (100 %)
Severity: Informational | Weight: 3

Security Frameworks
MITRE ATT&CK: Execution, Defense Evasion

Description
This indicator looks for changes made in the past 90 days to the adminContextMenu attribute on AD display specifiers. This
attribute controls the right-click menus presented to users in the domain using MMC tools such as AD Users and Computers.
Modifying these attributes can potentially allow attackers to get users to run arbitrary code if those menu options are clicked.

Likelihood of Compromise
Attackers may utilize context menus as a stealthy way of getting various users in a domain to execute code. Modifying this attribute
requires special permissions granted by default only to Domain Admins and Enterprise Admins and also requires the user to click
on the illicit context menu item. See this blog post for additional information (see also this writeup).

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Changes to default security descriptor schema in the last 90 days
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK: Defense Evasion, Privilege Escalation
MITRE D3FEND: Detect - Domain Account Monitoring

Description
This indicator detects changes made to the default security descriptor schema in the last 90 days. If an attacker gets access to the
schema instance in a given forest, they can make changes to the defaultSecurityDescriptor attribute on any AD object class. These
changes would then propagate as new default Access Control Lists (ACLs) on any newly created object in AD, potentially weakening
AD security posture.

Likelihood of Compromise
Changes to the default security descriptor are not common. An admin should know that the change was made and be able to
articulate the reason for the change. If the change was not intentional, the likelihood of compromise is very high. The chances of
compromise are lower if the change hardens the setting instead of weakening it.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Domain Controller owner is not an administrator
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK: Credential Access, Privilege Escalation
MITRE D3FEND: Harden - System Configuration Permissions
ANSSI: vuln1_permissions_dc

Description
This indicator looks for Domain Controller computer accounts whose owner is not a Domain Admins, Enterprise Admins, or built-in
Administrator account.

Likelihood of Compromise
Control of DC machine accounts allows for an easy path to compromising the domain. While Domain Controller objects are
typically created during DCPromo by privileged accounts, if an accidental ownership change occurs on a DC object, it can have large
consequences for security of the domain, since object owners can change permissions on the object to perform any number of
actions.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Non-default access to DPAPI key
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK: Credential Access
MITRE D3FEND: Harden - User Account Permissions
ANSSI: vuln1_permissions_dpapi

Description
This indicator uses API calls to check whether each DC has non-default principals permitted to retrieve the domain DPAPI backup
key (using LsaRetrievePrivateData).

Likelihood of Compromise
An attacker could recover all domain data encrypted via DPAPI, if they gain access to such data.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Enterprise Key Admins with full access to domain
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK: Credential Access, Lateral Movement, Privilege Escalation
MITRE D3FEND: Harden - User Account Permissions
ANSSI: vuln2_adupdate_bad

Description
This indicator looks for evidence of a bug in certain versions of Windows Server 2016 Adprep that granted undue access to the
Enterprise Key Admins group.

Likelihood of Compromise
This issue was corrected in a subsequent release of Server 2016 and may not exist in your environment, but checking for it is
definitely warranted, since it grants this group the ability to replicate all changes from AD (DCSync Attack).

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Foreign Security Principals in Privileged Group
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 5

Security Frameworks
MITRE ATT&CK: Defense Evasion, Persistence
MITRE D3FEND: Detect - Domain Account Monitoring

Description
This indicator looks for members of privileged groups which are Foreign Security Principals. Special care should be taken when
including accounts from other domains as members of privileged groups.

Likelihood of Compromise
While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an
exposure in that they may be used nefariously without being detected. Since Foreign Security Principals do not have the
adminCount attribute, they could miss being detected by some security auditing tools. Additionally, an attacker may add a
privileged account and attempt to hide it using this method.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: gMSA not in use
Status: IOE Found | Score: C+ (88 %)
Severity: Informational | Weight: 4

Security Frameworks
MITRE ATT&CK: Credential Access

Description
This indicator checks if there are enabled group Managed Service Account (gMSA) objects in the domain. For more information on
gMSA see the Microsoft article: here.

Likelihood of Compromise
The group Managed Service Account (gMSA) feature in Windows Server 2016 allows automatic rotation of passwords for service
accounts, making them much more difficult for attackers to compromise. The feature should be used whenever possible for service
accounts.

Result
Found 2 domains with no gMSA objects enabled.



DomainName | Ignored
croix-rouge.asso.fr | False
intranet.croix-rouge.asso.fr | False
Showing 2 of 2

Remediation Steps
Group Managed Service Accounts should be used to protect service accounts. See description for more information.

SECURITY INDICATOR: Non-privileged users with access to gMSA passwords
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK: Credential Access

Description
This indicator looks for principals listed within MSDS-groupMSAmembership that are not in the built-in admin groups.

Likelihood of Compromise
An attacker that controls access to the gMSA account can retrieve passwords for resources managed with gMSA.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Built-in guest account is enabled
Status: Pass | Score: A+ (100 %)
Severity: Informational | Weight: 2

Security Frameworks
MITRE ATT&CK: Discovery, Reconnaissance
MITRE D3FEND: Evict - Account Locking
ANSSI: vuln2_guest

Description
This indicator checks if the built-in Active Directory "guest" account is enabled. The guest account allows access to the domain without a password and is disabled in most AD environments.

Likelihood of Compromise
Attackers can take advantage of a guest account to enumerate open shares that are accessible to the "Everyone" setting, as is often
the case. Additionally, attackers may utilize the limited access these accounts provide to conduct additional scanning for vulnerable
users, shares and other network resources.

Result
No evidence of exposure.

Remediation Steps
None



SECURITY INDICATOR: Users with permissions to set Server Trust Account
Status: Pass | Score: A+ (100 %)
Severity: Critical | Weight: 8

Security Frameworks
MITRE ATT&CK: Privilege Escalation

Description
Checks for permissions on the domain NC head that enable a user to set the Server_Trust_Account UAC flag on computer objects. This flag gives that computer object special permissions similar to those of a domain controller.

Likelihood of Compromise
In a persistence technique originally reported by Stealthbits researchers, an attacker who is able to seed authenticated user(s) with these permissions can use access to those users to "promote" any computer they control to Domain Controller status, enabling privilege escalation against AD services and credential access attacks such as DCSync. More information is available here.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Non default value on ms-Mcs-AdmPwd SearchFlags
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK: Credential Access

Description
Some flags on the ms-Mcs-AdmPwd schema attribute may inadvertently cause passwords to be visible to users, allowing an attacker to use them as a stealthy backdoor. This indicator looks for any changes to the default searchFlags, which may create an exposure. Detection of changes to the default will result in a score of 80 for this indicator, signifying that a review should be conducted. Any removal of the default flags will result in a score of 0 due to their importance to security.

Likelihood of Compromise
Even though schema changes are not common, a targeted schema change like this can leave the administrator passwords of 100s
or 1000s of computers vulnerable to non-privileged users.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Objects in privileged groups without adminCount=1 (SDProp)
Status: IOE Found | Score: B (94 %)
Severity: Informational | Weight: 4

Security Frameworks
MITRE ATT&CK: Defense Evasion, Persistence

Description
This indicator looks for objects in privileged groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1, it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)

Likelihood of Compromise
While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an
exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and
attempt to hide it using this method.

Result
Found 1 privileged user that does not have adminCount equal to 1.
UserDistinguishedName: CN=adm_matulicb,OU=Admin,DC=croix-rouge,DC=asso,DC=fr
GroupDistinguishedName: CN=Administrateurs de l'entreprise,CN=Users,DC=croix-rouge,DC=asso,DC=fr
UserAccountControl: 512 [NormalAccount]
Ignored: False
Showing 1 of 1

Remediation Steps
Set adminCount=1 and ensure that SDProp is working properly.

SECURITY INDICATOR: Changes to MS LAPS read permissions
Status: IOE Found | Score: F (0 %)
Severity: Informational | Weight: 3

Security Frameworks
MITRE ATT&CK: Credential Access, Lateral Movement
MITRE D3FEND: Harden - User Account Permissions

Description
This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in
environments that use the Microsoft LAPS solution (https://www.microsoft.com/en-us/download/details.aspx?id=46899). These
permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read
access). LAPS provides a method to rotate local administrator account passwords on servers and workstations.

Likelihood of Compromise
Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move
through a domain using local compromised administrator accounts.

Result
Found 2258 computers on which some normal users can read their LAPS password.



DistinguishedName: CN=P3693ET009,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_sidibeb DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=PRI4712ET001,OU=4712_POLE_SOLIDARITES_BRETAGNE,OU=Serveurs,OU=Bretagne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_rapint DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_bretagne GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=W4247ET137,OU=Ordinateurs,OU=PAS EVRY,OU=4247_Pole Accompagnement Des Familles,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_HocineT DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF_BTC GenericAll on: All Properties; INTRANET\Admin_IDF_Exclusion GenericAll on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=W1947ET017,OU=Ordinateurs,OU=1947_EHPAD_ROCHECHOUART,OU=Filiere Personnes agees,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_prevostm ExtendedRight, GenericRead on: All Properties; INTRANET\Admin_NA GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=PRI3632ET002,OU=3632_EEAP_BLAMONT,OU=Serveurs,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_maurerf DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Grand-Est DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Gran… GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=PRI2021ET014,OU=2021_EHPAD_ARGENTEUIL,OU=Serveurs,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_HocineT DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=P4151ET031,OU=Ordinateurs,OU=4151_EHPAD_NOTRE_MAISON,OU=Filiere Personnes agees,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_hanidz DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=PRI0000DC5003,OU=AWS,OU=PROD,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\GG0000_Admin_AD_EXPLOITA… ReadProperty, ExtendedRight on: ms-mcs-admpwd

DistinguishedName: CN=W1877ET010,OU=Ordinateurs,OU=1877_ESAT_LES_ECHELLES,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_abdeddaimr DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_RA-Auvergne_Handicap GenericAll on: All Properties; INTRANET\Admin_RA-Auvergn… GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

DistinguishedName: CN=P1886ET015,OU=Ordinateurs,OU=1886_HDJ_ETINCELLE,OU=Filiere Sanitaire,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr
Access: S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_sidibeb DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

Showing 10 of 2258



Remediation Steps
Ensure that there are no unnecessary principals who can read computer administrator account passwords via Extended Rights on
the ms-Mcs-AdmPwd attribute.

SECURITY INDICATOR: Non-default principals with DC Sync rights on the domain
Status: Pass | Score: A+ (100 %)
Severity: Critical | Weight: 8

Security Frameworks
MITRE ATT&CK: Credential Access
ANSSI: vuln1_permissions_naming_context

Description
Any security principals with Replicate Changes All and Replicate Directory Changes permissions on the domain naming context
object can potentially retrieve password hashes for any and all users in an AD domain ("DCSync" attack). Additionally, Write DACL /
Owner also allows assignment of these privileges. This can then lead to all kinds of credential-theft based attacks, including Golden
and Silver Ticket attacks.

Likelihood of Compromise
DCSync is the attack that abuses these replication rights to access credentials. If an attacker gets hold of these privileges, retrieving credential material for any user in the domain with tools like Mimikatz is straightforward.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR: Privileged objects with unprivileged owners
Status: Pass | Score: A+ (100 %)
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK: Privilege Escalation
ANSSI: vuln1_permissions_adminsdholder

Description
If a privileged object (as determined by adminCount=1) is owned by an account that is unprivileged, then any compromise of that
unprivileged account could result in those privileged objects' delegation being modified, since owners can override any delegation
on an object, if only temporarily.

Likelihood of Compromise
Most privileged objects are owned by privileged groups or users. But if a privileged object were to be owned by an unprivileged
account, it could be easily taken over. And even though SDProp might correct any delegation done by an attacker who has
compromised an owner, the attacker could have up to 1 hour to perform any changes on the privileged object (e.g. group
membership changes or password changes) before SDProp corrects it.

Result
No evidence of exposure.

Remediation Steps
None



SECURITY INDICATOR: Unprivileged users can add computer accounts to the domain
Status: Pass | Score: A+ (100 %)
Severity: Informational | Weight: 3

Security Frameworks
MITRE ATT&CK: Credential Access, Lateral Movement

Description
This indicator checks for an AD configuration that allows unprivileged domain members to add computer accounts to the domain. By default, members of the Authenticated Users group can add up to 10 machine accounts to a domain. If the ms-DS-MachineAccountQuota attribute on the domain naming context head is not set to 0, regular users have this ability. The ability to do this confers certain rights on those created machine accounts that can be abused by a variety of Kerberos-based attacks. Note: this configuration may be enabled but already mitigated by GPO settings (User Right: "Add workstations to domain" configured with only high-privileged group(s)/account(s)) linked to the Domain Controllers OU, which are not checked by this indicator.

Likelihood of Compromise
The ability to add computer accounts to a domain without restriction or monitoring presents opportunities for attackers to add their own accounts or to take advantage of uncontrolled computers with vulnerabilities, thereby extending their reach and entrenching themselves in the environment.

Result
No evidence of exposure.

Remediation Steps
None



CATEGORY: ACCOUNT SECURITY
Score: C+ (88 %)
Weight: 6 | Evaluated indicators: 29 | Found: 16

Account Security indicators pertain to security weaknesses on individual accounts, built-in or otherwise, within Active Directory.
SECURITY INDICATOR: Abnormal Password Refresh
Status: IOE Found | Score: F (0 %)
Severity: Warning | Weight: 5

Security Frameworks
MITRE ATT&CK: Credential Access, Persistence

Description
This indicator looks for user accounts with a recent pwdLastSet change without a corresponding password replication.

Likelihood of Compromise
If an administrator marks the option "User must change password at next logon" and then clears (i.e. unchecks) the option later,
the pwdLastSet is updated without the password actually being changed. This could be an administrative error or an attempt to
bypass the organization's password policy.

Result
Found 75 user(s) with a mismatch between pwdLastSet and unicodepwd. This could indicate an attempt to bypass the
organization's password policy.
DistinguishedName | SamAccountName | EventTimestamp | Ignored
CN=becavinc,OU=Utilisateurs,OU=1930_IME_RONDO,OU=Pole Handicap 78,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | becavinc | 05/03/2024 21:59:42 | False
CN=rakotosonj,OU=Utilisateurs,OU=PAF CRETEIL,OU=4247_Pole Accompagnement Des Familles,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | rakotosonj | 05/03/2024 19:52:05 | False
CN=appiahottukuasarg,OU=Utilisateurs,OU=2020_EHPAD_BEAUCHAIS,OU=Pole Gerontologique 95,OU=Filiere Personnes Agees,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | appiahottukuasarg | 05/03/2024 20:13:58 | False
CN=begous,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | begous | 05/03/2024 21:11:17 | False
CN=julianli,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | julianli | 05/03/2024 19:15:37 | False
CN=allardeta,OU=Utilisateurs,OU=3662_IRFSS_LIMOUSIN,OU=Filiere Formation,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | allardeta | 23/02/2024 07:57:11 | False
CN=foureurg,OU=Utilisateurs,OU=1830_IME_SOLN,OU=Filiere Handicap,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | foureurg | 05/03/2024 20:35:19 | False
CN=FeuillatreC,OU=Utilisateurs,OU=1928_EHPAD_STEPHANIE,OU=Pole Gerontologique 78,OU=Filiere Personnes Agees,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | FeuillatreC | 05/03/2024 20:10:16 | False
CN=arnoultj,OU=Utilisateurs,OU=1777_IDE75,OU=Pole Paris,OU=Filiere Formation,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | arnoultj | 05/03/2024 20:01:48 | False
CN=brahama,OU=Utilisateurs,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | brahama | 05/03/2024 22:25:21 | False
Showing 10 of 75

Remediation Steps
Ensure that users change their password at least once every 6 months.



SECURITY INDICATOR: Built-in domain Administrator account with old password (180 days)
Status: IOE Found | Score: C+ (88 %)
Severity: Informational | Weight: 4

Security Frameworks
MITRE ATT&CK: Credential Access
MITRE D3FEND: Harden - Strong Password Policy
ANSSI: vuln1_password_change_priv

Description
This indicator checks to see if the pwdLastSet attribute on the built-in Domain Administrator account has been changed within the
last 180 days.

Likelihood of Compromise
If the password for the built-in Domain Administrator account is not being changed on a regular basis, this account can be
vulnerable to brute force password attacks.

Result
Found 2 domains whose administrator's password has not changed in the last 180 days.
pwdLastSet AttributeLastChange DistinguishedName DaysSinceLastChange SamAccountName Ignored
18/10/2022 10:07:41 18/10/2022 10:07:41 CN=Administrateur,CN=Users,DC=croix-rouge,DC=asso,DC=fr 511 Administrateur False
18/10/2022 10:07:06 18/10/2022 10:07:06 CN=Administrateur,OU=Admin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr 511 Administrateur False
Showing 2 of 2

Remediation Steps
Ensure that the built-in domain Administrator account password is changed at least twice per year.

MITRE D3fend based on the reference: NIST.SP.800-63-3

SECURITY INDICATOR
B-
Built-in domain Administrator account used within the last two weeks IOE Found
91 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Detect - Credential Compromise Scope Analysis
Harden - Strong Password Policy

Description
The Domain Administrator account should only be used for initial build activities and, when necessary, disaster recovery. This
indicator checks to see if the lastLogonTimestamp for the built-in Domain Administrator account has been updated within the last
two weeks. If so, it could indicate that the account has been compromised.

Likelihood of Compromise
If best practices are followed and the built-in Domain Administrator account is not used, any use of it would indicate a compromise.
Ensure any logins to the built-in Domain Administrator account are legitimate and accounted for. If they cannot be accounted for, a
breach is likely and should be investigated.

Result
Found 1 domain in which the built-in administrator account was used recently.
DistinguishedName EventTimestamp Ignored
CN=Administrateur,OU=Admin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr 08/03/2024 13:30:00 False
Showing 1 of 1

Remediation Steps
Ensure that the built-in domain Administrator account is not used regularly and has a complex password known only to highly
privileged admins.

SECURITY INDICATOR
A+
Computer Accounts in Privileged Groups Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Privilege Escalation

Description
This indicator looks for computer accounts that are members of built-in privileged groups.

Likelihood of Compromise
If a computer account is a member of a domain privileged group, then anyone that compromises that computer account (i.e.
becomes administrator) can act as a member of that group. Generally speaking, there is little reason for normal computer accounts
to be part of privileged groups.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
C
Privileged users that are disabled IOE Found
81 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Harden - User Account Permissions

Description
This indicator looks for privileged user accounts, as indicated by their adminCount attribute set to 1, that are disabled. If a
privileged account is disabled, it should be removed from its privileged group(s) to prevent inadvertent misuse.

Likelihood of Compromise
When a user account is disabled, it tends not to be monitored as closely as active accounts. If that account is also privileged, it
becomes a target for takeover if an attacker can re-enable it.

Result
Found 5 disabled users with adminCount attribute equal to 1.
DistinguishedName SamAccountName EventTimestamp Ignored
CN=Nivolisator,CN=Users,DC=croix-rouge,DC=asso,DC=fr Nivolisator 17/01/2023 14:04:28 False
CN=dccontact,CN=Users,DC=croix-rouge,DC=asso,DC=fr dccontact 18/08/2022 15:14:30 False
CN=Svc_dex_ad,CN=Users,DC=croix-rouge,DC=asso,DC=fr Svc_dex_ad 30/08/2022 08:47:37 False
CN=Adm_matulicb,OU=Utilisateurs,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Adm_matulicb 21/02/2024 17:32:27 False
CN=Adm_GremaudO,OU=Utilisateurs,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Adm_GremaudO 02/10/2023 13:03:15 False
Showing 5 of 5

Remediation Steps
Ensure that privileged groups have only necessary users as members.

SECURITY INDICATOR
B
Enabled admin accounts that are inactive IOE Found
94 %

SEVERITY WEIGHT
Warning 4

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation
MITRE D3FEND
Evict - Account Locking
ANSSI
vuln1_user_accounts_dormant

Description
This indicator looks for admin accounts that are enabled, but have not logged in for the past 90 days. Attackers who can
compromise these accounts may be able to operate unnoticed.

Likelihood of Compromise
While the presence of an unused admin account is not automatically a problem, removing these accounts reduces the attack
surface of AD.

Result
Found 1 enabled user that has not logged in during the last 90 days.
SamAccountName DistinguishedName LastLogon Ignored
admin_markovica CN=Admin MarkovicA,OU=Admin,DC=croix-rouge,DC=asso,DC=fr 14/09/2023 19:04:08 False
Showing 1 of 1

Remediation Steps
Admin accounts that are not in use should be removed or disabled.

SECURITY INDICATOR
A+
Ephemeral Admins Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Persistence
MITRE D3FEND
Harden - User Account Permissions

Description
This indicator looks for users that were added to and removed from an admin group within a 48-hour span. Such short-lived admin
memberships may indicate malicious activity.

Likelihood of Compromise
In most environments, management of admin accounts is tightly controlled and audited. This indicator provides a fast method to
create a list of ephemeral admins for investigation and review.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
FGPP not applied to Group Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Persistence
Credential Access
MITRE D3FEND
Harden - Strong Password Policy

Description
This indicator looks for FGPP targeted to a Universal or Domain Local group.

Likelihood of Compromise
Changing a group's scope from Global to Universal or Domain Local results in FGPP settings no longer applying to that group,
weakening its password security controls.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Forest contains more than 50 privileged accounts Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Reconnaissance
ANSSI
vuln1_privileged_members

Description
This indicator counts the number of privileged user accounts defined in the forest, where 50 is deemed the upper limit for these
types of accounts. A privileged account is defined as any user with the AdminCount attribute set to 1.

Likelihood of Compromise
In general, the more privileged accounts you have, the more opportunities there are for attackers to compromise one of those
accounts. 50 is an arbitrary number, but the number should reflect the absolute maximum allowed. If business needs dictate many
privileged accounts, consider implementing a tiered administration model to further isolate those privileged accounts and their
potential impact from compromise.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
AD objects created within the last 10 days IOE Found
100 %

SEVERITY WEIGHT
Informational 1

Security Frameworks
MITRE ATT&CK
Lateral Movement
Persistence
MITRE D3FEND
Detect - Domain Account Monitoring

Description
This indicator looks for any AD objects that were created within the last 10 days. It is meant to be used for threat hunting,
post-breach investigation or compliance validation.

Likelihood of Compromise
In some environments, object creation happens consistently; however, recently added accounts should be reviewed to ensure they
are legitimate.

Result
Found 700 objects that were created in the last 10 days.
DistinguishedName ObjectClass Name EventTimestamp
DC=156.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 156.226 04/03/2024 09:33:22
DC=171.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 171.226 04/03/2024 09:42:21
DC=169.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 169.226 04/03/2024 09:51:31
DC=192.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 192.226 04/03/2024 11:23:28
DC=212.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 212.226 04/03/2024 14:06:07
DC=220.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 220.226 04/03/2024 14:08:27
DC=238.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 238.226 05/03/2024 09:35:52
DC=242.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 242.226 05/03/2024 09:44:30
DC=243.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 243.226 05/03/2024 09:50:57
DC=246.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr dnsNode 246.226 05/03/2024 09:59:16
Showing 10 of 700

Remediation Steps
Ensure that the new objects are known and legitimate.
MITRE D3fend based on the reference: audit-user-account-management of Microsoft

SECURITY INDICATOR
A+
Recent privileged account creation activity Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Persistence
MITRE D3FEND
Detect - Domain Account Monitoring

Description
This indicator looks for any privileged users or groups that were created within the last month. Privileged accounts and groups are
defined by having their adminCount attribute set to 1.

Likelihood of Compromise
In most environments, creation of privileged accounts and groups is tightly controlled and audited. This indicator provides a fast
method to create a list of new privileged accounts (where adminCount = 1) for investigation and review.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
C-
Unprivileged accounts with adminCount=1 IOE Found
77 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Privilege Escalation

Description
This indicator looks for any users or groups that may have been under the control of SDProp (adminCount=1) but are no longer
members of privileged groups and should not be considered privileged.

Likelihood of Compromise
The most common scenario for this behavior is a user being moved from a privileged group to a non-privileged one without their
adminCount attribute being reset. While this is benign, it may cause issues for security controls that monitor privileged users and
reduces the overall hygiene of the environment. In rare cases, it might also be evidence of an attacker who attempted to cover their
tracks by removing a user they used for compromise.

Result
Found 6 objects with adminCount=1 that are not members of a privileged group.
DistinguishedName Type SamAccountName EventTimestamp Ignored
CN=Éditeurs de certificats,CN=Users,DC=croix-rouge,DC=asso,DC=fr group Éditeurs de certificats 06/09/2005 11:25:02 False
CN=PRR0000IN001,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr computer PRR0000IN001$ 26/08/2008 08:43:48 False
CN=svc_serviceNav_ad,OU=V30,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr user svc_serviceNav_ad 01/06/2023 09:40:38 False
CN=0001_svc_cohesity,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr user 0001_svc_cohesity 01/10/2022 17:32:15 False
CN=Adm_GremaudO,OU=Utilisateurs,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr user Adm_GremaudO 18/07/2019 10:12:43 False
CN=Éditeurs de certificats,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr group Éditeurs de certificats 06/09/2005 10:30:01 False
Showing 6 of 6

Remediation Steps
Remove the adminCount = 1 attribute from these users. Investigate unknown users with this attribute.

SECURITY INDICATOR
A+
Users and computers with non-default Primary Group IDs Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_primary_group_id_1000
vuln3_primary_group_id_nochange

Description
This indicator returns a list of users and computers whose Primary Group IDs (PGIDs) are not the defaults for domain users and
computers. Users created in the domain will have a default PGID of 513 (Domain Users) or 514 (Domain Guests) while computers
are 515 (Domain Computers), 516 (Domain Controllers), or 521 (RODC). The Primary Group ID is not automatically changed when
a user is moved to a different group (i.e. a user moved into Domain Admins will not be assigned PGID 512). This fact can be used to
hide users with privileges to systems that rely on PGID, while hiding the user from queries that rely on enumerating the member
attribute without the PGID. Additionally, group objects' member attribute will not list the user objects with PGID of those groups.

Likelihood of Compromise
Modifying the Primary Group ID is a stealthy way for an attacker to escalate privileges without triggering member attribute
auditing for group membership changes.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Users and computers without readable PGID Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Defense Evasion

Description
This indicator finds users and computers for whom it can't read the PGID. This may be due to the default permission of Read access
having been removed, which could indicate an attempt to hide the user (in combination with removal of the memberOf attribute).

Likelihood of Compromise
This can be used to hide users in certain groups (those not protected by SDProp).

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
Users with old passwords IOE Found
0 %

SEVERITY WEIGHT
Informational 2

Security Frameworks
MITRE ATT&CK
Credential Access
Persistence
MITRE D3FEND
Harden - Strong Password Policy

Description
This indicator looks for user accounts whose password has not changed in over 180 days. This could make these accounts ripe for
password guessing attacks.

Likelihood of Compromise
Stale passwords that aren't changed over a long period of time and are not supported by multi-factor authentication are ripe
targets for attackers. These present opportunities for attackers to move laterally through the environment or elevate privileges.

Result
The following 20491 users were returned. Note: users whose DaysSinceLastSet and ReplicationMetadata are both higher than 180
days have not changed their password in over 180 days. For users whose PwdLastSet is over 180 days but whose ReplicationMetadata
is N/A, permission was denied to read the metadata; these users may be using a smartcard for interactive logon instead of a
password, in which case it is acceptable that their password has not changed.

DistinguishedName SamAccountName PasswordLastSet DaysSinceLastSet Ignored
CN=TsInternetUser,CN=Users,DC=croix-rouge,DC=asso,DC=fr TsInternetUser 8356 False
CN=IWAM_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr IWAM_DCROOTEXCH 7522 False
CN=IUSR_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr IUSR_DCROOTEXCH 7522 False
CN=FSAVAG4MSE_CROIX-RO,CN=Users,DC=croix-rouge,DC=asso,DC=fr FSAVAG4MSE_CROIX-RO 7308 False
CN=VUSR_INTRAFF1,CN=Users,DC=croix-rouge,DC=asso,DC=fr VUSR_INTRAFF1 8222 False
CN=compte de connexion ftp,CN=Users,DC=croix-rouge,DC=asso,DC=fr ftpuser 7825 False
CN=FSAVAG4MSE,CN=Users,DC=croix-rouge,DC=asso,DC=fr FSAVAG4MSE 7949 False
CN=bugtracker,CN=Users,DC=croix-rouge,DC=asso,DC=fr bugtracker 4711 False
CN=HypAnnu,CN=Users,DC=croix-rouge,DC=asso,DC=fr HypAnnu 5033 False
CN=intranet,CN=Users,DC=croix-rouge,DC=asso,DC=fr intranetAD 4060 False
Showing 10 of 20491

Remediation Steps
Ensure that users change their password at least once every 6 months.
MITRE D3fend based on the reference: NIST.SP.800-63-3

SECURITY INDICATOR
C-
Admins with old passwords IOE Found
80 %

SEVERITY WEIGHT
Informational 2

Security Frameworks
MITRE ATT&CK
Discovery
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln1_password_change_priv

Description
This indicator looks for admin accounts whose password has not changed in over 180 days. This could make these accounts ripe for
password guessing attacks.

Likelihood of Compromise
An administrator account whose password hasn't changed in a while could be a target for attackers looking for privileged accounts
that can provide elevated access to the environment.

Result
The following 9 users were returned. Note: users whose DaysSinceLastSet and ReplicationMetadata are both higher than 180 days
have not changed their password in over 180 days. For users whose PwdLastSet is over 180 days but whose ReplicationMetadata is
N/A, permission was denied to read the metadata; these users may be using a smartcard for interactive logon instead of a
password, in which case it is acceptable that their password has not changed.

DistinguishedName SamAccountName PasswordLastSet DaysSinceLastSet ReplicationMetadata
CN=Admin KrcmarM,OU=Admin,DC=croix-rouge,DC=asso,DC=fr Admin_KrcmarM 31/01/2023 13:36:12 406 406
CN=Admin ChattaouiC,OU=Admin,DC=croix-rouge,DC=asso,DC=fr Admin_ChattaouiC 01/02/2023 11:44:11 405 405
CN=Admin MarkovicA,OU=Admin,DC=croix-rouge,DC=asso,DC=fr admin_markovica 03/04/2023 11:12:09 344 344
CN=Adm_KrcmarM,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Adm_KrcmarM 27/01/2023 09:33:59 411 411
CN=Adm_MarkovicA,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Adm_MarkovicA 15/02/2023 11:12:18 391 391
CN=Adm_ChattaouiC,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Adm_ChattaouiC 21/03/2023 13:53:36 357 357
CN=svc_serviceNav_ad,OU=V30,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr svc_serviceNav_ad 10/07/2023 13:15:33 246 246
CN=svc_serviceNav,OU=V30,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr svc_serviceNav 10/07/2023 13:14:21 246 246
CN=0001_svc_cohesity,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr 0001_svc_cohesity 14/01/2020 14:50:47 1519 1519
Showing 9 of 9

Remediation Steps
Ensure that users change their password at least once every 6 months.
MITRE D3fend based on the reference: NIST.SP.800-63-3

SECURITY INDICATOR
D-
Operators Groups that are not empty IOE Found
52 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Credential Access
MITRE D3FEND
Harden - User Account Permissions

Description
Operator groups (Account Operators, Server Operators, Backup Operators, Print Operators) can take indirect control of the
domain. These groups have write access to critical resources of the domain.

Likelihood of Compromise
Operator groups have write access to critical resources of the domain; attackers who gain membership in these groups can change,
modify and add critical domain resources.

Result
Found 4 members in Operator groups.
MemberDN OperatorGroupDN Domain Ignored
CN=Svc_dex_ad,CN=Users,DC=croix-rouge,DC=asso,DC=fr CN=Opérateurs de compte,CN=Builtin,DC=croix-rouge,DC=asso,DC=fr croix-rouge.asso.fr False
CN=Nivolisator,CN=Users,DC=croix-rouge,DC=asso,DC=fr CN=Opérateurs de compte,CN=Builtin,DC=croix-rouge,DC=asso,DC=fr croix-rouge.asso.fr False
CN=0001_svc_cohesity,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr CN=Opérateurs de sauvegarde,CN=Builtin,DC=croix-rouge,DC=asso,DC=fr croix-rouge.asso.fr False
CN=Nivolisator,CN=Users,DC=croix-rouge,DC=asso,DC=fr CN=Opérateurs de compte,CN=Builtin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr intranet.croix-rouge.asso.fr False
Showing 4 of 4

Remediation Steps
It is recommended that these groups be empty. Assign administrators to the Administrators group instead. Other accounts should be
given proper delegation rights over the OU or scope they manage.

SECURITY INDICATOR
C
Changes to Pre-Windows 2000 Compatible Access Group membership IOE Found
83 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Privilege Escalation

Description
This indicator looks for changes to the built-in group "Pre-Windows 2000 Compatible Access". This group grants read-only access
to Active Directory. For more information see the following Semperis blog entry.

Likelihood of Compromise
As part of a layered approach to security and to ensure that non-authenticated users cannot read Active Directory, it's best to
ensure this group does not contain the "Anonymous Logon" or "Everyone" groups.

Result
Found 2 objects in the Pre-Windows 2000 Compatible Access group.
Group distinguished name Member Operation EventTimestamp Ignored
CN=Accès compatible Pre-Windows 2000,CN=Builtin,DC=croix-rouge,DC=asso,DC=fr NT AUTHORITY\Authenticated Users Risky Member Added During Domain Creation 01/01/1601 01:00:00 False
CN=Accès compatible Pre-Windows 2000,CN=Builtin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr NT AUTHORITY\Authenticated Users Risky Member Added During Domain Creation 01/01/1601 01:00:00 False
Showing 2 of 2

Remediation Steps
Confirm that any addition or removals from Pre-Windows 2000 Compatible Access group are valid and properly accounted for.

SECURITY INDICATOR
A+
Changes to privileged group membership in the last 7 days Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Persistence

Description
This indicator looks for changes to the built-in privileged groups within the last 7 days, which could indicate attempts to escalate
privilege.

Likelihood of Compromise
Recent additions or deletions to privileged group members could be normal operational changes or could indicate attempts at
persistence or cleaning up of tracks after an attack (e.g. detection of temporary group membership changes).

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
Privileged Users with Weak Password Policy Failed To Run
N/A
SEVERITY WEIGHT
Critical 8

Security Frameworks
MITRE ATT&CK
Discovery
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln2_privileged_members_password

Description
This indicator looks for privileged users in each domain that don't have a strong password policy enforced, according to the ANSSI
framework. It checks both FGPP (Fine-Grained Password Policy) and the password policy applied to the domain. A strong password
as defined by ANSSI is at least 8 characters long and updated no later than every 3 years.

Likelihood of Compromise
Weak passwords are easier to crack via brute-force attacks and can provide attackers with opportunities for moving laterally or
escalating privileges. The risk is even higher for privileged accounts: once compromised, they improve the attacker's chance of
quickly advancing within the network.

Result
DSP computer does not have sufficient permissions to access FGPP.

DistinguishedName PasswordPolicyDN Max Age Min Age
CN=0001_svc_cohesity,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr CN=Stratégie de mot de passe pour compte de service sensible,CN=Password Settings Container,CN=System,DC=intranet,DC=croix-rouge,DC=asso,DC=fr N/A N/A
CN=adm_geremyo,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr CN=Stratégie de mot de passe pour compte de service sensible,CN=Password Settings Container,CN=System,DC=intranet,DC=croix-rouge,DC=asso,DC=fr N/A N/A
CN=svc_serviceNav,OU=V30,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr CN=Stratégie de mot de passe pour compte de service sensible,CN=Password Settings Container,CN=System,DC=intranet,DC=croix-rouge,DC=asso,DC=fr N/A N/A
Showing 3 of 3

Remediation Steps
Allow the DSP computer object to read the FGPP policy container and its child objects.

SECURITY INDICATOR
C-
Protected Users group not in use IOE Found
79 %

SEVERITY WEIGHT
Informational 1

Security Frameworks
MITRE ATT&CK
Credential Access
ANSSI
vuln3_protected_users

Description
The Protected Users group was introduced in Windows Server 2012 R2 Active Directory to minimize credential exposure for privileged
accounts. Users in the Protected Users group are more secure when authenticating to Windows resources: clear-text passwords are
no longer cached, even when Windows Digest is enabled; NTLM no longer caches clear-text passwords; and Kerberos no longer creates
DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM
(Kerberos only), cannot use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained
delegation.

Likelihood of Compromise
The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all
privileged users are members of the Protected Users group. For more information, see
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group.

Result
Found 21 privileged users that are not members of the Protected Users group.
DistinguishedName SamAccountName Enabled Ignored
CN=Administrateur,CN=Users,DC=croix-rouge,DC=asso,DC=fr Administrateur True False
CN=Nivolisator,CN=Users,DC=croix-rouge,DC=asso,DC=fr Nivolisator False False
CN=dccontact,CN=Users,DC=croix-rouge,DC=asso,DC=fr dccontact False False
CN=Svc_dex_ad,CN=Users,DC=croix-rouge,DC=asso,DC=fr Svc_dex_ad False False
CN=adm SaintyvesG,OU=Admin,DC=croix-rouge,DC=asso,DC=fr adm_saintyvesg True False
CN=Admin KrcmarM,OU=Admin,DC=croix-rouge,DC=asso,DC=fr Admin_KrcmarM True False
CN=Admin ChattaouiC,OU=Admin,DC=croix-rouge,DC=asso,DC=fr Admin_ChattaouiC True False
CN=Admin MarkovicA,OU=Admin,DC=croix-rouge,DC=asso,DC=fr admin_markovica True False
CN=Administrateur,OU=Admin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Administrateur True False
CN=Admin_SaintyvesG,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr Admin_SaintyvesG True False
Showing 10 of 21

Remediation Steps
Ensure that all privileged users are members of the Protected Users group. If using a pre-2012 R2 schema, the Protected Users
group does not exist. This is still an exposure, and the remediation is to upgrade the schema.

SECURITY INDICATOR
A+
Recent sIDHistory changes on objects Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln2_sidhistory_dangerous

Description
This indicator detects any recent changes to sIDHistory on objects, including changes to non-privileged accounts where privileged
SIDs are added.

Likelihood of Compromise
Attackers need privileged access to AD to be able to write to sIDHistory, but if such rights exist then writing privileged SIDs to
regular user accounts is a stealthy way of creating backdoor accounts.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Trust accounts with old passwords Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Initial Access
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln2_trusts_accounts

Description
This indicator looks for trust accounts whose password has not changed within the last year. This could mean that a trust
relationship was removed but its corresponding trust account wasn't cleaned up.

Likelihood of Compromise
Trust accounts facilitate authentication across trusts. As such they should be protected just like privileged user accounts. Normally
trust account passwords are rotated automatically so a trust account without a recent password change could indicate an orphaned
trust account.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Unprivileged principals as DNS Admins Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Execution
Privilege Escalation
ANSSI
vuln1_permissions_msdns
vuln1_dnsadmins

Description
This indicator looks for any member of the DnsAdmins group that is not a privileged user. DnsAdmins itself is not considered a
privileged group and is not protected by the AdminSDHolder SDProp mechanism. However, as some research has shown, a member
of this group can remotely load a DLL onto a domain controller running DNS and execute code as SYSTEM.

Likelihood of Compromise
Administration of DNS is often delegated to non-AD administrators (i.e., administrators with job responsibilities in networking, DNS,
DHCP, etc.). These administration accounts may not have the same security controls as the AD administrator accounts, making
them prime targets for compromise. For more information on how DNS admins can abuse privileges see this blog post.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
User accounts that use DES encryption Pass
100 %

SEVERITY WEIGHT
Informational 4

Security Frameworks
MITRE ATT&CK
Credential Access
ANSSI
vuln2_kerberos_properties_deskey

Description
This indicator identifies user accounts with the "Use Kerberos DES encryption types for this account" flag set. DES is an older cipher
with a 56-bit key length that is relatively easy to crack. The only legitimate use for this flag is to support older systems and
environments that only support DES.

Likelihood of Compromise
Attackers can easily crack DES passwords using widely available tools, making these accounts ripe for takeover.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
Users with Password Never Expires flag set IOE Found
0 %

SEVERITY WEIGHT
Informational 1

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln2_dont_expire

Description
This indicator identifies user accounts where the Password Never Expires flag is set. These accounts can be targets for brute force
password attacks, given that their passwords may not be strong when they were set. These accounts also tend to be service
accounts with privileged access to applications and services, including Kerberos-based services.

Likelihood of Compromise
Passwords that never expire may be weak and easier to crack. These credentials can provide attackers opportunities for moving
laterally or escalating privileges.

Result
Found 9463 users whose password never expires.
DistinguishedName SamAccountName PasswordLastSet ServicePrincipalName Ignored
CN=compte de connexion ftp,CN=Users,DC=croix-rouge,DC=asso,DC=fr ftpuser 09/10/2002 09:02:12 False
CN=bugtracker,CN=Users,DC=croix-rouge,DC=asso,DC=fr bugtracker 19/04/2011 08:50:15 False
CN=HypAnnu,CN=Users,DC=croix-rouge,DC=asso,DC=fr HypAnnu 01/06/2010 09:34:32 False
CN=intranet,CN=Users,DC=croix-rouge,DC=asso,DC=fr intranetAD 29/01/2013 12:40:22 False
CN=cegi,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr cegi 07/01/2014 13:29:51 False
CN=cegifirst,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr cegifirst 21/05/2014 13:53:50 False
CN=svc_normea,CN=Users,DC=croix-rouge,DC=asso,DC=fr svc_normea 11/04/2014 13:16:27 False
CN=ezzianen,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr ezzianen 27/06/2014 09:41:14 False
CN=dufouro,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr dufouro 27/06/2014 09:40:39 False
CN=bonnefoyn,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr bonnefoyn 27/06/2014 09:38:28 False
Showing 10 of 9463

Remediation Steps
Move any user accounts away from Password Never Expires by having a good password rotation scheme, and ensure any accounts
that require this flag have the least privileges required. If this is a service account, consider using Group Managed Service
Accounts (gMSA).
MITRE D3fend based on the reference: NIST.SP.800-63-3

SECURITY INDICATOR
Privileged accounts with a password that never expires
Score: F (39 %) | Status: IOE Found
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln1_dont_expire_priv

Description
This indicator identifies privileged accounts (adminCount attribute set to 1) where the Password Never Expires flag is set.

Likelihood of Compromise
User accounts whose passwords never expire are ripe targets for brute force password guessing. If these users are also
administrative or privileged accounts, this makes them even more of a target.

Result
Found 5 users with password never expires.
DistinguishedName | SamAccountName | PasswordLastSet | ServicePrincipalName | Ignored
CN=Admin KrcmarM,OU=Admin,DC=croix-rouge,DC=asso,DC=fr | Admin_KrcmarM | 31/01/2023 13:36:12 | | False
CN=Admin ChattaouiC,OU=Admin,DC=croix-rouge,DC=asso,DC=fr | Admin_ChattaouiC | 01/02/2023 11:44:11 | | False
CN=Adm_KrcmarM,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_KrcmarM | 27/01/2023 09:33:59 | | False
CN=Adm_MarkovicA,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_MarkovicA | 15/02/2023 11:12:18 | | False
CN=Adm_ChattaouiC,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_ChattaouiC | 21/03/2023 13:53:36 | | False
Showing 5 of 5

Remediation Steps
Enforce that users with privileged access must change their passwords on a regular basis and ensure that those passwords are
complex and ideally require MFA to authenticate.
MITRE D3fend based on the reference: NIST.SP.800-63-3

SECURITY INDICATOR
User accounts with password not required
Score: F (0 %) | Status: IOE Found
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK
Lateral Movement
MITRE D3FEND
Harden - Strong Password Policy

Description
This indicator identifies user accounts where a password is not required.

Likelihood of Compromise
Accounts with weak access controls are often targeted by attackers seeking to move laterally or gain a persistent foothold within
the environment.

Result
Found 5635 users with the PASSWD_NOTREQD flag set in their userAccountControl value.
DistinguishedName | SamAccountName | UserAccountControl | ManagedBy | LastModified | CreatedTime | Ignored
CN=TsInternetUser,CN=Users,DC=croix-rouge,DC=asso,DC=fr | TsInternetUser | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 25/08/2020 17:07:15 | 26/04/2001 17:07:12 | False
CN=IWAM_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr | IWAM_DCROOTEXCH | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 25/08/2020 17:07:15 | 08/08/2003 14:42:40 | False
CN=IUSR_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr | IUSR_DCROOTEXCH | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 25/08/2020 17:07:15 | 08/08/2003 14:43:20 | False
CN=FSAVAG4MSE_CROIX-RO,CN=Users,DC=croix-rouge,DC=asso,DC=fr | FSAVAG4MSE_CROIX-RO | 544 [PasswordNotRequired, NormalAccount] | | 21/06/2022 19:51:45 | 09/03/2004 13:44:01 | False
CN=VUSR_INTRAFF1,CN=Users,DC=croix-rouge,DC=asso,DC=fr | VUSR_INTRAFF1 | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 25/08/2020 17:07:15 | 07/09/2001 09:44:50 | False
CN=FSAVAG4MSE,CN=Users,DC=croix-rouge,DC=asso,DC=fr | FSAVAG4MSE | 544 [PasswordNotRequired, NormalAccount] | | 25/08/2020 17:07:15 | 07/06/2002 12:29:22 | False
CN=IWAM_DC1AUTH,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IWAM_DC1AUTH | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 05/08/2003 17:31:12 | False
CN=IUSR_DC1AUTH,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IUSR_DC1AUTH | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 05/08/2003 17:31:12 | False
CN=TsInternetUser,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | TsInternetUser | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 05/08/2003 17:31:12 | False
CN=IWAM_INTRAFF1,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IWAM_INTRAFF1 | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 06/08/2003 15:11:31 | False
Showing 10 of 5635

Remediation Steps
This flag represents a potential weakness in user accounts, which if left in place, could make these accounts targets of takeover
attacks. If the flag is required, ensure that these accounts have the least privileges possible.
MITRE D3fend based on the reference: NIST.SP.800-63-3

SECURITY INDICATOR
User accounts that store passwords with reversible encryption
Score: A+ (100 %) | Status: Pass
Severity: Informational | Weight: 4

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln3_reversible_password

Description
This indicator looks for user accounts with the ENCRYPTED_TEXT_PWD_ALLOWED flag enabled. The secure way of storing
passwords is to use one-way encryption, where it is computationally infeasible to derive the original password from the
stored value. This setting instead encrypts the password in a way that allows the original to be recovered. It is used when an
application or service relies on authentication protocols that require the original password, e.g. CHAP or IAS.

Likelihood of Compromise
Attackers may be able to derive these users' passwords from the ciphertext and take over these accounts.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
Users with Kerberos pre-authentication disabled
Score: B- (91 %) | Status: IOE Found
Severity: Warning | Weight: 5

Security Frameworks
MITRE ATT&CK
Credential Access
ANSSI
vuln1_kerberos_properties_preauth_priv
vuln2_kerberos_properties_preauth

Description
This indicator identifies users with Kerberos pre-authentication disabled, which exposes them to potential AS-REP Roasting attacks
(a technique related to 'Kerberoasting'). Please refer to this resource:
https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx

Likelihood of Compromise
If an account has Kerberos pre-authentication disabled, it is easier for attackers to send dummy requests to a DC and try to
crack its Ticket Granting Ticket (TGT).

Result
Found 1 user with pre-authentication disabled.
DistinguishedName | Ignored
CN=dumontap,OU=Utilisateurs,OU=Direction des Metiers Sanitaires Sociaux et Medicosociaux,OU=SIEGE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | False
Showing 1 of 1

Remediation Steps
Ensure that pre-authentication is enabled on all users if possible; if not possible, consider reducing their privileges instead.

CATEGORY
AD INFRASTRUCTURE SECURITY
Score: D- (51 %)
Weight: 7 | Evaluated: 31 | Indicators found: 12
AD Infrastructure Security indicators pertain to the security configuration of core parts of AD's own infrastructure.

SECURITY INDICATOR
Anonymous access to Active Directory enabled
Score: A+ (100 %) | Status: Pass
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK
Defense Evasion
Initial Access
Persistence
Privilege Escalation
MITRE D3FEND
Harden - User Account Permissions
ANSSI
vuln2_compatible_2000_anonymous

Description
It is possible, though not recommended, to enable anonymous access to AD. This indicator looks for the presence of the flag that
enables anonymous access. Anonymous access would allow unauthenticated users to query AD.

Likelihood of Compromise
Anonymous access to Active Directory allows an attacker to enumerate accounts and perform attacks like password spray, as well
as to enumerate the domain to gather information that can model attack paths. This is a significant risk as the complexity of AD
often presents many opportunities for attackers and anonymous access allows them an easy way to find such opportunities.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
Anonymous NSPI access to AD enabled
Score: A+ (100 %) | Status: Pass
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK
Initial Access
MITRE D3FEND
Harden - User Account Permissions
ANSSI
vuln1_dsheuristics_bad

Description
Anonymous name service provider interface (NSPI) access on AD is a feature that allows anonymous RPC-based binds to AD. This
indicator detects when NSPI access is enabled.

Likelihood of Compromise
Anonymous NSPI access is rarely ever enabled, so if you find it enabled, this should be a cause for concern.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
Dangerous control paths expose certificate containers
Score: C (82 %) | Status: IOE Found
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Harden - Credential Transmission Scoping
ANSSI
vuln1_adcs_control

Description
This indicator looks for non-default principals with permissions on the NTAuthCertificates container. This container holds the
intermediate CA certificates that can be used to authenticate to AD.

Likelihood of Compromise
These control paths allow adding a malicious certificate authority, which allows an attacker to authenticate as arbitrary users or
services.

Result
Found 1 principal with non-default permissions on the NTAuthCertificates object.
DistinguishedName | Identity | Access | EventTimestamp | Ignored
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Éditeurs de certificats | Allow: GenericAll on: All Properties | 28/11/2005 10:25:24 | False
Showing 1 of 1

Remediation Steps
Unprivileged users should not have permissions on the NTAuthCertificates container. Such permissions potentially give them the
ability to escalate their access and make the domain trust a rogue CA. Remove unnecessary permissions from the object.

SECURITY INDICATOR
Certificate templates with 3 or more insecure configurations
Score: F (0 %) | Status: IOE Found
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation
MITRE D3FEND
Detect - Certificate Analysis
ANSSI
vuln1_adcs_template_auth_enroll_with_name

Description
This indicator checks whether certificate templates in the forest have at least three of the following insecure configurations:
manager approval disabled, no authorized signatures required, SAN enabled, authentication EKU present.

Likelihood of Compromise
The following configurations of a certificate template can be exploited by adversaries:

1. Manager approval is disabled - new certificates are automatically approved if the user has the correct enrollment rights.
2. No authorized signatures are required - CSRs (Certificate Signing Requests) do not need to be signed by any existing authorized certificate.
3. SAN (Subject Alternative Name) enabled - the requester can specify the subjectAltName in the CSR and can therefore request a
certificate as anyone, even a domain admin.
4. Authentication EKU (Enhanced Key Usage) present - if present, a certificate issued from the template will allow the user to
authenticate with it.

Result
Found 12 certificate templates that can potentially be abused.
DistinguishedName | CertificateTemplateName | PotentialAbusableProblems | Published | Ignored
CN=CRF-AuthentificationKerberos-DC/RODC,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-AuthentificationKerberos-DC/RODC | no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=Horizon_Recette,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | Horizon_Recette | SAN Enabled, no Manager Approval needed, No Signatures needed | False | False
CN=CRF-ServeurWeb,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-ServeurWeb | SAN Enabled, no Manager Approval needed, No Signatures needed | True | False
CN=CRF-Secure,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Secure | no Manager Approval needed, No Signatures needed, Authentication EKU present | False | False
CN=CRF-ChromeBook,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-ChromeBook | SAN Enabled, no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=PALO_PROXY,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | PALO_PROXY | SAN Enabled, no Manager Approval needed, No Signatures needed | False | False
CN=«CRF8SSL_PROXY»,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | «CRF8SSL_PROXY» | SAN Enabled, no Manager Approval needed, No Signatures needed, Authentication EKU present | False | False
CN=CRF-vSphere7,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-vSphere7 | SAN Enabled, no Manager Approval needed, No Signatures needed | False | False
CN=CRF-Authentificationdeserveurmembre,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Authentificationdeserveurmembre | no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=CRF-Authentificationdestationdetravail,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Authentificationdestationdetravail | no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
Showing 10 of 12

Remediation Steps
Multiple actions can be taken to make certificate templates less vulnerable:
1. Manager approval disabled - make sure manager approval is enabled and required on the template, and approve each request
manually after inspecting it.
2. No authorized signatures required - set the number of required authorized signatures to 1 so that each request must be signed
by an authorized certificate.
3. SAN enabled - evaluate whether the certificate needs to specify a subjectAltName; if not, disable this option.
4. Authentication EKU present - make sure a template includes an authentication EKU only when it is actually used for
authentication. For example, a certificate that is solely used for code signing should not also be usable for authentication.
MITRE D3fend based on the reference: NIST-SP1800-16B

SECURITY INDICATOR
Dangerous control paths expose certificate templates
Score: F (0 %) | Status: IOE Found
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK
Credential Access
ANSSI
vuln1_adcs_template_control
MITRE D3FEND
Detect - Certificate Analysis

Description
This indicator looks for non-default principals with the ability to write properties on a certificate template.

Likelihood of Compromise
Controlling certificate templates allows one to have the certificate authority issue an arbitrary certificate. It becomes possible to
obtain a smartcard authentication certificate for any user, thus stealing their identity.

Result
Found 7 certificate templates on which unprivileged users can write properties.

DistinguishedName | Identity | Access | Ignored
CN=Horizon_Recette,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateur | Allow: CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner on: All Properties | False
CN=CRF-ServeurWeb,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | INTRANET\GG0000_DC_PKI_CERT_WEB | Allow: ReadProperty, WriteProperty, GenericExecute on: All Properties | False
CN=CRF-Secure,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateur | Allow: CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner on: All Properties | False
CN=PALO_PROXY,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateur | Allow: CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner on: All Properties | False
CN=«CRF8SSL_PROXY»,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateur | Allow: CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner on: All Properties | False
CN=CRF-Autoritédecertificationsecondaire,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | INTRANET\GG0000_DC_PKI_CERT_SECONDAIRE | Allow: ReadProperty, WriteProperty, GenericExecute on: All Properties | False
CN=Certificat_Global_2018,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateur | Allow: CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner on: All Properties | False
Showing 7 of 7

Remediation Steps
Unprivileged users should not be able to write properties on certificate templates. Doing so potentially gives them the ability to
escalate their access and create vulnerable certificates to enroll. Remove unnecessary permissions from the certificate template.

MITRE D3fend based on the reference: NIST-SP1800-16B

SECURITY INDICATOR
Certificate templates that allow requesters to specify a subjectAltName
Score: F (0 %) | Status: IOE Found
Severity: Critical | Weight: 8

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation
MITRE D3FEND
Detect - Certificate Analysis
ANSSI
vuln1_adcs_template_auth_enroll_with_name

Description
This indicator checks whether certificate templates allow requesters to specify a subjectAltName in the CSR.

Likelihood of Compromise
When certificate templates allow requesters to specify a subjectAltName in the CSR, they can request a certificate as anyone, for
example a domain admin. Combined with an authentication EKU present in the certificate template, this can become extremely
dangerous.

Result
Found 7 certificate templates that allow the requester to specify a subjectAltName in the CSR.
DistinguishedName | CertificateTemplateName | SANEnabled | CertificateCanBeUsedForAuthentication | Published | Ignored
CN=Horizon_Recette,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | Horizon_Recette | Requester can specify a subjectAltName | False | False | False
CN=CRF-ServeurWeb,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-ServeurWeb | Requester can specify a subjectAltName | False | True | False
CN=CRF-ChromeBook,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-ChromeBook | Requester can specify a subjectAltName | True | True | False
CN=PALO_PROXY,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | PALO_PROXY | Requester can specify a subjectAltName | False | False | False
CN=«CRF8SSL_PROXY»,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | «CRF8SSL_PROXY» | Requester can specify a subjectAltName | True | False | False
CN=CRF-vSphere7,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-vSphere7 | Requester can specify a subjectAltName | False | False | False
CN=CRF-Autoritédecertificationsecondaire,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Autoritédecertificationsecondaire | Requester can specify a subjectAltName | False | False | False
Showing 7 of 7

Remediation Steps
Ensure that when a SAN is allowed on a certificate template it is absolutely required, so that the certificate must specify a
subjectAltName. If it is not absolutely required, it should be disabled. This configuration can be viewed under the "Supply in
request" option in the "Subject Name" tab in certtmpl.msc. When an authentication EKU is also present on the certificate template
this becomes very dangerous and action should be taken to disable SAN on it.

MITRE D3fend based on the reference: NIST-SP1800-16B

SECURITY INDICATOR
Computers with older OS versions
Score: F (0 %) | Status: IOE Found
Severity: Informational | Weight: 4

Security Frameworks
MITRE ATT&CK
Lateral Movement
Persistence
MITRE D3FEND
Harden - Software Update

Description
This indicator looks for machine accounts that are running versions of Windows older than Windows Server 2012 R2 and Windows 8.1.

Likelihood of Compromise
Computers running older and unsupported OS versions could be targeted with known or unpatched exploits.

Result
Found 2949 computers in the organization that are running an obsolete OS.
DistinguishedName | LastLogonTimeStamp | PasswordLastSet | OperatingSystem | Active | Enabled | EventTimestamp | Ignored
CN=PRR0000IN006,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 29/09/2021 12:50:12 | 23/09/2021 03:59:12 | Windows Server 2008 R2 Entreprise | False | False | 11/06/2013 15:26:40 | False
CN=PRR0000IN001,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 07/07/2014 13:25:23 | 18/06/2014 18:28:41 | Windows Server 2003 | False | False | 25/02/2008 09:28:28 | False
CN=PRR0000IN012,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 11/10/2012 16:30:41 | 17/10/2012 16:18:40 | Windows Server 2003 | False | False | 09/12/2008 10:44:27 | False
CN=REC0001IN016,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 14/01/2019 23:15:38 | 15/01/2019 03:39:12 | Windows Server 2008 R2 Entreprise | False | False | 17/11/2017 15:41:03 | False
CN=PRR0000IN010,OU=ARCHIVE-S3,OU=Serveurs,DC=croix-rouge,DC=asso,DC=fr | 28/04/2021 23:09:56 | 17/04/2021 23:20:11 | Windows Server 2008 R2 Entreprise | False | False | 14/02/2012 09:55:59 | False
CN=PRR0000IN007,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 20/06/2020 10:52:22 | 16/06/2020 18:40:40 | Windows Server 2008 R2 Entreprise | False | False | 21/06/2013 09:53:27 | False
CN=SAAS-CRXROUGE,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 15/04/2023 12:00:57 | 31/03/2023 18:44:17 | Windows Server 2008 R2 Standard | False | False | 13/09/2013 09:24:08 | False
CN=SAAS-CRXROUGET,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 18/03/2023 20:00:56 | 19/02/2023 03:15:25 | Windows Server 2008 R2 Standard | False | False | 30/07/2013 08:24:44 | False
CN=NAAS-CRXROUGE,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 06/06/2022 12:01:11 | 01/06/2022 21:11:50 | Windows Server 2008 R2 Standard | False | False | 17/06/2014 14:08:40 | False
CN=NAAS-CRXROUGET,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 10/01/2022 12:17:18 | 10/01/2022 06:28:31 | Windows Server 2008 R2 Standard | False | False | 26/05/2014 14:57:11 | False
Showing 10 of 2949

Remediation Steps
Where possible, update servers and workstations to later versions with better security features.

SECURITY INDICATOR
Computers with password last set over 90 days ago
Score: F (0 %) | Status: IOE Found
Severity: Warning | Weight: 6

Security Frameworks
MITRE ATT&CK
Credential Access

MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln2_password_change_server_no_change_90

Description
This indicator looks for computer accounts that have not rotated their passwords in the last 90 days. These passwords should be
changed automatically every 30 days by default.

Likelihood of Compromise
Computer accounts should automatically rotate their passwords every 30 days as they are prime targets for attackers. Objects that
are not doing this could show evidence of tampering.

Result
Found 1753 computers whose password has not changed in the last 90 days.
DistinguishedName | PasswordLastSet | DaysSinceLastSet | Active | LastLogonTime
CN=PRR0000IN015,OU=Serveurs,DC=croix-rouge,DC=asso,DC=fr | 06/11/2021 07:33:26 | 858 | False | 31/10/2021 22:15:02
CN=PRI0000DC180,OU=REBOND_BASTION,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 15/12/2022 03:59:41 | 454 | False | 03/01/2023 02:29:20
CN=P1744ET011,OU=Ordinateurs,OU=1744_IRFSS_ST_ETIENNE,OU=Filiere Formation,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 24/07/2022 14:43:16 | 597 | True | 30/01/2024 15:38:54
CN=P1823ET024,OU=Ordinateurs,OU=1823_ESAT_BEAUCHASTEL,OU=POLE_BEAUCHASTEL,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 22/06/2020 11:23:12 | 1359 | False | 15/06/2020 13:26:15
CN=P1823ET012,OU=Ordinateurs,OU=1823_ESAT_BEAUCHASTEL,OU=POLE_BEAUCHASTEL,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 10/03/2023 07:36:05 | 369 | False | 20/03/2023 08:22:09
CN=P1814ET008,OU=Ordinateurs,OU=1814_CADA_DIJON,OU=Filiere Exclusion,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 15/05/2023 06:48:10 | 303 | False | 13/09/2023 14:02:18
CN=W2168ET003,OU=Ordinateurs,OU=2168_POLE_POLYHANDICAP_SESSAD,OU=Filiere Handicap,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 26/09/2023 07:05:25 | 169 | False | 26/09/2023 09:05:07
CN=P3618ET002,OU=Ordinateurs,OU=3618_POLE_POLYHANDICAP_MAS,OU=Filiere Handicap,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 14/06/2021 09:31:01 | 1002 | False | 20/09/2023 12:44:08
CN=W1811ET016,OU=Ordinateurs,OU=1811_POLE_POLYHANDICAP_EEAP,OU=Filiere Handicap,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 20/08/2018 07:08:43 | 2032 | False | 21/08/2023 09:13:44
CN=W1852ET026,OU=Ordinateurs,OU=1852_IME_STJANS,OU=Filiere Handicap,OU=Structures,OU=Hauts-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 08/01/2021 07:42:26 | 1160 | False | 16/01/2024 13:39:20
Showing 10 of 1753

Remediation Steps
Computers should change their passwords every 30 days; why these did not should be investigated. Some suggestions to prevent
this in the future:
Password Rotation: For each affected computer, initiate a manual password rotation. Ensure that the new passwords are strong
and comply with your organization's password policy.
Automated Password Rotation: Implement an automated password rotation solution or policy that aligns with industry best
practices. Passwords should ideally be rotated every 30 days or according to your organization's security policies.
Review Password Policies: Evaluate your organization's password policies to ensure they enforce regular password rotation.
Adjust these policies as needed to meet your security requirements.

Note: The 'Active' column shows if the account was active in the past 45 days.

SECURITY INDICATOR
Domain controllers with old passwords
Score: A+ (100 %) | Status: Pass
Severity: Informational | Weight: 3

Security Frameworks
MITRE ATT&CK

Privilege Escalation
Resource Development
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln1_password_change_dc_no_change

Description
This indicator looks for domain controller machine accounts whose password has not been reset in over 45 days. By default,
machine accounts, including DCs, automatically reset their passwords every 30 days. Any machine account with a password older
than that could indicate a DC that is no longer functioning in the domain.

Likelihood of Compromise
A DC that is not updating its machine account password regularly could be more easily taken over. From an operational standpoint,
it could also indicate a communication problem with the rest of the domain.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
Dangerous Trust Attribute Set
Score: A+ (100 %) | Status: Pass
Severity: Warning | Weight: 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Harden - Domain Trust Policy
ANSSI
vuln1_trusts_domain_notfiltered

Description
This indicator identifies trusts set with either TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION or
TRUST_ATTRIBUTE_PIM_TRUST. These bits will either allow a Kerberos ticket to be delegated or reduce the protection that SID
Filtering provides.

Likelihood of Compromise
An attacker that has compromised a remote domain can spoof any user or machine in the local domain. This can allow the attacker
to access any resource as well as escalate their privileges, thus compromising the entire forest.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
Print spooler service is enabled on a DC
Score: F (0 %) | Status: IOE Found
Severity: Critical | Weight: 8

Security Frameworks
MITRE ATT&CK
Execution
Lateral Movement
Privilege Escalation
MITRE D3FEND
Harden - Software Update

Description
This indicator scans Domain Controllers for a running print spooler service. The scan requires a local print spooler service to be
running on the workstation.

The indicator will return "Fail to Run" if the spooler service is disabled on the local machine. The local print spooler service is enabled
by default, and the vulnerability is on Domain Controllers only.

Keep in mind that if you're running the scan on a workstation that does not normally have the spooler service active, you can turn
it on for the scan and turn it off afterwards.

Likelihood of Compromise
During June-July 2021, several critical flaws were found in the Windows Print Spooler service - CVE-2021-1675 and CVE-2021-34527 -
which directly affect print spoolers on domain controllers, enabling remote code execution. See this link for Microsoft updates and
patch information on this flaw.
In addition to this vulnerability, an existing weakness in print spoolers enabled on a DC, combined with an object configured for
unconstrained delegation (see indicator 16 "Computer or user accounts with unconstrained delegation"), may allow attackers to
authenticate as that DC to any service (see this writeup for additional information).

Result
Found 4 DCs that have the Print Spooler service running.
FQDN Ignored
PDC0000DC104.croix-rouge.asso.fr False
PDC0000DC103.croix-rouge.asso.fr False
PDC0000DC101.croix-rouge.asso.fr False
PDC0000DC105.croix-rouge.asso.fr False
Showing 4 of 4

Remediation Steps
Print spooler services are enabled by default. If not absolutely required, disable the service on all domain controllers. If required,
make sure the server is fully patched and follow Microsoft guidance here.

SECURITY INDICATOR
Evidence of Mimikatz DCShadow attack
Score: A+ (100 %) | Status: Pass
Severity: Critical | Weight: 10

Security Frameworks
MITRE ATT&CK
Defense Evasion
MITRE D3FEND
Isolate - Execution Isolation
Detect - Domain Account Monitoring

Description
DCShadow attacks enable attackers that have achieved privileged domain access to inject arbitrary changes into AD by replicating
from a "fake" domain controller. These changes bypass the security event log and can't be spotted using standard monitoring tools.
This indicator looks for evidence of a specific implementation of that attack by the popular Mimikatz tool.

Likelihood of Compromise
The Mimikatz tool is widely used by legitimate pen-testers as well as nefarious hackers. The criticality and impact of such an attack
necessitate further investigation to ensure that no serious compromise has occurred.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Unsecured DNS configuration Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_dnszone_bad_prop

Description
This indicator looks for DNS zones configured with ZONE_UPDATE_UNSECURE, which allows updating a DNS record anonymously.

Likelihood of Compromise
An attacker could leverage this exposure to arbitrarily add a new DNS record or replace an existing record to spoof a management
interface, then wait for incoming connections in order to steal credentials.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Domain Controllers in inconsistent state Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Resource Development
ANSSI
vuln1_dc_inconsistent_uac

Description
This indicator looks for Domain Controllers that may be in an inconsistent state, indicating a possible rogue or otherwise
non-functional DC. DCs in a consistent state are characterized by the following:

1. The UserAccountControl attribute on the DC machine object has the SERVER_TRUST_ACCOUNT flag set.
2. A corresponding object of type server exists for the DC in the configuration partition.
3. That server object has a child NTDS Settings object of type nTDSDSA.

Likelihood of Compromise
Illegitimate machines acting as DCs could indicate someone has compromised the environment (e.g. using DCShadow or similar DC
spoofing attacks). At the very least, partially functional legitimate DCs could represent a security risk if they are compromised.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Domains with obsolete functional levels Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Reconnaissance
MITRE D3FEND
Harden - Software Update
ANSSI
vuln1_functional_level
vuln3_functional_level
vuln4_functional_level

Description
This indicator looks for AD domains that have a domain functional level set to Windows Server 2012 or lower. These lower
functional levels mean that newer security features available in AD cannot be leveraged. If the OS version of your domain
controllers supports it, you should update to a newer domain functional level to take full advantage of security advancements in
AD.

Likelihood of Compromise
While the domain functional level is not a weakness in and of itself, an attacker with knowledge of functional levels can adjust their
approach to take advantage of the lack of security features in AD.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Operator groups no longer protected by AdminSDHolder and SDProp Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Defense Evasion
MITRE D3FEND
Harden - User Account Permissions
ANSSI
vuln1_dsheuristics_bad

Description
This indicator checks whether the dwAdminSDExMask mask in dsHeuristics has been set, which indicates a change to the SDProp behavior
that could compromise security. Certain groups can be removed from SDProp protection with this setting.

Likelihood of Compromise
Normally the default behavior of AdminSDHolder/SDProp should be left intact. If its behavior has been modified, this could indicate an
attempt at defense evasion.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
AD Certificate Authority with Web Enrollment - PetitPotam and ESC8 Pass
100 %

SEVERITY WEIGHT
Critical 8

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation

Description
This indicator attempts to identify AD CS servers in the domain that accept NTLM authentication to Web Enrollment Services. The
script enumerates CAs in the Enrollment Services container, resolves their IP and attempts NTLM authentication to
https://IP/certsrv. Note: This indicator currently does not identify EPA or other mitigations suggested by Microsoft.

The indicator will return a Passed if an enrollment service is contacted, but NTLM authentication is denied (positive effect on the
posture score) for any endpoint.
The indicator will return an IoE Found if NTLM authentication is available on an enrollment service (negative effect on security
posture) on any endpoint.
The indicator will Fail to Run (no effect on security posture score) if one of the following is true for all endpoints:

Cannot Resolve - Enrollment Service Certificate found in AD CS container, but address cannot be resolved
Unreachable - IP is resolved, but service cannot be reached

Likelihood of Compromise
Attackers may abuse a flaw in AD CS Web Enrollment that enables NTLM relay attacks to authenticate as a privileged user. An
example of such an attack was provided in July 2021 when chained with "PetitPotam" authentication coercion on MS-EFSRPC. The
impact of such an attack can be privilege escalation to Domain Admin from network access only. More details about "ESC8" here.

Result
No evidence of exposure.
Host Name Resolved IP NTLM Status
PRI0000DC0087.intranet.croix-rouge.asso.fr 10.206.0.87 Denied
PRI0000DC0089.intranet.croix-rouge.asso.fr 10.206.0.89 Unreachable
Showing 2 of 2

Remediation Steps
None

SECURITY INDICATOR
A+
gMSA objects with old passwords Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Credential Access

Description
This indicator looks for group managed service accounts that have not automatically rotated their passwords. These passwords
should be changed automatically every 30 days by default.

Likelihood of Compromise
gMSA accounts should automatically rotate their passwords every 30 days. Objects that are not doing this could show evidence of
tampering.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Domain controllers that have not authenticated to the domain for more than 45 days Pass
100 %

SEVERITY WEIGHT
Warning 4

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation
MITRE D3FEND
Isolate - Execution Isolation
ANSSI
vuln1_password_change_inactive_dc

Description
Domain controllers must authenticate and change their passwords at least every 30 days. Lack of domain authentication reveals
out-of-sync machines. Out-of-sync domain controllers must be either reinstalled or removed. When reinstalling an out-of-sync
domain controller, care must be taken not to introduce a new OWNER control path exposing its computer account. To avoid doing
so, use of the Djoin utility is advised.

Likelihood of Compromise
Domain controllers that are not active in the domain are likely to be out of sync with functional DCs, so a compromised
offline DC may be of little value to an attacker. However, if an attacker could compromise an offline DC and crack credentials or
reconnect it to the domain, they may be able to introduce unwanted changes to production AD that could compromise its security.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
LDAP signing is not required on Domain Controllers IOE Found
0 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Credential Access

Description
This indicator looks for domain controllers where LDAP signing is not required.

Likelihood of Compromise
Unsigned network traffic is exposed to MITM attacks, in which attackers alter packets and forward them to the LDAP server, causing
the server to make decisions based on forged requests from the LDAP client.

Result
Found 21 DCs that do not require LDAP Signing.
DCName | DistinguishedName | State | Ignored
PDC0000DC101.croix-rouge.asso.fr | CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PDC0000DC103.croix-rouge.asso.fr | CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PDC0000DC104.croix-rouge.asso.fr | CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PDC0000DC105.croix-rouge.asso.fr | CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI0001IN006.intranet.croix-rouge.asso.fr | CN=PCI0001IN006,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI4444DR001.intranet.croix-rouge.asso.fr | CN=PCI4444DR001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3713DR002.intranet.croix-rouge.asso.fr | CN=PCI3713DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI2036ET002.intranet.croix-rouge.asso.fr | CN=PCI2036ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3621DR003.intranet.croix-rouge.asso.fr | CN=PCI3621DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3619DR003.intranet.croix-rouge.asso.fr | CN=PCI3619DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
Showing 10 of 21

Remediation Steps
The following remediation steps use Group Policy. They should be followed in order and completed correctly to avoid disruptions
in the domain:

1. Configure clients to request LDAP signing - Group Policy name: Network security: LDAP client signing requirements -> select
Request signing in the dialog box.
2. When all clients request signing, configure domain controllers to require signing - Group Policy name: Domain controller: LDAP
server signing requirements -> select Require signing.
3. Configure clients to require signing - Group Policy name: Network security: LDAP client signing requirements -> select Require
signing in the dialog box.

Following these steps will ensure that no client stops working during the transition.
See more detailed info here, and here.

SECURITY INDICATOR
A+
Non-standard schema permissions Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_permissions_schema
MITRE D3FEND
Harden - System Configuration Permissions

Description
This indicator looks for additional principals with any permissions beyond generic Read on the schema partition. The schema is one of
the three main Active Directory naming contexts; it contains the definitions of every object and attribute in the forest. For additional
information and remediation advice, see the ANSSI website.

Likelihood of Compromise
By default, modification permissions on schema are limited to Schema Admins. These permissions grant the trusted Principal
complete control over Active Directory.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
C+
NTFRS SYSVOL Replication IOE Found
88 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Lateral Movement
ANSSI
vuln2_sysvol_ntfrs

Description
This indicator looks for indications that FRS is used for SYSVOL replication, i.e. domain controllers configured to use the NTFRS
replication protocol (especially for SYSVOL replication). This protocol is obsolete and unnecessarily adds administrative interfaces to
domain controllers. In addition, it is no longer supported by the latest versions of Windows Server, which prevents
migration to those versions.

Likelihood of Compromise
NTFRS is an older protocol that has been replaced by DFSR. Attackers that can manipulate NTFRS vulnerabilities to compromise
SYSVOL can potentially change GPOs and logon scripts to propagate malware and move laterally across the environment.

Result
Found 1 domains that are suspected to use NTFRS for SYSVOL replication. It is possible that migration to DFSR was completed but
the container was not removed.
Domain Ignored
croix-rouge.asso.fr False
Showing 1 of 1

Remediation Steps
This protocol has been obsolete since Windows Server 2008. Migration instructions to DFSR are documented here.

SECURITY INDICATOR
A+
Outbound forest trust with SID History enabled Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Lateral Movement
MITRE D3FEND
Harden - Domain Trust Policy
ANSSI
vuln1_trusts_forest_sidhistory

Description
This indicator looks for outbound forest trusts that have the TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL flag set to true. If this bit is set,
a cross-forest trust to a domain is treated as an external trust for the purposes of SID filtering. Cross-forest trusts are
more stringently filtered than external trusts; this attribute relaxes those cross-forest trusts to be equivalent to external trusts.

Likelihood of Compromise
An attacker who has compromised the remote domain can spoof any user or machine on the local domain (except for accounts with
a RID lower than 1000, excluding built-in accounts and groups). Such an attacker can therefore access every resource on the local
domain. If a dangerous control path is exposed to any "spoofable" account (virtually any account other than the built-in ones), the
attacker could also escalate their privileges up to "Domain Admins" and compromise the entire forest.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
C
Domain trust to a third-party domain without quarantine IOE Found
83 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Lateral Movement
MITRE D3FEND
Harden - Domain Trust Policy
ANSSI
vuln1_trusts_domain_notfiltered

Description
This indicator looks for outbound forest trusts that have the Quarantine flag set to false, which means that the trusted domain is not
subject to SID filtering.

Likelihood of Compromise
An attacker who has compromised the remote domain can spoof any user or machine on the local domain (except for accounts with
a RID lower than 1000, excluding built-in accounts and groups). Such an attacker can therefore access every resource on the local
domain. If a dangerous control path is exposed to any "spoofable" account (virtually any account other than the built-in ones), the
attacker could also escalate their privileges up to "Domain Admins" and compromise the entire forest.

Result
Found 2 outbound trusts where Quarantine is disabled or SID history is enabled.
DistinguishedName TrustedForest TrustAttributes Ignored
DC=croix-rouge,DC=asso,DC=fr intranet.croix-rouge.asso.fr 0 False
DC=intranet,DC=croix-rouge,DC=asso,DC=fr croix-rouge.asso.fr 4194304 [] False
Showing 2 of 2

Remediation Steps
Unless domain migration is currently ongoing, use the following command to enable Quarantine for external trusts:
NETDOM TRUST /domain: /Quarantine yes
And use the following command to disable SID history for forest trusts:

NETDOM TRUST /domain: /EnableSIDhistory:No

SECURITY INDICATOR
A+
Risky RODC credential caching Pass
100 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Harden - User Account Permissions
ANSSI
vuln2_rodc_priv_revealed

Description
On a per-RODC basis, you can control which security principals are allowed to replicate their credentials to an RODC when they
log on. If privileged users are in the allow list, that can expose their credentials to theft from these RODCs. This indicator looks for a
Password Replication Policy that allows privileged objects.

Likelihood of Compromise
Generally, RODCs are at higher risk than standard DCs (e.g. deployed at remote sites with poor security). This makes them ripe
targets for attackers and privileged credentials cached on these servers can elevate their access significantly.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Privileged user credentials cached on RODC Pass
100 %

SEVERITY WEIGHT
Informational 4

Security Frameworks
MITRE ATT&CK
Lateral Movement
Privilege Escalation

Description
This indicator looks for privileged users with credentials that are cached to RODCs.

Likelihood of Compromise
While not immediately indicative of an attack, privileged user accounts are sensitive and should not be cached on RODCs, since their
physical security is not as robust as that of a full DC.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Well-known privileged SIDs in sIDHistory Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Defense Evasion
Privilege Escalation
ANSSI
vuln2_sidhistory_dangerous
vuln3_sidhistory_present

Description
This indicator looks for security principals that contain specific SIDs of accounts from built-in privileged groups within their
sIDHistory attribute. This would allow those security principals to have the same privileges as those privileged accounts, but in a
way that is not obvious to monitor (e.g. through group membership).

Likelihood of Compromise
Writing to sIDHistory requires special privileges. Therefore, anyone who can write to the sIDHistory attribute has likely
compromised the domain already, but this method of gaining persistence can be very effective, given the difficulty administrators
will have in detecting these kinds of privilege escalations.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
SMB Signing is not required on Domain Controllers Pass
100 %

SEVERITY WEIGHT
Critical 8

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Credential Access

Description
This indicator looks for domain controllers where SMB signing is not required.

Likelihood of Compromise
Unsigned network traffic is susceptible to attacks abusing the NTLM challenge-response protocol. A common example of such
attacks is SMB Relay, where an attacker is positioned between the client and the server in order to capture data packets transmitted
between the two, thus gaining unauthorized access to the server or other servers on the network.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
SMBv1 is enabled on Domain Controllers IOE Found
0 %

SEVERITY WEIGHT
Critical 8

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Credential Access

Description
This indicator looks for domain controllers where the SMBv1 protocol is enabled.

Likelihood of Compromise
SMBv1 is an old protocol, considered unsafe and susceptible to all kinds of attacks. It was publicly deprecated by Microsoft in 2014.

Result
Found 20 DCs with SMBv1 Enabled.
DCName | DistinguishedName | State | Ignored
PDC0000DC101.croix-rouge.asso.fr | CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PDC0000DC103.croix-rouge.asso.fr | CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PDC0000DC104.croix-rouge.asso.fr | CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PDC0000DC105.croix-rouge.asso.fr | CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI0001IN006.intranet.croix-rouge.asso.fr | CN=PCI0001IN006,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI4444DR001.intranet.croix-rouge.asso.fr | CN=PCI4444DR001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3713DR002.intranet.croix-rouge.asso.fr | CN=PCI3713DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI2036ET002.intranet.croix-rouge.asso.fr | CN=PCI2036ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3621DR003.intranet.croix-rouge.asso.fr | CN=PCI3621DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3619DR003.intranet.croix-rouge.asso.fr | CN=PCI3619DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
Showing 10 of 20

Remediation Steps
Microsoft recommends disabling SMBv1 wherever possible on both the client and the server side. Before disabling SMBv1, and to
avoid additional errors, make sure best practices are followed regarding the use of deprecated operating systems (Windows 2000, 2003, XP, CE),
network printers that use SMBv1 scan-to-share (scan2shares) functionality, and software that accesses Windows shares with a custom
implementation relying on SMBv1.
Read more here.

SECURITY INDICATOR
A+
Weak certificate cipher Pass
100 %

SEVERITY WEIGHT
Critical 8

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Harden - Certificate-based Authentication
ANSSI
vuln1_certificates_vuln

Description
This indicator looks for certificates stored in Active Directory with a key size smaller than 2048 bits or that use DSA.

Likelihood of Compromise
Weak certificates can be abused by attackers to gain access to systems that use certificate authentication.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
Zerologon vulnerability IOE Found
0 %

SEVERITY WEIGHT
Critical 10

Security Frameworks
MITRE ATT&CK
Privilege Escalation

Description
This indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this
patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the
domain.

Likelihood of Compromise
While this exploit was patched by Microsoft, unpatched domain controllers still exist and there is exploit code in the wild that is
actively taking advantage of this vulnerability.

Result
Found 25 DCs that are vulnerable to ZeroLogon.
FQDN Ignored
PCI1840ET002.intranet.croix-rouge.asso.fr False
PCI2385ET003.intranet.croix-rouge.asso.fr False
PCI3654ET001.intranet.croix-rouge.asso.fr False
PCI1910ET002.intranet.croix-rouge.asso.fr False
PCI3647ET001.intranet.croix-rouge.asso.fr False
PCI1716ET004.intranet.croix-rouge.asso.fr False
PCI3632ET001.intranet.croix-rouge.asso.fr False
PCI1797ET001.intranet.croix-rouge.asso.fr False
PCI1799ET002.intranet.croix-rouge.asso.fr False
PCI3781ET001.intranet.croix-rouge.asso.fr False
Showing 10 of 25

Remediation Steps
Patch your servers and make sure that all Microsoft security updates are applied.

CATEGORY
C
GROUP POLICY SECURITY
85 %
WEIGHT: 5
EVALUATED: 9
INDICATORS FOUND: 6
Group Policy Security indicators pertain to the security configuration of GPOs and their deployment within AD.
SECURITY INDICATOR
B
Changes to Default Domain Policy or Default Domain Controllers Policy in the last 7 days IOE Found
94 %

SEVERITY WEIGHT
Informational 4

Security Frameworks
MITRE ATT&CK
Lateral Movement
Persistence

Description
The Default Domain Policy and Default Domain Controllers Policy GPOs are special objects within AD, and control domain-wide and
Domain Controller wide security settings. This indicator looks for changes to these two special GPOs within the last 7 days.

Likelihood of Compromise
Changes to the Default Domain Policy or Default Domain Controllers Policy should be accounted for by the administrators. If a
change cannot be accounted for, investigate it, looking for potential weakening of the security posture and why the change
was made.

Result
Found 1 sensitive policies in the organization that have been changed in the last 7 days.
Domain | Version | GPO Name | EventTimestamp | Ignored
intranet.croix-rouge.asso.fr | 180 | CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 07/03/2024 11:57:03 | False
Showing 1 of 1

Remediation Steps
Review the changes and ensure that any changes to these two GPOs have gone through well-known change processes and that
any changes made to these GPOs are well-documented. Investigate any undocumented changes.

SECURITY INDICATOR
Writable shortcuts found in GPO Failed To Run
N/A
SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Lateral Movement
MITRE D3FEND
Detect - Script Execution Analysis
Detect - File Creation Analysis

Description
This indicator looks for shortcuts within Group Policy Objects (GPOs) that are writable by low privilege users. GPOs are a powerful
feature in Windows domains that are used to manage various settings and configurations for multiple computers and users.
Shortcuts are links to files or applications that can be deployed using GPOs. When low privilege users have the ability to modify
these shortcuts, it could potentially lead to security risks and unauthorized modifications. This indicator helps organizations to
identify such misconfigurations and take appropriate actions.

Likelihood of Compromise
Changing a shortcut within a GPO allows an attacker to perform the following:
Unauthorized Modifications - Low privilege users could make unauthorized changes to the files, compromising their integrity and
potentially causing unintended behavior or security vulnerabilities.

Malicious Content Execution - If the files are replaced with malicious content, all users running them could unknowingly execute
malicious code, leading to system compromise or unauthorized access to sensitive information.

System Instability - Unauthorized modifications to files can result in system instability, causing application errors, data corruption,
or system crashes.

Compliance and Legal Consequences - If the affected files are critical for compliance or legal requirements, unauthorized
modifications may lead to non-compliance, financial losses, reputational damage, or legal repercussions.

Result
Impossible de traiter l’argument car la valeur de l’argument « path » n’est pas valide. Modifiez la valeur de l’argument « path » et
réexécutez l’opération.

Remediation Steps
None

SECURITY INDICATOR
F
Dangerous GPO logon script path IOE Found
0 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Lateral Movement
MITRE D3FEND
Detect - Script Execution Analysis
Detect - File Creation Analysis

Description
This indicator searches for logon script paths where the script does not exist and where a low-privilege user has permissions on the
parent folder. Additionally, it checks for logon script paths where the script exists but low-privilege users have permissions to
modify them.

Likelihood of Compromise
By inserting a new logon script or changing an existing one using a normal user account that has the permissions to do so, an attacker can
remotely run code on a large part of the network without special privileges.

Result
Found 31 dangerous logon scripts paths.

Script ScriptType UserWithPrivOnFile UsersWithPrivOnFolder Result

INTRANET\admin_marceult INTRANET\admin_marceult
;INTRANET\alonzol ;INTRANET\alonzol
;INTRANET\Admin_Occitanie ;S-1-5- ;INTRANET\Admin_Occitanie ;S-1-5- The file exists
21-683096409-2250491608- 21-683096409-2250491608- but some low
\\10.108.31.7\Informatique$\Wifi_Temp\Wi-Fi-CRF- Shutdown 1057341159-122037 1057341159-122037 privilege
SALARIES.bat ;INTRANET\GG4459DR_DSI ;INTRANET\GG4459DR_DSI user(s) can
;INTRANET\hanidz ;INTRANET\laforestf ;INTRANET\hanidz ;INTRANET\laforestf modify it.
;INTRANET\Admin_OC ;INTRANET\Admin_OC
;INTRANET\chouraquim ;INTRANET\chouraquim
;BUILTIN\Utilisateurs

The file exists


INTRANET\Admin_cvl_sanitaire INTRANET\Admin_cvl_sanitaire but some low
\\10.108.44.12\Sources$\Wifi\Wi-Fi-CRF-SALARIES.bat Shutdown ;INTRANET\Admin_Pays-loire ;INTRANET\Admin_Pays-loire privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.

The file exists


INTRANET\Admin_cvl_sanitaire INTRANET\Admin_cvl_sanitaire but some low
\\10.108.44.12\Sources$\Wifi\Wi-Fi-Medical.bat Shutdown ;INTRANET\Admin_Pays-loire ;INTRANET\Admin_Pays-loire privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.

The file exists


INTRANET\Admin_NA_SRR_RICHELIEU INTRANET\Admin_NA_SRR_RICHELIEU but some low
\\10.17.100.115\ad\scripts\supp_racc_bureau.bat Logon ;INTRANET\admin_bouthiere ;INTRANET\admin_bouthiere privilege
user(s) can
modify it.

The file exists


INTRANET\admin_olivol but some low
\\10.29.100.6\Sources$\BL\BL_Brest.bat Logon INTRANET\admin_rapint ;BUILTIN\Utilisateurs privilege
user(s) can
modify it.

The file exists


INTRANET\admin_rapint INTRANET\admin_rapint but some low
\\10.37.104.20\Sources$\BLFormation\BL_BOURGES.bat Logon ;INTRANET\admin_bruelg ;INTRANET\admin_bruelg privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.
The file exists
INTRANET\admin_rapint INTRANET\admin_rapint but some low
\\10.37.104.20\sources$\BLFormation\BL_TOURS.bat Logon ;INTRANET\admin_bruelg ;INTRANET\admin_bruelg privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.

The file exists


but some low
\\10.76.148.7\Scripts\RemoveAnyDesk.bat Startup INTRANET\admin_charretiere BUILTIN\Utilisateurs privilege
;INTRANET\GG3654ET_ALL ;INTRANET\GG3654ET_ALL user(s) can
modify it.

The file exists


INTRANET\admin_charretiere BUILTIN\Utilisateurs but some low
\\10.76.148.7\Scripts\Shortcuts.bat Logon ;INTRANET\GG3654ET_ALL ;INTRANET\GG3654ET_ALL privilege
user(s) can
modify it.
The file exists
INTRANET\admin_charretiere INTRANET\admin_charretiere but some low
\\10.76.148.7\Scripts\WLAN\script_WIFI.bat Logon ;INTRANET\GG3654ET_ALL ;INTRANET\GG3654ET_ALL privilege
;BUILTIN\Utilisateurs user(s) can
modify it.
Showing 10 of 31


Remediation Steps
Ensure that the GPO logon script exists, and that the logon script path does not provide normal users with permissions to change
the script file or access to their parent folder.

SECURITY INDICATOR
A+
GPO with Scheduled Tasks configured Pass
100 %

SEVERITY WEIGHT
Informational 2

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Lateral Movement
MITRE D3FEND
Detect - Script Execution Analysis
Detect - File Creation Analysis

Description
For each scheduled task configured through a GPO that launches an executable, this indicator checks whether low-privilege users have permissions to modify the GPO.

Likelihood of Compromise
Scheduled tasks configured through group policies can be risky if not set up correctly. They can cause unintended problems and
potential security vulnerabilities in the following situations:

Missing path specification for executable files launched by the Task Scheduler - When setting up a scheduled task, it's
important to provide the complete path to the executable file. This helps reduce the risk of path manipulation attacks. Path
manipulation involves manipulating the search path or taking advantage of vulnerabilities in the path resolution mechanism to
execute a malicious program. By explicitly specifying the complete path, you minimize the reliance on potentially vulnerable search
path resolution mechanisms and decrease the chances of path manipulation exploits.

Executables located in unsecure locations - If scheduled tasks are configured to launch executables from locations where
standard users have write access, it poses a potential risk. Standard users having write access to these directories can replace the
intended program with a malicious one. This can lead to privilege escalation, where the malicious program gains higher privileges
than it should have, resulting in security breaches and compromising the system's security.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
Dangerous user rights granted by GPO IOE Found
0 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Detect - Local Account Monitoring
Harden - Strong Password Policy

Description
Group Policy Objects (GPOs) are used to define security settings that apply to a group of users or computers in an Active Directory
environment. GPOs can be used to grant dangerous user rights, such as the ability to bypass file system security, log on as a
service, or even perform actions with elevated privileges. This indicator looks for non-privileged users who are granted elevated
permissions through GPO.

Likelihood of Compromise
An attacker can potentially exploit the user rights granted by a GPO to gain access to systems, steal sensitive information, or cause
other types of damage. If these dangerous user rights are granted to a user or a group of users, it increases the risk of an attacker
being able to gain access to sensitive data, systems or even perform malicious actions.

Result
Found 6 non-privileged users with elevated permissions granted using GPO.

user | privilege | policy | policyName | status | LinkedOUs | Ignored
INTRANET\adminsql | SeTcbPrivilege | {6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | User policy enabled. Computer policy enabled. | OU: OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr; State: Enabled, Unenforced, Priority: 1 | False
INTRANET\adminsql | SeAssignPrimaryTokenPrivilege | {6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | User policy enabled. Computer policy enabled. | OU: OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr; State: Enabled, Unenforced, Priority: 1 | False
CROIX-ROUGE\ArcservExchange | SeServiceLogonRight | {6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | User policy enabled. Computer policy enabled. | OU: OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr; State: Enabled, Unenforced, Priority: 1 | False
INTRANET\adminsql | SeServiceLogonRight | {6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | User policy enabled. Computer policy enabled. | OU: OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr; State: Enabled, Unenforced, Priority: 1 | False
INTRANET\svc_paloalto | SeServiceLogonRight | {6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | User policy enabled. Computer policy enabled. | OU: OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr; State: Enabled, Unenforced, Priority: 1 | False
INTRANET\adm_commvault | SeServiceLogonRight | {6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | User policy enabled. Computer policy enabled. | OU: OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr; State: Enabled, Unenforced, Priority: 1 | False
Showing 6 of 6

Remediation Steps
The remediation for this indicator involves identifying any dangerous user rights that have been granted through GPOs, and
removing them wherever possible. This can involve reviewing existing GPO settings and modifying them to remove any
unnecessary or excessive user rights, as well as implementing appropriate access controls to restrict access to GPOs and other
critical Active Directory components. By taking these steps, organizations can reduce the risk of compromise and help protect their
systems from potential attacks. For more information about user rights see MS User Rights Assignment
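As an added example (not part of the Purple Knight report or Semperis' code), the following Python audits the [Privilege Rights] section of a GPO's GptTmpl.inf against an allow-list of expected holders; the dangerous-rights set, the allow-list and the sample INF content are assumptions constructed to mirror the finding above.

```python
# Added example (not Purple Knight's own code): audit the [Privilege Rights] section of a
# GPO's GptTmpl.inf (SYSVOL\<domain>\Policies\<GUID>\Machine\Microsoft\Windows NT\SecEdit\)
# for dangerous user rights granted to principals outside an allow-list.
import configparser
import io

# Rights treated as dangerous; this set is an assumption, extend it for your environment.
DANGEROUS_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeDebugPrivilege": "Debug programs",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeServiceLogonRight": "Log on as a service",
}

# Well-known SIDs expected to hold elevated rights on domain controllers (assumption).
EXPECTED_HOLDERS = {
    "*S-1-5-32-544",  # BUILTIN\Administrators
    "*S-1-5-18",      # LOCAL SYSTEM
    "*S-1-5-19",      # LOCAL SERVICE
    "*S-1-5-20",      # NETWORK SERVICE
    "*S-1-5-9",       # ENTERPRISE DOMAIN CONTROLLERS
}

# Constructed sample shaped like a GptTmpl.inf and mirroring the report's finding. Group SIDs
# are stored with a leading '*'; other principals appear by name. Real files are UTF-16 LE,
# so read them with encoding="utf-16" before passing the text in.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeTcbPrivilege = INTRANET\\adminsql
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,INTRANET\\adminsql
SeServiceLogonRight = *S-1-5-20,INTRANET\\svc_paloalto,INTRANET\\adm_commvault
SeBackupPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
"""


def parse_privilege_rights(inf_text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section (empty if absent)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep the case of the SeXxx keys
    parser.read_file(io.StringIO(inf_text))
    if not parser.has_section("Privilege Rights"):
        return {}
    return {
        right: [h.strip() for h in holders.split(",") if h.strip()]
        for right, holders in parser.items("Privilege Rights")
    }


def find_dangerous_grants(inf_text, policy_name, expected=EXPECTED_HOLDERS):
    """Return (policy, right, holder) for each dangerous right held by a non-expected principal."""
    findings = []
    for right, holders in parse_privilege_rights(inf_text).items():
        if right not in DANGEROUS_RIGHTS:
            continue
        findings.extend((policy_name, right, h) for h in holders if h not in expected)
    return findings


if __name__ == "__main__":
    for policy, right, holder in find_dangerous_grants(SAMPLE_GPTTMPL, "Default Domain Controllers Policy"):
        print(f"{policy}: {right} ({DANGEROUS_RIGHTS[right]}) granted to {holder}")
```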

SECURITY INDICATOR
D-
Reversible passwords found in GPOs IOE Found
46 %

SEVERITY WEIGHT
Critical 8

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Detect - Emulated File Analysis

Description
This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker ("Cpassword" entries).
Until patch MS14-025, it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in
GPOs were encrypted using a global key that was published and easily available to any domain member for decryption.

Likelihood of Compromise
Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy,
but existing password entries may not have been removed. This area is one of the first things attackers look for when they've
gained access to an AD environment, as older systems may still utilize those credentials.

Result
Found 2 Group Policies Preference password entries.
GPOName Domain PolicyArea GPOSide Ignored
IDF_ADMIN_LOCAL_VIDAL intranet.croix-rouge.asso.fr Local Users and Groups Computer False
RA_69_1871_ADMIN_PRESTATAIRE intranet.croix-rouge.asso.fr Local Users and Groups Computer False
Showing 2 of 2

Remediation Steps
If Group Policy Preference password entries have been found in one or more GPOs, they should be removed immediately. Their
encryption key is well known and can be easily cracked, potentially exposing accounts defined in those GPOs.
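One offline check for both of the exposures described above (scheduled-task executables launched without a full path, and leftover Group Policy Preferences password entries), added here and not taken from the report or from Semperis; the XML samples are constructed to resemble Preferences files, and the element and attribute names used (appName, Exec/Command, cpassword) are assumptions based on the documented Preferences format.

```python
# Added example (not Purple Knight's own code): scan Group Policy Preferences XML from
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ for two exposures: elements that
# still carry a cpassword attribute, and scheduled tasks whose program is given without a
# full path. The files are passed in as {relative path: text}; nothing is decrypted.
import ntpath
import xml.etree.ElementTree as ET

# Constructed samples ({A1B2} is a placeholder GUID). The schema details are assumptions
# taken from the documented Preferences format; adapt to what your files actually contain.
SAMPLE_FILES = {
    r"{A1B2}\Machine\Preferences\Groups\Groups.xml": """\
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="adm_local" image="2" changed="2019-04-02 09:12:11">
    <Properties action="U" newName="" fullName="" description="" cpassword="REDACTED-constructed-ciphertext"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="adm_local"/>
  </User>
</Groups>
""",
    r"{A1B2}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": """\
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Inventory">
    <Properties action="C" name="Inventory" appName="inventory.exe" args="/silent" startIn=""/>
  </Task>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup">
    <Properties action="C" name="Cleanup" runAs="NT AUTHORITY\\System">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\\Scripts\\cleanup.cmd</Command><Arguments></Arguments></Exec>
          <Exec><Command>cleanup-extra.cmd</Command></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
""",
}


def find_cpassword_entries(files):
    """Return (file, element tag, userName) for every element carrying a non-empty cpassword."""
    hits = []
    for path, text in files.items():
        for elem in ET.fromstring(text).iter():
            if elem.attrib.get("cpassword"):
                hits.append((path, elem.tag, elem.attrib.get("userName", "")))
    return hits


def is_full_path(command):
    """True if the command names an absolute location: drive-rooted, UNC, or %VAR%-rooted."""
    cmd = command.strip().strip('"')
    if cmd.startswith("%"):  # %SystemRoot%\... expands to an absolute path at run time
        return True
    drive, tail = ntpath.splitdrive(cmd)
    return bool(drive) and tail[:1] in ("\\", "/")  # "C:prog.exe" is drive-relative, not full


def find_tasks_without_full_path(files):
    """Return (file, task name, command) for task actions that rely on search-path resolution."""
    hits = []
    for path, text in files.items():
        root = ET.fromstring(text)
        if root.tag != "ScheduledTasks":
            continue
        for task in root:
            name = task.attrib.get("name", "?")
            props = task.find("Properties")
            if props is None:
                continue
            commands = []
            if props.attrib.get("appName"):  # legacy Task / ImmediateTask format
                commands.append(props.attrib["appName"])
            for cmd in props.iterfind(".//Exec/Command"):  # TaskV2 / ImmediateTaskV2 format
                if cmd.text:
                    commands.append(cmd.text)
            hits.extend((path, name, c) for c in commands if not is_full_path(c))
    return hits


if __name__ == "__main__":
    for path, tag, user in find_cpassword_entries(SAMPLE_FILES):
        print(f"cpassword present in {path} (<{tag}> for {user!r}): remove the entry")
    for path, name, command in find_tasks_without_full_path(SAMPLE_FILES):
        print(f"task {name!r} in {path} launches {command!r} without a full path")
```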

SECURITY INDICATOR
A+
SYSVOL Executable Changes Pass
100 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Execution
Persistence
MITRE D3FEND
Detect - File Analysis

Description
This indicator looks for modifications to executable files within SYSVOL. It only examines files and executables to which the
scanning account has read access.

Likelihood of Compromise
Changes to the executable files within SYSVOL should be accounted for by the administrators. If a change cannot be accounted
for, investigate it to determine why it was made and whether it weakens the security posture.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
C
GPO linking delegation at the AD Site level IOE Found
82 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Execution
ANSSI
vuln1_permissions_gpo_priv

Description
When non-privileged users can link GPOs at the AD Site level, they have the ability to effect change on domain controllers as well
as potentially elevate access and change domain-wide security posture. This indicator looks for non-default principals who have
write permissions on the GPLink attribute or Write DACL/Write Owner on the object.

Likelihood of Compromise
Just being able to link GPOs doesn't provide the whole picture. An attacker would need to find or edit a GPO that contains the
instructions they want to achieve. However, if an attacker can find an existing GPO that meets their needs, then having this write
permission gives them the keys to the kingdom.

Result
Found 1 object with write permissions on the GPLink attribute at the AD Site level.
DistinguishedName | Identity | Access | Ignored
CN=DATA-CENTER | INTRANET\GG0000_Admin_Subnet | Allow: ListChildren, ReadProperty, GenericWrite on: All Properties (this same ACE is repeated many times in the tool's output) | False
Showing 1 of 1

Remediation Steps
Unprivileged users should not be able to link GPOs at the AD Site level. Doing so essentially gives them the ability to escalate their
access, change domain-level security posture, and use GPOs to affect all systems and users in AD. Remove unnecessary permissions
from the AD Site.

SECURITY INDICATOR
C
GPO linking delegation at the domain controller OU level IOE Found
82 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Execution
ANSSI
vuln1_permissions_gpo_priv

Description
When non-privileged users can link GPOs at the Domain Controllers OU level, they have the ability to effect change on domain
controllers as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default
principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object.

Likelihood of Compromise
Just being able to link GPOs doesn't provide the whole picture. An attacker would need to find or edit a GPO that contains the
instructions they want to achieve. However, if an attacker can find an existing GPO that meets their needs, then having this write
permission gives them the keys to the kingdom.

Result
Found 1 object with write permissions on the GPLink attribute at the Domain Controllers OU level.
DistinguishedName | Identity | Access | Ignored
OU=Domain Controllers | CROIX-ROUGE\Administrateurs clés Enterprise | Allow: GenericAll on: All Properties | False
Showing 1 of 1

Remediation Steps
Unprivileged users should not be able to link GPOs at the Domain Controllers OU level. Doing so essentially gives them the ability
to escalate their access, change domain-level security posture, and use GPOs to affect all systems and users in AD. Remove
unnecessary permissions from the DC OU.

SECURITY INDICATOR
A+
GPO linking delegation at the domain level Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Defense Evasion
Privilege Escalation

ANSSI
vuln1_permissions_gpo_priv

Description
When non-privileged users can link GPOs at the domain level, they have the ability to effect change across all users and computers
in the domain as well as potentially elevate access and change domain-wide security posture. This indicator looks for non-default
principals who have write permissions on the GPLink attribute or Write DACL/Write Owner on the object.

Likelihood of Compromise
Just being able to link GPOs doesn't provide the whole picture. An attacker would need to find or edit a GPO that contains the
instructions they want to achieve. However, if an attacker can find an existing GPO that meets their needs, then having this write
permission gives them the keys to the kingdom.

Result
No evidence of exposure.

Remediation Steps
None
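An added example (not the tool's own logic) that applies the check described by the three GPO-linking indicators above to exported ACE strings written in the report's own Access format; the default-principal list and the example.local rows are assumptions, while the first two rows reuse the report's findings.

```python
# Added example (not Purple Knight's own code): evaluate exported ACEs on a GPO-linkable
# container (AD site, Domain Controllers OU, domain head) and report non-default principals
# whose rights let them change gPLink. Input rows use the report's own Access string format.
import re

# "Allow: ListChildren, ReadProperty, GenericWrite on: All Properties;Allow: ..." -> one ACE per ';'
ACE_RE = re.compile(r"^(?P<kind>Allow|Deny):\s*(?P<rights>.+?)\s+on:\s*(?P<target>.+)$")

# Rights that imply control over gPLink, or over the object's ACL, which is equivalent.
WRITE_LINK_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}

# Principals expected to hold these rights (names after the '\'); assumption, tune to your forest.
DEFAULT_PRINCIPALS = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM",
                      "ENTERPRISE DOMAIN CONTROLLERS"}

# Sample rows: the first two come from the report's results, the rest are constructed.
SAMPLE_ROWS = [
    ("CN=DATA-CENTER", "INTRANET\\GG0000_Admin_Subnet",
     ";".join(["Allow: ListChildren, ReadProperty, GenericWrite on: All Properties"] * 3)),
    ("OU=Domain Controllers", "CROIX-ROUGE\\Administrateurs clés Enterprise",
     "Allow: GenericAll on: All Properties"),
    ("DC=intranet,DC=example,DC=local", "EXAMPLE\\Domain Admins", "Allow: GenericAll on: All Properties"),
    ("DC=intranet,DC=example,DC=local", "EXAMPLE\\Helpdesk",
     "Allow: ListChildren, ReadProperty on: All Properties;Allow: WriteProperty on: description"),
    ("DC=intranet,DC=example,DC=local", "EXAMPLE\\GPO-Linkers", "Allow: WriteProperty on: gPLink"),
]


def parse_aces(access):
    """Split an Access string into unique (kind, rights, target) tuples."""
    aces = []
    for chunk in access.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ACE_RE.match(chunk)
        if not m:
            raise ValueError(f"unrecognised ACE: {chunk!r}")
        rights = frozenset(r.strip() for r in m.group("rights").split(","))
        aces.append((m.group("kind"), rights, m.group("target").strip()))
    return list(dict.fromkeys(aces))  # the report repeats identical ACEs; keep one copy of each


def can_write_gplink(aces):
    """True if any Allow ACE lets the holder modify gPLink directly or via the object's ACL."""
    for kind, rights, target in aces:
        if kind != "Allow":
            continue
        if target == "All Properties" and rights & WRITE_LINK_RIGHTS:
            return True
        if "WriteProperty" in rights and target.lower() in ("all properties", "gplink"):
            return True
    return False


def find_gplink_delegations(rows, defaults=DEFAULT_PRINCIPALS):
    """Return (container DN, identity) for non-default principals able to link GPOs there."""
    findings = []
    for dn, identity, access in rows:
        account = identity.split("\\", 1)[-1]
        if account in defaults:
            continue
        if can_write_gplink(parse_aces(access)):
            findings.append((dn, identity))
    return findings


if __name__ == "__main__":
    for dn, identity in find_gplink_delegations(SAMPLE_ROWS):
        print(f"{identity} can link GPOs at {dn}")
```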

CATEGORY: KERBEROS SECURITY
Score: B- (91 %)
WEIGHT 8 | EVALUATED INDICATORS 18 | FOUND 7
Kerberos Security indicators pertain to the configuration of Kerberos capabilities on computer and user accounts within AD.
SECURITY INDICATOR
A+
Accounts with altSecurityIdentities configured Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_delegation_a2d2

Description
It is possible to add values to the altSecurityIdentities attribute and essentially impersonate that account. The altSecurityIdentities
attribute is a multi-valued attribute used to create mappings for X.509 certificates and external Kerberos accounts. This indicator
checks for accounts with the altSecurityIdentities attribute configured.

Likelihood of Compromise
This type of attack may be easy to spot as it is rarely configured during normal operations. However, it is possible for this attribute
to be configured genuinely.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
B
Computer or user accounts with SPN that have unconstrained delegation IOE Found
94 %

SEVERITY WEIGHT
Warning 4

Security Frameworks
MITRE ATT&CK
Defense Evasion
Lateral Movement
MITRE D3FEND
Detect - Domain Account Monitoring
ANSSI
vuln2_delegation_t4d

Description
This indicator looks for computer or user accounts with SPN that are trusted for unconstrained Kerberos delegation. These accounts
store users' Kerberos TGT locally to authenticate to other systems on their behalf. Computers and users trusted with unconstrained
delegation are good targets for Kerberos-based attacks.

Likelihood of Compromise
Attackers who control a service or user trusted for unconstrained delegation can dump local credentials and uncover cached TGT.
These credentials could belong to users that accessed the service and who may be privileged.

Result
Found 1 object configured with unconstrained Kerberos delegation.

DistinguishedName | DisplayName | UserAccountControl | ServicePrincipalName | EventTimestamp | Ignored
CN=SvcBO_REC,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_REC | 590336 [TrustedForDelegation, NormalAccount, PasswordDoesNotExpire] | BICMS/svcbo_rec.intranet.croix-rouge.asso.fr; HTTP/recette-bo.croix-rouge.fr; HTTP/REC00000DC194.intranet.croix-rouge.Asso.fr; HTTP/REC00000DC194 | 17/08/2023 14:43:49 | False
Showing 1 of 1

Remediation Steps
Accounts that require Kerberos delegation should be set to constrain that delegation to the particular service or services that
require delegation. Attempts should be made to have Kerberos-enabled accounts not be privileged accounts.
MITRE D3fend based on the reference: audit-user-account-management of Microsoft

SECURITY INDICATOR
A+
Accounts with Constrained Delegation configured to krbtgt Pass
100 %

SEVERITY WEIGHT
Critical 9

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Detect - Domain Account Monitoring
ANSSI
vuln1_delegation_a2d2

Description
It is possible to create a Kerberos delegation to the krbtgt account itself. Such a delegation to a user or computer would allow that
principal to generate a Ticket Granting Service (TGS) request to the krbtgt account as any user, which has the effect of generating a
Ticket Granting Ticket (TGT) similar to a Golden Ticket. This indicator looks for accounts that have Constrained Delegation
configured to the krbtgt service.

Likelihood of Compromise
This type of attack should be easy to spot as no delegations should normally be created to the krbtgt account. However, if they are
found, they would represent a significant risk and should be mitigated quickly.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Accounts with Constrained Delegation configured to ghost SPN Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_delegation_a2d2

Description
When computers are decommissioned, delegation configuration to them is often not cleaned up. Such a delegation could allow an
attacker that has the privileges to write to the ServicePrincipalName attribute of another service account, to escalate privileges on
those services. This could result in escalating privileges by moving laterally across the infrastructure. This indicator looks for
accounts that have Constrained Delegation configured to ghost SPNs.

Likelihood of Compromise
This type of attack should be easy to spot, as the SPN configured in the msDS-AllowedToDelegateTo attribute will not exist in
the domain. However, if such delegations are found, they represent a significant risk and should be mitigated quickly.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
C+
Kerberos krbtgt account with old password IOE Found
88 %

SEVERITY WEIGHT
Warning 4

Security Frameworks
MITRE ATT&CK
Credential Access
MITRE D3FEND
Harden - Strong Password Policy
ANSSI
vuln2_krbtgt

Description
The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos
function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the
AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While
Microsoft recommends changing the password every year, STIG recommends changing it every 180 days.

Likelihood of Compromise
The potential impact of a compromised krbtgt password is access to any and all connected services. These attacks typically require
that an attacker gets access to the krbtgt hash through other compromise methods. This does not directly indicate compromise
but should be remediated. A script for resetting the krbtgt password is available on Microsoft's GitHub here.
A more updated version is available on the script author's GitHub page here.

Result
Found 2 domains whose krbtgt's password has not changed in the last 180 days.
LastChange | DistinguishedName | Attribute | EventTimestamp | Ignored
31/08/2023 08:13:17 | CN=krbtgt,CN=Users,DC=croix-rouge,DC=asso,DC=fr | unicodePwd | 31/08/2023 08:13:17 | False
31/08/2023 08:35:00 | CN=krbtgt,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | unicodePwd | 31/08/2023 08:35:00 | False
Showing 2 of 2

Remediation Steps
STIG recommends resetting the password by changing it twice (waiting for replication between changes) every 180 days. Microsoft
recommends doing this once a year. This reduces the chance that it could be retrieved and used to generate Golden Tickets.
MITRE D3fend based on the reference: NIST.SP.800-63-3
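An added example, not taken from the report, showing the age computation behind this indicator: pwdLastSet decoded from a Windows FILETIME and compared against the 180-day STIG and one-year Microsoft thresholds, using the two LastChange values above and an assumed midnight-UTC time for the 13/03/2024 assessment.

```python
# Added example (not Purple Knight's own code): decode pwdLastSet (a Windows FILETIME) for the
# krbtgt account and test its age against the two thresholds the indicator cites.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STIG_MAX_AGE_DAYS = 180
MICROSOFT_MAX_AGE_DAYS = 365


def filetime_to_datetime(filetime):
    """pwdLastSet is stored as 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build the sample values."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def assess_krbtgt(krbtgt_accounts, as_of):
    """Return {dn: {"age_days", "exceeds_stig", "exceeds_microsoft"}} for each domain's krbtgt."""
    results = {}
    for dn, pwd_last_set in krbtgt_accounts.items():
        if pwd_last_set == 0:  # never set: treat as infinitely old
            age = float("inf")
        else:
            age = (as_of - filetime_to_datetime(pwd_last_set)).days
        results[dn] = {
            "age_days": age,
            "exceeds_stig": age > STIG_MAX_AGE_DAYS,
            "exceeds_microsoft": age > MICROSOFT_MAX_AGE_DAYS,
        }
    return results


# Sample values built from the report's LastChange timestamps (times assumed to be UTC) and its
# assessment date, 13/03/2024 (time of day not given in the report; midnight UTC assumed).
ASSESSMENT_DATE = datetime(2024, 3, 13, tzinfo=timezone.utc)
SAMPLE_KRBTGT = {
    "CN=krbtgt,CN=Users,DC=croix-rouge,DC=asso,DC=fr":
        datetime_to_filetime(datetime(2023, 8, 31, 8, 13, 17, tzinfo=timezone.utc)),
    "CN=krbtgt,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr":
        datetime_to_filetime(datetime(2023, 8, 31, 8, 35, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for dn, r in assess_krbtgt(SAMPLE_KRBTGT, ASSESSMENT_DATE).items():
        print(f"{dn}: {r['age_days']} days old, STIG limit exceeded: {r['exceeds_stig']}, "
              f"Microsoft limit exceeded: {r['exceeds_microsoft']}")
```

Both domains come out at 194 days, which is why the indicator (STIG's 180-day limit) fires while Microsoft's one-year guidance is still met.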

SECURITY INDICATOR
A+
Objects with constrained delegation configured Pass
100 %

SEVERITY WEIGHT
Informational 5

Security Frameworks
MITRE ATT&CK
Lateral Movement
Privilege Escalation
MITRE D3FEND
Detect - Domain Account Monitoring

Description
This indicator looks for any objects that have values in the msDS-AllowedToDelegateTo attribute (i.e. Constrained Delegation) and
does not have the UserAccountControl bit for protocol transition set.

Likelihood of Compromise
Attackers may utilize delegations to move laterally or escalate privileges if they compromise a service that is trusted to delegate.
While constrained delegation is less likely to be compromised than unconstrained delegation, knowing all of the accounts within
your environment that have this defined and ensuring they have strong passwords is a good thing.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Principals with constrained authentication delegation enabled for a DC service Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Detect - Domain Account Monitoring

Description
This indicator looks for principals (computers or users) that have constrained delegation enabled for a service running on a DC. If an
attacker can create such a delegation, they can authenticate to that service using any user that is not protected against delegation.

Likelihood of Compromise
Constrained delegation allows a service to act on behalf of an authenticated user to another service. While this is sometimes
necessary and requires the user to authenticate to the delegating service first, delegation to such services on domain controllers
greatly increases risk. An attacker that is able to compromise such a service can significantly elevate their privileges in this way and
infiltrate Active Directory.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Kerberos protocol transition delegation configured Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Credential Access
Lateral Movement
Privilege Escalation

Description
This indicator looks for services that have been configured to allow Kerberos protocol transition. This capability enables a delegated
service to use any available authentication protocol. This means that compromised services can reduce the quality of their
authentication protocol to something that is more easily compromised (e.g. NTLM).

Likelihood of Compromise
Protocol transition is not often used but when it is, it should be monitored closely for signs of abuse. In addition to compromising
the authentication strength, this setting also allows attackers to request delegations with no authentication.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Principals with constrained delegation using protocol transition enabled for a DC service Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_delegation_t2a4d

Description
This indicator looks for principals (computers or users) that have constrained delegation using protocol transition defined against a
service running on a DC.

Likelihood of Compromise
Protocol transition (also known as T2A4D) allows any user to authenticate to a delegated service using any protocol such as NTLM.
This allows the delegated service to request a TGS from Kerberos for any user without any proof such as that user's corresponding
TGT or TGS. If an attacker can create such a delegation for a service that they control or compromise an existing service, they can
effectively gain a TGS for any user with privileges to the DC.

Result
No evidence of exposure.

Remediation Steps
None
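Added example (not Semperis' code) consolidating the delegation checks from the Kerberos indicators above into one classifier over exported userAccountControl and msDS-AllowedToDelegateTo values: unconstrained delegation, constrained delegation with and without protocol transition (T2A4D), delegation to krbtgt, ghost SPNs and delegation to a DC service. The example.local hosts, the SPN inventory and the svc_* accounts are constructed; SvcBO_REC's userAccountControl value is the one shown in the report.

```python
# Added example (not Purple Knight's own code): classify Kerberos delegation from exported
# account attributes, covering the cases the indicators above describe.
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_NOT_DELEGATED = 0x100000
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

UAC_FLAG_NAMES = {
    UF_NORMAL_ACCOUNT: "NormalAccount",
    UF_WORKSTATION_TRUST_ACCOUNT: "WorkstationTrustAccount",
    UF_SERVER_TRUST_ACCOUNT: "ServerTrustAccount",
    UF_DONT_EXPIRE_PASSWD: "PasswordDoesNotExpire",
    UF_TRUSTED_FOR_DELEGATION: "TrustedForDelegation",
    UF_NOT_DELEGATED: "NotDelegated",
    UF_TRUSTED_TO_AUTH_FOR_DELEGATION: "TrustedToAuthForDelegation",
}


def decode_uac(uac):
    """Names of the known userAccountControl bits set in uac (e.g. the report's 590336)."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if uac & bit]


def classify_delegation(account, domain_spns, dc_hosts):
    """Return a list of finding strings for one account.

    account: dict with userAccountControl (int) and optional msDS-AllowedToDelegateTo (list).
    domain_spns: lower-cased SPNs registered anywhere in the domain (for ghost detection).
    dc_hosts: lower-cased host names / FQDNs of domain controllers.
    """
    uac = account["userAccountControl"]
    findings = []
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return findings  # DCs are trusted for delegation by design and are assessed separately
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation: TGTs of authenticating users are cached here")
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained delegation with protocol transition (T2A4D)")
        else:
            findings.append("constrained delegation (Kerberos only)")
    for spn in targets:
        service, _, rest = spn.partition("/")
        host = rest.split(":")[0].split("/")[0].lower()
        if service.lower() == "krbtgt":
            findings.append(f"delegation to krbtgt ({spn}): equivalent to a Golden Ticket")
        elif spn.lower() not in domain_spns:
            findings.append(f"ghost SPN {spn}: not registered on any account in the domain")
        elif host in dc_hosts:
            findings.append(f"delegation to a DC service ({spn})")
    return findings


# Constructed inventory: example.local names are placeholders; SvcBO_REC's value is from the report.
DOMAIN_SPNS = {s.lower() for s in [
    "BICMS/svcbo_rec.intranet.croix-rouge.asso.fr", "HTTP/recette-bo.croix-rouge.fr",
    "cifs/dc01.intranet.example.local", "ldap/dc01.intranet.example.local",
    "http/app01.intranet.example.local",
]}
DC_HOSTS = {"dc01", "dc01.intranet.example.local"}
ACCOUNTS = [
    {"sAMAccountName": "SvcBO_REC", "userAccountControl": 590336},
    {"sAMAccountName": "svc_web",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc01.intranet.example.local",
                                  "ldap/decom-01.intranet.example.local"]},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["krbtgt/INTRANET"]},
    {"sAMAccountName": "DC01$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
]


def assess_delegation(accounts=ACCOUNTS, domain_spns=DOMAIN_SPNS, dc_hosts=DC_HOSTS):
    """Map sAMAccountName -> findings for every account in the export."""
    return {a["sAMAccountName"]: classify_delegation(a, domain_spns, dc_hosts) for a in accounts}


if __name__ == "__main__":
    for name, findings in assess_delegation().items():
        print(name, "->", "; ".join(findings) or "no delegation configured")
```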

SECURITY INDICATOR
F
Users with SPN defined IOE Found
32 %

SEVERITY WEIGHT
Informational 3

Security Frameworks
MITRE ATT&CK
Privilege Escalation
MITRE D3FEND
Detect - Domain Account Monitoring

Description
This indicator provides a way to visually inventory all user accounts that have SPNs defined. Generally, SPNs are only defined for
"Kerberized" services, so an account with an SPN that should not have one could be cause for concern.

Likelihood of Compromise
SPNs are generally only defined for service accounts or other services that use Kerberos. If you see SPNs on other accounts, they
are worth investigating to determine if they are just an administrative error.

Result
Found 18 users with associated SPN.

DistinguishedName | SamAccountName | ServicePrincipalName | AES Enabled | Ignored
CN=qualiac sso dev,CN=Users,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev | http/qualiqua.croix-rouge.fr | False | False
CN=ping poc,CN=Users,DC=croix-rouge,DC=asso,DC=fr | ping_poc | HTTP/dev0001in009.croix-rouge.asso.fr; HTTP/dev0001in009.intranet.croix-rouge.asso.fr; HTTP/DEV0001IN009.intranet.crfrec.local; HTTP/ping-poc.croix-rouge.fr | False | False
CN=svcBO,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svcBO | HTTP/pri0001in155; HTTP/pri0001in155.intranet.croix-rouge.asso.fr; HTTP/decisionnel; HTTP/decisionnel.intranet.croix-rouge.asso.fr; BICMS/svcbo.intranet.croix-rouge.asso.fr | False | False
CN=SvcBO_PROD,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_PROD | HTTP/bo.croix-rouge.asso.fr; HTTP/pri0001in196.intranet.croix-rouge.asso.fr; HTTP/pri0001in196; BICMS/svcBO_PROD.intranet.croix-rouge.asso.fr | False | False
CN=SvcBO_PROD2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_PROD2 | HTTP/PRI00000DC194; HTTP/PRI00000DC194.intranet.croix-rouge.asso.fr; HTTP/bo.croix-rouge.fr; BICMS/Svcbo_PROD2.intranet.croix-rouge.asso.fr | False | False
CN=SvcBO_REC,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_REC | BICMS/svcbo_rec.intranet.croix-rouge.asso.fr; HTTP/recette-bo.croix-rouge.fr; HTTP/REC00000DC194.intranet.croix-rouge.Asso.fr; HTTP/REC00000DC194 | False | False
CN=service ADFS 365,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_adfs | host/id.croix-rouge.fr | False | False
CN=svc prod_okta_IWA,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_prod_okta_IWA | HTTP/croix-rouge.kerberos.okta.com | False | False
CN=Qualiac SSO Dev2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev2 | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiacdev2.croix-rouge.fr | False | False
CN=Qualiac SSO Recette,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_recette | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiac-recette.authentification.croix-rouge.fr; http/rec0002in101.intranet.croix-rouge.asso.fr; http/rec0002in102.intranet.croix-rouge.asso.fr; http/qualiac-recette.croix-rouge.fr | False | False
Showing 10 of 18

Remediation Steps
If possible, use Group Managed Service Accounts instead of regular users, or ensure that all users that have an SPN are not primary
users and are treated as service accounts.

SECURITY INDICATOR
F
Primary users with SPN not supporting AES encryption on Kerberos IOE Found
0 %

SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Credential Access
ANSSI
vuln3_kerberos_properties_encryption

Description
This indicator shows all primary users with SPNs that do not support the AES-128 or AES-256 encryption types.

Likelihood of Compromise
AES encryption is stronger than RC4 encryption. Configuring primary users with an SPN to support AES encryption will not by itself
mitigate attacks such as Kerberoasting, but it does make AES the default, which makes it possible to monitor for encryption
downgrade attacks to RC4 (Kerberoasting attacks).

Result
Found 17 primary users with SPN not supporting AES encryption.
DistinguishedName | ServicePrincipalName | SamAccountName | Ignored
CN=qualiac sso dev,CN=Users,DC=croix-rouge,DC=asso,DC=fr | http/qualiqua.croix-rouge.fr | qualiac_sso_dev | False
CN=ping poc,CN=Users,DC=croix-rouge,DC=asso,DC=fr | HTTP/dev0001in009.croix-rouge.asso.fr; HTTP/dev0001in009.intranet.croix-rouge.asso.fr; HTTP/DEV0001IN009.intranet.crfrec.local; HTTP/ping-poc.croix-rouge.fr | ping_poc | False
CN=svcBO,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/pri0001in155; HTTP/pri0001in155.intranet.croix-rouge.asso.fr; HTTP/decisionnel; HTTP/decisionnel.intranet.croix-rouge.asso.fr; BICMS/svcbo.intranet.croix-rouge.asso.fr | svcBO | False
CN=SvcBO_PROD,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/bo.croix-rouge.asso.fr; HTTP/pri0001in196.intranet.croix-rouge.asso.fr; HTTP/pri0001in196; BICMS/svcBO_PROD.intranet.croix-rouge.asso.fr | SvcBO_PROD | False
CN=SvcBO_PROD2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/PRI00000DC194; HTTP/PRI00000DC194.intranet.croix-rouge.asso.fr; HTTP/bo.croix-rouge.fr; BICMS/Svcbo_PROD2.intranet.croix-rouge.asso.fr | SvcBO_PROD2 | False
CN=SvcBO_REC,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | BICMS/svcbo_rec.intranet.croix-rouge.asso.fr; HTTP/recette-bo.croix-rouge.fr; HTTP/REC00000DC194.intranet.croix-rouge.Asso.fr; HTTP/REC00000DC194 | SvcBO_REC | False
CN=service ADFS 365,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | host/id.croix-rouge.fr | svc_adfs | False
CN=svc prod_okta_IWA,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/croix-rouge.kerberos.okta.com | svc_prod_okta_IWA | False
CN=Qualiac SSO Dev2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiacdev2.croix-rouge.fr | qualiac_sso_dev2 | False
CN=Qualiac SSO Recette,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiac-recette.authentification.croix-rouge.fr; http/rec0002in101.intranet.croix-rouge.asso.fr; http/rec0002in102.intranet.croix-rouge.asso.fr; http/qualiac-recette.croix-rouge.fr | qualiac_sso_recette | False
Showing 10 of 17

Remediation Steps
Best practice is to enable AES encryption support on service accounts. Follow Microsoft guidance here.

SECURITY INDICATOR
C+
Privileged users with SPN defined IOE Found
88 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Credential Access
Privilege Escalation
ANSSI
vuln1_spn_priv

Description
This indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account.
In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that
can elevate privileges to those accounts. By default, the krbtgt account falls under this category but is a special case and is not
considered part of this indicator.

Likelihood of Compromise
This is a significant issue that can allow an attacker to elevate privileges in a domain. Audit all accounts where privileged access is
possible, looking for anomalous access. If any is found, a breach or ongoing attack should be further investigated.

Result
Found 1 privileged user with associated SPN.
DistinguishedName | SamAccountName | ServicePrincipalName | AES Enabled | EventTimestamp | Ignored
CN=PRR0000IN001,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | PRR0000IN001$ | MSSQLSvc/PRR0000IN001.croix-rouge.asso.fr:1433; Agent VProRecovery Backup Exec System Recovery 7.0/PRR0000IN001.croix-rouge.asso.fr; HOST/PRR0000IN001.croix-rouge.asso.fr; HOST/PRR0000IN001 | False | 19/08/2008 09:00:05 | False
Showing 1 of 1

Remediation Steps
Remove SPN from privileged accounts when not required or mitigate by other means.

SECURITY INDICATOR
A+
Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD) Pass
100 %

SEVERITY WEIGHT
Informational 5

Security Frameworks
MITRE ATT&CK
Credential Access
Lateral Movement
Privilege Escalation

Description
With sufficient permissions on a computer account and the ability to create another user or computer security principal, it is
possible to compromise resources on that computer account using Kerberos resource-based constrained delegation (RBCD). This
indicator looks for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects.

Likelihood of Compromise
Attackers may utilize Kerberos RBCD configuration to escalate privileges through a computer they control if that computer has
delegation to the target service.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
Domain controllers with Resource-Based Constrained Delegation (RBCD) enabled Pass
100 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Defense Evasion
Lateral Movement
Privilege Escalation
ANSSI
vuln1_delegation_sourcedeleg

Description
This indicator detects a configuration that grants certain accounts complete delegation to domain controllers. Delegation
to privileged resources such as DCs should be avoided. Resource-based constrained delegation is configured on the target
resource, as opposed to other delegation types, which are configured on the accounts accessing the resource.

Likelihood of Compromise
An attacker needs to know the Service Principal Name (SPN) of the object they want to delegate, as well as be able to populate the
msDS-AllowedToActOnBehalfOfOtherIdentity attribute with a computer account that they control. This is sometimes possible when
unprivileged users are by default allowed to create computer accounts (MachineAccountQuota) and write the attribute to the
target computer.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
A+
krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled Pass
100 %

SEVERITY WEIGHT
Critical 9

Security Frameworks
MITRE ATT&CK
Privilege Escalation
ANSSI
vuln1_delegation_a2d2

Description
It is possible to create a Kerberos delegation on the krbtgt account itself. Such a delegation to a user or computer would allow that
principal to generate a Ticket Granting Service (TGS) request to the krbtgt account as any user, which has the effect of generating a
Ticket Granting Ticket (TGT) similar to a Golden Ticket. This indicator looks for a krbtgt account that has Resource-Based
Constrained Delegation (RBCD) defined.

Likelihood of Compromise
This type of attack should be easy to spot as no delegations should normally be created on the krbtgt account. However, if they are
found, they would represent a significant risk and should be mitigated quickly.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
D-
Write access to RBCD on DC IOE Found
52 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Credential Access

Description
This indicator looks for Write access on RBCD for Domain Controllers to users who are not in Domain Admins, Enterprise Admins
and Built-in Admins groups.

Likelihood of Compromise
This setting enables configuring RBCD on Domain Controllers. An attacker that is able to gain Write access to RBCD for a resource
can cause that resource to impersonate any user (except where delegation is explicitly disallowed). Write on RBCD is always a high
privilege, but when it is on a DC, the impact is substantial as an attacker can delegate to a controlled resource as a privileged user
and abuse the DC services.

Result
Found 4 DCs on which the listed principals can write to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

DistinguishedName | Access | Ignored
CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateurs clés Enterprise Allow: GenericAll on: All Properties | False
CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateurs clés Enterprise Allow: GenericAll on: All Properties | False
CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateurs clés Enterprise Allow: GenericAll on: All Properties | False
CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | CROIX-ROUGE\Administrateurs clés Enterprise Allow: GenericAll on: All Properties | False
Showing 4 of 4

Remediation Steps
For each DC listed, ensure that the principals who can set resource-based constrained delegation are valid.

SECURITY INDICATOR
A+
Write access to RBCD on krbtgt account Pass
100 %

SEVERITY WEIGHT
Warning 7

Security Frameworks
MITRE ATT&CK
Credential Access

Description
This indicator looks for Write access on RBCD for the krbtgt account to users who are not in Domain Admins, Enterprise Admins
and Built-in Admins groups.

Likelihood of Compromise
This setting enables configuring RBCD on the krbtgt account. An attacker that is able to gain Write access to RBCD for a resource
can cause that resource to impersonate any user (except where delegation is explicitly disallowed). Write on RBCD is always a high
privilege, but when it is on the krbtgt account, the impact is substantial because it allows the attacker to create TGS for krbtgt for
any user, which can then be used as a TGT.

Result
No evidence of exposure.

Remediation Steps
None

SECURITY INDICATOR
F
RC4 or DES encryption type are supported by Domain Controllers IOE Found
0 %

SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Privilege Escalation
Credential Access
ANSSI
vuln2_dc_crypto
vuln4_dc_crypto

Description
This indicator checks whether RC4 or DES encryption is supported by Domain Controllers.

Likelihood of Compromise
RC4 and DES are considered insecure forms of encryption, susceptible to various cryptographic attacks. Multiple vulnerabilities in
the RC4 and DES algorithms allow MitM and deciphering attacks. See CVE-2013-2566 and CVE-2015-2808.

Result
Found 157 Domain Controllers that support RC4 or DES encryption.

DistinguishedName | SupportedEncryptionTypes | EventTimestamp | Ignored
CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 02/07/2020 13:28:36 | False
CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 12/02/2021 09:50:31 | False
CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/11/2021 14:44:25 | False
CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/11/2021 15:13:24 | False
CN=PCI3670ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 13/03/2018 09:34:38 | False
CN=PCI1814ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 15/09/2017 09:57:34 | False
CN=PCI1859ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 26/03/2019 08:49:30 | False
CN=PCI2223ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 07/06/2017 14:34:55 | False
CN=PCI1722ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 07/12/2016 15:07:20 | False
CN=PCI1811ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 05/10/2017 08:43:04 | False
Showing 10 of 157

Remediation Steps
It is best practice to disable support for RC4 and DES on domain controllers. Proceed with caution, as this can cause clients that
request RC4-encrypted Kerberos tickets by default to fail. Disable it by configuring the group policy setting Network security:
Configure encryption types allowed for Kerberos to allow only the AES-128 and AES-256 encryption types, in a GPO that applies to the
Domain Controllers container. The group policy path is Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options.

CATEGORY
HYBRID
WEIGHT EVALUATED INDICATORS FOUND
N/A
7 0 0
Hybrid indicators help you understand and mitigate the risks associated with a hybrid identity environment. Active Directory is a perimeter
point for Azure AD and a popular attack vector. Understanding where the Active Directory perimeter connects to Azure AD clarifies
how to secure the Active Directory entry point.
SECURITY INDICATOR
Resource Based Constrained Delegation applied to AZUREADSSOACC account Not Relevant
N/A
SEVERITY WEIGHT
Warning 5

Security Frameworks
MITRE ATT&CK
Lateral Movement
Credential Access

Description
This indicator looks for Resource Based Constrained Delegation configured for the Azure SSO account AZUREADSSOACC.

Likelihood of Compromise
It is possible to create a Kerberos Resource Based Constrained Delegation on the AZUREADSSOACC account itself. An account with
such delegation would allow that principal to generate a Ticket Granting Service (TGS) request to the Azure tenant on behalf of the
AZUREADSSOACC account as any user and impersonate that user.

Result
This indicator is only relevant for environments with AAD Connect. No IDs for AAD Connect were detected in the environment.

Remediation Steps
None

SECURITY INDICATOR
SSO computer account with password last set over 90 days ago Not Relevant
N/A
SEVERITY WEIGHT
Warning 6

Security Frameworks
MITRE ATT&CK
Credential Access
ANSSI
vuln2_password_change_server_no_change_90

Description
This indicator checks the SSO computer account (AZUREADSSOACC) to determine if the password has been rotated in the last 90
days.

Likelihood of Compromise
The computer account used for Azure SSO (AZUREADSSOACC) does not automatically change its password every 30 days. If the
password for this account is compromised, an attacker could generate a Ticket Granting Service (TGS) request to the
AZUREADSSOACC account as any user, which has the effect of generating a ticket to Azure and impersonating that user.

Result
This indicator is only relevant for environments with AAD Connect. No IDs for AAD Connect were detected in the environment.

Remediation Steps
None

Appendix 1 - Domains list

croix-rouge.asso.fr
intranet.croix-rouge.asso.fr

Appendix 2 - Scoring method

How do we determine the tests' score


The risk scores included in this report reveal the security posture of the Active Directory environment that was assessed. Risk scores are represented by percentage and letter
grade. It is recommended to aim for the highest score possible; a 100% (A+) risk score indicates that there were no Indicators of Exposure (IOEs) found for the security
indicators that were assessed. The following explanation is intended to help you understand the scoring methodology and factors used to calculate the risk scores presented
in this report.

Risk scores:
The Security Assessment report provides the following risk scores:
Security Indicator risk score: Each individual security indicator evaluated is assigned a score according to its internal logic and the relative number of results found. The
individual security indicator score is assigned a weight (a value between 1 and 10) according to the risk of the IOE found and the likelihood of compromise. This weighted score,
together with a general industry risk factor, affects the score assigned to the relevant category.
Category risk score: The security indicators included in the tool cover a range of categories that represent different aspects of Active Directory security posture. The
category risk score is based on the test results and severity of each individual security indicator that was evaluated within the relevant category.
Overall risk score: The overall risk score is derived from a weighted average of all indicator results, which are aggregated according to their respective severity levels.
NOTE: When calculating the risk scores, only security indicators and categories included in the assessment are counted (i.e., security indicators that passed and those that
resulted in IOEs found). Security indicators that were not selected, were cancelled, or failed to run are not taken into account. For an accurate assessment, it is recommended that
you include all security indicators and all domains in the selected forest.
Scoring methods/factors:
Letter grading: Each score is assigned a suitable letter grade according to the following table:

Grade | Score
A+ | 100
A | 99
A- | 98
B+ | 96-97
B | 93-95
B- | 90-92
C+ | 86-89
C | 81-85
C- | 75-80
D+ | 67-74
D | 58-66
D- | 44-57
F | 0-43

Risk factors: To determine the risk level of a particular security indicator, the following factors are taken into consideration:
Severity (Informational, Warning, Critical)
Likelihood of compromise
The DREAD Threat Probability Matrix

DREAD Threat Probability Matrix

DREAD | Question | High (3) | Medium (2) | Low (1)
Damage potential | How bad would the attack be? | Significant damage: The attacker can subvert the security system and gain full trust authorization. | Moderate damage: The attacker can access/leak sensitive information. | Minimal damage: The attacker can only access/leak trivial information.
Reproducibility | How easy would it be to recreate the attack? | The attack can be consistently reproduced and does not require a specific timing window. | The attack can be reproduced, but only within a specific timing window and in a particular sequence. | The attack is very difficult to reproduce, even with knowledge of the security weakness/vulnerability.
Exploitability | How easy would it be to launch the attack? | A novice programmer could perform the attack with minimal effort. | Requires a skilled programmer to launch the attack and be able to repeat the steps. | Requires an extremely skilled programmer with in-depth knowledge to launch an attack.
Affected users | How many users would be impacted? | A large percentage or all users are impacted; default configuration and key customers are impacted. | A moderate percentage of users are impacted; non-default configuration is impacted. | A very small percentage of users are impacted; anonymous users are affected.
Discoverability | How easy would it be for the attacker to discover this exposure? | Easily discovered. Published information explains the vulnerability and attack technique. The vulnerability is found in commonly used features and is very noticeable. | Would require some effort to discover and successfully exploit. The vulnerability is found in a seldomly-used part of the product and only a few users should discover it. | Hard to discover. The issue is obscure, and it is unlikely that users would discover a way to cause damage.

Appendix 3 - ANSSI Scorecard

The following section displays the breakdown of indicators within the framework of the French National Agency for the Security of Information Systems (ANSSI).
For more information visit: https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html

ANSSI LEVEL 1
Critical weaknesses and misconfigurations pose an immediate threat to all hosted resources. Corrective actions should be taken as soon as possible.

EVALUATED: 39/39 | INDICATORS FOUND: 13 | PASSED: 26 | FAILED TO RUN: 0 | CANCELED: 0 | NOT SELECTED: 0

ANSSI ID | INDICATOR NAME
vuln1_password_change_priv | Built-in domain Administrator account with old password (180 days)
vuln1_permissions_adminsdholder, vuln1_privileged_members_perm | Permission changes on AdminSDHolder object
vuln1_delegation_a2d2 | Accounts with altSecurityIdentities configured
vuln1_dsheuristics_bad | Anonymous NSPI access to AD enabled
vuln1_adcs_control | Dangerous control paths expose certificate containers
vuln1_adcs_template_auth_enroll_with_name | Certificate templates with 3 or more insecure configurations
vuln1_adcs_template_control | Dangerous control paths expose certificate templates
vuln1_adcs_template_auth_enroll_with_name | Certificate templates that allow requesters to specify a subjectAltName
vuln1_password_change_dc_no_change | Domain controllers with old passwords
vuln1_delegation_a2d2 | Accounts with Constrained Delegation configured to krbtgt
vuln1_trusts_domain_notfiltered | Dangerous Trust Attribute Set
vuln1_delegation_a2d2 | Accounts with Constrained Delegation configured to ghost SPN
vuln1_dnszone_bad_prop | Unsecured DNS configuration
vuln1_dc_inconsistent_uac | Domain Controllers in inconsistent state
vuln1_permissions_dc | Domain Controller owner is not an administrator
vuln1_functional_level | Domains with obsolete functional levels
vuln1_permissions_dpapi | Non-default access to DPAPI key
vuln1_dsheuristics_bad | Operator groups no longer protected by AdminSDHolder and SDProp
vuln1_user_accounts_dormant | Enabled admin accounts that are inactive
vuln1_password_change_inactive_dc | Domain controllers that have not authenticated to the domain for more than 45 days
vuln1_privileged_members | Forest contains more than 50 privileged accounts
vuln1_primary_group_id_1000 | Users and computers with non-default Primary Group IDs
vuln1_permissions_schema | Non-standard schema permissions
vuln1_delegation_t2a4d | Principals with constrained delegation using protocol transition enabled for a DC service
vuln1_password_change_priv | Admins with old passwords
vuln1_trusts_forest_sidhistory | Outbound forest trust with SID History enabled
vuln1_trusts_domain_notfiltered | Domain trust to a third-party domain without quarantine
vuln1_spn_priv | Privileged users with SPN defined
vuln1_delegation_sourcedeleg | Domain controllers with Resource-Based Constrained Delegation (RBCD) enabled
vuln1_delegation_a2d2 | krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled
vuln1_permissions_naming_context | Non-default principals with DC Sync rights on the domain
vuln1_permissions_msdns, vuln1_dnsadmins | Unprivileged principals as DNS Admins
vuln1_permissions_adminsdholder | Privileged objects with unprivileged owners
vuln1_dont_expire_priv | Privileged accounts with a password that never expires
vuln1_kerberos_properties_preauth_priv | Users with Kerberos pre-authentication disabled
vuln1_certificates_vuln | Weak certificate cipher
vuln1_permissions_gpo_priv | GPO linking delegation at the AD Site level
vuln1_permissions_gpo_priv | GPO linking delegation at the domain controller OU level
vuln1_permissions_gpo_priv | GPO linking delegation at the domain level

ANSSI LEVEL 2
Configuration and management weaknesses put all hosted resources at risk of a short-term compromise. Corrective actions should be carefully planned and
implemented shortly.

EVALUATED: 15/17 | INDICATORS FOUND: 7 | PASSED: 8 | FAILED TO RUN: 1 | CANCELED: 0 | NOT SELECTED: 0

ANSSI ID | INDICATOR NAME
vuln2_password_change_server_no_change_90 | SSO computer account with password last set over 90 days ago
vuln2_compatible_2000_anonymous | Anonymous access to Active Directory enabled
vuln2_password_change_server_no_change_90 | Computers with password last set over 90 days ago
vuln2_delegation_t4d | Computer or user accounts with SPN that have unconstrained delegation
vuln2_adupdate_bad | Enterprise Key Admins with full access to domain
vuln2_guest | Built-in guest account is enabled
vuln2_krbtgt | Kerberos krbtgt account with old password
vuln2_sysvol_ntfrs | NTFRS SYSVOL Replication
vuln2_privileged_members_password | Privileged Users with Weak Password Policy
vuln2_dc_crypto | RC4 or DES encryption type are supported by Domain Controllers
vuln2_sidhistory_dangerous | Recent sIDHistory changes on objects
vuln2_rodc_priv_revealed | Risky RODC credential caching
vuln2_sidhistory_dangerous | Well-known privileged SIDs in sIDHistory
vuln2_trusts_accounts | Trust accounts with old passwords
vuln2_kerberos_properties_deskey | User accounts that use DES encryption
vuln2_dont_expire | Users with Password Never Expires flag set
vuln2_kerberos_properties_preauth | Users with Kerberos pre-authentication disabled

ANSSI LEVEL 3
The Active Directory infrastructure does not appear to have been weakened from what default installation settings provide.

EVALUATED: 6/6 | INDICATORS FOUND: 2 | PASSED: 4 | FAILED TO RUN: 0 | CANCELED: 0 | NOT SELECTED: 0

ANSSI ID | INDICATOR NAME
vuln3_functional_level | Domains with obsolete functional levels
vuln3_primary_group_id_nochange | Users and computers with non-default Primary Group IDs
vuln3_kerberos_properties_encryption | Primary users with SPN not supporting AES encryption on Kerberos
vuln3_protected_users | Protected Users group not in use
vuln3_sidhistory_present | Well-known privileged SIDs in sIDHistory
vuln3_reversible_password | User accounts that store passwords with reversible encryption

ANSSI LEVEL 4
The Active Directory infrastructure exhibits an enhanced level of security and management.

EVALUATED: 2/2 | INDICATORS FOUND: 1 | PASSED: 1 | FAILED TO RUN: 0 | CANCELED: 0 | NOT SELECTED: 0

ANSSI ID | INDICATOR NAME
vuln4_functional_level | Domains with obsolete functional levels
vuln4_dc_crypto | RC4 or DES encryption type are supported by Domain Controllers

Appendix 4

Changes to MS LAPS read permissions result


Showing 30 of 2258

DistinguishedName Access
S-1-5-32-548 GenericAll on: All Properties;
INTRANET\Admin_sidibeb DeleteTree,
CN=P3693ET009,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr ExtendedRight, Delete, GenericRead on: All
Properties;
INTRANET\GG0000_Admin_OU_Territoire
GenericAll on: All Properties
S-1-5-32-548 GenericAll on: All Properties;
INTRANET\admin_rapint DeleteTree,
CN=PRI4712ET001,OU=4712_POLE_SOLIDARITES_BRETAGNE,OU=Serveurs,OU=Bretagne,OU=TERRITOIRE,DC=intranet,DC=croix- ExtendedRight, Delete, GenericRead on: All
rouge,DC=asso,DC=fr Properties; INTRANET\Admin_bretagne
GenericAll on: All Properties;
INTRANET\GG0000_Admin_OU_Territoire
GenericAll on: All Properties
S-1-5-32-548 GenericAll on: All Properties;
INTRANET\Admin_HocineT DeleteTree,
ExtendedRight, Delete, GenericRead on: All
Properties; INTRANET\Admin_IDF_BTC
CN=W4247ET137,OU=Ordinateurs,OU=PAS EVRY,OU=4247_Pole Accompagnement Des Familles,OU=Filiere GenericAll on: All Properties;
Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | INTRANET\Admin_IDF_Exclusion GenericAll on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=W1947ET017,OU=Ordinateurs,OU=1947_EHPAD_ROCHECHOUART,OU=Filiere Personnes agees,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_prevostm ExtendedRight, GenericRead on: All Properties; INTRANET\Admin_NA GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI3632ET002,OU=3632_EEAP_BLAMONT,OU=Serveurs,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_maurerf DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Grand-Est DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Grand-Est GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI2021ET014,OU=2021_EHPAD_ARGENTEUIL,OU=Serveurs,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_HocineT DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P4151ET031,OU=Ordinateurs,OU=4151_EHPAD_NOTRE_MAISON,OU=Filiere Personnes agees,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_hanidz DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI0000DC5003,OU=AWS,OU=PROD,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\GG0000_Admin_AD_EXPLOITATION ReadProperty, ExtendedRight on: ms-mcs-admpwd
CN=W1877ET010,OU=Ordinateurs,OU=1877_ESAT_LES_ECHELLES,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_abdeddaimr DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_RA-Auvergne_Handicap GenericAll on: All Properties; INTRANET\Admin_RA-Auvergne GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

- 82 - ©2023 Semperis. All rights reserved.


CN=P1886ET015,OU=Ordinateurs,OU=1886_HDJ_ETINCELLE,OU=Filiere Sanitaire,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_sidibeb DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P4132ET2002,OU=Ordinateurs,OU=4132_IRFSS_GRENOBLE,OU=Filiere Formation,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_abouhalai DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_RA-Auvergne_formation GenericAll on: All Properties; INTRANET\Admin_RA-Auvergne GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P3712ET081,OU=Ordinateurs,OU=3712_CHRS_POITIERS,OU=Filiere Exclusion,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\svc_prod_master_dell ExtendedRight, GenericRead on: All Properties; INTRANET\Admin_NA GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=W1785ET233,OU=Fixes,OU=1785,OU=Ordinateurs,OU=1785_IFTS_OLLIOULES,OU=Filiere Formation,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_laforestf DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI1749ET003,OU=1749_IFSI_CHALONS-EN-CHAMPAGNE,OU=Serveurs,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_marceult DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Grand-Est GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI1880ET004,OU=1880_EHPAD_ECLAIRCIE,OU=Serveurs,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_michelmax DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_RA-Auvergne GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P4132ET1910,OU=Ordinateurs,OU=4132_IRFSS_GRENOBLE,OU=Filiere Formation,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_bensalahr DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_RA-Auvergne_formation GenericAll on: All Properties; INTRANET\Admin_RA-Auvergne GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P8007CRI013,OU=Ordinateurs,OU=4837_IMPULSE_TOIT,OU=Croix-rouge Insertion,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_Pacac_CRI GenericAll on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P4073ET012,OU=Ordinateurs,OU=4073_CDFP_GUYANE,OU=Filiere Formation,OU=973_Guyane,OU=Structures,OU=Outre Mer,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_gouillarts DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_OM_973 GenericAll on: All Properties; INTRANET\Admin_OM GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=W1796ET052,OU=Ordinateurs,OU=1796_IME_MIRASOL,OU=Pole Mougins,OU=Filiere Handicap,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_hanidz DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

CN=W4559ET006,OU=4559_MNA93,OU=Ordinateurs,OU=3832_PEM_PEMIE_MNA_BOBIGNY,OU=Filiere Protection Enfance,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_HocineT DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P1813ET019,OU=Ordinateurs,OU=1813_CPHR_QUETIGNY,OU=Filiere Exclusion,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\svc_prod_master_dell ExtendedRight, GenericRead on: All Properties; INTRANET\Admin_BFC GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P1742ET008,OU=Ordinateurs,OU=1742_IRFSS_LONS_LE_SAUNIER,OU=Filiere Formation,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_michelmax DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_BFC_FORMATION GenericAll on: All Properties; INTRANET\Admin_BFC GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=P1940ET012,OU=Ordinateurs,OU=1940_SSIAD_APT,OU=Filiere Domicile,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_hanidz DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI2602ET001,OU=2602_HAD_DE_LA_NIEVRE,OU=Serveurs,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_Rousseaud ExtendedRight, GenericRead on: All Properties; INTRANET\Admin_BFC GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=W2121ET016,OU=Ordinateurs,OU=2121_CRFP-IDF,OU=Pole Romainville,OU=Filiere Formation,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_RegnierBr DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI3619DR021,OU=3619_DR Noisy le Grand,OU=Serveurs,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_HocineT DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_IDF GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=PRI1785ET001,OU=1785_IFTS_OLLIOULES,OU=Serveurs,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_laforestf DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=TEST-GPO,OU=Serveurs,OU=Test,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\Admin_OU_TEST GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties
CN=W1796ET047,OU=Ordinateurs,OU=1796_IME_MIRASOL,OU=Pole Mougins,OU=Filiere Handicap,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_alonzol DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_Pacac GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

CN=P1808ET058,OU=Portables,OU=Ordinateurs,OU=1808_SSR_RICHELIEU,OU=Filiere Sanitaire,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | S-1-5-32-548 GenericAll on: All Properties; INTRANET\admin_bouthiere DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; INTRANET\Admin_NA_SRR_RICHELIEU GenericAll on: All Properties; INTRANET\Admin_NA GenericAll on: All Properties; INTRANET\GG0000_Admin_OU_Territoire GenericAll on: All Properties

Saved to SI000035 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx
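The Access column above lists one ACE per principal and object, which makes it hard to see who can do what across the fleet. The Python below is an added example, not code from the Purple Knight report: it parses Access cells written in the format printed above and groups principals by what their rights give them on a computer object. S-1-5-32-548 is BUILTIN\Account Operators, which gets full control over every computer object from the computer class's default security descriptor, so it is skipped as expected. The three sample cells are transcribed from rows above; the `known_delegation` set is an assumption standing in for the groups whose delegation is intended, which this appendix does not state.

```python
import re
from collections import defaultdict

# Constructed sample: three (DistinguishedName, Access) pairs transcribed from the appendix rows above.
SAMPLE_ROWS = [
    ("CN=PRI3632ET002,OU=3632_EEAP_BLAMONT,OU=Serveurs,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr",
     "S-1-5-32-548 GenericAll on: All Properties; "
     "INTRANET\\admin_maurerf DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; "
     "INTRANET\\Admin_Grand-Est DeleteTree, ExtendedRight, Delete, GenericRead on: All Properties; "
     "INTRANET\\Admin_Grand-Est GenericAll on: All Properties; "
     "INTRANET\\GG0000_Admin_OU_Territoire GenericAll on: All Properties"),
    ("CN=PRI0000DC5003,OU=AWS,OU=PROD,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr",
     "S-1-5-32-548 GenericAll on: All Properties; "
     "INTRANET\\GG0000_Admin_AD_EXPLOITATION ReadProperty, ExtendedRight on: ms-mcs-admpwd"),
    ("CN=P3712ET081,OU=Ordinateurs,OU=3712_CHRS_POITIERS,OU=Filiere Exclusion,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr",
     "S-1-5-32-548 GenericAll on: All Properties; "
     "INTRANET\\svc_prod_master_dell ExtendedRight, GenericRead on: All Properties; "
     "INTRANET\\Admin_NA GenericAll on: All Properties; "
     "INTRANET\\GG0000_Admin_OU_Territoire GenericAll on: All Properties"),
]

ACCOUNT_OPERATORS = "S-1-5-32-548"   # BUILTIN\Account Operators: full control on computers via the class default SD
LAPS_ATTR = "ms-mcs-admpwd"          # legacy LAPS local administrator password, a confidential attribute
ALL_PROPERTIES = "all properties"

TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
DELETE_RIGHTS = {"GenericAll", "Delete", "DeleteTree"}

# "<principal> <right>, <right> on: <target>" as printed in the report's Access column
ACE_RE = re.compile(r"^(?P<principal>\S+)\s+(?P<rights>.+?)\s+on:\s*(?P<target>.+)$")


def parse_access(cell):
    """Split one Access cell into (principal, frozenset_of_rights, target) tuples."""
    entries = []
    for chunk in cell.split(";"):
        chunk = " ".join(chunk.split())  # collapse whitespace left over from PDF line wrapping
        if not chunk:
            continue
        m = ACE_RE.match(chunk)
        if m is None:
            raise ValueError(f"unparsed ACE: {chunk!r}")
        rights = frozenset(r.strip() for r in m["rights"].split(","))
        entries.append((m["principal"], rights, m["target"].lower()))
    return entries


def capabilities(rights, target):
    """What one ACE lets its holder do to a computer object."""
    caps = set()
    if target == ALL_PROPERTIES and rights & TAKEOVER_RIGHTS:
        # full control: reset the machine password, write msDS-AllowedToActOnBehalfOfOtherIdentity, rewrite the DACL
        caps.add("takeover")
    if (target == ALL_PROPERTIES and "GenericAll" in rights) or (
        "ExtendedRight" in rights and target in (ALL_PROPERTIES, LAPS_ATTR)
    ):
        # reading a confidential attribute needs control-access on it (plus read-property, which the
        # report shows granted alongside); ExtendedRight on all properties is every control-access right
        caps.add("laps-read")
    if target == ALL_PROPERTIES and rights & DELETE_RIGHTS:
        caps.add("delete")
    return caps


def audit(rows, known_delegation=frozenset()):
    """Map principal -> capability -> sorted DNs, skipping Account Operators and groups whose delegation is intended."""
    found = defaultdict(lambda: defaultdict(set))
    for dn, cell in rows:
        for principal, rights, target in parse_access(cell):
            if principal == ACCOUNT_OPERATORS or principal in known_delegation:
                continue
            for cap in capabilities(rights, target):
                found[principal][cap].add(dn)
    return {p: {c: sorted(dns) for c, dns in caps.items()} for p, caps in found.items()}


if __name__ == "__main__":
    for principal, caps in sorted(audit(SAMPLE_ROWS).items()):
        print(principal, {c: len(d) for c, d in caps.items()})
```

Run against the full SI000035 tab of the workbook, the interesting output is the per-person accounts (admin_maurerf, svc_prod_master_dell and the like) that land in "laps-read" or "delete" on individual machines next to the regional groups, and the one object where a LAPS read was delegated on the attribute itself rather than through GenericAll.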



Appendix 5

Abnormal Password Refresh result


Showing 30 of 75

DistinguishedName | SamAccountName | EventTimestamp | Ignored
CN=becavinc,OU=Utilisateurs,OU=1930_IME_RONDO,OU=Pole Handicap 78,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | becavinc | 05/03/2024 21:59:42 | False
CN=rakotosonj,OU=Utilisateurs,OU=PAF CRETEIL,OU=4247_Pole Accompagnement Des Familles,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | rakotosonj | 05/03/2024 19:52:05 | False
CN=appiahottukuasarg,OU=Utilisateurs,OU=2020_EHPAD_BEAUCHAIS,OU=Pole Gerontologique 95,OU=Filiere Personnes Agees,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | appiahottukuasarg | 05/03/2024 20:13:58 | False
CN=begous,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | begous | 05/03/2024 21:11:17 | False
CN=julianli,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | julianli | 05/03/2024 19:15:37 | False
CN=allardeta,OU=Utilisateurs,OU=3662_IRFSS_LIMOUSIN,OU=Filiere Formation,OU=Structures,OU=Nouvelle Aquitaine,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | allardeta | 23/02/2024 07:57:11 | False
CN=foureurg,OU=Utilisateurs,OU=1830_IME_SOLN,OU=Filiere Handicap,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | foureurg | 05/03/2024 20:35:19 | False
CN=FeuillatreC,OU=Utilisateurs,OU=1928_EHPAD_STEPHANIE,OU=Pole Gerontologique 78,OU=Filiere Personnes Agees,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | FeuillatreC | 05/03/2024 20:10:16 | False
CN=arnoultj,OU=Utilisateurs,OU=1777_IDE75,OU=Pole Paris,OU=Filiere Formation,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | arnoultj | 05/03/2024 20:01:48 | False
CN=brahama,OU=Utilisateurs,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | brahama | 05/03/2024 22:25:21 | False
CN=bavouxa,OU=Utilisateurs,OU=3796_CMCR_MASSUES,OU=Filiere Sanitaire,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | bavouxa | 05/03/2024 20:31:40 | False
CN=nanitelamiojp,OU=EHPAD,OU=Utilisateurs,OU=1926_EHPAD_CHAMPSFLEUR,OU=Pole Gerontologique 78,OU=Filiere Personnes Agees,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | nanitelamiojp | 05/03/2024 21:56:28 | False
CN=niassea,OU=EHPAD,OU=Utilisateurs,OU=1926_EHPAD_CHAMPSFLEUR,OU=Pole Gerontologique 78,OU=Filiere Personnes Agees,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | niassea | 05/03/2024 19:29:39 | False
CN=granadost,OU=Utilisateurs,OU=3658_DIRFSS_GEMENOS,OU=Filiere Formation,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | granadost | 05/03/2024 21:57:45 | False
CN=masmitjad,OU=Utilisateurs,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | masmitjad | 05/03/2024 19:47:50 | False
CN=tahirf,OU=Utilisateurs,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | tahirf | 05/03/2024 22:13:54 | False
CN=hattonl,OU=Utilisateurs,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | hattonl | 05/03/2024 20:45:51 | False
CN=hadjalk,OU=Utilisateurs,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | hadjalk | 05/03/2024 20:34:43 | False
CN=chevreuxgarciak,OU=Utilisateurs,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | chevreuxgarciak | 05/03/2024 20:19:08 | False
CN=matmatis,OU=Utilisateurs,OU=1880_EHPAD_ECLAIRCIE,OU=Filiere Personnes agees,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | matmatis | 05/03/2024 21:32:35 | False
CN=cavaillien,OU=Utilisateurs,OU=1830_IME_SOLN,OU=Filiere Handicap,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | cavaillien | 05/03/2024 20:54:39 | False
CN=moucheli,OU=Utilisateurs,OU=1830_IME_SOLN,OU=Filiere Handicap,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | moucheli | 05/03/2024 22:21:20 | False
CN=blotf,OU=Utilisateurs,OU=2572_MAS_SAINT_MARTIN,OU=Pole Mougins,OU=Filiere Handicap,OU=Structures,OU=Pacac,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | blotf | 05/03/2024 22:04:06 | False
CN=janodypf,OU=Utilisateurs,OU=1896_BAPU,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | janodypf | 05/03/2024 19:35:45 | False
CN=syllawa,OU=Utilisateurs,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | syllawa | 05/03/2024 19:54:04 | False
CN=moslihs,OU=Utilisateurs,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | moslihs | 05/03/2024 21:02:22 | False
CN=valentinmg,OU=Utilisateurs,OU=BRETAGNE_STE_CLOTILDE,OU=2175_SSIAD_LA_REUNION,OU=Filiere Domicile,OU=974_La_Reunion,OU=Structures,OU=Outre Mer,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | valentinmg | 05/03/2024 19:40:58 | False
CN=dupontca,OU=Utilisateurs,OU=Structures,OU=Outre Mer,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | dupontca | 05/03/2024 20:14:14 | False
CN=siffertp,OU=Utilisateurs,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | siffertp | 05/03/2024 19:18:49 | False
CN=vanveenp,OU=Utilisateurs,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | vanveenp | 05/03/2024 21:37:25 | False

Saved to SI000098 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 6

AD objects created within the last 10 days result


Showing 30 of 700



DistinguishedName | ObjectClass | Name | EventTimestamp
DC=156.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 156.226 | 04/03/2024 09:33:22
DC=171.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 171.226 | 04/03/2024 09:42:21
DC=169.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 169.226 | 04/03/2024 09:51:31
DC=192.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 192.226 | 04/03/2024 11:23:28
DC=212.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 212.226 | 04/03/2024 14:06:07
DC=220.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 220.226 | 04/03/2024 14:08:27
DC=238.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 238.226 | 05/03/2024 09:35:52
DC=242.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 242.226 | 05/03/2024 09:44:30
DC=243.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 243.226 | 05/03/2024 09:50:57
DC=246.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 246.226 | 05/03/2024 09:59:16
DC=248.226,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 248.226 | 05/03/2024 10:06:50
DC=21.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 21.210 | 05/03/2024 10:08:02
DC=22.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 22.210 | 05/03/2024 10:40:25
DC=23.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=cro-rouge,DC=asso,DC=fr | dnsNode | 23.210 | 05/03/2024 10:58:36
DC=24.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 24.210 | 05/03/2024 11:03:00
DC=25.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 25.210 | 05/03/2024 11:05:06
DC=26.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 26.210 | 05/03/2024 11:33:14
DC=27.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 27.210 | 05/03/2024 11:57:32
DC=28.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 28.210 | 05/03/2024 12:06:35
DC=29.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 29.210 | 05/03/2024 13:12:43
DC=30.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 30.210 | 05/03/2024 13:19:06
DC=31.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 31.210 | 05/03/2024 13:30:10
DC=33.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 33.210 | 05/03/2024 13:33:16
DC=36.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 36.210 | 05/03/2024 14:38:29
DC=37.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 37.210 | 05/03/2024 14:40:31
DC=17.227,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 17.227 | 05/03/2024 15:29:19
DC=25.227,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 25.227 | 06/03/2024 11:10:02
DC=35.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 35.210 | 07/03/2024 10:29:38
DC=39.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 39.210 | 07/03/2024 11:45:43
DC=40.210,DC=0.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=croix-rouge,DC=asso,DC=fr | dnsNode | 40.210 | 07/03/2024 12:26:13

Saved to SI000044 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 7

Users with old passwords result


Showing 30 of 20491

DistinguishedName | SamAccountName | PasswordLastSet | DaysSinceLastSet | Ignored
CN=TsInternetUser,CN=Users,DC=croix-rouge,DC=asso,DC=fr | TsInternetUser | | 8356 | False
CN=IWAM_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr | IWAM_DCROOTEXCH | | 7522 | False
CN=IUSR_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr | IUSR_DCROOTEXCH | | 7522 | False
CN=FSAVAG4MSE_CROIX-RO,CN=Users,DC=croix-rouge,DC=asso,DC=fr | FSAVAG4MSE_CROIX-RO | | 7308 | False
CN=VUSR_INTRAFF1,CN=Users,DC=croix-rouge,DC=asso,DC=fr | VUSR_INTRAFF1 | | 8222 | False
CN=compte de connexion ftp,CN=Users,DC=croix-rouge,DC=asso,DC=fr | ftpuser | | 7825 | False
CN=FSAVAG4MSE,CN=Users,DC=croix-rouge,DC=asso,DC=fr | FSAVAG4MSE | | 7949 | False
CN=bugtracker,CN=Users,DC=croix-rouge,DC=asso,DC=fr | bugtracker | | 4711 | False
CN=HypAnnu,CN=Users,DC=croix-rouge,DC=asso,DC=fr | HypAnnu | | 5033 | False
CN=intranet,CN=Users,DC=croix-rouge,DC=asso,DC=fr | intranetAD | | 4060 | False
CN=cegi,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | cegi | | 3717 | False
CN=cegifirst,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | cegifirst | | 3583 | False
CN=svc_normea,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_normea | | 3623 | False
CN=ezzianen,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | ezzianen | | 3546 | False
CN=dufouro,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dufouro | | 3546 | False
CN=bonnefoyn,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | bonnefoyn | | 3546 | False
CN=dumasx,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dumasx | | 3546 | False
CN=caillouxv,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | caillouxv | | 3546 | False
CN=asselineaut,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | asselineaut | | 3546 | False
CN=durands,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | durands | | 3546 | False
CN=grosliers,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | grosliers | | 3546 | False
CN=dechetp,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dechetp | | 3546 | False
CN=svc_owncloud,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_owncloud | | 3507 | False
CN=adm_vco,CN=Users,DC=croix-rouge,DC=asso,DC=fr | adm_vco | | 3414 | False
CN=qualiac sso dev,CN=Users,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev | | 3255 | False
CN=svc_intranet,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_intranet | | 3095 | False
CN=svc_fillieres,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_fillieres | | 3043 | False
CN=svc_bigip,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_bigip | | 3080 | False
CN=svcSQL,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svcSQL | | 4390 | False
CN=busettag,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | busettag | | 3546 | False

Saved to SI000037 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 8

Protected Users group not in use result


Showing 21 of 21

DistinguishedName | SamAccountName | Enabled | Ignored
CN=Administrateur,CN=Users,DC=croix-rouge,DC=asso,DC=fr | Administrateur | True | False
CN=Nivolisator,CN=Users,DC=croix-rouge,DC=asso,DC=fr | Nivolisator | False | False
CN=dccontact,CN=Users,DC=croix-rouge,DC=asso,DC=fr | dccontact | False | False
CN=Svc_dex_ad,CN=Users,DC=croix-rouge,DC=asso,DC=fr | Svc_dex_ad | False | False
CN=adm SaintyvesG,OU=Admin,DC=croix-rouge,DC=asso,DC=fr | adm_saintyvesg | True | False
CN=Admin KrcmarM,OU=Admin,DC=croix-rouge,DC=asso,DC=fr | Admin_KrcmarM | True | False
CN=Admin ChattaouiC,OU=Admin,DC=croix-rouge,DC=asso,DC=fr | Admin_ChattaouiC | True | False
CN=Admin MarkovicA,OU=Admin,DC=croix-rouge,DC=asso,DC=fr | admin_markovica | True | False
CN=Administrateur,OU=Admin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Administrateur | True | False
CN=Admin_SaintyvesG,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Admin_SaintyvesG | True | False
CN=Adm_KrcmarM,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_KrcmarM | True | False
CN=Adm_MarkovicA,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_MarkovicA | True | False
CN=Adm_ChattaouiC,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_ChattaouiC | True | False
CN=adm_geremyo,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | adm_geremyo | True | False
CN=Adm_Veschambreh,OU=PROD,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_Veschambreh | True | False
CN=Adm_DupuisFr,OU=Front Office,OU=Admin,OU=Campus,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_DupuisFr | True | False
CN=svc_serviceNav_ad,OU=V30,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_serviceNav_ad | True | False
CN=svc_serviceNav,OU=V30,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_serviceNav | True | False
CN=0001_svc_cohesity,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 0001_svc_cohesity | True | False
CN=Adm_matulicb,OU=Utilisateurs,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_matulicb | False | False
CN=Adm_GremaudO,OU=Utilisateurs,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Adm_GremaudO | False | False

Saved to SI000020 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 9

Users with Password Never Expires flag set result


Showing 30 of 9463

DistinguishedName | SamAccountName | PasswordLastSet | ServicePrincipalName | Ignored
CN=compte de connexion ftp,CN=Users,DC=croix-rouge,DC=asso,DC=fr | ftpuser | 09/10/2002 09:02:12 | | False
CN=bugtracker,CN=Users,DC=croix-rouge,DC=asso,DC=fr | bugtracker | 19/04/2011 08:50:15 | | False
CN=HypAnnu,CN=Users,DC=croix-rouge,DC=asso,DC=fr | HypAnnu | 01/06/2010 09:34:32 | | False
CN=intranet,CN=Users,DC=croix-rouge,DC=asso,DC=fr | intranetAD | 29/01/2013 12:40:22 | | False
CN=cegi,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | cegi | 07/01/2014 13:29:51 | | False
CN=cegifirst,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | cegifirst | 21/05/2014 13:53:50 | | False
CN=svc_normea,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_normea | 11/04/2014 13:16:27 | | False
CN=ezzianen,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | ezzianen | 27/06/2014 09:41:14 | | False
CN=dufouro,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dufouro | 27/06/2014 09:40:39 | | False
CN=bonnefoyn,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | bonnefoyn | 27/06/2014 09:38:28 | | False
CN=dumasx,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dumasx | 27/06/2014 09:40:47 | | False
CN=caillouxv,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | caillouxv | 27/06/2014 09:38:52 | | False
CN=asselineaut,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | asselineaut | 27/06/2014 09:37:21 | | False
CN=durands,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | durands | 27/06/2014 09:41:04 | | False
CN=grosliers,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | grosliers | 27/06/2014 09:42:09 | | False
CN=dechetp,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dechetp | 27/06/2014 09:40:12 | | False
CN=svc_owncloud,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_owncloud | 05/08/2014 12:18:02 | | False
CN=adm_vco,CN=Users,DC=croix-rouge,DC=asso,DC=fr | adm_vco | 06/11/2014 14:33:52 | | False
CN=qualiac sso dev,CN=Users,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev | 14/04/2015 16:21:42 | http/qualiqua.croix-rouge.fr | False
CN=svc_intranet,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_intranet | 21/09/2015 12:45:39 | | False
CN=svc_fillieres,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_fillieres | 12/11/2015 09:42:15 | | False
CN=svc_bigip,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svc_bigip | 06/10/2015 08:25:10 | | False
CN=svcSQL,CN=Users,DC=croix-rouge,DC=asso,DC=fr | svcSQL | 05/03/2012 09:54:20 | | False
CN=busettag,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | busettag | 27/06/2014 09:38:45 | | False
CN=baivel-pessonl,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | baivel-pessonl | 27/06/2014 09:37:42 | | False
CN=dasilvamc,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | dasilvamc | 27/06/2014 09:40:03 | | False
CN=duqueyroixt,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | duqueyroixt | 27/06/2014 09:40:56 | | False
CN=chalardm,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | chalardm | 27/06/2014 09:39:16 | | False
CN=chaffraixh,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | chaffraixh | 27/06/2014 09:39:09 | | False
CN=Benoit Pinto,OU=Gestion des etablissements PH,OU=Prestataires,DC=croix-rouge,DC=asso,DC=fr | pintob | 19/09/2018 14:08:39 | | False

Saved to SI000029 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx
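Appendix 7 prints DaysSinceLastSet but its PasswordLastSet values did not survive extraction, while Appendix 9 lists PasswordLastSet for many of the same accounts. The Python below is an added example, not part of the Purple Knight report: it recomputes the age of each password from the Appendix 9 timestamps against the scan time and checks the result against the Appendix 7 column, then builds the LDAP filter that would return the same population directly from a domain controller. Assumptions: the scan time is 13/03/2024 08:29:14, taken from the output folder name in the "Saved to" lines; the timestamps are local time and whole days are floored (that is what makes the sample rows match); the sample rows are transcribed from the two appendices.

```python
from datetime import datetime, timedelta, timezone

# Scan time from the report's output folder name 03_13_2024_08_29_14 (assumed to be in the same local
# time as the table values)
SCAN_TIME = datetime(2024, 3, 13, 8, 29, 14)
FMT = "%d/%m/%Y %H:%M:%S"  # dd/MM/yyyy HH:mm:ss as printed in the report
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (SamAccountName, PasswordLastSet from Appendix 9, DaysSinceLastSet from Appendix 7)
SAMPLE = [
    ("ftpuser", "09/10/2002 09:02:12", 7825),
    ("bugtracker", "19/04/2011 08:50:15", 4711),
    ("HypAnnu", "01/06/2010 09:34:32", 5033),
    ("svcSQL", "05/03/2012 09:54:20", 4390),
    ("cegi", "07/01/2014 13:29:51", 3717),
    ("qualiac_sso_dev", "14/04/2015 16:21:42", 3255),
]


def parse_report_time(text):
    """Parse a timestamp in the report's dd/MM/yyyy HH:mm:ss format (naive, local time)."""
    return datetime.strptime(text, FMT)


def days_since(last_set, scan=SCAN_TIME):
    """Whole days between PasswordLastSet and the scan. timedelta.days floors, which is what
    reproduces the report's column (7826 days minus 33 minutes prints as 7825)."""
    return (scan - parse_report_time(last_set)).days


def reconcile(rows, scan=SCAN_TIME):
    """Rows whose recomputed age disagrees with the reported DaysSinceLastSet; empty means the columns agree."""
    return [
        (sam, days_since(last_set, scan), reported)
        for sam, last_set, reported in rows
        if days_since(last_set, scan) != reported
    ]


def to_filetime(dt):
    """Encode a datetime as Windows FILETIME (100-ns ticks since 1601-01-01 UTC), the form pwdLastSet
    is stored in. A naive datetime is treated as UTC, an assumption for this example."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def stale_password_filter(max_age_days, scan=SCAN_TIME):
    """LDAP filter for enabled user accounts whose password is older than max_age_days.
    pwdLastSet=0 means 'must change password at next logon', not an old password, so it is excluded;
    the ACCOUNTDISABLE bit (2) is tested with the LDAP_MATCHING_RULE_BIT_AND rule 1.2.840.113556.1.4.803."""
    cutoff = to_filetime(scan - timedelta(days=max_age_days))
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
        f"(pwdLastSet<={cutoff})(!(pwdLastSet=0)))"
    )


if __name__ == "__main__":
    print("mismatches:", reconcile(SAMPLE))
    print(stale_password_filter(365))
```

The filter string is what you would hand to Get-ADUser -LDAPFilter or ldapsearch to pull the full 20491-row population that the appendix only samples; lower max_age_days to the rotation period your policy actually mandates for service accounts.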



Appendix 10

User accounts with password not required result


Showing 30 of 5635
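The UserAccountControl column in the table that follows shows the raw integer next to the flags it decodes to: 66080 is 0x10220, which is PASSWD_NOTREQD (0x20) + NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWORD (0x10000), and 544 is 0x220, the same without DONT_EXPIRE_PASSWORD. Neither value has the ACCOUNTDISABLE bit (0x2) set, so every account shown is enabled. The Python below is an added example, not code from the report: it decodes the bitmask, keeps only enabled accounts that carry PASSWD_NOTREQD, shows the corrected value once the bit is cleared, and gives the LDAP bit-test filter that returns the same accounts from a domain controller. The labels PasswordNotRequired, NormalAccount and PasswordDoesNotExpire are the report's; the other labels in the table follow that style and are this example's own. The UAC values in the sample are from the table; the disabled account in it is made up to exercise the enabled check.

```python
# userAccountControl bits: (bit, label in the report's style, flag name from the Windows schema documentation)
UAC_FLAGS = [
    (0x00000002, "AccountDisabled", "ACCOUNTDISABLE"),
    (0x00000010, "Lockout", "LOCKOUT"),
    (0x00000020, "PasswordNotRequired", "PASSWD_NOTREQD"),
    (0x00000040, "CannotChangePassword", "PASSWD_CANT_CHANGE"),
    (0x00000080, "ReversibleEncryptionAllowed", "ENCRYPTED_TEXT_PWD_ALLOWED"),
    (0x00000200, "NormalAccount", "NORMAL_ACCOUNT"),
    (0x00000800, "InterdomainTrustAccount", "INTERDOMAIN_TRUST_ACCOUNT"),
    (0x00001000, "WorkstationTrustAccount", "WORKSTATION_TRUST_ACCOUNT"),
    (0x00002000, "ServerTrustAccount", "SERVER_TRUST_ACCOUNT"),
    (0x00010000, "PasswordDoesNotExpire", "DONT_EXPIRE_PASSWORD"),
    (0x00040000, "SmartcardRequired", "SMARTCARD_REQUIRED"),
    (0x00080000, "TrustedForDelegation", "TRUSTED_FOR_DELEGATION"),
    (0x00100000, "NotDelegated", "NOT_DELEGATED"),
    (0x00200000, "UseDesKeyOnly", "USE_DES_KEY_ONLY"),
    (0x00400000, "DoesNotRequirePreAuth", "DONT_REQ_PREAUTH"),
    (0x00800000, "PasswordExpired", "PASSWORD_EXPIRED"),
    (0x01000000, "TrustedToAuthForDelegation", "TRUSTED_TO_AUTH_FOR_DELEGATION"),
]
BY_NAME = {name: bit for bit, name, _ in UAC_FLAGS}
PASSWD_NOTREQD = BY_NAME["PasswordNotRequired"]
ACCOUNTDISABLE = BY_NAME["AccountDisabled"]

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests bits of an integer attribute. This filter
# matches accounts that need no password AND are enabled; usable with Get-ADUser -LDAPFilter or ldapsearch.
NOTREQD_ENABLED_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={PASSWD_NOTREQD})"
    f"(!(userAccountControl:1.2.840.113556.1.4.803:={ACCOUNTDISABLE})))"
)

# Constructed sample: (SamAccountName, UserAccountControl). The first three values are from the table;
# the last account is made up to show the enabled check.
SAMPLE_ACCOUNTS = [
    ("TsInternetUser", 66080),
    ("FSAVAG4MSE", 544),
    ("berthetc", 544),
    ("disabled-example", 66082),
]


def decode_uac(value):
    """Labels of the set bits, lowest bit first, in the report's naming (66080 -> 0x10220)."""
    return [name for bit, name, _ in UAC_FLAGS if value & bit]


def schema_flags(value):
    """Same decode with the schema flag names (PASSWD_NOTREQD, ...)."""
    return [flag for bit, _, flag in UAC_FLAGS if value & bit]


def is_enabled(value):
    return not value & ACCOUNTDISABLE


def clear_flag(value, name):
    """Value with one flag removed. Clearing PASSWD_NOTREQD only re-applies the password policy at the
    next password set; it does not touch the current password, so an account that has an empty one
    keeps it until someone resets it."""
    return value & ~BY_NAME[name]


def triage(accounts):
    """(sam, flags) for every account that is enabled and has PASSWD_NOTREQD set: these may be given an
    empty password without violating the domain policy, whatever their current password is."""
    return [
        (sam, decode_uac(uac))
        for sam, uac in accounts
        if uac & PASSWD_NOTREQD and is_enabled(uac)
    ]


if __name__ == "__main__":
    for sam, uac in SAMPLE_ACCOUNTS:
        print(sam, uac, hex(uac), decode_uac(uac), "enabled" if is_enabled(uac) else "disabled")
    print(NOTREQD_ENABLED_FILTER)
```

A practical sequencing for the 5635 accounts in this indicator: pull them with the filter, reset any whose password is actually empty, then clear the bit; doing it in the other order leaves empty passwords in place behind a flag that now looks clean.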

DistinguishedName SamAccountName UserAccountControl ManagedBy LastModified Create


66080
CN=TsInternetUser,CN=Users,DC=croix-rouge,DC=asso,DC=fr TsInternetUser [PasswordNotRequired, 25/08/2020 26/04
NormalAccount, 17:07:15 17:07:
PasswordDoesNotExpire]
66080
CN=IWAM_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr IWAM_DCROOTEXCH [PasswordNotRequired, 25/08/2020 08/08
NormalAccount, 17:07:15 14:42:
PasswordDoesNotExpire]
66080
CN=IUSR_DCROOTEXCH,CN=Users,DC=croix-rouge,DC=asso,DC=fr IUSR_DCROOTEXCH [PasswordNotRequired, 25/08/2020 08/08
NormalAccount, 17:07:15 14:43:
PasswordDoesNotExpire]

FSAVAG4MSE_CROIX- 544 21/06/2022 09/03


CN=FSAVAG4MSE_CROIX-RO,CN=Users,DC=croix-rouge,DC=asso,DC=fr | RO | [PasswordNotRequired, NormalAccount] | | 19:51:45 | 13:44:
CN=VUSR_INTRAFF1,CN=Users,DC=croix-rouge,DC=asso,DC=fr | VUSR_INTRAFF1 | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 25/08/2020 17:07:15 | 07/09 09:44:
CN=FSAVAG4MSE,CN=Users,DC=croix-rouge,DC=asso,DC=fr | FSAVAG4MSE | 544 [PasswordNotRequired, NormalAccount] | | 25/08/2020 17:07:15 | 07/06 12:29:
CN=IWAM_DC1AUTH,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IWAM_DC1AUTH | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 05/08 17:31:
CN=IUSR_DC1AUTH,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IUSR_DC1AUTH | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 05/08 17:31:
CN=TsInternetUser,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | TsInternetUser | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 05/08 17:31:
CN=IWAM_INTRAFF1,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IWAM_INTRAFF1 | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 06/08 15:11:
CN=IUSR_INTRAFF1,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IUSR_INTRAFF1 | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 06/08 15:11:
CN=IUSR_INTREXCH1,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IUSR_INTREXCH1 | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 08/08 16:57:
CN=IUSR_INTREXCHGE,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IUSR_INTREXCHGE | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 31/03 15:00:
CN=IWAM_INTREXCHGE,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | IWAM_INTREXCHGE | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 21/09/2023 17:18:04 | 31/03 15:00:
CN=ramoscerqueiraf,OU=Utilisateurs_CHU_Fontainebleau,OU=2522_STRUCTURES,OU=Pole 77,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | ramoscerqueiraf | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 13/03/2024 09:13:54 | 03/01 09:33:
CN=slobodkinr,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | slobodkinr | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 04/03/2024 08:42:36 | 26/03 08:31:

- 95 - ©2023 Semperis. All rights reserved.


DistinguishedName | SamAccountName | UserAccountControl | ManagedBy | LastModified | Create

CN=besseyrec,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | besseyrec | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 04/03/2024 08:42:36 | 09/06 10:13:
CN=rouller,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | rouller | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 22/02/2024 18:41:05 | 25/05 09:10:
CN=espinassa,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | espinassa | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 25/02/2024 15:56:30 | 27/09 16:38:
CN=mathone,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | mathone | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 07/03/2024 14:28:04 | 25/05 09:06:
CN=berthetc,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | berthetc | 544 [PasswordNotRequired, NormalAccount] | | 06/03/2024 07:57:53 | 13/01 10:21:
CN=reymondd,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | reymondd | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 04/03/2024 07:12:36 | 08/11 09:15:
CN=berrick,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | berrick | 544 [PasswordNotRequired, NormalAccount] | | 11/03/2024 19:13:42 | 02/04 10:18:
CN=massond,OU=Utilisateurs,OU=1819_ESAT_RECOUBEAU,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | massond | 544 [PasswordNotRequired, NormalAccount] | | 06/03/2024 08:42:54 | 07/11 08:31:
CN=favrem,OU=Utilisateurs,OU=2531_SAMSAH_MEAUX,OU=Pole Handicap NORD,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | favrem | 544 [PasswordNotRequired, NormalAccount] | | 05/03/2024 19:27:49 | 17/04 10:17:
CN=formentinm,OU=Utilisateurs,OU=2535_EA_MAGNY,OU=Pole Handicap NORD,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | formentinm | 544 [PasswordNotRequired, NormalAccount] | | 07/03/2024 09:28:03 | 17/06 08:07:
CN=fulgonif,OU=Utilisateurs,OU=2545_MAS_GUYNEMER,OU=Pole Handicap 78,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | fulgonif | 544 [PasswordNotRequired, NormalAccount] | | 07/03/2024 09:43:03 | 11/10 12:07:
CN=RobinMa,OU=Utilisateurs,OU=2603_MAS_LUNEVILLE,OU=Filiere Handicap,OU=Structures,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | RobinMa | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 04/03/2024 09:27:36 | 02/02 10:08:
CN=comeaus,OU=Utilisateurs,OU=1744_IRFSS_ST_ETIENNE,OU=Filiere Formation,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | comeaus | 544 [PasswordNotRequired, NormalAccount] | | 11/03/2024 11:58:38 | 24/11 09:42:
CN=durieuxmc,OU=Utilisateurs,OU=1744_IRFSS_ST_ETIENNE,OU=Filiere Formation,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | durieuxmc | 66080 [PasswordNotRequired, NormalAccount, PasswordDoesNotExpire] | | 07/03/2024 11:43:03 | 13/10 10:26:

Saved to SI000074 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 11

Certificate templates with 3 or more insecure configurations result


Showing 12 of 12

DistinguishedName | CertificateTemplateName | PotentialAbusableProblems | Published | Ignored

CN=CRF-AuthentificationKerberos-DC/RODC,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-AuthentificationKerberos-DC/RODC | no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=Horizon_Recette,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | Horizon_Recette | SAN Enabled, no Manager Approval needed, No Signatures needed, | False | False
CN=CRF-ServeurWeb,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-ServeurWeb | SAN Enabled, no Manager Approval needed, No Signatures needed, | True | False
CN=CRF-Secure,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Secure | no Manager Approval needed, No Signatures needed, Authentication EKU present | False | False
CN=CRF-ChromeBook,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-ChromeBook | SAN Enabled, no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=PALO_PROXY,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | PALO_PROXY | SAN Enabled, no Manager Approval needed, No Signatures needed, | False | False
CN=«CRF8SSL_PROXY»,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | «CRF8SSL_PROXY» | SAN Enabled, no Manager Approval needed, No Signatures needed, Authentication EKU present | False | False
CN=CRF-vSphere7,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-vSphere7 | SAN Enabled, no Manager Approval needed, No Signatures needed, | False | False
CN=CRF-Authentificationdeserveurmembre,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Authentificationdeserveurmembre | no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=CRF-Authentificationdestationdetravail,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Authentificationdestationdetravail | no Manager Approval needed, No Signatures needed, Authentication EKU present | True | False
CN=CRF-Autoritédecertificationsecondaire,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | CRF-Autoritédecertificationsecondaire | SAN Enabled, no Manager Approval needed, No Signatures needed, | False | False
CN=Certificat_Global_2018,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=croix-rouge,DC=asso,DC=fr | Certificat_Global_2018 | no Manager Approval needed, No Signatures needed, Authentication EKU present | False | False

Saved to SI000156 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 12

Computers with older OS versions result


Showing 30 of 2949

DistinguishedName | LastLogonTimeStamp | PasswordLastSet | OperatingSystem | Active | Enabled

CN=PRR0000IN006,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 29/09/2021 12:50:12 | 23/09/2021 03:59:12 | Windows Server 2008 R2 Entreprise | False | False
CN=PRR0000IN001,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 07/07/2014 13:25:23 | 18/06/2014 18:28:41 | Windows Server 2003 | False | False
CN=PRR0000IN012,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 11/10/2012 16:30:41 | 17/10/2012 16:18:40 | Windows Server 2003 | False | False
CN=REC0001IN016,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 14/01/2019 23:15:38 | 15/01/2019 03:39:12 | Windows Server 2008 R2 Entreprise | False | False
CN=PRR0000IN010,OU=ARCHIVE-S3,OU=Serveurs,DC=croix-rouge,DC=asso,DC=fr | 28/04/2021 23:09:56 | 17/04/2021 23:20:11 | Windows Server 2008 R2 Entreprise | False | False
CN=PRR0000IN007,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 20/06/2020 10:52:22 | 16/06/2020 18:40:40 | Windows Server 2008 R2 Entreprise | False | False
CN=SAAS-CRXROUGE,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 15/04/2023 12:00:57 | 31/03/2023 18:44:17 | Windows Server 2008 R2 Standard | False | False
CN=SAAS-CRXROUGET,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 18/03/2023 20:00:56 | 19/02/2023 03:15:25 | Windows Server 2008 R2 Standard | False | False
CN=NAAS-CRXROUGE,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 06/06/2022 12:01:11 | 01/06/2022 21:11:50 | Windows Server 2008 R2 Standard | False | False
CN=NAAS-CRXROUGET,OU=Ordinateurs,OU=DISABLED OBJECT,DC=croix-rouge,DC=asso,DC=fr | 10/01/2022 12:17:18 | 10/01/2022 06:28:31 | Windows Server 2008 R2 Standard | False | False
CN=W1819ET009,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 06/06/2021 15:38:33 | 25/05/2021 15:34:34 | Windows 7 Professionnel | False | False
CN=W1819ET004,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 07/06/2021 14:16:38 | 07/06/2021 12:16:39 | Windows 7 Professionnel | False | False
CN=P2603ET003,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 24/08/2021 15:34:37 | 27/09/2018 11:58:19 | Windows 7 Professionnel | False | False
CN=W2603ET011,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 03/10/2021 06:50:59 | 02/10/2021 05:08:09 | Windows 7 Professionnel | False | False
CN=W1849ET033,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 07/02/2024 09:08:36 | 23/01/2024 06:24:55 | Windows 7 Professionnel | False | False
CN=P1806ET029,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 30/09/2021 09:03:43 | 16/09/2021 06:29:56 | Windows 7 Professionnel | False | False
CN=P1744ET001,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 04/07/2020 17:31:08 | 08/06/2020 08:10:20 | Windows 7 Professionnel | False | False
CN=P1744ET060,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 16/07/2021 08:39:19 | 20/07/2021 10:05:51 | Windows 7 Professionnel | False | False
CN=P1874ET1503,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 05/04/2023 20:05:14 | 05/04/2023 18:13:05 | Windows 7 Professionnel | False | False
CN=W1874ET1506,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 29/03/2021 13:36:23 | 08/04/2021 11:18:17 | Windows 7 Professionnel | False | False
CN=W3764ET001,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 18/07/2021 06:05:58 | 18/07/2021 04:18:59 | Windows 7 Professionnel | False | False
CN=P3764ET003,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 13/07/2020 11:57:25 | 13/07/2020 09:52:34 | Windows 7 Professionnel | False | False
CN=P1722ET011,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 08/07/2020 09:20:20 | 17/12/2018 09:35:24 | Windows 7 Professionnel | False | False
CN=W1722ET004,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 26/05/2021 08:41:09 | 11/05/2021 06:49:31 | Windows 7 Professionnel | False | False
CN=W3764ET004,OU=Machines,OU=Old,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 01/10/2019 16:20:18 | 21/02/2018 08:34:04 | Windows XP Professional | False | False



CN=P4368ET001,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 02/06/2022 10:21:22 | 06/09/2021 07:20:27 | Windows 7 Professionnel | False | False
CN=W4368ET005,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 07/05/2021 18:43:51 | 10/05/2021 19:00:20 | Windows 7 Professionnel | False | False
CN=W1823ET009,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 12/06/2020 18:08:06 | 13/06/2020 08:11:46 | Windows 7 Professionnel | False | False
CN=W1823ET032,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 09/04/2021 12:44:17 | 23/02/2021 09:05:32 | Windows 7 Professionnel | False | False
CN=W1823ET006,OU=Windows 7,OU=WORKSTATION,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 08/10/2021 18:25:19 | 16/10/2021 13:07:16 | Windows 7 Professionnel | False | False

Saved to SI000054 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 13

Computers with password last set over 90 days ago result


Showing 30 of 1753



DistinguishedName | PasswordLastSet | DaysSinceLastSet | Active

CN=PRR0000IN015,OU=Serveurs,DC=croix-rouge,DC=asso,DC=fr | 06/11/2021 07:33:26 | 858 | False
CN=PRI0000DC180,OU=REBOND_BASTION,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 15/12/2022 03:59:41 | 454 | False
CN=P1744ET011,OU=Ordinateurs,OU=1744_IRFSS_ST_ETIENNE,OU=Filiere Formation,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 24/07/2022 14:43:16 | 597 | True
CN=P1823ET024,OU=Ordinateurs,OU=1823_ESAT_BEAUCHASTEL,OU=POLE_BEAUCHASTEL,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 22/06/2020 11:23:12 | 1359 | False
CN=P1823ET012,OU=Ordinateurs,OU=1823_ESAT_BEAUCHASTEL,OU=POLE_BEAUCHASTEL,OU=Filiere Handicap,OU=Structures,OU=Rhone-Alpes Auvergne,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 10/03/2023 07:36:05 | 369 | False
CN=P1814ET008,OU=Ordinateurs,OU=1814_CADA_DIJON,OU=Filiere Exclusion,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 15/05/2023 06:48:10 | 303 | False
CN=W2168ET003,OU=Ordinateurs,OU=2168_POLE_POLYHANDICAP_SESSAD,OU=Filiere Handicap,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 26/09/2023 07:05:25 | 169 | False
CN=P3618ET002,OU=Ordinateurs,OU=3618_POLE_POLYHANDICAP_MAS,OU=Filiere Handicap,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 14/06/2021 09:31:01 | 1002 | False
CN=W1811ET016,OU=Ordinateurs,OU=1811_POLE_POLYHANDICAP_EEAP,OU=Filiere Handicap,OU=Structures,OU=Bourgogne-Franche-Comte,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 20/08/2018 07:08:43 | 2032 | False
CN=W1852ET026,OU=Ordinateurs,OU=1852_IME_STJANS,OU=Filiere Handicap,OU=Structures,OU=Hauts-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 08/01/2021 07:42:26 | 1160 | False
CN=PRI0001IN023,OU=INFRA,OU=PROD,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 18/01/2022 20:18:37 | 784 | False
CN=P1727ET011,OU=Ordinateurs,OU=1727_IFSI_NIMES,OU=Filiere Formation,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 24/11/2023 13:54:12 | 109 | False
CN=P3632ET002,OU=Ordinateurs,OU=3632_EEAP_BLAMONT,OU=Filiere Handicap,OU=Structures,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 13/10/2023 11:17:55 | 151 | False
CN=W4228ET006,OU=Ordinateurs,OU=4228_SAMU-SOCIAL,OU=Filiere Exclusion,OU=971_Guadeloupe,OU=Structures,OU=Outre Mer,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 16/03/2022 21:52:32 | 727 | False
CN=P4247ET012,OU=Ordinateurs,OU=4247_Pole Accompagnement Des Familles,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 09/11/2023 12:46:05 | 124 | False
CN=W4247ET144,OU=Ordinateurs,OU=PAF CRETEIL,OU=4247_Pole Accompagnement Des Familles,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 30/08/2023 08:10:44 | 196 | False
CN=P3664ET076,OU=Ordinateurs,OU=3664_IRFSS-IDF,OU=Pole Romainville,OU=Filiere Formation,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 18/11/2023 15:52:28 | 115 | False
CN=P2532ET006,OU=Ordinateurs,OU=2532_FH_MEAUX,OU=Pole Handicap NORD,OU=Filiere Handicap,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 12/12/2023 10:42:07 | 91 | False
CN=P1910ET004,OU=Ordinateurs,OU=1910_HOPITAL_BG,OU=Filiere Sanitaire,OU=Structures,OU=Normandie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 08/11/2023 17:47:48 | 125 | False
CN=PRI1848ET002,OU=1848_IFAP_LUNEVILLE,OU=Serveurs,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 08/12/2023 21:01:58 | 95 | False
CN=PRI3622ET001,OU=3622_EHPAD_LOUIS_FONOLL,OU=Serveurs,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 27/06/2022 09:42:41 | 624 | True
CN=P1859ET101,OU=Ordinateurs,OU=1859_MAS_LILLERS,OU=Filiere Handicap,OU=Structures,OU=Hauts-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 22/11/2023 10:39:25 | 111 | False
CN=P3745ET021,OU=Ordinateurs,OU=3745_IFSI_TROYES,OU=Filiere Formation,OU=Structures,OU=Grand-Est,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 27/07/2022 12:56:35 | 594 | False
CN=P4247ET093,OU=Ordinateurs,OU=PAS EVRY,OU=4247_Pole Accompagnement Des Familles,OU=Filiere Exclusion,OU=Structures,OU=Ile-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 13/11/2023 10:57:35 | 120 | False
CN=P4352ET030,OU=Computers_territoire,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 09/08/2023 13:32:31 | 216 | False
CN=P4521ET002,OU=Ordinateurs,OU=4521_REINSTALLES_NIMES,OU=Filiere Exclusion,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 13/10/2023 07:40:02 | 152 | False
CN=P2137ET006,OU=Ordinateurs,OU=2137_CAT_NIMES,OU=Filiere Exclusion,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 06/11/2023 18:44:38 | 127 | False
CN=P2569ET003,OU=Ordinateurs,OU=2569_CADA_NIMES,OU=Filiere Exclusion,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 12/10/2023 08:11:51 | 153 | False
CN=P2569ET002,OU=Ordinateurs,OU=2569_CADA_NIMES,OU=Filiere Exclusion,OU=Structures,OU=Occitanie,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 05/06/2023 07:03:42 | 282 | False
CN=NAS3781ET002,OU=NAS,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 25/07/2022 16:48:21 | 596 | False

Saved to SI000059 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 14

LDAP signing is not required on Domain Controllers result


Showing 21 of 21

DCName | DistinguishedName | State | Ignored

PDC0000DC101.croix-rouge.asso.fr | CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PDC0000DC103.croix-rouge.asso.fr | CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PDC0000DC104.croix-rouge.asso.fr | CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PDC0000DC105.croix-rouge.asso.fr | CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI0001IN006.intranet.croix-rouge.asso.fr | CN=PCI0001IN006,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI4444DR001.intranet.croix-rouge.asso.fr | CN=PCI4444DR001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3713DR002.intranet.croix-rouge.asso.fr | CN=PCI3713DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI2036ET002.intranet.croix-rouge.asso.fr | CN=PCI2036ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3621DR003.intranet.croix-rouge.asso.fr | CN=PCI3621DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3619DR003.intranet.croix-rouge.asso.fr | CN=PCI3619DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3640DR003.intranet.croix-rouge.asso.fr | CN=PCI3640DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI0000DC101.intranet.croix-rouge.asso.fr | CN=PCI0000DC101,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI0000DC103.intranet.croix-rouge.asso.fr | CN=PCI0000DC103,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI4459DR002.intranet.croix-rouge.asso.fr | CN=PCI4459DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3674DR001.intranet.croix-rouge.asso.fr | CN=PCI3674DR001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3619DR002.intranet.croix-rouge.asso.fr | CN=PCI3619DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3718DR002.intranet.croix-rouge.asso.fr | CN=PCI3718DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI0000DC102.intranet.croix-rouge.asso.fr | CN=PCI0000DC102,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI3620DR002.intranet.croix-rouge.asso.fr | CN=PCI3620DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI2441ET005.intranet.croix-rouge.asso.fr | CN=PCI2441ET005,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False
PCI0001IN016.intranet.croix-rouge.asso.fr | CN=PCI0001IN016,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | Ldap Signing Not Required | False

Saved to SI000153 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 15

SMBv1 is enabled on Domain Controllers result


Showing 20 of 20

DCName | DistinguishedName | State | Ignored

PDC0000DC101.croix-rouge.asso.fr | CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PDC0000DC103.croix-rouge.asso.fr | CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PDC0000DC104.croix-rouge.asso.fr | CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PDC0000DC105.croix-rouge.asso.fr | CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI0001IN006.intranet.croix-rouge.asso.fr | CN=PCI0001IN006,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI4444DR001.intranet.croix-rouge.asso.fr | CN=PCI4444DR001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3713DR002.intranet.croix-rouge.asso.fr | CN=PCI3713DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI2036ET002.intranet.croix-rouge.asso.fr | CN=PCI2036ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3621DR003.intranet.croix-rouge.asso.fr | CN=PCI3621DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3619DR003.intranet.croix-rouge.asso.fr | CN=PCI3619DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3640DR003.intranet.croix-rouge.asso.fr | CN=PCI3640DR003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI0000DC101.intranet.croix-rouge.asso.fr | CN=PCI0000DC101,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI0000DC103.intranet.croix-rouge.asso.fr | CN=PCI0000DC103,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3674DR001.intranet.croix-rouge.asso.fr | CN=PCI3674DR001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3619DR002.intranet.croix-rouge.asso.fr | CN=PCI3619DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3718DR002.intranet.croix-rouge.asso.fr | CN=PCI3718DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI0000DC102.intranet.croix-rouge.asso.fr | CN=PCI0000DC102,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI3620DR002.intranet.croix-rouge.asso.fr | CN=PCI3620DR002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI2441ET005.intranet.croix-rouge.asso.fr | CN=PCI2441ET005,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False
PCI0001IN016.intranet.croix-rouge.asso.fr | CN=PCI0001IN016,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SMBv1 is enabled | False

Saved to SI000155 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 16

Zerologon vulnerability result


Showing 25 of 25

FQDN Ignored
PCI1840ET002.intranet.croix-rouge.asso.fr False
PCI2385ET003.intranet.croix-rouge.asso.fr False
PCI3654ET001.intranet.croix-rouge.asso.fr False
PCI1910ET002.intranet.croix-rouge.asso.fr False
PCI3647ET001.intranet.croix-rouge.asso.fr False
PCI1716ET004.intranet.croix-rouge.asso.fr False
PCI3632ET001.intranet.croix-rouge.asso.fr False
PCI1797ET001.intranet.croix-rouge.asso.fr False
PCI1799ET002.intranet.croix-rouge.asso.fr False
PCI3781ET001.intranet.croix-rouge.asso.fr False
PCI4204ET001.intranet.croix-rouge.asso.fr False
PCI1715ET004.intranet.croix-rouge.asso.fr False
PCI1796ET001.intranet.croix-rouge.asso.fr False
PCI3662ET003.intranet.croix-rouge.asso.fr False
PCI1328ET003.intranet.croix-rouge.asso.fr False
PCI4293ET001.intranet.croix-rouge.asso.fr False
PCI1952ET002.intranet.croix-rouge.asso.fr False
PCI4719ET001.intranet.croix-rouge.asso.fr False
PCI1866ET003.intranet.croix-rouge.asso.fr False
PCI1753ET002.intranet.croix-rouge.asso.fr False
PCI1795ET001.intranet.croix-rouge.asso.fr False
PCI1826ET002.intranet.croix-rouge.asso.fr False
PCI3712ET003.intranet.croix-rouge.asso.fr False
PCI1879ET001.intranet.croix-rouge.asso.fr False
PCI1749ET003.intranet.croix-rouge.asso.fr False

Saved to SI000036 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 17

Dangerous GPO logon script path result


Showing 30 of 31

Script ScriptType UserWithPrivOnFile UsersWithPrivOnFolder Result

INTRANET\admin_marceult INTRANET\admin_marceult
;INTRANET\alonzol ;INTRANET\alonzol
;INTRANET\Admin_Occitanie ;S-1-5- ;INTRANET\Admin_Occitanie ;S-1-5- The file exists
21-683096409-2250491608- 21-683096409-2250491608- but some low
\\10.108.31.7\Informatique$\Wifi_Temp\Wi-Fi-CRF-SALARIES.bat Shutdown 1057341159-122037 1057341159-122037 privilege
;INTRANET\GG4459DR_DSI ;INTRANET\GG4459DR_DSI user(s) can
;INTRANET\hanidz ;INTRANET\laforestf ;INTRANET\hanidz ;INTRANET\laforestf modify it.
;INTRANET\Admin_OC ;INTRANET\Admin_OC
;INTRANET\chouraquim ;INTRANET\chouraquim
;BUILTIN\Utilisateurs

The file exists


INTRANET\Admin_cvl_sanitaire INTRANET\Admin_cvl_sanitaire but some low
\\10.108.44.12\Sources$\Wifi\Wi-Fi-CRF-SALARIES.bat Shutdown ;INTRANET\Admin_Pays-loire ;INTRANET\Admin_Pays-loire privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.

The file exists


INTRANET\Admin_cvl_sanitaire INTRANET\Admin_cvl_sanitaire but some low
\\10.108.44.12\Sources$\Wifi\Wi-Fi-Medical.bat Shutdown ;INTRANET\Admin_Pays-loire ;INTRANET\Admin_Pays-loire privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.

The file exists


INTRANET\Admin_NA_SRR_RICHELIEU INTRANET\Admin_NA_SRR_RICHELIEU but some low
\\10.17.100.115\ad\scripts\supp_racc_bureau.bat Logon ;INTRANET\admin_bouthiere ;INTRANET\admin_bouthiere privilege
user(s) can
modify it.

The file exists


INTRANET\admin_olivol but some low
\\10.29.100.6\Sources$\BL\BL_Brest.bat Logon INTRANET\admin_rapint ;BUILTIN\Utilisateurs privilege
user(s) can
modify it.

The file exists


INTRANET\admin_rapint INTRANET\admin_rapint but some low
\\10.37.104.20\Sources$\BLFormation\BL_BOURGES.bat Logon ;INTRANET\admin_bruelg ;INTRANET\admin_bruelg privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.
The file exists
INTRANET\admin_rapint INTRANET\admin_rapint but some low
\\10.37.104.20\sources$\BLFormation\BL_TOURS.bat Logon ;INTRANET\admin_bruelg ;INTRANET\admin_bruelg privilege
;INTRANET\admin_olivol ;INTRANET\admin_olivol user(s) can
modify it.

The file exists


but some low
\\10.76.148.7\Scripts\RemoveAnyDesk.bat Startup INTRANET\admin_charretiere BUILTIN\Utilisateurs privilege
;INTRANET\GG3654ET_ALL ;INTRANET\GG3654ET_ALL user(s) can
modify it.

The file exists


INTRANET\admin_charretiere BUILTIN\Utilisateurs but some low
\\10.76.148.7\Scripts\Shortcuts.bat Logon ;INTRANET\GG3654ET_ALL ;INTRANET\GG3654ET_ALL privilege
user(s) can
modify it.



The file exists
INTRANET\admin_charretiere INTRANET\admin_charretiere but some low
\\10.76.148.7\Scripts\WLAN\script_WIFI.bat Logon ;INTRANET\GG3654ET_ALL ;INTRANET\GG3654ET_ALL privilege
;BUILTIN\Utilisateurs user(s) can
modify it.

Script | ScriptType | UserWithPrivOnFile | UsersWithPrivOnFolder | Result
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{1541503E-3070-4B64-B8CA-32E3BD7E9EED}\User\Scripts\Logon\install_java_client-HR_settings.bat | Logon | INTRANET\Admin_RA-Auvergne ;S-1-5-21-683096409-2250491608-1057341159-38778 | INTRANET\Admin_RA-Auvergne ;S-1-5-21-683096409-2250491608-1057341159-38778 | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{18833F42-61C6-491A-9DAB-6C7743BD78B5}\User\Scripts\Logon\SO_1936_Impression.vbs | Logon | INTRANET\Admin_Occitanie ;INTRANET\admin_cazenaveb | INTRANET\Admin_Occitanie ;INTRANET\admin_cazenaveb | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{201B2BB7-4454-4BB1-B865-A0DD13350F82}\User\Scripts\Logon\OUEST_4273_Impressions.vbs | Logon | INTRANET\admin_marceult ;INTRANET\Admin_Normandie | INTRANET\admin_marceult ;INTRANET\Admin_Normandie | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{26F478E3-C8DC-4217-9D89-13C8088F2197}\User\Scripts\Logon\HM_settings.bat | Logon | INTRANET\Admin_RA-Auvergne ;S-1-5-21-683096409-2250491608-1057341159-38778 | INTRANET\Admin_RA-Auvergne ;S-1-5-21-683096409-2250491608-1057341159-38778 | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{328B1609-7E92-4351-AA9E-2DD042582DF6}\Machine\Scripts\Startup\CredSSP.cmd | Startup | INTRANET\admin_martyst ;INTRANET\Admin_Occitanie | INTRANET\admin_martyst ;INTRANET\Admin_Occitanie | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{3694AC2A-C854-4CCE-A4F6-4D9F5517BC7C}\Machine\Scripts\Startup\gpo-bo_assistant_1.8.3.ps1 | Startup | S-1-5-21-683096409-2250491608-1057341159-260011 ;INTRANET\Admin_IDF | S-1-5-21-683096409-2250491608-1057341159-260011 ;INTRANET\Admin_IDF | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{4738C28F-128E-49E2-B5FA-5A4BF6374876}\Machine\Scripts\Startup\startup.bat | Startup | S-1-5-21-683096409-2250491608-1057341159-260011 ;INTRANET\Admin_IDF | S-1-5-21-683096409-2250491608-1057341159-260011 ;INTRANET\Admin_IDF | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{4738C28F-128E-49E2-B5FA-5A4BF6374876}\User\Scripts\Logon\startup.bat | Logon | S-1-5-21-683096409-2250491608-1057341159-260011 ;INTRANET\Admin_IDF | S-1-5-21-683096409-2250491608-1057341159-260011 ;INTRANET\Admin_IDF | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{4BB33F50-75BE-486E-9F49-ABD05D72939C}\Machine\Scripts\Startup\settings_ACTEUR_machines.bat | Startup | S-1-5-21-683096409-2250491608-1057341159-38778 ;INTRANET\Admin_RA-Auvergne | S-1-5-21-683096409-2250491608-1057341159-38778 ;INTRANET\Admin_RA-Auvergne | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{4BF8E1EE-6667-4A94-B4E3-4EB8D7A297D9}\User\Scripts\Logon\SO_3660_Impression_new.vbs | Logon | INTRANET\Admin_NA_FORMATION ;S-1-5-21-683096409-2250491608-1057341159-92227 ;INTRANET\Admin_NA | INTRANET\Admin_NA_FORMATION ;INTRANET\admin_cazenaveb ;INTRANET\Admin_NA | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{573A46A4-1C26-445B-A0A5-956E0F1BA025}\User\Scripts\Logon\proxyoff.ps1 | Logon | INTRANET\admin_alonzol ;INTRANET\Admin_Pacac | INTRANET\admin_alonzol ;INTRANET\Admin_Pacac | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{6BA6D665-9280-4462-8FCA-AADB846EC7AB}\User\Scripts\Logon\HM_settings.bat | Logon | INTRANET\Admin_RA-Auvergne ;S-1-5-21-683096409-2250491608-1057341159-38778 | INTRANET\Admin_RA-Auvergne ;S-1-5-21-683096409-2250491608-1057341159-38778 | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{809A41B6-89DC-4055-8074-931DD5CBE868}\User\Scripts\Logon\alerte.bat | Logon | INTRANET\admin_saintleonro ;INTRANET\Admin_Hauts-de-france | INTRANET\admin_saintleonro ;INTRANET\Admin_Hauts-de-france | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{B7F6AD88-5C2F-425B-AE16-27B26A630730}\Machine\Scripts\Startup\support.bat | Startup | INTRANET\admin_saintleonro ;INTRANET\Admin_Hauts-de-france | INTRANET\admin_saintleonro ;INTRANET\Admin_Hauts-de-france | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{BD53042D-A6DC-44A8-A323-C5ECD2D44A8A}\User\Scripts\Logon\CopyHelloDoc.bat | Logon | INTRANET\admin_marceult ;INTRANET\Admin_OM | INTRANET\admin_marceult ;INTRANET\Admin_OM | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{C4CBD17C-629D-4561-856B-E7D10CD30EDA}\User\Scripts\Logon\CopyHelloDoc.bat | Logon | INTRANET\admin_marceult ;INTRANET\Admin_OM | INTRANET\admin_marceult ;INTRANET\Admin_OM | The file exists but some low privilege user(s) can modify it.
\\intranet.croix-rouge.asso.fr\SysVol\intranet.croix-rouge.asso.fr\Policies\{DC529A03-26C7-450F-BD32-88EF4C0DAD5E}\User\Scripts\Logon\EST_1952_Impression.vbs | Logon | INTRANET\Admin_BFC ;INTRANET\admin_marceult | INTRANET\Admin_BFC ;INTRANET\admin_marceult | The file exists but some low privilege user(s) can modify it.
\\PRI1837ET001\sources$\WIFI\Wi-Fi-crfstluc_data.bat | Logoff | INTRANET\admin_rapint | INTRANET\admin_rapint ;BUILTIN\Utilisateurs | The file exists but some low privilege user(s) can modify it.
\\Pri1915et001\hosts\Hosts_1915.cmd | Logon | INTRANET\Admin_IDF ;AUTORITE NT\Utilisateurs authentifiés | AUTORITE NT\Utilisateurs authentifiés ;INTRANET\Admin_IDF | The file exists but some low privilege user(s) can modify it.
\\PRI2592ET001\Sources$\BLFormation\BL_REZE.bat | Logon | INTRANET\Admin_Pays-loire ;INTRANET\Admin_Pays-loire_Formation | INTRANET\Admin_Pays-loire ;INTRANET\Admin_Pays-loire_Formation | The file exists but some low privilege user(s) can modify it.

Saved to SI000304 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 18

Users with SPN defined result


Showing 18 of 18



DistinguishedName | SamAccountName | ServicePrincipalName | AES Enabled | Ignored
CN=qualiac sso dev,CN=Users,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev | http/qualiqua.croix-rouge.fr | False | False
CN=ping poc,CN=Users,DC=croix-rouge,DC=asso,DC=fr | ping_poc | HTTP/dev0001in009.croix-rouge.asso.fr; HTTP/dev0001in009.intranet.croix-rouge.asso.fr; HTTP/DEV0001IN009.intranet.crfrec.local; HTTP/ping-poc.croix-rouge.fr | False | False
CN=svcBO,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svcBO | HTTP/pri0001in155; HTTP/pri0001in155.intranet.croix-rouge.asso.fr; HTTP/decisionnel; HTTP/decisionnel.intranet.croix-rouge.asso.fr; BICMS/svcbo.intranet.croix-rouge.asso.fr | False | False
CN=SvcBO_PROD,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_PROD | HTTP/bo.croix-rouge.asso.fr; HTTP/pri0001in196.intranet.croix-rouge.asso.fr; HTTP/pri0001in196; BICMS/svcBO_PROD.intranet.croix-rouge.asso.fr | False | False
CN=SvcBO_PROD2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_PROD2 | HTTP/PRI00000DC194; HTTP/PRI00000DC194.intranet.croix-rouge.asso.fr; HTTP/bo.croix-rouge.fr; BICMS/Svcbo_PROD2.intranet.croix-rouge.asso.fr | False | False
CN=SvcBO_REC,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | SvcBO_REC | BICMS/svcbo_rec.intranet.croix-rouge.asso.fr; HTTP/recette-bo.croix-rouge.fr; HTTP/REC00000DC194.intranet.croix-rouge.Asso.fr; HTTP/REC00000DC194 | False | False
CN=service ADFS 365,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_adfs | host/id.croix-rouge.fr | False | False
CN=svc prod_okta_IWA,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_prod_okta_IWA | HTTP/croix-rouge.kerberos.okta.com | False | False
CN=Qualiac SSO Dev2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev2 | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiacdev2.croix-rouge.fr | False | False
CN=Qualiac SSO Recette,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_recette | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiac-recette.authentification.croix-rouge.fr; http/rec0002in101.intranet.croix-rouge.asso.fr; http/rec0002in102.intranet.croix-rouge.asso.fr; http/qualiac-recette.croix-rouge.fr | False | False
CN=Qualiac SSO Dev,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso_dev | http/qualiqua.croix-rouge.fr; http/dev0001in034.intranet.croix-rouge.asso.fr | False | False
CN=svc_paloalto,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_paloalto | HTTP/portal.croix-rouge.fr | False | False
CN=Qualiac SSO,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | qualiac_sso | http/prd0002in102.intranet.croix-rouge.asso.fr; http/prd0002in101.intranet.croix-rouge.asso.fr; http/qualiac.croix-rouge.fr | False | False
CN=adminsql,OU=Admin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | adminsql | MSSQLSvc/pri0001in403.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/PRI0001IN404.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/PVI0001IN024.intranet.croix-rouge.asso.fr; MSSQLSvc/PVI0001IN024.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/pri0001in010.intranet.croix-rouge.asso.fr:1433 | False | False
CN=svc_dex10,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | svc_dex10 | MSSQLSvc/PRI0001IN115.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/PRI0001IN115.intranet.croix-rouge.asso.fr | False | False
CN=admin_balavoine Rudy,OU=Admin,OU=Hauts-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | admin_balavoiner | MSSQLSvc/PRI3718DR004.intranet.croix-rouge.asso.fr:SQLEXPRESS | False | False
CN=0001_rec_k2,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 0001_rec_k2 | MSSQLSvc/REC0001IN073.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/REC0001IN073.intranet.croix-rouge.asso.fr | False | False
CN=0001_svc_recsage100c,OU=Utilisateurs,OU=SIEGE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | 0001_svc_recsage100c | MSSQLSvc/REC0001IN152.intranet.croix-rouge.asso.fr:SAGE100 | False | False



Saved to SI000042 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 19

Primary users with SPN not supporting AES encryption on Kerberos result
Showing 17 of 17



DistinguishedName | ServicePrincipalName | SamAccountName | Ignored
CN=qualiac sso dev,CN=Users,DC=croix-rouge,DC=asso,DC=fr | http/qualiqua.croix-rouge.fr | qualiac_sso_dev | False
CN=ping poc,CN=Users,DC=croix-rouge,DC=asso,DC=fr | HTTP/dev0001in009.croix-rouge.asso.fr; HTTP/dev0001in009.intranet.croix-rouge.asso.fr; HTTP/DEV0001IN009.intranet.crfrec.local; HTTP/ping-poc.croix-rouge.fr | ping_poc | False
CN=svcBO,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/pri0001in155; HTTP/pri0001in155.intranet.croix-rouge.asso.fr; HTTP/decisionnel; HTTP/decisionnel.intranet.croix-rouge.asso.fr; BICMS/svcbo.intranet.croix-rouge.asso.fr | svcBO | False
CN=SvcBO_PROD,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/bo.croix-rouge.asso.fr; HTTP/pri0001in196.intranet.croix-rouge.asso.fr; HTTP/pri0001in196; BICMS/svcBO_PROD.intranet.croix-rouge.asso.fr | SvcBO_PROD | False
CN=SvcBO_PROD2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/PRI00000DC194; HTTP/PRI00000DC194.intranet.croix-rouge.asso.fr; HTTP/bo.croix-rouge.fr; BICMS/Svcbo_PROD2.intranet.croix-rouge.asso.fr | SvcBO_PROD2 | False
CN=SvcBO_REC,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | BICMS/svcbo_rec.intranet.croix-rouge.asso.fr; HTTP/recette-bo.croix-rouge.fr; HTTP/REC00000DC194.intranet.croix-rouge.Asso.fr; HTTP/REC00000DC194 | SvcBO_REC | False
CN=service ADFS 365,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | host/id.croix-rouge.fr | svc_adfs | False
CN=svc prod_okta_IWA,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/croix-rouge.kerberos.okta.com | svc_prod_okta_IWA | False
CN=Qualiac SSO Dev2,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiacdev2.croix-rouge.fr | qualiac_sso_dev2 | False
CN=Qualiac SSO Recette,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | http/dev0001in034.intranet.croix-rouge.asso.fr; http/qualiac-recette.authentification.croix-rouge.fr; http/rec0002in101.intranet.croix-rouge.asso.fr; http/rec0002in102.intranet.croix-rouge.asso.fr; http/qualiac-recette.croix-rouge.fr | qualiac_sso_recette | False
CN=Qualiac SSO Dev,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | http/qualiqua.croix-rouge.fr; http/dev0001in034.intranet.croix-rouge.asso.fr | qualiac_sso_dev | False
CN=svc_paloalto,CN=Users,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | HTTP/portal.croix-rouge.fr | svc_paloalto | False
CN=Qualiac SSO,OU=Compte de service,OU=DISABLED OBJECT,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | http/prd0002in102.intranet.croix-rouge.asso.fr; http/prd0002in101.intranet.croix-rouge.asso.fr; http/qualiac.croix-rouge.fr | qualiac_sso | False
CN=adminsql,OU=Admin,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | MSSQLSvc/pri0001in403.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/PRI0001IN404.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/PVI0001IN024.intranet.croix-rouge.asso.fr; MSSQLSvc/PVI0001IN024.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/pri0001in010.intranet.croix-rouge.asso.fr:1433 | adminsql | False
CN=svc_dex10,OU=COMPTE DE SERVICE,OU=SERVEURS,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | MSSQLSvc/PRI0001IN115.intranet.croix-rouge.asso.fr:1433; MSSQLSvc/PRI0001IN115.intranet.croix-rouge.asso.fr | svc_dex10 | False
CN=admin_balavoine Rudy,OU=Admin,OU=Hauts-de-France,OU=TERRITOIRE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | MSSQLSvc/PRI3718DR004.intranet.croix-rouge.asso.fr:SQLEXPRESS | admin_balavoiner | False
CN=0001_svc_recsage100c,OU=Utilisateurs,OU=SIEGE,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | MSSQLSvc/REC0001IN152.intranet.croix-rouge.asso.fr:SAGE100 | 0001_svc_recsage100c | False

Saved to SI000152 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx



Appendix 20

RC4 or DES encryption type are supported by Domain Controllers result


Showing 30 of 157



DistinguishedName | SupportedEncryptionTypes | EventTimestamp | Ignored
CN=PDC0000DC101,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 02/07/2020 13:28:36 | False
CN=PDC0000DC103,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 12/02/2021 09:50:31 | False
CN=PDC0000DC104,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/11/2021 14:44:25 | False
CN=PDC0000DC105,OU=Domain Controllers,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/11/2021 15:13:24 | False
CN=PCI3670ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 13/03/2018 09:34:38 | False
CN=PCI1814ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 15/09/2017 09:57:34 | False
CN=PCI1859ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 26/03/2019 08:49:30 | False
CN=PCI2223ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 07/06/2017 14:34:55 | False
CN=PCI1722ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 07/12/2016 15:07:20 | False
CN=PCI1811ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 05/10/2017 08:43:04 | False
CN=PCI2532ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 12/05/2016 08:19:47 | False
CN=PCI1837ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 20/10/2017 08:08:07 | False
CN=PCI2603ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/08/2017 07:34:28 | False
CN=PCI1848ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 10/09/2018 12:22:31 | False
CN=PCI2020ET003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 22/12/2021 14:43:53 | False
CN=PCI1781ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 04/10/2021 15:24:50 | False
CN=PCI1840ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 14/12/2021 14:41:21 | False
CN=PCI1727ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 13/01/2020 10:18:00 | False
CN=PCI1469ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 06/12/2021 16:24:42 | False
CN=PCI3867ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 22/09/2021 14:35:03 | False
CN=PCI1286DT001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 14/12/2021 15:01:11 | False
CN=PCI2533ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 26/10/2021 11:58:17 | False
CN=PCI3680ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/09/2021 11:26:36 | False
CN=PCI2552ET003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 21/01/2022 14:59:39 | False
CN=PCI3832ET003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 25/11/2021 15:38:42 | False
CN=PCI1836ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 08/01/2020 14:06:41 | False
CN=PCI1623ET003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 29/01/2022 10:16:56 | False
CN=PCI1823ET001,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 04/12/2019 13:05:04 | False
CN=PCI2545ET002,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 17/09/2021 15:43:46 | False
CN=PCI2385ET003,OU=Domain Controllers,DC=intranet,DC=croix-rouge,DC=asso,DC=fr | AES 128, AES 256, RC4_HMAC_MD5 | 20/01/2022 13:59:11 | False

Saved to SI000151 tab in C:\Users\hounsounoua\Documents\pk\Output\03_13_2024_08_29_14\Security_Assessment_Report_13_03_2024_08_29_14.xlsx
