The Active Directory vulnerability assessment uses an agent-based collection model to evaluate security posture across the Active Directory forest. It is designed to be lightweight, non-intrusive, and flexible for environments of varying size and complexity.
This section describes the deployment model, agent placement requirements, and scan behavior.
Deployment model overview
The assessment operates using the following components:
- Forest client - Represents the Active Directory forest within the console.
- Active Directory agent - Installed on domain controllers to collect configuration and security data.
- Control plane - Evaluates indicators and generates findings based on collected data.
The agent performs read-only data collection from Active Directory and the local domain controller. Collected data is securely transmitted to the control plane, where vulnerability indicators are evaluated and results are generated.
No changes are made to Active Directory during assessment.
Agent placement strategy
Proper agent placement is required to ensure accurate and complete assessment results.
Minimum deployment
At a minimum:
- Install the agent on a domain controller in the root domain.
- Install the agent on at least one domain controller in each additional domain within the forest.
This enables forest-level and domain-level indicators to be evaluated.
Indicator scope
Indicators are evaluated at one or more of the following scopes:
- Forest scope: Evaluates configuration in the forest configuration partition or settings that affect all domains.
- Domain scope: Evaluates domain-specific configuration and policies.
- Domain controller scope: Evaluates settings local to individual DCs.
Assessment coverage depends on agent placement and domain discovery.
Domain controller-level indicators
Some security indicators evaluate settings that are specific to individual domain controllers. For these indicators, the agent must be installed on each domain controller that you want evaluated.
Examples of DC-level checks include:
- Print Spooler service configuration
- LDAP signing requirements
- SMB signing configuration
- NTLM settings
- Local security policy configuration
If the agent is not installed on a domain controller, DC-level indicators for that server will not be evaluated.
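The following script is an added example, not part of the product documentation or the agent itself. It performs a read-only pre-check of the DC-level settings listed above when run locally on a domain controller, using the standard Windows registry locations for these settings; the pass thresholds are the commonly recommended hardened values (assumed here), not the product's own indicator logic.

```powershell
# Added example: read-only pre-check of DC-level settings on the local domain controller.
# Thresholds are assumed hardened values, not the assessment product's indicator definitions.
#Requires -RunAsAdministrator

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or key) does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = @()

# LDAP signing: LDAPServerIntegrity = 2 means the DC requires signed LDAP binds.
$ldap = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LDAPServerIntegrity'
$results += [pscustomobject]@{ Check = 'LDAP signing required'; Value = $ldap; Pass = ($ldap -eq 2) }

# SMB server signing: RequireSecuritySignature = 1 means signing is mandatory.
$smb = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
$results += [pscustomobject]@{ Check = 'SMB server signing required'; Value = $smb; Pass = ($smb -eq 1) }

# NTLM: LmCompatibilityLevel = 5 sends NTLMv2 only and refuses LM and NTLMv1 as a server.
$lm = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$results += [pscustomobject]@{ Check = 'LmCompatibilityLevel is 5'; Value = $lm; Pass = ($lm -eq 5) }

# Print Spooler: expected to be stopped and disabled on domain controllers.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerState = if ($spooler) { "$($spooler.Status)/$($spooler.StartType)" } else { 'not installed' }
$spoolerPass = (-not $spooler) -or ($spooler.StartType -eq 'Disabled' -and $spooler.Status -ne 'Running')
$results += [pscustomobject]@{ Check = 'Print Spooler disabled'; Value = $spoolerState; Pass = $spoolerPass }

# A missing registry value shows as an empty Value column and fails the check,
# because the Windows default for these settings is the weaker negotiated mode.
$results | Format-Table -AutoSize
```

To cover every DC in a domain, the same script body can be passed to `Invoke-Command` against the host names returned by `Get-ADDomainController -Filter *`, which mirrors the per-DC agent placement this section requires.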
Multi-domain forests
In multi-domain forests:
- The root domain must be onboarded first.
- Additional domains are discovered during topology discovery.
- At least one agent must be deployed per domain to evaluate domain-level indicators.
If a domain does not have an agent installed, that domain will not be assessed.
Scan execution model
Assessments can be initiated manually or executed according to a pre-defined daily schedule.
During a scan:
- The agent collects configuration and security-related data.
- Data is transmitted to the control plane.
- Indicators are evaluated.
- Findings are updated in the console.
Newly added domain controllers or domains are evaluated after topology refresh and agent deployment.
Performance considerations
The Active Directory Vulnerability Assessment is designed to minimize operational impact.
- All data collection is read-only.
- LDAP queries and configuration checks are scoped to required attributes.
- No schema modifications are performed.
- No replication changes are triggered.
Scan duration varies depending on:
- Number of domains
- Number of domain controllers
- Number of enabled indicators
In most environments, assessment execution completes within minutes.
Security and permissions
The agent requires sufficient privileges to:
- Read Active Directory configuration data
- Query domain controller security settings
- Retrieve policy and service configuration data