Remediating identified findings

The Active Directory vulnerability assessment identifies security weaknesses but does not automatically modify your environment.

All remediation actions must be performed by an administrator according to your organization's change management and validation processes.

Important

The Active Directory Vulnerability Assessment provides guidance based on widely accepted security best practices and vendor recommendations. It does not replace architectural review, threat modeling, or formal security audits.

Administrators remain responsible for validating and implementing configuration changes appropriate for their environment.

Remediation approach

When addressing findings:

  1. Prioritize by severity: Begin with Critical and High findings that pose the greatest security risk.

  2. Review affected objects: Identify which domains, domain controllers, or accounts are impacted.

  3. Understand the impact: Review the Details and Impact sections of the finding to understand:

    • Why the configuration is risky

    • What the expected secure state should be

    • Whether compatibility testing is required

  4. Plan the change: Many security hardening actions—such as enforcing LDAP signing, disabling legacy protocols, or removing delegation—can affect authentication and service behavior.

    Validate configuration changes in a non-production or staged environment whenever possible.

  5. Implement remediation: Apply changes using supported administrative tools, such as:

    • Group Policy

    • Active Directory Users and Computers

    • PowerShell

    • Security policy configuration tools

  6. Re-run the assessment: After implementing changes, re-run the assessment to confirm that the vulnerability has been resolved.
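The steps above, worked through for one common finding type (accounts trusted for unconstrained delegation) as an added PowerShell example; this is not code from the assessment product or its documentation. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read and modify the affected objects. Review is separated from implementation so the change can be rehearsed with -WhatIf before it is applied.

```powershell
# Added example (not part of the documentation above): walking the remediation
# steps for accounts trusted for unconstrained delegation. Assumes the RSAT
# ActiveDirectory module and an account allowed to read and modify the objects.
#Requires -Modules ActiveDirectory

function Get-UnconstrainedDelegationObject {
    # Step 2: review affected objects. Domain controllers are legitimately
    # trusted for delegation, so they are excluded by primary group
    # (516 = Domain Controllers, 521 = Read-only Domain Controllers).
    $computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 }
    $users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation

    foreach ($obj in @($computers) + @($users)) {
        [pscustomobject]@{
            Name              = $obj.SamAccountName
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

function Remove-UnconstrainedDelegation {
    # Steps 4 and 5: plan and implement. SupportsShouldProcess gives the
    # function -WhatIf and -Confirm so the change is rehearsed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear TRUSTED_FOR_DELEGATION')) {
            Set-ADAccountControl -Identity $DistinguishedName -TrustedForDelegation $false
        }
    }
}

function Test-UnconstrainedDelegationCleared {
    # Step 6: confirm the expected secure state before re-running the assessment.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties userAccountControl
    # Bit 0x80000 of userAccountControl is TRUSTED_FOR_DELEGATION.
    return (($obj.userAccountControl -band 0x80000) -eq 0)
}

# Rehearsal: list affected objects and show what would change, changing nothing.
$affected = Get-UnconstrainedDelegationObject
$affected | Format-Table Name, ObjectClass, DistinguishedName -AutoSize
$affected.DistinguishedName | Remove-UnconstrainedDelegation -WhatIf

# Actual change, object by object, once change management has approved it:
# $affected.DistinguishedName | Remove-UnconstrainedDelegation -Confirm
# $affected | ForEach-Object {
#     "$($_.Name): cleared = $(Test-UnconstrainedDelegationCleared $_.DistinguishedName)"
# }
```

Excluding domain controllers by primary group rather than by name keeps the review honest: a DC is expected to be trusted for delegation, but any other computer or user account that is should be treated as a finding until the dependency behind it is understood.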

Common remediation types

Depending on the indicator, remediation may involve:

  • Enforcing secure authentication protocols

  • Disabling legacy or insecure protocols

  • Adjusting delegation settings

  • Removing unnecessary privileges

  • Hardening domain controller configuration

  • Modifying Group Policy settings

Some changes—particularly those involving authentication and delegation—may require careful sequencing to avoid service disruption.

Change management considerations

Certain security configurations can impact application compatibility. Examples include:

  • Requiring LDAP signing

  • Enforcing SMB signing

  • Restricting NTLM usage

  • Removing unconstrained delegation

Before enforcing these settings:

  • Identify dependent applications and services.

  • Validate compatibility in staging.

  • Communicate planned changes to relevant teams.
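Identifying dependent applications before requiring LDAP signing can be done from the domain controllers' own logs. The following is an added PowerShell example, not code from the assessment product or its documentation: it raises the NTDS "16 LDAP Interface Events" diagnostic level so each domain controller records event 2889 (Directory Service log) for every client that binds without signing or performs a simple bind over a clear-text connection, then summarises those clients. It assumes WinRM access with local administrator rights on each domain controller and that the event message text has the layout the regular expressions below expect.

```powershell
# Added example (not from the documentation above): finding clients that still
# perform unsigned or clear-text LDAP binds before signing is enforced.
# Assumes WinRM administrative access to each domain controller.
#Requires -Modules ActiveDirectory

$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagValue = '16 LDAP Interface Events'

function Enable-LdapInterfaceLogging {
    # Level 2 makes each DC log event 2889 for every client that binds without
    # signing or uses a simple bind on a clear-text connection; level 0 is the default.
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [ValidateSet(0, 2)][int]$Level = 2
    )
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($Key, $Name, $Value)
        Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    } -ArgumentList $DiagKey, $DiagValue, $Level
}

function Get-UnsignedLdapBindClient {
    # Collects event 2889 from each DC. The message body carries the client
    # address as IP:port and the identity used for the bind; both are parsed
    # out of the text (layout assumed as described in the lead-in).
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainController) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $addr = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { $null }
            # Strip the trailing :port so the same host is grouped regardless of source port.
            $ip = if ($addr -and $addr.Contains(':')) { $addr.Substring(0, $addr.LastIndexOf(':')) } else { $addr }
            $id = if ($e.Message -match 'authenticate as:\s*(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                DomainController = $dc
                ClientIP         = $ip
                Identity         = $id
                TimeCreated      = $e.TimeCreated
            }
        }
    }
}

# Turn the logging on across all DCs in the domain.
$dcs = (Get-ADDomainController -Filter *).HostName
Enable-LdapInterfaceLogging -DomainController $dcs -Level 2

# After a representative period (at least one full business cycle), list the
# clients and identities that would be affected if signing were required today.
Get-UnsignedLdapBindClient -DomainController $dcs -Days 7 |
    Group-Object ClientIP, Identity |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
        @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
    Format-Table -AutoSize

# Restore the default diagnostic level once the inventory is complete:
# Enable-LdapInterfaceLogging -DomainController $dcs -Level 0
```

The grouped output is the list to hand to application owners before the setting is enforced: each row is a client host and the account it binds with, which is usually enough to identify the service that needs its LDAP client reconfigured for signing or LDAPS.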

Security hardening should be implemented deliberately to balance risk reduction and operational continuity.

Verification and continuous improvement

After remediation:

  • Confirm that the affected objects reflect the expected secure state.

  • Re-run the assessment to verify resolution.

  • Schedule recurring assessments to monitor for configuration drift.
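Confirming the expected secure state and catching drift between assessments can also be scripted. The following is an added PowerShell example, not code from the assessment product or its documentation. The three settings it checks (LDAP signing required, SMB server signing required, NTLMv2-only authentication) are assumptions about the target posture drawn from the remediation types named on this page; the expected values and the baseline file path are placeholders to adjust. It assumes WinRM access to each domain controller.

```powershell
# Added example (not from the documentation above): verifying the expected
# secure state on every domain controller and reporting drift from a baseline.
# Expected values are this example's assumptions; adjust to the findings remediated.
#Requires -Modules ActiveDirectory

# Each check names where the setting lives, the value for the hardened state,
# and the finding it corresponds to.
$ExpectedState = @(
    @{ Finding  = 'LDAP signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name     = 'LDAPServerIntegrity'; Expected = 2 }
    @{ Finding  = 'SMB server signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'; Expected = 1 }
    @{ Finding  = 'NTLMv2 only (LmCompatibilityLevel)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'LmCompatibilityLevel'; Expected = 5 }
)

function Get-DomainControllerPosture {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][hashtable[]]$Checks
    )
    foreach ($dc in $DomainController) {
        # Read all values in one remote session per DC. A value that is not set
        # is reported as $null and counted as non-compliant, not as compliant.
        $actual = Invoke-Command -ComputerName $dc -ArgumentList (,$Checks) -ScriptBlock {
            param($Checks)
            foreach ($c in $Checks) {
                $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
                [pscustomobject]@{ Name = $c.Name; Value = $v }
            }
        }
        foreach ($c in $Checks) {
            $value = ($actual | Where-Object Name -eq $c.Name).Value
            [pscustomobject]@{
                DomainController = $dc
                Finding          = $c.Finding
                Expected         = $c.Expected
                Actual           = $value
                Compliant        = ($value -eq $c.Expected)
            }
        }
    }
}

function Compare-PostureBaseline {
    # First run stores the baseline; later runs report any DC/finding pair whose
    # actual value changed, which is how configuration drift surfaces.
    param(
        [Parameter(Mandatory)][object[]]$Current,
        [Parameter(Mandatory)][string]$BaselinePath
    )
    if (-not (Test-Path $BaselinePath)) {
        $Current | Export-Csv -Path $BaselinePath -NoTypeInformation
        return @()
    }
    $baseline = Import-Csv -Path $BaselinePath
    foreach ($row in $Current) {
        $prev = $baseline | Where-Object {
            $_.DomainController -eq $row.DomainController -and $_.Finding -eq $row.Finding
        }
        # Compare as strings: CSV round-tripping turns the numbers into text.
        if ($prev -and "$($prev.Actual)" -ne "$($row.Actual)") {
            [pscustomobject]@{
                DomainController = $row.DomainController
                Finding          = $row.Finding
                Previous         = $prev.Actual
                Current          = $row.Actual
            }
        }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
$posture = Get-DomainControllerPosture -DomainController $dcs -Checks $ExpectedState

# Objects that do not yet reflect the expected secure state:
$posture | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Run on a schedule (for example from a scheduled task) so drift is caught between assessments.
# The baseline path is a placeholder.
Compare-PostureBaseline -Current $posture -BaselinePath 'C:\Reports\dc-posture-baseline.csv' |
    Format-Table -AutoSize
```

Treating an absent registry value as non-compliant is deliberate: several of these settings fall back to a weaker default when the value is missing, so "not set" is not the same as "hardened".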

Active Directory security posture can change over time due to:

  • Administrative actions

  • New domain controller deployments

  • Application installations

  • Group Policy modifications

Regular assessment helps ensure that remediated vulnerabilities do not reappear.
