Security Indicators

The Active Directory Vulnerability Assessment evaluates a curated set of security indicators designed to identify high-impact misconfigurations and risky conditions within Active Directory environments. Each indicator reflects widely recognized security best practices and vendor guidance, with a focus on issues that meaningfully increase the likelihood of compromise, privilege escalation, or lateral movement.

All indicators included in this assessment are classified as Medium, High, or Critical severity.

The table below lists all evaluated indicators, including a brief description, category, and severity classification. Detailed findings for each indicator include impact analysis, affected objects, remediation guidance, and authoritative references.

| Indicator | Severity | Category |
|---|---|---|
| Accounts with constrained delegation to DC services (CIFS/DC, LDAP/DC, etc.) | Critical | Delegation and Privilege Escalation Paths |
| Accounts with no Kerberos preauthentication | Critical | Password Policies and Account Security |
| Accounts with unconstrained delegation | Critical | Delegation and Privilege Escalation Paths |
| Detect privileged accounts without proper logon restrictions (Tiering gaps) | Critical | Privileged Accounts and Groups |
| Domain controllers running unsupported OS | Critical | Active Directory Infrastructure Security |
| External trust SID filtering disabled | Critical | Active Directory Trusts and External Access |
| Insecure GPO permissions (non-admin can edit) | Critical | Group Policy and Endpoint Configuration |
| LDAP signing not required on DC | Critical | Authentication & Protocol Security |
| Non-admin users can modify/link critical GPOs | Critical | Delegation and Privilege Escalation Paths |
| Non-admin users have DCSync rights | Critical | Delegation and Privilege Escalation Paths |
| NTLMv1/LM authentication permitted | Critical | Authentication & Protocol Security |
| Plaintext credentials in GPOs | Critical | Group Policy and Endpoint Configuration |
| Print Spooler service running on DC | Critical | Active Directory Infrastructure Security |
| Privileged account with SPN (Kerberoastable admin) | Critical | Privileged Accounts and Groups |
| Resource-based delegation set on Tier-0 account | Critical | Delegation and Privilege Escalation Paths |
| SMB signing not required on DCs | Critical | Authentication & Protocol Security |
| SMBv1 protocol enabled on DCs | Critical | Authentication & Protocol Security |
| Weak domain password policy settings | Critical | Password Policies and Account Security |
| Accounts with password never expiring | High | Password Policies and Account Security |
| High number of privileged (Tier 0) users | High | Privileged Accounts and Groups |
| Kerberos ticket policies not enforced | High | Authentication & Protocol Security |
| LM hash storage not disabled | High | Authentication & Protocol Security |
| Missing baseline hardening GPOs | High | Group Policy and Endpoint Configuration |
| No LAPS (Local Admin Password Solution) deployed | High | Group Policy and Endpoint Configuration |
| Privileged users not in Protected Users group | High | Credential Protection and Privileged Account Hardening |
| Trust not using selective authentication | High | Active Directory Trusts and External Access |
| Weak Kerberos encryption (RC4/DES allowed) | High | Authentication & Protocol Security |
| WSUS server misconfigurations | High | Active Directory Infrastructure Security |
| Stale computer accounts (>90 days) | Medium | Active Directory Infrastructure Security |
| Stale user accounts (inactive > 90 days) | Medium | Active Directory Infrastructure Security |