Movement
Last updated
Was this helpful?
Last updated
Was this helpful?
This is a work-in-progress
Below is a checklist to go through when conducting a pentest. Order is irrelevant and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". A mindmap is in the works for that matter .
Local administrators have a unique, random, complex and rotating password on every server/workstation (e.g. use of LAPS). This can be checked by dumping a local admin password or hash and attempting (i.e. trying to log in on other resources with that password/hash).
Strong password and lockout policies exist and are applied (complexity enabled, at least 12 chars, 16 for admins, must change every 6 months) and users know not to use simple and guessable passwords (e.g. password == username) limiting credential , guessing, and attacks.
Tier Model is applied (administrative personnel have multiple accounts, one for each tier, with different passwords and security requirements for each one) and a "least requirement" policy is followed (i.e. service accounts don't have domain admin (or equivalent) privileges, ACEs are carefully set) limiting credential , guessing, and attacks.
Sensitive network shares are not readable by all users. A "need to know" policy is followed, preventing data leak and other .
No account is configured with capabilities.
Caching of domain users is limited on workstations and avoided on servers to prevent of LSA secrets from registry.
are not used.
Network shares readable by all domain users don't contain sensitive data like passwords or certificates limiting .
IPv6 is either fully configured and used or disabled, preventing attacks.
are disabled, preventing MITM attacks relying on those multicast/broadcast domain name resolution protocols.
WPAD is disabled, preventing .
A record exists in ADIDNS for the * (wildcard) preventing powerful attacks. Preferably, this is a TXT record.
The print spooler is disabled on Domain Controllers and sensitive servers to prevent the authentication coercion attack.
The WSUS server (if any) is configured with HTTPS, to prevent ARP poisoning with attacks.
Set-up packet filtering & inspection and enable port security on network switched to prevent attacks and .
Set-up VLANs, 802.1X or other securities to limit the attackers progress within the network.
Plaintext protocols are avoided when using credentials (HTTP, FTP, ...), in order to minimize the risks of the .
There are no certificate templates that are badly configured. This prevents .
AD-CS web endpoints are secured against (HTTPS and EPA (Extended Protection for Authentication) enforced).