Active Directory Security Assessment Tool
Identify Security Weaknesses Across Your Active Directory Environment
What Does the Security Assessment Tool Check?
Misconfigurations, weak password policies, and stale accounts are among the most common entry points for attackers targeting Active Directory. The Security Assessment Tool scans your environment for well-known vulnerabilities and misconfigurations, giving you a clear report of what is at risk and how to address it.
48 checks for AD vulnerabilities and misconfigurations.
| Category | Check | Description | Source |
|---|---|---|---|
| Password Policy | Minimum password length | Checks the domain password policy minimum length. Pass: ≥14 characters | CIS Benchmark |
| Password Policy | Password history enforced | Checks how many previous passwords are remembered. Pass: ≥24 | CIS Benchmark |
| Password Policy | Maximum password age | Checks whether passwords expire. Pass: 60-90 days | CIS Benchmark |
| Password Policy | Minimum password age | Checks the minimum time before a password can be changed again. Pass: ≥1 day | CIS Benchmark |
| Password Policy | Account lockout threshold | Checks whether account lockout is configured. Pass: 3-5 attempts | CIS Benchmark |
| Password Policy | Account lockout duration | Checks how long accounts stay locked. Pass: ≥15 minutes | CIS Benchmark |
| Password Policy | Reversible encryption disabled | Checks that reversible password encryption is off. Pass: Disabled | CIS Benchmark |
| Password Policy | Password complexity required | Checks that complexity requirements are enabled. Pass: Enabled | CIS Benchmark |
| Privileged Access | Privileged group member count | Counts members in Domain Admins, Enterprise Admins, Schema Admins, etc. Flags excessive membership | Best Practice |
| Privileged Access | Disabled accounts in privileged groups | Checks for disabled accounts still in admin groups | Best Practice |
| Account Hygiene | Stale enabled accounts (90+ days) | Counts enabled accounts with no logon in 90+ days | Best Practice |
| Account Hygiene | Password set to never expire | Counts accounts with non-expiring passwords | CIS Benchmark |
| Account Hygiene | Password not required | Counts accounts with the PASSWD_NOTREQD flag | OWASP, Microsoft |
| Account Hygiene | Kerberoastable accounts | Counts user accounts with SPNs set (Kerberoast attack risk) | MITRE ATT&CK |
| Account Hygiene | Users with SID History | Counts accounts with SID history (migration residue, potential attack vector) | MITRE ATT&CK |
| Account Hygiene | Stale computer accounts (90+ days) | Counts enabled computer accounts with no logon in 90+ days | CIS Benchmark |
| Security Settings | Guest account disabled | Checks that the built-in Guest account is disabled | CIS Benchmark |
| Security Settings | krbtgt password age | Checks when the krbtgt password was last reset. Warn if >180 days | Microsoft, NIST |
| Security Settings | Unconstrained delegation | Counts accounts trusted for unconstrained delegation (excluding DCs) | MITRE ATT&CK |
| Security Settings | Protected Users group membership | Checks whether privileged accounts are in the Protected Users group | Microsoft |
| Security Settings | AdminCount orphan accounts | Accounts with adminCount=1 that are not in any privileged group | Best Practice |
| Security Settings | AS-REP Roastable accounts | Accounts with Kerberos pre-authentication disabled (DONT_REQUIRE_PREAUTH) | MITRE ATT&CK |
| Security Settings | Accounts with DES encryption | Accounts with the USE_DES_KEY_ONLY flag enabled | CIS Benchmark |
| Security Settings | Machine account quota | Checks ms-DS-MachineAccountQuota. Pass: 0 (only admins can join computers) | Microsoft |
| Security Settings | LAPS coverage | Percentage of enabled computers with LAPS passwords deployed | Microsoft |
| Security Settings | Constrained delegation | Counts user accounts with msDS-AllowedToDelegateTo configured | MITRE ATT&CK |
| Security Settings | AdminSDHolder consistency | Privileged accounts missing the adminCount flag, which indicates propagation issues | Microsoft |
| Security Settings | AD Recycle Bin enabled | Checks whether the Active Directory Recycle Bin optional feature is enabled | Microsoft |
| Kerberos Security | Weak Kerberos encryption types | Accounts with msDS-SupportedEncryptionTypes set to DES only (no AES) | CIS Benchmark |
| Kerberos Security | Accounts with DES-only encryption | Accounts with the USE_DES_KEY_ONLY userAccountControl flag | CIS Benchmark |
| Audit & Logging | Audit policy configured on DCs | Checks that audit policies are enabled via GPO on the Domain Controllers OU | CIS Benchmark |
| Audit & Logging | Advanced Audit Policy | Checks specific subcategories (logon events, account management, directory service changes, etc.) | CIS Benchmark |
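The Password Policy and Account Hygiene rows above can be reproduced with read-only queries against the domain. The script below is an added example written for this page, not AD Pro Toolkit code; it uses the RSAT ActiveDirectory module, applies the pass thresholds the table states, and (as an assumption, since the table only says it "counts") reports a non-zero count as FAIL for the count-based checks.

```powershell
# Added example, not AD Pro Toolkit code: re-implements the Password Policy and
# Account Hygiene checks from the table with the RSAT ActiveDirectory module.
# Thresholds are the table's pass criteria; for count-based checks a non-zero
# count is reported as FAIL (an assumption). Everything here is read-only.
Import-Module ActiveDirectory

function New-CheckResult([string]$Check, $Value, [bool]$Pass) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $status }
}

function Test-AdPasswordPolicy {
    # Default Domain Policy only; a Fine-Grained Password Policy can override these
    # per user (Get-ADUserResultantPasswordPolicy shows one account's effective policy).
    $p = Get-ADDefaultDomainPasswordPolicy
    $maxAge  = $p.MaxPasswordAge.TotalDays       # 0 means passwords never expire
    $minAge  = $p.MinPasswordAge.TotalDays
    $lockMin = $p.LockoutDuration.TotalMinutes   # 0 means locked until an admin unlocks

    New-CheckResult 'Minimum password length'        $p.MinPasswordLength    ($p.MinPasswordLength -ge 14)
    New-CheckResult 'Password history enforced'      $p.PasswordHistoryCount ($p.PasswordHistoryCount -ge 24)
    New-CheckResult 'Maximum password age (days)'    $maxAge                 ($maxAge -ge 60 -and $maxAge -le 90)
    New-CheckResult 'Minimum password age (days)'    $minAge                 ($minAge -ge 1)
    New-CheckResult 'Account lockout threshold'      $p.LockoutThreshold     ($p.LockoutThreshold -ge 3 -and $p.LockoutThreshold -le 5)
    New-CheckResult 'Account lockout duration (min)' $lockMin                ($lockMin -ge 15 -or $lockMin -eq 0)
    New-CheckResult 'Reversible encryption disabled' $p.ReversibleEncryptionEnabled (-not $p.ReversibleEncryptionEnabled)
    New-CheckResult 'Password complexity required'   $p.ComplexityEnabled    ([bool]$p.ComplexityEnabled)
}

function Test-StaleAccount($Account, [datetime]$Cutoff) {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
    # 14 days of lag, so "no logon in 90+ days" is approximate. An account that has
    # never logged on counts as stale only if it was created before the cutoff.
    if ($Account.LastLogonDate) { return $Account.LastLogonDate -lt $Cutoff }
    return $Account.Created -lt $Cutoff
}

function Test-AdAccountHygiene {
    $cutoff = (Get-Date).AddDays(-90)
    $staleUsers     = @(Get-ADUser     -Filter "Enabled -eq 'True'" -Properties LastLogonDate, Created |
                        Where-Object { Test-StaleAccount $_ $cutoff })
    $staleComputers = @(Get-ADComputer -Filter "Enabled -eq 'True'" -Properties LastLogonDate, Created |
                        Where-Object { Test-StaleAccount $_ $cutoff })

    # userAccountControl bit flags, tested with the LDAP bitwise-AND matching rule.
    $BitAnd = '1.2.840.113556.1.4.803'
    $neverExpires = @(Get-ADUser -LDAPFilter "(&(userAccountControl:${BitAnd}:=65536)(!(userAccountControl:${BitAnd}:=2)))") # DONT_EXPIRE_PASSWORD, enabled only
    $notRequired  = @(Get-ADUser -LDAPFilter "(userAccountControl:${BitAnd}:=32)")      # PASSWD_NOTREQD
    $desOnly      = @(Get-ADUser -LDAPFilter "(userAccountControl:${BitAnd}:=2097152)") # USE_DES_KEY_ONLY

    New-CheckResult 'Stale enabled accounts (90+ days)'  $staleUsers.Count     ($staleUsers.Count -eq 0)
    New-CheckResult 'Stale computer accounts (90+ days)' $staleComputers.Count ($staleComputers.Count -eq 0)
    New-CheckResult 'Password set to never expire'       $neverExpires.Count   ($neverExpires.Count -eq 0)
    New-CheckResult 'Password not required'              $notRequired.Count    ($notRequired.Count -eq 0)
    New-CheckResult 'Accounts with DES encryption'       $desOnly.Count        ($desOnly.Count -eq 0)
}

# Usage: collect both sets of results and list failures first.
$report = @(Test-AdPasswordPolicy) + @(Test-AdAccountHygiene)
$report | Sort-Object Status | Format-Table -AutoSize
```

The lockout-duration check treats a value of 0 as a pass because in Active Directory that setting means the account stays locked until an administrator unlocks it, which is stricter than the 15-minute floor.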
Security Checks Grounded in Real-World Frameworks
Every check in the AD Security Assessment is mapped to one or more industry-recognized security frameworks, so you are not running arbitrary scans; you are validating your environment against the same standards auditors and penetration testers use.
CIS Benchmarks
The Center for Internet Security publishes hardening guidelines specifically for Windows Server and Active Directory. Our password policy, account lockout, audit policy, and encryption checks are mapped directly to CIS Benchmark recommendations, the same controls that pen testers and auditors use. When a check fails, the recommendation tells you exactly which CIS control to address.
MITRE ATT&CK
MITRE ATT&CK documents real-world attack techniques used by threat actors. Several of our checks target the exact misconfigurations that attackers exploit to move laterally, escalate privileges, and steal credentials in Active Directory environments:
- Kerberoasting (T1558.003) identifies user accounts with SPNs that attackers can request service tickets for and crack offline
- AS-REP Roasting (T1558.004) finds accounts with pre-authentication disabled, allowing attackers to request encrypted data without credentials
- Unconstrained & Constrained Delegation (T1134.001) detects delegation misconfigurations that allow privilege escalation across services
- SID History Injection (T1134.005) flags accounts with SID history that could be abused for unauthorized access
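The four ATT&CK-mapped conditions above (and the matching Kerberoastable, AS-REP Roastable, delegation and SID History rows of the checks table) can be enumerated with read-only LDAP queries so the affected objects can be reviewed and fixed. The script below is an added example written for this page, not AD Pro Toolkit code; it assumes the RSAT ActiveDirectory module and uses the documented userAccountControl bit values.

```powershell
# Added example, not AD Pro Toolkit code: read-only enumeration of the accounts
# behind the ATT&CK-mapped checks, returning names for review and remediation.
Import-Module ActiveDirectory

$BitAnd  = '1.2.840.113556.1.4.803'                   # LDAP bitwise-AND matching rule
$Enabled = "(!(userAccountControl:${BitAnd}:=2))"      # ACCOUNTDISABLE (0x2) not set

function Get-AdKerberosExposure {
    # Kerberoastable: enabled user accounts carrying an SPN. krbtgt is excluded here
    # because it is covered by the separate krbtgt password-age check.
    $spnUsers = @(Get-ADUser -LDAPFilter "(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt))${Enabled})" -Properties PasswordLastSet)

    # AS-REP roastable: DONT_REQ_PREAUTH (0x400000 = 4194304) on an enabled user.
    $noPreauth = @(Get-ADUser -LDAPFilter "(&(userAccountControl:${BitAnd}:=4194304)${Enabled})")

    # Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288) on users or
    # computers, excluding DCs (primaryGroupID 516) and RODCs (521), which need it.
    $unconstrained = @(Get-ADObject -LDAPFilter "(&(|(objectCategory=person)(objectCategory=computer))(userAccountControl:${BitAnd}:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))")

    # Constrained delegation: user accounts allowed to delegate to specific services.
    $constrained = @(Get-ADUser -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo)

    # SID history: SIDs left over from migrations that still grant access.
    $sidHistory = @(Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory)

    [pscustomobject]@{
        Kerberoastable          = @($spnUsers      | ForEach-Object SamAccountName)
        AsRepRoastable          = @($noPreauth     | ForEach-Object SamAccountName)
        UnconstrainedDelegation = @($unconstrained | ForEach-Object Name)
        ConstrainedDelegation   = @($constrained   | ForEach-Object SamAccountName)
        SidHistory              = @($sidHistory    | ForEach-Object SamAccountName)
    }
}

# Usage: every list should be empty. Each name that appears is an account to fix:
# move the service to a gMSA or remove the SPN, re-enable pre-authentication,
# replace unconstrained delegation with constrained delegation, clear stale SID history.
Get-AdKerberosExposure | Format-List
```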
NIST 800-63 & Microsoft Best Practices
Our checks also align with NIST authentication guidelines and Microsoft’s own AD hardening recommendations. This includes krbtgt password rotation, LAPS deployment coverage, Protected Users group usage, AdminSDHolder consistency, machine account quota restrictions, and AD Recycle Bin status: configurations that Microsoft explicitly recommends but many environments overlook.
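The six Microsoft-recommended settings just listed can be verified with the script below, an added example written for this page and not AD Pro Toolkit code. It assumes the RSAT ActiveDirectory module, uses the thresholds from the checks table (krbtgt older than 180 days warns, machine account quota must be 0), and looks up the well-known groups by RID (512 Domain Admins, 525 Protected Users) so the check does not depend on localized group names.

```powershell
# Added example, not AD Pro Toolkit code: read-only status of the Microsoft-recommended
# settings (krbtgt age, Protected Users, AdminSDHolder, machine account quota,
# Recycle Bin, LAPS coverage) via the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdMicrosoftHardeningStatus {
    $domain = Get-ADDomain
    $BitAnd = '1.2.840.113556.1.4.803'

    # krbtgt password age. Microsoft's guidance is to reset it twice, allowing
    # replication between resets; PasswordLastSet reflects the most recent reset.
    $krbtgt    = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $krbtgtAge = (Get-Date) - $krbtgt.PasswordLastSet
    $krbtgtAgeDays = [int]$krbtgtAge.TotalDays

    # Protected Users: Domain Admins (resolved recursively) that are not members.
    # Protected Users only exists at the 2012 R2 domain functional level or later,
    # so a missing group is tolerated and simply yields no protected SIDs.
    $domainAdmins  = @(Get-ADGroupMember -Identity "$($domain.DomainSID)-512" -Recursive |
                       Where-Object objectClass -eq 'user')
    $protectedSids = @(Get-ADGroupMember -Identity "$($domain.DomainSID)-525" -Recursive -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.SID.Value })
    $unprotectedAdmins = @($domainAdmins | Where-Object { $protectedSids -notcontains $_.SID.Value })

    # AdminSDHolder consistency: members of a protected group should carry adminCount=1.
    $missingAdminCount = @($domainAdmins |
        ForEach-Object { Get-ADObject -Identity $_.DistinguishedName -Properties adminCount } |
        Where-Object { $_.adminCount -ne 1 })

    # Machine account quota is stored on the domain naming context object.
    $maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # AD Recycle Bin is enabled when the optional feature has at least one enabled scope.
    $recycleBin        = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $recycleBinEnabled = (@($recycleBin.EnabledScopes).Count -gt 0)

    # LAPS coverage: enabled computers stamped by legacy LAPS (ms-Mcs-AdmPwdExpirationTime)
    # or Windows LAPS (msLAPS-PasswordExpirationTime). A filter on an attribute the schema
    # lacks matches nothing, so either deployment, or neither, is handled without erroring.
    $enabledPcs = @(Get-ADComputer -LDAPFilter "(!(userAccountControl:${BitAnd}:=2))")
    $lapsPcs    = @(Get-ADComputer -LDAPFilter "(&(!(userAccountControl:${BitAnd}:=2))(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*)))")
    $lapsPct = if ($enabledPcs.Count -gt 0) { [math]::Round(100 * $lapsPcs.Count / $enabledPcs.Count, 1) } else { 0 }

    [pscustomobject]@{
        KrbtgtPasswordAgeDays     = $krbtgtAgeDays
        KrbtgtRotationOverdue     = ($krbtgtAgeDays -gt 180)
        DomainAdminsNotProtected  = @($unprotectedAdmins | ForEach-Object SamAccountName)
        AdminsMissingAdminCount   = @($missingAdminCount | ForEach-Object Name)
        MachineAccountQuota       = $maq
        MachineAccountQuotaIsZero = ($maq -eq 0)
        RecycleBinEnabled         = $recycleBinEnabled
        LapsCoveragePercent       = $lapsPct
    }
}

Get-AdMicrosoftHardeningStatus | Format-List
```

Domain controllers are included in the LAPS denominator because the table defines the metric over all enabled computers; exclude them with an added `(!(primaryGroupID=516))` clause if your policy does not deploy LAPS to DCs.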
Why This Matters
Most Active Directory environments have security gaps they don’t know about. Running a scan takes minutes and the results map directly to the frameworks that auditors, red teams, and compliance standards reference. Fix what fails, and you’re closing the same doors that attackers try to open.
How to Run a Security Assessment with AD Pro Toolkit
- Go to Security > Security Assessment
- Click “Run Audit”