
Assess Active Directory Security with cnspec

Scan Active Directory domains against security and compliance best practices with cnspec.

Scan your Active Directory domain to find security risks before attackers do. cnspec connects to a domain controller over LDAP and evaluates password policies, privileged group membership, Kerberos delegation, domain controller hardening, Active Directory Certificate Services (AD CS) templates, domain trusts, and dozens of other directory controls.

Prerequisites

Before you start:

  • Install cnspec.
  • Make sure you have network access to a domain controller in the domain you want to scan.
  • Have a domain account that can read Active Directory over LDAP. Standard domain user accounts can read most directory objects. Reading certain security descriptors and AD CS configuration may require an elevated account.

Connect to a domain controller

cnspec uses the activedirectory provider to query Active Directory Domain Services over LDAP. You point cnspec at a domain controller and authenticate with a domain account.

By default, cnspec connects using LDAPS (LDAP over TLS, port 636). cnspec auto-detects the domain DNS name and base DN from the domain controller, so you usually only need to supply the domain controller, a user, and a password.

To test access, open a cnspec shell and verify the connection:

cnspec shell activedirectory --dc dc01.lunalectric.com --user admin@lunalectric.com --password YOUR_PASSWORD
cnspec> activedirectory { domain netbiosName forestName functionalLevel }
activedirectory: {
  domain: "lunalectric.com"
  netbiosName: "LUNALECTRIC"
  forestName: "lunalectric.com"
  functionalLevel: "2016"
}

You can specify credentials as user@domain.com or DOMAIN\user. If you need to override the auto-detected values, pass --domain and --base-dn explicitly. A password given with --password is visible in shell history and in process listings on the scanning host, so use a dedicated least-privilege scanning account and keep its password out of scripts and shared shell history.

Use Kerberos authentication

Instead of a simple LDAP bind, you can authenticate with Kerberos by adding the --kerberos flag. Kerberos supports a keytab, a credential cache, or a user and password:

cnspec shell activedirectory --dc dc01.lunalectric.com --kerberos --user admin@LUNALECTRIC.COM --keytab /etc/krb5.keytab

On Windows, omit the explicit credentials to authenticate with the current logon session:

cnspec shell activedirectory --dc dc01.lunalectric.com --kerberos

LDAPS is the default and recommended transport. For lab environments that cannot use LDAPS, --starttls opens a plain LDAP connection on port 389 and upgrades it to TLS before the bind, and --plain-ldap sends the bind, including the password, without any encryption. Avoid both options in production; --plain-ldap in particular exposes domain credentials to anyone on the network path.

Scan Active Directory

To scan your Active Directory domain:

cnspec scan activedirectory --dc dc01.lunalectric.com --user admin@lunalectric.com --password YOUR_PASSWORD

Understand scan output

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:

✓ Pass:  Ensure the domain password policy enforces complexity
✕ Fail:  Ensure SMBv1 is disabled on domain controllers
✓ Pass:  Ensure the AD Recycle Bin is enabled

At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.

Scan with the Mondoo Active Directory Security policy

Mondoo maintains an out of the box Active Directory Security policy that checks password policies, privileged group membership, domain controller hardening, Kerberos delegation, AD Certificate Services templates, and more.

In the Mondoo App, go to Findings > Policies, search for "Active Directory", and add the policy to your space. All future scans of your Active Directory domain automatically evaluate against it. To learn more, read Manage Policies.

You can also create your own policies to meet your specific requirements.

Explore your Active Directory environment

Run cnspec shell activedirectory --dc dc01.lunalectric.com --user admin@lunalectric.com --password YOUR_PASSWORD to open the interactive shell.

Inspect the domain password policy

cnspec> activedirectory.domainPasswordPolicy {
    minPasswordLength
    complexityEnabled
    lockoutThreshold
    maxPasswordAge
}

Find privileged users

cnspec> activedirectory.users.where( isPrivileged ) { sAMAccountName displayName isDomainAdmin enabled }

Audit domain trusts

cnspec> activedirectory.trusts { targetDomain trustType trustDirection sidFilteringEnabled }

Review AD Certificate Services templates

cnspec> activedirectory.certificateTemplates { name isPublished isVulnerableESC1 lowPrivilegedEnrollment }

Example security checks

Ensure LDAP signing is required on domain controllers

cnspec> activedirectory.ldapSigningRequired == true

Ensure SMBv1 is disabled

cnspec> activedirectory.smbv1Enabled == false

Ensure the password policy enforces a minimum length

cnspec> activedirectory.domainPasswordPolicy.minPasswordLength >= 14

Ensure no privileged accounts are kerberoastable

cnspec> activedirectory.users.where( isPrivileged ).none( kerberoastable )

Ensure no certificate templates are vulnerable to ESC1

cnspec> activedirectory.certificateTemplates.none( isVulnerableESC1 )

Ensure the AD Recycle Bin is enabled

cnspec> activedirectory.recycleBinEnabled == true
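To turn the shell queries above into a repeatable scan, the checks from the Example security checks section and the password-policy, trust and certificate-template fields from the Explore section can be packaged as a custom policy bundle, as the Scan with the Mondoo Active Directory Security policy section suggests. The bundle below is an added example and is not Mondoo's out-of-the-box policy; the MQL in each check is taken from this page, while the policy uid and name, the author contact, the asset filter expression, the impact values and the remediation text are assumptions to adjust for your environment.

```yaml
# ad-baseline.mql.yaml - example custom cnspec policy bundle (added example,
# not Mondoo's own Active Directory Security policy). The MQL in each check
# comes from the queries shown on this page; the policy uid/name, author,
# asset filter, and impact values are assumptions.
policies:
  - uid: example-ad-baseline
    name: Example Active Directory baseline
    version: 1.0.0
    authors:
      - name: Security Engineering
        email: secops@lunalectric.com   # assumed contact
    groups:
      - title: Domain controller and directory hardening
        # Assumed platform filter: confirm the value from the shell with
        #   cnspec> asset { platform family }
        filters: asset.platform == "activedirectory"
        checks:
          - uid: ad-ldap-signing-required
          - uid: ad-smbv1-disabled
          - uid: ad-recycle-bin-enabled
      - title: Credentials and privileged access
        filters: asset.platform == "activedirectory"
        checks:
          - uid: ad-password-min-length
          - uid: ad-password-complexity
          - uid: ad-lockout-threshold
          - uid: ad-no-kerberoastable-admins
      - title: Certificate services and trusts
        filters: asset.platform == "activedirectory"
        checks:
          - uid: ad-no-esc1-templates
          - uid: ad-trusts-sid-filtering

queries:
  - uid: ad-ldap-signing-required
    title: Ensure LDAP signing is required on domain controllers
    impact: 80
    mql: activedirectory.ldapSigningRequired == true
    docs:
      desc: Unsigned LDAP traffic can be relayed or tampered with on the network.
      remediation: Set "Domain controller: LDAP server signing requirements" to "Require signing" in the domain controller policy.
  - uid: ad-smbv1-disabled
    title: Ensure SMBv1 is disabled on domain controllers
    impact: 90
    mql: activedirectory.smbv1Enabled == false
  - uid: ad-recycle-bin-enabled
    title: Ensure the AD Recycle Bin is enabled
    impact: 30
    mql: activedirectory.recycleBinEnabled == true
  - uid: ad-password-min-length
    title: Ensure the domain password policy requires at least 14 characters
    impact: 60
    mql: activedirectory.domainPasswordPolicy.minPasswordLength >= 14
  - uid: ad-password-complexity
    title: Ensure the domain password policy enforces complexity
    impact: 60
    mql: activedirectory.domainPasswordPolicy.complexityEnabled == true
  - uid: ad-lockout-threshold
    title: Ensure account lockout is enabled
    impact: 50
    # In Active Directory a lockout threshold of 0 means accounts never lock out.
    mql: activedirectory.domainPasswordPolicy.lockoutThreshold > 0
  - uid: ad-no-kerberoastable-admins
    title: Ensure no privileged accounts are kerberoastable
    impact: 90
    # A privileged account with a service principal name lets any domain user
    # request a service ticket and crack the account's password offline.
    mql: activedirectory.users.where( isPrivileged ).none( kerberoastable )
  - uid: ad-no-esc1-templates
    title: Ensure no certificate templates are vulnerable to ESC1
    impact: 100
    mql: activedirectory.certificateTemplates.none( isVulnerableESC1 )
  - uid: ad-trusts-sid-filtering
    title: Ensure SID filtering is enabled on all domain trusts
    impact: 70
    # all() over an empty list is true, so a domain with no trusts passes.
    mql: activedirectory.trusts.all( sidFilteringEnabled )
```

Validate the bundle with cnspec bundle lint ad-baseline.mql.yaml, then run it against the domain with cnspec scan activedirectory --dc dc01.lunalectric.com --user admin@lunalectric.com --password YOUR_PASSWORD --policy-bundle ad-baseline.mql.yaml. Adding --score-threshold with the minimum acceptable score makes cnspec exit non-zero when the domain scores below it, which turns the scan into a gate for a scheduled job or pipeline. Because the filter expression is an assumption, check it first in the shell: if asset { platform } reports a different platform name for the activedirectory provider, update the filters lines accordingly, otherwise no check in the bundle will apply.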
