Here's a summary of the AD Rating® tool's eleven analysis categories.
Summary:
Only ACLs on LDAP and GPO objects are part of the AD Rating checkpoints.
ACLs on individual files on each server are not considered in the AD Rating checkpoints.
Here are the 11 analysis categories, with over 172 control points:
Domain controllers: 31 control points
Domain controller tests analyze the configuration and best practices implemented on domain controllers (DCs). These include DC updates, exposed services, signing configurations for network flows, and the TLS/SSL configuration of services.
Domain configuration: 17 control points
These tests analyze the configuration and best practices implemented on the Active Directory domain. In particular, they concern access rights to DNS records, machine account creation rights, and various Active Directory service and feature configurations.
PKI and certificates: 22 control points
These tests analyze the configuration and best practices implemented on the Active Directory Public Key Infrastructure (AD CS). In particular, they cover certificate template access rights, certificate template configuration, certificate enrollment services configuration, and the cryptographic algorithms used in root certificates.
Trust relationships: 10 control points
These tests analyze the configuration and best practices in place for trust relationships with other Active Directory domains. In particular, they concern the cryptographic algorithms used during exchanges with third-party domains, and the isolation between different Active Directory domains.
Privileged account management: 13 control points
These tests analyze the configuration and best practices in place for accounts with elevated privileges on the domain (administrator or similar accounts). In particular, they concern the management of passwords for these accounts, and the implementation of configurations to protect these accounts against possible compromise.
User account management: 11 control points
These tests analyze the configuration and best practices in place for the domain's user and machine accounts. In particular, they concern the management of passwords for these accounts, and the implementation of configurations to protect these accounts against possible compromise.
Access rights and delegations: 21 control points
These tests analyze the configuration and best practices in place for access rights and privileges assigned to domain users and groups. They aim to identify privileges assigned to users that enable them to perform privileged actions on the domain or to compromise domain resources.
GPO: 19 control points
These tests analyze the configuration and best practices implemented through Group Policy Objects (GPOs). They aim to identify GPOs that disable security features, activate vulnerable features, or disclose sensitive data such as passwords.
OS Upgrades: 13 control points
These tests analyze the configuration and best practices implemented through Group Policy Objects (GPOs). They aim to identify GPOs that disable security features, activate vulnerable features, or disclose sensitive data such as passwords.
Maintenance: 13 control points
These tests analyze the general configuration and best practices implemented at domain level. They aim to identify any maintenance problems in an Active Directory domain.
Attack paths: 2 control points
These tests analyze the domain configuration and the access rights assigned to users and groups, to identify potential scenarios in which ordinary users could compromise key elements of the domain.